OAuth2
-1. Get familiar with OmniAuth by Intridea: github.com/intridea/omniauth. Read about OAuth2.
-
Obtain client_id and client_secret for your app from Exvo.
-
Install exvo-auth gem or add it to your Gemfile.
-
Configure middleware.
In Rails, the relevant lines could look like this:
ExvoAuth::Config.client_id = "foo"
ExvoAuth::Config.client_secret = "bar"
ExvoAuth::Config.debug = true # dumps all HTTP traffic to STDERR, useful during development.
config.middleware.use ExvoAuth::Middleware
-
Add routes.
The following comes from Rails config/routes.rb file:
match "/auth/failure" => "sessions#failure"
match "/auth/interactive/callback" => "sessions#create"
match "/auth/non_interactive/callback" => "sessions#create" # only if you use json-based login
match "/sign_out" => "sessions#destroy"
Failure url is called whenever there’s a failure (d’oh). You can have separate callbacks for interactive and non-interactive callback routes but you can also route both callbacks to the same controller method like shown above.
-
Include controller helpers into your application controller.
include ExvoAuth::Controllers::Rails (or Merb)
-
Implement a sessions controller.
Sample implementation (Rails):
class SessionsController < ApplicationController
def create
auth = params[:auth] # sometimes you will need to do this: request.env["rack.request.query_hash"]["auth"]
user = User.find_or_create_by_uid(auth["uid"])
user_info = auth["user_info"]
user.update_attributes!(user_info)
sign_in_and_redirect!(user.id)
end
def destroy
sign_out_and_redirect!
end
def failure
render :text => "Sorry!"
end
end
In short: you get params. Do what you want to do with it: store the data, create session, etc.
-
Sign up and sign in paths for use in links.
sign in path: “/auth/interactive” sign up path: “/auth/interactive?x_sign_up=true” # this is OAuth2 custom param sign in path with a return address: “/auth/interactive?state=url” # using OAuth2 state param
You have a handy methods available in controllers (and views in Rails): sign_in_path and sign_up_path.
-
Read the source, there are few features not mentioned in this README.
Inter-Application Communication
You need to have “App Authorization” created by Exvo first. Contact us and provide following details:
* consumer_id - Id of an app that will be a consumer (this is you)
* provider_id - Id of the provider app
* scope - The tag associated with the api you want to use in the provider app
# Consumer side
consumer = ExvoAuth::Autonomous::Consumer.new(
:app_id => "this is client_id of the app you want to connect to"
) consumer.get(*args) - interface is exactly the same like in HTTParty. All http methods are available (post, put, delete, head, options).
# Provider side
See #authenticate_app_in_scope!(scope) method in ExvoAuth::Controllers::Rails (or Merb). This method lets you create a before filter. Scopes are used by providing app to check if a given consuming app should have access to a given resource inside a scope. If scopes are empty, then provider app should not present any resources to consumer.
# Example of the before filter for provider controller:
before_filter {|c| c.authenticate_app_in_scope!(“payments”) }
In provider controller which is just a fancy name for API controller you can use #current_app_id method to get the app_id of the app connecting.
Dejavu - replay non-GET requests after authentication redirects
Limitations:
-
doesn’t work with file uploads
-
all request params become query params when replayed