Address CVE-2015-9284 for generic Rack apps (eg Sinatra) for Omniauth

config.ru

require 'omniauth/strategies/<your strategy>'
require_relative 'omniauth_authenticity_checker'

OmniAuth.config.allowed_request_methods = [:post]
OmniAuth.config.before_request_phase = OmniauthAuthenticityChecker.new(reaction: :drop_session)


# And if you haven't already, you should be loading in the `Rack::Protection` middleware:

use Rack::Protection, reaction: :drop_session, use: :authenticity_token

# You will also need to make sure your users are POSTing to your authorise route, and not simply 
# linking/redirecting to it. This change would make GETing the authorise route 404 so you may wish to
# handle this by rendering a nicer error message, and/or rendering a form with a button to POST to your
# authorise route.

omniauth_authenticity_checker.rb

require 'rack-protection'

class OmniauthAuthenticityChecker < Rack::Protection::AuthenticityToken
  def initialize(options = {})
    @options = default_options.merge(options)
  end

  def call(env)
    unless accepts? env
      instrument env
      react env
    end
  end

  def deny(env)
    warn env, "attack prevented by #{self.class}"
    raise Net::HTTPForbidden, options[:message]
  end
end

Not sure I can add anything. No doubt something else in your app is configured differently - middleware order etc.

If your solution works for you and it verifies the authenticity token (and acts appropriately on failure) then happy days.

Absolutely! Thanks for pointing me in the right direction.