omniauth-googlefederated 0.1.2
Sign up to get free protection for your applications and to get access to all the features.
- data/.gitignore +4 -0
- data/Gemfile +8 -0
- data/LICENSE +22 -0
- data/README.md +45 -0
- data/Rakefile +10 -0
- data/lib/omniauth-googlefederated.rb +2 -0
- data/lib/omniauth-googlefederated/version.rb +5 -0
- data/lib/omniauth/strategies/google_federated.rb +58 -0
- data/lib/omniauth/strategies/google_federated.rb.backup +168 -0
- data/omniauth-googlefederated.gemspec +24 -0
- metadata +57 -0
data/.gitignore
ADDED
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
Copyright (c) 2012 Henry Liu
|
2
|
+
|
3
|
+
MIT License
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
6
|
+
a copy of this software and associated documentation files (the
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
11
|
+
the following conditions:
|
12
|
+
|
13
|
+
The above copyright notice and this permission notice shall be
|
14
|
+
included in all copies or substantial portions of the Software.
|
15
|
+
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,45 @@
|
|
1
|
+
# OmniAuth Google Federated (Hybrid OpenID+OAuth) #
|
2
|
+
|
3
|
+
Hybrid authentication and authorization strategy for Google APIs. Combines the process for obtaining an authorized OAuth request token along with an OpenID authentication request. Based on the work of [Boy van Amstel](http://blog.boyvanamstel.nl/2011/07/omniauth-strategy-for-google-openidoauth-hybrid-protocol-login/). Unfortunately, OmniAuth 1.0 introduced significant [infrastructure changes](https://github.com/intridea/omniauth/wiki/Upgrading-to-1.0), so some modifications and updates were needed.
|
4
|
+
|
5
|
+
From the [Google API Docs](http://code.google.com/apis/accounts/docs/OpenID.html):
|
6
|
+
|
7
|
+
> The goal of OAuth is to acquire an access token from Google, which can then be used to exchange user-specific data with a Google service (such as calendar information or an address book). The regular OAuth process is a four-step sequence: (1) ask for a "request" token, (2) ask for the token to be authorized, which triggers user approval, (3) exchange the authorized request token for an "access" token, and (4) use the access token to interact with the user's Google service data. For a more detailed description, see OAuth for Web Applications.
|
8
|
+
> With OpenID+OAuth, this sequence remains essentially the same. The difference is that getting an authorized OAuth request token (steps 1 and 2) is wrapped up in the OpenID authentication request. In this way, the user can approve login and service access at the same time.
|
9
|
+
|
10
|
+
## Installation ##
|
11
|
+
Add to `Gemfile`:
|
12
|
+
|
13
|
+
```ruby
|
14
|
+
gem 'omniauth-googlefederated'
|
15
|
+
```
|
16
|
+
|
17
|
+
In Ruby 1.9.2, there is a bug in the interpreter that causes a segfault when using 'zip' on enumerables of bytes. As of January 30, 2012, this hasn't been fixed yet, so you need to use a fork of ruby-openid instead:
|
18
|
+
|
19
|
+
```ruby
|
20
|
+
gem 'ruby-openid', :git => 'git://github.com/liuhenry/ruby-openid.git'
|
21
|
+
```
|
22
|
+
Then run `bundle install`.
|
23
|
+
|
24
|
+
## Usage ##
|
25
|
+
|
26
|
+
For Devise, you need to configure `app/config/initializers/devise.rb`.
