Omniauth-facebook keeps reporting invalid_credentials

petfreshman picture petfreshman · Jul 22, 2012 · Viewed 15.2k times · Source

I am trying to implement omniauth-facebook as described in Railscast #360 and have run into quite a roadblock. When I click on the signin link, I get the desired popup asking me to input my facebook credentials, but when I submit, I get an OmniAuth::Strategies::OAuth2::CallbackError error. In the apache logs, this is printed: (facebook) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError

here is the relevant code:

omniauth.rb

OmniAuth.config.logger = Rails.logger

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, ENV['FACEBOOK_APP_ID'], ENV['FACEBOOK_SECRET']
end

sessions_controller.rb

class SessionsController < ApplicationController
  def create
    user = User.from_omniauth(env["omniauth.auth"])
    session[:user_id] = user.id
    redirect_to root_url
  end

  def destroy
    session[:user_id] = nil
    redirect_to root_url
  end
end

application.html.erb

<div id="fb-root"></div>
<script>        
window.fbAsyncInit = function() {
    FB.init({
        appId      : '(**my app id**)', // App ID
        status     : true, // check login status
        cookie     : true // enable cookies to allow the server to access the session
    });

    $('#sign_in').click(function(e) {
        e.preventDefault();
        return FB.login(function(response) {
            if (response.authResponse) {
                return window.location = '/auth/facebook/callback';
            }
        });
    });

    return $('#sign_out').click(function(e) {
        FB.getLoginStatus(function(response) {
            if (response.authResponse) {
                return FB.logout();
            }
        });
        return true;
    });
};
 </script>

Am I missing something simple? I've been searching for a solution for the last few days.

Answer

Tom S&#246;derlund picture Tom Söderlund · Jul 23, 2012

It seems like omniauth-facebook v1.4.1 introduced an issue with CSRF. A temporary fix is to just roll back to v1.4.0. In your Gemfile, change the omniauth-facebook line to:

gem 'omniauth-facebook', '1.4.0'

I've reported the issue: https://github.com/mkdynamic/omniauth-facebook/issues/73