Question

What is the best strategy for using OAuth2 authentication in development and production environments?

For example, I want to create an open source web-based GitHub client. I have registered my client as a GitHub application. According to the OAuth2 spec I have to specify a redirect URL while registering an application. What redirect_url should I use, localhost-based or the real production URL? If I use a localhost-based one (for development), my production site obviously stops working (and vice versa).

Is it safe to store client_id and client_secret in public code? If not, what is the best strategy to store them (i.e. in some config file that is not added to the source version control system)?


Solution

For Rails, I used a gem called figaro.

You define environment-specific variables (config/application.yml):

# Shared across all environments
CALENDAR_SCOPE: https://www.googleapis.com/auth/calendar

# Keys under an environment section override the shared ones for that environment
production:
  CLIENT_ID: 393sdfgsdfg.apps.googleusercontent.com
  CLIENT_SECRET: sdfgdfsgsg
  OAUTH2_REDIRECT: http://mydomain/users/auth/google_oauth2/callback
  # etc...

development:
  CLIENT_ID: 24asdfsadfas.apps.googleusercontent.com
  CLIENT_SECRET: asdfsadf
  OAUTH2_REDIRECT: http://localhost:3000/users/auth/google_oauth2/callback
  # etc....

You then use these in your code:

require 'google/api_client'

# figaro loads config/application.yml into ENV, so the values are read back
# through ENV and never appear as literals in the source
client = Google::APIClient.new({:auto_refresh_token => false})
client.authorization.scope = ENV['CALENDAR_SCOPE']
client.authorization.client_id = ENV['CLIENT_ID']
client.authorization.client_secret = ENV['CLIENT_SECRET']
client.authorization.redirect_uri = ENV['OAUTH2_REDIRECT']
# etc...

You do have to remember to set the environment when starting the server, e.g.:

thin -e production start

or

thin -e development start

You probably would want to gitignore the application.yml file.
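As an added example (not the answer's code and not figaro's own implementation), here is a minimal Ruby loader that mimics the layering the application.yml above relies on, top-level keys shared across environments with the selected environment's section overriding them (an assumption about figaro's behaviour), followed by a start-up check that refuses a missing key, a localhost redirect in production, or a non-loopback redirect that is not HTTPS. All values are constructed placeholders.

```ruby
require 'yaml'
require 'uri'

# Constructed sample in the layout of the application.yml shown above
# (placeholder values, not real credentials).
SAMPLE_YML = <<~YAML
  CALENDAR_SCOPE: https://www.googleapis.com/auth/calendar
  production:
    CLIENT_ID: PRODUCTION_CLIENT_ID_PLACEHOLDER
    CLIENT_SECRET: PRODUCTION_SECRET_PLACEHOLDER
    OAUTH2_REDIRECT: https://mydomain/users/auth/google_oauth2/callback
  development:
    CLIENT_ID: DEV_CLIENT_ID_PLACEHOLDER
    CLIENT_SECRET: DEV_SECRET_PLACEHOLDER
    OAUTH2_REDIRECT: http://localhost:3000/users/auth/google_oauth2/callback
YAML

REQUIRED_KEYS = %w[CLIENT_ID CLIENT_SECRET OAUTH2_REDIRECT].freeze

# Layer the chosen environment's section over the shared top-level keys.
def load_oauth_config(yaml_text, env)
  data = YAML.safe_load(yaml_text) || {}
  shared = data.reject { |_, v| v.is_a?(Hash) }
  section = data[env]
  raise ArgumentError, "no section for environment #{env.inspect}" unless section.is_a?(Hash)
  shared.merge(section).transform_values(&:to_s)
end

# Fail fast on an unusable or unsafe configuration: a missing or blank key,
# a localhost callback in production, or a non-loopback callback over plain
# HTTP (the authorization code would otherwise travel back unencrypted).
def validate_oauth_config(config, env)
  missing = REQUIRED_KEYS.select { |k| config[k].to_s.strip.empty? }
  raise ArgumentError, "missing #{missing.join(', ')} for #{env}" unless missing.empty?
  redirect = URI.parse(config['OAUTH2_REDIRECT'])
  loopback = %w[localhost 127.0.0.1 ::1].include?(redirect.host)
  raise ArgumentError, 'production redirect must not be localhost' if env == 'production' && loopback
  raise ArgumentError, "redirect #{redirect} must use https" if !loopback && redirect.scheme != 'https'
  config
end

# Export into ENV so the answer's ENV['CLIENT_ID'] style lookups work.
# Values already present (e.g. set by the deployment platform) take precedence.
def export_to_env(config, environment = ENV)
  config.each { |k, v| environment[k] = v unless environment.key?(k) }
  environment
end
```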

Licensed under: CC-BY-SA with attribution