Rails two-legged OAuth provider?
https://stackoverflow.com/questions/2775242
-
03-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have a rails 2.3.5 application with an API I wish to protect.
There is no user - it is an app to app style webservice (more like an Amazon service than facebook), and so I would like to implement it using a two-legged OAuth approach.
I have been trying to use the oauth-plugin server implementation as a start:
http://github.com/pelle/oauth-plugin
...but it is built expecting three-legged (web redirect flow) oauth.
Before I dig deeper into making changes to it to support two-legged, I wanted to see if there was an easier way, or if someone had a better approach for a rails app to implement being a two-legged OAuth provider.
Solution
Previously, the only good answer was to hack about in the oauth-plugin to get this subset of the oauth interaction. Since then, the oauth-plugin was refactored, and now you can use it straight up, just by adding the right type of authentication filter to your controller:
class ApiController < ApplicationController
include OAuth::Controllers::ApplicationControllerMethods
oauthenticate :strategies => :two_legged, :interactive => false
# ...
end
OTHER TIPS
I'm not aware of any alternatives to oauth-plugin at the moment, though it is definitely getting long in the tooth and ripe for a replacement. My recommendation is to generate the oauth server from oauth-plugin, then extract the dependencies from the plugin (which are just a couple modules worth of methods) and trash the plugin. Then tweak everything to your needs. 2-legged oauth should not be a big problem since it is simpler than 3-legged anyway, and my feeling is that oauth-plugin is not usable these days without significant modifications anyway.
The meat of OAuth has long been extracted into the base oauth gem anyway, so the oauth-plugin is sort of in limbo. The architecture makes some heavy-handed assumptions about what authentication system you are using, and the generated code is dated. So to me, oauth-plugin serves more as an example of how to wire everything up rather than something that most sites would want to use out of the box.
