What mechanism does OmniAuth provide for secure login?

Using the OmniAuth login strategy, a non-registered user is redirected to an identity provider. The identity provider ensures that the user logs in and then redirects the user to a callback URL that allows the user to access a third-party site using authentication from the identity provider. This workflow is explained by Facebook on their graph:

https://developers.facebook.com/docs/user_registration/flows/

How is it ensured that a malicious user is not cheating on this callback so that he can access a third-party account to authenticate the user?

+5
2 answers

Not to be “that guy,” but nothing is completely safe. That said, OmniAuth is a well-supported and widely used mechanism for many different authentication strategies. Regarding security, you will need to make sure that you are using openssl with jruby, which can be seen here: https://github.com/mkdynamic/omniauth-facebook under Supported Rubies. This should be all the necessary security, if you do not plan to widely use your application.

0

Facebook, Google OAuth2.0 . , OAuth2.0, OmniAuth , , .

OAuth2.0, OmniAuth

, , URL- , .

: URL , (, Facebook, Google ..). , , ( ).

, , ?

, . , , , . , , , :

  • SSL (.. HTTPS). .
  • , , .
  • , .

, / , , , .

.

OmniAuth . :

# Add the following gem to your Gemfile
gem 'httplog', group: :development

httplog. log/development.log. :

# Create a new file: config/initializers/httplog.rb
HttpLog.options[:logger] = Rails.logger if Rails.env.development?

Rails :

bundle install
rails s

:

tail -f log/development.log

. , , (Started GET "/auth/google_oauth2/callback?state=1) - :

[httplog] Connecting: accounts.google.com:443
[httplog] Sending: POST http://accounts.google.com:443/o/oauth2/token
[httplog] Data: client_id=123412341234-1234h1234h1234h1234h.apps.googleusercontent.com&client_secret=12341234123412341234&code=123412341234123412341234&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fyourapp.domain.com%2Fauth%2Fgoogle_oauth2%2Fcallback
....
[httplog] Response:
{
  "access_token" : "123412341234123412341234",
  "token_type" : "Bearer",
  "expires_in" : 3599,
  ...
}

, . OmniAuth , . :

[httplog] Connecting: www.googleapis.com:443
[httplog] Sending: GET http://www.googleapis.com:443/plus/v1/people/me/openIdConnect
[httplog] Status: 200
[httplog] Response:
{
  "kind": "plus#personOpenIdConnect",
  "gender": "male",
  "sub": "1234123412341234",
  "name": "Matt",
  "given_name": "Matt",
  ...  
}

, OmniAuth .

, , . httplog , !

+13
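As an added illustration (not code from the question, either answer, OmniAuth or Google), here is a constructed Ruby sketch of the two guarantees the callback shown in the log relies on: the `state` in the callback must match the one stored in the user's session, and the authorization code is only turned into a token by the server, using the client secret and the registered redirect_uri, and only once. `FakeProvider`, its sample ids and the two helper methods are assumed stand-ins for the provider's token endpoint and the app's callback action.

```ruby
require 'securerandom'

# Constructed stand-in for the provider's token endpoint (assumption: it behaves
# like the POST /o/oauth2/token exchange visible in the httplog output above).
class FakeProvider
  CLIENT_ID     = 'example-client-id'                                  # constructed
  CLIENT_SECRET = 'example-client-secret'                              # constructed
  REDIRECT_URI  = 'https://yourapp.example/auth/google_oauth2/callback' # constructed

  def initialize
    @codes = {} # authorization code => redirect_uri it was issued for
  end

  # The provider only issues a one-time code for the registered redirect_uri,
  # so the browser is never sent to an attacker-chosen callback.
  def authorize(redirect_uri)
    return nil unless redirect_uri == REDIRECT_URI
    code = SecureRandom.hex(8)
    @codes[code] = redirect_uri
    code
  end

  # Token exchange: requires the client secret (never sent to the browser),
  # a live code, and the same redirect_uri the code was issued for.
  def token(params)
    return nil unless params[:client_id] == CLIENT_ID
    return nil unless params[:client_secret] == CLIENT_SECRET
    return nil unless @codes.delete(params[:code]) == params[:redirect_uri] # single use
    { 'access_token' => SecureRandom.hex(12), 'token_type' => 'Bearer' }
  end
end

# Application side: begin login by storing a random state in the session.
# Returns what the browser will carry back to the callback URL.
def start_login(provider, session)
  session[:state] = SecureRandom.hex(16)
  code = provider.authorize(FakeProvider::REDIRECT_URI)
  { code: code, state: session[:state] }
end

# Callback action: returns the access token, or a symbol naming the rejection.
def handle_callback(provider, session, params)
  # state is consumed on every attempt, so a mismatch fails closed
  return :state_mismatch unless params[:state] && params[:state] == session.delete(:state)
  token = provider.token(client_id: FakeProvider::CLIENT_ID,
                         client_secret: FakeProvider::CLIENT_SECRET,
                         code: params[:code],
                         redirect_uri: FakeProvider::REDIRECT_URI)
  token ? token['access_token'] : :exchange_failed
end
```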
