I'm looking for a nice, customisable way to authenticate users via OpenID. I'm using sorcery and so far it works like a charm: it has support for email-based login and OAuth-based login. However, it has no support for OpenID, and I wouldn't like to use existing authentication gems like Omniauth and the likes. I also find Ryan Bates' tutorial a bit outdated. Note that I also did some search on this topic on SO. All rants date to 2009, and I fear that implementation may not work (I also want to avoid another trial-and-error spike testing).
Any suggestions?
I've been working on GlitterGallery. I remember struggling with old docs and had blogged about the route I took to make OpenID login work. You might be interested to look it up here. I'm not sure if there's anything better available now, but I'll be coming back and I'll update the post accordingly; cheers!
Related
I have been searching a lot on the net to get facebook-connect integrated with authlogic in rails3. There are a number of solutions based on facebooker, oauth etc. but none of them seem to say anything on whether they work with rails 3 or not. Can anyone guide to me on how to get facebook-connect working with authlogic in "rails3". I see that there are a lot of questions related to this on the site but none seems to have actually answered the question.
I strongly recommend you to use http://www.janrain.com/products/engage with this gem https://github.com/tardate/authlogic_rpx. This combo works amazing with two of my projects and it is free if you only want to use authentication (like in my case).
PS. look at railscast: http://railscasts.com/episodes/233-engage-with-devise. I know that, this podcast show how to use Janrain with Devise, but it helped me with Authlogic so it also can help you.
I'm looking to build an application that handles authentication and authorization for a variety of smaller apps that may or may not be rails applications (e.g. some with sinatra, some with non-ruby frameworks, etc). These applications will be on separate domains.
Can I do this with Authlogic? I do not want to setup a rails application for each application, just use a central authenticator. I'm sure as I start reading and working the answer would become evident, but I'm trying to avoid a dead end (doing work and research, then finding out this can't be done.)
From what I've read this is a use case, and I'm looking for input from people who've done similar. This is at the idea stage so if i can offer more detail, let me know.
I think you are planning to build a cross domain, single sign-on service. Besides building your own, there are a quite a few project that do this out of the box.
rubycas is one of them : http://code.google.com/p/rubycas-server/
You could also look into open Id (http://openid.net), where the login functionality is done by a third party authentication server.
In case you want to roll your own:
It doesn't really matter which authentication plugin/system you will use. (I would choose devise/warden, but Authlogic will do just fine). Instead you need to focus on understanding the security problems and the http interaction between your service, the browser and the application for which authentication is used. I think it's doable, but you need to know what you are doing.
Today, the cool kids use warden, or the railsy thingy devise.
Im not sure but i think you cant use authlogic with a non-ruby-app.
I would probably go with Devise as well but you should look into some plugins for it like JanRain's Engage (used to be RPX Now). It allows you to use quite a few social login options (Facebook, Twitter, etc.) http://www.janrain.com/products/engage.
Ryan Bates from Railscasts.com just posted an episode on Devise using Engage this morning. http://railscasts.com/episodes/233-engage-with-devise
There are some more episodes about Devise on Railscasts too. http://railscasts.com/episodes?search=devise
If I were you I wouldn't reinvent the wheel. I'd use a third party service to authenticate and just get on with the project. Social connectors such as Engage will provide this functionality for you without all the time and expertise.
Im learning Rails by building apps.
I want to make my first authenticated app: users signup, login, do some changes in models they have access to and logout.
I did the Google search but it is quite confusing: many plugins, many tutorials. Don't know where to start.
Is there a state-of-the-art authentication method for Rails? What do you use in Production to authenticate your users?
Any help in this will be helpful. Thanks
I've used authlogic in the past and have been quite happy with it. Ryan has a railscast (video tutorial) for authlogic here.
+1 to Jason, -1 to NSD and sparky. Authentication system is not the thing you want to build yourself, at least if you're aiming for production use. It's like inventing your own encryption algorithm - it's a lot more safe to use something extensively tested and well-developed.
I've also been using authlogic, but there are some alternatives over there - like the good old restful authentication, and devise, which I guess is more modern so to speak. BTW the two latest railscasts are devoted to devise.
If your application is simple and just want a simple and secure user login page you might want to look into the Restful Authentication plugin. Its very easy to use and if you don't have much authentication requirements this should do fine.
script/plugin install git://github.com/technoweenie/restful-authentication.git
script/generate authenticated user sessions
rake db:migrate
You can find out more by checking out this excellent railscast.
