doorkeeper 4.4.3 → 5.5.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/{NEWS.md → CHANGELOG.md} +393 -19
- data/README.md +97 -393
- data/app/assets/stylesheets/doorkeeper/admin/application.css +2 -2
- data/app/controllers/doorkeeper/application_controller.rb +8 -5
- data/app/controllers/doorkeeper/application_metal_controller.rb +7 -11
- data/app/controllers/doorkeeper/applications_controller.rb +62 -27
- data/app/controllers/doorkeeper/authorizations_controller.rb +97 -17
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +22 -3
- data/app/controllers/doorkeeper/token_info_controller.rb +16 -4
- data/app/controllers/doorkeeper/tokens_controller.rb +98 -32
- data/app/helpers/doorkeeper/dashboard_helper.rb +9 -7
- data/app/views/doorkeeper/applications/_delete_form.html.erb +3 -1
- data/app/views/doorkeeper/applications/_form.html.erb +27 -26
- data/app/views/doorkeeper/applications/edit.html.erb +1 -1
- data/app/views/doorkeeper/applications/index.html.erb +17 -7
- data/app/views/doorkeeper/applications/new.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +38 -17
- data/app/views/doorkeeper/authorizations/error.html.erb +1 -1
- data/app/views/doorkeeper/authorizations/form_post.html.erb +15 -0
- data/app/views/doorkeeper/authorizations/new.html.erb +6 -0
- data/app/views/layouts/doorkeeper/admin.html.erb +16 -14
- data/config/locales/en.yml +23 -3
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +82 -0
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/config.rb +471 -140
- data/lib/doorkeeper/engine.rb +8 -2
- data/lib/doorkeeper/errors.rb +25 -16
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +44 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grant_flow.rb +45 -0
- data/lib/doorkeeper/grape/authorization_decorator.rb +6 -4
- data/lib/doorkeeper/grape/helpers.rb +13 -7
- data/lib/doorkeeper/helpers/controller.rb +43 -10
- data/lib/doorkeeper/models/access_grant_mixin.rb +97 -3
- data/lib/doorkeeper/models/access_token_mixin.rb +272 -66
- data/lib/doorkeeper/models/application_mixin.rb +50 -5
- data/lib/doorkeeper/models/concerns/accessible.rb +2 -0
- data/lib/doorkeeper/models/concerns/expirable.rb +7 -3
- data/lib/doorkeeper/models/concerns/orderable.rb +2 -0
- data/lib/doorkeeper/models/concerns/ownership.rb +4 -7
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/reusable.rb +19 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +3 -27
- data/lib/doorkeeper/models/concerns/scopes.rb +12 -2
- data/lib/doorkeeper/models/concerns/secret_storable.rb +106 -0
- data/lib/doorkeeper/oauth/authorization/code.rb +48 -12
- data/lib/doorkeeper/oauth/authorization/context.rb +17 -0
- data/lib/doorkeeper/oauth/authorization/token.rb +58 -24
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +7 -5
- data/lib/doorkeeper/oauth/authorization_code_request.rb +58 -10
- data/lib/doorkeeper/oauth/base_request.rb +35 -24
- data/lib/doorkeeper/oauth/base_response.rb +2 -0
- data/lib/doorkeeper/oauth/client/credentials.rb +5 -5
- data/lib/doorkeeper/oauth/client.rb +10 -11
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +47 -4
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +16 -9
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +56 -0
- data/lib/doorkeeper/oauth/client_credentials_request.rb +10 -11
- data/lib/doorkeeper/oauth/code_request.rb +8 -12
- data/lib/doorkeeper/oauth/code_response.rb +27 -15
- data/lib/doorkeeper/oauth/error.rb +3 -1
- data/lib/doorkeeper/oauth/error_response.rb +35 -14
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +10 -3
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +23 -18
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +20 -3
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +42 -7
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +29 -4
- data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
- data/lib/doorkeeper/oauth/password_access_token_request.rb +43 -10
- data/lib/doorkeeper/oauth/pre_authorization.rb +133 -26
- data/lib/doorkeeper/oauth/refresh_token_request.rb +59 -31
- data/lib/doorkeeper/oauth/scopes.rb +8 -4
- data/lib/doorkeeper/oauth/token.rb +12 -8
- data/lib/doorkeeper/oauth/token_introspection.rb +97 -23
- data/lib/doorkeeper/oauth/token_request.rb +8 -20
- data/lib/doorkeeper/oauth/token_response.rb +14 -10
- data/lib/doorkeeper/oauth.rb +13 -0
- data/lib/doorkeeper/orm/active_record/access_grant.rb +5 -30
- data/lib/doorkeeper/orm/active_record/access_token.rb +5 -43
- data/lib/doorkeeper/orm/active_record/application.rb +6 -57
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +68 -0
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +59 -0
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +198 -0
- data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
- data/lib/doorkeeper/orm/active_record/stale_records_cleaner.rb +33 -0
- data/lib/doorkeeper/orm/active_record.rb +27 -9
- data/lib/doorkeeper/rails/helpers.rb +10 -8
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +4 -2
- data/lib/doorkeeper/rails/routes/mapping.rb +9 -7
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/rails/routes.rb +37 -30
- data/lib/doorkeeper/rake/db.rake +40 -0
- data/lib/doorkeeper/rake/setup.rake +11 -0
- data/lib/doorkeeper/rake.rb +14 -0
- data/lib/doorkeeper/request/authorization_code.rb +6 -4
- data/lib/doorkeeper/request/client_credentials.rb +3 -3
- data/lib/doorkeeper/request/code.rb +1 -1
- data/lib/doorkeeper/request/password.rb +4 -3
- data/lib/doorkeeper/request/refresh_token.rb +6 -5
- data/lib/doorkeeper/request/strategy.rb +4 -2
- data/lib/doorkeeper/request/token.rb +1 -1
- data/lib/doorkeeper/request.rb +61 -34
- data/lib/doorkeeper/secret_storing/base.rb +64 -0
- data/lib/doorkeeper/secret_storing/bcrypt.rb +60 -0
- data/lib/doorkeeper/secret_storing/plain.rb +33 -0
- data/lib/doorkeeper/secret_storing/sha256_hash.rb +26 -0
- data/lib/doorkeeper/server.rb +9 -11
- data/lib/doorkeeper/stale_records_cleaner.rb +24 -0
- data/lib/doorkeeper/validations.rb +2 -0
- data/lib/doorkeeper/version.rb +7 -29
- data/lib/doorkeeper.rb +111 -64
- data/lib/generators/doorkeeper/application_owner_generator.rb +24 -18
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +33 -0
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/install_generator.rb +19 -9
- data/lib/generators/doorkeeper/migration_generator.rb +23 -18
- data/lib/generators/doorkeeper/pkce_generator.rb +33 -0
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +28 -22
- data/{spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb → lib/generators/doorkeeper/templates/add_confidential_to_applications.rb.erb} +2 -2
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +8 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +382 -30
- data/lib/generators/doorkeeper/templates/migration.rb.erb +35 -16
- data/lib/generators/doorkeeper/views_generator.rb +8 -4
- data/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css +4 -5
- metadata +95 -309
