Auto Authentication - ruby-on-rails

I am using Facebook, GMail and many other services and for each such service I have to enter my login and password. But only first time. After this first time the browser remember a login and a password and an authentication occurs automaticaly every time when I open this site.
How can I make this possibile for my site? Now I have to enter a login/pwd every time after I restart the browser.

Search the web for "cookie login". Things like authlogic and devise (since you mention Rails) have this baked (ahem) in. You most likely should not be rolling your own authentication code.

I'd recommend using Devise for authentication generally.
While you can probably code your own authentication features with no issue, Devise makes rolling out these new features a lot faster. For example, it's not difficult to setup these features:
Making 'Remember Me' optional so users can choose whether or not they stay logged on using a permanent cookie.
Automatic login using a token-based url (unique token per user account)
Integration with facebook, twitter, linkedin, etc via Omniauth
Allowing users to reset their passwords
Changing password security rules
etc, etc, etc.
Moreover, since it's very widely used it's very solid and debugged. There are many, many 'eyes on the code'.

Related

In rails 4.2, using Facebook oauth through devise, I want users to reauthenticate before changing their account details

I am in the process of adding social media oauth login and registration to an existing site. I've followed the overall process described here:
https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
Currently, if a user wishes to change their account profile (including email address, password, etc.) then they need to supply their existing password. This is to prevent cookie stealing style attacks, or damage caused by people leaving accounts logged in on public machines.
However, if a user has registered using Facebook then a randomised password is set behind the scenes and the user is not aware that a password exists in our system.
This could make the simple process of updating the user profile a confusing and off-putting task. How do we present the password to the user, and how do we explain that it's different to the Facebook password?
I would like to present a Facebook pop-up or interstitial to the user before they change their account details, to force them to re-authenticate using their Facebook password, but I can't immediately see a way of supplying multiple callback URLs, or passing form data.
Is there a feature or workaround that would let me achieve this?
Please let me know if including any code would help, but you can assume that I'm using a standard Rails app running Devise and the Facebook oauth strategy, with code snippets described in the link above.

Shared authentication with devise

I have two Rails 4 sites, auth.example.com and app.example.com. Eventually there are going to be multiple app-type sites, maybe a dozen or two, but let's start with the one. Auth has devise set up so we can do basic user management (user creation and deactivation, password and SSH key management, etc.), with users logging into auth so they can do basic stuff themselves like update their address or phone number.
I want to set up app so that it uses the same authentication as auth. If a user tries to access app without being logged in, I want to redirect them to auth so they can log in, then go back to the page they were trying to access on app. Basically, I want to do devise actions on app, but with devise residing on auth. This, of course, is so that when we have multiple sites running, we can implement devise once instead of having to put it on every one of our sites individually.
I found this but it doesn't look like it's quite what I want:
http://4trabes.com/2012/10/31/remote-authentication-with-devise/
Anybody have a pointer to a resource that can walk me through how to do this?
Thanks.
What I would do is create a small API simply for user management. Then allow your other apps to make calls to that API to log a user in, create a user, etc. So keeping them on whatever site they're on, but in the background you're talking to the auth API.

Is this SSO workflow possible?

Let's say I have the following sites: ClientSiteA.com, ClientSiteB.com, ClientSiteC.com, MainServer.com
I am distributing a software to client sites. Anyone will be able to install the software so a site can not be considered trusted. MainServer.com will contain user information.
Users will interact with the software on client sites. A user will be able to click a login link on any client site which will bring up a popup. The popup can reside on MainServer.com. When a user logs in on any client, they will be logged in on ALL client sites as well as the MainServer.com. Remember, MainServer.com contains all user information.
I've done a lot of reading on SAML and OAuth2. Can someone tell me what is possible? If it is possible, which tools/workflows should I use? If this isn't possible, can someone tell me something I can accomplish that is similar to this?
FYI - I am trying to accomplish something like what Disqus does. If you login to Disqus on any site, you are logged into all the sites.
You can accomplish this with SAML, although it will involve browser redirects not popups.
The first time use hits a protected site (ClientA) it redirects to MainServer.com. The user logs in, MainServer gives them a session and redirects them back to the service provider with a SAML authentication statement which then lets them in.
When the user then visits ClientB.com, it also redirects to MainServer.com for authentication. Because the user is already logged at MainServer it can invisibly bounce them straight back to ClientB.com with a new authentication statement. The user barely if at all notices.
The problem with the pop-up window approach is that users have to give their credentials for site A to site B. This is a big security hole if site B isn't owned and controlled by Site A. Users should only give their credentials to the site that is authenticating them to prevent them being compromised. SAML and other federated/distributed auth mechanisms were designed with that in mind. I wouldn't want to give the keys to my email account to random sites on the internet but with this method I can log into stackoverflow with my gmail account.

Rails Devise Api + Facebook iOS SDK, security concern

I am currently developing an app that will use the FB SDK (for the first time) to log a user into the app. The flow is typical, I assume. User taps "log in with facebook", facebook graph authenticates, then we do a call to our api and log the user in via their facebook email (only) we have on file.
However, whats freaking me out here is, theoretically if some knew our api_token, and knew that calling a POST to a login url with only a valid existing email to log them in, isn't that a security issue since they could actually log in as someone else. Am I over thinking this? Understandably, they'd have to know every aspect of the api to do any damage. But still, I'm not feeling comfortable with this flow. Am I missing something?
This shouldn't be something you have to worry about. Facebook first protects you by having the requirement for the user to be logged into Facebook. Next, the user's UID(readily available to anyone) and your API Key isn't enough. They'd still need your API Secret Key (which if someone has is a bad thing) to sign requests as you.
What you're really using is OAuth (though Devise, through OmniAuth). I'm not an expert but you can read more here: http://hueniverse.com/oauth/guide/security/
When a user registers via OAuth, you aren't going to have a password set for them, and that's not a huge deal as they have to also first log into Facebook. It might be a good idea though to ask them to set a password if they ever edit their account, that also means they can sign in the old fashion way if they desire/delete Facebook/etc.

OmniAuth ruby on rails, forcing facebook user to re-authenticate when currently logged into facebook

I have a facebook application that the user has authorized. I want to re-authenticate when their token has expired. The problem is that when the user is already logged in to Facebook, and they have already authorized the application, facebook just redirects back to the redirect_url. I don't want this behavior as the user may have multiple facebook accounts and the one they're logged in to may not be the correct one.
The initial facebook authorization happens via server side authentication.
I want to either:
pick which one [account] to authenticate with (this is ideal) or
force them to re-authenticate their facebook credentials
I would like to avoid using the javascript sdk to force logout then re-login in if possible. I would like to keep everything server side for maintenance reasons.
You can configure omniauth-facebook to force reauthentication by setting auth_type to reauthenticate.
I don't know how to force to re-authenticate users. ( that would be the better solution ) But It's the first time I hear someone who wants the token expires faster. (Token last 2 hours, https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/ ).
Your use case it's really unusual:
"the user may have multiple facebook accounts and the one they're logged in to may not be the correct one"
Who has multiple Facebook accounts?
Maybe if your are a developer, you will need an extra account, but it's better to use this:
https://developers.facebook.com/docs/test_users/
Regards
Ivangrx
force them to re-authenticate their facebook credentials
The OAuth dialog offers a method for Re-Authentication – but I’m not quite sure if that fits your needs, so you’ll have to give it a try.

Resources