doorkeeper 5.3.3 → 5.5.0.rc2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of doorkeeper might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +125 -7
- data/README.md +6 -4
- data/app/controllers/doorkeeper/applications_controller.rb +4 -4
- data/app/controllers/doorkeeper/authorizations_controller.rb +46 -16
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +2 -2
- data/app/controllers/doorkeeper/tokens_controller.rb +67 -22
- data/app/views/doorkeeper/applications/_form.html.erb +1 -1
- data/app/views/doorkeeper/applications/show.html.erb +35 -14
- data/app/views/doorkeeper/authorizations/form_post.html.erb +11 -0
- data/config/locales/en.yml +6 -2
- data/lib/doorkeeper.rb +111 -79
- data/lib/doorkeeper/config.rb +148 -94
- data/lib/doorkeeper/config/abstract_builder.rb +28 -0
- data/lib/doorkeeper/config/option.rb +26 -14
- data/lib/doorkeeper/config/validations.rb +53 -0
- data/lib/doorkeeper/engine.rb +1 -1
- data/lib/doorkeeper/grant_flow.rb +45 -0
- data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
- data/lib/doorkeeper/grant_flow/flow.rb +44 -0
- data/lib/doorkeeper/grant_flow/registry.rb +50 -0
- data/lib/doorkeeper/grape/helpers.rb +1 -1
- data/lib/doorkeeper/helpers/controller.rb +8 -4
- data/lib/doorkeeper/models/access_grant_mixin.rb +21 -18
- data/lib/doorkeeper/models/access_token_mixin.rb +110 -47
- data/lib/doorkeeper/models/application_mixin.rb +5 -4
- data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
- data/lib/doorkeeper/models/concerns/revocable.rb +1 -1
- data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
- data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
- data/lib/doorkeeper/oauth/authorization/code.rb +19 -6
- data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
- data/lib/doorkeeper/oauth/authorization/token.rb +18 -16
- data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
- data/lib/doorkeeper/oauth/authorization_code_request.rb +17 -14
- data/lib/doorkeeper/oauth/base_request.rb +12 -20
- data/lib/doorkeeper/oauth/client.rb +1 -1
- data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +27 -8
- data/lib/doorkeeper/oauth/client_credentials/issuer.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials/validator.rb +4 -2
- data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
- data/lib/doorkeeper/oauth/code_request.rb +3 -3
- data/lib/doorkeeper/oauth/code_response.rb +22 -12
- data/lib/doorkeeper/oauth/error_response.rb +6 -7
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +2 -8
- data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
- data/lib/doorkeeper/oauth/invalid_token_response.rb +2 -2
- data/lib/doorkeeper/oauth/password_access_token_request.rb +24 -7
- data/lib/doorkeeper/oauth/pre_authorization.rb +63 -32
- data/lib/doorkeeper/oauth/refresh_token_request.rb +31 -22
- data/lib/doorkeeper/oauth/token.rb +5 -6
- data/lib/doorkeeper/oauth/token_introspection.rb +4 -8
- data/lib/doorkeeper/oauth/token_request.rb +3 -3
- data/lib/doorkeeper/oauth/token_response.rb +1 -1
- data/lib/doorkeeper/orm/active_record.rb +14 -7
- data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +8 -3
- data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +7 -3
- data/lib/doorkeeper/orm/active_record/mixins/application.rb +6 -3
- data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +5 -0
- data/lib/doorkeeper/rails/routes.rb +14 -20
- data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
- data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
- data/lib/doorkeeper/rails/routes/registry.rb +45 -0
- data/lib/doorkeeper/request.rb +49 -12
- data/lib/doorkeeper/request/refresh_token.rb +2 -1
- data/lib/doorkeeper/request/strategy.rb +2 -2
- data/lib/doorkeeper/server.rb +4 -4
