Open roman opened 14 years ago
As I see it, the authenticate! method of service A shouldn't be called at all when you are authenticating via service B. This should be avoided in the valid? method.
As I see it, this is not covered in the specs or in the code. We will have to do this:
1) Add a spec that has 2 services registered and check that each of them is being called successfully when using them.
The way we are going to do this is:
2) Add an Application Parameter on the get_request_token and get_access_token invocations that identifies each strategy uniquely, so that the valid? method can check which service is being called.
Probably we could use the same warden_oauth_provider parameter and ditch the oauth_token verification from the valid? method altogether.
Something like:
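```ruby
# A strategy is only valid for callbacks tagged with its own provider name.
def valid?
  params.include?('warden_oauth_provider') &&
    params['warden_oauth_provider'] == config.provider_name.to_s
end

def authenticate!
  if params.include?('oauth_token')
    # Callback from the provider: pick up the token stored before the redirect.
    load_request_token_from_session
  else
    # First leg: remember the request token before redirecting to the provider.
    store_request_token_on_session
    #...
  end
end

def request_token
  host_with_port = Warden::OAuth::Utils.host_with_port(request)
  # Pass the provider name along so the callback can be matched to this strategy.
  @request_token ||= consumer.get_request_token({:oauth_callback => host_with_port}, :warden_oauth_provider => config.provider_name.to_s)
end
```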
(As noted by Steven Parkes)
I'm using warden_oauth against both Twitter and LinkedIn (in the context of devise, if that matters).
The problem I'm coming up against is that when I get the redirect back from the oauth provider, it again goes through all the strategies. The authenticate! for each strategy sees that it has the right URL parameter and goes on to do the find_user_by_access_token. But if the auth is through the second provider, this is wrong when checking the first provider, and it errors out because it's getting the wrong token.
Does that make sense? The summary is that multiple oauth strategies have to be able to differentiate themselves.
Not sure the best way to do this. I could have different callback URLs, but that's getting overridden in #request_token right now.
I can hack it, but I'm wondering what you thought the best approach would be.
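
An added example, not part of the original issue or of warden_oauth's code: a simplified stand-in for the strategy loop, showing why a `valid?` that only looks for `oauth_token` lets the wrong provider's strategy handle a callback, and how scoping on `warden_oauth_provider` prevents it. The `OAuthStrategy` class, `run_callback`, `outcome` and the token values are hypothetical and constructed for illustration.

```ruby
# Constructed stand-in for a strategy loop; not warden_oauth's real classes.
class OAuthStrategy
  attr_reader :provider

  def initialize(provider, scoped:)
    @provider = provider
    @scoped = scoped # true => valid? checks the warden_oauth_provider parameter
  end

  def valid?(params)
    if @scoped
      params['warden_oauth_provider'] == provider.to_s
    else
      params.include?('oauth_token') # behaviour described in the issue
    end
  end

  # Succeeds only if the callback token is the one this provider issued.
  def authenticate!(params, session)
    issued = session.dig(:request_tokens, provider)
    raise ArgumentError, "#{provider}: unknown token" unless issued == params['oauth_token']
    "#{provider}_user"
  end
end

# Calls each strategy whose valid? is true, in registration order,
# and records the outcome per provider.
def run_callback(strategies, params, session)
  strategies.each_with_object({}) do |s, log|
    next unless s.valid?(params)
    log[s.provider] = begin
      s.authenticate!(params, session)
    rescue ArgumentError => e
      "error: #{e.message}"
    end
  end
end

# Constructed callback: the user signed in through the second provider.
SESSION = { request_tokens: { linkedin: 'li-req-123' } }.freeze
PARAMS  = { 'oauth_token' => 'li-req-123', 'warden_oauth_provider' => 'linkedin' }.freeze

def outcome(scoped)
  strategies = %i[twitter linkedin].map { |p| OAuthStrategy.new(p, scoped: scoped) }
  run_callback(strategies, PARAMS, SESSION)
end

p outcome(false) # unscoped: the twitter strategy is also invoked
p outcome(true)  # scoped: only the linkedin strategy runs
```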