As A beginner I would recommend Restful Authentication as its simple to set up and will get you up and running with no time
following is a step by step guid
http://avnetlabs.com/rails/restful-authentication-with-rails-2
and authlogic - (http://github.com/binarylogic/authlogic) is another great plug in which is more flexible but requires some work to implement user registration and stuff
cheers,
sameera
One man's state-of-the-art authentication system is another man's worthless pile of garbage. You're almost always better off rolling your own in the long run. O'Reilly's Ruby Cookbook has some extremely basic examples that will set you off in the right general direction, then you can decide whether or not other people's solutions are right for you.
I would agree with NSD. Figuring out the plugins & how they should mesh with your application to me longer than creating an auth system in my latest application.
My tips - create a user_sessions controller and use normal CRUD methods to handle creating/destroying (ie logging in & out). Create another model for the user - it can handle create accounts & updating (ie changing passwords). Stick a :before_filter on each controller which needs protection.
I'm looking for a quality Administrative plugin for Rails. It seems that most of the existing plugins/gems (e.g. "restful_authentication", "acts_as_authenticated") revolve around self-signup, etc. However, I'm looking for a full-featured Administrative/Management role-based type of solution -- but not one that's simply tacked on to another non-role-based solution.
If I can't find one, I suppose I'll roll my own...just wasn't looking to re-invent the wheel.
Ryan Bates has recently made two railscasts on authorization (note the difference between authentication and authorization; authentication checks if a user is who she says she is, authorization checks if the user has access to a resource). Episode #188 is on declarative_authorization, which is a really powerful authorization plugin. Episode #192 (sorry, I don't have enough reputation to link to it) is about Ryan Bates' own CanCan plugin, which is a much simpler plugin, but it would still work for most apps.
There are a few out there. I have used:
http://github.com/DocSavage/rails-authorization-plugin/ for applications before in conjunction with restufl_authentication, but I believe it will work with any authentication that gives you a current_user method. On github there is also http://github.com/mdarby/restful_acl/ and http://github.com/danryan/role_model/, they are just role based stuff though I'd say not authentication as well.
The authentication and the access control role based stuff are all available as seperate plugins/gems to the best of my knowledge, and that's a good thing as they are different beasts. Not all apps that have authentication need to have ACL type stuff and even some that do only need a really simple am I an admin kind of thing rather than a full blown user roles thing. So I'd say if you want one that does it all you'll have to write, if you don't want to do that than I'd say a combination of either Authlogic or restful_authentication with on of the authorization plugins will do the trick quite nicely.
You might check out the links in "Which Rails plug in is best for role based permission?".
None of the solutions listed there seem very appealing to me. The top contender, role_requirement apparently requires restful_authentication, but I find AuthLogic much better designed and less intrusive. The others listed seem to not be very actively maintained.
I need a very granular authorization system that works seamlessly with Authlogic.
I've tried these gems/plugins so far:
Lockdown
rails_authorization_plugin
ACL9
I've also looked at, but not tried implementing:
Padlock
I've searched around for a good tutorial detailing how to set up any of these with Authlogic in a way that makes sense (only the Lockdown doc seems to outline how to set this up with Authlogic), but have come up with next to nothing. The only one of these that made the remotest sense to me was the documentation for Lockdown, but I don't think that package will work for me (from what I understand of it).
What I'd really love is a good tutorial specifically about setting one of these authorization solutions up with Authlogic, or else a simple example application where I can see how the code comes together and works. Can anyone point me to any good step-by-step (and why) resources, or else provide a simple application with one of these authorization solutions set up on top of Authlogic?
Yay! As of Nov. 16, 2009, Ryan Bates has finally answered my call with a Railscast devoted to this subject!
#188 - Declarative Authorization (with Authlogic)
Thanks, Mr. Bates!
I think you have a typo in your first sentence. You must mean "authorization that works seamlessly with Authlogic." AuthLogic already is an authentication solution.
I think you might be struggling to find a tutorial that's specific to AuthLogic because there's no reason authorization and authentication need to be tightly coupled to one another.
Authentication answers the question: "Who is the person accessing this page?"
Authorization answers the question: "What permissions does the person accessing this page have?
So the only thing your authorization needs from Authlogic is the current_user() method from your controller. For example, take the tutorial for Acl9 (http://github.com/be9/acl9/tree/master). I believe all you'll need to customize is the :subject_method part (Acl9 calls your active user the 'subject', so :subject_method needs to be set to the name of the method that returns the current user, which is :current_user if you followed the basic AuthLogic docs).