socialcast / devise_oauth2_providable Goto Github PK

View Code? Open in Web Editor NEW

220.0 56.0 102.0 463 KB

Rails3 engine integrating OAuth2 authentication with Devise

License: MIT License

Ruby 98.92% JavaScript 0.59% CSS 0.49%

devise_oauth2_providable's Introduction

THIS GEM IS NO LONGER MAINTAINED AND IS CONSIDERED DEPRECATED.

devise_oauth2_providable

Rails3 engine that brings OAuth2 Provider support to your application.

Current OAuth2 Specification Draft: http://tools.ietf.org/html/draft-ietf-oauth-v2-22

Features

integrate OAuth2 authentication with Devise authenthentication stack
one-stop-shop includes all Models, Controllers and Views to get up and running quickly
All server requests support authentication via bearer token included in the request. http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04
customizable mount point for oauth2 routes (ex: /oauth2 vs /oauth)

Requirements

Devise authentication library
Rails 3.1 or higher

Installation

Install gem

# Gemfile
gem 'devise_oauth2_providable'

Migrate database for Oauth2 models

$ rake devise_oauth2_providable:install:migrations
$ rake db:migrate

Add Oauth2 Routes

# config/routes.rb
Rails.application.routes.draw do
  # oauth routes can be mounted to any path (ex: /oauth2 or /oauth)
  mount Devise::Oauth2Providable::Engine => '/oauth2'
end

Configure User for supported Oauth2 flows

class User
  # NOTE: include :database_authenticatable configuration
  # if supporting Resource Owner Password Credentials Grant Type
  devise :oauth2_providable,
    :oauth2_password_grantable,
    :oauth2_refresh_token_grantable,
    :oauth2_authorization_code_grantable
end

(optional) Configure token expiration settings

# config/application.rb
config.devise_oauth2_providable.access_token_expires_in         = 1.second # 15.minute default
config.devise_oauth2_providable.refresh_token_expires_in        = 1.minute # 1.month default
config.devise_oauth2_providable.authorization_token_expires_in  = 5.seconds # 1.minute default

Models

Client

registered OAuth2 client for storing the unique client_id and client_secret.

AccessToken

http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.3

Short lived token used by clients to perform subsequent requests (see bearer token spec)

expires after 15min by default. to customize the duration of the access token:

Devise::Oauth2Providable::AccessToken.default_lifetime = 1.minute

RefreshToken

http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.5

Long lived token used by clients to request new access tokens without requiring user intervention to re-authorize.

expires after 1 month by default. to customize the duration of refresh token:

Devise::Oauth2Providable::RefreshToken.default_lifetime = 1.year

AuthorizationCode

http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.4.1

Very short lived token created to allow a client to request an access token after a user has gone through the authorization flow.

expires after 1min by default. to customize the duration of the authorization code:

Devise::Oauth2Providable::AuthorizationCode.default_lifetime = 5.minutes

Routes

/oauth2/authorize

http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-2.1

Endpoint to start client authorization flow. Models, controllers and views are included for out of the box deployment.

Supports the Authorization Code and Implicit grant types.

/oauth2/token

http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-2.2

Endpoint to request access token. See grant type documentation for supported flows.

Grant Types

Resource Owner Password Credentials Grant Type

http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3

in order to use the Resource Owner Password Credentials Grant Type, your Devise model must be configured with the :database_authenticatable option

Contributing

Fork the project
Fix the issue
Add unit tests
Submit pull request on github

See CONTRIBUTORS.txt for list of project contributors

Copyright

devise_oauth2_providable's People

Contributors

Stargazers

Watchers

devise_oauth2_providable's Issues

[Security Problem] authorization_code access token request does not verify redirection URI

According to http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1.3 the authorization server must validate that the redirection URI matches the redirection URI used by the authorization server to deliver the authorization code. It currently ignores it. (This is in addition to ignoring the client_secret as describe in issue 25)

NameError in Devise/oauth2_providable/authorizations#new


app/views/layouts/_navigation.html.erb where line #11 raised:
undefined local variable or method `destroy_user_session_path' for #<#:0x37e60d8>

Asking to approve the app each time

Hello,
I have an issue, and this could be my own issue but looking for an answer. Each time the user logs in it's asking to "Approve" or "Deny", should this only take place once or until the refresh token expires or the user removes the app from the approved list?

Am i missing something?

Request in order:

/oauth2/authorize
"Approve" or "Deny" (every time)
/oauth2/ token (Grant type Authorization code)

Is there a way for the user to ONLY "Approve" or "Deny" once?

Thanks in advance!

[Security] Support for the :state parameter required with omniauth-oauth2 v1.1

Hi,

A few days ago, a security update has been made to omniauth-oauth2, this one uses the :state parameter to mitigate CSRF. omniauth/omniauth-oauth2#18

However, it seem that devise_oauth2_providable doesn't handle this parameter as expected as it doesn't send it back in the callback.

A similar issue seems to be faced at omniauth/omniauth-oauth2#20

Protected Resource Helpers?

