Zaikio::OAuthClient
This Gem enables you to easily connect to the Zaikio Directory and use the OAuth2 flow and easily lookup matching Access Tokens.
Installation
Simply add the following in your Gemfile:
gem "zaikio-oauth_client"
Then run bundle install
.
Setup & Configuration
1. Setup Active Record encryption
Setup Active Record Encryption by running:
rails db:encryption:init
(Continue generating the credentials each for different environments)
2. Copy & run Migrations
rails zaikio_oauth_client:install:migrations
rails db:migrate
This will create the tables:
zaikio_access_tokens
3. Mount routes
Add this to config/routes.rb
:
mount Zaikio::OAuthClient::Engine => "/zaikio"
4. Configure Gem
# config/initializers/zaikio_oauth_client.rb
Rails.application.reloader.to_prepare do
Zaikio::OAuthClient.configure do |config|
config.environment = :sandbox
config.register_client :warehouse do |warehouse|
warehouse.client_id = "52022d7a-7ba2-41ed-8890-97d88e6472f6"
warehouse.client_secret = "ShiKTnHqEf3M8nyHQPyZgbz7"
warehouse.default_scopes = %w[directory.person.r]
warehouse.register_organization_connection do |org|
org.default_scopes = %w[directory.organization.r]
end
end
config.register_client :warehouse_goods_call_of do |warehouse_goods_call_of|
warehouse_goods_call_of.client_id = "12345-7ba2-41ed-8890-97d88e6472f6"
warehouse_goods_call_of.client_secret = "secret"
warehouse_goods_call_of.default_scopes = %w[directory.person.r]
warehouse_goods_call_of.register_organization_connection do |org|
org.default_scopes = %w[directory.organization.r]
end
end
config.around_auth do |access_token, block|
Zaikio::Hub.with_token(access_token.token) do
block.call(access_token)
end
end
end
end
5. Clean up outdated access tokens (recommended)
To avoid keeping all expired oath and refresh tokens in your database, we recommend to implement their scheduled deletion. We recommend therefore to use a schedule gems such as sidekiq and sidekiq-scheduler.
Simply add the following to your Gemfile:
gem "sidekiq"
gem "sidekiq-scheduler"
Then run bundle install
.
Configure sidekiq scheduler in config/sidekiq.yml
:
:schedule:
cleanup_access_tokens_job:
cron: '0 3 * * *' # This will delete all expired tokens every day at 3am.
class: 'Zaikio::CleanupAccessTokensJob'
Usage
OAuth Flow
From any point in your application you can start using the Zaikio Hub OAuth2 flow with
redirect_to zaikio_oauth_client.new_session_path
# or
redirect_to zaikio_oauth_client.new_session_path(client_name: 'my_other_client')
# or install as organization
redirect_to zaikio_oauth_client.new_connection_path(client_name: 'my_other_client')
This will redirect the user to the OAuth Authorize endpoint of the Zaikio Directory
.../oauth/authorize
and include all necessary parameters like your client_id. You may
also pass show_signup
, force_login
and state
parameters through, like so:
# Take the user directly to the signup page
redirect_to zaikio_oauth_client.new_session_path(show_signup: true)
# Force the user to re-authenticate even if they have an existing session
redirect_to zaikio_oauth_client.new_session_path(force_login: true)
# Pass a custom Oauth 2.0 state parameter
redirect_to zaikio_oauth_client.new_session_path(state: "something-my-app-uses")
You can also send them to the Subscription Redirect flow, which behaves & redirects back like a regular Organization flow except it additionally sets up a subscription for the organization:
# Require them to select a plan themselves...
redirect_to zaikio_oauth_client.new_subscription_path
# Or preselect a plan for them
redirect_to zaikio_oauth_client.new_subscription_path(plan: "free")
Session handling
The Zaikio gem engine will set a cookie for the access token after a successful OAuth flow: session[:zaikio_access_token_id]
.
If you are using for example Zaikio::Hub::Models
, you can use this snippet to set the current user:
access_token = Zaikio::OAuthClient.find_active_access_token(session[:zaikio_access_token_id])
session[:zaikio_access_token_id] = access_token&.id
Current.user = Zaikio::Hub::Models::Person.find_by(id: access_token&.bearer_id)
unless Current.user
session[:origin] = request.fullpath
redirect_to zaikio_oauth_client.new_session_path
end
You can then use Current.user
anywhere.
