[英]Doorkeeper - Reject access token request if user not an admin
Using password-grant OAuth-2 flow, If a non-admin user requests an access token with scope: 'admin'
I want to be able to reject that from happening - I'm using doorkeeper with devise. 使用授予密码的OAuth-2流,如果非管理员用户请求访问令牌的scope: 'admin'
我希望能够拒绝这种情况的发生-我正在使用带有设计功能的门卫。
Currently any old user can ask for any scope and by default it gets granted. 当前,任何老用户都可以请求任何范围,默认情况下,它会被授予。
I don't see an obvious hook in doorkeeper to perform this sort of logic. 我看不出门卫可以执行这种逻辑。 Where/how should I configure this? 我应该在哪里/如何配置它?
This is not currently possible with doorkeeper 3.x. 目前无法使用Doorkeeper3.x。 You'd need to monkeypatch the OAuth::PreAuthorization
class or fork the gem to add the required logic. 您需要猴子修补OAuth::PreAuthorization
类或派生gem以添加所需的逻辑。
I had a similar need, so I made this into a config option where you can specify your own preauth
class. 我也有类似的需求,因此将其设置为config选项,您可以在其中指定自己的preauth
类。 The code is here . 代码在这里 。 The doorkeeper maintainers indicated they wanted to think more about the feature . 门卫维护者表示, 他们想对功能进行更多的思考 。
Using Doorkeeper 4.xx I am checking the presence of an 'admin' scope and if the current user is admin in the Doorkeeper's initializer: 使用Doorkeeper 4.xx,我正在检查'admin'范围的存在以及当前用户是否是Doorkeeper的初始化程序中的admin:
resource_owner_from_credentials do
user = User.find_for_database_authentication(login: params[:login])
if user&.active_for_authentication? &&
user.valid_for_authentication? { user.valid_password? params[:password] }
admin_scope = params[:scope]&.split&.include?('admin')
user if admin_scope && user.admin? || !admin_scope
end
end
end
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.