Devise and Stateless tokens in Rails - ruby-on-rails-3

I have an API that I developed using Rails 3 and Devise. I am using tokens (token_authenticatable) to authenticate requests made to the API from a client. I want to be able to switch between users in the requests just by replacing the token.
I heard about a setting called :stateless_token (boolean) but I cannot figure out where to put this setting. Is there another way?
I found token_authenticatable here:
https://github.com/plataformatec/devise/blob/master/lib/devise/strategies/token_authenticatable.rb
I found info about stateless_token here:
http://rdoc.info/github/plataformatec/devise/master/Devise/Models/TokenAuthenticatable

stateless_token is deprecated as of now. This is the new form (it allows more auth strategies to be stateless):
```ruby
# config/initializers/devise.rb
config.skip_session_storage = [:token_auth]
```
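To see what this setting changes, here is a small Ruby model (an added example, not Devise or Warden code) of the two-request sequence from the question: with a token strategy that persists its result in the session, the user stored on request 1 is reused on request 2 even though the client sent a different token; with session storage skipped, every request is decided solely by its token. The users, tokens and the X-Auth-Token header name are constructed for the example, and the hand-written constant-time comparison stands in for Devise.secure_compare.

```ruby
# Constructed sample accounts keyed by API token (example data only).
USERS = {
  'tok-alice' => { id: 1, name: 'alice' },
  'tok-bob'   => { id: 2, name: 'bob' },
}.freeze

# Compare two strings without stopping at the first mismatching byte, so
# response time does not leak how much of a token matched (same idea as
# Devise.secure_compare).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  res = 0
  a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
  res.zero?
end

def find_by_token(token)
  return nil if token.nil?
  USERS.find { |t, _| secure_compare(t, token) }&.last
end

# Simplified model of a session-aware token strategy: a user already in
# the session wins, and the token is only looked up (and, unless storage
# is skipped, written back to the session) when the session is empty.
class TokenAuth
  def initialize(skip_session_storage:)
    @skip_session_storage = skip_session_storage
  end

  # session stands in for the Rack session behind the cookie; headers is
  # the request header hash carrying the constructed X-Auth-Token header.
  def authenticate(session, headers)
    if session[:user_id]
      return USERS.values.find { |u| u[:id] == session[:user_id] }
    end
    user = find_by_token(headers['X-Auth-Token'])
    session[:user_id] = user[:id] if user && !@skip_session_storage
    user
  end
end

# Two requests on the same cookie session, each carrying a different token.
def run_two_requests(skip_session_storage:)
  auth = TokenAuth.new(skip_session_storage: skip_session_storage)
  session = {}
  first  = auth.authenticate(session, 'X-Auth-Token' => 'tok-alice')
  second = auth.authenticate(session, 'X-Auth-Token' => 'tok-bob')
  [first[:name], second[:name]]
end

if __FILE__ == $PROGRAM_NAME
  p run_two_requests(skip_session_storage: false) # ["alice", "alice"]
  p run_two_requests(skip_session_storage: true)  # ["alice", "bob"]
end
```

With storage skipped, a request whose token matches nobody returns nil, which is the case an API should answer with 401 rather than falling back to whatever the cookie says.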

You can also edit the file /config/initializers/devise.rb and put (or uncomment, if already there) the following line:
```ruby
config.stateless_token = true
```

It should be an option in your devise_for line in the routes file:
```ruby
devise_for :users, :stateless_token => true
```
Let me know if that works.
On this page of the Devise documentation it says that "TokenAuthenticatable adds the following options to devise_for:", with stateless_token being one of them.
Also, here is a link to the devise_for documentation

Related

Ember-Simple-Auth customised Devise Authenticator serverTokenEndpoint defaulting to users/sign_in

Pretty much as described in the title. I have a basic Ember Simple Auth setup. With a Devise Authenticator I've set up a custom URL for the serverTokenEndpoint.
(CoffeeScript)
```coffeescript
devise = DeviseAuthenticator.extend
  serverTokenEndpoint: ENV.apiBaseURL + 'session'
  tokenAttributeName: 'authentication_token'
  resourceName: 'session'

export default devise
```
Authenticating and invalidating are OK. But when trying to navigate to certain pages I get requests for https://apiBaseURL/users/sign_in, which is an endpoint that doesn't exist.
Why is the configured URL not being used?
Or are there any other places this URL is set? Or used? It's currently causing the page to break and the user cannot continue.
Leaving this question here in case others stumble upon this issue as well. It was actually an issue with the back-end Devise setup.
Any endpoint which required an authentication token was sending this redirect if no token was found or it was invalid. The URL was taken from the Devise configuration of the back-end.
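The redirect described in the answer is the back-end treating a token-protected API request like a browser navigation. As an added example (not code from Devise, Ember Simple Auth or the original post), here is a Ruby function modelling the decision such an endpoint should make: a request that identifies itself as an API call (a JSON Accept header or a token header) gets a 401 with a JSON body, and only a plain HTML navigation is redirected to the sign-in page. The header names, the sign-in path and the response shapes are constructed for the example; in a real Devise app the corresponding knob is config.navigational_formats in config/initializers/devise.rb, which decides which request formats are redirected instead of answered with 401.

```ruby
require 'json'

SIGN_IN_PATH = '/users/sign_in' # constructed: the path the question saw

# An API call announces itself either by accepting JSON or by carrying a
# credential header (constructed header names; adjust to your client).
def api_request?(env)
  accept = env['HTTP_ACCEPT'].to_s
  accept.include?('application/json') ||
    env.key?('HTTP_AUTHORIZATION') ||
    env.key?('HTTP_X_AUTH_TOKEN')
end

# Returns a Rack triple [status, headers, body] for an unauthenticated
# request: 401 + JSON for API callers, 302 to the login form for browsers.
def failure_response(env)
  if api_request?(env)
    [401,
     { 'Content-Type' => 'application/json',
       'WWW-Authenticate' => 'Token realm="Application"' },
     [JSON.generate(error: 'unauthenticated')]]
  else
    [302, { 'Location' => SIGN_IN_PATH }, []]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed Rack env hashes for the two request kinds.
  p failure_response('HTTP_ACCEPT' => 'application/json', 'HTTP_X_AUTH_TOKEN' => 'abc')
  p failure_response('HTTP_ACCEPT' => 'text/html,application/xhtml+xml')
end
```

The useful side effect of answering 401 instead of 302 is that a client such as Ember Simple Auth sees an authentication failure it can act on, rather than following a redirect to a page that does not exist on the API host.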

Does "devise_token_auth" gem support web-based authentication?

This gem ("devise_token_auth") is used for token authentication for applications using JSON APIs for front-end development.
Can we use this gem for server side rendering? If yes, then how to add the token from a previous response to the current request?
I don't know if this is still a pressing matter for you, but I'd like to throw in some advice.
For your API you can throw in devise_token_auth and it will do everything you need for authentication there.
And if you need authentication with server-side rendering of pages (such as login forms, reset password forms, etc.) just throw in regular devise too. It will work with your exact same User model and table, and there will be little friction to get things up and running with the same resources you use with devise_token_auth.
Gemfile:
```ruby
# authentication and authorization
gem 'devise', '~> 3.5', '>= 3.5.6'
gem 'devise_token_auth', '0.1.37'
```
Then run
```shell
bundle
```
Run the installer for devise:
```shell
rails generate devise:install
```
Then generate your user model:
```shell
rails generate devise User
```
Install devise_token_auth now:
```shell
rails g devise_token_auth:install User "auth"
```
And make sure your database is migrated:
```shell
rake db:migrate
```
I think devise_token_auth may overwrite your user model; I'm not certain, but if it does, keep the migrations for devise_token_auth only and ignore the migrations for Devise.
Then make sure your routes.rb matches this:
```ruby
Rails.application.routes.draw do
  devise_for :users
  root "home#index"
  namespace :api, defaults: { format: :json } do
    namespace :v1 do # I namespace my routes
      mount_devise_token_auth_for "User", at: "auth"
    end
  end
end
```
devise_for must come before mount_devise_token_auth_for.
Then just refer to the official devise and devise token auth documentation to get both solutions working for you.
Hope this helps anyone who reaches this point and has a need to authenticate users on mobile app and on browser web app.
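The question's second part, carrying the token from one response into the next request, is not covered by the answer, so here is an added Ruby example (mine, not code from devise_token_auth or the original post). devise_token_auth hands its credentials back as the response headers access-token, client, uid, expiry and token-type and expects the client to send the same headers on the next request; because the token is rotated on each request when change_headers_on_each_request is on (the default), the stored set has to be replaced whenever a response carries a fresh one, while a response without an access-token (a batched request) must leave it alone. The TokenStore class, the store hash and the sample responses are constructed for the example; in a server-rendered app the store would be the Rails session rather than a cookie readable by page scripts.

```ruby
# Header names devise_token_auth uses for its credentials.
TOKEN_HEADERS = %w[access-token client uid expiry token-type].freeze

# Keeps the latest credential set across requests. `store` is any Hash-like
# object; in a server-rendered app it would be the Rails session.
class TokenStore
  def initialize(store = {})
    @store = store
  end

  # Pull a fresh credential set out of a response. Responses that carry no
  # access-token (e.g. batched requests) leave the stored set untouched.
  def absorb(response_headers)
    normalized = response_headers.transform_keys { |k| k.to_s.downcase }
    return false unless normalized['access-token']
    TOKEN_HEADERS.each { |h| @store[h] = normalized[h] if normalized.key?(h) }
    true
  end

  # Headers to attach to the next request, or nil when not signed in.
  def request_headers
    return nil unless @store['access-token']
    TOKEN_HEADERS.each_with_object({}) { |h, out| out[h] = @store[h] if @store[h] }
  end

  # expiry is a Unix timestamp (string); a missing expiry counts as expired.
  def expired?(now = Time.now.to_i)
    exp = @store['expiry']
    exp.nil? || exp.to_i <= now
  end
end

# Constructed walk-through: sign-in response, a request that rotates the
# token, then a batched request that returns no new token.
def round_trip
  store = TokenStore.new
  store.absorb('access-token' => 'tokA', 'client' => 'c1', 'uid' => 'a@example.com',
               'expiry' => '2000000000', 'token-type' => 'Bearer')
  first = store.request_headers.dup
  store.absorb('access-token' => 'tokB', 'client' => 'c1', 'uid' => 'a@example.com',
               'expiry' => '2000000100', 'token-type' => 'Bearer')
  store.absorb('content-type' => 'application/json') # batched: no new token
  [first['access-token'], store.request_headers['access-token'], store.expired?(1_900_000_000)]
end

p round_trip if __FILE__ == $PROGRAM_NAME # ["tokA", "tokB", false]
```

Call `absorb` on every response from the API and `request_headers` before every request; when `expired?` is true, send the user through sign-in again instead of retrying with the stale set.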

How to integrate Devise and SAML?

What is the best way to get SAML working with the widely used https://github.com/plataformatec/devise?
https://github.com/apokalipto/devise_saml_authenticatable doesn't do signed/encrypted auth requests and that's a deal breaker for us, and the usual sources haven't helped.
Devise's Omniauth integration, for example, requires an app ID and secret that Onelogin's SAML connector doesn't provide.
So, the answer that worked for me is to use the Gemfile and omniauth.rb settings as outlined in https://github.com/PracticallyGreen/omniauth-saml#usage and then to follow Devise's OmniAuth tutorial at https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview, replacing Facebook with SAML. Note that you mightn't need the UID field mentioned in the tutorial, depending on how your IdP stores their users (and you wouldn't get a permanent UID if you use the transient NameID format). Use whatever uniquely identifies your user at the IdP, which is quite possibly an email address.
The devise.rb stuff added by ioblomov doesn't seem to add anything and in fact causes an issue if you do it as well as doing an omniauth.rb file. This creates a situation where the IdP does two callbacks, one using the omniauth.rb settings and another using the devise.rb settings. Given that the devise.rb settings are not complete (they don't have a consumer url for example), I can't see how even having it on its own could ever work. It is not clear to me what "devise integration" even means in the context of omniauth-saml. Once you get an auth response back (which you will just from using the omniauth.rb settings), then all you have to do is use the devise method sign_in_and_redirect in your callback controller and then you have all the usual devise stuff available to you for that user. I will submit a PR to omniauth-saml but I wouldn't be holding my breath as the project appears to be sporadically maintained at the moment.
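To make the "use whatever uniquely identifies your user at the IdP" point concrete, here is an added Ruby example (my own, not code from Devise, omniauth-saml or the answer) of the lookup a SAML callback would do before calling sign_in_and_redirect: a persistent NameID is stored and matched as the uid, while a transient NameID is never stored or matched and the user is resolved on the email attribute instead. The auth hash layout (uid, info.email and a name_id_format key), the UserTable class and the in-memory user list are constructed for the example; the two NameID format URNs are the standard SAML 2.0 values.

```ruby
PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'.freeze
TRANSIENT  = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'.freeze

# Constructed in-memory user table standing in for the User model.
class UserTable
  attr_reader :users

  def initialize
    @users = []
  end

  # auth: constructed hash in the shape { uid:, name_id_format:, info: { email: } }
  def find_or_create_from_saml(auth)
    email  = auth.dig(:info, :email).to_s.strip.downcase
    format = auth[:name_id_format]
    raise ArgumentError, 'IdP assertion carried no email' if email.empty?

    # A transient NameID changes on every login, so it must never be stored
    # or used for lookup; the email attribute is the stable key in that case.
    uid = format == TRANSIENT ? nil : auth[:uid]

    user = (uid && @users.find { |u| u[:provider] == 'saml' && u[:uid] == uid }) ||
           @users.find { |u| u[:email] == email }
    if user
      user[:uid] ||= uid # link a persistent NameID the first time it is seen
      return user
    end
    user = { id: @users.size + 1, provider: 'saml', uid: uid, email: email }
    @users << user
    user
  end
end

# Walk-through: a persistent IdP matches by uid across logins; a transient
# IdP matches by email even though the uid differs each time.
def demo
  table = UserTable.new
  a1 = table.find_or_create_from_saml(uid: 'p-123', name_id_format: PERSISTENT, info: { email: 'Ann@Example.com' })
  a2 = table.find_or_create_from_saml(uid: 'p-123', name_id_format: PERSISTENT, info: { email: 'ann@example.com' })
  t1 = table.find_or_create_from_saml(uid: '_rand1', name_id_format: TRANSIENT, info: { email: 'bob@example.com' })
  t2 = table.find_or_create_from_saml(uid: '_rand2', name_id_format: TRANSIENT, info: { email: 'bob@example.com' })
  [a1[:id] == a2[:id], t1[:id] == t2[:id], t2[:uid], table.users.size]
end

p demo if __FILE__ == $PROGRAM_NAME # [true, true, nil, 2]
```

Whatever attribute you pick as the key, it should be one the IdP asserts and signs, which is why the answer above insists on signed responses; an unsigned assertion makes any lookup key attacker-chosen.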
I recently had to hook a Rails app up to a university network using Shibboleth for SSO. I ended up using Devise, OmniAuth and running on Apache with mod-shib2. I am not sure if you are using Shibboleth specifically, but it is built on top of SAML. The lightweight rack-saml implementation did not work for me.
Turns out the Devise config's parameters were wrong. I documented the correct settings in a fork/PR:
https://github.com/omniauth/omniauth-saml#devise-integration

How do I add a custom Devise/Warden authentication strategy for use with ActiveAdmin?

I'm trying to build an SSO system where a bunch of Rails 4 apps under different subdomains share a common cookie. I've got 4 apps doing authentication via the sorcery gem and 2 apps using ActiveAdmin and Devise.
The 4 apps using Sorcery are working as expected; I can get a successfully signed-on user to access all 4 different apps using the same session cookie.
I'm having trouble with the 2 Devise/ActiveAdmin apps. I added a custom Warden authentication strategy and configured Devise to use it. But I don't think the strategy is being used because I continue to get 401 unauthorized errors and any puts statements/logging in the authenticate! method below is never seen. Anyone with previous experience doing this? Or maybe some help tracing through where the authentication steps are happening so I can try to add some logging?
```ruby
Warden::Strategies.add(:gc_auth) do
  def valid?
    true
  end

  def authenticate!
    user = AdminUser.find_by_uuid(session[:user_uuid])
    user ? success!(user) : fail!("Not signed in")
  end
end

config.warden do |manager|
  manager.default_strategies.unshift :gc_auth
end
```
I was able to get this to work by examining how this gem is structured:
https://github.com/AMekss/devise_custom_authenticatable
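One reason a custom strategy can stay silent that is worth ruling out: Devise registers each mapping's strategies as Warden scope defaults (for an AdminUser model that is the :admin_user scope), and a scoped authenticate! consults only that per-scope list, so manager.default_strategies.unshift edits a global list the admin scope never reads; the scoped form manager.default_strategies(scope: :admin_user).unshift :gc_auth is the one Devise's README shows for custom strategies. The Ruby below is an added, simplified model of that lookup (my own code, not Warden's or Devise's), with constructed strategy names, to show the difference between the two calls; the comment at the end gives the devise.rb form.

```ruby
# Simplified stand-in for Warden's default-strategy config: a global list
# under :_all plus optional per-scope lists. A scope that has its own list
# never falls back to the global one.
class StrategyConfig
  def initialize
    @defaults = { _all: [] }
  end

  # With no scope, returns the global list (mutable, like Warden's).
  # With a scope, returns that scope's own list, creating it if needed.
  def default_strategies(scope: nil)
    scope ? (@defaults[scope] ||= []) : @defaults[:_all]
  end

  def scope_defaults(scope, strategies:)
    @defaults[scope] = strategies.dup
  end

  # What a scoped authenticate!(scope: ...) would actually run.
  def strategies_for(scope)
    @defaults.fetch(scope, @defaults[:_all])
  end
end

# What Devise does for each mapping at boot (constructed strategy list).
def devise_boot(config)
  config.scope_defaults(:admin_user, strategies: [:rememberable, :database_authenticatable])
  config
end

# The question's form: only the global list changes, so :admin_user never
# sees :gc_auth and authenticate! in the strategy is never called.
def register_globally
  config = devise_boot(StrategyConfig.new)
  config.default_strategies.unshift(:gc_auth)
  config.strategies_for(:admin_user)
end

# The scoped form: :gc_auth is tried first for :admin_user.
def register_for_scope
  config = devise_boot(StrategyConfig.new)
  config.default_strategies(scope: :admin_user).unshift(:gc_auth)
  config.strategies_for(:admin_user)
end

# In config/initializers/devise.rb the scoped registration reads:
#   config.warden do |manager|
#     manager.default_strategies(scope: :admin_user).unshift :gc_auth
#   end

if __FILE__ == $PROGRAM_NAME
  p register_globally  # [:rememberable, :database_authenticatable]
  p register_for_scope # [:gc_auth, :rememberable, :database_authenticatable]
end
```

A quick way to confirm which list a scope really uses in a running app is to inspect the Warden config in the console after Devise has booted, before adding logging to the strategy itself.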

How to do confirmation with devise authentication in Ruby on Rails

I am using Devise in my application for authentication. When I try to register, I get the following error:
```text
Missing host to link to! Please provide the :host parameter, set default_url_options[:host], or set :only_path to true
```
I am using :confirmable and had uncommented t.confirmable in the migration.
In order to use the confirmable module you need to configure ActionMailer, which is used by Devise for sending confirmation emails. The first step for solving your problem is setting up the mailer host in your environment.rb or in the corresponding file for a particular environment, like this:
```ruby
config.action_mailer.default_url_options = { :host => "example.com" }
```
For further steps have a look at this rails guide and answers to this question.