- data/.coveralls.yml +0 -1
- data/.github/ISSUE_TEMPLATE.md +0 -25
- data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
- data/.gitignore +0 -19
- data/.hound.yml +0 -2
- data/.rspec +0 -1
- data/.rubocop.yml +0 -17
- data/.travis.yml +0 -38
- data/Appraisals +0 -18
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -47
- data/Gemfile +0 -10
- data/RELEASING.md +0 -10
- data/Rakefile +0 -20
- data/SECURITY.md +0 -15
- data/app/validators/redirect_uri_validator.rb +0 -44
- data/doorkeeper.gemspec +0 -32
- data/gemfiles/rails_4_2.gemfile +0 -13
- data/gemfiles/rails_5_0.gemfile +0 -12
- data/gemfiles/rails_5_1.gemfile +0 -12
- data/gemfiles/rails_5_2.gemfile +0 -12
- data/gemfiles/rails_master.gemfile +0 -14
- data/lib/doorkeeper/oauth/client_credentials/validation.rb +0 -45
- data/lib/generators/doorkeeper/add_client_confidentiality_generator.rb +0 -31
- data/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb +0 -11
- data/spec/controllers/application_metal_controller.rb +0 -10
- data/spec/controllers/applications_controller_spec.rb +0 -69
- data/spec/controllers/authorizations_controller_spec.rb +0 -250
- data/spec/controllers/protected_resources_controller_spec.rb +0 -309
- data/spec/controllers/token_info_controller_spec.rb +0 -56
- data/spec/controllers/tokens_controller_spec.rb +0 -274
- data/spec/dummy/Rakefile +0 -7
- data/spec/dummy/app/controllers/application_controller.rb +0 -3
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -7
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -12
- data/spec/dummy/app/controllers/home_controller.rb +0 -17
- data/spec/dummy/app/controllers/metal_controller.rb +0 -11
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -11
- data/spec/dummy/app/helpers/application_helper.rb +0 -5
- data/spec/dummy/app/models/user.rb +0 -5
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config/application.rb +0 -23
- data/spec/dummy/config/boot.rb +0 -9
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -29
- data/spec/dummy/config/environments/production.rb +0 -62
- data/spec/dummy/config/environments/test.rb +0 -44
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -7
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -112
- data/spec/dummy/config/initializers/new_framework_defaults.rb +0 -6
- data/spec/dummy/config/initializers/secret_token.rb +0 -8
- data/spec/dummy/config/initializers/session_store.rb +0 -8
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -14
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -52
- data/spec/dummy/config.ru +0 -4
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -62
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -6
- data/spec/factories.rb +0 -28
- data/spec/generators/application_owner_generator_spec.rb +0 -41
- data/spec/generators/install_generator_spec.rb +0 -31
- data/spec/generators/migration_generator_spec.rb +0 -41
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -57
- data/spec/generators/templates/routes.rb +0 -3
- data/spec/generators/views_generator_spec.rb +0 -27
- data/spec/grape/grape_integration_spec.rb +0 -135
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -24
- data/spec/lib/config_spec.rb +0 -462
- data/spec/lib/doorkeeper_spec.rb +0 -150
- data/spec/lib/models/expirable_spec.rb +0 -50
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -43
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -41
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -123
- data/spec/lib/oauth/base_request_spec.rb +0 -155
- data/spec/lib/oauth/base_response_spec.rb +0 -45
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -44
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -86
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -54
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -105
- data/spec/lib/oauth/client_spec.rb +0 -39
- data/spec/lib/oauth/code_request_spec.rb +0 -43
- data/spec/lib/oauth/code_response_spec.rb +0 -34
- data/spec/lib/oauth/error_response_spec.rb +0 -61
- data/spec/lib/oauth/error_spec.rb +0 -23
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -23
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -64
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -20
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -218
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -56
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -96
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -160
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -166
- data/spec/lib/oauth/scopes_spec.rb +0 -149
- data/spec/lib/oauth/token_request_spec.rb +0 -96
- data/spec/lib/oauth/token_response_spec.rb +0 -85
- data/spec/lib/oauth/token_spec.rb +0 -116
- data/spec/lib/request/strategy_spec.rb +0 -53
- data/spec/lib/server_spec.rb +0 -59
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -36
- data/spec/models/doorkeeper/access_token_spec.rb +0 -418
- data/spec/models/doorkeeper/application_spec.rb +0 -303
- data/spec/requests/applications/applications_request_spec.rb +0 -94
- data/spec/requests/applications/authorized_applications_spec.rb +0 -30
- data/spec/requests/endpoints/authorization_spec.rb +0 -71
- data/spec/requests/endpoints/token_spec.rb +0 -71
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -76
- data/spec/requests/flows/authorization_code_spec.rb +0 -149
- data/spec/requests/flows/client_credentials_spec.rb +0 -86
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -32
- data/spec/requests/flows/implicit_grant_spec.rb +0 -61
- data/spec/requests/flows/password_spec.rb +0 -197
- data/spec/requests/flows/refresh_token_spec.rb +0 -174
- data/spec/requests/flows/revoke_token_spec.rb +0 -157
- data/spec/requests/flows/skip_authorization_spec.rb +0 -59
- data/spec/requests/protected_resources/metal_spec.rb +0 -14
- data/spec/requests/protected_resources/private_api_spec.rb +0 -81
- data/spec/routing/custom_controller_routes_spec.rb +0 -75
- data/spec/routing/default_routes_spec.rb +0 -39
- data/spec/routing/scoped_routes_spec.rb +0 -31
- data/spec/spec_helper.rb +0 -4
- data/spec/spec_helper_integration.rb +0 -74
- data/spec/support/dependencies/factory_girl.rb +0 -2
- data/spec/support/helpers/access_token_request_helper.rb +0 -11
- data/spec/support/helpers/authorization_request_helper.rb +0 -41
- data/spec/support/helpers/config_helper.rb +0 -9
- data/spec/support/helpers/model_helper.rb +0 -72
- data/spec/support/helpers/request_spec_helper.rb +0 -88
- data/spec/support/helpers/url_helper.rb +0 -56
- data/spec/support/http_method_shim.rb +0 -38
- data/spec/support/orm/active_record.rb +0 -3
- data/spec/support/shared/controllers_shared_context.rb +0 -65
- data/spec/support/shared/models_shared_examples.rb +0 -52
- data/spec/validators/redirect_uri_validator_spec.rb +0 -123
- data/spec/version/version_spec.rb +0 -15
@@ -1,12 +1,22 @@
|
|
1
|
-
|
2
|
-
include Rails::Generators::Migration
|
3
|
-
source_root File.expand_path('../templates', __FILE__)
|
4
|
-
desc 'Installs Doorkeeper.'
