doorkeeper 5.3.2 → 5.5.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +106 -2
- data/README.md +6 -4
- data/app/controllers/doorkeeper/applications_controller.rb +4 -4
- data/app/controllers/doorkeeper/authorizations_controller.rb +32 -12
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
- data/app/controllers/doorkeeper/tokens_controller.rb +60 -20
- data/app/views/doorkeeper/applications/_form.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +19 -2
- data/config/locales/en.yml +3 -2
- data/lib/doorkeeper.rb +107 -79
- data/lib/doorkeeper/config.rb +140 -94
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +26 -14
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/grant_flow.rb +43 -0
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +34 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grape/helpers.rb +1 -1
- data/lib/doorkeeper/helpers/controller.rb +6 -4
- data/lib/doorkeeper/models/access_grant_mixin.rb +20 -16
- data/lib/doorkeeper/models/access_token_mixin.rb +110 -47
- data/lib/doorkeeper/models/application_mixin.rb +5 -4
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
- data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
- data/lib/doorkeeper/oauth/authorization/code.rb +15 -6
- data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
- data/lib/doorkeeper/oauth/authorization/token.rb +14 -16
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
- data/lib/doorkeeper/oauth/authorization_code_request.rb +17 -14
- data/lib/doorkeeper/oauth/base_request.rb +12 -20
- data/lib/doorkeeper/oauth/client.rb +1 -1
- data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +27 -8
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
- data/lib/doorkeeper/oauth/code_request.rb +3 -3
- data/lib/doorkeeper/oauth/code_response.rb +28 -14
- data/lib/doorkeeper/oauth/error_response.rb +6 -7
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +2 -8
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
- data/lib/doorkeeper/oauth/password_access_token_request.rb +24 -7
- data/lib/doorkeeper/oauth/pre_authorization.rb +41 -31
- data/lib/doorkeeper/oauth/refresh_token_request.rb +31 -22
- data/lib/doorkeeper/oauth/token.rb +5 -6
- data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
- data/lib/doorkeeper/oauth/token_request.rb +3 -3
- data/lib/doorkeeper/oauth/token_response.rb +1 -1
- data/lib/doorkeeper/orm/active_record.rb +10 -2
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +20 -16
- data/lib/doorkeeper/rails/routes.rb +14 -18
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/request.rb +49 -12
- data/lib/doorkeeper/request/refresh_token.rb +2 -1
- data/lib/doorkeeper/request/strategy.rb +2 -2
- data/lib/doorkeeper/server.rb +4 -4
- data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
- data/lib/doorkeeper/version.rb +3 -3
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +48 -10
- data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
- metadata +21 -299
- data/Appraisals +0 -40
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -49
- data/Dangerfile +0 -67
- data/Dockerfile +0 -29
- data/Gemfile +0 -25
- data/NEWS.md +0 -1
- data/RELEASING.md +0 -11
- data/Rakefile +0 -28
- data/SECURITY.md +0 -15
- data/UPGRADE.md +0 -2
- data/bin/console +0 -16
- data/doorkeeper.gemspec +0 -42
- data/gemfiles/rails_5_0.gemfile +0 -18
- data/gemfiles/rails_5_1.gemfile +0 -18
- data/gemfiles/rails_5_2.gemfile +0 -18
- data/gemfiles/rails_6_0.gemfile +0 -18
- data/gemfiles/rails_master.gemfile +0 -18
- data/spec/controllers/application_metal_controller_spec.rb +0 -64
- data/spec/controllers/applications_controller_spec.rb +0 -274
- data/spec/controllers/authorizations_controller_spec.rb +0 -608
- data/spec/controllers/protected_resources_controller_spec.rb +0 -361
- data/spec/controllers/token_info_controller_spec.rb +0 -50
- data/spec/controllers/tokens_controller_spec.rb +0 -498
- data/spec/dummy/Rakefile +0 -9