- data/lib/doorkeeper/stale_records_cleaner.rb +4 -4
- data/lib/doorkeeper/version.rb +3 -7
- data/lib/generators/doorkeeper/confidential_applications_generator.rb +1 -1
- data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
- data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
- data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
- data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
- data/lib/generators/doorkeeper/templates/initializer.rb +48 -10
- data/lib/generators/doorkeeper/templates/migration.rb.erb +14 -5
- metadata +30 -300
- data/Appraisals +0 -40
- data/CODE_OF_CONDUCT.md +0 -46
- data/CONTRIBUTING.md +0 -49
- data/Dangerfile +0 -67
- data/Dockerfile +0 -29
- data/Gemfile +0 -25
- data/NEWS.md +0 -1
- data/RELEASING.md +0 -11
- data/Rakefile +0 -28
- data/SECURITY.md +0 -15
- data/UPGRADE.md +0 -2
- data/bin/console +0 -16
- data/doorkeeper.gemspec +0 -42
- data/gemfiles/rails_5_0.gemfile +0 -18
- data/gemfiles/rails_5_1.gemfile +0 -18
- data/gemfiles/rails_5_2.gemfile +0 -18
- data/gemfiles/rails_6_0.gemfile +0 -18
- data/gemfiles/rails_master.gemfile +0 -18
- data/spec/controllers/application_metal_controller_spec.rb +0 -64
- data/spec/controllers/applications_controller_spec.rb +0 -274
- data/spec/controllers/authorizations_controller_spec.rb +0 -608
- data/spec/controllers/protected_resources_controller_spec.rb +0 -361
- data/spec/controllers/token_info_controller_spec.rb +0 -50
- data/spec/controllers/tokens_controller_spec.rb +0 -498
- data/spec/dummy/Rakefile +0 -9
- data/spec/dummy/app/assets/config/manifest.js +0 -2
- data/spec/dummy/app/controllers/application_controller.rb +0 -5
- data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
- data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
- data/spec/dummy/app/controllers/home_controller.rb +0 -18
- data/spec/dummy/app/controllers/metal_controller.rb +0 -13
- data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
- data/spec/dummy/app/helpers/application_helper.rb +0 -7
- data/spec/dummy/app/models/user.rb +0 -7
- data/spec/dummy/app/views/home/index.html.erb +0 -0
- data/spec/dummy/app/views/layouts/application.html.erb +0 -14
- data/spec/dummy/config.ru +0 -6
- data/spec/dummy/config/application.rb +0 -49
- data/spec/dummy/config/boot.rb +0 -7
- data/spec/dummy/config/database.yml +0 -15
- data/spec/dummy/config/environment.rb +0 -5
- data/spec/dummy/config/environments/development.rb +0 -31
- data/spec/dummy/config/environments/production.rb +0 -64
- data/spec/dummy/config/environments/test.rb +0 -45
- data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
- data/spec/dummy/config/initializers/doorkeeper.rb +0 -166
- data/spec/dummy/config/initializers/secret_token.rb +0 -10
- data/spec/dummy/config/initializers/session_store.rb +0 -10
- data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
- data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
- data/spec/dummy/config/routes.rb +0 -13
- data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
- data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
- data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
- data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
- data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
- data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
- data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
- data/spec/dummy/db/schema.rb +0 -68
- data/spec/dummy/public/404.html +0 -26
- data/spec/dummy/public/422.html +0 -26
- data/spec/dummy/public/500.html +0 -26
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/dummy/script/rails +0 -9
- data/spec/factories.rb +0 -30
- data/spec/generators/application_owner_generator_spec.rb +0 -28
- data/spec/generators/confidential_applications_generator_spec.rb +0 -29
- data/spec/generators/install_generator_spec.rb +0 -36
- data/spec/generators/migration_generator_spec.rb +0 -28
- data/spec/generators/pkce_generator_spec.rb +0 -28
- data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
- data/spec/generators/templates/routes.rb +0 -4
- data/spec/generators/views_generator_spec.rb +0 -29
- data/spec/grape/grape_integration_spec.rb +0 -137
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
- data/spec/lib/config_spec.rb +0 -809
- data/spec/lib/doorkeeper_spec.rb +0 -27
- data/spec/lib/models/expirable_spec.rb +0 -61
- data/spec/lib/models/reusable_spec.rb +0 -40
- data/spec/lib/models/revocable_spec.rb +0 -59
- data/spec/lib/models/scopes_spec.rb +0 -53
- data/spec/lib/models/secret_storable_spec.rb +0 -135
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
- data/spec/lib/oauth/authorization_code_request_spec.rb +0 -170
- data/spec/lib/oauth/base_request_spec.rb +0 -224
- data/spec/lib/oauth/base_response_spec.rb +0 -45
- data/spec/lib/oauth/client/credentials_spec.rb +0 -90
- data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -134
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
- data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
- data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -27
- data/spec/lib/oauth/client_credentials_request_spec.rb +0 -107
- data/spec/lib/oauth/client_spec.rb +0 -38
- data/spec/lib/oauth/code_request_spec.rb +0 -46
- data/spec/lib/oauth/code_response_spec.rb +0 -32
- data/spec/lib/oauth/error_response_spec.rb +0 -64
- data/spec/lib/oauth/error_spec.rb +0 -21
- data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -20
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -110
- data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -262
- data/spec/lib/oauth/invalid_request_response_spec.rb +0 -73
- data/spec/lib/oauth/invalid_token_response_spec.rb +0 -53
- data/spec/lib/oauth/password_access_token_request_spec.rb +0 -190
- data/spec/lib/oauth/pre_authorization_spec.rb +0 -223
- data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
- data/spec/lib/oauth/scopes_spec.rb +0 -146
- data/spec/lib/oauth/token_request_spec.rb +0 -157
- data/spec/lib/oauth/token_response_spec.rb +0 -84
- data/spec/lib/oauth/token_spec.rb +0 -156
- data/spec/lib/request/strategy_spec.rb +0 -54
- data/spec/lib/secret_storing/base_spec.rb +0 -60
- data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
- data/spec/lib/secret_storing/plain_spec.rb +0 -44
- data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
- data/spec/lib/server_spec.rb +0 -49
- data/spec/lib/stale_records_cleaner_spec.rb +0 -89
- data/spec/models/doorkeeper/access_grant_spec.rb +0 -161
- data/spec/models/doorkeeper/access_token_spec.rb +0 -622
- data/spec/models/doorkeeper/application_spec.rb +0 -482
- data/spec/requests/applications/applications_request_spec.rb +0 -259
- data/spec/requests/applications/authorized_applications_spec.rb +0 -32
- data/spec/requests/endpoints/authorization_spec.rb +0 -91
- data/spec/requests/endpoints/token_spec.rb +0 -75
- data/spec/requests/flows/authorization_code_errors_spec.rb +0 -79
- data/spec/requests/flows/authorization_code_spec.rb +0 -525
- data/spec/requests/flows/client_credentials_spec.rb +0 -166
- data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -46
- data/spec/requests/flows/implicit_grant_spec.rb +0 -91
- data/spec/requests/flows/password_spec.rb +0 -316
- data/spec/requests/flows/refresh_token_spec.rb +0 -233
- data/spec/requests/flows/revoke_token_spec.rb +0 -157
- data/spec/requests/flows/skip_authorization_spec.rb +0 -66
- data/spec/requests/protected_resources/metal_spec.rb +0 -16
- data/spec/requests/protected_resources/private_api_spec.rb +0 -83
