Bypass authorization for once authorized user-app #133

Open
crodjer opened this Issue Jan 28, 2013 · 2 comments

2 participants

@crodjer

I am trying to setup an internal oauth2 service, following Oauth2-Tutorial.

The issue that I have with this is that once a user has authorized access to one application I want to bypass asking again for permission from the user, like in other popular sites (Facebook, Google OAuth) and respond with the previously generated oauth tokens (Oauth2Token and Oauth2Verifier).

How can I achive this. I figure this would require me to override the authorize method in oauth_controller, but I don't know how exactly.

@mojovski

You will just have to store the received access token (you are receiving this after your user has accepted the access) and use it for later communication.
Here is an example where the access token is used to communicate. It should be stored in db

consumer = MyOAuthConsumer.new("IfE....", "EuEsBaIB.....", 
    {:site=>"http://provider..local:3000", 
    :request_token_path => '/oauth/request_token',
    :access_token_path => '/oauth/access_token',
    :authorize_path => '/oauth/authorize'})


#------------------------------------------------------------
#   getting the request token. works most of the time :(
#-------------------------------------------------------------
req_token=consumer.get_request_token


#--------------------------------------
#   check here if the response if a valid json structure
#   if not, something went wrong in the server. 
#--------------------------------------
puts "#{req_token.inspect}"


#--------------------------
# => now the user needs to open a url in order to confirm
#----------------------------
puts "open this URL #{req_token.authorize_url}"
gets #waiting for any key fro the user

#---------------------------
# => get the access token.
# => if this doesnt work, you will nee to redirect to
#redirect_to @request_token.authorize_url
#   let the user login and when he/she comes back to your page, 
#   @access_token=@request_token.get_access_token
#   will work.
#---------------------------
puts " trying to get an access token using the received request token"
access_token=req_token.get_access_token


puts "#{access_token.inspect}"
my_data=access_token.get("/all_my_data.json").body

puts "received my_data: #my_data}"
@crodjer

Thanks @mojovski for this. I do realize that, this is the standard way of communication via OAuth2 services and client applications. But my use case was a little different. We are using it as a common authentication service across our sites, and needed the server to respond with the same authentication token.
Anyway, I was able to override some methods in the oauth controller and verifier model to get the functionality. It is hackish, but I guess that isn't a popular requirement.

Helper method in client application to return the last verified token.

    def verified app_user, scope=""
        scope = scope.to_s
        Oauth2Token.where(user_id: app_user.id, client_application_id: self.id,
                          scope: scope).first
    end

A verified check filter in OauthController for looking up if the client has already been verified once.

    def check_verified
        if request.get?
            @client_application = ClientApplication.find_by_key! params[:client_id]
            @client_verified = (not @client_application.verified(current_user,
                                                                 params[:scope]).nil?)
        end
    end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment