使用Twitter反向身份验证在Rails后端中创建用户

Question

I am building an iOS app with a backend / companion website written on Rails.

I have set up devise and omniauth-twitter as outlined in the rails cast
http://railscasts.com/episodes/235-devise-and-omniauth-revised

I have also performed twitter reverse auth to obtain a oauth token on the devise as outlined here
https://dev.twitter.com/docs/ios/using-reverse-auth

Now what I want to do is to send the token to the server and create a devise User in my DB.
What is the ideal way to create the user? Is this scenario supported out of the box with my current setup or do I have to write a little custom code?

Answer 1

I have been researching the same thing for a few days.

I believe omniauth-twitter does not work with Twitter reverse authentication.

I think the solution is to send the oauth_token and oauth_token_secret you received from the reverse authentication process on iOS, to a custom endpoint in your application. Note, I am in the process of implementing this myself; it should work, but it's not tested yet.

There you would use the twitter API to to verify the credentials. This is the actual authentication step from the rails app's perspective. Something like this (untested code):

  consumer = OAuth::Consumer.new(TWITTER_APP_ID,
                                 TWITTER_APP_SECRET,
                                 { site: 'https://api.twitter.com' })
  access_token_token = ::OAuth::AccessToken.new(consumer,
                                                params[:oauth_token],
                                                params[:oauth_token_secret])
  MultiJson.load(access_token.get('/1.1/account/verify_credentials.json?include_entities=false&skip_status=true')).body

(This is the same thing that the omniauth-twitter gem does after it gets the access token) So from here on you would need to:

• Handle non-200 response from the above request
• Read the user ID from the returned hash, search your database for an existing user with an existing twitter user ID. If one exists, sign him in. If not, create a new user and sign him in.

Here's some more info:

• My first idea was to hit the twitter callback provider by omniauth-twitter directly. But in that case you would need to pass along 2 parameters: the oauth_token which is the request token you obtain from the reverse auth on iOS, and oauth_verifier parameter which I have no idea how to get on iOS (Using the standard web flow where the user is redirected back to your callback, this parameter is being passed from twitter).

• A downside with reverse auth seems to be that you need to embed the App secret in your application binary. It looks like a good idea to perform this step server-side (I saw the idea here: https://github.com/drudge/passport-twitter-token/#performing-twitter-reverse-auth-step-1-server-side )

Answer 2

I just created a UIWebview when the user clicks on the 'Sign up through twitter' button on in your ios which then follows the same process as my rails app.

Once the user has signed up through twitter, all handled by the server, you can then redirect back into your ios app signed up and logged in thus not having to handle all the tokens and requests in the app.