Rails Two-Legged Oauth Provider

Rails two-legged OAuth provider?

Previously, the only good answer was to hack about in the oauth-plugin to get this subset of the oauth interaction. Since then, the oauth-plugin was refactored, and now you can use it straight up, just by adding the right type of authentication filter to your controller:

class ApiController < ApplicationController
  include OAuth::Controllers::ApplicationControllerMethods

  oauthenticate :strategies => :two_legged, :interactive => false

  # ...
end

Implementing a 2 Legged OAuth Provider

I would take a step back and think about what a properly authenticated client is going to be sending you.

Can you store the keys and credentials in a common database which is accessible from both sets of services, and just implement the OAuth provider in one language? When the user sends in a request to a service (PHP or Java) you then check against the common store. When the user is setting up the OAuth client then you do all of that through either a PHP or Java app (your preference), and store the credentials in the common DB.

There are some Oauth providers written in other languages that you might want to take a look at:

  • PHP - http://term.ie/oauth/example/ (see bottom of page)
  • Ruby - http://github.com/mojodna/sample-oauth-provider
  • .NET - http://blog.bittercoder.com/PermaLink,guid,0d080a15-b412-48cf-b0d4-e842b25e3813.aspx

Three legged oauth flow on mobile app

If you're using NSURLSession to make HTTP requests, then see this for information about handling redirects.

Google also has some pre-built Google Sign-In packages for iOS and Android that you can include in your app, similar to the one in your web client. I've never used them though, so I don't know how exactly they'd integrate with your app.

Alternatively you can set up an authentication endpoint in your backend that handles the whole thing, with the app only ever making one request to your server and your server handling communication with Google. So, for example, you could have the user submit a request to /oauth/mobile. The server then submits an authentication request to Google and gets an access token and a refresh token. Then you can return your own app's token from the server. Google has some documentation on Google Sign-In for server-side apps that may be relevant.

Writing a Two-legged OAuth provider in Django

'2 legged' is just normal OAuth request without an access token or access token secret. That's it. You still use the client credentials (identifier and secret) but use empty strings for the access token parameters. Depending on the server library you use, you can omit the oauth_token parameter when making the request.
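As an added example (not code from either answer or from the oauth-plugin), a Ruby verifier for the two-legged OAuth 1.0 request the Rails and Django answers above describe: the client signs with its consumer key and secret only, so the token-secret half of the HMAC-SHA1 signing key is the empty string. The consumer registry, the nonce store and the request values are constructed for illustration.

```ruby
require 'openssl'

# Provider-side verifier for two-legged OAuth 1.0 (HMAC-SHA1). Two-legged means
# no access token is issued: the signing key is "consumer_secret&" with an
# empty token secret, and the oauth_token parameter is absent or empty.
module TwoLeggedOAuth
  # Constructed consumer registry; a real provider loads this from its store.
  CLIENTS = { 'demo-key' => 'demo-secret' }.freeze
  # In-memory nonce record for replay detection (demo only; share it in production).
  SEEN_NONCES = {}
  # RFC 3986 encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay literal.
  def self.percent_encode(str)
    str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
  end
  # METHOD & encoded base URL & encoded "k=v&k=v" of every parameter (query, body
  # and oauth_*) except oauth_signature, sorted by encoded key then value.
  def self.base_string(method, url, params)
    normalized = params.reject { |k, _| k == 'oauth_signature' }
                       .map { |k, v| [percent_encode(k), percent_encode(v)] }
                       .sort.map { |k, v| "#{k}=#{v}" }.join('&')
    [method.upcase, percent_encode(url), percent_encode(normalized)].join('&')
  end
  # Signing key is "consumer_secret&token_secret"; two-legged leaves the latter empty.
  def self.sign(base, consumer_secret, token_secret = '')
    key = "#{percent_encode(consumer_secret)}&#{percent_encode(token_secret)}"
    [OpenSSL::HMAC.digest('SHA1', key, base)].pack('m0') # strict base64, no newline
  end
  # Constant-time comparison so a mismatch does not leak where it happened.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  # Accepts the request only if the consumer is known, the method is HMAC-SHA1, no
  # token is presented, the timestamp is fresh, the signature matches and the nonce is new.
  def self.valid?(method, url, params, now: Time.now.to_i, window: 300)
    secret = CLIENTS[params['oauth_consumer_key']]
    return false unless secret
    return false unless params['oauth_signature_method'] == 'HMAC-SHA1'
    return false unless params.fetch('oauth_token', '').empty?
    return false unless (now - params['oauth_timestamp'].to_i).abs <= window
    expected = sign(base_string(method, url, params), secret)
    return false unless secure_equal?(params['oauth_signature'].to_s, expected)
    nonce_id = [params['oauth_consumer_key'], params['oauth_nonce']]
    return false if SEEN_NONCES.key?(nonce_id) # replayed request
    SEEN_NONCES[nonce_id] = now
    true
  end
end
```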
