CODEWITHSUNDEEP
ruby-on-rails-3oauth
ck3g
ck3g

Reputation: 5929

Authentication between applications using OAuth

I have two rails application running at different ports. First at 3000 and the second at 4000. Both of them use Devise gem for auth. First application plays the role of OAuth provider and the second on OAuth consumer. I've followed this and that tutorials to build my environment.

Almost all works fine. I've successfully generated key and secret for consumer application. And successfully authorize at provider application.

There are two methods at my client application:

    def auth
      @consumer = OAuth::Consumer.new 'KEY', 'SECRET', :site => "http://localhost:3000"
      @request_token = @consumer.get_request_token
      session[:request_token] = @request_token
      redirect_to @request_token.authorize_url
    end

    def auth_callback
      @request_token ||= session[:request_token]
      @access_token = @request_token.get_access_token :oauth_verifier => params[:oauth_verifier]
      @request = @access_token.get '/user_info.json'
      render :text => @request.body.inspect
   end

And API method at provider application:

    class UsersController < InheritedResources::Base
      before_filter :login_or_oauth_required
      load_and_authorize_resource

      def info
        logger.info current_user.present? # => false
        @info = {   } # here I've collect user info for current_user
        respond_to do |format|
          format.json { render :json => @info }
        end
      end
    end

Shit happens when I try getting user info at line: @request = @access_token.get '/user_info.json' When I call it in consumer application user already unauthorized at provider application.

How I can stay authorized at provider's resource?

upd: I've got current_user.present? # => false in case I pass authorization for info action (before_filter :login_or_oauth_required, :except => [:info]) otherwise I've got redirected to login page.

Upvotes: 1

Views: 872

Answers (2)

ck3g
ck3g

Reputation: 5929

The load_and_authorize_resource will deny access to info action. just add :except attribute

    load_and_authorize_resource :except => [:info]

Upvotes: 0

Felipe Elias Philipp
Felipe Elias Philipp

Reputation: 584

You don't stay authorized in the provider.

On every request to your API, you'll receive the access token (either in parameters or header), and from this token you'll be able to determine who is the current_user. There is no session among requests.

This gem may help if you need an OAuth provider.

Upvotes: 1

Related Questions