The future of Authlogic: add ons
Posted by benjohnson in AuthlogicFeb 25th, 2009 | 33 responses
It’s funny to say this, because Authlogic has only been out for about 4 months, but I feel like it’s a pretty solid, lean, and mature library. I feel this way because of the community around Authlogic. At lot of people have contributed bug fixes, feature additions, performance enhancements, etc. It’s been a really fun experience and shown me first hand how great open source can be on the other side of the fence.
That being said, feature-wise, it’s starting to plateau. At this stage it is tempting to start adding extraneous features that bloat the library. Obviously, no one likes a big bloated, complicated library, so I’ve been pretty picky with the features added. There is a very fine line that separates features that belong in an optional module and features that belong in the core that are toggled via a configuration option. Instead of slowing the growth of Authlogic by being Mr. anti-bloat, it would make more sense to provide a venue for extension, otherwise called a public API. I know that’s a pretty fundamental idea, but that’s what this post is all about. The last few releases of Authlogic have focused hard on the public API. Authlogic uses it’s own API internally and I have also used it in a few projects of mine. It has worked out great. So far, I have not encountered any limitations and I am confident it’s ready for prime time.
Getting the ball rolling
So I thought I would get the ball rolling with a few “add on” gems for authlogic. Here is the list I have so far, in the order of priority. I wanted to reach out to you and see if you have any suggestions.
- authlogic_openid (code is already written)
- authlogic_ldap (code is already written)
- authlogic_facebook_connect
- authlogic_captcha
- authlogic_authorization (still somewhat on the fence with this)
What do you think? Am I missing anything obvious? Do you have any other “add on” gems you’d like to see added?
I plan to release the first gem in the next couple of weeks.
P.S. – the picture contains an oxymoron, it’s a tough one to figure out
33 Responses to “The future of Authlogic: add ons”
About Me
Hi Ben.
For plugins, I would like to suggest:
authlogic_google_oauth
authlogic_facebook
authlogic_hotmail
authlogic_amazon
For an application, i would like to suggest an "dummy" application that offers the ability to login using the credentials of any of, say, 6 authentication methods (Google, Facebook, Hotmail, Yahoo, Amazon, and OpenID), and then displays the email address of the person that logged in at the top of the protected page. The application would also create a new User (keyed by email address) for first time registrants.
<a href=http://myworld.ebay.fr/cialis-achat>achat cialis</a> :-\ Livraison discrete et rapide. commander cialis canada en ligne Bon Marche Cialis ;())) <a href=http://myworld.ebay.fr/cialis-achat> acheter cialis canada bon marche</a>
That would be great!!! As easy and "logic" Authlogic is, it would became even easier and faster to work with! =D Congratulatios on that!
This sounds great! I’d like to see an add-on for "forgot my password" functionality. That’s a little thing, but always a pain to add. If there was a way you could generate (or bypass the need for generating) all of this stuff:
http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic
…that would be lovely.
Yes, authlogic is a breath of fresh air. One thing that would be great is to beef up the tutorials. Two tutorials that would be really helpful:
How to verify old password when changing the password.
How to send a confirmation email, and require the user to verify registration on sign up
I just found the AuthLogic library and it looks really clean. I was about to deploy a new app using restful auth and decided to nuke all the libs and start with this one instead. So congrats, you’ve convinced me :)
Few plugins I can think of:
- Email verification (disabling auto login on new user creation, email user link to verify)
- Forgot password
- Remember me
- ACL integration (maybe rails-authentication? That’s the one I am looking at)
Ben,
I have been a fan of your projects since they were "gasm"ism… I can’t explain how great it will be to have facebook-connect integration plugin. I’m working on a project now using Facebooker and Authlogic… Now… I got it working… but it’s only creating the sessions after being authenticated by Facebooker, which is a lot of bloat just for authentication. I def would be more then willing to extend support in that direction as much as I can! Have a timeline for these?
Thank!
Omar
authlogic_subdomain_accounts
This would be a wonderful add-on in my opinion. There are already tons of approaches to this, but it’d be nice to see one cohesive authentication approach that includes this. :)
Thanks everyone for your responses:
@omarvelous: I agree, if you have the code working I would love to look at it and see if I could easily turn that into a module
@arik: This is already built in, in fact its a very flexible system. Check out the "scoping" section in the authlogic readme. It comes how to scope to your sessions by domains and its pretty simple.
