Update oauth2 middleware #587

Closed
wants to merge 3 commits into from

3 participants

@etehtsea

No description provided.

lib/grape/middleware/auth/oauth2.rb
@@ -54,7 +54,7 @@ def verify_token(token)
token = token_class.verify(token)
if token
if token.respond_to?(:expired?) && token.expired?
- error_out(401, 'expired_token')
+ error_out(401, 'invalid_token')
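Review bot: `invalid_token` is the correct code for an expired bearer token at a resource server, so this line is an improvement over the unregistered `expired_token` string it replaces: the Bearer Token Usage spec (draft-ietf-oauth-v2-bearer, published as RFC 6750, Section 3.1) lists `invalid_token` for tokens that are expired, revoked, malformed or otherwise invalid, whereas `invalid_grant` is a token-endpoint error from RFC 6749 Section 5.2 and does not belong in a `WWW-Authenticate` challenge. If clients still need to tell "expired" from "invalid", the spec's optional `error_description` attribute is the place to carry that, rather than a non-standard `error` value.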
@dm1try Owner
dm1try added a note

Could you clarify why you used invalid_token here?
In the RFC http://tools.ietf.org/html/rfc6749 the possible response is invalid_grant.

@etehtsea
etehtsea added a note

That was a typo. Fixed, thanks.

@etehtsea
etehtsea added a note

@dblock @dm1try according to http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-23#section-3.1 the error should be invalid_token. Does anybody know how it should look?

@dm1try Owner
dm1try added a note

@etehtsea, sorry, it's my fault :pensive: The RFC you provided seems more valid for our case. I used the RFC link from the oauth2 main page and just fluently searched for differences, but it seems we should rely on this document that describes "Bearer Token Usage".

@dm1try Owner
dm1try added a note

@dblock , any thoughts?

@dblock Owner
dblock added a note

tbh I don't know what the 'right' thing to do is here; the oauth2 spec is always in flux. It would be great if you guys could figure it out and PR the "right thing to do".

etehtsea added some commits

@etehtsea etehtsea Update token expiration and invalid errors f647aa1

@etehtsea etehtsea Add access_token to oauth middleware 7b5650a
In the latest oauth2 spec versions, oauth_token was replaced with access_token.
@dblock
Owner

It would be great to have a clearer CHANGELOG; the "latest" spec will become not so latest soon :) Maybe a spec version or a link or something like that?

@etehtsea

@dblock added the spec version.

@dblock
Owner

Thanks, merging.

@dblock
Owner

Merged via 01f2590.

@dblock dblock closed this
@etehtsea etehtsea deleted the SPBTV:fix-expired-token branch
Commits on Mar 5, 2014

  1. @etehtsea

    Update token expiration and invalid errors

    etehtsea authored

  2. @etehtsea

    Add access_token to oauth middleware

    etehtsea authored
    In the latest oauth2 spec versions, oauth_token was replaced with access_token.

  3. @etehtsea

    Update CHANGELOG

    etehtsea authored
1  CHANGELOG.md
@@ -33,6 +33,7 @@ Next Release
* [#549](https://github.com/intridea/grape/pull/549): Fixed handling of invalid version headers to return 406 if a header cannot be parsed - [@bwalex](https://github.com/bwalex).
* [#557](https://github.com/intridea/grape/pull/557): Pass `content_types` option to `Grape::Middleware::Error` to fix the content-type header for custom formats. - [@bernd](https://github.com/bernd).
* [#585](https://github.com/intridea/grape/pull/585): Fix after boot thread-safety issue - [@etehtsea](https://github.com/etehtsea).
+* [#587](https://github.com/intridea/grape/pull/587): Fix oauth2 middleware compatibility with draft-ietf-oauth-v2-31 spec - [@etehtsea](https://github.com/etehtsea).
0.6.1 (10/19/2013)
==================
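Review bot: the spec named in the new entry, draft-ietf-oauth-v2-31, is the core authorization framework draft (later RFC 6749), but the `access_token` parameter name and the error codes this PR touches are defined in the Bearer Token Usage document the thread itself settles on (draft-ietf-oauth-v2-bearer-23, later RFC 6750). Citing that draft, or both, would make the entry accurate, and a note that `oauth_token` and `bearer_token` remain accepted for backward compatibility would tell readers what actually changed for their clients.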
6 lib/grape/middleware/auth/oauth2.rb
@@ -5,7 +5,7 @@ def default_options
{
token_class: 'AccessToken',
realm: 'OAuth API',
- parameter: %w(bearer_token oauth_token),
+ parameter: %w(bearer_token oauth_token access_token),
accepted_headers: %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION),
header: [/Bearer (.*)/i, /OAuth (.*)/i],
required: true
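Review bot: adding `access_token` while keeping `bearer_token` and `oauth_token` means the middleware now looks up the token under three parameter names; that is reasonable for compatibility, but the legacy names should be marked deprecated in the README or CHANGELOG so they can be dropped later. Separately, Bearer Token Usage Section 2.3 says clients SHOULD NOT send the token in the URI query string unless the `Authorization` header and form body are unavailable, because query parameters end up in server logs, proxies and Referer headers; since the `header:` option already handles `Authorization: Bearer`, documenting that as the recommended transport would be worthwhile.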
@@ -54,7 +54,7 @@ def verify_token(token)
token = token_class.verify(token)
if token
if token.respond_to?(:expired?) && token.expired?
- error_out(401, 'expired_token')
+ error_out(401, 'invalid_grant')
else
if !token.respond_to?(:permission_for?) || token.permission_for?(env)
env['api.token'] = token
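Review bot: `invalid_grant` is not a valid error code for a resource server's 401 challenge: RFC 6749 Section 5.2 defines it for the token endpoint, and the Bearer Token Usage spec referenced in the discussion (Section 3.1) defines `invalid_token` for tokens that are expired, revoked, malformed or otherwise invalid. This line should be `error_out(401, 'invalid_token')`, which is what the earlier revision discussed above had before the follow-up commit changed it. Collapsing the old `expired_token` into the spec's single `invalid_token` code is correct; if clients still need to tell the two apart, the spec's optional `error_description` attribute is the place to say so.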
@@ -63,7 +63,7 @@ def verify_token(token)
end
end
elsif !!options[:required]
- error_out(401, 'invalid_token')
+ error_out(401, 'invalid_grant')
end
end
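Review bot: this `elsif` fires whenever `token_class.verify` returns nothing, so as far as this hunk shows it covers both an unrecognized token and a request that carried no token at all, and `invalid_grant` fits neither. Bearer Token Usage Section 3.1 uses `invalid_token` for an unrecognized token and says that when the request includes no authentication information the server SHOULD NOT include an error code, returning only the `WWW-Authenticate: Bearer realm="..."` challenge. Distinguishing "no token presented" from "token rejected" in this branch would let the middleware follow that rule.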
16 spec/grape/middleware/auth/oauth2_spec.rb
@@ -30,7 +30,7 @@ def app
context 'with the token in the query string' do
context 'and a valid token' do
- before { get '/awesome?oauth_token=g123' }
+ before { get '/awesome?access_token=g123' }
it 'sets env["api.token"]' do
last_response.body.should == 'g123'
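Review bot: renaming every example from `oauth_token` to `access_token` removes the only coverage of the legacy parameter names that `default_options` still accepts. Keep at least one example per accepted name, for instance by wrapping this context in `%w(oauth_token access_token).each do |param|` the way the header examples below iterate over the accepted header names, so the backward-compatible path cannot regress silently.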
@@ -40,7 +40,7 @@ def app
context 'and an invalid token' do
before do
@err = catch :error do
- get '/awesome?oauth_token=b123'
+ get '/awesome?access_token=b123'
end
end
@@ -49,7 +49,7 @@ def app
end
it 'sets the WWW-Authenticate header in the response' do
- @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='invalid_token'"
+ @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='invalid_grant'"
end
end
end
@@ -57,12 +57,12 @@ def app
context 'with an expired token' do
before do
@err = catch :error do
- get '/awesome?oauth_token=e123'
+ get '/awesome?access_token=e123'
end
end
it { @err[:status].should == 401 }
- it { @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='expired_token'" }
+ it { @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='invalid_grant'" }
end
%w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION).each do |head|
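Review bot: with the expired and invalid examples now asserting a byte-identical `WWW-Authenticate` value, the spec no longer distinguishes the two branches of `verify_token`, so an expired token silently falling into the generic path would still pass. If that distinction should remain observable, assert on a differing `error_description` (the optional attribute the bearer spec allows) rather than only on `error`. Worth noting too that the asserted challenge uses the `OAuth` scheme with single-quoted values, whereas the challenges in the Bearer Token Usage spec use the `Bearer` scheme with double-quoted parameter values; that predates this PR but is the next compatibility gap.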
@@ -73,14 +73,14 @@ def app
end
context 'with the token in the POST body' do
- before { post '/awesome', 'oauth_token' => 'g123' }
+ before { post '/awesome', 'access_token' => 'g123' }
it { last_response.body.should == 'g123' }
end
context 'when accessing something outside its scope' do
before do
@err = catch :error do
- get '/forbidden?oauth_token=g123'
+ get '/forbidden?access_token=g123'
end
end
@@ -105,7 +105,7 @@ def app
end
context 'with a valid token' do
- before { get '/awesome?oauth_token=g123' }
+ before { get '/awesome?access_token=g123' }
it 'sets env["api.token"]' do
last_response.body.should == 'g123'