doorkeeper 5.1.0 → 5.5.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/{NEWS.md → CHANGELOG.md} +242 -25
- data/README.md +21 -11
- data/app/controllers/doorkeeper/application_controller.rb +3 -2
- data/app/controllers/doorkeeper/application_metal_controller.rb +3 -2
- data/app/controllers/doorkeeper/applications_controller.rb +8 -7
- data/app/controllers/doorkeeper/authorizations_controller.rb +56 -19
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +6 -6
- data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
- data/app/controllers/doorkeeper/tokens_controller.rb +93 -25
- data/app/views/doorkeeper/applications/_form.html.erb +1 -7
- data/app/views/doorkeeper/applications/show.html.erb +35 -14
- data/app/views/doorkeeper/authorizations/form_post.html.erb +11 -0
- data/config/locales/en.yml +13 -3
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +20 -2
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/config.rb +295 -121
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/errors.rb +13 -18
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +44 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grant_flow.rb +45 -0
- data/lib/doorkeeper/grape/helpers.rb +7 -3
- data/lib/doorkeeper/helpers/controller.rb +36 -11
- data/lib/doorkeeper/models/access_grant_mixin.rb +22 -18
- data/lib/doorkeeper/models/access_token_mixin.rb +194 -51
- data/lib/doorkeeper/models/application_mixin.rb +8 -7
- data/lib/doorkeeper/models/concerns/ownership.rb +1 -1
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/reusable.rb +1 -1
- data/lib/doorkeeper/models/concerns/revocable.rb +1 -28
- data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
- data/lib/doorkeeper/oauth/authorization/code.rb +25 -14
- data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
- data/lib/doorkeeper/oauth/authorization/token.rb +24 -19
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
- data/lib/doorkeeper/oauth/authorization_code_request.rb +40 -21
- data/lib/doorkeeper/oauth/base_request.rb +21 -23
- data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
- data/lib/doorkeeper/oauth/client.rb +8 -9
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +45 -5
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +10 -8
- data/lib/doorkeeper/oauth/client_credentials/{validation.rb → validator.rb} +13 -3
- data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
- data/lib/doorkeeper/oauth/code_request.rb +6 -12
- data/lib/doorkeeper/oauth/code_response.rb +24 -14
- data/lib/doorkeeper/oauth/error.rb +1 -1
- data/lib/doorkeeper/oauth/error_response.rb +10 -11
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +8 -12
- data/lib/doorkeeper/oauth/helpers/unique_token.rb +8 -5
- data/lib/doorkeeper/oauth/helpers/uri_checker.rb +19 -5
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +7 -4
- data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
- data/lib/doorkeeper/oauth/password_access_token_request.rb +34 -11
- data/lib/doorkeeper/oauth/pre_authorization.rb +111 -42
- data/lib/doorkeeper/oauth/refresh_token_request.rb +45 -33
- data/lib/doorkeeper/oauth/token.rb +6 -7
- data/lib/doorkeeper/oauth/token_introspection.rb +24 -18
- data/lib/doorkeeper/oauth/token_request.rb +6 -20
- data/lib/doorkeeper/oauth/token_response.rb +1 -1
- data/lib/doorkeeper/orm/active_record/access_grant.rb +4 -43
