How to do Application-only authentication in doorkeeper (oauth2)

1
votes

Twitter has application-only authentication for their api: https://dev.twitter.com/docs/auth/application-only-auth

Twitter offers applications the ability to issue authenticated requests on behalf of the application itself (as opposed to on behalf of a specific user)

I want to do the same with doorkeeper in Rails, but I'm not sure how to do that. It seems to be only possible to authenticate users via a callback url, but how can I access my API using the applications context (only by using the app ID and app secret)

My first idea was to do a password credentials login with the app's ID and secret to obtain an access token that belongs to the application. Is this a bad idea? Is it safe from a security point of view? I am wondering because the app's secret is saved as plain text in the db, which is a no go for user authentication.

1
ruby-on-railsruby-on-rails-4oauthoauth-2.0doorkeeper
did you figure out how to accomplish this? Trying to figure it out currently and not sure where to start. Feedback greatly appreciated :) - Uzzar
yes, you have to use the client_credentials grant type as @gillien suggested in his answer. - Dominik Goltermann

1 Answers

5
votes

It is something you can definitely do : you can see on the example here where it generate a token with client_credentials, but no username / password :

curl -i http://localhost:5100/oauth/token \
-F grant_type="client_credentials" \
-F client_id="your_application_id" \
-F client_secret="your_secret"

Up to you after to check if you have a resource_owner associated to your doorkeeper_token.