Chris@909: OpenIdAuthentication Chris@909: ==================== Chris@909: Chris@909: Provides a thin wrapper around the excellent ruby-openid gem from JanRan. Be sure to install that first: Chris@909: Chris@909: gem install ruby-openid Chris@909: Chris@909: To understand what OpenID is about and how it works, it helps to read the documentation for lib/openid/consumer.rb Chris@909: from that gem. Chris@909: Chris@909: The specification used is http://openid.net/specs/openid-authentication-2_0.html. Chris@909: Chris@909: Chris@909: Prerequisites Chris@909: ============= Chris@909: Chris@909: OpenID authentication uses the session, so be sure that you haven't turned that off. It also relies on a number of Chris@909: database tables to store the authentication keys. So you'll have to run the migration to create these before you get started: Chris@909: Chris@909: rake open_id_authentication:db:create Chris@909: Chris@909: Or, use the included generators to install or upgrade: Chris@909: Chris@909: ./script/generate open_id_authentication_tables MigrationName Chris@909: ./script/generate upgrade_open_id_authentication_tables MigrationName Chris@909: Chris@909: Alternatively, you can use the file-based store, which just relies on on tmp/openids being present in RAILS_ROOT. But be aware that this store only works if you have a single application server. And it's not safe to use across NFS. It's recommended that you use the database store if at all possible. To use the file-based store, you'll also have to add this line to your config/environment.rb: Chris@909: Chris@909: OpenIdAuthentication.store = :file Chris@909: Chris@909: This particular plugin also relies on the fact that the authentication action allows for both POST and GET operations. Chris@909: If you're using RESTful authentication, you'll need to explicitly allow for this in your routes.rb. Chris@909: Chris@909: The plugin also expects to find a root_url method that points to the home page of your site. You can accomplish this by using a root route in config/routes.rb: Chris@909: Chris@909: map.root :controller => 'articles' Chris@909: Chris@909: This plugin relies on Rails Edge revision 6317 or newer. Chris@909: Chris@909: Chris@909: Example Chris@909: ======= Chris@909: Chris@909: This example is just to meant to demonstrate how you could use OpenID authentication. You might well want to add Chris@909: salted hash logins instead of plain text passwords and other requirements on top of this. Treat it as a starting point, Chris@909: not a destination. Chris@909: Chris@909: Note that the User model referenced in the simple example below has an 'identity_url' attribute. You will want to add the same or similar field to whatever Chris@909: model you are using for authentication. Chris@909: Chris@909: Also of note is the following code block used in the example below: Chris@909: Chris@909: authenticate_with_open_id do |result, identity_url| Chris@909: ... Chris@909: end Chris@909: Chris@909: In the above code block, 'identity_url' will need to match user.identity_url exactly. 'identity_url' will be a string in the form of 'http://example.com' - Chris@909: If you are storing just 'example.com' with your user, the lookup will fail. Chris@909: Chris@909: There is a handy method in this plugin called 'normalize_url' that will help with validating OpenID URLs. Chris@909: Chris@909: OpenIdAuthentication.normalize_url(user.identity_url) Chris@909: Chris@909: The above will return a standardized version of the OpenID URL - the above called with 'example.com' will return 'http://example.com/' Chris@909: It will also raise an InvalidOpenId exception if the URL is determined to not be valid. Chris@909: Use the above code in your User model and validate OpenID URLs before saving them. Chris@909: Chris@909: config/routes.rb Chris@909: Chris@909: map.root :controller => 'articles' Chris@909: map.resource :session Chris@909: Chris@909: Chris@909: app/views/sessions/new.erb Chris@909: Chris@909: <% form_tag(session_url) do %> Chris@909:

Chris@909: Chris@909: <%= text_field_tag "name" %> Chris@909:

Chris@909: Chris@909:

Chris@909: Chris@909: <%= password_field_tag %> Chris@909:

Chris@909: Chris@909:

Chris@909: ...or use: Chris@909:

Chris@909: Chris@909:

Chris@909: Chris@909: <%= text_field_tag "openid_identifier" %> Chris@909:

Chris@909: Chris@909:

Chris@909: <%= submit_tag 'Sign in', :disable_with => "Signing in…" %> Chris@909:

Chris@909: <% end %> Chris@909: Chris@909: app/controllers/sessions_controller.rb Chris@909: class SessionsController < ApplicationController Chris@909: def create Chris@909: if using_open_id? Chris@909: open_id_authentication Chris@909: else Chris@909: password_authentication(params[:name], params[:password]) Chris@909: end Chris@909: end Chris@909: Chris@909: Chris@909: protected Chris@909: def password_authentication(name, password) Chris@909: if @current_user = @account.users.authenticate(params[:name], params[:password]) Chris@909: successful_login Chris@909: else Chris@909: failed_login "Sorry, that username/password doesn't work" Chris@909: end Chris@909: end Chris@909: Chris@909: def open_id_authentication Chris@909: authenticate_with_open_id do |result, identity_url| Chris@909: if result.successful? Chris@909: if @current_user = @account.users.find_by_identity_url(identity_url) Chris@909: successful_login Chris@909: else Chris@909: failed_login "Sorry, no user by that identity URL exists (#{identity_url})" Chris@909: end Chris@909: else Chris@909: failed_login result.message Chris@909: end Chris@909: end Chris@909: end Chris@909: Chris@909: Chris@909: private Chris@909: def successful_login Chris@909: session[:user_id] = @current_user.id Chris@909: redirect_to(root_url) Chris@909: end Chris@909: Chris@909: def failed_login(message) Chris@909: flash[:error] = message Chris@909: redirect_to(new_session_url) Chris@909: end Chris@909: end Chris@909: Chris@909: Chris@909: Chris@909: If you're fine with the result messages above and don't need individual logic on a per-failure basis, Chris@909: you can collapse the case into a mere boolean: Chris@909: Chris@909: def open_id_authentication Chris@909: authenticate_with_open_id do |result, identity_url| Chris@909: if result.successful? && @current_user = @account.users.find_by_identity_url(identity_url) Chris@909: successful_login Chris@909: else Chris@909: failed_login(result.message || "Sorry, no user by that identity URL exists (#{identity_url})") Chris@909: end Chris@909: end Chris@909: end Chris@909: Chris@909: Chris@909: Simple Registration OpenID Extension Chris@909: ==================================== Chris@909: Chris@909: Some OpenID Providers support this lightweight profile exchange protocol. See more: http://www.openidenabled.com/openid/simple-registration-extension Chris@909: Chris@909: You can support it in your app by changing #open_id_authentication Chris@909: Chris@909: def open_id_authentication(identity_url) Chris@909: # Pass optional :required and :optional keys to specify what sreg fields you want. Chris@909: # Be sure to yield registration, a third argument in the #authenticate_with_open_id block. Chris@909: authenticate_with_open_id(identity_url, Chris@909: :required => [ :nickname, :email ], Chris@909: :optional => :fullname) do |result, identity_url, registration| Chris@909: case result.status Chris@909: when :missing Chris@909: failed_login "Sorry, the OpenID server couldn't be found" Chris@909: when :invalid Chris@909: failed_login "Sorry, but this does not appear to be a valid OpenID" Chris@909: when :canceled Chris@909: failed_login "OpenID verification was canceled" Chris@909: when :failed Chris@909: failed_login "Sorry, the OpenID verification failed" Chris@909: when :successful Chris@909: if @current_user = @account.users.find_by_identity_url(identity_url) Chris@909: assign_registration_attributes!(registration) Chris@909: Chris@909: if current_user.save Chris@909: successful_login Chris@909: else Chris@909: failed_login "Your OpenID profile registration failed: " + Chris@909: @current_user.errors.full_messages.to_sentence Chris@909: end Chris@909: else Chris@909: failed_login "Sorry, no user by that identity URL exists" Chris@909: end Chris@909: end Chris@909: end Chris@909: end Chris@909: Chris@909: # registration is a hash containing the valid sreg keys given above Chris@909: # use this to map them to fields of your user model Chris@909: def assign_registration_attributes!(registration) Chris@909: model_to_registration_mapping.each do |model_attribute, registration_attribute| Chris@909: unless registration[registration_attribute].blank? Chris@909: @current_user.send("#{model_attribute}=", registration[registration_attribute]) Chris@909: end Chris@909: end Chris@909: end Chris@909: Chris@909: def model_to_registration_mapping Chris@909: { :login => 'nickname', :email => 'email', :display_name => 'fullname' } Chris@909: end Chris@909: Chris@909: Attribute Exchange OpenID Extension Chris@909: =================================== Chris@909: Chris@909: Some OpenID providers also support the OpenID AX (attribute exchange) protocol for exchanging identity information between endpoints. See more: http://openid.net/specs/openid-attribute-exchange-1_0.html Chris@909: Chris@909: Accessing AX data is very similar to the Simple Registration process, described above -- just add the URI identifier for the AX field to your :optional or :required parameters. For example: Chris@909: Chris@909: authenticate_with_open_id(identity_url, Chris@909: :required => [ :email, 'http://schema.openid.net/birthDate' ]) do |result, identity_url, registration| Chris@909: Chris@909: This would provide the sreg data for :email, and the AX data for 'http://schema.openid.net/birthDate' Chris@909: Chris@909: Chris@909: Chris@909: Copyright (c) 2007 David Heinemeier Hansson, released under the MIT license