"stored_nonce" is nil due to different sessions #58

Closed
arvinwiyono opened this issue Sep 28, 2020 · 9 comments

Comments


arvinwiyono commented Sep 28, 2020

Hi all,
I would appreciate if I can get some help on the verification of nonce.
During the phase of verify_nonce!, the stored_nonce and the value from payload['nonce'] are different.

I did a bit more debugging, apparently stored_nonce returns nil. It seems like Rails has created a new session, hence new_nonce and stored_nonce are referring to different sessions. Have a look at the byebug output below.

In #new_nonce:

   51:       def new_nonce
   52:         session['omniauth.nonce'] = SecureRandom.urlsafe_base64(16)
   53:         byebug
=> 54:         session['omniauth.nonce']
   55:       end
   56:
   57:       def stored_nonce
   58:         byebug
(byebug) session.id
"7b8a4c453dc2cdceb65aaa861a422284"

In #stored_nonce:

   57:       def stored_nonce
   58:         byebug
=> 59:         session.delete('omniauth.nonce')
   60:       end
   61:
   62:       def id_info
   63:         @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
(byebug) session.id
"6dec324aa336403ca3e77ae58ee90e8d"
(byebug) session['omniauth.nonce']
nil

The sessions are different, 7b8a4c453dc2cdceb65aaa861a422284 != 6dec324aa336403ca3e77ae58ee90e8d.

Final result: users are logged in, but getting the flash error message:

[image: screenshot of the flash error message]

FYI, I am using this gem together with devise.

Wondering whether other people are experiencing the same issue and able to find a solution.
Thanks, looking forward to your replies.


btalbot commented Sep 28, 2020

session cookies will only be sent to your site in the callback from apple if the Same-Site policy is Lax.

arvinwiyono (Author) commented

Hi @btalbot, thanks for answering. I have checked that the Same-Site policy for our session cookies is already set to Lax:

[image: screenshot of the session cookies]


btalbot commented Sep 29, 2020

Oh, sorry, the Same-Site policy must be None -- Lax is now the common default, but it does not work with Sign in with Apple. Sorry for the confusion.

arvinwiyono (Author) commented

Hi @btalbot, I can confirm that setting the Same-Site policy of our _xyz_session cookie to "None" solves the issue.
But this means we are exposing the session cookies to third parties.
Are there any other options for this?


btalbot commented Sep 29, 2020

Not any good ones that I know of. You can consider setting it to Same-Site=None in the request phase and then change it back to Same-Site=Lax when complete (success or failure). Other than that, it's an issue with how apple structures the callback request. They send it with Origin and Referrer both set to an appleid.com domain so no Lax cookies allowed.
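To make the failure mode btalbot describes concrete, here is an added Ruby simulation (not code from omniauth-apple, Rails or this thread) that models the browser's SameSite decision for the session cookie on Apple's cross-site form POST callback and replays the new_nonce / stored_nonce steps from the report. The browser model, the in-memory session store and the helper names are assumptions for illustration.

```ruby
require 'securerandom'

# Constructed browser model: is a cookie with the given SameSite value attached to a request?
# Lax cookies ride only on top-level safe (GET) navigations; Apple's callback is a top-level POST.
def cookie_sent?(same_site, req)
  return true unless req[:cross_site]
  case same_site
  when 'None'   then true      # always sent cross-site (browsers also require Secure)
  when 'Lax'    then req[:top_level] && req[:method] == 'GET'
  when 'Strict' then false
  else raise ArgumentError, "unknown SameSite value #{same_site.inspect}"
  end
end

# Constant-time comparison that fails closed when the stored nonce is missing (nil).
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Stand-in for the Rails session store: no cookie means a brand-new, empty session.
class SessionStore
  def initialize; @sessions = {}; end
  def lookup(cookie_value)
    id = cookie_value || SecureRandom.hex(16)
    [id, (@sessions[id] ||= {})]
  end
end

# Request phase, mirroring #new_nonce from the issue: generate a nonce and stash it in the session.
def request_phase(store, cookie_value)
  sid, session = store.lookup(cookie_value)
  session['omniauth.nonce'] = SecureRandom.urlsafe_base64(16)
  [sid, session['omniauth.nonce']]
end

# Callback phase, mirroring #stored_nonce: pop the nonce and compare it with the one in the id_token.
def callback_phase(store, cookie_value, payload_nonce)
  sid, session = store.lookup(cookie_value)
  [sid, secure_equal?(session.delete('omniauth.nonce'), payload_nonce)]
end

# Full round-trip for one SameSite setting on the session cookie.
def apple_signin(same_site)
  store = SessionStore.new
  sid1, nonce = request_phase(store, nil)                       # first visit sets the cookie
  callback = { method: 'POST', top_level: true, cross_site: true } # Apple's form_post response
  cookie = cookie_sent?(same_site, callback) ? sid1 : nil
  sid2, ok = callback_phase(store, cookie, nonce)
  { same_session: sid1 == sid2, nonce_ok: ok }
end
```

With 'Lax' the callback arrives without the cookie, a fresh session is created, stored_nonce is nil and verification fails, exactly as in the byebug output above; with 'None' the same session is reused and the nonce matches.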

arvinwiyono (Author) commented

Thanks @btalbot for the replies. I'll think about this. Your comments saved me from not being able to sleep lol.


btalbot commented Sep 29, 2020

Note that Same-Site=None doesn't give 3rd parties access to the cookies. It just allows them to make requests to your site via a script in your users' browsers, and the cookies will be sent to you. It is an XSRF risk, which is what the Same-Site setting was intended to address. No clue why apple does it that way.


hoffdog commented Sep 30, 2021


I'm having this same issue. Setting SameSite to None does not allow Chrome to use Apple Sign In.


salzig commented May 31, 2023

see #107.
