authentication using Doorkeeper from client-side application without transmitting secrets

4
votes

I'm trying to use Doorkeeper in a Ruby on Rails API app for authentication. From a client-side AngularJS app, I want to get an access token. Currently, this involves a GET request to /oauth/authorize, which gives me a code, then I POST that code along with a client_id and a secret to /oauth/token. I don't want to have to send the client ID and secret from my client-side app, since they're stored in plain-text in a JavaScript file. I would like to follow this flow where response_type is token, not code, but I can't figure out how to do that with Doorkeeper. Their wiki examples all seem to involve POSTing the client ID and secret to /oauth/token.

Is Doorkeeper the right gem for this? How can I do Google OAuth2 from a client-side app, where no secrets are passed from client-side to the server?

Edit: looks like what I want is Implicit Grant, which Doorkeeper supports. Now I just have to find out how to do that in my Rails app...

1
javascriptruby-on-railsoauthgoogle-oauthdoorkeeper

1 Answers

5
votes

No extra server-side configuration necessary.

When I created a new Doorkeeper::Application in my Rails app, the Doorkeeper interface gave me an Authorize link with response_type=code in it for that application.

I changed that to response_type=token and when I do a GET request to that, it responds immediately with access_token instead of code. The Authorize URL looks like http://my-rails-doorkeeper-app/oauth/authorize?client_id=1234&redirect_uri=http://my-angularjs-app&response_type=token.

Update :

This can only be applied when we also allow implicit grant for the grant flow. By default, doorkeeper will allow its four kinds of flow (implicit grant, authorization grant, password, and client_credentials).

You can configure it in initializer/doorkeeper.rb if you don't want to let it happens since sometimes it can be dangerous.