- data/spec/routing/custom_controller_routes_spec.rb +0 -133
- data/spec/routing/default_routes_spec.rb +0 -41
- data/spec/routing/scoped_routes_spec.rb +0 -47
- data/spec/spec_helper.rb +0 -54
- data/spec/spec_helper_integration.rb +0 -4
- data/spec/support/dependencies/factory_bot.rb +0 -4
- data/spec/support/doorkeeper_rspec.rb +0 -22
- data/spec/support/helpers/access_token_request_helper.rb +0 -13
- data/spec/support/helpers/authorization_request_helper.rb +0 -43
- data/spec/support/helpers/config_helper.rb +0 -11
- data/spec/support/helpers/model_helper.rb +0 -78
- data/spec/support/helpers/request_spec_helper.rb +0 -110
- data/spec/support/helpers/url_helper.rb +0 -62
- data/spec/support/orm/active_record.rb +0 -5
- data/spec/support/shared/controllers_shared_context.rb +0 -133
- data/spec/support/shared/hashing_shared_context.rb +0 -36
- data/spec/support/shared/models_shared_examples.rb +0 -54
- data/spec/validators/redirect_uri_validator_spec.rb +0 -183
- data/spec/version/version_spec.rb +0 -17
|
@@ -2,9 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Issuer
|
|
7
|
-
|
|
7
|
+
attr_reader :token, :validator, :error
|
|
8
8
|
|
|
9
9
|
def initialize(server, validator)
|
|
10
10
|
@server = server
|
|
@@ -19,6 +19,7 @@ module Doorkeeper
|
|
|
19
19
|
@token = false
|
|
20
20
|
@error = validator.error
|
|
21
21
|
end
|
|
22
|
+
|
|
22
23
|
@token
|
|
23
24
|
end
|
|
24
25
|
|
|
@@ -29,6 +30,7 @@ module Doorkeeper
|
|
|
29
30
|
client,
|
|
30
31
|
Doorkeeper::OAuth::CLIENT_CREDENTIALS,
|
|
31
32
|
scopes,
|
|
33
|
+
nil,
|
|
32
34
|
)
|
|
33
35
|
ttl = Authorization::Token.access_token_expires_in(@server, context)
|
|
34
36
|
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
|
-
|
|
5
|
+
module ClientCredentials
|
|
6
6
|
class Validator
|
|
7
7
|
include Validations
|
|
8
8
|
include OAuth::Helpers
|
|
@@ -26,9 +26,11 @@ module Doorkeeper
|
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
def validate_client_supports_grant_flow
|
|
29
|
+
return if @client.blank?
|
|
30
|
+
|
|
29
31
|
Doorkeeper.config.allow_grant_flow_for_client?(
|
|
30
32
|
Doorkeeper::OAuth::CLIENT_CREDENTIALS,
|
|
31
|
-
@client,
|
|
33
|
+
@client.application,
|
|
32
34
|
)
|
|
33
35
|
end
|
|
34
36
|
|
|
@@ -3,18 +3,12 @@
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
5
|
class ClientCredentialsRequest < BaseRequest
|
|
6
|
-
|
|
7
|
-
attr_reader :response
|
|
8
|
-
attr_writer :issuer
|
|
6
|
+
attr_reader :client, :original_scopes, :response
|
|
9
7
|
|
|
10
8
|
alias error_response response
|
|
11
9
|
|
|
12
10
|
delegate :error, to: :issuer
|
|
13
11
|
|
|
14
|
-
def issuer
|
|
15
|
-
@issuer ||= Issuer.new(server, Validator.new(server, self))
|
|
16
|
-
end
|
|
17
|
-
|
|
18
12
|
def initialize(server, client, parameters = {})
|
|
19
13
|
@client = client
|
|
20
14
|
@server = server
|
|
@@ -26,6 +20,13 @@ module Doorkeeper
|
|
|
26
20
|
issuer.token
|
|
27
21
|
end
|
|
28
22
|
|
|
23
|
+
def issuer
|
|
24
|
+
@issuer ||= ClientCredentials::Issuer.new(
|
|
25
|
+
server,
|
|
26
|
+
ClientCredentials::Validator.new(server, self),
|
|
27
|
+
)
|
|
28
|
+
end
|
|
29
|
+
|
|
29
30
|
private
|
|
30
31
|
|
|
31
32
|
def valid?
|
|
@@ -3,16 +3,16 @@
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OAuth
|
|
5
5
|
class CodeRequest
|
|
6
|
-
|
|
6
|
+
attr_reader :pre_auth, :resource_owner
|
|
7
7
|
|
|
8
8
|
def initialize(pre_auth, resource_owner)
|
|
9
|
-
@pre_auth
|
|
9
|
+
@pre_auth = pre_auth
|
|
10
10
|
@resource_owner = resource_owner
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def authorize
|
|
14
14
|
auth = Authorization::Code.new(pre_auth, resource_owner)
|
|
15
|
-
auth.issue_token
|
|
15
|
+
auth.issue_token!