- data/spec/dummy/app/assets/config/manifest.js +0 -2
- data/spec/dummy/app/controllers/application_controller.rb +0 -5
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
- data/spec/dummy/app/controllers/home_controller.rb +0 -18
- data/spec/dummy/app/controllers/metal_controller.rb +0 -13
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
- data/spec/dummy/app/helpers/application_helper.rb +0 -7
- data/spec/dummy/app/models/user.rb +0 -7
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config.ru +0 -6
- data/spec/dummy/config/application.rb +0 -49
- data/spec/dummy/config/boot.rb +0 -7
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -31
- data/spec/dummy/config/environments/production.rb +0 -64
- data/spec/dummy/config/environments/test.rb +0 -45
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
- data/spec/dummy/config/initializers/secret_token.rb +0 -10
- data/spec/dummy/config/initializers/session_store.rb +0 -10
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -13
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
- data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -9
- data/spec/factories.rb +0 -30
- data/spec/generators/application_owner_generator_spec.rb +0 -28
- data/spec/generators/confidential_applications_generator_spec.rb +0 -29
- data/spec/generators/install_generator_spec.rb +0 -36
- data/spec/generators/migration_generator_spec.rb +0 -28
- data/spec/generators/pkce_generator_spec.rb +0 -28
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
- data/spec/generators/templates/routes.rb +0 -4
- data/spec/generators/views_generator_spec.rb +0 -29
- data/spec/grape/grape_integration_spec.rb +0 -137
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
- data/spec/lib/config_spec.rb +0 -809
- data/spec/lib/doorkeeper_spec.rb +0 -27
- data/spec/lib/models/expirable_spec.rb +0 -61
- data/spec/lib/models/reusable_spec.rb +0 -40
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -53
- data/spec/lib/models/secret_storable_spec.rb +0 -135
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
- data/spec/lib/oauth/base_request_spec.rb +0 -224
- data/spec/lib/oauth/base_response_spec.rb +0 -45
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
- data/spec/lib/oauth/client_spec.rb +0 -38
- data/spec/lib/oauth/code_request_spec.rb +0 -46
- data/spec/lib/oauth/code_response_spec.rb +0 -32
- data/spec/lib/oauth/error_response_spec.rb +0 -64
- data/spec/lib/oauth/error_spec.rb +0 -21
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
- data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
- data/spec/lib/oauth/scopes_spec.rb +0 -146
- data/spec/lib/oauth/token_request_spec.rb +0 -157
- data/spec/lib/oauth/token_response_spec.rb +0 -84
- data/spec/lib/oauth/token_spec.rb +0 -156
- data/spec/lib/request/strategy_spec.rb +0 -54
- data/spec/lib/secret_storing/base_spec.rb +0 -60
- data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
- data/spec/lib/secret_storing/plain_spec.rb +0 -44
- data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
- data/spec/lib/server_spec.rb +0 -49
- data/spec/lib/stale_records_cleaner_spec.rb +0 -89
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
- data/spec/models/doorkeeper/access_token_spec.rb +0 -622
- data/spec/models/doorkeeper/application_spec.rb +0 -482
- data/spec/requests/applications/applications_request_spec.rb +0 -259
- data/spec/requests/applications/authorized_applications_spec.rb +0 -32
- data/spec/requests/endpoints/authorization_spec.rb +0 -91
- data/spec/requests/endpoints/token_spec.rb +0 -75
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
- data/spec/requests/flows/authorization_code_spec.rb +0 -525
- data/spec/requests/flows/client_credentials_spec.rb +0 -166
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
- data/spec/requests/flows/implicit_grant_spec.rb +0 -91
- data/spec/requests/flows/password_spec.rb +0 -316
