GitHub OAuth using Devise + OmniAuth - ruby-on-rails

I've got an application at http://github.com/rails3book/ticketee that contains an OAuth portion provided by Devise. The configuration is at config/initializers/devise.rb. I have got this working with Twitter but always get this "invalid credentials" message back from GitHub.
I cannot see what I am doing differently between Twitter and GitHub. To my knowledge, this should Just Work(tm).

This is actually because GitHub's OAuth2 support doesn't mesh with the current draft of the OAuth2 specification. Basically, they want a parameter called "access_token" but the oauth2 gem's latest version (0.3.0 as of this writing) passes this through as "oauth_token", as the latest version of the draft requires.
This basically works with every other provider except GitHub because they haven't yet updated their support for this alternatively named parameter.

Did you register your application with GitHub? Do you provide the correct keys? I have a similar authentication here, without Devise; however, the configuration (in development.rb) should be nearly the same: http://github.com/markusproske/omniauth_pure
Edit: you need different registrations for development and production due to the callback route.

Related

Github warns security problem about Omniauth gem

I am using gem omniauth and when I push my code to Github, it shows me a security warning because of the gem.
CVE-2015-9284
high severity
Vulnerable versions: <= 1.9.0
Patched version: No fix
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
However, it seems that I am using the latest version.
Is there any possible fix, or should I skip this for now?
This was reported in omniauth/omniauth issue 960 and discussed in PR 809 "Protect request phase against CSRF when Rails is used. "
It includes:
So we have implemented the omniauth-rails_csrf_protection solution, but previously we had our 3rd party OAuth provider log people in after they had verified the registration and redirect them to our /auth/provider endpoint.
This would now require them POSTing to the endpoint with a CSRF token, which is not possible as they are on a separate platform/system.
Should the omniauth readme be updated to mention that anyone using omniauth with rails should also use omniauth-rails_csrf_protection?
See commit 0264706 as an example of using that setting.
gem "omniauth-rails_csrf_protection"
Or... coreinfrastructure/best-practices-badge PR 1298
I hate to bring in a third-party shim to fix a security issue, but upstream omniauth has still not fixed its vulnerability, and it's a CVE report from 4 years ago (2015).
The omniauth folks are still discussing how to fix it, and my patience has been exhausted.
I reviewed the shim code, and I don't see any issues. This is a vulnerability that allows account takeover, so I think ignoring it is extremely unwise. It's not trivial to exploit, but it's real.
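To make the advisory concrete, here is an added example (not code from OmniAuth, the shim, or anyone in the thread) that models the request phase twice in plain Ruby: first as the vulnerable behaviour the CVE describes, where any GET to /auth/:provider starts the link flow for whoever is logged in, and then with the check that omniauth-rails_csrf_protection adds, a POST carrying a Rails-style authenticity token bound to the session. (OmniAuth 2.0 later made POST the only allowed request method by default.) The sessions, requests, secret and the shape of the "redirect to provider" result are constructed for the example; no Rack or Rails is needed to run it.

```ruby
require "openssl"
require "securerandom"

# Added example, not OmniAuth's code: a minimal model of the request phase.
# Constructed per-process secret standing in for Rails' secret_key_base.
SECRET = "app-secret-base-#{SecureRandom.hex(16)}"

# Constant-time byte comparison so the token check does not leak by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint a CSRF token tied to this session: an HMAC over the session id, so a
# token the attacker knows from their own session is useless against another.
def csrf_token(session)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, session[:id])
end

def valid_csrf_token?(session, token)
  token.is_a?(String) && secure_compare(csrf_token(session), token)
end

# Vulnerable request phase (the behaviour CVE-2015-9284 describes): any method,
# no token. A cross-site <a href="https://victim/auth/github"> or hidden image
# starts the "connect account" flow inside the victim's logged-in session.
def request_phase_vulnerable(session, request)
  return nil unless request[:path] == "/auth/github"
  { redirect_to_provider: true, user_id: session[:user_id] }
end

# Hardened request phase: POST only, and the authenticity token must verify
# against the session that is about to be linked.
def request_phase_protected(session, request)
  return nil unless request[:path] == "/auth/github"
  return { error: :method_not_allowed } unless request[:method] == "POST"
  token = request[:params]["authenticity_token"]
  return { error: :invalid_authenticity_token } unless valid_csrf_token?(session, token)
  { redirect_to_provider: true, user_id: session[:user_id] }
end

# Constructed sessions and requests.
VICTIM_SESSION = { id: SecureRandom.hex(16), user_id: 42 }
OTHER_SESSION  = { id: SecureRandom.hex(16), user_id: 7 }

CROSS_SITE_GET = { method: "GET", path: "/auth/github", params: {} }

# What the app's own "Connect GitHub" button submits.
def legitimate_post(session)
  { method: "POST", path: "/auth/github",
    params: { "authenticity_token" => csrf_token(session) } }
end

# An attacker can only embed a token they know: one from their own session.
def replayed_post
  { method: "POST", path: "/auth/github",
    params: { "authenticity_token" => csrf_token(OTHER_SESSION) } }
end
```

The protected version still lets the app's own form through, so the "provider redirects the user straight to /auth/provider" flow quoted from the issue is exactly what breaks: the provider cannot know the victim's token, which is the whole point of the check.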

Getting email back from Twitter Oauth with Devise and Rails

I've set up a basic Rails application to use the Twitter OAuth gem and Devise and have been able to log in a user. However, my problem is I've now got my app white-listed and I would like to get a user's email back in the response. I've followed all necessary steps on the Twitter side (setting necessary permissions, URLs, and reset keys) and have tried passing both
include_email=true
and
include_email=email
as a param when I initiate the OAuth sequence. I feel like I've read and re-read the docs and tried a few edge cases I thought might work based on the very little I've found online.
Any help with this? Something I'm missing if you've done this before?
I solved my problem. The omniauth gem was not the latest version, which would include email. In my Gemfile I needed to declare '~> 1.2.1' where I had version 1.2.0; the new version includes the following changes you can read about here: https://github.com/arunagw/omniauth-twitter/pull/96

User Authentication into Devise from iOS

I am creating an application where the user is going to sign in with username and password. At the back end and also for the website I am using Ruby on Rails, where the authentication is handled by Devise. With the latest edition of Devise they have deprecated the Authentication Token. I am lost in terms of how to authenticate from iOS. Any suggestions? How am I going to modify the gem files etc.?
See this gist from José Valim: Safe or Unsafe Tokens
Basically you will want to write your own auth token methods. You need to generate tokens and later compare them. You should read all of the comments, the discussion is pretty good.
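Here is an added example (not the gist's code and not part of Devise) of the pattern the answer points at, written against an in-memory user record so it runs stand-alone. The app issues a random bearer token to the iOS client and persists only its SHA-256 digest, so a leaked database row does not yield usable tokens; lookup is by digest and the final comparison is constant-time; tokens expire and can be revoked. The USERS table, the TOKEN_TTL value and the Authorization header format are assumptions for the example.

```ruby
require "securerandom"
require "digest"

# Added example: token-based API auth for a mobile client, no Devise involved.
TOKEN_TTL = 30 * 24 * 60 * 60  # 30 days; an assumed value, pick per threat model

# Constructed stand-in for a users table: id => record. Only the digest of the
# token is ever stored here.
USERS = {
  1 => { email: "alice@example.test", token_digest: nil, token_expires_at: nil },
}

# Constant-time comparison of two equal-length strings.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def digest_for(token)
  Digest::SHA256.hexdigest(token)
end

# Called once the user has proven email/password (Devise's job, out of scope).
# Returns the raw token exactly once; only its digest is persisted.
def issue_token(user_id, now: Time.now)
  raw = SecureRandom.urlsafe_base64(32)  # 256 bits of entropy
  user = USERS.fetch(user_id)
  user[:token_digest] = digest_for(raw)
  user[:token_expires_at] = now + TOKEN_TTL
  raw
end

# Authenticate a request carrying "Authorization: Bearer <token>".
# Returns the user id or nil. With a real database you would look the row up
# by an index on token_digest (the digest of an unknown token simply misses);
# the constant-time compare is kept so a match never depends on early exit.
# The caller is told nothing about whether the token was unknown, expired
# or wrong.
def authenticate(authorization_header, now: Time.now)
  m = /\ABearer (\S+)\z/.match(authorization_header.to_s)
  return nil unless m
  wanted = digest_for(m[1])
  USERS.each do |id, user|
    next unless user[:token_digest] && secure_compare(user[:token_digest], wanted)
    return nil if user[:token_expires_at] < now
    return id
  end
  nil
end

# Sign-out / device lost: drop the digest and the token is dead immediately.
def revoke_token(user_id)
  user = USERS.fetch(user_id)
  user[:token_digest] = nil
  user[:token_expires_at] = nil
  true
end
```

A one-token-per-user table is the simplest shape; if the same account signs in from several devices, store one digest row per device so that revoking a lost phone does not log out the others.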

Is there any running example code for Google login with authlogic

PS: please don't say "use Devise, OmniAuth or any other plugin/gem you know".
I am looking for some example code for Google login using Authlogic for Ruby on Rails 3.
Here is what I have tried/checked:
authlogic-google-account-oauth --- This is sample code for Twitter, not Google (one of the top-rated Google results).
http://www.manu-j.com/blog/add-google-oauth-ruby-on-rails-sites/214/ --> generating keys for Google login? There was nothing like this when implementing Facebook, Twitter or LinkedIn login. All I need is the secret key and application id from the respective sites.
Tons of links on Stack Overflow; no one gives the solution, just recommends other gems or outdated blog posts like
Ruby on Rails: Best way to add Facebook login, Twitter login, OpenID login, etc
Configuring authlogic-oauth with google and many more.
Does anybody know any running example/sample code for Google login with Authlogic in Rails 3?
EDIT
Have you noticed these warnings? They are from your code; the code you provided is running on my local machine:
Attempting discovery to verify endpoint
Performing discovery on https://www.google.com/accounts/o8/id?id=AItOawlFBZciVpNUBSlYbz0wHzTgmJWu9PpCvyk
WARNING: making https request to https://www.google.com/accounts/o8/id?id=AItOawlFBZciVpNUBSlYbz0wHzTgmJWu9PpCvyk without verifying server certificate; no CA path was specified.
Using 'check_authentication' with https://www.google.com/accounts/o8/ud
WARNING: making https request to https://www.google.com/accounts/o8/ud without verifying server certificate; no CA path was specified.
You inspired me to hack away at this.
This blog basically worked for me http://blog.sethladd.com/2010/09/ruby-rails-openid-and-google.html
My code is extra ugly though, because it wasn't the first one I tried.
Other resources:
Ruby open_id_authentication with Google OpenID
http://toddsedano.blogspot.com/search?updated-max=2010-05-29T11%3A59%3A00-07%3A00&max-results=7
http://railscasts.com/episodes/170-openid-with-authlogic
Anywho, the rough code that is working for me is here:
https://github.com/softwaregravy/google_authlogic
and here is the running code
It's still very much a prototype. Hope it helps.

Omniauth: How to set authentication provider details at runtime

I have a Rails app that is accessible from 2 domains. Facebook requires me to register a Facebook app for each of these domains and gives me credentials for each. With OmniAuth I can only specify one set of credentials, which is set on application startup. However, I would need to supply FB with different credentials depending on the host of the request.
There are 2 problems here:
How can I change the Omniauth credentials for facebook at runtime?
How can I intercept the call to Facebook, check the domain and set the credentials accordingly? A before filter will not work, as OmniAuth uses Rack middleware.
Any suggestions are highly appreciated!
Copying the answer from the comments in order to remove this question from the "Unanswered" filter:
I solved this myself now. The problem was that the FB strategy calls back to FB a second time to get an access token. In that second call the wrong credentials were used (the ones set in the initializer). So I had to patch the OAuth2 strategy so that it calls through to the Rails app again, to set the runtime credentials for that second call. In the callback, which normally only handles the response from OmniAuth, I set the credentials and return a 404 unless request.env["omniauth.auth"] is present. That works fine but has some side effects for apps without dynamic providers.
The problem is now, that even if an application doesn't want to set the credentials at runtime, it has to add a condition to the callback like if request.env["omniauth.auth"] to avoid the callback code being executed when it is called the first time. The solution is probably to add a parameter to the Omniauth builder like :dynamic_provider and only call through to the app if it is set.
~ answer per Nico
This question is fairly old but still relevant. Nowadays it is also possible to set provider details dynamically during OmniAuth's Setup Phase.
For example:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :example,
    # the setup proc runs before the request phase and before the callback
    # phase, so it can change the strategy's options for each request
    setup: ->(env) do
      env['omniauth.strategy'].options[:foo] = env['rack.session']['foo']
      env['omniauth.strategy'].options[:client_options][:site] = Something.dynamic('param')
    end
end
Source: https://github.com/omniauth/omniauth/wiki/Dynamic-Providers
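Applied to the original question, the setup proc can pick the Facebook app by request host. The following is an added example (not from the OmniAuth wiki or anyone in the thread) of such a proc, exercised against a constructed Rack env and a stand-in strategy object that exposes `options` the way a real OmniAuth strategy does; the host table and the credential values are assumptions. Because OmniAuth runs the setup proc before both the request phase and the callback phase, the second call to Facebook that Nico had to patch around sees the same per-host credentials. Two things the wiki snippet does not spell out, and that matter because the Host header is client-controlled: normalise it (strip the port, lower-case) and fail closed on any host that is not in the table rather than falling back to a default app.

```ruby
# Added example: choosing OmniAuth provider credentials per request host.

# Constructed per-host registrations; the values are placeholders.
FACEBOOK_APPS = {
  "www.example.test" => { client_id: "app-id-for-example", client_secret: "secret-example" },
  "www.other.test"   => { client_id: "app-id-for-other",   client_secret: "secret-other"   },
}.freeze

class UnknownHost < StandardError; end

# Host as sent by the client, without port, lower-cased. Raises if absent.
def request_host(env)
  raw = env["HTTP_HOST"] || env["SERVER_NAME"]
  raise UnknownHost, "no Host header" if raw.nil? || raw.empty?
  raw.split(":", 2).first.downcase
end

# The proc to pass as `provider :facebook, setup: FACEBOOK_SETUP`.
# Unknown hosts raise instead of silently using another site's app.
FACEBOOK_SETUP = lambda do |env|
  host = request_host(env)
  creds = FACEBOOK_APPS[host]
  raise UnknownHost, "no Facebook app registered for #{host}" unless creds
  strategy = env["omniauth.strategy"]
  strategy.options[:client_id] = creds[:client_id]
  strategy.options[:client_secret] = creds[:client_secret]
end

# Stand-in for the strategy object OmniAuth places in env["omniauth.strategy"];
# only the `options` hash is needed here.
class FakeStrategy
  attr_reader :options

  def initialize
    @options = { client_options: {} }
  end
end

# Run the setup proc for a constructed request and return the resulting options.
def options_for_host(host_header)
  strategy = FakeStrategy.new
  env = {
    "HTTP_HOST" => host_header,
    "PATH_INFO" => "/auth/facebook",
    "omniauth.strategy" => strategy,
  }
  FACEBOOK_SETUP.call(env)
  strategy.options
end
```

In a real deployment, raising from the setup proc surfaces as an OmniAuth failure for that request, which is the desired outcome for a spoofed or unregistered Host; map it to a 404 in your `on_failure` handler if you prefer not to reveal that the route exists.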
