Rails authentication with Authlogic RPX


Published on

A review of the current state of authentication in Rails, why Authlogic is the best thing since sliced bread, and how you can easily add multi-provider authentication support in your application using the new Authlogic_RPX plugin gem. This presentation was originally delivered at the Singapore Ruby Brigade Oct-09 meetup.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Rails authentication with Authlogic RPX

  1. 1. NB: This presentation was delivered at the Singapore Ruby Brigade meetup 7-Oct-2009 (hosted at wego.com)
  2. 2. Some things should just be banned on the interwebs..
  3. 3. .. pointless social “applications” ..
  4. 4. .. pointless social “applications” ..
  5. 5. .. twitter celebs ..
  6. 6. .. twitter celebs ..
  7. 7. .. custom login screens!
  8. 8. .. custom login screens!
  9. 9. What’s so bad about that? <ul><li>Security </li></ul><ul><ul><li>Proliferation of credentials unavoidably leads to greater risks </li></ul></ul><ul><ul><li>Do sites hash my password? </li></ul></ul><ul><li>PITA </li></ul><ul><ul><li>Redundant entry of registration details </li></ul></ul><ul><ul><li>Validation emails.. aargh! </li></ul></ul><ul><ul><li>Code bloat: reset/forgot password flows </li></ul></ul><ul><ul><li>Site developer’s need to be (should be!) security experts </li></ul></ul><ul><li>Enterprise clients </li></ul><ul><ul><li>Ideally want your site to treat employees as “verified employees” not just part of the madding crowd </li></ul></ul><ul><ul><li>Public sites: still in its infancy. Belief: before long, enterprises will clue in to this, and be “exporting” corporate credentials for use on the web. If your site supports this, you can win big. </li></ul></ul>
  10. 10. End of days for “own the user identity”? <ul><li>Consumers: already have (multiple) “identities” </li></ul><ul><ul><li>Hypothesis: these days a reasonable assumption </li></ul></ul><ul><ul><li>Why should I jump thru hoops to create another just so I can try your site? </li></ul></ul><ul><li>Businesses: don’t really want their employees creating new “identities” on your site if it is for business purposes </li></ul><ul><ul><li>Compliance – no control or visibility of what employees are doing or information they are creating </li></ul></ul><ul><ul><li>Data ownership – what happens when the employee leaves? </li></ul></ul>
  11. 11. Or “Why authentication and identity management is still worth talking about”
  12. 12. Authorisation Options
  13. 13. <ul><li>Sometimes there’s no choice </li></ul><ul><ul><li>No internet access </li></ul></ul><ul><ul><li>Legacy accounts </li></ul></ul><ul><li>Special purpose </li></ul><ul><ul><li>Admin or test users for example </li></ul></ul>Internal (username / password)
  14. 14. LDAP/AD Intranet applications Legacy directories
  15. 15. <ul><li>Supports many providers , which don’t need to be known ahead of time </li></ul><ul><li>Consumer adoption has been relatively slow, although many users now have an OpenID (via Yahoo or Google) </li></ul><ul><ul><li>even though they don’t know this! </li></ul></ul><ul><li>Criticised for being a little too “technical” for the average web citizen(!) </li></ul>
  16. 16. OAuth Must tie to a specific provider ahead of time Also used as the basis of OpenSocial signed requests Great if you just want to target a specific community (e.g. build a twitter app)
  17. 17. A single-sign-on solution for web sites Abstracts the authentication provider – you can support as many as JanRain support Normalizes profile settings across providers (i.e. “email” is always “email”) RPX by JanRain
  18. 18. SAML – WS* security mainly enterprise use, but now gaining some attention via openSSO 2FA/3FA solutions – provider specific or custom integrated Many others..
  19. 19. Authentication options in Rails Internal (username/password) LDAP/AD RPX by JanRain Many others.. OAuth Acts_as_authenticated Restful_authentication Clearance Twitter_oauth Openid_authentication ActiveLDAP acts_as_ldpa_authenticated Ruby Net-LDAP Rpx_now … Ruby oauth OpenID
  20. 20. Or Authlogic Internal (username/password) LDAP/AD RPX by JanRain Many others.. OAuth Authlogic-oauth Authlogic-ldap Authlogic-oid Authlogic_rpx Authlogic (base) Authlogic plugin X Or use Authlogic “ unobtrusive authentication” No generator crud Smells like ActiveRecord Plugin architecture
  21. 21. Using Authlogic_RPX
  22. 22. RPX Request Model Link to sign-in ..chatter.. ..chatter.. Post:token Verify:token (returns:profile info)
  23. 23. Authlogic_RPX-on-a-page
  24. 24. Enabling Authlogic_RPX <ul><li>See the Authlogic RPX README for full details. It walks you through the steps for enabling Authlogic RPX: </li></ul><ul><ul><li>Enable RPX for your user model </li></ul></ul><ul><ul><li>Add RPX configuration for the Authlogic session model </li></ul></ul><ul><ul><li>Add custom user profile mapping (optional) </li></ul></ul><ul><ul><li>Add application controller helpers: current_user, current_user_session </li></ul></ul><ul><ul><li>Setup the Authlogic session controller </li></ul></ul><ul><ul><li>Setup the Authlogic user controller </li></ul></ul><ul><ul><li>Use view helpers to provide login links </li></ul></ul><ul><ul><li>Allow users to &quot;Add RPX&quot; to existing accounts (optional) </li></ul></ul><ul><li>In this presentation, we’ll touch on some of the main points… </li></ul>
