Server Authorization Endpoint - nov/rack-oauth2 GitHub Wiki

rack-oauth2 provides an OAuth 2.0 authorization endpoint as a Rack application.

This is a sample authorization endpoint implementation (concept code only).

```ruby
# Concept code. The block is a closure inside a controller action (e.g. a Rails
# controller), so params, current_account and render come from the controller,
# while req and res are the Rack::OAuth2::Server::Authorize request/response objects.
authorization_endpoint = Rack::OAuth2::Server::Authorize.new do |req, res|
  client = Client.find_by_client_id(req.client_id)
  req.bad_request! if client.blank?
  # Exact-match check of the requested redirect_uri against the registered one.
  res.redirect_uri = req.verify_redirect_uri!(client.redirect_uri)
  if req.post?
    if params[:approve]
      case req.response_type
      when :code
        authorization_code = current_account.authorization_codes.create(
          client: client,
          redirect_uri: res.redirect_uri
        )
        res.code = authorization_code.token
      when :token
        req.unsupported_response_type!
      end
      res.approve!
    else
      req.access_denied!
    end
  else
    render 'authorize' # GET: show the consent form
  end
end
```

```ruby
authorization_endpoint.call request.env
```

Basically, what you need to do is:

  • On error, report it through the req object (for example req.bad_request! or req.access_denied!).
  • On success, set the credentials on the res object and call res.approve!.

Response Type Handling

Rack::OAuth2::Server::Authorize supports response_type=code and response_type=token and sets req.response_type to :code or :token accordingly.

How to handle req.response_type is up to you.

You can define other response types by adding extension classes under the Rack::OAuth2::Server::Authorize::Extension namespace.

Rack::OAuth2::Server::Authorize::Extension::CodeAndToken is a good example to follow.

response_type=code

In the code flow, req.response_type is :code.

If the user approved the client's access, set the authorization code on res.code and call res.approve!.

In this case a successful redirect response is issued to the client's redirect_uri with the authorization code in the query string.

If the user denied the client's access, call req.access_denied!.

In this case the error response is returned without res.finish being called.

response_type=token

In the token flow, req.response_type is :token.

You need to set res.token instead of res.code.

Everything else is the same as in the code flow.

Request Verification

rack-oauth2 provides a simple exact-match redirect_uri verifier and the protocol-defined error methods.

Everything else you need to implement yourself, for example:

  • Client identity verification
  • Custom redirect_uri restrictions (SSL requirements, partial matching, etc.)
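One way to implement such a custom restriction, as an added example that is not rack-oauth2's own code: a stricter redirect_uri check that keeps the library's exact-match rule, rejects fragments, and requires https except on loopback hosts used for local development. The RedirectUriPolicy module, the REGISTERED sample list and the redirect_uri_allowed? helper are all assumed names constructed for this example; in the endpoint block above it would replace the req.verify_redirect_uri! call, with req.bad_request! invoked on failure.

```ruby
require 'uri'

# Added example (not rack-oauth2's own code): stricter redirect_uri verification of
# the kind the page says you must implement yourself. Policy: exact string match
# against the client's registered URIs, no fragment, and https everywhere except
# loopback hosts for local development.
module RedirectUriPolicy
  class Invalid < StandardError; end

  LOOPBACK = %w[localhost 127.0.0.1 ::1].freeze

  # registered: Array of URI strings registered for the client.
  # requested:  the redirect_uri request parameter (may be nil).
  # Returns the URI string the response must redirect to, or raises Invalid.
  def self.verify!(registered, requested)
    # RFC 6749 allows omitting the parameter only when exactly one URI is registered.
    if requested.nil? || requested.empty?
      raise Invalid, 'redirect_uri required' unless registered.size == 1
      requested = registered.first
    end

    uri = begin
      URI.parse(requested)
    rescue URI::InvalidURIError
      raise Invalid, 'malformed redirect_uri'
    end

    raise Invalid, 'fragment not allowed' if uri.fragment
    unless uri.scheme == 'https' || (uri.scheme == 'http' && LOOPBACK.include?(uri.hostname))
      raise Invalid, 'https required'
    end

    # Simple string comparison only: no prefix or wildcard matching, so an added
    # path segment or query string on a registered origin is rejected.
    raise Invalid, 'redirect_uri not registered' unless registered.include?(requested)
    requested
  end
end

# Constructed sample registration for a single client (hypothetical values).
REGISTERED = ['https://app.example/callback', 'http://localhost:3000/callback'].freeze

# Convenience wrapper used by the checks below: true if the policy accepts the URI.
def redirect_uri_allowed?(requested)
  RedirectUriPolicy.verify!(REGISTERED, requested)
  true
rescue RedirectUriPolicy::Invalid
  false
end
```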