I'm creating an app in Ruby on Rails and have researched Devise, Omniauth, and creating my own custom version.
My question is: what are the scenarios in which you would use one of the three choices above?
My take:
- Omniauth can provide quick registration through third party APIs, but would require additional permissions to access additional data
- Devise provides core functionality which can also be customized based on the applications needs
- Custom may be for extreme scenarios which, currently, I do not need
** I'm leaning towards Devise as it provides the core and allows me to add onto that
Additional Considerations:
- My application needs to sign in and access basic information for: location, language I18n, etc
- My application also does financial transactions (if you're a paid member, et al).
Going back to my question: based on the above, does Devise seem to be the better choice? Does Omniauth provide these features? When should I use one versus the other?
Thanks
Devise and Omniauth do very different things - and they are often used together.
Devise provides a full authentication package with views, controllers and routes to allow users to sign up, edit user profiles, reset passwords, etc.
Devise can be used without the database authentication module, which provides signup via email/password.
Omniauth is a framework for authenticating users via OAuth. Omniauth, unlike Devise, does not ship with any views or controllers. Instead you need to integrate the OAuth callbacks into your app. What Omniauth does is abstract away the differences between different providers.
Both can be used together to provide user authentication via password or oauth for example.
Rolling your own authentication solution is generally not advisable. Projects like Devise have hundreds if not thousands of man-hours behind them and many eyes viewing the code base for flaws. Crappy home-rolled auth solutions by companies with Not Invented Here Syndrome are one of the most common security failures that have led to user data and passwords being leaked.
To add context to #max's answer, OmniAuth is an extraction of OAuth (Open Authorization)...
OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access. We've kept it simple to save you time.
Whenever you have a trusted service such as Facebook, Twitter, LinkedIn, GitHub, NetFlix, etc, and want to use a service in conjunction with your pre-built connectivity on these existing services, you'll need a secure way to "authorize" the use of that data...
A "CRM" system which allows you to "import" contacts from LinkedIn
A "social sender" system which allows you to send messages to your Facebook friends
Recommend new movies based on what you recently watched on NetFlix
Most people know OAuth by virtue of the "Allow Access" notification for Facebook etc:
Interpreting this in your own app is simple - do you want to pull data from Facebook / Twitter / LinkedIn / GitHub etc?
Real use of OAuth should be to extend your application.
Most users treat "app requests" for their social network data as an extension of the "social" experience (IE if I allow app access to my FB, I expect it to post to my wall etc).
Instead of treating it as a way to allow users to sign in with Twitter / Facebook / LinkedIn credentials (which is 100% valid), you should think about the higher-level functionality.
--
Devise != OmniAuth
Devise is an authentication system; OAuth is authorization.
OmniAuth extends OAuth for authentication:
OmniAuth is a library that standardizes multi-provider authentication for web applications.
It replaces email/password with Twitter API key. Thus, whenever creating authentication on your system, you will always need to store User data etc - it's how that data is authenticated which makes the difference.
In short, if you want Sign in with Twitter buttons etc, OmniAuth is recommended. However, to keep your authentication consistent, you'll be best using Devise with OmniAuth.
--
Finally, don't roll your own authentication unless you've implemented Devise at least 5 times. All Rails authentication works similarly (uses Warden strategies). It's not going to be worth your time debugging your own system when Devise has 100,000's of users doing the work for you.
Related
I have an existing rails app which uses 'devise' for authentication.
I would like user's to be able to link their twitter and facebook accounts to their account on my site, so that my application can post updates on their behalf.
Ideally:
When registering, you can choose to set up a standard account, or use twitter, Facebook, etc credentials.
If user chooses to use facebook credentials, I would still like them to be able to link their twitter account, so that my application can post to both at same time on their behalf.
A bonus would be allowing them to have identities which they could link twitter account A to one identity, then switch identities and use another twitter account.
My questions are:
if they use a standard account, and link facebook and twitter, are they going to be prompted to enter those credentials every time I post on their behalf? Or does omniauth give me an infinitely valid token?
I know devise can handle omniauth, but I can't seem to tell if it can handle what I am asking. It seems that its omniauth support is more along the lines of just authenticating site users against twitter credentials, not for linking multiples.
is there a rails gem that does this, and is well supported? I see socialite is no longer supported, but it seemed to be a one or the other type deal, not what I want anyway.
because I am already doing standard auth with devise, would it be simpler to just force users to create a standard account, and then use the twitter and facebook api's directly on top of that?
Looking for the best strategy here for doing what I want.
*Note: If you think I can get 75% of what I want for 25% of the effort that all my goals would be, let me know.*
Thanks,
~S
I have created a Rails (3.2) application that uses the OmniAuth gem to provide OAuth authentication. Users can log into the site using their Twitter, Facebook or Google credentials, pretty bog-standard functionality.
I now want to make the data available via an API so it can be consumed outside of my web application, however, users would still have to login to be able to access their data. How do I do this in my Rails APP? And what would the user have to do to be able to call this?
UPDATE
Some people are suggesting "alternative" authentication methods, but I am wondering if I cannot use the same OAuth credentials I already have for them. I don't want them to have to provide another username/pwd, I want them to be able to use their Twitter, Facebook or Google Identities as they do when they use the WebUI.
authenticate_with_http_basic (or digest if you like) might work for you, called from a before filter in the controller.
You can test with curl, using the --user parameter.
Here's a good thread on the topic:
In Ruby on Rails, what does authenticate_with_http_basic do?
Devise has the feature token authentication which is what you are looking for.
Also visit http://zyphmartin.com/blog/simple-auth-token-example-with-devise
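As an added example (not code from the original answers, from Devise, or from the linked blog post), here is the token scheme that answer describes, written as plain Ruby so it runs without Rails: a random per-user API token is issued after the user has already signed in through the web UI (whatever OAuth provider they used), only its SHA-256 digest is stored, and each API request is checked from its `Authorization: Bearer` header. The `USERS` and `DIGEST_INDEX` hashes are hypothetical stand-ins for a users table with an indexed `api_token_digest` column, and the function names are assumptions.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory stand-ins for a users table that has an
# api_token_digest column, plus an index on that column. Not Devise code.
USERS = {}          # user_id => { api_token_digest: "..." }
DIGEST_INDEX = {}   # api_token_digest => user_id

# Issue a fresh API token for an already signed-in user (however they logged
# in: password, Twitter, Facebook, Google). Only the digest is stored, so a
# leaked database dump does not hand out usable tokens. The plaintext token is
# returned once so it can be shown to the user; it is never persisted.
def issue_api_token(user_id)
  revoke_api_token(user_id)
  token  = SecureRandom.urlsafe_base64(32)          # 256 bits of entropy
  digest = Digest::SHA256.hexdigest(token)
  USERS[user_id] = { api_token_digest: digest }
  DIGEST_INDEX[digest] = user_id
  token
end

# Rotating or revoking removes the digest and the index entry.
def revoke_api_token(user_id)
  rec = USERS.delete(user_id)
  DIGEST_INDEX.delete(rec[:api_token_digest]) if rec
  !rec.nil?
end

# Constant-time comparison so a timing side channel cannot reveal how many
# leading bytes of a guess were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Pull the token out of an "Authorization: Bearer <token>" header value.
# Returns nil for a missing header, a different scheme, or junk.
def bearer_token(header)
  return nil if header.nil?
  m = header.match(/\A\s*Bearer\s+([A-Za-z0-9_\-]+)\s*\z/)
  m && m[1]
end

# What a before filter in the API controller would do: authenticate the
# request and return the user id, or nil to render 401.
def authenticate_api_request(headers)
  token = bearer_token(headers["Authorization"])
  return nil unless token
  digest = Digest::SHA256.hexdigest(token)
  # Lookup by digest hits the index; the lookup's timing can at most leak the
  # digest, which is useless without a preimage. The constant-time compare on
  # the stored value guards the final equality check.
  user_id = DIGEST_INDEX[digest]
  return nil unless user_id
  rec = USERS[user_id]
  secure_compare(rec[:api_token_digest], digest) ? user_id : nil
end

if __FILE__ == $0
  tok = issue_api_token(42)
  puts "curl -H 'Authorization: Bearer #{tok}' https://example.invalid/api/me"
  puts authenticate_api_request("Authorization" => "Bearer #{tok}").inspect
end
```

The user calls the API with the token in the header (curl's `-H 'Authorization: Bearer ...'` works the same way `--user` does for basic auth); because the token is tied to the local user record, it does not matter which OAuth provider they originally signed in with.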
I want my web application, which is built with Ruby on Rails, to communicate with the Facebook Social Graph API, but I am aware of that I need some kind of authorization to achieve that.
So, do I need to build OAuth authentication for my application to make use of auto-publishing messages on the user's Facebook wall?
If not, how could I integrate the social features into my web application?
The web application already has an existing user base; could I also allow my application to get Facebook access? If yes, how?
I would appreciate examples of sites who do this kind of integration really well, also with other services like Twitter, LinkedIn, etc..
All is explained on the facebook developers site:
http://developers.facebook.com/
This explains the auth you need to access graph
http://developers.facebook.com/docs/guides/web/#login
You can then combine graph info with your existing user database by saving their facebook ID number hence then you can pull up profile pics etc
Try using the following gems:
Devise: User authentication (if you already have the framework for user authentication, this will not be needed)
Omniauth: Facebook (or any other OAuth provider, e.g. Twitter) authentication
Koala: Facebook open graph api
If you need only Facebook integration, Koala should be sufficient.
For making them work together check this:
Making OmniAuth, Devise and Koala work together
I'm currently using OAuth to authenticate people with their twitter (twitter gems) account in my application. The problem is that for people who aren't connected or who have various accounts.
So that's my question, is that possible, to ask user their login/password to link their twitter account on my application ?
Thanks
It is no longer possible to connect to Twitter's API using Twitter credentials. Twitter's public stance on this is that you should -never- provide your Twitter credentials to anyone else, ever. This is part of their rationale for implementing OAuth.
Even if you had the user's Twitter password, you couldn't validate that it was actually their password, nor could you access their Twitter account with it through the Twitter API.
Your best bet would be to look into devise and omniauth. I've gotten it to work this way. Omniauth also allows to link to several accounts. Be it, Facebook, Twitter, etc.
I'm sure it's entirely possible to ask users for their Twitter login/password on your application. It's a very bad practice though, as OAuth avoids the need for client applications to ever touch a users credentials. I suggest setting up an authentication/authorization system that maintains a login/password and then allows connecting multiple OAuth accounts via an AuthenticationStrategy model or the like. Ryan Bates did a few Railscasts on the subject:
http://railscasts.com/episodes/235-omniauth-part-1
http://railscasts.com/episodes/236-omniauth-part-2
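The "login/password plus multiple linked OAuth accounts" design this answer recommends, and the Devise-plus-OmniAuth combination the earlier answer describes, come down to one table of identities keyed by provider and uid. The following is an added example, not code from the answers, the Railscasts episodes, Devise or OmniAuth: the auth hash shape follows what OmniAuth puts in `request.env["omniauth.auth"]` (`provider`, `uid`, `info`, `credentials`), while the `AuthStore`, `User` and `Identity` objects are hypothetical in-memory stand-ins for the models a Rails app would have. It covers the three paths the questions above ask about: signing up through a provider, linking a second provider (or a second Twitter account) to an already signed-in user, and refusing to move a provider account that is already attached to someone else.

```ruby
# Added example, not Devise/OmniAuth code. Hash shape mirrors OmniAuth's
# auth hash; the store and models are hypothetical stand-ins.
User     = Struct.new(:id, :email)
Identity = Struct.new(:id, :user_id, :provider, :uid, :token, :secret, :expires_at)

class AuthStore
  class AlreadyLinked < StandardError; end

  attr_reader :users, :identities

  def initialize
    @users = []
    @identities = []
  end

  # (provider, uid) is the unique key: one provider account maps to exactly
  # one local user, but a user may hold many identities, including two
  # accounts at the same provider.
  def find_identity(provider, uid)
    @identities.find { |i| i.provider == provider && i.uid == uid }
  end

  def find_user(id)
    @users.find { |u| u.id == id }
  end

  def identities_for(user)
    @identities.select { |i| i.user_id == user.id }
  end

  # Handle an OmniAuth callback. Without current_user this is sign-in or
  # sign-up by provider; with current_user it links the provider account to
  # the signed-in user. Returns the user the identity now belongs to.
  def from_omniauth(auth, current_user: nil)
    provider = auth["provider"].to_s
    uid      = auth["uid"].to_s
    raise ArgumentError, "provider and uid are required" if provider.empty? || uid.empty?

    identity = find_identity(provider, uid)
    if identity
      if current_user && identity.user_id != current_user.id
        # Refuse silently re-homing a provider account; that would let anyone
        # who can authorize at the provider take over the other local user.
        raise AlreadyLinked, "#{provider} account #{uid} is linked to another user"
      end
      store_credentials(identity, auth["credentials"])
      return find_user(identity.user_id)
    end

    # Deliberately no lookup of existing users by the provider-supplied email:
    # provider emails are not verified by us, so matching on them would let a
    # provider account claim an existing local account.
    user = current_user || create_user(auth.dig("info", "email"))
    identity = Identity.new(@identities.size + 1, user.id, provider, uid)
    store_credentials(identity, auth["credentials"])
    @identities << identity
    user
  end

  private

  def create_user(email)
    user = User.new(@users.size + 1, email)
    @users << user
    user
  end

  # Keep the provider's OAuth credentials so the app can post on the user's
  # behalf later without another "Allow access" prompt, until the provider
  # expires them (expires_at, when the provider sends one) or the user revokes
  # access at the provider.
  def store_credentials(identity, creds)
    return unless creds
    identity.token      = creds["token"]
    identity.secret     = creds["secret"]
    identity.expires_at = creds["expires_at"]
  end
end
```

In a Rails app the `current_user:` argument comes from Devise's helper in the OmniAuth callbacks controller, and the `AlreadyLinked` case should render an error rather than merge accounts; whether a stored token keeps working indefinitely depends on the provider, so check `expires_at` before posting on the user's behalf.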
Using the current rails 2
I want users to be able to create an account from:
traditional signup
twitter
facebook
and then allow them to link facebook and/or twitter and/or traditional signup later.
I read this http://www.themomorohoax.com/2009/02/21/rails-2-3-authentication-comparison
and decided to check out:
Authlogic
Restful Authentication
Devise/Warden
It seems that for at least some of the plugins you can use with them, making OAuth work will make them incompatible with any other login system.
Will I need to roll my own from the ground up, or can I glue together some existing pieces?
You can glue together existing pieces.
I wouldn't advise Restful Authentication. It's getting old and isn't maintained anymore.
If you plan on using Authlogic, you can take a look at those two gems :
authlogic oauth for any oauth service (including twitter)
authlogic facebook connect
If you plan on using Devise, you can take a look at those two gems :
warden oauth for any oauth service (including twitter)
devise facebook connectable