cookpad / omniauth-rails_csrf_protection

Provides CSRF protection on OmniAuth request endpoint on Rails application.

request.env['omniauth.params'] does not work with post

cpinto opened this issue

Thank you so much for creating this lib to mitigate OmniAuth's CVE.

After applying it I noticed our app stopped receiving a couple of parameters in the callback. It appears that in the default OmniAuth::Strategy, the request_call method sets the session['omniauth.params'] from request.GET.

Are you able to confirm that this is a side-effect of the mitigation strategy? If so, would you be able to recommend a workaround?

Thank you again.

Sorry for this, on further inspection the issue is on our end.