KO
Uploaded byKenji Otsuka
PDF, PPTX185 views

OAuth 2.0 and Library

The document discusses OAuth 2.0 libraries for PHP and Ruby. For PHP, it describes thephpleague/oauth2-client library which allows configuring 3 endpoint URLs and implementing the OAuth flow with conditional checks. For Ruby, it mentions omniauth/omniauth libraries like omniauth-twitter which simplify implementation by handling most complexity, with differences only in the 3 URLs. It also describes Doorkeeper for developing OAuth servers in Ruby on Rails, which works with Devise and allows registering client apps and users through predefined functions.

Embed presentation

Download as PDF, PPTX
OAuth 2.0 and Library What the libraries do? How can we use the libraries?
What is OAuth 2.0? ● Standard to authenticate the client application so that it can access to protected resource. ● The user doesn't have to provide own user id and password. ● RFC6749
OAuth Flow (simple version) Client App Resource Svr Auth Svr Start (1) Authorization Client Redirect and authenticate Respond Code (2) Request Token Respond Token (3) Request Resource redirect_uri client_id scope response_type grant_type client_id scope code code state access_token token_type expires_in refresh_token example_parameter
OAuth Flow (simple version Client App Resource Svr Auth Svr Start (1) Authenticate Client Redirect and authenticate Respond Code (2) Request Token Respond Token (3) Request Resource 3 endpoint URLs for configuration
PHP Library: thephpleague/oauth2-client https://github.com/thephpleague/oauth2-client $provider = new LeagueOAuth2ClientProviderGenericProvider([ 'clientId' => 'demoapp', // The client ID assigned to you by the provider 'clientSecret' => 'demopass', // The client password assigned to you by the provider 'redirectUri' => 'http://example.com/your-redirect-url/', 'urlAuthorize' => 'http://brentertainment.com/oauth2/lockdin/authorize', 'urlAccessToken' => 'http://brentertainment.com/oauth2/lockdin/token', 'urlResourceOwnerDetails' => 'http://brentertainment.com/oauth2/lockdin/resource' ]); // If we don't have an authorization code then get one if (!isset($_GET['code'])) { // Fetch the authorization URL from the provider; this returns the // urlAuthorize option and generates and applies any necessary parameters // (e.g. state). $authorizationUrl = $provider->getAuthorizationUrl(); // Get the state generated for you and store it to the session. $_SESSION['oauth2state'] = $provider->getState(); // Redirect the user to the authorization URL. header('Location: ' . $authorizationUrl); exit; // Check given state against previously stored one to mitigate CSRF attack } elseif (empty($_GET['state']) || (isset($_SESSION['oauth2state']) && $_GET['state'] !== $_SESSION['oauth2state'])) { if (isset($_SESSION['oauth2state'])) { unset($_SESSION['oauth2state']); } exit('Invalid state'); } else { try { // Try to get an access token using the authorization code grant. $accessToken = $provider->getAccessToken('authorization_code', [ 'code' => $_GET['code'] ]); // We have an access token, which we may use in authenticated // requests against the service provider's API. echo 'Access Token: ' . $accessToken->getToken() . "<br>"; echo 'Refresh Token: ' . $accessToken->getRefreshToken() . "<br>"; echo 'Expired in: ' . $accessToken->getExpires() . "<br>"; echo 'Already expired? ' . ($accessToken->hasExpired() ? 'expired' : 'not expired') . "<br>"; Let's view the sample code.
PHP Library: thephpleague/oauth2-client $provider = new LeagueOAuth2ClientProviderGenericProvider([ 'clientId' => 'demoapp', // The client ID assigned to you by the provider 'clientSecret' => 'demopass', // The client password assigned to you by the provider 'redirectUri' => 'http://example.com/your-redirect-url/', 'urlAuthorize' => 'http://brentertainment.com/oauth2/lockdin/authorize', 'urlAccessToken' => 'http://brentertainment.com/oauth2/lockdin/token', 'urlResourceOwnerDetails' => 'http://brentertainment.com/oauth2/lockdin/resource' ]); 3 URLs for auth and resource server.
PHP Library: thephpleague/oauth2-client // If we don't have an authorization code then get one if (!isset($_GET['code'])) { // Fetch the authorization URL from the provider; this returns the // urlAuthorize option and generates and applies any necessary parameters // (e.g. state). $authorizationUrl = $provider->getAuthorizationUrl(); // Get the state generated for you and store it to the session. $_SESSION['oauth2state'] = $provider->getState(); // Redirect the user to the authorization URL. header('Location: ' . $authorizationUrl); exit; Conditional with parameters. (1) first step Authorization URL Redirection to authorization URL, such as Twitter login view.
