Different Access token every time – using Google OAuth and Authlogic

authlogicoauth

Greetings!

I have some troubles enabling OAuth authentication for my web
application running on Ruby on Rails. I am using authlogic and
authlogic_oauth and that is, in the end, using OAuth gem and therefore
I decided to ask here. So shortly:

I succesfully "register" (i.e. obtain the first Access Token for the
user) but then, whenever I try to "login", I receive a differenct
access token for the same Google Account, the Authlogic-oauth plugin
fails to find the user and the login crashes. Maybe I don't understand
it right but is not the AT supposed to be the same every time. And can
it be a problem that I am accessing Google from http://localhost even
though the Customer keys are for different domain?

anyway, thanks for any reply … I spend already 2 days with that
issue and debugging doesn't seems to lead me anywhere

Jakub

PS: I sent that question on Google Group oauth-ruby – sorry to anyone reading both channels

Best Answer

The AT is supposed to be different every time. OAuth is not an authentication protocol, it is an authorization delegation protocol. Try using OpenID instead: http://code.google.com/apis/accounts/docs/OpenID.html

Related Solutions

How to verify a Google authentication API access token

For user check, just post get the access token as accessToken and post it and get the response

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=accessToken

you can try in address bar in browsers too, use httppost and response in java also

response will be like

{
     "issued_to": "xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
     "audience": "xxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
     "user_id": "xxxxxxxxxxxxxxxxxxxxxxx",
     "scope": "https://www.googleapis.com/auth/userinfo.profile https://gdata.youtube.com",
     "expires_in": 3340,
     "access_type": "offline"
    }

The scope is the given permission of the accessToken. you can check the scope ids in this link

Update: New API post as below

https://oauth2.googleapis.com/tokeninfo?id_token=XYZ123

Response will be as

 {
 // These six fields are included in all Google ID Tokens.
 "iss": "https://accounts.google.com",
 "sub": "110169484474386276334",
 "azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "iat": "1433978353",
 "exp": "1433981953",

 // These seven fields are only included when the user has granted the "profile" and
 // "email" OAuth scopes to the application.
 "email": "testuser@gmail.com",
 "email_verified": "true",
 "name" : "Test User",
 "picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
 "given_name": "Test",
 "family_name": "User",
 "locale": "en"
}

For more info, https://developers.google.com/identity/sign-in/android/backend-auth

R – Implicit user creation with Authlogic and Authlogic OAuth plugin

Seems like I'm going to answer the question myself.

I use the following code to generate the Sign In button (in HAML):

- form_tag({:controller => "users", :action => "create"}, {:method => "post"}) do
  = oauth_register_button :value => "Sign In with Twitter"

and then I simply create the user's session object in the create method of the UsersController class, if the user already exists:

def create
  @user = User.new(params[:user])
  @user.save do |result| # LINE A
    if result
      flash[:notice] = "Account registered!"
      redirect_to some_inner_path
    else
      unless @user.oauth_token.nil?
        @user = User.find_by_oauth_token(@user.oauth_token)
        unless @user.nil?
          UserSession.create(@user)
          flash.now[:message] = "Welcome back!"
          redirect_to some_inner_path        
        else
          redirect_back_or_default root_path
        end
      else
        redirect_back_or_default root_path
      end
    end
  end
end

If the user is a first time visitor, then the user object is successfully saved in the LINE A. And if it's not and there's an oauth token available, then we try to fetch the user from the DB and log him/her in.

Best Answer

Related Solutions

How to verify a Google authentication API access token

R – Implicit user creation with Authlogic and Authlogic OAuth plugin

Related Topic