User Authentication

Dick Davis edited this page Jan 21, 2026 · 2 revisions

TokenAuthority requires user authentication for the consent screen where users approve or deny OAuth client access. This page explains how to integrate TokenAuthority with your authentication system.

Why Authentication Is Needed

When an OAuth client requests authorization, TokenAuthority needs to:

  1. Identify who is granting the authorization
  2. Ensure the user is logged in before showing the consent screen
  3. Associate the resulting tokens with the authenticated user

Required Methods

The authenticatable_controller must implement two methods:

  • authenticate_user!: A before_action that ensures the user is logged in. Should redirect to login if the user is not authenticated.
  • current_user: Returns the currently authenticated user object.

Devise Integration

If you use Devise, these methods are already available on ApplicationController. No additional configuration is needed—the defaults (authenticatable_controller = "ApplicationController" and user_class = "User") work out of the box.

Devise automatically provides:

  • authenticate_user! - Redirects to the sign-in page if not authenticated
  • current_user - Returns the signed-in user

Custom Authentication Implementation

For authentication systems that don't provide these methods, implement them on your controller.

Session-Based Authentication

class ApplicationController < ActionController::Base
  def authenticate_user!
    redirect_to login_path, alert: "Please log in" unless current_user
  end

  def current_user
    @current_user ||= User.find_by(id: session[:user_id])
  end
end

Delegating to Existing Methods

If your authentication library uses different method names, delegate to them:

class ApplicationController < ActionController::Base
  # Placeholder names: replace require_login, authenticate_account! and
  # current_account with whatever your authentication library provides
  before_action :require_login  # Your existing authentication filter

  def authenticate_user!
    authenticate_account!  # Delegate to your library's login check
  end

  def current_user
    current_account  # Delegate to your library's user lookup
  end
end

Token-Based Authentication (for APIs with session fallback)

If your app uses token authentication for APIs but session authentication for web views:

class ApplicationController < ActionController::Base
  def authenticate_user!
    return if current_user
    redirect_to login_path, alert: "Please log in"
  end

  def current_user
    @current_user ||= user_from_session || user_from_token
  end

  private

  def user_from_session
    User.find_by(id: session[:user_id])
  end

  def user_from_token
    # Your token authentication logic for API requests: return the user for a
    # valid token, or nil so that authenticate_user! redirects to login
  end
end
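One way to fill in the user_from_token stub, as an added example that is not TokenAuthority's own code: tokens are looked up by SHA-256 digest (so the table never stores usable credentials) and rejected once expired. It assumes a hypothetical TokenAuth module with an in-memory TOKENS table and Struct stand-ins for the app's User and token models; in the controller, user_from_token would call TokenAuth.user_from_authorization(request.headers["Authorization"]).

```ruby
require "digest"
require "securerandom"

# Constructed stand-ins for the application's own models (assumption).
User = Struct.new(:id, :email)
# Only the digest of the raw token is stored, never the raw token itself.
ApiToken = Struct.new(:token_digest, :user, :expires_at)

module TokenAuth
  # Constructed in-memory table standing in for an ActiveRecord lookup.
  TOKENS = {}

  def self.digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Issues a random token for user, stores its digest and expiry, and
  # returns the raw token exactly once (the caller shows it to the client).
  def self.issue(user, ttl_seconds:, now: Time.now)
    raw = SecureRandom.hex(32)
    TOKENS[digest(raw)] = ApiToken.new(digest(raw), user, now + ttl_seconds)
    raw
  end

  # Returns the User for a valid "Bearer <token>" header, nil otherwise.
  # nil lets the controller's authenticate_user! fall through to redirect.
  def self.user_from_authorization(header, now: Time.now)
    return nil unless header.is_a?(String)
    scheme, raw = header.split(" ", 2)
    return nil unless scheme&.casecmp?("bearer") && raw && !raw.empty?
    record = TOKENS[digest(raw)]   # lookup by digest, not by raw value
    return nil if record.nil?
    return nil if record.expires_at <= now  # expired tokens are rejected
    record.user
  end
end
```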

Dedicated Controller Approach

Instead of modifying ApplicationController, you can create a dedicated controller for TokenAuthority:

# app/controllers/oauth_base_controller.rb
class OAuthBaseController < ApplicationController
  def authenticate_user!
    redirect_to login_path, alert: "Please log in" unless current_user
  end

  def current_user
    @current_user ||= User.find_by(id: session[:user_id])
  end
end

Configure TokenAuthority to use it:

# config/initializers/token_authority.rb
TokenAuthority.configure do |config|
  config.authenticatable_controller = "OAuthBaseController"
end

When to Use a Dedicated Controller

Consider a dedicated controller when:

  • You want to keep OAuth authentication logic separate from your main app
  • Your ApplicationController has complex authentication that doesn't fit TokenAuthority's needs
  • You need different authentication behavior for OAuth flows

User Class Configuration

The user_class setting tells TokenAuthority which model represents users in your application:

config.user_class = "User"      # Default
config.user_class = "Account"   # If your model is named Account
config.user_class = "Admin::User"  # Namespaced models work too

This class must match the model returned by current_user.

Troubleshooting

"undefined method authenticate_user!"

Your authenticatable_controller doesn't have the required method. Add it to the controller or change the configuration to point to a controller that has it.

Users not redirected to login

Ensure authenticate_user! actually redirects when current_user is nil. Check that your authentication system's session handling is working correctly.

Wrong user associated with tokens

Verify that current_user returns the correct user object. The user returned by this method will be associated with any tokens issued during the OAuth flow.
