A review of the current state of authentication in Rails, why Authlogic is the best thing since sliced bread, and how you can easily add multi-provider authentication support in your application using the new Authlogic_RPX plugin gem. This presentation was originally delivered at the Singapore Ruby Brigade Oct-09 meetup.

1. NB: This presentation was delivered at the Singapore Ruby Brigade meetup 7-Oct-2009 (hosted at wego.com)

2. Some things should just be banned on the interwebs..

3. .. pointless social “applications” ..

4. .. pointless social “applications” ..

5. .. twitter celebs ..

6. .. twitter celebs ..

7. .. custom login screens!

8. .. custom login screens!

11. Or “Why authentication and identity management is still worth talking about”

12. Authorisation Options

14. LDAP/AD Intranet applications Legacy directories

16. OAuth Must tie to a specific provider ahead of time Also used as the basis of OpenSocial signed requests Great if you just want to target a specific community (e.g. build a twitter app)

17. A single-sign-on solution for web sites Abstracts the authentication provider – you can support as many as JanRain support Normalizes profile settings across providers (i.e. “email” is always “email”) RPX by JanRain

18. SAML – WS* security mainly enterprise use, but now gaining some attention via openSSO 2FA/3FA solutions – provider specific or custom integrated Many others..

19. Authentication options in Rails Internal (username/password) LDAP/AD RPX by JanRain Many others.. OAuth Acts_as_authenticated Restful_authentication Clearance Twitter_oauth Openid_authentication ActiveLDAP acts_as_ldpa_authenticated Ruby Net-LDAP Rpx_now … Ruby oauth OpenID

20. Or Authlogic Internal (username/password) LDAP/AD RPX by JanRain Many others.. OAuth Authlogic-oauth Authlogic-ldap Authlogic-oid Authlogic_rpx Authlogic (base) Authlogic plugin X Or use Authlogic “ unobtrusive authentication” No generator crud Smells like ActiveRecord Plugin architecture

21. Using Authlogic_RPX

22. RPX Request Model Link to sign-in ..chatter.. ..chatter.. Post:token Verify:token (returns:profile info)

23. Authlogic_RPX-on-a-page

28. Controllers – clean and sweet

29. [:post] create – this is a user “signing in” Session controller All this is optional branching logic, which you can tailor specifically for your application successful save means authentication OK!

30. [:delete] destroy – this is a user “signing out” Session controller

31. Access controls: Registration form (optional): Save registration (optional): Edit my profile: Show my profile: Save my profile: User controller Note: sample is a controller that only lets users access their own information, but you can just as easily adapt this so they can list and see the public profile information of other users too.

34. UserSession model – profile mapping