Google Apps and Open ID Authentication in Rails - Security

I'm moving an app to use only Google Federated Login (OpenID) for an application (we use Google Apps for everything and feel it would be easier to combine user management there). While I can successfully log in and create users, my thoughts are now on security...

When a user logs in I only have a "Log In" button - nothing else. The site domain is hard coded in (where SITE_DOMAIN appears below) and the user is redirected to the typical google login page.

Here is the code:

    def create
      open_id_authentication
    end

    protected

    def open_id_authentication
      # Google Apps discovery endpoint for the hosted domain; SITE_DOMAIN is hard coded.
      openid_url = 'https://www.google.com/accounts/o8/site-xrds?hd=SITE_DOMAIN'

      # AX attributes we ask Google to assert along with the identity.
      authenticate_with_open_id(openid_url,
                                :required => ['http://axschema.org/contact/email',
                                              'http://axschema.org/namePerson/first',
                                              'http://axschema.org/namePerson/last']) do |result, identity_url, registration|
        case result.status
        when :missing
          failed_login "Sorry, the OpenID server couldn't be found"
        when :invalid
          failed_login "Sorry, but this does not appear to be a valid OpenID"
        when :canceled
          failed_login "OpenID verification was canceled"
        when :failed
          failed_login "Sorry, the OpenID verification failed"
        when :successful
          # Known identity: record the login; otherwise create the user from the AX response.
          if @current_user = User.find_by_id_url(identity_url)
            if @current_user.login_from(request.env['REMOTE_ADDR'])
              successful_login
            else
              failed_login "Your OpenID profile registration failed: " +
                           @current_user.errors.full_messages.to_sentence
            end
          else
            ax_response = OpenID::AX::FetchResponse.from_success_response(request.env[Rack::OpenID::RESPONSE])
            @current_user = User.login_create(ax_response, identity_url, request.env['REMOTE_ADDR'])
            successful_login
          end
        end
      end
    end

Upon successful login I simply save the user into a session...

    session[:current_user] = @current_user

...and use a simple current_user method in the Application controller...

    def current_user
      # defined?(session[:current_user]) is always truthy (it reports a method call),
      # so the guard did nothing; the session value itself is nil when no one is logged in.
      session[:current_user]
    end

My main concern is regarding security. OpenIDAuthentication is using the in-memory store and overall this seemed a bit too easy to implement (after reading through tons of documentation). Basic tests show this works fine, but I'm nervous. :)

Any thoughts?

I am using the open_id_authentication plugin and the basic ruby-openid gem (with the ruby-openid-apps-discovery gem for Google Apps).
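The checks a practitioner would want around the successful branch of the callback above, as an added example that is not the poster's code and not part of the open_id_authentication plugin. It models what the controller should decide once authenticate_with_open_id yields (result, identity_url, AX attributes): accept only a :successful status, only an https identity URL, and only an asserted e-mail that is exactly in the hosted domain, then keep a user id in the session instead of the serialized User object. HOSTED_DOMAIN (example.com) stands in for SITE_DOMAIN, the identity URL in the test is constructed, and the status symbols follow the ones the posted case statement already handles; none of this is real Google data.

```ruby
require 'uri'

# Added example, not the original poster's code. Policy applied to an OpenID
# assertion after the library has verified the signature.
module FederatedLoginPolicy
  # Stand-in for SITE_DOMAIN in the original post (assumption).
  HOSTED_DOMAIN = 'example.com'.freeze

  # AX attribute type URIs requested in the original post.
  AX_EMAIL = 'http://axschema.org/contact/email'.freeze
  AX_FIRST = 'http://axschema.org/namePerson/first'.freeze
  AX_LAST  = 'http://axschema.org/namePerson/last'.freeze

  # Minimal shape of what the callback yields: :status mirrors the result
  # statuses handled in the post; :attributes maps AX type URI => [values].
  Assertion = Struct.new(:status, :identity_url, :attributes)

  # What we are willing to remember about an accepted login.
  Accepted = Struct.new(:identity_url, :email, :first_name, :last_name)

  class Rejected < StandardError; end

  # Split a mail address into [local, domain] with the domain normalised
  # (lower-cased, trailing dot removed); nil if it is not a plain address.
  def self.split_email(addr)
    s = addr.to_s.strip
    return nil unless s.count('@') == 1
    local, domain = s.split('@', 2)
    return nil if local.empty? || domain.empty?
    domain = domain.chomp('.').downcase
    return nil unless domain =~ /\A[a-z0-9.-]+\z/
    [local, domain]
  end

  # The identity URL must be absolute https before we look it up anywhere.
  def self.acceptable_identity_url?(url)
    u = URI.parse(url.to_s)
    u.is_a?(URI::HTTPS) && !u.host.nil? && !u.host.empty?
  rescue URI::InvalidURIError
    false
  end

  # Exactly one value for an AX attribute; a missing or multi-valued
  # attribute counts as absent so a second e-mail cannot carry another domain.
  def self.single(attrs, type_uri)
    vals = attrs.fetch(type_uri, [])
    vals = [vals] unless vals.is_a?(Array)
    vals.size == 1 ? vals.first.to_s.strip : nil
  end

  # Raises Rejected unless every check passes; returns an Accepted record.
  # Exact domain match rejects sub-domains (evil.example.com) and look-alikes
  # (example.com.attacker.net) alike.
  def self.accept(assertion)
    raise Rejected, "OpenID status #{assertion.status}" unless assertion.status == :successful
    raise Rejected, 'unexpected identity URL' unless acceptable_identity_url?(assertion.identity_url)
    email = single(assertion.attributes, AX_EMAIL)
    raise Rejected, 'no usable e-mail attribute' if email.nil?
    local, domain = split_email(email)
    raise Rejected, 'e-mail outside hosted domain' unless domain == HOSTED_DOMAIN
    Accepted.new(assertion.identity_url, "#{local}@#{domain}",
                 single(assertion.attributes, AX_FIRST),
                 single(assertion.attributes, AX_LAST))
  end

  # What goes into the session: a user id, never the User object itself.
  def self.session_payload(user_id)
    { user_id: Integer(user_id) }
  end

  # Resolving the user on every request from that id means an account removed
  # after login stops working on the next request, which a serialised object
  # stored in the session would not do. users_by_id stands in for User.find.
  def self.resolve_user(session, users_by_id)
    id = session[:user_id]
    id && users_by_id[id]
  end
end
```

Two things this does not cover but the in-memory store question touches: ruby-openid's memory store keeps associations and nonces per process, so with several Rails processes, or after a restart, a nonce accepted by one process is unknown to the others and replay protection does not carry across them; for anything beyond a single development process use a store every process shares (ruby-openid ships OpenID::Store::Filesystem, and the plugin's store setting can be pointed at it or at a database-backed store).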

-------------Problems Reply------------

This is now much easier thanks to omniauth.

Category: ruby on rails    Time: 2010-08-09


Copyright (C) dskims.com, All Rights Reserved.
