OAuth Tips

5 Tips to Use OAuth

Posted by Luis Ezcurdia on Thu, Apr 18, 2013
In Software Development
Tags authentication omniauth coding ruby

As we all know, OAuth is one of the most popular methods to sign up to many websites through 3rd-party services, and at this point you probably know how to implement it with the omniauth gem. But many times we encounter some problems during the development of this fancy feature. Here are my recommendations.

Secure your API Keys

Many times we push our code to open source repos without considering that other people (with bad intentions) could read it, so we do something like this:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :twitter, '611798630625', 'c699f703f247ee23ce447850'
end

That is no reason to run and scream; just take the necessary precautions and set those values as variables inside the Rails environment:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
end

Different Keys for Environments

The reason is that some API providers, such as Facebook, don't support multiple callbacks on different URLs, so I think it is good practice to do this:

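Rails.application.config.middleware.use OmniAuth::Builder do
  # ENV values are plain strings, so the environment name goes into the variable
  # name (e.g. TWITTER_KEY_DEVELOPMENT); fetch raises KeyError if it is not set
  env = Rails.env.upcase
  provider :twitter, ENV.fetch("TWITTER_KEY_#{env}"), ENV.fetch("TWITTER_SECRET_#{env}")
end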

Yeah! I know it's a lot of configuration, but it allows you to work and test better with your 3rd-party provider.
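The two tips above ("Secure your API Keys" and "Different Keys for Environments") can be enforced with a small check, shown here as an added example that is not part of the original post. The helper names, the `TWITTER_KEY_DEVELOPMENT`-style variable naming and the sample data are assumptions made for illustration.

```ruby
# Hypothetical helper: resolve a provider's key and secret for one environment
# from variables named like TWITTER_KEY_DEVELOPMENT (assumed naming scheme).
# Missing or blank values raise at boot instead of failing during a login.
def oauth_credentials(provider, rails_env, env = ENV)
  %w[KEY SECRET].map do |part|
    name = "#{provider.to_s.upcase}_#{part}_#{rails_env.to_s.upcase}"
    value = env[name].to_s.strip
    raise KeyError, "missing OAuth setting #{name}" if value.empty?
    value
  end
end

# Matches `provider :name, 'literal', ...`, i.e. a credential typed into source.
HARDCODED_PROVIDER = /^\s*provider\s+:(\w+)\s*,\s*(['"])[^'"]+\2/

# Hypothetical pre-commit style check: returns [line_number, provider] pairs
# for every provider line whose first argument is a string literal.
def hardcoded_providers(source)
  source.each_line.with_index(1).filter_map do |line, number|
    next if line.lstrip.start_with?('#')
    match = HARDCODED_PROVIDER.match(line)
    [number, match[1]] if match
  end
end

# Constructed sample initializer: one hardcoded provider, one read from ENV.
SAMPLE_INITIALIZER = <<~RUBY
  Rails.application.config.middleware.use OmniAuth::Builder do
    provider :twitter, 'EXAMPLE_KEY', 'EXAMPLE_SECRET'
    provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET']
  end
RUBY

# Constructed sample environment: the production secret is blank on purpose.
SAMPLE_ENV = {
  'TWITTER_KEY_DEVELOPMENT' => 'dev-key', 'TWITTER_SECRET_DEVELOPMENT' => 'dev-secret',
  'TWITTER_KEY_PRODUCTION' => 'prod-key', 'TWITTER_SECRET_PRODUCTION' => '  '
}.freeze

if __FILE__ == $PROGRAM_NAME
  p hardcoded_providers(SAMPLE_INITIALIZER)
  p oauth_credentials(:twitter, 'development', SAMPLE_ENV)
  begin
    oauth_credentials(:twitter, 'production', SAMPLE_ENV)
  rescue KeyError => e
    puts e.message
  end
end
```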

Google Apps vs Google OAuth2

Since everyone has a Google account, everyone wants to use it (that's because some users feel more confident logging in through Google instead of a common social network like Facebook or Twitter). But which is the best solution?

Google Apps

For groups that use Google Apps, this is the easiest way. Include the gem:

gem 'omniauth-google-apps'

After you add the gem, you will need to require some libraries in your omniauth initializer file:

require 'openid/store/filesystem'

and because we don't need to create API keys, you will use OpenID:

provider :google_apps, store: OpenID::Store::Filesystem.new('/tmp'), domain: 'yourdomain.com'

and that will work for a specific domain name.

Google OAuth2

This is for regular Gmail accounts, but here we will need to add API keys… but where? OK, go here and get some API keys for OAuth2: https://code.google.com/apis/console. Also, don't forget to add some permissions for the Google APIs that you want to use.

The rest of the configuration for omniauth is almost the same; using the API itself will be another show.