- data/lib/doorkeeper/orm/active_record/access_token.rb +4 -35
- data/lib/doorkeeper/orm/active_record/application.rb +5 -83
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +68 -0
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +59 -0
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +198 -0
- data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
- data/lib/doorkeeper/orm/active_record.rb +20 -6
- data/lib/doorkeeper/rails/helpers.rb +4 -4
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/rails/routes.rb +17 -25
- data/lib/doorkeeper/rake/db.rake +6 -6
- data/lib/doorkeeper/rake/setup.rake +5 -0
- data/lib/doorkeeper/request/authorization_code.rb +5 -3
- data/lib/doorkeeper/request/client_credentials.rb +2 -2
- data/lib/doorkeeper/request/password.rb +3 -2
- data/lib/doorkeeper/request/refresh_token.rb +5 -4
- data/lib/doorkeeper/request/strategy.rb +2 -2
- data/lib/doorkeeper/request.rb +49 -17
- data/lib/doorkeeper/server.rb +7 -11
- data/lib/doorkeeper/stale_records_cleaner.rb +6 -2
- data/lib/doorkeeper/version.rb +2 -6
- data/lib/doorkeeper.rb +114 -79
- data/lib/generators/doorkeeper/application_owner_generator.rb +1 -1
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +2 -2
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/migration_generator.rb +1 -1
- data/lib/generators/doorkeeper/pkce_generator.rb +1 -1
- data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +7 -7
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +205 -43
- data/lib/generators/doorkeeper/templates/migration.rb.erb +18 -6
- metadata +45 -312
- data/.coveralls.yml +0 -1
- data/.github/ISSUE_TEMPLATE.md +0 -25
- data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
- data/.gitignore +0 -20
- data/.gitlab-ci.yml +0 -16
- data/.hound.yml +0 -3
- data/.rspec +0 -1
- data/.rubocop.yml +0 -50
- data/.travis.yml +0 -35
- data/Appraisals +0 -40
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -47
- data/Dangerfile +0 -67
- data/Gemfile +0 -24
- data/RELEASING.md +0 -10
- data/Rakefile +0 -28
- data/SECURITY.md +0 -15
- data/UPGRADE.md +0 -2
- data/app/validators/redirect_uri_validator.rb +0 -50
- data/bin/console +0 -16
- data/doorkeeper.gemspec +0 -34
- data/gemfiles/rails_5_0.gemfile +0 -17
- data/gemfiles/rails_5_1.gemfile +0 -17
- data/gemfiles/rails_5_2.gemfile +0 -17
- data/gemfiles/rails_6_0.gemfile +0 -17
- data/gemfiles/rails_master.gemfile +0 -17
- data/spec/controllers/application_metal_controller_spec.rb +0 -64
- data/spec/controllers/applications_controller_spec.rb +0 -180
- data/spec/controllers/authorizations_controller_spec.rb +0 -527
- data/spec/controllers/protected_resources_controller_spec.rb +0 -353
- data/spec/controllers/token_info_controller_spec.rb +0 -50
- data/spec/controllers/tokens_controller_spec.rb +0 -330
- data/spec/dummy/Rakefile +0 -9
- data/spec/dummy/app/assets/config/manifest.js +0 -2
- data/spec/dummy/app/controllers/application_controller.rb +0 -5
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
- data/spec/dummy/app/controllers/home_controller.rb +0 -18
- data/spec/dummy/app/controllers/metal_controller.rb +0 -13
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
- data/spec/dummy/app/helpers/application_helper.rb +0 -7
- data/spec/dummy/app/models/user.rb +0 -7
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config/application.rb +0 -47
- data/spec/dummy/config/boot.rb +0 -7
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -31
- data/spec/dummy/config/environments/production.rb +0 -64
- data/spec/dummy/config/environments/test.rb +0 -45
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -121
- data/spec/dummy/config/initializers/secret_token.rb +0 -10
- data/spec/dummy/config/initializers/session_store.rb +0 -10
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -13
- data/spec/dummy/config.ru +0 -6
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
- data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -9
- data/spec/factories.rb +0 -30
- data/spec/generators/application_owner_generator_spec.rb +0 -28
- data/spec/generators/confidential_applications_generator_spec.rb +0 -29
- data/spec/generators/install_generator_spec.rb +0 -36
- data/spec/generators/migration_generator_spec.rb +0 -28
- data/spec/generators/pkce_generator_spec.rb +0 -28
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
- data/spec/generators/templates/routes.rb +0 -4
- data/spec/generators/views_generator_spec.rb +0 -29
- data/spec/grape/grape_integration_spec.rb +0 -137
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
- data/spec/lib/config_spec.rb +0 -697
- data/spec/lib/doorkeeper_spec.rb +0 -27
- data/spec/lib/models/expirable_spec.rb +0 -61
- data/spec/lib/models/reusable_spec.rb +0 -40
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -53
- data/spec/lib/models/secret_storable_spec.rb +0 -135
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -156
- data/spec/lib/oauth/base_request_spec.rb +0 -205
- data/spec/lib/oauth/base_response_spec.rb +0 -47
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -94
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -29
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -109
- data/spec/lib/oauth/client_spec.rb +0 -38
- data/spec/lib/oauth/code_request_spec.rb +0 -47
- data/spec/lib/oauth/code_response_spec.rb +0 -36
- data/spec/lib/oauth/error_response_spec.rb +0 -66
- data/spec/lib/oauth/error_spec.rb +0 -23
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -22
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -98
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -247
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -55
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -192
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -215
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
- data/spec/lib/oauth/scopes_spec.rb +0 -148
- data/spec/lib/oauth/token_request_spec.rb +0 -150
- data/spec/lib/oauth/token_response_spec.rb +0 -86
- data/spec/lib/oauth/token_spec.rb +0 -158
- data/spec/lib/request/strategy_spec.rb +0 -54
- data/spec/lib/secret_storing/base_spec.rb +0 -60
- data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
- data/spec/lib/secret_storing/plain_spec.rb +0 -44
- data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
- data/spec/lib/server_spec.rb +0 -61
- data/spec/lib/stale_records_cleaner_spec.rb +0 -89
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -144
- data/spec/models/doorkeeper/access_token_spec.rb +0 -591
- data/spec/models/doorkeeper/application_spec.rb +0 -367
- data/spec/requests/applications/applications_request_spec.rb +0 -259
- data/spec/requests/applications/authorized_applications_spec.rb +0 -32
- data/spec/requests/endpoints/authorization_spec.rb +0 -73
- data/spec/requests/endpoints/token_spec.rb +0 -75
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -78
- data/spec/requests/flows/authorization_code_spec.rb +0 -447
- data/spec/requests/flows/client_credentials_spec.rb +0 -128
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -34
- data/spec/requests/flows/implicit_grant_spec.rb +0 -90
- data/spec/requests/flows/password_spec.rb +0 -259
- data/spec/requests/flows/refresh_token_spec.rb +0 -233
- data/spec/requests/flows/revoke_token_spec.rb +0 -143
- data/spec/requests/flows/skip_authorization_spec.rb +0 -66
- data/spec/requests/protected_resources/metal_spec.rb +0 -16
- data/spec/requests/protected_resources/private_api_spec.rb +0 -83
- data/spec/routing/custom_controller_routes_spec.rb +0 -133
- data/spec/routing/default_routes_spec.rb +0 -41
- data/spec/routing/scoped_routes_spec.rb +0 -47
- data/spec/spec_helper.rb +0 -57
- data/spec/spec_helper_integration.rb +0 -4
- data/spec/support/dependencies/factory_bot.rb +0 -4
- data/spec/support/doorkeeper_rspec.rb +0 -22
- data/spec/support/helpers/access_token_request_helper.rb +0 -13
- data/spec/support/helpers/authorization_request_helper.rb +0 -43
- data/spec/support/helpers/config_helper.rb +0 -11
- data/spec/support/helpers/model_helper.rb +0 -78
- data/spec/support/helpers/request_spec_helper.rb +0 -98
- data/spec/support/helpers/url_helper.rb +0 -62
- data/spec/support/http_method_shim.rb +0 -29
- data/spec/support/orm/active_record.rb +0 -5
- data/spec/support/shared/controllers_shared_context.rb +0 -123
- data/spec/support/shared/hashing_shared_context.rb +0 -36
- data/spec/support/shared/models_shared_examples.rb +0 -54
- data/spec/validators/redirect_uri_validator_spec.rb +0 -158
- data/spec/version/version_spec.rb +0 -17
@@ -1,7 +1,8 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
Doorkeeper.configure do
|
4
|
-
# Change the ORM that doorkeeper will use (
|
4
|
+
# Change the ORM that doorkeeper will use (requires ORM extensions installed).
|
5
|
+
# Check the list of supported ORMs here: https://github.com/doorkeeper-gem/doorkeeper#orms
|
5
6
|
orm :active_record
|
6
7
|
|
7
8
|
# This block will be called to check whether the resource owner is authenticated or not.
|
@@ -9,7 +10,7 @@ Doorkeeper.configure do
|
|
9
10
|
raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
|
10
11
|
# Put your resource owner authentication logic here.
|
11
12
|
# Example implementation:
|
12
|
-
# User.
|
13
|
+
# User.find_by(id: session[:user_id]) || redirect_to(new_user_session_url)
|
13
14
|
end
|
14
15
|
|
15
16
|
# If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
|
@@ -28,6 +29,52 @@ Doorkeeper.configure do
|
|
28
29
|
# end
|
29
30
|
# end
|
30
31
|
|
32
|
+
# You can use your own model classes if you need to extend (or even override) default
|
33
|
+
# Doorkeeper models such as `Application`, `AccessToken` and `AccessGrant.
|
34
|
+
#
|
35
|
+
# Be default Doorkeeper ActiveRecord ORM uses it's own classes:
|
36
|
+
#
|
37
|
+
# access_token_class "Doorkeeper::AccessToken"
|
38
|
+
# access_grant_class "Doorkeeper::AccessGrant"
|
39
|
+
# application_class "Doorkeeper::Application"
|
40
|
+
#
|
41
|
+
# Don't forget to include Doorkeeper ORM mixins into your custom models:
|
42
|
+
#
|
43
|
+
# * ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken - for access token
|
44
|
+
# * ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant - for access grant
|
45
|
+
# * ::Doorkeeper::Orm::ActiveRecord::Mixins::Application - for application (OAuth2 clients)
|
46
|
+
#
|
47
|
+
# For example:
|
48
|
+
#
|
49
|
+
# access_token_class "MyAccessToken"
|
50
|
+
#
|
51
|
+
# class MyAccessToken < ApplicationRecord
|
52
|
+
# include ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken
|
53
|
+
#
|
54
|
+
# self.table_name = "hey_i_wanna_my_name"
|
55
|
+
#
|
56
|
+
# def destroy_me!
|
57
|
+
# destroy
|
58
|
+
# end
|
59
|
+
# end
|
60
|
+
|
61
|
+
# Enables polymorphic Resource Owner association for Access Tokens and Access Grants.
|
62
|
+
# By default this option is disabled.
|
63
|
+
#
|
64
|
+
# Make sure you properly setup you database and have all the required columns (run
|
65
|
+
# `bundle exec rails generate doorkeeper:enable_polymorphic_resource_owner` and execute Rails
|
66
|
+
# migrations).
|
67
|
+
#
|
68
|
+
# If this option enabled, Doorkeeper will store not only Resource Owner primary key
|
69
|
+
# value, but also it's type (class name). See "Polymorphic Associations" section of
|
70
|
+
# Rails guides: https://guides.rubyonrails.org/association_basics.html#polymorphic-associations
|
71
|
+
#
|
72
|
+
# [NOTE] If you apply this option on already existing project don't forget to manually
|
73
|
+
# update `resource_owner_type` column in the database and fix migration template as it will
|
74
|
+
# set NOT NULL constraint for Access Grants table.
|
75
|
+
#
|
76
|
+
# use_polymorphic_resource_owner
|
77
|
+
|
31
78
|
# If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
|
32
79
|
# want to use API mode that will skip all the views management and change the way how
|
33
80
|
# Doorkeeper responds to a requests.
|
@@ -39,38 +86,40 @@ Doorkeeper.configure do
|
|
39
86
|
#
|
40
87
|
# enforce_content_type
|
41
88
|
|
42
|
-
# Authorization Code expiration time (default 10 minutes).
|
89
|
+
# Authorization Code expiration time (default: 10 minutes).
|
43
90
|
#
|
44
91
|
# authorization_code_expires_in 10.minutes
|
45
92
|
|
46
|
-
# Access token expiration time (default 2 hours).
|
47
|
-
# If you want to disable expiration, set this to nil
|
93
|
+
# Access token expiration time (default: 2 hours).
|
94
|
+
