I am searching for a working solution of authentication on Rails 3 with the following features:
account types: standard login, facebook connect, openid, oauth
one user may have (and link) multiple accounts (e.g. a user attaches both WordPress and Google OpenID accounts)
A working example of Rails app implementing them would be perfect.
You could take a look at devise even though it doesn't have every feature that you're asking for. But then again I doubt there's something out there doing all that.
Sounds like https://www.ruby-toolbox.com/gems/socialite is hoping to be what you're looking for.
Recently I just noticed how Path, Pinterest, and the like changed the way they authenticate their users. Currently it seems that they require us to create an account associated with Facebook or Twitter. I could not understand the reason behind this. Is there any security concern for them to make this move?
Why is simple authentication with Facebook and Twitter not enough?
I think it is about giving the site more control over their future and the relationship to their users.
If they have their own account system, but allow the users to link it to Facebook or Twitter, that link can later be changed if the relationship with those providers turns sour.
The big reason is that they don't have to take any risk with handling passwords, etc. which can get hacked. They are offloading the security of user accounts to bigger partners, so they don't have to worry about it.
I'm currently using OAuth to authenticate people with their Twitter (twitter gems) account in my application. The problem is that for people who aren't connected or who have various accounts.
So that's my question: is it possible to ask users for their login/password to link their Twitter account on my application?
Thanks
It is no longer possible to connect to Twitter's API using Twitter credentials. Twitter's public stance on this is that you should -never- provide your Twitter credentials to anyone else, ever. This is part of their rationale for implementing OAuth.
Even if you had the user's Twitter password, you couldn't validate that it was actually their password, nor could you access their Twitter account with it through the Twitter API.
Your best bet would be to look into devise and omniauth. I've gotten it to work this way. OmniAuth also allows linking several accounts, be it Facebook, Twitter, etc.
I'm sure it's entirely possible to ask users for their Twitter login/password on your application. It's a very bad practice though, as OAuth avoids the need for client applications to ever touch a user's credentials. I suggest setting up an authentication/authorization system that maintains a login/password and then allows connecting multiple OAuth accounts via an AuthenticationStrategy model or the like. Ryan Bates did a few Railscasts on the subject:
http://railscasts.com/episodes/235-omniauth-part-1
http://railscasts.com/episodes/236-omniauth-part-2
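An added example (not code from the Railscasts, the answers above, or Devise/OmniAuth) of the "one local user, many linked OAuth identities" model the original question asks for and this answer recommends. It is plain Ruby with an in-memory store standing in for ActiveRecord; the names User, Authentication and Store, and the shape of the OmniAuth auth hash fields used, are assumptions.

```ruby
require "securerandom"

# One linked external identity: provider name plus the provider's stable uid.
# Only provider/uid and the OAuth token are kept; no provider password is ever stored.
Authentication = Struct.new(:provider, :uid, :token, :user)

class User
  attr_reader :id, :email, :authentications

  def initialize(email)
    @id = SecureRandom.uuid
    @email = email
    @authentications = []
  end
end

# In-memory stand-in for the users table; find_by_auth plays the role of the
# (provider, uid) index Rails would query in the OmniAuth callback.
class Store
  def initialize
    @users = []
  end

  def find_by_auth(provider, uid)
    @users.find do |u|
      u.authentications.any? { |a| a.provider == provider && a.uid == uid }
    end
  end

  # auth is the OmniAuth auth hash (only the fields used here are modelled);
  # current_user is the signed-in user, or nil, when the callback fires.
  def from_omniauth(auth, current_user = nil)
    provider = auth.fetch("provider")
    uid = auth.fetch("uid").to_s # normalise numeric uids (Twitter) to strings
    existing = find_by_auth(provider, uid)

    # Signing in: the identity is already known, return its owner.
    return existing if existing && current_user.nil?
    # Linking: refuse to move an identity that belongs to a different user.
    raise "identity already linked" if existing && !existing.equal?(current_user)
    return current_user if existing

    # New identity: attach it to the signed-in user, or create a fresh local account.
    user = current_user || User.new(auth.dig("info", "email")).tap { |u| @users << u }
    token = auth.dig("credentials", "token")
    user.authentications << Authentication.new(provider, uid, token, user)
    user
  end
end
```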
I'm trying to add Google Apps authentication to my Rails (3) app using Devise (1.2.1). Thing is, I can't find anything that helpful on the interwebs other than the small mention in the devise wiki.
Question is, is this possible, and are there any examples out there I can check out?
Devise is to make your web application authenticate users. If you want users to log in to your app with Google ID then look into OpenID. If you want to connect to Google services you need to implement an OAuth client.
I'm currently using Authlogic to handle all user accounts, but our company has switched over to Google apps and I would much rather use that same authentication for all users.
My question is - how?
I know I'll need the ruby-openid gem but I have yet to integrate authentication with a 3rd party. Any recent examples or tutorials out there to help guide the way?
Thanks!
There is a good resource here that I've used to get this working in the past.
This does what you are looking for: authlogic_openid_selector_example. It isn't a tutorial but you can have a look at the code.
Seth Ladd, a Google developer advocate, has a blog post on how to authenticate using a Google account in a Rails 3 app. You may need to change the example depending on how Google Apps is configured in your company.
Just a thought -- RPX has the ability to do logins from google, and you could use the Authlogic RPX plugin
Can we build applications on top of the twitter user base?
Is it just another open id or something more?
I noticed when using twitpic and some MUD type game 14mafia.com that it uses my twitter login (it tweets on your behalf).
If they are using my login/password that's pretty crazy, I mean what kind of security is that?
Anyhow, I just want a developer who has experience to tell me if we can re-use their membership like OpenID?
Can we build applications on top of the twitter user base?
The Twitter API is described at http://apiwiki.twitter.com/
Is it just another open id or something more?
Twitter is neither an OpenID consumer nor provider.
I noticed when using twitpic and some MUD type game 14mafia.com that it uses my twitter login (it tweets on your behalf).
If they are using my login/password that's pretty crazy, I mean what kind of security is that?
Awful security. Don't give out your password to third party sites. Some just use the password anti-pattern, others will steal your credentials for purposes you don't want.
Twitter supports OAuth today. If a site wants to do things with your Twitter profile, it should use that.
Anyhow, I just want a developer who has experience to tell me if we can re-use their membership like OpenID?
No, you can't.
Twitter offers both OAuth and simple username/password authentication in its API. Originally they only had the basic authentication API, so many early apps were built using it. Later, they added the OAuth support, but since it was easier to use the basic authentication, many Twitter clients and apps still use it.
You can tell which one an application is using, because if they are using the simple authentication they will ask for your password. You have to trust them with it in that case. You're right that it's poor security.
I imagine they are using the Twitter API.