Home/ Questions/Q 8019399
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T21:22:45+00:00

I’m thinking of moving over to Omniauth 1.0 (using the identity strategy or gem)

  • 0

I’m thinking of moving over to Omniauth 1.0 (using the “identity” strategy or gem) from Devise 1.4.7, my question is after doing all the code conversion, views etc, will the old passwords, those user accounts created with Devise, still work with the same passwords under OmniAuth?

I’ve done some research and both are using bcrypt, so I’m guessing “yes” they will work as before and users won’t have to create new passwords. Or am I missing something crucial?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Devise passwords are not directly compatible with omniauth-identity

    It is true that they both use bcrypt to hash the password, however Devise adds a “pepper” to the password. You would have to add code to omniauth-identity to support a “pepper”.

    Pepper your passwords

    Devise adds a pepper to your passwords (since it is already salted by bcrypt), so in order for you to migrate devise users to omniauth-identity, you have to teach the identity strategy how to pepper passwords. This snippit works for us, however we didn’t change the :stretches configuration option in devise.

    # snatch the pepper setting from the devise initializer
pepper = "biglonguglystringfromyourdeviseinitializer"

# password created by devise in your db (i.e. "my_password_123")
encrypted_password = "$2a$10$iU.Br8ZClxuqldJt8Evl5OaBbHPJeBWbGV/1RoUsaNIZMBo8wHYTq" 

# pepper the password then compare it using BCrypt like identity does
BCrypt::Password.new(encrypted_password) == "my_password_123#{pepper}"
 => true

    How we made it work

    This is a very quick and dirty monkey patch we used to make it work. We are investigating how to add this functionality in a more appropriate manner.

    # file: ~/railsapp/config/initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :identity
end


module OmniAuth
  module Identity
    module SecurePassword
      module InstanceMethodsOnActivation
        # Returns self if the password is correct, otherwise false.
        def authenticate(unencrypted_password)
          pepper = "the big pepper string from the devise initializer"
          if BCrypt::Password.new(password_digest) == "#{unencrypted_password}#{pepper}"
            self
          else
            false
          end
        end

        # Encrypts the password into the password_digest attribute.
        def password=(unencrypted_password)
          pepper = "the big pepper string from the devise initializer"
          @password = unencrypted_password
          unless unencrypted_password.empty?
            self.password_digest = BCrypt::Password.create("#{unencrypted_password}#{pepper}")
          end
        end
      end
    end
  end
end
    • 0