I have both a Desktop application and a mobile application. I want to use the same Rails application for both "devices". In other words, I want the mobile application to request content from the Desktop application.
I use Devise for authentication (email + password).
I have implemented Doorkeeper on the Desktop app in order to generate an OAuth2 token for my mobile application.
Here are my questions:
I have before_filters set in my Desktop application controllers in order to secure them.
I am not sure how the mobile application should share the OAuth2 token with Devise in order to be authenticated and access my protected controllers?
In fact, right now, it is Doorkeeper that should check the mobile token in my controllers with the doorkeeper_for :all code. But to do that I have to disable the Devise protection before_filter :authenticate_user!...
Should I save the OAuth token in Devise too?
Am I misunderstanding how mobile applications should authenticate with Devise and the OAuth2 protocol?
Thanks
This is old, but doesn't have an answer yet.
Essentially Devise and Doorkeeper are doing the same thing: Devise authenticates using sessions (or token auth if you have enabled that), while Doorkeeper authenticates with OAuth tokens sent in every request.
What you probably want to do is split your application into two access points: regular desktop access using Devise, and an API that uses Doorkeeper. Enable Devise routes only for the regular desktop controllers and enable Doorkeeper routes only for the API controllers.
In your API Application Controller, you can override current_user to be something like User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token. This will match the way Devise authenticates as well.
Alternatively, if your API doesn't have to use OAuth, you could use Devise's :token_authenticatable config, which provides similar features to OAuth's Bearer Tokens.
I'm not sure if I understood your question, but Doorkeeper locks your controller completely. No access via Devise authentication is possible if you have doorkeeper_for :all in your controller.
You will need a separate controller to share your data via OAuth2, like an API controller for instance. Then you can request data e.g. via protocol://myapp:1234/resource?access_token=thetoken.
Is that what you asked for? Else please clarify :)
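The "separate API access point" that the two answers above describe, as an added example that is not code from either answer or from Doorkeeper: a pure-Ruby model of what `doorkeeper_token` and the overridden `current_user` do on the API side, written so that it runs without Rails. `TokenStore`, `ApiAuthenticator`, `User` and the constructed tokens are assumptions; in a real app Doorkeeper's `doorkeeper_authorize!` filter (the successor to `doorkeeper_for :all`) does the lookup against its access-token table and the controller then calls `User.find(doorkeeper_token.resource_owner_id)`.

```ruby
require 'digest'
require 'securerandom'

# Added example, not code from the answers above or from Doorkeeper. Models the
# API access point: a bearer token in the Authorization header is the only
# credential consulted; the Devise session cookie is never read on this path.
User = Struct.new(:id, :email)

# Stand-in for Doorkeeper's access-token table. Tokens are keyed by SHA-256
# digest so a leaked table does not yield usable bearer tokens.
class TokenStore
  Record = Struct.new(:resource_owner_id, :expires_at, :revoked_at, :scopes)

  def initialize
    @records = {}
  end

  # Returns the plaintext token once; only its digest is kept.
  def issue(resource_owner_id, scopes:, ttl: 7200, now: Time.now)
    plaintext = SecureRandom.hex(32)
    @records[digest(plaintext)] = Record.new(resource_owner_id, now + ttl, nil, scopes)
    plaintext
  end

  def revoke(plaintext, now: Time.now)
    rec = @records[digest(plaintext)]
    rec.revoked_at = now if rec
  end

  def lookup(plaintext)
    @records[digest(plaintext)]
  end

  private

  def digest(plaintext)
    Digest::SHA256.hexdigest(plaintext)
  end
end

# The equivalent of doorkeeper_authorize! plus the current_user override.
class ApiAuthenticator
  Result = Struct.new(:http_status, :error, :user, :token)

  def initialize(store, users_by_id)
    @store = store
    @users_by_id = users_by_id
  end

  # headers is a Rack-style env hash; only HTTP_AUTHORIZATION is consulted.
  # Errors follow RFC 6750 section 3.1: bare 401 when no credentials were sent,
  # invalid_request for a malformed header, invalid_token for unknown, expired
  # or revoked tokens, insufficient_scope (403) when the scope does not cover
  # the request.
  def authenticate(headers, required_scope: nil, now: Time.now)
    header = headers['HTTP_AUTHORIZATION']
    return Result.new(401, nil, nil, nil) if header.nil?
    plaintext = bearer_token(header)
    return Result.new(401, 'invalid_request', nil, nil) if plaintext.nil?

    token = @store.lookup(plaintext)
    return Result.new(401, 'invalid_token', nil, nil) if token.nil?
    return Result.new(401, 'invalid_token', nil, nil) if token.revoked_at || token.expires_at <= now
    if required_scope && !token.scopes.include?(required_scope)
      return Result.new(403, 'insufficient_scope', nil, token)
    end

    # current_user for the API: User.find(doorkeeper_token.resource_owner_id)
    user = @users_by_id[token.resource_owner_id]
    return Result.new(401, 'invalid_token', nil, token) if user.nil?
    Result.new(200, nil, user, token)
  end

  private

  # "Bearer" followed by a b64token, RFC 6750 section 2.1.
  def bearer_token(header)
    return nil unless header.is_a?(String)
    m = %r{\ABearer\s+([A-Za-z0-9\-._~+/]+=*)\z}.match(header)
    m && m[1]
  end
end
```

The `access_token=...` query-string form in the second answer is one Doorkeeper accepts by default (its `access_token_methods` setting), but a token in the URL ends up in web-server logs, proxy logs and browser history, so the mobile client should send the header. Because the API controllers never install Devise's `authenticate_user!` and never read the session, a browser session on the Desktop side grants nothing on the API side, which is the split the first answer recommends.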
I'm using Devise in a Rails 3 app for authentication.
I have another app that updates records in a table via the REST interface. Currently, I can't have before_filter :authenticate_user! in that table's controller.
Is there a way to supply a username, password via the REST interface? Or some other method to get the REST input authenticated?
You can use token authentication to send params to the REST API securely using either https://github.com/gonzalo-bulnes/simple_token_authentication or https://github.com/lynndylanhurley/devise_token_auth
OAuth2 is driving me crazy.
Currently, my Rails application authenticates users through Facebook, and soon other OAuth2 providers, thanks to the beauty of Devise & OmniAuth. Users can't sign in with login & password.
But as my application is mainly an API, I also want it to act as an OAuth2 provider, to protect data.
Thus, the user signs in with Facebook -> my application obtains an Access Token, and then -> provides the user a new Access Token to access my API -> my AngularJS application (or any other app) uses this token to access my API without knowing the Facebook or Google Access Token.
It looks like I need to forward an OAuth2 token to the client with a custom provider.
I discovered the doorkeeper gem... but I can't understand how to articulate it with Devise & OmniAuth.
I found many partial answers here, but not a complete one.
I will appreciate any help, good tutorial, or more complete answers.
Here is a simple tutorial to get you started. Thanks to Andrea!
1. Server Application (Devise + Doorkeeper)
http://dev.mikamai.com/post/110722727899/oauth2-on-rails
2. Client Application (omniauth-oauth2)
http://dev.mikamai.com/post/112508735689/oauth2-on-rails-the-client-application
P.S. Minor Errata!
1. When you generate the APP_ID and SECRET_ID for the client application from the server application - using http://localhost:3000/oauth/applications/new - enter the callback url http://localhost:3001/auth/doorkeeper/callback
Or, if you see this after the error, go back to http://localhost:3000/oauth/applications/ and edit the callback url. We can't use http://localhost:3001/doorkeeper/callback because this is not the route the tutorial is using from the Client Application.
2. In the client application include the callback action definition as below and change the to_json method to as_json.
../oauth-client/app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  # OmniAuth lands here after the Doorkeeper server has issued the token;
  # the auth hash it built (including the credentials section with the
  # access token) is in request.env['omniauth.auth'] and is rendered as JSON.
  def authentication_callback
    auth = request.env['omniauth.auth']
    render json: auth.as_json
  end
end
Cheers!
I have a Rails application with admin accounts using Devise for authentication. I am creating a second application and would like to authenticate using the first application instead of duplicating admin accounts in the second application. So my idea is to turn the first application into an OAuth provider so that the second app can simply act as an OAuth client using something like OmniAuth. Have you done this before? Is there a plugin which adds the ability to Devise to be able to act as an OAuth provider? What do I need to change/add in order to turn the app into an OAuth provider?
Use the Doorkeeper gem. It's easy to introduce OAuth 2 provider functionality to your application. It can also be integrated with Devise.
Doorkeeper also provides a configuration option to auto-approve and skip the authorization step. This is useful when working with a set of trusted applications, so that you don't confuse your users by requiring them to "authorize" your company's trusted app.
# in config/initializers/doorkeeper.rb
Doorkeeper.configure do
  # ...other config options...
  skip_authorization do
    true
  end
end
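Two of the authorization-server decisions touched on this page, as an added example that is not code from the tutorial, from the answer above or from Doorkeeper: the redirect-URI check behind the callback-URL erratum in the tutorial answer (the callback the client sends must match the one registered for it on the server), and the policy that belongs inside `skip_authorization` when it is meant to cover only trusted first-party applications rather than returning `true` for everyone. Pure Ruby with no Rails dependency; `Client`, `ResourceOwner`, `AuthorizationPolicy` and the sample clients are assumptions. Doorkeeper yields `|resource_owner, client|` to the `skip_authorization` block, so `skip_consent?` below is the shape of what would go there.

```ruby
require 'uri'

# Added example, not the tutorial's or Doorkeeper's code. Models two decisions an
# OAuth2 authorization server makes before issuing a code: is the requested
# redirect_uri one the client registered, and may this client skip the consent
# page. Client, ResourceOwner and AuthorizationPolicy are assumed names.
Client = Struct.new(:name, :redirect_uris, :confidential, :first_party)
ResourceOwner = Struct.new(:id, :admin)

module AuthorizationPolicy
  module_function

  # Strict form of the redirect_uri check: the whole requested URI must equal one
  # registered string (RFC 6749 sections 3.1.2.2 and 3.1.2.3). A host-only or
  # prefix match would accept http://localhost:3001/doorkeeper/callback for a
  # client registered with .../auth/doorkeeper/callback, and in general lets any
  # path on that host receive the authorization code.
  def redirect_uri_allowed?(client, requested)
    return false unless requested.is_a?(String) && !requested.empty?
    uri = URI.parse(requested) rescue nil
    return false if uri.nil? || uri.fragment # RFC 6749 3.1.2: no fragment allowed
    client.redirect_uris.any? { |registered| registered == requested }
  end

  # What belongs in Doorkeeper's `skip_authorization do |resource_owner, client|`
  # block for the trusted-app case: skip consent only for a first-party client
  # that can keep its secret. A public client (mobile app, SPA) or a third-party
  # app always gets the consent page, whatever the resource owner's role.
  def skip_consent?(_resource_owner, client)
    client.first_party && client.confidential
  end

  # Outcome for one authorization request. An unregistered redirect_uri must
  # produce a locally rendered error, never a redirect to the unvalidated URI
  # (RFC 6749 section 4.1.2.1).
  def decide(client, resource_owner, params)
    return :render_error_locally unless redirect_uri_allowed?(client, params['redirect_uri'])
    skip_consent?(resource_owner, client) ? :grant_without_consent : :show_consent_page
  end
end
```

The unconditional `true` in the answer's `skip_authorization` block is fine only while every registered client is your own; once a third party or a public mobile client is registered, a policy like `skip_consent?` keeps the consent screen for them while still sparing users the prompt for your own confidential apps.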
We are working on an iPhone app that's driven by an API in Rails. How would login functionality be implemented in Rails? We don't want to use cookies as it's not really 'web', so I am wondering how login is implemented in an API.
Thanks
You can use Token Based Authentication. Rails has the authenticate_or_request_with_http_token method, which handles authorization for tokens. Tokens help in authorization as they can be expired and recreated at any point. You can have a before_filter to check for the authentication.
I'm developing a Facebook app with Rails that uses external APIs from my own domain. The problem is that my domain requires authentication, which is done via OAuth. It's not clear to me how to deal with this pattern. I'm not sure I can make OAuth calls from a Facebook app, thus requiring two separate registrations. Is there a way to pass a Facebook access token so that I know the user is authenticated through Facebook?
If you are using (or can use) Rails 3.0+, Devise has a good section on how to authenticate via Facebook or a Google account.
Once a user has used this method to authenticate to your web app, their session is handled in the same way as a regular login session, so you can just use the current_user.nil? or user_signed_in? helpers to determine whether the user is authenticated or not.