I'm moving an app to use only Google Federated Login (OpenID) for an application (we use Google Apps for everything and feel it would be easier to combine user management there). While I can successfully log in and create users, my thoughts are now on security...

When a user logs in I only have a "Log In" button - nothing else. The site domain is hard coded in (where SITE_DOMAIN appears below) and the user is redirected to the typical Google login page.

Here is the code:

def create
  open_id_authentication
end

protected

def open_id_authentication
  openid_url = ''  # provider endpoint (value blanked in the post)
  # the :required AX attribute URIs were also blanked in the post
  authenticate_with_open_id(openid_url, :required => ['', '', '']) do |result, identity_url, registration|
    case result.status
    when :missing
      failed_login "Sorry, the OpenID server couldn't be found"
    when :invalid
      failed_login "Sorry, but this does not appear to be a valid OpenID"
    when :canceled
      failed_login "OpenID verification was canceled"
    when :failed
      failed_login "Sorry, the OpenID verification failed"
    when :successful
      if @current_user = User.find_by_id_url(identity_url)
        if @current_user.login_from(request.env['REMOTE_ADDR'])
          successful_login
        else
          failed_login "Your OpenID profile registration failed: " + @current_user.errors.full_messages.to_sentence
        end
      else
        ax_response = OpenID::AX::FetchResponse.from_success_response(request.env[Rack::OpenID::RESPONSE])
        @current_user = User.login_create(ax_response, identity_url, request.env['REMOTE_ADDR'])
        successful_login
      end
    end
  end
end

Upon successful login I simply save the user into a session...

session[:current_user] = @current_user

...and use a simple current_user method in the Application controller...

def current_user
  # defined?(session[:current_user]) is always truthy (it reports the method
  # call, not whether the key is set); reading the key returns nil when unset
  session[:current_user]
end

My main concern is regarding security. OpenIDAuthentication is using the in-memory store and overall this seemed a bit too easy to implement (after reading through tons of documentation). Basic tests show this works fine, but I'm nervous. :)

Any thoughts?

I am using the open_id_authentication plugin and the basic ruby-openid gem (with the ruby-openid-apps-discovery gem for Google Apps).
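An added example, not from the question or from the open_id_authentication plugin: a session helper that keeps only the user id in the session and re-loads the user on each request, so the serialized User record never travels in a cookie and a deactivated account is logged out immediately. Plain Ruby with a Hash standing in for the Rails session and a constructed in-memory user table; `User`, `USERS`, `TRUSTED_OP_HOST` and the sample identity URLs are assumptions.

```ruby
require 'uri'

# Hypothetical: host of the OpenID provider whose claimed ids you accept.
TRUSTED_OP_HOST = 'www.google.com'

User = Struct.new(:id, :identity_url, :active)

# Constructed sample users standing in for the User table.
USERS = {
  1 => User.new(1, 'https://www.google.com/accounts/o8/id?id=constructed-1', true),
  2 => User.new(2, 'https://www.google.com/accounts/o8/id?id=constructed-2', false)
}

def find_user(id)
  USERS[id]
end

# Accept only https claimed identifiers issued by the expected provider host.
def trusted_identity?(identity_url)
  uri = URI.parse(identity_url.to_s)
  uri.scheme == 'https' && uri.host == TRUSTED_OP_HOST
rescue URI::InvalidURIError
  false
end

# Call with an identity_url the OpenID library has already verified.
# Stores only the id; `session` is a Hash here, the Rails session in an app
# (where `session.clear` would be `reset_session`).
def login!(session, identity_url)
  return false unless trusted_identity?(identity_url)
  user = USERS.values.find { |u| u.identity_url == identity_url }
  return false unless user && user.active
  session.clear                 # drop pre-login state (session fixation defence)
  session[:user_id] = user.id
  true
end

# Resolves the user on every request from the stored id only.
def current_user(session)
  id = session[:user_id]
  return nil unless id
  user = find_user(id)
  user && user.active ? user : nil
end
```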

This is now much easier thanks to omniauth.

