oauth

ruby-oauth Logo by Aboling0, CC BY-SA 4.0

๐Ÿ”‘ OAuth

Version GitHub tag (latest SemVer) License: MIT Downloads Rank CodeCov Test Coverage Coveralls Test Coverage QLTY Test Coverage QLTY Maintainability CI Heads CI Runtime Dependencies @ HEAD CI Current CI Truffle Ruby CI JRuby Deps Locked Deps Unlocked CI Test Coverage CI Style Apache SkyWalking Eyes License Compatibility Check

if ci_badges.map(&:color).detect { it != "green"} โ˜๏ธ let me know, as I may have missed the discord notification.

if ci_badges.map(&:color).all? { it == "green"} ๐Ÿ‘‡๏ธ send money so I can do more of this. FLOSS maintenance is now my full-time job.

OpenCollective Backers OpenCollective Sponsors Sponsor Me on Github Liberapay Goal Progress Donate on PayPal Buy me a coffee Donate on Polar Donate at ko-fi.com

๐Ÿ‘ฃ How will this project approach the September 2025 hostile takeover of RubyGems? ๐Ÿš‘๏ธ I've summarized my thoughts in [this blog post](https://dev.to/galtzo/hostile-takeover-of-rubygems-my-thoughts-5hlo).

๐ŸŒป Synopsis Galtzo FLOSS Logo by Aboling0, CC BY-SA 4.0 ruby-lang Logo, Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5

OAuth 1.0a is an industry-standard protocol for authorization. It is an update to the original OAuth 1.0 protocol, and is used by many popular services.

This is a RubyGem for implementing OAuth 1.0 or 1.0a clients and servers in Ruby applications. See the sibling oauth2 gem for OAuth 2.0, 2.1, & OIDC clients in Ruby.

All dependencies of this gem are signed, so it can be installed with a HighSecurity profile.

OAuth 1.0 vs 1.0a: What this library implements

This gem targets the OAuth 1.0a behavior (the errata that became RFC 5849), while maintaining compatibility with providers that still behave like classic 1.0. Here are the key differences between the two and how this gem handles them:

Practical guidance:

References: RFC 5849 (OAuth 1.0), sections 5โ€“7; 1.0a security errata.

Ruby OAuth has been maintained by a large number of talented individuals over the years. The primary maintainer since 2020 is Peter Boling (@pboling).

๐Ÿ’ก Info you can shake a stick at

Tokens to Remember Gem name Gem namespace
Works with JRuby JRuby 9.2 Compat JRuby 9.3 Compat
JRuby 9.4 Compat JRuby current Compat JRuby HEAD Compat
Works with Truffle Ruby Truffle Ruby 22.3 Compat Truffle Ruby 23.0 Compat Truffle Ruby 23.1 Compat
Truffle Ruby 24.2 Compat Truffle Ruby 25.0 Compat Truffle Ruby current Compat
Works with MRI Ruby 4 Ruby 4.0 Compat Ruby current Compat Ruby HEAD Compat
Works with MRI Ruby 3 Ruby 3.0 Compat Ruby 3.1 Compat Ruby 3.2 Compat Ruby 3.3 Compat Ruby 3.4 Compat
Works with MRI Ruby 2 Ruby 2.3 Compat
Ruby 2.4 Compat Ruby 2.5 Compat Ruby 2.6 Compat Ruby 2.7 Compat
Support & Community Join Me on Daily.dev's RubyFriends Live Chat on Discord Get help from me on Upwork Get help from me on Codementor
Source Source on GitLab.com Source on CodeBerg.org Source on Github.com The best SHA: dQw4w9WgXcQ!
Documentation Current release on RubyDoc.info YARD on Galtzo.com Maintainer Blog GitLab Wiki GitHub Wiki
Compliance License: MIT Apache license compatibility: Category A ๐Ÿ“„ilo-declaration-img Security Policy Contributor Covenant 2.1 SemVer 2.0.0
Style Enforced Code Style Linter Keep-A-Changelog 1.0.0 Gitmoji Commits Compatibility appraised by: appraisal2
Maintainer ๐ŸŽ–๏ธ Follow Me on LinkedIn Follow Me on Ruby.Social Follow Me on Bluesky Contact Maintainer My technical writing
... ๐Ÿ’– Find Me on WellFound: Find Me on CrunchBase My LinkTree More About Me ๐ŸงŠ ๐Ÿ™ ๐Ÿ›– ๐Ÿงช

Compatibility

Compatible with MRI Ruby 2.3+, and concordant releases of JRuby, and TruffleRuby. CI workflows and Appraisals are generated for MRI Ruby 2.4+. This test floor is configured by ruby.test_minimum in .kettle-jem.yml and may be higher than the gemโ€™s runtime compatibility floor when legacy Rubies are not practical for the current toolchain.

