rack-oauth2-server 2.0.0.beta3 → 2.0.0.beta4

data/CHANGELOG

@@ -1,17 +1,35 @@
 2010-11-16 version 2.0.0
 
-Major change: you are no longer able to get an access token with the scope if
-the client is not registered to have this scope. The global setting scopes is
-gone (not backward compatible). You will need to manually add scopes to your
-clients, e.g. in mogno console:
+MAJOR CHANGE:
+Keeping with OAuth 2.0 spec terminology, we'll call it scope all around. Some
+places in the API that previously used "scopes" have been changed to "scope".
+
+OTOH, the scope is not consistently stored and returned as array of names,
+previous was stored as comma-separated string, and often returned as such.
+Whatever you have stored with pre 2.0 will probably not work with 2.0 and
+forward.
+
+Clients now store their scope, and only those names are allowed in access
+tokens. The global setting oauth.scope is no longer in use. Forget about it.
+Add a scope to your clients, like this:
 
   db.oauth2.clients.update({}, { $set: { scopes: ["read", "write"] } }, true, true)
 
-Rack::OAuth2::Server class methods get register -- for registering and updating
-client application record -- and get_token_for -- to obtain new/existing token.
+
+Use Rack::OAuth2::Server token_for and access_grant to generate access tokens
+and access grants, respectively. These are mighty useful if you're using the
+OAuth 2.0 infrastructure, but have different ways for authorizing, e.g. using
+access tokens instead of cookies.
+
+Rack::OAuth2::Server method register to register new client applications and
+update existing records. This method is idempotent, so you can use it in rake
+db:seed, deploy scripts, migrations, etc.
+
+If your authenticator accepts four arguments, it will receive, in addition to
+username and password, also the client identifier and requested scopes.
 
 Web console now allows you to set/unset individual scopes for each client
-application.
+application, and store a note on each client.
 
 Added Sammy.js OAuth 2.0 plugin.
 

data/README.rdoc

@@ -50,7 +50,7 @@ Rack::OAuth2::Sinatra into your application. For example:
     register Rack::OAuth2::Sinatra
 
     oauth.database = Mongo::Connection.new["my_db"]
-    oauth.scopes = %w{read write}
+    oauth.scope = %w{read write}
     oauth.authenticator = lambda do |username, password|
       user = User.find(username)
       user if user && user.authenticated?(password)
@@ -88,6 +88,16 @@ access tokens by passing the end-user's username/password, then you need an
 authenticator. This feature is necessary for some client applications, and
 quite handy during development/testing.
 
+The authenticator is a block that receives either two or four parameters.  The
+first two are username and password. The other two are the client identifier
+and scope. It authenticated, it returns an identity, otherwise it can return
+nil or false. For example:
+
+  oauth.authenticator = lambda do |username, password|
+    user = User.find_by_username(username)
+    user if user && user.authenticated?(password)
+  end
+
 
 === Step 3: Let Users Authorize
 
@@ -294,7 +304,7 @@ Programatically, registering a new client is as simple as:
   > Rack::OAuth2::Server.register(:display_name=>"UberClient",
      :link=>"http://example.com/",
      :image_url=>"http://farm5.static.flickr.com/4122/4890273282_58f7c345f4.jpg",
-     :scopes=>%{read write},
+     :scope=>%{read write},
      :redirect_uri=>"http://example.com/oauth/callback")
   > puts "Your client identifier: #{client.id}"
   > puts "Your client secret: #{client.secret}"
@@ -306,7 +316,7 @@ file. For example, your +db/seed.rb+ may contain:
   oauth2 = YAML.load_file(Rails.root + "config/oauth2.yml")
   Rack::OAuth2::Server.register(id: oauth2["client_id"], secret: oauth2["client_secret"],
     display_name: "UberClient", link: "http://example.com",
-    redirect_uri: "http://example.com/oauth/callback", scopes: oauth2["scopes"].split)
+    redirect_uri: "http://example.com/oauth/callback", scope: oauth2["scope"].split)
 
 When you call +register+ with +id+ and +secret+ parameters it either registers a
 new client with these specific ID and sceret, or if a client already exists,
@@ -358,7 +368,7 @@ client ID/secret. For example, for Rails 2.3.x add this to
       config.middleware.use Rack::OAuth2::Server::Admin.mount
       Rack::OAuth2::Server::Admin.set :client_id, "4dca20453e4859cb000007"
       Rack::OAuth2::Server::Admin.set :client_secret, "981fa734e110496fcf667cbf52fbaf03"
-      Rack::OAuth2::Server::Admin.set :scopes, %w{read write}
+      Rack::OAuth2::Server::Admin.set :scope, %w{read write}
     end
   end
 
@@ -369,7 +379,7 @@ For Rails 3.0.x, add this to you +config/application.rb+:
       config.after_initialize do
         Rack::OAuth2::Server::Admin.set :client_id, "4dca20453e4859cb000007"
         Rack::OAuth2::Server::Admin.set :client_secret, "981fa734e110496fcf667cbf52fbaf03"
-        Rack::OAuth2::Server::Admin.set :scopes, %w{read write}
+        Rack::OAuth2::Server::Admin.set :scope, %w{read write}
       end
     end
   end
@@ -387,7 +397,7 @@ like so (e.g. in +config.ru+):
   end
   Rack::OAuth2::Server::Admin.set :client_id, "4dca20453e4859cb000007"
   Rack::OAuth2::Server::Admin.set :client_secret, "981fa734e110496fcf667cbf52fbaf03"
-  Rack::OAuth2::Server::Admin.set :scopes, %w{read write}
+  Rack::OAuth2::Server::Admin.set :scope, %w{read write}
 
 Next, open your browser to http://example.com/oauth/admin, or wherever you
 mounted the Web admin.
@@ -404,7 +414,8 @@ You can set the following options:
   "http://example.com/users/#{id}")
 - +force_ssl+ -- Forces all requests to use HTTPS (true by default except in
   development mode).
-- +scopes+ -- Common scopes shown and added by default to new clients.
+- +scope+ -- Common scope shown and added by default to new clients (array of
+  names, e.g. ["read", "write"]).
  
 == Web Admin API
 

data/VERSION

@@ -1 +1 @@
-2.0.0.beta3
+2.0.0.beta4

data/bin/oauth2-server

@@ -41,9 +41,9 @@ when "register"
     link = $stdin.gets
     print "Redirect URI:\t\t"
     redirect_uri = $stdin.gets
-    print "Scopes (space separated):\t\t"
-    scopes = $stdin.gets
-    client = Server.register(:display_name=>display_name, :link=>link, :redirect_uri=>redirect_uri, :scopes=>scopes)
+    print "Scope (space separated names):\t\t"
+    scope = $stdin.gets
+    client = Server.register(:display_name=>display_name, :link=>link, :redirect_uri=>redirect_uri, :scope=>scope)
   rescue
     puts "\nFailed to register client: #{$!}"
     exit -1
@@ -63,7 +63,7 @@ when "setup"
     fail "No an HTTP/S URL" unless uri.absolute? && %{http https}.include?(uri.scheme)
     fail "Path must end with /admin" unless uri.path[/\/admin$/]
     client = Server.register(:display_name=>"OAuth Console", :link=>uri.to_s, :image_url=>"#{uri.to_s}/images/oauth-2.png",
-                             :redirect_uri=>uri.to_s, :scopes=>"oauth-admin")
+                             :redirect_uri=>uri.to_s, :scope=>"oauth-admin")
   rescue
     puts "\nFailed to register client: #{$!}"
     exit -1
@@ -131,11 +131,11 @@ when "practice"
   admin_url = "http://localhost:#{port}/oauth/admin"
   unless client = Server::Client.lookup(admin_url)
     client = Server.register(:display_name=>"Practice OAuth Console", :image_url=>"#{admin_url}/images/oauth-2.png",
-                             :link=>admin_url, :redirect_uri=>admin_url, :scopes=>"oauth-admin")
+                             :link=>admin_url, :redirect_uri=>admin_url, :scope=>"oauth-admin")
   end
   Server::Admin.set :client_id, client.id
   Server::Admin.set :client_secret, client.secret
-  Server::Admin.set :scopes, "nobody sudo"
+  Server::Admin.set :scope, "nobody sudo"
 
   print "\nFiring up the practice server.\nFor instructions, go to http://localhost:#{port}/\n\n\n"
   Thin::Server.new "127.0.0.1", port  do

data/lib/rack/oauth2/admin/css/screen.css

@@ -119,6 +119,7 @@ button:active { background: -webkit-gradient(linear, 0% 0%, 0% 100%, from(rgba(0
   float: right;
   font-size: 11pt;
   line-height: 32px;
+  display: none;
 }
 
 #main {
@@ -261,6 +262,7 @@ table.tokens td.scope {
 }
 
 .client .details {
+  margin: 0 0 2em 0;
 }
 .client .details .name {
   margin: 0;
@@ -288,6 +290,10 @@ table.tokens td.scope {
   color: #888;
   font-size: 10pt;
 }
+.client .details .notes {
+  font-size: 11pt;
+  margin: 0.2em 0;
+}
 
 .client.new, .client.edit {
   margin: 0;
@@ -306,10 +312,10 @@ table.tokens td.scope {
 .client .fields {
   float: left;
 }
-.client .scopes {
+.client .scope {
   float: right;
 }
-.client .scopes .non-common {
+.client .scope .uncommon {
   color: red;
 }
 .client hr {

data/lib/rack/oauth2/admin/js/application.js

@@ -15,60 +15,80 @@ Sammy("#main", function(app) {
   this.bind("oauth.denied", function(evt, error) {
     this.partial("admin/views/no_access.tmpl", { error: error.message });
   });
+  this.bind("oauth.connected", function() { $("#header .signout").show() });
+  this.bind("oauth.disconnected", function() { $("#header .signout").hide() });
 
   var api = document.location.pathname + "/api";
   // Takes array of string with scope names (typically request parameters) and
   // normalizes them into an array of scope names.
-  function mergeScopes(scopes) {
-    if ($.isArray(scopes))
-      scopes = scopes.join(" ");
-    scopes = (scopes || "").trim().split(/\s+/);
-    return scopes.length == 1 && scopes[0] == "" ? [] : _.uniq(scopes).sort();
+  function mergeScope(scope) {
+    if ($.isArray(scope))
+      scope = scope.join(" ");
+    scope = (scope || "").trim().split(/\s+/);
+    return scope.length == 1 && scope[0] == "" ? [] : _.uniq(scope).sort();
   }
-  var commonScopes;
-  function withCommonScopes(cb) {
-    if (commonScopes)
-      cb(commonScopes)
+  var commonScope;
+  function withCommonScope(cb) {
+    if (commonScope)
+      cb(commonScope)
     else
-      $.getJSON(api + "/clients", function(json) { cb(commonScopes = json.scopes); })
+      $.getJSON(api + "/clients", function(json) { cb(commonScope = json.scope); })
   }
 
