Doorkeeper Revoke Token

I'm implementing OAuth 2 in my application, and I already have Login/Refresh Token, but I'm having some trouble with logout.

I have this set of routes generated by Doorkeeper:

Routes for Doorkeeper::Engine:
          authorization GET    /authorize(.:format)                   doorkeeper/authorizations#new
          authorization POST   /authorize(.:format)                   doorkeeper/authorizations#create
          authorization DELETE /authorize(.:format)                   doorkeeper/authorizations#destroy
                  token POST   /token(.:format)                       doorkeeper/tokens#create
           applications GET    /applications(.:format)                doorkeeper/applications#index
                        POST   /applications(.:format)                doorkeeper/applications#create
        new_application GET    /applications/new(.:format)            doorkeeper/applications#new
       edit_application GET    /applications/:id/edit(.:format)       doorkeeper/applications#edit
            application GET    /applications/:id(.:format)            doorkeeper/applications#show
                        PUT    /applications/:id(.:format)            doorkeeper/applications#update
                        DELETE /applications/:id(.:format)            doorkeeper/applications#destroy
authorized_applications GET    /authorized_applications(.:format)     doorkeeper/authorized_applications#index
 authorized_application DELETE /authorized_applications/:id(.:format) doorkeeper/authorized_applications#destroy

What I want to do is revoke a token on the server, so I think the service I must call is "DELETE /authorize", right? But I have tried a lot of different ways to consume this service and I only receive errors.

By the way, I don't know if it is correct to revoke the token on the server or only delete it from the application?

PS: I'm using AFNetworking 2 in iOS 7 for my client.

FxckDead asked Nov 21 '13 15:11

1 Answer

This does not really answer the question, but provides related information.

I had the issue where doorkeeper would validate any user/password combination on a Resource Owner Password Credentials Grant request after having made any prior authorization to a valid user/password combination. Scenario was:

  • client gets authorization using valid user name and password
  • client resets/forgets authorization token in order to end authorization
  • client can get a new authorization using any user name and password, authorizes for the original user.

This turned out to be Warden keeping the authorized user in a session, and my iOS client happily maintaining the session for me.

I solved this by having Warden immediately sign out the user after authenticating. This works because, on an authorized request, OAuth gets the current user stored with the authorization token. It does not need to have the user in a session.

The following is from config/initializers/doorkeeper.rb. The last two lines do the sign-out after authorization.

# config/initializers/doorkeeper.rb
Doorkeeper.configure do
  # Called for the Resource Owner Password Credentials Grant.
  resource_owner_from_credentials do
    # Map the OAuth username/password parameters onto what Devise expects.
    request.params[:user] = { :email => request.params[:username], :password => request.params[:password] }
    request.env["devise.allow_params_authentication"] = true
    user = request.env["warden"].authenticate!(:scope => :user)
    # Sign out immediately so no Warden session outlives this request;
    # later requests are authenticated by the access token alone.
    request.env["warden"].logout
    user
  end
end
Douglas Lovell answered Oct 24 '22 01:10
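On the question's second point (revoke on the server, or just delete the token in the app?), here is an added example, not code from the question, the answer or the Doorkeeper gem: an in-memory model, constructed for this page and patterned on Doorkeeper's revoked_at and expires_in token columns, that shows why a token forgotten only by the client keeps authenticating until the server marks it revoked. The AccessToken and TokenStore classes are hypothetical stand-ins, not Doorkeeper's API.

```ruby
require 'securerandom'
# Minimal in-memory stand-in for Doorkeeper's oauth_access_tokens rows
# (constructed for this example; real Doorkeeper persists them via ActiveRecord).
class AccessToken
  attr_reader :token, :resource_owner_id, :created_at, :expires_in, :revoked_at
  def initialize(token:, resource_owner_id:, expires_in:, created_at: Time.now)
    @token, @resource_owner_id = token, resource_owner_id
    @expires_in, @created_at, @revoked_at = expires_in, created_at, nil
  end

  # Server-side revocation stamps revoked_at once; a second revoke is a no-op.
  def revoke(at = Time.now)
    @revoked_at ||= at
  end
  def revoked?
    !@revoked_at.nil?
  end
  def expired?(now = Time.now)
    now >= @created_at + @expires_in
  end
  # Usable only if neither revoked nor expired; this is what the server checks.
  def accessible?(now = Time.now)
    !revoked? && !expired?(now)
  end
end

class TokenStore
  def initialize
    @by_token = {}
  end

  def issue(resource_owner_id:, expires_in: 7200, now: Time.now)
    t = AccessToken.new(token: SecureRandom.hex(32), resource_owner_id: resource_owner_id,
                        expires_in: expires_in, created_at: now)
    @by_token[t.token] = t
  end

  # Logout: revoke the presented token on the server; false if the token is unknown.
  def revoke(token_string)
    t = @by_token[token_string]
    !!(t && t.revoke)
  end

  # Resource-server check for a protected endpoint. The lookup is server-side, so a
  # token the client merely deleted locally still authenticates until revoked here.
  def authenticate(authorization_header, now: Time.now)
    m = /\ABearer (\S+)\z/.match(authorization_header.to_s)
    t = m && @by_token[m[1]]
    t if t && t.accessible?(now)
  end
end
```

Dropping the token on the iOS side only stops that client from sending it; anyone holding a copy can still use it until the server's revoke path runs.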