I used it to do facebook connect with facebooker as well. Worked great for the most part, but I was tripped up a bit by an issue I mentioned in your post on using authlogic with openid. Basically, the way you suggested using it implies that the authentication information could be in the params hash. For facebook connect, it is in the cookies. For other methods, it could be in a header, or some other part of the request.
This sounds like a great development. In fact, I’d love to see versions of platform-specific libraries like facebooker that let go of dealing with authentication and just leave that to other authentication-specific libraries like authlogic.
+1 for plugin architecture. Can only lead to good things ™.
Let’s do it dude, it would be nice !
Huge !! can’t wait for it !
I would like to see a "multi login" feature. Something that causes me no end of grief is when sites (Plaxo being a prime example) end up creating a separate account for each email address I give them. If you maintain multiple email addresses (as I do) and you get invitations to join networks at each of them, there is no way to tie them together. The notion that a person will have a single id is outmoded.
Yes, OpenID is attempting to unify that a bit, but I think it would be very useful to have an authentication mechanism where you have a site id and password, and then a (essentially unlimited) list of other ids yopu might use. Authentication always uses the password for the site, but the user can "login" with any of the ids. Essentially a 1:m relationship between User and Identifier.
I am doing a primitive version of this for my own purposes – I am sure I won’t have all the semantics properly worked out initially – however starting from Authlogic, I am confident that I will get the majority of what I need.
Of course there are some things to think about:
If there are multiple email addresses, which is the default for messages to go to?
How many login attempts will be tolerated before locking the account? (attempt to stop DOS/Dictionary attacks)
When counting login retries are they per id or per user?
How can we get a well performing version of this given that we want uniqueness across these "sub" identifiers
How can we stop "camping" – someone (out of spite?) grabbing and holding a different person’s email or other identifier – so that it is unavailable to the rightful owner?
I really don’t want to go down the path of requiring everyone just to use an OPENID or some other (as yet defined) standard. I would like the identifier mechanism to be convenient for the user and yet keep the bad guys out.
Regards
Chris
@Chris: you make some interesting points. What you describe seems more like an application specific issue other than an authentication standard that all apps can use. I agree though, this would be a nice "add on" and VERY easy to write. It’s almost easier to just redefine the "find_by_login" configuration to check for multiple email addresses, which would be 1 line of code. Lastly, regarding your issues: authlogic already has brute force protection installed and disabled the account after 50 failed consecutive attempts, you just need to have the proper fields present. Camping can be solved by email confirmation. Hope that helps, maybe I am missing something, but this seems pretty simple, but also a good case for an add on.
Hey,
awesom work. We are now starting a project right fromt scratch
and what we will need is a sophisticated way of authorize users with roles.
This should be on Model / Controller Level, and also the View Level.
We could also contribute and/or sponsor part of the development.
What you think?
Regards
Rafael
your missing RPX! thats openid+facebook+myspace+… connect in one and dead-simple ;)
rpxnow.com
http://github.com/grosser/rpx_now
LDAP would be very useful, although many organizations authenticate via means other than LDAP such as Kerberos (as LDAP’s authentication is not-so-secure).
However, almost any organization supports IMAP authentication.
I’ve gotten Authlogic working with http://daniel.collectiveidea.com/blog/2007/2/8/rails-plugin-imap_authenticatable
although this plugin is outdated and my implementation is likely very poor.
Thank you very much for this excellent library! …especially for the tutorials, they are well written, easy to follow, and they greatly enhance the accessibility of Authlogic. I’ve just integrated Authlogic and its took little time and works well. I’m a happy camper. :)
I found myself wishing for a couple things as I got Authlogic with OpenID up and running:
1) When you register an OpenID account, there’s no verification of the OpenID itself (beyond having an ok syntax). You can register with a bogus OpenID (i.e. "asdf" which turns into http://asdf/) and you’ll be registered and logged in, though you’ll never be able to login again because the OpenID won’t work. A validator that makes you login to your OpenID account (to verify it exists and you own it) before completing the registration would be a neat and useful addition to the tutorial.
2) I’d like to use OpenID as the only login mechanism in my app. To do so, I need a registration flow that works with both existing OpenIDs and with users that have no idea what a OpenID is…they just want to register and start using the app. The Authlogic OpenID tutorial covered registering with an existing OpenID, but it would be great if it someday also cover registering when a new OpenID must also be created (maybe using the "Simple Registration OpenID Extension"). Perhaps that could be part of the new gem you are working on?
