songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit
MIT License

Can Omniauth be integrated with this? #28

Closed. chriskilding closed this 11 years ago.

chriskilding commented 12 years ago

We have a REST API and a Backbone web app, with smartphone apps to come. We'd like to secure the API with OAuth, but also keep the social login functionality we currently have.

Our question is, how should Omniauth (which we're using to provide that FB, Twitter, Google etc. login functionality) authentication be integrated with this API authorisation?

We've seen the "assertions" support which looks useful, but aren't sure how to go about using it.

jcoglan commented 12 years ago

Think of it like this: you have an authorization server, and a bunch of client applications that talk to your API. These clients will redirect to your OAuth authorization endpoint, which will authenticate the user and obtain authorization, and then redirect back to the client with an authorization code, which the client will exchange for an access token.

This says nothing about how your users authenticate. On Songkick, users can use their username and password, or log in through Facebook, and the client application has no idea either of these exist. They are implementation details of how the authorization server authenticates users.

This article might help you:

http://www.songkick.com/devblog/2012/05/09/fun-with-turtles-how-songkick-uses-oauth-for-just-about-everything/

jcoglan commented 12 years ago

The thing to remember is that the client will send the user to your server with params client_id, redirect_uri and response_type. The server must hang on to these values, either by storing them in the session or passing them through whatever authentication process it uses (prefer the latter since it's stateless), and then authenticate the user somehow, then use the OAuth params to redirect the user back to the client. How the authentication happens is not important as long as the server redirects correctly at some point.
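The flow jcoglan describes in his two comments above (validate the client's `client_id`, `redirect_uri` and `response_type`; carry them through whatever login step the server uses, preferably without session state; then mint a code and redirect back to the client) as an added Ruby example. This is illustrative code written for this page, not code from oauth2-provider or OmniAuth: the registered client, the signing secret, the user id and the in-memory code store are all constructed assumptions, and the request parsing is done by hand rather than with the gem's own parser.

```ruby
require 'json'
require 'openssl'
require 'securerandom'
require 'uri'

# Constructed sample client registration (hypothetical, not from the page).
CLIENTS = {
  'backbone-app' => { 'redirect_uri' => 'https://app.example.com/oauth/callback' }
}.freeze

# Hypothetical signing key; a real deployment loads it from configuration.
STATE_SECRET = 'replace-me-with-a-random-32-byte-secret'.freeze
STATE_TTL    = 600 # seconds the carried params stay valid

# Step 1: validate the client's authorize request before anything else, so the
# server never redirects a user to a redirect_uri the client did not register.
def parse_authorize_request(params, now: Time.now.to_i)
  client = CLIENTS[params['client_id']]
  return [nil, 'invalid_client'] unless client
  return [nil, 'invalid_redirect_uri'] unless client['redirect_uri'] == params['redirect_uri']
  return [nil, 'unsupported_response_type'] unless params['response_type'] == 'code'
  oauth = {
    'client_id'     => params['client_id'],
    'redirect_uri'  => params['redirect_uri'],
    'response_type' => 'code',
    'state'         => params['state'], # echoed back to the client unchanged
    'exp'           => now + STATE_TTL
  }
  [oauth, nil]
end

# Step 2: carry the validated params through the login step without server-side
# session state. They are hex-serialised and HMAC-signed so the login callback
# can trust them when they come back in a query parameter.
def pack_oauth_params(oauth, secret: STATE_SECRET)
  payload = JSON.generate(oauth).unpack1('H*')
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}.#{mac}"
end

# Constant-time comparison so the MAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the carried params, or nil if the token is forged, damaged or expired.
def unpack_oauth_params(token, secret: STATE_SECRET, now: Time.now.to_i)
  payload, mac = token.to_s.split('.', 2)
  return nil unless payload && mac
  return nil unless secure_equal?(mac, OpenSSL::HMAC.hexdigest('SHA256', secret, payload))
  oauth = JSON.parse([payload].pack('H*'))
  return nil unless oauth['exp'].is_a?(Integer) && oauth['exp'] > now
  oauth
rescue JSON::ParserError, ArgumentError
  nil
end

# Send the user into the login step (password form, Facebook, Twitter...) with
# the signed token attached; the login callback must hand it back unchanged.
def login_redirect(provider, oauth)
  "/auth/#{provider}?oauth=#{pack_oauth_params(oauth)}"
end

# Step 3: the user is now authenticated. Mint a short-lived authorization code
# bound to the client and redirect_uri, then redirect back to the client.
def authorization_redirect(oauth, user_id, codes, now: Time.now.to_i)
  code = SecureRandom.hex(16)
  codes[code] = {
    'client_id'    => oauth['client_id'],
    'redirect_uri' => oauth['redirect_uri'],
    'user_id'      => user_id,
    'exp'          => now + 60
  }
  uri   = URI(oauth['redirect_uri'])
  query = URI.decode_www_form(uri.query || '')
  query << ['code', code]
  query << ['state', oauth['state']] if oauth['state']
  uri.query = URI.encode_www_form(query)
  uri.to_s
end

# End to end: authorize request -> login round trip -> redirect back with code.
# Returns [redirect_url, error, issued_codes].
def run_flow(params, provider: 'facebook', user_id: 'user-42', now: Time.now.to_i)
  oauth, error = parse_authorize_request(params, now: now)
  return [nil, error, {}] if error
  token   = URI.decode_www_form(URI(login_redirect(provider, oauth)).query).to_h['oauth']
  carried = unpack_oauth_params(token, now: now)
  return [nil, 'invalid_state_token', {}] unless carried
  codes = {}
  [authorization_redirect(carried, user_id, codes, now: now), nil, codes]
end
```

The point of the signed token is that the authorization server needs nothing in the session between the authorize request and the login callback: whatever OmniAuth strategy (or password form) runs in between only has to return the token it was given. With OmniAuth, query parameters sent to the request phase are exposed to the callback as `request.env['omniauth.params']`, so the callback handler would call `unpack_oauth_params` on that value, reject the login if it returns nil, and otherwise finish with `authorization_redirect`. The `redirect_uri` check in step 1 is the one that matters most: a server that skips it and honours whatever URI the client sent will redirect freshly minted codes to an attacker.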

jcoglan commented 11 years ago

Closing due to inactivity. If you run into problems/bugs while doing this, please open a bug report.