Server Authorization Endpoint
rack-oauth2 provides an OAuth2 Authorization Endpoint as a Rack application.

This is a sample authorization endpoint implementation (concept code only, written as if running inside a Rails controller that provides `params`, `current_account` and `render`):
```ruby
authorization_endpoint = Rack::OAuth2::Server::Authorize.new do |req, res|
  # Look up the client; unknown client_id is a protocol error raised on req
  client = Client.find_by_client_id(req.client_id)
  req.bad_request! if client.blank?

  # Exact-match the requested redirect_uri against the registered one;
  # raises on mismatch so no redirect to an unverified target is ever issued
  res.redirect_uri = req.verify_redirect_uri!(client.redirect_uri)

  if req.post?
    if params[:approve]
      case req.response_type
      when :code
        authorization_code = current_account.authorization_codes.create(
          client: client,
          redirect_uri: res.redirect_uri
        )
        res.code = authorization_code.token
      when :token
        # This sample only implements the code flow; errors are raised on req
        req.unsupported_response_type!
      end
      # Success: issue the redirect response carrying the credential set above
      res.approve!
    else
      req.access_denied!
    end
  else
    # GET: show the consent screen
    render 'authorize'
  end
end

authorization_endpoint.call request.env
```
Basically, what you need is:

- If error, tell it to the `req` object.
- If success, set credentials to the `res` object and call `res.approve!`.
`Rack::OAuth2::Server::Authorize` supports `response_type=code` and `response_type=token`, and sets `req.response_type` to `:code` or `:token` accordingly. How to handle `req.response_type` is your responsibility.
You can define other response types by defining extension classes under the `Rack::OAuth2::Server::Authorize::Extension` namespace. `Rack::OAuth2::Server::Authorize::Extension::CodeAndToken` would be a good example.
In the code flow, `req.response_type` will be `:code`. If the user approved the client access, set the authorization code on `res.code` and call `res.approve!`. In this case a successful redirect response is issued to the client's redirect_uri, carrying the authorization code in the query string. If the user denied the client access, call `res.access_denied!`. In this case an error response is returned without calling `res.finish`.
In the token flow, `req.response_type` will be `:token`. You need to set `res.token` instead of `res.code`. Everything else is the same as in the code flow.
rack-oauth2 provides a simple exact-matching redirect_uri verifier and the protocol-defined error methods. Anything else you need to implement yourself, for example:

- Client Identity Verification
- Custom Redirect URI Restrictions (SSL requirements, partial matching, etc.)
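As an added example of the kind of custom redirect_uri restriction just mentioned (this is not part of rack-oauth2, and `RedirectUriPolicy` is a hypothetical name), the class below checks a requested redirect_uri against several registered URIs, rejects fragments and non-HTTPS targets (with an optional loopback exception for local development clients), and reports which check failed:

```ruby
require 'uri'

# Hypothetical stricter stand-in for req.verify_redirect_uri!(client.redirect_uri)
# for clients that register several URIs or must use HTTPS. Not part of rack-oauth2.
class RedirectUriPolicy
  LOOPBACK_HOSTS = %w[localhost 127.0.0.1 ::1].freeze

  # registered: pre-registered redirect URIs for one client (Strings).
  # require_https: reject plain http, except on loopback hosts when allowed.
  def initialize(registered, require_https: true, allow_loopback_http: true)
    @registered = registered.map { |u| URI.parse(u) }
    @require_https = require_https
    @allow_loopback_http = allow_loopback_http
  end

  # Returns :ok, or a symbol naming the first check that failed.
  def check(requested)
    return :missing if requested.nil? || requested.empty?
    uri = parse(requested)
    return :malformed unless uri
    return :fragment if uri.fragment            # RFC 6749 3.1.2: no fragment allowed
    return :insecure_scheme unless secure?(uri)
    return :not_registered unless @registered.any? { |reg| exact_match?(reg, uri) }
    :ok
  end

  private

  # Only absolute URIs with a host and no userinfo are considered at all
  def parse(str)
    uri = URI.parse(str)
    uri if uri.absolute? && uri.host && uri.userinfo.nil?
  rescue URI::InvalidURIError
    nil
  end

  def secure?(uri)
    return true unless @require_https
    return true if uri.scheme == 'https'
    @allow_loopback_http && uri.scheme == 'http' && LOOPBACK_HOSTS.include?(uri.hostname)
  end

  # Component-wise exact comparison: scheme and host are case-insensitive,
  # path and query are compared as-is (no normalisation of "/../" or encoding),
  # so "https://app.example/cb/../admin" does not match "https://app.example/cb".
  def exact_match?(reg, uri)
    reg.scheme.casecmp?(uri.scheme) && reg.host.casecmp?(uri.host) &&
      reg.port == uri.port && reg.path == uri.path && reg.query == uri.query
  end
end
```

In the endpoint, any result other than `:ok` should be answered with `req.bad_request!` as in the sample above, never with a redirect, because the redirect target itself is what failed verification.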