We have a working web application that uses Google+ OAuth 2.0 authentication to allow access only to owners of our own email address domain.
The solution is out of the box or close to it: put devise, omniauth and omniauth-google-oauth2 in your Gemfile, set it up, generate the keys here and you are ready to go.
But having decided to create a native mobile application to access the web application DB, we had to implement the same login method. In the past we could’ve used token_authenticable of Devise fame, but since it has been (rightfully) deprecated for security reasons we have two options:
1. We could use Cross Client Authentication and you can check here this approach. Unfortunately the documentation seems to be heavily Android centric, but we’ll delve into the iOS approach in the future.
2. We could ask for a short lived access_token on the native app and then exchange it with the web application to provide authentication.
In this article we focus on how to adapt the web application to accept the access_token and grant access when it has been validated.
We have to add a before_filter to ApplicationController:
We are passing store: false, so the user is not stored in the session and a valid access_token is needed for every request.
Now we just need to add a method to the User class and that’s it.
Here we had to validate the token against the Google API to ensure the token is still valid and to retrieve the email address and check if it’s in our database.
Obviously the first Cross Client Authentication is preferable since we are not passing an access_token (albeit short lived), but this approach has the benefit of not tying our application to any SDK 😉
Leave a Reply