Authentication with Doorkeeper from a client application without passing secrets

I am trying to use Doorkeeper in a Ruby on Rails API application for authentication. From an AngularJS client application, I want to get an access token. This currently includes a GET request to /oauth/authorize, which gives me the code; then I send this code along with the client_id and the secret to /oauth/token. I do not want to send the client ID and secret from my client application, as they are stored in text format in a JavaScript file. I would like to follow this thread, where the response_type there is token, not code, but I cannot figure out how to do this with Doorkeeper. Their wiki examples all seem to involve POSTing the client ID and secret to /oauth/token.

Is Doorkeeper the right gem for this? How can I make Google OAuth2 from a client application, where no secrets are transmitted from the client side to the server?

Edit: It looks like what I want is the Implicit Grant, which Doorkeeper supports. Now I just need to figure out how to do this in my Rails application ...

+4
1 answer

No additional server-side configuration is required.

When I created a new Doorkeeper::Application in my Rails application, the Doorkeeper interface gave me an Authorize link with response_type=code in it for this application.

response_type=token, GET, access_token code. URL- http://my-rails-doorkeeper-app/oauth/authorize?client_id=1234&redirect_uri=http://my-angularjs-app&response_type=token.

:

, . doorkeeper ( , , client_credentials).

initializer/doorkeeper.rb, , , .

+4
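The client side of the implicit grant discussed above, as an added example that is not part of the original question or answer: it builds the `response_type=token` authorize URL without any client secret and reads the access token from the redirect fragment. The host names and `client_id` are the placeholder values from the answer's URL; the `state` check is an addition and assumes the server echoes `state` back in the fragment as RFC 6749 section 4.2.2 specifies.

```javascript
// Added example: implicit grant (response_type=token) from a browser client.
// Endpoint, client_id and redirect_uri are the placeholders from the answer's URL.
const AUTHORIZE_ENDPOINT = "http://my-rails-doorkeeper-app/oauth/authorize";
const CLIENT_ID = "1234";
const REDIRECT_URI = "http://my-angularjs-app";

// Random per-request value that binds the response to this browser session.
function newState() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the authorization URL. No client secret is sent at any point.
function buildAuthorizeUrl(state) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    response_type: "token",
    state,
  }).toString();
  return url.toString();
}

// Parse the URL the browser lands on after the authorization server redirects.
// The token arrives in the fragment (#...), which is not sent to any server.
function parseImplicitResponse(landingUrl, expectedState) {
  const url = new URL(landingUrl);
  if (url.origin !== new URL(REDIRECT_URI).origin) {
    throw new Error("unexpected redirect origin");
  }
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  const accessToken = params.get("access_token");
  if (!accessToken) throw new Error("no access_token in fragment");
  return {
    accessToken,
    tokenType: params.get("token_type"),
    expiresIn: params.has("expires_in") ? Number(params.get("expires_in")) : null,
  };
}
```

Clear `location.hash` once the token has been read so it does not stay in browser history. Current OAuth guidance (RFC 9700) recommends the authorization code grant with PKCE over the implicit grant for browser clients.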
