token_state cookie is not set correctly in OAuth flow #472

@gregouzdev

Description

During the OAuth login flow (tested with Azure AD), the cookie token_state is never set in the browser.
As a result, when the callback endpoint is called, cookies[:token_state] is empty and the following check in OAuthsController#callback always fails:

    unless reason == "test"
      return unless cookies[:token_state] == params[:state]
      cookies.delete(:token_state, domain: ".#{request.domain}")
    end

This prevents the OAuth login from working. However, if I skip the cookie verification, the login works.


Steps to reproduce

  1. Deploy Astuto behind a reverse proxy (nginx) with HTTPS.
  2. Configure an OAuth provider (Azure AD in my case).
  3. Start the login flow via OAuth.
  4. Inspect cookies in the browser (Firefox/Chrome).
    • token_state is missing.
    • Only _app_session and remember_user_token appear.
  5. Callback request fails with No template for interactive request / state mismatch.

Root cause analysis
In OAuthsController#start, the cookie is set with:

    cookies[:token_state] = {
      value: token_state,
      domain: ".#{request.domain}",
      httponly: true
    }
  • request.domain returns only the top-level domain (e.g. org) instead of the full host (feedback.mydom.org).
  • Therefore, Rails tries to set the cookie for .org.
  • Modern browsers reject this cookie because the request host is feedback.mydom.org, not org.

This results in the cookie never being stored in the browser.


In /app/controllers/o_auths_controller.rb, line 33, I modified it like this to see the returned values:

    def callback
      reason, tenant_domain, token_state = params[:state].split(TOKEN_STATE_SEPARATOR, 3)

      Rails.logger.warn "[OAuth DEBUG] -=-=-=-=-=-=-"
      Rails.logger.warn "[OAuth DEBUG] Parsed reason=#{reason}, tenant_domain=#{tenant_domain}, token_state=#{token_state}"
      Rails.logger.warn "[OAuth DEBUG] cookies[:token_state] = #{cookies[:token_state]}"
      Rails.logger.warn "[OAuth DEBUG] params[:state] = #{params[:state]}"
      Rails.logger.warn "[OAuth DEBUG] request.domain = #{request.domain}"
      Rails.logger.warn "[OAuth DEBUG] -=-=-=-=-=-=-"

This gave the following result:

    [OAuth DEBUG] -=-=-=-=-=-=-
    [OAuth DEBUG] Parsed reason=login, tenant_domain=default, token_state=TE9y3-vXmDvvrVs9wF1Uu7N88FxczQ
    [OAuth DEBUG] cookies[:token_state] = 
    [OAuth DEBUG] params[:state] = login,default,TE9y3-vXmDvvrVs9wF1Uu7N88FxczQ
    [OAuth DEBUG] request.domain = org
    [OAuth DEBUG] -=-=-=-=-=-=-

Environment

  • Astuto version: latest
  • Deployment: Docker + nginx reverse proxy
  • Browser: Firefox / Chrome
  • OAuth provider: Azure AD
  • BASE_URL : https://feedback.mydom.org

Thank you for your help
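To illustrate the failure described in this report, here is an added example that is not part of Astuto or of the report itself. It replicates the label-count rule Rails uses for `request.domain` (governed by the `tld_length` setting, where a value of 0 yields the `org` seen in the logs) and then checks, following RFC 6265 domain matching plus the public-suffix rule, whether a browser would store a `token_state` cookie scoped to that domain. The public-suffix list is a small constructed stand-in for the real one.

```ruby
# Added example (not Astuto's code): why a cookie with Domain=.org is dropped
# by the browser, and how tld_length changes what request.domain yields.
require "set"

# Mirrors the Rails rule behind request.domain: keep the last
# (1 + tld_length) dot-separated labels of the host.
def rails_domain(host, tld_length = 1)
  host.split(".").last(1 + tld_length).join(".")
end

# Constructed stand-in for the Public Suffix List (the real list is far longer).
PUBLIC_SUFFIXES = Set["org", "com", "net", "co.uk"].freeze

# RFC 6265 domain matching (5.1.3) plus the public-suffix check (5.3 step 5):
# a cookie with Domain=d is stored for request host h only if
#   * d (leading dot stripped) equals h or is a dot-separated suffix of h, and
#   * d is not a public suffix (unless it is exactly the host).
# Returns [accepted, reason].
def cookie_domain_accepted?(request_host, cookie_domain)
  return [true, "host-only cookie"] if cookie_domain.nil? || cookie_domain.empty?
  d = cookie_domain.sub(/\A\./, "").downcase
  h = request_host.downcase
  unless h == d || h.end_with?(".#{d}")
    return [false, "#{d} does not domain-match #{h}"]
  end
  if PUBLIC_SUFFIXES.include?(d) && h != d
    return [false, "#{d} is a public suffix"]
  end
  [true, "stored for #{d} and its subdomains"]
end

# Walk the host from the report through tld_length 0, 1 and 2 and report
# what Domain= attribute results and whether the browser would keep it.
def demo(host = "feedback.mydom.org")
  [0, 1, 2].map do |tld_length|
    domain = ".#{rails_domain(host, tld_length)}"
    accepted, reason = cookie_domain_accepted?(host, domain)
    [tld_length, domain, accepted, reason]
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |tld_length, domain, accepted, reason|
    status = accepted ? "stored" : "REJECTED"
    puts "tld_length=#{tld_length} Domain=#{domain.ljust(20)} #{status} (#{reason})"
  end
end
```

Setting no `domain:` at all (a host-only cookie) is also accepted, which the first branch of `cookie_domain_accepted?` shows.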