- data/spec/requests/flows/refresh_token_spec.rb +0 -233
- data/spec/requests/flows/revoke_token_spec.rb +0 -157
- data/spec/requests/flows/skip_authorization_spec.rb +0 -66
- data/spec/requests/protected_resources/metal_spec.rb +0 -16
- data/spec/requests/protected_resources/private_api_spec.rb +0 -83
- data/spec/routing/custom_controller_routes_spec.rb +0 -133
- data/spec/routing/default_routes_spec.rb +0 -41
- data/spec/routing/scoped_routes_spec.rb +0 -47
- data/spec/spec_helper.rb +0 -54
- data/spec/spec_helper_integration.rb +0 -4
- data/spec/support/dependencies/factory_bot.rb +0 -4
- data/spec/support/doorkeeper_rspec.rb +0 -22
- data/spec/support/helpers/access_token_request_helper.rb +0 -13
- data/spec/support/helpers/authorization_request_helper.rb +0 -43
- data/spec/support/helpers/config_helper.rb +0 -11
- data/spec/support/helpers/model_helper.rb +0 -78
- data/spec/support/helpers/request_spec_helper.rb +0 -110
- data/spec/support/helpers/url_helper.rb +0 -62
- data/spec/support/orm/active_record.rb +0 -5
- data/spec/support/shared/controllers_shared_context.rb +0 -133
- data/spec/support/shared/hashing_shared_context.rb +0 -36
- data/spec/support/shared/models_shared_examples.rb +0 -54
- data/spec/validators/redirect_uri_validator_spec.rb +0 -183
- data/spec/version/version_spec.rb +0 -17
|
@@ -2,9 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Issuer
|
|
7
|
-
|
|
7
|
+
attr_reader :token, :validator, :error
|
|
8
8
|
|
|
9
9
|
def initialize(server, validator)
|
|
10
10
|
@server = server
|
|
@@ -19,6 +19,7 @@ module Doorkeeper
|
|
|
19
19
|
@token = false
|
|
20
20
|
@error = validator.error
|
|
21
21
|
end
|
|
22
|
+
|
|
22
23
|
@token
|
|
23
24
|
end
|
|
24
25
|
|
|
@@ -29,6 +30,7 @@ module Doorkeeper
|
|
|
29
30
|
client,
|
|
30
31
|
Doorkeeper::OAuth::CLIENT_CREDENTIALS,
|
|
31
32
|
scopes,
|
|
33
|
+
nil,
|
|
32
34
|
)
|
|
33
35
|
ttl = Authorization::Token.access_token_expires_in(@server, context)
|
|
34
36
|
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Validator
|
|
7
7
|
include Validations
|
|
8
8
|
include OAuth::Helpers
|
|
@@ -26,9 +26,11 @@ module Doorkeeper
|
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
def validate_client_supports_grant_flow
|
|
29
|
+
return if @client.blank?
|
|
30
|
+
|
|
29
31
|
Doorkeeper.config.allow_grant_flow_for_client?(
|
|
30
32
|
Doorkeeper::OAuth::CLIENT_CREDENTIALS,
|
|
31
|
-
@client,
|
|
33
|
+
@client.application,
|
|
32
34
|
)
|
|
33
35
|
end
|
|
34
36
|
|
|
@@ -3,18 +3,12 @@
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
5
|
class ClientCredentialsRequest < BaseRequest
|
|
6
|
-
|
|
7
|
-
attr_reader :response
|
|
8
|
-
attr_writer :issuer
|
|
6
|
+
attr_reader :client, :original_scopes, :response
|
|
9
7
|
|
|
10
8
|
alias error_response response
|
|
11
9
|
|
|
12
10
|
delegate :error, to: :issuer
|
|
13
11
|
|
|
14
|
-
def issuer
|
|
15
|
-
@issuer ||= Issuer.new(server, Validator.new(server, self))
|
|
16
|
-
end
|
|
17
|
-
|
|
18
12
|
def initialize(server, client, parameters = {})
|
|
19
13
|
@client = client
|
|
20
14
|
@server = server
|
|
@@ -26,6 +20,13 @@ module Doorkeeper
|
|
|
26
20
|
issuer.token
|
|
27
21
|
end
|
|
28
22
|
|
|
23
|
+
def issuer
|
|
24
|
+
@issuer ||= ClientCredentials::Issuer.new(
|
|
25
|
+
server,
|
|
26
|
+
ClientCredentials::Validator.new(server, self),
|
|
27
|
+
)
|
|
28
|
+
end
|
|
29
|
+
|
|
29
30
|
private
|
|
30
31
|
|
|
31
32
|
def valid?
|
|
@@ -3,16 +3,16 @@
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
5
|
class CodeRequest
|
|
6
|
-
|
|
6
|
+
attr_reader :pre_auth, :resource_owner
|
|
7
7
|
|
|
8
8
|
def initialize(pre_auth, resource_owner)
|
|
9
|
-
@pre_auth
|
|
9
|
+
@pre_auth = pre_auth
|
|
10
10
|
@resource_owner = resource_owner
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def authorize
|
|
14
14
|
auth = Authorization::Code.new(pre_auth, resource_owner)
|
|
15
|
-
auth.issue_token
|
|
15
|
+
auth.issue_token!
