# OmniAuth: Standardized Multi-Provider Authentication

[![Gem Version](http://img.shields.io/gem/v/omniauth.svg)][gem]
[![Build Status](http://img.shields.io/travis/omniauth/omniauth.svg)][travis]
[![Code Climate](https://api.codeclimate.com/v1/badges/ffd33970723587806744/maintainability)][codeclimate]
[![Coverage Status](http://img.shields.io/coveralls/omniauth/omniauth.svg)][coveralls]

[gem]: https://rubygems.org/gems/omniauth
[travis]: http://travis-ci.org/omniauth/omniauth
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth
[coveralls]: https://coveralls.io/r/omniauth/omniauth

## An Introduction

OmniAuth is a library that standardizes multi-provider authentication for
web applications. It was created to be powerful, flexible, and do as
little as possible. Any developer can create **strategies** for OmniAuth
that can authenticate users via disparate systems. OmniAuth strategies
have been created for everything from Facebook to LDAP.

In order to use OmniAuth in your applications, you will need to leverage
one or more strategies. These strategies are generally released
individually as RubyGems, and you can see a [community maintained list](https://github.com/omniauth/omniauth/wiki/List-of-Strategies)
on the wiki for this project.

One strategy, called `Developer`, is included with OmniAuth and provides
a completely insecure, non-production-usable strategy that directly
prompts a user for authentication information and then passes it
straight through. You can use it as a placeholder when you start
development and easily swap in other strategies later.

## Getting Started

Each OmniAuth strategy is a Rack Middleware. That means that you can use
it the same way that you use any other Rack middleware. For example, to
use the built-in Developer strategy in a Sinatra application you might
do this:

```ruby
require 'sinatra'
require 'omniauth'

class MyApplication < Sinatra::Base
  use Rack::Session::Cookie
  use OmniAuth::Strategies::Developer
end
```

Because OmniAuth is built for *multi-provider* authentication, you may
want to leave room to run multiple strategies. For this, the built-in
`OmniAuth::Builder` class gives you an easy way to specify multiple
strategies. Note that there is **no difference** between the following
code and using each strategy individually as middleware. This is an
example that you might put into a Rails initializer at
`config/initializers/omniauth.rb`:

```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :developer unless Rails.env.production?
  provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
end
```

You should look to the documentation for each provider you use for
specific initialization requirements.

## Integrating OmniAuth Into Your Application

OmniAuth is an extremely low-touch library. It is designed to be a
black box that you can send your application's users into when you need
authentication and then get information back. OmniAuth was intentionally
built not to automatically associate with a User model or make
assumptions about how many authentication methods you might want to use
or what you might want to do with the data once a user has
authenticated. This makes OmniAuth incredibly flexible. To use OmniAuth,
you need only to redirect users to `/auth/:provider`, where `:provider`
is the name of the strategy (for example, `developer` or `twitter`).
From there, OmniAuth will take over and take the user through the
necessary steps to authenticate them with the chosen strategy.

Once the user has authenticated, what do you do next? OmniAuth simply
sets a special hash called the Authentication Hash on the Rack
environment of a request to `/auth/:provider/callback`. This hash
contains as much information about the user as OmniAuth was able to
glean from the utilized strategy. You should set up an endpoint in your
application that matches the callback URL and then performs whatever
steps are necessary for your application. For example, in a Rails app
you would add a line in your `routes.rb` file like this:

```ruby
post '/auth/:provider/callback', to: 'sessions#create'
```

And you might then have a `SessionsController` with code that looks
something like this:

```ruby
class SessionsController < ApplicationController
  # If you're using a strategy that POSTs during callback, you'll need to skip
  # the authenticity token check for the callback action only.
  skip_before_action :verify_authenticity_token, only: :create

  def create
    @user = User.find_or_create_from_auth_hash(auth_hash)
    self.current_user = @user
    redirect_to '/'
  end

  protected

  def auth_hash
    request.env['omniauth.auth']
  end
end
```

The `omniauth.auth` key in the environment hash provides an
Authentication Hash which will contain information about the just
authenticated user including a unique id, the strategy they just used
for authentication, and personal details such as name and email address
as available. For an in-depth description of what the authentication
hash might contain, see the [Auth Hash Schema wiki page](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema).

Note that OmniAuth does not perform any actions beyond setting some
environment information on the callback request. It is entirely up to
you how you want to implement the particulars of your application's
authentication flow.
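
The `User.find_or_create_from_auth_hash` call above is left to the application. The following is an added example, not OmniAuth's or this README's own code: an in-memory stand-in that keys accounts on the strategy name plus the unique id and treats name and email as profile data only. `IdentityStore`, its error class, and both sample hashes are hypothetical and constructed for illustration.

```ruby
# Added example: an in-memory stand-in for User.find_or_create_from_auth_hash.
class IdentityStore
  class InvalidAuthHash < StandardError; end

  User = Struct.new(:id, :name, :email)

  def initialize(trusted_providers)
    @trusted = trusted_providers.map(&:to_s)
    @users = {} # [provider, uid] => User
    @next_id = 0
  end

  # `auth` is the value of request.env['omniauth.auth'].
  def find_or_create_from_auth_hash(auth)
    raise InvalidAuthHash, 'no auth hash on request' unless auth.respond_to?(:[])

    provider = auth['provider'].to_s
    uid = auth['uid'].to_s
    raise InvalidAuthHash, "untrusted provider #{provider.inspect}" unless @trusted.include?(provider)
    raise InvalidAuthHash, 'provider returned no uid' if uid.empty?

    info = auth['info'] || {}
    # The identity is (provider, uid). Name and email are profile data only:
    # a provider can assert any email, so it is never used as the lookup key.
    @users[[provider, uid]] ||= User.new(@next_id += 1, info['name'], info['email'])
  end
end

# Constructed sample hashes (string keys, shaped like the Auth Hash Schema).
TWITTER_AUTH = { 'provider' => 'twitter', 'uid' => '1001',
                 'info' => { 'name' => 'Alice', 'email' => 'alice@example.com' } }.freeze
DEVELOPER_AUTH = { 'provider' => 'developer', 'uid' => 'alice@example.com',
                   'info' => { 'name' => 'Not Alice', 'email' => 'alice@example.com' } }.freeze
```

With both providers trusted, the two sample hashes produce two separate accounts even though they carry the same email; with only `twitter` trusted, the `developer` hash is rejected.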

**Please note:** there is currently a CSRF vulnerability which affects OmniAuth (designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) that requires mitigation at the application level. More details on how to do this can be found on the [Wiki](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284).
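
The shape of an application-level mitigation, as an added example that is not OmniAuth's own code: a Rack middleware placed in front of the strategies that refuses to start the request phase unless the request is a POST carrying the session's CSRF token. The class name, the `csrf_token` session key, the `X-CSRF-Token` header check, and the default `/auth` path prefix are assumptions of this sketch.

```ruby
require 'securerandom'
require 'openssl'

# Added example: guards /auth/:provider (the request phase) and lets
# everything else, including /auth/:provider/callback, pass through.
class RequestPhaseGuard
  REQUEST_PATH = %r{\A/auth/[^/]+/?\z}

  def initialize(app)
    @app = app
  end

  # Call when rendering the sign-in form; embed the token in the POST.
  def self.issue_token(session)
    session['csrf_token'] ||= SecureRandom.hex(32)
  end

  def call(env)
    return @app.call(env) unless env['PATH_INFO'].to_s.match?(REQUEST_PATH)
    # A link or image tag on another site can only trigger a GET, so a
    # GET never starts an authentication flow.
    return deny(405, 'request phase requires POST') unless env['REQUEST_METHOD'] == 'POST'

    expected = (env['rack.session'] || {})['csrf_token'].to_s
    supplied = env['HTTP_X_CSRF_TOKEN'].to_s
    # An empty session token never matches; comparison is constant-time.
    unless !expected.empty? && OpenSSL.secure_compare(expected, supplied)
      return deny(403, 'CSRF token missing or invalid')
    end

    @app.call(env)
  end

  private

  def deny(status, message)
    [status, { 'content-type' => 'text/plain' }, [message]]
  end
end
```

In a Rails application the `omniauth-rails_csrf_protection` gem provides this protection using Rails' own authenticity token, which is the route to prefer over hand-written middleware.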
## Configuring The `origin` Param

The `origin` url parameter is typically used to inform where a user came from and where, should you choose to use it, they'd want to return to.

There are three possible options:

Default Flow:
```ruby
# /auth/twitter/?origin=[URL]
# No change
# If blank, `omniauth.origin` is set to HTTP_REFERER
```
Renaming Origin Param:
```ruby
# /auth/twitter/?return_to=[URL]
# If blank, `omniauth.origin` is set to HTTP_REFERER
provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: 'return_to'
```
Disabling Origin Param:
```ruby
# /auth/twitter
# Origin handled externally, if need be. `omniauth.origin` is not set
provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: false
```
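
Because `omniauth.origin` comes from a request parameter or, when that is blank, from `HTTP_REFERER`, an application that redirects to it after sign-in should check it first. The following is an added example, not part of OmniAuth: `safe_return_path` is a hypothetical helper that reduces the value to a same-site path and falls back to `/` otherwise; the host names in the comments are constructed.

```ruby
require 'uri'

# Added example. `origin` is request.env['omniauth.origin'], `app_host` is
# the host the application is served from (e.g. request.host).
# Returns a path (plus query) on this site, or `fallback`.
def safe_return_path(origin, app_host, fallback = '/')
  return fallback if origin.nil? || origin.strip.empty?
  # Backslashes and control characters are parsed inconsistently by browsers.
  return fallback if origin.match?(/[\\\x00-\x1f]/)

  uri = URI.parse(origin)
  if uri.host
    # Absolute or scheme-relative URL: must be http(s) and our own host.
    return fallback unless %w[http https].include?(uri.scheme)
    return fallback unless uri.host.casecmp?(app_host)
  elsif uri.scheme
    # No host but a scheme: javascript:, data:, mailto: and similar.
    return fallback
  end

  path = uri.path.to_s
  return fallback unless path.start_with?('/') && !path.start_with?('//')

  # Only the path and query are reused, so the redirect stays on this site.
  uri.query ? "#{path}?#{uri.query}" : path
rescue URI::InvalidURIError
  fallback
end

# In the callback action (sketch):
#   redirect_to safe_return_path(request.env['omniauth.origin'], request.host)
```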
## Integrating OmniAuth Into Your Rails API

The following middleware are (by default) included for session management in
Rails applications. When using OmniAuth with a Rails API, you'll need to add
one of these required middleware back in:

- `ActionDispatch::Session::CacheStore`
- `ActionDispatch::Session::CookieStore`
- `ActionDispatch::Session::MemCacheStore`

The trick to adding these back in is that, by default, they are passed
`session_options` when added (including the session key), so you can't just add
a `session_store.rb` initializer, add `use ActionDispatch::Session::CookieStore`
and have sessions functioning as normal.

To be clear: sessions may work, but your session options will be ignored
(i.e. the session key will default to `_session_id`). Instead of the
initializer, you'll have to set the relevant options somewhere
before your middleware is built (like `application.rb`) and pass them to your
preferred middleware, like this:

**application.rb:**

```ruby
config.session_store :cookie_store, key: '_interslice_session'
config.middleware.use ActionDispatch::Cookies # Required for all session management
config.middleware.use ActionDispatch::Session::CookieStore, config.session_options
```

(Thanks @mltsy)

## Logging

OmniAuth supports a configurable logger. By default, OmniAuth will log
to `STDOUT` but you can configure this using `OmniAuth.config.logger`:

```ruby
# Rails application example
OmniAuth.config.logger = Rails.logger
```
## Resources

The [OmniAuth Wiki](https://github.com/omniauth/omniauth/wiki) has
actively maintained in-depth documentation for OmniAuth. It should be
your first stop if you are wondering about a more in-depth look at
OmniAuth, how it works, and how to use it.

## Supported Ruby Versions
OmniAuth is tested under 2.1.10, 2.2.6, 2.3.3, 2.4.0, 2.5.0, and JRuby.
## Versioning

This library aims to adhere to [Semantic Versioning 2.0.0][semver]. Violations
of this scheme should be reported as bugs. Specifically, if a minor or patch
version is released that breaks backward compatibility, that version should be
immediately yanked and/or a new version should be immediately released that
restores compatibility. Breaking changes to the public API will only be
introduced with new major versions. As a result of this policy, you can (and
should) specify a dependency on this gem using the [Pessimistic Version
Constraint][pvc] with two digits of precision. For example:

```ruby
spec.add_dependency 'omniauth', '~> 1.0'
```

[semver]: http://semver.org/
[pvc]: http://guides.rubygems.org/patterns/#pessimistic-version-constraint

## License

Copyright (c) 2010-2017 Michael Bleigh and Intridea, Inc. See [LICENSE][] for
details.

[license]: LICENSE.md