Re: 5. authlogic_authorization (still somewhat on the fence with this)
Perhaps it would be best to reach out to the authors of the leading authorization plugins (uh, ACL?, authorization?, role_requirement (that’s my favorite, anyway), and figure out a way to wedge you in without upsetting the restful_authentication heavily coupled apple cart…? I hacked at role_requirement to get it working with authlogic in a test app, but didn’t do *extensive* testing…
Then again, if you *were* to create, er,…’rolelogic’, well I have no doubt it would be a compelling addition to the authorization landscape…
First of all, Authlogic is an amazing library–I’m only a rails hobbyist, and implementing Authlogic really helped orient my thinking to the REST approach.
One thing I’d like to see with it, though, is a framework or guide to help write tests. Even better:
should_act_as_authentic
Hey Ben,
I enabled facebook connect support for a site (link posted) I’m working on using authlogic. Might save you some time if I shared the code. :)
Cheers,
Ryan
Thanks man!
I’m waiting for ‘authlogic_authorization’.
Hi Ben!
I love your authentication gem, it works for me just the way it should and it’s truly done right! And the addons would be really great since some developers prefer not to use authlogic because of it’s "incompleteness".
I’m not sure about ahtorization addon. Is it really so important to have it? There are just too much solutions for authorization problem: role_requirement, padlock (which i am used to, by the way), acl2, acl9 and so on.
I’m going to use authlogic in some future projects, so, if there’ll be some common code structures – mayby i’ll be able to share them.
Great idea, I like it!
I’d like to ask for a Clickpass addon. That’d be neat. :)
Cheers,
C.
I’m looking at using this in a project and a few things I’d like to see (or pointers to them if they are already in there):
- Opinionated best practice defaults / scaffolding generator. 90%+ of the time we all want the same logic and just want to style the views. I don’t think it’s really that app dependent, and I’d much rather crank the handle and get some sensible defaults I can customise in the rare case I need to. I’d love the defaults to support username/password + openid in all the common flows (e.g. signup with username password for those who don’t have or want openid – optionally associate an openid later, help to get an openid if they don’t have one, etc).
- A tutorial on best practice for doing sessions/login/registration/reset etc with authlogic when it’s a non browser client (i.e. XML or JSON). I’m sure this both possible and easy to do, however the current tutorials are very HTML oriented – it would be nice to see ‘respond_to’ integrated for the full picture.
- How to upgrade from one version of authlogic to another once in production and what to watch out for
- How to clean up / time out sessions if the user doesn’t logout
- Some kind of map of where all the code and dependencies are so it can be security reviewed
- Tips on how performance can be improved with caching (I’d guess the session would benefit from it since it’s often looked up but there are also pitfalls with caching anything to do with login). This is important for high load apps.
I’d also second the requests to make ‘forgot_password’ add on as this is so common to want to do, it should be in there.
As far as authorisation goes, I don’t see any need to add this into the code even as an add on. It should just play nice with some default authorization plugin from somewhere else, and allow replacement of it. Opinionated defaults again.
(sorry about the formatting of that last one – it was a list but got munged by the blog all into one para)
One item I forgot – if they add an email address anywhere, the flow to prove they own it is important to have. i.e. an email "somebody, probably you, signed this email address up at foo.com. Click the following link to approve this…" etc.
Ben,
Thanks for making Authlogic available. In the process of downloading the source code and following the tutorial for authlogic_example I notice something odd. I believe app/controllers/application.rb should have been named application_controller.rb. The tutorial also used the name application.rb when referring to the required file changes. I was able to get the example working locally only after renaming the file.
Don
How about authlogic_shard ?
Being able to use Twitter auth and Facebook auth at the _same_ time is key for my apps.
As for the authorization… I’d like to choose which auth library to use. For example, I like padlock_authorization the most.
Hi,
I would like to be able to "batch add" users to my application. Say, I have a table of Users with the columns user_id, login, and password.
Now I want to add all the users in this table to the rails app using authlogic (so, adding them to the Users table and encrypting their passwords.
Background info:
We have a user base in our back office with passwords which changes on a daily basis. Now I want to be able to automatically add those users to the rails app with their own passwords they use elsewhere…
I guess a rake tasks to wrap this would be best..
Regarding authorization, the 0.9 release of Lockdown is now authentication-agnostic, and so should be a nice complement to authlogic.
http://stonean.com/wiki/lockdown