How To

This section is for documenting some less-common-but-still-supported use cases.

Use rodauth-oauth alongside devise (or something similar)

Although unusual, this isn’t necessarily impossible; you just have to be a bit more “creative”.

This assumes you already know how to configure rodauth-oauth on Rails.

Thanks to rodauth’s configuration options, you can rename the table the accounts are read from (in devise this is probably called users).

# lib/rodauth_app.rb

plugin :rodauth do
  enable :oauth_authorization_code_grant # forget login and account management, devise is already handling that
  accounts_table :users
end

Check out this blog post on how to use rodauth-oauth with Rails and without rodauth.

Have routes under /oauth

You can serve the rodauth-oauth routes under the “/oauth” URL path (or something similar). To do so, give the rodauth configuration a name, set its prefix, and dispatch to it from a matching route:

plugin :rodauth, name: :oauth do
  enable :oauth
  prefix "/oauth"
end

route do |r|
  r.on "oauth" do
    r.rodauth(:oauth)
  end
end

Scoping grants from the same resource owner

In cases where a provider supports multitenancy, grants must be scoped by more than the account id. To make this controllable, the following auth methods were added:

  • oauth_grants_resource_owner_columns: returns the account id column by default;
  • resource_owner_params: returns a hash in which the resource owner params (by default, the id of the logged-in account) are indexed by the oauth grants columns (by default, account id);
  • resource_owner_params_from_jwt_claims: extracts the claims identifying the resource owner (by default, “sub”) and indexes them by the oauth grants columns (by default, account id);
  • jwt_claims was promoted to an auth method (receives an oauth grant, returns the claims for the JWT token);

A multitenancy solution will have to override all of these. Here’s an example using a hypothetical tenant ID:

# the oauth grants table is assumed to contain a tenant_id column

# scope grants by tenant_id in addition to the default account id column
oauth_grants_resource_owner_columns { super() | %i[tenant_id] }
# the keys of this hash must match the columns above
resource_owner_params { super().merge(tenant_id: param_or_nil("tenant_id")) }
# if using JWT access tokens, or OIDC
jwt_claims(grant) { super(grant).merge("tenant_id" => grant[:tenant_id]) }
resource_owner_params_from_jwt_claims(claims) { super(claims).merge(tenant_id: claims["tenant_id"]) }
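To show how these four methods fit together, here is an added plain-Ruby model (not rodauth-oauth’s own code; the class names, the GRANTS table and select_grants are hypothetical stand-ins for the gem’s grant lookup) of the default account-id scoping next to the tenant-scoped overrides above. It assumes Ruby 3.0 or newer for the endless method syntax.

```ruby
# Constructed in-memory oauth_grants rows: grants 1 and 2 share account_id 1
# but belong to different tenants (10 and 20).
GRANTS = [
  { id: 1, account_id: 1, tenant_id: 10, scopes: "read" },
  { id: 2, account_id: 1, tenant_id: 20, scopes: "read write" },
  { id: 3, account_id: 2, tenant_id: 10, scopes: "read" },
].freeze

# Hypothetical stand-in for the default behaviour of the four auth methods
# (not rodauth-oauth's code). The defaults key grants on account_id only.
class DefaultOwnerScoping
  def initialize(account_id:, params: {})
    @account_id = account_id
    @params = params # request params, as param_or_nil would read them
  end

  def oauth_grants_resource_owner_columns = [:account_id]
  def resource_owner_params = { account_id: @account_id }
  def jwt_claims(grant) = { "sub" => grant[:account_id].to_s }
  def resource_owner_params_from_jwt_claims(claims) = { account_id: Integer(claims["sub"]) }
  def param_or_nil(name) = @params[name]

  # Grant lookup: a row matches only if every resource-owner column equals
  # the value stored under the same key in the resource-owner params hash.
  def select_grants(owner, table = GRANTS)
    cols = oauth_grants_resource_owner_columns
    table.select { |g| cols.all? { |c| g[c] == owner[c] } }
  end

  def grants_for_owner = select_grants(resource_owner_params)
  def grants_for_claims(claims) = select_grants(resource_owner_params_from_jwt_claims(claims))
end

# The tenant overrides from the page, composed onto the defaults with super.
class TenantOwnerScoping < DefaultOwnerScoping
  def oauth_grants_resource_owner_columns = super() | %i[tenant_id]
  def resource_owner_params = super().merge(tenant_id: param_or_nil("tenant_id"))
  def jwt_claims(grant) = super(grant).merge("tenant_id" => grant[:tenant_id])
  def resource_owner_params_from_jwt_claims(claims) = super(claims).merge(tenant_id: claims["tenant_id"])
end
```

With the defaults, account 1 in tenant 10 sees grant 2 from tenant 20 as well; with the overrides, both the param-based and the JWT-claim-based lookups return only the grant of the requesting tenant.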
