10. OAuth - Signature
• Must sign all requests
• Base string
• Consumer key
• Consumer secret
• The signature
11. OAuth - Base string
The HTTP Method is GET
The URL is http://vimeo.com/api/rest/v2/
The method is vimeo.people.getInfo
There is only one API parameter for vimeo.people.getInfo: user_id is brad
The oauth_consumer_key is abcdef0123456
The oauth_nonce is r4nd0m1234
The oauth_timestamp is 1328533189
The oauth_signature_method is HMAC
The oauth_version is 1.0
GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3Dvimeo.people.getInfo%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce%3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad
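The base string above, rebuilt and signed in Ruby. This is an added example, not code from the slides: it encodes and sorts the request parameters exactly as slide 11 lists them (signature method HMAC-SHA1), signs the result, and shows the server-side check; the consumer secret is a constructed placeholder.

```ruby
# Added example, not from the slides: build the OAuth 1.0 signature base
# string for the request on slide 11 and sign/verify it with HMAC-SHA1.
require 'openssl'
require 'base64'

# RFC 5849 section 3.6 percent-encoding: only unreserved characters
# (A-Z a-z 0-9 - . _ ~) pass through; every other byte becomes %XX.
def oauth_encode(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Base string = METHOD & encode(URL) & encode(normalized params), where the
# params are encoded first, then sorted byte-wise by key and value.
def signature_base_string(http_method, url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [http_method.to_s.upcase, oauth_encode(url), oauth_encode(normalized)].join('&')
end

# Signing key is "encode(consumer_secret)&encode(token_secret)"; the token
# secret is empty for the two-legged call on the slide.
def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key, base_string))
end

# Server side: recompute the signature and compare in constant time, so the
# check does not leak how many bytes of a forged signature were right. A real
# server also rejects reused oauth_nonce values and stale oauth_timestamps.
def valid_signature?(presented, base_string, consumer_secret, token_secret = '')
  expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
  return false unless presented.bytesize == expected.bytesize
  presented.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# The request from slide 11; the consumer secret is a constructed placeholder.
VIMEO_URL = 'http://vimeo.com/api/rest/v2/'.freeze
SLIDE_PARAMS = {
  'method' => 'vimeo.people.getInfo', 'oauth_consumer_key' => 'abcdef0123456',
  'oauth_nonce' => 'r4nd0m1234', 'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => '1328533189', 'oauth_version' => '1.0', 'user_id' => 'brad'
}.freeze
CONSUMER_SECRET = 'not-a-real-secret'.freeze
if __FILE__ == $PROGRAM_NAME
  base = signature_base_string('GET', VIMEO_URL, SLIDE_PARAMS)
  puts base, hmac_sha1_signature(base, CONSUMER_SECRET)
end
```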
15. OAuth2
• The next evolution: OAuth2
• Not backward-compatible
• IETF Draft
• Use it now!!!
• Facebook OpenGraph - Google - Microsoft
16. Why <3 OAuth2
• Clients don’t need cryptography anymore (HTTPS)
• Less complicated signatures
• Better support for non-browser apps
• Access tokens are short-lived
• Clean separation between auth server and request server
22. Omniauth basic strategy
# The "developer" strategy: no external provider, it simply asks for the
# listed fields in a form and uses :email as the uid (development only).
module OmniAuth
  module Strategies
    class Developer
      include OmniAuth::Strategy
      option :fields, [:name, :email]
      option :uid_field, :email
    end
  end
end
27. Omniauth custom OAuth2 strategy
Give more info for free!
# Unique id of the user at the provider.
uid { raw_info['id'] }

# Populate the info hash from the provider's profile; prune! (provided by
# OmniAuth::Strategy) drops keys whose value is nil or empty.
info do
  prune!({
    'screenname'  => raw_info['screenname'],
    'url'         => raw_info['url'],
    'email'       => raw_info['email'],
    'fullname'    => raw_info['fullname'],
    'description' => raw_info['description'],
    'gender'      => raw_info['gender']
  })
end

# Fetch the profile once with the access token and memoize it.
def raw_info
  @raw_info ||= access_token.get('/me', :params => {
    :fields => %w(id url email fullname description gender).join(',')
  }).parsed
end
28. Omniauth in Rails
Link an account only (no authentication)
= link_to "Link to Dailymotion", "/auth/dailymotion"
# OmniAuth redirects here once the provider has answered
match '/auth/:provider/callback', to: 'profiles#link_provider'
29. Omniauth in Rails
class ProfilesController < AuthenticatedController
  def show
  end

  # Store the provider credentials on the already signed-in user.
  def link_provider
    current_user.update_attributes_for_provider(params[:provider],
                                                auth_hash.credentials)
    redirect_to profile_path, notice: "Successfully linked to provider"
  end

  protected

  # The auth hash OmniAuth placed in the Rack environment.
  def auth_hash
    request.env['omniauth.auth']
  end
end

class User
  # ...
  # provider comes from the URL; the respond_to? guard means only setters
  # actually defined on User (e.g. dailymotion_token=) can be called.
  def update_attributes_for_provider(provider, credentials)
    credentials.each do |key, val|
      send("#{provider}_#{key}=", val) if respond_to?("#{provider}_#{key}=")
    end
    save
  end
end
30. Omniauth in Rails - Authentication with Devise
class Users::OmniauthCallbacksController < ApplicationController
  def create
    @user = User.find_or_create_for_provider(params[:provider],
                                             auth_hash)
    sign_in_and_redirect(@user, :event => :authentication)
  end

  protected

  # Same helper as in ProfilesController: the auth hash set by OmniAuth.
  def auth_hash
    request.env['omniauth.auth']
  end
end