Rails API authentication for SPA and Client App - ruby-on-rails

I created a Rails API application that is currently doing its job awesomely, but I realized that it is missing the most important part: a login from the React application and, at the same time, authentication from a Python application I developed that should consume those APIs as well.
Now, looking at the various offerings, it all seems fuzzy, at least from my perspective, and I would like advice that is not from 2016 or before but is current today.
Many solutions on the net were cluttering the main ApplicationController, which didn't make sense to me.
So I thought that a 'modern' way, or let's say 'a way', is to use Doorkeeper and Devise.
I thought about Doorkeeper because it allows me to have 'Applications', so I can delegate the authentication to applications in the proper way while using JWT for the SPA, but honestly I don't know where to start deciding :)
I wanted to share here also the link of a blog post that inspired this question: https://www.vic-l.com/jwt-with-refresh-token-using-devise-and-doorkeeper-without-authorization/
Sadly, something I found that is still without an answer at the moment is "Setting up DoorKeeper with multiple Rails/React applications?"
Now, can I use Doorkeeper to manage the JWT for the SPA and the applications for the Python client?
Thanks in advance!

Related

Best authentication strategy for Ruby on Rails API only server (with ActiveAdmin)

I have a project where I want to develop the frontend in Next.js (requests based on the fetch API from JS) and the backend in RoR, and I am having a hard time getting the user authentication to work. I have researched and found four possible solutions:
Sessions and cookies
JWT
devise_token_auth
devise-jwt
I have tried to implement some of them, but I always end up getting a server error on client requests at some point. I would like to know if anyone has any resources where I can learn more about it so I can implement such authentication in my project.
If I could take advantage of Devise it would be even better, since I already have it set up for ActiveAdmin (I want to use the admin dashboard).
Thanks a lot in advance.
I used to use devise, but have since moved to AWS Cognito which handles everything for you and is customizable as needed. You might look into it.
https://aws.amazon.com/cognito/

ASP.NET Web API OAuth client and provider

I have been tasked with creating a Web API for our mobile application and future 3rd parties to use in order to access our data, etc.
That alone is simple enough, but then I need to secure it. Initially, after reading about OAuth and doing some research, I decided to go the home grown token based route utilizing best practices found online for security. My prototype worked wonderfully but unfortunately the company wants to use OAuth since it's a recognizable standard and considered marketable to our clients.
Soooo, after banging my head against multiple walls the past few days I am curious if anyone has an implementation using OAuth as a service provider and then an ASP.NET Web API client as consumer.
The workflow envisioned is that the mobile application would hit the API which in turn would expect token(s) issued from our self-hosted OAuth service provider. I've yet to find any comprehensive documentation or examples online about this. So far everything I've seen is very piecemeal and therefore incredibly frustrating trying to implement anything.
Well - there is the OAuth spec of course (since you seem to like to handcraft things ;)) https://www.rfc-editor.org/rfc/rfc6749 and the corresponding threat model - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-threatmodel-08
Our OAuth2 authZ server / sec library has an implementation as well - I compiled some docs here: https://github.com/thinktecture/Thinktecture.IdentityServer.v2/wiki

Rails: token authentication from scratch

I've got a rails app I want to start enabling some iOS integration with. I have a basic authentication system built mostly from scratch with a little help from Sorcery.
My understanding is there's basically two options for mobile integration: HTTP Basic Auth or Token Auth. From what I've been able to find so far it looks like Token Authentication is the preferred method.
I am not familiar with what token authentication is or how it is supposed to work, and I have not really been able to find any decent guides on this, except for a few tutorials on how to use the relevant module in the Devise library.
So, my question is, what is the basic theory of Token Authentication, and what would a from-scratch token auth system in rails look like? I understand that sharing the code for the entire system might be overkill for an SO answer, but I would be very grateful if anyone can help me understand a basic schematic of how such a system is supposed to work. I'd also happily accept links to any good existing materials on how to do this from scratch, as the main problem is I haven't been able to find anything like that.
Thanks!
Devise and Authlogic have a nice Token Authentication solution. You can either use one of these gems or, to implement your own, check their source code for inspiration.
Below is my understanding of how token authentication works:
1. The user signs in using a username/password combination through a POST request.
2. You authenticate the user, generate a unique token and store it in the db.
3. You send this token back to the iOS device.
4. The device stores this token in memory.
5. Any subsequent call to the API needs this token passed in as an additional param to auth the user.
6. For this process to be secure this token needs to have an expiration date, and the communication between the iOS device and the server must be encrypted through SSL.
7. For convenience you can store the user credentials on the device using the iOS keychain.
I hope this helps.
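The flow described in the answer above, as an added example in plain Ruby that is not code from the answer, from Devise or from Authlogic. It follows the same steps (password sign-in, token issue, token lookup on later requests, expiry) and goes one step beyond the answer by storing only a SHA-256 digest of the token, so a copied database does not yield usable tokens, and by adding an explicit revoke. The user table, the in-memory token store standing in for the db, the one-day TTL and the password are all constructed for the example; in a Rails app the store would be an ActiveRecord model and the password hashing would come from Devise/Sorcery (bcrypt) rather than the PBKDF2 used here to stay dependency-free.

```ruby
require "securerandom"
require "digest"
require "openssl"

# --- constructed user table (hypothetical; stands in for a users table) ---
PBKDF2_ITERATIONS = 100_000

def password_digest(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: "sha256")
end

ALICE_SALT = SecureRandom.hex(16)
USERS = {
  "alice" => { id: 42, salt: ALICE_SALT,
               password_hash: password_digest("correct horse battery", ALICE_SALT) }
}.freeze

# --- token store (hypothetical; stands in for an api_tokens table) ---
# key: SHA-256 hex digest of the raw token; value: user_id and expiry.
TOKEN_STORE = {}
TOKEN_TTL   = 24 * 60 * 60 # assumed policy: tokens live one day (step 6)

# Constant-time byte comparison so a wrong password is not detectable
# one byte at a time from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1 + 2: verify username/password, then issue a token.
# Returns the raw token (to be sent to the device) or nil on failure.
def sign_in(username, password, now: Time.now)
  user = USERS[username]
  return nil unless user
  return nil unless secure_compare(password_digest(password, user[:salt]), user[:password_hash])
  issue_token(user[:id], now: now)
end

# Step 2: 256 bits of randomness; only the digest is persisted, so the
# raw token exists only on the device and in this one response.
def issue_token(user_id, now: Time.now)
  raw = SecureRandom.urlsafe_base64(32)
  TOKEN_STORE[Digest::SHA256.hexdigest(raw)] = { user_id: user_id, expires_at: now + TOKEN_TTL }
  raw
end

# Step 5 + 6: resolve a presented token to a user_id, or nil if unknown or
# expired. Looking up by digest means an attacker never controls the bytes
# being compared, so a plain hash lookup is fine here.
def authenticate(raw_token, now: Time.now)
  return nil unless raw_token.is_a?(String) && !raw_token.empty?
  key = Digest::SHA256.hexdigest(raw_token)
  record = TOKEN_STORE[key]
  return nil if record.nil?
  if record[:expires_at] <= now
    TOKEN_STORE.delete(key) # lazy cleanup of expired rows
    return nil
  end
  record[:user_id]
end

# Logout / compromise handling: true if a live token was removed.
def revoke_token(raw_token)
  !TOKEN_STORE.delete(Digest::SHA256.hexdigest(raw_token)).nil?
end

# The "additional param" from step 5, carried as a standard bearer header.
def bearer_token(authorization_header)
  return nil unless authorization_header.is_a?(String)
  m = authorization_header.match(/\ABearer\s+(\S+)\z/)
  m && m[1]
end

if $PROGRAM_NAME == __FILE__
  token = sign_in("alice", "correct horse battery")
  puts "issued: #{token}"
  puts "user for token: #{authenticate(token).inspect}"
end
```

Because only the digest is stored there is no way to "recover" a token for a user; a device that loses it simply signs in again, which is also the right reaction to a suspected leak (revoke, then reissue).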
I think there are three difficulties here.
1. There are very few books focused on authentication techniques.
2. The key phrase "token authentication" is confusing to use in the security/authentication field.
3. Rails-related documentation tends to be "how to."
So, Googling won't reveal good resources for this purpose. I know this field well, but it's difficult, especially due to reason 2.
In my understanding, the "token" here works as an authenticated identity in the system and provides a bridge between the authentication system and the authorization system. But to understand this, you must understand the overall system.
Let me provide a few pointers with regard to authentication technique books and some papers here.
Butler Lampson did much work related to authentication, and some of his articles are very good material for understanding the authentication/authorization framework; they might be helpful. One example is Computer Security in the Real World (2004).
Books written on Public Key Infrastructure (PKI) might be helpful; there are several, such as Understanding PKI: Concepts, Standards, and Deployment Considerations, 2nd edition.
Hope this helps.
ember-auth has a nice tutorial for token authentication for rails with devise and ember. However, it could also be applied to sorcery or to a custom authentication system. I think this is the best approach to authentication for an ember.js App.
https://github.com/heartsentwined/ember-auth-rails-demo

Rails 3. Building an oauth2 provider

I am developing an API in Ruby on Rails 3 and I would like to secure it with OAuth2.
In other words, I need to create an OAuth provider. Is there a working gem for Rails 3 out there, or perhaps a tutorial on the issue?
UPDATE
I know Rails is REST-based, so I find it very strange that there are no tutorials on how to create a public API and secure it. Does anyone know of any good tutorials? Preferably with OAuth.
Thankful for all help!!
Check out this gem https://github.com/applicake/doorkeeper
It is for Rails 3, though development is in its early stages.
There's also an example app that you can take a look at to see how the API is done.
http://doorkeeper-provider.herokuapp.com/
I've open-sourced an OAuth2 server implementation yesterday.
It's well documented and there is a dashboard to control accesses. Right now I'm searching for somebody who wants to build an engine starting from it, or something cool on top of rack. That's why it is open-source.
https://github.com/intridea/oauth2 is the canonical gem right now for OAuth2 dev. If you are looking for a more complete solution, instead of rolling your own provider code, check out:
https://github.com/songkick/oauth2-provider
https://github.com/freerange/oauth2-provider
But I suggest messing around with the oauth2 gem if you aren't very familiar with the flow so that you can learn it better.
If you are using (or planning to use) devise for authentication, you can use https://github.com/socialcast/devise_oauth2_providable as plugin.
I'm developing a rubygem for an OAuth2 provider, Rack::OAuth2.
https://github.com/nov/rack-oauth2
It requires you to develop the models (token, code, client etc.) yourself, but you can get a whole Rails 3 sample OAuth2 server here.
https://github.com/nov/rack-oauth2-sample
I'm looking to implement an OAuth2 provider, too! I'm currently experimenting with this https://github.com/assaf/rack-oauth2-server, which seems to be a full-featured OAuth2 server. It still supports only MongoDB, although implementing support for other DBMSs seems simple enough. I am also looking at some of the other options posted here, lots of promising stuff!
"Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider functionality to your application."
https://github.com/applicake/doorkeeper

Login/Register in Ruby on Rails?

I'm starting to learn RoR and I want to make my personal blog in this language. I usually code a couple of prototypes on top of whatever I'm doing in my blog. So I would like people to be able to log in and register with their OpenID. So I was about to jump to the coding place when I realized the concept of gems and all that stuff is giving you tools for this kind of thing.
So is there some kind of package to manage users, profiles and OpenID?
Check out technoweenie's restful-authentication plugin.
I'd advise you to look at bort, a complete RoR skeleton app with RESTful auth built in, one of its forks here, or at AuthLogic, a less intrusive auth solution for Rails (and Merb and some others).
Take a look at the bort skeleton app. It has restful auth and openid authentication already setup among other things.
Railscasts also has a number of screencasts about setting up authentication, restful authentication and OpenID.
One thing you want to be aware of to avoid hours of headache: the Ruby OpenID library changed substantially with OpenID 2.0, so if you're using a plugin or example code from a blog, be sure you're using the version of OpenID to which it corresponds.
There are several plugins; one with a lot of activity is open_id_authentication.
Dan Webb has a good guide to OpenID authentication in Rails that walks you through writing the actual code, but note that, at least last I checked, it hadn't been updated for OpenID 2.0.