License:	MIT License
Labels:	oauth, rails, ruby

Links:	OAuth OAuth GEM
Blogs:	Stake Ventures
Groups:	OAuth group OAuth Ruby

Join project

Project owners:
	pelleb, lautaarnskov
Project members:
	chris.messina, lhalff, jon.r.crosby

OAuth Plugin

This is the beginning of a plugin for implementing OAuth Providers in Rails applications.

See the OAuth specs at:

http://oauth.net/core/1.0/

and the OAuth site at:

http://oauth.net

Installation

You need to install the oauth gem (0.2.1) which is the core OAuth ruby library. It will NOT work on any previous version of the gem.

sudo gem install oauth

To install the plugin in your rails application. Go to you rails application directory and type:

./script/plugin install  http://oauth-plugin.googlecode.com/svn/trunk/oauth_plugin

The Generator currently creates code (in particular views) that only work in Rails 2.

It should not be difficult to manually modify the code to work on Rails 1.2.x

I think the only real issue is that the views have .html.erb extensions. So these could theoretically just be renamed to .rhtml.

Please let me know if this works and I will see if I can make the generator conditionally create .rhtml for pre 2.0 versions of RAILS.

Also have a look at this quick start tutorial I wrote How to turn your rails site into an OAuth Provider

Status

Changelog

What is done:

Create and authenticate RequestTokens
Exchange RequestToken for an AccessToken
Simple http wrapper built into RequestToken. This has been refactored to fit into the ActiveResource way of doing http requests.
Supports query and authorization headers
Generators to create Token AR models
Generators to create OAuth consumer and provider controllers
Uses the new official oauth gem

Still todo:

Improve error handling (it's virtually non existant)
Generator to create OAuth consumer controllers
Integrate with ActiveResource by including AccessToken support in the ActiveResource::Connection class.

Usage

There is now a generator which allows you to quickly create an oauth provider.

./script/generate oauth_provider

This does require an acts_as_authenticated type of plugin. Such as restful_authentication or the cool new restful_open_id_authentication module.

Routes

You need to add the following to your routes (config/routes.rb)

map.oauth '/oauth',:controller=>'oauth',:action=>'index'
map.authorize '/oauth/authorize',:controller=>'oauth',:action=>'authorize'
map.request_token '/oauth/request_token',:controller=>'oauth',:action=>'request_token'
map.access_token '/oauth/access_token',:controller=>'oauth',:action=>'access_token'
map.test_request '/oauth/test_request',:controller=>'oauth',:action=>'test_request'

User Model

Add the following lines to your user model:

has_many :client_applications
has_many :tokens, :class_name=>"OauthToken",:order=>"authorized_at desc",:include=>[:client_application]

Migrate database

The database is defined in:

db/migrate/XXX_create_oauth_tables.rb

Run them as any other normal migration in rails with:

rake db:migrate

The generator installs a collection of RSpec (http://rspec.info) specs instead of normal unit_tests. If you don't use RSpec (and really why aren't you?) feel free to remove the spec folder. If you would like to contribute regular unit tests I will accept them with a smile.

Protecting your actions

I recommend that you think about what your users would want to provide access to and limit oauth for those only. For example in a CRUD controller you may think about if you want to let consumer applications do the create, update or delete actions. For your application this might make sense, but for others maybe not.

If you want to give oauth access to everything a registered user can do, just replace the filter you have in your controllers with:

before_filter :login_or_oauth_required

If you want to restrict consumers to the index and show methods of your controller do the following:

before_filter :login_required,:except=>[:show,:index]
before_filter :login_or_oauth_required,:only=>[:show,:index]

If you have an action you only want used via oauth:

before_filter :oauth_required

All of these places the tokens user in current_user as you would expect. It also exposes the following methods:

current_token - for accessing the token used to authorize the current request current_client_application - for accessing information about which consumer is currently accessing your request

You could add application specific information to the OauthToken and ClientApplication model for such things as object level access control, billing, expiry etc. Be creative and you can create some really cool applications here.