devise tutorial - 2011 rubyconf taiwan

[Tutorial] Build your authentication system with Devise

Published in: Technology

Transcript of "devise tutorial - 2011 rubyconf taiwan"

  1. BUILD YOUR AUTHENTICATION SYSTEM WITH DEVISE
     Tse-Ching Ho (何澤清), 2011-08-26
  2. HTTPS://GITHUB.COM/TSECHINGHO/DEVISE_TUTORIAL
     git clone git://github.com/tsechingho/devise_tutorial.git
  3. AGENDA
     • OmniAuth Client Application, providers: Facebook, Twitter, Github
     • OpenID Client Application, providers: Google, Yahoo, Google Apps
     • LDAP Client Application, providers: Localhost OpenLDAP
     • CAS Client Application, providers: Localhost CAS
  4. WHAT IS AUTHENTICATION ?
  5. ABOUT AUTHENTICATION
     • authentication and authorization are two things
     • authentication is just an identity token / ticket
     • can use multi authentication providers on one site
     • one user can have many authentications
  6. DEVISE - OMNIAUTH WAY
     (diagram: customer -> devise -> username/password server; devise -> omniauth -> 3rd party providers: OAuth providers, OpenID providers, LDAP providers, CAS providers)
  7. WHAT DO WE NEED ?
  8. USER STORY PLEASE
  9. POSSIBLE DB SCHEMA
     users (Model: User) and managers (Model: Manager), both with
       has_many :authentications, :as => :resource
       has_one :profile, :as => :resource
     columns (identical for users and managers):
       id                      integer
       email                   string
       encrypted_password      string
       reset_password_token    string
       reset_password_sent_at  datetime
       remember_created_at     datetime
       sign_in_count           integer
       current_sign_in_at      datetime
       last_sign_in_at         datetime
       current_sign_in_ip      string
       last_sign_in_ip         string
       created_at              datetime
       updated_at              datetime
     authentications (Model: Authentication) and profiles (Model: Profile), both with
       belongs_to :resource, :polymorphic => true
     authentications columns:
       id             integer
       resource_id    integer
       resource_type  string
       provider       string
       uid            string
       uname          string
       umail          string
       created_at     datetime
       updated_at     datetime
     profiles columns:
       id             integer
       resource_id    integer
       resource_type  string
       first_name     string
       last_name      string
       fullname       string
       nickname       string
       created_at     datetime
       updated_at     datetime
  10. WHY DEVISE ?
  11. FEATURES OF DEVISE
      • rack - simple and fast
      • strategies - logical and flexible
      • modularity - maintainable rails engine
      • multi-models - signed in at the same time
      • extensions - diversity
      • authentication scheme with general user’s needs
  12. BUILT-IN MODULES
      • Database authenticatable
      • Token authenticatable
      • Omniauthable
      • Confirmable
      • Recoverable
      • Registerable
      • Rememberable
      • Trackable
      • Timeoutable
      • Validatable
      • Lockable
      • Encryptable
  13. EXTENSION MODULES
      • ORM
      • Encryption
      • Authentication
      • UI enhancement
      • https://github.com/plataformatec/devise/wiki/Extensions
  14. FILTERS & HELPERS
      • authenticate_user!
      • user_signed_in?
      • current_user
      • user_session
      • user_root_path
  15. DEMO: SHOW, DON’T TELL
  16. GIT LOGS ARE FRIENDS
  17. NEW RAILS APP
      • rails new devise_tutorial -JTd mysql
      • cd devise_tutorial
      • vim Gemfile
      • bundle install
      • rails generate scaffold page title:string content:text
      • rake db:create
      • rake db:migrate
      • rails server / bundle exec unicorn -p 3000
      • tail -f log/development.log
  18. GIT CHECKOUT HEROKU
  19. DEPLOY TO HEROKU
      • git checkout heroku
      • heroku keys:add
      • heroku create
      • git push heroku master
      • heroku rake db:setup
      • heroku open
  20. GIT CHECKOUT USER
  21. DEVISE CUSTOMIZATION
      • config - set configurations for devise
      • migrations - set database fields
      • models - select modules, set attributes
      • routes - set uri mapping
      • controllers - set filters and redirects
      • views - set html and css
  22. rake middleware
      use ActionDispatch::Static
      use Rack::Lock
      use ActiveSupport::Cache::Strategy::LocalCache
      use Rack::Runtime
      use Rails::Rack::Logger
      use ActionDispatch::ShowExceptions
      use ActionDispatch::RemoteIp
      use Rack::Sendfile
      use ActionDispatch::Callbacks
      use ActiveRecord::ConnectionAdapters::ConnectionManagement
      use ActiveRecord::QueryCache
      use ActionDispatch::Cookies
      use ActionDispatch::Session::CookieStore
      use ActionDispatch::Flash
      use ActionDispatch::ParamsParser
      use Rack::MethodOverride
      use ActionDispatch::Head
      use ActionDispatch::BestStandardsSupport
      use Warden::Manager
      run DeviseTutorial::Application.routes
  23. GIT CHECKOUT MANAGER
  24. rake routes
      manager_root                 GET     /pages/:id(.:format)             {:controller=>"pages", :id=>"management", :action=>"show"}
      new_manager_session          GET     /managers/sign_in(.:format)      {:controller=>"devise/sessions", :action=>"new"}
      manager_session              POST    /managers/sign_in(.:format)      {:controller=>"devise/sessions", :action=>"create"}
      destroy_manager_session      DELETE  /managers/sign_out(.:format)     {:controller=>"devise/sessions", :action=>"destroy"}
      manager_password             POST    /managers/password(.:format)     {:controller=>"devise/passwords", :action=>"create"}
      new_manager_password         GET     /managers/password/new(.:format) {:controller=>"devise/passwords", :action=>"new"}
      edit_manager_password        GET     /managers/password/edit(.:format) {:controller=>"devise/passwords", :action=>"edit"}
                                   PUT     /managers/password(.:format)     {:controller=>"devise/passwords", :action=>"update"}
      cancel_manager_registration  GET     /managers/cancel(.:format)       {:controller=>"devise/registrations", :action=>"cancel"}
      manager_registration         POST    /managers(.:format)              {:controller=>"devise/registrations", :action=>"create"}
      new_manager_registration     GET     /managers/sign_up(.:format)      {:controller=>"devise/registrations", :action=>"new"}
      edit_manager_registration    GET     /managers/edit(.:format)         {:controller=>"devise/registrations", :action=>"edit"}
                                   PUT     /managers(.:format)              {:controller=>"devise/registrations", :action=>"update"}
                                   DELETE  /managers(.:format)              {:controller=>"devise/registrations", :action=>"destroy"}
      user_root                    GET     /pages/:id(.:format)             {:controller=>"pages", :id=>"dashboard", :action=>"show"}
      new_user_session             GET     /users/sign_in(.:format)         {:controller=>"devise/sessions", :action=>"new"}
      user_session                 POST    /users/sign_in(.:format)         {:controller=>"devise/sessions", :action=>"create"}
      destroy_user_session         DELETE  /users/sign_out(.:format)        {:controller=>"devise/sessions", :action=>"destroy"}
      user_password                POST    /users/password(.:format)        {:controller=>"devise/passwords", :action=>"create"}
      new_user_password            GET     /users/password/new(.:format)    {:controller=>"devise/passwords", :action=>"new"}
      edit_user_password           GET     /users/password/edit(.:format)   {:controller=>"devise/passwords", :action=>"edit"}
                                   PUT     /users/password(.:format)        {:controller=>"devise/passwords", :action=>"update"}
      cancel_user_registration     GET     /users/cancel(.:format)          {:controller=>"devise/registrations", :action=>"cancel"}
      user_registration            POST    /users(.:format)                 {:controller=>"devise/registrations", :action=>"create"}
      new_user_registration        GET     /users/sign_up(.:format)         {:controller=>"devise/registrations", :action=>"new"}
      edit_user_registration       GET     /users/edit(.:format)            {:controller=>"devise/registrations", :action=>"edit"}
                                   PUT     /users(.:format)                 {:controller=>"devise/registrations", :action=>"update"}
                                   DELETE  /users(.:format)                 {:controller=>"devise/registrations", :action=>"destroy"}
      root                                 /(.:format)                      {:controller=>"pages", :action=>"show"}
  25. GIT CHECKOUT PROVIDER
  26. PROVIDER - USER DB SCHEMA
      users (Model: User)
        has_many :authentications, :as => :resource
        has_one :profile, :as => :resource
        id                      integer
        email                   string
        encrypted_password      string
        reset_password_token    string
        reset_password_sent_at  datetime
        remember_created_at     datetime
        sign_in_count           integer
        current_sign_in_at      datetime
        last_sign_in_at         datetime
        current_sign_in_ip      string
        last_sign_in_ip         string
        created_at              datetime
        updated_at              datetime
      authentications (Model: Authentication)
        belongs_to :resource, :polymorphic => true
        id             integer
        resource_id    integer
        resource_type  string
        provider       string
        uid            string
        uname          string
        umail          string
        created_at     datetime
        updated_at     datetime
  27. GIT CHECKOUT OA-OAUTH
  28. OMNIAUTH MIDDLEWARES
      rake middleware
      use ActionDispatch::Static
      ......
      use ActionDispatch::BestStandardsSupport
      use Warden::Manager
      use OmniAuth::Strategies::Facebook
      use OmniAuth::Strategies::Twitter
      use OmniAuth::Strategies::GitHub
      use OmniAuth::Strategies::OpenID
      use OmniAuth::Strategies::OpenID
      use OmniAuth::Strategies::OpenID
      use OmniAuth::Strategies::GoogleApps
      use OmniAuth::Strategies::GoogleApps
      run DeviseTutorial::Application.routes
  29. DEVISE OMNIAUTH ROUTES
      • /users/auth/:provider(.:format) { :controller => "users/omniauth_callbacks", :action => "passthru" }
      • user_omniauth_callback /users/auth/:action/callback(.:format) { :controller => "users/omniauth_callbacks", :action => /facebook|twitter|github/ }
  30. NEEDS OF OAUTH
      • create new app record for each client site
      • app id and app secret are required
      • callback url must match
      • access token / error message will append to callback url
      • specific yaml pattern for user auth data
  31. user auth data (OmniAuth auth hash, Facebook example)
      ---
      provider: facebook
      uid: "1290347368"
      credentials:
        token: 49923..........6RqGc
      user_info:
        nickname: tsechingho
        email: tsechingho@gmail.com
        first_name: Tse-Ching
        last_name: Ho
        name: Tse-Ching Ho
        image: http://graph.facebook.com/1290347368/picture?type=square
        urls:
          Facebook: http://www.facebook.com/tsechingho
          Website:
      extra:
        user_hash:
          id: "1290347368"
          name: Tse-Ching Ho
          first_name: Tse-Ching
          last_name: Ho
          link: http://www.facebook.com/tsechingho
          username: tsechingho
          hometown:
            id: "110922325599480"
            name: Taichung, Taiwan
  32. FACEBOOK
  33. NEW FACEBOOK APP (developers.facebook.com)
      https://developers.facebook.com/apps
  34. CORRECT APP SETTINGS (developers.facebook.com)
      app id, app secret, site url, site domain are required.
  35. FACEBOOK USER PANEL (facebook.com)
      http://www.facebook.com/settings?tab=applications
      https://developers.facebook.com/docs/reference/api/permissions/
  36. FACEBOOK OAUTH WORK FLOW (facebook.com)
      • ca_file / ca_path
      • /users/auth/facebook
      • users/omniauth_callbacks#passthru
      • https://www.facebook.com/connect/uiserver.php
      • /users/auth/facebook/callback?code=xxxxxx
  37. TWITTER
  38. NEW TWITTER APP (dev.twitter.com)
      https://dev.twitter.com/apps/new
      use http://127.0.0.1 for localhost
  39. CORRECT APP SETTINGS (dev.twitter.com)
      consumer key, consumer secret, callback url are required.
  40. TWITTER USER PANEL (twitter.com)
      you can stop it, not remove it.
  41. TWITTER OAUTH WORK FLOW (api.twitter.com)
      • /users/auth/twitter
      • users/omniauth_callbacks#passthru
      • https://api.twitter.com/oauth/authenticate
      • /users/auth/twitter/callback?code=xxxxxx
      • twitter auth data is too big for cookies session store
      • no email in user auth data
  42. GITHUB
  43. NEW GITHUB APP (github.com)
      https://github.com/account/applications/new
  44. CORRECT APP SETTINGS (github.com)
      client id, client secret, callback url are required.
  45. GITHUB APP/USER PANEL ? (github.com)
      Don’t delete the oauth application, otherwise you have to create a new one.
  46. GITHUB OAUTH WORK FLOW (github.com)
      • /users/auth/github
      • users/omniauth_callbacks#passthru
      • https://github.com/login/oauth/authorize
      • /users/auth/github/callback?code=xxxxxx
  47. GIT CHECKOUT OA-OPENID
  48. GOOGLE
  49. SIGN IN GOOGLE ACCOUNT
  50. GOOGLE OPENID WORK FLOW
      • ca_file / open_id_store
      • /users/auth/google
      • users/omniauth_callbacks#passthru
      • https://www.google.com/accounts/o8/ud
      • https://accounts.google.com/o/openid2/auth
      • https://www.google.com/accounts/o8/id?id=xxxxxx
      • /users/auth/google/callback
  51. YAHOO
  52. SIGN IN YAHOO ACCOUNT
  53. YAHOO OPENID WORK FLOW
      • ca_file / open_id_store
      • /users/auth/yahoo
      • users/omniauth_callbacks#passthru
      • https://open.login.yahooapis.com/openid/op/auth
      • https://login.yahoo.com/config/login
      • https://me.yahoo.com/a/xxxxxx
      • /users/auth/yahoo/callback
  54. GOOGLE APPS
  55. SIGN IN GOOGLE ACCOUNT
      http://www.google.com/enterprise/marketplace/
      http://developer.googleapps.com/marketplace/getting-started
  56. GOOGLE APPS OPENID WORK FLOW
      • ca_file / open_id_store
      • /users/auth/gmail
      • users/omniauth_callbacks#passthru
      • https://www.google.com/accounts/o8/ud?source=gmail.com
      • https://accounts.google.com/o/openid2/auth
      • https://www.google.com/accounts/o8/id?id=xxxxxx
      • /users/auth/gmail/callback
  57. ISSUES
  58. FINDING USER ?
  59. USERNAME VS UNCHANGEABLE EMAIL
  60. ONE EMAIL - ONE USER VS ONE USER - MULTI EMAILS
  61. IF EMAIL OF PROVIDER USER CHANGED, THEN >.<
  62. PUBLIC EMAIL ADDRESS VS PROVIDER - UID PAIR
  63. WHO AM I ?
  64. ONE PROVIDER - ONE USER VS ONE USER - MULTI PROVIDERS
  65. OWN LOCAL USER FIRST OR OWN PROVIDER USER FIRST
  66. ONE USER, MULTI MAILS, MULTI PROVIDERS
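As an added example (not code from the tutorial repository), the lookup rule the issues slides above argue for, applied to an auth hash in the slide 31 shape: identity is keyed on the (provider, uid) pair, an email change at the provider does not produce a duplicate local user, a signed-in user can link a second provider, and a provider-asserted email is never used to merge into an existing local account. The Struct models stand in for the User and Authentication ActiveRecord models; the token value and the in-memory store are constructed.

```ruby
require 'yaml'

# Constructed sample in the shape of the OmniAuth auth hash shown on slide 31
# (the token is a placeholder, not a real credential).
SAMPLE_AUTH_YAML = <<~YAML
  ---
  provider: facebook
  uid: "1290347368"
  credentials:
    token: PLACEHOLDER_TOKEN
  user_info:
    nickname: tsechingho
    email: tsechingho@gmail.com
    name: Tse-Ching Ho
YAML

User = Struct.new(:id, :email)
# Mirrors the Authentication model on slide 26: one row per (provider, uid) link.
Authentication = Struct.new(:provider, :uid, :resource_id, :uname, :umail)

# In-memory stand-in for the ActiveRecord models so the lookup rule runs offline.
class AccountLinker
  attr_reader :users, :authentications

  def initialize
    @users = []
    @authentications = []
  end

  # Returns the local User for an OmniAuth callback. The identity key is the
  # (provider, uid) pair, never the email: provider emails change, and an
  # email asserted by one provider is no proof that a matching local account
  # belongs to the same person.
  def find_for_oauth(auth_yaml, current_user = nil)
    auth = YAML.safe_load(auth_yaml)
    provider = auth.fetch('provider')
    uid = auth.fetch('uid').to_s
    info = auth.fetch('user_info', {})

    link = @authentications.find { |a| a.provider == provider && a.uid == uid }
    if link
      # Known link: same user even if the provider-side email has changed.
      link.umail = info['email']
      return @users.find { |u| u.id == link.resource_id }
    end

    # Unknown link: attach it to the signed-in user (one user, multi providers);
    # otherwise create a fresh local user rather than merging by email.
    user = current_user || User.new(@users.size + 1, info['email']).tap { |u| @users << u }
    @authentications << Authentication.new(provider, uid, user.id, info['nickname'], info['email'])
    user
  end
end
```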
  67. RESOURCES
  68. TUTORIALS
      • http://www.communityguides.eu/articles/11
      • http://www.communityguides.eu/articles/16
      • http://railscasts.com/episodes/235-omniauth-part-1
      • http://railscasts.com/episodes/236-omniauth-part-2
      • https://github.com/plataformatec/devise/wiki/Example-Applications
  69. DOCUMENTS
      • https://github.com/plataformatec/devise/wiki
      • https://github.com/intridea/omniauth/wiki
      • https://github.com/intridea/authbuttons
  70. Q&A