Some OAuth love in Ruby

Transcript

  • 1. Some OAuth love <3, by Nicolas Blanco (twitter.com/slainer68)
  • 2. Why? The story
  • 3. OAuth
    - 2006, started by Blaine Cook (Twitter)
    - "OpenID for API access"
    - Delegation of access
    - IETF: final protocol (RFC 5849) in 2010
  • 4. OAuth
    - 3-legged flow: three parties (OAuth delegates authorization; it is not an authentication protocol)
    - Resource owner (Mme Michu)
    - Server / Resource provider (vimeo)
    - Client / Consumer (dvdtrololol.com)
  • 5. OAuth - Resource provider: YOU!
  • 6. OAuth - Resource owner
  • 7. OAuth - workflow (diagram): trolololdvd.com obtains temporary credentials (a request token) from vimeo, then redirects the user to vimeo's authorization page
  • 8. OAuth - Authorization page
  • 9. OAuth - Workflow (diagram): the authorized request token is exchanged for an access token, and the access token is then sent with every API request
  • 10. OAuth - Signature
    - Must sign all requests
    - Base string
    - Consumer key
    - Consumer secret
    - The signature
  • 11. OAuth - Base string
    - The HTTP Method is GET
    - The URL is http://vimeo.com/api/rest/v2/
    - The method is vimeo.people.getInfo
    - There is only one API parameter for vimeo.people.getInfo: user_id is brad
    - The oauth_consumer_key is abcdef0123456
    - The oauth_nonce is r4nd0m1234
    - The oauth_timestamp is 1328533189
    - The oauth_signature_method is HMAC-SHA1
    - The oauth_version is 1.0
    Every parameter (API and oauth_*, but never oauth_signature itself) is percent-encoded, sorted by name, joined with "=" and "&", and that whole string is percent-encoded once more, which is why "=" appears as %3D and "&" as %26:
      GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3Dvimeo.people.getInfo%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce%3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad
    The signature is HMAC-SHA1 over this base string, keyed with "consumer_secret&token_secret" (the token secret is empty here because no request or access token is involved yet).
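Added example, not part of the talk: an RFC 5849 signer written against the Ruby standard library only, so the slide's base string can be rebuilt and signed offline without the oauth gem. Every request value is the one from the slide; the consumer secret is invented, and the module name OAuth1Signer is an assumption.

```ruby
require "openssl"
require "uri"

# Added example (not from the talk): an RFC 5849 signer in stdlib Ruby. The
# consumer secret is invented; every other value below is the slide's.
module OAuth1Signer
  module_function

  # RFC 5849 section 3.6: unreserved characters stay literal, everything else
  # becomes uppercase %XX. This is not form encoding: a space is %20, never "+".
  def encode(value)
    value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format("%%%02X", c.ord) }
  end

  # RFC 5849 section 3.4.1.2: lowercase scheme and host, default port dropped,
  # query string removed (its parameters are signed with the others instead).
  def base_uri(url)
    uri = URI.parse(url)
    port = uri.port == uri.default_port ? "" : ":#{uri.port}"
    "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}"
  end

  # RFC 5849 section 3.4.1: METHOD&encode(base URI)&encode(normalized params).
  def base_string(method, url, params)
    pairs = URI.decode_www_form(URI.parse(url).query.to_s) +
            params.map { |k, v| [k.to_s, v.to_s] }
    pairs = pairs.reject { |k, _| k == "oauth_signature" } # never sign the signature itself
    encoded = pairs.map { |k, v| [encode(k), encode(v)] }.sort # by encoded name, then value
    normalized = encoded.map { |k, v| "#{k}=#{v}" }.join("&")
    [method.to_s.upcase, encode(base_uri(url)), encode(normalized)].join("&")
  end

  # HMAC-SHA1 keyed with "consumer_secret&token_secret"; the token secret is
  # empty until the client holds a request or access token.
  def sign(method, url, params, consumer_secret, token_secret = "")
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    [OpenSSL::HMAC.digest("sha1", key, base_string(method, url, params))].pack("m0")
  end

  # Server-side check: recompute and compare in constant time. A real server
  # must also reject stale timestamps and replayed (timestamp, nonce) pairs.
  def valid?(method, url, params, consumer_secret, token_secret, signature)
    expected = sign(method, url, params, consumer_secret, token_secret)
    given = signature.to_s
    return false unless expected.bytesize == given.bytesize
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # Authorization header as sent on the wire (RFC 5849 section 3.5.1).
  def header(oauth_params)
    "OAuth " + oauth_params.sort.map { |k, v| %(#{encode(k)}="#{encode(v)}") }.join(", ")
  end
end

# The slide's request; only CONSUMER_SECRET is made up.
VIMEO_URL = "http://vimeo.com/api/rest/v2/"
VIMEO_PARAMS = {
  "method"                 => "vimeo.people.getInfo",
  "user_id"                => "brad",
  "oauth_consumer_key"     => "abcdef0123456",
  "oauth_nonce"            => "r4nd0m1234",
  "oauth_signature_method" => "HMAC-SHA1",
  "oauth_timestamp"        => "1328533189",
  "oauth_version"          => "1.0",
}
CONSUMER_SECRET = "not-a-real-secret"

if __FILE__ == $PROGRAM_NAME
  puts OAuth1Signer.base_string("GET", VIMEO_URL, VIMEO_PARAMS)
  sig = OAuth1Signer.sign("GET", VIMEO_URL, VIMEO_PARAMS, CONSUMER_SECRET)
  oauth_only = VIMEO_PARAMS.select { |k, _| k.start_with?("oauth_") }
  puts OAuth1Signer.header(oauth_only.merge("oauth_signature" => sig))
end
```

Two things the slide glosses over are visible here: the query string, the oauth_* parameters and any form-encoded body parameters all end up in the same sorted list, so moving user_id from the query into the body does not change the base string; and because the signature covers the method, the host and every parameter, a verifier that recomputes it detects any change to those, but only if it also checks timestamp freshness and nonce uniqueness, which the signature alone cannot do.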
  • 12. OAuth - Ruby
    - At least some Ruby!
    - gem install oauth
      @callback_url = "http://www.dvdtrololol.com/oauth/callback"
      @consumer = OAuth::Consumer.new("key", "secret", :site => "https://vimeo.com/auth")

      # Step 1 (the action that starts the flow): fetch temporary credentials and
      # send the user to the authorization page
      @request_token = @consumer.get_request_token(:oauth_callback => @callback_url)
      session[:request_token] = @request_token   # in practice store .token and .secret, not the object
      redirect_to @request_token.authorize_url(:oauth_callback => @callback_url)

      # Step 2 (the callback action): exchange the authorized request token for an
      # access token; OAuth 1.0a requires the oauth_verifier that came back on the callback
      @request_token = session[:request_token]
      @access_token = @request_token.get_access_token(:oauth_verifier => params[:oauth_verifier])
      @videos = @access_token.get("/videos.json")
  • 13. OAuth - signature
    - Here comes Faraday! Middleware, like Rack
    - https://github.com/technoweenie/faraday
      builder.use Faraday::Request::OAuth, {
        :consumer_key    => @consumer_key,
        :consumer_secret => @consumer_secret,
        :token           => @atoken,
        :token_secret    => @asecret
      }
  • 14. OAuth - Faraday middleware
  • 15. OAuth2
    - The next evolution: OAuth2
    - Not backward-compatible
    - IETF Draft (at the time of this talk; published as RFC 6749 in October 2012)
    - Use it now!!!
    - Facebook OpenGraph - Google - Microsoft
  • 16. Why <3 OAuth2
    - Clients don't need cryptography anymore: bearer tokens travel over HTTPS, so TLS, and nothing else, protects the token on the wire
    - Less complicated signatures (none at all for the bearer token type)
    - Better support for non-browser apps
    - Access tokens are short-lived (a refresh token obtains a new one)
    - Clean separation between the authorization server and the resource server
  • 17. OAuth 2 - Debug with Curl!
      curl -H "Authorization: Bearer ACCESS_TOKEN" https://gdata.youtube.com/feeds/api/users/default/uploads
  • 18. OAuth2 - Gem
      client = OAuth2::Client.new(client_id, client_secret, :site => "https://www.youtube.com/auth")
      # state ties the callback to this browser session (CSRF protection); compare it in the callback
      client.auth_code.authorize_url(:redirect_uri => "http://www.dvdtrololol.com/oauth2/callback", :state => session[:oauth_state])
      # => "https://example.org/oauth/authorization?response_type=code&client_id=client_id&redirect_uri=http://localhost:8080/oauth2/callback"
      #    (illustrative output; the real URL is built from the :site and :redirect_uri given above)
      token = client.auth_code.get_token(authorization_code_value, :redirect_uri => "http://www.dvdtrololol.com/oauth2/callback")
      videos = token.get("/videos.json")
  • 19. OAuth2 - Faraday middleware
      module Faraday
        class Request::OAuth2 < Faraday::Middleware
          def initialize(app, access_token)
            @app, @access_token = app, access_token
          end

          # Add the bearer token to every outgoing request (the space after "Bearer" is required)
          def call(env)
            env[:request_headers]["Authorization"] = "Bearer #{@access_token.token}"
            @app.call(env)
          end
        end
      end
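Added example, not part of the talk: the authorization code flow of slides 15 to 19 simulated in-process, with a toy authorization server, a toy resource server and the consumer web app all in one file, so the checks each party has to make (redirect_uri match, client authentication, single-use and expiring codes, state comparison, bearer header parsing, token expiry) can be run offline. Everything here is invented: the class names AuthServer, ResourceServer and WebApp, the client credentials, the URLs, and the injectable Clock used to make tokens expire on demand.

```ruby
require "securerandom"
require "uri"

# Added example (not from the talk): the authorization code flow of slides 15-19,
# simulated in-process with a toy authorization server, resource server and client
# web app so that each side's checks can be run offline. Names, client credentials
# and URLs are invented; the clock is injectable so token expiry can be exercised.
Clock = Struct.new(:now)

# Constant-time comparison for client secrets and the CSRF state value.
def secure_equal(a, b)
  a, b = a.to_s, b.to_s
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class AuthServer
  Grant = Struct.new(:client_id, :redirect_uri, :scope, :expires_at, :used)
  Token = Struct.new(:client_id, :scope, :expires_at)
  def initialize(clients, clock, code_ttl: 60, token_ttl: 3600)
    @clients, @clock, @code_ttl, @token_ttl = clients, clock, code_ttl, token_ttl
    @codes, @tokens = {}, {}
  end

  # /authorize once the resource owner has clicked "Allow": returns the redirect
  # URL carrying the code (a real server answers with a 302 to it).
  def authorize(client_id:, redirect_uri:, scope:, state:)
    client = @clients[client_id] or raise ArgumentError, "unknown client"
    # Exact match against the registered URI; anything looser leaks the code.
    raise ArgumentError, "redirect_uri mismatch" unless client[:redirect_uri] == redirect_uri
    code = SecureRandom.urlsafe_base64(32)
    @codes[code] = Grant.new(client_id, redirect_uri, scope, @clock.now + @code_ttl, false)
    "#{redirect_uri}?#{URI.encode_www_form(code: code, state: state)}"
  end

  # /token: the client authenticates; the code must be unused, unexpired and bound
  # to this client and redirect_uri. The resulting token is short-lived (slide 16).
  def token(client_id:, client_secret:, code:, redirect_uri:)
    client = @clients[client_id]
    return { "error" => "invalid_client" } unless client && secure_equal(client[:secret], client_secret)
    grant = @codes[code]
    ok = grant && !grant.used && grant.expires_at > @clock.now &&
         grant.client_id == client_id && grant.redirect_uri == redirect_uri
    return { "error" => "invalid_grant" } unless ok
    grant.used = true # authorization codes are single use
    access_token = SecureRandom.urlsafe_base64(32)
    @tokens[access_token] = Token.new(client_id, grant.scope, @clock.now + @token_ttl)
    { "access_token" => access_token, "token_type" => "Bearer", "expires_in" => @token_ttl }
  end

  # What the resource server asks: is this bearer token live, and for which scope?
  def introspect(access_token)
    t = @tokens[access_token]
    t if t && t.expires_at > @clock.now
  end
end

# The "request server" of slide 16: it only ever sees bearer tokens, parsed the
# way the Faraday middleware above sends them (note the required space).
class ResourceServer
  def initialize(auth_server)
    @auth = auth_server
  end
  def get(path, headers)
    value = headers["Authorization"].to_s
    return [401, 'Bearer realm="api"'] unless value.start_with?("Bearer ")
    token = @auth.introspect(value.delete_prefix("Bearer "))
    return [401, 'Bearer error="invalid_token"'] unless token
    return [403, 'Bearer error="insufficient_scope"'] unless token.scope.split.include?("videos")
    [200, "#{path} for client #{token.client_id}"]
  end
end

# The consumer web app (dvdtrololol.com in the talk).
class WebApp
  def initialize(auth_server, client_id, client_secret, redirect_uri)
    @auth, @id, @secret, @redirect_uri = auth_server, client_id, client_secret, redirect_uri
  end

  # Request phase: mint a per-session state, then send the browser to /authorize.
  def start(session)
    session[:state] = SecureRandom.hex(16)
    @auth.authorize(client_id: @id, redirect_uri: @redirect_uri, scope: "videos", state: session[:state])
  end

  # Callback phase: a state mismatch means this session never started the flow
  # (CSRF / code injection), so the callback is refused before any exchange.
  def callback(session, callback_url)
    query = URI.decode_www_form(URI.parse(callback_url).query.to_s).to_h
    expected = session.delete(:state)
    raise SecurityError, "state mismatch" unless expected && secure_equal(expected, query["state"])
    @auth.token(client_id: @id, client_secret: @secret, code: query["code"], redirect_uri: @redirect_uri)
  end
end

CLIENT_ID, CLIENT_SECRET = "dvdtrololol", "client-secret-not-real"
REDIRECT_URI = "http://www.dvdtrololol.com/oauth2/callback"

# Wires the three parties together; returns [auth_server, resource_server, web_app].
def build_world(clock = Clock.new(Time.now))
  auth = AuthServer.new({ CLIENT_ID => { secret: CLIENT_SECRET, redirect_uri: REDIRECT_URI } }, clock)
  [auth, ResourceServer.new(auth), WebApp.new(auth, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)]
end
```

To run one happy path: `auth, api, app = build_world; session = {}; location = app.start(session); token = app.callback(session, location); api.get("/videos.json", "Authorization" => "Bearer #{token["access_token"]}")` returns the 200 tuple. Replaying the same code against `auth.token` yields `invalid_grant`, a callback with a session that holds a different state raises SecurityError, and advancing `clock.now` past the token lifetime turns the 200 into a 401, which is the "short-lived tokens" property of slide 16 made concrete.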
  • 20. Omniauth love <3
    - Rack standardized multi-provider authentication
    - Very flexible
      Rails.application.config.middleware.use OmniAuth::Builder do
        provider :developer unless Rails.env.production?
        provider :twitter, ENV["TWITTER_KEY"], ENV["TWITTER_SECRET"]
      end
  • 21. Omniauth - Authentication Lifecycle
    - Setup phase
    - Request phase
    - Callback phase
  • 22. Omniauth basic strategy
      module OmniAuth
        module Strategies
          class Developer
            include OmniAuth::Strategy
            option :fields, [:name, :email]
            option :uid_field, :email
          end
        end
      end
  • 23. Omniauth base OAuth strategies
    - omniauth-oauth
    - omniauth-oauth2
  • 24. Write a custom OAuth2 strategy: Dailymotion?
  • 25. Omniauth default stack
    - omniauth-oauth2
    - multi-json
    - multi-xml
    - faraday
  • 26. Omniauth custom OAuth2 strategy
      require "omniauth/strategies/oauth2"

      module OmniAuth
        module Strategies
          class Dailymotion < OmniAuth::Strategies::OAuth2
            DEFAULT_SCOPE = "email userinfo"

            option :name, "dailymotion"

            option :client_options, {
              :site          => "https://api.dailymotion.com",
              :authorize_url => "/oauth/authorize",
              :token_url     => "/oauth/token"
            }
            # ...
  • 27. Omniauth custom OAuth2 strategy - Give more info for free!
            uid { raw_info["id"] }

            info do
              prune!({
                "screenname"  => raw_info["screenname"],
                "url"         => raw_info["url"],
                "email"       => raw_info["email"],
                "fullname"    => raw_info["fullname"],
                "description" => raw_info["description"],
                "gender"      => raw_info["gender"]
              })
            end

            # Fetched once per request with the access token; the fields list must
            # name every key the info block reads (screenname included)
            def raw_info
              @raw_info ||= access_token.get("/me", :params => {
                :fields => %w(id screenname url email fullname description gender).join(",")
              }).parsed
            end
          end
        end
      end
  • 28. Omniauth in Rails - link an account only (no authentication)
      = link_to "Link to Dailymotion", "/auth/dailymotion"
      # Rails 4+ requires via:; constraining :provider keeps unexpected names out of the controller
      match "/auth/:provider/callback", to: "profiles#link_provider", via: [:get, :post],
            constraints: { provider: /dailymotion|twitter/ }
  • 29. Omniauth in Rails - linking a provider to the current user
      class ProfilesController < AuthenticatedController
        def show
        end

        def link_provider
          current_user.update_attributes_for_provider(params[:provider], auth_hash.credentials)
          redirect_to profile_path, notice: "Successfully linked to provider"
        end

        protected

        # Filled in by the OmniAuth middleware during the callback phase
        def auth_hash
          request.env["omniauth.auth"]
        end
      end

      class User
        # ...
        # Copy the provider's credentials (token, secret, ...) into the matching
        # "<provider>_<key>" attributes; respond_to? keeps arbitrary setters out of reach
        def update_attributes_for_provider(provider, credentials)
          credentials.each do |key, val|
            send("#{provider}_#{key}=", val) if respond_to?("#{provider}_#{key}=")
          end
          save
        end
      end
  • 30. Omniauth in Rails - Authentication with Devise
      class Users::OmniauthCallbacksController < ApplicationController
        def create
          @user = User.find_or_create_for_provider(params[:provider], auth_hash)
          sign_in_and_redirect(@user, :event => :authentication)
        end

        protected

        def auth_hash
          request.env["omniauth.auth"]
        end
      end
  • 31. Thank you! Follow me: twitter.com/slainer68
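Added example, not part of the talk: the two User methods the Rails slides call, update_attributes_for_provider (slide 29) and find_or_create_for_provider (slide 30), written in plain Ruby with an in-memory store standing in for the users table, so the credential mapping and the account lookup can be run offline. The auth hash is a constructed sample in the shape OmniAuth places in request.env["omniauth.auth"], accessed with [] rather than the method-style access the slides use; the PROVIDERS allowlist and the "<provider>_<key>" attribute names are assumptions, not the project's schema.

```ruby
# Added example (not from the talk): the User methods of slides 29 and 30 in plain
# Ruby. The auth hash is a constructed sample; PROVIDERS and the attribute names
# are assumptions about the application's schema.
class User
  PROVIDERS = %w[twitter dailymotion].freeze # which :provider values the app accepts

  attr_accessor :email, :name,
                :twitter_token, :twitter_secret,
                :dailymotion_token, :dailymotion_refresh_token, :dailymotion_expires_at

  def initialize(email: nil, name: nil)
    @email, @name = email, name
  end

  # Slide 29: copy each credential into "<provider>_<key>" when such a setter exists.
  # respond_to? drops unknown keys ("expires", "admin", ...), but any setter matching
  # the pattern is reachable, so :provider is checked against PROVIDERS here as well,
  # and should be constrained in the route too.
  def update_attributes_for_provider(provider, credentials)
    raise ArgumentError, "unsupported provider #{provider}" unless PROVIDERS.include?(provider.to_s)
    credentials.each do |key, val|
      setter = "#{provider}_#{key}="
      send(setter, val) if respond_to?(setter)
    end
    self # a real model would return the result of save here
  end

  class << self
    def store
      @store ||= {} # [provider, uid] => User
    end

    # Slide 30: identify the account by (provider, uid), never by e-mail alone, since
    # most providers do not verify e-mail addresses and an attacker can register one.
    def find_or_create_for_provider(provider, auth)
      key = [provider.to_s, auth["uid"].to_s]
      raise ArgumentError, "missing uid" if key.last.empty?
      store[key] ||= new(email: auth.dig("info", "email"), name: auth.dig("info", "name"))
                       .update_attributes_for_provider(provider, auth["credentials"] || {})
    end
  end
end

# Constructed sample of what the Dailymotion strategy above would hand to the controller.
SAMPLE_AUTH = {
  "provider"    => "dailymotion",
  "uid"         => "x1abc",
  "info"        => { "email" => "michu@example.com", "name" => "Mme Michu" },
  "credentials" => { "token" => "at-123", "refresh_token" => "rt-456",
                     "expires_at" => 1_328_536_789, "expires" => true },
}
```

Calling `User.find_or_create_for_provider("dailymotion", SAMPLE_AUTH)` twice returns the same object, the same uid under a different provider is a different account, the "expires" key is silently dropped because no dailymotion_expires= setter exists, and an unlisted provider raises before any setter is touched.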