2013-01-12 21:40:22 -05:00
|
|
|
# OmniAuth: Standardized Multi-Provider Authentication
|
2013-02-25 19:07:20 -05:00
|
|
|
|
2014-03-02 12:08:49 -05:00
|
|
|
[![Gem Version](http://img.shields.io/gem/v/omniauth.svg)][gem]
|
2016-08-08 15:38:28 -04:00
|
|
|
[![Build Status](http://img.shields.io/travis/omniauth/omniauth.svg)][travis]
|
|
|
|
[![Dependency Status](http://img.shields.io/gemnasium/omniauth/omniauth.svg)][gemnasium]
|
|
|
|
[![Code Climate](http://img.shields.io/codeclimate/github/omniauth/omniauth.svg)][codeclimate]
|
|
|
|
[![Coverage Status](http://img.shields.io/coveralls/omniauth/omniauth.svg)][coveralls]
|
2016-08-08 13:45:27 -04:00
|
|
|
[![Security](https://hakiri.io/github/omniauth/omniauth/master.svg)](https://hakiri.io/github/omniauth/omniauth/master)
|
2013-02-25 19:07:20 -05:00
|
|
|
|
2013-02-07 11:34:14 -05:00
|
|
|
[gem]: https://rubygems.org/gems/omniauth
|
2016-08-08 15:38:28 -04:00
|
|
|
[travis]: http://travis-ci.org/omniauth/omniauth
|
|
|
|
[gemnasium]: https://gemnasium.com/omniauth/omniauth
|
|
|
|
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth
|
|
|
|
[coveralls]: https://coveralls.io/r/omniauth/omniauth
|
2011-09-03 20:48:27 -04:00
|
|
|
|
2011-11-02 17:04:29 -04:00
|
|
|
**OmniAuth 1.0 has several breaking changes from version 0.x. You can set
|
|
|
|
the dependency to `~> 0.3.2` if you do not wish to make the more difficult
|
2016-08-08 15:38:28 -04:00
|
|
|
upgrade. See [the wiki](https://github.com/omniauth/omniauth/wiki/Upgrading-to-1.0)
|
2011-11-02 17:04:29 -04:00
|
|
|
for more information.**
|
|
|
|
|
2011-10-04 13:40:53 -04:00
|
|
|
## An Introduction
|
2011-12-28 17:23:32 -05:00
|
|
|
OmniAuth is a library that standardizes multi-provider authentication for
|
2011-10-04 13:40:53 -04:00
|
|
|
web applications. It was created to be powerful, flexible, and do as
|
|
|
|
little as possible. Any developer can create **strategies** for OmniAuth
|
|
|
|
that can authenticate users via disparate systems. OmniAuth strategies
|
|
|
|
have been created for everything from Facebook to LDAP.
|
|
|
|
|
|
|
|
In order to use OmniAuth in your applications, you will need to leverage
|
|
|
|
one or more strategies. These strategies are generally released
|
2016-08-08 15:38:28 -04:00
|
|
|
individually as RubyGems, and you can see a [community maintained list](https://github.com/omniauth/omniauth/wiki/List-of-Strategies)
|
2011-10-04 13:40:53 -04:00
|
|
|
on the wiki for this project.
|
|
|
|
|
2011-10-16 19:35:37 -04:00
|
|
|
One strategy, called `Developer`, is included with OmniAuth and provides
|
2011-12-28 17:23:32 -05:00
|
|
|
a completely insecure, non-production-usable strategy that directly
|
2011-10-16 19:35:37 -04:00
|
|
|
prompts a user for authentication information and then passes it
|
2011-10-18 21:32:43 -04:00
|
|
|
straight through. You can use it as a placeholder when you start
|
|
|
|
development and easily swap in other strategies later.
|
2011-10-16 19:35:37 -04:00
|
|
|
|
|
|
|
## Getting Started
|
2011-10-04 13:40:53 -04:00
|
|
|
Each OmniAuth strategy is a Rack Middleware. That means that you can use
|
|
|
|
it the same way that you use any other Rack middleware. For example, to
|
|
|
|
use the built-in Developer strategy in a Sinatra application I might do
|
|
|
|
this:
|
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
```ruby
|
|
|
|
require 'sinatra'
|
|
|
|
require 'omniauth'
|
2011-10-04 13:40:53 -04:00
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
class MyApplication < Sinatra::Base
|
2012-01-29 15:33:56 -05:00
|
|
|
use Rack::Session::Cookie
|
2011-11-09 21:17:19 -05:00
|
|
|
use OmniAuth::Strategies::Developer
|
|
|
|
end
|
|
|
|
```
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
Because OmniAuth is built for *multi-provider* authentication, I may
|
|
|
|
want to leave room to run multiple strategies. For this, the built-in
|
|
|
|
`OmniAuth::Builder` class gives you an easy way to specify multiple
|
|
|
|
strategies. Note that there is **no difference** between the following
|
|
|
|
code and using each strategy individually as middleware. This is an
|
|
|
|
example that you might put into a Rails initializer at
|
|
|
|
`config/initializers/omniauth.rb`:
|
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
```ruby
|
|
|
|
Rails.application.config.middleware.use OmniAuth::Builder do
|
|
|
|
provider :developer unless Rails.env.production?
|
|
|
|
provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
|
|
|
|
end
|
|
|
|
```
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
You should look to the documentation for each provider you use for
|
|
|
|
specific initialization requirements.
