Integrating openid, google apps, and ruby on rails

My university uses Google Apps for Universities. We wanted users to be able to authenticate to our rails application using their Google Apps account. Since Google Apps now supports openid, I thought that this would be really straightforward. A friend had just installed openid on his site and it was a breeze. I thought I would just install a few gems and get on with other rails development activities. I have no intention of becoming an openid expert. Here are the steps that I followed to get it to all work together.



Step 1) Enable Federated Login using OpenID on your Google Apps domain.

http://www.google.com/a/cpanel/{your-domain}/SetupIdp

Step 2) Download your needed gems

a) gem install ruby-openid
This is JanRan's ruby implementation of open id

b) gem install ruby-openid-apps-discovery
This is Google's extension of ruby-openid to work with Google Apps

c) gem install rack-openid
This is a rack wrapper around JanRan's open id

d) ./script/plugin install git://github.com/rails/open_id_authentication.git
This is Rails code to make integrating in with open id easier

e) Modify config/environment.erb and add this line
require 'gapps_openid'


Step 3) Add some code to your rails application.

 
class SessionsController < current_user =" @account.users.authenticate(params[:name]," required =""> ["http://axschema.org/contact/email", "http://axschema.org/namePerson/first", "http://axschema.org/namePerson/last"]) do |result, identity_url, registration|
       ax_response = OpenID::AX::FetchResponse.from_success_response(request.env[Rack::OpenID::RESPONSE])
         case result.status
         when :missing
           failed_login "Sorry, the OpenID server couldn't be found"
         when :invalid
           failed_login "Sorry, but this does not appear to be a valid OpenID"
         when :canceled
           failed_login "OpenID verification was canceled"
         when :failed
           failed_login "Sorry, the OpenID verification failed"
         when :successful

       email = ax_response['http://axschema.org/contact/email'].first()
       first_name = ax_response['http://axschema.org/namePerson/first'].first()
       last_name = ax_response['http://axschema.org/namePerson/last'].first()

       if result.successful?
         #Look up the user and if they don't exist then create the user
         @current_user = ...
         if @current_user
           successful_login
         else
           failed_login "Sorry, no user by that identity URL exists (#{identity_url})"
         end
       else
         failed_login result.message
       end
     end
   end
 end


   private
     def successful_login
       session[:user_id] = @current_user.id
       redirect_to(root_url)
     end

     def failed_login(message)
       flash[:error] = message
       redirect_to(new_session_url)
     end
 end

If you are still stuck, here are some other helpful links:

To understand open id: http://www.devx.com/opensource/Article/37692/1954?pf=true

To get google mail to work with rails plugin: http://stackoverflow.com/questions/2492043/ruby-open-id-authentication-with-google-openid

To understand all possible AX schema fields: http://www.axschema.org/types/#sreg

Discovering end points: http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains

Part 2

If you get a warning message like this
WARNING: making https request to https://www.google.com/accounts/o8/.well-known/host-meta?hd= without verifying server certificate; no CA path was specified.
WARNING: making https request to https://www.google.com/accounts/o8/site-xrds?ns=2&hd= without verifying server certificate; no CA path was specified.
WARNING: making https request to https://www.google.com/a//o8/ud?be=o8 without verifying server certificate; no CA path was specified.
Generated checkid_setup request to https://www.google.com/a//o8/ud?be=o8 with assocication AOQpcUfj9hGDs4DukDUrxhChnVBMbtoKAlXgvzQ1dp1L0yp6wCDxeFlx

The fix is pretty simple.
a) In your config/environment.rb file add the line
OpenID.fetcher.ca_file = "#{Rails.root}/config/ca-bundle.crt"
b) You'll need to get a ca-bundle.crt file. You should add in certificate authorities that you trust. If you are in a hurry, you can use the one in the ruby-openid-apps-discovery gem. Unpack it and find it in the lib directory. I copied mine to my application's config directory.