From 9ef0a368c083e72a823548f0832fca90073ffe93 Mon Sep 17 00:00:00 2001
From: Thorsten Eckel
Date: Mon, 15 Jun 2020 17:34:21 +0200
Subject: [PATCH] Follow up - b9b3a73474cb3e44e3a18c898dfa113a495069d7 - Fixes #3085 - Required Doorkeeper scope is missing and fails authentication.

---
 config/initializers/doorkeeper.rb | 4 +-
 config/locales/doorkeeper.en.yml | 38 ++++++++++++++-----
 ...0615150955_issue_3085_doorkeeper_scopes.rb | 5 +++
 3 files changed, 36 insertions(+), 11 deletions(-)
 create mode 100644 db/migrate/20200615150955_issue_3085_doorkeeper_scopes.rb

diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index be3dd4cd2..3894048a5 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -7,7 +7,7 @@ Doorkeeper.configure do
 # fail "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
 # Put your resource owner authentication logic here.
 # Example implementation:
- User.find_by(id: session[:user_id]) || redirect_to(new_user_session_url)
+ User.find_by(id: session[:user_id]) || redirect_to(root_path)
 end
 
 # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
@@ -54,7 +54,7 @@ Doorkeeper.configure do
 # Define access token scopes for your provider
 # For more information go to
 # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
- # default_scopes :public
+ default_scopes :full
 # optional_scopes :write, :update
 
 # Change the way client credentials are retrieved from the request object.
diff --git a/config/locales/doorkeeper.en.yml b/config/locales/doorkeeper.en.yml
index e67b778be..2a869b3c6 100644
--- a/config/locales/doorkeeper.en.yml
+++ b/config/locales/doorkeeper.en.yml
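Review bot: `redirect_to(root_path)` in the resource_owner_authenticator block sends an unauthenticated resource owner to the root page without recording the authorize request they arrived with, so after signing in the OAuth flow has to be restarted by the client rather than resuming where it was interrupted. If the application keeps a post-login return location, storing `request.fullpath` there before the redirect would let the authorization resume; if restarting is the intended behaviour, a comment such as `# Unauthenticated owners are bounced to the app root; the client must restart the authorize request after login.` would document it. The enclosing `Doorkeeper.configure` block starts and ends outside the hunk.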
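Review bot: `default_scopes :full` means every authorization or token request that omits the `scope` parameter is silently granted `full`, and with `optional_scopes` still commented out it is the only scope the provider defines, so no client can be issued anything narrower. That is likely the intent of this fix, but it deserves a comment on the line, e.g. `# Single all-or-nothing scope: clients that omit 'scope' receive it implicitly.`, and if narrower scopes are ever added, `enforce_configured_scopes` should be enabled alongside them so requests naming an unknown scope are rejected rather than falling through to the default. The enclosing `Doorkeeper.configure` block starts and ends outside the hunk.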
@@ -11,8 +11,12 @@ en: redirect_uri: fragment_present: 'cannot contain a fragment.' invalid_uri: 'must be a valid URI.' + unspecified_scheme: 'must specify a scheme.' relative_uri: 'must be an absolute URI.' secured_uri: 'must be an HTTPS/SSL URI.' + forbidden_uri: 'is forbidden by the server.' + scopes: + not_match_configured: "doesn't match configured on the server." doorkeeper: applications: @@ -27,8 +31,9 @@ en: form: error: 'Whoops! Check your form for possible errors' help: + confidential: 'Application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.' redirect_uri: 'Use one line per URI' - native_redirect_uri: 'Use %{native_redirect_uri} for local tests' + blank_redirect_uri: "Leave it blank if you configured your provider to use Client Credentials, Resource Owner Password Credentials or any other grant type that doesn't require redirect URI." scopes: 'Separate scopes with spaces. Leave blank to use the default scopes.' edit: title: 'Edit application' @@ -37,13 +42,19 @@ en: new: 'New Application' name: 'Name' callback_url: 'Callback URL' + confidential: 'Confidential?' + actions: 'Actions' + confidentiality: + 'yes': 'Yes' + 'no': 'No' new: title: 'New Application' show: title: 'Application: %{name}' - application_id: 'Application Id' + application_id: 'Application UID' secret: 'Secret' scopes: 'Scopes' + confidential: 'Confidential' callback_urls: 'Callback urls' actions: 'Actions' 
@@ -71,20 +82,29 @@ en:
 created_at: 'Created At'
 date_format: '%Y-%m-%d %H:%M:%S'
 
+ pre_authorization:
+ status: 'Pre-authorization'
+
 errors:
 messages:
 # Common error messages
- invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
- invalid_redirect_uri: 'The redirect uri included is not valid.'
+ invalid_request:
+ unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+ missing_param: 'Missing required parameter: %{value}.'
+ not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
+ request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
+ invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
 unauthorized_client: 'The client is not authorized to perform this request using this method.'
 access_denied: 'The resource owner or authorization server denied the request.'
 invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
+ invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
 server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
 temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
 
- #configuration error messages
+ # Configuration error messages
 credential_flow_not_configured: 'Resource Owner Password Credentials flow failed due to Doorkeeper.configure.resource_owner_from_credentials being unconfigured.'
- resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfiged.'
+ resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfigured.'
+ admin_authenticator_not_configured: 'Access to admin panel is forbidden due to Doorkeeper.configure.admin_authenticator being unconfigured.'
 
 # Access grant errors
 unsupported_response_type: 'The authorization server does not support this response type.'
@@ -94,13 +114,12 @@ en:
 invalid_grant: 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.'
 unsupported_grant_type: 'The authorization grant type is not supported by the authorization server.'
 
- # Password Access token errors
- invalid_resource_owner: 'The provided resource owner credentials are not valid, or resource owner cannot be found'
-
 invalid_token:
 revoked: "The access token was revoked"
 expired: "The access token expired"
 unknown: "The access token is invalid"
+ revoke:
+ unauthorized: "You are not authorized to revoke this token"
 
 flash:
 applications:
@@ -116,6 +135,7 @@ en:
 
 layouts:
 admin:
+ title: 'Doorkeeper'
 nav:
 oauth2_provider: 'OAuth2 Provider'
 applications: 'Applications'
diff --git a/db/migrate/20200615150955_issue_3085_doorkeeper_scopes.rb b/db/migrate/20200615150955_issue_3085_doorkeeper_scopes.rb
new file mode 100644
index 000000000..31e1324c6
--- /dev/null
+++ b/db/migrate/20200615150955_issue_3085_doorkeeper_scopes.rb
@@ -0,0 +1,5 @@
+class Issue3085DoorkeeperScopes < ActiveRecord::Migration[5.2]
+ def change
+ Doorkeeper::AccessGrant.where(scopes: ['', nil]).update_all(scopes: 'full') # rubocop:disable Rails/SkipsModelValidations
+ end
+end
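Review bot: The backfill only touches `Doorkeeper::AccessGrant`; tokens already issued from those grants live in `Doorkeeper::AccessToken`, which has its own `scopes` column, so if any of them were also stored with an empty scope they will keep failing the check this commit fixes — worth confirming against existing data before shipping. Writing the update inside `def change` also means the model call is executed again on rollback rather than reverted, because it is not a recordable migration command; `def up` states the one-way intent honestly, and `update_all` bypassing validations (hence the rubocop disable) is acceptable here since only a single string column is set. A one-line comment above the query, e.g. `# Grants created before default_scopes :full were stored with an empty scope; align them with the new default.`, would tie the migration to the initializer change.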