Browser cancels token

I am implementing OAuth 2 in my application and I already have a login / update token, but I am having problems logging out.

I have this set of routes created by Doorkeeper:

    Routes for Doorkeeper::Engine:
                  authorization GET    /authorize(.:format)                   doorkeeper/authorizations#new
                  authorization POST   /authorize(.:format)                   doorkeeper/authorizations#create
                  authorization DELETE /authorize(.:format)                   doorkeeper/authorizations#destroy
                          token POST   /token(.:format)                       doorkeeper/tokens#create
                   applications GET    /applications(.:format)                doorkeeper/applications#index
                                POST   /applications(.:format)                doorkeeper/applications#create
                new_application GET    /applications/new(.:format)            doorkeeper/applications#new
               edit_application GET    /applications/:id/edit(.:format)       doorkeeper/applications#edit
                    application GET    /applications/:id(.:format)            doorkeeper/applications#show
                                PUT    /applications/:id(.:format)            doorkeeper/applications#update
                                DELETE /applications/:id(.:format)            doorkeeper/applications#destroy
        authorized_applications GET    /authorized_applications(.:format)     doorkeeper/authorized_applications#index
         authorized_application DELETE /authorized_applications/:id(.:format) doorkeeper/authorized_applications#destroy

What I want to do is invalidate the token on the server, so I think the service I should call is "DELETE /allow"? But I have tried many different ways of using these services, and I only receive errors.

By the way, I don't know whether it is right to cancel a token on the server, or to delete it only from the application?

PS: I am using AFNetworking 2 in iOS 7 for my client.

+6
2 answers

This does not answer the question, but provides relevant information.

I had a problem where Doorkeeper accepted any username/password combination in a Resource Owner Password Credentials Grant request after an earlier grant had been made with a valid username/password combination. The scenario was:

  • the client obtains authorization using a valid username and password
  • the client discards / forgets the authorization token to end the authorization
  • the client can obtain a new grant using any username and password, and is authorized as the original user.

It turned out that Warden was keeping the authenticated user in the session, and my iOS client was happily maintaining the session for me.

I solved this by logging the user out immediately after authentication. This works because, on an authorized request, OAuth gets the current user by means of the authorization token; it should not have a user in the session.

The following is from config/initializers/doorkeeper.rb. The last two lines perform the logout after authentication.

    Doorkeeper.configure do
      # called for Resource Owner Password Credentials Grant
      resource_owner_from_credentials do
        # hand the grant's username/password to Devise's params authentication
        request.params[:user] = { :email => request.params[:username], :password => request.params[:password] }
        request.env["devise.allow_params_authentication"] = true
        user = request.env["warden"].authenticate!(:scope => :user)
        # drop the user from the Warden session so the next grant must present credentials again
        env['warden'].logout
        user
      end
    end
+4
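The session leak described in this answer, as an added illustration that is not part of the original answer: a minimal Ruby model of the Warden behaviour that matters here (authenticate! returns a user already stored in the session without re-checking credentials), with the leaky password-grant handler beside the fixed one that logs out after authenticating. FakeWarden, USERS, the handler names and the sample credentials are constructed for the example.

```ruby
# Constructed user "database" for the illustration.
USERS = { "alice@example.com" => "correct-horse" }.freeze

# Stand-in for the part of Warden that caused the problem: the session is
# consulted before any credential check runs.
class FakeWarden
  attr_reader :session

  def initialize(session)
    @session = session # shared across requests, like a cookie-backed session
  end

  # Returns the session user if present, otherwise checks the credentials.
  def authenticate!(email, password)
    return session[:user] if session[:user]
    raise "unauthorized" unless USERS[email] == password
    session[:user] = email
  end

  def logout
    session.delete(:user)
  end
end

# Handler as written before the fix: the authenticated user stays in the session.
def password_grant_leaky(session, email, password)
  FakeWarden.new(session).authenticate!(email, password)
end

# Fixed handler: log out right after authenticating, as the initializer above does,
# so every grant request must present valid credentials.
def password_grant_fixed(session, email, password)
  warden = FakeWarden.new(session)
  user = warden.authenticate!(email, password)
  warden.logout
  user
end

# Two consecutive grant requests sharing one session; the second uses bad credentials.
# Returns the user granted on the second request, or the error message.
def second_grant_with_bad_password(handler)
  session = {}
  send(handler, session, "alice@example.com", "correct-horse")
  send(handler, session, "mallory@example.com", "wrong")
rescue RuntimeError => e
  e.message
end
```

With the leaky handler the second request is granted as alice despite the wrong password; with the fixed handler it is rejected.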

If I understand correctly, the problem is:

  1. The user goes to the client application and logs in.
  2. The client application receives authentication from the OAuth server; the user is prompted for the username / password at this point.
  3. The user logs out of the client application.
  4. The user clicks "log in" in the client application again and is automatically signed in with the old authentication, instead of being asked again for the username and password as you need.

If this is your problem, this is due to cookies. Check the cookies sent in each request. In my case, I had to add a line

    cookies.delete '_oauth_server_name_session'

and then it worked. You can confirm this is the problem first, because if you switch browsers (or switch to incognito mode), it will not happen.

0

Source: https://habr.com/ru/post/958573/
