Is Devise a good option? Another extension? Roll my own as per OAuth in Rails - google, twitter, facebook, connect for login like stackoverflow login?
You can go with Devise in combination with Omniauth or use Omniauth on its own building your own authentication. You need to decide whether you want local+remote sign-up or remote sign-up only. I did both recently and wrote articles about it:
Devise + Omniauth: http://communityguides.heroku.com/articles/11
Omniauth, includes full code on Github: http://communityguides.heroku.com/articles/16
(Links updated 15.12.2012)
Edit: Regarding local sign-up - you might use myopenid as a replacement and send users over there if they do not have or do not want a Twitter/FB/Google account...
I highly recommend Devise (1.2 or newer) with OmniAuth. I have been successful in using that combination to enable single sign-on from a Rails application to GitHub, and it's fairly trivial to add support for additional providers.
https://github.com/plataformatec/devise/wiki/OmniAuth%3A-Overview
Related
I'm creating an app in Ruby on Rails and have research Devise, Omniauth, and creating my own custom version.
My question is: what are the scenarios in which you would use one of the three choices above?
My take:
- Omniauth can provide quick registration through third party APIs, but would require additional permissions to access additional data
- Devise provides core functionality which can also be customized based on the applications needs
- Custom may be for extreme scenarios which, currently, I do not need
** I'm leaning towards Devise as it provides the core and allows me to add onto that
Additional Considerations:
- My application needs to sign in and access basic information for: location, language I18n, etc
- My application also does financial transactions (if you're a paid member, et al).
Going back to my question: based on the above, does Devise seem to be the better choice? Does Omniauth provide these features? When should I use one versus the other?
Thanks
Devise and Omniauth do very different things - and they are often used together.
Devise provides a full authentication package with views, controllers and routes to allow users to sign up, edit user profiles, reset passwords, etc.
Devise can be used without the database authentication module with provides signup via email password.
Omniauth is a framework for authentication users via Oauth. Omniauth unlike Devise does not ship with any views or controllers. Instead you need to integrate the Oauth callbacks into your app. What Omniauth does is abstract away the differences between different providers.
Both can be used together to provide user authentication via password or oauth for example.
Rolling your own authentication solution is generally not advisable. Projects like Devise have hundreds if not thousands of man-hours behind them and many eyes viewing the code base for flaws. Crappy home rolled auth solutions by companies with Not Invented Here Syndrom are one of the most common security failures that have lead to user data and passwords being leaked.
To add context to #max's answer, OmniAuth is an extraction of OAuth (Open Authorization)...
OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access. We've kept it simple to save you time.
Whenever you have a trusted service such as Facebook, Twitter, LinkedIn, GitHub, NetFlix, etc, and want to use a service in conjunction with your pre-built connectivity on these existing services, you'll need a secure way to "authorize" the use of that data...
A "CRM" system which allows you to "import" contacts from LinkedIn
A "social sender" system which allows you to send messages to your Facebook friends
Recommend new movies based on what you recently watched on NetFlix
Most people know OAuth by virtue of the "Allow Access" notification for Facebook etc:
Interpreting this in your own app is simple - do you want to pull data from Facebook / Twitter / LinkedIn / GitHub etc?
Real use of OAuth should be to extend your application.
Most users treat "app requests" for their social network data as an extension of the "social" experience (IE if I allow app access to my FB, I expect it to post to my wall etc).
Instead of treating it as a way to allow users to sign in with Twitter / Facebook / LinkedIn credentials (which is 100% valid), you should think about the higher-level functionality.
--
Devise != OmniAuth
Devise is an authentication system; OAuth is authorization.
OmniAuth extends OAuth for authentication:
OmniAuth is a library that standardizes multi-provider authentication for web applications.
It replaces email/password with Twitter API key. Thus, whenever creating authentication on your system, you will always need to store User data etc - it's how that data is authenticated which makes the difference.
In short, if you want Sign in with Twitter buttons etc, OmniAuth is recommended. However, to keep your authentication consistent, you'll be best using Devise with OmniAuth.
--
Finally, don't roll your own authentication unless you've implemented Devise at least 5 times. All Rails authentication works similarly (uses Warden strategies). It's not going to be worth your time debugging your own system when Devise has 100,000's of users doing the work for you.
I want to implement Facebook's Registration plugin
How do I do it using Devise ? is there any Devise/OmniAuth extension available ?
if you're using devise 1.2, the documentation is there in devise's github
https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
I think you're misunderstanding the registration plugin. It's aimed for web users that don't yet have a Facebook account. If you want to use that, then add it as a simple iframe with a callback returning them to you site, and then add a regular Omniauth Facebook login.
you can try a gem sorcery
I'm trying to add Google Apps authentication to my Rails (3) app using Devise (1.2.1). Thing is, I can't find anything that helpful on the interwebs other than the small mention in the devise wiki.
Question is, is this possible, and are there any examples out there I can check out?
Devise is to make your web application authenticate users. If you wanт users to login into your app with Google ID then look into OpenID. If you want to connect to Google services you need to implement Oauth client
Is there a rails plugin which can handle authentication with facebook, twitter and openID providers (ex. google, yahoo...)
I would recommend Devise. It is a very active project that is maintained by José Valim who is a contributor to Rails core. I've been using it for several months for authentication with both Facebook and Google (through openid) without any real problems.
authlogic with authlogic_oauth & authlogic_facebook_connect will cover all of those.
Using the current rails 2
I want users to be able to create an account from:
traditional signup
twitter
facebook
and then allow them to link facebook and/or twitter and/or traditional signup later.
I read this http://www.themomorohoax.com/2009/02/21/rails-2-3-authentication-comparison
and decided to check out:
Authlogic
Restful Authentication
Devise/Warden
It seems for at least some of the plugins you can use with them that making OAuth work with them will make them incompatible with any other login system.
Will I need to roll my own from the ground up, or can I glue together some existing pieces?
You can glue together existing pieces.
I wouldn't advise for Restful Authentication. It's getting old and isn't maintained anymore.
If you plan on using Authlogic, you can take a look at those two gems :
authlogic oauth for any oauth service (including twitter)
authlogic facebook connect
If you plan on using Devise, you can take a look at those two gems :
warden oauth for any oauth service (including twitter)
device facebook connectable