-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Only enable specific grant flows. #295
Conversation
@tute Hi, sorry for pinging you here, but I'd like to know how this PR will be? Is it acceptable? Do I need to refactor it? Thanks. :) |
@chitsaou, thank you very much for your work and your poke. I've been on vacations and hanging around Github only for quick comments, your PR deserves more time that I expect to give next week! |
@tute oh I see, sorry for the interruption. Enjoy your vacation :) |
I was thinking of something similar but on the oauth_applications level, having a list of supported grant_types column on the applications table (default :all ?) and then doing the check against the applications supported list not sure if this address the same need |
This would be a very useful feature to have. Is it against the OAuth spec to disable certain grant types for an application? |
No, it does not against the spec. Most websites implement only one or two of them. For example, Authorization Code grant type is the only implemented type for most website, and Twitter does only implement Client Credentials grant type. I've summarized a list of OAuth 2 implementation differences among popular websites on my blog, and you can see that none of them implement all the 4 built-in grant types. Sorry it's in Chinese; here are some brief translations: 自製 = self-made (non-OAuth 2); 半自製 = partially self-made; 無 scope = scope not implemented; spec 相容 = compatible with spec; client 認證 = client authentication |
Really interesting @chitsaou ! / ping @tute 😄 This is also something I was looking for. Now that grant flows such as Resource Owner Password Credentials Grant do not require a client_id and a secret (thanks to OAuth2 spec !), I think that we should be able to disable these grant-types if we want to. |
} | ||
end | ||
|
||
it "includes ':password' in token_grant_types" do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be :client_credentials
instead of :password
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed. Thank you!
I've left the master branch too far. Maybe I should rebase my changes onto the current version first? |
It may help yes. |
OK, I'll rebase onto master later today (living in UTC+8) |
I found it is hard to rebase because I don't know how to fix unit tests :( |
response_types = [] | ||
|
||
response_types << :authorization_code if flows.include? :authorization_code | ||
response_types << :password if flows.include? :password_credentials |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Line is too long. [83/80]
Good work, thank you! Sorry I delayed so much for the review, looking good! |
No problem! I'm correcting my code according to your advise. Actually didn't know those symbol DoS issues at that time until recently :( Sorry for that. |
@@ -154,7 +171,7 @@ | |||
|
|||
describe "wildcard_redirect_uri" do | |||
it "is disabled by default" do | |||
Doorkeeper.configuration.wildcard_redirect_uri.should be_false | |||
expect(Doorkeeper.configuration.wildcard_redirect_uri).to be_false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accidentally changed this line. Will revert.
I think it's good to merge. Feel free to tell me if there is anything to improve. |
|
||
types << 'refresh_token' if refresh_token_enabled? | ||
|
||
types |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- This method's body can be replaced by:
types = flows - ['implicit']
types << 'refresh_token' if refresh_token_enabled?
types
- We don't need the comment of line 243 (unless we link to the four related parts of the spec, your take).
- We don't need the
flows
parameter, as it's an accessible option in this scope.
There's something wrong in this PR: https://travis-ci.org/doorkeeper-gem/doorkeeper/jobs/24286507 |
Got it. Will dig into this. |
Probably we do need |
For ActiveRecord they pass because that's default, and when trying mongoid it fails. That will do the trick! Sorry again, my mistake. |
Oh, no problem, and I will not blame on you 😄 I think we need a way to run tests locally using Mongoid. |
There is, we have to install and run mongoid, and define the ORM env variable. See https://github.com/doorkeeper-gem/doorkeeper/blob/master/.travis.yml. |
Thanks, I'll run test through all mongo adapters and make sure that they pass. |
end | ||
|
||
scenario 'returns unsupported_grant_type when refresh_token is not in use' do | ||
post token_endpoint_url(:code => @authorization.token, :client => @client, :grant_type => 'refresh_token') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use the new Ruby 1.9 hash syntax.
Line is too long. [110/80]
Fixed. Waiting for Travis CI :p |
Well, just merged a big Pull Request. Rebase needed, sorry to bother, and thank you for being so responsive! |
No problem. I think I can do another rebase again. |
Some test are failed. I'll fix them and push again. |
defaults to all grant flows + 'refresh_token'
Note: I'm not sure whether this is necessary, as there is already a validation in Doorkeeper::Request.
…when it is not enabled explicitly.
|
||
should_not_have_json 'access_token' | ||
should_have_json 'error', 'unsupported_grant_type' | ||
should_have_json 'error_description', translated_error_message('unsupported_grant_type') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Line is too long. [92/80]
Done rebasing! I've also converted hash to 1.9 style. By the way according to test cases, it seems that if specifying |
Previously the tests are setting |
Thank you! ❤️ |
👍 Thanks a lot! |
Good job @chitsaou and @tute ! |
I'd like to disable some unused grant flows in my API design, such as Resource Owner Password Credentials Grant and Client Credentials Grant. I found there is no way to disable it, so I implemented it.
In practice, the Authorization Endpoint and Token Endpoint would check for available response / grant types (the "strategies") according to the grant flows enabled. For example, if
:implicit
is not enabled, then Authorization Endpoint will return "Unsupported Response Type" error whenresponse_type
is set totoken
.By default it enables all the four grant flows. I've also modified initializer file:
Notes:
In fact I feel thatUpdate: changed to:resource_owner_password_credentials
is too long.:password_credentials
thanks to advise from @simonbnrd!use_refresh_token
is enabled.server_spec.rb
cannot be run standalone, it would raise some exceptions. I instead tested this spec withrake spec
.Update
According to discussions below, the
grant_flows
setting is now in array of strings: