Single Sign On with Rails Server and React client - ruby-on-rails

I have a Rails API and a client written in React that is embedded to website A. I want to use single sign-on so that users logging in to website A and going to my React app are automatically logged in to the API.
I am using Devise to manage users and Doorkeeper to handle OAuth2.
Here is the scenario wanted :
User logs in to website A which is a provider
User goes to React app (embedded in website A), some user info is passed by website A to React app
If user is unknown to Rails API, check that provider is website A and store user via Devise
Get access token for this user and user info from API and send back to React App
I cannot add routes to website A so it's not possible to install a usual OAuth2 flow.
My idea was to pass a signature identifying user from website A to the React app, and sending it to the API to authenticate user.
I tried using the doorkeeper-grants_assertion gem but I cannot wrap my head around this problem.
Which grant flow should I use for the user in that case ? How to integrate this strategy to omniauth ?
Any help would be much appreciated.

Related

React Facebook oAuth with devise_token_auth on Rails

I am attempting to use Rails 5.0.5 API only with devise_token_auth to build a React app. I have the Rails API server running locally on :3001, and my react app (running from within /client folder) is running on :3000.
I am able to register/login/etc. with email/password using axios and API calls, but the oauth is giving me some trouble. It seems that it doesn't want to work with React and the API situation, it loads up a new tab, authenticates with Facebook, then goes to the callback controller on my rails server (:3001). I'm unable to figure out a way for the callback info to be returned to my React app on :3000.
I am able to query facebook manually and receive back the info I need; is there a way to manually create a user based on the Facebook data that will allow me to use devise/devise_token_auth? Do any of you have any better methods for authentication on a React app using Rails API as a backend? I'm pretty new to all of this and not too far into the project, I'm ready to jump ship to a better solution if it exists! Thank you for any information. Please feel free to ask me any questions.

How do i authenticate facebook login with IOS using node.js + Passport

Currently I want to authenticate my user using facebook on IOS platform. I want to use node.js as the custom authentication, so that i could make it more flexible. My theory right now is to use node.js and passport-facebook via token, but my questions right now
1) Do i need to use Facebook ios sdk together with node.js /passport? or simply just serve it via node.js/passport https://developers.facebook.com/docs/ios
2) If the user already installed facebook on his iphone, how do i access the token?
This is my first time on creating an iphone app + facebook login, any advice would be highly appreciated. It is a project that I'm working on right now
Thank you
You can authenticate the user on the phone with the iOS SDK. That way the user will get the native "login with Facebook" flow and your application will get hold of the Facebook token. Then you take this token, pass it to your node backend (together with the email address of the user), and you can use passport/NodeJS to verify that the token belongs to the email address. If so, the user is authenticated and you can store the token together with the email (and other user related custom data) in you node node application for use later on and to fetch an existing user in your node application when they log in again.
For the rest of the authentication you can use something like JWT (Json Web Token), https://www.npmjs.com/package/passport-jwt, to secure your backend and to know which user sent the request.

Mobile facebook login and Rails API

This is a two-fold question in that it first asks a best practice for the situation, then asks how it should be implemented.
The situation: I'm creating a mobile app which operates through an API built in Rails. Meaning, users are created and fetched through the Rails API. The mobile app will allow the user to login via Facebook.
Problem: I'm not entirely familiar with how the Facebook login functions, such as what information should be used to fetch the database user.
Question: The goal is to login via Facebook in the mobile app and it fetch the user's data (or create the user) in the database via the API. So, should I set up the Facebook login on the mobile side? Or the website (API) side? And what information should be passed to/from the API?
I'm doing the same thing for Google+, but once I understand the best method for Facebook, I'm sure it will also apply to Google+ or any other oAuth authentication.
Thanks!

Rails backend for an iOS app, twitter sign in

I'm using omniauth-twitter for twitter log in to the website and it works perfectly well (go to /auth/twitter, user authenticates, and then redirect_to /auth/twitter/callback). Great.
However, on the iOS side, how can I implement sign in with twitter? Do I do it client side or server side? Could anybody go through the steps? (note: the only way to sign in to the app is through twitter)
We've tried:
using a UIWebView that goes to /auth/twitter, but on redirect, it goes back to the web version. Is there a way to get JSON data from the UIWebView?
doing sign in with twitter client side, and using a made up password to authenticate in sessions#create that matches a made up password on the db.
Is there another alternative for authentication? I know what we're doing has a lot of flaws but we couldn't find any other solutions even after asking in meetups and researching online for days. please help!
You could add an OAuth 2
implementation on your server. Your server authorizes the iOS app for an authenticated user / content owner. (You have completed the authentication part.) Once authorized, the iOS app accesses that particular user's content (via an api on your server) as if it is logged in as that user.
You will find one potential OAuth 2 provider implementation for RoR as
applicake/doorkeeper
You will find a sample iOS client application as
telegraphy-interactive/OAuthClientSetup
That is one suggestion, in any case. Not the whole answer, which would require a book chapter.

How do I authenticate a user if they are not using my web (rails) application, e.g. using an API

I have created a Rails (3.2) application that uses the OmniAuth gem to provide OAuth authentication. Users can log into the site using their Twitter, Facebook or Google credentials, pretty bog-standard functionality.
I now want to make the data available via an API so it can be consumed outside of my web application, however, users would still have to login to be able to access their data. How do I do this in my Rails APP? And what would the user have to do to be able to call this?
UPDATE
Some people are suggesting "alternative" authentication methods, but I am wondering if I cannot use the same OAuth credentials I already have for them. I don't want them to have to provide another username/pwd, I want them to be able to use their Twitter, Facebook or Google Identities as they do when they use the WebUI.
authenticate_with_http_basic (or digest if you like) might work for you, called from a before filter in the controller.
You can test with curl, using the --user parameter.
Here's a good thread on the topic:
In Ruby on Rails, what does authenticate_with_http_basic do?
Devise has the feature token authentication which is what you are looking for.
Also visit http://zyphmartin.com/blog/simple-auth-token-example-with-devise

Resources