PHP Library: thephpleague/oauth2-client // Check given state against previously stored one to mitigate CSRF attack } elseif (empty($_GET['state']) || (isset($_SESSION['oauth2state']) && $_GET['state'] !== $_SESSION['oauth2state'])) { if (isset($_SESSION['oauth2state'])) { unset($_SESSION['oauth2state']); } exit('Invalid state'); Process when the user came back from authorization. Handles irregular pattern
PHP Library: thephpleague/oauth2-client } else { try { // Try to get an access token using the authorization code grant. $accessToken = $provider->getAccessToken('authorization_code', [ 'code' => $_GET['code'] ]); // We have an access token, which we may use in authenticated // requests against the service provider's API. echo 'Access Token: ' . $accessToken->getToken() . "<br>"; echo 'Refresh Token: ' . $accessToken->getRefreshToken() . "<br>"; echo 'Expired in: ' . $accessToken->getExpires() . "<br>"; echo 'Already expired? ' . ($accessToken->hasExpired() ? 'expired' : 'not expired') . "<br>"; // Using the access token, we may look up details about the // resource owner. $resourceOwner = $provider->getResourceOwner($accessToken); var_export($resourceOwner->toArray()); // The provider provides a way to get an authenticated API request for // the service, using the access token; it returns an object conforming // to PsrHttpMessageRequestInterface. $request = $provider->getAuthenticatedRequest( 'GET', 'http://brentertainment.com/oauth2/lockdin/resource', $accessToken ); } catch (LeagueOAuth2ClientProviderExceptionIdentityProviderException$e) { // Failed to get the access token or user details. exit($e->getMessage()); } } (2) Get Access token (3) Get resource information
PHP Library: thephpleague/oauth2-client It enables us to develop application with user data based on old PHP website.
Ruby Library: omniauth/omniauth https://github.com/omniauth/omniauth omniauth-twitter, omniauth-facebook, omniauth-google are often used when developing Twitter/Google/Facebook Authorization in Rails. The main differences in omniauth-twitter, omniauth-facebook, omniauth-google are the 3 URLs. There are many libraries for many auth servers with omniauth in GitHub. The difference is 3 URLs and most complicated part is handled by omniauth, so implementation in each library such as omniauth-twitter is really simple.
Ruby Library: omniauth/omniauth The main component omniauth-google-oauth2 is google_oauth2.rb, 227 lines.
Ruby Library: omniauth/omniauth The main component of omniauth-facebook is facebook.rb, 180 lines.
Library to develop server: Doorkeeper https://github.com/doorkeeper-gem/doorkeeper It is used with Rails and it collaborates with Devise well.
Library to develop server: Doorkeeper ● For manager ○ With manager account, we can configure client applications. ○ We can register multiple managers. Devise can be used for managing manager. ● For user ○ All function for user are prepared. ● What the developer do ○ (1) create user authorization page ■ Devise can generate those code. ○ (3) create endpoint to return resource information
Library to develop server: Doorkeeper Endpoint to return resource information. The library handles most part. The main code of the endpoint can be written as follows. Simple. module Api class V1::ApiController < ::ApplicationController def current_resource_owner Member.find(doorkeeper_token.resource_owner_id) if doorkeeper_token end end end module Api class V1::CredentialsController < V1::ApiController before_action :doorkeeper_authorize! def me render json: { member: current_resource_owner } end end end
Reference ● OAuth 2.0 structure and authorization https://murashun.jp/blog/20150920-01.html ● OAuth 2.0 client in Java https://www.ibm.com/developerworks/jp/security/library/se-oauthjavapt3/index.html ● OAuth authorization with Rails + devise + omniauth + doorkeeper https://qiita.com/moehiko/items/300dcfa4d8f70660bcd1

More Related Content

PDF
OAuth 2.0
byUwe Friedrichsen
 
PPTX
Oauth 2.0 security
byvinoth kumar
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PDF
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
byMatt Raible
 
PDF
CIS14: Developing with OAuth and OIDC Connect
byCloudIDSummit
 
PPTX
An Introduction to OAuth2
byAaron Parecki
 
PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
OAuth 2.0
byUwe Friedrichsen
 
