Add support for RESTful JSON APIs access tokens and OAuth2.0 For Login #415
Conversation
This commit adds a new submodule feature 'access_token', it is intended for RESTful JSON APIs, it allows rich client-side applications to use access tokens to communicate with the backend server. It also adds support for OAuth 2.0 For Login - Implicit Grant Flow -.
|
I wonder why this has not yet made it into sorcery!? I really need it for use with Ember ;) |
|
Highly useful. Token Auth would be a great addition to sorcery. /cc @NoamB |
|
I have a recent fork where there is support for token auth (from @fzagarzazu) and also better mongoid generators. |
|
Hi, Ps: I will see if I can publish a simple working demo this weekend. Regards, |
|
+1 for this. I also need this functionality for an Ember project. Seems like more of a core feature than some of the other stuff already included in Sorcery. |
|
Also badly needed to simplify an Ember-Rails project. Excited for this pull request. |
|
For those of you who need to add OAuth provider capability to your API you can try the doorkeeper gem. I've used it in the past and it works well. |
|
Did you get doorkeeper integrated with sorcery? I'm having trouble with having doorkeeper use resource_owner_from_credentials and authenticating that against sorcery. |
|
This is what I have in initializers/doorkeeper.rb resource_owner_from_credentials do |routes|
User.authenticate(params[:username], params[:password])
end |
|
I also have this is my API controller private
def current_user
@current_user ||= User.find_by_id(doorkeeper_token.resource_owner_id) if doorkeeper_token
end |
|
thank you very much! It works perfectly now :). |
| @@ -0,0 +1,16 @@ | |||
| class SorceryAccessToken < ActiveRecord::Migration | |||
| def self.up | |||
There was a problem hiding this comment.
Could we use change method here?
|
@NoamB is sorcery abandoned? :( |
|
@dirty-hippie I'm not maintaining it, but it has a new maintainer - @kirs , so no, it is actually more active than it has been in a long while... :) |
|
+1 Seems kind of critical to staying relevant in the mobile-first world. |
|
👎 Sorcery's responsibility is first and foremost managing user credentials. API authorization has nothing to do with managing credentials and is beyond the scope of the project. There are other gems that do a very good job of providing this functionality and are relatively easy to integrate with Sorcery. I think the Sorcery community would be better served with some wiki articles rather than implementing this. Otherwise I'm afraid we'd be adding bloat and diluting the maintainers resources crafting a solution for a problem that has already been fixed. |
|
@anthonator I'd urge you to actually a look at this pull request. It seems like you saw "OAuth 2" and imagined something else. This pull request is fundamentally about adding a token-based authentication module to sorcery. You might argue the merit of the actual implementation, but I don't think this constitutes "bloat" any more than any of the other modules in sorcery. It is a legitimate strategy for managing user credentials. Token based authentication has a lot of advantages over cookie-based authentication. Have a look at this article for some examples: I'd also like to point out that OAuth and OAuth 2 are fundamentally about authentication. They also provide some authorization mechanisms, but you don't have to use them at all. Supporting both authentication mechanisms in sorcery seems reasonable. If you disagree then maybe you ought to lobby to have the entirety of the |
|
@jamezilla What I don't agree with is turning sorcery into an oauth2 provider which is the impression I got from reading through this PR. After reading through the documentation in @fzagarzazu's fork I'm still under that impression. It's already been done, very well, to the spec, and is easy to integrate with sorcery. If I misinterpreted this I apologize. |
|
So, why this request was not accepted? |
|
@slava-nikulin it got caught up in a rollover between maintainers in 2014 I believe. If @fzagarzazu wants to rebase it, I can take a look. |
This commit adds a new submodule feature 'access_token', it is intended
for RESTful JSON APIs, it allows rich client-side applications to use
access tokens to communicate with the backend server.
It also adds support for OAuth 2.0 For Login - Implicit Grant Flow -.