|
27
|
+
|
28
|
+
```ruby
|
29
|
+
config.omniauth :GoogleFederated,
|
30
|
+
:store => OpenID::Store::Filesystem.new('/tmp'),
|
31
|
+
:name => 'GoogleFederated',
|
32
|
+
:identifier => 'https://www.google.com/accounts/o8/id',
|
33
|
+
:consumer_key => GMAIL_KEY,
|
34
|
+
:consumer_secret => GMAIL_SECRET,
|
35
|
+
:scope => ["http(s)://www.google.com/calendar/feeds/", "https://www.google.com/m8/feeds/"],
|
36
|
+
:require => 'omniauth-googlefederated',
|
37
|
+
:client_options => {:ssl => {:ca_file => '/usr/lib/ssl/certs/ca-certificates.crt'}}
|
38
|
+
```
|
39
|
+
|
40
|
+
The returned information is accessible in the omniauth.auth hash:
|
41
|
+
|
42
|
+
```ruby
|
43
|
+
data = request.env["omniauth.auth"].info # OpenID login information
|
44
|
+
oauth = request.env["omniauth.auth"].credentials # OAuth credentials
|
45
|
+
```
|
data/Rakefile
ADDED
@@ -0,0 +1,58 @@
|
|
1
|
+
require 'omniauth'
|
2
|
+
require 'rack/openid'
|
3
|
+
require 'omniauth-openid'
|
4
|
+
|
5
|
+
module OmniAuth
|
6
|
+
module Strategies
|
7
|
+
class GoogleFederated < OmniAuth::Strategies::OpenID
|
8
|
+
include OmniAuth::Strategy
|
9
|
+
|
10
|
+
|
11
|
+
protected
|
12
|
+
|
13
|
+
def dummy_app
|
14
|
+
lambda{|env| [401, {"WWW-Authenticate" => Rack::OpenID.build_header(
|
15
|
+
:identifier => identifier,
|
16
|
+
:return_to => callback_url,
|
17
|
+
:required => @options[:required],
|
18
|
+
:optional => @options[:optional],
|
19
|
+
:"oauth[consumer]" => @options[:consumer_key],
|
20
|
+
:"oauth[scope]" => @options[:scope],
|
21
|
+
:method => 'post'
|
22
|
+
)}, []]}
|
23
|
+
end
|
24
|
+
|
25
|
+
def auth_hash
|
26
|
+
# Based on https://gist.github.com/569650 by nov
|
27
|
+
oauth_response = ::OpenID::OAuth::Response.from_success_response(@openid_response)
|
28
|
+
|
29
|
+
consumer = ::OAuth::Consumer.new(
|
30
|
+
@options[:consumer_key],
|
31
|
+
@options[:consumer_secret],
|
32
|
+
:site => 'https://www.google.com',
|
33
|
+
:access_token_path => '/accounts/OAuthGetAccessToken'
|
34
|
+
)
|
35
|
+
request_token = ::OAuth::RequestToken.new(
|
36
|
+
consumer,
|
37
|
+
oauth_response.request_token,
|
38
|
+
"" # OAuth request token secret is also blank in OpenID/OAuth Hybrid
|
39
|
+
)
|
40
|
+
@access_token = request_token.get_access_token
|
41
|
+
|
42
|
+
OmniAuth::Utils.deep_merge(super(), {
|
43
|
+
'uid' => @openid_response.display_identifier,
|
44
|
+
'user_info' => user_info,
|
45
|
+
'credentials' => {
|
46
|
+
'scope' => @options[:scope],
|
47
|
+
'token' => @access_token.token,
|
48
|
+
'secret' => @access_token.secret
|
49
|
+
}
|
50
|
+
})
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
OmniAuth.config.add_camelization 'googlefederated', 'GoogleFederated'
|
57
|
+
OmniAuth.config.add_camelization 'google_fedreated', 'GoogleFederated'
|
58
|
+
OmniAuth.config.add_camelization 'Google_Federated', 'GoogleFederated'
|
@@ -0,0 +1,168 @@
|
|
1
|
+
require 'omniauth'
|
2
|
+