๐Ÿšš Amazing test matrix was brought to you by ๐Ÿ”Ž appraisal2 ๐Ÿ”Ž and the color ๐Ÿ’š green ๐Ÿ’š
๐Ÿ‘Ÿ Check it out! โœจ github.com/appraisal-rb/appraisal2 โœจ

Federated DVCS

Find this repo on federated forges (Coming soon!)
Federated DVCS Repository Status Issues PRs Wiki CI Discussions
๐Ÿงช ruby-oauth/oauth on GitLab The Truth ๐Ÿ’š ๐Ÿ’š ๐Ÿ’š ๐Ÿญ Tiny Matrix โž–
๐ŸงŠ ruby-oauth/oauth on CodeBerg An Ethical Mirror (Donate) ๐Ÿ’š ๐Ÿ’š โž– โญ•๏ธ No Matrix โž–
๐Ÿ™ ruby-oauth/oauth on GitHub Another Mirror ๐Ÿ’š ๐Ÿ’š ๐Ÿ’š ๐Ÿ’ฏ Full Matrix ๐Ÿ’š
๐ŸŽฎ๏ธ Discord Server Live Chat on Discord Letโ€™s talk about this library!

Enterprise Support Tidelift

Available as part of the Tidelift Subscription.

Need enterprise-level guarantees?

The maintainers of this and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use.

Get help from me on Tidelift

Alternatively:

โœจ Installation

Install the gem and add to the applicationโ€™s Gemfile by executing:

bundle add oauth

If bundler is not being used to manage dependencies, install the gem by executing:

gem install oauth

โš™๏ธ Configuration

This is a ruby library which is intended to be used in creating Ruby Consumer and Service Provider applications. It is NOT a Rails plugin, but could easily be used for the foundation for such a Rails plugin.

The main client entry point is OAuth::Consumer.new(consumer_key, consumer_secret, options). Common options include:

This gem was originally extracted from @pelleโ€™s oauth-plugin gem. After extraction that gem was made to depend on this gem.

Unfortunately, this gem does have some Rails related bits that are optional to load. You donโ€™t need Rails! The Rails bits may be pulled out into a separate gem with the 1.x minor updates of this gem.

๐Ÿ”ง Basic Usage

Extensions

Examples

For browser-based three-legged OAuth 1.0a flows, pass an explicit oauth_callback URL when requesting the request token. If you do not pass oauth_callback, this gem defaults it to "oob" (out of band), which is intended for command-line and non-HTTP clients.

callback_url = "http://127.0.0.1:3000/oauth/callback"

Create a new OAuth::Consumer instance by passing it a configuration hash:

oauth_consumer = OAuth::Consumer.new(
  "consumer_key",
  "consumer_secret",
  site: "https://provider.example"
)

Start the process by requesting a token:

request_token = oauth_consumer.get_request_token(oauth_callback: callback_url)

session[:token] = request_token.token
session[:token_secret] = request_token.secret
redirect_to request_token.authorize_url

When the user returns to your callback URL, rebuild the request token from the values you stored and exchange it for an access token. OAuth 1.0a providers return oauth_verifier in the callback, and it must be included in this exchange.

hash = {oauth_token: session[:token], oauth_token_secret: session[:token_secret]}
request_token = OAuth::RequestToken.from_hash(oauth_consumer, hash)
access_token = request_token.get_access_token(oauth_verifier: params[:oauth_verifier])
@photos = access_token.get("/photos.xml")

For OAuth 1.0 providers that do not use oauth_verifier, call request_token.get_access_token without the verifier.

Now that you have an access token, you can use Typhoeus to interact with the OAuth provider if you choose.

require "typhoeus"
require "oauth/request_proxy/typhoeus_request"

uri = "https://provider.example/photos.xml"
options = {method: :get, headers: {}}
oauth_params = {consumer: oauth_consumer, token: access_token}

hydra = Typhoeus::Hydra.new
req = Typhoeus::Request.new(uri, options) # :method needs to be specified in options
oauth_helper = OAuth::Client::Helper.new(req, oauth_params.merge(request_uri: uri))
req.options[:headers] ||= {}
req.options[:headers]["Authorization"] = oauth_helper.header # Signs the request
hydra.queue(req)
hydra.run
@response = req.response

More Information

๐Ÿฆท FLOSS Funding

While ruby-oauth tools are free software and will always be, the project would benefit immensely from some funding. Raising a monthly budget ofโ€ฆ โ€œdollarsโ€ would make the project more sustainable.

We welcome both individual and corporate sponsors! We also offer a wide array of funding channels to account for your preferences. Currently, Open Collective is our preferred funding platform.

If youโ€™re working in a company thatโ€™s making significant use of ruby-oauth tools weโ€™d appreciate it if you suggest to your company to become a ruby-oauth sponsor.

You can support the development of ruby-oauth tools via GitHub Sponsors, Liberapay, PayPal, Open Collective and Tidelift.

๐Ÿ“ NOTE
If doing a sponsorship in the form of donation is problematic for your company
from an accounting standpoint, weโ€™d recommend the use of Tidelift,
where you can get a support-like subscription instead.

Open Collective for Individuals

Support us with a monthly donation and help us continue our activities. [Become a backer]

NOTE: kettle-readme-backers updates this list every day, automatically.

No backers yet. Be the first!

Open Collective for Organizations

Become a sponsor and get your logo on our README on GitHub with a link to your site. [Become a sponsor]

NOTE: kettle-readme-backers updates this list every day, automatically.

