A Ruby wrapper for the OAuth 2.0 protocol.

⚠️ WARNING: You are viewing the README of the master branch which contains unreleased changes for version 2.0.0. Please help us reach the 2.0.0 release milestone by submitting PRs, or reviewing PRs and issues. OAuth2 If

Information

Category: Ruby / Authentication and OAuth
Watchers: 40
Star: 2.1k
Fork: 636
Last update: Nov 28, 2023

Resource links

http://rdoc.info/projects/intridea/oauth2

https://github.com/oauth-xx/oauth2

README
Issues 15

⚠️ WARNING: You are viewing the README of the master branch which contains unreleased changes for version 2.0.0. Please help us reach the 2.0.0 release milestone by submitting PRs, or reviewing PRs and issues.

OAuth2

If you need the readme for a released version of the gem please find it below:

Version	Release Date	Readme
1.4.4	Feb 12, 2020	https://github.com/oauth-xx/oauth2/blob/v1.4.4/README.md
1.4.3	Jan 29, 2020	https://github.com/oauth-xx/oauth2/blob/v1.4.3/README.md
1.4.2	Oct 1, 2019	https://github.com/oauth-xx/oauth2/blob/v1.4.2/README.md
1.4.1	Oct 13, 2018	https://github.com/oauth-xx/oauth2/blob/v1.4.1/README.md
1.4.0	Jun 9, 2017	https://github.com/oauth-xx/oauth2/blob/v1.4.0/README.md
1.3.1	Mar 3, 2017	https://github.com/oauth-xx/oauth2/blob/v1.3.1/README.md
1.3.0	Dec 27, 2016	https://github.com/oauth-xx/oauth2/blob/v1.3.0/README.md
1.2.0	Jun 30, 2016	https://github.com/oauth-xx/oauth2/blob/v1.2.0/README.md
1.1.0	Jan 30, 2016	https://github.com/oauth-xx/oauth2/blob/v1.1.0/README.md
1.0.0	May 23, 2014	https://github.com/oauth-xx/oauth2/blob/v1.0.0/README.md
< 1.0.0	Find here	https://github.com/oauth-xx/oauth2/tags

Oauth2 gem is looking for additional maintainers. See #307.

A Ruby wrapper for the OAuth 2.0 specification.

Installation

gem install oauth2

Resources

Usage Examples

require 'oauth2'
client = OAuth2::Client.new('client_id', 'client_secret', :site => 'https://example.org')

client.auth_code.authorize_url(:redirect_uri => 'http://localhost:8080/oauth2/callback')
# => "https://example.org/oauth/authorization?response_type=code&client_id=client_id&redirect_uri=http://localhost:8080/oauth2/callback"

token = client.auth_code.get_token('authorization_code_value', :redirect_uri => 'http://localhost:8080/oauth2/callback', :headers => {'Authorization' => 'Basic some_password'})
response = token.get('/api/resource', :params => { 'query_foo' => 'bar' })
response.class.name
# => OAuth2::Response

DEBUGGING

Set an environment variable, however you would normally do that.

# will log both request and response, including bodies
ENV['OAUTH_DEBUG'] = 'true'

By default, debug output will go to $stdout. This can be overridden when initializing your OAuth2::Client.

require 'oauth2'
client = OAuth2::Client.new(
  'client_id',
  'client_secret',
  :site   => 'https://example.org',
  :logger => Logger.new('example.log', 'weekly')
)

OAuth2::Response

The AccessToken methods #get, #post, #put and #delete and the generic #request will return an instance of the #OAuth2::Response class.

This instance contains a #parsed method that will parse the response body and return a Hash if the Content-Type is application/x-www-form-urlencoded or if the body is a JSON object. It will return an Array if the body is a JSON array. Otherwise, it will return the original body string.

The original response body, headers, and status can be accessed via their respective methods.

OAuth2::AccessToken

If you have an existing Access Token for a user, you can initialize an instance using various class methods including the standard new, from_hash (if you have a hash of the values), or from_kvform (if you have an application/x-www-form-urlencoded encoded string of the values).

