Follow up - b9b3a73474 - Fixes #3085 - Required Doorkeeper scope is missing and fails authentication.

This commit is contained in:
Thorsten Eckel 2020-06-15 17:34:21 +02:00
parent 767239733c
commit 9ef0a368c0
3 changed files with 36 additions and 11 deletions

View file

@ -7,7 +7,7 @@ Doorkeeper.configure do
# fail "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}" # fail "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
# Put your resource owner authentication logic here. # Put your resource owner authentication logic here.
# Example implementation: # Example implementation:
User.find_by(id: session[:user_id]) || redirect_to(new_user_session_url) User.find_by(id: session[:user_id]) || redirect_to(root_path)
end end
# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below. # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
@ -54,7 +54,7 @@ Doorkeeper.configure do
# Define access token scopes for your provider # Define access token scopes for your provider
# For more information go to # For more information go to
# https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
# default_scopes :public default_scopes :full
# optional_scopes :write, :update # optional_scopes :write, :update
# Change the way client credentials are retrieved from the request object. # Change the way client credentials are retrieved from the request object.

View file

@ -11,8 +11,12 @@ en:
redirect_uri: redirect_uri:
fragment_present: 'cannot contain a fragment.' fragment_present: 'cannot contain a fragment.'
invalid_uri: 'must be a valid URI.' invalid_uri: 'must be a valid URI.'
unspecified_scheme: 'must specify a scheme.'
relative_uri: 'must be an absolute URI.' relative_uri: 'must be an absolute URI.'
secured_uri: 'must be an HTTPS/SSL URI.' secured_uri: 'must be an HTTPS/SSL URI.'
forbidden_uri: 'is forbidden by the server.'
scopes:
not_match_configured: "doesn't match configured on the server."
doorkeeper: doorkeeper:
applications: applications:
@ -27,8 +31,9 @@ en:
form: form:
error: 'Whoops! Check your form for possible errors' error: 'Whoops! Check your form for possible errors'
help: help:
confidential: 'Application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential.'
redirect_uri: 'Use one line per URI' redirect_uri: 'Use one line per URI'
native_redirect_uri: 'Use %{native_redirect_uri} for local tests' blank_redirect_uri: "Leave it blank if you configured your provider to use Client Credentials, Resource Owner Password Credentials or any other grant type that doesn't require redirect URI."
scopes: 'Separate scopes with spaces. Leave blank to use the default scopes.' scopes: 'Separate scopes with spaces. Leave blank to use the default scopes.'
edit: edit:
title: 'Edit application' title: 'Edit application'
@ -37,13 +42,19 @@ en:
new: 'New Application' new: 'New Application'
name: 'Name' name: 'Name'
callback_url: 'Callback URL' callback_url: 'Callback URL'
confidential: 'Confidential?'
actions: 'Actions'
confidentiality:
'yes': 'Yes'
'no': 'No'
new: new:
title: 'New Application' title: 'New Application'
show: show:
title: 'Application: %{name}' title: 'Application: %{name}'
application_id: 'Application Id' application_id: 'Application UID'
secret: 'Secret' secret: 'Secret'
scopes: 'Scopes' scopes: 'Scopes'
confidential: 'Confidential'
callback_urls: 'Callback urls' callback_urls: 'Callback urls'
actions: 'Actions' actions: 'Actions'
@ -71,20 +82,29 @@ en:
created_at: 'Created At' created_at: 'Created At'
date_format: '%Y-%m-%d %H:%M:%S' date_format: '%Y-%m-%d %H:%M:%S'
pre_authorization:
status: 'Pre-authorization'
errors: errors:
messages: messages:
# Common error messages # Common error messages
invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.' invalid_request:
invalid_redirect_uri: 'The redirect uri included is not valid.' unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
missing_param: 'Missing required parameter: %{value}.'
not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
unauthorized_client: 'The client is not authorized to perform this request using this method.' unauthorized_client: 'The client is not authorized to perform this request using this method.'
access_denied: 'The resource owner or authorization server denied the request.' access_denied: 'The resource owner or authorization server denied the request.'
invalid_scope: 'The requested scope is invalid, unknown, or malformed.' invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.' server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.' temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
#configuration error messages # Configuration error messages
credential_flow_not_configured: 'Resource Owner Password Credentials flow failed due to Doorkeeper.configure.resource_owner_from_credentials being unconfigured.' credential_flow_not_configured: 'Resource Owner Password Credentials flow failed due to Doorkeeper.configure.resource_owner_from_credentials being unconfigured.'
resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfiged.' resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfigured.'
admin_authenticator_not_configured: 'Access to admin panel is forbidden due to Doorkeeper.configure.admin_authenticator being unconfigured.'
# Access grant errors # Access grant errors
unsupported_response_type: 'The authorization server does not support this response type.' unsupported_response_type: 'The authorization server does not support this response type.'
@ -94,13 +114,12 @@ en:
invalid_grant: 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.' invalid_grant: 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.'
unsupported_grant_type: 'The authorization grant type is not supported by the authorization server.' unsupported_grant_type: 'The authorization grant type is not supported by the authorization server.'
# Password Access token errors
invalid_resource_owner: 'The provided resource owner credentials are not valid, or resource owner cannot be found'
invalid_token: invalid_token:
revoked: "The access token was revoked" revoked: "The access token was revoked"
expired: "The access token expired" expired: "The access token expired"
unknown: "The access token is invalid" unknown: "The access token is invalid"
revoke:
unauthorized: "You are not authorized to revoke this token"
flash: flash:
applications: applications:
@ -116,6 +135,7 @@ en:
layouts: layouts:
admin: admin:
title: 'Doorkeeper'
nav: nav:
oauth2_provider: 'OAuth2 Provider' oauth2_provider: 'OAuth2 Provider'
applications: 'Applications' applications: 'Applications'

View file

@ -0,0 +1,5 @@
class Issue3085DoorkeeperScopes < ActiveRecord::Migration[5.2]
def change
Doorkeeper::AccessGrant.where(scopes: ['', nil]).update_all(scopes: 'full') # rubocop:disable Rails/SkipsModelValidations
end
end