Changing how clients are authenticated - doorkeeper-gem/doorkeeper GitHub Wiki

By default Doorkeeper authenticates clients using the HTTP Basic authentication scheme. If no Basic credentials are found in the Authorization header, it falls back to the POST parameters client_id and client_secret.

For example, this is the HTTP request for the Client Credentials flow using Basic auth (the base64 token encodes client_id:client_secret):

POST /oauth/token
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=client_credentials

You can instead send the client credentials in the request body rather than in an HTTP Basic header:

POST /oauth/token

grant_type=client_credentials&client_id=...&client_secret=...

You can ignore credentials sent in the Basic header, change the precedence order, or remove one of the methods entirely by setting client_credentials in doorkeeper.rb. The methods are tried in the order given:

Doorkeeper.configure do
  # defaults: Basic header first, then POST parameters
  client_credentials :from_basic, :from_params

  # only from the Basic header; client_id/client_secret in the body are ignored
  client_credentials :from_basic
end

Using a lambda/class/module

This option accepts any object that responds to call, so you can pass a lambda or a module/class, for example:

Lambda example

Doorkeeper.configure do
  # custom credentials using a lambda; it receives the request and
  # must return the pair [client_id, client_secret]
  client_credentials lambda { |request| return 'uid', 'secret' }
end

Module/Class example

require 'base64'

module MyClientCredentialsAwesomeParser
  def self.call(request)
    # find the client credentials in the request object,
    # for example by decoding the HTTP Basic Authorization header
    header = request.authorization.to_s
    return nil, nil unless header =~ /\ABasic\s+/i

    # the header carries base64(client_id:client_secret): decode it first,
    # then split on the first ':' only, since the secret may itself contain ':'
    auth = Base64.decode64(header.sub(/\ABasic\s+/i, '')).split(':', 2)
    return nil, nil unless auth.size == 2

    # You have to return a tuple containing username/password
    return auth.first, auth.last
  end
end

And in doorkeeper.rb

require 'my_client_credentials_awesome_parser'

Doorkeeper.configure do
  client_credentials MyClientCredentialsAwesomeParser, :from_params
end
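As an added example (not code from the Doorkeeper wiki or gem), here is a stricter variant of the module above that rejects malformed Basic headers instead of returning half-parsed values, and applies the form-urlencoding step RFC 6749 section 2.3.1 specifies for the client id and secret. The module name is hypothetical, FakeRequest is a constructed stand-in for the Rails request object Doorkeeper passes to call, and the example assumes an empty pair is treated by Doorkeeper as "no credentials found" so the next configured method is tried.

```ruby
require 'base64'
require 'cgi'

# Hypothetical extractor for Doorkeeper's client_credentials option (added example).
# Accepts only a well-formed HTTP Basic header (RFC 7617) and decodes client_id /
# client_secret as RFC 6749 section 2.3.1 requires (form-urlencoded, then base64).
# Anything malformed yields an empty pair instead of half-parsed values.
module StrictBasicClientCredentials
  BASIC_HEADER = %r{\A\s*Basic\s+(?<token>[A-Za-z0-9+/]+=*)\s*\z}i
  EMPTY = [nil, nil].freeze

  def self.call(request)
    match = BASIC_HEADER.match(request.authorization.to_s)
    return EMPTY unless match

    # strict_decode64 rejects stray characters and bad padding that the
    # lenient decoder would silently skip over.
    decoded = Base64.strict_decode64(match[:token]).force_encoding(Encoding::UTF_8)
    return EMPTY unless decoded.valid_encoding?

    # RFC 7617: the user-id may not contain ':', the password may, so split once.
    client_id, client_secret = decoded.split(':', 2)
    return EMPTY if client_id.nil? || client_id.empty? || client_secret.nil?

    # Undo the form-urlencoding applied before base64 (RFC 6749 2.3.1). Drop this
    # step if your clients send raw ids that may legitimately contain '+' or '%'.
    [CGI.unescape(client_id), CGI.unescape(client_secret)]
  rescue ArgumentError
    EMPTY # non-canonical base64
  end
end

# Constructed stand-in for the Rails request object Doorkeeper passes in.
FakeRequest = Struct.new(:authorization, :params)

# Wire it up in doorkeeper.rb the same way as the module above:
#   client_credentials StrictBasicClientCredentials, :from_params
if __FILE__ == $PROGRAM_NAME
  p StrictBasicClientCredentials.call(FakeRequest.new('Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW', {}))
  # => ["s6BhdRkqt3", "gX1fBat3bV"]
end
```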