require 'openid'
|
3
|
+
require 'rack/openid'
|
4
|
+
require 'openid/extensions/sreg'
|
5
|
+
require 'openid/extensions/ax'
|
6
|
+
require 'openid/extensions/oauth'
|
7
|
+
require 'openid/store/memory'
|
8
|
+
|
9
|
+
module OmniAuth
|
10
|
+
module Strategies
|
11
|
+
class GoogleFederated
|
12
|
+
include OmniAuth::Strategy
|
13
|
+
|
14
|
+
AX = {
|
15
|
+
:email => 'http://axschema.org/contact/email',
|
16
|
+
:name => 'http://axschema.org/namePerson',
|
17
|
+
:nickname => 'http://axschema.org/namePerson/friendly',
|
18
|
+
:first_name => 'http://axschema.org/namePerson/first',
|
19
|
+
:last_name => 'http://axschema.org/namePerson/last',
|
20
|
+
:city => 'http://axschema.org/contact/city/home',
|
21
|
+
:state => 'http://axschema.org/contact/state/home',
|
22
|
+
:website => 'http://axschema.org/contact/web/default',
|
23
|
+
:image => 'http://axschema.org/media/image/aspect11'
|
24
|
+
}
|
25
|
+
|
26
|
+
option :name, :google_federated
|
27
|
+
option :required, [AX[:email], AX[:name], AX[:first_name], AX[:last_name], 'email', 'fullname']
|
28
|
+
option :optional, [AX[:nickname], AX[:city], AX[:state], AX[:website], AX[:image], 'postcode', 'nickname']
|
29
|
+
option :store, ::OpenID::Store::Memory.new
|
30
|
+
option :identifier, nil
|
31
|
+
option :identifier_param, 'openid_url'
|
32
|
+
option :consumer_key, nil
|
33
|
+
option :consumer_key_param, 'openid_oauth_consumer'
|
34
|
+
option :consumer_secret, nil
|
35
|
+
option :scope, nil
|
36
|
+
option :scope_param, 'openid_oauth_scope'
|
37
|
+
|
38
|
+
def identifier
|
39
|
+
i = options.identifier || request.params[options.identifier_param.to_s]
|
40
|
+
i = nil if i == ''
|
41
|
+
i
|
42
|
+
end
|
43
|
+
|
44
|
+
def consumer_key
|
45
|
+
i = options.consumer_key || request.params[options.consumer_key_param.to_s]
|
46
|
+
i = nil if i == ''
|
47
|
+
i
|
48
|
+
end
|
49
|
+
|
50
|
+
def consumer_secret
|
51
|
+
i = options.consumer_secret || request.params[options.consumer_secret_params.to_s]
|
52
|
+
i = nil if i == ''
|
53
|
+
i
|
54
|
+
end
|
55
|
+
|
56
|
+
def scope
|
57
|
+
i = options.scope || request.params[options.consumer_secret_param.to_s]
|
58
|
+
i = nil if i == ''
|
59
|
+
i
|
60
|
+
end
|
61
|
+
|
62
|
+
def dummy_app
|
63
|
+
lambda{|env| [401, {"WWW-Authenticate" => Rack::OpenID.build_header(
|
64
|
+
:identifier => identifier,
|
65
|
+
:return_to => callback_url,
|
66
|
+
:required => options.required,
|
67
|
+
:optional => options.optional,
|
68
|
+
:"oauth[consumer]" => consumer_key,
|
69
|
+
:"oauth[scope]" => scope,
|
70
|
+
:method => 'post'
|
71
|
+
)}, []]}
|
72
|
+
end
|
73
|
+
|
74
|
+
def request_phase
|
75
|
+
identifier ? start : get_identifier
|
76
|
+
end
|
77
|
+
|
78
|
+
def start
|
79
|
+
openid = Rack::OpenID.new(dummy_app, options[:store])
|
80
|
+
response = openid.call(env)
|
81
|
+
case env['rack.openid.response']
|
82
|
+
when Rack::OpenID::MissingResponse, Rack::OpenID::TimeoutResponse
