How, and why, to implement OAuth in a Rails application? [closed]

So I'm creating an app that really only communicates with one other Rails application besides some remote touch screens. The app is only available to individuals who own one of these touch screens, and an admin. Therefore, I really don't see the point in being able to sign in with Twitter, Facebook, etc. However, I need SOME sort of HTTP authentication using request/access tokens in order to 1. authenticate a user and 2. be able to derive what user is communicating with the server (and when). I've spent about a week (I'm a Rails newb) researching OAuth, OmniAuth, etc., and I'm asking two things:

  1. Because I'm authenticating between my own two sets of apps, what gem would be best for my situation?

  2. Where would I write the logic for request/access tokens?

I really can't find any good tutorials for this.

LongForde asked Dec 11 '22 12:12


1 Answer

If you don't need any kind of integration with existing identity providers, then Devise is all you need. It provides a simple way for you to manage user accounts, and users will log in using their email addresses and passwords.

It gets trickier to authenticate against another app.

Method 1

If you don't need much communication between the two apps, you can have the user login to the main app, then generate a temporary token that the user can use in the secondary app. Finally, have the secondary app include this string in all communications with the main app. Real world examples include Pivotal Tracker, which gives users an API key that they can use in web hooks on GitHub.

Trivial Example

  1. User goes to Main.com and logs in using email and password.
  2. Main.com generates a temporary token for user.
  3. User gives token to Sub.com.
  4. Sub.com contacts Main.com using <user>:<token>@main.com/some/path?some=query

There are many security issues with this, but it's good enough for non-critical use cases. You might want to use SSL to protect the tokens.

Method 2

However, Method 1 is not very secure. A more robust and secure solution is to make the main app an OAuth provider, and then have the secondary app authenticate against the main app using OAuth. Here is a Railscast that explains how to do that with DoorKeeper. You can use OmniAuth in the secondary app.

James Lim answered Dec 31 '22 13:12
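As an added example (not part of the answer above, and not Devise, DoorKeeper or Rails code), here is a plain-Ruby sketch of Method 1 that carries the guardrails the answer's "many security issues" remark points at: the token is random and time-limited, Main.com stores only its digest, the check is constant-time, and the token is bound to the user named in the `<user>:<token>` Basic credentials of step 4. The class name `TokenStore` and its methods `issue`, `authenticate`, `authenticate_basic` and `revoke` are hypothetical names chosen for this illustration.

```ruby
require "securerandom"
require "digest"
require "base64"

# Hypothetical token issuer/verifier for Method 1 (added example; TokenStore
# and its method names are assumptions, not Rails or Devise APIs).
class TokenStore
  Record = Struct.new(:user, :digest, :expires_at)
  DEFAULT_TTL = 3600 # seconds; a short lifetime limits the damage of a leaked token

  # `now` is injectable so expiry can be exercised without real waiting.
  def initialize(now: -> { Time.now })
    @now = now
    @records = []
  end

  # Step 2 from the answer: Main.com issues a random, time-limited token.
  # Only the SHA-256 digest is kept, so a copy of the store yields no live tokens.
  def issue(user, ttl: DEFAULT_TTL)
    token = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @records << Record.new(user, Digest::SHA256.hexdigest(token), @now.call + ttl)
    token
  end

  # Returns the owning user when the token is valid and unexpired, else nil.
  # Expired records are dropped on sight so they do not linger.
  def authenticate(token)
    return nil if token.nil? || token.empty?
    digest = Digest::SHA256.hexdigest(token)
    record = @records.find { |r| secure_equal?(r.digest, digest) }
    return nil if record.nil?
    if record.expires_at <= @now.call
      @records.delete(record)
      return nil
    end
    record.user
  end

  # Step 4 from the answer: Sub.com sends <user>:<token> as HTTP Basic credentials.
  # The token must be valid AND have been issued to the user named in the header;
  # otherwise a token copied from one account could be presented under another name.
  def authenticate_basic(authorization_header)
    return nil unless authorization_header&.start_with?("Basic ")
    begin
      decoded = Base64.strict_decode64(authorization_header.delete_prefix("Basic "))
    rescue ArgumentError
      return nil # malformed base64
    end
    user, token = decoded.split(":", 2)
    owner = authenticate(token)
    owner if owner && owner == user
  end

  # Invalidate a token early (logout, suspected leak). Returns true if one was removed.
  def revoke(token)
    digest = Digest::SHA256.hexdigest(token)
    !@records.reject! { |r| secure_equal?(r.digest, digest) }.nil?
  end

  private

  # Constant-time comparison: response time must not depend on how many leading
  # characters of a guess happened to match.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = TokenStore.new
  demo_token = store.issue("alice", ttl: 60) # constructed sample user
  header = "Basic " + Base64.strict_encode64("alice:#{demo_token}")
  puts "valid header -> #{store.authenticate_basic(header).inspect}"
  puts "wrong user   -> #{store.authenticate_basic("Basic " + Base64.strict_encode64("bob:#{demo_token}")).inspect}"
  store.revoke(demo_token)
  puts "after revoke -> #{store.authenticate(demo_token).inspect}"
end
```

In a real Rails app the `@records` array would be a database table keyed on the digest, `authenticate_basic` would sit in a `before_action` reading `request.authorization`, and, as the answer notes, the whole exchange only makes sense over TLS, since Basic credentials are merely base64-encoded in transit.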