# If you want to disable expiration, set this to `nil`.
|
48
95
|
#
|
49
96
|
# access_token_expires_in 2.hours
|
50
97
|
|
51
98
|
# Assign custom TTL for access tokens. Will be used instead of access_token_expires_in
|
52
99
|
# option if defined. In case the block returns `nil` value Doorkeeper fallbacks to
|
53
|
-
#
|
100
|
+
# +access_token_expires_in+ configuration option value. If you really need to issue a
|
54
101
|
# non-expiring access token (which is not recommended) then you need to return
|
55
102
|
# Float::INFINITY from this block.
|
56
103
|
#
|
57
104
|
# `context` has the following properties available:
|
58
105
|
#
|
59
|
-
# `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
|
60
|
-
# `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
|
61
|
-
# `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
|
106
|
+
# * `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
|
107
|
+
# * `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
|
108
|
+
# * `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
|
109
|
+
# * `resource_owner` - authorized resource owner instance (if present)
|
62
110
|
#
|
63
111
|
# custom_access_token_expires_in do |context|
|
64
|
-
# context.client.
|
112
|
+
# context.client.additional_settings.implicit_oauth_expiration
|
65
113
|
# end
|
66
114
|
|
67
115
|
# Use a custom class for generating the access token.
|
68
|
-
# See https://
|
116
|
+
# See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
|
69
117
|
#
|
70
118
|
# access_token_generator '::Doorkeeper::JWT'
|
71
119
|
|
72
|
-
# The controller Doorkeeper::ApplicationController inherits from.
|
73
|
-
# Defaults to ActionController::Base
|
120
|
+
# The controller +Doorkeeper::ApplicationController+ inherits from.
|
121
|
+
# Defaults to +ActionController::Base+ unless +api_only+ is set, which changes the default to
|
122
|
+
# +ActionController::API+. The return value of this option must be a stringified class name.
|
74
123
|
# See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
|
75
124
|
#
|
76
125
|
# base_controller 'ApplicationController'
|
@@ -86,6 +135,14 @@ Doorkeeper.configure do
|
|
86
135
|
#
|
87
136
|
# reuse_access_token
|
88
137
|
|
138
|
+
# In case you enabled `reuse_access_token` option Doorkeeper will try to find matching
|
139
|
+
# token using `matching_token_for` Access Token API that searches for valid records
|
140
|
+
# in batches in order not to pollute the memory with all the database records. By default
|
141
|
+
# Doorkeeper uses batch size of 10 000 records. You can increase or decrease this value
|
142
|
+
# depending on your needs and server capabilities.
|
143
|
+
#
|
144
|
+
# token_lookup_batch_size 10_000
|
145
|
+
|
89
146
|
# Set a limit for token_reuse if using reuse_access_token option
|
90
147
|
#
|
91
148
|
# This option limits token_reusability to some extent.
|
@@ -96,13 +153,22 @@ Doorkeeper.configure do
|
|
96
153
|
#
|
97
154
|
# token_reuse_limit 100
|
98
155
|
|
156
|
+
# Only allow one valid access token obtained via client credentials
|
157
|
+
# per client. If a new access token is obtained before the old one
|
158
|
+
# expired, the old one gets revoked (disabled by default)
|
159
|
+
#
|
160
|
+
# When enabling this option, make sure that you do not expect multiple processes
|
161
|
+
# using the same credentials at the same time (e.g. web servers spanning
|
162
|
+
# multiple machines and/or processes).
|
163
|
+
#
|
164
|
+
# revoke_previous_client_credentials_token
|
165
|
+
|
99
166
|
# Hash access and refresh tokens before persisting them.
|
100
167
|
# This will disable the possibility to use +reuse_access_token+
|
101
168
|
# since plain values can no longer be retrieved.
|
102
169
|
#
|
103
170
|
# Note: If you are already a user of doorkeeper and have existing tokens
|
104
|
-
# in your installation, they will be invalid without
|
105
|
-
# setting `fallback_to_plain_secrets` below.
|
171
|
+
# in your installation, they will be invalid without adding 'fallback: :plain'.
|
106
172
|
#
|
107
173
|
# hash_token_secrets
|
108
174
|
# By default, token secrets will be hashed using the
|
@@ -128,21 +194,22 @@ Doorkeeper.configure do
|
|
128
194
|
#
|
129
195
|
# hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt'
|
130
196
|
|
131
|
-
# When the above option is enabled,
|
132
|
-
#
|
133
|
-
#
|
134
|
-
#
|
135
|
-
# you will probably want to enable the fallback to plain tokens.
|
197
|
+
# When the above option is enabled, and a hashed token or secret is not found,
|
198