   // View all clients
   this.get("#/", function(context) {
     context.title("All Clients");
     $.getJSON(api + "/clients", function(clients) {
-      commonScopes = clients.scopes;
+      commonScope = clients.scope;
       context.partial("admin/views/clients.tmpl", { clients: clients.list, tokens: clients.tokens }).
         load(clients.history).then(function(json) { $("#fig").chart(json.data, "granted"); });
     });
   });
+  // View single client
+  this.get("#/client/:id", function(context) {
+    $.getJSON(api + "/client/" + context.params.id, function(client) {
+      context.title(client.displayName);
+      client.notes = (client.notes || "").split(/\n\n/);
+      context.partial("admin/views/client.tmpl", client).
+        load(client.history).then(function(json) { $("#fig").chart(json.data, "granted"); });
+    });
+  });
+  this.get("#/client/:id/page/:page", function(context) {
+    $.getJSON(api + "/client/" + context.params.id + "?page=" + context.params.page, function(client) {
+      context.title(client.displayName);
+      client.notes = client.notes.split(/\n\n/);
+      context.partial("admin/views/client.tmpl", client).
+        load(client.history).then(function(json) { $("#fig").chart(json.data, "granted"); });
+    });
+  });
   // Edit client
   this.get("#/client/:id/edit", function(context) {
     $.getJSON(api + "/client/" + context.params.id, function(client) {
       context.title(client.displayName);
-      withCommonScopes(function(scopes) {
-        client.common = scopes;
+      withCommonScope(function(scope) {
+        client.common = scope;
         context.partial("admin/views/edit.tmpl", client)
       })
     })
   });
   this.put("#/client/:id", function(context) {
-    context.params.scopes = mergeScopes(context.params.scopes);
+    context.params.scope = mergeScope(context.params.scope);
     $.ajax({ type: "put", url: api + "/client/" + context.params.id,
       data: {
         displayName: context.params.displayName,
         link: context.params.link,
         imageUrl: context.params.imageUrl,
         redirectUri: context.params.redirectUri,
-        scopes: context.params.scopes
+        notes: context.params.notes,
+        scope: context.params.scope
       },
       success: function(client) {
         context.redirect("#/client/" + context.params.id);
         app.trigger("notice", "Saved your changes");
       },
       error: function(xhr) {
-        withCommonScopes(function(scopes) {
-          context.params.common = scopes;
+        withCommonScope(function(scope) {
+          context.params.common = scope;
           context.partial("admin/views/edit.tmpl", context.params);
         });
       }
@@ -88,45 +108,32 @@ Sammy("#main", function(app) {
   this.post("#/token/:id/revoke", function(context) {
     $.post(api + "/token/" + context.params.id + "/revoke", function() { app.refresh() });
   });
-  // View single client
-  this.get("#/client/:id", function(context) {
-    $.getJSON(api + "/client/" + context.params.id, function(client) {
-      context.title(client.displayName);
-      context.partial("admin/views/client.tmpl", client).
-        load(client.history).then(function(json) { $("#fig").chart(json.data, "granted"); });
-    });
-  });
-  this.get("#/client/:id/:page", function(context) {
-    $.getJSON(api + "/client/" + context.params.id + "?page=" + context.params.page, function(client) {
-      context.title(client.displayName);
-      context.partial("admin/views/client.tmpl", client)
-    });
-  });
   // Create new client
   this.get("#/new", function(context) {
     context.title("Add New Client");
-    withCommonScopes(function(scopes) {
-      context.partial("admin/views/edit.tmpl", { common: scopes, scopes: scopes });
+    withCommonScope(function(scope) {
+      context.partial("admin/views/edit.tmpl", { common: scope, scope: scope });
     });
   });
   this.post("#/clients", function(context) {
     context.title("Add New Client");
-    context.params.scopes = mergeScopes(context.params.scopes);
+    context.params.scope = mergeScope(context.params.scope);
     $.ajax({ type: "post", url: api + "/clients",
       data: {
         displayName: context.params.displayName,
         link: context.params.link,
         imageUrl: context.params.imageUrl,
         redirectUri: context.params.redirectUri,
-        scopes: context.params.scopes
+        notes: context.params.notes,
+        scope: context.params.scope
       },
       success: function(client) {
         app.trigger("notice", "Added new client application " + client.displayName);
         context.redirect("#/");
       },
       error: function(xhr) {
-        withCommonScopes(function(scopes) {
-          context.params.common = scopes;
+        withCommonScope(function(scope) {
+          context.params.common = scope;
           context.partial("admin/views/edit.tmpl", context.params);
         });
       }

data/lib/rack/oauth2/admin/js/sammy.oauth2.js

@@ -5,9 +5,12 @@
   // access your application's API. Requires Sammy.Session.
   //
   // Triggers the following events:
-  // - oauth.connected -- Access token set and ready to use
-  // - oauth.disconnected -- Access token reset
-  // - oauth.denied -- Authorization attempt rejected
+  // - oauth.connected -- Access token set and ready to use. Triggered when new
+  // access token acquired, of when application starts and already has access
+  // token.
+  // - oauth.disconnected -- Access token reset. Triggered by
+  // loseAccessToken().
+  // - oauth.denied -- Authorization attempt rejected.
   //
   // ### Example
   // this.use(Sammy.Storage);
@@ -27,6 +30,10 @@
   //   })
   // })
   //
+  // // Sign in/sign out.
+  // this.bind("oauth.connected", function() { $("#signin").hide() });
+  // this.bind("oauth.disconnected", function() { $("#signin").show() });
+  //
   // // Handle access denied and other errors
   // this.bind("oauth.denied", function(evt, error) {
   //   this.partial("admin/views/no_access.tmpl", { error: error.message });

