Wednesday, July 7, 2010

Configuring OAuth2 gem with SSL Peer Certificates

OAuth2 recently has been gaining traction with major social networking sites, such as Twitter and Facebook. The OAuth2 gem makes it easy to access OAuth2 services, such as Facebook.

However, if we want to build a user-authentication alternative for our own web services through OAuth, it is important to verify the authenticity of the OAuth provider. We will use HTTPS/SSL, since Facebook provides that.

Michael Bleigh has posted this helpful example for Rails 2.3: http://wiki.github.com/intridea/oauth2/rails-23-webserver-example

Using the example alone will give you this warning:

warning: peer certificate won't be verified in this SSL session

This is fine if you are only polling data, but I needed to verify the provider. After some looking around the OAuth2 gem and Faraday, I found that the site parameter, if given a hash, is treated as the options hash.

Download the certificate authority file from: http://curl.haxx.se/ca/cacert.pem and place it somewhere appropriate.

Using the example, modify the client method to:

    require 'openssl'

    def client
      # Replace with the path where you placed the downloaded cacert.pem
      ca_file = 'ca_file_path'
      @client ||= OAuth2::Client.new(
        'appid', 'app_secret',
        {
          # Faraday treats the site param, if it is a hash, as the options hash
          :site => {
            :url => 'https://graph.facebook.com',
            :ssl => {
              :verify  => OpenSSL::SSL::VERIFY_PEER,
              :ca_file => ca_file
            }
          },
          # doesn't have to be NetHttp
          :adapter => :NetHttp
        }
      )
    end
And that should work!
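To see what VERIFY_PEER together with a ca_file actually enforces, here is an added example (not code from the original post or from the OAuth2 gem) that builds throwaway certificates in memory with Ruby's openssl library and runs the same two checks the TLS stack performs: the provider's certificate must chain to a CA in our trust store, and it must be issued for the host name we dialled. The CA names, the host name provider.example and all keys are constructed test material.

```ruby
require 'openssl'

# Build a self-signed CA or a CA-issued leaf certificate in memory.
# Constructed test material only; nothing here is a real CA or provider.
def build_cert(subject:, key:, serial:, ca: false, issuer: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                               # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  end
  # A leaf is signed by its issuer's key; a CA here signs itself.
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# What :verify => VERIFY_PEER plus :ca_file does: the presented certificate
# must chain to a CA we loaded into the store, or the handshake fails.
def chain_trusted?(trusted_ca, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)        # stands in for loading cacert.pem
  store.verify(leaf)
end

# The second half of peer verification: the certificate must be for the
# host we connected to, otherwise any certificate from the CA would do.
def identity_matches?(leaf, hostname)
  OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca     = build_cert(subject: '/CN=Trusted Test CA', key: ca_key, serial: 1, ca: true)

  # Legitimate provider certificate, issued by the trusted CA.
  provider_key = OpenSSL::PKey::RSA.new(2048)
  provider = build_cert(subject: '/CN=provider.example', key: provider_key, serial: 2,
                        issuer: ca, issuer_key: ca_key, san: 'provider.example')

  # Impostor: same subject and host name, but signed by a CA we never trusted.
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue_ca  = build_cert(subject: '/CN=Rogue CA', key: rogue_key, serial: 1, ca: true)
  impostor  = build_cert(subject: '/CN=provider.example', key: provider_key, serial: 3,
                         issuer: rogue_ca, issuer_key: rogue_key, san: 'provider.example')

  {
    provider_chain: chain_trusted?(ca, provider),                      # true
    provider_host:  identity_matches?(provider, 'provider.example'),   # true
    impostor_chain: chain_trusted?(ca, impostor),                      # false
    wrong_host:     identity_matches?(provider, 'other.example')       # false
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

With VERIFY_NONE, both the chain check and the host-name check are skipped, which is why the warning above matters: an impostor certificate like the one built here would be accepted. Running the block prints the four results; the two false entries are the cases the hardened client configuration rejects.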