|
+
# you can allow to fall back to another strategy. For users upgrading
|
199
|
+
# doorkeeper and wishing to enable hashing, you will probably want to enable
|
200
|
+
# the fallback to plain tokens.
|
136
201
|
#
|
137
202
|
# This will ensure that old access tokens and secrets
|
138
203
|
# will remain valid even if the hashing above is enabled.
|
139
204
|
#
|
140
|
-
#
|
205
|
+
# This can be done by adding 'fallback: plain', e.g. :
|
206
|
+
#
|
207
|
+
# hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt', fallback: :plain
|
141
208
|
|
142
209
|
# Issue access tokens with refresh token (disabled by default), you may also
|
143
210
|
# pass a block which accepts `context` to customize when to give a refresh
|
144
|
-
# token or not. Similar to
|
145
|
-
# the properties:
|
211
|
+
# token or not. Similar to +custom_access_token_expires_in+, `context` has
|
212
|
+
# the following properties:
|
146
213
|
#
|
147
214
|
# `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
|
148
215
|
# `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
|
@@ -151,7 +218,7 @@ Doorkeeper.configure do
|
|
151
218
|
# use_refresh_token
|
152
219
|
|
153
220
|
# Provide support for an owner to be assigned to each registered application (disabled by default)
|
154
|
-
# Optional parameter confirmation: true (default false) if you want to enforce ownership of
|
221
|
+
# Optional parameter confirmation: true (default: false) if you want to enforce ownership of
|
155
222
|
# a registered application
|
156
223
|
# NOTE: you must also run the rails g doorkeeper:application_owner generator
|
157
224
|
# to provide the necessary support
|
@@ -160,22 +227,22 @@ Doorkeeper.configure do
|
|
160
227
|
|
161
228
|
# Define access token scopes for your provider
|
162
229
|
# For more information go to
|
163
|
-
# https://
|
230
|
+
# https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes
|
164
231
|
#
|
165
232
|
# default_scopes :public
|
166
233
|
# optional_scopes :write, :update
|
167
234
|
|
168
|
-
#
|
235
|
+
# Allows to restrict only certain scopes for grant_type.
|
169
236
|
# By default, all the scopes will be available for all the grant types.
|
170
237
|
#
|
171
238
|
# Keys to this hash should be the name of grant_type and
|
172
239
|
# values should be the array of scopes for that grant type.
|
173
|
-
# Note: scopes should be from configured_scopes(i.e.
|
240
|
+
# Note: scopes should be from configured_scopes (i.e. default or optional)
|
174
241
|
#
|
175
242
|
# scopes_by_grant_type password: [:write], client_credentials: [:update]
|
176
243
|
|
177
244
|
# Forbids creating/updating applications with arbitrary scopes that are
|
178
|
-
# not in configuration, i.e.
|
245
|
+
# not in configuration, i.e. +default_scopes+ or +optional_scopes+.
|
179
246
|
# (disabled by default)
|
180
247
|
#
|
181
248
|
# enforce_configured_scopes
|
@@ -196,15 +263,6 @@ Doorkeeper.configure do
|
|
196
263
|
#
|
197
264
|
# access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
|
198
265
|
|
199
|
-
# Change the native redirect uri for client apps
|
200
|
-
# When clients register with the following redirect uri, they won't be redirected to
|
201
|
-
# any server and the authorizationcode will be displayed within the provider
|
202
|
-
# The value can be any string. Use nil to disable this feature. When disabled, clients
|
203
|
-
# must providea valid URL
|
204
|
-
# (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
|
205
|
-
#
|
206
|
-
# native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
|
207
|
-
|
208
266
|
# Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
|
209
267
|
# by default in non-development environments). OAuth2 delegates security in
|
210
268
|
# communication to the HTTPS protocol so it is wise to keep this enabled.
|
@@ -246,7 +304,7 @@ Doorkeeper.configure do
|
|
246
304
|
# is invalid, expired, revoked or has invalid scopes.
|
247
305
|
#
|
248
306
|
# If you want to render error response yourself (i.e. rescue exceptions),
|
249
|
-
# set
|
307
|
+
# set +handle_auth_errors+ to `:raise` and rescue Doorkeeper::Errors::InvalidToken
|
250
308
|
# or following specific errors:
|
251
309
|
#
|
252
310
|
# Doorkeeper::Errors::TokenForbidden, Doorkeeper::Errors::TokenExpired,
|
@@ -290,6 +348,48 @@ Doorkeeper.configure do
|
|
290
348
|
#
|
291
349
|
# grant_flows %w[authorization_code client_credentials]
|
292
350
|
|
351
|
+
# Allows to customize OAuth grant flows that +each+ application support.
|
352
|
+