|
|
16
16
|
CodeResponse.new(pre_auth, auth)
|
|
17
17
|
end
|
|
18
18
|
|
|
@@ -5,7 +5,7 @@ module Doorkeeper
|
|
|
5
5
|
class CodeResponse < BaseResponse
|
|
6
6
|
include OAuth::Helpers
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
attr_reader :pre_auth, :auth, :response_on_fragment
|
|
9
9
|
|
|
10
10
|
def initialize(pre_auth, auth, options = {})
|
|
11
11
|
@pre_auth = pre_auth
|
|
@@ -17,23 +17,33 @@ module Doorkeeper
|
|
|
17
17
|
true
|
|
18
18
|
end
|
|
19
19
|
|
|
20
|
-
def
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
20
|
+
def issued_token
|
|
21
|
+
auth.token
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def body
|
|
25
|
+
if auth.try(:access_token?)
|
|
26
|
+
{
|
|
26
27
|
access_token: auth.token.plaintext_token,
|
|
27
28
|
token_type: auth.token.token_type,
|
|
28
29
|
expires_in: auth.token.expires_in_seconds,
|
|
29
30
|
state: pre_auth.state,
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
pre_auth.redirect_uri,
|
|
31
|
+
}
|
|
32
|
+
elsif auth.try(:access_grant?)
|
|
33
|
+
{
|
|
34
34
|
code: auth.token.plaintext_token,
|
|
35
35
|
state: pre_auth.state,
|
|
36
|
-
|
|
36
|
+
}
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def redirect_uri
|
|
41
|
+
if URIChecker.oob_uri?(pre_auth.redirect_uri)
|
|
42
|
+
auth.oob_redirect
|
|
43
|
+
elsif response_on_fragment
|
|
44
|
+
Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, body)
|
|
45
|
+
else
|
|
46
|
+
Authorization::URIBuilder.uri_with_query(pre_auth.redirect_uri, body)
|
|
37
47
|
end
|
|
38
48
|
end
|
|
39
49
|
end
|
|
@@ -5,6 +5,8 @@ module Doorkeeper
|
|
|
5
5
|
class ErrorResponse < BaseResponse
|
|
6
6
|
include OAuth::Helpers
|
|
7
7
|
|
|
8
|
+
NON_REDIRECTABLE_STATES = %i[invalid_redirect_uri invalid_client unauthorized_client].freeze
|
|
9
|
+
|
|
8
10
|
def self.from_request(request, attributes = {})
|
|
9
11
|
new(
|
|
10
12
|
attributes.merge(
|
|
@@ -32,7 +34,7 @@ module Doorkeeper
|
|
|
32
34
|
end
|
|
33
35
|
|
|
34
36
|
def status
|
|
35
|
-
if name == :invalid_client
|
|
37
|
+
if name == :invalid_client || name == :unauthorized_client
|
|
36
38
|
:unauthorized
|
|
37
39
|
else
|
|
38
40
|
:bad_request
|
|
@@ -40,8 +42,7 @@ module Doorkeeper
|
|
|
40
42
|
end
|
|
41
43
|
|
|
42
44
|
def redirectable?
|
|
43
|
-
name
|
|
44
|
-
!URIChecker.oob_uri?(@redirect_uri)
|
|
45
|
+
!NON_REDIRECTABLE_STATES.include?(name) && !URIChecker.oob_uri?(@redirect_uri)
|
|
45
46
|
end
|
|
46
47
|
|
|
47
48
|
def redirect_uri
|
|
@@ -67,10 +68,8 @@ module Doorkeeper
|
|
|
67
68
|
|
|
68
69
|
protected
|
|
69
70
|
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
def configuration
|
|
73
|
-
Doorkeeper.config
|
|
71
|
+
def realm
|
|
72
|
+
Doorkeeper.config.realm
|
|
74
73
|
end
|
|
75
74
|
|
|
76
75
|
def exception_class
|
|
@@ -12,9 +12,7 @@ module Doorkeeper
|
|
|
12
12
|
@scope_str = scope_str
|
|
13
13
|
@valid_scopes = valid_scopes(server_scopes, app_scopes)
|
|
14
14
|
|
|
15
|
-
if grant_type
|
|
16
|
-
@scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym]
|
|
17
|
-
end
|
|
15
|
+
@scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym] if grant_type
|
|
18
16
|
end
|
|
19
17
|
|
|
20
18
|
def valid?
