I'm implementing a rails application that manage some objects let's call it project.
Every project has a:
category
region
company
I have to implement an authorization mechanism that allows me to assign user permission like that:
A User can edit all the project with region ASIA and can read all the project with category Information technology.
I found multiple gems that deal with authorization.
Which is the best one for you in relation to configurability and easy to use?
I like to use the Devise gem to authentication and user management, and Pundit to access authorization and scope policies. With Devise you can create users models easily and attach to oAuth services like Google, Github, Facebook... Also with Pundit is easy to create access policies to each resource in your app. Hope it helps!
Related
I'm new to OAuth2 and trying to figure out what is the best practice for the following scenario:
I'm implementing 'ToDo' web service (CRUD for 'tasks')
I'm using OAuth2 and Google as auth provider to get user details (email, name)
Now I need to implement project-specific roles for users ('admin', 'user')
Speaking in terms of OAuth2 - Google doesn't 'own' my service, so it cannot help me with storing/providing 'ToDo'-specific roles, is it correct?
What is the common/best approach to implement it, do I need to create my own authorization service where I'll need to store relations like userinfo -> project-specific role?
Well, it depends what, exactly, you're looking to do.
If you have users, and those users have specific roles that you have assigned to them already, then you're just using Google's OAuth service as an identity service. You don't need to implement your own authorization service, but you will need to keep track (typically in your own database) a relationship between the userid and the roles for that users.
If the goal is to create a service where the user can delegate specific permissions they have to a third-party service, then you will certainly need to implement your own OAuth server. This will allow the user to limit the scopes that are necessary for the third-party service to do its job.
It is easy for you to setup your own authorization and resource server rather than depending on google services. In your own authentication server you have more control over your roles and users you specify.
You can setup and authentications server using spring boot app and using dependencies like Spring-starter-security, spring-security-oauth2 and etc.
Yes, you'll have to use your own Authorization Server that can then issue tokens that have realm-specific roles associated with them.
So Im developing a Rails app- primarily serves API which I want to lock down behjind a nice authorization system. Ive created Rails apps which render HTML and for that I used Devise and CanCan. This time I want to serve JSON to my clients. I basically have the following requirements:
Need an authorization system thats robust
A user should be able to log in with existing apps such as facebook, twitter, linked in and google
There should be full stack authorization available
Now this is my 1st app that Im writing that serves up API so I started researching and so far Ive found the following solutions that people have used:
I've seen people use Devise with CanCan
I've seen people talk about using Oauth2
http://railscasts.com/episodes/353-oauth-with-doorkeeper?autoplay=true
I've heard... "Use Doorkeeper"
I've heard use ..." Use omniauth"
So basically my 1 day of research basically just confused me more. When di I use these and for my requirements which comnbination would I use! Im struggling to make sense of the alphabet soup, can someone help me understand this
Devise is an authentication engine for Rails apps of all types. Devise allows authentication against username/password, token authentication (good for API's), and an oauth provider (such as Google, Facebook and the like). This obviously allows you to deny access to the API unless the user is signed in through one of the services you offer.
CanCan is an authorization system that will work on top of Devise to allow users access to certain parts of your system based on their role within the system. CanCan has a very slick DSL prviding can and cannot methods for allowing or denying access to views or controller actions.
Doorkeeper is an oauth provider gem if you wanted to roll your own oauth solution on top of your API. This would be if you wanted your application to act in the same manner as Google or FAcebook in providing an oauth endpoint for users to authenticate against. From what you stated above, I don't think this is the case.
Given the requirements you provided above, I believe that Devise and CanCan would be the route that I would choose. This would allow the user to authenticate at first by username/password, or some oauth provider, then allow token authentication after that to access your API. You can then lock down access to specific actions through CanCan.
I need an authentication/authorization functionality where there will be an admin for the system. There are three different kinds of users with different privileges. When the user signs up, he can choose the role he desires.
The admin need to login, review and authorize the users before they can login.
Is there any gem that does this.
You could use Devise for authentication, together with CanCan for handling different roles. Both are wildly used and well documented gems.
You can use only cancan and it will serve the purpose which you are looking for as suggested by jlundqvist.
We're building a Rails 3 web application that will need to authorize and authenticate regular users who visit the site. Those same users may also use third-party applications to access the site via our API.
What approaches can we use to effectively and cleanly provide access to clients as well as users? What strategies have you used in your own Rails applications that also have RESTful APIs?
Ideally, we're after a solution which:
plays well with Devise and CanCan (which we already use for authn/authz)
plays well with Mongoid
doesn't pollute our controllers
is relatively simple to install and configure, if it's a gem or plugin
is easily testable, if it's a general strategy; or is already tested, if it's a gem or plugin
Since you're already using Devise, take a look at the token_authenticatable strategy (Add it to your user model and make sure the devise init reflects whatever you call the token param).
You'll want to add: "before_save :ensure_authentication_token" to your user model as well (assuming you don't want it to be single use).
Just provide your user's with their tokens on say their profile page or wherever. Call it an API token if you like.
i have a simple record system in rails, it has customers, appointments and visits as models.
with visits and appointments belonging to customer.
i want a simple authentication plug-in for the owner of the application, to be able to log in and edit and create new data in the system (administrator user) and be able to add new admin users to be able to log in to the system.
a plus would be if the plug-in allowed the admin user to also create customer accounts for customers to be able to go on line check their own customer profile, appointments and visits details.
so basically a authentication plug-in for a super user and a limited user (to view their own profiles).
i don't want anything too fancy to be honest like sending a verification e mail etc.
thanks
Checkout Devise:
http://github.com/plataformatec/devise
There's a couple railscasts on it:
http://railscasts.com/episodes/209-introducing-devise
For role-based auth you can combine Devise with Cacan:
http://railscasts.com/episodes/192-authorization-with-cancan
http://gist.github.com/389299
http://railscasts.com/episodes/210-customizing-devise
I have a plugin for doing simple Role-based Access Control:
http://github.com/heavysixer/rolesystem
If you need simple
Check out: http://code.google.com/p/rolerequirement/
Use that with the restful-authentication plugin
I use it in 2-3 projects and it works great, I even did some hacking to enable ldap authentication too.