rack-oauth2-server 2.0.0.beta3 → 2.0.0.beta4

data/lib/rack/oauth2/server/admin.rb

@@ -71,8 +71,8 @@ module Rack
         # Forces all requests to use HTTPS (true by default except in
         # development mode).
         set :force_ssl, !development?
-        # Common scopes shown and added by default to new clients.
-        set :scopes, []
+        # Common scope shown and added by default to new clients.
+        set :scope, []
 
 
         set :logger, defined?(::Rails) && ::Rails.logger
@@ -129,7 +129,7 @@ module Rack
         get "/api/clients" do
           content_type "application/json"
           json = { :list=>Server::Client.all.map { |client| client_as_json(client) },
-                   :scopes=>Server::Utils.normalize_scopes(settings.scopes),
+                   :scope=>Server::Utils.normalize_scope(settings.scope),
                    :history=>"#{request.script_name}/api/clients/history",
                    :tokens=>{ :total=>Server::AccessToken.count, :week=>Server::AccessToken.count(:days=>7),
                               :revoked=>Server::AccessToken.count(:days=>7, :revoked=>true) } }
@@ -220,13 +220,15 @@ module Rack
               halt 400, "Image URL must be an absolute URL with HTTP/S scheme" unless
                 image_url.absolute? && %{http https}.include?(image_url.scheme)
             end
-            scopes = Server::Utils.normalize_scopes(params[:scopes])
-            { :display_name=>display_name, :link=>link.to_s, :image_url=>image_url.to_s, :redirect_uri=>redirect_uri.to_s, :scopes=>scopes }
+            scope = Server::Utils.normalize_scope(params[:scope])
+            { :display_name=>display_name, :link=>link.to_s, :image_url=>image_url.to_s,
+              :redirect_uri=>redirect_uri.to_s, :scope=>scope, :notes=>params[:notes] }
           end
 
           def client_as_json(client, with_stats = false)
             { "id"=>client.id.to_s, "secret"=>client.secret, :redirectUri=>client.redirect_uri,
-              :displayName=>client.display_name, :link=>client.link, :imageUrl=>client.image_url, :scopes=>client.scopes,
+              :displayName=>client.display_name, :link=>client.link, :imageUrl=>client.image_url,
+              :notes=>client.notes, :scope=>client.scope,
               :url=>"#{request.script_name}/api/client/#{client.id}",
               :revoke=>"#{request.script_name}/api/client/#{client.id}/revoke",
               :history=>"#{request.script_name}/api/client/#{client.id}/history",

data/lib/rack/oauth2/server/helper.rb

@@ -54,9 +54,9 @@ module Rack
         # @return [Array<String>, nil] Scope names, e.g ["read, "write"]
         def scope
           if access_token
-            @scope ||= Server::Utils.normalize_scopes(Server.get_access_token(access_token).scope)
+            @scope ||= Server.get_access_token(access_token).scope
           elsif authorization
-            @scope ||= Server::Utils.normalize_scopes(Server.get_auth_request(authorization).scope)
+            @scope ||= Server.get_auth_request(authorization).scope
           end
         end
 

data/lib/rack/oauth2/server/practice.rb

@@ -21,7 +21,7 @@ module Rack
   <dt>Resource requiring authorization and scope "sudo":</dt>
   <dd>http://#{request.host}:#{request.port}/make</dd>
 </dl>
-<p>The scopes are "nobody", "sudo" and "oauth-admin".</p>
+<p>The scope can be "nobody", "sudo", "oauth-admin" or combination of the three.</p>
 <p>You can manage client applications and tokens from the <a href="/oauth/admin">OAuth console</a>.</p>
           HTML
         end

data/lib/rack/oauth2/server/utils.rb

@@ -17,10 +17,10 @@ module Rack
           raise InvalidRequestError, "Redirect URL looks fishy to me"
         end
 
