OmniAuth - current session not loaded on OpenID callback


Problem description

I'm using OmniAuth with Rails 3.1.4 and I'm trying to allow already authenticated users to associate multiple OpenID providers with their account.

As an unauthenticated user, signing in with OpenID works fine. As an authenticated user, when I try to sign in with a different oid provider, when the callback method is executed, it just looks like I wasn't previously authenticated.

To me it just looks like the controller gets executed before sessions are initialised (or sessions are completely skipped).

What could that be?

Recommended answer

Confirming Andrei Serdeliuc's solution, disabling protect_from_forgery worked for me (Ruby 1.8.7, Rails 2.3.11, OmniAuth 0.1.6)

In your CallbackController (AuthenticationsController in the famous screencast), adding skip_before_filter :verify_authenticity_token or protect_from_forgery :except => :create at the top of the controller works!

As it could be a way for CSRF (Cross-Site Request Forgery), you should verify the identity of the OpenID server; don't forget to set up the certificate verification (in the initializer):

# First of all get a ca-bundle.crt file (eg : from your open-source browser package)
require "openid/fetchers"
OpenID.fetcher.ca_file = "#{Rails.root}/config/ca-bundle.crt"

It will prevent warnings like:

WARNING: making https request to https://www.google.com/accounts/o8/id 
without verifying server certificate; no CA path was specified.

Now my sessions are not reset anymore, and I can add several OpenID authentications to my current_user.

Cheers
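
What pointing ca_file at a CA bundle means in practice, as an added example that is not part of the original answer: it uses Ruby's OpenSSL standard library directly (not ruby-openid's fetcher) to show that a server certificate is accepted only when its issuer is in the bundle. The CAs, keys and the host name openid.example.test are constructed placeholders.

```ruby
require "openssl"
require "tempfile"

# Build an X.509 v3 certificate; all names and keys here are constructed test data.
def make_cert(subject, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # value 2 means X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# True only if cert chains to a CA found in the PEM bundle at ca_file.
def chains_to_bundle?(cert, ca_file)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) if ca_file # nil gives an empty trust store: nothing verifies
  store.verify(cert)
end

def demo_results
  known_key, unknown_key, server_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  known_ca = make_cert("/CN=Constructed Known CA", known_key, nil, known_key, ca: true)
  unknown_ca = make_cert("/CN=Constructed Unknown CA", unknown_key, nil, unknown_key, ca: true)
  host = "/CN=openid.example.test" # placeholder host name
  good = make_cert(host, server_key, known_ca, known_key, ca: false)
  forged = make_cert(host, server_key, unknown_ca, unknown_key, ca: false)
  Tempfile.create("ca-bundle") do |f|
    f.write(known_ca.to_pem) # the bundle trusts only the known CA
    f.flush
    { known_issuer: chains_to_bundle?(good, f.path),
      unknown_issuer: chains_to_bundle?(forged, f.path),
      no_bundle: chains_to_bundle?(good, nil) }
  end
end

p demo_results if __FILE__ == $PROGRAM_NAME
```

The same chains_to_bundle? helper can be pointed at a real ca-bundle.crt and a saved server certificate to confirm the bundle actually covers the provider before deploying the initializer.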