|
1
|
+
# frozen_string_literal: true
|
5
2
|
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
3
|
+
require "rails/generators"
|
4
|
+
require "rails/generators/active_record"
|
5
|
+
|
6
|
+
module Doorkeeper
|
7
|
+
# Setup doorkeeper into Rails application: locales, routes, etc.
|
8
|
+
#
|
9
|
+
class InstallGenerator < ::Rails::Generators::Base
|
10
|
+
include ::Rails::Generators::Migration
|
11
|
+
source_root File.expand_path("templates", __dir__)
|
12
|
+
desc "Installs Doorkeeper."
|
13
|
+
|
14
|
+
def install
|
15
|
+
template "initializer.rb", "config/initializers/doorkeeper.rb"
|
16
|
+
copy_file File.expand_path("../../../config/locales/en.yml", __dir__),
|
17
|
+
"config/locales/doorkeeper.en.yml"
|
18
|
+
route "use_doorkeeper"
|
19
|
+
readme "README"
|
20
|
+
end
|
11
21
|
end
|
12
22
|
end
|
@@ -1,26 +1,31 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
4
|
-
|
5
|
-
source_root File.expand_path('../templates', __FILE__)
|
6
|
-
desc 'Installs Doorkeeper migration file.'
|
3
|
+
require "rails/generators"
|
4
|
+
require "rails/generators/active_record"
|
7
5
|
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
)
|
14
|
-
|
6
|
+
module Doorkeeper
|
7
|
+
# Copies main Doorkeeper migration into parent Rails application.
|
8
|
+
#
|
9
|
+
class MigrationGenerator < ::Rails::Generators::Base
|
10
|
+
include ::Rails::Generators::Migration
|
11
|
+
source_root File.expand_path("templates", __dir__)
|
12
|
+
desc "Installs Doorkeeper migration file."
|
15
13
|
|
16
|
-
|
17
|
-
|
18
|
-
|
14
|
+
def install
|
15
|
+
migration_template(
|
16
|
+
"migration.rb.erb",
|
17
|
+
"db/migrate/create_doorkeeper_tables.rb",
|
18
|
+
migration_version: migration_version,
|
19
|
+
)
|
20
|
+
end
|
21
|
+
|
22
|
+
def self.next_migration_number(dirname)
|
23
|
+
ActiveRecord::Generators::Base.next_migration_number(dirname)
|
24
|
+
end
|
19
25
|
|
20
|
-
|
26
|
+
private
|
21
27
|
|
22
|
-
|
23
|
-
if ActiveRecord::VERSION::MAJOR >= 5
|
28
|
+
def migration_version
|
24
29
|
"[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
|
25
30
|
end
|
26
31
|
end
|
@@ -0,0 +1,33 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "rails/generators"
|
4
|
+
require "rails/generators/active_record"
|
5
|
+
|
6
|
+
module Doorkeeper
|
7
|
+
# Generates migration with PKCE required database columns for
|
8
|
+
# Doorkeeper tables.
|
9
|
+
#
|
10
|
+
class PkceGenerator < ::Rails::Generators::Base
|
11
|
+
include ::Rails::Generators::Migration
|
12
|
+
source_root File.expand_path("templates", __dir__)
|
13
|
+
desc "Provide support for PKCE."
|
14
|
+
|
15
|
+
def pkce
|
16
|
+
migration_template(
|
17
|
+
"enable_pkce_migration.rb.erb",
|
18
|
+
"db/migrate/enable_pkce.rb",
|
19
|
+
migration_version: migration_version,
|
20
|
+
)
|
21
|
+
end
|
22
|
+
|
23
|
+
def self.next_migration_number(dirname)
|
24
|
+
ActiveRecord::Generators::Base.next_migration_number(dirname)
|
25
|
+
end
|
26
|
+
|
27
|
+
private
|
28
|
+
|
29
|
+
def migration_version
|
30
|
+
"[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
|
31
|
+
end
|
32
|
+
end
|
33
|
+
end
|
@@ -1,35 +1,41 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
4
|
-
|
5
|
-
source_root File.expand_path('../templates', __FILE__)
|
6
|
-
desc 'Support revoke refresh token on access token use'
|
3
|
+
require "rails/generators"
|
4
|
+
require "rails/generators/active_record"
|
7
5
|
|
8
|
-
|
9
|
-
|
10
|
-
|
6
|
+
module Doorkeeper
|
7
|
+
# Generates migration to add previous refresh token column to the
|
8
|
+
# database for Doorkeeper tables.
|
9
|
+
#
|
10
|
+
class PreviousRefreshTokenGenerator < ::Rails::Generators::Base
|
11
|
+
include ::Rails::Generators::Migration
|
12
|
+
source_root File.expand_path("templates", __dir__)
|
13
|
+
desc "Support revoke refresh token on access token use"
|
14
|
+
|
15
|
+
def self.next_migration_number(path)
|
16
|
+
ActiveRecord::Generators::Base.next_migration_number(path)
|
17
|
+
end
|
18
|
+
|
19
|
+
def previous_refresh_token
|
20
|
+
return unless no_previous_refresh_token_column?