-        # Gives list of scopes, as either array of string, return array of
-        # scope names (unique and sorted).
-        def normalize_scopes(scopes)
-          (Array === scopes ? scopes.join(" ") : scopes || "").split(/\s+/).compact.uniq.sort
+        # Given scope as either array or string, return array of same names,
+        # unique and sorted.
+        def normalize_scope(scope)
+          (Array === scope ? scope.join(" ") : scope || "").split(/\s+/).compact.uniq.sort
         end
 
       end

data/lib/rack/oauth2/server.rb

@@ -35,8 +35,7 @@ module Rack
         # Registers and returns a new Client. Can also be used to update
         # existing client registration, by passing identifier (and secret) of
         # existing client record. That way, your setup script can create a new
-        # client application and run repeatedly without fail. Also useful for
-        # adding new scopes to your existing client application.
+        # client application and run repeatedly without fail.
         #
         # @param [Hash] args Arguments for registering client application
         # @option args [String] :id Client identifier. Use this to update
@@ -50,17 +49,19 @@ module Rack
         # name.
         # @option args [String] redirect_uri Redirect URL: authorization
         # requests for this client will always redirect back to this URL.
-        # @option args [Array] scopes Scopes that client application can request
+        # @option args [Array] scope Scope that client application can request
+        # (list of names).
+        # @option args [Array] notes Free form text, for internal use.
         #
         # @example Registering new client application
         #   Server.register :display_name=>"My Application",
-        #     :link=>"http://example.com", :scopes=>%w{read write},
+        #     :link=>"http://example.com", :scope=>%w{read write},
         #     :redirect_uri=>"http://example.com/oauth/callback"
         # @example Migration using configuration file
         #   config = YAML.load_file(Rails.root + "config/oauth.yml")
         #   Server.register config["id"], config["secret"],
         #     :display_name=>"My  Application", :link=>"http://example.com",
-        #     :scopes=>config["scopes"],
+        #     :scope=>config["scope"],
         #     :redirect_uri=>"http://example.com/oauth/callback"
         def register(args)
           if args[:id] && args[:secret] && (client = get_client(args[:id]))
@@ -71,6 +72,19 @@ module Rack
           end
         end
 
+        # Creates and returns a new access grant. Actually, returns only the
+        # authorization code which you can turn into an access token by
+        # making a request to /oauth/access_token.
+        #
+        # @param [String] identity User ID, account ID, etc
+        # @param [String] client_id Client identifier
+        # @param [Array, nil] scope Array of string, nil if you want 'em all
+        # @return [String] Access grant authorization code
+        def access_grant(identity, client_id, scope = nil)
+          client = get_client(client_id) or fail "No such client"
+          AccessGrant.create(identity, client, scope || client.scope).code
+        end
+
         # Returns AccessToken from token.
         #
         # @param [String] token Access token (e.g. from oauth.access_token)
@@ -80,15 +94,16 @@ module Rack
         end
 
         # Returns AccessToken for the specified identity, client application and
-        # scopes. You can use this method to request existing access token, new
+        # scope. You can use this method to request existing access token, new
         # token generated if one does not already exists.
         #
         # @param [String] identity Identity, e.g. user ID, account ID
         # @param [String] client_id Client application identifier
-        # @param [String] scope Access scope (e.g. "read write")
-        # @return [AccessToken]
-        def get_token_for(identity, client_id, scope)
-          AccessToken.get_token_for(identity, client_id, scope)
+        # @param [Array, nil] scope Array of names, nil if you want 'em all
+        # @return [String] Access token
+        def token_for(identity, client_id, scope = nil)
+          client = get_client(client_id) or fail "No such client"
+          AccessToken.get_token_for(identity, client, scope || client.scope).token
         end
 
         # Returns all AccessTokens for an identity.
@@ -121,6 +136,15 @@ module Rack
       #   Defaults to use the request host name.
       # - :logger -- The logger to use. Under Rails, defaults to use the Rails
       #   logger.  Will use Rack::Logger if available.
+      #
+      # Authenticator is a block that receives either two or four parameters.
+      # The first two are username and password. The other two are the client
+      # identifier and scope. It authenticated, it returns an identity,
+      # otherwise it can return nil or false. For example:
+      #   oauth.authenticator = lambda do |username, password|
+      #     user = User.find_by_username(username)
+      #     user if user && user.authenticated?(password)
+      #   end
       Options = Struct.new(:access_token_path, :authenticator, :authorization_types,
         :authorize_path, :database, :host, :param_authentication, :path, :realm, :logger)
 
