Comments (5)

lancejpollard commented on July 20, 2024

I just figured this out... When I started with Authlogic Connect I didn't really know the difference between Oauth and OpenID in terms of "login". Now it's becoming a bit more clear.

Oauth is not a login protocol it turns out, it's an authentication protocol. OpenID, however, is a login protocol. Here's what I mean.

With login, we need to be able to have some piece of info about the user that's guaranteed to be unique and unchanging. With OpenID, that's the openid_identifier. With Oauth, we don't have that; token and secret WILL change in the following situations:

  • If the user logs out and logs back in, we need to go through the Oauth process again. In Twitter, it looks like they give you the same Oauth token, so we can use that to find the database record. In Google, however, every time you log back in, it changes, so we can never find the database record!
  • If you explicitly "revoke access" to our application (in Twitter, "Settings > Revoke Access", in Google, similar), then for sure the Token and Secret will be different, so we can't find the database record now.

SO, the solution that will make Oauth behave like a login protocol, is to ask for that piece of unique and unchanging data from the service for the user.

In Twitter, we get this for free in the Oauth params that come back, user_id. In Google, we have to do more: We have to make a hacky API request and get the email address of the user, and save that. I just got this working last night.

So that's the issue you're facing. I'm learning this as I go too for sure.

I have updated a whole lot but for some reason OpenID isn't working in Rails 2.3 on my end, so once I get that back (need tests!), I will post the changes.

Best,
Lance

from authlogic-connect.

daf commented on July 20, 2024

Ah, that makes sense. I had read blags about OAuth != OpenID but didn't really understand what they meant. Now I see.

FYI, Facebook will give you the same OAuth token back like Twitter does.

As an aside, I modified the Google token under the oauth/tokens dir to only request the user's email address from that "userinfo" scope they have but don't really talk about too much. Is that the same method you're using to get the user's email address? Maybe the "hacky" code can be pushed into these token classes somehow (if that makes any sense), so an overridden method could take care of it?

from authlogic-connect.

daf commented on July 20, 2024

And yes, I've also not gotten OpenID to do anything for me. OpenID would be cool but is not really a priority for me, I just want users to be able to use Google in ANY fashion really.

from authlogic-connect.

lancejpollard commented on July 20, 2024

Alright well I might just push my changes even though OpenID isn't working for Rails 2 because I've made a lot of changes to the internal code to make things more testable. OpenID is giving me a real hard time.

What I did to make Oauth work like login is add a class "key" method that takes a block or a string. So it looks like this:

```ruby
require "json" # needed for JSON.parse in GoogleToken's key block

class TwitterToken < OauthToken

  # Twitter returns user_id in the Oauth params, so it can be used as the key directly
  key :user_id

  settings "http://twitter.com",
    :authorize_url => "http://twitter.com/oauth/authenticate"

end

class GoogleToken < OauthToken

  settings "https://www.google.com",
    :request_token_path => "/accounts/OAuthGetRequestToken",
    :authorize_path     => "/accounts/OAuthAuthorizeToken",
    :access_token_path  => "/accounts/OAuthGetAccessToken",
    :scope              => "https://www.google.com/m8/feeds/"

  # Google needs an extra API request: fetch the user's email address and use it as the key
  key do |access_token|
    body = JSON.parse(access_token.get("https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=0").body)
    email = body["feed"]["author"].first["email"]["$t"] # $t is some weird google json thing
  end

end
```

It works well enough now, and as this grows I'm sure we'll find more customizable ways to do this.

Thanks for all your input, it's really helpful.

Best,
Lance

from authlogic-connect.
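
The lookup described in the comment above, as an added example that is not part of the original thread or of authlogic-connect's code: accounts are found by a provider-scoped stable key (Twitter's user_id, the Google email address) and the token and secret are only refreshed, so a rotated token still resolves to the same record. `IdentityStore` and its methods are hypothetical names, and all tokens, secrets and keys are constructed sample values.

```ruby
# Added example; IdentityStore and its methods are hypothetical names,
# and every token, secret and key below is a constructed sample value.
class IdentityStore
  Account = Struct.new(:id, :provider, :key, :token, :secret)

  def initialize
    @accounts = {} # [provider, stable key] => Account
    @next_id  = 0
  end

  # Find (or create) the account by provider-scoped stable key, then
  # refresh the stored token and secret, which are allowed to change.
  def login(provider, key, token, secret)
    raise ArgumentError, "no stable key from #{provider}" if key.to_s.strip.empty?
    identity = [provider.to_s, key.to_s]
    account  = (@accounts[identity] ||= Account.new(@next_id += 1, *identity))
    account.token  = token
    account.secret = secret
    account
  end

  # Token-keyed lookup: only works while the provider keeps reissuing the same token.
  def find_by_token(token)
    @accounts.values.find { |a| a.token == token }
  end
end

def token_rotation_demo
  store = IdentityStore.new
  first_id = store.login(:google, "user@example.com", "tok-A", "sec-A").id

  # Log out and back in: per the thread, Google hands back a different token.
  found_by_new_token = store.find_by_token("tok-B")
  second = store.login(:google, "user@example.com", "tok-B", "sec-B")

  # The same key string from two providers must not resolve to one account.
  twitter  = store.login(:twitter,  "12345", "tok-T", "sec-T")
  facebook = store.login(:facebook, "12345", "tok-F", "sec-F")

  { found_by_new_token: found_by_new_token,
    same_account:       second.id == first_id,
    stored_token:       second.token,
    providers_distinct: twitter.id != facebook.id }
end
```

Scoping the key by provider matters because a numeric id or email from one service says nothing about who holds the same value at another.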

lancejpollard commented on July 20, 2024

Fixed.

from authlogic-connect.
