authlogic openid auto_register feature tries to duplicate registration - ruby-on-rails

I am trying to enable openid authentication on my website as well as use auto_register feature of latest authlogic_openid add-on.
Everything works fine until the second login. The first time, the user is created and logged in, but after I log out and try logging into the system with the same OpenID identifier I get the user registration form with errors saying that the username and other fields are already taken, and the form is prefilled with the values passed earlier with OpenID.
Everything is implemented per the authlogic/authlogic_openid tutorial, except for the user session model with the new auto_register call:
class UserSession < Authlogic::Session::Base
  auto_register   # authlogic_openid: create a User record on the first OpenID login
end
Any help much appreciated!

It seems like you're registering the users twice. The OpenID plugin doesn't know whether or not a user has been registered; it just does SREG every time if auto_register is true. Rather than calling auto_register every time, you could look up the user by openid_identifier and send auto_register(true) only if they're a new user.

I've found http://github.com/gaizka/authlogic_openid
His version of the Authlogic Open ID extension seems to work with the auto_register feature... although I can't get it to capture the emails correctly from SREG (works with regular registration).
There's a demo of it working here:
http://big-glow-mama.heroku.com/
http://github.com/holden/authlogic_openid_selector_example/tree/with-facebook/

Related

OmniAuth::Strategies::OAuth2::CallbackError user_cancelled_login | The user cancelled LinkedIn login

So I am developing a Rails application with LinkedIn authentication. The application works fine in all the cases except the case when user cancels the login.
I have already visited all the solutions on this site that could possibly help, but no luck.
I have designed a very basic login structure and I couldn't understand where to write the code to handle the exception and to redirect the failure to a particular path.
The process I have used to make my login page was: Adding gem, Adding a route to 'auth/linkedin/callback', Adding that controller, Adding omniauth.rb file with provider, client id, key, scope and fields parameters.
Adding from_omniauth method in user model.
And finally the link in view page. Here I have no idea what to manipulate to handle the params error. Thanks

Does rails devise authentication token for user have to be reset on user logout? How to implement multiple logins

My question is dead simple.
Does authentication token have to be reset on user logout?
Currently I am just developing an iOS application but there's a possibility for web, iPad, and Android applications too. If a single user account has to be able to be logged in to various devices, what is the best solution to achieve this?
I am currently saving user authentication token in NSUserDefaults to send with every request.
If there is just one user account and its authentication token, and a user logs out and resets the authentication token, the user won't be able to use the application on other devices such as web, iPad, and Android because the authentication token is no longer valid.
What is the best way to achieve this login on multiple devices?
My thoughts
My one thought is to make a login model that belongs to a user model and make that login model token authenticatable. Then each login can create a login model and destroy that model after logout. I will wait for any other solutions :) gg.
As far as I know, the token doesn't reset on logout.
I answered a similar question several days ago:
Is there a solution for Rails Gem Devise to allow a user to have multiple emails?
In your case you can create, for example, a UserDevices model instead of UserEmails and override find_for_token_authentication in the User model.
You can find some help in the comments here:
https://github.com/plataformatec/devise/blob/master/lib/devise/models/token_authenticatable.rb
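The design the answer sketches (one token per device, so logging out on the phone does not invalidate the browser session) can be shown without Devise at all. The following is an added example and not Devise's or the answerer's code: a plain-Ruby stand-in for the suggested UserDevices model, where the hypothetical DeviceRegistry#user_id_for_token plays the role of the overridden find_for_token_authentication. It goes one step beyond the answer by storing only a SHA-256 digest of each token, so a copied table does not yield usable credentials.

```ruby
require "securerandom"
require "digest"

# Added example, not Devise's code. Class and method names are hypothetical
# stand-ins for the UserDevices model the answer suggests.

User = Struct.new(:id, :email)

class UserDevice
  attr_reader :user_id, :name, :token_digest

  def initialize(user_id, name)
    @user_id = user_id
    @name = name
  end

  # Issue a fresh random token. Only its digest is kept server-side; the
  # plaintext is returned once so the client can store it (e.g. NSUserDefaults).
  def issue_token!
    token = SecureRandom.hex(32)
    @token_digest = Digest::SHA256.hexdigest(token)
    token
  end
end

class DeviceRegistry
  def initialize
    @devices = []   # constructed in-memory stand-in for a user_devices table
  end

  # Login from one device: create a device row and hand back its token.
  # A second login from another device adds a second row instead of
  # replacing the first one's token.
  def login(user, device_name)
    device = UserDevice.new(user.id, device_name)
    token = device.issue_token!
    @devices << device
    token
  end

  # Stand-in for find_for_token_authentication: map a presented token to a
  # user_id, or nil when no device holds that token. Comparing digests of
  # random tokens (rather than the tokens themselves) keeps the lookup cheap
  # while never storing the plaintext.
  def user_id_for_token(token)
    digest = Digest::SHA256.hexdigest(token.to_s)
    device = @devices.find { |d| d.token_digest == digest }
    device && device.user_id
  end

  # Logout from one device revokes only that device's token; returns true when
  # something was actually revoked.
  def logout(token)
    digest = Digest::SHA256.hexdigest(token.to_s)
    before = @devices.size
    @devices.reject! { |d| d.token_digest == digest }
    @devices.size < before
  end

  def active_device_count(user)
    @devices.count { |d| d.user_id == user.id }
  end
end

if __FILE__ == $0
  reg = DeviceRegistry.new
  alice = User.new(1, "alice@example.com")   # constructed sample user
  phone = reg.login(alice, "iphone")
  browser = reg.login(alice, "browser")
  reg.logout(phone)
  puts "phone token still valid?   #{!reg.user_id_for_token(phone).nil?}"
  puts "browser token still valid? #{!reg.user_id_for_token(browser).nil?}"
end
```

In a Devise setup the registry would be backed by a table with user_id, device name and token_digest columns, and find_for_token_authentication would do the digest lookup shown here.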

authlogic_facebook_connect not skipping users validation

I'm running Rails 2.3.8, authlogic 2.1.6 and the extension for Facebook Connect (https://github.com/studybyte/authlogic_facebook_connect).
The Facebook side is working well: the user clicks on the Facebook Connect button, goes to Facebook, logs in and returns to my app.
My problem is very simple but I can't figure it out. When the user is redirected to my site after logging in, if it is a new user, I create a new record. Since it comes from Facebook the user has no email or password, but the user is not saved because authlogic fails the password and email validation.
Shouldn't authlogic_facebook_connect skip these validations?
I realized that I don't have to create a user; the plugin is supposed to do that for you. You just have to log the user in after he connects to Facebook.
It didn't work before because I did not create the facebook_session_key field but facebook_access_token instead.
It should. It's supposed to call save(:validate => false) (in Rails 3.1, or save_with_validation(false) for older versions, if I remember correctly) to skip the validations.

Ruby on Rails: Authlogic Facebook integration: Link accounts with user input instead of automatically using email address

I'm developing a web app in Ruby on Rails. I'm using authlogic to do authentication. My site has its own logins, but I'm hoping to also use Facebook. I tried out authlogic_facebook_connect (using Facebooker). After a lot of hiccups (the docs haven't really been fully kept up), I did get authlogic_facebook_connect to work and it's OK. The default "connect" behavior works perfectly when I'm faced with users who have never used my site before, but it results in a lot of duplicate logins for people that are using different email addresses for Facebook and for my site. Here's what I want:
When the user hits the Facebook "Connect" button (and after they go through the Facebook auth step of clicking 'Allow'), I want a box to pop up asking the user if they want to connect to a pre-existing account on my site or if they want to have an account automatically generated for them.
If they want it automatically generated for them, we're good and we proceed as normal, but if -- on the other hand -- they want to link their Facebook account to an account on my site, I actually want them to enter in their local credentials and find the correct account. In other words, I do not want my solution to automatically figure out which account looks like the right one, I want the user to do this.
Is there any gem / plugin / quick hack that will allow me to pull this off either using authlogic_facebook_connect or OAuth or something else?
--David
Someone else may be able to point you at the perfect gem for this, but I can tell you that I've worked on a similar problem and it wasn't much work to roll our own, based on the oauth2 gem.
Here's a sketch of the code/flow I use.
1) User clicks on 'Connect to Facebook' and this sends you to an action like this:
def to_facebook
  options = {
    :redirect_uri => facebook_callback_url,
    :scope => "email,publish_stream" # whatever you want to do
  }
  # oauth2 gem (0.x API): build the client and send the user to Facebook's authorization page
  client = OAuth2::Client.new(FACEBOOK_API_KEY, FACEBOOK_API_SECRET, :site => FACEBOOK_API_SITE)
  redirect_to client.web_server.authorize_url(options)
end
2) User goes over to Facebook and gives you all the access you want, then Facebook calls the callback you specified (facebook_callback_url), which should take you to an action like this:
def facebook_callback
  client = OAuth2::Client.new(FACEBOOK_API_KEY, FACEBOOK_API_SECRET, :site => FACEBOOK_API_SITE)
  # exchange the one-time code Facebook sent back for an access token
  access_token = client.web_server.get_access_token(params[:code], :redirect_uri => facebook_callback_url)
  do_my_custom_user_association(access_token)
end
Then you can specify whatever you want in do_my_custom_user_association. You should have a current_user available from authlogic if someone is logged in, so you can redirect to a flow that lets the logged-in user select whether they want to merge into their current account or a different one. If there's no current user, you can send them to a create-account flow, with some Facebook data attached.
Note that this is just a sketch; there are error cases to handle (e.g. facebook_callback will be hit with the param error_reason if the get_access_token fails), and I'm not recommending you do all the oauth2 interaction right in your controller, but the basic idea is there.
See http://developers.facebook.com/docs/authentication/ if any of the oauth2 interactions don't make sense.
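The part the answer leaves open is what do_my_custom_user_association decides, and how facebook_callback should react to the error_reason case. The following is an added example, not the answerer's code or the oauth2 gem's API: a plain-Ruby sketch with hypothetical names (AccountLinker, LocalUser, FacebookLink) that separates the callback checks from the association decision, so the token exchange itself (which the gem performs) stays out of it. It goes beyond the answer in one respect: it also checks an OAuth2 state value, the standard way to make sure the callback was started by the same browser session that began the flow.

```ruby
# Added example, not the answerer's code. Names are hypothetical stand-ins for
# the app's own User model and a facebook_links table.

LocalUser    = Struct.new(:id, :email)
FacebookLink = Struct.new(:facebook_uid, :user_id)

class AccountLinker
  def initialize(links: [])
    @links = links   # constructed in-memory stand-in for a facebook_links table
  end

  # Callback step: inspect the params before exchanging any code.
  # Facebook reports a declined dialog via error_reason; treat it as a hard stop.
  # state must round-trip unchanged; a mismatch means this callback was not
  # started by the current session, so it is refused rather than linked.
  def callback_outcome(params, expected_state)
    return [:denied, params["error_reason"]] if params["error_reason"]
    unless params["state"] && secure_equal?(params["state"], expected_state)
      return [:invalid_state, nil]
    end
    return [:missing_code, nil] unless params["code"]
    [:ok, params["code"]]   # caller now exchanges the code for an access token
  end

  # The decision do_my_custom_user_association has to make, given the Facebook
  # uid taken from the access token and authlogic's current_user (or nil).
  def association_action(facebook_uid:, current_user:)
    link = @links.find { |l| l.facebook_uid == facebook_uid }
    if link
      # Known Facebook account: log in as the linked local user, no prompt.
      [:login_existing, link.user_id]
    elsif current_user
      # Logged in locally: offer to attach this Facebook account to the current
      # account, or to re-enter credentials for a different one.
      [:ask_link_or_switch, current_user.id]
    else
      # Nobody logged in: offer "create account" or "link to an existing account
      # by entering local credentials". The user picks; the app does not match by email.
      [:ask_create_or_link, nil]
    end
  end

  # Write the link only after the user has proven ownership of the local
  # account (e.g. entered their password in the prompt above).
  def link!(facebook_uid:, user:)
    if @links.any? { |l| l.facebook_uid == facebook_uid }
      raise ArgumentError, "facebook account already linked"
    end
    @links << FacebookLink.new(facebook_uid, user.id)
    true
  end

  private

  # Constant-time comparison so the state check does not leak by timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  linker = AccountLinker.new
  # constructed sample callback params, as a Rails controller would see them
  p linker.callback_outcome({ "error_reason" => "user_denied" }, "abc")
  p linker.callback_outcome({ "code" => "c0de", "state" => "abc" }, "abc")
  david = LocalUser.new(7, "david@example.com")
  p linker.association_action(facebook_uid: "fb-123", current_user: david)
end
```

In the controller, callback_outcome runs first on params; only an :ok result leads to get_access_token, and association_action then chooses which page to redirect to. The :ask_* results are where the "connect to an existing account or create one" box from the question goes.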

Authlogic, logout, credential capture and security

Ok, this is something weird. I got authlogic-oid installed in my Rails app today. Everything works perfectly fine but for one small nuisance.
This is what I did:
I first register with my Google OpenID. Successful login, redirection, and my email, along with my correct OpenID, is stored in my database. I am happy that everything worked fine!
Now when I log out, my Rails app as usual destroys the session and redirects me back to my root URL where I can log in again. Now if I try to log in it still remembers my last login id. Not a big issue, as I can always "Sign in as a different user", but I am wondering if there is any way to not only log out from my app but also log out from Google.
I noticed the same with Stack Overflow's OpenID authentication system.
Why am I so bothered about this, you may ask. But isn't it a bad idea if your web app's end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his Google account, only to realize later that his Google account got hacked by some unworthy loser who just happened to notice that the one before him had not logged out from Google and, say, changed his password!!
Should I be paranoid? Isn't this a major security lapse while implementing the OpenID spec? Probably today someone can give me a workaround for this issue and the question is solved for me. But what about the others who have implemented OpenID in their apps and not implemented a workaround?
If this is such a big issue to you, do not use OpenID, or display a DHTML popup after a successful logout reminding the users that their session is still valid on their OpenID provider.
As for Google's OpenID, what you can probably do is redirect users through the following URL after
http://www.google.com/accounts/ClearSID?continue=http%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fcontinue%3Dhttp%3A%2F%2Fwww.google.com%2F
AFAIK, there is no way you can log the user out of their account in another system. Your app is supposed to be responsible only for its own business. As a user, I'd be very surprised if a website using OpenID could log me out of my Google account.
Yes, there is a scenario where a user can assume that they are logged out of Google because they logged out on your site, but that would (and should) be their own fault.
