OAuth / Open Authorization (Google Edition)


How great is it not having to create and remember usernames and passwords for the many different sites we visit on a daily basis? Logging in with a pre-existing third-party account (most commonly Google, LinkedIn, Facebook, Twitter…) has become an increasingly popular feature in modern web applications. Instead of creating a new account or logging in with the username and password tied to that specific application, users can now simply opt to sign in with their Google or Twitter account.

Most, if not all, of us have seen or used this feature. In this post I’ll be discussing the technology that makes it all possible: OAuth!

What is OAuth? OAuth, or Open Authorization, is a standard that lets a user grant a third-party service access to their account information without handing that service their password. Etsy, for example, allows its users to sign in using Google's, Facebook's or Apple's authentication system.

To make use of Open Authorization, or OAuth, we can use packages such as OmniAuth (together with OmniAuth-OAuth2). OmniAuth is a Ruby package, or gem, that supports decentralized authentication in Rack-based (e.g. Rails) sites. By way of JSON Web Tokens, OmniAuth asks the identity provider* for access to the user's information, then responds with a hash in request.env['omniauth.auth'] containing the user's information. This information can then easily be passed to a database using something like Active Record, either to create a new user or to compare against existing records (when logging the user in).

*For a current list of OmniAuth authentication providers (better known as strategies) visit: https://github.com/omniauth/omniauth/wiki/List-of-Strategies.

The OmniAuth flow:

1 - A new user tries to access a page that requires them to be logged in. They are redirected to the login screen. The login page offers the options of creating a new account or logging in with Google.

2 - If the user clicks Log in with Google they are redirected to the Google sign-in page (through the appname.com/auth/google route).

3 - If the user is already signed in to Google, Google simply asks if it’s okay to allow access to their information. If they are not, they sign in as they normally would.

4 - Lastly, the user is then redirected back to the app via the appname.com/auth/google/callback route to finally access the site.

To show how to incorporate OAuth in your Rails applications I’ll use my Giving-Back project as reference…

  1. To start, add the omniauth and omniauth-google-oauth2 gems (I decided to use Google as my third-party auth provider/strategy) to your Gemfile and run bundle install.

  2. To set up the Google side, visit https://code.google.com/apis/console/ and obtain a client ID and client secret for your app.

  3. To set up our app's OAuth credentials, create a file named config/initializers/omniauth.rb and include the following lines (the credentials are read from the environment, so nothing secret lives in the file; ENV.fetch raises at boot if a variable is missing instead of silently passing nil to Google):

    Rails.application.config.middleware.use OmniAuth::Builder do
      provider :google_oauth2, ENV.fetch('GOOGLE_CLIENT_ID'), ENV.fetch('GOOGLE_CLIENT_SECRET')
    end

***Important: (dotenv-rails) Instead of hard-coding your credentials into the initializer, or exporting them by hand into the ENV hash and risking their exposure, consider using dotenv-rails; dotenv-rails is a Ruby gem that loads the variables from a local .env file into the ENV hash when the app boots.

To use dotenv-rails:

  • Add dotenv-rails to your Gemfile and run bundle install.

  • Create a .env file in the project root with the same variable names the initializer reads, and add .env to your .gitignore so the secret is never committed:

    .env

    GOOGLE_CLIENT_ID=XXXXXXXXXXX...
    GOOGLE_CLIENT_SECRET=XXXXXXXXXXXXXXXXX...

4. Now all we need to do is create our “Log in with Google” link that will initiate this process.

When a user clicks a "sign in/up with [PROVIDER]" button, a GET request is sent to the …/auth/PROVIDER route. OmniAuth intercepts this request and redirects the user to the PROVIDER's login screen. Upon successful login, the user is redirected back to the OmniAuth callback route, now with access to the site.
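To make the callback half of the flow (steps 3 and 4 above, and the request.env['omniauth.auth'] hash described earlier) concrete, here is an added example that is not code from the original post, from the Giving-Back project or from the OmniAuth gem. It simulates, without Rails, what a SessionsController#create action does once Google sends the browser back to the callback route. Assumptions: the constructed SAMPLE_AUTH hash mirrors the shape omniauth-google-oauth2 produces, the extra.raw_info.email_verified flag is assumed to be present in that strategy's output, and the User class is an in-memory stand-in for an Active Record model.

```ruby
# Added example: a Rails-free simulation of the work a SessionsController#create
# action does when Google sends the browser back to /auth/google_oauth2/callback
# and OmniAuth has populated request.env['omniauth.auth'].
# Assumptions (not from the original post): the hash shape below mirrors what
# omniauth-google-oauth2 produces, the extra.raw_info.email_verified flag is
# assumed present, and User is an in-memory stand-in for Active Record.

# Constructed sample of request.env['omniauth.auth'] as a plain string-keyed Hash
# (what OmniAuth::AuthHash#to_hash returns). All values are made up for this example.
SAMPLE_AUTH = {
  'provider'    => 'google_oauth2',
  'uid'         => '104375218932410',
  'info'        => { 'email' => 'alice@example.com', 'name' => 'Alice Example' },
  'credentials' => { 'token' => 'ya29.constructed-access-token', 'expires' => true },
  'extra'       => { 'raw_info' => { 'email_verified' => true } }
}.freeze

# Only the strategies we configured in the initializer are acceptable.
ALLOWED_PROVIDERS = %w[google_oauth2].freeze

class AuthError < StandardError; end

# In-memory stand-in for an Active Record User model with a (provider, uid) lookup.
class User
  attr_reader :id, :provider, :uid, :email, :name

  @records = []

  class << self
    attr_reader :records

    def reset!
      @records = []
    end

    def find_by(provider:, uid:)
      records.find { |u| u.provider == provider && u.uid == uid }
    end

    def create!(provider:, uid:, email:, name:)
      user = new(records.size + 1, provider: provider, uid: uid, email: email, name: name)
      records << user
      user
    end
  end

  def initialize(id, provider:, uid:, email:, name:)
    @id, @provider, @uid, @email, @name = id, provider, uid, email, name
  end
end

# Validates the auth hash and returns the matching local user, creating one on
# first login. Matching is on provider + uid (the identity Google actually
# asserts), never on e-mail alone, and unverified e-mails are rejected so that
# an unverified address at the provider cannot be tied to a local account.
def user_from_omniauth(auth)
  provider = auth['provider']
  uid      = auth['uid']
  raise AuthError, "unexpected provider #{provider.inspect}" unless ALLOWED_PROVIDERS.include?(provider)
  raise AuthError, 'missing uid in auth hash' if uid.nil? || uid.to_s.empty?
  raise AuthError, 'e-mail not verified by provider' unless auth.dig('extra', 'raw_info', 'email_verified') == true

  User.find_by(provider: provider, uid: uid) ||
    User.create!(provider: provider, uid: uid,
                 email: auth.dig('info', 'email'), name: auth.dig('info', 'name'))
end

# What the controller would put in the Rails session: only the local user id.
# The provider access token in auth['credentials'] stays out of the cookie.
def session_after_callback(auth)
  { 'user_id' => user_from_omniauth(auth).id }
end

if __FILE__ == $PROGRAM_NAME
  User.reset!
  p session_after_callback(SAMPLE_AUTH)   # => {"user_id"=>1}
end
```

In a real app the controller would call user_from_omniauth(request.env['omniauth.auth']), set session[:user_id] from the result, and redirect; an AuthError would render the login page again rather than sign anyone in. One version caveat for the request half of the flow: with OmniAuth 2.0 and later the …/auth/PROVIDER request must be a POST (typically a button_to together with the omniauth-rails_csrf_protection gem) rather than the plain GET link this post describes.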

In addition to creating a seamless user experience, OAuth lets us shift the burden of protecting our users' passwords onto someone else, someone like Google. Remember that Rails' built-in security measures do not extend to your servers, where attackers can potentially intercept requests, so a little help from someone like Google is greatly welcomed.

Thank you OAuth! Thank you OmniAuth!
