OmniAuth 2.0 on Rails for Google User Authentication

I recently (as in about 5 minutes ago) published an article on how to retrieve your Google authentication credentials from their cloud platform. (You can see that story here: ) I had intended to explain how to then use those credentials so your program can offer Google login, but that would have made the original post too long, so now I return to finish what I started. Make sure you have a Rails project set up. There is plenty of documentation on how to do this here:

With your Rails project ready to go, it's time to begin. I recommend building what your project needs in order to work first, then adding Google authentication for user log-in, but it is not necessary. First things first, you need your Gemfile set up correctly. Aside from the gems normally installed with Ruby on Rails applications, and whatever other gems your program ends up needing in order to function, you will also need these four at a bare minimum. ‘dotenv-rails’ lets you make proper use of the ‘.env’ file we'll be making later. ‘omniauth’ should be a no-brainer. ‘omniauth-rails_csrf_protection’ is a gem that protects against Cross-Site Request Forgery; without it, OmniAuth will throw errors because the protection it requires is missing. And finally, the meat and potatoes, ‘omniauth-google-oauth2’. A separate OmniAuth gem for Google exists out there somewhere; to my knowledge, it is deprecated as of this post.

Next you're going to need your callback route set up. Locate your routes file at ‘/config/routes.rb’ and add something like the following:

Let's break this code down. We're declaring a ‘get’ route for ‘/auth/google_oauth2/callback’. This path is the same for every app that uses ‘omniauth-google-oauth2’. With your route set up, we need to create some files. In your top level directory you will need a file called ‘.env’. Make absolutely certain it is in your top level directory, otherwise it will cause errors and bugs for your whole program. Once you've done that, you'll need to make an ‘Omniauth.rb’ file in your ‘/config/initializers’ folder. The standard code inside this ‘Omniauth.rb’ file should be:

If we want to be technical, you could rename ‘GOOGLE_CLIENT_ID’ and ‘GOOGLE_CLIENT_SECRET’ to whatever you want, as long as you use the same names in your ‘.env’ file. I tend to leave mine as the defaults for whatever I'm authenticating against, since you can copy and paste this entire chunk of code from the GitHub repository. Setting up the ‘.env’ file is extremely simple.

‘.env’ just sets your client ID and client secret variables to the credentials we retrieved from the Google Cloud console. Also make sure to add your ‘.env’ file to your application's ‘.gitignore’ file, otherwise your keys end up in the repository and can be stolen. The next step I usually take is adding the button for my Google log-in to my view, like so:

This button makes a POST request to ‘/auth/google_oauth2’. After clicking it, you should see Google's sign-in page. With that simple button set up, we'll need to make a method for our authentication. As you can see above in my routes screen capture, I specified that my callback route should be directed to ‘sessions#create_with_google’, so I'm going to make a ‘sessions_controller’ method called ‘create_with_google’.
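Here is what those pieces look like written out, as an added example rather than the post's own screen captures: the Gemfile lines, the callback route, the initializer, the ‘.env’ layout and the sign-in button. The ‘/auth/failure’ route and the ENV.fetch calls are my additions, not from the post; these are Rails configuration files and are not meant to run on their own.

```ruby
# Gemfile: the four gems the post calls for, on top of the Rails defaults
gem 'dotenv-rails'
gem 'omniauth'
gem 'omniauth-rails_csrf_protection'   # OmniAuth 2 needs this for the POST request phase
gem 'omniauth-google-oauth2'

# config/routes.rb: Google redirects the browser back to this path after consent
Rails.application.routes.draw do
  get '/auth/google_oauth2/callback', to: 'sessions#create_with_google'
  # Where OmniAuth sends the browser when the provider returns an error;
  # this failure route and its target are an addition, not from the post
  get '/auth/failure', to: redirect('/signup')
end

# config/initializers/Omniauth.rb: read the credentials dotenv loaded from .env.
# ENV.fetch (an addition) raises at boot if a variable is missing instead of
# silently configuring the provider with nil.
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV.fetch('GOOGLE_CLIENT_ID'), ENV.fetch('GOOGLE_CLIENT_SECRET')
end

# .env (not Ruby; lives in the project root and in .gitignore). Placeholder values:
#   GOOGLE_CLIENT_ID=<client id from the Google Cloud console>
#   GOOGLE_CLIENT_SECRET=<client secret from the Google Cloud console>

# app/views/sessions/new.html.erb (ERB, shown as a comment): the request phase
# must be a POST so omniauth-rails_csrf_protection can check the CSRF token
#   <%= button_to 'Sign in with Google', '/auth/google_oauth2', method: :post %>
```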

Now, the controller action looks like a lot of code, but let's break it down. It is all just a log-in or sign-up action that retrieves its information from Google. Once the round trip started by the button (the POST to ‘/auth/google_oauth2’) completes, Google returns a ‘uid’ for the user ID, and the same package gives me ‘provider’. I'm using the ‘find_or_create_by’ method on my User model, then passing a do block to that method.

I then set the username equal to the ‘email’ information Google provides in the ‘info’ hash. ‘user.password’ has to be set up a little differently because A) reusing the same password is bad security practice, and B) Google wouldn't even give my application that information, because it shouldn't expose it to any authentication site that asks for it. That's just asking for a data breach.

While it is not necessary, I have set up a private method called ‘google_auth’ that wraps the request, as shown in the screen capture below. Without it, I'd have to call request.env['omniauth.auth'] everywhere in the controller that I call ‘google_auth’ instead. Using this private method is far more DRY.

Finally, I need to make sure the user is valid. This is pretty easy, as ActiveRecord provides the ‘.valid?’ method that we can call on the ‘user’ instance we set in our ‘create_with_google’ method. From there we make sure our session is set up correctly and redirect to the home page index. If the user is not valid, it will instead send them back to the sign-up page.
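The callback action described above, as an added example that is not the post's code: an in-memory User stand-in replaces ActiveRecord so the logic runs in plain Ruby, ‘create_with_google’ and ‘sign_in’ are the controller's logic lifted out as methods, and SAMPLE_AUTH is a constructed auth hash in the shape OmniAuth places in request.env['omniauth.auth'].

```ruby
require 'securerandom'

# Stand-in for the ActiveRecord User model so the logic runs without Rails.
# Constructed for this example: records live in an in-memory array, and
# find_or_create_by mirrors ActiveRecord's (the block runs only for a new record).
class User
  attr_accessor :provider, :uid, :username, :password
  @@store = []

  def self.count; @@store.size; end

  def self.find_or_create_by(provider:, uid:)
    found = @@store.find { |u| u.provider == provider && u.uid == uid }
    return found if found
    user = new
    user.provider, user.uid = provider, uid
    yield user if block_given?
    @@store << user if user.valid?   # ActiveRecord only persists a valid record
    user
  end

  # Roughly what presence validations plus has_secure_password would enforce
  def valid?
    [provider, uid, username, password].all? { |v| v.is_a?(String) && !v.empty? }
  end
end

# The callback action the post describes: look the user up by the identity Google
# asserted (provider + uid), take the e-mail from the 'info' hash, and give an
# OAuth-only account a long random password, since Google never sends one.
def create_with_google(google_auth)
  User.find_or_create_by(provider: google_auth['provider'], uid: google_auth['uid']) do |user|
    user.username = google_auth.dig('info', 'email')
    user.password = SecureRandom.hex(32)
  end
end

# What the action does with the result; `session` is a plain Hash here.
# Returns the page the browser would be redirected to.
def sign_in(session, google_auth)
  user = create_with_google(google_auth)
  return :signup unless user.valid?
  session[:user_id] = user.uid       # ActiveRecord would store user.id
  :home
end

# Constructed sample, shaped like request.env['omniauth.auth'] from Google
SAMPLE_AUTH = { 'provider' => 'google_oauth2', 'uid' => '1122',
                'info' => { 'email' => 'alice@example.com' } }.freeze
```

A second sign-in with the same provider and uid returns the existing record without re-running the block, and an auth hash with no e-mail fails ‘valid?’ and is never stored.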

And that is it! Make sure to test your own code, and use either ‘byebug’ or ‘binding.pry’ to check what information Google returns to you so you can use it properly, as it can vary from application to application. Happy coding!

Hi, I'm studying Software Engineering in boot camp and Software Development and Security in college. I used to write poetry but now I just play video games.