I have a rails website in which I am using devise and OmniAuth for authentication (email + social authentication). Now I want to implement an api that will serve as a backend for my android app. I was wondering how can I extend my existing authentication system so that I can provide the same authentication functionality of email and social login to my android users? Also, a person should be able to login using same credentials on web and android app.
You need to add api token field in your user table.
Everytime when a android user request for login, after successfully match email and paasword an API token will create with expiration time. Then each time API token must be send with android request.
Request will be completed if the API token is valid.
To differentiate your request you can use namespace in your route like /api/v1/login
Related
in the working project on rails 4 is used omniauth gem for social authorization, connected some social networks
and the appropriate gems are used
omniauth-facebook
omniauth-instagram
omniauth-google-oauth2
now there was a task to add api for mobile authorization, where the scheme is somewhat different:
client starts oauth flow w/ Facebook (using login button etc)
client gets access token and posts back to server
server looks up user via (FB/Instagram/Google) api call w/ token
server does lookup/create of user based on uid & provider
user is logged in if a user association lookup is successful
Help me please how to use received access token from mobile in omniauth and not duplicate the functionality
I solved the problem through monkey patching build_access_token method, in this method i check the presence params[:access_token] parameter
I use rails as backend for ios applications. So far i have been using devise as it looks flexible and comfortable to use with less effort . And i have read about omniauth and that too looks easy to integrate with devise. My question is, consider my ios app requires authentication and the following are the different methods that i should be able to allow user to do
Login using email and password
Login using Facebook account
Login using Twitter account
Login using email can be handled by the devise itself but how about login using Facebook and twitter? Actually in one of my project i came up with the following approach which has all three of these login process. The ios app authenticates the user from the device(not devise) itself and sends the user information like username, email etc whatever required along with auth type so i save this a separate user with username that is sent and one of the field as password. And the next time he sends me these details i allow him to login to the app. But now i realised this is not the best way to do. I read about FBgraph which can be used to verify the access token validity, so should i get the token from user and then verify it and get the profile information and save it in user model and give them the token.
Also i have another doubt which is, For login using email and password i allow user to login through email and password and then for the each requests the user sends me the username and password. Is this is alright or do i have to create a token in login request and send the token as response and then the user can send the token for all the other request he makes.
Sorry if it is confusing but to tell you shortly i need to know what should i do if i have all these three login process. Any help is greatly appreciated. Thankyou
There are couple things to consider when dealing with external applications like on other devices:
You should use an API to communicate with your Rails server
Your server should send an authentication token after the first user authentication using his email and password. It is not a good idea to send user's email and password for each requests.
Devise
Devise is great for authentication both in-app and for remote applications using the token_authenticatable hook. This will allow any registered user to have a unique secret token to use in order to be authenticated on your server.
More information here
OAuth2
OAuth2 is becoming the standard way to authenticate on remote services giving the user the possibility to use his Facebook account to login for example.
This would be the easier way to allow your users to authenticate using their Facebook or Twitter account (note that twitter will not give you the user's email address).
Devise can handle OAuth2 clients.
Finally, you could also create your own OAuth consumer to authenticate users using your service. Doorkeeper is a great gem to protect your API endpoints and to allow users to use OAuth2.
Conclusion
Devise is great for authentication. Using their token module coupled with OAuth2 integration could do the trick in your case.
Here is the OmniAuth wiki page from Devise
Here is the Simple Token Authentication wiki page from Devise
How do I secure my API when I want an app to be able to retrieve app-specific information without a user logged in and when I have an OAuth provider for another section of my API? Can I use the client app's OAuth credentials to hit the API without a user logged in?
I have create an OAuth provider and client using doorkeeper following railscasts 353. I can successfully authenticate a user to my provider app and make requests on behalf of the user to my provider API.
However, a portion of the API is user independent, meaning that the information returned from the API is not specific for a user and therefore a user should not have to be logged in. For example, assume an ecommerce site and items and prices are stored on the provider for multiple clients. I want a client app to be able to securely retrieve the items/prices associated the retrieving app without a user having to be logged in. So if you went to example.com the items would be displayed even if a user is logged in via OAuth.
I have only be able to retrieve this information via OAuth when a user has logged in through OAuth (creating an access_token). Is there a way to use OAuth without having a user present (I've been trying to read about 2-legged OAuth and if that is an appropriate solution)? Or do I need to use Api keys (or Http Basic Auth) for the application to retrieve the application specific data?
If OAuth is not the right solution because I do not have a user present, could/should I use HTTP Basic Auth over SSL and use the client site's OAuth secret key as the API key for the basic auth username?
If you need to authenticate your client apps in you API (without requiring a user specifically) use the Client Credentials flow
I'm building an app with both a web client and a iPhone client.
On the web client I authenticate users through Facebook with Omniauth, the user can then post actions on the app to Facebook. That works good.
I'm having some problem implementing the Auth flow from the iPhone application.
I've set up Doorkeeper in the rails app as an OAuth provider. Although I'm not sure how the authentication flow should be implemented.
I've come up with this:
The user can log in to Facebook in the iPhone and get a token. The idea is then to send the token, along with the Facebook uid to the rails app, store it, and authenticate the user with Omniauth. Once the user is authenticated generate a token with Doorkeeper and send it back to the iPhone app.
If it's the first time the user authenticates against the rails app, a new user will be created.
The user can then do actions against a JSON-api and the rails app will take care of the Facebook integration since the Facebook token is stored on the user record.
The application will also span over several domains so I'll need to have multiple Doorkeeper applications registered to provide different callback uri's.
Does this seem like a viable solution?
Is it secure?
Is there alternative flows / approaches?
Thanks.
The solution I went with is summarized as followed:
Client starts oath flow w/ Facebook (using login button etc)
Client gets auth token and posts back to server
Server looks up user via FB API call w/ token
Server does lookup/create of user based on FB id
User is logged in if a user with FB id association lookup is successful
I have a diagram and more detail here: http://www.eggie5.com/57-ios-rails-oauth-flow
I'm building a Rails web app. I use OmniAuth for authentication.
I would like to provide API access but only after the user has authenticated themselves with OAuth (via twitter mainly).
Any suggestions of where to start?
EDIT: add more context as requested
Not trying to become an Oauth provider, but simply use the same login tokens. For example, you log into my app through twitter. You have both the token and secret OAuth tokens. I want to use those tokens to allow a user API access to the site.
I have a similar question: Retrieving OAuth tokens (on server) from Faraday OAuth module (from client)