|
|
@@ -27,11 +25,7 @@ module Doorkeeper
|
|
|
27
25
|
private
|
|
28
26
|
|
|
29
27
|
def valid_scopes(server_scopes, app_scopes)
|
|
30
|
-
|
|
31
|
-
app_scopes
|
|
32
|
-
else
|
|
33
|
-
server_scopes
|
|
34
|
-
end
|
|
28
|
+
app_scopes.presence || server_scopes
|
|
35
29
|
end
|
|
36
30
|
|
|
37
31
|
def permitted_to_grant_type?
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Doorkeeper
|
|
4
|
+
module OAuth
|
|
5
|
+
module Hooks
|
|
6
|
+
class Context
|
|
7
|
+
attr_reader :auth, :pre_auth
|
|
8
|
+
|
|
9
|
+
def initialize(**attributes)
|
|
10
|
+
attributes.each do |name, value|
|
|
11
|
+
instance_variable_set(:"@#{name}", value) if respond_to?(name)
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def issued_token
|
|
16
|
+
auth&.issued_token
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
@@ -6,9 +6,9 @@ module Doorkeeper
|
|
|
6
6
|
attr_reader :reason
|
|
7
7
|
|
|
8
8
|
def self.from_access_token(access_token, attributes = {})
|
|
9
|
-
reason = if access_token
|
|
9
|
+
reason = if access_token&.revoked?
|
|
10
10
|
:revoked
|
|
11
|
-
elsif access_token
|
|
11
|
+
elsif access_token&.expired?
|
|
12
12
|
:expired
|
|
13
13
|
else
|
|
14
14
|
:unknown
|
|
@@ -10,8 +10,7 @@ module Doorkeeper
|
|
|
10
10
|
validate :resource_owner, error: :invalid_grant
|
|
11
11
|
validate :scopes, error: :invalid_scope
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
:access_token
|
|
13
|
+
attr_reader :client, :resource_owner, :parameters, :access_token
|
|
15
14
|
|
|
16
15
|
def initialize(server, client, resource_owner, parameters = {})
|
|
17
16
|
@server = server
|
|
@@ -25,18 +24,17 @@ module Doorkeeper
|
|
|
25
24
|
private
|
|
26
25
|
|
|
27
26
|
def before_successful_response
|
|
28
|
-
find_or_create_access_token(client, resource_owner
|
|
27
|
+
find_or_create_access_token(client, resource_owner, scopes, server)
|
|
29
28
|
super
|
|
30
29
|
end
|
|
31
30
|
|
|
32
31
|
def validate_scopes
|
|
33
|
-
client_scopes = client.try(:scopes)
|
|
34
32
|
return true if scopes.blank?
|
|
35
33
|
|
|
36
34
|
ScopeChecker.valid?(
|
|
37
35
|
scope_str: scopes.to_s,
|
|
38
36
|
server_scopes: server.scopes,
|
|
39
|
-
app_scopes:
|
|
37
|
+
app_scopes: client.try(:scopes),
|
|
40
38
|
grant_type: grant_type,
|
|
41
39
|
)
|
|
42
40
|
end
|
|
@@ -45,12 +43,31 @@ module Doorkeeper
|
|
|
45
43
|
resource_owner.present?
|
|
46
44
|
end
|
|
47
45
|
|
|
46
|
+
# Section 4.3.2. Access Token Request for Resource Owner Password Credentials Grant:
|
|
47
|
+
#
|
|
48
|
+
# If the client type is confidential or the client was issued client credentials (or assigned
|
|
49
|
+
# other authentication requirements), the client MUST authenticate with the authorization
|
|
50
|
+
# server as described in Section 3.2.1.
|
|
51
|
+
#
|
|
52
|
+
# The authorization server MUST:
|
|
53
|
+
#
|
|
54
|
+
# o require client authentication for confidential clients or for any client that was
|
|
55
|
+
# issued client credentials (or with other authentication requirements)
|
|
56
|
+
#
|
|
57
|
+
# o authenticate the client if client authentication is included,
|
|
58
|
+
#
|
|
59
|
+
# @see https://tools.ietf.org/html/rfc6749#section-4.3
|
|
60
|
+
#
|
|
48
61
|
def validate_client
|
|
49
|
-
|
|
62
|
+
if Doorkeeper.config.skip_client_authentication_for_password_grant
|
|
63
|
+
!parameters[:client_id] || client.present?