Oauth 2.0 security
byvinoth kumar
 
Demystifying OAuth 2.0
byKarl McGuinness
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
byMatt Raible
 
CIS14: Developing with OAuth and OIDC Connect
byCloudIDSummit
 
An Introduction to OAuth2
byAaron Parecki
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 

What's hot

PDF
Rest Security with JAX-RS
byFrank Kim
 
PPTX
Making Sense of API Access Control
byCA API Management
 
PPT
Nine Ways to Use Network-Side Scripting
byLori MacVittie
 
PPTX
Single-Page-Application & REST security
byIgor Bossenko
 
PDF
Using OAuth with PHP
byDavid Ingram
 
PDF
Implementing OAuth with PHP
byLorna Mitchell
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
KEY
OAuth using PHP5
byNurulazrad Murad
 
PPTX
OAuth1.0
byG Jayendra Kartheek
 
PDF
Introduction to OAuth
byPaul Osman
 
PPTX
Securing RESTful Payment APIs Using OAuth 2
byJonathan LeBlanc
 
PDF
Introduction to OAuth2.0
byOracle Corporation
 
PDF
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
PPTX
(4) OAuth 2.0 Obtaining Authorization
byanikristo
 
PPTX
Esquema de pasos de ejecución IdM
byFernando Lopez Aguilar
 
PDF
Java Web Programming [9/9] : Web Application Security
byIMC Institute
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PPTX
The State of OAuth2
byAaron Parecki
 
PDF
Implementing OAuth
byleahculver
 
PPTX
JWT Authentication with AngularJS
byrobertjd
 
Rest Security with JAX-RS
byFrank Kim
 
Making Sense of API Access Control
byCA API Management
 
Nine Ways to Use Network-Side Scripting
byLori MacVittie
 
Single-Page-Application & REST security
byIgor Bossenko
 
Using OAuth with PHP
byDavid Ingram
 
Implementing OAuth with PHP
byLorna Mitchell
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
OAuth using PHP5
byNurulazrad Murad
 
OAuth1.0
byG Jayendra Kartheek
 
Introduction to OAuth
byPaul Osman
 
Securing RESTful Payment APIs Using OAuth 2
byJonathan LeBlanc
 
Introduction to OAuth2.0
byOracle Corporation
 
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
(4) OAuth 2.0 Obtaining Authorization
byanikristo
 
Esquema de pasos de ejecución IdM
byFernando Lopez Aguilar
 
Java Web Programming [9/9] : Web Application Security
byIMC Institute
 
OAuth2 + API Security
byAmila Paranawithana
 
The State of OAuth2
byAaron Parecki
 
Implementing OAuth
byleahculver
 
JWT Authentication with AngularJS
byrobertjd
 

Similar to OAuth 2.0 and Library

PDF
Demystifying OAuth2 for PHP
bySWIFTotter Solutions
 
PDF
Top X OAuth 2 Hacks
byAntonio Sanso
 
PPTX
OAuth2 para desarrolladores
byLuis Ruiz Pavón
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PPTX
Introduction to OAuth2
byKumaresh Chandra Baruri
 
PDF
Implementing open authentication_in_your_app
byNuhil Mehdy
 
PDF
Full stack security
byDPC Consulting Ltd
 
PDF
Intro to OAuth
bymfrost503
 
PPTX
Oauth
byRob Paok
 
PDF
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
byAntonio Sanso
 
PDF
Oauth Php App
byAbdullah Mamun
 
PDF
Stateless authentication for microservices applications - JavaLand 2015
byAlvaro Sanchez-Mariscal
 
PDF
Twitter codeigniter library
byNavaneeswar Reddy
 
PPTX
How to build Simple yet powerful API.pptx
byChanna Ly
 
PPTX
OAuth [noddyCha]
bynoddycha
 
PPTX
Hybrid authentication - Talking To Major Social Networks
byRayhan Chowdhury
 
PDF
Integrating services with OAuth
byLuca Mearelli
 
PPTX
Api security
byteodorcotruta
 
PPTX
OAuth
byTom Elrod
 
PDF
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
Demystifying OAuth2 for PHP
bySWIFTotter Solutions
 
Top X OAuth 2 Hacks
byAntonio Sanso
 
OAuth2 para desarrolladores
byLuis Ruiz Pavón
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
Introduction to OAuth2
byKumaresh Chandra Baruri
 
