I would appreciate any links or examples as I am new to this and do not know where to start from. My application has basic authentication, I need to add OAuth to enable SSO, automatic log in a third party application.
Modify my user model to store OAuth parameters, modify a controller with login/logout actions
Use OmniAuth
https://github.com/intridea/omniauth
Devise and OmniAuth:
Create the standard devise User model and migration.
Create the Auth Controller actions (as show in the code snippet below)
Create the AccessGrant model (and if required the Authentication model)
Register the client applications (key and secret) via rails console on User Manager.
Use the oauth gem
https://github.com/albertopq/oauth-activeresource
Thanks for any pointers!
Use 2nd variant. It will be easier than others and you won't have any problems with integration another gems.
Related
I'm writing an application that will primarily be accessed via API, but will also have views for editing via web app.
I would like to create a User model with authentication and authorization across both platforms.
I'm having trouble understanding the relationship between the devise and devise_token_auth libraries, other than that the former is recommended for most rails apps and the latter is great for API-only authentication.
For my case, what is the appropriate library to use, or should I be using both? Should I be generating the User model via devise and then adding the token auth to it? Do both systems use different authentication schemes? I'm just trying to understand why devise_token_auth exists apart from devise.
I'm also just a bit confused about the added complexity of token-based authentication. What would be wrong with simply having the users be registered and managed through devise, generating an API secret key for them, and then having them sign their API requests with that. Why the need for token based auth in the API?
devise_token_auth is an advanced method of API authentication which may, or may not, be overkill for your application. Essentially, a new token is generated for each API request.
Depending on what your needs are, you may be fine with token-based authentication, or perhaps even HTTP Basic auth, which devise supports out of the box.
In a Ruby on Rails application, I implemented as authentication OmniAuth with multiple providers(facebook and twitter for now), and I followed the steps from this github page: Managing Multiple Providers. Everything worked fine, I have a User class, in which a user is able to have many Identity objects.
Now I want to add a login with username and password, using OmniAuth Identity. My plan is to use the same Identity table, making this gem to store the password_digest field into the existing oauth_token, username into uid and use 'omniauth' as provider.
I am having difficulties in implementing this, trying to use the same model both for the externals auth(like facebook) and for this user/password, and I am wondering:
Is this a recommended way to do this?
Am I reinventing the wheel and such thing already exists?
Should I use a new Model just for this type of login(OmniAuth Identity)?
At the moment, I have different problems, such as not being able to tell the Identity gem that provider should have only one value, or my SessionsController doesn't work now good when I register for the first time.
I don't have a specific technical issue but a general problem understanding the architecture for using Auth0 for Authentication and then using the returned profile to access a rails API.
I am using Auth0.Lock in React Native and can successfully sign-up and login to my React Native App and store the returned profile and token.
On the Rails side I have create an API and setup Knock (https://github.com/nsarno/knock) as per the instructions to implement JWT Authentication.
What I don't understand is the link between my User model in Rails and my Database in Auth0. Neither the Auth0 documentation or the Knock documentation are clear on how this association happens.
Thanks
Craig
I've created two example projects, a rails API and a front-end app that illustrate auth0 integration in rails. I'm presuming scope claims are present in the tokens to demonstrate at a very basic level how authorization would work in such scenario.
The frontend uses AngularJS, but this is mostly irrelevant as the logic is very basic and can easily be rewritten in any framework.
As joão-angelo hinted, using tokens mostly defeats the need to have a user model at all, you can of course define a user class as convenience wrapper in runtime, but you don't have to store it in the DB. In fact, having user models living in your app and in auth0 may be counter productive, as you'll have to keep them in sync.
Hope this helps!
From looking into the available documentation the following should be possible.
By defining the appropriate scope you can instruct Auth0 to include specific information - claims - within the ID token returned as the outcome of a successful authentication.
If all the user profile information is included in the token itself you can then use Knock in such way that it will create the user model instance from the JWT payload itself without any need to query additional stores.
By default, Knock assumes the payload as a subject (sub) claim containing the entity's id and calls find on the model. If you want to modify this behaviour, implement within your entity model a class method from_token_payload that takes the payload in argument.
class User < ActiveRecord::Base
def self.from_token_payload payload
# Returns a valid user, `nil` or raise
end
end
(source: Knock Customization)
With this approach the token itself is sufficient and there is no further interaction between the Rails API and Auth0. The user model is created from the token and the Auth0 database is not directly accessed by Rails API, it just uses the information stored there and surfaces on the token.
It should be possible to go with other approaches with more direct interaction with the Auth0 database. If you need to go down that route you should look into the Management API (user related endpoints) as a way for you to interact with the Auth0 database from your own application.
I have a rails web which has been using cookie session authentication (devise) from its beginning. Now, we are developing an ionic mobile application which uses the API available from the rails application.
I have considered to use JWT or token authentication for this new application but I can't find a way to combine both authentication methods, cookie and JWT. Also, both applications have different requirements. For example, in the web a user can have concurrent sessions only if he/she has a certain role. On the opposite, in the mobile application it is possible to have concurrent session without any restriction.
I have reading a lot trying to figure how to combine both methods but I can't find the way. Maybe I should consider to use only one of the methods (JWT) or use another approach (doorkeeper).
Finally I have found a solution. According to refaelos and Zac Stewart, I have combined devise with JWT gem, using the last as a new strategy for the first. By this way, when I don't use JWT tokens, devise will choose the default strategy (database_authenticatable in my case). Otherwise, it will use JWT strategy.
However, when the user is not authenticated and make a post request to Session#create to get the credentials, the strategy chosen by devise/warden is database_authenticatable. In order to avoid this, I needed to add a new parameter to the request but only for this case because, as I said, when the token appears in the request, the new strategy is selected.
See also:
An Introduction to Using JWT Authentication in Rails
So Im developing a Rails app- primarily serves API which I want to lock down behjind a nice authorization system. Ive created Rails apps which render HTML and for that I used Devise and CanCan. This time I want to serve JSON to my clients. I basically have the following requirements:
Need an authorization system thats robust
A user should be able to log in with existing apps such as facebook, twitter, linked in and google
There should be full stack authorization available
Now this is my 1st app that Im writing that serves up API so I started researching and so far Ive found the following solutions that people have used:
I've seen people use Devise with CanCan
I've seen people talk about using Oauth2
http://railscasts.com/episodes/353-oauth-with-doorkeeper?autoplay=true
I've heard... "Use Doorkeeper"
I've heard use ..." Use omniauth"
So basically my 1 day of research basically just confused me more. When di I use these and for my requirements which comnbination would I use! Im struggling to make sense of the alphabet soup, can someone help me understand this
Devise is an authentication engine for Rails apps of all types. Devise allows authentication against username/password, token authentication (good for API's), and an oauth provider (such as Google, Facebook and the like). This obviously allows you to deny access to the API unless the user is signed in through one of the services you offer.
CanCan is an authorization system that will work on top of Devise to allow users access to certain parts of your system based on their role within the system. CanCan has a very slick DSL prviding can and cannot methods for allowing or denying access to views or controller actions.
Doorkeeper is an oauth provider gem if you wanted to roll your own oauth solution on top of your API. This would be if you wanted your application to act in the same manner as Google or FAcebook in providing an oauth endpoint for users to authenticate against. From what you stated above, I don't think this is the case.
Given the requirements you provided above, I believe that Devise and CanCan would be the route that I would choose. This would allow the user to authenticate at first by username/password, or some oauth provider, then allow token authentication after that to access your API. You can then lock down access to specific actions through CanCan.