How, and why, implement OAuth in a Rails application?

So, I am creating an application that really only communicates with another Rails application, as well as with some remote touch screens. The application is available only to those who own one of these touch screens, and to the administrator. So I really don't see the point of logging in using Twitter, Facebook, etc. However, I need SOME HTTP authentication type using request / access tokens in order to 1. authenticate the user and 2. be able to get the user to communicate with the server (and when). I spent about a week (I'm a Rails newbie) studying OAuth, omniauth, etc., and I ask two things:

  • Since I'm authenticating between my two sets of applications, which gem is best for my situation?

  • Where should I write the logic for request / access tokens?

I really can't find good tutorials for this.

+4
2 answers

If you do not need any integration with existing identity providers, then Devise is all you need. It provides an easy way to manage user accounts, and users will log in using their email addresses and passwords.

It is more difficult to verify the authenticity of another application.

Method 1

If you don’t need a big connection between the two applications, you can log in to the main application and then create a temporary token that the user can use in the secondary application. Finally, the second application includes this token in all messages with the main application. Real world examples include Pivotal Tracker, which gives users an API key that they can use in web hooks on GitHub.

Trivial example

  • The user is sent to Main.com and registered using email and password.
  • Main.com creates a temporary token for the user.
  • The user provides a token for Sub.com.
  • Sub.com contacts Main.com with <user>:<token>@main.com/some/path?some=query

There are many security issues associated with this, but it is good enough for non-critical use cases. You can use SSL to protect tokens.

Method 2

However, method 1 is not very safe. A more reliable and secure solution is to make the main application an OAuth provider, and then have the secondary application authenticate against the main application using OAuth. Here is a Railscast that explains how to do this with DoorKeeper. You can use OmniAuth in the secondary application.

+11
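The token exchange sketched in Method 1, written out as an added Ruby example (not part of the answer above and not Devise or DoorKeeper code): Main.com issues a short-lived token and stores only its digest, Sub.com sends it as HTTP Basic credentials, and Main.com checks expiry and compares digests in constant time. The in-memory TOKENS hash, the Main.com/Sub.com roles and the prior Devise login are assumptions; transport still has to be TLS, as the answer notes.

```ruby
require 'securerandom'
require 'digest'
require 'time'

# Constructed in-memory store standing in for a Main.com database table.
# Only the SHA-256 digest of each token is kept, so a leaked table does not
# yield usable credentials. Key: user name; value: { digest:, expires_at: }.
TOKENS = {}

# Main.com: issue a token for a user who has already logged in (login itself
# is out of scope here). The plaintext token is returned exactly once.
def issue_token(user, ttl: 3600, now: Time.now)
  token = SecureRandom.urlsafe_base64(32)
  TOKENS[user] = { digest: Digest::SHA256.hexdigest(token), expires_at: now + ttl }
  token
end

# Constant-time comparison so a verifier does not leak how many leading bytes
# of a guessed token matched. Both inputs are fixed-length hex digests here.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sub.com: the <user>:<token>@main.com form is sent by HTTP clients as
# "Authorization: Basic base64(user:token)"; build that header value.
def basic_auth_header(user, token)
  "Basic " + ["#{user}:#{token}"].pack("m0")
end

# Main.com: parse the header, look up the user's stored digest and accept only
# an unexpired token whose digest matches. Returns the user name or nil.
def authenticate(header, now: Time.now)
  return nil unless header && header.start_with?("Basic ")
  begin
    decoded = header.delete_prefix("Basic ").unpack1("m0") # strict base64
  rescue ArgumentError
    return nil
  end
  user, token = decoded.split(":", 2)
  record = TOKENS[user]
  return nil unless record && token && now < record[:expires_at]
  secure_compare(record[:digest], Digest::SHA256.hexdigest(token)) ? user : nil
end
```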

I would recommend using Devise. It has many authentication strategies, including token authentication. There are many tutorials and Q&A on Stack Overflow covering a range of subjects. You can find it on GitHub, here.

Regarding the tutorial on using the token authentication strategy in Devise, you can find it here.

Also, look at the CanCan gem, here. This allows you to define the roles and abilities that should help determine the admins and users, as well as what they can do.


+1

Source: https://habr.com/ru/post/1497115/
