Practical eCommerce

 

OpenID Authentication in Rails (Part 1)

 

Over the weekend I was playing around with an application that uses the restful_authentication plugin to handle user authentication. I wanted to add the ability for users to provide their OpenID rather than a username and password. It turned out to be a little more complicated than I expected, but thanks to some great gems and plugins, it was much easier than it could have been.

What is OpenID?

First of all, I should probably explain what an OpenID is. The theory behind OpenID is that as you browse the Internet you are frequently required to create accounts and log into various resources. In an effort to bring all of this user authentication under one account, the OpenID project aims to have one unified user account that can be used across the Internet.

Of course, this will only happen if the folks developing websites integrate the OpenID system into their sites, but the idea is a good one. Imagine an Internet where you can have one user account that can be used everywhere. Additionally, the OpenID system tracks activity to your account.

Currently, you can get an OpenID by visiting the OpenID website, among other places.

Adding OpenID to a Rails Application

To start working with OpenID and Rails, you will need some prerequisites. The first thing to do is to install the ruby-openid gem:

gem install ruby-openid

Then, you will need to install a plugin to handle the OpenID authentication stuff. My choice is the open_id_authentication plugin written by the Rails core team. You can install it into your application as a plugin by typing:

script/plugin install git://github.com/rails/open_id_authentication.git

Once installed, there are a few tables that will need to be created in your database in order to handle OpenID authentication. You can create these easily by running the migration that the plugin provides:

rake open_id_authentication:db:create

And you are ready to rumble. The plugin has a great README file that explains quite a bit of the technical mumbo-jumbo. Since that resource is already available, I wanted to go through an overview of what needs to be changed in order to implement OpenID authentication on top of another authentication system (such as restful_authentication).

The Login Process

The first place that I started was to implement a way that a user could log in with an OpenID rather than with their username and password, if that is what they choose. This requires a couple of things:

  1. Extra fields in our login form for the OpenID.
  2. A way to determine if a user is using OpenID or their username/password combination.
  3. A way to look up a user that is logging in using an OpenID.

The first one is relatively easy to handle, and is outlined in the README file for the plugin. The one thing to note is that you will need to make sure that the text field is called openid_identifier, so that the plugin can work with the submitted data.

In order to determine if a user is logging in with an OpenID, we can use the using_open_id? method that is provided with the plugin. We need this method in order to determine which authentication routine to run.

Finally, we will need to add an identity_url field to our user model, which can be done by generating a migration. This string field is used to store a user's OpenID so that their user account can be retrieved from the database after a successful login.

This leaves us with the following sequence for someone that is logging in with an OpenID rather than a username/password combination:

  1. User enters their OpenID and submits their login information.
  2. The Rails application recognizes that an OpenID is being used, and authenticates through the OpenID system.
  3. Once authenticated through OpenID, the Rails application looks up the user by their OpenID (rather than using the username/password).
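
The three-step sequence above as a runnable Ruby sketch (an added example, not code from the original post or from the plugin). SessionsFlow, Result, User, USERS, PROVIDER and PASSWORD_AUTH are hypothetical stand-ins for the sessions controller, the plugin's authenticate_with_open_id round trip and the existing username/password routine, so the flow runs without Rails or a network.

```ruby
# Added example. Result, User, USERS and the two lambdas are constructed
# stand-ins; in the real application the plugin and the user model supply them.
Result = Struct.new(:status, :message) { def successful?; status == :successful; end }
User = Struct.new(:login, :identity_url)
USERS = [User.new("alice", "https://alice.example.org/"),
         User.new("bob", nil)].freeze # bob is a password-only account

# Stand-in for the OpenID round trip: returns [result, verified identity URL].
PROVIDER = lambda do |submitted|
  if submitted == "alice.example.org"
    [Result.new(:successful, nil), "https://alice.example.org/"]
  else
    [Result.new(:failed, "OpenID verification failed"), nil]
  end
end
# Stand-in for the existing username/password routine.
PASSWORD_AUTH = lambda do |login, password|
  USERS.find { |u| u.login == login } if password == "constructed-password"
end

class SessionsFlow
  def initialize(params, provider = PROVIDER, password_auth = PASSWORD_AUTH)
    @params, @provider, @password_auth = params, provider, password_auth
  end

  # Step 2: pick the authentication routine for this request.
  def create
    using_open_id? ? open_id_authentication : password_authentication
  end

  private

  def using_open_id?
    !@params[:openid_identifier].to_s.strip.empty?
  end

  def open_id_authentication
    result, identity_url = @provider.call(@params[:openid_identifier])
    return [:failed, result.message] unless result.successful? && identity_url
    # Step 3: look up by the URL the provider verified, not the raw form value.
    # The nil guard above keeps a blank URL from matching password-only accounts.
    user = USERS.find { |u| u.identity_url == identity_url }
    user ? [:ok, user.login] : [:failed, "no account for #{identity_url}"]
  end

  def password_authentication
    user = @password_auth.call(@params[:login], @params[:password])
    user ? [:ok, user.login] : [:failed, "bad login or password"]
  end
end
```

Any result other than a successful one ends the request before the user lookup runs, which is the property to preserve when wiring this into a real controller.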

Not a whole lot has changed. Really all we did was put in a method to replace the username/password authentication routine (if needed) and then to look up a user by identity_url if they used an OpenID to log in. Doesn't seem too hard, and it wasn't. However, this is the simple part of the process, since for logging in the user account already exists. But how do we handle creating an account using OpenID?

Registration With OpenID

In the next post, I will cover the process for registering a new user using OpenID. As you might imagine, the process is slightly different from logging in since the user account needs to be created without a username/password. In my case, this was confusing since I was validating for these values and wanted to be sure that even if someone registers with an OpenID that they are given a username/password to use in case they wanted to.

Luckily, the OpenID system provides a way for simple registration to take place.

This post is filed under Developers' Corner and has the following keyword tags: ruby, rails, OpenID, open_id_authentication.
