🫵 OmniAuth::Identity

---

The omniauth-identity gem provides a way for applications to utilize a traditional username/password based authentication system without the need to give up the simple authentication flow provided by OmniAuth. Identity is designed on purpose to be as featureless as possible: it provides the basic construct for user management and then gets out of the way.

💡 Info you can shake a stick at

| Tokens to Remember | | |-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Works with JRuby | | | Works with MRI Ruby 3 | | | Works with MRI Ruby 2 | | | Source | | | Documentation | | | Compliance | | | Style | | | Support | | | Enterprise Support |
💡Subscribe for support guarantees covering all FLOSS dependencies!
💡Tidelift is part of Sonar!
💡Tidelift pays maintainers to maintain the software you depend on!
📊@Pointy Haired Boss: An enterprise support subscription is "never gonna let you down", and supports open source maintainers! | | Comrade BDFL 🎖️ | | | ... 💖 | 🧊 🐙 🛖 🧪 |

✨ Installation

Install the gem and add to the application's Gemfile by executing:

$ bundle add omniauth-identity

If bundler is not being used to manage dependencies, install the gem by executing:

$ gem install omniauth-identity

🔒 Secure Installation

omniauth-identity is cryptographically signed, and has verifiable SHA-256 and SHA-512 checksums by stone_checksums. Be sure the gem you install hasn’t been tampered with by following the instructions below.

Add my public key (if you haven’t already, expires 2045-04-29) as a trusted certificate:

console gem cert --add <(curl -Ls https://raw.github.com/omniauth/omniauth-identity/main/certs/pboling.pem)

You only need to do that once. Then proceed to install with:

console gem install omniauth-identity -P MediumSecurity

The MediumSecurity trust profile will verify signed gems, but allow the installation of unsigned dependencies.

This is necessary because not all of omniauth-identity’s dependencies are signed, so we cannot use HighSecurity.

If you want to up your security game full-time:

console bundle config set --global trust-policy MediumSecurity

NOTE: Be prepared to track down certs for signed gems and add them the same way you added mine.

🔧 Compatibility

This gem is compatible with a wide range of Ruby versions and Ruby ORMs, as of May 2025, version 3.1.

• Tested in CI against:
  • Ruby 2.4, 2.5, 2.6, 2.7, 3.0, 3.1, 3.2, 3.3, 3.4, ruby-head
  • JRuby 9.2, 9.3, 9.4, 10.0, jruby-head
  • omniauth 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 2.0, 2.1, HEAD
  • activerecord 5.2, 6.0, 6.1, 7.0, 7.1, 7.2, 8.0, HEAD
  • sqlite3 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 2.0, 2.1
  • couch_potato 1.17+
  • mongoid 7.3, 7.4, 8.1, 9.0
  • bson 4.12, 4.15, 5.0, HEAD
  • sequel 5.86+
• At least 5 different database ORM adapters, which connect to 15 different database clients!

| Databases | Adapter Libraries | | --------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | | MySQL, MariaDB, PostgreSQL, SQLite | ActiveRecord | | CouchDB | CouchPotato | | MongoDB | Mongoid | | RethinkDB | NoBrainer | | ADO, Amalgalite, IBM_DB, JDBC, MySQL, MariaDB, ODBC, Oracle, PostgreSQL, SQLAnywhere, SQLite, and TinyTDS | Sequel |

🔧 Basic Usage

This can be a bit hard to understand the first time. Luckily, Ryan Bates made a Railscast about it!

You use omniauth-identity just like you would any other OmniAuth provider: as a Rack middleware. In rails, this would be created by an initializer, such as config/initializers/omniauth.rb. The basic setup for an email/password authentication would look something like this:

ruby use OmniAuth::Builder do provider :identity, # required: tells OA that the Identity strategy is being used model: Identity, # optional: specifies the name of the "Identity" model. Defaults to "Identity" fields: %i[email custom1 custom2] # optional: list of custom fields that are in the model's table end

Next, you need to create a model (called Identity by default, or specified with :model argument above) that will be able to persist the information provided by the user. Luckily for you, there are pre-built models for popular ORMs that make this dead simple.

