Rails two-legged OAuth provider?

Asked 5/5, 2010 at 17:0 Answered 28/2, 2011 at 17:23

Solved ruby-on-rails ruby oauth oauth-provider two-legged

I have a rails 2.3.5 application with an API I wish to protect.

There is no user - it is an app to app style webservice (more like an Amazon service than facebook), and so I would like to implement it using a two-legged OAuth approach.

I have been trying to use the oauth-plugin server implementation as a start:

http://github.com/pelle/oauth-plugin

...but it is built expecting three-legged (web redirect flow) oauth.

Before I dig deeper into making changes to it to support two-legged, I wanted to see if there was an easier way, or if someone had a better approach for a rails app to implement being a two-legged OAuth provider.

Typescript answered 5/5, 2010 at 17:0 Comment(0)

Previously, the only good answer was to hack about in the oauth-plugin to get this subset of the oauth interaction. Since then, the oauth-plugin was refactored, and now you can use it straight up, just by adding the right type of authentication filter to your controller:

class ApiController < ApplicationController

    include OAuth::Controllers::ApplicationControllerMethods

    oauthenticate :strategies => :two_legged, :interactive => false

    # ...

end

Typescript answered 28/2, 2011 at 17:23 Comment(3)

is there more documentation on this anywhere? ...the two-legged variant I mean... – Aundreaaunson 2/2, 2012 at 6:26

Add the oauth-plugin to Gemfile, run 'rails g oauth_provider', add the above to your controller. If you have issues beyond this, I can probably help. – Typescript 2/2, 2012 at 16:2

I cannot make this work. As soon as I change to the two legged strategy, interactive false option i get Invalid OAuth Request errors. Am I supposed to do something very different at the client end too?. I am trying to follow this tutorial - unhandledexpression.com/2011/06/28/… - and it works to get a provider/consumer set up for 3-legged OAuth and I am trying to make it 2-legged. Any thoughts? – Aundreaaunson 7/3, 2012 at 9:23

I'm not aware of any alternatives to oauth-plugin at the moment, though it is definitely getting long in the tooth and ripe for a replacement. My recommendation is to generate the oauth server from oauth-plugin, then extract the dependencies from the plugin (which are just a couple modules worth of methods) and trash the plugin. Then tweak everything to your needs. 2-legged oauth should not be a big problem since it is simpler than 3-legged anyway, and my feeling is that oauth-plugin is not usable these days without significant modifications anyway.

The meat of OAuth has long been extracted into the base oauth gem anyway, so the oauth-plugin is sort of in limbo. The architecture makes some heavy-handed assumptions about what authentication system you are using, and the generated code is dated. So to me, oauth-plugin serves more as an example of how to wire everything up rather than something that most sites would want to use out of the box.

Penis answered 5/5, 2010 at 17:48 Comment(3)

good advice. I think I'll be ripping out just what I need from the plugin. Since the signature for two-legged request looks alot like the signature on an initial request for a token, I was able to base two-legged auth on that (verify_oauth_consumer_signature in particular). – Typescript 5/5, 2010 at 18:51

ok - got it working, and cleaned out most of the plugin. Will release a gist/branch for this when I get a chance. – Typescript 6/5, 2010 at 18:10

@Andrew Any word on that cleaned up 2 legged gist? Would love to borrow it :) – Lubricant 21/2, 2011 at 20:14

Recommended topics

Hot tags