{"id":18104947,"url":"https://github.com/mtgrosser/oo_auth","last_synced_at":"2025-08-08T02:47:45.364Z","repository":{"id":11616820,"uuid":"14113548","full_name":"mtgrosser/oo_auth","owner":"mtgrosser","description":"Out Of Band OAuth for Ruby","archived":false,"fork":false,"pushed_at":"2023-05-25T19:24:24.000Z","size":41,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-04-25T07:44:02.170Z","etag":null,"topics":["authorization","oauth","oauth-signature","oob","ruby"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mtgrosser.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-11-04T15:20:01.000Z","updated_at":"2021-10-09T12:05:05.000Z","dependencies_parsed_at":"2024-10-31T22:16:31.338Z","dependency_job_id":"34e7fa49-6172-4178-aedd-62f415e50a9e","html_url":"https://github.com/mtgrosser/oo_auth","commit_stats":{"total_commits":28,"total_committers":2,"mean_commits":14.0,"dds":0.0357142857142857,"last_synced_commit":"dd01354a70d61322b2ac1dc3ea3c373fc45a4e44"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtgrosser%2Foo_auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtgrosser%2Foo_auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtgrosser%2Foo_auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/mtgrosser%2Foo_auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mtgrosser","download_url":"https://codeload.github.com/mtgrosser/oo_auth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247441274,"owners_count":20939277,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","oauth","oauth-signature","oob","ruby"],"created_at":"2024-10-31T22:16:29.153Z","updated_at":"2025-04-06T06:18:42.376Z","avatar_url":"https://github.com/mtgrosser.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Gem Version](https://badge.fury.io/rb/oo_auth.png)](http://badge.fury.io/rb/oo_auth) [![build](https://github.com/mtgrosser/oo_auth/actions/workflows/build.yml/badge.svg)](https://github.com/mtgrosser/oo_auth/actions/workflows/build.yml) [![Code Climate](https://codeclimate.com/github/mtgrosser/oo_auth.png)](https://codeclimate.com/github/mtgrosser/oo_auth)\n\n# oo_auth\n\nOAuth Out Of Band - Sign, verify and authorize OAuth requests\n\nOoAuth is a stripped-down implementation of the OAuth 1.0a protocol.\n\nIt only cares for signing and verifying OAuth requests, supporting both\n```Net::HTTP``` and  ```ActionDispatch::Request```.\n\nOoAuth does not include any models or controllers dealing with token and\nsecret exchange, storage or lookup. 
Instead, it offers a simplistic API\nwhere you can hook your own implementations as desired.\n\nOoAuth comes with optional Redis support for short-time high performance storage\nof OAuth nonces.\n\nIt can be used for implementing OAuth consumers as well as providers.\n\n## Install\n\nIn your Gemfile:\n\n```ruby\ngem 'oo_auth'\n```\n\n## Use\n\n### OAuth consumer\n\n```ruby\nhttp = Net::HTTP.new('photos.example.net', Net::HTTP.http_default_port)\nrequest = Net::HTTP::Get.new('/photos?file=vacation.jpg\u0026size=original')\n\ncredentials = OoAuth::Credentials.new('consumer_key',\n                                      'consumer_secret',\n                                      'access_token',\n                                      'access_token_secret')\n\nOoAuth.sign!(http, request, credentials)\n\nrequest['Authorization']\n=\u003e \"OAuth oauth_version=\\\"1.0\\\", oauth_nonce=\\\"ly9V24IvFMhEGSlGW1tPniUVnVzQkWvn4W6Bwtmc4\\\", oauth_timestamp=\\\"1384116351\\\", oauth_signature_method=\\\"HMAC-SHA1\\\", oauth_consumer_key=\\\"consumer_key\\\", oauth_token=\\\"access_token\\\", oauth_signature=\\\"5G1ktyWhicZGnSu2AKkjok9%2BMPo%3D\\\"\"\n```\n\n### OAuth provider\n\nIn your Rails API controller:\n\n```ruby\nclass ApiController \u003c ApplicationController\n\n  before_action :oauth_required\n\n  private\n  \n  def oauth_required\n    if authorization = OoAuth.authorize!(request)\n      self.current_user = authorization.user\n    else\n      render nothing: true, status: 401\n      false\n    end\n  end\nend\n```\n\n## Prerequisites for OAuth providers\n\nOoAuth requires your provider application to provide stores for authorization tokens \nand OAuth nonces. (You won't need these stores if you're only using OoAuth's client\nfunctionality.)\n\nOoAuth stores can be simple lambdas or regular ruby objects.\n\n### Authorization store\n\nThe authorization store is used for looking up OAuth credentials. It could for example\nbe an API account or user model. 
OoAuth will query the authorization store by calling\nits method `authorization(consumer_key, token)` if it is a regular object, or just\ncall it with the same arguments if it is a lambda.\n\nWhen the consumer key and token combination actually exists, the call should return\nan object representing the API account (e.g. user instance, API account instance).\n\nThis instance again must implement the method `:credentials`, and return an instance\nof `OoAuth::Credentials` initialized with the account's full credential set.\n\n```ruby\n\n# app/models/api_account.rb\nclass ApiAccount \u003c ActiveRecord::Base\n\n  def self.authorization(consumer_key, token)\n    where(consumer_key: consumer_key, token: token).first\n  end\n  \n  def credentials\n    OoAuth::Credentials.new(consumer_key, consumer_secret, token, token_secret)\n  end\nend\n\n# config/initializers/oo_auth.rb\nOoAuth.authorization_store =  ApiAccount\n```\n\n### Nonce store\n\nThe nonce store is needed by provider applications to temporarily store OAuth nonces.\nIt must provide a `remember(nonce)` method or be a callable proc, where `nonce` is an\ninstance of `OoAuth::Nonce`. 
\n\nThe store must ensure that each tuple `(timestamp, nonce value)` is only created once.\nThis is required by the OAuth spec in order to prevent replay attacks.\n\n```ruby\n# app/models/nonce.rb\nclass Nonce \u003c ActiveRecord::Base\n  validates_presence_of :value, :timestamp\n  validates_uniqueness_of :value, scope: :timestamp\n  \n  def self.remember(ooauth_nonce)\n    new(value: ooauth_nonce.value, timestamp: ooauth_nonce.timestamp).save\n  end\nend\n\n# config/initializers/oo_auth.rb\nOoAuth.nonce_store = Nonce\n```\n\nOoAuth comes with a pre-defined Redis nonce store, which can be enabled as follows:\n```ruby\n# Gemfile\ngem 'redis'\n\n# config/initializers/oo_auth.rb\nrequire 'oo_auth/nonce/redis_store'\n\nOoAuth.nonce_store = OoAuth::Nonce::RedisStore.new(namespace: 'foobar')\n```\n\n## Configuring signature methods\n\nThe available signature methods can be configured using a setter which accepts\nsignature method names as strings or symbols:\n\n```ruby\n# config/initializers/oo_auth.rb\nOoAuth.signature_methods = [:hmac_sha1, 'HMAC-SHA256', :hmac_sha512]\n```\n\nThe default signature method OoAuth will use to sign requests is `HMAC-SHA1`.\nIt can be set to any of the supported methods using\n\n```ruby\nOoAuth.signature_method = :hmac_sha256\n```\n\nAs using `HMAC-SHA1` is no longer recommended, you can disable it altogether:\n\n```ruby\n# disable HMAC-SHA1 completely\nOoAuth.signature_methods = [:hmac_sha256]\n```\n\nA provider configured this way will only accept `HMAC-SHA256` signatures.\n\n## TODO\n\n* Support POST body signing for non-formencoded data\n  http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmtgrosser%2Foo_auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmtgrosser%2Foo_auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmtgrosser%2Foo_auth/lists"}