|
|
64
|
+
else
|
|
65
|
+
client.present?
|
|
66
|
+
end
|
|
50
67
|
end
|
|
51
68
|
|
|
52
69
|
def validate_client_supports_grant_flow
|
|
53
|
-
server_config.allow_grant_flow_for_client?(grant_type, client)
|
|
70
|
+
server_config.allow_grant_flow_for_client?(grant_type, client&.application)
|
|
54
71
|
end
|
|
55
72
|
end
|
|
56
73
|
end
|
|
@@ -5,39 +5,40 @@ module Doorkeeper
|
|
|
5
5
|
class PreAuthorization
|
|
6
6
|
include Validations
|
|
7
7
|
|
|
8
|
-
validate :client_id,
|
|
9
|
-
validate :client,
|
|
10
|
-
validate :redirect_uri, error: :invalid_redirect_uri
|
|
11
|
-
validate :params, error: :invalid_request
|
|
12
|
-
validate :response_type, error: :unsupported_response_type
|
|
13
|
-
validate :scopes, error: :invalid_scope
|
|
14
|
-
validate :code_challenge_method, error: :invalid_code_challenge_method
|
|
8
|
+
validate :client_id, error: :invalid_request
|
|
9
|
+
validate :client, error: :invalid_client
|
|
15
10
|
validate :client_supports_grant_flow, error: :unauthorized_client
|
|
11
|
+
validate :resource_owner_authorize_for_client, error: :invalid_client
|
|
12
|
+
validate :redirect_uri, error: :invalid_redirect_uri
|
|
13
|
+
validate :params, error: :invalid_request
|
|
14
|
+
validate :response_type, error: :unsupported_response_type
|
|
15
|
+
validate :response_mode, error: :unsupported_response_mode
|
|
16
|
+
validate :scopes, error: :invalid_scope
|
|
17
|
+
validate :code_challenge_method, error: :invalid_code_challenge_method
|
|
16
18
|
|
|
17
|
-
attr_reader :
|
|
18
|
-
:
|
|
19
|
+
attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
|
|
20
|
+
:redirect_uri, :resource_owner, :response_type, :state,
|
|
21
|
+
:authorization_response_flow, :response_mode
|
|
19
22
|
|
|
20
|
-
def initialize(server,
|
|
23
|
+
def initialize(server, parameters = {}, resource_owner = nil)
|
|
21
24
|
@server = server
|
|
22
|
-
@client_id =
|
|
23
|
-
@response_type =
|
|
24
|
-
@
|
|
25
|
-
@
|
|
26
|
-
@
|
|
27
|
-
@
|
|
28
|
-
@
|
|
25
|
+
@client_id = parameters[:client_id]
|
|
26
|
+
@response_type = parameters[:response_type]
|
|
27
|
+
@response_mode = parameters[:response_mode]
|
|
28
|
+
@redirect_uri = parameters[:redirect_uri]
|
|
29
|
+
@scope = parameters[:scope]
|
|
30
|
+
@state = parameters[:state]
|
|
31
|
+
@code_challenge = parameters[:code_challenge]
|
|
32
|
+
@code_challenge_method = parameters[:code_challenge_method]
|
|
33
|
+
@resource_owner = resource_owner
|
|
29
34
|
end
|
|
30
35
|
|
|
31
36
|
def authorizable?
|
|
32
37
|
valid?
