Follow up - b9b3a73474 - Fixes #3085 - Required Doorkeeper scope is missing and fails authentication.

2020-06-15 17:34:21 +02:00 · 2020-06-15 17:34:21 +02:00 · 9ef0a368c0
parent 767239733c
commit 9ef0a368c0
3 changed files with 36 additions and 11 deletions
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@ -7,7 +7,7 @@ Doorkeeper.configure do
    # fail "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
    # Put your resource owner authentication logic here.
    # Example implementation:
-    User.find_by(id: session[:user_id]) || redirect_to(new_user_session_url)
+    User.find_by(id: session[:user_id]) || redirect_to(root_path)
  end

  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
@ -54,7 +54,7 @@ Doorkeeper.configure do
  # Define access token scopes for your provider
  # For more information go to
  # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
-  # default_scopes  :public
+  default_scopes :full
  # optional_scopes :write, :update

  # Change the way client credentials are retrieved from the request object.
--- a/config/locales/doorkeeper.en.yml
+++ b/config/locales/doorkeeper.en.yml
@ -11,8 +11,12 @@ en:
            redirect_uri:
              fragment_present: 'cannot contain a fragment.'
              invalid_uri: 'must be a valid URI.'
+              unspecified_scheme: 'must specify a scheme.'
              relative_uri: 'must be an absolute URI.'
              secured_uri: 'must be an HTTPS/SSL URI.'
+              forbidden_uri: 'is forbidden by the server.'
+            scopes:
+              not_match_configured: "doesn't match configured on the server."

  doorkeeper:
    applications:
@ -27,8 +31,9 @@ en:
      form:
        error: 'Whoops! Check your form for possible errors'
      help:
+        confidential: 'Application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.'
        redirect_uri: 'Use one line per URI'
-        native_redirect_uri: 'Use %{native_redirect_uri} for local tests'
+        blank_redirect_uri: "Leave it blank if you configured your provider to use Client Credentials, Resource Owner Password Credentials or any other grant type that doesn't require redirect URI."
        scopes: 'Separate scopes with spaces. Leave blank to use the default scopes.'
      edit:
        title: 'Edit application'
@ -37,13 +42,19 @@ en:
        new: 'New Application'
        name: 'Name'
        callback_url: 'Callback URL'
+        confidential: 'Confidential?'
+        actions: 'Actions'
+        confidentiality:
+          'yes': 'Yes'
+          'no': 'No'
      new:
        title: 'New Application'
      show:
        title: 'Application: %{name}'
-        application_id: 'Application Id'
+        application_id: 'Application UID'
        secret: 'Secret'
        scopes: 'Scopes'
+        confidential: 'Confidential'
        callback_urls: 'Callback urls'
        actions: 'Actions'

@ -71,20 +82,29 @@ en:
        created_at: 'Created At'
        date_format: '%Y-%m-%d %H:%M:%S'

+    pre_authorization:
+      status: 'Pre-authorization'
+
    errors:
      messages:
        # Common error messages
-        invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
-        invalid_redirect_uri: 'The redirect uri included is not valid.'
+        invalid_request:
+          unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+          missing_param: 'Missing required parameter: %{value}.'
+          not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
+          request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
+        invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
        unauthorized_client: 'The client is not authorized to perform this request using this method.'
        access_denied: 'The resource owner or authorization server denied the request.'
        invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
+        invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
        server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
        temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'

-        #configuration error messages
+        # Configuration error messages
        credential_flow_not_configured: 'Resource Owner Password Credentials flow failed due to Doorkeeper.configure.resource_owner_from_credentials being unconfigured.'
-        resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfiged.'
+        resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfigured.'
+        admin_authenticator_not_configured: 'Access to admin panel is forbidden due to Doorkeeper.configure.admin_authenticator being unconfigured.'

        # Access grant errors
        unsupported_response_type: 'The authorization server does not support this response type.'
@ -94,13 +114,12 @@ en:
        invalid_grant: 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.'
        unsupported_grant_type: 'The authorization grant type is not supported by the authorization server.'

-        # Password Access token errors
-        invalid_resource_owner: 'The provided resource owner credentials are not valid, or resource owner cannot be found'
-
        invalid_token:
          revoked: "The access token was revoked"
          expired: "The access token expired"
          unknown: "The access token is invalid"
+        revoke:
+          unauthorized: "You are not authorized to revoke this token"

    flash:
      applications:
@ -116,6 +135,7 @@ en:

    layouts:
      admin:
+        title: 'Doorkeeper'
        nav:
          oauth2_provider: 'OAuth2 Provider'
          applications: 'Applications'
--- a/db/migrate/20200615150955_issue_3085_doorkeeper_scopes.rb
+++ b/db/migrate/20200615150955_issue_3085_doorkeeper_scopes.rb
@ -0,0 +1,5 @@
+class Issue3085DoorkeeperScopes < ActiveRecord::Migration[5.2]
+  def change
+    Doorkeeper::AccessGrant.where(scopes: ['', nil]).update_all(scopes: 'full') # rubocop:disable Rails/SkipsModelValidations
+  end
+end