Victor's Tech Blog

Senior Software Engineer
Twitter: @vic_nyc
http://innergy.spintoapp.com

Implementing Social Login with JavaScript and Ruby, using the Gigya API

Gigya is a service that provides a general API for authentication against several identity providers, such as Facebook, Twitter, Google and LinkedIn. The benefit is that developers don't have to deal with the particulars of each provider's API, which lowers maintenance costs.

The code to be written is usually JavaScript on the front end (Gigya provides several user-definable UI controls) plus, most likely, some back-end code (Ruby, PHP, Java, or whatever your back end uses).

On the downside, Gigya used to be very pricey (and as such beyond the reach of small startups, for example), and the documentation on their site leaves much to be desired.

In particular, for verifying the signature (front-end to back-end call), there is no Ruby code sample on their site. After figuring out the steps, I thought of posting it here, in the hopes that it will benefit others who come across this issue.

  require 'openssl'
  require 'base64'

  class GigyaError < StandardError; end

  # DIGEST and SECRET are constants on the enclosing class (see below).
  def self.verify_signature(uid, timestamp, signature)
    # Validate that the timestamp (Unix seconds, UTC, as sent by Gigya) is
    # within 3 minutes of your current server time, in either direction
    if (Time.now.getutc - Time.at(timestamp.to_i)).abs > 180
      raise GigyaError.new("GIGYA ERROR: Invalid Timestamp")
    end

    # Gigya signs the string "timestamp_UID" with HMAC-SHA1, keyed with the
    # Base64-decoded secret, and Base64-encodes the raw digest
    base_string = "#{timestamp}_#{uid}"
    hmacsha1 = OpenSSL::HMAC.digest(DIGEST, Base64.decode64(SECRET), base_string)
    my_sig = Base64.strict_encode64(hmacsha1) # one line, no trailing newline
    if my_sig != signature
      raise GigyaError.new("GIGYA ERROR: Invalid Signature")
    end
    true
  end

where DIGEST = OpenSSL::Digest.new('sha1') (the older OpenSSL::Digest::Digest class is deprecated) and SECRET is the Gigya secret key, which Gigya hands out as Base64 text.

Two things matter here: the SECRET has to be Base64-decoded before it is used as the HMAC key, and OpenSSL::HMAC should be used, as it is the most efficient way to generate the SHA-1 HMAC.

— 9 months ago