|
11
21
|
|
12
|
-
def previous_refresh_token
|
13
|
-
if no_previous_refresh_token_column?
|
14
22
|
migration_template(
|
15
|
-
|
16
|
-
|
23
|
+
"add_previous_refresh_token_to_access_tokens.rb.erb",
|
24
|
+
"db/migrate/add_previous_refresh_token_to_access_tokens.rb",
|
17
25
|
)
|
18
26
|
end
|
19
|
-
end
|
20
27
|
|
21
|
-
|
28
|
+
private
|
22
29
|
|
23
|
-
|
24
|
-
if ActiveRecord::VERSION::MAJOR >= 5
|
30
|
+
def migration_version
|
25
31
|
"[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
|
26
32
|
end
|
27
|
-
end
|
28
33
|
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
+
def no_previous_refresh_token_column?
|
35
|
+
!ActiveRecord::Base.connection.column_exists?(
|
36
|
+
:oauth_access_tokens,
|
37
|
+
:previous_refresh_token,
|
38
|
+
)
|
39
|
+
end
|
34
40
|
end
|
35
41
|
end
|
@@ -1,13 +1,13 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
class
|
3
|
+
class AddConfidentialToApplications < ActiveRecord::Migration<%= migration_version %>
|
4
4
|
def change
|
5
5
|
add_column(
|
6
6
|
:oauth_applications,
|
7
7
|
:confidential,
|
8
8
|
:boolean,
|
9
9
|
null: false,
|
10
|
-
default: true
|
10
|
+
default: true
|
11
11
|
)
|
12
12
|
end
|
13
13
|
end
|
@@ -1,6 +1,8 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
class AddOwnerToApplication < ActiveRecord::Migration<%= migration_version %>
|
2
4
|
def change
|
3
|
-
add_column :oauth_applications, :owner_id, :
|
5
|
+
add_column :oauth_applications, :owner_id, :bigint, null: true
|
4
6
|
add_column :oauth_applications, :owner_type, :string, null: true
|
5
7
|
add_index :oauth_applications, [:owner_id, :owner_type]
|
6
8
|
end
|
@@ -0,0 +1,8 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
class EnablePkce < ActiveRecord::Migration<%= migration_version %>
|
4
|
+
def change
|
5
|
+
add_column :oauth_access_grants, :code_challenge, :string, null: true
|
6
|
+
add_column :oauth_access_grants, :code_challenge_method, :string, null: true
|
7
|
+
end
|
8
|
+
end
|
@@ -0,0 +1,17 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
class EnablePolymorphicResourceOwner < ActiveRecord::Migration<%= migration_version %>
|
4
|
+
def change
|
5
|
+
add_column :oauth_access_tokens, :resource_owner_type, :string
|
6
|
+
add_column :oauth_access_grants, :resource_owner_type, :string
|
7
|
+
change_column_null :oauth_access_grants, :resource_owner_type, false
|
8
|
+
|
9
|
+
add_index :oauth_access_tokens,
|
10
|
+
[:resource_owner_id, :resource_owner_type],
|
11
|
+
name: 'polymorphic_owner_oauth_access_tokens'
|
12
|
+
|
13
|
+
add_index :oauth_access_grants,
|
14
|
+
[:resource_owner_id, :resource_owner_type],
|
15
|
+
name: 'polymorphic_owner_oauth_access_grants'