I know it may be outside of what you want to offer here, but actually i think it fits nicely.

similar to authenticate_user, there should be a method to protect a Controller resource where you need an access token to trigger it.

I can create it in a fork, but what do you call your request.env[".....????..."] I'll dig around, but if you know off the top of your head, cool.

NO route for /oauth2/access_token

I keep getting this error and rake routes does not have a route for it either:


Started POST "/oauth2/access_token" for 127.0.0.1 at 2011-05-09 13:47:07 -0400

ActionController::RoutingError (No route matches "/oauth2/access_token"):

I know I can just add one, but your documentation said it should be accepted somehow... Where can i look to see what I'm doing wrong?

undefined method 'uid=' for Rack::OAuth2::Server::Authorize::Token::Response

I'm getting an undefined_method error when I try to grant access to a Backbone app using a token.

Here's the log:

NoMethodError (undefined method `uid=' for #<Rack::OAuth2::Server::Authorize::Token::Response:0x007fa4a0183818>):
  /Users/Jean/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/bundler/gems/devise_oauth2_providable-e329bc1afbd6/app/controllers/devise/oauth2_providable/authorizations_controller.rb:46:in `block in authorize_endpoint'
  rack-oauth2 (0.11.0) lib/rack/oauth2/server/abstract/handler.rb:13:in `call'
  rack-oauth2 (0.11.0) lib/rack/oauth2/server/abstract/handler.rb:13:in `call'
  rack-oauth2 (0.11.0) lib/rack/oauth2/server/authorize/token.rb:9:in `call'
  rack-oauth2 (0.11.0) lib/rack/oauth2/server/authorize.rb:7:in `call'

If I look at the code causing the error at authorizations_controller.rb#L46 and compare that with Rack::Oauth2's token.rb#L59 then it seems Rack::Oauth2 doesn't accept the uid attribute.

Am I doing something wrong? Or has something changed in Rack::Oauth2 that is incompatible with this gem? I looked at their commits in the last few days, but couldn't find anything related to this issue.

Removing the provided line in devise_oauth2_providable "fixes" the issue, but since I don't see the uid being used anywhere I am not sure if this causes a security issue or not.

env variables not set?

I'm trying to use it but I've run into some issues. Out of the box, when I grant access to a client app, oauth2/token does not see the current user (but there is one):

Started POST "/oauth2/token" for 127.0.0.1 at 2011-08-17 16:02:30 -0300
  Processing by Oauth2::TokensController#create as 
  Parameters: {"grant_type"=>"authorization_code", "code"=>"09e3b07c2a2ebb692a961c01afecebd3", "client_id"=>"120094574673767", "client_secret"=>"[FILTERED]", "redirect_uri"=>"http://localhost:9393/oauth/callback"}
Completed   in 16ms


Started POST "/users/sign_in" for 127.0.0.1 at 2011-08-17 16:02:31 -0300
  Processing by Devise::SessionsController#create as 
  Parameters: {"grant_type"=>"authorization_code", "code"=>"09e3b07c2a2ebb692a961c01afecebd3", "client_id"=>"120094574673767", "client_secret"=>"[FILTERED]", "redirect_uri"=>"http://localhost:9393/oauth/callback"}
Completed   in 61ms
  Processing by Devise::SessionsController#new as 
  Parameters: {"grant_type"=>"authorization_code", "code"=>"09e3b07c2a2ebb692a961c01afecebd3", "client_id"=>"120094574673767", "client_secret"=>"[FILTERED]", "redirect_uri"=>"http://localhost:9393/oauth/callback"}
Rendered /Users/tute/.rvm/gems/ruby-1.9.2-p290/gems/devise-1.4.2/app/views/devise/shared/_links.erb (2.2ms)
Rendered /Users/tute/.rvm/gems/ruby-1.9.2-p290/gems/devise-1.4.2/app/views/devise/sessions/new.html.erb within layouts/application (13.4ms)
Completed 200 OK in 37ms (Views: 24.6ms | ActiveRecord: 0.0ms)

If I comment the before filters from the gem controllers, I get:

Started POST "/oauth2/token" for 127.0.0.1 at 2011-08-17 16:04:53 -0300
  Processing by Oauth2::TokensController#create as 
  Parameters: {"grant_type"=>"authorization_code", "code"=>"5a76d626ab5a1d2e7e334e8c95a90d0f", "client_id"=>"120094574673767", "client_secret"=>"[FILTERED]", "redirect_uri"=>"http://localhost:9393/oauth/callback"}
Completed 500 Internal Server Error in 1ms

NoMethodError (undefined method `refresh_tokens' for nil:NilClass):

The nil object comes from Oauth2::TokensController#oauth2_current_client, which returns env['oauth2.client'].

Why is this happening? Thanks in advance,

TuteC.

undefined method `refresh_tokens' for nil:NilClass

I am putting together a web service for a mobile app and am getting the error message after authenticating. My client is an iOS app and it is able to pass the authorization part and I see records being created in the oauth2_authorization_codes table. The problem is that it fails when attempting to set the refresh token. Any help would be appreciated.

