Doorkeeper :: AuthorizationsController # create Unable to authenticate CSRF token

I followed the page by testing the API

curl -F grant_type=password \
-F \
-F password=mypass \
-X POST http://localhost:3000/oauth/token


And I got the answer:

{"access_token": "6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440", "token_type": "by media", "expires_in": 600, "refresh_token": "c1445d0ada1f7a827235

But when I call / oauth / authorize with:

curl -F response_type=6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440 \ -F client_id=9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4 \ -F client_secret=decba5aca425095978d33653ef03d654f0b74427bcec0596bdde518016708c35 \ -F redirect_uri=urn:ietf:wg:oauth:2.0:oob \ -F \ -X POST http://localhost:3000/oauth/authorize

But I got:

Start POST "/ oauth / authorize" for at 2015-04-25 00:30:05 -0300 Processing with Doorkeeper :: AuthorizationsController # create as / Parameters: {"response_type" => "6d4398b75d94835631a453af770161a6f58618b101b58ccf62bce5408id" "=>" 9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4 "," client_secret "=>" [FILTERED] "," redirect_uri "=>" Urn: IETF: 2.0 foo OOBName "bargain:" " com "} Unable to authenticate CSRF token Completed 422 Non-process organization in 1 ms ActionController :: InvalidAuthenticityToken (ActionController :: InvalidAuthenticityToken): ...

What am I doing wrong?


source to share

2 answers

If you are only working with the API, I assume you can simply disable it in the environment file (test / developpement / production.rb) by adding this line:

config.action_controller.allow_forgery_protection = false'




It looks like in the second request you are using the token for response_type

. It should be, I think authorization_code


However, from the first answer, it looks like it gives you a bearer token. If so, then to view the protected page (before_action: doorkeeper_authorize is set) the command would be

curl http://localhost:3000/protected_page -H "Authorization: Bearer 6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440"


OAuth2 library

Do you need to use a curl? I have the same error with the CSRF authentication token as it thinks it is a form request, but I got it working with the OAuth2 gem.

Register the app (presumably it's secure) in /oauth/applications

, navigate to it, click Authorize

, click Approve

and you will see that you have POSTed with a URL like http://localhost:3000/oauth/authorize?client_id=abc123&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code

with params "utf8"=>"βœ“", "authenticity_token"=>"[FILTERED]", "state"=>"", "scope"=>"public"


- this is your one-time authentication code.

But you still haven't authorized your app. So let's get access_token and refresh_token.

client_id = "9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4"
client_secret = "decba5aca425095978d33653ef03d654f0b74427bcec0596bdde518016708c35"
site = "http://localhost:3000"
redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
code = "abc123" # see above
ENV['OAUTH_DEBUG'] = 'true'
client =, client_secret, :site => site)
token = client.auth_code.get_token(code, redirect_uri: redirect_uri)
access_token = token.token
refresh_token = token.refresh_token
# And if you want:
# if token.expired?
#   new_token = token.refresh!
#   new_token.token
#   new_token.refresh_token
# end


If you go to http://localhost:3000/oauth/authorized_applications

, you will see that your application is already on the list.

You can now view protected pages with curl -X GET http://localhost:3000/protected_page -H "Authorization: Bearer #{access_token}"

Also see

Possibly useful information: What Doorkeeper is looking for to verify a valid code

grant = Doorkeeper::AccessGrant.by_token(authorization_code)
grant.redirect_uri == redirect_uri
application = Doorkeeper::Application.by_uid_and_secret(client_id, client_secret)
dk_client =
grant.application_id ==
grant.accessible? #  !grant.expired? && !grant.revoked?





All Articles