|
16
|
+
end
|
17
|
+
end
|
@@ -1,67 +1,258 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
Doorkeeper.configure do
|
2
|
-
# Change the ORM that doorkeeper will use (
|
4
|
+
# Change the ORM that doorkeeper will use (requires ORM extensions installed).
|
5
|
+
# Check the list of supported ORMs here: https://github.com/doorkeeper-gem/doorkeeper#orms
|
3
6
|
orm :active_record
|
4
7
|
|
5
8
|
# This block will be called to check whether the resource owner is authenticated or not.
|
6
9
|
resource_owner_authenticator do
|
7
|
-
|
10
|
+
raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
|
8
11
|
# Put your resource owner authentication logic here.
|
9
12
|
# Example implementation:
|
10
|
-
# User.
|
13
|
+
# User.find_by(id: session[:user_id]) || redirect_to(new_user_session_url)
|
11
14
|
end
|
12
15
|
|
13
|
-
# If you
|
16
|
+
# If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
|
17
|
+
# file then you need to declare this block in order to restrict access to the web interface for
|
18
|
+
# adding oauth authorized applications. In other case it will return 403 Forbidden response
|
19
|
+
# every time somebody will try to access the admin web interface.
|
20
|
+
#
|
14
21
|
# admin_authenticator do
|
15
22
|
# # Put your admin authentication logic here.
|
16
23
|
# # Example implementation:
|
17
|
-
#
|
24
|
+
#
|
25
|
+
# if current_user
|
26
|
+
# head :forbidden unless current_user.admin?
|
27
|
+
# else
|
28
|
+
# redirect_to sign_in_url
|
29
|
+
# end
|
18
30
|
# end
|
19
31
|
|
20
|
-
#
|
32
|
+
# You can use your own model classes if you need to extend (or even override) default
|
33
|
+
# Doorkeeper models such as `Application`, `AccessToken` and `AccessGrant.
|
34
|
+
#
|
35
|
+
# Be default Doorkeeper ActiveRecord ORM uses it's own classes:
|
36
|
+
#
|
37
|
+
# access_token_class "Doorkeeper::AccessToken"
|
38
|
+
# access_grant_class "Doorkeeper::AccessGrant"
|
39
|
+
# application_class "Doorkeeper::Application"
|
40
|
+
#
|
41
|
+
# Don't forget to include Doorkeeper ORM mixins into your custom models:
|
42
|
+
#
|
43
|
+
# * ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken - for access token
|
44
|
+
# * ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant - for access grant
|
45
|
+
# * ::Doorkeeper::Orm::ActiveRecord::Mixins::Application - for application (OAuth2 clients)
|
46
|
+
#
|
47
|
+
# For example:
|
48
|
+
#
|
49
|
+
# access_token_class "MyAccessToken"
|
50
|
+
#
|
51
|
+
# class MyAccessToken < ApplicationRecord
|
52
|
+
# include ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken
|
53
|
+
#
|
54
|
+
# self.table_name = "hey_i_wanna_my_name"
|
55
|
+
#
|
56
|
+
# def destroy_me!
|
57
|
+
# destroy
|
58
|
+
# end
|
59
|
+
# end
|
60
|
+
|
61
|
+
# Enables polymorphic Resource Owner association for Access Tokens and Access Grants.
|
62
|
+
# By default this option is disabled.
|
63
|
+
#
|
64
|
+
# Make sure you properly setup you database and have all the required columns (run
|
65
|
+
# `bundle exec rails generate doorkeeper:enable_polymorphic_resource_owner` and execute Rails
|
66
|
+
# migrations).
|
67
|
+
#
|
68
|
+
# If this option enabled, Doorkeeper will store not only Resource Owner primary key
|
69
|
+
# value, but also it's type (class name). See "Polymorphic Associations" section of
|
70
|
+
# Rails guides: https://guides.rubyonrails.org/association_basics.html#polymorphic-associations
|
71
|
+
#
|
72
|
+
# [NOTE] If you apply this option on already existing project don't forget to manually
|
73
|
+
# update `resource_owner_type` column in the database and fix migration template as it will
|
74
|
+
# set NOT NULL constraint for Access Grants table.
|
75
|
+
#
|
76
|
+
# use_polymorphic_resource_owner
|
77
|
+
|
78
|
+
# If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
|
79
|
+
# want to use API mode that will skip all the views management and change the way how
|
80
|
+
# Doorkeeper responds to a requests.
|
81
|
+
#
|
82
|
+
# api_only
|
83
|
+
|
84
|
+
# Enforce token request content type to application/x-www-form-urlencoded.
|
85
|
+
# It is not enabled by default to not break prior versions of the gem.
|
86
|
+
#
|
87
|
+
# enforce_content_type
|
88
|
+
|
89
|
+
# Authorization Code expiration time (default: 10 minutes).
|
90
|
+
#
|
21
91
|
# authorization_code_expires_in 10.minutes
|
22
92
|
|
23
|
-
# Access token expiration time (default 2 hours).
|
24
|
-
# If you want to disable expiration, set this to nil
|
93
|
+
# Access token expiration time (default: 2 hours).
|
94
|
+
# If you want to disable expiration, set this to `nil`.
|
95
|
+
#
|
25
96
|
# access_token_expires_in 2.hours
|
26
97
|
|
27
|
-
# Assign
|
28
|
-
#
|
29
|
-
#
|
98
|
+
# Assign custom TTL for access tokens. Will be used instead of access_token_expires_in
|
99
|
+
# option if defined. In case the block returns `nil` value Doorkeeper fallbacks to
|
100
|
+
# +access_token_expires_in+ configuration option value. If you really need to issue a
|
101
|
+
# non-expiring access token (which is not recommended) then you need to return
|
102
|
+
# Float::INFINITY from this block.
|
103
|
+
#
|
104
|
+
# `context` has the following properties available:
|
105
|
+
#
|
106
|
+
# * `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
|
107
|
+
# * `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
|
108
|
+
# * `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
|
109
|
+
# * `resource_owner` - authorized resource owner instance (if present)
|
110
|
+
#
|
111
|
+
# custom_access_token_expires_in do |context|
|
112
|
+
# context.client.additional_settings.implicit_oauth_expiration
|
30
113
|
# end
|
31
114
|
|
32
115
|
# Use a custom class for generating the access token.
|
33
|
-
# https://
|
116
|
+
# See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
|
117
|
+
#
|
34
118
|
# access_token_generator '::Doorkeeper::JWT'
|
35
119
|
|
36
|
-
# The controller Doorkeeper::ApplicationController inherits from.
|
37
|
-
# Defaults to ActionController::Base
|
38
|
-
#
|
120
|
+
# The controller +Doorkeeper::ApplicationController+ inherits from.
|
121
|
+
# Defaults to +ActionController::Base+ unless +api_only+ is set, which changes the default to
|
122
|
+
# +ActionController::API+. The return value of this option must be a stringified class name.
|
123
|
+
# See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-controllers
|
124
|
+
#
|
39
125
|
# base_controller 'ApplicationController'
|
40
126
|
|
41
|
-
# Reuse access token for the same resource owner within an application (disabled by default)
|
127
|
+
# Reuse access token for the same resource owner within an application (disabled by default).
|
128
|
+
#
|
129
|
+
# This option protects your application from creating new tokens before old valid one becomes
|
130
|
+
# expired so your database doesn't bloat. Keep in mind that when this option is `on` Doorkeeper
|
131
|
+
# doesn't updates existing token expiration time, it will create a new token instead.
|
42
