I am using eventbrite omniauth to authenticate the user. With reference to https://github.com/k504866430/omniauth-eventbrite I included the gem and created a file omniauth.rb file as:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :eventbrite, ENV['EVENTBRITE_CLIENT_ID'], ENV['EVENTBRITE_CLIENT_SECRET']
end
On the show page of each event there is link to Authenticate with eventbrite.
events/24
= link_to "Authenticate with Eventbrite", "/auth/eventbrite"
When the user allows to access I want the callback url to redirect to same event page.
Thus I need to know how to pass the event_id in params so that the application can return to the same event page and how should the callback url be defined in routes.rb file
Eventbrite's OAuth2.0 implementation does not allow you to define the OAuth callback URL as a querystring parameter. This callback_url can only be defined by configuring your Eventbrite application key's 'redirect_uri' setting.
Pass-through of custom querystring parameters (such as an event_id) is also not supported.
Besides, you'll need to do a bit of follow-up work AFTER the user arrives back on your site.
If you need to redirect a user after they return to your website, I would consider stashing the 'redirect_url' (and possibly the event_id as well) in the user's browser session or another data store.
Setting up a single landing page (to match your redirect_uri) should allow you to complete the OAuth2.0 handshake before sending the user on to a url of your choice.
Related
I'm looking for a way to use a URL provided as a parameter in the POST request to create a user as the confirmation URL for confirming my Devise user model. The use case is that I have a rails application acting as an API for a frontend react app (setup using webpack) and I want the URL in the confirmations instructions email sent to the user to link to the frontend app, which would then send an API request to the backend to manually confirm the user, instead of the user visiting my backend API URLs themselves.
I want it so that the backend could potentially be used with other clients in the future, so the URL to be used must be variable. Currently I'm trying to pass it in the API request to create the user, and then somehow I would need a way to get this variable into the Devise mailer.
The end goal looks something like this:
# app/views/devise/mailer/confirmation_instructions.html.erb
<p>Welcome <%= #email %>!</p>
<p>You can confirm your account email through the link below:</p>
<p><%= link_to 'Confirm my account', #custom_confirmation_url ? "#{#custom_confirmation_url}#{#token}" : confirmation_url(#resource, confirmation_token: #token) %></p>
where #custom_confirmation_url is the variable holding the value of the URL passed into the POST request to register a new user.
I was potentially thinking of simply redirecting the user to my frontend after the confirmation, with something like this but I don't see how I'd make it work with multiple frontend clients, if I went that route.
I'm open to thoughts on whether or not this approach is even worth considering, or if there's a more stylistically correct way of accomplishing this.
I use odoo as a system in our company and want to use the website for internal news and informations. However the public should not see the website - only logged in users should! Viewers who aren't logged in should be redirected to the login screen.
Is that possible and how could I do it?
When you define the route with #http.route you have a parameter "auth", where you define that. From the odoo documentation:
auth –
The type of authentication method, can on of the following:
user: The user must be authenticated and the current request will perform using the rights of the user.
public: The user may or may not be authenticated. If she isn’t, the current request will perform using the shared Public user.
none: The method is always active, even if there is no database. Mainly used by the framework and authentication modules. There request code will not have any facilities to access the database nor have any configuration indicating the current database nor the current user.
Have a look to https://www.odoo.com/documentation/12.0/reference/http.html
It is simple , just give auth="user" in your method at main.py file in controller.
#http.route('/name', type='http', csrf=False, auth='user', website=True)
So here's my scenario. My user wants to integrate my app with basecamp. They click a link like: http://myapp.com/api/basecamp/enable/abc123xyz. The abc123xyz in this case is the users id. So my app then redirects to Basecamp to start the OAuth Process.
Once the user agrees to allow access, Basecamp redirects back to something like http://myapp.com/api/basecamp/complete?code=123456. At this point the "chain" to the user is broken, so I don't know what user this code is for. I tried using a redirect url of http://myapp.com/api/basecamp/complete/abc123xyz however basecamp rejects this URL as invalid, I'm assuming this is due to the redirect uri provided in the request not matching my registered app redirect url.
Any idea how I can pass something to github that they will pass back to me so I can associate the access token with the user requesting it be enabled? Github allows for a state property to be sent during oauth requests that are tied to a user and sent back with their requests so the user can be looked up in between request. Thanks!
So, after actually reading the docs, basecamp does support the state parameter, and with this my problem is solved.
This is a ruby question using omniauth-salesforce. I have omniauth 1.1.1 and omniauth-salesforce 1.0.3, and I can get user authenticated. However no refresh_token is returned by default. I only get access_token. My callback URL is http:// localhost:3000/auth/salesforce/callback
Based on the description of "Digging Deeper into OAuth2.0 on Force.com", the default scope of https://login.salesforce.com/services/oauth2/authorize is id api refresh_token. But this is not the case.
Then I I tried to specify scope parameter in the omniauth.rb
provider :salesforce, salesforce_client_id, client_secret, {:scope => "id api refresh_token"}
Then I got an error saying:
the requested scope is not allowed
In addition, if I try to put the following on a browser and I got the same error message
https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=3MVG9rFJvQRVOvk4RuIKaSYwf07LcsMtIAUK7h3Q6n5OHfD.IbFpEsROli3SqxWo67RklJ5FBdnYf4ejHNFrq&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsalesforce%2Fcallback&display=page&scope=api
Any help will be greatly appreciated.
Thanks,
You are correct to set the scope in your omniauth.rb's provider statement. However, before salesforce.com will issue a refresh_token the application must be configured to support this OAuth scope.
On salesforce.com, navigate to where you app is configured. (Setup > Create > Apps)
Under Connected Apps, click on your application's name to view its settings, then click Edit.
Under Selected OAuth Scopes, ensure that "Perform requests on your behalf at any time" is selected. You must include this even if you already chose "Full access".
Save, then try your OAuth flow again. It make take a short while for the update to propagate.
In your callback controller action, the refresh_token will now be available in request.env["omniauth.auth"].credentials.refresh_token.
I have a weird problem when I try to use door_keeper gem with rails app. The problem occurs when I use Oauth2 gem to get the token. But at the part I have url :
http://0.0.0.0:3000/oauth/authorize?response_type=code&client_id=199f27a02764f1ef1d31c2860b83ef93c0cc3dc26886d2b3d76b8ef1e935f3ae&redirect_uri=http%3A%2F%2F0.0.0.0%3A3000%2Fcallback
it doesn't redirect to the page we authorize and get token but it redirects directly to http://0.0.0.0:3000
what's the problem I have here, it should redirect to application authorize page first, shouldn't it ?
The authorization page requires some user to be logged in. You set up that in the resource_owner_authenticator block and it should look something like this:
resource_owner_authenticator do |routes|
# Put your resource owner authentication logic here.
# If you want to use named routes from your app you need
# to call them on routes object eg.
# routes.new_user_session_path
User.find(session[:user_id]) || routes.new_user_session_path
end
In this case, if the user is not in the session when it tries to access /oauth/authorize, it gets redirected back to new_user_session_path.
Only when the user was found from the session, you'll be able to see the authorization page.