Ryan, can you make a tutorial for using "TOTP: Time-Based One-Time Password Algorithm" or "Multi-Factor Authentication" that is compatible with Google Authenticator, like in Google and AWS? It would be great to add more security :)
See Two-factor Authentication with Rails and the subsequent Using the Google Authenticator App with Rails for tutorials of using 2-factor authentication with Google Authenticator.
Awesome Ryan! Great job. I have one question. Let's say your client app is a mobile app (such as an android app), would you have to redirect to a browser (out of the app) when trying to login? The json part is ok as both android and ios have libraries for those.
+100 on this episode.
For this I'd recommend looking into using the password grant type which doesn't require setting a callback URL.
Actually, if you look at existing apps that authenticate through Twitter's oAuth for example, you can see that, indeed, a browser is required to grant access to the account. However, both iOS and Android have an option to launch a browser window within an application itself.
So usually when the user clicks "login through twitter", you'd fire up a browser screen inside the app that will load the Twitter authentication page. This page is already optimized for mobile, so it will simply show the button to authenticate (or the login fields if the user isn't logged in to twitter yet). Then you have your app set up to close the webview when a successful request is made, and log the user in.
Facebook is a similar example, except that in this case, facebook requires the app to actually launch the Facebook app, which will handle the authentication and automatically switch back to your app when the authentication is successful.
Here's an example of how to use the password grant type without a callback URL (the resource owner's credentials are sent directly as the `username` and `password` form fields):

```shell
curl -i http://localhost:3000/oauth/access_token \
  -F grant_type=password \
  -F client_id=<client id> \
  -F client_secret=<client secret> \
  -F "scope=<scope>" \
  -F username=<username> \
  -F password=<password>
```
Thanks for the clarification.
Thanks for this information. Will be taking a closer look at this.
I've dealt with the same issue on the Titanium Appcelerator mobile platform. We need high security in our app, that's why we cannot apply the password authorization type. So I have set the redirect URI to localhost and I've extracted the grant code directly from the redirect URL. You can check https://github.com/OrganisedMinds/titanium-oauth2-client for your inspiration, but be aware - this is still in development. Anyway, there are already some OAuth 2.0 libraries from Google developers written in Java if you consider native Android development.
The gem was updated with the fix for whitelist_attributes. Check out the version 0.3.4
This is difficult to grasp when we don't know the big picture. Diagrams are required to introduce the concepts before jumping into code. Also including specs with the code would be helpful.
OAuth 2 is very strange at first sight. It was for me :-)
But, on the OAuth 2 spec site there are a few diagrams that might help you, or check out the application examples, like this one
Excellent screencast as usual. I don't seem to be able to find any documentation though on customising the controllers Or models. Mainly things like having the applications associated to a specific user etc.
Right now, there's no way to customize controller behaviour specifically, but there's a branch which will allow you to do this.
There's also a pull request related to application customization (ownership). Feel free to comment on that, we need ideas :)
Has anyone got Doorkeeper working with Mongoid?
There are a few forks out there, but we're working on a branch for that. :-)
Is it possible to use rails-api and doorkeeper together? I'm not sure where the Doorkeeper UI should live. Possibly hack it into rails-api or add it to another rails app, what do you think?
I haven't tried yet, but it might work; I think you just need to enable before filters for your API controllers.
When I try to start up my rails (oauth client) app after building my OAuth strategy (identical to Ryan's structurally), I get this error:
```
undefined method `uid' for OmniAuth::Strategies:Module
```
Anyone seen this error before? I'm having a hard time figuring out what I'm doing wrong.
I always have this error when I follow this tutorial:
```
OAuth2::Error: invalid_grant: The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
```
when I'm in the phase of parsing the token. What is the problem and how can I fix this?
The error is most likely from copying the token value in the example (4125be61e6780812595dc275a8bf365aa5738fcf0e6d4429019ad1f68ee37363) instead of using the value generated by your server.
Since oauth2 1.1.0 with CSRF protection, this code doesn't work. Could somebody point me in the right direction on how to apply the state param in this provider and client example? Thanks.
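One way to apply the `state` parameter on the client side of the authorization code flow, as an added example (not code from the episode or from the oauth2 gem; the provider URL, the `session` hash and the `OAuthState` module name are assumptions). The client generates a random single-use value, keeps it in the session, sends it on the authorize request and checks it on the callback before exchanging the code for a token, which is what stops a forged callback from logging the user into an attacker's account:

```ruby
require "securerandom"
require "uri"

# Hypothetical helper (added example). Doorkeeper, as the provider, echoes
# whatever "state" it received back to the redirect_uri; the client is the
# side that has to generate, store and verify it.
module OAuthState
  # Assumed provider URL from the episode's localhost:3000 setup.
  AUTHORIZE_URL = "http://localhost:3000/oauth/authorize"

  # Build the authorize URL and stash a fresh state value in the session.
  def self.authorize_url(session, client_id:, redirect_uri:)
    state = SecureRandom.hex(24)
    session[:oauth_state] = state
    query = URI.encode_www_form(
      response_type: "code",
      client_id: client_id,
      redirect_uri: redirect_uri,
      state: state
    )
    "#{AUTHORIZE_URL}?#{query}"
  end

  # Verify the callback params against the stored state and return the
  # authorization code, or nil if anything is missing or mismatched. The
  # stored state is deleted either way, so a value can never be replayed.
  # Only after a non-nil return should the code be exchanged, e.g. with
  # client.auth_code.get_token(code, redirect_uri: redirect_uri).
  def self.verify_callback(session, params)
    expected = session.delete(:oauth_state)
    given = params["state"]
    return nil if expected.nil? || given.nil?
    return nil unless secure_equal?(expected, given)
    params["code"]
  end

  # Constant-time comparison so the check does not leak how many leading
  # bytes of the state matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```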
Why do I keep getting the error
```
An error has occurred
Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.
```
when trying to sign in through the client app?
I tried running the source code and I get the same errors... any ideas?!
I'm getting the same error.
For future reference: This happens because ENV["OAUTH_ID"] and ENV["OAUTH_SECRET"] aren't set.
Any advice about using Doorkeeper with Active Model Serializers as shown in episode #409?
Guys, you may wanna check out this fix for the CSRF issues: http://stackoverflow.com/questions/10351386/rails-doorkeeper-cant-verify-csrf-token-authenticity?rq=1
I thought I'd add these notes for future n00bs to consider
Oh, crap - I just realized that the default callback URL parameter is in fact redirect_uri - I made the mistake of specifying it as callback when I was playing around. My bad.
Does anyone know why I get the error:
```
undefined local variable or method `new_user_session_url' for #Doorkeeper::AuthorizationsController:0x007fef99668bc8
```
```ruby
# Put your resource owner authentication logic here.
# Example implementation:
current_user || redirect_to(login_url)
```
I am using Sorcery with Doorkeeper
I am getting this error as well Daniel Gaeta. Not using Sorcery, but I am using Doorkeeper and OmniAuth.
Use new_user_session_url_path instead.
With Doorkeeper 0.7.4 I had to use `callback = "urn:ietf:wg:oauth:2.0:oob"` in place of the localhost:3001 callback. Otherwise, the page to exchange the authorization token for an accepted authorization code complained of a bad callback URL.
```ruby
callback = "urn:ietf:wg:oauth:2.0:oob"
```
I wish to use Doorkeeper for 3rd party authentication but wish to skip and use before_filter authenticate! for AngularJS based client side web app.
Is it possible to do this?
What is the best way for authentication for an API which should be usable for Single Sign On 1st party app and 3rd party apps like chrome extension?
I want to create an API for an Android application. Would Doorkeeper be perfect for registration and authentication? Generally, what is the best way to build a secure API? I found so many tutorials, but that raises many doubts.
See the NSScreencast episode below.
- Authentication with AFNetworking #41
- Retrying HTTP Requests #42
When I try to generate the access token in the irb console, I get "DNS lookup failed error". Does this have to do with some problem in my machine setup?
```
irb(main):021:0> access = client.auth_code.get_token("6246e2d200c46b338780e72c4db85f5225c097e907792c31f7acf9b07421fe7f", redirect_uri: callback)
OAuth2::Error: <!-- IE friendly error message walkround.
if error message from server is less than
512 bytes IE v5+ will use its own error
message instead of the one returned by
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
from /home/kempa/.rbenv/versions/2.0.0-p451/lib/ruby/gems/2.0.0/gems/oauth2-0.9.3/lib/oauth2/client.rb:110:in `request'
from /home/kempa/.rbenv/versions/2.0.0-p451/lib/ruby/gems/2.0.0/gems/oauth2-0.9.3/lib/oauth2/client.rb:135:in `get_token'
from /home/kempa/.rbenv/versions/2.0.0-p451/lib/ruby/gems/2.0.0/gems/oauth2-0.9.3/lib/oauth2/strategy/auth_code.rb:29:in `get_token'
from /home/kempa/.rbenv/versions/2.0.0-p451/bin/irb:12:in `<main>'
```
Ryan, can you shed any light on how you would go about using Doorkeeper (or something similar) to implement separate authorization and resource servers? I'm trying to build one authorization server that can handle OAuth2 for all of our resource servers (instead of trying to implement the authorization server on each of those endpoints). It seems like Doorkeeper is designed for the scenario where the resource and authorization servers are one and the same.
Awesome video and awesome service btw.
So this railscast is great but I ran into problems with the config/initializers/doorkeeper.rb file. Instead of getting to the authorization pages I was redirected to the provider site homepage. I was able to fix this by using all the code shown here