I use the omniauth-openid gem to implement OpenID login. In my OmniAuth callback method I do something like this (simplified, but it conveys the important details):
    def google
      oauth = request.env['omniauth.auth']   # auth hash populated by the OmniAuth strategy
      if @user = User.find_by_email(oauth.info.email)
        sign_in(@user) and redirect_to '/dashboard'
      end
    end
This is effectively what the OmniAuth documentation on GitHub shows; and yet it feels very insecure to me. All an attacker has to do is manually change the info.email parameter in the callback URL, and they can log in as any other user.
Is this a fundamental flaw in OmniAuth? Or is there some way to confirm that the parameters passed to the OmniAuth callback method were actually sent by the OpenID provider and not changed by the bad guy?
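The question is whether a relying party can tell a provider-issued assertion from a tampered one. The following is an added example, not code from the question or from the omniauth-openid gem: a simplified model of how an OpenID 2.0 relying party checks the provider's signature over the callback fields before trusting any of them. It assumes an HMAC-SHA256 association key (`DEMO_MAC_KEY`, constructed), a constructed set of callback parameters, and omits the nonce and return_to checks a real relying party also performs.

```ruby
require 'openssl'
require 'base64'

# Constructed stand-in for the MAC key shared with the provider during the
# association handshake; a real relying party stores it per association handle.
DEMO_MAC_KEY = 'constructed-shared-secret-from-association'.b

# OpenID 2.0 signs the key-value form of the fields listed in openid.signed,
# in that order, with the "openid." prefix stripped.
def kv_form(params, signed_fields)
  signed_fields.map { |f| "#{f}:#{params.fetch("openid.#{f}")}\n" }.join
end

def sign_assertion(params, mac_key)
  signed = params.fetch('openid.signed').split(',')
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', mac_key, kv_form(params, signed)))
end

# Constant-time comparison so a tampered signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the asserted email only if (1) every field we rely on is covered by
# the signature and (2) the signature verifies. Otherwise returns nil, which is
# what a callback should treat as "do not sign anyone in".
def email_from_callback(params, mac_key, required: %w[mode claimed_id ext1.value.email])
  signed = params.fetch('openid.signed', '').split(',')
  return nil unless (required - signed).empty?            # email stripped from signed list?
  return nil unless signed.all? { |f| params.key?("openid.#{f}") }
  return nil unless secure_equal?(sign_assertion(params, mac_key), params['openid.sig'].to_s)
  params['openid.ext1.value.email']
end

# Builds a constructed positive assertion the way a provider would, for testing.
def build_assertion(email, mac_key)
  params = {
    'openid.mode'             => 'id_res',
    'openid.claimed_id'       => 'https://example.test/id/alice',   # constructed
    'openid.ext1.value.email' => email,
    'openid.signed'           => 'mode,claimed_id,ext1.value.email',
  }
  params.merge('openid.sig' => sign_assertion(params, mac_key))
end
```

Editing openid.ext1.value.email in the callback URL changes the key-value form, so the provider's signature no longer matches and the email is rejected rather than used for login.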