OmniAuth using google oauth 2 strategy scope failure - ruby-on-rails

I'm working on getting calendar data from google using OmniAuth and the google-oauth-2 strategy.
If I put nothing into the scope field it works fine and I get the default info without the auth/failure message and I can use the app normally.
However the moment I add a scope, as in the example below, I get an "auth/failure?message=invalid_credentials".
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['TEST_KEY'], ENV['TEST_SECRET'], { :scope => 'https://www.google.com/calendar/feeds/' }
end
Is there something I'm missing or something I should change?

A quick e-mail from the google-oauth-2 strategy author pointed out the following:
If you don't include the profile scopes, it fails to authenticate.
By adding userinfo.email and userinfo.profile (along with the calendar scope) to the comma separated :scope list I was able to fix the problem.
Example:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['TEST_KEY'], ENV['TEST_SECRET'],
    { :scope => 'userinfo.email, userinfo.profile, https://www.googleapis.com/auth/calendar' }
end

Funny, this didn't work for me.
I was able to make it work, removing the comma from the scope:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['TEST_KEY'], ENV['TEST_SECRET'],
    { :scope => 'https://www.googleapis.com/auth/docs https://www.googleapis.com/auth/userinfo.profile' }
end

Related

Applying additional oauth scopes in an omniauth initializer

I am trying to apply the coinbase wallet API with oauth to use its send functionality. I have been able to connect to the API and use its endpoints, but whenever I try to use the send functionality, I am thrown the error Invalid amount for meta[send_limit_amount]. My omniauth initializer looks like this:
provider :coinbase, ENV['CLIENT_ID'], ENV['CLIENT_SECRET'],
  scope: 'wallet:user:read wallet:user:email wallet:accounts:read wallet:transactions:send'
The reason for this error is because, in order to use the send functionality, coinbase requires additional parameter meta[send_limit_amount]. Where and how am I supposed to apply this additional scope?
UPDATE: So I've made some progress in that I am able to attach one meta scope to my initializer, which seems to be sticking (as shown when I print out the auth_info). This is the current state of my initializer:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :coinbase, ENV['CLIENT_ID'], ENV['CLIENT_SECRET'], scope: 'wallet:user:read wallet:user:email wallet:accounts:read ', :meta => {'send_limit_currency' => 'BTC'}
end
# wallet:transactions:send
# :meta => {'send_limit_amount' => '0.0001'}
The problem now is that I cannot seem to figure the syntax necessary to add the send_limit_amount property to the oauth meta hash.
Managed to solve the problem with the following initializer:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :coinbase, ENV['CLIENT_ID'], ENV['CLIENT_SECRET'],
    scope: 'wallet:user:read wallet:user:email wallet:accounts:read wallet:transactions:send',
    :meta => {'send_limit_amount' => 1}
end
Now, I need to either disable the two factor authentication or determine how to Re-play the request with CB-2FA-Token header.

Pass scope with omniauth Pinterest authentication request

I am using omniauth-pinterest gem to authenticate Pinterest users. In addition to the default "write_public" I need to pass "write_public" scope. What's the best way to pass "read_public,write_public" scope with the auth request?
Hello there. I did not try omniauth-pinterest, but in omniauth-google-oauth2 we can pass the scope in the initializer file. I expect you can also pass the scope the same way as in omniauth-google-oauth2, like:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :pinterest, ENV['PINTEREST_APP_ID'], ENV['PINTEREST_APP_SECRET'], scope: ["read_public", "write_public"]
end

Facebook Omniauth login not returning all fields

I'm setting up the Facebook provider as follows:
provider :facebook, ENV['FACEBOOK_APP_ID'], ENV['FACEBOOK_APP_SECRET'], scope: ['email', 'public_profile']
The authorization appears to work fine, in that the Facebook dialog mentions the relevant requested permissions, but I'm only getting name and picture details coming back to the callback URL. The omniauth.auth hash looks as follows:
{
  "provider":"facebook",
  "uid":<redacted>,
  "info":{
    "name":<redacted>,
    "image":<redacted>
  },
  "credentials":{
    "token":<redacted>,
    "expires_at":1442319308,
    "expires":true
  },
  "extra":{
    "raw_info":{
      "name":<redacted>,
      "id":<redacted>
    }
  }
}
Shouldn't I be seeing more fields here?
I had the exact same problem. You've probably figured this out, but in case you haven't... You just need to make sure to edit Devise.rb in addition to Omniauth.rb
Devise.rb should have:
config.omniauth :facebook, "your_facebook_id", "your_facebook_secret", scope: 'email,public_profile', info_fields: 'email, first_name, last_name'
replacing whatever specific info_fields you need (list of all available here)

Set different facebook oauth scope per user with devise

I have a rails app with two separate types of users (call them A and B). Right now they can both sign in with facebook. However, I need B to be able to oauth with some extended permissions, and I DO NOT want A to give me the extended permissions.
Inside config/initializers/devise.rb
config.omniauth :facebook, "API_KEY", "API_SECRET", :client_options => {:ssl => {:ca_path => ' /path/to/my/ssl/stuff'}}
I know I can add
:scope => "extended_permissions"
But I only want the extended permissions to happen when B users sign up.
Since this is in an initializer is this even possible? Or can I somehow config.omniauth elsewhere in the app and keep devise happy?
It's clearly explained in the documentation
If you want to set the display format, auth_type, or scope on a
per-request basis, you can just pass it to the OmniAuth request phase
URL, for example: /auth/facebook?display=popup or
/auth/facebook?scope=email.
source: https://github.com/mkdynamic/omniauth-facebook#per-request-options

Why does Google OAuth2 authentication fail when using analytics url instead of youtube url?

I'm working on a dashboard for my colleagues that shows a few stats from Google Analytics next to some other statistics. To get access to the Analytics data I use OAuth2. OAuth2 requires a scope to be sent along with the authentication request in order to get access tokens. I created a client ID in the APIs Console that has access to Analytics, and specify the scope in an initializer that looks like this:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['ADMIN_DASHBOARD_GOOGLE_CLIENT_ID'], ENV['ADMIN_DASHBOARD_GOOGLE_CLIENT_SECRET'], { access_type: 'online', approval_prompt: '', scope: 'http://gdata.youtube.com,userinfo.email,userinfo.profile,analytics.readonly' }
end
This uses the omniauth-google-oauth2 gem, and the scope I found in an example somewhere. However, for my implementation, I think this scope is strange. Instead of http://gdata.youtube.com,userinfo.email,userinfo.profile,analytics.readonly I would like to use https://www.googleapis.com/auth/analytics.readonly, but changing to that scope causes the request to return invalid_credentials. What is the correct way to specify only access to analytics data is needed?
Scopes should be separated by a space character, not a comma:
https://developers.google.com/accounts/docs/OAuth2WebServer#formingtheurl
If you need Youtube and Analytics scopes, use:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['ADMIN_DASHBOARD_GOOGLE_CLIENT_ID'], ENV['ADMIN_DASHBOARD_GOOGLE_CLIENT_SECRET'], { access_type: 'online', approval_prompt: '', scope: 'http://gdata.youtube.com,userinfo.email https://www.googleapis.com/auth/analytics.readonly' }
end
If you need just Analytics, use:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['ADMIN_DASHBOARD_GOOGLE_CLIENT_ID'], ENV['ADMIN_DASHBOARD_GOOGLE_CLIENT_SECRET'], { access_type: 'online', approval_prompt: '', scope: 'https://www.googleapis.com/auth/analytics.readonly' }
end
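
Added example (not from any of the posts above, and not the gem's own code): the two Google threads on this page disagree over comma versus space separators. RFC 6749 section 3.3 defines scope as space-delimited tokens, so this sketch shows how a comma-separated value tokenizes under that rule and builds the space-delimited form with short names expanded. The helper names are hypothetical; the URL prefix is taken from the full scope URLs quoted in the posts.

```ruby
require 'uri'

# Prefix of the full Google scope URLs quoted on this page.
GOOGLE_SCOPE_PREFIX = 'https://www.googleapis.com/auth/'

# RFC 6749 section 3.3: scope is a list of space-delimited tokens.
# This is what a receiver that follows the RFC sees for a raw value.
def rfc_tokens(raw)
  raw.split(' ')
end

# Hypothetical helper: accept commas and/or spaces as separators, expand
# short names such as "userinfo.email" to full URLs, drop duplicates and
# return the space-delimited string that belongs in the scope parameter.
def normalize_google_scope(raw)
  raw.split(/[\s,]+/)
     .reject(&:empty?)
     .map { |s| s.match?(%r{\Ahttps?://}) ? s : GOOGLE_SCOPE_PREFIX + s }
     .uniq
     .join(' ')
end

# Raw tokens (split on spaces only) that are not already in normalized
# form: stray trailing commas, fused "a,b" tokens, unexpanded short names.
def unrecognized_tokens(raw)
  rfc_tokens(raw) - normalize_google_scope(raw).split(' ')
end

# Query-string form of the scope parameter (each space becomes "+").
def scope_query(raw)
  URI.encode_www_form(scope: normalize_google_scope(raw))
end

if __FILE__ == $PROGRAM_NAME
  # Scope strings copied from the initializers in the posts above.
  comma_form = 'userinfo.email, userinfo.profile, https://www.googleapis.com/auth/calendar'
  mixed_form = 'http://gdata.youtube.com,userinfo.email https://www.googleapis.com/auth/analytics.readonly'
  [comma_form, mixed_form].each do |raw|
    puts "raw tokens:   #{rfc_tokens(raw).inspect}"
    puts "not matching: #{unrecognized_tokens(raw).inspect}"
    puts "normalized:   #{normalize_google_scope(raw)}"
  end
  puts scope_query('analytics.readonly')
end
```

Printing the normalized value before it goes into the initializer also makes it easy to review exactly which permissions the consent screen will request.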
