Rails two-legged OAuth provider? - ruby-on-rails

I have a rails 2.3.5 application with an API I wish to protect.
There is no user - it is an app to app style webservice (more like an Amazon service than facebook), and so I would like to implement it using a two-legged OAuth approach.
I have been trying to use the oauth-plugin server implementation as a start:
http://github.com/pelle/oauth-plugin
...but it is built expecting three-legged (web redirect flow) oauth.
Before I dig deeper into making changes to it to support two-legged, I wanted to see if there was an easier way, or if someone had a better approach for a rails app to implement being a two-legged OAuth provider.

Previously, the only good answer was to hack about in the oauth-plugin to get this subset of the oauth interaction. Since then, the oauth-plugin was refactored, and now you can use it straight up, just by adding the right type of authentication filter to your controller:
    class ApiController < ApplicationController
      # pulls in oauth-plugin's controller helpers (current_client_application, etc.)
      include OAuth::Controllers::ApplicationControllerMethods
      # :two_legged   -> accept requests signed with the consumer key/secret only, no user token
      # :interactive  -> false: API-only, no fallback to a browser/session login
      oauthenticate :strategies => :two_legged, :interactive => false
      # ...
    end
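As an added example (not oauth-plugin's code or the answerer's), this is roughly what the two-legged check behind such a filter amounts to: recompute the HMAC-SHA1 signature over the request using only the consumer key/secret (no token), compare it in constant time, and use the timestamp and nonce as the replay defence. The consumer registry, URL and parameter values are constructed.

```ruby
require 'openssl'
require 'base64'
require 'cgi'
require 'set'

# Added example: a minimal two-legged OAuth 1.0 (HMAC-SHA1) verifier, not oauth-plugin code.
# Constructed consumer registry (key => secret); a real app would load this from its DB.
CONSUMERS = { 'app-key-123' => 'app-secret-xyz' }.freeze
NONCE_CACHE = Set.new # replace with an expiring store (DB/Redis) in a real deployment

def oauth_escape(s)
  # RFC 3986 percent-encoding as OAuth 1.0 requires: space is %20, '~' stays literal
  CGI.escape(s.to_s).gsub('+', '%20').gsub('%7E', '~')
end

# Assumes url is the base URL (scheme, host, path) and any query params are in params.
def signature_base_string(method, url, params)
  normalized = params.reject { |k, _| k == 'oauth_signature' }
                     .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  # Two-legged requests carry no access token, so the token secret is empty
  # but the '&' separator in the signing key remains.
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string))
end

def secure_equal?(a, b)
  # Constant-time comparison so a mismatch is not detectable byte-by-byte via timing
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns true only for a freshly signed request from a known consumer.
def verify_two_legged(method, url, params, seen_nonces: NONCE_CACHE, now: Time.now.to_i, window: 300)
  secret = CONSUMERS[params['oauth_consumer_key']]
  return false if secret.nil? || params['oauth_signature_method'] != 'HMAC-SHA1'
  # With no user token, timestamp + nonce are the only replay defence: reject stale
  # requests and any (consumer, nonce) pair already seen inside the window.
  return false if (now - params['oauth_timestamp'].to_i).abs > window
  expected = hmac_sha1_signature(signature_base_string(method, url, params), secret)
  return false unless secure_equal?(expected, params['oauth_signature'].to_s)
  # Record the nonce only after the signature checks out; nil means it was already seen.
  !seen_nonces.add?([params['oauth_consumer_key'], params['oauth_nonce']]).nil?
end
```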

I'm not aware of any alternatives to oauth-plugin at the moment, though it is definitely getting long in the tooth and ripe for a replacement. My recommendation is to generate the oauth server from oauth-plugin, then extract the dependencies from the plugin (which are just a couple modules worth of methods) and trash the plugin. Then tweak everything to your needs. 2-legged oauth should not be a big problem since it is simpler than 3-legged anyway, and my feeling is that oauth-plugin is not usable these days without significant modifications anyway.
The meat of OAuth has long been extracted into the base oauth gem anyway, so the oauth-plugin is sort of in limbo. The architecture makes some heavy-handed assumptions about what authentication system you are using, and the generated code is dated. So to me, oauth-plugin serves more as an example of how to wire everything up rather than something that most sites would want to use out of the box.

Related

Rails: Which oauth/oauth2 middleware to use?

I am pretty much overwhelmed by the diversity of oauth/oauth2 rack middleware projects on github.
First question: Is OAuth deprecated? Am I only up-to-date with an OAuth2 middleware? Is OAuth1 insecure?
What if I want to provide an authorization procedure myself? I am sorry if I am not using the OAuth terminology correctly. I mean that I don't want - at least not from the beginning - to use a provider like Facebook or Twitter for login, but I want to maintain my own user accounts.
Not wanting an external provider (in the beginning at least) I was referred to OmniAuth Identity.
Letdown: There are almost no tutorials, especially no up-to-date ones. There is mainly only the Railscast on it from 2011.
And the examples on the GitHub page only state things like
# Anything else you want!
or
# whatever else you want!
Also no Wiki here.
So what is the go-to up-to-date OAuth1/2 middleware if you want to be able to take a pass on external providers, please?
What's with the obviously "vanilla" OmniAuth

Rails API authentication for SPA and Client App

I created a Rails API application that is currently doing its job awesomely, but I realized that it is missing the most important part: a login from the React application and at the same time the authentication from a Python application I developed that should consume those APIs as well.
Now, looking at the various offerings, it all seems fuzzy, at least from my perspective, and I would like to have advice that is not from 2016 or before but that is current today.
Many solutions on the net were dirtying the main ApplicationController, which didn't make sense to me.
So I thought that a 'modern' way, or let's say 'a way', is to use Doorkeeper and Devise.
I thought about Doorkeeper because it allows me to have the 'Applications', therefore I can delegate the authentication to applications in the proper way while using JWT for the SPA application, but honestly I don't know where to start deciding :)
I also wanted to share here the link of a blog post that inspired this question: https://www.vic-l.com/jwt-with-refresh-token-using-devise-and-doorkeeper-without-authorization/
Sadly, something I found that is still without an answer at the moment is Setting up DoorKeeper with multiple Rails/React applications?
Now, can I use Doorkeeper to manage the JWT for the SPA and the applications for the client in Python?
Thanks in advance!

Should I use OAuth/OAuth2 for SOA type web services?

My company is making a product where we have both a front and backend. The backend essentially provides all the brains as far as user information. The front end is something that will be displayed to the user (obviously), but it may have different front end implementations (including our own reference implementation).
My company wants to use OAuth to validate the user login information. I've looked into OAuth a bit and it seems that OAuth 1 would require the user to post a key into the front end app. Does that at all sound right? It seems a little contrived to me because all the data resides on the backend. We really just want to verify that the front end is from a legit 3rd party. Is OAuth overkill for that? Would OAuth 2 be a better fit?
Keep in mind I'm working with Ruby on Rails and so I'm not sure how great the OAuth2 gemsets are.
Thanks
OAuth might be overkill if you are only using it internally. However, since your implementation would just be a reference design and you expect 3rd parties to connect, it seems a good decision to rely on a standard.
As Ruby implementations go - you probably want to look at the oauth-plugin (on the Rails side) and oauth2 (client) gems.

omniauth vs. oauth-plugin

I'm trying to figure out the differences between omniauth (https://github.com/intridea/omniauth) and oauth-plugin - (https://github.com/pelle/oauth-plugin)
I'm simply looking for a way to allow my users to authenticate with (Twitter, Facebook, etc) within my app.
I know omniauth provides this, but I'm running rails 2.3.10 which I don't believe is supported by omniauth. Can I use oauth-plugin? It also seems to have a lot fewer dependencies. Any thoughts are appreciated.
I have to disagree with the previous answers.
oauth-plugin is
a plugin for implementing OAuth Providers and Consumers in Rails applications.
It provides two generators (one for implementing an OAuth provider, one for the consumer) which create the models, the views and the controllers. The way the controllers work, is that they are subclasses of controllers defined in the gem. It's tied into Rails pretty deeply, and can only do OAuth.
omniauth, on the other hand, is a modular, framework-agnostic library that allows you to provide authentication via a multitude of providers.
Concretely, it means that you set up two endpoints (/auth/:provider and /auth/:provider/callback), have your user authenticate with the provider, and receive a hash with the user's info in return.
TL;DR
If you only need to provide authentication via Facebook/Twitter/OAuth/etc (i.e. you want to be an OAuth consumer), then omniauth is definitely more lightweight.
If you want to run an OAuth provider, oauth-plugin might be more straightforward, but it tends to be a lot more bloated, in my opinion, since it injects a lot of boiler-plate code into your app.
Omniauth is a mega-authorization gem, giving you access to the OAuth processes for a whole list of web services (Twitter, Facebook, Foursquare, Gowalla, Netflix, YouTube, etc, etc), so you can call specific functions for each service and get it set up quickly.
The oauth-plugin you mention appears to just set you up with an OAuth general setup, and you'd have to do the API hookups for each service yourself. More lightweight, so if you only need Twitter services, for example, that might be a better way to go, although I'd still probably check out Omniauth to see how big of a performance drain it is, because it's going to be a lot easier to use overall.

Rails 3. Building an oauth2 provider

I am developing an API in Ruby on Rails 3 and I would like to secure it with Oauth2.
In other words, I need to create an Oauth provider. Is there a working gem for Rails 3 out there or perhaps a tutorial on the issue?
UPDATE
I know Rails is REST based, so I find it very strange that there are no tutorials on how to create a public API and secure it. Does anyone know of any good tutorials? Preferably with OAuth.
Thankful for all help!!
Check out this gem https://github.com/applicake/doorkeeper
It is for Rails 3, though development is in its early stages.
There's also an example app that you can take a look at to see how the API is done.
http://doorkeeper-provider.herokuapp.com/
I've opensourced an OAuth2 server implementation yesterday.
It's well documented and there is a dashboard to control accesses. Right now I'm searching for somebody who wants to build an engine starting from it, or something cool on top of rack. That's why it is open-source.
https://github.com/intridea/oauth2 is the canonical gem right now for OAuth2 dev. If you are looking for a more complete solution, instead of rolling your own provider code, check out:
https://github.com/songkick/oauth2-provider
https://github.com/freerange/oauth2-provider
But I suggest messing around with the oauth2 gem if you aren't very familiar with the flow so that you can learn it better.
If you are using (or planning to use) devise for authentication, you can use https://github.com/socialcast/devise_oauth2_providable as plugin.
I'm developing a rubygem for an OAuth2 provider, Rack::OAuth2.
https://github.com/nov/rack-oauth2
It requires you to develop the models (token, code, client etc.) yourself, but you can get a whole Rails 3 sample OAuth2 server here.
https://github.com/nov/rack-oauth2-sample
I'm looking to implement an OAuth2 provider, too! I'm currently experimenting with this https://github.com/assaf/rack-oauth2-server, which seems to be a full-featured OAuth2 server, though it still supports only MongoDB, although implementing support for other DBMS seems simple enough. I am also looking at some of the other options posted here, lots of promising stuff!
"Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider functionality to your application."
https://github.com/applicake/doorkeeper