Some OAuth love

Some OAuth love in Ruby

  1. Some OAuth love <3 by Nicolas Blanco twitter.com/slainer68
  2. WHY? THE STORY
  3. OAuth
     • 2006 by Blaine Cook (Twitter)
     • OpenID for API access
     • Delegation of access
     • IETF - final protocol in 2010
  4. OAuth
     • 3-legged authentication
       • Resource owner (Mme Michu)
       • Server / Resource provider (vimeo)
       • Client / Consumer (dvdtrololol.com)
  5. OAuth - Resource provider: YOU!
  6. OAuth - Resource owner
  7. OAuth - workflow (diagram labels: Temporary credentials, trolololdvd.com, vimeo, Redirection, Authorization page)
  8. OAuth - Authorization page
  9. OAuth - Workflow (diagram labels: Authorized request token, Access token, Access token)
 10. OAuth - Signature
     • Must sign all requests
     • Base string
     • Consumer key
     • Consumer secret
     • The signature
 11. OAuth - Base string
     The HTTP method is GET
     The URL is http://vimeo.com/api/rest/v2/
     The method is vimeo.people.getInfo
     There is only one API parameter for vimeo.people.getInfo: user_id is brad
     The oauth_consumer_key is abcdef0123456
     The oauth_nonce is r4nd0m1234
     The oauth_timestamp is 1328533189
     The oauth_signature_method is HMAC-SHA1
     The oauth_version is 1.0

     GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3Dvimeo.people.getInfo%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce%3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad
 12. OAuth - Ruby
     • At least some Ruby!
     • gem install oauth

     @callback_url = "http://www.dvdtrololol.com/oauth/callback"
     @consumer = OAuth::Consumer.new("key", "secret", :site => "https://vimeo.com/auth")
     @request_token = @consumer.get_request_token(:oauth_callback => @callback_url)
     session[:request_token] = @request_token
     redirect_to @request_token.authorize_url(:oauth_callback => @callback_url)

     # In the callback action, once the user has authorized the client;
     # OAuth 1.0a returns an oauth_verifier that must be sent back with the exchange.
     @access_token = @request_token.get_access_token(:oauth_verifier => params[:oauth_verifier])
     @videos = @access_token.get("/videos.json")
 13. OAuth - signature
     • Here comes Faraday! Middleware like Rack
     • https://github.com/technoweenie/faraday

     builder.use Faraday::Request::OAuth, {
       :consumer_key => @consumer_key,
       :consumer_secret => @consumer_secret,
       :token => @atoken,
       :token_secret => @asecret
     }
 14. OAuth - Faraday middleware
 15. OAuth2
     • The next evolution: OAuth2
     • Not backward-compatible
     • IETF Draft
     • Use it now!!!
     • Facebook OpenGraph - Google - Microsoft
 16. Why <3 OAuth2
     • Clients don't need cryptography anymore (HTTPS)
     • Less complicated signatures
     • Better support for non-browser apps
     • Access tokens are short-lived
     • Clean separation between auth server and request server
 17. OAuth2 - Debug with curl!

     curl -H "Authorization: Bearer ACCESS_TOKEN" https://gdata.youtube.com/feeds/api/users/default/uploads
 18. OAuth2 - Gem

     client = OAuth2::Client.new(client_id, client_secret, :site => "https://www.youtube.com/auth")
     client.auth_code.authorize_url(:redirect_uri => "http://www.dvdtrololol.com/oauth2/callback")
     # => "https://example.org/oauth/authorization?response_type=code&client_id=client_id&redirect_uri=http://localhost:8080/oauth2/callback"
     token = client.auth_code.get_token(authorization_code_value, :redirect_uri => "http://www.dvdtrololol.com/oauth2/callback")
     videos = token.get("/videos.json")
 19. OAuth2 - Faraday middleware

     module Faraday
       class Request::OAuth2 < Faraday::Middleware
         def initialize(app, access_token)
           @app, @access_token = app, access_token
         end

         # Adds the bearer token to every outgoing request, then passes it down the stack.
         def call(env)
           env[:request_headers]["Authorization"] = "Bearer #{@access_token.token}"
           @app.call(env)
         end
       end
     end
 20. Omniauth love <3
     • Rack standardized multi-provider authentication
     • Very flexible

     Rails.application.config.middleware.use OmniAuth::Builder do
       provider :developer unless Rails.env.production?
       provider :twitter, ENV["TWITTER_KEY"], ENV["TWITTER_SECRET"]
     end
 21. Omniauth - Authentication Lifecycle
     • Setup phase
     • Request phase
     • Callback phase
 22. Omniauth basic strategy

     module OmniAuth
       module Strategies
         class Developer
           include OmniAuth::Strategy
           option :fields, [:name, :email]
           option :uid_field, :email
         end
       end
     end
 23. Omniauth base OAuth strategies
     • omniauth-oauth
     • omniauth-oauth2
 24. Write a custom OAuth2 strategy: Dailymotion?
 25. Omniauth default stack
     • omniauth-oauth2
     • multi-json
     • multi-xml
     • faraday
 26. Omniauth custom OAuth2 strategy

     require "omniauth/strategies/oauth2"

     module OmniAuth
       module Strategies
         class Dailymotion < OmniAuth::Strategies::OAuth2
           DEFAULT_SCOPE = "email userinfo"

           option :name, "dailymotion"

           option :client_options, {
             :site => "https://api.dailymotion.com",
             :authorize_url => "/oauth/authorize",
             :token_url => "/oauth/token"
           }
           # ...
 27. Omniauth custom OAuth2 strategy - Give more info for free!

           uid { raw_info["id"] }

           info do
             prune!({
               "screenname" => raw_info["screenname"],
               "url" => raw_info["url"],
               "email" => raw_info["email"],
               "fullname" => raw_info["fullname"],
               "description" => raw_info["description"],
               "gender" => raw_info["gender"]
             })
           end

           # Fetches the profile once per request and memoizes the parsed JSON.
           def raw_info
             @raw_info ||= access_token.get("/me", :params => { :fields => %w(id url email fullname description gender).join(",") }).parsed
           end
         end
       end
     end
 28. Omniauth in Rails - Link an account only (no authentication)

     = link_to "Link to Dailymotion", "/auth/dailymotion"

     match "/auth/:provider/callback", to: "profiles#link_provider"
 29. (continued from slide 28)

     class ProfilesController < AuthenticatedController
       def show
       end

       def link_provider
         current_user.update_attributes_for_provider(params[:provider], auth_hash.credentials)
         redirect_to profile_path, notice: "Successfully linked to provider"
       end

       protected

       # The auth hash OmniAuth places in the Rack env after the callback phase.
       def auth_hash
         request.env["omniauth.auth"]
       end
     end

     class User
       # ...
       # Copies the provider credentials (token, secret, ...) into the matching
       # <provider>_<key> attributes, if the model has them.
       def update_attributes_for_provider(provider, credentials)
         credentials.each do |key, val|
           send("#{provider}_#{key}=", val) if respond_to?("#{provider}_#{key}=")
         end
         save
       end
     end
 30. Omniauth in Rails - Authentication with Devise

     class Users::OmniauthCallbacksController < ApplicationController
       def create
         @user = User.find_or_create_for_provider(params[:provider], auth_hash)
         sign_in_and_redirect(@user, :event => :authentication)
       end

       protected

       # Same helper as in ProfilesController.
       def auth_hash
         request.env["omniauth.auth"]
       end
     end
 31. Thank you! Follow me: twitter.com/slainer68
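The base string and HMAC-SHA1 signature from slides 10 and 11, worked through in Ruby with only the standard library; this is an added example, not code from the talk or from the oauth gem. The consumer and token secrets are constructed placeholders, and the provider-side check assumes the caller has already stripped oauth_signature from the received parameters and handles nonce and timestamp replay checks separately.

```ruby
require "openssl"

# Percent-encoding as OAuth 1.0 specifies: RFC 3986 unreserved bytes pass through, everything else becomes %XX.
def oauth_encode(str)
  str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format("%%%02X", c.ord) }
end

# Signature base string: METHOD & enc(URL) & enc(sorted "key=value" pairs joined by "&").
# Keys and values are encoded before sorting, which is why "=" and "&" show up as %3D and %26 on slide 11.
def signature_base_string(http_method, url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join("&")
  [http_method.upcase, oauth_encode(url), oauth_encode(normalized)].join("&")
end

# HMAC-SHA1 over the base string, keyed with enc(consumer secret) & enc(token secret)
# (the token secret is empty while fetching temporary credentials), base64 without line breaks.
def hmac_sha1_signature(base_string, consumer_secret, token_secret = "")
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  [OpenSSL::HMAC.digest("sha1", key, base_string)].pack("m0")
end

# Provider-side verification: recompute from the received request (params must not include
# oauth_signature itself) and compare without revealing at which byte the strings differ.
def valid_signature?(http_method, url, params, consumer_secret, token_secret, presented)
  expected = hmac_sha1_signature(signature_base_string(http_method, url, params), consumer_secret, token_secret)
  return false unless expected.bytesize == presented.bytesize
  expected.bytes.zip(presented.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Request parameters exactly as on slide 11 (the API call plus the oauth_* protocol parameters).
VIMEO_URL = "http://vimeo.com/api/rest/v2/"
VIMEO_PARAMS = {
  "method" => "vimeo.people.getInfo",
  "oauth_consumer_key" => "abcdef0123456",
  "oauth_nonce" => "r4nd0m1234",
  "oauth_signature_method" => "HMAC-SHA1",
  "oauth_timestamp" => "1328533189",
  "oauth_version" => "1.0",
  "user_id" => "brad"
}.freeze

# The base string printed on slide 11, kept here to check the construction above against it.
SLIDE_BASE_STRING = "GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3Dvimeo.people.getInfo" \
  "%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce%3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1" \
  "%26oauth_timestamp%3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad"
```

Changing any signed parameter, or using the wrong consumer secret, makes valid_signature? reject the request, which is the property the provider relies on.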
