Allow custom data to be sent inside access tokens #1602
Conversation
Insecure Use of Language/Framework API (1)
More info on how to fix Insecure Use of Language/Framework API in Ruby. 👉 Go to the dashboard for detailed results. 📥 Happy? Share your feedback with us. |
|
@nbulaj let me know what you think about these changes. I'm not sure about the codeclimate issue - seems like the code will be worse if I try to refactor that 🤷♂️ |
|
Thanks @JeremyC-za , will check a little bit later, don't have enough time. I like the idea, but I have to think if it could be done with current implementation or we still need some changes to make it possible |
|
OK, I've checked the changes. I'm afraid of some broken ORM and other extensions (like openid connect) while we changed a few internal class initializers. Maybe we should consider another way of doing it, I'll think more about it. |
|
Beyond just adding a thumbs up, I'll say this would be a huge feature addition allowing us to prioritize the user experience in multi-tenant setups. Happy to discuss or contribute, but I'm not sure I understand the doorkeeper DSL and flows enough yet. |
|
@nbulaj can you elaborate on what exactly would break for other extensions? |
|
Actually all the ORM extensions @ashkulz . Maybe more, have to be tested with doorkeeper-openid_connect as well (as it's also patches some Doorkeeper internals) |
|
@JeremyC-za could you please rebase you branch on top of current |
|
@nbulaj I've rebased and actioned your feedback. Let me know if there's anything else I can do. |
|
@nbulaj can you publish a release to RubyGems? |
|
Released with 5.6.5 |
|
@JeremyC-za @nbulaj |
doorkeeper-gem/doorkeeper#1602 added custom fields, and the tests need to be adjusted to expect the call to `custom_access_token_attributes` for `preauth`.
Summary
I've added a new config option -
custom_access_token_fields. By default, this will be an empty array and have no effect, and when in use, it will be an array of symbols. This array of symbols will then be permitted parameters keys when authorising and granting access to an application. A developer can then configure their OAuth consent screen to allow custom data to be submitted during authorisation. This custom data will then be saved to the Access Grant, and will be included in any subsequently generated access tokens.Example Use Case
You have a multi-tenanted platform, where our example user has access to
tenant_1,tenant_2, andtenant_3. The example user would like to grant an OAuth application access to their data, but only fortenant_2, and not the others. Using this new config option, the developer of the platform can specify that atenant_idwill be submitted when granting access -custom_access_token_fields [:tenant_id]. The developer can then add atenant_idcolumn to theoauth_access_grantsandoauth_access_tokensdatabase tables, and then add a tenant select dropdown to their OAuth consent screen, allowing thetenant_idto be selected and submitted and saved. This tenant_id is then included in access tokens. When receiving a request using one of these access tokens, then developer can add measures to check that the requested resource belongs to the tenant for which the access token was created.