doorkeeper | Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape | OAuth library

According to The OAuth 2.0 Authorization Framework, when obtaining authorization via the Client Credentials Grant flow, it says: "The client credentials grant type MUST only be used by confidential clients."

I have implemented an OAuth 2.0 provider API with doorkeeper (Ruby on Rails gem). However, a non-confidential client application, created by the OAuth 2.0 provider, is able to use the Client Credentials Grant flow with its client_id only i.e. without client_secret. Is this an expected behaviour?

I came across this as I was looking to protect my Resource Server API, such that even for public endpoints that do not require an end-user to be autorized i.e. when the Client is the Resource Owner, the client is still required to provide an Access Token.

In this use case, the Authorization Code Grant flow is not relevant since the Resource Owner is not an end-user and as per the latest OAuth 2.0 security recommendations, the Implicit Grant flows is not advised. On this basis, I found that the Client Credentials Grant flow to be the most relevant flow but I want to double check if it's appropriate to use even though the OAuth 2.0 framework says that it MUST only be used by confidential clients.

The Back Story

I am currently changing my Ruby on Rails app to a multi-database configuration. Main reason for the switch was to put my Member(User) and Profile tables in a separate database, which could be accessed from another RoR app; thus allowing me to have a single sign-on capability aside from using OAuth and Doorkeeper. This has been a many many hours project with many crazy hurdles. Finally tonight it seemed that everything was working, until I ran my spec tests, and one of my work arounds I did today is throwing flags.

Here is the appropriate code for the problem, simplified for brevity sake.

Any help would be greatly appreciated. Thank you.

Models

app/models/members_record.rb

I have a Rails 6.1 app using devise 4.7.1, doorkeeper 5.5.1, and devise-doorkeeper 1.2.0.

I'm trying to run through a (PKCE) OAuth flow, but the final step -- a POST request to /oauth/token -- returns a 401 Unauthorized error with the JSON content {"error": "You need to sign in or sign up before continuing."}.

I'm confused about this, since the /oauth/token endpoint should be accessible to unauthenticated users as far as I understand. What's also weird (but perhaps a red herring) is that if I attempt to run the same POST request with curl, but remove the User-Agent header, it succeeds.

My current suspect is this block of code in initializers/doorkeeper.rb:

We have an oauth server that uses doorkeeper. We want to start using doorkeeper jwt, but we can't turn it on for all oauth clients yet as some are out of our control and we are pretty sure they are storing the access tokens their apps receive in a varchar(255) column which won't work if we start to hand out JWT tokens for all apps. Also we don't really want to be storing the whole JWT in our database either if we can avoid it.

Our idea is to have doorkeeper generate an opaque access token for all apps first, and store that in the db. Then before return the opaque access token to the app, we check to see if the app has JWT tokens turned on and if so convert the opaque access token to a JWT access token using the opaque access token as the JWT's jti claim. We are thinking of utilizing the before_successful_strategy_response callback to convert to a JWT using the doorkeeper-jwt gem if the app has JWT access tokens enabled.

Then, when we get a request which has an access token, check to see if the access token is a JWT access token, and if so read the jti claim out of it and use that to load the access token from the db. We don't have a good place to hook into this at the moment. Right now we are thinking of monkey patching Doorkeeper::Oauth::Token in the from_request method to check to see if the token is a JWT before returning it, and if so, return the JWTs jti instead.

Does that seem like a reasonable approach? Is there another way without monkey patching Doorkeeper::Oauth::Token?

I am building 2 apps; a front-end, and a back-end.

The back-end will be built using Rails API + Doorkeeper Gem (oauth2 provider) while the front-end will be built using React Native.

Currently, I am using "Client Credentials Grant Flow" which works just fine at the moment. But after researching for a while, this flow shouldn't be used in a client-only app as it exposes the client_secret if ever someone decompiles the app.

I have also read about "Implicit Grant Flow" which only requires client_id. But this flow seems old now?

And according to this: https://auth0.com/docs/api-auth/which-oauth-flow-to-use#is-the-client-a-single-page-app-

It is recommending to use "Authorization Code Grant with PKCE" over "Implicit Grant Flow". I am able to make it work but the problem is that it still needs the client_secret in order to get an access_token, is this how it should be?

Here is the sample flow I am doing:

When i try to use the sign_up method of Devise, i get an internal server error but, after create the user.

My application.rb:

I'm trying to test CredentialsController, which works fine in production, using RSpec request specs.

I'm writing an RSpec request spec, which looks roughly like (somewhat shortened for brevity):

In the upgrade docs there's a note about the default response status moving from 401 to 400 (https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions#api-changes-2).

This is going to break my clients until we can get them to upgrade (/handle both cases in the short term).

How can I reinstate the 401 response until such a time as my clients can update?

Thanks!