Rails and OpenID: Start Your Engines
Posted on September 4th, 2009
(Apologies for the ridiculously lame title, but I laughed while writing it, so it stays.)
If you care about your users’ security, and your time, it’s time you stop asking them for passwords. Storing user passwords and handling authentication brings a bunch of problems that have already been solved elsewhere, and doing it right requires a lot of work.
Think about it. If you’re storing users’ passwords in your database, you’ve automatically got sensitive information on your server. Maybe it’s just a College Football Pick ‘Em site, which stores nothing too important … until you store a user’s password. Let’s face it, most users don’t use a new password for every site, so if someone breaks into your server, you’re responsible when that information is lost.
So, you’ve got to make sure your server’s security is up to date. Then, it’s still possible there’s a break-in, or you have a malicious developer. So you have to encrypt the passwords. But encrypting alone isn’t enough, because that would still be susceptible to dictionary attacks. You have to salt each password.
What about brute force login attempts on your sign in page? Have you handled that?
These are just some of the problems that you have to solve the minute you decide to store someone’s password.
A better solution? OpenID. Below I’ll explain how to use my newly written (really repackaged) OpenID Rails engine, and you can be on your way to making the world an easier place to sign in.
Before you do anything, you’ll need to install the ruby-openid gem. Just do this:
sudo gem install ruby-openid
I’m going to do this with a brand new Rails (needs to be >= 2.3) app. So, to start things up:
rails wutzit
Next, since the engine is in its infancy, it requires a User model:
script/generate model user
That’s technically all the preparation needed to use the engine. So, let’s install it:
script/plugin install git://github.com/terrbear/openid_engine.git
There are a few steps that the engine requires to work (until engines better support migrations). They take about 3 seconds, though. First, create the OpenID auth tables:
rake open_id_authentication:db:create
rake db:migrate
And then add a default route to your routes.rb (be sure to remove public/index.html!), something like:
map.root :controller => "welcome"
Of course, if we do that, we’ll need a welcome controller.
script/generate controller welcome
Let’s add a little bit of code to test out the welcome controller and the OpenID goodness:
class WelcomeController < ActionController::Base
  before_filter :signin_required

  def hello
    render(:text => "hello, #{current_user.identity_url}")
  end
end

Then fire up your server and try to log in. You should be greeted by this gorgeous screen:

Log in, and you have an authenticated user, using OpenID!
If you introduce validations to your user, and define edit_user_url with resources or a named route in your routes.rb, new users will be automagically redirected to the edit page after they create an account.
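Before the engine can send a user off to log in, ruby-openid (the gem installed above) has to discover the provider endpoint behind the identity URL the user typed, the same URL that later shows up as current_user.identity_url; when nothing is found, you get the “[OPENID] No usable OpenID services were found” log line one commenter below reports. The following is an added example of that discovery step, not code from the engine or from ruby-openid; op.example.org and both sample documents are constructed.

```ruby
# Added example (not openid_engine or ruby-openid code): simplified OpenID 2.0
# discovery over constructed documents; real discovery also fetches over HTTP.
require "rexml/document"
OPENID_TYPES = ["http://specs.openid.net/auth/2.0/server",
                "http://specs.openid.net/auth/2.0/signon"].freeze

# Constructed sample documents; op.example.org is not a real provider.
SAMPLE_XRDS = <<~XML
  <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD><Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.org/server</URI>
    </Service></XRD>
  </xrds:XRDS>
XML
SAMPLE_HTML = <<~HTML
  <html><head><link rel="stylesheet" href="/style.css">
  <link rel="openid2.provider" href="https://op.example.org/server">
  </head><body>alice</body></html>
HTML

# Yadis/XRDS discovery: the first <Service> advertising an OpenID 2.0 type
# and a <URI> wins. Names are compared without namespace prefixes.
def endpoint_from_xrds(xml)
  root = REXML::Document.new(xml).root or return nil
  root.each_recursive do |el|
    next unless el.name == "Service"
    kids  = el.elements.to_a
    types = kids.select { |k| k.name == "Type" }.map { |k| k.text.to_s.strip }
    uri   = kids.find { |k| k.name == "URI" }
    return uri.text.strip if uri && (types & OPENID_TYPES).any?
  end
  nil
end

# HTML-based discovery fallback: <link rel="openid2.provider"> (2.0) or
# rel="openid.server" (1.x). A small regex, not a full HTML parser.
def endpoint_from_html(html)
  html.scan(/<link\s[^>]*>/i).each do |tag|
    rel  = tag[/rel\s*=\s*["']([^"']+)["']/i, 1].to_s.downcase.split
    href = tag[/href\s*=\s*["']([^"']+)["']/i, 1]
    return href if href && !(rel & %w[openid2.provider openid.server]).empty?
  end
  nil
end

# XRDS is tried before HTML; nil is the "No usable OpenID services" case.
def discover(xrds: nil, html: nil)
  (xrds && endpoint_from_xrds(xrds)) || (html && endpoint_from_html(html))
end
```

A plain web page with neither an XRDS document nor an openid link tag yields nil, which is exactly the situation behind that log line.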
11 responses to “Rails and OpenID: Start Your Engines”

-
Don’t forget to run:
rake db:migrate
after you run rake open_id_authentication:db:create
The open_id_authentication:db:create just creates the migration script; db:migrate actually runs it against your db.
-
Does this solution work with JanRain’s RPX solution? (www.rpxnow.com)
If not, do you know of a plugin that does what you do, as easily as you do it, and with JanRain’s solution?
-
I like to add two minor points, don’t forget to:
* remove public/index.html
* rename the hello method from welcome controller into index.
Otherwise it works like a charm!
-
How do you customize the log in form?
Can you have more than one OpenID per user?
-
Pratik November 7th, 2009 at 03:53
Hey, thanks for the useful information.
I have implemented all the steps, but when I try to log in, it gives me the following error in the logs:
[OPENID] No usable OpenID services were found for “http://google.com/”
Do I need to add some entries to the open_id tables in the DB?
Thanks,
Pratik
-
This is awesome, I would like to add the functionality to request profile information, like email. How hard is this to do?
I did some googling and I can’t quite work out what extension people are using.
I know it is possible because I saw another site request my google email address.
1 Trackback / Pingback
-
[...] Rails and OpenID: Start Your Engines @ terrbear.org (tags: rails authentication) [...]
-
meezy September 4th, 2009 at 20:02