@@ -184,8 +208,8 @@ module Rack
             # and return appropriate WWW-Authenticate header.
             response = @app.call(env)
             if response[0] == 403
-              scopes = Utils.normalize_scopes(response[1]["oauth.no_scope"])
-              challenge = 'OAuth realm="%s", error="insufficient_scope", scope="%s"' % [(options.realm || request.host), scopes.join(" ")]
+              scope = Utils.normalize_scope(response[1]["oauth.no_scope"])
+              challenge = 'OAuth realm="%s", error="insufficient_scope", scope="%s"' % [(options.realm || request.host), scope.join(" ")]
               response[1]["WWW-Authenticate"] = challenge
               return response
             else
@@ -228,7 +252,7 @@ module Rack
             response_type = auth_request.response_type # Needed for error handling
             client = self.class.get_client(auth_request.client_id)
             # Pass back to application, watch for 403 (deny!)
-            logger.info "Request #{auth_request.id}: Client #{client.display_name} requested #{auth_request.response_type} with scope #{auth_request.scope}" if logger
+            logger.info "Request #{auth_request.id}: Client #{client.display_name} requested #{auth_request.response_type} with scope #{auth_request.scope.join(" ")}" if logger
             request.env["oauth.authorization"] = auth_request.id.to_s
             response = @app.call(request.env)
             raise AccessDeniedError if response[0] == 403
@@ -249,15 +273,15 @@ module Rack
             client = get_client(request)
             raise RedirectUriMismatchError unless client.redirect_uri.nil? || client.redirect_uri == redirect_uri.to_s
             raise UnsupportedResponseTypeError unless options.authorization_types.include?(response_type)
-            requested_scope = Utils.normalize_scopes(request.GET["scope"])
-            allowed_scopes = client.scopes
-            raise InvalidScopeError unless (requested_scope - allowed_scopes).empty?
+            requested_scope = Utils.normalize_scope(request.GET["scope"])
+            allowed_scope = client.scope
+            raise InvalidScopeError unless (requested_scope - allowed_scope).empty?
             # Create object to track authorization request and let application
             # handle the rest.
-            auth_request = AuthRequest.create(client.id, requested_scope, redirect_uri.to_s, response_type, state)
+            auth_request = AuthRequest.create(client, requested_scope, redirect_uri.to_s, response_type, state)
             uri = URI.parse(request.url)
             uri.query = "authorization=#{auth_request.id.to_s}"
-            return [303, { "Location"=>uri.to_s }, []]
+            return [303, { "Location"=>uri.to_s }, ["You are being redirected"]]
           end
         rescue OAuthError=>error
           logger.error "Authorization request error: #{error.code} #{error.message}" if logger
@@ -326,13 +350,16 @@ module Rack
             # 4.1.2.  Resource Owner Password Credentials
             username, password = request.POST.values_at("username", "password")
             raise InvalidGrantError unless username && password
-            identity = options.authenticator.call(username, password)
+            requested_scope = Utils.normalize_scope(request.POST["scope"])
+            allowed_scope = client.scope
+            raise InvalidScopeError unless (requested_scope - allowed_scope).empty?
+            args = [username, password]
+            args << client.id << requested_scope unless options.authenticator.arity == 2
+            identity = options.authenticator.call(*args)
             raise InvalidGrantError unless identity
-            requested_scope = Utils.normalize_scopes(request.POST["scope"])
-            allowed_scopes = client.scopes
-            raise InvalidScopeError unless (requested_scope - allowed_scopes).empty?
-            access_token = AccessToken.get_token_for(identity, client.id, requested_scope)
-          else raise UnsupportedGrantType
+            access_token = AccessToken.get_token_for(identity, client, requested_scope)
+          else
+            raise UnsupportedGrantType
           end
           logger.info "Access token #{access_token.token} granted to client #{client.display_name}, identity #{access_token.identity}" if logger
           response = { :access_token=>access_token.token }
@@ -368,7 +395,7 @@ module Rack
 
       # Rack redirect response. The argument is typically a URI object.
       def redirect_to(uri)
-        return [302, { "Location"=>uri.to_s }, []]
+        return [302, { "Location"=>uri.to_s }, ["You are being redirected"]]
       end
 
       def bad_request(message)
@@ -379,7 +406,7 @@ module Rack
       def unauthorized(request, error = nil)
         challenge = 'OAuth realm="%s"' % (options.realm || request.host)
         challenge << ', error="%s", error_description="%s"' % [error.code, error.message] if error
-        return [401, { "WWW-Authenticate"=>challenge }, []]
+        return [401, { "WWW-Authenticate"=>challenge }, [error && error.message || ""]]
       end
 
       # Wraps Rack::Request to expose Basic and OAuth authentication

data/lib/rack/oauth2/sinatra.rb

@@ -13,13 +13,13 @@ module Rack
     # access scope.
     #
     # Adds oauth setting you can use to configure the module (e.g. setting
-    # available scopes, see example).
+    # available scope, see example).
     #
     # @example
     #   require "rack/oauth2/sinatra"
     #   class MyApp < Sinatra::Base
     #     register Rack::OAuth2::Sinatra
-    #     oauth[:scopes] = %w{read write}
+    #     oauth[:scope] = %w{read write}
     #
     #     oauth_required "/api"
     #     oauth_required "/api/edit", :scope=>"write"

data/test/admin/api_test.rb

@@ -18,13 +18,13 @@ class AdminApiTest < Test::Unit::TestCase
 
 
   def without_scope
-    token = Server.get_token_for("Superman", client.id, "nobody")
-    header "Authorization", "OAuth #{token.token}"
+    token = Server.token_for("Superman", client.id, "nobody")
+    header "Authorization", "OAuth #{token}"
   end
 
   def with_scope
-    token = Server.get_token_for("Superman", client.id, "oauth-admin")
-    header "Authorization", "OAuth #{token.token}"
+    token = Server.token_for("Superman", client.id, "oauth-admin")
+    header "Authorization", "OAuth #{token}"
   end
 
   def json
@@ -84,8 +84,8 @@ class AdminApiTest < Test::Unit::TestCase
       should "return list of clients" do
         assert Array === json["list"]
       end
-      should "return all known scopes" do
-        assert_equal %w{read write}, json["scopes"]
+      should "return known scope" do
+        assert_equal %w{read write}, json["scope"]
       end
     end
 
@@ -123,8 +123,8 @@ class AdminApiTest < Test::Unit::TestCase
       should "provide link to revoke resource"do
         assert_equal ["/oauth/admin/api/client", client.id, "revoke"].join("/"), @first["revoke"]
       end
-      should "provide scopes for client" do
-        assert_equal %w{read write}, @first["scopes"]
+      should "provide scope for client" do
+        assert_equal %w{oauth-admin read write}, @first["scope"]
       end
       should "tell if not revoked" do
         assert @first["revoked"].nil?
@@ -149,12 +149,14 @@ class AdminApiTest < Test::Unit::TestCase
         tokens = []
         1.upto(10).map do |days|
           Timecop.travel -days*86400 do
-            tokens << Server.get_token_for("Superman", client.id, days.to_s)
+            tokens << Server.token_for("Superman#{days}", client.id)
           end
         end
         # Revoke one token today (within past 7 days), one 10 days ago (beyond)
-        tokens.first.revoke!
-        tokens.last.revoke!
+        Timecop.travel -7 * 86400 do
+          Server.get_access_token(tokens[0]).revoke!
+        end
+        Server.get_access_token(tokens[1]).revoke!
         with_scope ; get "/oauth/admin/api/clients"
       end
 

data/test/oauth/access_grant_test.rb

@@ -148,7 +148,7 @@ class AccessGrantTest < Test::Unit::TestCase
 
   context "authorization code for different client" do
     setup do
-      grant = Rack::OAuth2::Server::AccessGrant.create("foo bar", "read write", "4cc7bc483321e814b8000000", nil)
+      grant = Server::AccessGrant.create("foo bar", Server.register(:scope=>%w{read write}), "read write", nil)
       request_access_token :code=>grant.code
     end
     should_return_error :invalid_grant
@@ -156,7 +156,7 @@ class AccessGrantTest < Test::Unit::TestCase
 
   context "authorization code revoked" do
     setup do
-      Rack::OAuth2::Server::AccessGrant.from_code(@code).revoke!
+      Server::AccessGrant.from_code(@code).revoke!
       request_access_token
     end
     should_return_error :invalid_grant
@@ -169,7 +169,8 @@ class AccessGrantTest < Test::Unit::TestCase
 
   context "no redirect URI to match" do
     setup do
-      grant = Rack::OAuth2::Server::AccessGrant.create("foo bar", "read write", client.id, nil)
+      @client = Server.register(:display_name=>"No rediret", :scope=>"read write")
+      grant = Server::AccessGrant.create("foo bar", client, "read write", nil)
       request_access_token :code=>grant.code, :redirect_uri=>"http://uberclient.dot/oz"
     end
     should_respond_with_access_token
@@ -203,6 +204,29 @@ class AccessGrantTest < Test::Unit::TestCase
     should_return_error :invalid_scope
   end
 