# You can configure a custom block (or use a class respond to `#call`) that must
|
353
|
+
# return `true` in case Application instance supports requested OAuth grant flow
|
354
|
+
# during the authorization request to the server. This configuration +doesn't+
|
355
|
+
# set flows per application, it only allows to check if application supports
|
356
|
+
# specific grant flow.
|
357
|
+
#
|
358
|
+
# For example you can add an additional database column to `oauth_applications` table,
|
359
|
+
# say `t.array :grant_flows, default: []`, and store allowed grant flows that can
|
360
|
+
# be used with this application there. Then when authorization requested Doorkeeper
|
361
|
+
# will call this block to check if specific Application (passed with client_id and/or
|
362
|
+
# client_secret) is allowed to perform the request for the specific grant type
|
363
|
+
# (authorization, password, client_credentials, etc).
|
364
|
+
#
|
365
|
+
# Example of the block:
|
366
|
+
#
|
367
|
+
# ->(flow, client) { client.grant_flows.include?(flow) }
|
368
|
+
#
|
369
|
+
# In case this option invocation result is `false`, Doorkeeper server returns
|
370
|
+
# :unauthorized_client error and stops the request.
|
371
|
+
#
|
372
|
+
# @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
|
373
|
+
# @return [Boolean] `true` if allow or `false` if forbid the request
|
374
|
+
#
|
375
|
+
# allow_grant_flow_for_client do |grant_flow, client|
|
376
|
+
# # `grant_flows` is an Array column with grant
|
377
|
+
# # flows that application supports
|
378
|
+
#
|
379
|
+
# client.grant_flows.include?(grant_flow)
|
380
|
+
# end
|
381
|
+
|
382
|
+
# If you need arbitrary Resource Owner-Client authorization you can enable this option
|
383
|
+
# and implement the check your need. Config option must respond to #call and return
|
384
|
+
# true in case resource owner authorized for the specific application or false in other
|
385
|
+
# cases.
|
386
|
+
#
|
387
|
+
# Be default all Resource Owners are authorized to any Client (application).
|
388
|
+
#
|
389
|
+
# authorize_resource_owner_for_client do |client, resource_owner|
|
390
|
+
# resource_owner.admin? || client.owners_whitelist.include?(resource_owner)
|
391
|
+
# end
|
392
|
+
|
293
393
|
# Hook into the strategies' request & response life-cycle in case your
|
294
394
|
# application needs advanced customization or logging:
|
295
395
|
#
|
@@ -302,17 +402,25 @@ Doorkeeper.configure do
|
|
302
402
|
# end
|
303
403
|
|
304
404
|
# Hook into Authorization flow in order to implement Single Sign Out
|
305
|
-
# or add any other functionality.
|
405
|
+
# or add any other functionality. Inside the block you have an access
|
406
|
+
# to `controller` (authorizations controller instance) and `context`
|
407
|
+
# (Doorkeeper::OAuth::Hooks::Context instance) which provides pre auth
|
408
|
+
# or auth objects with issued token based on hook type (before or after).
|
306
409
|
#
|
307
|
-
# before_successful_authorization do |controller|
|
308
|
-
# Rails.logger.info(params.inspect)
|
410
|
+
# before_successful_authorization do |controller, context|
|
411
|
+
# Rails.logger.info(controller.request.params.inspect)
|
412
|
+
#
|
413
|
+
# Rails.logger.info(context.pre_auth.inspect)
|
309
414
|
# end
|
310
415
|
#
|
311
|
-
# after_successful_authorization do |controller|
|
416
|
+
# after_successful_authorization do |controller, context|
|
312
417
|
# controller.session[:logout_urls] <<
|
313
418
|
# Doorkeeper::Application
|
314
419
|
# .find_by(controller.request.params.slice(:redirect_uri))
|
315
420
|
# .logout_uri
|
421
|
+
#
|
422
|
+
# Rails.logger.info(context.auth.inspect)
|
423
|
+
# Rails.logger.info(context.issued_token)
|
316
424
|
# end
|
317
425
|
|
318
426
|
# Under some circumstances you might want to have applications auto-approved,
|
@@ -323,7 +431,61 @@ Doorkeeper.configure do
|
|
323
431
|
# client.superapp? or resource_owner.admin?
|
324
432
|
# end
|
325
433
|
|
326
|
-
#
|
434
|
+
# Configure custom constraints for the Token Introspection request.
|
435
|
+
# By default this configuration option allows to introspect a token by another
|
436
|
+
# token of the same application, OR to introspect the token that belongs to
|
437
|
+
# authorized client (from authenticated client) OR when token doesn't
|
438
|
+
# belong to any client (public token). Otherwise requester has no access to the
|
439
|
+
# introspection and it will return response as stated in the RFC.
|
440
|
+
#
|
441
|
+
# Block arguments:
|
442
|
+
#
|
443
