I hope this does not count as an opinionated question. I just need to be pointed in the right direction.
I am modifying the Devise gem to work purely with JSON. I have had no problems with the registration, confirmation, re-confirmation, locking so far.
However, while working with the sign in, I dug deeper and understand that the default Devise sign in strategy uses Warden as it has to do with sessions and Rack authentication.
I understand JWT contains all the information in itself and does not need sessions.
So if I strip the default Devise strategy of everything and simply return a JWT on success and errors on error, would that be the right approach?
Am I missing something?
In order to use JWT with devise, I recommend to not monkey patch devise and instead use a tool others can audit and test.
For this reason, I developed devise-jwt. It does zero monkey patching and leverages warden, which is the authentication library below devise. You can also read more about it in this post I wrote: A Secure JWT Authentication Implementation for Rack and Rails
Hope it helps
I wouldn't use devise_token_auth since it seems like too much hassle and ... you store tokens in db :/. Why would we want to do so if JWT is available.
I'd rather add a new strategy to Warden/Devise couple and let them work as they should.
Here's an example: https://medium.com/#goncalvesjoao/rails-devise-jwt-and-the-forgotten-warden-67cfcf8a0b73 . One thing to note: JWTWrapper doesn't really belong to app/helpers/ . You need to inject somewhere a call to JWTWrapper.encode({ user_id: current_user.id }) once your users successfully signs in with their email/password. Perhaps in the Devise SessionsController?
def create
self.resource = warden.authenticate!(auth_options)
sign_in(resource_name, resource)
yield resource if block_given?
render json: JWTWrapper.encode({user_id:current_user.id})
end
You might want to do this only for xhr or json (format) requests
You probably shouldn't be hacking your Devise gem source. I suggest to just use Devise Token Auth gem to handle tokens instead.
https://github.com/lynndylanhurley/devise_token_auth
It will generate and authenticate valid RFC 6750 Bearer Tokens.
According to their README.
Seamless integration with both the the venerable ng-token-auth module for angular.js and the outstanding jToker plugin for jQuery.
Oauth2 authentication using OmniAuth.
Email authentication using Devise, including:
User registration
Password reset
Account updates
Account deletion
Support for multiple user models.
It is secure.
Sorry for late answer, but I'm actually working on the same problem, and want to share my opinions on that.
First, I would emphasize not changing Davise sources, this will likely bring you to further problems, especially when Devise code changes.
On the other hand, as I have encountered devise-token-auth, it might not be viable for your needs, especially in distributed systems (SOA). Perhaps I'm wrong, but as I see devise-token-auth, you can't add Subjects to restrict user access solely on the token. If you don't need this feature, you really should try devise-token-auth.
If you want to store additional information in the token, you could try to authenticate against a regular devise or devise-token-auth and then encode your information using a JWT gem.
Example can be found here: https://www.sitepoint.com/introduction-to-using-jwt-in-rails/
I'm using the omniauth-google-oauth2 gem.
My oauth2 setup is really similar to the one here: https://gist.github.com/sevos/821291 , meaning that I keep my scopes in a config/authentication_services.yml file.
I would like to exclude a scope from the initial request, and ask for that scope only at the point when I need it?
What you need is probably connected to dynamic scope setting with omniuath. Few reads that might get you closer, they are about facebook oauth, but the general notion is very similar - you need to use omniauths setup hook.
http://www.mikepackdev.com/blog_posts/2-Dynamically-Requesting-Facebook-Permissions-with-OmniAuth
How can I specify the Facebook permissions (aka scope) OmniAuth asks for DYNAMICALLY?
http://www.mikepackdev.com/blog_posts/2-Dynamically-Requesting-Facebook-Permissions-with-OmniAuth\
In my application I have at this point a authentication function through oauth, but before of that I would like to have a login page, so I want to use Devise to create that. The problem that I am facing is that bought Device and my authentication method require a before_filter, and both methods redirect to a page, and because of that I get an error saying that I have to redirects. How can I fix this problem?
Thank you
I don't know explicitly what you are doing and what are your actual requirements but as far as I know you don not need before filter. you need to provide both options for login, authentication with devise and Omniauth.
I am referring you to some links consult it.
Mandatory:
http://www.samionrails.blogspot.com/2013/08/google-omni-auth-with-devise-tutorial.html
Optional:
https://github.com/intridea/omniauth/wiki/Managing-Multiple-Providers
http://www.samionrails.blogspot.com/2013/08/authenticate-user-using-omniauth.html
I'm using Omniauth with Devise using the google_oauth2 strategy.
It works well, but now I'd like to change the authorize path with something of my choice.
Actually it's http://localhost:3000/users/auth/google_oauth2 while I'd like a much simpler http://localhost:3000/login since it's simple to remember.
It would not raise any error since I've disabled the Devise database authenticable (the only way to login is through a google account).
How can I do?
Thanks.
You can see how to change url prefix here How to change route of omniauth from /auth/:provider to /myapp/auth/:provider
So it is almost what you need.
I recently wanted to deploy my Rails app on heroku but wanted to shield it from the outside world until I had tested it on the heroku itself. In order to shield it I have used authenticate_or_request_with_http_basic. However after having passed through the basic authentication and wanting to login (login system using authlogic) I find that authlogic doesn't remember a session (e.g. current_user == nil).
Without the authenticate_or_request_with_http_basic before_filter the authlogic sessions work fine.
Does anybody know why this is and how to make the two work together?
Thanks in advance.
PS: Just to be clear, my goal is not to be able to use authlogic users with authenticate_or_request_with_http_basic.
PPS: I use Rails 3 and git://github.com/odorcicd/authlogic.git
I'm having this issue also! I'm going to try and look into it to see if I can come up with anything...
EDIT: The fix is to disallow HTTP basic auth on your Authlogic session...
class UserSession < Authlogic::Session::Base
allow_http_basic_auth false
end
I'm pretty sure that this is a bug in Authlogic. The problem is this method:
Authlogic::Session::HttpAuth::InstanceMethods#allow_http_basic_auth?
which returns true when HTTP Basic is being used, even elsewhere in your application.