|
|
33
38
|
end
|
|
34
39
|
|
|
35
|
-
def validate_client_supports_grant_flow
|
|
36
|
-
Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
|
|
37
|
-
end
|
|
38
|
-
|
|
39
40
|
def scopes
|
|
40
|
-
Scopes.from_string
|
|
41
|
+
Scopes.from_string(scope)
|
|
41
42
|
end
|
|
42
43
|
|
|
43
44
|
def scope
|
|
@@ -55,14 +56,18 @@ module Doorkeeper
|
|
|
55
56
|
end
|
|
56
57
|
end
|
|
57
58
|
|
|
58
|
-
def as_json(
|
|
59
|
-
return pre_auth_hash.merge(attributes.to_h) if attributes.respond_to?(:to_h)
|
|
60
|
-
|
|
59
|
+
def as_json(_options = nil)
|
|
61
60
|
pre_auth_hash
|
|
62
61
|
end
|
|
63
62
|
|
|
63
|
+
def form_post_response?
|
|
64
|
+
response_mode == "form_post"
|
|
65
|
+
end
|
|
66
|
+
|
|
64
67
|
private
|
|
65
68
|
|
|
69
|
+
attr_reader :client_id, :server
|
|
70
|
+
|
|
66
71
|
def build_scopes
|
|
67
72
|
client_scopes = client.scopes
|
|
68
73
|
if client_scopes.blank?
|
|
@@ -74,7 +79,6 @@ module Doorkeeper
|
|
|
74
79
|
|
|
75
80
|
def validate_client_id
|
|
76
81
|
@missing_param = :client_id if client_id.blank?
|
|
77
|
-
|
|
78
82
|
@missing_param.nil?
|
|
79
83
|
end
|
|
80
84
|
|
|
@@ -83,6 +87,15 @@ module Doorkeeper
|
|
|
83
87
|
@client.present?
|
|
84
88
|
end
|
|
85
89
|
|
|
90
|
+
def validate_client_supports_grant_flow
|
|
91
|
+
Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
|
|
92
|
+
end
|
|
93
|
+
|
|
94
|
+
def validate_resource_owner_authorize_for_client
|
|
95
|
+
# The `authorize_resource_owner_for_client` config option is used for this validation
|
|
96
|
+
client.application.authorized_for_resource_owner?(@resource_owner)
|
|
97
|
+
end
|
|
98
|
+
|
|
86
99
|
def validate_redirect_uri
|
|
87
100
|
return false if redirect_uri.blank?
|
|
88
101
|
|
|
@@ -103,7 +116,21 @@ module Doorkeeper
|
|
|
103
116
|
end
|
|
104
117
|
|
|
105
118
|
def validate_response_type
|
|
106
|
-
server.
|
|
119
|
+
server.authorization_response_flows.any? do |flow|
|
|
120
|
+
if flow.matches_response_type?(response_type)
|
|
121
|
+
@authorization_response_flow = flow
|
|
122
|
+
true
|
|
123
|
+
end
|
|
124
|
+
end
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
def validate_response_mode
|
|
128
|
+
if response_mode.blank?
|
|
129
|
+
@response_mode = authorization_response_flow.default_response_mode
|
|
130
|
+
return true
|
|
131
|
+
end
|
|
132
|
+
|
|
133
|
+
authorization_response_flow.matches_response_mode?(response_mode)
|
|
107
134
|
end
|
|
108
135
|
|
|
109
136
|
def validate_scopes
|
|
@@ -115,17 +142,21 @@ module Doorkeeper
|
|
|
115
142
|
)
|
|
116
143
|
end
|
|
117
144
|
|
|
118
|
-
def grant_type
|
|
119
|
-
response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
|
|
120
|
-
end
|
|
121
|
-
|
|
122
145
|
def validate_code_challenge_method
|
|
146
|
+
return true unless Doorkeeper.config.access_grant_model.pkce_supported?
|
|
147
|
+
|
|
123
148
|
code_challenge.blank? ||
|
|
124
149
|
(code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
|
|
125
150
|
end
|
|
126
151
|
|
|
127
152
|
def response_on_fragment?
|
|
128
|
-
response_type == "token"
|
|
153
|
+
return response_type == "token" if response_mode.nil?
|
|
154
|
+
|
|
155
|
+
response_mode == "fragment"
|
|
156
|
+
end
|
|
157
|
+
|
|
158
|
+
def grant_type
|
|
159
|
+
response_type == "code" ? AUTHORIZATION_CODE : IMPLICIT
|
|
129
160
|
end
|
|
130
161
|
|
|
131
162
|
def pre_auth_hash
|