Rails two-legged OAuth provider?

I have a Rails 2.3.5 application with an API I wish to protect.

There is no user; it is an app-to-app style web service (more like an Amazon service than Facebook), and so I would like to implement it using a two-legged OAuth approach.

I have been trying to use the oauth-plugin server implementation as a start:

http://github.com/pelle/oauth-plugin

...but it is built expecting three-legged (web redirect flow) OAuth.

Before I dig deeper into making changes to it to support two-legged, I wanted to see if there was an easier way, or if someone had a better approach for a Rails app to implement being a two-legged OAuth provider.

Andrew Kuklewicz, asked May 05 '10 17:05


2 Answers

Previously, the only good answer was to hack about in the oauth-plugin to get this subset of the oauth interaction. Since then, the oauth-plugin was refactored, and now you can use it straight up, just by adding the right type of authentication filter to your controller:

class ApiController < ApplicationController
  include OAuth::Controllers::ApplicationControllerMethods

  # Accept only requests signed with a consumer key/secret (two-legged);
  # :interactive => false disables the session/redirect fallback.
  oauthenticate :strategies => :two_legged, :interactive => false

  # ...
end
Andrew Kuklewicz, answered Nov 15 '22 04:11
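For readers who want to see what the `:two_legged` strategy has to verify on the server, here is an added example (not from the answer above or from oauth-plugin) of OAuth 1.0 HMAC-SHA1 request verification with no access token: the signing key is the consumer secret followed by an empty token secret, and the provider also has to reject stale timestamps and replayed nonces. The consumer registry, the `SEEN_NONCES` store and all function names are constructed for the illustration.

```ruby
require "openssl"

# Constructed consumer registry standing in for oauth-plugin's ClientApplication table.
CONSUMERS = { "demo-app-key" => "demo-app-secret" }.freeze
# Nonces already accepted, per consumer key, so a captured request cannot be replayed.
SEEN_NONCES = Hash.new { |h, k| h[k] = {} }

# RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved bytes stay as they are.
def oauth_escape(str)
  str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/n) { |c| format("%%%02X", c.ord) }
end

# Signature base string: METHOD & base URL & sorted encoded params (oauth_signature excluded).
def signature_base_string(method, url, params)
  pairs = params.reject { |k, _| k == "oauth_signature" }
                .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                .sort.map { |k, v| "#{k}=#{v}" }.join("&")
  [method.upcase, url, pairs].map { |part| oauth_escape(part) }.join("&")
end

# Two-legged HMAC-SHA1: the key is "consumer_secret&" because there is no token secret.
def hmac_sha1_signature(method, url, params, consumer_secret)
  key = "#{oauth_escape(consumer_secret)}&"
  [OpenSSL::HMAC.digest("sha1", key, signature_base_string(method, url, params))].pack("m0")
end

# Constant-time comparison so a mismatch does not reveal how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: add the oauth_* protocol parameters and sign (used here to build sample requests).
def sign_request(method, url, params, consumer_key, consumer_secret, nonce:, timestamp:)
  signed = params.merge("oauth_consumer_key" => consumer_key, "oauth_signature_method" => "HMAC-SHA1",
                        "oauth_timestamp" => timestamp.to_s, "oauth_nonce" => nonce, "oauth_version" => "1.0")
  signed.merge("oauth_signature" => hmac_sha1_signature(method, url, signed, consumer_secret))
end

# Server side: returns the consumer key when the request is authentic and fresh, nil otherwise.
def verify_two_legged(method, url, params, now: Time.now.to_i, window: 300)
  key = params["oauth_consumer_key"]
  secret = CONSUMERS[key]
  return nil unless secret && params["oauth_signature_method"] == "HMAC-SHA1"
  return nil if (now - params["oauth_timestamp"].to_i).abs > window  # stale or future-dated
  return nil if SEEN_NONCES[key][params["oauth_nonce"]]               # nonce already used
  return nil unless secure_equal?(hmac_sha1_signature(method, url, params, secret), params["oauth_signature"].to_s)
  SEEN_NONCES[key][params["oauth_nonce"]] = true
  key
end
```

In a real provider the nonce store must be shared across processes (a database table or cache with expiry), and the base URL passed to `verify_two_legged` must be reconstructed from the request without its query string.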


I'm not aware of any alternatives to oauth-plugin at the moment, though it is definitely getting long in the tooth and ripe for a replacement. My recommendation is to generate the oauth server from oauth-plugin, then extract the dependencies from the plugin (which are just a couple of modules' worth of methods) and trash the plugin. Then tweak everything to your needs. 2-legged OAuth should not be a big problem since it is simpler than 3-legged anyway, and my feeling is that oauth-plugin is not usable these days without significant modifications anyway.

The meat of OAuth has long been extracted into the base oauth gem anyway, so the oauth-plugin is sort of in limbo. The architecture makes some heavy-handed assumptions about what authentication system you are using, and the generated code is dated. So to me, oauth-plugin serves more as an example of how to wire everything up rather than something that most sites would want to use out of the box.

gtd, answered Nov 15 '22 06:11