No sponsors yet. Be the first!

Another way to support open-source

Iโ€™m driven by a passion to foster a thriving open-source community โ€“ a space where people can tackle complex problems, no matter how small. Revitalizing libraries that have fallen into disrepair, and building new libraries focused on solving real-world challenges, are my passions. I was recently affected by layoffs, and the tech jobs market is unwelcoming. Iโ€™m reaching out here because your support would significantly aid my efforts to provide for my family, and my farm (11 ๐Ÿ” chickens, 2 ๐Ÿถ dogs, 3 ๐Ÿฐ rabbits, 8 ๐Ÿˆโ€ cats).

If you work at a company that uses my work, please encourage them to support me as a corporate sponsor. My work on gems you use might show up in bundle fund.

Iโ€™m developing a new library, floss_funding, designed to empower open-source developers like myself to get paid for the work we do, in a sustainable way. Please give it a look.

Floss-Funding.dev: ๐Ÿ‘‰๏ธ No network calls. ๐Ÿ‘‰๏ธ No tracking. ๐Ÿ‘‰๏ธ No oversight. ๐Ÿ‘‰๏ธ Minimal crypto hashing. ๐Ÿ’ก Easily disabled nags

OpenCollective Backers OpenCollective Sponsors Sponsor Me on Github Liberapay Goal Progress Donate on PayPal Buy me a coffee Donate on Polar Donate to my FLOSS efforts at ko-fi.com Donate to my FLOSS efforts using Patreon

๐Ÿ” Security

See SECURITY.md.

๐Ÿค Contributing

If you need some ideas of where to help, you could work on adding more code coverage, or if it is already ๐Ÿ’ฏ (see below) check issues or PRs, or use the gem and think about how it could be better.

We Keep A Changelog so if you make changes, remember to update it.

See CONTRIBUTING.md for more detailed instructions.

๐Ÿš€ Release Instructions

See CONTRIBUTING.md.

Code Coverage

Coverage service badges

Coverage Graph

Coveralls Test Coverage

QLTY Test Coverage

๐Ÿช‡ Code of Conduct

Everyone interacting with this projectโ€™s codebases, issue trackers, chat rooms and mailing lists agrees to follow the Contributor Covenant 2.1.

๐ŸŒˆ Contributors

Contributors

Made with contributors-img.

Also see GitLab Contributors: https://gitlab.com/ruby-oauth/oauth/-/graphs/main

โญ๏ธ Star History Star History Chart

๐Ÿ“Œ Versioning

This library follows Semantic Versioning 2.0.0 for its public API where practical. For most applications, prefer the Pessimistic Version Constraint with two digits of precision.

For example:

spec.add_dependency("oauth", "~> 1.0")
๐Ÿ“Œ Is "Platform Support" part of the public API? More details inside.

Dropping support for a platform can be a breaking change for affected users. If a release changes supported platforms, it should be called out clearly in the changelog and versioned with that impact in mind.

To get a better understanding of how SemVer is intended to work over a projectโ€™s lifetime, read this article from the creator of SemVer:

See CHANGELOG.md for a list of releases.

๐Ÿ“„ License

The gem is available as open source under the terms of the MIT License: MIT.

ยฉ Copyright

See LICENSE.md for the official copyright notice.

Copyright holders

๐Ÿค‘ A request for help

Maintainers have teeth and need to pay their dentists. After getting laid off in an RIF in March, and encountering difficulty finding a new one, I began spending most of my time building open source tools. Iโ€™m hoping to be able to pay for my kidsโ€™ health insurance this month, so if you value the work I am doing, I need your support. Please consider sponsoring me or the project.

To join the community or get help ๐Ÿ‘‡๏ธ Join the Discord.

Live Chat on Discord

To say โ€œthanks!โ€ โ˜๏ธ Join the Discord or ๐Ÿ‘‡๏ธ send money.

Sponsor ruby-oauth/oauth on Open Source Collective ๐Ÿ’Œ Sponsor me on GitHub Sponsors ๐Ÿ’Œ Sponsor me on Liberapay ๐Ÿ’Œ Donate on PayPal

Please give the project a star โญ โ™ฅ.

Many parts of this project are actively managed by a kettle-jem smart template utilizing StructuredMerge.org merge contracts.

Thanks for RTFM. โ˜บ๏ธ

| Field | Value | |โ€”|โ€”| | Package | oauth | | Description | ๐Ÿ”‘ A Ruby wrapper for the original OAuth 1.0 / 1.0a spec. | | Homepage | https://github.com/ruby-oauth/oauth | | Source | https://github.com/ruby-oauth/oauth/tree/v1.1.5 | | License | MIT | | Funding | https://github.com/sponsors/pboling, https://issuehunt.io/u/pboling, https://ko-fi.com/pboling, https://liberapay.com/pboling/donate, https://opencollective.com/ruby-oauth, https://patreon.com/galtzo, https://polar.sh/pboling, https://thanks.dev/u/gh/pboling, https://tidelift.com/funding/github/rubygems/oauth, https://www.buymeacoffee.com/pboling |

This site is open source. Improve this page.