This has been updated on July 21st, 2009 to reflect all the latest changes.
OAuth is the great new standard that lets your users grant your application access to their accounts on other applications. I won't go into it further here, as it is well covered on the OAuth site.
Consumers and Providers
I will cover consumers in another post, but it's probably a good idea to explain the difference first:
A consumer is an application that uses another web application's data, for example a mashup. It is mainly intended for web applications, but there is nothing to stop you from writing, say, a way cool Mac client in Cocoa as well.
A provider is a web application whose data the consumer wants to access.
The classic example is a photo printing site as the consumer and a photo site (like Flickr) as the provider.
The plugin can generate an OAuth provider that supports the following out of the box:
- Users can register their own applications to receive consumer key/secret pairs.
- The provider supports standard best practices (HMAC-SHA1 signatures etc.) out of the box.
- Users can manage and revoke tokens issued in their name.
- An easy before filter provides OAuth protection on your actions.
Install the plugin
This plugin currently requires Rails 2. If someone would like to make it Rails 1.2 compatible, please feel free to submit patches.
First install the oauth gem:
sudo gem install oauth
The plugin can now be installed as a gem from GitHub, which is the easiest way to keep it up to date:
sudo gem install oauth-plugin
You should then add the following to the gem dependency section of environment.rb:
config.gem "oauth"
config.gem "oauth-plugin"
Alternatively you can install it into vendor/plugins:
script/plugin install git://github.com/pelle/oauth-plugin.git
Let's create your provider
Run the generator:
script/generate oauth_provider
The generator creates two controllers, a set of models and the views.
You now need to add a few associations to your user model:
has_many :client_applications
has_many :tokens, :class_name => "OauthToken", :order => "authorized_at desc", :include => [:client_application]
Now run your migrations and start your server:
rake db:migrate
script/server
Your OAuth provider is now up and running. Visit http://localhost:3000/oauth_clients to start registering a client application.
Protect your actions
I recommend that you think about what your users would actually want to grant access to, and limit OAuth to those actions only. For example, in a CRUD controller you should consider whether you want to let consumer applications perform the create, update or delete actions. For your application this might make sense, but for others maybe not.
If you want to give OAuth access to everything a registered user can do, just replace the filter you have in your controllers with:
before_filter :login_or_oauth_required
If you want to restrict consumers to the index and show actions of your controller, do the following:
before_filter :login_required, :except => [:show, :index]
before_filter :login_or_oauth_required, :only => [:show, :index]
If you have an action you only want used via OAuth:
before_filter :oauth_required
All of these place the token's user in current_user, as you would expect.
Please bear in mind that this is still early days and there may be some major bugs and/or changes coming. But please help me test the code.
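To make the HMAC-SHA1 "best practice" from the feature list concrete, and to show what a filter like login_or_oauth_required has to get right before it can trust an incoming request, here is a stand-alone example of OAuth 1.0 HMAC-SHA1 signing and provider-side verification. It is added code written for this post, not the oauth-plugin's or the oauth gem's implementation; the module name OAuthHmac, the Provider class, the in-memory key and token stores and the sample values are all constructed for illustration. The provider side checks the timestamp window, rejects a nonce it has already seen for that consumer, and compares the signature in constant time, which is the minimum a provider needs so that a captured request cannot simply be replayed.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Minimal OAuth 1.0 HMAC-SHA1 signing and provider-side verification.
# Hypothetical stand-alone code, not oauth-plugin's own implementation.
module OAuthHmac
  # RFC 5849 percent-encoding: unreserved bytes pass through, all others become %XX.
  def self.encode(str)
    str.to_s.b.gsub(/[^a-zA-Z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
  end

  # Signature base string: METHOD & encoded base URL & encoded sorted parameters.
  # +params+ holds query, form and oauth_* parameters together; oauth_signature is excluded.
  def self.base_string(method, url, params)
    uri = URI.parse(url)
    port = uri.port == uri.default_port ? '' : ":#{uri.port}"
    base_url = "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}"
    normalized = params.reject { |k, _| k == 'oauth_signature' }
                       .map { |k, v| [encode(k), encode(v)] }
                       .sort
                       .map { |k, v| "#{k}=#{v}" }
                       .join('&')
    [method.upcase, encode(base_url), encode(normalized)].join('&')
  end

  # HMAC-SHA1 over the base string, keyed by "consumer_secret&token_secret".
  def self.signature(method, url, params, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params)))
  end

  # Byte-wise comparison whose running time does not depend on where the strings differ.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Consumer side: add the oauth_* parameters and sign the request.
  def self.sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret, nonce:, timestamp:)
    signed = params.merge(
      'oauth_consumer_key' => consumer_key, 'oauth_token' => token,
      'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
      'oauth_nonce' => nonce, 'oauth_version' => '1.0'
    )
    signed.merge('oauth_signature' => signature(method, url, signed, consumer_secret, token_secret))
  end

  # Provider side: look up secrets, bound the timestamp, reject replayed nonces,
  # and compare the signature in constant time. Returns [ok, reason].
  class Provider
    MAX_SKEW = 300 # seconds of clock drift tolerated

    def initialize(consumers, tokens)
      @consumers = consumers # consumer key => consumer secret (constructed sample store)
      @tokens = tokens       # access token => token secret (constructed sample store)
      @seen_nonces = {}      # [consumer key, nonce] => timestamp of first use
    end

    def verify(method, url, params, now: Time.now.to_i)
      consumer_secret = @consumers[params['oauth_consumer_key']]
      return [false, 'unknown consumer'] unless consumer_secret
      token_secret = @tokens[params['oauth_token']]
      return [false, 'unknown token'] unless token_secret
      return [false, 'unsupported signature method'] unless params['oauth_signature_method'] == 'HMAC-SHA1'
      return [false, 'stale timestamp'] if (now - params['oauth_timestamp'].to_i).abs > MAX_SKEW
      nonce_key = [params['oauth_consumer_key'], params['oauth_nonce']]
      return [false, 'nonce replayed'] if @seen_nonces.key?(nonce_key)
      expected = OAuthHmac.signature(method, url, params, consumer_secret, token_secret)
      return [false, 'bad signature'] unless OAuthHmac.secure_equal?(expected, params['oauth_signature'].to_s)
      @seen_nonces[nonce_key] = now # only remember nonces from requests that actually verified
      [true, 'ok']
    end
  end
end

if $PROGRAM_NAME == __FILE__
  provider = OAuthHmac::Provider.new({ 'ckey' => 'csecret' }, { 'tkey' => 'tsecret' })
  url = 'http://localhost:3000/photos'
  req = OAuthHmac.sign_request('GET', url, { 'page' => '2' }, 'ckey', 'csecret', 'tkey', 'tsecret',
                               nonce: 'n1', timestamp: 1_248_134_400)
  p provider.verify('GET', url, req, now: 1_248_134_400)                     # first use: ok
  p provider.verify('GET', url, req, now: 1_248_134_400)                     # same request again: replay
  p provider.verify('GET', url, req.merge('page' => '3'), now: 1_248_134_400) # tampered: bad signature
end
```

The consumer key, token and secrets here are constructed sample values. Note that the nonce store in a real provider must be shared across application processes and expired after MAX_SKEW, otherwise a replay against a different server instance would still succeed.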
There are also 2 other implementations:
- Choon Keat's OAuth4R, which is a Rails plugin for creating both providers and consumers. Choon and I are talking about how we can merge things.
If your company needs help getting your OAuth strategy right or implementing OAuth in your application, I'm available for consulting work: [email protected].