
Make client_id and secret mandatory in access token request with grant_type=password in rails+doorkeeper

Currently I have an access token API with username, password and grant_type=password in my request in Rails using Doorkeeper. But I need to make client_id and secret mandatory fields in the request. How can I do that? Can anyone please help me with this?

In my doorkeeper.rb config file,

resource_owner_from_credentials do |routes|
  # Earlier attempt at validating the client, left commented out:
  #client = OAuth2::Client.new(request.params[:client_id], request.params[:client_secret], site: "http://localhost:3000/")
  #auth_url = client.auth_code.authorize_url(:redirect_uri => "urn:ietf:wg:oauth:2.0:oob")
  # Map the OAuth username/password params onto the hash Devise expects
  request.params[:user] = {:email => request.params[:username], :password => request.params[:password]}
  request.env["devise.allow_params_authentication"] = true
  # Returns the authenticated user, or halts the request if the credentials are wrong
  request.env["warden"].authenticate!(:scope => :user)
end

I want to authenticate using user credentials and also want to make client_id and secret required fields. I want to show a message if the client_id and secret are missing.

Inside the block, you can check the presence of params[:client_id] and params[:client_secret], and do the necessary check to make sure that they are valid :)

resource_owner_from_credentials do |routes|
  # Reject the request outright when either client credential is missing
  raise Doorkeeper::Errors::DoorkeeperError if params[:client_id].blank? || params[:client_secret].blank?

  # Look up the registered application and verify its secret; compare in
  # constant time so the check does not leak how much of the secret matched
  dk_app = Doorkeeper::Application.find_by(uid: params[:client_id])
  raise Doorkeeper::Errors::DoorkeeperError if dk_app.blank? ||
    !ActiveSupport::SecurityUtils.secure_compare(dk_app.secret, params[:client_secret])

  # Client is valid; now authenticate the resource owner through Devise/Warden
  request.params[:user] = {:email => request.params[:username], :password => request.params[:password]}
  request.env["devise.allow_params_authentication"] = true
  request.env["warden"].authenticate!(:scope => :user)
end

If you need to change the error message to a custom one, you can refer to this issue.

You can add this code to your doorkeeper.rb config file,

# Doorkeeper patch: Always require a client on resource owner password flow
Doorkeeper::OAuth::PasswordAccessTokenRequest.class_eval do
  private

  # Doorkeeper's default only validates the client when a client_id was sent;
  # this override fails validation whenever no authenticated client is present.
  def validate_client
    !!client
  end
end

It makes sure that the client application is always required for the password flow. Then the client_id and the client_secret are validated internally by Doorkeeper. If they are invalid, Doorkeeper's default error message for that case is returned.

Monkey patching is always ugly, but since Doorkeeper doesn't really allow this behaviour to be customized natively, I think it's a valid solution for now.
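The following is an added, stand-alone example (not code from either answer or from Doorkeeper) of the presence-and-validity check the first answer describes, written in plain Ruby so it runs without the gem. It assumes a constructed in-memory application store in place of Doorkeeper::Application, uses the RFC 6749 error codes invalid_request and invalid_client for the two failure cases, and gives the same response for an unknown client_id and a wrong secret so the endpoint does not reveal which client ids are registered.

```ruby
require "digest"

# Constructed stand-in for Doorkeeper::Application records (uid => attributes).
REGISTERED_APPS = {
  "abc123" => { secret: "s3cr3t-client-secret", name: "mobile-app" }
}.freeze

# Constant-time comparison: hashing first equalises the lengths, and OR-ing
# the XOR of every byte means the loop never exits early on a mismatch.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors the checks added to the resource_owner_from_credentials block:
# both client credentials must be present, and the secret must match the
# registered application. Returns [:ok, app] or [:error, error_hash].
def validate_password_grant_client(params, apps = REGISTERED_APPS)
  client_id = params[:client_id].to_s
  client_secret = params[:client_secret].to_s

  # RFC 6749 5.2: a missing required parameter is invalid_request
  if client_id.empty? || client_secret.empty?
    return [:error, { error: "invalid_request",
                      error_description: "client_id and client_secret are required" }]
  end

  app = apps[client_id]
  # Unknown id and wrong secret produce the identical invalid_client response
  unless app && secure_compare(app[:secret], client_secret)
    return [:error, { error: "invalid_client",
                      error_description: "Client authentication failed" }]
  end

  [:ok, app]
end
```

Doorkeeper also accepts client credentials through HTTP Basic authentication, not only as request parameters, so a check that reads params alone will reject clients that authenticate that way; the monkey-patch approach in the second answer lets Doorkeeper's own client resolution handle both sources.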