132
|
# Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
|
133
|
+
#
|
134
|
+
# You can not enable this option together with +hash_token_secrets+.
|
135
|
+
#
|
43
136
|
# reuse_access_token
|
44
137
|
|
45
|
-
#
|
138
|
+
# In case you enabled `reuse_access_token` option Doorkeeper will try to find matching
|
139
|
+
# token using `matching_token_for` Access Token API that searches for valid records
|
140
|
+
# in batches in order not to pollute the memory with all the database records. By default
|
141
|
+
# Doorkeeper uses batch size of 10 000 records. You can increase or decrease this value
|
142
|
+
# depending on your needs and server capabilities.
|
143
|
+
#
|
144
|
+
# token_lookup_batch_size 10_000
|
145
|
+
|
146
|
+
# Set a limit for token_reuse if using reuse_access_token option
|
147
|
+
#
|
148
|
+
# This option limits token_reusability to some extent.
|
149
|
+
# If not set then access_token will be reused unless it expires.
|
150
|
+
# Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
|
151
|
+
#
|
152
|
+
# This option should be a percentage(i.e. (0,100])
|
153
|
+
#
|
154
|
+
# token_reuse_limit 100
|
155
|
+
|
156
|
+
# Only allow one valid access token obtained via client credentials
|
157
|
+
# per client. If a new access token is obtained before the old one
|
158
|
+
# expired, the old one gets revoked (disabled by default)
|
159
|
+
#
|
160
|
+
# When enabling this option, make sure that you do not expect multiple processes
|
161
|
+
# using the same credentials at the same time (e.g. web servers spanning
|
162
|
+
# multiple machines and/or processes).
|
163
|
+
#
|
164
|
+
# revoke_previous_client_credentials_token
|
165
|
+
|
166
|
+
# Hash access and refresh tokens before persisting them.
|
167
|
+
# This will disable the possibility to use +reuse_access_token+
|
168
|
+
# since plain values can no longer be retrieved.
|
169
|
+
#
|
170
|
+
# Note: If you are already a user of doorkeeper and have existing tokens
|
171
|
+
# in your installation, they will be invalid without adding 'fallback: :plain'.
|
172
|
+
#
|
173
|
+
# hash_token_secrets
|
174
|
+
# By default, token secrets will be hashed using the
|
175
|
+
# +Doorkeeper::Hashing::SHA256+ strategy.
|
176
|
+
#
|
177
|
+
# If you wish to use another hashing implementation, you can override
|
178
|
+
# this strategy as follows:
|
179
|
+
#
|
180
|
+
# hash_token_secrets using: '::Doorkeeper::Hashing::MyCustomHashImpl'
|
181
|
+
#
|
182
|
+
# Keep in mind that changing the hashing function will invalidate all existing
|
183
|
+
# secrets, if there are any.
|
184
|
+
|
185
|
+
# Hash application secrets before persisting them.
|
186
|
+
#
|
187
|
+
# hash_application_secrets
|
188
|
+
#
|
189
|
+
# By default, applications will be hashed
|
190
|
+
# with the +Doorkeeper::SecretStoring::SHA256+ strategy.
|
191
|
+
#
|
192
|
+
# If you wish to use bcrypt for application secret hashing, uncomment
|
193
|
+
# this line instead:
|
194
|
+
#
|
195
|
+
# hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt'
|
196
|
+
|
197
|
+
# When the above option is enabled, and a hashed token or secret is not found,
|
198
|
+
# you can allow to fall back to another strategy. For users upgrading
|
199
|
+
# doorkeeper and wishing to enable hashing, you will probably want to enable
|
200
|
+
# the fallback to plain tokens.
|
201
|
+
#
|
202
|
+
# This will ensure that old access tokens and secrets
|
203
|
+
# will remain valid even if the hashing above is enabled.
|
204
|
+
#
|
205
|
+
# This can be done by adding 'fallback: plain', e.g. :
|
206
|
+
#
|
207
|
+
# hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt', fallback: :plain
|
208
|
+
|
209
|
+
# Issue access tokens with refresh token (disabled by default), you may also
|
210
|
+
# pass a block which accepts `context` to customize when to give a refresh
|
211
|
+
# token or not. Similar to +custom_access_token_expires_in+, `context` has
|
212
|
+
# the following properties:
|
213
|
+
#
|
214
|
+
# `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
|
215
|
+
# `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
|
216
|
+
# `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
|
217
|
+
#
|
46
218
|
# use_refresh_token
|
47
219
|
|
48
220
|
# Provide support for an owner to be assigned to each registered application (disabled by default)
|
49
|
-
# Optional parameter confirmation: true (default false) if you want to enforce ownership of
|
221
|
+
# Optional parameter confirmation: true (default: false) if you want to enforce ownership of
|
50
222
|
# a registered application
|
51
|
-
#
|
223
|
+
# NOTE: you must also run the rails g doorkeeper:application_owner generator
|
224
|
+
# to provide the necessary support
|
225
|
+
#
|
52
226
|
# enable_application_owner confirmation: false
|
53
227
|
|
54
228
|
# Define access token scopes for your provider
|
55
229
|
# For more information go to
|
56
|
-
# https://
|
230
|
+
# https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes
|
231
|
+
#
|
57
232
|
# default_scopes :public
|
58
233
|
# optional_scopes :write, :update
|
59
234
|
|
235
|
+
# Allows to restrict only certain scopes for grant_type.
|
236
|
+
# By default, all the scopes will be available for all the grant types.
|
237
|
+
#
|
238
|
+
# Keys to this hash should be the name of grant_type and
|
239
|
+
# values should be the array of scopes for that grant type.
|
240
|
+
# Note: scopes should be from configured_scopes (i.e. default or optional)
|
241
|
+
#
|
242
|
+
# scopes_by_grant_type password: [:write], client_credentials: [:update]
|
243
|
+
|
244
|
+
# Forbids creating/updating applications with arbitrary scopes that are
|
245
|
+
# not in configuration, i.e. +default_scopes+ or +optional_scopes+.
|
246
|
+
# (disabled by default)
|
247
|
+
#
|
248
|
+
# enforce_configured_scopes
|
249
|
+
|
60
250
|
# Change the way client credentials are retrieved from the request object.
|
61
251
|
# By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
|
62
252
|
# falls back to the `:client_id` and `:client_secret` params from the `params` object.
|
63
253
|
# Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
|
64
254
|
# for more information on customization
|
255
|
+
#
|
65
256
|
# client_credentials :from_basic, :from_params
|
66
257
|
|
67
258
|
# Change the way access token is authenticated from the request object.
|
@@ -69,14 +260,8 @@ Doorkeeper.configure do
|
|
69
260
|
# falls back to the `:access_token` or `:bearer_token` params from the `params` object.
|
70
261
|
# Check out https://github.com/doorkeeper-gem/doorkeeper/wiki/Changing-how-clients-are-authenticated
|
71
262
|
# for more information on customization
|
72
|
-
# access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
|
73
|
-
|
74
|
-
# Change the native redirect uri for client apps
|
75
|
-
# When clients register with the following redirect uri, they won't be redirected to any server and the authorization code will be displayed within the provider