|
|
|
|
|
|
|
|
## Integrating OmniAuth Into Your Application
|
|
|
|
OmniAuth is an extremely low-touch library. It is designed to be a
|
|
|
|
black box that you can send your application's users into when you need
|
|
|
|
authentication and then get information back. OmniAuth was intentionally
|
|
|
|
built not to automatically associate with a User model or make
|
|
|
|
assumptions about how many authentication methods you might want to use
|
|
|
|
or what you might want to do with the data once a user has
|
|
|
|
authenticated. This makes OmniAuth incredibly flexible. To use OmniAuth,
|
|
|
|
you need only to redirect users to `/auth/:provider`, where `:provider`
|
|
|
|
is the name of the strategy (for example, `developer` or `twitter`).
|
|
|
|
From there, OmniAuth will take over and take the user through the
|
|
|
|
necessary steps to authenticate them with the chosen strategy.
|
|
|
|
|
|
|
|
Once the user has authenticated, what do you do next? OmniAuth simply
|
|
|
|
sets a special hash called the Authentication Hash on the Rack
|
|
|
|
environment of a request to `/auth/:provider/callback`. This hash
|
|
|
|
contains as much information about the user as OmniAuth was able to
|
|
|
|
glean from the utilized strategy. You should set up an endpoint in your
|
|
|
|
application that matches to the callback URL and then performs whatever
|
|
|
|
steps are necessary for your application. For example, in a Rails app I
|
|
|
|
would add a line in my `routes.rb` file like this:
|
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
```ruby
|
2013-04-16 14:25:18 -04:00
|
|
|
get '/auth/:provider/callback', to: 'sessions#create'
|
2011-11-09 21:17:19 -05:00
|
|
|
```
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
And I might then have a `SessionsController` with code that looks
|
|
|
|
something like this:
|
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
```ruby
|
|
|
|
class SessionsController < ApplicationController
|
|
|
|
def create
|
|
|
|
@user = User.find_or_create_from_auth_hash(auth_hash)
|
|
|
|
self.current_user = @user
|
|
|
|
redirect_to '/'
|
|
|
|
end
|
2011-10-04 13:40:53 -04:00
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
protected
|
2011-10-04 13:40:53 -04:00
|
|
|
|
2011-11-09 21:17:19 -05:00
|
|
|
def auth_hash
|
|
|
|
request.env['omniauth.auth']
|
|
|
|
end
|
|
|
|
end
|
|
|
|
```
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
The `omniauth.auth` key in the environment hash gives me my
|
|
|
|
Authentication Hash which will contain information about the just
|
|
|
|
authenticated user including a unique id, the strategy they just used
|
|
|
|
for authentication, and personal details such as name and email address
|
|
|
|
as available. For an in-depth description of what the authentication
|
2016-08-08 15:38:28 -04:00
|
|
|
hash might contain, see the [Auth Hash Schema wiki page](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema).
|
2011-10-04 13:40:53 -04:00
|
|
|
|
|
|
|
Note that OmniAuth does not perform any actions beyond setting some
|
|
|
|
environment information on the callback request. It is entirely up to
|
|
|
|
you how you want to implement the particulars of your application's
|
|
|
|
authentication flow.
|
|
|
|
|
2012-04-12 16:50:13 -04:00
|
|
|
## Logging
|
2012-05-03 16:03:21 -04:00
|
|
|
OmniAuth supports a configurable logger. By default, OmniAuth will log
|
2012-04-12 16:50:13 -04:00
|
|
|
to `STDOUT` but you can configure this using `OmniAuth.config.logger`:
|
|
|
|
|
|
|
|
```ruby
|
|
|
|
# Rails application example
|
|
|
|
OmniAuth.config.logger = Rails.logger
|
|
|
|
```
|
|
|
|
|
2012-05-03 16:03:21 -04:00
|
|
|
## Resources
|
2016-08-08 15:38:28 -04:00
|
|
|
The [OmniAuth Wiki](https://github.com/omniauth/omniauth/wiki) has
|
2011-10-04 13:40:53 -04:00
|
|
|
actively maintained in-depth documentation for OmniAuth. It should be
|
|
|
|
your first stop if you are wondering about a more in-depth look at
|
|
|
|
OmniAuth, how it works, and how to use it.
|
|
|
|
|
2012-05-03 16:03:21 -04:00
|
|
|
## Supported Ruby Versions
|
2017-02-04 12:29:32 -05:00
|
|
|
OmniAuth is tested under 1.9.3, 2.0.0, 2.1.10, 2.2.5, 2.3.1, and JRuby.
|
2011-11-02 08:26:07 -04:00
|
|
|
|
2012-12-03 00:09:08 -05:00
|
|
|
## Versioning
|
|
|
|
This library aims to adhere to [Semantic Versioning 2.0.0][semver]. Violations
|
|
|
|
of this scheme should be reported as bugs. Specifically, if a minor or patch
|
|
|
|
version is released that breaks backward compatibility, that version should be
|
|
|
|
immediately yanked and/or a new version should be immediately released that
|
|
|
|
restores compatibility. Breaking changes to the public API will only be
|
|
|
|
introduced with new major versions. As a result of this policy, you can (and
|
|
|
|
should) specify a dependency on this gem using the [Pessimistic Version
|
|
|
|
Constraint][pvc] with two digits of precision. For example:
|
|
|
|
|
|
|
|
spec.add_dependency 'omniauth', '~> 1.0'
|
|
|
|
|
|
|
|
[semver]: http://semver.org/
|
2016-08-26 10:13:16 -04:00
|
|
|
[pvc]: http://guides.rubygems.org/patterns/#pessimistic-version-constraint
|
2012-12-03 00:09:08 -05:00
|
|
|
|
2012-05-03 16:03:21 -04:00
|
|
|
## License
|
2017-02-04 12:29:32 -05:00
|
|
|
Copyright (c) 2010-2017 Michael Bleigh and Intridea, Inc. See [LICENSE][] for
|
2013-02-13 03:49:06 -05:00
|
|
|
details.
|
|
|
|
|
|
|
|
[license]: LICENSE.md
|