Once you've got an Identity persistence model and the strategy up and running, you can point users to /auth/identity and it will request that they log in or give them the opportunity to sign up for an account. Once they have authenticated with their identity, OmniAuth will call through to /auth/identity/callback with the same kinds of information it would have had the user authenticated through an external provider.

Note: OmniAuth Identity is different from many other user authentication systems in that it is not built to store authentication information in your primary User model. Instead, the Identity model should be associated with your User model giving you maximum flexibility to include other authentication strategies such as Facebook, Twitter, etc.

ActiveRecord

Just subclass OmniAuth::Identity::Models::ActiveRecord and provide fields in the database for all the fields you are using.

```ruby class Identity < OmniAuth::Identity::Models::ActiveRecord auth_key :email # optional: specifies the field within the model that will be used during the login process # defaults to email, but may be username, uid, login, etc.

# Anything else you want! end ```

Sequel

Sequel is an alternative to ActiveRecord.

Just include OmniAuth::Identity::Models::Sequel mixin, and specify whatever else you will need.

ruby class SequelTestIdentity < Sequel::Model(:identities) include ::OmniAuth::Identity::Models::Sequel auth_key :email # whatever else you want! end

Mongoid

Include the OmniAuth::Identity::Models::Mongoid mixin and specify fields that you will need.

```ruby class Identity include ::Mongoid::Document include ::OmniAuth::Identity::Models::Mongoid

field :email, type: String field :name, type: String field :password_digest, type: String end ```

CouchPotato

Include the OmniAuth::Identity::Models::CouchPotatoModule mixin and specify fields that you will need.

```ruby class Identity # NOTE: CouchPotato::Persistence must be included before OmniAuth::Identity::Models::CouchPotatoModule include ::CouchPotato::Persistence include ::OmniAuth::Identity::Models::CouchPotatoModule

property :email property :password_digest

def self.where(searchhash) CouchPotato.database.view(Identity.byemail(key: search_hash)) end

view :by_email, key: :email end ```

NoBrainer

NoBrainer is an ORM for RethinkDB.

Include the OmniAuth::Identity::Models::NoBrainer mixin and specify fields that you will need.

```ruby class Identity include ::NoBrainer::Document include ::OmniAuth::Identity::Models::NoBrainer

auth_key :email end ```

Ruby Object Mapper

Would love to add a mixin for the Ruby Object Mapper (ROM) if anyone wants to work on it!

Custom Auth Model

To use a class other than the default, specify the :model option to a different class.

ruby use OmniAuth::Builder do provider :identity, fields: [:email], model: MyCustomClass end

NOTE: In the above example, MyCustomClass must have a class method called auth_key that returns the default (email) or custom auth_key to use.

Customizing Registration Failure

To use your own custom registration form, create a form that POSTs to /auth/identity/register with password, password_confirmation, and your other fields.

erb <%= form_tag '/auth/identity/register' do |f| %> <h1>Create an Account</h1> <%= text_field_tag :email %> <%= password_field_tag :password %> <%= password_field_tag :password_confirmation %> <%= submit_tag %> <% end %>

Beware not to nest your form parameters within a namespace. This strategy looks for the form parameters at the top level of the post params. If you are using simple_form, then you can avoid the params nesting by specifying :input_html.

erb <%= simple_form_for @identity, :url => '/auth/identity/register' do |f| %> <h1>Create an Account</h1> <%# specify :input_html to avoid params nesting %> <%= f.input :email, :input_html => {:name => 'email'} %> <%= f.input :password, :as => 'password', :input_html => {:name => 'password'} %> <%= f.input :password_confirmation, :label => "Confirm Password", :as => 'password', :input_html => {:name => 'password_confirmation'} %> <button type='submit'>Sign Up</button> <% end %>

Next you'll need to let OmniAuth know what action to call when a registration fails. In your OmniAuth configuration, specify any valid rack endpoint in the :on_failed_registration option.

ruby use OmniAuth::Builder do provider :identity, fields: [:email], on_failed_registration: UsersController.action(:new) end