|
76
|
-
# The value can be any string. Use nil to disable this feature. When disabled, clients must provide a valid URL
|
77
|
-
# (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
|
78
263
|
#
|
79
|
-
#
|
264
|
+
# access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
|
80
265
|
|
81
266
|
# Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
|
82
267
|
# by default in non-development environments). OAuth2 delegates security in
|
@@ -90,14 +275,61 @@ Doorkeeper.configure do
|
|
90
275
|
#
|
91
276
|
# force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
|
92
277
|
|
93
|
-
# Specify what redirect URI's you want to block during creation.
|
94
|
-
# URI is whitelisted by default.
|
278
|
+
# Specify what redirect URI's you want to block during Application creation.
|
279
|
+
# Any redirect URI is whitelisted by default.
|
95
280
|
#
|
96
281
|
# You can use this option in order to forbid URI's with 'javascript' scheme
|
97
282
|
# for example.
|
98
283
|
#
|
99
284
|
# forbid_redirect_uri { |uri| uri.scheme.to_s.downcase == 'javascript' }
|
100
285
|
|
286
|
+
# Allows to set blank redirect URIs for Applications in case Doorkeeper configured
|
287
|
+
# to use URI-less OAuth grant flows like Client Credentials or Resource Owner
|
288
|
+
# Password Credentials. The option is on by default and checks configured grant
|
289
|
+
# types, but you **need** to manually drop `NOT NULL` constraint from `redirect_uri`
|
290
|
+
# column for `oauth_applications` database table.
|
291
|
+
#
|
292
|
+
# You can completely disable this feature with:
|
293
|
+
#
|
294
|
+
# allow_blank_redirect_uri false
|
295
|
+
#
|
296
|
+
# Or you can define your custom check:
|
297
|
+
#
|
298
|
+
# allow_blank_redirect_uri do |grant_flows, client|
|
299
|
+
# client.superapp?
|
300
|
+
# end
|
301
|
+
|
302
|
+
# Specify how authorization errors should be handled.
|
303
|
+
# By default, doorkeeper renders json errors when access token
|
304
|
+
# is invalid, expired, revoked or has invalid scopes.
|
305
|
+
#
|
306
|
+
# If you want to render error response yourself (i.e. rescue exceptions),
|
307
|
+
# set +handle_auth_errors+ to `:raise` and rescue Doorkeeper::Errors::InvalidToken
|
308
|
+
# or following specific errors:
|
309
|
+
#
|
310
|
+
# Doorkeeper::Errors::TokenForbidden, Doorkeeper::Errors::TokenExpired,
|
311
|
+
# Doorkeeper::Errors::TokenRevoked, Doorkeeper::Errors::TokenUnknown
|
312
|
+
#
|
313
|
+
# handle_auth_errors :raise
|
314
|
+
|
315
|
+
# Customize token introspection response.
|
316
|
+
# Allows to add your own fields to default one that are required by the OAuth spec
|
317
|
+
# for the introspection response. It could be `sub`, `aud` and so on.
|
318
|
+
# This configuration option can be a proc, lambda or any Ruby object responds
|
319
|
+
# to `.call` method and result of it's invocation must be a Hash.
|
320
|
+
#
|
321
|
+
# custom_introspection_response do |token, context|
|
322
|
+
# {
|
323
|
+
# "sub": "Z5O3upPC88QrAjx00dis",
|
324
|
+
# "aud": "https://protected.example.net/resource",
|
325
|
+
# "username": User.find(token.resource_owner_id).username
|
326
|
+
# }
|
327
|
+
# end
|
328
|
+
#
|
329
|
+
# or
|
330
|
+
#
|
331
|
+
# custom_introspection_response CustomIntrospectionResponder
|
332
|
+
|
101
333
|
# Specify what grant flows are enabled in array of Strings. The valid
|
102
334
|
# strings and the flows they enable are:
|
103
335
|
#
|
@@ -116,6 +348,48 @@ Doorkeeper.configure do
|
|
116
348
|
#
|
117
349
|
# grant_flows %w[authorization_code client_credentials]
|
118
350
|
|
351
|
+
# Allows to customize OAuth grant flows that +each+ application support.
|
352
|
+
# You can configure a custom block (or use a class respond to `#call`) that must
|
353
|
+
# return `true` in case Application instance supports requested OAuth grant flow
|
354
|
+
# during the authorization request to the server. This configuration +doesn't+
|
355
|
+
# set flows per application, it only allows to check if application supports
|
356
|
+
# specific grant flow.
|
357
|
+
#
|
358
|
+
# For example you can add an additional database column to `oauth_applications` table,
|
359
|
+
# say `t.array :grant_flows, default: []`, and store allowed grant flows that can
|
360
|
+
# be used with this application there. Then when authorization requested Doorkeeper
|
361
|
+
# will call this block to check if specific Application (passed with client_id and/or
|
362
|
+
# client_secret) is allowed to perform the request for the specific grant type
|
363
|
+
# (authorization, password, client_credentials, etc).
|
364
|
+
#
|
365
|
+
# Example of the block:
|
366
|
+
#
|
367
|
+
# ->(flow, client) { client.grant_flows.include?(flow) }
|
368
|
+
#
|
369
|
+
# In case this option invocation result is `false`, Doorkeeper server returns
|
370
|
+
# :unauthorized_client error and stops the request.
|
371
|
+
#
|
372
|
+
# @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
|
373
|
+
# @return [Boolean] `true` if allow or `false` if forbid the request
|
374
|
+
#
|
375
|
+
# allow_grant_flow_for_client do |grant_flow, client|
|
376
|
+
# # `grant_flows` is an Array column with grant
|
377
|
+
# # flows that application supports
|
378
|
+
#
|
379
|
+
# client.grant_flows.include?(grant_flow)
|
380
|
+
