OAuth Plugin

This is the beginning of a plugin for implementing OAuth Providers in Rails applications.
See the OAuth specs at:
and the OAuth site at:
NOTE: We've moved to GitHub:
http://github.com/pelle/oauth-plugin/tree/master
Installation

You need to install the oauth gem (0.2.1), which is the core OAuth Ruby library. It will NOT work on any previous version of the gem.

    sudo gem install oauth

To install the plugin in your Rails application, go to your Rails application directory and type:

    ./script/plugin install git://github.com/pelle/oauth-plugin.git

The generator currently creates code (in particular views) that only works in Rails 2.
It should not be difficult to manually modify the code to work on Rails 1.2.x
I think the only real issue is that the views have .html.erb extensions. So these could theoretically just be renamed to .rhtml.
Please let me know if this works and I will see if I can make the generator conditionally create .rhtml for pre 2.0 versions of RAILS.
Also have a look at this quick start tutorial I wrote: How to turn your rails site into an OAuth Provider
Status

Changelog

What is done:

* Create and authenticate RequestTokens
* Exchange RequestToken for an AccessToken
* Simple http wrapper built into RequestToken. This has been refactored to fit into the ActiveResource way of doing http requests.
* Supports query and authorization headers
* Generators to create Token AR models
* Generators to create OAuth consumer and provider controllers
* Uses the new official oauth gem

Still todo:

* Improve error handling (it's virtually nonexistent)
* Generator to create OAuth consumer controllers
* Integrate with ActiveResource by including AccessToken support in the ActiveResource::Connection class.

Usage

There is now a generator which allows you to quickly create an oauth provider.

    ./script/generate oauth_provider

This does require an acts_as_authenticated type of plugin, such as restful_authentication or the cool new restful_open_id_authentication module.
Routes

You need to add the following to your routes (config/routes.rb):

    map.oauth '/oauth',:controller=>'oauth',:action=>'index'
    map.authorize '/oauth/authorize',:controller=>'oauth',:action=>'authorize'
    map.request_token '/oauth/request_token',:controller=>'oauth',:action=>'request_token'
    map.access_token '/oauth/access_token',:controller=>'oauth',:action=>'access_token'
    map.test_request '/oauth/test_request',:controller=>'oauth',:action=>'test_request'

User Model

Add the following lines to your user model:

    has_many :client_applications
    has_many :tokens, :class_name=>"OauthToken",:order=>"authorized_at desc",:include=>[:client_application]

Migrate database

The database is defined in:

    db/migrate/XXX_create_oauth_tables.rb

Run them as any other normal migration in rails with:

    rake db:migrate

RSpec

The generator installs a collection of RSpec (http://rspec.info) specs instead of normal unit_tests. If you don't use RSpec (and really why aren't you?) feel free to remove the spec folder. If you would like to contribute regular unit tests I will accept them with a smile.
Protecting your actions

I recommend that you think about what your users would want to provide access to and limit oauth for those only. For example in a CRUD controller you may think about if you want to let consumer applications do the create, update or delete actions. For your application this might make sense, but for others maybe not.

If you want to give oauth access to everything a registered user can do, just replace the filter you have in your controllers with:

    before_filter :login_or_oauth_required

If you want to restrict consumers to the index and show methods of your controller do the following:

    before_filter :login_required,:except=>[:show,:index]
    before_filter :login_or_oauth_required,:only=>[:show,:index]

If you have an action you only want used via oauth:

    before_filter :oauth_required

All of these place the token's user in current_user as you would expect. It also exposes the following methods:

* current_token - for accessing the token used to authorize the current request
* current_client_application - for accessing information about which consumer is currently accessing your request
You could add application specific information to the OauthToken and ClientApplication model for such things as object level access control, billing, expiry etc. Be creative and you can create some really cool applications here.
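
The three filter setups under "Protecting your actions" can be checked on paper before deploying. The following is an added example, not code from the plugin: a plain-Ruby model of Rails 2 before_filter :only/:except semantics that lists which actions an OAuth consumer can reach and which actions no filter covers. The Filter struct, the helper names and the GAP chain are assumptions constructed for illustration.

```ruby
# Added example: models the filter declarations above; it does not load Rails.
# Which credential kinds each filter accepts (nil = anonymous, never accepted).
ACCEPTS = {
  :login_required          => [:session],
  :oauth_required          => [:oauth],
  :login_or_oauth_required => [:session, :oauth]
}

Filter = Struct.new(:name, :only, :except) do
  # Rails 2 semantics: :only lists covered actions, :except lists skipped ones.
  def applies_to?(action)
    return only.include?(action) if only
    return !except.include?(action) if except
    true
  end
end

# A request passes only if every filter that applies to the action accepts it.
# If no filter applies, nothing rejects the request, so it passes.
def permitted?(filters, action, credential)
  filters.select { |f| f.applies_to?(action) }
         .all? { |f| ACCEPTS.fetch(f.name).include?(credential) }
end

# Actions an OAuth consumer can reach under this filter chain.
def oauth_reachable(filters, actions)
  actions.select { |a| permitted?(filters, a, :oauth) }
end

# Actions open to anonymous requests because no filter covers them.
def unprotected(filters, actions)
  actions.select { |a| permitted?(filters, a, nil) }
end

CRUD = [:index, :show, :create, :update, :destroy]

# The three setups from the text, in the order they appear.
EVERYTHING = [Filter.new(:login_or_oauth_required, nil, nil)]
READ_ONLY  = [Filter.new(:login_required, nil, [:show, :index]),
              Filter.new(:login_or_oauth_required, [:show, :index], nil)]
OAUTH_ONLY = [Filter.new(:oauth_required, nil, nil)]

# Constructed misconfiguration: two :only lists that both forget :destroy.
GAP = [Filter.new(:login_required, [:create, :update], nil),
       Filter.new(:login_or_oauth_required, [:show, :index], nil)]

if __FILE__ == $0
  puts "read-only chain, oauth reaches: #{oauth_reachable(READ_ONLY, CRUD).inspect}"
  puts "gap chain, unprotected: #{unprotected(GAP, CRUD).inspect}"
end
```

Pairing :except on one filter with :only on the other, as the text does, leaves no action uncovered; two :only lists do not give that guarantee.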