|
83
|
+
fail!(:connection_failed)
|
84
|
+
else
|
85
|
+
oauth_response = ::OpenID::OAuth::Response.from_success_response(env['rack.openid.response'])
|
86
|
+
p oauth_response
|
87
|
+
if oauth_response.request_token
|
88
|
+
consumer = OAuth::Consumer.new(
|
89
|
+
consumer_key,
|
90
|
+
consumer_secret,
|
91
|
+
:site => 'https://www.google.com',
|
92
|
+
:access_token_path => '/accounts/OAuthGetAccessToken'
|
93
|
+
)
|
94
|
+
request_token = OAuth::RequestToken.new(
|
95
|
+
consumer,
|
96
|
+
oauth_response.reqest_token,
|
97
|
+
"" # OAuth request token secret is also blank in OpenID/OAuth Hybrid
|
98
|
+
)
|
99
|
+
access_token = request_token.get_access_token
|
100
|
+
else
|
101
|
+
fail!(:connection_failed)
|
102
|
+
end
|
103
|
+
end
|
104
|
+
end
|
105
|
+
|
106
|
+
def get_identifier
|
107
|
+
f = OmniAuth::Form.new(:title => 'OpenID Authentication')
|
108
|
+
f.label_field('OpenID Identifier', options.identifier_param)
|
109
|
+
f.input_field('url', options.identifier_param)
|
110
|
+
f.to_response
|
111
|
+
end
|
112
|
+
|
113
|
+
uid { openid_response.display_identifier }
|
114
|
+
|
115
|
+
info do
|
116
|
+
sreg_user_info.merge(ax_user_info)
|
117
|
+
end
|
118
|
+
|
119
|
+
extra do
|
120
|
+
{'response' => openid_response}
|
121
|
+
end
|
122
|
+
|
123
|
+
def callback_phase
|
124
|
+
return fail!(:invalid_credentials) unless openid_response && openid_response.status == :success
|
125
|
+
super
|
126
|
+
end
|
127
|
+
|
128
|
+
def openid_response
|
129
|
+
unless @openid_response
|
130
|
+
openid = Rack::OpenID.new(lambda{|env| [200,{},[]]}, options[:store])
|
131
|
+
openid.call(env)
|
132
|
+
@openid_response = env.delete('rack.openid.response')
|
133
|
+
end
|
134
|
+
@openid_response
|
135
|
+
end
|
136
|
+
|
137
|
+
def sreg_user_info
|
138
|
+
sreg = ::OpenID::SReg::Response.from_success_response(openid_response)
|
139
|
+
return {} unless sreg
|
140
|
+
{
|
141
|
+
'email' => sreg['email'],
|
142
|
+
'name' => sreg['fullname'],
|
143
|
+
'location' => sreg['postcode'],
|
144
|
+
'nickname' => sreg['nickname']
|
145
|
+
}.reject{|k,v| v.nil? || v == ''}
|
146
|
+
end
|
147
|
+
|
148
|
+
def ax_user_info
|
149
|
+
ax = ::OpenID::AX::FetchResponse.from_success_response(openid_response)
|
150
|
+
return {} unless ax
|
151
|
+
{
|
152
|
+
'email' => ax.get_single(AX[:email]),
|
153
|
+
'first_name' => ax.get_single(AX[:first_name]),
|
154
|
+
'last_name' => ax.get_single(AX[:last_name]),
|
155
|
+
'name' => (ax.get_single(AX[:name]) || [ax.get_single(AX[:first_name]), ax.get_single(AX[:last_name])].join(' ')).strip,
|
156
|
+
'location' => ("#{ax.get_single(AX[:city])}, #{ax.get_single(AX[:state])}" if Array(ax.get_single(AX[:city])).any? && Array(ax.get_single(AX[:state])).any?),
|
157
|
+
'nickname' => ax.get_single(AX[:nickname]),
|
158
|
+
'urls' => ({'Website' => Array(ax.get_single(AX[:website])).first} if Array(ax.get_single(AX[:website])).any?)