# end
|
381
|
+
|
382
|
+
# If you need arbitrary Resource Owner-Client authorization you can enable this option
|
383
|
+
# and implement the check your need. Config option must respond to #call and return
|
384
|
+
# true in case resource owner authorized for the specific application or false in other
|
385
|
+
# cases.
|
386
|
+
#
|
387
|
+
# Be default all Resource Owners are authorized to any Client (application).
|
388
|
+
#
|
389
|
+
# authorize_resource_owner_for_client do |client, resource_owner|
|
390
|
+
# resource_owner.admin? || client.owners_whitelist.include?(resource_owner)
|
391
|
+
# end
|
392
|
+
|
119
393
|
# Hook into the strategies' request & response life-cycle in case your
|
120
394
|
# application needs advanced customization or logging:
|
121
395
|
#
|
@@ -127,13 +401,91 @@ Doorkeeper.configure do
|
|
127
401
|
# puts "AFTER HOOK FIRED! #{request}, #{response}"
|
128
402
|
# end
|
129
403
|
|
404
|
+
# Hook into Authorization flow in order to implement Single Sign Out
|
405
|
+
# or add any other functionality. Inside the block you have an access
|
406
|
+
# to `controller` (authorizations controller instance) and `context`
|
407
|
+
# (Doorkeeper::OAuth::Hooks::Context instance) which provides pre auth
|
408
|
+
# or auth objects with issued token based on hook type (before or after).
|
409
|
+
#
|
410
|
+
# before_successful_authorization do |controller, context|
|
411
|
+
# Rails.logger.info(controller.request.params.inspect)
|
412
|
+
#
|
413
|
+
# Rails.logger.info(context.pre_auth.inspect)
|
414
|
+
# end
|
415
|
+
#
|
416
|
+
# after_successful_authorization do |controller, context|
|
417
|
+
# controller.session[:logout_urls] <<
|
418
|
+
# Doorkeeper::Application
|
419
|
+
# .find_by(controller.request.params.slice(:redirect_uri))
|
420
|
+
# .logout_uri
|
421
|
+
#
|
422
|
+
# Rails.logger.info(context.auth.inspect)
|
423
|
+
# Rails.logger.info(context.issued_token)
|
424
|
+
# end
|
425
|
+
|
130
426
|
# Under some circumstances you might want to have applications auto-approved,
|
131
427
|
# so that the user skips the authorization step.
|
132
428
|
# For example if dealing with a trusted application.
|
429
|
+
#
|
133
430
|
# skip_authorization do |resource_owner, client|
|
134
431
|
# client.superapp? or resource_owner.admin?
|
135
432
|
# end
|
136
433
|
|
137
|
-
#
|
434
|
+
# Configure custom constraints for the Token Introspection request.
|
435
|
+
# By default this configuration option allows to introspect a token by another
|
436
|
+
# token of the same application, OR to introspect the token that belongs to
|
437
|
+
# authorized client (from authenticated client) OR when token doesn't
|
438
|
+
# belong to any client (public token). Otherwise requester has no access to the
|
439
|
+
# introspection and it will return response as stated in the RFC.
|
440
|
+
#
|
441
|
+
# Block arguments:
|
442
|
+
#
|
443
|
+
# @param token [Doorkeeper::AccessToken]
|
444
|
+
# token to be introspected
|
445
|
+
#
|
446
|
+
# @param authorized_client [Doorkeeper::Application]
|
447
|
+
# authorized client (if request is authorized using Basic auth with
|
448
|
+
# Client Credentials for example)
|
449
|
+
#
|
450
|
+
# @param authorized_token [Doorkeeper::AccessToken]
|
451
|
+
# Bearer token used to authorize the request
|
452
|
+
#
|
453
|
+
# In case the block returns `nil` or `false` introspection responses with 401 status code
|
454
|
+
# when using authorized token to introspect, or you'll get 200 with { "active": false } body
|
455
|
+
# when using authorized client to introspect as stated in the
|
456
|
+
# RFC 7662 section 2.2. Introspection Response.
|
457
|
+
#
|
458
|
+
# Using with caution:
|
459
|
+
# Keep in mind that these three parameters pass to block can be nil as following case:
|
460
|
+
# `authorized_client` is nil if and only if `authorized_token` is present, and vice versa.
|
461
|
+
# `token` will be nil if and only if `authorized_token` is present.
|
462
|
+
# So remember to use `&` or check if it is present before calling method on
|
463
|
+
# them to make sure you doesn't get NoMethodError exception.
|
464
|
+
#
|
465
|
+
# You can define your custom check:
|
466
|
+
#
|
467
|
+
# allow_token_introspection do |token, authorized_client, authorized_token|
|
468
|
+
# if authorized_token
|
469
|
+
# # customize: require `introspection` scope
|
470
|
+
# authorized_token.application == token&.application ||
|
471
|
+
# authorized_token.scopes.include?("introspection")
|
472
|
+
# elsif token.application
|
473
|
+
# # `protected_resource` is a new database boolean column, for example
|
474
|
+
# authorized_client == token.application || authorized_client.protected_resource?
|
475
|
+
# else
|
476
|
+
# # public token (when token.application is nil, token doesn't belong to any application)
|
477
|
+
# true
|
478
|
+
# end
|
479
|
+
# end
|
480
|
+
#
|
481
|
+
# Or you can completely disable any token introspection:
|
482
|
+
#
|
483
|
+
# allow_token_introspection false
|
484
|
+
#
|
485
|
+
# If you need to block the request at all, then configure your routes.rb or web-server
|
486
|
+
# like nginx to forbid the request.
|
487
|
+
|
488
|
+
# WWW-Authenticate Realm (default: "Doorkeeper").
|
489
|
+
#
|
138
490
|
# realm "Doorkeeper"
|
139
491
|
end
|