Comments (28)
Yeah! Waiting for that too.
+1, would love to see OAuth 2 support!
+1 happy to help where I'm able...
+1
We do OAuth with Grape and Devise, see http://code.dblock.org/grape-api-authentication-w-devise
Oh man oh man would I love this!
Yes, please.
I think the best approach here would be to link with rack-oauth2-server: https://github.com/flowtown/rack-oauth2-server
It does have a MongoDB dependency, but it's pretty clean and well tested so it should be easy to swap it out for something else, or at least add on an adapter pattern so that it's possible to use multiple datastores.
It's possible there's a better oauth2 server implementation I'm not yet aware of, if anybody else knows about it please add it here as a candidate. The two things I think are important here are datastore agnosticism (ability to plug multiple backends in), and a popular and/or recent oauth2 implementation (either draft 10 or the latest draft). Bonus points if it can support the EM-Synchrony non-blocking IO w/fibers code.
BTW, we actually need something like this coming up at Geoloqi, so if I can find a good oauth2 server to plug into the Grape OAuth2 middleware, I may be interested in implementing this code. But it must meet my two criteria above, else it's kind of a waste of time for me.
IMHO Grape can't help much with this. We all want to plug OAuth2 transparently, but an API is not the right place.
OAuth2 is two methods, authorize and access_token. access_token is easily implementable in Grape; it needs to be aware of client_id and issue an access grant, and it also returns JSON. But authorize produces a redirect for an authenticated user; it involves a login in a browser before it can be called.
So, now, why would you complicate your life bouncing between a Grape API and some web stack (eg. Rails) to do it? Or worse, render an HTML login from a Grape API?
The opposite works, a token obtained via an OAuth2 process done in an external OAuth2 server can easily be verified in a Grape API.
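An added illustration of the last point above (a Grape API verifying a token that an external OAuth2 server issued), not code from this thread or from Grape itself. It is a plain Rack middleware with no gem dependencies; the token store is a constructed in-memory hash standing in for the external server, and the names BearerTokenAuth, API and api_request are invented here.

```ruby
require 'time'

# Rack middleware that verifies bearer tokens issued by an external OAuth2 server
# before a request reaches the Grape API (RFC 6750 style responses: 400/401/403).
class BearerTokenAuth
  # Constructed sample records standing in for the external server's token store.
  TOKENS = {
    'good-token'    => { user: 'alice', scopes: %w[read write], expires_at: Time.now + 3600 },
    'expired-token' => { user: 'bob',   scopes: %w[read write], expires_at: Time.now - 60 },
    'narrow-token'  => { user: 'carol', scopes: %w[read],       expires_at: Time.now + 3600 }
  }.freeze

  def initialize(app, realm: 'grape-api', scope: nil)
    @app, @realm, @scope = app, realm, scope
  end

  def call(env)
    header = env['HTTP_AUTHORIZATION']
    return reject(401, nil) if header.nil?                  # no credentials: bare challenge
    token = header[/\ABearer +([A-Za-z0-9\-._~+\/]+=*)\z/, 1]
    return reject(400, 'invalid_request') if token.nil?     # not a well-formed Bearer header
    record = TOKENS[token]
    return reject(401, 'invalid_token') if record.nil? || record[:expires_at] <= Time.now
    return reject(403, 'insufficient_scope') if @scope && !record[:scopes].include?(@scope)
    env['oauth2.user'] = record[:user]                      # Grape helpers can read this
    @app.call(env)
  end

  private

  def reject(status, error)
    challenge = %(Bearer realm="#{@realm}")
    challenge << %(, error="#{error}") if error
    body = error ? %({"error":"#{error}"}) : '{"error":"unauthorized"}'
    [status, { 'content-type' => 'application/json', 'www-authenticate' => challenge }, [body]]
  end
end

# Stand-in for the Grape API behind the middleware: returns the verified user.
API = ->(env) { [200, { 'content-type' => 'application/json' }, [%({"user":"#{env['oauth2.user']}"})]] }
PROTECTED = BearerTokenAuth.new(API, scope: 'write')

# Build a minimal Rack env and run it through the stack.
def api_request(authorization = nil)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/api/secret' }
  env['HTTP_AUTHORIZATION'] = authorization if authorization
  PROTECTED.call(env)
end
```

In a real deployment the TOKENS lookup becomes a call to the OAuth2 server's token store or introspection endpoint; the header parsing, expiry and scope checks stay the same.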
Hi dblock,
can you give an example of how to do it?
See above, http://code.dblock.org/grape-api-authentication-w-devise.
@mbleigh @jch you guys have any thoughts on this?
Might be relevant to this ticket:
https://github.com/intridea/grape/blob/master/lib/grape/middleware/auth/oauth2.rb
This was added with the comment "Added OAuth 2.0 middleware (only for accessing protected resources at this point)"
Intriguing.
What about Warden-Oauth2?
I'm using https://github.com/nov/rack-oauth2 in my sinatra app. It works quite well and leaves the ORM part up to you. It supports up to draft 18 of the oauth2 spec, bearer tokens, hmac, and the authorization code, implicit, resource owner credential, and client credential grant types. It just lacks documentation and you really have to look at the source and the example apps to figure out how to use it.
@kamui What I think we would really like is a working sample with a HowTo integrating any OAuth2 mechanism with Grape. Care to contribute? It could go into the wiki, or I could link a post from there.
I've added a section on authentication here, with examples for Basic and Digest auth and redirecting users to warden-oauth2 and rack-oauth2, both work with Grape just fine.
Unfortunately we don't use Warden and I have absolutely no idea how to make rack-oauth2 work with Grape. Suggestions?
Is oauth2.rb usable?
I've been trying to work with it, but it does not seem to respect the pattern of the other auth classes: it inherits from ::Base instead of Auth::Base and has no method like http_oauth2.
Is it work in progress? Do you guys need help with it?
@Balauru We probably do need help with it. It's one of the oldest pieces of code in Grape and isn't getting a lot of mileage. I almost wonder whether we should take all that stuff out into a separate gem.
@dblock This is my conclusion as well. I've taken a look at rack and it actually has auth implementations; I think a better place for it will be in there.
The second option will be to just drop it and build a decent sample on how to integrate with rack-oauth2
(I'm currently working on it).
+10 on that @Balauru I take pull requests!
https://github.com/balauru/grape-oauth2-sample
I've created a sample; it's a rack app running a grape api and secured via OAuth2 via rack-oauth2. After running rackup you can navigate to http://localhost:9292/apidoc to see a list of end points.
I still need to put in the redirection and the authentication endpoint; feedback is greatly appreciated.
I've added it to the wiki. Looking forward to seeing some PRs and HowTo's and getting some of this OAuth code out of Grape proper.
Also you could look at the grape_oauth2 gem. The main goals of this project are ORM independence (but there are predefined mixins for ActiveRecord and Sequel, and API documentation for any other ORM or PORO objects) and maximum customization. The gem is currently under development (and everybody could help with it), but it already implements the following features:
- Resource Owner Password Credentials Flow
- Client Credentials Flow
- Refresh token Flow
- Token revocation
- Access Token Scopes
@nbulaj You should add it to http://www.ruby-grape.org/projects/ please