|
|
16
16
|
CodeResponse.new(pre_auth, auth)
|
|
17
17
|
end
|
|
18
18
|
|
|
@@ -5,7 +5,7 @@ module Doorkeeper
|
|
|
5
5
|
class CodeResponse < BaseResponse
|
|
6
6
|
include OAuth::Helpers
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
attr_reader :pre_auth, :auth, :response_on_fragment
|
|
9
9
|
|
|
10
10
|
def initialize(pre_auth, auth, options = {})
|
|
11
11
|
@pre_auth = pre_auth
|
|
@@ -17,25 +17,39 @@ module Doorkeeper
|
|
|
17
17
|
true
|
|
18
18
|
end
|
|
19
19
|
|
|
20
|
+
def issued_token
|
|
21
|
+
auth.token
|
|
22
|
+
end
|
|
23
|
+
|
|
20
24
|
def redirect_uri
|
|
21
|
-
if URIChecker.oob_uri?
|
|
25
|
+
if URIChecker.oob_uri?(pre_auth.redirect_uri)
|
|
22
26
|
auth.oob_redirect
|
|
23
27
|
elsif response_on_fragment
|
|
24
|
-
|
|
25
|
-
pre_auth.redirect_uri,
|
|
26
|
-
access_token: auth.token.plaintext_token,
|
|
27
|
-
token_type: auth.token.token_type,
|
|
28
|
-
expires_in: auth.token.expires_in_seconds,
|
|
29
|
-
state: pre_auth.state,
|
|
30
|
-
)
|
|
28
|
+
uri_with_fragment
|
|
31
29
|
else
|
|
32
|
-
|
|
33
|
-
pre_auth.redirect_uri,
|
|
34
|
-
code: auth.token.plaintext_token,
|
|
35
|
-
state: pre_auth.state,
|
|
36
|
-
)
|
|
30
|
+
uri_with_query
|
|
37
31
|
end
|
|
38
32
|
end
|
|
33
|
+
|
|
34
|
+
private
|
|
35
|
+
|
|
36
|
+
def uri_with_fragment
|
|
37
|
+
Authorization::URIBuilder.uri_with_fragment(
|
|
38
|
+
pre_auth.redirect_uri,
|
|
39
|
+
access_token: auth.token.plaintext_token,
|
|
40
|
+
token_type: auth.token.token_type,
|
|
41
|
+
expires_in: auth.token.expires_in_seconds,
|
|
42
|
+
state: pre_auth.state,
|
|
43
|
+
)
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
def uri_with_query
|
|
47
|
+
Authorization::URIBuilder.uri_with_query(
|
|
48
|
+
pre_auth.redirect_uri,
|
|
49
|
+
code: auth.token.plaintext_token,
|
|
50
|
+
state: pre_auth.state,
|
|
51
|
+
)
|
|
52
|
+
end
|
|
39
53
|
end
|
|
40
54
|
end
|
|
41
55
|
end
|
|
@@ -5,6 +5,8 @@ module Doorkeeper
|
|
|
5
5
|
class ErrorResponse < BaseResponse
|
|
6
6
|
include OAuth::Helpers
|
|
7
7
|
|
|
8
|
+
NON_REDIRECTABLE_STATES = %i[invalid_redirect_uri invalid_client unauthorized_client].freeze
|
|
9
|
+
|
|
8
10
|
def self.from_request(request, attributes = {})
|
|
9
11
|
new(
|
|
10
12
|
attributes.merge(
|
|
@@ -32,7 +34,7 @@ module Doorkeeper
|
|
|
32
34
|
end
|
|
33
35
|
|
|
34
36
|
def status
|
|
35
|
-
if name == :invalid_client
|
|
37
|
+
if name == :invalid_client || name == :unauthorized_client
|
|
36
38
|
:unauthorized
|
|
37
39
|
else
|
|
38
40
|
:bad_request
|
|
@@ -40,8 +42,7 @@ module Doorkeeper
|
|
|
40
42
|
end
|
|
41
43
|
|
|
42
44
|
def redirectable?
