OmniAuth Single Sign On with Devise, invalid_credentials

Backend · open · 2 answers · 1476 views
孤街浪徒 2021-01-03 08:11

I have 3 web apps - A, B and C. App A contains the user database. If accessing App B and App C, I would like the user to be redirected to App A to be authenticated, and th

2 answers
  • 2021-01-03 08:48

    I have no experience with OAuth in Rails, but I'll explain the flow I used to create my own provider in Java. It should be easy to apply this in Rails. If you use Devise with OmniAuth, you need to find out how they provide OAuth support and which version.

    Basics

    • Consumer logs in to the app and gets a consumer_key and consumer_secret. This is done with a regular form, usually on a developer account.
    • (optional) Provider approves the created account

    • All OAuth requests depend on a proper OAuth header in the request. A proper header means:

      1. All oauth attributes and their values have been alphabetically sorted
      2. All keys/tokens active for the particular Consumer request are provided.
      3. The request is signed using all relevant secrets. Secrets are known to the Provider and Consumer but are not included in the header.
      4. The Provider generates the same signature. If so, the request is valid. A nonce can be used to prevent replay attacks.

    2-legged flow (consumer vs provider)

    1. Consumer requests a resource, providing consumer_key.
    2. Provider checks signature based on consumer_key and consumer_secret
    3. Access to resource is granted

    3-legged flow (person vs consumer vs provider)

    1. Consumer requests a resource, providing its consumer_key
    2. Consumer gets an unsigned oauth_token and oauth_token_secret from the Provider
    3. User (person with a user account on the Provider) logs in at the Provider to authorize the oauth_token, providing the oauth_request_token and consumer_key
    4. Consumer has an authorized request_token
    5. Consumer uses the request_token to request an access_token, providing the oauth_request_token and consumer_key
    6. Provider gives an access_token and access_token_secret for the specific resource
    7. Consumer uses the access_token to do something
    8. Provider invalidates the access_token after a certain duration
    9. Consumer uses the request_token again to get a new access_token if expired

    A decent resource for OAuth is the official site. For 3-legged examples you can have a look at the Google OAuth playground.

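The header rules and the 2-/3-legged flows described in the answer above, worked through in Ruby as an added example (not code from the answer's Java provider or from the openteam repos). It follows RFC 5849: the Consumer sorts and percent-encodes the parameters, signs the base string with HMAC-SHA1 over the consumer secret (plus the token secret in the 3-legged case), and the Provider recomputes the signature from the secrets it holds, rejects stale timestamps and refuses a nonce it has already seen. The consumer key, secrets, token names and URLs are constructed for the demo; the `Provider` class and its symbol return values are this example's own design, not any library's API.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Added example (not from the original post): an OAuth 1.0 HMAC-SHA1 signing
# round trip between a Consumer and a Provider, following RFC 5849.
module OAuth1Demo
  CONSUMER_KEY    = 'consumer_key_abc'     # constructed demo credential
  CONSUMER_SECRET = 'consumer_secret_xyz'  # constructed demo credential

  # RFC 5849 3.6 percent-encoding: only unreserved characters pass through,
  # every other byte becomes an upper-case %XX escape.
  def self.encode(value)
    value.to_s.b.gsub(/[^a-zA-Z0-9\-._~]/n) { |byte| format('%%%02X', byte.ord) }
  end

  # Signature base string: METHOD & enc(url) & enc(sorted "k=v" pairs).
  # oauth_signature itself is never part of what gets signed.
  def self.base_string(method, url, params)
    normalized = params
                 .reject { |k, _| k == 'oauth_signature' }
                 .map { |k, v| [encode(k), encode(v)] }
                 .sort
                 .map { |k, v| "#{k}=#{v}" }
                 .join('&')
    [method.to_s.upcase, encode(url), encode(normalized)].join('&')
  end

  # Signing key is enc(consumer_secret)&enc(token_secret); the secrets never
  # travel in the request, only this HMAC over the base string does.
  def self.sign(method, url, params, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key,
                                                base_string(method, url, params)))
  end

  # Consumer side: build the oauth_* header attributes and sign the request.
  # Passing token/token_secret turns this into the 3-legged variant.
  def self.consumer_request(method, url, query, consumer_key, consumer_secret,
                            token: nil, token_secret: '',
                            nonce: SecureRandom.hex(16), timestamp: Time.now.to_i)
    oauth = {
      'oauth_consumer_key'     => consumer_key,
      'oauth_nonce'            => nonce,
      'oauth_signature_method' => 'HMAC-SHA1',
      'oauth_timestamp'        => timestamp.to_s,
      'oauth_version'          => '1.0'
    }
    oauth['oauth_token'] = token if token
    oauth['oauth_signature'] = sign(method, url, query.merge(oauth), consumer_secret, token_secret)
    { method: method, url: url, query: query, oauth: oauth }
  end

  # Provider side: recompute the signature from the secrets it holds and reject
  # stale timestamps and reused nonces (the replay protection the answer mentions).
  class Provider
    def initialize(consumers, token_secrets = {}, window: 300)
      @consumers     = consumers      # consumer_key => consumer_secret
      @token_secrets = token_secrets  # oauth_token  => token_secret
      @seen_nonces   = {}             # [consumer_key, nonce] => request timestamp
      @window        = window         # seconds of clock skew tolerated
    end

    # Returns :ok or a symbol naming the first check that failed.
    def verify(request, now: Time.now.to_i)
      oauth  = request[:oauth]
      secret = @consumers[oauth['oauth_consumer_key']]
      return :unknown_consumer unless secret
      return :bad_signature_method unless oauth['oauth_signature_method'] == 'HMAC-SHA1'

      ts = oauth['oauth_timestamp'].to_i
      return :stale_timestamp if (now - ts).abs > @window

      token_secret = oauth.key?('oauth_token') ? @token_secrets[oauth['oauth_token']] : ''
      return :unknown_token if token_secret.nil?

      expected = OAuth1Demo.sign(request[:method], request[:url], request[:query].merge(oauth),
                                 secret, token_secret)
      return :bad_signature unless secure_compare(expected, oauth['oauth_signature'].to_s)

      # Nonces older than the window can be forgotten: the timestamp check already rejects them.
      @seen_nonces.delete_if { |_, seen_at| now - seen_at > @window }
      nonce_key = [oauth['oauth_consumer_key'], oauth['oauth_nonce']]
      return :replayed_nonce if @seen_nonces.key?(nonce_key)

      @seen_nonces[nonce_key] = ts
      :ok
    end

    private

    # Constant-time comparison so signature checks do not leak via timing.
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
    end
  end
end
```

The signature is checked before the nonce is recorded, so an attacker who cannot forge signatures cannot burn nonces for a legitimate consumer; a replay of a valid request is rejected within the window, and outside the window by the timestamp check.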
  • 2021-01-03 09:04

    I've found two issues:

    1. Since version 0.2.1, omniauth has changed the auth parameter name from access_token to oauth_token when fetching access (the POST /oauth/token request).
    2. Since version 0.3.0, omniauth has changed the method of passing oauth_token in the auth request (GET /auth/josh_id/user.json). Prior to 0.3.0 the token was passed through the request parameter oauth_token, but since 0.3.0 it is passed through the HTTP_AUTHORIZATION header.

    I don't know how to nicely get the token from the header (I think it can be fetched by Devise), so I made an ugly hack in the client to send oauth_token through a GET parameter like this (in lib/josh_id.rb):

    # Override of the strategy's raw_info: the token is appended to the query
    # string as well, because the provider only reads the oauth_token parameter.
    def raw_info
      @raw_info ||= access_token.get("/auth/josh_id/user.json?oauth_token=#{access_token.token}").parsed
    end


    You can find fully working code in our GitHub repos:

    • https://github.com/openteam/sso-devise-omniauth-client
    • https://github.com/openteam/sso-devise-omniauth-provider
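The provider-side counterpart to the hack above, as an added example that is not code from the answer or from the openteam repositories: instead of forcing the client to put the token back into the query string, the user.json endpoint on App A can accept the token from the HTTP_AUTHORIZATION header (what clients send since 0.3.0) and fall back to the oauth_token query parameter (what older clients send). The token store, the user record and the `SsoTokenLookup` module are constructed for the demo, and the accepted header schemes (`Bearer` and `OAuth`) are an assumption about what the client library emits. The query-string fallback exists only for compatibility: a token in a URL ends up in access logs and Referer headers, so the header path is the one to prefer.

```ruby
require 'cgi'
require 'json'

# Added example (not the openteam provider's own code): provider-side token
# lookup for GET /auth/josh_id/user.json that accepts both transports.
module SsoTokenLookup
  # Constructed token store for the demo: access token => user attributes.
  TOKENS = { 'tok_123' => { 'uid' => '42', 'email' => 'alice@example.com' } }.freeze

  # Reads a Rack-style env hash (only HTTP_AUTHORIZATION and QUERY_STRING are
  # used, so there is no Rack dependency). Returns [token, :header] or
  # [token, :query], or nil when no token is present. The header wins, matching
  # the >= 0.3.0 client; the query parameter is the pre-0.3.0 fallback.
  # Assumption: clients use the "Bearer" or "OAuth" scheme in the header.
  def self.token_from_env(env)
    header = env['HTTP_AUTHORIZATION'].to_s
    if (m = header.match(/\A(?:Bearer|OAuth)\s+(\S+)\z/i))
      return [m[1], :header]
    end
    token = CGI.parse(env['QUERY_STRING'].to_s)['oauth_token']&.first
    return [token, :query] if token && !token.empty?
    nil
  end

  # Rack-style [status, headers, body] for the user.json endpoint: 401 when the
  # token is absent or unknown (the error the client then reports as a failed
  # callback), otherwise the user record as JSON.
  def self.user_json_endpoint(env, tokens = TOKENS)
    token, _source = token_from_env(env)
    user = token && tokens[token]
    headers = { 'Content-Type' => 'application/json' }
    return [401, headers, [{ 'error' => 'invalid_token' }.to_json]] unless user
    [200, headers, [user.to_json]]
  end
end
```

With this in place the client's raw_info can go back to calling `access_token.get("/auth/josh_id/user.json")` and let the library send the header.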