  25. 25. Register your RPX app <ul><li>Register your application at http://rpxnow.com – set it’s name and be assigned an API key, and select/configure the authentication providers: </li></ul>Note: max 6 providers with the free RPX account
  26. 26. Configure your project <ul><li>In config/environment.rb – </li></ul><ul><li>Set the RPX app name and API key: </li></ul><ul><li>Configure gems: </li></ul><ul><li>$ rake gems:install </li></ul><ul><li>Once setup, using Authlogic_RPX is almost identical to standard Authlogic </li></ul>
  27. 27. Two MVCs: session and user <ul><li>Minimal models: </li></ul><ul><li>Simple helpers you define and control: </li></ul><ul><ul><li>current_user </li></ul></ul><ul><ul><li>require_user (e.g. for before_filter) </li></ul></ul>
  28. 28. Controllers – clean and sweet
  29. 29. [:post] create – this is a user “signing in” Session controller All this is optional branching logic, which you can tailor specifically for your application successful save means authentication OK!
  30. 30. [:delete] destroy – this is a user “signing out” Session controller
  31. 31. Access controls: Registration form (optional): Save registration (optional): Edit my profile: Show my profile: Save my profile: User controller Note: sample is a controller that only lets users access their own information, but you can just as easily adapt this so they can list and see the public profile information of other users too.
  32. 32. Auto registration <ul><li>Authlogic_RPX will “register” new users by default. </li></ul><ul><li>For users this is great: registration is no more difficult than logging in. </li></ul><ul><ul><li>You can disable this in the session model: </li></ul></ul>
  33. 33. UserSession model – profile mapping <ul><li>When users auto-register, profile data from RPX is available to be inserted in the user's record on your site. </li></ul><ul><ul><li>Authlogic_rpx will map the username and email fields by default. </li></ul></ul><ul><li>If you have other fields you want to map, you can provide your own implementation of the map_rpx_data method in the UserSession model </li></ul>
  34. 34. UserSession model – profile mapping
  35. 35. UserSession model – profile mapping <ul><li>WARNING: any fields you map should NOT have constraints enforced at the database level. </li></ul><ul><ul><li>Authlogic_rpx will optimistically attempt to save the user record during registration, and violating a db constraint will cause the authentication/ registration to fail. </li></ul></ul><ul><ul><li>You can/should enforce any required validations at the model level. This will allow the auto-registration to proceed, and the user can be given a chance to rectify the validation errors on your user profile page </li></ul></ul><ul><li>If it is not acceptable in your application to have user records created with potential validation errors in auto-populated fields, you will need to override map_rpx_data and implement whatever special handling makes sense in your case. </li></ul>
  36. 36. RPX – the catch (or: why you might want to buy their pro service) Today I sign-in with Tomorrow I use these aren’t the same identities! <ul><li>We need identity mapping! </li></ul><ul><ul><li>RPX paid options support “identity mapping”, but this is currently not supported in Authlogic_RPX </li></ul></ul><ul><li>Authlogic_RPX 1.1.0+ includes an internal identity mapping solution (it is optional) </li></ul>
  37. 37. Try it out <ul><li>Live Demonstration Site: </li></ul><ul><ul><li>rails- authlogic-rpx-sample.heroku.com </li></ul></ul><ul><li>Demonstration site source repository: </li></ul><ul><ul><li>github.com/tardate/rails-authlogic-rpx-sample </li></ul></ul>
  38. 38. Take-aways <ul><li>Getting authentication right is critical for your site’s success </li></ul><ul><ul><li>Lower the barrier-to-entry for consumer/personal users. Eliminate the need to create redundant “identities”! </li></ul></ul><ul><ul><li>Business sites – make it possible for employees to use business identities “exported” via OpenID (for example), without the need for a specific agreement and integration to be in place </li></ul></ul>3
  39. 39. Take-aways <ul><li>Authlogic – leading authentication framework for rails (IMHO) </li></ul><ul><ul><li>Best even if you just want to do traditional username/password </li></ul></ul><ul><ul><li>Unobtrusive </li></ul></ul><ul><ul><li>Makes it easy to switch or add authentication options in future </li></ul></ul><ul><ul><li>One framework to learn – plugin the most suitable authentication method for each specific project </li></ul></ul>2
  40. 40. Take-aways <ul><li>Authlogic_RPX – takes away the pain </li></ul><ul><ul><li>Support diverse identity providers </li></ul></ul><ul><ul><li>Standard Authlogic - nothing special to do except plug in your API key </li></ul></ul><ul><ul><li>Can be used as “RPX only”, or co-exist with standard Authlogic username/password </li></ul></ul><ul><li>Use it for: </li></ul><ul><ul><li>Public sites + you just need authentication services + want to give users the best opportunity to use existing credentials. </li></ul></ul>1
  41. 41. Thank you! <ul><li>Questions? </li></ul>0
  42. 42. Some References <ul><li>Authlogic: http://github.com/binarylogic/authlogic </li></ul><ul><li>Authlogic_RPX: http://github.com/tardate/authlogic_rpx </li></ul><ul><li>RPX: http:// rpxnow.com </li></ul><ul><li>OpenID: http://openid.net </li></ul><ul><li>OAuth: http://oauth.net </li></ul><ul><li>Singapore Ruby Brigade (SRB): http://groups.google.com/group/singapore-rb </li></ul>