OAuth2::Error

On 400+ status code responses, an OAuth2::Error will be raised. If it is a standard OAuth2 error response, the body will be parsed and #code and #description will contain the values provided from the error and error_description parameters. The #response property of OAuth2::Error will always contain the OAuth2::Response instance.

If you do not want an error to be raised, you may use :raise_errors => false option on initialization of the client. In this case the OAuth2::Response instance will be returned as usual and on 400+ status code responses, the Response instance will contain the OAuth2::Error instance.

Authorization Grants

Currently the Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials, and Assertion authentication grant types have helper strategy classes that simplify client use. They are available via the #auth_code, #implicit, #password, #client_credentials, and #assertion methods respectively.

auth_url = client.auth_code.authorize_url(:redirect_uri => 'http://localhost:8080/oauth/callback')
token = client.auth_code.get_token('code_value', :redirect_uri => 'http://localhost:8080/oauth/callback')

auth_url = client.implicit.authorize_url(:redirect_uri => 'http://localhost:8080/oauth/callback')
# get the token params in the callback and
token = OAuth2::AccessToken.from_kvform(client, query_string)

token = client.password.get_token('username', 'password')

token = client.client_credentials.get_token

token = client.assertion.get_token(assertion_params)

If you want to specify additional headers to be sent out with the request, add a 'headers' hash under 'params':

token = client.auth_code.get_token('code_value', :redirect_uri => 'http://localhost:8080/oauth/callback', :headers => {'Some' => 'Header'})

You can always use the #request method on the OAuth2::Client instance to make requests for tokens for any Authentication grant type.

Supported Ruby Versions

This library aims to support and is tested against the following Ruby implementations:

Rubies with support ending at Oauth2 1.x

For information on supported Rubies for the current 1.x release of oauth2 see the README for 1.4.x

Rubies with continued support past Oauth2 2.x

Ruby 2.2 - Support ends with version 2.x series
Ruby 2.3 - Support ends with version 3.x series
- JRuby 9.1 (targets MRI v2.3)
Ruby 2.4 - Support ends with version 4.x series
Ruby 2.5 - Support ends with version 5.x series
- JRuby 9.2 (targets MRI v2.5)
- truffleruby (targets MRI 2.5)
Ruby 2.6 - Support ends with version 6.x series
Ruby 2.7 - Support ends with version 7.x series

If something doesn't work on one of these interpreters, it's a bug.

This library may inadvertently work (or seem to work) on other Ruby implementations, however support will only be provided for the versions listed above.

If you would like this library to support another Ruby version, you may volunteer to be a maintainer. Being a maintainer entails making sure all tests run and pass on that implementation. When something breaks on your implementation, you will be responsible for providing patches in a timely fashion. If critical issues for a particular implementation exist at the time of a major release, support for that Ruby version may be dropped.

Versioning

This library aims to adhere to Semantic Versioning 2.0.0. Violations of this scheme should be reported as bugs. Specifically, if a minor or patch version is released that breaks backward compatibility, a new version should be immediately released that restores compatibility. Breaking changes to the public API will only be introduced with new major versions.

As a result of this policy, you can (and should) specify a dependency on this gem using the Pessimistic Version Constraint with two digits of precision.

For example:

spec.add_dependency 'oauth2', '~> 1.4'

License

Copyright (c) 2011-2013 Michael Bleigh and Intridea, Inc.
Copyright (c) 2017-2018 oauth-xx organization
See LICENSE for details.

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/oauth-xx/oauth2. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

Code of Conduct

Everyone interacting in the OAuth2 project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

15 Open More issues

Closed

Update Assertion strategy claims and request parameters

This started long ago as a fix to get this gem working with the Google two-legged OAuth2 service account use case, but evolved into a general fix for several issues. See the message history here for the complete context, but the short version is that this PR:

Updates the assertion_type request parameter to grant_type. This was changed in OAuth2 draft v11 in 2010(!). See the final RFC.
Allows any string to be set as a JWT claim key, rather than restricting to a specific set of four. Relevant RFCs are 7519 and 7523. There are some standard/expected ones (iss, sub, aud, exp, etc) but any endpoint can specify a requirement for the presence (or absence!) of any custom key they want.
Allows the use of any encoding method supported by the jwt gem, rather than just HS256 or RS256. See their documentation for the list.
Adds a bunch of specs!

