OmniAuth questions

I'm trying to reverse engineer years' worth of what people who have been using OmniAuth take completely for granted, so my apologies if some of these questions seem derp or out of scope for this forum. It's surprisingly difficult to find straight answers to some of these questions, and you folks are clearly pretty smart.

First, what is the relationship between the omniauth gem and the many omniauth-provider gems? Are you intended to use them together? I notice that the public version of JumpStart uses omniauth-facebook, -github and -twitter but does not include the omniauth gem itself, whereas the JumpStartPro Gemfile uses omniauth but there are no provider gems defined; I expect that these get installed into config/jumpstar/Gemfile by the configuration tool. However, the fact remains that the omniauth gem is present. In what scenarios do you need just providers vs. both? Is there a viable scenario where you use just omniauth but no providers? (I know the Developer provider is not intended for production.)

I thought, briefly, that perhaps omniauth was what you would use to make your app into an OAuth provider that people could use to authenticate to other sites, but that does not seem to be the case. It's an academic question at this point, but if I did want a future version of society to use my app to log in to other apps, what gem or tool would I use?

Bonus round questions:

What's the current status of OpenID? I know that there's https://github.com/m0n9oose/omniauth_openid_connect but I am really asking: is OpenID Still A Thing?

Does WebAuthn factor into omniauth in a meaningful way, or is the specification still too early? Long ago we were told that people would someday be logging into sites via UI in their browsers and that the whole authentication handshake would be abstracted... did that future ever come to pass? https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API

Is omniauth used for API authentication flows, or is that stuff mostly handled via JWT or other credential mechanisms now? In other words: is OAuth just for humans, or are the machines in on the action, too?

Is omniauth used for native mobile app flows? How about desktop app flows?

Is omniauth used for shell authentication flows, similar to how the Heroku CLI can direct your browser to open a page, and then when you log in your console shows that the handshake was completed?

Finally, can omniauth wash your car? Does omniauth feel real human emotions?
Chris Oliver
You asked all the questions! 😜

The omniauth gem is the base for all the omniauth-provider gems. They all build to the OmniAuth spec, so they follow the same process and workflow. The provider gems only have to implement a couple of things to handle the JSON responses and parse them appropriately. The omniauth gem is always a dependency of the omniauth-provider gem (and if it's missing, it's supposed to be there and someone probably made a mistake).

If you wanted a custom provider in your app that was just normal code, you wouldn't need an omniauth-provider gem. For example, if you had some internal OAuth provider for your business.

OmniAuth is only for the client consuming the provider, not creating the provider. Doorkeeper is a gem you can use to make an OAuth provider out of an app. There may be other alternatives, but I've only used Doorkeeper.

I'm not really sure about OpenID. I think some places still use it in enterprise, but I don't think it ever took off as a consumer thing.

Web Authentication is separate, kind of a replacement for email-and-password auth more than for OAuth. Not sure why it hasn't moved forward much.

A lot of APIs will use OAuth to provide API tokens, that way the user doesn't have to copy paste anything. Especially useful for mobile.

Heroku does do OAuth in the CLI tool; I'm not sure how they do it, though. It might be that they spin up a local web server just to retrieve the tokens. Kinda awesome.

It can't wash your car, and the only emotion it feels is pain. Just like how we feel using it as developers. 😫
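Added example, not code from this thread, from Heroku or from OmniAuth: the "CLI opens the browser, a throwaway local web server catches the redirect" pattern Chris guesses at above, which is the loopback-redirect flow RFC 8252 recommends for native apps. It carries the two checks a practitioner would want on it: a per-run `state` so a rogue page cannot plant a code on the listener, and PKCE so an intercepted code is useless without the verifier held in the process. The provider URL, client id and `/callback` path are placeholders, and the class and method names are this example's own.

```ruby
require 'securerandom'
require 'digest'
require 'socket'
require 'uri'

# Illustrative loopback OAuth flow for a command-line tool. Nothing here is
# Heroku's or OmniAuth's code; AUTHORIZE_URL is a placeholder provider.
class LoopbackOAuthFlow
  AUTHORIZE_URL = 'https://auth.example.test/oauth/authorize'.freeze # assumed, not a real provider
  StateMismatch = Class.new(StandardError)

  attr_reader :state, :verifier, :redirect_uri

  def initialize(client_id:, port:)
    @client_id    = client_id
    @redirect_uri = "http://127.0.0.1:#{port}/callback"
    @state        = SecureRandom.urlsafe_base64(32) # binds the callback to this run
    @verifier     = SecureRandom.urlsafe_base64(64) # PKCE verifier; only its hash goes out up front
  end

  # URL handed to the browser. The S256 challenge is the SHA-256 of the
  # verifier, base64url-encoded without padding.
  def authorize_url
    challenge = [Digest::SHA256.digest(@verifier)].pack('m0').tr('+/', '-_').delete('=')
    params = {
      response_type: 'code',
      client_id: @client_id,
      redirect_uri: @redirect_uri,
      state: @state,
      code_challenge: challenge,
      code_challenge_method: 'S256'
    }
    "#{AUTHORIZE_URL}?#{URI.encode_www_form(params)}"
  end

  # Pull the code out of the request line the browser sends to the loopback
  # listener, e.g. "GET /callback?code=...&state=... HTTP/1.1". Anything with
  # the wrong path or a state that does not match this run is rejected.
  def extract_code(request_line)
    path = request_line.to_s.split(' ')[1]
    raise ArgumentError, 'malformed request line' if path.nil?
    uri = URI.parse(path)
    raise ArgumentError, "unexpected path #{uri.path}" unless uri.path == '/callback'
    params = URI.decode_www_form(uri.query.to_s).to_h
    raise StateMismatch, 'state mismatch' unless secure_equal?(params['state'], @state)
    raise ArgumentError, "provider error: #{params['error']}" if params['error']
    params['code'] || raise(ArgumentError, 'no code in callback')
  end

  # Form fields for the code-for-token exchange. The verifier appears only
  # here, sent over TLS to the token endpoint, never in the browser-visible URL.
  def token_request_params(code)
    { grant_type: 'authorization_code', code: code, redirect_uri: @redirect_uri,
      client_id: @client_id, code_verifier: @verifier }
  end

  # Block on one connection to `server` (a TCPServer bound to 127.0.0.1) and
  # return the code. Not invoked at load time; see the wiring comment below.
  def wait_for_code(server)
    client = server.accept
    code = extract_code(client.gets)
    client.write "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nLogin complete, you can close this tab.\n"
    code
  rescue StandardError => e
    client&.write "HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n#{e.message}\n"
    raise
  ensure
    client&.close
  end

  private

  # Byte-wise comparison that does not stop at the first differing byte.
  def secure_equal?(a, b)
    return false if a.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Typical wiring in a CLI (not executed here): bind a random loopback port,
# open the browser, wait for the redirect, then POST token_request_params(code)
# to the provider's token endpoint.
#   server = TCPServer.new('127.0.0.1', 0)
#   flow   = LoopbackOAuthFlow.new(client_id: 'my-cli', port: server.addr[1])
#   system('xdg-open', flow.authorize_url)   # or 'open' on macOS
#   code   = flow.wait_for_code(server)
```

Binding to 127.0.0.1 rather than 0.0.0.0 matters: anything else on the network could otherwise hit the listener, and with the state check the only party that can complete the flow is the browser that was sent the URL this process generated.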
Chris, you are amazing. Thank you for taking the time to take my questions seriously. I hope that this gets indexed properly by The Google.

One of my major beefs with open source is the defeated acceptance of project homepages that essentially say "if you're reading this, you already know what it does". That was an actual quote on some long-forgotten, nicotine-stained thing I remember from the pre-GitHub era, and it offended me so much that I have been consciously trying to fight it since. It's probably responsible for me becoming a better writer, so I could write more empathetic documentation.

For those of us who need to catch up on what we missed and don't want to blindly copy a bunch of dependencies into our Gemfile, understanding why some gems exist is incredibly important. It pains me that the OmniAuth folks couldn't put a nice big "this isn't a gem you need to include directly unless you're actually building a new provider" message at the top of their README. Their docs are amazing for what and how, but like so many others, short on the why.