I'm implementing OAuth 2 in my application, and I already have login/refresh token, but I'm having some trouble with logout.
I have this set of routes generated by Doorkeeper:
Routes for Doorkeeper::Engine:
authorization GET /authorize(.:format) doorkeeper/authorizations#new
authorization POST /authorize(.:format) doorkeeper/authorizations#create
authorization DELETE /authorize(.:format) doorkeeper/authorizations#destroy
token POST /token(.:format) doorkeeper/tokens#create
applications GET /applications(.:format) doorkeeper/applications#index
POST /applications(.:format) doorkeeper/applications#create
new_application GET /applications/new(.:format) doorkeeper/applications#new
edit_application GET /applications/:id/edit(.:format) doorkeeper/applications#edit
application GET /applications/:id(.:format) doorkeeper/applications#show
PUT /applications/:id(.:format) doorkeeper/applications#update
DELETE /applications/:id(.:format) doorkeeper/applications#destroy
authorized_applications GET /authorized_applications(.:format) doorkeeper/authorized_applications#index
authorized_application DELETE /authorized_applications/:id(.:format) doorkeeper/authorized_applications#destroy
What I want to do is revoke a token on the server, so I think the service that I must call is "DELETE /authorize", right? But I have tried a lot of different ways to consume this service and I only receive errors.
By the way, I don't know if it is correct to revoke the token on the server or only delete it from the application?
PS: I'm using AFNetworking 2 on iOS 7 for my client.
This does not really answer the question, but provides related information.
I had the issue where doorkeeper would validate any user/password combination on a Resource Owner Password Credentials Grant request after having made any prior authorization to a valid user/password combination. Scenario was:
This turned out to be Warden keeping the authorized user in a session, and my iOS client happily maintaining the session for me.
I solved this by having warden immediately sign-out the user after authenticating. This works because, on an authorized request, OAuth gets the current user stored with the authorization token. It does not need to have the user in a session.
The following is from config/initializers/doorkeeper.rb. The last two lines do the sign-out after authorization.
# Called for the Resource Owner Password Credentials Grant.
resource_owner_from_credentials do
  # Map the OAuth username/password parameters onto the shape Devise expects.
  request.params[:user] = {:email => request.params[:username], :password => request.params[:password]}
  request.env["devise.allow_params_authentication"] = true
  # Authenticate against Warden; this fails the request on bad credentials.
  user = request.env["warden"].authenticate!(:scope => :user)
  # Drop the Warden session immediately so the next grant request must present credentials again;
  # the user is already attached to the issued access token, so no session is needed.
  env['warden'].logout
  user
end
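The question also asks whether a token should be revoked on the server or only deleted from the client. The following is an added example, not code from the question, the answer or Doorkeeper: a hypothetical in-memory token store (class TokenStore, methods issue/revoke/resource_owner_for, all assumed names) that models the two fields a server needs to answer "is this token still good?", an expiry and a server-owned revocation timestamp, and then runs both logout strategies against the same token. The route list in the question has no revocation endpoint, so this only shows why server-side revocation matters; the standard shape of such an endpoint is RFC 7009.

```ruby
require 'securerandom'
require 'time'

# Hypothetical in-memory access-token store (assumed names, not Doorkeeper's model).
class TokenStore
  Token = Struct.new(:value, :resource_owner_id, :expires_at, :revoked_at) do
    def expired?(now)
      now >= expires_at
    end

    def revoked?
      !revoked_at.nil?
    end
  end

  def initialize(ttl_seconds: 7200)
    @ttl = ttl_seconds
    @tokens = {}
  end

  # Issue a fresh bearer token for a resource owner; the token's lifetime is fixed at issue time.
  def issue(resource_owner_id, now: Time.now)
    value = SecureRandom.hex(32)
    @tokens[value] = Token.new(value, resource_owner_id, now + @ttl, nil)
    value
  end

  # Server-side revocation: the token becomes unusable immediately,
  # no matter how many copies of the string exist elsewhere.
  # Returns false for unknown or already-revoked tokens (idempotent).
  def revoke(value, now: Time.now)
    token = @tokens[value]
    return false if token.nil? || token.revoked?
    token.revoked_at = now
    true
  end

  # What a resource server checks on every bearer request:
  # unknown, revoked and expired tokens all map to "no resource owner".
  def resource_owner_for(value, now: Time.now)
    token = @tokens[value]
    return nil if token.nil? || token.revoked? || token.expired?(now)
    token.resource_owner_id
  end
end

# Compare the two logout strategies from the question for one token.
# `copy` stands for any other holder of the same token string
# (a backup, a proxy log, a second device); the client cannot reach those.
def logout_outcomes(now: Time.now)
  store = TokenStore.new
  token = store.issue(1, now: now)
  copy  = token.dup

  # Strategy A: client deletes its own copy only; the server is never told.
  valid_after_client_delete = !store.resource_owner_for(copy, now: now).nil?

  # Strategy B: client asks the server to revoke, then deletes its copy.
  store.revoke(token, now: now)
  valid_after_server_revoke = !store.resource_owner_for(copy, now: now).nil?

  { client_delete_only: valid_after_client_delete, server_revoke: valid_after_server_revoke }
end

if __FILE__ == $PROGRAM_NAME
  puts logout_outcomes.inspect
end
```

Deleting the token on the client alone leaves every other copy valid until the expiry set at issue time; revoking on the server invalidates all copies at once, which is why a logout should call a server-side revocation endpoint first and only then discard the local copy. The timestamp parameters exist so the expiry path can be exercised without sleeping.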