The downside:

There are breaking changes to Assertion#get_token. Previously, the arguments looked like:

get_token(params, opts = {})

Now, the arguments are:

get_token(claims, encoding_opts, request_opts = {}, response_opts = {})

One of the reasons the Google use case did not work before was that Google requires a custom JWT claim key named scope. However, params[:scope] was a special key that was getting put into the request body itself -- having one params argument meant that this method could not differentiate between arguments intended to be put into the JWT, and arguments intended to be used elsewhere. In addition, like in the example of scope, there could be collisions between the two concepts.

Showing what an identical call might look like, translated from old to new:

OLD:

params = {
  :iss => '[email protected]',
  :scope => 'foo',
  :aud => 'https://example.com/oauth2/token',
  :exp => 1.hour.from_now.to_i,
  :prn => '[email protected]',
  :hmac_secret => 'secret!'
}

get_token(params)

NEW:

claims = {
  :iss => '[email protected]',
  :aud => 'https://example.com/oauth2/token',
  :exp => 1.hour.from_now.to_i,
  :prn => '[email protected]',
}

get_token(claims, {:algorithm => 'HS256', :key => 'secret!'}, {:scope => 'foo'})

Note that there is now the slight additional overhead of needing to know which encoding method you want to use. If you were passing in params[:hmac_secret] before, this file was inferring 'HS256' -- if you were passing in params[:private_key], it was inferring 'RS256'. See the list in RFC 7518 of supported algorithms -- including some that may be more strongly recommended in the future.

It's also worth noting that this PR expressly does not try to validate the presence of claim keys that are listed as required in the JWT for OAuth2 RFC. There are definitely endpoints that do not conform to that RFC (e.g. I think Google does not, in some cases), and folks should still be able to use this gem for those services. If there are endpoints that are strict about requiring the RFC-mandated keys, then they will enforce that behavior on their end.

in Changelog

opened Aug 28, 2015 by jhmoore 36

Closed

auth_code: default to header based authorization

http://tools.ietf.org/html/rfc6749#section-2.3.1

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.

opened Sep 12, 2014 by maletor 24

Closed

Upgraded to Faraday 2.0 and Ruby 3.1.0

Upgraded Faraday to 2.0 since I already depend on it and don't want to downgrade.

opened Jan 16, 2022 by prasanna 19

Closed

Upgrade jwt to 2.0.0

Version 2.0.0 of ruby-jwt has just been released after being in beta for many months. This PR updates the version used by this gem.

in Changelog

opened Sep 6, 2017 by travisofthenorth 17

Closed

Set the response object on the access token on Client#get_token

To allow further computation of the actual HTTP call, the response object (OAuth2::Response) is stored on the AccessToken.

This solves #186.

I hope you are fine with this. I am happy to change the naming/implementation upon your suggestion. Thank you for your great work on this gem!

in Changelog

opened Mar 24, 2017 by cpetschnig 16

Closed

Support Faraday 2.x on 1-4-stable branch, for subsequent 1.x release

For subsequent 1.x release supporting faraday 2.x -- gemspec is unchanged as to how old a faraday it allows, all the way back to 0.8 as per previous 1.x release.

Backported enough from master to get tests passing on both/either faraday 1.x AND 2.x.

I have confirmed locally that bundle exec rspec passes using both Faraday 1.9.3 and Faraday 2.2.0, by making local uncommitted edits the Gemfile to force both.

CI will of course only run with one version of Faraday. I'm not sure if it will actually be 1.x or 2.x -- see https://github.com/oauth-xx/oauth2/pull/561#issuecomment-1041714757

But this should make it possible to do a 1.4 release that allows and works with Faraday 2.x?

opened Feb 16, 2022 by jrochkind 15

tame-oauth - A (very) simple oauth 2.0 library

OAuth support for Django REST Framework

OAuth 1 Client

A spec compliant, secure by default PHP OAuth 2.0 Server

A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

A Python library for OAuth 1.0/a, 2.0, and Ofly.

OAuth 2.0 Authorization Server & Authorization Middleware for Gin-Gonic

A fully tested, abstract interface to creating OAuth clients and servers.

Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape.

A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.

KNV(Key-N-Value) is a very fast protocol engine for manipulating protocol data without knowing the detail of its contents. KNV serves for 3 main purposes: 1, As a fast protocol engine, supporting 1M+ processes per second; 2, As a schema-free protocol inspecter/modifier for general-purpose network server; 3, As a protocol and data storage engine for general data storage server.

Twitter OAuth API for PHP 5.3+

A Flutter OAuth package for performing user authentication for your apps.

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.

Easy integration with OAuth 2.0 service providers.

A package to implement "Login with" flow using OAuth compliant authorization servers

oauthcli - Implementation of OAuth 1.0 (and Twitter’s f*ckin’ OAuth) Client

A demo project using OAuth to secure some of your Eleventy Serverless routes.

Cloudflare worker scripts for registering users to newsletter using Google and Github OAuth.

OAuth Proxy

Base encodings for protocol-buffers

Share this repo

Related Repos

Authentication and O

A JWT authorization middleware for any web application.

JayDoubleuTee A JWT authorization middleware for any web application. JayDoubleuTee is inspired by Hanami philosophy to build components that are high

Authentication and O

I18n integration and translations for Rodauth authentication framework

rodauth-i18n Provides I18n integration for Rodauth authentication framework. It also includes built-in translations, which you are welcome to extend.

Authentication and O

232

Simple, functional authorization library and role management for ruby

Kan Simple functional authorization library for ruby. Inspired by transproc and dry project Table of context Installation Usage Contributing License Code of Conduct Installation Add this l

Authentication and O

4.3k

A simple ruby authentication solution.

Authlogic An unobtrusive ruby authentication library based on ActiveRecord. Sponsors Tail Authlogic users in your logs! Documentation Version Documentation Unrele

Popular

Authentication and O

3.6k

Rails authentication with email & password.

Clearance Rails authentication with email & password. Clearance is intended to be small, simple, and well-tested. It has opinionated defaults but is intended to be easy to override. Please use GitHub Issues to report b

Authentication and O

23.5k

Flexible authentication solution for Rails with Warden.

Devise is a flexible authentication solution for Rails based on Warden. It: Is Rack based; Is a complete MVC solution based on Rails engines; Allows you to have multiple models signed in at the same time; Is based on a modula

Authentication and O

3.5k

A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.

JWT A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard. If you have further questions related to development or usage, join us: ruby-jwt google group. Announcements Ruby 1.9.3 supp

Authentication and O

2.1k

Seamless JWT authentication for Rails API

knock Seamless JWT authentication for Rails API Description Knock is an authentication solution for Rails API-only application based on JSON Web Tokens. Why should I use this? It's lightweight. It

Authentication and O

7.8k

OmniAuth is a flexible authentication system utilizing Rack middleware.

OmniAuth: Standardized Multi-Provider Authentication An Introduction OmniAuth is a library that standardizes multi-provider authentication for web applications. It was created to be powerful, flexible, and do as

Authentication and O

1.6k

Ruby's Most Advanced Authentication Framework

Rodauth Rodauth is an authentication and account management framework for rack applications. It's built using Roda and Sequel, but it can be used with other web frameworks, database libraries, and databases. When used with Postgr

Authentication and O

124

Authentication protocol for use in your routing and model context

Shield Shield n. A solid piece of metal code used to protect your application. Why another authentication library? Because most of the other libraries are too huge. Extending other libraries is a pain. Writing

Authentication and O

2.5k

General Rack Authentication Framework

Warden Getting Started Please see the Warden Wiki for overview documentation. Maintainers Daniel Neighman (hassox) José Valim (josevalim) Justin Smestad (jsmestad) Whitney Smestad (whithub) A li

Popular

Authentication and O

5.2k

Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape.

Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app. Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider functionality to your Ruby on Rails or Grape application. Supported f

Authentication and O

2.1k

A Ruby wrapper for the OAuth 2.0 protocol.

Authentication and O

855

Yet another role-based authorization system for Rails

acl9 Acl9 is a role-based authorization system that provides a concise DSL for securing your Rails application. Access control is pointless if you're not sure you've done it right. The fundamental goal of acl9 is to ensure tha