I put some print statements in the devise/oauth2_providable/tokens_controller.rb to see what was going on. Below is the terminal output with my debug statements:

Started POST "/oauth2/authorizations" for 127.0.0.1 at 2012-12-11 17:07:17 -1000
Processing by Devise::Oauth2Providable::AuthorizationsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"INzYLPAAzzVTH7bDKuVItFkDzAmfMrJWNvkMQGbbAoE=", "client_id"=>"dd58eef1c489c744742546
abe08ca6b9", "response_type"=>"code", "redirect_uri"=>"http://127.0.0.1", "commit"=>"Approve", "approve"=>"true"}
  User Load (0.3ms)  SELECT 'users'.* FROM 'users' WHERE 'users'.'id' = 2 LIMIT 1
  Devise::Oauth2Providable::Client Load (0.4ms)  SELECT 'oauth2_clients'.* FROM 'oauth2_clients' WHERE 'oauth2_clients'.'identifier' =
 'dd58eef1c489c744742546abe08ca6b9' LIMIT 1
   (0.1ms)  BEGIN
  Devise::Oauth2Providable::AuthorizationCode Exists (0.4ms)  SELECT 1 AS one FROM 'oauth2_authorization_codes' WHERE 'oauth2_authorization_codes'.'token' = BINARY '19422126acf59290e4a77bd7338e19e1' LIMIT 1
  SQL (0.4ms)  INSERT INTO 'oauth2_authorization_codes' ('client_id', 'created_at', 'expires_at', 'token', 'updated_at', 'user_id') VALUES (1, '2012-12-12 03:07:17', '2012-12-12 03:08:17', '19422126acf59290e4a77bd7338e19e1', '2012-12-12 03:07:17', 2)
   (0.9ms)  COMMIT
Redirected to http://127.0.0.1?code=19422126acf59290e4a77bd7338e19e1
Completed 302 Found in 12ms (ActiveRecord: 2.6ms)

========== current_user
--- !ruby/object:User
attributes:
  id: 2
  email: [email protected]
  encrypted_password: $2a$10$IyV3ZQY1OQawLx2Y0VJe7OlmWH28poe6j94C8f9XTn9sAKQLH2DaO
  reset_password_token: !!null 
  reset_password_sent_at: !!null 
  remember_created_at: !!null 
  sign_in_count: 11
  current_sign_in_at: 2012-12-12 02:29:31.000000000Z
  last_sign_in_at: 2012-12-11 22:35:02.000000000Z
  current_sign_in_ip: 127.0.0.1
  last_sign_in_ip: 127.0.0.1
  authentication_token: !!null 
  created_at: 2012-12-03 19:55:18.000000000Z
  updated_at: 2012-12-12 02:29:31.000000000Z
  provider: !!null 
  uid: !!null 
  role: developer

========== oauth2_current_refresh_token

========== env[Devise::Oauth2Providable::REFRESH_TOKEN_ENV_REF]

========== oauth2_current_client

========== env[Devise::Oauth2Providable::CLIENT_ENV_REF]
--- !!null 
...

========== env[Devise::Oauth2Providable::REFRESH_TOKEN_ENV_REF]

========== env[Devise::Oauth2Providable::CLIENT_ENV_REF]


Started POST "/oauth2/token?grant_type=authorization_code&client_secret=[FILTERED]&code=19422126acf59290e4a77bd7338e19e1&redirect_uri=
http://127.0.0.1&client_id=dd58eef1c489c744742546abe08ca6b9" for 127.0.0.1 at 2012-12-11 17:07:17 -1000
Processing by Devise::Oauth2Providable::TokensController#create as */*
  Parameters: {"grant_type"=>"authorization_code", "client_secret"=>"[FILTERED]", "code"=>"19422126acf59290e4a77bd7338e19e1", "redirec
t_uri"=>"http://127.0.0.1", "client_id"=>"dd58eef1c489c744742546abe08ca6b9"}
  User Load (0.3ms)  SELECT 'users'.* FROM `users` WHERE 'users'.'id' = 2 LIMIT 1
Completed 500 Internal Server Error in 4ms

NoMethodError (undefined method `refresh_tokens' for nil:NilClass):

Thanks,

David

Tokens not expired correctly in production environment

I've noticed that in the production environment, or specifically, with "config.cache_classes = true" set, tokens are not expired properly. I've tested this with Rails 3.1.3 and devise_oauth2_providable 1.0.5.

This seems to be a problem in Devise::Oauth2Providable::ExpirableToken#expires_according_to, where the use of a named scope with a lambda that's then applied using default_scope causes the lambda to be evaulated only once, at server start. That then means that tokens are checked for expiry against the server start time, not against the current time, which means they'll never expire - at least until the server is restarted.

The simplest fix appears to be to pass the lambda directly to default_scope, which does then cause it to be re-evaluated for each load. I couldn't find anywhere that appears to depend on the existence of the named scope itself.

Namespace for Client model

I encountered some namespace conflicts when using the client class. I think it's desirable to specify the namespace for all the Client constant appearing in the code. Thanks.

Help: Wanting to do login post-password-reset

Hi, sorry to file this under issues, but I thought this might be a common enough question.

I'm attempting to do an auto-login after password-reset within devise's passwords controller.
I can't figure out how to do this, and thought perhaps you could suggest an approach.

The snippet looks a lot like the standard passwords controller, but I'm returning a JSON only response.

  # PUT /reset
  def update
    self.resource = resource_class.reset_password_by_token(resource_params)

    if resource.errors.empty?
      resource.unlock_access! if unlockable?(resource)
      message = resource.active_for_authentication? ? :updated : :updated_not_active
      sign_in(resource_name, resource)

      # ***TODO: Do an OAuth2 login here***

      render :json => { success: true, message: message, auth: @access_tokens }
    else
      render :json => { success: false, errors: resource.errors }, :status => :bad_request
    end
  end

Any help would be much appreciated

Allow scope to be changed

At the moment the controllers reference current_user and authenticate_user! but our application uses a model called Member instead of User.

The Devise registration controller has a small helper that handles this nicely

Mongoid integration

are you thinking to provide mongoid functionality?
if yes I can help with that

Access permission not saved. Bug or missing feature?

As of now, it seems that the provider will not save the access permission, therefore, on each "Sign In" the user will have to accept or deny access.

How to save such authorization in case of acceptance ? Is that a bug or a feature that need to be implemented on top of it ?

Thanks in advance for your enlightenment,
Best regards,

Sébastien Grosjean - ZenCocoon

Project is deprecated - any maintainers or other options?

This gem ranks pretty highly in Google searches for 'OAuth2 + Devise', and there are bunch of tutorials for using it etc. Any chance you could link to an alternative in the README for people coming across it but not being so familiar with the OAuth2 ecosystem? Looks like Doorkeeper is a good alternative?

Update OAuth Revision?

This is more of an initial question - but would anyone be interested in getting this conform with newer versions of the standard? I'd be up for involving myself in that.

client_id required. Why?

I am trying to obtain access token according to Section 4.3.2 Of OAuth 2.0 RFC.

When I send client_id and client_secret together with username and password everything works fine. But I need to obtain the access token without sending client_id and client_secret as my client is not confidential, say. Here is the HTTP flow between client and authorization server.

POST http://localhost:3000/oauth2/token HTTP/1.1
User-Agent: Fiddler
Host: localhost:3000
Content-Type: application/x-www-form-urlencoded
Content-Length: 59

grant_type=password&username=[email protected]&password=test

The server responds with 400 Bad request

HTTP/1.1 400 Bad Request
Content-Type: application/json
Content-Length: 71
X-Ua-Compatible: IE=Edge
X-Runtime: 0.009000
Server: WEBrick/1.3.1 (Ruby/1.9.3/2013-02-22)
Date: Thu, 04 Apr 2013 11:56:27 GMT
Connection: Keep-Alive

{"error":"invalid_request","error_description":"'client_id' required."}

How can I force the server not to bother about client's credentials?

Is there a CRUD for creating Clients?

I see the Client model , but not a CRUD for creating a Client.
Is this a ToDo. I will be happy to create it and contribute to the project.
Just wanna check that I'm on the right page.

Seeing a 401 on fresh server boot

After a fresh boot of the server:

$> curl -d client_id\=cf975811cbbcfc1ff3fc8afa04c8d8ac\&client_secret\=a4fff2a5a4557ac57f8953b2b8c79f46\&grant_type\=password\&username\=admin\&password\=test http://localhost:3002/oauth/token
<html><body>You are being <a href="http://localhost:3002/users/sign_in">redirected</a>.</body></html>

$> curl -d client_id\=cf975811cbbcfc1ff3fc8afa04c8d8ac\&client_secret\=a4fff2a5a4557ac57f8953b2b8c79f46\&grant_type\=password\&username\=admin\&password\=test http://localhost:3002/oauth/token
{"access_token":"f437ba79dacf57b23e70ef7c2475bc20","token_type":"bearer","expires_in":899,"refresh_token":"0cd05cdeadf642a8ed0b9677cf4e15ce"}

Can also reproduce by booting it then going to the authorize URL (in rails s output) will see:

Started GET "/oauth/authorize?response_type=code&client_id=cf975811cbbcfc1ff3fc8afa04c8d8ac&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fusers%2Fauth%2Fngin%2Fcallback" for 127.0.0.1 at 2012-08-29 16:18:21 -0500
Processing by Devise::Oauth2Providable::AuthorizationsController#new as HTML
  Parameters: {"response_type"=>"code", "client_id"=>"cf975811cbbcfc1ff3fc8afa04c8d8ac", "redirect_uri"=>"http://localhost:3000/users/auth/ngin/callback"}
Completed 401 Unauthorized in 6ms