+  context "authenticator with 4 parameters" do
+    setup do
+      @old = config.authenticator
+      config.authenticator = lambda do |username, password, client_id, scope|
+        @client_id = client_id
+        @scope = scope
+        "Batman"
+      end
+      request_with_username_password "cowbell", "more", "read"
+    end
+
+    should_respond_with_access_token "read"
+    should "receive client identifier" do
+      assert_equal client.id, @client_id
+    end
+    should "receive scope" do
+      assert_equal %w{read}, @scope
+    end
+
+    teardown { config.authenticator = @old }
+  end
+
+
   # 4.2.  Access Token Response
 
   context "using authorization code" do

data/test/oauth/access_token_test.rb

@@ -103,7 +103,7 @@ class AccessTokenTest < Test::Unit::TestCase
 
       context "revoked HTTP token" do
         setup do
-          Rack::OAuth2::Server::AccessToken.from_token(@token).revoke!
+          Server::AccessToken.from_token(@token).revoke!
           with_token
           get "/private"
         end
@@ -257,7 +257,7 @@ class AccessTokenTest < Test::Unit::TestCase
 
   context "list tokens" do
     setup do
-      @other = Rack::OAuth2::Server.get_token_for("foobar", client.id, "read").token
+      @other = Server.token_for("foobar", client.id, "read")
       get "/list_tokens"
     end
 
@@ -271,29 +271,6 @@ class AccessTokenTest < Test::Unit::TestCase
   end
 
 
-  context "get_token_for" do
-    should "return two different tokens for two different clients" do
-      myapp = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read write")
-      yourapp = Rack::OAuth2::Server.get_token_for("Batman", "4fff30423321e895cb000001", "read write")
-      assert myapp.token != yourapp.token
-    end
-    should "return two different tokens for two different identities" do
-      me = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read write")
-      you = Rack::OAuth2::Server.get_token_for("Robin", "4cca30423321e895cb000001", "read write")
-      assert me.token != you.token
-    end
-    should "return two different tokens for two different scope" do
-      write = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read write")
-      math = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read math")
-      assert write.token != math.token
-    end
-    should "return same tokens regardless of order of scope" do
-      one = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read write math")
-      two = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "math write read")
-      assert_equal one.token, two.token
-    end
-  end
-
   context "with specific host" do
     context "right host" do
       setup do

data/test/oauth/server_test.rb

@@ -8,7 +8,7 @@ class ServerTest < Test::Unit::TestCase
   end
 
   context "get_auth_request" do
-    setup { @request = Server::AuthRequest.create(client.id, client.scopes.join(" "), client.redirect_uri, "token", nil) }
+    setup { @request = Server::AuthRequest.create(client, client.scope.join(" "), client.redirect_uri, "token", nil) }
     should "return authorization request" do
       assert_equal @request.id, Server.get_auth_request(@request.id).id
     end
@@ -34,7 +34,7 @@ class ServerTest < Test::Unit::TestCase
     context "no client ID" do
       setup do
         @client = Server.register(:display_name=>"MyApp", :link=>"http://example.org", :image_url=>"http://example.org/favicon.ico",
-                                  :redirect_uri=>"http://example.org/oauth/callback", :scopes=>%w{read write})
+                                  :redirect_uri=>"http://example.org/oauth/callback", :scope=>%w{read write})
       end
 
       should "create new client" do
@@ -58,8 +58,8 @@ class ServerTest < Test::Unit::TestCase
         assert_equal "http://example.org/oauth/callback", Server.get_client(@client.id).redirect_uri
       end
 
-      should "set scopes" do
-        assert_equal %w{read write}, Server.get_client(@client.id).scopes
+      should "set scope" do
+        assert_equal %w{read write}, Server.get_client(@client.id).scope
       end
 
       should "assign client an ID" do
@@ -134,8 +134,43 @@ class ServerTest < Test::Unit::TestCase
   end
 
