2013-01-12 21:40:22 -05:00
|
|
|
# OmniAuth: Standardized Multi-Provider Authentication
|
|
|
|
|
|
|
|
[![CI Build Status](https://secure.travis-ci.org/intridea/omniauth.png?branch=master)][travis] [![Dependency Status](https://gemnasium.com/intridea/omniauth.png?travis)][gemnasium] [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/intridea/omniauth) [![Gem Version](https://badge.fury.io/rb/omniauth.png)](http://badge.fury.io/rb/omniauth)
|
2011-12-17 04:05:43 -05:00
|
|
|
|
|
|
|
[travis]: http://travis-ci.org/intridea/omniauth
|
|
|
|
[gemnasium]: https://gemnasium.com/intridea/omniauth
|
2011-09-03 20:48:27 -04:00
|
|
|
|
2011-11-02 17:04:29 -04:00
|
|
|
**OmniAuth 1.0 has several breaking changes from version 0.x. You can set
|
|
|
|
the dependency to `~> 0.3.2` if you do not wish to make the more difficult
|
|
|
|
upgrade. See [the wiki](https://github.com/intridea/omniauth/wiki/Upgrading-to-1.0)
|
|
|
|
for more information.**
|
|
|
|
|
2011-10-04 13:40:53 -04:00
|
|
|
## An Introduction
|
|
|
|
|
2011-12-28 17:23:32 -05:00
|
|
|
OmniAuth is a library that standardizes multi-provider authentication for
|
2011-10-04 13:40:53 -04:00
|
|
|
web applications. It was created to be powerful, flexible, and do as
|
|
|
|
little as possible. Any developer can create **strategies** for OmniAuth
|
|
|
|
that can authenticate users via disparate systems. OmniAuth strategies
|
|
|
|
have been created for everything from Facebook to LDAP.
|
|
|
|
|
|
|
|
In order to use OmniAuth in your applications, you will need to leverage
|
|
|
|
one or more strategies. These strategies are generally released
|
2011-12-01 11:44:50 -05:00
|
|
|
individually as RubyGems, and you can see a [community maintained list](https://github.com/intridea/omniauth/wiki/List-of-Strategies)
|
2011-10-04 13:40:53 -04:00
|
|
|
on the wiki for this project.
|
|
|
|
|
2011-10-16 19:35:37 -04:00
|
|
|
One strategy, called `Developer`, is included with OmniAuth and provides
|
2011-12-28 17:23:32 -05:00
|
|
|
a completely insecure, non-production-usable strategy that directly
|
2011-10-16 19:35:37 -04:00
|
|
|
prompts a user for authentication information and then passes it
|
2011-10-18 21:32:43 -04:00
|
|
|
straight through. You can use it as a placeholder when you start
|
|
|
|
development and easily swap in other strategies later.
|
2011-10-16 19:35:37 -04:00
|
|
|
|
|
|
|
## Getting Started
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
Each OmniAuth strategy is a Rack Middleware. That means that you can use
|
|
|
|
it the same way that you use any other Rack middleware. For example, to
|
|
|
|
use the built-in Developer strategy in a Sinatra application I might do
|
|
|
|
this:
|
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
```ruby
|
|
|
|
require 'sinatra'
|
|
|
|
require 'omniauth'
|
2011-10-04 13:40:53 -04:00
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
class MyApplication < Sinatra::Base
|
2012-01-29 15:33:56 -05:00
|
|
|
use Rack::Session::Cookie
|
2011-11-09 21:17:19 -05:00
|
|
|
use OmniAuth::Strategies::Developer
|
|
|
|
end
|
|
|
|
```
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
Because OmniAuth is built for *multi-provider* authentication, I may
|
|
|
|
want to leave room to run multiple strategies. For this, the built-in
|
|
|
|
`OmniAuth::Builder` class gives you an easy way to specify multiple
|
|
|
|
strategies. Note that there is **no difference** between the following
|
|
|
|
code and using each strategy individually as middleware. This is an
|
|
|
|
example that you might put into a Rails initializer at
|
|
|
|
`config/initializers/omniauth.rb`:
|
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
```ruby
|
|
|
|
Rails.application.config.middleware.use OmniAuth::Builder do
|
|
|
|
provider :developer unless Rails.env.production?
|
|
|
|
provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
|
|
|
|
end
|
|
|
|
```
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
You should look to the documentation for each provider you use for
|
|
|
|
specific initialization requirements.
|
|
|
|
|
|
|
|
## Integrating OmniAuth Into Your Application
|
|
|
|
|
|
|
|
OmniAuth is an extremely low-touch library. It is designed to be a
|
|
|
|
black box that you can send your application's users into when you need
|
|
|
|
authentication and then get information back. OmniAuth was intentionally
|
|
|
|
built not to automatically associate with a User model or make
|
|
|
|
assumptions about how many authentication methods you might want to use
|
|
|
|
or what you might want to do with the data once a user has
|
|
|
|
authenticated. This makes OmniAuth incredibly flexible. To use OmniAuth,
|
|
|
|
you need only to redirect users to `/auth/:provider`, where `:provider`
|
|
|
|
is the name of the strategy (for example, `developer` or `twitter`).
|
|
|
|
From there, OmniAuth will take over and take the user through the
|
|
|
|
necessary steps to authenticate them with the chosen strategy.
