I'm building a Rails API and have successfully built a way for a user to authenticate using Omniauth Identity.
We simply post to auth/identity/callback from the client, passing in an auth_key and password.
The server then returns a Doorkeeper token that the user uses from then on to access the app and identify themselves.
This diagram illustrates this:
We'd now like to implement a Facebook login from the client, but are having trouble making it work, both theoretically and practically.
On a simple Rails app with Omniauth Identity, you'd simply call auth/facebook, but if we put a link to this in the client, it calls the server and the server then logs:
INFO -- omniauth: (facebook) Request phase initiated.
The app is set up correctly in Facebook with an ID and Secret, so perhaps the login prompt is getting returned to the server?
I'm getting confused, though, chaining the authentication. Any help gratefully appreciated!
Best Answer
The best way I found (after being stuck for a while on this issue) is to do your OAuth2 (specifically, in my case, using the Satellizer Angular plugin) manually...
I'll discuss the solution for Facebook as it was my case, but everything could apply to any other provider.
First you have to know how OAuth2 works (as documented for humans here)...
3. A code (authorization code) query string parameter is returned. The redirect back URL must match your front-end app URL, not the back-end URL, and it must be specified in your Facebook app configuration.
4. The code parameter is sent back to the parent window that opened the popup.
5. POST request to backend/auth/facebook with the code parameter.
6. The code (authorization code) is exchanged for an access token. How to exchange the code for an access-token is described in detail here, in the Facebook developers documentation.
7. Server: use the access-token retrieved in step 6 to retrieve the user's info.
8. VOILA, you've got yourself a user you can merge / create an account for / link with other OAuth providers / etc. But bear in mind that the user can revoke some of the permissions (like email; Facebook supports revoking some of the permissions)...
(enough talking, show me some code)
First you have to add the HTTParty gem to your Gemfile.
I've added this gist, which contains the flow for steps 6, 7 and 8; those are the most problematic steps and are barely documented anywhere.
The gist exports 2 main methods:
- a method which is used to authenticate the user with Facebook and return the user_info and a long_live_access_token (valid for 60 days);
- a method which is used to de-authorize/revoke the access_token and application permissions on Facebook...
This is used for a special requirement I have: when the user revokes the email permission requested on Facebook login, we revoke the whole application's permissions. This will prompt the user on the next login as if it's his first login (no need to go to Facebook apps and manually revoke the application)...
Here is how it's used in the controller:
That's it... now, if you are interested in the internals of the implementation, here is the code as seen in the gist (added for reference). Feel free to fork it, edit it and help make it better.
Here is another Node.js tutorial implementing OAuth for Instagram that helped me understand how OAuth2 works (added for reference).
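The server side of steps 6, 7 and 8 in Ruby, as an added example and not the gist from the answer above. It uses only the standard library (Net::HTTP instead of HTTParty) and the Graph API endpoints Facebook documents: the oauth/access_token code exchange, the fb_exchange_token grant for a long-lived token, the /me profile call with appsecret_proof, and DELETE /me/permissions to de-authorize. The Graph API version string, the class and method names, and the fake_graph stand-in for graph.facebook.com are assumptions made here so the flow runs offline; the responses it returns are constructed.

```ruby
require 'net/http'
require 'uri'
require 'json'
require 'openssl'

# Server side of steps 6-8: swap the client's authorization code for an access
# token, fetch the profile, and de-authorize the app when email was withheld.
class FacebookCodeExchange
  GRAPH   = 'https://graph.facebook.com'
  VERSION = 'v2.3' # assumption: use the Graph API version your app targets
  class Error < StandardError; end

  # http: callable(verb, URI) -> [status, body]; injectable so the flow runs offline.
  def initialize(app_id:, app_secret:, redirect_uri:, http: nil)
    @app_id, @app_secret, @redirect_uri = app_id, app_secret, redirect_uri
    @http = http || method(:default_http)
  end

  # Step 6. redirect_uri must be exactly the front-end URL the popup came back to.
  def exchange_code(code)
    request(:get, 'oauth/access_token', client_id: @app_id, client_secret: @app_secret,
                                        redirect_uri: @redirect_uri, code: code)
  end

  # Short-lived token -> long-lived token (about 60 days).
  def long_lived_token(short_token)
    request(:get, 'oauth/access_token', grant_type: 'fb_exchange_token', client_id: @app_id,
                                        client_secret: @app_secret, fb_exchange_token: short_token)
  end

  # Step 7. appsecret_proof = HMAC-SHA256(app_secret, token) ties the call to this
  # server, so a token leaked from the browser cannot be replayed from elsewhere.
  def user_info(access_token, fields: %w[id name email])
    request(:get, 'me', fields: fields.join(','), access_token: access_token,
                        appsecret_proof: appsecret_proof(access_token))
  end

  # Revoke every permission the user granted; the next login starts from scratch.
  def revoke(access_token)
    request(:delete, 'me/permissions', access_token: access_token,
                                       appsecret_proof: appsecret_proof(access_token))
  end

  # Steps 6-8 with the answer's policy: no email permission means de-authorize.
  def authenticate(code)
    token = long_lived_token(exchange_code(code).fetch('access_token')).fetch('access_token')
    user  = user_info(token)
    unless user['email']
      revoke(token)
      raise Error, 'email permission not granted; application de-authorized'
    end
    { 'access_token' => token, 'user' => user }
  end

  def appsecret_proof(access_token)
    OpenSSL::HMAC.hexdigest('SHA256', @app_secret, access_token)
  end

  private

  def request(verb, path, params)
    uri = URI("#{GRAPH}/#{VERSION}/#{path}")
    uri.query = URI.encode_www_form(params)
    status, body = @http.call(verb, uri)
    data = parse_body(body)
    return data if status == 200
    raise Error, data.fetch('error', {}).fetch('message', "HTTP #{status}")
  end

  # Newer Graph versions answer JSON; older ones returned "access_token=...&expires=...".
  def parse_body(body)
    JSON.parse(body)
  rescue JSON::ParserError
    URI.decode_www_form(body).to_h
  end

  def default_http(verb, uri)
    conn = Net::HTTP.new(uri.host, uri.port)
    conn.use_ssl = true
    conn.verify_mode = OpenSSL::SSL::VERIFY_PEER
    res = conn.request((verb == :delete ? Net::HTTP::Delete : Net::HTTP::Get).new(uri))
    [res.code.to_i, res.body]
  end
end

# Constructed stand-in for graph.facebook.com (not real responses) so the flow runs offline.
def fake_graph(email_granted: true, log: [])
  lambda do |verb, uri|
    q = URI.decode_www_form(uri.query).to_h
    log << [verb, uri.path, q]
    case uri.path
    when "/#{FacebookCodeExchange::VERSION}/oauth/access_token"
      next [200, '{"access_token":"LONG","expires_in":5184000}'] if q['grant_type']
      [200, 'access_token=SHORT&expires=5180']
    when "/#{FacebookCodeExchange::VERSION}/me"
      profile = { 'id' => '42', 'name' => 'Ada' }
      profile['email'] = 'ada@example.com' if email_granted
      [200, JSON.generate(profile)]
    when "/#{FacebookCodeExchange::VERSION}/me/permissions"
      [200, '{"success":true}']
    else
      [400, '{"error":{"message":"unknown endpoint"}}']
    end
  end
end
```

In a controller this sits behind the POST from step 5: build the exchanger from the app ID, secret and front-end redirect URL, call authenticate(params[:code]), then find-or-create the local user and issue the Doorkeeper token exactly as the Identity flow already does. Keep client_secret out of the client entirely; only the code travels through the browser.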