Rails: stateless authentication with Devise - ruby-on-rails

I have a working devise user with connected omniauth identity and everything works fine. The problem is that I want to disable sessions and use stateless token authentication. I tried simple_token_authentication and devise_token_auth and experienced a lot of problems with both. Simple token auth was easy to add and I set config.skip_session_storage = [:token_auth], but I still had session in my requests and no tokens.
With devise_token_auth everything got messy and I wasn't able to get it to work. I had problems with duplicated routes. Disabling devise_for helped, but this way I disabled everything I have done so far and even then it would not work.
I don't know how to approach this problem, whether to use one of these gems or disable sessions and write some tokens handling manually (but using a gem seems safer to me). I don't want to set everything up from the beginning, but maybe it is the only way.
I know that my questions seems a bit imprecise, but I am really confused now. I will post some code parts or error messages if you need something specific.

Related

Rails/GraphQL/Devise: Any good alternative to Devise for applications running GraphQL?

I've used Devise for a long time and I love all the features it comes with. The only problem is that it has a RESTful style of authentication that doesn't work very well with GraphQL.
Is there something fully featured (e.g. email resets, account confirming and locking etc) like devise that works well with a GraphQL API?
I have been using this together with my GraphQL APIs. Not perfect but it works fine having the graphql route and the auth REST endpoint together.
Also a friend and I are working on precisely that over here. It's a work in progress but we expect to have something functional soon. You still have to have a separate route for your GraphQL auth schema, as those queries need to be unauthenticated (login, register) and you always want to authenticate in your main schema. So it might look like this
POST /graphql (main schema)
POST /graphql/auth (auth schema)
UPDATE We have released v0.14.0 now. Still some things to work on, but I wouldn't call it a work in progress anymore as we've been working on it for over a year. Here is the link for the Graphql Devise Gem, again.

Is there a working Devise/Omniauth/Oauth2 interface with Wordpress?

I'm trying to use Wordpress to authenticate my Rails application users with the following Omniauth plugin:
https://github.com/jwickard/omniauth-wordpress-oauth2-plugin
I've followed the instructions carefully, and duplicated his example, but it doesn't work. Which is really surprising, because there's just not that much to it. However, I've found several threads on here like this one, that talk about the same problem I have:
Devise, OmniAuth & Facebook: "Not found. Authentication passthru."
When I click the "Sign in with Wordpress" (which is automatically inserted in my Devise sign-in page), I simply get a 404, with "Not found. Authentication passthru," which is a stub response for the passthru method in the Devise sources. Routes rake just fine, and look like all the examples. I've restarted the server dozens of times.
Despite several attempts to set site: and authorization_url: in the client_options, in both my devise config, and the plugin sources directly, my app never redirects to my Wordpress site. I've got about 10 hours into screwing around with this, and I don't know what's supposed to be responsible for actually sending me to the site to DO the authentication. Further complicating figuring this out is that almost every reference I can find to redirection in this sort of scenario is about the callback to my Rails site, after the authentication is done. I can never get that far.
There's a lot of confusing references to this problem on SO and the internet at large. There's some talk about making a "real" passthru or action_missing method in my OmniauthCallbacksController, but that seems to be outdated information. There's a lot of talk about making sure that I've defined the omniauth_providers in my User model, and I've tried it with and without, but that's not in any of the documentation about this plugin.
I've been trying to look at the plugin's strategy file, and it just doesn't seem that different than other Oauth2 plugins for Facebook, Google, or whatever, that I've been reviewing. It seems like there's a very simple thing I need to set in order to make this all work, but I can't find it, and I've run out of ideas on how to track it down. The plugin was last updated about 5 years ago. Does anyone still use this with modern versions of Devise, Omniauth, and Wordpress? If so, is there a clue you can give me to make it work?
I finally started tracing through the gem, and found where it was failing. As I searched on those further problems, I finally figured out that there were about 25 forks of this gem, and many of them addressed the problem. I used this particular one: https://github.com/bkno/omniauth-wordpress-oauth2-plugin