Implementing open authentication_in_your_app
byNuhil Mehdy
 
Full stack security
byDPC Consulting Ltd
 
Intro to OAuth
bymfrost503
 
Oauth
byRob Paok
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
byAntonio Sanso
 
Oauth Php App
byAbdullah Mamun
 
Stateless authentication for microservices applications - JavaLand 2015
byAlvaro Sanchez-Mariscal
 
Twitter codeigniter library
byNavaneeswar Reddy
 
How to build Simple yet powerful API.pptx
byChanna Ly
 
OAuth [noddyCha]
bynoddycha
 
Hybrid authentication - Talking To Major Social Networks
byRayhan Chowdhury
 
Integrating services with OAuth
byLuca Mearelli
 
Api security
byteodorcotruta
 
OAuth
byTom Elrod
 
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 

Recently uploaded

PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 

OAuth 2.0 and Library

  • 1.
    OAuth 2.0 andLibrary What the libraries do? How can we use the libraries?
  • 2.
    What is OAuth2.0? ● Standard to authenticate the client application so that it can access to protected resource. ● The user doesn't have to provide own user id and password. ● RFC6749
  • 3.
    OAuth Flow (simpleversion) Client App Resource Svr Auth Svr Start (1) Authorization Client Redirect and authenticate Respond Code (2) Request Token Respond Token (3) Request Resource redirect_uri client_id scope response_type grant_type client_id scope code code state access_token token_type expires_in refresh_token example_parameter
  • 4.
    OAuth Flow (simpleversion Client App Resource Svr Auth Svr Start (1) Authenticate Client Redirect and authenticate Respond Code (2) Request Token Respond Token (3) Request Resource 3 endpoint URLs for configuration
  • 5.
    PHP Library: thephpleague/oauth2-client https://github.com/thephpleague/oauth2-client $provider= new LeagueOAuth2ClientProviderGenericProvider([ 'clientId' => 'demoapp', // The client ID assigned to you by the provider 'clientSecret' => 'demopass', // The client password assigned to you by the provider 'redirectUri' => 'http://example.com/your-redirect-url/', 'urlAuthorize' => 'http://brentertainment.com/oauth2/lockdin/authorize', 'urlAccessToken' => 'http://brentertainment.com/oauth2/lockdin/token', 'urlResourceOwnerDetails' => 'http://brentertainment.com/oauth2/lockdin/resource' ]); // If we don't have an authorization code then get one if (!isset($_GET['code'])) { // Fetch the authorization URL from the provider; this returns the // urlAuthorize option and generates and applies any necessary parameters // (e.g. state). $authorizationUrl = $provider->getAuthorizationUrl(); // Get the state generated for you and store it to the session. $_SESSION['oauth2state'] = $provider->getState(); // Redirect the user to the authorization URL. header('Location: ' . $authorizationUrl); exit; // Check given state against previously stored one to mitigate CSRF attack } elseif (empty($_GET['state']) || (isset($_SESSION['oauth2state']) && $_GET['state'] !== $_SESSION['oauth2state'])) { if (isset($_SESSION['oauth2state'])) { unset($_SESSION['oauth2state']); } exit('Invalid state'); } else { try { // Try to get an access token using the authorization code grant. $accessToken = $provider->getAccessToken('authorization_code', [ 'code' => $_GET['code'] ]); // We have an access token, which we may use in authenticated // requests against the service provider's API. echo 'Access Token: ' . $accessToken->getToken() . "<br>"; echo 'Refresh Token: ' . $accessToken->getRefreshToken() . "<br>"; echo 'Expired in: ' . $accessToken->getExpires() . "<br>"; echo 'Already expired? ' . ($accessToken->hasExpired() ? 'expired' : 'not expired') . "<br>"; Let's view the sample code.
  • 6.
    PHP Library: thephpleague/oauth2-client $provider= new LeagueOAuth2ClientProviderGenericProvider([ 'clientId' => 'demoapp', // The client ID assigned to you by the provider 'clientSecret' => 'demopass', // The client password assigned to you by the provider 'redirectUri' => 'http://example.com/your-redirect-url/', 'urlAuthorize' => 'http://brentertainment.com/oauth2/lockdin/authorize', 'urlAccessToken' => 'http://brentertainment.com/oauth2/lockdin/token', 'urlResourceOwnerDetails' => 'http://brentertainment.com/oauth2/lockdin/resource' ]); 3 URLs for auth and resource server.
  • 7.
