oauth2_provider: Make your Rails app an OAuth v2.0 provider

Wynn Netherland

With the likes of Facebook, GitHub, Gowalla, and others adopting OAuth 2.0, client libraries have been popping up everywhere.

If you want to join the cool kids and OAuth2-enable your API, where do you start? ThoughtWorks Studios has released oauth2_provider, a Rails plugin that lets your app act as an OAuth 2.0 provider: it issues access tokens and accepts them on requests to your API, alongside your existing login.

Install via RubyGems:

$ gem install oauth2_provider

… and add it to your Gemfile so Bundler loads it.

Next, run the supplied generator to create the initializer and migrations:

$ ./script/generate oauth2_provider

Enable OAuth support alongside your regular authentication in your ApplicationController:

class ApplicationController < ActionController::Base

  # the host application's authentication filter
  before_filter :login_required

  # mixes in the helpers used below: user_id_for_oauth_access_token
  # and looks_like_oauth_request?
  include Oauth2::Provider::ApplicationControllerMethods

  # this checks whether the user is logged in for purposes
  # of an authentication filter. obviously, your host application
  # will have very different code than this.  this example is
  # pulled from the sample host application with which the plugin ships.
  def login_required
    current_user_id = session[:user_id]
    if current_user_id
      User.current = User.new(current_user_id)
    else
      raise "Lack of rights!"
    end
  end

  protected

  # required by the OAuth plugin to figure out the currently logged in user
  # must be a string representation of the user.
  # A 'username', 'email' or a db primary key are good candidates.
  # (the body is not shown in the original; it reads the same session
  # key that login_required checks above)
  def current_user_id_for_oauth
    session[:user_id]
  end

  # wraps login_required: a valid access token logs its bearer in for
  # this session; a request that carries OAuth credentials but no valid
  # token is refused with 401; anything else falls through to the
  # host application's own check.
  def login_required_with_oauth
    if user_id = self.user_id_for_oauth_access_token
      session[:user_id] = user_id
    elsif looks_like_oauth_request?
      render :text => "Denied!", :status => :unauthorized
    else
      login_required_without_oauth
    end
  end
  alias_method_chain :login_required, :oauth

end


By default, controller actions are not OAuth'd, so you have to opt in per controller with the oauth_allowed class macro, perhaps from an intermediate controller class:

class ProtectedResourceController < ApplicationController

  # Supported options are:
  #  :only => [:oauth_protected_action...]
  #  :except => [:oauth_unprotected_action...]
  # If no options are specified, defaults to oauth for all actions
  oauth_allowed :only => :index

  # current_user is the host application's own helper (not shown here)
  def index
    render :text => "current user is #{current_user.email}"
  end

  def no_oauth_here
    render :text => "this content not available via Oauth"
  end

end

[Source on GitHub]
