How to use and configure omniauth with yahoo, goog

Posted 2019-03-17 02:01

Question:

I'm working on a Rails 3.2 application that will allow users to authenticate with multiple providers ... Yahoo, Google, Facebook and/or Twitter. We are using omniauth, and while I understand the basic workflow, I cannot find an inclusive document that states how each of these specific providers should be configured nor how a Rails application should be set up so that I can properly test/use these strategies in development, test and production environments.

So my questions:

  1. For each of these providers (yahoo, google, twitter, facebook), what steps are necessary to configure each one individually for omniauth so that they can be used in development, test and production environments?

  2. What is the best/recommended way to configure the Rails application to properly use each of these providers for whatever environment I'm running in?

Thanks - wg

Answer 1:

As for your first question:

You need to create apps for Facebook, Google and Twitter to allow the use of their OAuth protocol. As for Yahoo, I don't know. Is Yahoo still relevant? Just kidding. For a list of all the available Omniauth provider strategies, go here.

So, Facebook:

https://developers.facebook.com/apps
Create app. You'll be given an API Key and an API Secret.
Settings > Basic > Website > Site URL:
  your_website_callback_url for production

Twitter:

https://apps.twitter.com/
Create app. You'll be given an API Key and an API Secret.
Settings > Callback URL:
  your_website_callback_url for production

Google:

https://console.developers.google.com
Create app. You'll be given an API Key and an API Secret.
Services > Select necessary services and scopes
APIs & auth > Credentials > Create New Client ID:
  http://localhost:3000/ for development/testing
  your_website_callback_url for production

Then, your Gemfile:

gem 'omniauth-facebook'
gem 'omniauth-twitter'
gem 'omniauth-google-oauth2'

Create a file to set up your strategies. The convention is naming it omniauth.rb. There are a bunch of different options available to each provider; you'll have to investigate what those are:

# config/initializers/omniauth.rb
# Keys and secrets are read from the environment (see below) rather than
# written into the file, so they never end up in the repository.
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET'], {
    secure_image_url: true,      # return https:// avatar URLs
    image_size: 'square'
  }

  provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET'], {
    secure_image_url: true,
    image_size: 'normal'
  }

  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], {
    image_size: 50,
    image_aspect_ratio: 'square'
  }
end

And then follow this railscast and this wiki. You should be using environment variables like ENV['FACEBOOK_KEY'] and setting them in the console so that you can change them during runtime and so that they don't get pushed in a certain file into your repository (especially if you have a public one). Here's a solution to this problem.

Finally, you should search for each provider's gem wiki for extra info. For instance, facebook's omniauth gem readme provides an example of an authentication hash returned by Facebook when a user authenticates through Facebook. You can then use this information to customize your user model (update his full name or his image, according to what you want to do). It also mentions how you can ask for extra permissions to access user data that is not publicly available.

Edit: To answer your question:

Like I said, I really like Railscasts and I followed 2 episodes where Devise and OmniAuth were integrated. In those episodes, the omniauth-openid gem is used to authenticate with Google. The downside of it is that since you don't register an app, you can't customize the authentication prompt. With Facebook and Twitter you're able to choose a name, type a description and upload the logo of your application. You can also set links to the "Privacy" and "Terms of Use" pages on your website. All these little details will appear to the user when he tries logging in with those services and, as you can imagine, they affect your user conversion rates.

With omniauth-openid you can't customize the prompt and the information you get is limited (only the email and the name associated with the account). If that's all you need, then you're all set. If, however, you want to get the user's image, maybe access other private info only available from the user's Google+ profile, then it's probably better to just go with omniauth-google-oauth2.

The good thing about OmniAuth is that once you get the basic foundation working, adding other providers is as easy as registering an app, getting an API key and secret and including a certain gem. I'd suggest starting first with Facebook since it's the most popular service and as such is the one with the most documentation (or at least the one with more questions here on SO). From there, build on your application and add other authentication methods.

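An added example, not code from the answer above or from any omniauth gem, of what the callback controller should do with the authentication hash the answer refers to before it touches the user model. The sample hash is constructed in the shape documented in the omniauth-facebook README (provider, uid, info, credentials, extra); its values, the allowed-provider list and the helper names are assumptions. The checks are the ones that matter for account security: identity is the (provider, uid) pair, the email is normalized and may be absent, the avatar URL is forced to https, and linking an existing account by email is allowed only when the provider says the address is verified.

```ruby
# Added example: normalise an OmniAuth auth hash into User attributes.
# Not from the original answers; provider list, sample values and helper
# names are assumptions.

# Providers this app has registered apps with; anything else is rejected
# even if a strategy for it somehow ends up in the middleware stack.
ALLOWED_PROVIDERS = %w[facebook twitter google_oauth2].freeze

# Constructed sample, laid out like the omniauth-facebook README hash.
SAMPLE_AUTH = {
  'provider'    => 'facebook',
  'uid'         => '100000000000001',
  'info'        => {
    'email'    => 'Jane.Doe@Example.com ',
    'name'     => 'Jane Doe',
    'image'    => 'http://graph.facebook.com/100000000000001/picture?type=square',
    'verified' => true
  },
  'credentials' => {
    'token'      => 'constructed-access-token',
    'expires_at' => 1_700_000_000,
    'expires'    => true
  },
  'extra'       => { 'raw_info' => { 'id' => '100000000000001', 'verified' => true } }
}.freeze

class UntrustedAuthHash < StandardError; end

# Returns the attributes a User record needs, or raises if the hash is not
# something an account should be created from or linked to.
def user_attributes_from(auth)
  provider = auth['provider'].to_s
  uid      = auth['uid'].to_s
  unless ALLOWED_PROVIDERS.include?(provider)
    raise UntrustedAuthHash, "provider #{provider.inspect} not allowed"
  end
  raise UntrustedAuthHash, 'missing uid' if uid.empty?

  info  = auth['info'] || {}
  # Twitter returns no email; Facebook only with the `email` permission.
  # An absent email is nil, never "" (an empty string would collide on a
  # unique index and could match another user's blank record).
  email = info['email'].to_s.strip.downcase
  email = nil if email.empty?

  # Provider avatars are also served over https; never embed an http://
  # image in an https page.
  image = info['image'].to_s.sub(%r{\Ahttp://}, 'https://')

  creds = auth['credentials'] || {}
  expires_at = creds['expires_at'] ? Time.at(Integer(creds['expires_at'])).utc : nil

  {
    provider:     provider,
    uid:          uid,          # (provider, uid) is the identity key, not the email
    email:        email,
    name:         info['name'].to_s,
    image_url:    image.empty? ? nil : image,
    access_token: creds['token'],
    expires_at:   expires_at
  }
end

# Linking a freshly authenticated identity to an existing local account by
# email is only safe when the provider asserts the address is verified;
# otherwise anyone who can register an unverified address at the provider
# could take over the matching local account.
def link_by_email?(auth)
  attrs = user_attributes_from(auth)
  !attrs[:email].nil? && (auth['info'] || {})['verified'] == true
end

if __FILE__ == $PROGRAM_NAME
  p user_attributes_from(SAMPLE_AUTH)
  p link_by_email?(SAMPLE_AUTH)
end
```

In the controller this is the step between `request.env['omniauth.auth']` and `User.find_or_create_by(provider:, uid:)`. One caveat outside the answer's scope: OmniAuth 1.x of this era accepted the request phase (/auth/facebook) over GET, which made login CSRF possible (CVE-2015-9284); OmniAuth 2.0 made the request phase POST-only, and Rails applications add the omniauth-rails_csrf_protection gem and render the sign-in link as a POST form.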


Answer 2:

Currently I'm putting environment specific stuff in config/initializers/devise.rb. For example Facebook:

# config/initializers/devise.rb
Devise.setup do |config|
  # Facebook strategy
  require "omniauth-facebook"

  # 'xxx' placeholders: the development app's key/secret go in the first
  # branch, the production app's in the second.
  case Rails.env
  when "development"
    config.omniauth :facebook, 'xxx', 'xxx', { :scope => 'manage_pages,publish_stream,offline_access,email' }
  when "production"
    config.omniauth :facebook, 'xxx', 'xxx', { :scope => 'manage_pages,publish_stream,offline_access,email' }
  end
end

Hope this helps you out.
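An added example, not from either answer, of the per-environment configuration both answers describe (the `case Rails.env` above and the ENV['FACEBOOK_KEY'] advice in Answer 1), pulled out of the initializer so it can be run and tested on its own. It resolves each provider's key and secret from environment variables, refuses to let production boot with a missing or placeholder value, silently skips unconfigured providers in development and test, and derives the callback URL that has to be registered in each provider's dashboard from the environment instead of typing it per provider. The variable names, example.com, localhost:3000, the placeholder list and the function names are assumptions.

```ruby
# Added example: per-environment OmniAuth credentials from ENV.
# Not from the original answers; variable names, hosts and placeholder
# values are assumptions.

PROVIDERS = {
  facebook:      { key: 'FACEBOOK_KEY', secret: 'FACEBOOK_SECRET' },
  twitter:       { key: 'TWITTER_KEY',  secret: 'TWITTER_SECRET'  },
  google_oauth2: { key: 'GOOGLE_KEY',   secret: 'GOOGLE_SECRET'   }
}.freeze

# Values that mean "nobody configured this yet"; production must never
# start with one of them in place of a real credential.
PLACEHOLDERS = %w[xxx changeme your_key your_secret].freeze

class MissingCredential < StandardError; end

# The redirect URL registered with the provider. It must match exactly what
# the provider sends the browser back to, so derive it from the environment
# rather than maintaining one string per provider per environment.
def callback_url(provider, env, production_host: 'example.com')
  base = env == 'production' ? "https://#{production_host}" : 'http://localhost:3000'
  "#{base}/auth/#{provider}/callback"
end

# Returns [key, secret] for a provider from `source` (ENV by default; a Hash
# in tests). In production a missing or placeholder value is fatal; in
# development and test it returns nil so the strategy is simply not registered.
def credentials_for(provider, env, source = ENV)
  names  = PROVIDERS.fetch(provider)
  key    = source[names[:key]]
  secret = source[names[:secret]]
  unusable = [key, secret].any? do |v|
    v.nil? || v.strip.empty? || PLACEHOLDERS.include?(v.strip.downcase)
  end
  if unusable
    if env == 'production'
      raise MissingCredential, "#{names[:key]}/#{names[:secret]} not set for #{env}"
    end
    return nil
  end
  [key, secret]
end

# The [provider, key, secret] triples an initializer would hand to
# `provider` (OmniAuth::Builder) or `config.omniauth` (Devise).
def provider_specs(env, source = ENV)
  PROVIDERS.keys.map do |name|
    creds = credentials_for(name, env, source)
    creds && [name, *creds]
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  env = ENV['RAILS_ENV'] || 'development'
  provider_specs(env).each do |name, key, _secret|
    puts "#{name}: key=#{key[0, 4]}... callback=#{callback_url(name, env)}"
  end
end
```

In the initializer this collapses the `case Rails.env` branches to one line per provider, `provider_specs(Rails.env).each { |name, key, secret| config.omniauth name, key, secret }`, with the environment-specific values living in the environment, and a production deploy that forgot to set a variable fails at boot rather than at the first login attempt.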