Home/ Questions/Q 8776915
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T19:10:20+00:00

I’ve been developing my rails apps whilst keeping them as modular as possible. I’m

  • 0

I’ve been developing my rails apps whilst keeping them as modular as possible. I’m trying to implement different parts underneath as services.

Say an example of Facebook:
a) A MainApp that allows the user to have a wall, posts, etc.
b) A PhotoApp that stores photos, allows the user to see his photos, etc. This is a standalone app that will have a REST API that can be used by MainApp as well.

I was thinking of using OAuth as a Single Sign On solution (as in this tutorial http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/) where each app will be authorized via OAuth and will get access to the current user session based on the cookie.

First question: Is this a viable solution?

Second question: I want to be able to call the PhotoApp API from the MainApp server (not from the user’s browser). How would authentication work in this situation?

Third question: How would this work if say I had a service that used node.js?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, SSO using OAuth is a viable solution, but it’s not the simplest one. When building anything new, OAuth 2.0 is the way to go. The OAuth standards cover a lot of ground.

    The primary advantage of OAuth is that it allows users to give 3rd party apps access to their account without disclosing their password to the 3rd party. If you are not seriously providing such interoperability, then OAuth is probably overkill.

    Given the complexity, I offer a different pair of solutions:

    For Single Sign On

    The trick is to share the session ID cookie between hosts within your domain & to use a shared session store (like ActiveRecordStore or a cache-based store.)

    Every Rails app has a “secret” that is used to sign cookies. In newer Rails apps this is located in /config/initializers/secret_token.rb. Set the same secret token in each application.

    Then, configure the session to allow access from all subdomains:

    AppName::Application.config.session_store :active_record_store, :key => '_app_name_session', :domain => :all

    For Internal API calls

    Use a good shared secret to authenticate over HTTPS connections. Pass the secret in the “Authorization” header value.

    You can use the shared secret easily with other architectures (like node.js). Just make sure you always use HTTPS, otherwise the shared secret could be sniffed on the network.

    • 0