|
159
|
+
}.inject({}){|h,(k,v)| h[k] = Array(v).first; h}.reject{|k,v| v.nil? || v == ''}
|
160
|
+
end
|
161
|
+
end
|
162
|
+
end
|
163
|
+
end
|
164
|
+
|
165
|
+
|
166
|
+
OmniAuth.config.add_camelization 'googlefederated', 'GoogleFederated'
|
167
|
+
OmniAuth.config.add_camelization 'google_federated', 'GoogleFederated'
|
168
|
+
OmniAuth.config.add_camelization 'Google_Federated', 'GoogleFederated'
|
@@ -0,0 +1,24 @@
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
2
|
+
$:.push File.expand_path("../lib", __FILE__)
|
3
|
+
require "omniauth-googlefederated/version"
|
4
|
+
|
5
|
+
Gem::Specification.new do |s|
|
6
|
+
s.name = "omniauth-googlefederated"
|
7
|
+
s.version = Omniauth::Googlefederated::VERSION
|
8
|
+
s.authors = ["Henry Liu"]
|
9
|
+
s.email = ["henry@liuhenry.com"]
|
10
|
+
s.homepage = ""
|
11
|
+
s.summary = %q{Google OAuth/OpenID Federated Login strategy for OmniAuth 1.0}
|
12
|
+
s.description = %q{Hybrid authentication and authorization strategy for Google APIs. Combines the process for obtaining an authorized OAuth request token along with an OpenID authentication request.}
|
13
|
+
|
14
|
+
s.rubyforge_project = "omniauth-googlefederated"
|
15
|
+
|
16
|
+
s.files = `git ls-files`.split("\n")
|
17
|
+
s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
|
18
|
+
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
|
19
|
+
s.require_paths = ["lib"]
|
20
|
+
|
21
|
+
# specify any dependencies here; for example:
|
22
|
+
# s.add_development_dependency "rspec"
|
23
|
+
# s.add_runtime_dependency "rest-client"
|
24
|
+
end
|
metadata
ADDED
@@ -0,0 +1,57 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: omniauth-googlefederated
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.2
|
5
|
+
prerelease:
|
6
|
+
platform: ruby
|
7
|
+
authors:
|
8
|
+
- Henry Liu
|
9
|
+
autorequire:
|
10
|
+
bindir: bin
|
11
|
+
cert_chain: []
|
12
|
+
date: 2012-12-08 00:00:00.000000000 Z
|
13
|
+
dependencies: []
|
14
|
+
description: Hybrid authentication and authorization strategy for Google APIs. Combines
|
15
|
+
the process for obtaining an authorized OAuth request token along with an OpenID
|
16
|
+
authentication request.
|
17
|
+
email:
|
18
|
+
- henry@liuhenry.com
|
19
|
+
executables: []
|
20
|
+
extensions: []
|
21
|
+
extra_rdoc_files: []
|
22
|
+
files:
|
23
|
+
- .gitignore
|
24
|
+
- Gemfile
|
25
|
+
- LICENSE
|
26
|
+
- README.md
|
27
|
+
- Rakefile
|
28
|
+
- lib/omniauth-googlefederated.rb
|
29
|
+
- lib/omniauth-googlefederated/version.rb
|
30
|
+
- lib/omniauth/strategies/google_federated.rb
|
31
|
+
- lib/omniauth/strategies/google_federated.rb.backup
|
32
|
+
- omniauth-googlefederated.gemspec
|
33
|
+
homepage: ''
|
34
|
+
licenses: []
|
35
|
+
post_install_message:
|
36
|
+
rdoc_options: []
|
37
|
+
require_paths:
|
38
|
+
- lib
|
39
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
40
|
+
none: false
|
41
|
+
requirements:
|
42
|
+
- - ! '>='
|
43
|
+
- !ruby/object:Gem::Version
|
44
|
+
version: '0'
|
45
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
46
|
+
none: false
|
47
|
+
requirements:
|
48
|
+
- - ! '>='
|
49
|
+
- !ruby/object:Gem::Version
|
50
|
+
version: '0'
|
51
|
+
requirements: []
|
52
|
+
rubyforge_project: omniauth-googlefederated
|
53
|
+
rubygems_version: 1.8.24
|
54
|
+
signing_key:
|
55
|
+
specification_version: 3
|
56
|
+
summary: Google OAuth/OpenID Federated Login strategy for OmniAuth 1.0
|
57
|
+
test_files: []
|