Rails: Which oauth/oauth2 middleware to use? - ruby-on-rails

I am pretty much overwhelmed by the diversity of oauth/oauth2 rack middleware projects on github.
First question: Is oauth deprecated? Am I only up-to-date with an oauth2 middleware? Is oauth1 insecure?
What if I want to provide an authorization procedure myself? I am sorry if I am not using the oauth terminology correctly. I mean that I don't want - at least not from the beginning - to use a provider like Facebook or Twitter for login, but I want to maintain my own user accounts.
Not wanting an external provider (in the beginning at least), I got referred to OmniAuth Identity.
Letdown: There are almost no tutorials, especially no up-to-date ones. There is mainly only the Railscast on it from 2011.
And the examples in the github page only state things like
# Anything else you want!
or
# whatever else you want!
Also no Wiki here.
So what is the to-go-for up-to-date oauth1/2 middleware if you want to be able to take a pass on external providers, please?
What's with the obviously "vanilla" OmniAuth

Related

omniauth vs. oauth-plugin

I'm trying to figure out the differences between omniauth (https://github.com/intridea/omniauth) and oauth-plugin - (https://github.com/pelle/oauth-plugin)
I'm simply looking for a way to allow my users to authenticate with (Twitter, Facebook, etc) within my app.
I know omniauth provides this, but I'm running rails 2.3.10 which I don't believe is supported by omniauth. Can I use oauth-plugin? It also seems to have a lot fewer dependencies. Any thoughts are appreciated.
I have to disagree with the previous answers.
oauth-plugin is
a plugin for implementing OAuth Providers and Consumers in Rails applications.
It provides two generators (one for implementing an OAuth provider, one for the consumer) which create the models, the views and the controllers. The way the controllers work, is that they are subclasses of controllers defined in the gem. It's tied into Rails pretty deeply, and can only do OAuth.
omniauth, on the other hand, is a modular, framework-agnostic library that allows you to provide authentication via a multitude of providers.
Concretely, it means that you set up two endpoints (/auth/:provider and /auth/:provider/callback), have your user authenticate with the provider, and receive a hash with the user's info in return.
TL;DR
If you only need to provide authentication via Facebook/Twitter/OAuth/etc (i.e. you want to be an OAuth consumer), then omniauth is definitely more lightweight.
If you want to run an OAuth provider, oauth-plugin might be more straightforward, but it tends to be a lot more bloated, in my opinion, since it injects a lot of boiler-plate code into your app.
Omniauth is a mega-authorization gem, giving you access to the OAuth processes for a whole list of web services (Twitter, Facebook, Foursquare, Gowalla, Netflix, YouTube, etc, etc), so you can call specific functions for each service and get it set up quickly.
The oauth-plugin you mention appears to just set you up with an OAuth general setup, and you'd have to do the API hookups for each service yourself. More lightweight, so if you only need Twitter services, for example, that might be a better way to go, although I'd still probably check out Omniauth to see how big of a performance drain it is, because it's going to be a lot easier to use overall.

How do I connect to Gmail's IMAP server using oauth in Rails3?

I found the gmail_xoauth gem, which does most of what I need, but I also need to generate the oauth tokens (consumer_key and consumer_secret) from inside Rails3.
I am trying to integrate Gmail's oauth integration into my site and hence cannot use the python script that the above gem refers to. I would like my site to take the user to the authentication page and extract the consumer_key/secret tokens.
I am new to OAuth, so maybe there's something obvious that I am missing.
UPDATE: I solved the above, and have written a blog post with the details (since it's too big to fit here).
http://blog.asif.in/blog/2012/03/03/google-oauth-and-rails/
You may want to check out OmniAuth. It's a gem that encapsulates/abstracts a lot of the underlying protocol work that must be done for OAuth, as well as other authentication/authorization protocols like OpenID and LDAP. I'm not well versed on Google's API for sending/receiving email, but authenticating is the first step.
The OmniAuth wiki has a very good tutorial on using it with OpenID and Google Apps, although this may not be quite what you're looking for when it comes to IMAP. You may need to write your own provider for OmniAuth (a good tutorial describing this is available). Google also provides a reference site for authenticating/authorizing via IMAP and OAuth. The most relevant part of that to you would most likely be the page detailing the protocol.
Hope that helps!
I'm not going to write the full code for you, but do you know PHP? You could have a look at the way this example works:
http://googlecodesamples.com/docs/php/Docs.php
...then make something similar in Ruby.
This is a Google Code Sample from the following site:
http://googlecodesamples.com/

Rails two-legged OAuth provider?

I have a rails 2.3.5 application with an API I wish to protect.
There is no user - it is an app to app style webservice (more like an Amazon service than facebook), and so I would like to implement it using a two-legged OAuth approach.
I have been trying to use the oauth-plugin server implementation as a start:
http://github.com/pelle/oauth-plugin
...but it is built expecting three-legged (web redirect flow) oauth.
Before I dig deeper into making changes to it to support two-legged, I wanted to see if there was an easier way, or if someone had a better approach for a rails app to implement being a two-legged OAuth provider.
Previously, the only good answer was to hack about in the oauth-plugin to get this subset of the oauth interaction. Since then, the oauth-plugin was refactored, and now you can use it straight up, just by adding the right type of authentication filter to your controller:
class ApiController < ApplicationController
  include OAuth::Controllers::ApplicationControllerMethods
  oauthenticate :strategies => :two_legged, :interactive => false
  # ...
end
I'm not aware of any alternatives to oauth-plugin at the moment, though it is definitely getting long in the tooth and ripe for a replacement. My recommendation is to generate the oauth server from oauth-plugin, then extract the dependencies from the plugin (which are just a couple modules worth of methods) and trash the plugin. Then tweak everything to your needs. 2-legged oauth should not be a big problem since it is simpler than 3-legged anyway, and my feeling is that oauth-plugin is not usable these days without significant modifications anyway.
The meat of OAuth has long been extracted into the base oauth gem anyway, so the oauth-plugin is sort of in limbo. The architecture makes some heavy-handed assumptions about what authentication system you are using, and the generated code is dated. So to me, oauth-plugin serves more as an example of how to wire everything up rather than something that most sites would want to use out of the box.
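What a two-legged OAuth 1.0 provider has to check on each request, as an added example that is not part of the original answers and is not oauth-plugin's code: an HMAC-SHA1 signature keyed only by the consumer secret, a timestamp window, and nonce replay. The consumer key and secret, the 300-second skew and the in-memory nonce set are constructed assumptions, and the caller is assumed to pass the normalized request URL (no query string) plus all query, body and oauth_ parameters merged into one hash.

```ruby
require 'openssl'
require 'set'

# Constructed sample registry: consumer key => consumer secret (made-up values).
CONSUMERS = { 'sample-consumer-key' => 'sample-consumer-secret' }.freeze
MAX_SKEW = 300          # seconds of clock skew tolerated (assumed policy)
SEEN_NONCES = Set.new   # in-memory for the demo; a real provider needs a shared store

# RFC 5849 percent-encoding: only unreserved characters pass through unescaped.
def pct(s)
  s.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Signature base string: METHOD & encoded URL & encoded, sorted parameters.
# oauth_signature itself is never part of the signed data.
def base_string(method, url, params)
  pairs = params.reject { |k, _| k == 'oauth_signature' }
                .map { |k, v| [pct(k), pct(v)] }.sort
  [method.upcase, pct(url), pct(pairs.map { |kv| kv.join('=') }.join('&'))].join('&')
end

# Two-legged: there is no token, so the HMAC key is "<consumer secret>&".
def sign(method, url, params, consumer_secret)
  key = "#{pct(consumer_secret)}&"
  [OpenSSL::HMAC.digest('SHA1', key, base_string(method, url, params))].pack('m0')
end

# Comparison whose running time does not depend on where the strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ok, or a symbol naming why the request is rejected.
def verify_two_legged(method, url, params, now: Time.now.to_i)
  key = params['oauth_consumer_key']
  secret = CONSUMERS[key]
  return :unknown_consumer unless secret
  return :bad_method unless params['oauth_signature_method'] == 'HMAC-SHA1'
  return :stale_timestamp if (now - params['oauth_timestamp'].to_i).abs > MAX_SKEW
  return :bad_signature unless secure_equal?(sign(method, url, params, secret), params['oauth_signature'].to_s)
  # Record the nonce only after the signature checks out, so unsigned traffic cannot fill the store.
  return :replayed_nonce unless SEEN_NONCES.add?([key, params['oauth_timestamp'], params['oauth_nonce']])
  :ok
end
```

In a Rails controller this check would sit in a before filter, which is the role the `oauthenticate` filter plays in the answer above.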

Login/Register in Ruby on Rails?

I'm starting to learn RoR and I want to make my personal blog in this language. I usually code a couple of prototypes on top of whatever I'm doing in my blog. So I would like people to be able to log in, and register with their OpenID. So I was about to jump to the coding place when I realized the concept of gems and all that stuff is giving you tools for this kind of thing.
So is there some kind of package to manage users, profiles and openId?
Check out technoweenie's restful-authentication plugin.
I'd advise you to look at bort as a complete RoR skeleton app with RESTful auth built in, one of its forks here, or at AuthLogic, a less intrusive auth solution for Rails (and Merb and some others).
Take a look at the bort skeleton app. It has restful auth and openid authentication already setup among other things.
Railscasts also has a number of screencasts about setting up authentication, restful authentication and OpenID.
One thing you want to be aware of to avoid hours of headache: the Ruby OpenID library changed substantially with OpenID 2.0, so if you're using a plugin or example code from a blog, be sure you're using the version of OpenID to which it corresponds.
There are several plugins; one with lot of activity is open_id_authentication.
Dan Webb has a good guide to OpenID authentication in Rails that walks you through writing the actual code, but note that, at least last I checked, it hadn't been updated for OpenID 2.0.

How do I implement an OpenID server in Rails?

I see a similar question for Ubuntu, but I'm interested in hosting my own OpenID provider through my Rails-based site that already has an identity and authentication system in place.
Note that I'm not looking for the delegate method to use the site as an OpenID.
What's the best way to do this properly?
This "No Shit Guide To Supporting OpenID In Your Applications"
seems to be a step-by-step tutorial for what you want to do.
Railscasts episode 68 OpenID authentication describes how to do exactly this. It's about a year old, so you may have to do some stuff differently. I'd also strongly for either an updated or newer OpenID plugin (the link for the one in the video is labeled "outdated").
Err, wait, that is to support OpenID authentication in a Rails application you are writing, not to run an OpenID endpoint in Rails. Here is a guide to implementing an OpenID server/endpoint in Rails pretty much from scratch. gem install openid-server might be easier, but you'll learn more implementing it yourself, and the code is pretty simple.
This reminds me that the overview docs for ruby-openid server are still missing. But you can see the example, and until the docs are ported over, see the docs for the python implementation which follows the same object model.
