Gem for oAuth2 Consumer AND Provider functionality in Rails 2.3.5

3

16

I'm struggling to find a usable gem which provides the following for a Rails 2.3.5 application:

  • we want to protect our API with oAuth 2; therefore a Controller for creating access/request Tokens and the models (Client, Token,...) are required
  • we want to consume oAuth2 Services like Facebook and Twitter

It would also be nice to have support for 3 legged and 2 legged authentication.

I found those gems, but they all have major drawbacks:

  • oauth-ruby (github.com/oauth/oauth-ruby)
    • I'm not quite sure if it already implements oauth2 mechanisms
    • more like a basic lib for services on top

  • oauth-plugin (github.com/pelle/oauth-plugin)
    • looks convenient BUT oauth2 only supported in rails3 branch :(

  • oauth2 (github.com/intridea/oauth2)
    • only for oAuth2 Consumers / no Provider Functionality

  • oauth2-ruby (github.com/aflatter/oauth2-ruby/tree/)
    • last Commit: 16.07.10 "DESCTRUCTIVE COMMIT" :(
    • based on oAuth2 Draft 00 (old!)

  • oauth2-provider (github.com/ThoughtWorksStudios/oauth2_provider)
    • last Commit: 21.10.10 - good
    • only Provider functionality :(
    • based on oAuth2 Draft 09 (quite recent)

Did anybody achieve those requirements with one or a combination of those gems? Could you please provide me a direction?

Any help is much appreciated!

Karyolysis answered 26/10, 2010 at 16:8 Comment(7)
I received a response from pelle, the author of the oauth-plugin, today. I asked him if oauth2 Support would be available in the master branch, too (not just the rails3 branch). He said "It should work well within Rails 2.3.x but I would like to hear feedback about it. I should really rename the branch."! I'll try it out! github.com/pelle/oauth-plugin/issues#issue/19 – Karyolysis

We implemented a custom fork of the rails3 Branch from the oauth-plugin and it worked like a charm – Karyolysis

I still have an issue with the before_filter :login_or_oauth_required and oauthenticate callbacks, how did you manage it? – Airlie

@gozali which exact problems do you have? We are only using oauthenticate btw (no more login_or_oauth_required); when the option "interactive" is set to true, it will act like login_or_oauth_required – Karyolysis

@makibo: I already solved it by upgrading my gems to the new one, but it is still confusing how to use the gem properly due to the lack of documentation and examples – Airlie

@gozali you'll need:
(1) to create an OAuth Controller:

    require 'oauth/controllers/provider_controller'
    class Oauth::OauthController < ApplicationController
      include OAuth::Controllers::ProviderController
    end

(2) Create a client_application with the generated views or console. Then you'll be able to fetch tokens as described in tools.ietf.org/html/draft-ietf-oauth-v2-08 (or newer).
(3) Where you need to protect access, insert this like a before_filter:

    oauthenticate :strategies => [:token] # OAuth2

Then you've got access to current_token and current_client_application. – Karyolysis

@gozali small addition: the token, once obtained, must be appended to each request to protected endpoints as an extra query parameter like so: example.com/oauth_protected_resource?access_token=VALID_ACCESS_TOKEN – Karyolysis
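
The request shape from the last comment above, as an added example that is not part of the original thread or of the oauth-plugin code: because the token travels in the query string, it also ends up wherever the full URL is recorded, so the sketch pairs the client-side URL builder with a redaction step to run before a URL is logged. The helper names `with_access_token` and `redact_access_token` and the sample URLs are assumptions made for illustration.

```ruby
require 'uri'

# Added example: helper names and sample values are hypothetical,
# not part of oauth-plugin or of the original thread.
TOKEN_PARAM = 'access_token'

# Append the token as a query parameter, as the comment describes.
# Existing parameters are kept, and a stale access_token is replaced
# instead of being sent twice.
def with_access_token(url, token)
  uri = URI.parse(url)
  pairs = URI.decode_www_form(uri.query || '')
  pairs = pairs.reject { |key, _| key == TOKEN_PARAM }
  pairs << [TOKEN_PARAM, token]
  uri.query = URI.encode_www_form(pairs) # URL-encodes the token value
  uri.to_s
end

# Replace the token value before a URL is written to a log or error
# report. Other parameters pass through unchanged.
def redact_access_token(url)
  uri = URI.parse(url)
  return url if uri.query.nil?

  pairs = URI.decode_www_form(uri.query).map do |key, value|
    key == TOKEN_PARAM ? [key, 'REDACTED'] : [key, value]
  end
  uri.query = URI.encode_www_form(pairs)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real credentials.
  signed = with_access_token('https://example.com/oauth_protected_resource?page=2',
                             'VALID_ACCESS_TOKEN')
  puts signed
  puts redact_access_token(signed)
end
```
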
1

I can't help with your search. But I'll just say that that's a pretty large number of implementations for a protocol that is still in very active development :)

See my pointers to the current OAuth 2.0 status, as of draft 11, at https://security.stackexchange.com/questions/1187/what-were-the-specific-security-flaws-with-oauth-1-0-how-are-they-being-addresse/1201#1201

(Can anyone characterize the degree of interoperability between the different drafts of 2.0?)

Arithmetic answered 18/12, 2010 at 5:21 Comment(0)
1

Wanted to add a couple more libraries that I've come across. I haven't used either, but I thought they should be on this post for people to compare:

Braggart answered 10/4, 2011 at 19:17 Comment(0)
1

I've evaluated most of the gems listed in this thread, and in my (biased) opinion the devise_oauth2_providable gem is the best oauth2 provider backend for a rails app. Its goal is to be the easiest integration for existing rails apps and I'd recommend giving it a look over.

https://github.com/socialcast/devise_oauth2_providable

You can mix and match a different gem for oauth2 consumers since they are different enough responsibilities.

Gudgeon answered 17/10, 2011 at 18:59 Comment(0)