For logout use: zaikio_oauth_client.session_path, method: :delete
or build your own controller for deleting the cookie. If you do build your own controller, please be aware that it is possible for the access token to be nil, and you should handle this accordingly.
Multiple clients
When performing requests against directory APIs, it is important to always provide the correct client in order to use the client credentials flow correctly. Otherwise always the first client will be used. It is recommended to specify an around_action
:
class ApplicationController < ActionController::Base
around_action :with_client
private
def with_client
Zaikio::OAuthClient.with_client Current.client_name do
yield
end
end
end
Redirecting
The zaikio_oauth_client.new_session_path
which was used for the first initiation of the OAuth flow, accepts an optional parameter origin
which will then be used to redirect the user at the end of a completed & successful OAuth flow.
Additionally you can also specify your own redirect handlers in your ApplicationController
:
class ApplicationController < ActionController::Base
def after_approve_path_for(access_token, origin)
session[:zaikio_person_id] = access_token.bearer_id unless access_token.organization?
# Sync data on login
Zaikio::Hub.with_token(access_token.token) do
access_token.bearer_klass.find_and_reload!(access_token.bearer_id, includes: :all)
end
origin || main_app.root_path
end
def after_destroy_path_for(access_token_id)
reset_session
main_app.root_path
end
def error_path_for(error_code, description: nil)
# Handle error
main_app.root_path
end
end
Custom behavior
Since the built in SessionsController
and ConnectionsController
are inheriting from the main app's ApplicationController
all behaviour will be added there, too. In some cases you might want to explicitly skip a before_action
or add custom before_action
callbacks.
You can achieve this by adding a custom controller name to your configuration:
# app/controllers/sessions_controller.rb
class SessionsController < Zaikio::OAuthClient::SessionsController
skip_before_action :redirect_unless_authenticated
end
# config/initializers/zaikio_oauth_client.rb
Zaikio::OAuthClient.configure do |config|
# ...
config.sessions_controller_name = "sessions"
# config.connections_controller_name = "connections"
# ...
end
Testing
You can use our test helper to login different users:
# test_helper.rb
class ActiveSupport::TestCase
# ...
include Zaikio::OAuthClient::TestHelper
# ...
end
# my_controller_test.rb
class MyControllerTest < ActionDispatch::IntegrationTest
test "does request" do
person = people(:my_person)
logged_in_as(person)
# ... make the request
end
end
For system tests (e.g. with a separate browser instance), there's a special helper:
class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
include Zaikio::OAuthClient::SystemTestHelper
test "does request" do
person = people(:my_person)
logged_in_as(person)
visit "/"
end
end
Authenticated requests
Now further requests to the Directory API or to other Zaikio APIs should be made. For this purpose the OAuthClient provides a helper method with_auth
that automatically fetches an access token from the database, requests a refresh token or creates a new access token via client credentials flow.
Zaikio::OAuthClient.with_auth(bearer_type: "Organization", bearer_id: "fd61f5f5-038b-44cf-b554-dfe9555f1e29", scopes: %w[directory.organization.r directory.organization_members.r]) do |access_token|
# call config.around_auth with given access token
end
If you need the token for a certain period (e.g. a long-running job which makes many
requests in sequence), you can specify the valid_for
interval when requesting the token.
By default, it won't return an access token which was due to expire in less than 30
seconds from now. If there is an existing token, but it was due to expire before the end
of the validity period, this will go and get a fresh token anyway:
Zaikio::OAuthClient.with_auth(..., valid_for: 10.minutes) do |access_token|
# ...
end
Use of dummy app
You can use the included dummy app as a showcase for the workflow and to adjust your own application. To set up the dummy application properly, go into test/dummy
and use puma-dev like this:
puma-dev link -n 'zaikio-oauth-client'
This will make the dummy app available at: http://zaikio-oauth-client.test
If you use the provided OAuth credentials from above and test this against the Sandbox, everything should work as the redirect URLs for http://zaikio-oauth-client.test are approved within the Sandbox.
Contributing
Make sure you have the dummy app running locally to validate your changes.
- Make your changes and submit a pull request for them
- Make sure to update
CHANGELOG.md
To release a new version of the gem:
- Update the version in
lib/zaikio/oauth_client/version.rb
- Update
CHANGELOG.md
to include the new version and its release date - Commit and push your changes
- Create a new release on GitHub
- CircleCI will build the Gem package and push it Rubygems for you
License
The gem is available as open source under the terms of the MIT License.