Updating Omniauth from version 1 to 2

We recently updated a Rails app from Omniauth 1 to 2. We did some research and used the Omniauth upgrade wiki. It looked complicated but in the end, there were only two changes required.

Making buttons POST requests

We use link_to to generate our ‘Sign in with GitHub’ buttons. The code looks like this:

<%= link_to "Sign in with GitHub", user_github_omniauth_authorize_path, class: 'btn btn-outline-primary' %>

This won’t work with Omniauth 2 because POST is now the only allowed request_phase method. The simplest fix is to force link_to to send a POST by adding method: :post:

<%= link_to "Sign in with GitHub", user_github_omniauth_authorize_path, method: :post, class: 'btn btn-outline-primary' %>
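
To find every remaining sign-in link before deploying the upgrade, the views can be scanned for request-phase helpers that are not forced to POST. This is an added example, not code from the original post or from the Omniauth project; audit_omniauth_links and the sample view are constructed for illustration, and the helper-name pattern assumes route helpers named like the user_github_omniauth_authorize_path shown above.

```ruby
# Added example: flag OmniAuth request-phase links that are not sent as POST.
# Assumes helpers are named like the page's user_github_omniauth_authorize_path.
AUTHORIZE_HELPER = /\b\w+_omniauth_authorize_(?:path|url)\b/
# `method: :post` / `method: "post"` (rails-ujs) or `turbo_method: :post` (Turbo).
POST_OPTION = /\b(?:turbo_)?method:\s*(?::post\b|["']post["'])/
ANY_METHOD_OPTION = /\b(?:turbo_)?method:/
ERB_TAG = /<%=?(.*?)%>/m

# Returns [{ line:, code:, reason: }, ...] for each ERB tag in `source` that
# calls an authorize helper without forcing POST.
def audit_omniauth_links(source)
  findings = []
  source.scan(ERB_TAG) do
    match = Regexp.last_match
    code = match[1].strip
    next unless code.match?(AUTHORIZE_HELPER)
    next if code.match?(POST_OPTION)
    # button_to renders a form and defaults to POST when no method: is given.
    next if code.start_with?("button_to") && !code.match?(ANY_METHOD_OPTION)

    reason = if code.match?(ANY_METHOD_OPTION)
               "method: is set, but not to the symbol :post"
             else
               "no method: option, so the link is sent as GET"
             end
    findings << { line: match.pre_match.count("\n") + 1, code: code, reason: reason }
  end
  findings
end

# Constructed sample view covering the cases a real app is likely to contain.
SAMPLE_VIEW = <<~'ERB'
  <%= link_to "Sign in with GitHub", user_github_omniauth_authorize_path, class: 'btn' %>
  <%= link_to "Sign in with GitHub", user_github_omniauth_authorize_path, method: post, class: 'btn' %>
  <%= link_to "Sign in with GitHub", user_github_omniauth_authorize_path, method: :post, class: 'btn' %>
  <%= button_to "Sign in with GitHub", user_github_omniauth_authorize_path, class: 'btn' %>
  <%= link_to "Home", root_path %>
ERB

if __FILE__ == $PROGRAM_NAME
  audit_omniauth_links(SAMPLE_VIEW).each do |f|
    puts "line #{f[:line]}: #{f[:reason]}\n  #{f[:code]}"
  end
end
```

In a real app, call audit_omniauth_links(File.read(path)) for each file under app/views and fail the build if any findings come back.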

Adding omniauth-rails_csrf_protection

After updating your Omniauth request phase links to POST requests, the next thing to do is include the omniauth-rails_csrf_protection gem. It inserts a Rails CSRF token verifier that runs before the request phase. Rails handles CSRF tokens in form helpers by default, but for manually crafted link_to buttons you’ll need the omniauth-rails_csrf_protection gem to add a CSRF token verifier.

That’s it! Reload your Rails app and Omniauth will be working.