Comments (5)
I just figured this out... When I started with Authlogic Connect I didn't really know the difference between OAuth and OpenID in terms of "login". Now it's becoming a bit more clear.
OAuth is not a login protocol, it turns out; it's an authentication protocol. OpenID, however, is a login protocol. Here's what I mean.
With login, we need to be able to have some piece of info about the user that's guaranteed to be unique and unchanging. With OpenID, that's the `openid_identifier`. With OAuth, we don't have that; `token` and `secret` WILL change in the following situations:
- If the user logs out and logs back in, we need to go through the OAuth process again. In Twitter, it looks like they give you the same OAuth token, so we can use that to find the database record. In Google, however, every time you log back in, it changes, so we can never find the database record!
- If you explicitly "revoke access" to our application (in Twitter, "Settings > Revoke Access"; in Google, similar), then for sure the Token and Secret will be different, so we can't find the database record now.
So, the solution that will make OAuth behave like a login protocol is to ask for that piece of unique and unchanging data from the service for the user.
In Twitter, we get this for free in the OAuth params that come back: `user_id`. In Google, we have to do more: we have to make a hacky API request and get the email address of the user, and save that. I just got this working last night.
So that's the issue you're facing. I'm learning this as I go too for sure.
I have updated a whole lot but for some reason OpenID isn't working in Rails 2.3 on my end, so once I get that back (need tests!), I will post the changes.
Best,
Lance
from authlogic-connect.
Ah, that makes sense. I had read blogs about OAuth != OpenID but didn't really understand what they meant. Now I see.
FYI, Facebook will give you the same OAuth token back like Twitter does.
As an aside, I modified the Google token under the oauth/tokens dir to only request the user's email address from that "userinfo" scope they have but don't really talk about too much. Is that the same method you're using to get the user's email address? Maybe the "hacky" code can be pushed into these token classes somehow (if that makes any sense), so an overridden method could take care of it?
from authlogic-connect.
And yes I've also not gotten OpenID to do anything for me. OpenID would be cool but is not really priority for me, I just want users to be able to use Google in ANY fashion really.
from authlogic-connect.
Alright well I might just push my changes even though OpenID isn't working for Rails 2 because I've made a lot of changes to the internal code to make things more testable. OpenID is giving me a real hard time.
What I did to make OAuth work like login is add a class "key" method that takes a block or a string. So it looks like this:
```ruby
require 'json'   # needed for JSON.parse in the Google key block

class TwitterToken < OauthToken
  # Twitter returns user_id with the access token, so the stable key is just that param
  key :user_id
  settings "http://twitter.com",
    :authorize_url => "http://twitter.com/oauth/authenticate"
end

class GoogleToken < OauthToken
  settings "https://www.google.com",
    :request_token_path => "/accounts/OAuthGetRequestToken",
    :authorize_path     => "/accounts/OAuthAuthorizeToken",
    :access_token_path  => "/accounts/OAuthGetAccessToken",
    :scope              => "https://www.google.com/m8/feeds/"

  # Google doesn't hand back a user id, so ask the contacts feed (max-results=0 keeps
  # the response small) for the feed author's email and use that as the stable key.
  key do |access_token|
    body  = JSON.parse(access_token.get("https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=0").body)
    email = body["feed"]["author"].first["email"]["$t"] # $t is some weird google json thing
    email # the value of the block is what gets stored as the key
  end
end
```
It works well enough now, and as this grows I'm sure we'll find more customizable ways to do this.
Thanks for all your input it's really helpful.
Best,
Lance
from authlogic-connect.
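The two points made in this thread, that the token/secret pair changes between logins and that the record therefore has to be found by a provider-specific stable key (Twitter's `user_id` param, Google's feed-author email), as one added example. This is not authlogic-connect's code: `OauthToken`, `key`, `UserStore` and `FakeAccessToken` are stand-ins written for this example, the Google feed JSON and the login data are constructed, and the `get` call returns a canned body instead of making an HTTP request.

```ruby
require 'json'

# Added example (not authlogic-connect's code). Shows why the user record is
# looked up by a stable provider key and not by the OAuth token/secret.

ApiResponse = Struct.new(:body)

# Stand-in for an OAuth access token: the params the provider returned with the
# access token, plus a get() that answers with a canned API body (constructed).
FakeAccessToken = Struct.new(:token, :secret, :params, :api_body) do
  def get(_url)
    ApiResponse.new(api_body)
  end
end

class OauthToken
  # key :param_name          -> read the stable id from the access-token params
  # key { |access_token| .. } -> compute the stable id, e.g. with an API call
  def self.key(param = nil, &block)
    if block
      @key_resolver = block
    elsif param
      @key_resolver = ->(access_token) { access_token.params[param.to_s] }
    end
    @key_resolver
  end

  # Resolve the stable key; refuse to proceed on an empty one so a bad API
  # response can never collapse several people into one record.
  def self.stable_key_for(access_token)
    resolver = key || raise("#{name} declares no key")
    value = resolver.call(access_token)
    raise "#{name} returned no stable key" if value.nil? || value.to_s.empty?
    value.to_s
  end
end

class TwitterToken < OauthToken
  key :user_id # Twitter sends user_id alongside the access token
end

class GoogleToken < OauthToken
  # Google sends no user id; the thread's workaround reads the contacts feed
  # author's email. Response shape assumed from the thread.
  key do |access_token|
    body = JSON.parse(access_token.get("https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=0").body)
    body["feed"]["author"].first["email"]["$t"]
  end
end

# In-memory stand-in for the users table, keyed by provider + stable key.
class UserStore
  def initialize
    @users = {}
  end

  # Find or create by the stable key, then store the newest token/secret pair.
  def find_or_create(token_class, access_token)
    id = "#{token_class.name}:#{token_class.stable_key_for(access_token)}"
    user = (@users[id] ||= { id: id, logins: 0 })
    user[:token]  = access_token.token
    user[:secret] = access_token.secret
    user[:logins] += 1
    user
  end

  # What the thread warns against: matching on the stored token.
  def find_by_token(token)
    @users.values.find { |u| u[:token] == token }
  end

  def size
    @users.size
  end
end

# Constructed sample data: the same Google account logging in twice with a new
# token/secret pair each time (as observed in the thread), and one Twitter login.
GOOGLE_FEED = JSON.generate("feed" => { "author" => [{ "email" => { "$t" => "alice@example.com" } }] })
GOOGLE_LOGIN_1 = FakeAccessToken.new("g-tok-1", "g-sec-1", {}, GOOGLE_FEED)
GOOGLE_LOGIN_2 = FakeAccessToken.new("g-tok-2", "g-sec-2", {}, GOOGLE_FEED)
TWITTER_LOGIN  = FakeAccessToken.new("t-tok", "t-sec", { "user_id" => "12345", "screen_name" => "alice" }, "")

def demo
  store  = UserStore.new
  first  = store.find_or_create(GoogleToken, GOOGLE_LOGIN_1)
  second = store.find_or_create(GoogleToken, GOOGLE_LOGIN_2)
  store.find_or_create(TwitterToken, TWITTER_LOGIN)
  {
    same_google_user:   first.equal?(second),          # matched by email, not token
    google_logins:      second[:logins],
    google_token_now:   second[:token],                # old pair has been replaced
    stale_token_lookup: store.find_by_token("g-tok-1").nil?, # token lookup misses
    twitter_key:        TwitterToken.stable_key_for(TWITTER_LOGIN),
    users:              store.size,
  }
end

puts demo.inspect if __FILE__ == $0
```

The `key :symbol` form covers providers that return an id with the token; the block form covers providers where an extra request is needed. Either way the lookup column is the resolved key, and the token/secret columns are treated as replaceable credentials, which is the behaviour the thread needs for Google.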
Fixed.
from authlogic-connect.