Which will eventually succeed in loading the sign_in URL fine (no extra calls or anything)

redirect_uri dissapears after "Approve/Deny" form

after I send GET

http://server/oauth2/authorize?response_type=code&client_id=someid&redirect_uri=callbackuri

to server, which use devise_oauth2_providable, I got
approve/deny page in my browser
I click 'approve'
and got

Invalid Authorization Request
Invalid redirect_uri is given

I found (with debugger) that

at first run of Devise::Oauth2Providable::AuthorizationsController#authorize_endpoint
req.redirect_uri is OK (also I see it in the browser address line:) and it matches @client.redirect_uri
at second run (after I click 'Approve') req.redirect_uri is empty (also, no value= property in code of "approve/deny" form)

I'm not sure that it's an issue, but in any case I really need a help:)
thanx
rails 3.1.3
ruby 1.8.7

unique index :name on Devise::Oauth2Providable::Client

Since we are validating uniqueness of name in Devise::Oauth2Providable::Client (oauth2_clients (name)) perhaps is a good idea to put a unique index also on name in migrations.

Error 500, NoMethodError (undefined method `refresh_tokens' for nil:NilClass):

Hello there,

I'm having an issue when trying to getting an access token from an iOS client (from an in-house SDK) with my rails-3.1.1 APIs.
The /authorize looks ok, and when I'm getting my authorization code and trying to post on /token, I'm experiencing some:
undefined method `refresh_tokens' for nil:NilClass (development mode).
It comes from tokens#create, and it looks like my env[Devise::Oauth2Providable::CLIENT_ENV_REF] is empty/nil.
I do have an ugly workaround, which consist in subclassing tokens_controller and overriding the method oauth2_current_client, authenticate_user! & cie and bypassing the calls on env[xxx].
Any idea?

Regards,

invalid_grant when I don't want grants

Sorry that this is a little spammy, but could you guys take a look at this StackOverflow post?

http://stackoverflow.com/q/7663339/124378

It's hard for me to tell if this is bug or implementation fail, but I am pretty sure its a conflict with omniauth stuff, database not saving or oauth2 expecting this to be following a newer draft of the spec than actually is.

authenticate_user! overrides other Middleware response headers

I've been using cyu/rack-cors to provide access my API through XHR requests. This returns the following headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, PUT, CREATE, DELETE
Access-Control-Allow-Origin:http://app.mydomain.dev
Access-Control-Expose-Headers:
Access-Control-Max-Age:1728000

However, as soon as I start authenticating the backend using devise_oauth2_providable with :authenticate_user!, the CORS headers are lost and I can no longer access my API:

XMLHttpRequest cannot load http://api.mydomain.dev/projects.
Origin http://app.mydomain.dev is not allowed by Access-Control-Allow-Origin.

(no response-header is returned and the request simply stops with Status showing as canceled)

Could it be that devise_oauth2_providable overrides all previous set headers and therefor the cors headers are no longer sent back? And if so, I couldn't find anything doing this in the gem source, so should I be looking at nov/rack-oauth2 for the problem?

Don't know how to build task 'devise_oauth2_providable:install:migrations'

Followed instructions in README. Added to gemfile, then ran bundle install, then rake task and got error:

rake devise_oauth2_providable:install:migrations
rake aborted!
Don't know how to build task 'devise_oauth2_providable:install:migrations'

Using bundle exec rake ... doesn't make a difference. Neither does installing the gem using sudo gem install ...

Happy to post whatever you need and help work out what the issue is, but not sure where to start looking.

Running devise 1.4.8 and devise_oauth2_providable 0.3.8.

Does not work in Rails 4 - request method not specified in routes

From rails guides:

> Rails 4.0 requires that routes using match must specify the request method. For example:
> # Rails 3.x
> match "/" => "root#index"
>
># becomes
>match "/" => "root#index", via: :get
>
># or
>get "/" => "root#index"

Issue:
https://github.com/socialcast/devise_oauth2_providable/blob/master/config/routes.rb#L5
'match' method used without request method, application crashes on start-up.

[Security problem] Auth code strategy doesn't verify client secret!

According to the latest OAuth 2.0 spec the client_secret parameter is required when authenticating the client for access tokens.

Currently the secret is created in the model, but the authorization_code strategy only checks for the client_id and ignores the client_secret.