data/lib/rack/oauth2/admin/views/client.tmpl

@@ -13,6 +13,7 @@
       Created {{html $.shortdate(revoked)}}
       {{if revoked}}Revoked {{html $.shortdate(revoked)}}{{/if}}
     </div>
+    {{each notes}}<p class="notes">${this}</p>{{/each}}
   </div>
   <div class="metrics">
     <div id="fig"></div>
@@ -49,7 +50,7 @@
     </tbody>
   </table>
   <div class="pagination">
-    {{if tokens.previous}}<a href="#/client/${id}/${tokens.page - 1}" rel="previous">Previous</a>{{/if}}
-    {{if tokens.next}}<a href="#/client/${id}/${tokens.page + 1}" rel="next">Next</a>{{/if}}
+    {{if tokens.previous}}<a href="#/client/${id}/page/${tokens.page - 1}" rel="previous">Previous</a>{{/if}}
+    {{if tokens.next}}<a href="#/client/${id}/page/${tokens.page + 1}" rel="next">Next</a>{{/if}}
   </div>
 </div>

data/lib/rack/oauth2/admin/views/edit.tmpl

@@ -19,25 +19,29 @@
       <input type="url" name="redirectUri" value="${redirectUri}" size="70" required>
       <p class="hint">Users redirected back to this URL on successful authorization.</p>
     </label>
+    <label>Notes
+      <textarea name="notes" cols="50" rows="5">${notes}</textarea>
+      <p class="hint">For internal use.</p>
+    </label>
+    {{if id}}<button>Save Changes</button>
+    {{else}}<button>Create Client</button>{{/if}}
   </div>
-  <div class="scopes">
-    <h2>Scopes</h2>
+  <div class="scope">
+    <h2>Scope</h2>
     {{each common}}
-      <label class="check"><input type="checkbox" name="scopes" value="${this}" ${scopes.indexOf(this.toString()) < 0 ? null : "checked"}>${this}</label>
+      <label class="check"><input type="checkbox" name="scope" value="${this}" ${scope.indexOf(this.toString()) < 0 ? null : "checked"}>${this}</label>
     {{/each}}
-    {{each scopes}}
+    {{each scope}}
       {{if common.indexOf(this.toString()) < 0}}
-      <label class="check non-common"><input type="checkbox" name="scopes" value="${this}" checked>${this}</label>
+      <label class="check uncommon"><input type="checkbox" name="scope" value="${this}" checked>${this}</label>
       {{/if}}
     {{/each}}
     <label>Uncommon
-      <input type="text" name="scopes" value="" size="35">
-      <p class="hint">Space separated list of uncommon scopes.</p>
+      <input type="text" name="scope" value="" size="35">
+      <p class="hint">Space separated list of uncommon scope.</p>
     </label>
   </div>
   <hr>
-  {{if id}}<button>Save Changes</button>
-  {{else}}<button>Create Client</button>{{/if}}
 </form>
 <script type="text/javascript">
   $(function() {

data/lib/rack/oauth2/models/access_grant.rb

@@ -12,9 +12,10 @@ module Rack
           end
 
           # Create a new access grant.
-          def create(identity, scope, client_id, redirect_uri)
+          def create(identity, client, scope, redirect_uri = nil)
+            scope = Utils.normalize_scope(scope) & client.scope # Only allowed scope
             fields = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope,
-                       :client_id=>BSON::ObjectId(client_id.to_s), :redirect_uri=>redirect_uri,
+                       :client_id=>client.id, :redirect_uri=>client.redirect_uri || redirect_uri,
                        :created_at=>Time.now.utc.to_i, :granted_at=>nil, :access_token=>nil, :revoked=>nil }
             collection.insert fields
             Server.new_instance self, fields
@@ -34,7 +35,7 @@ module Rack
         attr_reader :client_id
         # Redirect URI for this grant.
         attr_reader :redirect_uri
-        # The scope granted in this token.
+        # The scope requested in this grant.
         attr_reader :scope
         # Does what it says on the label.
         attr_reader :created_at
@@ -53,7 +54,8 @@ module Rack
         # InvalidGrantError.
         def authorize!
           raise InvalidGrantError if self.access_token || self.revoked
-          access_token = AccessToken.get_token_for(identity, client_id, scope)
+          client = Client.find(client_id) or raise InvalidGrantError
+          access_token = AccessToken.get_token_for(identity, client, scope)
           self.access_token = access_token.token
           self.granted_at = Time.now.utc.to_i
           self.class.collection.update({ :_id=>code, :access_token=>nil, :revoked=>nil }, { :$set=>{ :granted_at=>granted_at, :access_token=>access_token.token } }, :safe=>true)

