Only enable specific grant flows.

[yorkxin]

I'd like to disable some unused grant flows in my API design, such as Resource Owner Password Credentials Grant and Client Credentials Grant. I found there is no way to disable it, so I implemented it.

In practice, the Authorization Endpoint and Token Endpoint would check for available response / grant types (the "strategies") according to the grant flows enabled. For example, if :implicit is not enabled, then Authorization Endpoint will return "Unsupported Response Type" error when response_type is set to token.

By default it enables all the four grant flows. I've also modified initializer file:

  # Change what grant flows are enabled
  # By default it enables all the four grant flows. Remove any of them from
  # the array to disable.
  #
  # grant_flows [
  #               :authorization_code,
  #               :implicit,
  #               :password_credentials,
  #               :client_credentials
  #             ]

Notes:

1. I don't know whether the commit chitsaou/doorkeeper@110c0d01be8afd8a7713a302333f5c0abb7bad85 is necessary, since the "Unsupported Response Type" is filtered in Doorkeeper::Request. I can remove this commit if you think this is not necessary.
2. Instead of RSpec tests, I've tested this feature with my demo app, and it seems work.
3. How do you think about the config values in my commit? In fact I feel that :resource_owner_password_credentials is too long. Update: changed to :password_credentials thanks to advise from @simonbnrd!
4. Token refreshing on Token Endpoint is currently always-enabled. I think it would make more sense if it is enabled only when use_refresh_token is enabled.
5. server_spec.rb cannot be run standalone, it would raise some exceptions. I instead tested this spec with rake spec.

Update

According to discussions below, the grant_flows setting is now in array of strings:

grant_flows %w(authorization_code implicit password client_credentials)

[yorkxin]

@tute Hi, sorry for pinging you here, but I'd like to know how this PR will be? Is it acceptable? Do I need to refactor it? Thanks. :)

[tute]

@chitsaou, thank you very much for your work and your poke. I've been on vacations and hanging around Github only for quick comments, your PR deserves more time that I expect to give next week!
Till next, thank you again,
Tute.

[yorkxin]

@tute oh I see, sorry for the interruption. Enjoy your vacation :)

[kevintom]

I was thinking of something similar but on the oauth_applications level,

having a list of supported grant_types column on the applications table (default :all ?)

and then doing the check against the applications supported list

not sure if this address the same need
(a little more versatile for me, since i'd like to permit password grant type for my iOS app and android only and have every other api consumer use the authorization_code grant type)

[birarda]

This would be a very useful feature to have. Is it against the OAuth spec to disable certain grant types for an application?

[yorkxin]

No, it does not against the spec. Most websites implement only one or two of them. For example, Authorization Code grant type is the only implemented type for most website, and Twitter does only implement Client Credentials grant type.

I've summarized a list of OAuth 2 implementation differences among popular websites on my blog, and you can see that none of them implement all the 4 built-in grant types. Sorry it's in Chinese; here are some brief translations: 自製 = self-made (non-OAuth 2); 半自製 = partially self-made; 無 scope = scope not implemented; spec 相容 = compatible with spec; client 認證 = client authentication

[sjfbo]

Really interesting @chitsaou ! / ping @tute 😄

This is also something I was looking for. Now that grant flows such as Resource Owner Password Credentials Grant do not require a client_id and a secret (thanks to OAuth2 spec !), I think that we should be able to disable these grant-types if we want to.

[sjfbo]

should be :client_credentials instead of :password

[yorkxin]

Fixed. Thank you!

[yorkxin]

I've left the master branch too far. Maybe I should rebase my changes onto the current version first?

[sjfbo]

It may help yes.

[yorkxin]

OK, I'll rebase onto master later today (living in UTC+8)

[yorkxin]

I found it is hard to rebase because I don't know how to fix unit tests :(

[houndci-bot]

Line is too long. [83/80]

[tute]

Good work, thank you! Sorry I delayed so much for the review, looking good!

[yorkxin]

No problem! I'm correcting my code according to your advise. Actually didn't know those symbol DoS issues at that time until recently :( Sorry for that.

[yorkxin]

Accidentally changed this line. Will revert.

[yorkxin]

• All parameters are now in strings instead of symbols.
• Use a simpler term password for Resource Owner Password Credentials Grant Flow
• Improved notes about grant_flows command in initializer template.
• When requesting for token refresh but Doorkeeper's refresh token is not enabled, the server returns unsupported_grant_type error.

I think it's good to merge. Feel free to tell me if there is anything to improve.

[tute]

• This method's body can be replaced by:

types = flows - ['implicit']
types << 'refresh_token' if refresh_token_enabled?
types

• We don't need the comment of line 243 (unless we link to the four related parts of the spec, your take).
• We don't need the flows parameter, as it's an accessible option in this scope.

[tute]

There's something wrong in this PR: https://travis-ci.org/doorkeeper-gem/doorkeeper/jobs/24286507

[yorkxin]

Got it. Will dig into this.

[tute]

Probably we do need orm DOORKEEPER_ORM. Sorry, it seems tests need it, I made you take them out.

[tute]

For ActiveRecord they pass because that's default, and when trying mongoid it fails. That will do the trick! Sorry again, my mistake.

[yorkxin]

Oh, no problem, and I will not blame on you 😄

I think we need a way to run tests locally using Mongoid.

[tute]

There is, we have to install and run mongoid, and define the ORM env variable. See https://github.com/doorkeeper-gem/doorkeeper/blob/master/.travis.yml.

[yorkxin]

Thanks, I'll run test through all mongo adapters and make sure that they pass.

[houndci-bot]

Use the new Ruby 1.9 hash syntax.
Line is too long. [110/80]

[yorkxin]

Fixed. Waiting for Travis CI :p

[tute]

Well, just merged a big Pull Request. Rebase needed, sorry to bother, and thank you for being so responsive!

[yorkxin]

No problem. I think I can do another rebase again.

[yorkxin]

Some test are failed. I'll fix them and push again.

[houndci-bot]

Line is too long. [92/80]

[yorkxin]

Done rebasing! I've also converted hash to 1.9 style.

By the way according to test cases, it seems that if specifying grant_flows in symbols (i.e. %i(implicit password)) the grant flow restriction will also work.

[yorkxin]

Previously the tests are setting grant_flows in array of symbols. I've corrected them to array of strings, but the tests pass in both cases.

[tute]

Thank you! ❤️

[yorkxin]

👍 Thanks a lot!

[sjfbo]

Good job @chitsaou and @tute !