Home/ Questions/Q 3597606
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T20:08:24+00:00

I’m moving an app to use only Google Federated Login (OpenID) for an application

  • 0

I’m moving an app to use only Google Federated Login (OpenID) for an application (we use google apps for everything and feel it would be easier to combine user management there). While I can successfully login and create users, my thoughts are now on security…

When a user logs in I only have a “Log In” button – nothing else. The site domain is hard coded in (where SITE_DOMAIN appears below) and the user is redirected to the typical google login page.

Here is the code:

    def create
    open_id_authentication
  end

  protected

  def open_id_authentication
    openid_url = 'https://www.google.com/accounts/o8/site-xrds?hd=SITE_DOMAIN'
    authenticate_with_open_id(openid_url, 
                              :required => ['http://axschema.org/contact/email',
                                            'http://axschema.org/namePerson/first',
                                            'http://axschema.org/namePerson/last']) do |result, identity_url, registration|
      case result.status
      when :missing
        failed_login "Sorry, the OpenID server couldn't be found"
      when :invalid
        failed_login "Sorry, but this does not appear to be a valid OpenID"
      when :canceled
        failed_login "OpenID verification was canceled"
      when :failed
        failed_login "Sorry, the OpenID verification failed"
      when :successful
        if @current_user = User.find_by_id_url(identity_url)
          if @current_user.login_from(request.env['REMOTE_ADDR'])
            successful_login
          else
            failed_login "Your OpenID profile registration failed: " + @current_user.errors.full_messages.to_sentence
          end
        else
          ax_response = OpenID::AX::FetchResponse.from_success_response(request.env[Rack::OpenID::RESPONSE])
          @current_user = User.login_create(ax_response, identity_url, request.env['REMOTE_ADDR'])
          successful_login
        end
      end
    end
  end

Upon successful login I simply save the user into a session…

session[:current_user] = @current_user

…and use a simple current_user method in the Application controller…

  def current_user
    return session[:current_user] if defined?(session[:current_user])
  end

My main concern is regarding security. OpenIDAuthentication is using the in-memory store and overall this seemed a bit too easy to implement (after reading thru tons of documentation). Basic tests show this works fine, but I’m nervous. 🙂

Any thoughts?

I am using the open_id_authentication plugin and the basic ruby openid gem (with ruby-openid-apps-discovery gem for google apps)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is now much easier thanks to omniauth.

    • 0