data/lib/rack/oauth2/models/access_token.rb

@@ -15,12 +15,11 @@ module Rack
           end
 
           # Get an access token (create new one if necessary).
-          def get_token_for(identity, client_id, scope)
-            scope = Utils.normalize_scopes(scope)
-            client_id = BSON::ObjectId(client_id.to_s)
-            unless token = collection.find_one({ :identity=>identity.to_s, :scope=>scope, :client_id=>client_id, :revoked=>nil })
+          def get_token_for(identity, client, scope)
+            scope = Utils.normalize_scope(scope) & client.scope # Only allowed scope
+            unless token = collection.find_one({ :identity=>identity.to_s, :scope=>scope, :client_id=>client.id, :revoked=>nil })
               token = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope,
-                        :client_id=>client_id, :created_at=>Time.now.utc.to_i,
+                        :client_id=>client.id, :created_at=>Time.now.utc.to_i,
                         :expires_at=>nil, :revoked=>nil }
               collection.insert token
             end
@@ -50,14 +49,12 @@ module Rack
             select = {}
             if filter[:days]
               now = Time.now.utc.to_i
-              select[:created_at] = { :$gt=>now - filter[:days] * 86400, :$lte=>now }
-            end
-            if filter.has_key?(:revoked)
+              range = { :$gt=>now - filter[:days] * 86400, :$lte=>now }
+              select[ filter[:revoked] ? :revoked : :created_at ] = range
+            elsif filter.has_key?(:revoked)
               select[:revoked] = filter[:revoked] ? { :$ne=>nil } : { :$eq=>nil }
             end
-            if filter[:client_id]
-              select[:client_id] = BSON::ObjectId(filter[:client_id].to_s)
-            end
+            select[:client_id] = BSON::ObjectId(filter[:client_id].to_s) if filter[:client_id]
             collection.find(select).count
           end
 
@@ -68,8 +65,9 @@ module Rack
             if filter[:client_id]
               select[:client_id] = BSON::ObjectId(filter[:client_id].to_s)
             end
-            Server::AccessToken.collection.group "function (token) { return { ts: Math.floor(token.created_at / 86400) } }",
-              select, { :granted=>0 }, "function (token, state) { state.granted++ }"
+            raw = Server::AccessToken.collection.group("function (token) { return { ts: Math.floor(token.created_at / 86400) } }",
+              select, { :granted=>0 }, "function (token, state) { state.granted++ }")
+            raw.sort { |a, b| a["ts"] - b["ts"] }
           end
 
           def collection
@@ -84,7 +82,7 @@ module Rack
         attr_reader :identity
         # Client that was granted this access token.
         attr_reader :client_id
-        # The scope granted in this token.
+        # The scope granted to this token.
         attr_reader :scope
         # When token was granted.
         attr_reader :created_at

data/lib/rack/oauth2/models/auth_request.rb

@@ -16,10 +16,12 @@ module Rack
           # Create a new authorization request. This holds state, so in addition
           # to client ID and scope, we need to know the URL to redirect back to
           # and any state value to pass back in that redirect.
-          def create(client_id, scope, redirect_uri, response_type, state)
-            fields = { :client_id=>BSON::ObjectId(client_id.to_s), :scope=>scope, :redirect_uri=>redirect_uri, :state=>state,
-                       :response_type=>response_type, :created_at=>Time.now.utc.to_i, :grant_code=>nil,
-                       :authorized_at=>nil, :revoked=>nil }
+          def create(client, scope, redirect_uri, response_type, state)
+            scope = Utils.normalize_scope(scope) & client.scope # Only allowed scope
+            fields = { :client_id=>client.id, :scope=>scope, :redirect_uri=>client.redirect_uri || redirect_uri,
+                       :response_type=>response_type, :state=>state,
+                       :grant_code=>nil, :authorized_at=>nil,
+                       :created_at=>Time.now.utc.to_i, :revoked=>nil }
             fields[:_id] = collection.insert(fields)
             Server.new_instance self, fields
           end
@@ -34,7 +36,7 @@ module Rack
         alias :id :_id
         # Client making this request.
         attr_reader :client_id
-        # Scope of this request: array of names.
+        # scope of this request: array of names.
         attr_reader :scope
         # Redirect back to this URL.
         attr_reader :redirect_uri
@@ -57,13 +59,14 @@ module Rack
         def grant!(identity)
           raise ArgumentError, "Must supply a identity" unless identity
           return if revoked
+          client = Client.find(client_id) or return
           self.authorized_at = Time.now.utc.to_i
           if response_type == "code" # Requested authorization code
-            access_grant = AccessGrant.create(identity, scope, client_id, redirect_uri)
+            access_grant = AccessGrant.create(identity, client, scope, redirect_uri)
             self.grant_code = access_grant.code
             self.class.collection.update({ :_id=>id, :revoked=>nil }, { :$set=>{ :grant_code=>access_grant.code, :authorized_at=>authorized_at } })
           else # Requested access token
-            access_token = AccessToken.get_token_for(identity, client_id, scope)
+            access_token = AccessToken.get_token_for(identity, client, scope)
             self.access_token = access_token.token
             self.class.collection.update({ :_id=>id, :revoked=>nil, :access_token=>nil }, { :$set=>{ :access_token=>access_token.token, :authorized_at=>authorized_at } })
           end

