
OmniAuth for Facebook Apps

November 14th, 2011

Been suffering a great deal of pain regarding authentication this fall due to the recent OAuth 2.0 and HTTPS migration at Facebook. As of October 1st, it has become a requirement to use OAuth2 authentication. And throughout the month of October, our recent migration from Authlogic to Devise has been funky.

On November 2nd, OmniAuth announced a major 1.0 release which should provide better support for Facebook authentication moving forward. And as of November 10th, Devise officially supports the new OmniAuth release. Unfortunately, the Facebook strategy for OmniAuth 1.0 is still in the release candidate phase. The docs say that it will be officially released when OmniAuth 1.0 is released, but that was a week ago.

The upgrade went fairly easily, but I still have to jump through hoops to get my Facebook application to play nice. For example, if your users are playing at the library and one user needs to log out so that another can log in, you run into some trouble. The old session simply doesn’t clear out unless you take matters into your own hands and log out the old session.

You can’t just clear_session! before you authenticate the new user, and sign_out @user doesn’t do the job either. I had to jump into the JS and grab the session change event (auth.authResponseChange):

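
    // Whenever the Facebook auth state changes and a user is connected,
    // hit the Devise sign-out route so the old app session is dropped.
    FB.Event.subscribe('auth.authResponseChange', function(response) {
      if (response.status === "connected") {
        $.ajax({
          url: "/members/sign_out"
        });
      }
    });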

In addition, I have to check whether this is a new install. A new install of the game means you’re going to get a permissions pop-up that pops you out of the Facebook iframe. So I’m making the assumption that if you are asking for a new permission, it isn’t likely that I need to sign you out of an old session, which leads to pop-out hell. But that assumption doesn’t hold up at the library.
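A server-side way to catch the shared-computer case described above, as an added example that is not code from the original post: verify Facebook's signed_request on each canvas request and compare its user_id with the uid stored in the session. It assumes the app receives the signed_request parameter and saved the Facebook uid at sign-in; all function names here are hypothetical.

```ruby
require "openssl"
require "json"

# base64url helpers (pack/unpack keeps the example free of extra gems)
def b64url(bin)
  [bin].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  str.tr("-_", "+/").unpack("m").first
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify "<signature>.<payload>" against the app secret.
# Returns the payload Hash, or nil when malformed or not signed with the secret.
def parse_signed_request(signed_request, app_secret)
  sig, body = signed_request.to_s.split(".", 2)
  return nil if sig.to_s.empty? || body.to_s.empty?
  expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), app_secret, body)
  return nil unless secure_equal?(expected, b64url_decode(sig))
  data = JSON.parse(b64url_decode(body))
  data.is_a?(Hash) && data["algorithm"].to_s.upcase == "HMAC-SHA256" ? data : nil
rescue JSON::ParserError
  nil
end

# :keep   -> session belongs to the Facebook user making this request
# :reset  -> different (or no) Facebook user: call reset_session, then sign in
# :reject -> signature invalid: trust nothing in the request
def session_action(signed_request, app_secret, session_uid)
  data = parse_signed_request(signed_request, app_secret)
  return :reject if data.nil?
  fb_uid = data["user_id"]
  fb_uid && session_uid && fb_uid.to_s == session_uid.to_s ? :keep : :reset
end

# Constructed sample input: signs a payload the same way, for local testing only.
def build_signed_request(payload, app_secret)
  body = b64url(JSON.generate(payload))
  "#{b64url(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), app_secret, body))}.#{body}"
end
```

In a Rails controller this would run in a before_filter, calling reset_session on :reset before handing off to the OmniAuth flow.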

Now, there’s a little param that I just happened upon that you can set in the Devise initializer called :iframe => true:

    config.omniauth :github, 'APP_ID', 'APP_SECRET', :scope => 'user,public_repo', :client_options => {:ssl => {:ca_path => '/etc/ssl/certs'}, :iframe => true}

But I haven’t had much success using it. And two days ago I ran across this quote:

“I originally wrote in the functionality for “iframe => true” to break out of the iframe but I haven’t used it in quite a while and, considering v1.0, I don’t really know what it has evolved to.”

So, it’s still a work in progress. Things still mysteriously stop and start working, which just convinces me that the Facebook folks are still tweaking the API. I’m hoping that things will settle down now that we’re over a month out from this major FB change. Fingers crossed.

Entry Filed under: Ruby on Rails