Single sign-on, multiple domains on same server, ruby on rails

If I have a single server with multiple domains, what is the preferred method for implementing a single-sign-on solution on the same domain. I am currently using devise, have a few million cookies in place on separate domains, and am stuck. On top of just implementing SSO, I also need to migrate the various cookies to a central domain. Regarding the various servers, they only have one single page that requires me to show different states depending on whether or not the user is logged in.
I have tried the following:
CORS: pick one domain as the central auth hub. From all other domains make cross domain checks to see if the user is logged in. For migrating cookies, detect if there's a "current_user" object, send it to the client, make a CORS request, sign the user in and kill the token. Works Great! BUT... After building it for 2-3 weeks, it TOTALLY FAILS in IE. Even IE11, I'm noticing the default setting is disabling this behavior.
tried tinkering with the session store at
Rails.application.config.session_store
with no luck.
I am currently experimenting with the following:
JSONP: I have someone right now trying to convert the above to JSONP instead while I try some other options:
Set up a custom OAUTH provider. Like before, it will be the "central domain" if the person is signed in, return to the requested domain with a token from which the users can make requests. https://github.com/songkick/oauth2-provider
Looking at this but it looks outdated? https://github.com/rubycas/rubycas-client. I also get the feeling this could have been a solution if I rolled this out from the get-go, but given how far we are into the project, it's unclear to me how I'd transfer the existing cookies. Also it's unclear if this requires two applications for me to get up and running ( one for client(s), one for auth server)
As I go through each of these possibilities, if anyone has had any experience doing what I'm doing, please do inform me and save me a whole lot of work :)
The best way unless this is a toy app is probably to set up an oauth provider.
We use Doorkeeper with Devise for this and it works great. It will be worth your time to set a little time aside to read through the documentation and watch a talk or two on youtube if you're not already familiar with the strategy but once you understand the core concepts its actually pretty simple to set up with the help of this gem.
There is a quick video run down on http://railscasts.com/episodes/353-oauth-with-doorkeeper

Kerberos Authentication in Rails

Is it possible to use kerberos to authenticate a user under rails? Are there any existing plugins (preferably which extend authlogic's functionality) to do this?
I'm hoping someone else will come around and show us a pure Rails way of doing this. But until then, the easiest way to get things going is by letting your web server handle it.
On that note, I'm going to assume Apache. If this is not the case, please tell us a bit more about your set-up.
Proper Kerberos authentication in browsers is done in the HTTP protocol itself, much like Basic or Digest authentication. In Apache, this can be done with mod_kerb_auth.
Then the next step is to find out how to retrieve the username. It depends a bit on the interface you're using between the web-server and your Rails app. This could be Passenger, FastCGI, mod_proxy, etc.
Many will follow the original CGI standard to some degree, passing along a bunch of environment variables with the request. Try the following in your controller:
username = request.env['REMOTE_USER']
That's as far as I can take you. I've never used authlogic. Though, by the looks of it, it supports plugins. Perhaps you can create a new one that blindly trusts REMOTE_USER if it is set?
If you wanto to switch from authlogic to Omniauth for your authentication there's a module for it:
https://github.com/jgraichen/omniauth-kerberos

Rails - Multiple top level domains and a single session/cookie

I've been struggling with this for quite awhile and haven't been able to
find a solution. I need a user to be able to view multiple top level
domains with a single login.
My understanding is that this needs to be set in environment.rb and
called with before_dispatch. This is what I've come up with:
require 'activesupport'
require 'dispatcher'
module ActionController
class Dispatcher
def set_session_domain
ActionController::Base.session_options.update :session_domain => "#{#request.host}"
end
before_dispatch :set_session_domain
end
end
However, this does not seem to be working when I try and pull the values
from session[:session_domain].
Any help is greatly appreciated.
This one is a bit tricky. Since cookies can only be assigned to (and retrieved from) the current domain ("forms.example.com", say) and parent domains (".example.com", but not ".com"), but NOT to other domains ("othersite.com"), you'll have to find yourself another solution. This has nothing to do with Rails, but with how cookies work.
EDIT: Sessions rely on a client-specific handle, stored in a cookie, which is why sessions also don't work cross-domain.
This site has one possible solution for creating a cross-domain cookie, and it's the cleanest way I know of, although it may have some security implications. A more complicated version would have the servers communicate directly through some secure channel.
If you're looking for a more general-purpose single-login service, try implementing some form of OpenID.
For sub-domains in Rails 2.3
ActionController::Base.session = { :domain => ".mydomain.com" }
For top-level domains try this middleware.
I've been playing with the above middleware at the moment and it does not quite work as expected. If you do use the middleware you do not need the above code as it handles sub-domains as well.
You will probably need something like RubyCAS if you want authentication across domains regardless of whether they're top-level or subdomains.
Your question is not really precise enough IMHO. Do you want a single cookie for all Rails apps you have or is it within the context of a single one? If the former, you want to look at solutions using database-backed sessions or something along the line of RubyCAS to implement the CAS protocol.
Both Keltia and zuk are right, Answer is rubyCAS, We have do that integration and it allows
SSI - Single sign -in
You sign to one site and you are automatically signed to the other
SSO - Single Sign Out
You sign out from one site and automatically you signed out from the other
For us this is a proven solution and not a hard one to implement
we are using it in
http://www.cabslk.com and www.ticketslk.com
cheers,
Sameera

Resources