Latest omniauth-facebook gem breaks devise

11
votes

ruby '2.6.3' gem 'rails', '~> 6.0.2', '>= 6.0.2.1'

I'm using the latest omniauth-facebook and devise together Gemfile: gem 'devise' gem 'omniauth-facebook'

Getting this error when starting the server:

/versions/2.6.3/lib/ruby/gems/2.6.0/gems/devise-4.7.3/lib/devise/omniauth.rb:12:in `': You are using an old OmniAuth version, please ensure you have 1.0.0.pr2 version or later installed. (RuntimeError)

The problem is that if I try to use older omniauth-facebook versions the server works but then the Facebook authentication stops working properly (e.g. fails including emails despite

scope: 'email', info_fields: 'email,name'

in devise.rb. )

I have tried many different version combinations of omniauth-facebook and devise. Either Facebook-authentication stops working properly or the server fails (see above).

5
ruby-on-railsdeviserubygemsomniauthomniauth-facebook
This is a known issue with devise and there is a PR github.com/heartcombo/devise/pull/5327dbugger

5 Answers

19
votes

Using

gem 'devise', github: 'heartcombo/devise', branch: 'ca-omniauth-2'

In Gemfile will fix the problem, awaiting a merge.

Updated my answer based on Carlos answer below, I was in a rush when I posted this using ref.

Thank You, Carlos for maintaining Devise.

11
votes

This is Carlos, Devise maintainer. Please keep an eye on that Pull Request linked above, I just shared how you can test it in your app there:

I'd recommend using the branch ref instead of the git ref directly:

gem 'devise', github: 'heartcombo/devise', branch: 'ca-omniauth-2'

With that you should be able to run bundle update devise omniauth which should hopefully give you OmniAuth 2 and this Devise branch. That should allow the app to boot up.

Lastly, if you've copied over the Devise shared links on your app, or if you have your own links to initiate the OmniAuth authentication flow, you need to make sure they're changed to use a form. (you can do that by using link_to with method: :post option for example, or using button_to, if that works for your app.) Please note that this is a requirement change in how OmniAuth work due to a security issue, read more.

If you run into any issues please comment back in GitHub, and we'll work to get them resolved soon so we can release a new Devise version that fully supports OmniAuth 2. Thanks.

6
votes

Devise 4.8.0 (shipped yesterday) resolves this.

2
votes

Please downgrade OmniAuth:

gem "omniauth", "~> 1.9.1"

That's worked for me.

1
votes

I'm pretty sure the issue is related to this devise PR, https://github.com/heartcombo/devise/pull/5327

Devise currently has a version check that doesn't include OmaniAuth > 1.x.x