For more information on rack endpoints, check out this introduction and ActionController::Metal

Customizing Locate Conditions

You can customize the way that matching records are found when authenticating. For example, for a site with multiple domains, you may wish to scope the search within a particular subdomain. To do so, add :locate_conditions to your config. The default value is:

ruby use OmniAuth::Builder do provider :identity, locate_conditions: ->(req) { {model.auth_key => req.params["auth_key"]} } # ... end

locate_conditions takes a Proc object, and must return a Hash object, which will be used as the argument to the locate method for your ORM. The proc is evaluated in the callback context, and has access to your Identity model (using model) and receives the request object as a parameter. Note that model.auth_key defaults to email, but is also configurable.

Note: Be careful when customizing locate_conditions. The best way to modify the conditions is to copy the default value, and then add to the hash. Removing the default condition will almost always break things!

Customizing Other Things

From the code - here are the options we have for you, a couple of which are documented above, and the rest are documented... in the specs we hope!?

``` option :fields, %i[name email]

  # Primary Feature Switches:

option :enableregistration, true # See #otherphase and #requestphase option :enablelogin, true # See #other_phase

  # Customization Options:

option :onlogin, nil # See #requestphase option :onvalidation, nil # See #registrationphase option :onregistration, nil # See #registrationphase option :onfailedregistration, nil # See #registrationphase option :locateconditions, ->(req) { {model.authkey => req.params["authkey"]} } ```

Please contribute some documentation if you have the gumption! The maintainer's time is limited, and sometimes the authors of PRs with new options don't update the this readme. 😭

🔐 Security

See SECURITY.md.

🤝 Contributing

If you need some ideas of where to help, you could work on adding more code coverage, or if it is already 💯 (see below) check issues, or PRs, or use the gem and think about how it could be better.

We so if you make changes, remember to update it.

See CONTRIBUTING.md for more detailed instructions.

🚀 Release Instructions

See CONTRIBUTING.md.

Code Coverage

🪇 Code of Conduct

Everyone interacting with this project's codebases, issue trackers, chat rooms and mailing lists agrees to follow the .

🌈 Contributors

Made with contributors-img.

⭐️ Star History

📌 Versioning

This Library adheres to . Violations of this scheme should be reported as bugs. Specifically, if a minor or patch version is released that breaks backward compatibility, a new version should be immediately released that restores compatibility. Breaking changes to the public API will only be introduced with new major versions.

📌 Is "Platform Support" part of the public API?

Yes. But I'm obligated to include notes...

SemVer should, but doesn't explicitly, say that dropping support for specific Platforms is a breaking change to an API. It is obvious to many, but not all, and since the spec is silent, the bike shedding is endless.

dropping support for a platform is both obviously and objectively a breaking change

• Jordan Harband (@ljharb, maintainer of SemVer) in SemVer issue 716

To get a better understanding of how SemVer is intended to work over a project's lifetime, read this article from the creator of SemVer:

• "Major Version Numbers are Not Sacred"

As a result of this policy, and the interpretive lens used by the maintainer, you can (and should) specify a dependency on these libraries using the Pessimistic Version Constraint with two digits of precision.

For example:

ruby spec.add_dependency("omniauth-identity", "~> 3.1")

See CHANGELOG.md for a list of releases.

📄 License

The gem is available as open source under the terms of the MIT License . See LICENSE.txt for the official Copyright Notice.

© Copyright

• Copyright (c) 2021, 2024-2025 Peter H. Boling, of Galtzo.com , and omniauth-identity contributors
• Copyright (c) 2020 Peter H. Boling, Andrew Roberts, and Jellybooks Ltd.
• Copyright (c) 2010-2015 Michael Bleigh, and Intridea, Inc.

🤑 One more thing

Having arrived at the bottom of the page, please endure a final supplication. The primary maintainer of this gem, Peter Boling, wants Ruby to be a great place for people to solve problems, big and small. Please consider supporting his efforts via the giant yellow link below, or one of smaller ones, depending on button size preference.

P.S. If you need help️, or want to say thanks, 👇 Join the Discord.