I want to implement an openid server which could interact with multiple providers to authenticate users. Basically I am looking for something like StackOverflow does for login.
I was looking into ruby-openid but it does not seem to be maintained with last commit 2-3 years back.
Can someone suggest me good gem /plugin or resource for implementing Open-id in Rails 3.2
Requirement :
Should be able to host my own open id server
Allow user to use multiple options like(google/ blogger / yahoo..etc)
Should work well with Rails 3.2 / ruby 1.9.3
There are a few useful gems:
OAuth
OmniAuth
P.S. ruby-openid is actially well maintained - last commit 18 days ago... ;)
You can include it in your application from it's Git Repository by adding this line into your Gemfile:
gem 'ruby-openid', :git => 'https://github.com/openid/ruby-openid.git'
Try OmniAuth
http://www.omniauth.org/
or you can also user RubyCAS Server
http://code.google.com/p/rubycas-server/
Try This OmniAuth and See Video you can easily Understand and implement
Part - 1 : http://railscasts.com/episodes/235-omniauth-part-1
Part - 2 : http://railscasts.com/episodes/236-omniauth-part-2
Related
Hello i've run into a bit of a problem with the omniauth-twitter gem, i have followed the documentation to a t and when i go to localhost:3000/auth/twitter i get a no matching route error. I've googled this issue for hours to no avail, I've searched stack overflow to no avail, the only lead i managed to get was on issue on github which was answered with a link to a page which no longer exists all other "solutions" involved misconfiguring devise, which im not even using.
I literally only have the bare minimum code from the documentation that should at least redirect me to the twitter login.
Might this have something to do with the 3-legged oauth being enabled in my twitter app in the developer portal?
Has anyone else run into this issue?
I finally found the solution:
The issue originates with the new CSRF protections due to Omniauth vulnerabilities, to use omniauth with rails for twitter you must use the
omniauth-rails_csrf_protection gem by Cookpad
I am using gem omniauth and when I push my code to Github, it shows me a security warning because of the gem.
CVE-2015-9284
high severity
Vulnerable versions: <= 1.9.0
Patched version: No fix
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
However, it seems that I am using the latest version
Is there any possible fix, or should I skip this for now?
This was reported in omniauth/omniauth issue 960 and discussed in PR 809 "Protect request phase against CSRF when Rails is used. "
It includes:
So we have implemented the omniauth-rails_csrf_protection solution, but previously we had our 3rd party OAuth provider log people in after they had verified the registration and redirect them to our /auth/provider endpoint.
This would now require them POSTing to the endpoint with a CSRF token, which is not possible as they are on a separate platform/system.
Should the omniauth readme be updated to mention that anyone using omniauth with rails should also use omniauth-rails_csrf_protection?
See commit 0264706 as an example of using that setting.
gem "omniauth-rails_csrf_protection"
Or... coreinfrastructure/best-practices-badge PR 1298
I hate to bring in a third-party shim to fix a security issue, but upstream omniauth has still not fixed its vulnerability, and it's a CVE report from 4 years ago (2015).
The omniauth folks are still discussing how to fix it, and my patience has been exhausted.
I reviewed the shim code, and I don't see any issues. This is a vulnerability that allows account takeover, so I think ignoring it is extremely unwise. It's not trivial to exploit, but it's real.
I've set up a basic rails application to use twitter oauth gem and devise and have been able to log in a user. However, my problem is I've now got my app white-listed and I would like to get a user's email back in the response. I've followed all necessary steps on the twitter side (setting necessary permissions, URLS, and reset keys) and have tried passing both
include_email=true
and
include_email=email
as a params when I initiate the oauth sequence. I feel like I've read and re-read the docs and tried few edge cases I thought might work based off of very little I've found on-line.
Any help with this? Something I'm missing if you've done this before?
I solved my problem. The omniauth gem was not the latest version which would include email. In my gem file I needed to declare '~> 1.2.1' where I had version 1.2.0 - - the new version includes the following changes you can read about here: https://github.com/arunagw/omniauth-twitter/pull/96
I've been attempting to get Ruby on Rails 4.1 to talk to our salesforce instance using the gem omniauth and gem restforce as per this instruction link here.
All seems to be going alright, I got things up and running, with a hyperlink that takes me to a salesforce login and seems to return to the callback correctly. However when it does i get the error:
OAuth2::Error
Missing_OAuth_Token
This leaves me really confused and mystified, my oauth token should surely be supplied by the callback?
I have my client_id and client_secret stored in the app and they appear to load in correctly. Adding my salesforce login and password through omniauth should provide all it needs right? I don't see anywhere else in the omniauth gem docs or restforce gem to stick an oauth token... and even then i'm not sure where i'd get it from.
I'd read that there had recently been some authentication failures with the gem omniauth and there is a current issue request to put out a new version. If I specify my gem to pull directly from the github. I get a similar bit distinct error that I have posted about here.
Could anyone give any advice on:
Where I should expect the missing Auth_Token to come from (I really can't work out if I'm supposed to be providing it in my app or if that's what comes back from salesforce
How would be best to go about debugging this? (i'd thought about using debugger but as it pings to code outside of my rails app i'm unsure how much help this would be.
What the correct way would be to go about setting this up properly!
Any help would be greatly appreciated!
This was actually a bug in the omniauth-salesforce gem - https://github.com/realdoug/omniauth-salesforce/pull/13.
There was a minor change to the way the Salesforce API worked which was resolved in the above pull request. You must have upgraded your gem which solved the problem.
I am new to Ruby on Rails 4 and I started with the tutorial http://ruby.railstutorial.org/ruby-on-rails-tutorial-book and in this tutorial fo user's signup 'bcrypt' is used, however for my project I would like to have more options like email confirmation, password reset etc..So my question is, can I achieve all of this using existing rails 4 without any gems or do I need to use the 'devise' as suggested by some others in stack overflow. Also, can I use 'devise' gem along with 'bcrypt'?
Short answer: Devise isn't required. You can write all the authentication / email confirmation / password reset logic yourself. There's nothing inherently 'magical' about Devise, it's just a well-written solution to a common problem.
However...
Writing a complete (and secure) authentication system isn't an easy task. I'd recommend working through the tutorial and letting it guide you through writing your own authentication system there.
Then you'll be in a better position to understand how web app authentication works and whether or not to use Devise.
FYI, Devise already uses bcrypt, as seen on its gemspec:
s.add_dependency("bcrypt-ruby", "~> 3.0")