   
+  context "access_grant" do
+    setup do
+      code = Server.access_grant("Batman", client.id, %w{read})
+      basic_authorize client.id, client.secret
+      post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>code, :redirect_uri=>client.redirect_uri
+      @token = JSON.parse(last_response.body)["access_token"]
+    end
+
+    should "resolve into an access token" do
+      assert Server.get_access_token(@token)
+    end
+
+    should "resolve into access token with grant identity" do
+      assert_equal "Batman", Server.get_access_token(@token).identity
+    end
+
+    should "resolve into access token with grant scope" do
+      assert_equal %w{read}, Server.get_access_token(@token).scope
+    end
+
+    should "resolve into access token with grant client" do
+      assert_equal client.id, Server.get_access_token(@token).client_id
+    end
+
+    context "with no scope" do
+      setup { @code = Server.access_grant("Batman", client.id) }
+
+      should "pick client scope" do
+        assert_equal %w{oauth-admin read write}, Server::AccessGrant.from_code(@code).scope
+      end
+    end
+
+  end
+
+
   context "get_access_token" do
-    setup { @token = Server.get_token_for("Batman", client.id, %w{read}).token }
+    setup { @token = Server.token_for("Batman", client.id, %w{read}) }
     should "return authorization request" do
       assert_equal @token, Server.get_access_token(@token).token
     end
@@ -143,61 +178,69 @@ class ServerTest < Test::Unit::TestCase
     should "return nil if no client found" do
       assert !Server.get_access_token("4ce2488e3321e87ac1000004")
     end
+
+    context "with no scope" do
+      setup { @token = Server.token_for("Batman", client.id) }
+
+      should "pick client scope" do
+        assert_equal %w{oauth-admin read write}, Server::AccessToken.from_token(@token).scope
+      end
+    end
   end
 
 
-  context "get_token_for" do
-    setup { @token = Server.get_token_for("Batman", client.id, %w{read write}) }
+  context "token_for" do
+    setup { @token = Server.token_for("Batman", client.id, %w{read write}) }
 
     should "return access token" do
-      assert Server::AccessToken === @token
+      assert_match /[0-9a-f]{32}/, @token
     end
 
     should "associate token with client" do
-      assert_equal client.id, @token.client_id
+      assert_equal client.id, Server.get_access_token(@token).client_id
     end
 
     should "associate token with identity" do
-      assert_equal "Batman", @token.identity
+      assert_equal "Batman", Server.get_access_token(@token).identity
     end
 
     should "associate token with scope" do
-      assert_equal %w{read write}, @token.scope
+      assert_equal %w{read write}, Server.get_access_token(@token).scope
     end
 
     should "return same token for same parameters" do
-      assert_equal @token.token, Server.get_token_for("Batman", client.id, %w{write read}).token
+      assert_equal @token, Server.token_for("Batman", client.id, %w{write read})
     end
 
     should "return different token for different identity" do
-      assert @token.token != Server.get_token_for("Superman", client.id, %w{read write}).token
+      assert @token != Server.token_for("Superman", client.id, %w{read write})
     end
 
     should "return different token for different client" do
       client = Server.register(:display_name=>"MyApp")
-      assert @token.token != Server.get_token_for("Batman", client.id, %w{read write}).token
+      assert @token != Server.token_for("Batman", client.id, %w{read write})
     end
 
     should "return different token for different scope" do
-      assert @token.token != Server.get_token_for("Batman", client.id, %w{read}).token
+      assert @token != Server.token_for("Batman", client.id, %w{read})
     end
   end
 
 
   context "list access tokens" do
     setup do
-      @one = Server.get_token_for("Batman", client.id, %w{read})
-      @two = Server.get_token_for("Superman", client.id, %w{read})
-      @three = Server.get_token_for("Batman", client.id, %w{write})
+      @one = Server.token_for("Batman", client.id, %w{read})
+      @two = Server.token_for("Superman", client.id, %w{read})
+      @three = Server.token_for("Batman", client.id, %w{write})
     end
 
     should "return all tokens for identity" do
-      assert_contains Server.list_access_tokens("Batman").map(&:token), @one.token
-      assert_contains Server.list_access_tokens("Batman").map(&:token), @three.token
+      assert_contains Server.list_access_tokens("Batman").map(&:token), @one
+      assert_contains Server.list_access_tokens("Batman").map(&:token), @three
     end
 
     should "not return tokens for other identities" do
-      assert !Server.list_access_tokens("Batman").map(&:token).include?(@two.token)
+      assert !Server.list_access_tokens("Batman").map(&:token).include?(@two)
     end
 
   end