
doorkeeper-grants_assertion's People

Contributors

1997roylee, baxang, christopherhein, dsantosmerino, levent, matfiz, mattmueller, nbulaj, nuckchorris, onshi, pedrocarmona, reidab, ryan-plated, tsov, tute


doorkeeper-grants_assertion's Issues

invalid_grant - The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client

Hi guys,
I tried to integrate the Google SSO Login in my rails app.
However, I tried to test it using Postman, but it returns the error invalid_grant, which I think returns 400 Bad Request.

image

Below are the details of my parameters:
client_id/client_secret is the value from the doorkeeper oauth_applications.
grant_type must be assertion
assertion is the access token returned from Google OAuth, see screenshot below:
image

Any idea on how to resolve this issue? Thanks

Maintainer

Hey @tute,

What do you need from someone in terms of maintaining this? I see there is one open PR I'd be interested in trying to help out with if I can…

What are the params?

I'm POSTing the following JSON to: /oauth/token

{ "grant_type": "assertion", "assertion": "social_provider_token" }

But I'm getting the following error message:

ArgumentError (wrong number of arguments (given 1, expected 3)):
doorkeeper-grants_assertion (0.0.1) lib/doorkeeper/request/assertion.rb:10:in `initialize'

initializers/doorkeeper.rb

resource_owner_from_credentials do |routes|
    User.authenticate(params[:email], params[:password], request.remote_ip)
end
resource_owner_from_assertion do
    User.find(2)
end
grant_flows %w[assertion authorization_code password client_credentials]

Could you please help me?

Roadmap for 1.0

As @tute has stated, this gem will be released to RubyGems once it reaches its 1.0 version. I think it is a good idea to state clearly the roadmap, i.e. what is missing and on what we should focus the development.

  1. Improve documentation for implementing authentication against most common 3rd party OAuth2 providers (https://tools.ietf.org/html/rfc6749#section-4.5)
     • add example for utilizing Facebook login
     • add example for utilizing Google login (CrossClient Auth)
  2. Improve error reporting
  3. Improve test coverage

Do you have anything else to add?

How do you return validation errors ?

First of all, thank you for creating this gem!

I created the auth providers for Google/FB as shown in the Wiki, however, there is a use case where a user has already signed up with a normal account in the past and then tries to log in with Facebook/Google where the email already exists. This would throw an ActiveRecord::RecordInvalid exception upon account creation, how am I supposed to get that into the response to let the user know that an account with that email already exists ?

Here is the code:

doorkeeper.rb

resource_owner_from_assertion do
  provider = params[:provider]
  case provider
  when "google"
    g = ExternalAuth::Google.new(params[:assertion])
    g.get_user!
  when "facebook"
    f = ExternalAuth::Facebook.new(params[:assertion])
    begin
      f.get_user!
    rescue ActiveRecord::RecordInvalid => e
      # what happens here?
    end
  end
end

facebook_auth.rb

def get_user!
  if user_data.present?
    user = User.where(fb_id: user_data["id"]).first
    if user.blank?
      user = User.new(
        remote_profile_image_url: image["data"]["url"], 
        fb_id: user_data["id"], 
        firstname: user_data["first_name"], 
        lastname: user_data["last_name"], 
        email: user_data["email"]
      )
      user.password = SecureRandom.hex
      user.save!
    end
    user
  else
    nil
  end
end

Colliding with other flows?

So I'm not sure if we should actually be overriding Doorkeeper::ApplicationController here; it seems like whenever this gem is included it overrides all other strategies by way of fully redefining the ApplicationController.

Can you confirm my assumption? Easy to reproduce: start a new app, set up doorkeeper and this gem, and try to use the authorization code flow…

I'm assuming we might want to do something like class_eval or include a helper method?

module Doorkeeper
  class ApplicationController < ActionController::Base
    def resource_owner_from_assertion
      instance_eval(&Doorkeeper.configuration.resource_owner_from_assertion)
    end
  end
end

Google Oauth assertion failing?

Hello,

I'm having trouble setting up grants_assertion with Google. I've set up doorkeeper and currently have a react-native app that is getting an idToken, accessToken and code. It does so by using a specific iOS Client ID.

I'm then sending the idToken as the assertion to be checked by doorkeeper, like so:

Doorkeeper.configure do
  resource_owner_from_assertion do
    if server.client && params[:provider] && params[:assertion]
      auth = Doorkeeper::GrantsAssertion::Devise::OmniAuth.auth_hash(
        provider: params.fetch(:provider),
        assertion: params.fetch(:assertion)
      )
      User.where(email: auth.info.email).first if auth
    end
  end
  # add your supported grant types and other extensions
  grant_flows %w(assertion authorization_code implicit password client_credentials)
end

I've set up as my env variables in rails a specific Client ID and client secret for my rails server. However, every time I try validating the passed assertion, I get the following error:

{
  "error_description": "Invalid Value"
}

I've tried passing the idToken, accessToken and also directly calling Doorkeeper::GrantsAssertion::OmniAuth.oauth2_wrapper with different combinations of client_id and client_secret, but unfortunately nothing has worked so far.
I'm using rails 7 and ruby 3. Is this library still working with Google Oauth? Any help would be appreciated, thanks.
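
As an added example (not part of the issue above and not the gem's own code): one way to check a Google ID token locally before the email lookup in resource_owner_from_assertion, so that only tokens signed for one of your own client IDs (such as the iOS Client ID mentioned above) and carrying a verified email are accepted. Fetching Google's published signing keys is left out and the public key is passed in; the names verify_id_token and AssertionRejected, the sample client IDs and the throwaway key are assumptions.

```ruby
require "openssl"
require "json"

class AssertionRejected < StandardError; end
GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"].freeze

def b64url_decode(str)
  (str.tr("-_", "+/") + "=" * ((4 - str.length % 4) % 4)).unpack1("m")
end

def b64url_encode(bin)
  [bin].pack("m0").tr("+/", "-_").delete("=")
end

# Returns the claims hash, or raises AssertionRejected naming the failed check.
# allowed_audiences (assumption): every OAuth client ID you own (iOS, web, server).
def verify_id_token(jwt, public_key:, allowed_audiences:, now: Time.now.to_i)
  parts = jwt.to_s.split(".")
  raise AssertionRejected, "not a three-part JWT" unless parts.size == 3
  head, body, sig = parts
  header = JSON.parse(b64url_decode(head))
  raise AssertionRejected, "alg must be RS256" unless header.is_a?(Hash) && header["alg"] == "RS256"
  # Verify the signature over the exact bytes received, before trusting any claim.
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig), "#{head}.#{body}")
    raise AssertionRejected, "bad signature"
  end
  claims = JSON.parse(b64url_decode(body))
  raise AssertionRejected, "malformed claims" unless claims.is_a?(Hash)
  raise AssertionRejected, "wrong issuer" unless GOOGLE_ISSUERS.include?(claims["iss"])
  raise AssertionRejected, "wrong audience" unless allowed_audiences.include?(claims["aud"])
  raise AssertionRejected, "expired" unless claims["exp"].to_i > now
  # Only a verified email is safe to use as the key for User.where(email: ...).
  raise AssertionRejected, "email not verified" unless claims["email_verified"] == true
  claims
rescue JSON::ParserError, OpenSSL::PKey::PKeyError
  raise AssertionRejected, "malformed JWT"
end

# Constructed sample data: a throwaway key stands in for Google's signing key.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)

def sample_token(claims)
  head = b64url_encode(JSON.generate("alg" => "RS256", "typ" => "JWT"))
  body = b64url_encode(JSON.generate(claims))
  sig = SAMPLE_KEY.sign(OpenSSL::Digest.new("SHA256"), "#{head}.#{body}")
  "#{head}.#{body}.#{b64url_encode(sig)}"
end
```

An opaque access token is not a JWT and is rejected at the first check, which is why the ID token and the access token cannot be validated the same way.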

Invalid Request when submitting

Hi there, really excited to use your gem, however I'm running into a problem (which may well be user error).

When I submit the following request, I get an "invalid request error" from doorkeeper (I've truncated the client_id, which is a valid application_id set up through Doorkeeper at oauth/applications, and the assertion param, which contains a valid oauth token from facebook):

curl -X POST --data "client_id=609336...dc431&assertion=CA...ROpHGFK&assertion_type=facebook" http://localhost:3000/oauth/token

This is how I have set up my doorkeeper initializer:

Doorkeeper.configure do
  resource_owner_from_assertion do
    if params[:assertion_type] == "facebook"
      facebook = URI.parse('https://graph.facebook.com/me?access_token=' +
                           params[:assertion])
      response = Net::HTTP.get_response(facebook)
      user_data = JSON.parse(response.body)
      User.find_by(provider: "facebook", uid: user_data['id'])
    end
  end

  grant_flows %w(assertion password client_credentials authorization_code implicit)
end

This returns the error:

{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."}

Am I submitting the parameters incorrectly or missing something? Thanks for your help.

Is there any way to set the grant_type for the assertion?

According to the specification it looks like you have to set the grant_type to a URI, and I don't see any way of setting that. From what it looks like, the grant_type right now is just assertion?

grant_type
      REQUIRED.  The format of the assertion as defined by the
      authorization server.  The value MUST be an absolute URI.