URI::InvalidURIError - query conflicts with opaque

Started POST "/oauth2/authorizations" for 127.0.0.1 at 2013-06-23 08:48:00 +0200
Processing by Devise::Oauth2Providable::AuthorizationsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"BJD0TTWQiZTbijI/4FkjrZ4lKVSswMar0ePWSO++V/A=", "client_id"=>"6bdd98b192c59ee3cfea7852f3cc459c", "response_type"=>"code", "redirect_uri"=>"urn:ietf:wg:oauth:2.0:oob", "approve"=>"true", "commit"=>"Allow access"}
  User Load (0.7ms)  SELECT "accounts".* FROM "accounts" WHERE "accounts"."deleted_at" IS NULL AND "accounts"."type" IN ('User') AND "accounts"."id" = 1 LIMIT 1
  Devise::Oauth2Providable::Client Load (0.4ms)  SELECT "oauth2_clients".* FROM "oauth2_clients" WHERE "oauth2_clients"."identifier" = '6bdd98b192c59ee3cfea7852f3cc459c' LIMIT 1
   (0.1ms)  BEGIN
  Devise::Oauth2Providable::AuthorizationCode Exists (0.2ms)  SELECT 1 AS one FROM "oauth2_authorization_codes" WHERE "oauth2_authorization_codes"."token" = '908d3e4cd4cbacbd370d7997ef560bbd' LIMIT 1
  SQL (0.4ms)  INSERT INTO "oauth2_authorization_codes" ("client_id", "created_at", "expires_at", "token", "updated_at", "user_id") VALUES ($1, $2, $3, $4, $5, $6) RETURNING "id"  [["client_id", 13], ["created_at", Sun, 23 Jun 2013 06:48:00 UTC +00:00], ["expires_at", Sun, 23 Jun 2013 06:49:00 UTC +00:00], ["token", "908d3e4cd4cbacbd370d7997ef560bbd"], ["updated_at", Sun, 23 Jun 2013 06:48:00 UTC +00:00], ["user_id", 1]]
   (0.1ms)  COMMIT
Completed 500 Internal Server Error in 17ms

URI::InvalidURIError - query conflicts with opaque:
  /Users/kain/.rvm/rubies/ruby-2.0.0-p195/lib/ruby/2.0.0/uri/generic.rb:890:in `check_query'
  /Users/kain/.rvm/rubies/ruby-2.0.0-p195/lib/ruby/2.0.0/uri/generic.rb:936:in `query='
  rack-oauth2 (0.11.0) lib/rack/oauth2/util.rb:36:in `redirect_uri'
  rack-oauth2 (0.11.0) lib/rack/oauth2/server/authorize.rb:98:in `redirect_uri_with_credentials'
  rack-oauth2 (0.11.0) lib/rack/oauth2/server/authorize.rb:104:in `finish'
  rack-oauth2 (0.11.0) lib/rack/oauth2/server/authorize.rb:7:in `call'
  devise_oauth2_providable (1.1.2) app/controllers/devise/oauth2_providable/authorizations_controller.rb:16:in `create'

ActiveModel::MassAssignmentSecurity::Error in Devise::Oauth2Providable::AuthorizationsController#create

Rails 3.2.2 with config.active_record.whitelist_attributes = true, this happens when approving the request:

