I'm using Omniauth with Devise using the google_oauth2 strategy.
It works well, but now I'd like to change the authorize path with something of my choice.
Actually it's http://localhost:3000/users/auth/google_oauth2 while I'd like a much simpler http://localhost:3000/login since it's simple to remember.
It would not raise any error since I've disabled the Devise database authenticable (the only way to login is through a google account).
How can I do?
Thanks.
You can see how to change url prefix here How to change route of omniauth from /auth/:provider to /myapp/auth/:provider
So it is almost what you need.
Related
I'm have omniauth working in my Rails app on the top level domain.
Now I want to do it on any given subdomain (users each get their own subdomain assigned dynamically).
I can't find a way to dynamically change the callback url on the fly with omniauth
Leaving it as is, in the callback I can see the referrer and know which subdomain they came from, and log them in, but when I then redirect them to their subdomain they are logged out because the session was on the top level domain.
I'm using the omniauth-facebook gem if that matters: https://github.com/mkdynamic/omniauth-facebook
What's the best way to handle this?
I don't think that Omniauth let's you change this dynamically, but you can share the session between all subdomains, and continue to use the redirection approach. Just change your session_store to include domain (and tld_length if you need it - more details here)
Rails.application.config.session_store ... , domain: :all
I hope this does not count as an opinionated question. I just need to be pointed in the right direction.
I am modifying the Devise gem to work purely with JSON. I have had no problems with the registration, confirmation, re-confirmation, locking so far.
However, while working with the sign in, I dug deeper and understand that the default Devise sign in strategy uses Warden as it has to do with sessions and Rack authentication.
I understand JWT contains all the information in itself and does not need sessions.
So if I strip the default Devise strategy of everything and simply return a JWT on success and errors on error, would that be the right approach?
Am I missing something?
In order to use JWT with devise, I recommend to not monkey patch devise and instead use a tool others can audit and test.
For this reason, I developed devise-jwt. It does zero monkey patching and leverages warden, which is the authentication library below devise. You can also read more about it in this post I wrote: A Secure JWT Authentication Implementation for Rack and Rails
Hope it helps
I wouldn't use devise_token_auth since it seems like too much hassle and ... you store tokens in db :/. Why would we want to do so if JWT is available.
I'd rather add a new strategy to Warden/Devise couple and let them work as they should.
Here's an example: https://medium.com/#goncalvesjoao/rails-devise-jwt-and-the-forgotten-warden-67cfcf8a0b73 . One thing to note: JWTWrapper doesn't really belong to app/helpers/ . You need to inject somewhere a call to JWTWrapper.encode({ user_id: current_user.id }) once your users successfully signs in with their email/password. Perhaps in the Devise SessionsController?
def create
self.resource = warden.authenticate!(auth_options)
sign_in(resource_name, resource)
yield resource if block_given?
render json: JWTWrapper.encode({user_id:current_user.id})
end
You might want to do this only for xhr or json (format) requests
You probably shouldn't be hacking your Devise gem source. I suggest to just use Devise Token Auth gem to handle tokens instead.
https://github.com/lynndylanhurley/devise_token_auth
It will generate and authenticate valid RFC 6750 Bearer Tokens.
According to their README.
Seamless integration with both the the venerable ng-token-auth module for angular.js and the outstanding jToker plugin for jQuery.
Oauth2 authentication using OmniAuth.
Email authentication using Devise, including:
User registration
Password reset
Account updates
Account deletion
Support for multiple user models.
It is secure.
Sorry for late answer, but I'm actually working on the same problem, and want to share my opinions on that.
First, I would emphasize not changing Davise sources, this will likely bring you to further problems, especially when Devise code changes.
On the other hand, as I have encountered devise-token-auth, it might not be viable for your needs, especially in distributed systems (SOA). Perhaps I'm wrong, but as I see devise-token-auth, you can't add Subjects to restrict user access solely on the token. If you don't need this feature, you really should try devise-token-auth.
If you want to store additional information in the token, you could try to authenticate against a regular devise or devise-token-auth and then encode your information using a JWT gem.
Example can be found here: https://www.sitepoint.com/introduction-to-using-jwt-in-rails/
In my application I have at this point a authentication function through oauth, but before of that I would like to have a login page, so I want to use Devise to create that. The problem that I am facing is that bought Device and my authentication method require a before_filter, and both methods redirect to a page, and because of that I get an error saying that I have to redirects. How can I fix this problem?
Thank you
I don't know explicitly what you are doing and what are your actual requirements but as far as I know you don not need before filter. you need to provide both options for login, authentication with devise and Omniauth.
I am referring you to some links consult it.
Mandatory:
http://www.samionrails.blogspot.com/2013/08/google-omni-auth-with-devise-tutorial.html
Optional:
https://github.com/intridea/omniauth/wiki/Managing-Multiple-Providers
http://www.samionrails.blogspot.com/2013/08/authenticate-user-using-omniauth.html
Using OmniAuth (with omniauth_crowd), I'd like user to be redirected back to the login page if he doesn't submit right username and password. It works fine in production, but I have annoying problem testing it.
To mock OmniAuth provider, I use the following code, as recommended by the author of OmniAuth plugin:
OmniAuth.config.test_mode = true
OmniAuth.config.mock_auth[:someProvider] = :invalid_credentials
visit_page #page
The code above automatically (i.e. without entering username and password) redirects Capybara to the session#failure. My session#failure redirects to the login_path.
Thus I end up in a loop:
redirected more than 5 times, check for infinite redirects. (Capybara::InfiniteRedirectError)
What is the best workaround for my case?
I had a simular issue with Omniauth.
Not sure if there is a workaround, since it is the way OmniAuth.config.mock_auth works.
My solution was to use fakeweb instead of the OmniAuth mocking.
You should probably start off by looking at how omniauth_crowd is tested itself.
Here is a good example:
https://github.com/robdimarco/omniauth_crowd/blob/master/spec/omniauth/strategies/crowd_spec.rb#L49-69
As title, warden is very pluggable, I wonder if there is anything works with warden/devise?
I use http://github.com/ryanb/cancan with Devise, its great and requires very little setup, you only have to define the abilitys as CanCan defaults to using current_user for the logged in user, which devise provides.
I used acl9 with Devise. https://github.com/be9/acl9
I needed to dynamically grant authorization at the object level, which I don't think you can do with CanCan.
I've also used CanCan with Devise. It requires very easy to setup and all your authorization logic resides in a single file, in that way its very modularized.
You could try this, which might be able to work alongside:
http://railscasts.com/episodes/188-declarative-authorization