Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authorization code must be short lived and single use #3

Merged
merged 3 commits into from
Nov 30, 2011
Merged

Conversation

felipeelias
Copy link
Member

According to specs, access grants must be short lived and single use. This means tha after the access token is issued for a specific grant, the grant must be revoked and cannot be used again.

http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-10.5

This commit upgrades all migration files adding 'revoked_at' field and changes the behavior of #accessible?. For a grant be accessible it needs to not be either exipired or revoked.

The error response when the grant is revoked is 'invalid_grant' as specified here:

http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-5.2

I also had to fix an issue when creating the access token, that was issued to the wrong client attribute (uid instead of id)

It was creating the access token with wrong client id
According to specs, access grants must be short lived and single
use. This means tha after the access token is issued for a specific
grant, the grant must be revoked and cannot be used again.

http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-10.5

This commit upgrades all migration files adding 'revoked_at' field
and changes the behavior of #accessible?. For a grant be accessible
it needs to not be either exipired or revoked.

The error response when the grant is revoked is 'invalid_grant' as
specified here:

http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-5.2
@@ -1,7 +1,7 @@
class AccessGrant < ActiveRecord::Base
include Doorkeeper::OAuth::RandomString

self.table_name = "oauth_access_grants"
self.set_table_name :oauth_access_grants
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you need to call self.set... here. Just set_table_name without self is not enough ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need self there. Updating...

piotrj added a commit that referenced this pull request Nov 30, 2011
Authorization code must be short lived and single use
@piotrj piotrj merged commit ae98d8c into master Nov 30, 2011
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants