I'm using OmniAuth to make OAuth and OAuth2 request token calls. I can successfully get the OAuth2 tokens but I'm finding it very difficult to work with OAuth. Specifically, generating the URL to the provider's request token endpoint. I've tried generating the URLs manually but the OAuth signature craziness blew my mind. I then tried to generate a URL with the OAuth gem but I can't seem to get it to spit out a URL. I can get it to return a token but that completely defeats the purpose of using OmniAuth.
I completely missed the /auth/:provider portion of the OmniAuth gem.
OmniAuth automatically creates the /auth/:provider route in Rails. That will magically take you to whatever grant access page is necessary for the specified provider.
My API uses the devise_token_auth (omniauth) gem for authentication in the Rails 5 backend. The frontend is using ng-token-auth (Angular 1.x).
I have all the API requests in Postman. I did the security implementation and I need to authenticate Postman with every request. Devise_token_auth uses authentication with OAuth 2 and I am having difficulty implementing this authentication.
For this type of authentication, using Postman, what is the process needed to obtain the connection?
For getting the token, there are a few things you need to set up.
The client ID and client secret are the things to be added into your identity server as clients.
The auth URL and access token URL will be provided by the identity server, and you will be able to get the URL by hitting the identity server website when it's ready for testing.
The grant type also depends on how you set up the client. For the first time, try doing the access token instead of the authorization code flow.
For the authorization code flow it's a two-step process: get the code first and use the code to get the token.
I recommend watching this tutorial, which will help you in understanding Identity Server and OAuth better.
https://app.pluralsight.com/library/courses/oauth2-openid-connect-angular-aspdotnet/table-of-contents
I am using a custom authorization server using Spring. When hitting my protected resource on the client, I am successfully redirected to the auth server. I log in and get the OAuth approval page. Once I authorize the scopes, I am redirected back to my client app with a URL such as:
http://myapp.com/login?code=UjG0wC&state=POez9N
I get that this is the authorization code and it can be exchanged for a token. However, I am having trouble finding examples of how to do this. Do I need to write code to now go and request the token from the auth server, or is there a configuration piece that I am missing? Would it be better to focus on switching to the implicit grant type?
I was missing an AuthorizationServerConfigurerAdapter, which needed to include allowFormAuthenticationForClients()
I've been struggling through Facebook authentication for a canvas app for a while. My approach is as follows:
Check the user's session for an access token.
Check the user's Facebook cookies for an access token.
Check the parameters for a signed_request.
If an access token is found during any of those 3 steps:
I make a call to the graph API requesting the /me resource.
If the call is successful, the user is logged in.
If the call fails (causes an OAuthException), I request a new access token by redirecting the user to the Facebook OAuth endpoint to obtain a code, then obtaining a fresh access token by exchanging that code.
If no access token is found in the session, cookies, or signed_request, I display a landing page.
Is this the correct procedure? I've noticed that oftentimes there is no signed_request present in the parameters if the user's access token has expired. The method Facebook endorses for requesting a fresh access token results in 2 user-facing redirects as well as an API exchange, which seems a bit heavy.
The setup I'm working in is:
Rails v3.0.8
Koala gem v1.2.1
I've followed these guides:
https://github.com/arsduo/koala/wiki/OAuth
https://github.com/arsduo/koala/wiki/Koala-on-Rails
https://developers.facebook.com/blog/post/500/
Have you considered using Omniauth? (https://github.com/intridea/omniauth) It wraps up all this stuff and lets you easily extend to other sites as well.
I have 3 web apps - A, B and C. App A contains the user database. If accessing App B and App C, I would like the user to be redirected to App A to be authenticated, and then be returned back to whichever app they tried to access. At the same time, they should be logged in to all apps. Unless anyone has a better solution, I have gone with an OmniAuth/Devise combo solution as described in this blog post.
I have forked and updated to Rails 3.1.2 a sample App A and a sample App B/C.
App A - Provider - https://github.com/RobZolkos/sso-devise-omniauth-provider
App B/C - Client - https://github.com/RobZolkos/sso-devise-omniauth-client
These sample apps work, and I get redirected to the Provider App to authenticate; however, it doesn't seem to authenticate. I have attached the log here. The provider seems to go through the motions, but then on line 26 of the log you can see that there seems to be an authentication issue.
Am I missing something simple to make these sample apps work?
I've found two issues:
Since version 0.2.1, omniauth has changed the auth parameter name from access_token to oauth_token when fetching access (the POST /oauth/token request).
Since version 0.3.0, omniauth has changed the method of passing oauth_token in the auth request (GET /auth/josh_id/user.json). Prior to 0.3.0 the token was passed through the request parameter oauth_token, but since 0.3.0 it is passed through the HTTP_AUTHORIZATION header.
I don't know how to nicely get the token from the header (I think it can be fetched by devise), so I ugly-hacked the client to send oauth_token through a GET parameter like this (in lib/josh_id.rb):
def raw_info
  # memoize the user info, passing the token as a query parameter instead of the header
  @raw_info ||= access_token.get("/auth/josh_id/user.json?oauth_token=#{access_token.token}").parsed
end
You can find fully working code in our github repos:
https://github.com/openteam/sso-devise-omniauth-client
https://github.com/openteam/sso-devise-omniauth-provider
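The answer above works around the token having moved from the oauth_token query parameter into the HTTP_AUTHORIZATION header. As an added example, not code from the openteam repositories linked above, here is a small Ruby helper that reads the token from a Rack env hash in either place, so a provider can accept the header and stop relying on the URL (tokens in query strings end up in access logs and Referer headers). The helper's name and the header forms it accepts (a bare `Bearer <token>` or `OAuth <token>` value, or an OAuth 1 style `oauth_token="..."` attribute) are assumptions; the page does not say which form the client sends.

```ruby
require 'uri'

# Added example helper, not part of the repositories above. Reads an OAuth token
# from a Rack env, preferring the Authorization header over the query string.
module TokenFromRequest
  # "Authorization: Bearer <token>" or "Authorization: OAuth <token>"
  BARE_SCHEME = /\A(?:Bearer|OAuth)\s+([^\s,="]+)\z/i
  # OAuth 1 style: Authorization: OAuth oauth_token="...", oauth_version="1.0", ...
  QUOTED_ATTR = /\boauth_token="([^"]*)"/i

  # Returns the token string, or nil when the request carries none.
  def self.extract(env)
    header = env['HTTP_AUTHORIZATION'].to_s.strip
    if (m = header.match(BARE_SCHEME))
      return m[1]
    elsif (m = header.match(QUOTED_ATTR)) && !m[1].empty?
      return percent_decode(m[1])
    end
    # Fallback for the GET-parameter hack shown above.
    URI.decode_www_form(env['QUERY_STRING'].to_s).to_h['oauth_token']
  end

  # Header attribute values are RFC 3986 percent-encoded, not form-encoded,
  # so decode %XX only and leave '+' alone.
  def self.percent_decode(str)
    str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  end
end

# Constructed sample requests, one per accepted form (not real tokens).
SAMPLE_ENVS = {
  bearer: { 'HTTP_AUTHORIZATION' => 'Bearer abc123', 'QUERY_STRING' => '' },
  oauth1: { 'HTTP_AUTHORIZATION' => 'OAuth oauth_token="t%2Fx", oauth_version="1.0"',
            'QUERY_STRING' => '' },
  query:  { 'QUERY_STRING' => 'oauth_token=q1&x=2' },
  none:   {}
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_ENVS.each { |name, env| puts "#{name}: #{TokenFromRequest.extract(env).inspect}" }
end
```

In a Rails controller the Rack env is `request.env`, so the call is `TokenFromRequest.extract(request.env)`; the provider then looks the token up exactly as it did when it came from the query string.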
I have no experience with OAuth in Rails, but I'll explain the flow I used to create my own provider in Java. It should be easy to apply this in Rails. If you use Devise with omniauth you need to find out how they provide OAuth support and which version.
Basics
Consumer logs in to the app, and gets a consumer_key and consumer_secret. This is done with a regular form, usually on a developer account.
(optional) Provider approves the created account
All OAuth requests depend on a proper OAuth header in the request. A proper header means:
All oauth attributes and their values have been alphabetically sorted
All keys/tokens active for the particular Consumer request are provided.
The request is signed using all relevant secrets. Secrets are known to the Provider and Consumer but are not included in the header.
The Provider generates the signature itself; if it is the same, the request is valid. A nonce can be used to prevent replay attacks.
2-legged flow (consumer vs provider)
Consumer requests a resource, providing consumer_key.
Provider checks the signature based on consumer_key and consumer_secret.
Access to the resource is granted.
3-legged flow (person vs consumer vs provider)
Consumer requests a resource, providing its consumer_key.
Consumer gets an unsigned oauth_token and oauth_token_secret from the Provider.
User (a person with a user account on the provider) logs in at the provider to authorize the oauth_token, providing the oauth_request_token and consumer_key.
Consumer has an authorized request_token.
Consumer uses the request_token to request an access_token, providing the oauth_request_token and consumer_key.
Provider gives an access_token and access_token_secret for the specific resource.
Consumer uses the access_token to do something.
Provider invalidates the access_token after a certain duration.
Consumer uses the request_token again to get a new access_token if expired.
A decent resource for oauth is the official site.
For 3-legged examples you can have a look at the Google OAuth playground.
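The "Basics" rules in this answer (sorted parameters, a signature over the request keyed with secrets that never travel, provider-side recomputation, a nonce against replay) are what the OAuth gem hides. As an added example, not code from any gem or project on this page, here is the HMAC-SHA1 signing and verification from RFC 5849 in Ruby, with the provider side also rejecting stale timestamps and reused nonces. The module and class names are assumptions; the sample request is the public test vector from OAuth Core 1.0 Appendix A, so the credentials are not real.

```ruby
require 'openssl'
require 'uri'
require 'set'

# Added example (not from any gem on this page): the signing and verification
# rules from the "Basics" section, implemented for HMAC-SHA1 per RFC 5849.
module OAuth1Demo
  # RFC 3986 percent-encoding as OAuth 1.0 requires: upper-case hex, '~' untouched.
  def self.encode(str)
    str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
  end

  # Signature base string: METHOD & encoded base URL & encoded normalized params.
  # The params are every query/body parameter plus every oauth_* parameter except
  # oauth_signature, each key and value encoded and then sorted.
  def self.base_string(method, url, params)
    uri = URI.parse(url)
    base_url = "#{uri.scheme}://#{uri.host}"
    base_url += ":#{uri.port}" if uri.port != uri.default_port
    base_url += uri.path
    all = (uri.query ? URI.decode_www_form(uri.query) : []) + params.to_a
    normalized = all.reject { |k, _| k.to_s == 'oauth_signature' }
                    .map { |k, v| [encode(k), encode(v)] }
                    .sort
                    .map { |k, v| "#{k}=#{v}" }
                    .join('&')
    [method.to_s.upcase, encode(base_url), encode(normalized)].join('&')
  end

  # HMAC-SHA1 keyed with "consumer_secret&token_secret" (empty token secret for
  # 2-legged calls). The secrets never travel in the request, only this signature.
  def self.sign(method, url, params, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    [OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params))].pack('m0')
  end

  # Provider side: recompute the signature with the secrets it holds, compare in
  # constant time, and reject stale timestamps and reused nonces (replay).
  class Verifier
    WINDOW_SECONDS = 300

    def initialize(consumer_secrets, token_secrets = {}, now: -> { Time.now.to_i })
      @consumer_secrets = consumer_secrets # consumer_key => consumer_secret
      @token_secrets = token_secrets       # oauth_token  => token_secret
      @seen_nonces = Set.new
      @now = now
    end

    def valid?(method, url, params)
      consumer_secret = @consumer_secrets[params['oauth_consumer_key']]
      return false unless consumer_secret
      token_secret = @token_secrets.fetch(params['oauth_token'], '')
      return false if (@now.call - params['oauth_timestamp'].to_i).abs > WINDOW_SECONDS
      nonce_key = params.values_at('oauth_consumer_key', 'oauth_timestamp', 'oauth_nonce')
      return false if @seen_nonces.include?(nonce_key)
      expected = OAuth1Demo.sign(method, url, params, consumer_secret, token_secret)
      return false unless secure_compare(expected, params['oauth_signature'].to_s)
      @seen_nonces << nonce_key
      true
    end

    private

    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
    end
  end

  # Public test vector from OAuth Core 1.0, Appendix A (no real credentials).
  SPEC_URL = 'http://photos.example.net/photos'
  SPEC_PARAMS = {
    'file' => 'vacation.jpg', 'size' => 'original',
    'oauth_consumer_key' => 'dpf43f3p2l4k3l03', 'oauth_token' => 'nnch734d00sl2jdk',
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1191242096',
    'oauth_nonce' => 'kllo9940pd9333jh', 'oauth_version' => '1.0'
  }.freeze
  SPEC_CONSUMER_SECRET = 'kd94hf93k423kf44'
  SPEC_TOKEN_SECRET = 'pfkkdhi9sl3r4s00'

  # Consumer signs once; the provider must accept it once, then reject the
  # identical replay and a tampered copy.
  def self.demo
    sig = sign('GET', SPEC_URL, SPEC_PARAMS, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET)
    signed = SPEC_PARAMS.merge('oauth_signature' => sig)
    provider = Verifier.new({ 'dpf43f3p2l4k3l03' => SPEC_CONSUMER_SECRET },
                            { 'nnch734d00sl2jdk' => SPEC_TOKEN_SECRET },
                            now: -> { 1_191_242_096 + 10 }) # clock pinned near the vector
    tampered = signed.merge('size' => 'large', 'oauth_nonce' => 'fresh-nonce')
    {
      signature: sig,
      first_call_ok: provider.valid?('GET', SPEC_URL, signed),
      replay_ok: provider.valid?('GET', SPEC_URL, signed),
      tampered_ok: provider.valid?('GET', SPEC_URL, tampered)
    }
  end
end

puts OAuth1Demo.demo.inspect if $PROGRAM_NAME == __FILE__
```

The nonce set is in memory here; a real provider keeps it in shared storage keyed by consumer and bounded by the timestamp window, otherwise the replay check silently fails across processes.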
I am using Rails with omniauth plugin to authenticate my application via LinkedIn. Currently, I store the linkedin token which omniauth returns if the user successfully authorize the application:
"oauth_token"=>"9dd623ad-1e21-2cec-9ede-107e1f8e9e18"
I am also using linkedin plugin to get user's Linkedin information. The problem is; the plugin requires two tokens like the following:
client.authorize_from_request(rtoken, rsecret, pin)
c.authorize_from_access("OU812", "8675309")
How can I use the omniauth's token in linkedin plugin? Any idea?
OmniAuth is for authentication only. AFAIK you won't be able to use the API with that oauth token alone. You'll still need to send the user off to LinkedIn to authorize API access by doing something like
client.request_token(:oauth_callback =>'your callback url')
See example here:
http://pivotallabs.com/users/will/blog/articles/1096-linkedin-gem-for-a-web-app
Update:
I was able to reuse the access token and access secret that I received upon the Omniauth callback from LinkedIn and pass them on to client.authorize_from_access, and got access to the LinkedIn API that way. Your mileage may vary as I had to customize the linked_in gem to fit my workflow a bit, but once Omniauth gets the access token and secret you no longer need to call client.authorize_from_request.