[Rails] How can I have several applications use the same authentication system?

Question

I need to build several Rails applications for one client. I would like to give them all the same user authentication system so that users will not have to remember separate login credentials for each app. These are strictly internal applications. OpenID is not an option for this organization.

I am thinking of creating a central Rails application to handle authentication. The other apps would take the submitted user id and password and send a request to the auth app and get back perhaps a string of YAML describing the user and their roles.

Is that a reasonable approach?

Is there a standard solution to this problem that I should be aware of?

(Note that due to organizational constraints I have to solve this on my own using one RedHat Linux 5 server running MySQL, Apache, and Rails.)

Answer 1

Sounds reasonable to me. I might set up the authentication application on its own as you describe, and then use ActiveResource in the client applications to access the authentication as a web service. You could essentially have your own in-house OpenID-style system.

If you haven't used ActiveResource before, Railscasts 94 and 95 are a good place to start.

Answer 2

That actually sounds like a reasonable approach. There are plenty of rails plugins that handle authentication quite well. You could just expose that functionality through your own custom authentication methods to be called via web service.

If you want to get fancy, you could write an API to your Rails (authentication) app using HTTParty and share it b/t the others.

Answer 3

It sounds like what you're really looking for is a single-sign-on system, not a shared credential system. The key difference is that with the latter the user will have to re-authenticate to each application whereas with the former he only has to sign in once and then seamlessly move between applications.

Unfortunately, it's a bit of work to integrate this to your rails applications. Here's a great starting point: http://www.ja-sig.org/products/cas/

Answer 4

OpenID was built to be decentralized, so you could in fact host your own OpenID provider for internal use. I see no need to reinvent the wheel if you are going a similar route.

Answer 5

It doesn't sound like the organization is too large, but if they have an LDAP directory in place, you could use that for credentials. Although, as mentioned above, this wouldn't solve the problem of the user having to individually sign onto each application.

Answer 6

I have a crazy solution for this I've been considering for something of my own that I need to do like this.

In the default configuration for Rails, it sends session data down to the end user as cookies. For the most part you should put next to nothing in the session except for the identity of the user who has logged in and authenticated right? OK, so what if every app you wanted to see as logged in used the exact same secret key in their config/environment.rb? That's the 120 character or so string that is used to sign the cookie so that the user cannot change cookies and send them back without being caught. If each app in your group had the same secret key AND they were all under the same domain then all the apps would get the same cookie and all would believe that they were the one to send it. Each one would say, "Yup, this is user #252. I put that user number into the session myself so I know that's him. By getting it back I know he/she is logged in and I can use it to look up his/her details."

Note: Full disclosure, I have not tried this yet, but I have every reason to believe it would work.