Devise: Error: Not found. Authentication passthru. with any Omniauth strategy

Created on 8 May 2020 · 17 Comments · Source: heartcombo/devise

Hi everybody, I'm posting here, because none of the answers in StackOverflow seem to work. So either I've got a bug with the library, or this issue can lead to an improvement of the documentation.

Environment

  • Ruby 2.7.0
  • Rails 6.0.3
  • Devise 4.7.1
  • Omniauth 1.9.1
  • omniauth-facebook 6.0.0

Current behavior

I've published my repo here: https://github.com/lionelrudaz/dunphy-api/tree/omniauth-facebook

I've followed the guide to enable Facebook login with Omniauth. I've done it three times. I've checked all the possible similar questions on Stackoverflow, including:

When I'm entering http://localhost:3000/users/auth/facebook/, I always get the same error.

Looks like I'm not the only one who has struggled with the error. What's strange is that most of the time, the issue either was fixed by redoing everything from scratch, restarting the server (which I did many times), upgrading rails (which I did as well from 6.0.2 to 6.0.3) or by waiting for the app to be enabled...

I've got no logs to provide, except this error.

Will be even more helpful if you provide a sample application or a test case that reproduces the error.

Expected behavior

I should be redirected to Facebook login.

Let me know if you need more information.

All 17 comments

Did you get any further with this? I'm getting the same problem.

No, I didn't. I changed the flow to make it work differently, taking the authorization code from the client, then sending it to my Rails app.

@lionelrudaz and @apchester please make sure you use method: :post for your links. Also make sure JS is working.
= link_to "Sign in with Facebook", user_facebook_omniauth_authorize_path, method: :post

@arcooverbeek Thanks! instantly fixes the issue for me, though this doesn't appear to be the default?

@arcooverbeek the thing is that I was in API mode for my Rails app, and my calls were done from a different frontend application. In this case, I don't think it makes sense to post to the URL, don't you think?

@arcooverbeek using method: :post leads to WARN -- omniauth: Attack prevented by OmniAuth::AuthenticityTokenProtection. How to fix Not found. Authentication passthru.?

Hey all, please note that using POST as the method is the new default in OmniAuth 2+, and that is to increase security and is definitely recommended.

Devise is upgrading to that default soon: https://github.com/heartcombo/devise/pull/5327, and so should you if possible. Check their release notes for more info: https://github.com/omniauth/omniauth/releases/tag/v2.0.0.

If you're getting to that error it means OmniAuth is not catching the route and doing its thing, and instead you're landing directly in Rails/Devise.

@lionelrudaz are you still encountering the problem you originally reported?

@carlosantoniodasilva thank you for coming back on this! So, another question, why is OmniAuth not catching the route?
routes.rb

devise_for :users, controllers: { omniauth_callbacks: 'omniauth_callbacks' }

Edit 1: I've recently upgraded to Rails 6.1.1 and Ruby 3.0.0. Could it be the reason?
Edit 2: I'm using this branch ref instead of the git ref directly:

gem 'devise', github: 'heartcombo/devise', branch: 'ca-omniauth-2'

Edit 3:

  • Tried to add method: :post to my link
  • skipped the authenticity check with skip_before_action :verify_authenticity_token, only: :facebook
  • kept getting WARN -- omniauth: Attack prevented by OmniAuth::AuthenticityTokenProtection

Temporary solution which worked for me is to downgrade to gem "omniauth", "~> 1.9.1" as by this answer.

Have you verified that the request is actually being sent as POST with the link using method: :post? That requires rails or jQuery UJS, if you're not using that in your app it may still be going through a normal GET request. You can also try changing to a button_to temporarily to test if that is the problem.

With OmniAuth 2.0+, OmniAuth.config.allowed_request_methods should default to just include :post, while previous versions should have :get and :post, that may be the reason that it's not working for you.

If that's not the case, it'd be nice if you could provide a sample app that shows the issue. I haven't been able to re-test everything myself yet with that branch. Thanks.

@Pandenok I think you need to set the OmniAuth.config.request_validation_phase.

See: https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0#rails

@jkowens YEAAAAH!

  1. Install the gem OmniAuth - Rails CSRF Protection
  2. Add the link user_facebook_omniauth_authorize_path method: :post
  3. Get the facebook omniauth working without downgrading!

Thank youuuu!
@carlosantoniodasilva sorry for the delay in answering. My bad...

Awesome, I'm happy to know that is working @Pandenok, and thanks for the direction @jkowens.

I'm gonna work on getting a new devise version released this week containing the patches in that branch.

@carlosantoniodasilva you're doing an amazing job!

@carlosantoniodasilva I have been going through your suggestions on different forums to fix OmniAuth and have landed on an AuthenticityTokenProtection error just like @Pandenok.

I'm using these two gems:

gem 'devise', github: 'heartcombo/devise', branch: 'ca-omniauth-2'
gem 'omniauth-facebook'

And calling the user_facebook_omniauth_authorize_path with method: :post

I tried installing OmniAuth - Rails CSRF Protection, but didn't exactly understand where I should set OmniAuth.config.request_validation_phase, so that didn't work and I keep landing on this:

Started POST "/users/auth/facebook" for ::1 at 2021-01-25 11:56:40 -0300
D, [2021-01-25T11:56:40.532147 #4264] DEBUG -- omniauth: (facebook) Request phase initiated.
W, [2021-01-25T11:56:40.532787 #4264]  WARN -- omniauth: Attack prevented by OmniAuth::AuthenticityTokenProtection
E, [2021-01-25T11:56:40.532940 #4264] ERROR -- omniauth: (facebook) Authentication failure! authenticity_error: OmniAuth::AuthenticityError, Forbidden
Processing by Users::OmniauthCallbacksController#failure as HTML

Any thoughts on how to fix this would be super appreciated.

@juliaf1 did you see the Omniauth 2.0 upgrade wiki? https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0#rails

You can either add gem "omniauth-rails_csrf_protection" to your Gemfile or follow the instructions to manually set OmniAuth.config.request_validation_phase.

@juliaf1 right, from my understanding the only thing you should need (aside from using that branch and OmniAuth 2) is what @jkowens mentioned above: add the omniauth-rails_csrf_protection to your Gemfile, and make sure that's at least ~> 1.0.

That combined with initiating the OAuth flow using a POST request (using button_to or link_to + method: :post) should be enough to get it working.

I'll probably include some documentation around this on the Devise side (changelog/readme/wiki), I'm sure more people will hit issues upgrading and will come looking here first.

@juliaf1 Julia,

I tried installing OmniAuth - Rails CSRF Protection, but didn't exactly understand where I should set OmniAuth.config.request_validation_phase, so that didn't work and I keep landing on this..

If you installed the gem, you don't need to add anything, it's the gem itself that will add request validation on any post request, so make sure as @carlosantoniodasilva stated to use a link_to + method: :post or button_to which will make by default a post request.
Please check that your omniauth gem is really updated to the latest version by running bundle update omniauth

Hope this will help!

Edit: typos and formatting edited
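
The three outcomes discussed in this thread, as an added example that is not part of the original issue and is not OmniAuth's or Devise's code: a simplified pure-Ruby model of the request-phase decision. RequestPhaseModel, its outcome symbols and the sample token are hypothetical; the defaults follow the thread's description of OmniAuth 2 (POST only, authenticity token validated).

```ruby
require "securerandom"

# Simplified model, NOT OmniAuth's or Devise's code. Class, method and outcome
# names are hypothetical; defaults mirror what the thread says about OmniAuth 2.
class RequestPhaseModel
  def initialize(allowed_request_methods: [:post], validate_token: true)
    @allowed = allowed_request_methods
    @validate_token = validate_token
  end

  def self.issue_token(session)
    session[:csrf] = SecureRandom.hex(16) # token rendered into the form
  end

  # verb: :get or :post; session/params: plain hashes standing in for Rack data
  def call(verb, path, session: {}, params: {})
    on_request_path = path.match?(%r{\A/users/auth/\w+/?\z})
    # A verb outside the allow-list is not intercepted, so the request falls
    # through to Rails/Devise: "Not found. Authentication passthru."
    return :passthru unless on_request_path && @allowed.include?(verb)
    # Intercepted, but the CSRF token is missing or wrong: the log shows
    # "Attack prevented by OmniAuth::AuthenticityTokenProtection".
    if @validate_token && !token_ok?(session[:csrf], params["authenticity_token"])
      return :authenticity_error
    end
    :redirect_to_provider
  end

  private

  # Constant-time comparison of two equal-length strings.
  def token_ok?(expected, given)
    return false unless expected && given && expected.bytesize == given.bytesize
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Constructed walk-through of the three outcomes reported in the thread.
def thread_outcomes
  session = {}
  token = RequestPhaseModel.issue_token(session)
  model = RequestPhaseModel.new
  post = ->(params) { model.call(:post, "/users/auth/facebook", session: session, params: params) }
  {
    get_link: model.call(:get, "/users/auth/facebook/", session: session),
    post_without_token: post.call({}),
    post_with_token: post.call({ "authenticity_token" => token }),
  }
end
```

Constructing the model with allowed_request_methods: [:get, :post] and validate_token: false makes the plain GET link reach the provider redirect, which is the trade-off behind the downgrade workaround mentioned earlier.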
