Rails - Using twitter oAuth for logging in users - ruby-on-rails

I use Twitter oAuth to allow users to signup for my site.
I have the user's access_token, access_secret from their signup stored.
When the user wants to return to the site and login to their account, how do I authenticate them using twitter login/password?
I do not want to ask users to give access like:
- give access to example.com to read/write your stuff on twitter
The user already has signed up using their twitter credentials, how do I reuse it instead of asking them to create a separate password?
I would rather not venture towards authlogic in addition to oauth
Currently, if the user is already logged into Twitter, I can authenticate him using the access_token, access_secret. What if he is not logged in?
How do I prompt for username/password for twitter and authenticate for my app?
Thanks for your help.

Try using the OmniAuth gem. It makes doing that pretty straightforward.
If you're not wanting another gem dependency, you could probably code up your own functionality based on what they do with their twitter strategy and abstract oauth logic.

This RailsCasts episode demonstrates how to create a simple authentication system that only requires an OAuth verification, without the need for a separate user account maintained by your app.
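The part of an OAuth-only signup that the callback action has to get right, as an added example that is not code from the RailsCasts episode or from OmniAuth itself: `UserStore` is an in-memory stand-in for the users table (an assumption; in a real app it would be an ActiveRecord model with `provider` and `uid` columns), and `SAMPLE_AUTH` is a constructed auth hash in the shape the OmniAuth Twitter strategy puts into `request.env['omniauth.auth']`.

```ruby
require 'securerandom'

# Added example, not code from the RailsCasts episode or from OmniAuth.
# UserStore stands in for the users table (assumption).
class UserStore
  attr_reader :users

  def initialize
    @users = {}   # [provider, uid] => user record
  end

  # Called with the auth hash OmniAuth puts in request.env['omniauth.auth'].
  # Identity is the (provider, uid) pair: a Twitter uid never changes, while
  # a screen name can be renamed and later re-registered by someone else.
  def find_or_create_from_auth(auth)
    key = [auth['provider'], auth['uid'].to_s]
    user = @users[key]
    unless user
      user = { id: SecureRandom.uuid, provider: key[0], uid: key[1] }
      @users[key] = user
    end
    # Refresh what Twitter just told us: the nickname may have changed and
    # the token pair is replaced if the user went through authorization again.
    user[:nickname]      = auth['info']['nickname']
    user[:access_token]  = auth['credentials']['token']
    user[:access_secret] = auth['credentials']['secret']
    user
  end

  def find_by_id(id)
    @users.values.find { |u| u[:id] == id }
  end
end

# What the callback action puts in the Rails session: the internal user id
# only. The Twitter token pair stays server-side, so a stolen session cookie
# does not let the thief tweet as the user.
def sign_in(session, user)
  session[:user_id] = user[:id]
  session
end

def current_user(store, session)
  session[:user_id] && store.find_by_id(session[:user_id])
end

# Constructed auth hash in the shape the OmniAuth Twitter strategy produces
# (all values are made up).
SAMPLE_AUTH = {
  'provider'    => 'twitter',
  'uid'         => '370773112',
  'info'        => { 'nickname' => 'alice' },
  'credentials' => { 'token' => '370773112-abc', 'secret' => 'shh-secret' }
}
```

A returning user is matched on `uid`, so a screen-name change updates the existing record instead of creating a second one, and a different account that later takes over the old screen name gets its own record.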

Related

Does OAuth require our website to have an account?

Just need a very basic detail clarified.
If I'm trying to implement an OAuth authentication system for my website, does it mean my website is REQUIRED to have a Facebook, Google and Twitter account?
For example: I have no intention for my website to have a Twitter presence, but I want Twitter users to be able to use OAuth to log in on my website without registering manually.
Do I really need to open a Twitter account to get my client ID and secret key?
Yes, it looks like you need a Twitter account in order to create a Twitter application, but it doesn't have to be an account for your website. For instance, if I want to create a "Sign in with Twitter" button on my page, I can just log into the dev site using my personal account and create an application. Follow the steps here. In particular, following the "application settings" link will prompt you to log in, and then you can create an application.
Facebook likewise requires you to have an account and create an application. They then provide API keys that can be used in the OAuth login flow. They have two ways to get a token: a server side flow that provides a longer lived token, and a client side that gives a shorter one. For more details see this page.
With Google, if you use their OAuth 1.0 flow, you can do a login without creating an application (https://developers.google.com/accounts/docs/OAuth). However, it looks like their preferred way is their OAuth 2.0 flow through Google+. See this page.

What are the different methods that I can use to authenticate a user from a Rails server which is the backend of an iOS app?

I use Rails as the backend for iOS applications. So far I have been using Devise as it looks flexible and comfortable to use with less effort. And I have read about OmniAuth and that too looks easy to integrate with Devise. My question is, consider my iOS app requires authentication and the following are the different methods that I should be able to allow the user to do:
Login using email and password
Login using Facebook account
Login using Twitter account
Login using email can be handled by Devise itself, but how about login using Facebook and Twitter? Actually, in one of my projects I came up with the following approach which has all three of these login processes. The iOS app authenticates the user from the device (not Devise) itself and sends the user information like username, email etc., whatever is required, along with the auth type, so I save this as a separate user with the username that is sent and one of the fields as the password. And the next time he sends me these details I allow him to log in to the app. But now I realised this is not the best way to do it. I read about FBgraph, which can be used to verify the access token validity, so should I get the token from the user and then verify it and get the profile information and save it in the user model and give them the token?
Also I have another doubt, which is: for login using email and password I allow the user to log in through email and password, and then for each request the user sends me the username and password. Is this alright, or do I have to create a token in the login request and send the token as the response, and then the user can send the token for all the other requests he makes?
Sorry if it is confusing, but to tell you shortly, I need to know what I should do if I have all these three login processes. Any help is greatly appreciated. Thank you
There are a couple of things to consider when dealing with external applications such as those on other devices:
You should use an API to communicate with your Rails server
Your server should send an authentication token after the first user authentication using his email and password. It is not a good idea to send the user's email and password with each request.
Devise
Devise is great for authentication both in-app and for remote applications using the token_authenticatable hook. This will allow any registered user to have a unique secret token to use in order to be authenticated on your server.
More information here
OAuth2
OAuth2 is becoming the standard way to authenticate on remote services, giving the user the possibility to use his Facebook account to log in, for example.
This would be the easier way to allow your users to authenticate using their Facebook or Twitter account (note that twitter will not give you the user's email address).
Devise can handle OAuth2 clients.
Finally, you could also create your own OAuth consumer to authenticate users using your service. Doorkeeper is a great gem to protect your API endpoints and to allow users to use OAuth2.
Conclusion
Devise is great for authentication. Using their token module coupled with OAuth2 integration could do the trick in your case.
Here is the OmniAuth wiki page from Devise
Here is the Simple Token Authentication wiki page from Devise
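The email-and-password flow the answer recommends, as an added example that is not Devise's `token_authenticatable` code or the simple_token_authentication gem: the login request is the only one that ever carries the password; every later request carries a random bearer token, and the server keeps only a SHA-256 digest of it, so a database leak does not leak usable tokens. `ApiTokenAuth` and its in-memory hashes stand in for the users table (assumption); the injectable `clock` exists only so expiry can be exercised offline.

```ruby
require 'securerandom'
require 'openssl'
require 'digest'

# Added example, not Devise or simple_token_authentication code. The hashes
# below stand in for database tables (assumption).
class ApiTokenAuth
  PBKDF2_ITERATIONS = 100_000
  TOKEN_TTL = 30 * 24 * 60 * 60   # seconds; tokens expire, passwords do not

  def initialize(clock: -> { Time.now.to_i })
    @clock  = clock
    @users  = {}   # email => { salt:, password_hash: }
    @tokens = {}   # SHA-256 digest of token => { email:, expires_at: }
  end

  def register(email, password)
    salt = SecureRandom.random_bytes(16)
    @users[email] = { salt: salt, password_hash: hash_password(password, salt) }
    true
  end

  # POST /login with email + password. Returns the plaintext token exactly
  # once (the server cannot recover it later), or nil on bad credentials.
  def login(email, password)
    user = @users[email]
    # Hash even for unknown emails so the response time does not reveal
    # which addresses are registered.
    candidate = hash_password(password, user ? user[:salt] : "\0" * 16)
    return nil unless user && secure_compare(candidate, user[:password_hash])
    token = SecureRandom.urlsafe_base64(32)
    @tokens[digest(token)] = { email: email, expires_at: @clock.call + TOKEN_TTL }
    token
  end

  # Every other request carries "Authorization: Token <token>".
  # Returns the authenticated email, or nil.
  def authenticate(headers)
    m = /\AToken (\S+)\z/.match(headers['Authorization'].to_s)
    return nil unless m
    record = @tokens[digest(m[1])]
    return nil unless record
    if record[:expires_at] <= @clock.call
      @tokens.delete(digest(m[1]))   # expired: forget it
      return nil
    end
    record[:email]
  end

  # Logout: deleting the digest invalidates the token immediately.
  def revoke(token)
    !@tokens.delete(digest(token)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.digest(token)
  end

  def hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, 'sha256')
  end

  # Constant-time equality so a mismatch cannot be located by timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result.zero?
  end
end
```

The same store-a-digest rule applies to a Facebook or Twitter access token you keep for a user: treat it as a credential, not as profile data.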

Which should I use Devise or AuthLogic in Rails 3 for authenticating and creating users via OAuth

I am creating an application where the only way users can create an account and then subsequently login is through OAuth.
I only have one Oauth2 authentication source.
Ideally, the User would press one button on my app, ask for their Oauth credentials, and if they are not a user, begin to create a user profile. If they are a user, log them in.
I think that Devise is an overall superior choice and I personally prefer it for my authentication routines. And it supports OAuth2. So I would certainly recommend Devise.

How to use oauth from a facebook app

I'm developing a facebook app with rails that uses external apis from my own domain. The problem is that my domain requires authentication, which is done via oauth. It's not clear to me how to deal with this pattern. I'm not sure I can make oauth calls from a facebook app, thus requiring two separate registrations. Is there a way to pass a facebook access token so that I know the user is authenticated through facebook?
If you are using (or can use) Rails 3.0+, devise has a good section on how to authenticate via facebook or a google account.
Once a user has used this method to authenticate to your webapp, their session is handled in the same way a regular login session is, so you can just use current_user.nil? or user_signed_in? helpers to determine if the users are authenticated or not.

Twitter Oauth question

I've read through the documentation where possible but am unable to figure out this basic question. When using OAuth with Twitter in my web application, does it require the user to be logged into Twitter every time?
For example, if a user authorises their account with my website, in future sessions, if they complete an action that posts to their twitter stream, will this occur without any problems, or would they need to re-sign in via Twitter?
Thanks guys!
The OAuth authorization actually allows your application to access their account whenever it wants. So the users do not even need to be there doing something with your web application to allow it to tweet something or such.
Your application is then able to use the key and token which it received in the authorization process to tell Twitter any time "hey, I am authorized to use this account" and basically works as the application's personal login credentials for that account.
No, they only need to be logged into Twitter when they go through the initial OAuth authorization. After that, your site talks directly to the Twitter API using tokens that it saved from earlier.
OK, I've set up a test case and it looks like I was a bit wrong:
oauth_token and oauth_token_secret are unique for each user and they never change, so if you store them in your database you can reuse them, no matter if the user is logged in to Twitter or not.
No, they will normally not need to re-authorize. If the token is revoked, however, they will, and your application needs to be able to handle this (by allowing them to do so). In general, this is true for any SSO system.
A twitter user can explicitly revoke an application's token at the provided page.
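What "your site talks directly to the Twitter API using the tokens it saved" means on the wire, as an added example that is not code from any of the answers above nor from the twitter or oauth gems: Twitter's API uses OAuth 1.0a, so each request is signed with HMAC-SHA1 under a key built from your consumer secret and the stored user token secret, and no Twitter login is involved. The consumer key, token pair, nonce and timestamp are the worked example from Twitter's "Creating a signature" documentation, not live credentials; `reauthorize_needed?` is a helper added here for the revocation case the last answer raises.

```ruby
require 'openssl'

# Added example, not code from the answers or from the twitter/oauth gems.

# RFC 3986 percent-encoding as OAuth 1.0a requires: everything except
# A-Z a-z 0-9 - . _ ~ is escaped, including '+' and '*'.
def oauth_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Signature base string: METHOD&enc(base URL)&enc(sorted encoded params).
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# The HMAC key is the consumer secret and the *stored user* token secret,
# which is why the saved pair is as sensitive as a password.
def signing_key(consumer_secret, token_secret)
  "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
end

# Returns the oauth_* protocol parameters for one request, signature included.
# nonce and timestamp are injected so the result is reproducible; a real
# client generates a fresh nonce per request and uses the current time.
def sign_request(method, url, request_params, consumer:, token:, nonce:, timestamp:)
  oauth_params = {
    'oauth_consumer_key'     => consumer[:key],
    'oauth_nonce'            => nonce,
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => timestamp.to_s,
    'oauth_token'            => token[:token],
    'oauth_version'          => '1.0'
  }
  base = signature_base_string(method, url, request_params.merge(oauth_params))
  mac  = OpenSSL::HMAC.digest('sha1', signing_key(consumer[:secret], token[:secret]), base)
  oauth_params.merge('oauth_signature' => [mac].pack('m0'))   # base64, no newline
end

# The Authorization header Twitter expects.
def authorization_header(oauth_params)
  'OAuth ' + oauth_params.sort.map { |k, v| %(#{oauth_escape(k)}="#{oauth_escape(v)}") }.join(', ')
end

# A stored pair works until the user revokes the app, after which Twitter
# answers 401 to a correctly signed request. The right reaction is to drop
# the stored pair and send the user back through authorization, not retry.
def reauthorize_needed?(http_status)
  http_status == 401
end

# Values from Twitter's documentation example (not a live key pair).
CONSUMER   = { key: 'xvz1evFS4wEEPTGEFPHBog',
               secret: 'kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw' }
USER_TOKEN = { token: '370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb',
               secret: 'LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE' }
EXAMPLE_URL    = 'https://api.twitter.com/1/statuses/update.json'
EXAMPLE_PARAMS = { 'status' => 'Hello Ladies + Gentlemen, a signed OAuth request!',
                   'include_entities' => 'true' }

# Signs the documentation example; an interoperable implementation yields
# oauth_signature tnnArxj06cWHq44gCs1OSKk/jLY=
def example_request
  oauth = sign_request('POST', EXAMPLE_URL, EXAMPLE_PARAMS,
                       consumer: CONSUMER, token: USER_TOKEN,
                       nonce: 'kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg',
                       timestamp: 1_318_622_958)
  { oauth: oauth, header: authorization_header(oauth) }
end
```

Because the signature covers the method, URL and every parameter, a captured request cannot be replayed with a different status text, but anyone holding the stored token secret can mint new ones; store the pair with the same care as a password hash and expect it to stop working the moment the user hits the revoke page.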
