Doorkeeper :: AuthorizationsController # create Unable to authenticate CSRF token

It looks like in the second request you are using the token for response_type

. It should be, I think authorization_code

.

However, from the first answer, it looks like it gives you a bearer token. If so, then to view the protected page (before_action: doorkeeper_authorize is set) the command would be

curl http://localhost:3000/protected_page -H "Authorization: Bearer 6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440"

      

        
        
        
      

    

OAuth2 library

Do you need to use a curl? I have the same error with the CSRF authentication token as it thinks it is a form request, but I got it working with the OAuth2 gem.

Register the app (presumably it's secure) in /oauth/applications

, navigate to it, click Authorize

, click Approve

and you will see that you have POSTed with a URL like http://localhost:3000/oauth/authorize?client_id=abc123&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code

with params "utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "state"=>"", "scope"=>"public"

abc123

- this is your one-time authentication code.

But you still haven't authorized your app. So let's get access_token and refresh_token.

client_id = "9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4"
client_secret = "decba5aca425095978d33653ef03d654f0b74427bcec0596bdde518016708c35"
site = "http://localhost:3000"
redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
code = "abc123" # see above
ENV['OAUTH_DEBUG'] = 'true'
client = OAuth2::Client.new(client_id, client_secret, :site => site)
token = client.auth_code.get_token(code, redirect_uri: redirect_uri)
access_token = token.token
refresh_token = token.refresh_token
# And if you want:
# if token.expired?
#   new_token = token.refresh!
#   new_token.token
#   new_token.refresh_token
# end

      

        
        
        
      

    

If you go to http://localhost:3000/oauth/authorized_applications

, you will see that your application is already on the list.

You can now view protected pages with curl -X GET http://localhost:3000/protected_page -H "Authorization: Bearer #{access_token}"

Also see https://github.com/doorkeeper-gem/doorkeeper/wiki/API-endpoint-descriptions-and-examples

Possibly useful information: What Doorkeeper is looking for to verify a valid code

redirect_uri.present?
grant = Doorkeeper::AccessGrant.by_token(authorization_code)
grant.redirect_uri == redirect_uri
application = Doorkeeper::Application.by_uid_and_secret(client_id, client_secret)
dk_client = Doorkeeper::OAuth::Client.new(application)
!!dk_client
grant.application_id == dk_client.id
grant.accessible? #  !grant.expired? && !grant.revoked?

      

        
        
        
      

    

Cm

• https://github.com/doorkeeper-gem/doorkeeper/blob/a70e1a86cf5290dd642e00aedbdbb94bfd553f6b/lib/doorkeeper/oauth/authorization_code_request.rb
• https://github.com/doorkeeper-gem/doorkeeper/blob/8b59c77ca2324b747ab0570b47f6d14df62fbcc8/spec/support/helpers/url_helper.rb#L50
• https://github.com/doorkeeper-gem/doorkeeper/blob/8b59c77ca2324b747ab0570b47f6d14df62fbcc8/lib/doorkeeper/models/access_grant_mixin.rb
• https://github.com/intridea/oauth2/blob/0ab3c213f7baa43f232eb18fa46301e1a9460f7d/lib/oauth2/client.rb