    PHP Library: thephpleague/oauth2-client //If we don't have an authorization code then get one if (!isset($_GET['code'])) { // Fetch the authorization URL from the provider; this returns the // urlAuthorize option and generates and applies any necessary parameters // (e.g. state). $authorizationUrl = $provider->getAuthorizationUrl(); // Get the state generated for you and store it to the session. $_SESSION['oauth2state'] = $provider->getState(); // Redirect the user to the authorization URL. header('Location: ' . $authorizationUrl); exit; Conditional with parameters. (1) first step Authorization URL Redirection to authorization URL, such as Twitter login view.
  • 8.
    PHP Library: thephpleague/oauth2-client //Check given state against previously stored one to mitigate CSRF attack } elseif (empty($_GET['state']) || (isset($_SESSION['oauth2state']) && $_GET['state'] !== $_SESSION['oauth2state'])) { if (isset($_SESSION['oauth2state'])) { unset($_SESSION['oauth2state']); } exit('Invalid state'); Process when the user came back from authorization. Handles irregular pattern
  • 9.
    PHP Library: thephpleague/oauth2-client }else { try { // Try to get an access token using the authorization code grant. $accessToken = $provider->getAccessToken('authorization_code', [ 'code' => $_GET['code'] ]); // We have an access token, which we may use in authenticated // requests against the service provider's API. echo 'Access Token: ' . $accessToken->getToken() . "<br>"; echo 'Refresh Token: ' . $accessToken->getRefreshToken() . "<br>"; echo 'Expired in: ' . $accessToken->getExpires() . "<br>"; echo 'Already expired? ' . ($accessToken->hasExpired() ? 'expired' : 'not expired') . "<br>"; // Using the access token, we may look up details about the // resource owner. $resourceOwner = $provider->getResourceOwner($accessToken); var_export($resourceOwner->toArray()); // The provider provides a way to get an authenticated API request for // the service, using the access token; it returns an object conforming // to PsrHttpMessageRequestInterface. $request = $provider->getAuthenticatedRequest( 'GET', 'http://brentertainment.com/oauth2/lockdin/resource', $accessToken ); } catch (LeagueOAuth2ClientProviderExceptionIdentityProviderException$e) { // Failed to get the access token or user details. exit($e->getMessage()); } } (2) Get Access token (3) Get resource information
  • 10.
    PHP Library: thephpleague/oauth2-client Itenables us to develop application with user data based on old PHP website.
  • 11.
    Ruby Library: omniauth/omniauth https://github.com/omniauth/omniauth omniauth-twitter,omniauth-facebook, omniauth-google are often used when developing Twitter/Google/Facebook Authorization in Rails. The main differences in omniauth-twitter, omniauth-facebook, omniauth-google are the 3 URLs. There are many libraries for many auth servers with omniauth in GitHub. The difference is 3 URLs and most complicated part is handled by omniauth, so implementation in each library such as omniauth-twitter is really simple.
  • 12.
    Ruby Library: omniauth/omniauth Themain component omniauth-google-oauth2 is google_oauth2.rb, 227 lines.
  • 13.
    Ruby Library: omniauth/omniauth Themain component of omniauth-facebook is facebook.rb, 180 lines.
  • 14.
    Library to developserver: Doorkeeper https://github.com/doorkeeper-gem/doorkeeper It is used with Rails and it collaborates with Devise well.
  • 15.
    Library to developserver: Doorkeeper ● For manager ○ With manager account, we can configure client applications. ○ We can register multiple managers. Devise can be used for managing manager. ● For user ○ All function for user are prepared. ● What the developer do ○ (1) create user authorization page ■ Devise can generate those code. ○ (3) create endpoint to return resource information
  • 16.
    Library to developserver: Doorkeeper Endpoint to return resource information. The library handles most part. The main code of the endpoint can be written as follows. Simple. module Api class V1::ApiController < ::ApplicationController def current_resource_owner Member.find(doorkeeper_token.resource_owner_id) if doorkeeper_token end end end module Api class V1::CredentialsController < V1::ApiController before_action :doorkeeper_authorize! def me render json: { member: current_resource_owner } end end end
  • 17.
    Reference ● OAuth 2.0structure and authorization https://murashun.jp/blog/20150920-01.html ● OAuth 2.0 client in Java https://www.ibm.com/developerworks/jp/security/library/se-oauthjavapt3/index.html ● OAuth authorization with Rails + devise + omniauth + doorkeeper https://qiita.com/moehiko/items/300dcfa4d8f70660bcd1