Skip to content
An example OAuth 2 provider application using the Doorkeeper gem, Rails and Devise
Ruby HTML CSS Other
Branch: master
Clone or download
dependabot-preview and nbulaj [Security] Bump nokogiri from 1.10.4 to 1.10.5 (#96)
Bumps [nokogiri]( from 1.10.4 to 1.10.5. **This update includes a security fix.**
- [Release notes](
- [Changelog](
- [Commits](sparklemotion/nokogiri@v1.10.4...v1.10.5)

Signed-off-by: dependabot-preview[bot] <>
Latest commit 521763d Nov 18, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
app Allow PKCE to work May 5, 2019
bin Update dependencies Apr 3, 2019
config Add rollbar Apr 13, 2019
db Fix migration Apr 6, 2019
lib Initial commit Nov 28, 2011
public Disable robots May 11, 2019
spec Add specs Apr 5, 2019
.dockerignore Do not include semaphore-cache folder Apr 20, 2019
.gitignore Add bin stubs Mar 5, 2018
.rspec Add specs Apr 5, 2019
.rubocop.yml Update gems Apr 4, 2019
.ruby-version Add rubocop, bump ruby Apr 2, 2019
.travis.yml Update bundler Apr 6, 2019
Dockerfile Specify the Ruby version in the Dockerfile Apr 20, 2019
Gemfile.lock [Security] Bump nokogiri from 1.10.4 to 1.10.5 (#96) Nov 18, 2019 Update Apr 15, 2019
Rakefile Add rubocop, bump ruby Apr 2, 2019 Add rubocop, bump ruby Apr 2, 2019

Doorkeeper Provider App

Build Status Build Status

This app is an example of an OAuth 2 provider using Doorkeeper gem, Rails 5.2 and Devise. Check out the app hosted on heroku for a live demo.

About Doorkeeper Gem

For more information about the gem, documentation, wiki and another resources, check out the project on GitHub


First clone the repository from GitHub:

git clone git://

Install all dependencies with:

bundle install

After that you're almost ready to go.


The configuration is quite simple, all you need to do is run:

bundle exec rake db:setup

This will generate all necessary tables, create fake data, create an user and a client application.

Seed data

The generated user email is and password is doorkeeper.

The application id and secret will show up on terminal when the script ends.

After that, you can just fire up the rails server and you're ready to go.

OAuth Endpoint

The endpoints is mounted under /oauth so our routes look like this:

GET       /oauth/authorize
POST      /oauth/authorize
DELETE    /oauth/authorize
POST      /oauth/token
resources /oauth/applications

Example API

This app provides a sample JSON API under /api/v1. The current API endpoints are:


In routes.rb you can check out how they're made:

namespace :api do
  namespace :v1 do
    resources :profiles
    get '/me' => "credentials#me"

We namespace the API controllers to avoid name clashing and collisions between your existing application and the API. This way, you can make changes to your application without messing up with the API's behavior.

You can find all controllers under /app/controllers/api/v1 folder.

The api_controller.rb works as a parent class to the other controllers. It only defines a method that returns the current resource owner, based on the access token:

def current_resource_owner
  User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token

This is required if you want to return data based on the current user, like in credentials_controller.rb

Make Access Token Required

To make your API only available for OAuth users, you need to tell doorkeeper to require an access token in your api controller, like this:

module Api::V1
  class ProfilesController < ApiController
    before_action :doorkeeper_authorize!

    def index
      render json: Profile.recent

However, see also the Doorkeeper wiki article about using scopes.

If you attempt to access any of the protected resources without an proper access token, you'll get an 401 Unauthorized response.

Client applications

You can manage all client applications in /oauth/applications.

If you want to create a client application, check out this example using Sinatra and this another one using Rails and Devise.

You can’t perform that action at this time.