|
|
43
|
-
name
|
|
44
|
-
!URIChecker.oob_uri?(@redirect_uri)
|
|
45
|
+
!NON_REDIRECTABLE_STATES.include?(name) && !URIChecker.oob_uri?(@redirect_uri)
|
|
45
46
|
end
|
|
46
47
|
|
|
47
48
|
def redirect_uri
|
|
@@ -67,10 +68,8 @@ module Doorkeeper
|
|
|
67
68
|
|
|
68
69
|
protected
|
|
69
70
|
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
def configuration
|
|
73
|
-
Doorkeeper.config
|
|
71
|
+
def realm
|
|
72
|
+
Doorkeeper.config.realm
|
|
74
73
|
end
|
|
75
74
|
|
|
76
75
|
def exception_class
|
|
@@ -12,9 +12,7 @@ module Doorkeeper
|
|
|
12
12
|
@scope_str = scope_str
|
|
13
13
|
@valid_scopes = valid_scopes(server_scopes, app_scopes)
|
|
14
14
|
|
|
15
|
-
if grant_type
|
|
16
|
-
@scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym]
|
|
17
|
-
end
|
|
15
|
+
@scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym] if grant_type
|
|
18
16
|
end
|
|
19
17
|
|
|
20
18
|
def valid?
|
|
@@ -27,11 +25,7 @@ module Doorkeeper
|
|
|
27
25
|
private
|
|
28
26
|
|
|
29
27
|
def valid_scopes(server_scopes, app_scopes)
|
|
30
|
-
|
|
31
|
-
app_scopes
|
|
32
|
-
else
|
|
33
|
-
server_scopes
|
|
34
|
-
end
|
|
28
|
+
app_scopes.presence || server_scopes
|
|
35
29
|
end
|
|
36
30
|
|
|
37
31
|
def permitted_to_grant_type?
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Doorkeeper
|
|
4
|
+
module OAuth
|
|
5
|
+
module Hooks
|
|
6
|
+
class Context
|
|
7
|
+
attr_reader :auth, :pre_auth
|
|
8
|
+
|
|
9
|
+
def initialize(**attributes)
|
|
10
|
+
attributes.each do |name, value|
|
|
11
|
+
instance_variable_set(:"@#{name}", value) if respond_to?(name)
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def issued_token
|
|
16
|
+
auth&.issued_token
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
@@ -6,9 +6,9 @@ module Doorkeeper
|
|
|
6
6
|
attr_reader :reason
|
|
7
7
|
|
|
8
8
|
def self.from_access_token(access_token, attributes = {})
|
|
9
|
-
reason = if access_token
|
|
9
|
+
reason = if access_token&.revoked?
|
|
10
10
|
:revoked
|
|
11
|
-
elsif access_token
|
|
11
|
+
elsif access_token&.expired?
|
|
12
12
|
:expired
|
|
13
13
|
else
|
|
14
14
|
:unknown
|
|
@@ -10,8 +10,7 @@ module Doorkeeper
|
|
|
10
10
|
validate :resource_owner, error: :invalid_grant
|
|
11
11
|
validate :scopes, error: :invalid_scope
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
:access_token
|
|
13
|
+
attr_reader :client, :resource_owner, :parameters, :access_token
|
|
15
14
|
|
|
16
15
|
def initialize(server, client, resource_owner, parameters = {})
|
|
17
16
|
@server = server
|
|
@@ -25,18 +24,17 @@ module Doorkeeper
|
|
|
25
24
|
private
|
|
26
25
|
|
|
27
26
|
def before_successful_response
|
|
28
|
-
find_or_create_access_token(client, resource_owner
|
|
27
|
+
find_or_create_access_token(client, resource_owner, scopes, server)
|
|
29
28
|
super
|
|
30
29
|
end
|
|
31
30
|
|
|
32
31
|
def validate_scopes
|
|
33
|
-
client_scopes = client.try(:scopes)
|
|
34
32
|
return true if scopes.blank?
|
|
35
33
|
|
|
36
34
|
ScopeChecker.valid?(
|
|
37
35
|
scope_str: scopes.to_s,
|
|
38
36
|
server_scopes: server.scopes,
|
|
39
|
-
app_scopes:
|
|
37
|
+
app_scopes: client.try(:scopes),
|
|
40
38
|
grant_type: grant_type,
|
|
41
39
|
)
|
|
42
40
|
end
|
|
@@ -45,12 +43,31 @@ module Doorkeeper
|
|
|
45
43
|
resource_owner.present?
|
|
46
44
|
end
|
|
47
45
|
|
|
46
|
+
# Section 4.3.2. Access Token Request for Resource Owner Password Credentials Grant:
|
|
47
|
+
#
|
|
48
|
+
# If the client type is confidential or the client was issued client credentials (or assigned
|
|
49
|
+
# other authentication requirements), the client MUST authenticate with the authorization
|
|
50
|
+
# server as described in Section 3.2.1.
|
|
51
|
+
#
|
|
52
|
+
# The authorization server MUST:
|
|
53
|
+
#
|
|
54
|
+
# o require client authentication for confidential clients or for any client that was
|
|
55
|
+
# issued client credentials (or with other authentication requirements)
|
|
56
|
+
#
|
|
57
|
+
# o authenticate the client if client authentication is included,
|
|
58
|
+
#
|
|
59
|
+
# @see https://tools.ietf.org/html/rfc6749#section-4.3
|
|
60
|
+
#
|
|
48
61
|
def validate_client
|
|
49
|
-
|
|
62
|
+
if Doorkeeper.config.skip_client_authentication_for_password_grant
|
|
63
|
+
!parameters[:client_id] || client.present?
|
|
64
|
+
else
|
|
65
|
+
client.present?
|
|
66
|
+
end
|
|
50
67
|
end
|
|
51
68
|
|
|
52
69
|
def validate_client_supports_grant_flow
|
|
53
|
-
server_config.allow_grant_flow_for_client?(grant_type, client)
|
|
70
|
+
server_config.allow_grant_flow_for_client?(grant_type, client&.application)
|
|
54
71
|
end
|
|
55
72
|
end
|
|
56
73
|
end
|
|
@@ -5,39 +5,37 @@ module Doorkeeper
|
|
|
5
5
|
class PreAuthorization
|
|
6
6
|
include Validations
|
|
7
7
|
|
|
8
|
-
validate :client_id,
|
|
9
|
-
validate :client,
|
|
10
|
-
validate :redirect_uri, error: :invalid_redirect_uri
|
|
11
|
-
validate :params, error: :invalid_request
|
|
12
|
-
validate :response_type, error: :unsupported_response_type
|
|
13
|
-
validate :scopes, error: :invalid_scope
|
|
14
|
-
validate :code_challenge_method, error: :invalid_code_challenge_method
|
|
8
|
+
validate :client_id, error: :invalid_request
|
|
9
|
+
validate :client, error: :invalid_client
|
|
15
10
|
validate :client_supports_grant_flow, error: :unauthorized_client
|
|
11
|
+
validate :resource_owner_authorize_for_client, error: :invalid_client
|
|
12
|
+
validate :redirect_uri, error: :invalid_redirect_uri
|
|
13
|
+
validate :params, error: :invalid_request
|
|
14
|
+
validate :response_type, error: :unsupported_response_type
|
|
15
|
+
validate :scopes, error: :invalid_scope
|
|
16
|
+
validate :code_challenge_method, error: :invalid_code_challenge_method
|
|
16
17
|
|
|
17
|
-
attr_reader :
|
|
18
|
-
:
|
|
18
|
+
attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
|
|
19
|
+
:redirect_uri, :resource_owner, :response_type, :state
|
|
19
20
|
|
|
20
|
-
def initialize(server,
|
|
21
|
+
def initialize(server, parameters = {}, resource_owner = nil)
|
|
21
22
|
@server = server
|
|
22
|
-
@client_id =
|
|
23
|
-
@response_type =
|
|
24
|
-
@redirect_uri =
|
|
25
|
-
@scope =
|
|
26
|
-
@state =
|
|
27
|
-
@code_challenge =
|
|
28
|
-
@code_challenge_method =
|
|
23
|
+
@client_id = parameters[:client_id]
|
|
24
|
+
@response_type = parameters[:response_type]
|
|
25
|
+
@redirect_uri = parameters[:redirect_uri]
|
|
26
|
+
@scope = parameters[:scope]
|
|
27
|
+
@state = parameters[:state]
|
|
28
|
+
@code_challenge = parameters[:code_challenge]
|
|
29
|
+
@code_challenge_method = parameters[:code_challenge_method]
|
|
30
|
+
@resource_owner = resource_owner
|
|
29
31
|
end
|
|
30
32
|
|
|
31
33
|
def authorizable?
