Ever actually tried implementing an Oauth provider? It's surprisingly difficult to get 100% right.
I had a similar problem, so I started my own open OAuth provider implementation complete with built in documentation https://github.com/schneems/opro. If you're using Rails, you can have a working OAuth provider in production in under 5 minutes. Of course adding the API endpoints and writing application specific docs is still up to the user, but the authentication flow and logic are at least standardized.
Thank you for this; I believe it fills a big hole in the ecosystem. I found myself wanting to implement an API endpoint about six months before your first commit to this project, so I hit Github expecting to find a couple of OAuth-provider Ruby libraries in competition; I'd pick one and do a day or two of work to get it integrated.
Instead, I couldn't find much of anything.
So I delegated the task to someone else who I believe ended up implementing… Basic auth over TLS. ;)
I find with Devise and Omniauth it works like magic. rbates has some excellent Railscasts on the process as well.
I agree with the main thrust of the argument though. OAuth providers do not make it as easy as they should. The point about the buttons is spot on. I've had some good success with the buttons provided here:
I've also open sourced a set of (incomplete) social buttons as well. Do as you would with them, they're MIT-licensed, and while the set is incomplete, the PSD is included.
Omniauth is for implementing an OAuth client, and it's great... but, that's the other side of this coin.
There are very few good provider libraries out there, making it harder to stick to standards. People who want to provide an API shouldn't have to re-invent the wheel every time.
I like doorkeeper as well. Opro doesn't currently support any other backends other than ActiveRecord, so if you're using mongo you would need to use doorkeeper.
I started writing opro before DK was out in the wild. There were some things I had in opro that weren't in DK so I decided to keep developing it.
Last time I checked here are some differences:
- Deals with CSRF protected resources automatically
- Works with your login system (like devise), not around it. No special casing or configuration is needed
<3 doorkeeper. Using it to make one of our open source apps - http://github.com/isotope11/xrono - an oauth provider to support an oauth sso flow inside of apps we've built for internal use regularly. It took an hour one night to build the provider, and maybe an hour to build the omniauth provider gem and integrate it into an app.
P.S. - it also took like six hours of banging my head against a wall for unrelated oauth-related problems, but not DK's fault.
Agreed. It'd be great for interoperability to get a set of quality, conformant open source provider implementations in various languages. I've implemented OAuth 1.0 and OAuth 2.0 as middleware in Node.js, available here:
Yea, I am currently implementing OAuth (https://github.com/ocharles/snaplet-oauth2) and the specification is not entirely straight forward. There's a lot of edge-case type stuff that's important to get right.
I had a similar problem, so I started my own open OAuth provider implementation complete with built in documentation https://github.com/schneems/opro. If you're using Rails, you can have a working OAuth provider in production in under 5 minutes. Of course adding the API endpoints and writing application specific docs is still up to the user, but the authentication flow and logic are at least standardized.