data/lib/rack/oauth2/models/client.rb

@@ -17,7 +17,8 @@ module Rack
           # # :link -- Link to client Web site (e.g. http://uberclient.dot)
           # # :image_url -- URL of image to show alongside display name
           # # :redirect_uri -- Registered redirect URI.
-          # # :scopes -- List of scopes the client is allowed to request.
+          # # :scope -- List of names the client is allowed to request.
+          # # :notes -- Free form text.
           # 
           # This method does not validate any of these fields, in fact, you're
           # not required to set them, use them, or use them as suggested. Using
@@ -25,9 +26,10 @@ module Rack
           # how we learned that.
           def create(args)
             redirect_uri = Server::Utils.parse_redirect_uri(args[:redirect_uri]).to_s if args[:redirect_uri]
-            scopes = Server::Utils.normalize_scopes(args[:scopes])
+            scope = Server::Utils.normalize_scope(args[:scope])
             fields =  { :display_name=>args[:display_name], :link=>args[:link],
-                        :image_url=>args[:image_url], :redirect_uri=>redirect_uri, :scopes=>scopes,
+                        :image_url=>args[:image_url], :redirect_uri=>redirect_uri,
+                        :nodes=>args[:notes].to_s, :scope=>scope,
                         :created_at=>Time.now.utc.to_i, :revoked=>nil }
             if args[:id] && args[:secret]
               fields[:_id], fields[:secret] = BSON::ObjectId(args[:id].to_s), args[:secret]
@@ -81,8 +83,10 @@ module Rack
         # Redirect URL. Supplied by the client if they want to restrict redirect
         # URLs (better security).
         attr_reader :redirect_uri
-        # List of scopes the client is allowed to request.
-        attr_reader :scopes
+        # List of scope the client is allowed to request.
+        attr_reader :scope
+        # Free form fields for internal use.
+        attr_reader :notes
         # Does what it says on the label.
         attr_reader :created_at
         # Timestamp if revoked.
@@ -99,9 +103,9 @@ module Rack
         end
 
         def update(args)
-          fields = [:display_name, :link, :image_url].inject({}) { |h,k| v = args[k]; h[k] = v if v; h }
+          fields = [:display_name, :link, :image_url, :notes].inject({}) { |h,k| v = args[k]; h[k] = v if v; h }
           fields[:redirect_uri] = Server::Utils.parse_redirect_uri(args[:redirect_uri]).to_s if args[:redirect_uri]
-          fields[:scopes] = Server::Utils.normalize_scopes(args[:scopes])
+          fields[:scope] = Server::Utils.normalize_scope(args[:scope])
           self.class.collection.update({ :_id=>id }, { :$set=>fields })
           self.class.find(id)
         end

data/lib/rack/oauth2/rails.rb

@@ -13,13 +13,13 @@ module Rack
     # access scope.
     #
     # Adds oauth setting you can use to configure the module (e.g. setting
-    # available scopes, see example).
+    # available scope, see example).
     #
     # @example config/environment.rb
     #   require "rack/oauth2/rails"
     #
     #   Rails::Initializer.run do |config|
-    #     config.oauth[:scopes] = %w{read write}
+    #     config.oauth[:scope] = %w{read write}
     #     config.oauth[:authenticator] = lambda do |username, password|
     #       User.authenticated username, password
     #     end