Authentication failure! HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com) #100

Closed
jlxq0 opened this issue Nov 4, 2022 · 8 comments


jlxq0 commented Nov 4, 2022

(I'm not sure if this is a duplicate with #76 or a new issue. Even if it is, I cannot make it work with any of the hints in that issue.)

I can successfully authenticate with apple, but then the callback fails with the following error:

2022-11-04T03:42:46.488017+00:00 app[web.1]: E, [2022-11-04T03:42:46.487931 #4] ERROR -- omniauth: (apple) Authentication failure! nonce_mismatch: OmniAuth::Strategies::OAuth2::CallbackError, nonce_mismatch | nonce mismatch
2022-11-04T03:42:46.488850+00:00 app[web.1]: I, [2022-11-04T03:42:46.488804 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] Processing by Users::OmniauthCallbacksController#failure as HTML
2022-11-04T03:42:46.488883+00:00 app[web.1]: I, [2022-11-04T03:42:46.488859 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f]   Parameters: {"state"=>"cd7afa0a1bc11f655a0fe7cd737bb31c68636be05dfe1c86", "code"=>"cec90bc3ac5664ddbbb3d7890c59a8ded.0.rrtrs.wm71iFY5KsYGMy2F1nnW9g"}
2022-11-04T03:42:46.489141+00:00 app[web.1]: W, [2022-11-04T03:42:46.489114 #4]  WARN -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com)
2022-11-04T03:42:46.489474+00:00 app[web.1]: I, [2022-11-04T03:42:46.489445 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 311)
2022-11-04T03:42:46.489572+00:00 app[web.1]: E, [2022-11-04T03:42:46.489547 #4] ERROR -- omniauth: (apple) Authentication failure! HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com): ActionController::InvalidAuthenticityToken, HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com)
2022-11-04T03:42:46.489950+00:00 app[web.1]: I, [2022-11-04T03:42:46.489918 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] Processing by Users::OmniauthCallbacksController#failure as HTML
2022-11-04T03:42:46.489979+00:00 app[web.1]: I, [2022-11-04T03:42:46.489960 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f]   Parameters: {"state"=>"cd7afa0a1bc11f655a0fe7cd737bb31c68636be05dfe1c86", "code"=>"cec90bc3ac5664ddbbb3d7890c59a8ded.0.rrtrs.wm71iFY5KsYGMy2F1nnW9g"}
2022-11-04T03:42:46.490085+00:00 app[web.1]: W, [2022-11-04T03:42:46.490059 #4]  WARN -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com)
2022-11-04T03:42:46.490270+00:00 app[web.1]: I, [2022-11-04T03:42:46.490248 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms | Allocations: 140)
2022-11-04T03:42:46.490989+00:00 app[web.1]: F, [2022-11-04T03:42:46.490944 #4] FATAL -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f]
2022-11-04T03:42:46.490989+00:00 app[web.1]: [b4b4effc-cef6-4567-9509-3d18b9daf37f] ActionController::InvalidAuthenticityToken (HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com)):
2022-11-04T03:42:46.490990+00:00 app[web.1]: [b4b4effc-cef6-4567-9509-3d18b9daf37f]
2022-11-04T03:42:46.490990+00:00 app[web.1]: [b4b4effc-cef6-4567-9509-3d18b9daf37f] actionpack (7.0.4) lib/action_controller/metal/request_forgery_protection.rb:251:in `handle_unverified_request'

I'm on ruby 3.1.2p20 and Rails 7.0.4; using devise, omniauth and omniauth-google-oauth2 successfully.

My callback controller for apple looks like this:

  # Devise OmniAuth callback action for Apple. `auth` is assumed to be a helper
  # defined elsewhere in the controller (not shown in the issue) that returns
  # request.env['omniauth.auth'].
  def apple
    user = User.from_omniauth(auth)

    if user.present?
      # Sign out any other Devise scope before signing this user in.
      sign_out_all_scopes
      flash[:success] = 'Success'
      sign_in_and_redirect user, event: :authentication
    else
      flash[:alert] = 'OAuth failure'
      redirect_to new_user_session_path
    end
  end

Is there a working minimal example app I could check out?

nov commented Nov 4, 2022

Since Apple's AuthZ response is POST, you need SameSite=none cookie on some browsers.
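To make the point in the comment above concrete, here is an added example in plain Ruby (not code from omniauth-apple or from anyone in this thread) that models the browser rule deciding whether a cookie is attached to a cross-site request. Apple returns the authorization code as a top-level POST from appleid.apple.com; with a SameSite=Lax session cookie the browser withholds the Rails session on that POST, so the stored OmniAuth state and nonce are missing and the callback fails with nonce_mismatch, while a SameSite=None; Secure cookie is sent. Google's GET redirect, which the reporter says works, is shown for contrast. The host names are those from the thread; the callback paths and the `Cookie`, `site_of`, `cookie_sent?` and `*_session_present?` names are this example's own, and the site comparison uses the last two host labels rather than a public-suffix list.

```ruby
require 'uri'

# Cookie attributes as the server set them; same_site is :strict, :lax or :none.
Cookie = Struct.new(:name, :same_site, :secure, keyword_init: true)

# The "site" a URL belongs to for SameSite purposes. This example takes the last
# two host labels (no public-suffix list), which is enough for the hosts in the
# thread (appleid.apple.com, accounts.google.com, mysite.com).
def site_of(url)
  URI(url).host.split('.').last(2).join('.')
end

# Would a browser attach `cookie` to a top-level navigation to `request_url`
# that was initiated from `initiator_url` with the given HTTP method?
# Browser defaults for cookies that carry no SameSite attribute (Chrome's
# Lax-by-default with its temporary "Lax+POST" allowance) are not modelled.
def cookie_sent?(cookie, initiator_url:, request_url:, method:)
  return true if site_of(initiator_url) == site_of(request_url) # same-site: always sent

  case cookie.same_site
  when :strict then false                                          # never cross-site
  when :lax    then method.to_s.upcase == 'GET'                    # cross-site top-level GET only
  when :none   then cookie.secure && URI(request_url).scheme == 'https' # needs Secure + HTTPS
  else raise ArgumentError, "unknown SameSite value #{cookie.same_site.inspect}"
  end
end

# Apple's authorization response: a top-level POST from appleid.apple.com to the
# app's callback. Hosts are from the thread; the paths are constructed examples.
def apple_callback_session_present?(cookie)
  cookie_sent?(cookie,
               initiator_url: 'https://appleid.apple.com/auth/authorize',
               request_url:   'https://mysite.com/users/auth/apple/callback',
               method:        'POST')
end

# Google's response in the reporter's working setup arrives as a GET redirect.
def google_callback_session_present?(cookie)
  cookie_sent?(cookie,
               initiator_url: 'https://accounts.google.com/o/oauth2/auth',
               request_url:   'https://mysite.com/users/auth/google_oauth2/callback',
               method:        'GET')
end

if __FILE__ == $PROGRAM_NAME
  lax  = Cookie.new(name: '_app_session', same_site: :lax,  secure: true)
  none = Cookie.new(name: '_app_session', same_site: :none, secure: true)
  puts "Apple POST callback, SameSite=Lax:  session sent? #{apple_callback_session_present?(lax)}"
  puts "Apple POST callback, SameSite=None: session sent? #{apple_callback_session_present?(none)}"
  puts "Google GET callback, SameSite=Lax:  session sent? #{google_callback_session_present?(lax)}"
end
```

Setting the session cookie to SameSite=None means the browser will also send it on any other cross-site POST, so the OmniAuth `state` check tied to that session is the control that keeps the callback bound to the user who started the flow; it should not be switched off when relaxing SameSite.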

jlxq0 commented Nov 4, 2022

Do you have an example app (or code) or a hint on how to implement this for some browsers?

nov commented Nov 4, 2022

https://bogdanvlviv.com/posts/ruby/rails/samesite-cookies-and-rails.html

jlxq0 commented Nov 4, 2022

I think I am one step closer – however I'm not being logged in. Does the callback controller for apple look different from the other providers due to the POST instead of GET? Do you have an example?

jlxq0 commented Nov 7, 2022

Nvm my last comment. My problem was that the user(-email) already existed from another provider and thus the sign up failed (relatively silently). Now it is working.

@jlxq0 jlxq0 closed this as completed Nov 7, 2022
@jakeNiemiec

https://bogdanvlviv.com/posts/ruby/rails/samesite-cookies-and-rails.html

@nov, do you happen to have another example? That site is gone and there is no google cache or wayback snapshot to view it.

dcrec1 commented Jan 31, 2023

To avoid this I added the following code to the Omniauth callbacks controller:

  # Treat the apple callback as a verified request: Apple POSTs it cross-site,
  # so Rails' Origin/authenticity-token check cannot pass. Every other action
  # keeps the default check via super.
  def verified_request?
    action_name == 'apple' || super
  end

seballot commented Jul 3, 2023

Thanks @dcrec1! But for me I needed the following code, and in ApplicationController.rb:

# ApplicationController.rb

# Skips Rails' CSRF verification for every action of the OmniAuth callbacks
# controller, not only the apple action; all other controllers keep the default.
def verified_request?
  controller_name == "omniauth_callbacks" || super
end
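Both overrides above turn off Rails' CSRF verification for the callback, which is only safe because OmniAuth's `state` parameter still binds the callback to the session that started the flow. The following added example (plain Ruby, not code from omniauth-apple, Rails, OmniAuth or this thread) models the two checks side by side: a simplified version of Rails' default `verified_request?` decision, the two exemption policies posted by dcrec1 and seballot, and the `state` comparison against the value stored in the session (omniauth-oauth2 keeps it under `session['omniauth.state']`; how it is stored is modelled here, not taken from the library). `Request`, `EXEMPTIONS`, `rails_verified_request?`, `omniauth_state_valid?`, `callback_accepted?` and `apple_callback` are this example's own names, and the sample values are constructed.

```ruby
# Plain-Ruby model of a callback request; field names mirror Rails terms but
# this is not the Rails request object.
Request = Struct.new(:http_method, :origin, :base_url, :controller_name,
                     :action_name, :params, :session, keyword_init: true)

# Constant-time comparison, so the state and token checks do not leak via timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified Rails CSRF decision: GET/HEAD pass; any other method needs an
# Origin equal to base_url (when present) and a valid authenticity token.
# This is the check that produced the 422 in the issue: Apple's POST carries
# Origin https://appleid.apple.com, which never equals https://mysite.com.
def rails_verified_request?(req)
  return true if %w[GET HEAD].include?(req.http_method)
  origin_ok = req.origin.nil? || req.origin == req.base_url
  token_ok  = secure_compare(req.params['authenticity_token'], req.session[:csrf_token])
  origin_ok && token_ok
end

# The two overrides from the thread, expressed as predicates over the request.
EXEMPTIONS = {
  none:          ->(_req) { false },
  action_apple:  ->(req)  { req.action_name == 'apple' },                 # dcrec1
  all_callbacks: ->(req)  { req.controller_name == 'omniauth_callbacks' } # seballot
}.freeze

# OmniAuth's own CSRF defence for OAuth callbacks: the returned `state` must
# equal the value saved in the session when the authorization request was built.
def omniauth_state_valid?(req)
  secure_compare(req.params['state'], req.session['omniauth.state'])
end

# Final decision: the request must pass CSRF (or be exempted) AND carry a state
# that matches the session. Removing the second condition would leave the
# exempted callback with no binding to the user's browser session at all.
def callback_accepted?(req, exemption:)
  csrf_ok = EXEMPTIONS.fetch(exemption).call(req) || rails_verified_request?(req)
  csrf_ok && omniauth_state_valid?(req)
end

# Constructed sample: Apple's POST callback for a session that started the flow.
def apple_callback(state: 'cd7afa0a', action: 'apple', session_state: 'cd7afa0a')
  Request.new(http_method: 'POST', origin: 'https://appleid.apple.com',
              base_url: 'https://mysite.com', controller_name: 'omniauth_callbacks',
              action_name: action,
              params: { 'state' => state, 'code' => 'constructed-code' },
              session: { 'omniauth.state' => session_state, csrf_token: 'constructed-token' })
end

if __FILE__ == $PROGRAM_NAME
  EXEMPTIONS.each_key do |policy|
    puts "#{policy}: genuine Apple callback accepted? #{callback_accepted?(apple_callback, exemption: policy)}"
  end
  puts "action_apple: callback with unknown state accepted? " \
       "#{callback_accepted?(apple_callback(state: 'wrong-state'), exemption: :action_apple)}"
end
```

The difference between the two overrides is scope: `action_apple` exempts only the apple action, while `all_callbacks` also exempts every other action of the callbacks controller, including `failure` and any provider added later, so the narrower one is the better default and the wider one should be a conscious choice.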