|
|
|
|
|
|
|
|
Once the user has authenticated, what do you do next? OmniAuth simply
|
|
|
|
sets a special hash called the Authentication Hash on the Rack
|
|
|
|
environment of a request to `/auth/:provider/callback`. This hash
|
|
|
|
contains as much information about the user as OmniAuth was able to
|
|
|
|
glean from the utilized strategy. You should set up an endpoint in your
|
|
|
|
application that matches to the callback URL and then performs whatever
|
|
|
|
steps are necessary for your application. For example, in a Rails app I
|
|
|
|
would add a line in my `routes.rb` file like this:
|
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
```ruby
|
|
|
|
match '/auth/:provider/callback', to: 'sessions#create'
|
|
|
|
```
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
And I might then have a `SessionsController` with code that looks
|
|
|
|
something like this:
|
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
```ruby
|
|
|
|
class SessionsController < ApplicationController
|
|
|
|
def create
|
|
|
|
@user = User.find_or_create_from_auth_hash(auth_hash)
|
|
|
|
self.current_user = @user
|
|
|
|
redirect_to '/'
|
|
|
|
end
|
2011-10-04 13:40:53 -04:00
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
protected
|
2011-10-04 13:40:53 -04:00
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
def auth_hash
|
|
|
|
request.env['omniauth.auth']
|
|
|
|
end
|
|
|
|
end
|
|
|
|
```
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
The `omniauth.auth` key in the environment hash gives me my
|
|
|
|
Authentication Hash which will contain information about the just
|
|
|
|
authenticated user including a unique id, the strategy they just used
|
|
|
|
for authentication, and personal details such as name and email address
|
|
|
|
as available. For an in-depth description of what the authentication
|
|
|
|
hash might contain, see the [Auth Hash Schema wiki page](https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema).
|
|
|
|
|
|
|
|
Note that OmniAuth does not perform any actions beyond setting some
|
|
|
|
environment information on the callback request. It is entirely up to
|
|
|
|
you how you want to implement the particulars of your application's
|
|
|
|
authentication flow.
|
|
|
|
|
2012-04-12 16:50:13 -04:00
|
|
|
## Logging
|
|
|
|
|
2012-05-03 16:03:21 -04:00
|
|
|
OmniAuth supports a configurable logger. By default, OmniAuth will log
|
2012-04-12 16:50:13 -04:00
|
|
|
to `STDOUT` but you can configure this using `OmniAuth.config.logger`:
|
|
|
|
|
|
|
|
```ruby
|
|
|
|
# Rails application example
|
|
|
|
OmniAuth.config.logger = Rails.logger
|
|
|
|
```
|
|
|
|
|
2012-05-03 16:03:21 -04:00
|
|
|
## Resources
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
The [OmniAuth Wiki](https://github.com/intridea/omniauth/wiki) has
|
|
|
|
actively maintained in-depth documentation for OmniAuth. It should be
|
|
|
|
your first stop if you are wondering about a more in-depth look at
|
|
|
|
OmniAuth, how it works, and how to use it.
|
|
|
|
|
2012-05-03 16:03:21 -04:00
|
|
|
## Supported Ruby Versions
|
2011-11-02 08:26:07 -04:00
|
|
|
|
2012-03-29 23:57:09 -04:00
|
|
|
OmniAuth is tested under 1.8.7, 1.9.2, 1.9.3, JRuby (1.8 mode), and Rubinius
|
|
|
|
(1.8 and 1.9 modes).
|
2011-11-02 08:26:07 -04:00
|
|
|
|
2012-12-03 00:09:08 -05:00
|
|
|
## Versioning
|
|
|
|
|
|
|
|
This library aims to adhere to [Semantic Versioning 2.0.0][semver]. Violations
|
|
|
|
of this scheme should be reported as bugs. Specifically, if a minor or patch
|
|
|
|
version is released that breaks backward compatibility, that version should be
|
|
|
|
immediately yanked and/or a new version should be immediately released that
|
|
|
|
restores compatibility. Breaking changes to the public API will only be
|
|
|
|
introduced with new major versions. As a result of this policy, you can (and
|
|
|
|
should) specify a dependency on this gem using the [Pessimistic Version
|
|
|
|
Constraint][pvc] with two digits of precision. For example:
|
|
|
|
|
|
|
|
spec.add_dependency 'omniauth', '~> 1.0'
|
|
|
|
|
|
|
|
[semver]: http://semver.org/
|
|
|
|
[pvc]: http://docs.rubygems.org/read/chapter/16#page74
|
|
|
|
|
2012-05-03 16:03:21 -04:00
|
|
|
## License
|
2012-11-17 23:33:55 -05:00
|
|
|
Copyright (c) 2010-2013 Michael Bleigh and Intridea, Inc.
|
|
|
|
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
|
|
of this software and associated documentation files (the "Software"), to deal
|
|
|
|
in the Software without restriction, including without limitation the rights
|
|
|
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
|
|
copies of the Software, and to permit persons to whom the Software is
|
|
|
|
furnished to do so, subject to the following conditions:
|
|
|
|
|
|
|
|
The above copyright notice and this permission notice shall be included in
|
|
|
|
all copies or substantial portions of the Software.
|
|
|
|
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
|
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
|
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
|
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
|
|
THE SOFTWARE.
|