Doorkeeper::AuthorizationsController#create Can't verify CSRF token authenticity
I followed the page https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Resource-Owner-Password-Credentials-flow and tested the API with
curl -F grant_type=password \
-F username=foo@bar.com \
-F password=mypass \
-X POST http://localhost:3000/oauth/token
And I got the answer:
{"access_token": "6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440", "token_type": "bearer", "expires_in": 600, "refresh_token": "c1445d0ada1f7a827235
But when I call /oauth/authorize with:
curl -F response_type=6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440 \
-F client_id=9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4 \
-F client_secret=decba5aca425095978d33653ef03d654f0b74427bcec0596bdde518016708c35 \
-F redirect_uri=urn:ietf:wg:oauth:2.0:oob \
-F username=foo@bar.com \
-X POST http://localhost:3000/oauth/authorize
But I got:
Started POST "/oauth/authorize" for 127.0.0.1 at 2015-04-25 00:30:05 -0300
Processing by Doorkeeper::AuthorizationsController#create as */*
  Parameters: {"response_type"=>"6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440", "client_id"=>"9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4", "client_secret"=>"[FILTERED]", "redirect_uri"=>"urn:ietf:wg:oauth:2.0:oob", "username"=>"foo@bar.com"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 1ms
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken): ...
What am I doing wrong?
It looks like in the second request you are using the token for response_type. It should be, I think, authorization_code.
However, from the first response, it looks like it gives you a bearer token. If so, then to view a protected page (one with before_action :doorkeeper_authorize! set) the command would be
curl http://localhost:3000/protected_page -H "Authorization: Bearer 6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440"
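The other side of that curl call, as an added example that is not code from the question, the answer above or Doorkeeper itself: what a before_action :doorkeeper_authorize! check has to do with the Authorization: Bearer header before it lets the request reach protected_page. It is plain Ruby over a constructed in-memory token store; TOKEN_STORE, extract_bearer, token_accessible? and authorize_request are hypothetical names, and the challenge strings follow RFC 6750 rather than quoting Doorkeeper's own output.

```ruby
require 'time'

# Constructed in-memory token store standing in for Doorkeeper's access_tokens
# table. Token strings and timestamps are made up for this example.
TOKEN_STORE = {
  'tok_live'    => { created_at: Time.parse('2015-04-25T00:30:05-03:00'), expires_in: 600, revoked_at: nil },
  'tok_revoked' => { created_at: Time.parse('2015-04-25T00:30:05-03:00'), expires_in: 600,
                     revoked_at: Time.parse('2015-04-25T00:32:00-03:00') },
}.freeze

# RFC 6750 section 2.1: the header is "Authorization: Bearer <b64token>". The scheme
# name is case-insensitive; the token is letters, digits, "-._~+/" and trailing "=".
# Returns the token string, or nil if the header is absent or not a Bearer header.
def extract_bearer(header)
  return nil if header.nil?
  m = %r{\A\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*\z}i.match(header)
  m && m[1]
end

# Mirrors the expires_in / revoked_at semantics of the token JSON in the question:
# a token is usable until created_at + expires_in, and only while not revoked.
def token_accessible?(record, now)
  return false if record[:revoked_at] && record[:revoked_at] <= now
  record[:created_at] + record[:expires_in] > now
end

# Models what a `before_action :doorkeeper_authorize!` does for a protected page.
# Returns [status, headers]: 200 for a live token, otherwise 401 with the
# WWW-Authenticate challenge RFC 6750 section 3 prescribes. A request with no
# credentials at all gets a bare challenge without an error code (section 3.1).
def authorize_request(authorization_header, now: Time.now)
  challenge = lambda do |error = nil, description = nil|
    value = 'Bearer realm="Doorkeeper"'
    value += %(, error="#{error}", error_description="#{description}") if error
    [401, { 'WWW-Authenticate' => value }]
  end

  return challenge.call if authorization_header.nil?
  token = extract_bearer(authorization_header)
  return challenge.call('invalid_request', 'Malformed Authorization header') if token.nil?
  record = TOKEN_STORE[token]
  return challenge.call('invalid_token', 'Unknown access token') if record.nil?
  return challenge.call('invalid_token', 'Access token expired or revoked') unless token_accessible?(record, now)
  [200, {}]
end
```

Note that a token which is 600 seconds old is already rejected here (the expiry boundary is exclusive), which is why the refresh_token from the question's first response matters for anything longer than a ten-minute session. Doorkeeper can also read the token from an access_token request parameter, but the header form is the one to prefer, since query strings end up in server logs.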
OAuth2 library
Do you need to use curl? I get the same CSRF token error, since it thinks it is a form request, but I got it working with the OAuth2 gem.
Register the app (presumably it's secure) in /oauth/applications, navigate to it, click Authorize, then click Approve, and you will see that you have POSTed to a URL like http://localhost:3000/oauth/authorize?client_id=abc123&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code with params "utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "state"=>"", "scope"=>"public".
abc123 is your one-time authorization code.
But you still haven't authorized your app. So let's get access_token and refresh_token.
require 'oauth2'

client_id     = "9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4"
client_secret = "decba5aca425095978d33653ef03d654f0b74427bcec0596bdde518016708c35"
site          = "http://localhost:3000"
redirect_uri  = "urn:ietf:wg:oauth:2.0:oob"
code          = "abc123" # see above

ENV['OAUTH_DEBUG'] = 'true' # makes the oauth2 gem log the HTTP exchange

# The gem POSTs the code to #{site}/oauth/token itself, so no CSRF token is involved
client = OAuth2::Client.new(client_id, client_secret, :site => site)
token  = client.auth_code.get_token(code, redirect_uri: redirect_uri)
access_token  = token.token
refresh_token = token.refresh_token

# And if you want:
# if token.expired?
#   new_token = token.refresh!
#   new_token.token
#   new_token.refresh_token
# end
If you go to http://localhost:3000/oauth/authorized_applications, you will see that your application is already on the list.
You can now view protected pages with
curl -X GET http://localhost:3000/protected_page -H "Authorization: Bearer #{access_token}"
Also see https://github.com/doorkeeper-gem/doorkeeper/wiki/API-endpoint-descriptions-and-examples
Possibly useful information: what Doorkeeper checks to verify that a code is valid:
redirect_uri.present?
grant = Doorkeeper::AccessGrant.by_token(authorization_code)
grant.redirect_uri == redirect_uri
application = Doorkeeper::Application.by_uid_and_secret(client_id, client_secret)
dk_client = Doorkeeper::OAuth::Client.new(application)
!!dk_client
grant.application_id == dk_client.id
grant.accessible? # !grant.expired? && !grant.revoked?
See
- https://github.com/doorkeeper-gem/doorkeeper/blob/a70e1a86cf5290dd642e00aedbdbb94bfd553f6b/lib/doorkeeper/oauth/authorization_code_request.rb
- https://github.com/doorkeeper-gem/doorkeeper/blob/8b59c77ca2324b747ab0570b47f6d14df62fbcc8/spec/support/helpers/url_helper.rb#L50
- https://github.com/doorkeeper-gem/doorkeeper/blob/8b59c77ca2324b747ab0570b47f6d14df62fbcc8/lib/doorkeeper/models/access_grant_mixin.rb
- https://github.com/intridea/oauth2/blob/0ab3c213f7baa43f232eb18fa46301e1a9460f7d/lib/oauth2/client.rb
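As an added example, not code from the answer above or from Doorkeeper, here are the checks listed above turned into a small plain-Ruby model of a token endpoint redeeming an authorization code. It uses constructed application and grant records (APPLICATIONS, GRANTS), hypothetical helper names (redeem_code_error, redeem_code, secure_equal?) and an error-code mapping taken from RFC 6749 section 5.2, which is this example's choice rather than Doorkeeper's source. It also shows the one-time property mentioned above: once a code has been redeemed the grant is revoked, and a second redemption of the same code is refused.

```ruby
require 'time'
require 'securerandom'

# Constructed records standing in for Doorkeeper::Application and
# Doorkeeper::AccessGrant rows. All identifiers and timestamps are made up.
APPLICATIONS = [
  { id: 1, uid: 'client_a_uid', secret: 'client_a_secret' },
  { id: 2, uid: 'client_b_uid', secret: 'client_b_secret' },
].freeze

T0 = Time.parse('2015-04-25T00:30:00-03:00')
GRANTS = [
  { token: 'code_ok',        application_id: 1, redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
    created_at: T0, expires_in: 600, revoked_at: nil },
  { token: 'code_revoked',   application_id: 1, redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
    created_at: T0, expires_in: 600, revoked_at: T0 + 60 },
  { token: 'code_other_app', application_id: 2, redirect_uri: 'https://b.example/cb',
    created_at: T0, expires_in: 600, revoked_at: nil },
]

# Doorkeeper::AccessGrant.by_token in the answer above.
def grant_by_token(code)
  GRANTS.find { |g| g[:token] == code }
end

# Constant-time comparison so a wrong client_secret is not rejected faster on an
# early mismatching byte (Rack::Utils.secure_compare does the same job in Rails apps).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Doorkeeper::Application.by_uid_and_secret in the answer above.
def application_by_uid_and_secret(uid, secret)
  app = APPLICATIONS.find { |a| a[:uid] == uid }
  app && secure_equal?(app[:secret], secret.to_s) ? app : nil
end

# grant.accessible? in the answer above: not expired and not revoked.
def grant_accessible?(grant, now)
  return false if grant[:revoked_at] && grant[:revoked_at] <= now
  grant[:created_at] + grant[:expires_in] > now
end

# Runs the checks listed above in the same order and returns the RFC 6749
# section 5.2 error code the token endpoint would answer with, or nil when the
# code can be redeemed. The error-code mapping is this example's choice.
def redeem_code_error(client_id:, client_secret:, code:, redirect_uri:, now: Time.now)
  return 'invalid_request' if redirect_uri.nil? || redirect_uri.empty?
  grant = grant_by_token(code)
  return 'invalid_grant' if grant.nil?
  # The redirect_uri must be the one the code was issued for, so a code that
  # leaked through a different redirect target cannot be redeemed.
  return 'invalid_grant' unless grant[:redirect_uri] == redirect_uri
  app = application_by_uid_and_secret(client_id, client_secret)
  return 'invalid_client' if app.nil?
  # The code is bound to the client it was issued to; another client's valid
  # credentials do not let it redeem this code.
  return 'invalid_grant' unless grant[:application_id] == app[:id]
  return 'invalid_grant' unless grant_accessible?(grant, now)
  nil
end

# Redeems the code and returns [error, access_token]. On success the grant is
# revoked, so replaying the same code fails: this is the "one-time" property.
def redeem_code(now: Time.now, **params)
  error = redeem_code_error(now: now, **params)
  return [error, nil] if error
  grant_by_token(params[:code])[:revoked_at] = now
  [nil, SecureRandom.hex(32)]
end
```

The order matters for what an attacker learns: redirect_uri and code are checked before the client credentials, so a caller who only holds a stolen code is told invalid_grant and never finds out whether the client_secret it guessed was right.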