|
|
32
34
|
valid?
|
|
33
35
|
end
|
|
34
36
|
|
|
35
|
-
def validate_client_supports_grant_flow
|
|
36
|
-
Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
|
|
37
|
-
end
|
|
38
|
-
|
|
39
37
|
def scopes
|
|
40
|
-
Scopes.from_string
|
|
38
|
+
Scopes.from_string(scope)
|
|
41
39
|
end
|
|
42
40
|
|
|
43
41
|
def scope
|
|
@@ -55,14 +53,14 @@ module Doorkeeper
|
|
|
55
53
|
end
|
|
56
54
|
end
|
|
57
55
|
|
|
58
|
-
def as_json(
|
|
59
|
-
return pre_auth_hash.merge(attributes.to_h) if attributes.respond_to?(:to_h)
|
|
60
|
-
|
|
56
|
+
def as_json(_options = nil)
|
|
61
57
|
pre_auth_hash
|
|
62
58
|
end
|
|
63
59
|
|
|
64
60
|
private
|
|
65
61
|
|
|
62
|
+
attr_reader :client_id, :server
|
|
63
|
+
|
|
66
64
|
def build_scopes
|
|
67
65
|
client_scopes = client.scopes
|
|
68
66
|
if client_scopes.blank?
|
|
@@ -74,7 +72,6 @@ module Doorkeeper
|
|
|
74
72
|
|
|
75
73
|
def validate_client_id
|
|
76
74
|
@missing_param = :client_id if client_id.blank?
|
|
77
|
-
|
|
78
75
|
@missing_param.nil?
|
|
79
76
|
end
|
|
80
77
|
|
|
@@ -83,6 +80,15 @@ module Doorkeeper
|
|
|
83
80
|
@client.present?
|
|
84
81
|
end
|
|
85
82
|
|
|
83
|
+
def validate_client_supports_grant_flow
|
|
84
|
+
Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
def validate_resource_owner_authorize_for_client
|
|
88
|
+
# The `authorize_resource_owner_for_client` config option is used for this validation
|
|
89
|
+
client.application.authorized_for_resource_owner?(@resource_owner)
|
|
90
|
+
end
|
|
91
|
+
|
|
86
92
|
def validate_redirect_uri
|
|
87
93
|
return false if redirect_uri.blank?
|
|
88
94
|
|
|
@@ -103,7 +109,9 @@ module Doorkeeper
|
|
|
103
109
|
end
|
|
104
110
|
|
|
105
111
|
def validate_response_type
|
|
106
|
-
server.
|
|
112
|
+
server.authorization_response_flows.any? do |flow|
|
|
113
|
+
flow.matches_response_type?(response_type)
|
|
114
|
+
end
|
|
107
115
|
end
|
|
108
116
|
|
|
109
117
|
def validate_scopes
|
|
@@ -115,11 +123,9 @@ module Doorkeeper
|
|
|
115
123
|
)
|
|
116
124
|
end
|
|
117
125
|
|
|
118
|
-
def grant_type
|
|
119
|
-
response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
|
|
120
|
-
end
|
|
121
|
-
|
|
122
126
|
def validate_code_challenge_method
|
|
127
|
+
return true unless Doorkeeper.config.access_grant_model.pkce_supported?
|
|
128
|
+
|
|
123
129
|
code_challenge.blank? ||
|
|
124
130
|
(code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
|
|
125
131
|
end
|
|
@@ -128,6 +134,10 @@ module Doorkeeper
|
|
|
128
134
|
response_type == "token"
|
|
129
135
|
end
|
|
130
136
|
|
|
137
|
+
def grant_type
|
|
138
|
+
response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
|
|
139
|
+
end
|
|
140
|
+
|
|
131
141
|
def pre_auth_hash
|
|
132
142
|
{
|
|
133
143
|
client_id: client.uid,
|