I've written an oauth provider that is meant to work with several of my company's web applications. I am using the doorkeeper gem, which has worked well so far.
Typical behavior is for a user to go to the client application, get redirected to the provider to sign in, confirm that the client application is authorized to access that user's information, and get redirected back to the client application. However, I'd like to skip the step of the user confirming the client application. I'd like to do it for them, so there is no prompt.
I tried to mimic code I found here with something like:
    Doorkeeper::Application.all.each do |application|
      auth_params = {response_type: 'code', client_id: application.uid, redirect_uri: application.redirect_uri}
      client = Doorkeeper::OAuth::Client.find(application.uid)
      authorization = Doorkeeper::OAuth::AuthorizationRequest.new(client, user, auth_params)
      authorization.authorize
    end
but that didn't work, it still gives the user the Authorize/Deny prompt for a client app. Suggestions?
The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.
OAuth 2.0 was intentionally designed to provide authorization without providing user identity and authentication, as those problems have very different security considerations that don't necessarily overlap with those of an authorization protocol.
OAuth has the Resource Owner Credentials Grant flow for this, which Doorkeeper supports. Basically you request an access token with the user credentials (username and password). This way you skip the user confirmation and you also don't need a callback URL.
To configure Doorkeeper:
    Doorkeeper.configure do
      resource_owner_from_credentials do |routes|
        User.authenticate!(params[:username], params[:password]) # change this if needed
      end
    end
Example token request:
    curl -i https://example.com/oauth/token \
      -F grant_type=password \
      -F client_id=<client_id> \
      -F client_secret=<client_secret> \
      -F username=<username> \
      -F password=<password>
If your OAuth client applications are Rails applications you can use the oauth2 gem for this:
    client = OAuth2::Client.new('client_id', 'client_secret', :site => "https://example.com")
    access_token = client.password.get_token('<username>', '<password>')
Also see Doorkeeper's wiki:
https://github.com/applicake/doorkeeper/wiki/Using-Resource-Owner-Password-Credentials-flow
To configure Doorkeeper:
    Doorkeeper.configure do
      skip_authorization do
        true
      end
    end
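Added example (not code from any of the answers above): the blanket `true` skips the consent screen for every registered client, so any application that gets registered with the provider silently obtains access to any signed-in user. The policy below only skips consent for applications flagged as first-party whose redirect URIs are all https on known company hosts. It assumes a `trusted` column on the applications table and the `FIRST_PARTY_HOSTS` list; both are hypothetical, as are the `ClientApp`/`Owner` stand-ins used so it runs without the gem.

```ruby
require 'uri'

# Redirect hosts owned by the company's own (first-party) client apps.
# Constructed sample values.
FIRST_PARTY_HOSTS = %w[app1.example.com app2.example.com].freeze

# Offline stand-ins for Doorkeeper::Application and the resource owner.
# `trusted` is an assumed boolean column on oauth_applications, not a
# Doorkeeper attribute.
ClientApp = Struct.new(:name, :redirect_uri, :trusted)
Owner     = Struct.new(:email)

# True only if every registered redirect URI is https on a first-party host,
# so a third-party registration cannot inherit the auto-consent.
def first_party_redirects?(redirect_uri)
  uris = redirect_uri.to_s.split(/\s+/)   # Doorkeeper stores several URIs one per line
  return false if uris.empty?
  uris.all? do |raw|
    uri = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      nil                                 # a malformed URI is never first-party
    end
    uri.is_a?(URI::HTTPS) && FIRST_PARTY_HOSTS.include?(uri.host)
  end
end

# Consent-skipping policy: only flagged, first-party apps bypass the prompt.
def skip_consent?(resource_owner, app)
  return false if resource_owner.nil? || app.nil?
  return false unless app.trusted         # third-party clients always prompt
  first_party_redirects?(app.redirect_uri)
end

# Wiring into Doorkeeper (only evaluated when the gem is loaded). The block
# receives a Doorkeeper::OAuth::Client in recent versions and the Application
# record in older ones; both cases are handled.
if defined?(Doorkeeper)
  Doorkeeper.configure do
    skip_authorization do |resource_owner, client|
      app = client.respond_to?(:application) ? client.application : client
      skip_consent?(resource_owner, app)
    end
  end
end
```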