|
+
# @param token [Doorkeeper::AccessToken]
|
444
|
+
# token to be introspected
|
445
|
+
#
|
446
|
+
# @param authorized_client [Doorkeeper::Application]
|
447
|
+
# authorized client (if request is authorized using Basic auth with
|
448
|
+
# Client Credentials for example)
|
449
|
+
#
|
450
|
+
# @param authorized_token [Doorkeeper::AccessToken]
|
451
|
+
# Bearer token used to authorize the request
|
452
|
+
#
|
453
|
+
# In case the block returns `nil` or `false` introspection responses with 401 status code
|
454
|
+
# when using authorized token to introspect, or you'll get 200 with { "active": false } body
|
455
|
+
# when using authorized client to introspect as stated in the
|
456
|
+
# RFC 7662 section 2.2. Introspection Response.
|
457
|
+
#
|
458
|
+
# Using with caution:
|
459
|
+
# Keep in mind that these three parameters pass to block can be nil as following case:
|
460
|
+
# `authorized_client` is nil if and only if `authorized_token` is present, and vice versa.
|
461
|
+
# `token` will be nil if and only if `authorized_token` is present.
|
462
|
+
# So remember to use `&` or check if it is present before calling method on
|
463
|
+
# them to make sure you doesn't get NoMethodError exception.
|
464
|
+
#
|
465
|
+
# You can define your custom check:
|
466
|
+
#
|
467
|
+
# allow_token_introspection do |token, authorized_client, authorized_token|
|
468
|
+
# if authorized_token
|
469
|
+
# # customize: require `introspection` scope
|
470
|
+
# authorized_token.application == token&.application ||
|
471
|
+
# authorized_token.scopes.include?("introspection")
|
472
|
+
# elsif token.application
|
473
|
+
# # `protected_resource` is a new database boolean column, for example
|
474
|
+
# authorized_client == token.application || authorized_client.protected_resource?
|
475
|
+
# else
|
476
|
+
# # public token (when token.application is nil, token doesn't belong to any application)
|
477
|
+
# true
|
478
|
+
# end
|
479
|
+
# end
|
480
|
+
#
|
481
|
+
# Or you can completely disable any token introspection:
|
482
|
+
#
|
483
|
+
# allow_token_introspection false
|
484
|
+
#
|
485
|
+
# If you need to block the request at all, then configure your routes.rb or web-server
|
486
|
+
# like nginx to forbid the request.
|
487
|
+
|
488
|
+
# WWW-Authenticate Realm (default: "Doorkeeper").
|
327
489
|
#
|
328
490
|
# realm "Doorkeeper"
|
329
491
|
end
|
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
|
2
4
|
def change
|
3
5
|
create_table :oauth_applications do |t|
|
@@ -24,7 +26,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
|
|
24
26
|
t.text :redirect_uri, null: false
|
25
27
|
t.datetime :created_at, null: false
|
26
28
|
t.datetime :revoked_at
|
27
|
-
t.string :scopes
|
29
|
+
t.string :scopes, null: false, default: ''
|
28
30
|
end
|
29
31
|
|
30
32
|
add_index :oauth_access_grants, :token, unique: true
|
@@ -36,6 +38,9 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
|
|
36
38
|
|
37
39
|
create_table :oauth_access_tokens do |t|
|
38
40
|
t.references :resource_owner, index: true
|
41
|
+
|
42
|
+
# Remove `null: false` if you are planning to use Password
|
43
|
+
# Credentials Grant flow that doesn't require an application.
|
39
44
|
t.references :application, null: false
|
40
45
|
|
41
46
|
# If you use a custom token generator you may need to change this column
|
@@ -52,12 +57,19 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
|
|
52
57
|
t.datetime :created_at, null: false
|
53
58
|
t.string :scopes
|
54
59
|
|
55
|
-
#
|
60
|
+
# The authorization server MAY issue a new refresh token, in which case
|
61
|
+
# *the client MUST discard the old refresh token* and replace it with the
|
62
|
+
# new refresh token. The authorization server MAY revoke the old
|
63
|
+
# refresh token after issuing a new refresh token to the client.
|
64
|
+
# @see https://tools.ietf.org/html/rfc6749#section-6
|
65
|
+
#
|
66
|
+
# Doorkeeper implementation: if there is a `previous_refresh_token` column,
|
56
67
|
# refresh tokens will be revoked after a related access token is used.
|
57
|
-
# If there is no previous_refresh_token column,
|
58
|
-
#
|
59
|
-
#
|
60
|
-
# instantly
|
68
|
+
# If there is no `previous_refresh_token` column, previous tokens are
|
69
|
+
# revoked as soon as a new access token is created.
|
70
|
+
#
|
71
|
+
# Comment out this line if you want refresh tokens to be instantly
|
72
|
+
# revoked after use.
|
61
73
|
t.string :previous_refresh_token, null: false, default: ""
|
62
74
|
end
|
63
75
|
|