Added Assertion Flow #249
Added Assertion Flow #249
Conversation
|
+1 |
|
Could this feature be added to doorkeeper? It would be really helpful. |
|
Could we add this feature to doorkeeper? It is quite helpful to people that require 3rd party authentication. |
|
+1 |
|
@tsov could you please rebase on top of current master, and we work it out? Thanks for your work! |
|
Will do now, thanks! |
|
Easter passed so now time to merge :) 👍 |
Conflicts: spec/dummy/db/schema.rb spec/support/helpers/url_helper.rb
| @@ -16,7 +17,7 @@ def authorization_strategy(strategy) | |||
| end | |||
|
|
|||
| def token_strategy(strategy) | |||
| get_strategy strategy, %w[password client_credentials authorization_code refresh_token] | |||
| get_strategy strategy, %w[password client_credentials authorization_code refresh_token assertion] | |||
|
👍 |
|
@tute this should be good to go now, unless you have some more feedback. Let me know |
|
|
||
| def request | ||
| # TODO: For now OAuth::PasswordAccessTokenRequest is reused for the Assertion Flow. In need of | ||
| # OAuth::AssertionAccessTokenRequest in future |
There was a problem hiding this comment.
How exactly would an AssertionAccessTokenRequest be different than a PasswordAccessTokenRequest?
There was a problem hiding this comment.
There shouldn't be any differences in the PasswordAccessTokenRequest and the potential AssertionAccessTokenRequest to be honest, but I think by using the PasswordAccessTokenRequest for the assertion flow, the name didn't suite as much anymore. What do you think? I could also just remove the TODO comment
| t.string "token", :null => false | ||
| t.string "refresh_token" | ||
| t.integer "expires_in" | ||
| t.datetime "revoked_at" |
There was a problem hiding this comment.
Prefer single-quoted strings when you don't need string interpolation or special symbols.
|
Ok, sorry about the schema file, that's absolutely my fault! I saw you guys changed from double quotation marks to single, and that you use the new hash syntax. I will change it now! |
|
Ok, lets see if this passes, then this PR should be good to go :) |
|
This would be an extension: http://tools.ietf.org/html/rfc6749#section-4.5. I wouldn't like to add extensions into doorkeeper, but I'd love it to be extendable. We should be able to make extensions in separate projects, and add a wiki page to this project linking to them. I don't think this code belongs to this repository, will leave open until we sort it out. Thank you very much for your work. |
|
Ok, that seems reasonable! But I also think assertion should be part of doorkeeper, maybe if we followed the proper standard this could be added? draft-ietf-oauth-assertions-16 |
|
This seems ready for master 😊 |
|
I'm happy to work with you in a gem that extends doorkeeper with the new grant type. Could be hosted in https://github.com/doorkeeper-gem or in your own account, as you'd like. |
|
That's sounds promising and like a nice solution for the future. I think it should be available in the doorkeeper-gem github organization for others to see too! |
|
Cool, you have access to https://github.com/doorkeeper-gem/doorkeeper-assertion-grant. I'm not yet sure how the code/tests will look like, so let's sort it out! :) |
|
Thanks & sounds like a plan! |
|
Hey all, today I worked on a draft to extend doorkeeper with this assertion grant. Tests are passing in https://github.com/doorkeeper-gem/doorkeeper-grants_assertion. Need to polish up some code and write documentation, but tests are green. @tsov could you please test it out, addding the gem to your Gemfile and calling the resource by assertion? Thank you! |
|
@tute sweet! |
|
I dont understand how this would differentiate between several third-party integrations? eg. What if I wanted to allow Facebook and Twitter access tokens? |
|
Well it is up to you to implement the behaviour. Maybe with an extra parameter (e.g. assertion_type=facebook). Remember you have access to the params variable within the resource_owner_from_assertion block. |
|
@tsov It would be nice to be able to do: or |
|
That would not conform to the OAuth 2.0 specs, as e.g. Doorkeeper.configure do
resource_owner_from_assertion do
CustomAuthenticator.retrieve_user params[:assertion_type], params[:assertion]
end
endwhere params[:assertion_type] could be facebook, twitter, google or whatever you want to support. Hope this helps |
|
@MarkMurphy good examples of this would be from Google's OAuth provider – https://developers.google.com/accounts/docs/OAuth2ServiceAccount where they allow you to create an encrypted JWT that requires special params to be passed in much like any of the other OAuth flows see: https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset |
|
@tsov @christopherhein Thanks guys, makes sense. |
|
With doorkeeper-grants_assertion gem (v0.0.1) and Doorkeeper v1.4.0 I get this error: NoMethodError in Doorkeeper::TokensController#create Works instead with doorkeeper v1.3.1. Any chance to fix this in the new release? |
|
hi, i also have the same issue with using the latest version of doorkeeper any solutions for this issue?? |
|
How to issue token for a particular app in assertion flow? Currently I'm using facebook token to issue access_token and it works without passing client_id and client_secret. |
|
I'm using gem 'doorkeeper-grants_assertion', git: 'https://github.com/Badiapp/doorkeeper-grants_assertion' which has dependency of doorkeeper >= 4.0.0 if i'm using doorkeeper >= 4.0.0 i'm unable to generate access_token if i use doorkeeper >= 4.0.0.rc1 i can generate access_token but unable to call assertion method in doorkeeper.rb could any one suggest me which version of doorkeeper is best and i'm using mongodb as my db |
|
@tute Sorry to bring up an old topic, but is there a more official way to deal hook in OmniAuth so we can authenticate with Facebook, Twitter, or Google? |
|
Hi @dagumak. What is wrong with https://github.com/doorkeeper-gem/doorkeeper-grants_assertion gem? |
|
@nbulaj Nothing wrong with it, but I do have questions. In this example, the authentication just passes through and does not alter the database (ex, creation of a new user, etc...): https://github.com/doorkeeper-gem/doorkeeper-grants_assertion/wiki If I were previously using Devise and password grant and if I wanted to add Google login then how would user record creation and everything else work? My initial assumption would be to check if the user exists by google_id then email on authentication before creating a user record. |
Here a simple implementation for an Assertion Flow for Doorkeeper.
This lets you define a method to authenticate users coming from 3rd Party applications like facebook, twitter, etc.
Example: