I have 2 domains on one app - example1.com and example2.com. It is necessary to log in at all, when authorization in any of them via rails4 devise gem.
How is it implemented?
Check this answer. You must redirect your login request in domain1.dn, after if login success, redirect to domain2.dn and set cookies !
Related
I'm currently testing my Ruby on Rails project Omniauth with Facebook functionality and no how I enter my Redirect URI it fails.
The exact error is:
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
If I do,
https://localhost:3000/users/auth/facebook/callback
it then complains about trying to an ssl certificate to a non ssl puma. Are there any suggestions for this issue? Perhaps, working on my SSL certificates or any other solution.
I've been looking into similar posts and nothing has solved this issue. Please advise.
I am trying to use HTTP Basic Authentication over Devise for my Rails app. I have done following settings ->
config.http_authenticatable = true in the devise initializer
And
:database_authenticatable strategy in my USER model.
When I try to access a web service
mysite.com/user/list.json?email=test#mysite.com&password=test123
The username password is not recognized. A credentials box pops up where on entering the credentials I am authenticated to use the data.
How can I provide the credentials in the URL and avoid the pop up prompt?
HTTP Basic Auth, is passed through HTTP Headers, not GET or POST params.
I found a way of doing this-->
http://username:password#test.com/users/list.json?
I'm using Devise 3.5 with Omniauth in a Rails 4 app. I've created an integration with Facebook that allows a user to connect their Facebook account to my app. Currently when the user clicks the connect button, they're sent to /user/auth/facebook and then redirected to the callback url that Omniauth generates: /user/auth/facebook/callback. What I'd like to do is manually override this callback url in some cases - meaning that I don't want to override it in an initializer - with a fully qualified url. For example, if a user starts out on http://www.example.com/ I might want to override the default callback url with http://app.example.com/user/auth/facebook/callback.
My app has dynamic subdomains and a user will (almost) always begin the authentication process on a subdomain. Unfortunately it seems that Facebook doesn't support wildcards in oauth redirect urls, which is why I want the ability to detect if a user is on a subdomain and adjust the callback url to something that I have whitelisted on my Facebook app so that the authorization process succeeds.
From what I've read, the url helper omniauth_authorize_path accepts additional arguments to be passed on as parameters. I've tried passing a custom callback path in like so, but without success:
user_omniauth_authorize_path(:facebook, callback_path: #custom_callback)
I've also tried changing callback_path to redirect_url and redirect_uri, but nothing seems to work. When I look at the link that's generated, it does indeed include the callback as a parameter in the url, but when I click the link, I'm redirected back to the default callback url instead of the custom callback url.
Here's how I solved this problem. I'm sure there are other ways, but this seems like the simplest most elegant solution I could come up with.
In config/routes.rb I set up an auth subdomain. All my Oauth connect requests will start on different subdomains and then Facebook is set up to forward those users back to the auth.example.com subdomain.
constraints AuthRedirect do
devise_scope :contact do
get '/auth/facebook/callback' => 'omniauth_callbacks#facebook'
post '/auth/facebook/callback' => 'omniauth_callbacks#facebook'
end
end
Here is /lib/auth_redirect.rb. This just checks if the subdomain is auth and captures that traffic. This is placed at the top of my routes list so as to take precedence over other subdomains.
class AuthRedirect
def self.matches?(request)
request.subdomain.present? && request.subdomain == 'auth'
end
end
Then in my client, when a user clicks the Connect with Facebook button, I send them to /auth/facebook?contact_id=<id>. From here Devise directs them to Facebook, which then redirects them back to https://auth.example.com/.
Then in OmniauthCallbacksController#facebook I can pull the user's id from the omniauth params like so:
auth = env["omniauth.auth"]
contact = Contact.find(env['omniauth.params']['contact_id'])
From here I can persist the credentials to the database and the redirect the user back to the appropriate subdomain. This solution avoids problems with CSRF tokens and more importantly does not require me to use Ruby/ERB to build the omniauth authorize path that the user is sent to when they click the connect button.
have you tried with redirect_uri ?
user_omniauth_authorize_path(:facebook, redirect_uri: #custom_callback)
EDIT: sorry I missed the second part of your post.
I actually have the same problem in production but it works perfectly on a staging environment. The only difference is about the callback url on staging which has one more subdomain *.staging.domain.com
By the way you can provide a static callback_url in the devise initializer file:
config.oaumniauth :facebook, ..., callback_url: 'url right here'
I'm on this issue this yesterday.
Either I provide a static callback url but facebook raises me an CRSF error:
omniauth: (facebook) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
Or I let devise set the callback_url dynamically which gonna look like
https://*.domain.com/DEVISE_MODELS/auth/facebook
and in this case I get a straight non matching/whitelisted callback url during FG loggin in process.
EDIT2:
GOOD! I made it. I'm able to get oauth login in with wildcard subdomain.
Provide a static callback_url in your devise initializer
add the domain to your session store as :
domain: ".domain.com"
With that I'm getting neither CRSF error nor nunmatching CB url/whitelisted.
Hope it'll work for you !
I'm trying to implement login with google to my web site.
The users can visit my site in 3 domains
1) regular link (HTTP and WWW...)
2) http://example.com - no www
3) apps.facebook.com/example - facebook app
We want to allow the user connect google in those three options.
We're using gapi (google javascript library) in order to authenticate the user.
My code looks like:
var config = {
'client_id': 'my_client_id',
'scope': 'my_scopes',
**'redirect_uri' : "https://www.example.com/oauth/",**
'immediate': immediate
};
**gapi.auth.authorize(config, function(){});**
As you can see I'm setting my redirect uri as part of the config of gapi.
We've created some popup in order to give the same uri for the three domains.
My problem is that in case I'm login to my site from the domain without the WWW, the authorize isn't working and the user isn't redirect to the redirect_uri link - which means, we don't have his token.
In case I'm removing the WWW in the redirect_uri (so it will looks like https://example.com/oauth/)
the facebook domain isn't working...
It's so frustrated..
Is anyone familiar with this kind of problem?
Any idea?
We've spent on it too many hours....
Thanks
Z
You can register multiple redirect URIs for a single client in the Google API Console so you would register one for each domain and pass the one for the currently accessed domain in the redirect_uri parameter of the authorization request. You don't need to use the same redirect URI across your domains so that should solve your state/token restoration problems.
Running Rails 3.2.1 with devise-2.0.4.gem and devise_ldap_authenticatable-0.4.4.gem.
Everything is working fine with HTTP. However, when deployed to production which uses HTTPS, after the user logged in, browser switches to HTTP which results in an error, since the production URL only supports HTTPS. If I manually add a "s" back in the URL, then I can con't with the rails app. The app itself has not problems maintaining the HTTPS protocol.
Similar with sign-out in that the even though the sign-out link is HTTPS, clicking on the link will go to HTTP and fails.
Since the app can navigate around with HTTPS, it seems it's devise that's having trouble keeping the HTTPS protocol. Any idea? At this point, I don't even mind hard coding HTTPS for production.
Have you read the Devise Wiki page about SSL? I think this might fix your problems: How To: Use SSL (HTTPS). All the steps to use HTTPS with devise are explained there.
If this is no help you should post your devise auth code here.
I solved my problem by setting the after_sign_in_path_for and after_sign_out_path_for in my application_controller.rb:
# Tell Devise to redirect after sign_in
def after_sign_in_path_for(resource_or_scope)
'https://www.xyz.com/'
end
# Tell Devise to redirect after sign_out
def after_sign_out_path_for(resource_or_scope)
'https://www.xyz.com/'
end