Can't mass-assign protected attributes: client

activemodel (3.2.2) lib/active_model/mass_assignment_security/sanitizer.rb:48:in `process_removed_attributes'
activemodel (3.2.2) lib/active_model/mass_assignment_security/sanitizer.rb:20:in `debug_protected_attribute_removal'
activemodel (3.2.2) lib/active_model/mass_assignment_security/sanitizer.rb:12:in `sanitize'
activemodel (3.2.2) lib/active_model/mass_assignment_security.rb:228:in `sanitize_for_mass_assignment'
activerecord (3.2.2) lib/active_record/attribute_assignment.rb:75:in `assign_attributes'
activerecord (3.2.2) lib/active_record/base.rb:495:in `initialize'
activerecord (3.2.2) lib/active_record/reflection.rb:183:in `new'
activerecord (3.2.2) lib/active_record/reflection.rb:183:in `build_association'
activerecord (3.2.2) lib/active_record/associations/association.rb:233:in `build_record'
activerecord (3.2.2) lib/active_record/associations/collection_association.rb:432:in `block in create_record'
activerecord (3.2.2) lib/active_record/associations/collection_association.rb:149:in `block in transaction'
activerecord (3.2.2) lib/active_record/connection_adapters/abstract/database_statements.rb:192:in `transaction'
activerecord (3.2.2) lib/active_record/transactions.rb:208:in `transaction'
/Users/kain/.rvm/gems/ruby-1.9.3-p125/bundler/gems/deadlock_retry-874c80de92d9/lib/deadlock_retry.rb:31:in `transaction_with_deadlock_handling'
activerecord (3.2.2) lib/active_record/associations/collection_association.rb:148:in `transaction'
activerecord (3.2.2) lib/active_record/associations/collection_association.rb:431:in `create_record'
activerecord (3.2.2) lib/active_record/associations/collection_association.rb:123:in `create!'
activerecord (3.2.2) lib/active_record/associations/collection_proxy.rb:46:in `create!'
devise_oauth2_providable (1.1.0) app/controllers/devise/oauth2_providable/authorizations_controller.rb:40:in `block in authorize_endpoint'
rack-oauth2 (0.11.0) lib/rack/oauth2/server/abstract/handler.rb:13:in `call'
rack-oauth2 (0.11.0) lib/rack/oauth2/server/abstract/handler.rb:13:in `call'
rack-oauth2 (0.11.0) lib/rack/oauth2/server/authorize/code.rb:9:in `call'
rack-oauth2 (0.11.0) lib/rack/oauth2/server/authorize.rb:7:in `call'
devise_oauth2_providable (1.1.0) app/controllers/devise/oauth2_providable/authorizations_controller.rb:16:in `create'
actionpack (3.2.2) lib/action_controller/metal/implicit_render.rb:4:in `send_action'
actionpack (3.2.2) lib/abstract_controller/base.rb:167:in `process_action'
actionpack (3.2.2) lib/action_controller/metal/rendering.rb:10:in `process_action'
actionpack (3.2.2) lib/abstract_controller/callbacks.rb:18:in `block in process_action'
activesupport (3.2.2) lib/active_support/callbacks.rb:458:in `_run__2117497397318556011__process_action__3349921856018633445__callbacks'
activesupport (3.2.2) lib/active_support/callbacks.rb:405:in `__run_callback'
activesupport (3.2.2) lib/active_support/callbacks.rb:385:in `_run_process_action_callbacks'
activesupport (3.2.2) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (3.2.2) lib/abstract_controller/callbacks.rb:17:in `process_action'
actionpack (3.2.2) lib/action_controller/metal/rescue.rb:29:in `process_action'
actionpack (3.2.2) lib/action_controller/metal/instrumentation.rb:30:in `block in process_action'
activesupport (3.2.2) lib/active_support/notifications.rb:123:in `block in instrument'
activesupport (3.2.2) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
activesupport (3.2.2) lib/active_support/notifications.rb:123:in `instrument'
actionpack (3.2.2) lib/action_controller/metal/instrumentation.rb:29:in `process_action'
actionpack (3.2.2) lib/action_controller/metal/params_wrapper.rb:205:in `process_action'
activerecord (3.2.2) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
actionpack (3.2.2) lib/abstract_controller/base.rb:121:in `process'
actionpack (3.2.2) lib/abstract_controller/rendering.rb:45:in `process'
actionpack (3.2.2) lib/action_controller/metal.rb:203:in `dispatch'
actionpack (3.2.2) lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
actionpack (3.2.2) lib/action_controller/metal.rb:246:in `block in action'
actionpack (3.2.2) lib/action_dispatch/routing/route_set.rb:67:in `call'
actionpack (3.2.2) lib/action_dispatch/routing/route_set.rb:67:in `dispatch'
actionpack (3.2.2) lib/action_dispatch/routing/route_set.rb:30:in `call'
journey (1.0.3) lib/journey/router.rb:68:in `block in call'
journey (1.0.3) lib/journey/router.rb:56:in `each'
journey (1.0.3) lib/journey/router.rb:56:in `call'
actionpack (3.2.2) lib/action_dispatch/routing/route_set.rb:594:in `call'
railties (3.2.2) lib/rails/engine.rb:479:in `call'
railties (3.2.2) lib/rails/railtie/configurable.rb:30:in `method_missing'
journey (1.0.3) lib/journey/router.rb:68:in `block in call'
journey (1.0.3) lib/journey/router.rb:56:in `each'
journey (1.0.3) lib/journey/router.rb:56:in `call'
actionpack (3.2.2) lib/action_dispatch/routing/route_set.rb:594:in `call'
omniauth (1.0.3) lib/omniauth/strategy.rb:168:in `call!'
omniauth (1.0.3) lib/omniauth/strategy.rb:148:in `call'
omniauth (1.0.3) lib/omniauth/strategy.rb:168:in `call!'
omniauth (1.0.3) lib/omniauth/strategy.rb:148:in `call'
omniauth (1.0.3) lib/omniauth/strategy.rb:168:in `call!'
omniauth (1.0.3) lib/omniauth/strategy.rb:148:in `call'
omniauth (1.0.3) lib/omniauth/strategy.rb:168:in `call!'
omniauth (1.0.3) lib/omniauth/strategy.rb:148:in `call'
omniauth (1.0.3) lib/omniauth/strategy.rb:168:in `call!'
omniauth (1.0.3) lib/omniauth/strategy.rb:148:in `call'
sass (3.1.15) lib/sass/plugin/rack.rb:54:in `call'
/Users/kain/.rvm/gems/ruby-1.9.3-p125/bundler/gems/exception_notification-63d9d483fab0/lib/exception_notifier.rb:34:in `call'
warden (1.1.1) lib/warden/manager.rb:35:in `block in call'
warden (1.1.1) lib/warden/manager.rb:34:in `catch'
warden (1.1.1) lib/warden/manager.rb:34:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
rack (1.4.1) lib/rack/etag.rb:23:in `call'
rack (1.4.1) lib/rack/conditionalget.rb:35:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/head.rb:14:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/flash.rb:242:in `call'
rack (1.4.1) lib/rack/session/abstract/id.rb:205:in `context'
rack (1.4.1) lib/rack/session/abstract/id.rb:200:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/cookies.rb:338:in `call'
activerecord (3.2.2) lib/active_record/query_cache.rb:64:in `call'
activerecord (3.2.2) lib/active_record/connection_adapters/abstract/connection_pool.rb:443:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
activesupport (3.2.2) lib/active_support/callbacks.rb:405:in `_run__940905103500068343__call__2192606004823890971__callbacks'
activesupport (3.2.2) lib/active_support/callbacks.rb:405:in `__run_callback'
activesupport (3.2.2) lib/active_support/callbacks.rb:385:in `_run_call_callbacks'
activesupport (3.2.2) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (3.2.2) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/reloader.rb:65:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
railties (3.2.2) lib/rails/rack/logger.rb:26:in `call_app'
railties (3.2.2) lib/rails/rack/logger.rb:16:in `call'
config/initializers/quiet_assets.rb:18:in `call_with_quiet_assets'
actionpack (3.2.2) lib/action_dispatch/middleware/request_id.rb:22:in `call'
rack (1.4.1) lib/rack/methodoverride.rb:21:in `call'
/Users/kain/.rvm/gems/ruby-1.9.3-p125/bundler/gems/rack-contrib-95a895fb57e8/lib/rack/contrib/runtime.rb:18:in `call'
activesupport (3.2.2) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
rack (1.4.1) lib/rack/lock.rb:15:in `call'
actionpack (3.2.2) lib/action_dispatch/middleware/static.rb:61:in `call'
railties (3.2.2) lib/rails/engine.rb:479:in `call'
railties (3.2.2) lib/rails/application.rb:220:in `call'
railties (3.2.2) lib/rails/railtie/configurable.rb:30:in `method_missing'
thin (1.3.1) lib/thin/stats.rb:24:in `block in call'
thin (1.3.1) lib/thin/stats.rb:33:in `log'
thin (1.3.1) lib/thin/stats.rb:24:in `call'
thin (1.3.1) lib/thin/connection.rb:80:in `block in pre_process'
thin (1.3.1) lib/thin/connection.rb:78:in `catch'
thin (1.3.1) lib/thin/connection.rb:78:in `pre_process'
thin (1.3.1) lib/thin/connection.rb:53:in `process'
thin (1.3.1) lib/thin/connection.rb:38:in `receive_data'
eventmachine (0.12.10) lib/eventmachine.rb:256:in `run_machine'
eventmachine (0.12.10) lib/eventmachine.rb:256:in `run'
thin (1.3.1) lib/thin/backends/base.rb:61:in `start'
thin (1.3.1) lib/thin/server.rb:159:in `start'
thin (1.3.1) lib/thin/controllers/controller.rb:86:in `start'
thin (1.3.1) lib/thin/runner.rb:185:in `run_command'
thin (1.3.1) lib/thin/runner.rb:151:in `run!'
thin (1.3.1) bin/thin:6:in `<top (required)>'
/Users/kain/.rvm/gems/ruby-1.9.3-p125/bin/thin:19:in `load'
/Users/kain/.rvm/gems/ruby-1.9.3-p125/bin/thin:19:in `<main>'

NameError Devise/oauth2_providable/authorizations#new

Hey,
I am having a small issue with my layout and using Devise/oauth2_providable. I have Devise 100% up and working, the oauth2 has been tested from a client and is working to a point.

This issue i am getting is:

NameError in Devise/oauth2_providable/authorizations#new

undefined local variable or method `settings_path' for #<#Class:0x007fd465b29378:0x007fd465aca328>

This issue shows it self when the user try's to login (oauth2/authorize) from oauth2. So the user is coming from the client to the provider to approve the client.

Here is whats in the view:

<%=link_to "Settings", settings_path%>

Here is the route to back it up:

match 'settings' => 'dashboard#settings', :as => :settings

What am i doing wrong here? I can remove the link from the view and it works just fine. Any help would be great, thanks!!

Rails 3.1.1
Ruby 1.9.2-p290

Bundler could not find compatible versions for gem "rack-oauth2":
  In Gemfile:
    devise_oauth2_providable depends on
      rack-oauth2 (~> 0.6.3)

    fb_graph depends on
      rack-oauth2 (0.8.1)

socialcast / devise_oauth2_providable Goto Github PK

devise_oauth2_providable's Introduction

THIS GEM IS NO LONGER MAINTAINED AND IS CONSIDERED DEPRECATED.

devise_oauth2_providable

Features

Requirements

Installation

Install gem

Migrate database for Oauth2 models

Add Oauth2 Routes

Configure User for supported Oauth2 flows

(optional) Configure token expiration settings

Models

Client

AccessToken

RefreshToken

AuthorizationCode

Routes

/oauth2/authorize

/oauth2/token

Grant Types

Resource Owner Password Credentials Grant Type

Client Credentials Grant Type

Authorization Code Grant Type

Implicit Grant Type

Refresh Token Grant Type

Contributing

Copyright

devise_oauth2_providable's People

Contributors

Stargazers

Watchers

Forkers

devise_oauth2_providable's Issues

NameError in Devise/oauth2_providable/authorizations#new

Recommend Projects

Recommend Topics

Recommend Org