4

I'm working on a Rails 3.2 application that will allow users to authenticate with multiple providers ... Yahoo, Google, Facebook and/or Twitter. We are using omniauth, and while I understand the basic workflow, I cannot find an inclusive document that states how each of these specific providers should be configured nor how a Rails application should be set up so that I can properly test/use these strategies in development, test and production environments.

So my questions:

  1. For each of these providers (yahoo, google, twitter, facebook), what steps are necessary to configure each one individually for omniauth so that they can be used in development, test and production environments?

  2. What is the best/recommended way to configure the Rails application to properly use each of these providers for whatever environment I'm running in?

Thanks - wg

wgpubs
  • Ok, I edited my answer accordingly. Hope I put you in the right direction! And if you have any troubles, don't forget to check Ryan Bates' Railscasts, they have been invaluable to me. http://railscasts.com/episodes/241-simple-omniauth – Ashitaka Mar 24 '12 at 17:51

2 Answers

5

As for your first question:

You need to create apps for Facebook, Google and Twitter to allow the use of their OAuth protocol. As for Yahoo, I don't know. Is Yahoo still relevant? Just kidding. For a list of all the available Omniauth provider strategies, go here.

So, Facebook:

https://developers.facebook.com/apps
Create app. You'll be given an API Key and an API Secret.
Settings > Basic > Website > Site URL:
  your_website_callback_url for production

Twitter:

https://apps.twitter.com/
Create app. You'll be given an API Key and an API Secret.
Settings > Callback URL:
  your_website_callback_url for production

Google:

https://console.developers.google.com
Create app. You'll be given an API Key and an API Secret.
Services > Select necessary services and scopes
APIs & auth > Credentials > Create New Client ID:
  http://localhost:3000/ for development/testing
  your_website_callback_url for production

Then, your Gemfile:

gem 'omniauth-facebook'
gem 'omniauth-twitter'
gem 'omniauth-google-oauth2'

Create a file to setup your strategies. The convention is naming it omniauth.rb. There are a bunch of different options available to each provider, you'll have to investigate what those are:

# config/initializers/omniauth.rb
# 'FACEBOOK_KEY', 'FACEBOOK_SECRET' and the other quoted values are placeholders
# for the key/secret pair each provider issued; load them from the environment
# rather than hard-coding them in this file.
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, 'FACEBOOK_KEY', 'FACEBOOK_SECRET', {
    secure_image_url: 'true',   # return https:// profile image URLs
    image_size: 'square'
  }

  provider :twitter, 'TWITTER_KEY', 'TWITTER_SECRET', {
    secure_image_url: 'true',
    image_size: 'normal'
  }

  provider :google_oauth2, 'GOOGLE_KEY', 'GOOGLE_SECRET', {
    image_size: 50,             # pixels
    image_aspect_ratio: 'square'
  }
end

And then follow this railscast and this wiki. You should be using environment variables like ENV['FACEBOOK_KEY'] and setting them in the console so that you can change them during runtime and so that they don't get pushed in a certain file into your repository (especially if you have a public one). Here's a solution to this problem.

Finally, you should search for each provider's gem wiki for extra info. For instance, facebook's omniauth gem readme provides an example of an authentication hash returned by Facebook when a user authenticates through Facebook. You can then use this information to customize your user model (update his full name or his image, according to what you want to do). It also mentions how you can ask for extra permissions to access user data that is not publicly available.

Edit: To answer your question:

Like I said, I really like Railscasts and I followed 2 episodes where Devise and OmniAuth were integrated. In those episodes, the omniauth-openid gem is used to authenticate with Google. The downside of it is that since you don't register an app, you can't customize the authentication prompt. With Facebook and Twitter you're able to choose a name, type a description and upload the logo of your application. You can also set links to the "Privacy" and "Terms of Use" pages on your website. All these little details will appear to the user when he tries logging in with those services and, as you can imagine, they affect your user conversion rates.

With omniauth-openid you can't customize the prompt and the information you get is limited (only the email and the name associated with the account). If that's all you need, then you're all set. If, however, you want to get the user's image, maybe access other private info only available from the user's Google+ profile, then it's probably better to just go with omniauth-google-oauth2.

The good thing about OmniAuth is that once you get the basic foundation working, adding other providers is as easy as registering an app, getting an API key and secret and including a certain gem. I'd suggest starting first with Facebook since it's the most popular service and as such is the one with the most documentation (or at least the one with more questions here on SO). From there, build on your application and add other authentication methods.

Ashitaka
  • Thanks for the thorough answer. A few questions: 1) You mention using 'omniauth-openid' for google but why not the 'omniauth-google-oauth2' or the 'omniauth-google' gems/strategies listed in the omniauth wiki? 2) Is there anything I have to configure differently with these providers so that my Rails application will work in any environment? – wgpubs Mar 24 '12 at 18:39
  • I wanted to answer you here but my response got a **bit** long winded. Check my edited answer! – Ashitaka Mar 24 '12 at 19:23
  • Last question, assuming I use the 3 separate omniauth strategies ... for which ones will I need to create duplicate applications for? For example, do I need to create TWO applications on Facebook, Twitter, and/or Google? One for development and one for production with the proper callback urls? I assume some providers will require this while others won't. – wgpubs Mar 24 '12 at 20:04
  • You don't have to create two apps. You can edit the callback url whenever you want to so you can create a single app with the url pointing to localhost, test it locally and then change the url to your website's when it is finally working. As for Twitter, there's an option called @Anywhere Domain where you can add 127.0.0.1 or localhost, I'm not sure now, and you'll always be able to test it locally. – Ashitaka Mar 24 '12 at 20:28
  • This wouldn't be the case though when you have an application in production that you are doing ongoing maintenance of, would it? I still want to test authentication in development while things are running smoothly in production. – wgpubs Mar 24 '12 at 20:42
  • That is true. If you changed your Facebook callback url, for example, then people trying to log in to your website using FB would receive a 401 error: not authorized. But Twitter lets you have more than one callback url using the @Anywhere Domains. And with Google, using the open-id gem, since you don't register an app, you don't specify any callback url so it works both in development and production. So you could always test your changes with Twitter or Google. – Ashitaka Mar 24 '12 at 20:48
  • just did. sorry for the delay. – wgpubs Apr 06 '12 at 17:44
  • @Ashitaka Hi, I am a Ruby on Rails beginner. I would like to know if omniauth can be used to identify a user uniquely even if he logs in from either Twitter, Facebook, or Google. Identify user across social media login – Jose Kj Oct 28 '18 at 11:20
0

Currently I'm putting environment specific stuff in config/initializers/devise.rb. For example Facebook:

  # config/initializers/devise.rb
  # Facebook strategy
  require "omniauth-facebook"

  Devise.setup do |config|
    # pick the key/secret pair for the current environment
    case Rails.env
    when "development"
      config.omniauth :facebook, 'xxx', 'xxx', { :scope => 'manage_pages,publish_stream,offline_access,email' }
    when "production"
      config.omniauth :facebook, 'xxx', 'xxx', { :scope => 'manage_pages,publish_stream,offline_access,email' }
    end
  end

Hope this helps you out.

Benjamin Tan Wei Hao
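One way to combine the environment-variable approach from the first answer with the per-environment switch from the second answer; this is added example code, not code from either answer. It assumes an APP_HOST variable and an optional <ENVIRONMENT>_ prefix for per-environment keys (both conventions of this example) and relies only on OmniAuth's default /auth/<provider>/callback route.

```ruby
# Added example (not code from either answer): resolves OmniAuth provider
# credentials from environment variables per Rails environment, so no key
# or secret is ever written into an initializer or committed. APP_HOST and
# the <ENVIRONMENT>_<PROVIDER>_KEY override prefix are conventions of this
# example, not of OmniAuth.
class ProviderCredentials
  # Per-provider options, as in the first answer's initializer.
  PROVIDERS = {
    facebook:      { secure_image_url: true, image_size: 'square' },
    twitter:       { secure_image_url: true, image_size: 'normal' },
    google_oauth2: { image_size: 50, image_aspect_ratio: 'square' }
  }.freeze

  # env_name: 'development', 'test' or 'production'; env: a Hash like ENV.
  def initialize(env_name, env = ENV)
    @env_name = env_name.to_s
    @env = env
  end

  # Returns [key, secret, options] for `provider name, *args_for(name)`.
  # Lookup order: PRODUCTION_FACEBOOK_KEY (a separate app for this
  # environment), then FACEBOOK_KEY (one app shared by all environments).
  # A missing value raises at boot instead of registering a strategy with
  # a nil secret.
  def args_for(name)
    opts = PROVIDERS.fetch(name) { raise ArgumentError, "unknown provider #{name}" }
    base = name.to_s.upcase.sub('_OAUTH2', '') # :google_oauth2 -> GOOGLE
    [fetch("#{base}_KEY"), fetch("#{base}_SECRET"), opts]
  end

  # The callback URL to register in the provider's app settings. OmniAuth
  # routes callbacks to /auth/<provider>/callback, so the same code yields
  # http://localhost:3000/... in development and https://APP_HOST/... in
  # production.
  def callback_url(name)
    host = @env.fetch('APP_HOST', 'localhost:3000')
    scheme = @env_name == 'production' ? 'https' : 'http'
    "#{scheme}://#{host}/auth/#{name}/callback"
  end

  private

  def fetch(var)
    scoped = "#{@env_name.upcase}_#{var}"
    value = @env[scoped] || @env[var]
    return value unless value.nil? || value.empty?
    raise KeyError, "set #{var} (or #{scoped}) before booting in #{@env_name}"
  end
end
```

Inside the OmniAuth::Builder block, `provider :facebook, *ProviderCredentials.new(Rails.env).args_for(:facebook)` registers the strategy; in the test environment, `OmniAuth.config.test_mode = true` together with `OmniAuth.config.mock_auth` lets the suite run without contacting any provider.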