doorkeeper | Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape | OAuth library

by doorkeeper-gem | Ruby | Version: v5.6.6 | License: MIT

kandi X-RAY | doorkeeper Summary

doorkeeper is a Ruby library typically used in Security, OAuth, Ruby On Rails applications. doorkeeper has no bugs, it has no vulnerabilities, it has a Permissive License and it has medium support. You can download it from GitHub.

Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider functionality to your Ruby on Rails or Grape application.

            Support

              doorkeeper has a medium active ecosystem.
              It has 5125 star(s) with 1058 fork(s). There are 108 watchers for this library.
              There were 4 major release(s) in the last 12 months.
              There are 16 open issues and 824 have been closed. On average issues are closed in 101 days. There are 3 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of doorkeeper is v5.6.6

            Quality

              doorkeeper has 0 bugs and 0 code smells.

            Security

              doorkeeper has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              doorkeeper code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            License

              doorkeeper is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            Reuse

              doorkeeper releases are available to install and integrate.
              Installation instructions, examples and code snippets are available.
              doorkeeper saves you 7147 person hours of effort in developing the same functionality from scratch.
              It has 15449 lines of code, 678 functions and 267 files.
              It has medium code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi has reviewed doorkeeper and discovered the below as its top functions. This is intended to give you an instant insight into doorkeeper implemented functionality, and help decide if they suit your requirements.
            • Validates the client access token .
            • Redirect in the form of the auth response .
            • POST
            • Validate attributes .
            • Updates an application
            • Returns true if the secret matches the given secret
            • Revoke an authorization request .
            • Destroys the authorization mechanism .
            • This method returns an array of authorization responses .
            • Calculates the access rules for an access token

            doorkeeper Key Features

            No Key Features are available at this moment for doorkeeper.

            doorkeeper Examples and Code Snippets

            No Code Snippets are available at this moment for doorkeeper.

            Community Discussions


            How to convert this android code into Curl command
            Asked 2021-Dec-25 at 02:45

            I have the following Android code



            Answered 2021-Dec-25 at 02:45

            I found it.

            My curl command above is correct, however, it is not enough. Curl sends the header content-type: application/x-www-form-urlencoded by default, but since we are sending JSON data, we need to set it to content-type: application/json.

            So the working command is



            Should non-confidential client applications be allowed to use the OAuth 2.0 Client Credentials flow?
            Asked 2021-Oct-23 at 20:07

            According to The OAuth 2.0 Authorization Framework, when obtaining authorization via the Client Credentials Grant flow, it says: "The client credentials grant type MUST only be used by confidential clients."

            I have implemented an OAuth 2.0 provider API with doorkeeper (Ruby on Rails gem). However, a non-confidential client application, created by the OAuth 2.0 provider, is able to use the Client Credentials Grant flow with its client_id only, i.e. without client_secret. Is this expected behaviour?

            I came across this as I was looking to protect my Resource Server API, such that even for public endpoints that do not require an end-user to be authorized, i.e. when the Client is the Resource Owner, the client is still required to provide an Access Token.

            In this use case, the Authorization Code Grant flow is not relevant since the Resource Owner is not an end-user, and as per the latest OAuth 2.0 security recommendations, the Implicit Grant flow is not advised. On this basis, I found the Client Credentials Grant flow to be the most relevant flow, but I want to double check if it's appropriate to use even though the OAuth 2.0 framework says that it MUST only be used by confidential clients.



            Answered 2021-Oct-23 at 20:07

            The client_credentials grant must only be used by confidential clients, because the client needs to store the secret. That is because the client needs to send client_id and client_secret to the Authorization Server in order to get the Token. I don't know of any special way where the client_credentials flow can be used with only the client_id.

            As far as I could see, the doorkeeper documentation also doesn't mention this.

            But I wouldn't use the client_credentials flow in a non-confidential client, when the client needs to save the secret. And I would not use ANY Grant that only sends its client_id and nothing else to the /token endpoint to get a Token.
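            As an added illustration of the point made in this answer (example code written for this page, not code from the answerer, the question, or the Doorkeeper gem): a minimal token-endpoint handler in plain Ruby that refuses the client_credentials grant for any client not registered as confidential, and authenticates confidential clients with a constant-time comparison of a hashed secret. The client registry, client ids, and secret are constructed stand-ins for a provider's application table.

```ruby
require "digest"
require "securerandom"

# Constructed client registry standing in for an OAuth provider's application
# table (assumption: this is not Doorkeeper's model or API). Secrets are kept
# as SHA-256 digests, never in the clear.
CLIENT_REGISTRY = {
  "web-backend" => { confidential: true,
                     secret_digest: Digest::SHA256.hexdigest("constructed-secret") },
  "mobile-app"  => { confidential: false, secret_digest: nil }
}.freeze

# Constant-time comparison so response timing does not reveal how many
# leading bytes of a guessed secret were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def oauth_error(status, code, description)
  { status: status, body: { "error" => code, "error_description" => description } }
end

# Token-endpoint handler for the client_credentials grant only.
# params is the decoded form body, e.g.
#   {"grant_type" => "client_credentials", "client_id" => ..., "client_secret" => ...}
def handle_client_credentials(params)
  unless params["grant_type"] == "client_credentials"
    return oauth_error(400, "unsupported_grant_type", "only client_credentials is handled here")
  end

  client = CLIENT_REGISTRY[params["client_id"].to_s]
  return oauth_error(401, "invalid_client", "unknown client") unless client

  # RFC 6749 section 4.4: this grant is for confidential clients only.
  # A public client is refused even if it happens to send some secret,
  # because it cannot keep one, so the secret proves nothing.
  unless client[:confidential]
    return oauth_error(400, "unauthorized_client", "public clients may not use client_credentials")
  end

  presented = params["client_secret"].to_s
  return oauth_error(401, "invalid_client", "client authentication failed") if presented.empty?

  digest = Digest::SHA256.hexdigest(presented)
  unless secure_equal?(digest, client[:secret_digest])
    return oauth_error(401, "invalid_client", "client authentication failed")
  end

  { status: 200,
    body: { "access_token" => SecureRandom.urlsafe_base64(32),
            "token_type" => "Bearer", "expires_in" => 3600 } }
end
```

            The distinction between the two failure codes is deliberate: a public client asking for this grant is a misconfigured or misbehaving client (400 unauthorized_client), while a confidential client with a missing or wrong secret has failed authentication (401 invalid_client).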



            Rails NoMethodError (undefined method `<<' for #):
            Asked 2021-Jul-17 at 12:06

            The Back Story

            I am currently changing my Ruby on Rails app to a multi-database configuration. The main reason for the switch was to put my Member (User) and Profile tables in a separate database, which could be accessed from another RoR app; thus allowing me to have single sign-on capability aside from using OAuth and Doorkeeper. This has been a many, many hours project with many crazy hurdles. Finally tonight it seemed that everything was working, until I ran my spec tests, and one of the workarounds I did today is throwing flags.

            Here is the appropriate code for the problem, simplified for brevity's sake.

            Any help would be greatly appreciated. Thank you.





            Answered 2021-Jul-16 at 10:03


            Why am I receiving 401 Unauthorized errors with my Doorkeeper configuration?
            Asked 2021-May-05 at 19:48

            I have a Rails 6.1 app using devise 4.7.1, doorkeeper 5.5.1, and devise-doorkeeper 1.2.0.

            I'm trying to run through a (PKCE) OAuth flow, but the final step -- a POST request to /oauth/token -- returns a 401 Unauthorized error with the JSON content {"error": "You need to sign in or sign up before continuing."}.

            I'm confused about this, since the /oauth/token endpoint should be accessible to unauthenticated users as far as I understand. What's also weird (but perhaps a red herring) is that if I attempt to run the same POST request with curl, but remove the User-Agent header, it succeeds.

            My current suspect is this block of code in initializers/doorkeeper.rb:



            Answered 2021-May-05 at 19:47

            This problem was caused by our use of the Ahoy analytics library.

            By default, this library tracks all page visits in your Rails app. It tries to get the current user using current_user || current_resource_owner. Because current_user was still nil when POSTing to /oauth/token, getting current_resource_owner ended up calling our Doorkeeper resource_owner_authenticator, which returned the 401 error. The source code for this is here.

            This also explains why things worked as expected when unsetting the User-Agent header: with no user agent (or the user agent of e.g. curl), Ahoy treats the request as coming from a bot, and doesn't attempt to track it (source code here).

            Our solution to this is to tell Ahoy to stop tracking all page views automatically by setting Ahoy.api_only = true in its configuration.



            Doorkeeper JWT without storing the whole jwt in database
            Asked 2021-Feb-05 at 18:25

            We have an OAuth server that uses doorkeeper. We want to start using doorkeeper-jwt, but we can't turn it on for all OAuth clients yet, as some are out of our control and we are pretty sure they are storing the access tokens their apps receive in a varchar(255) column, which won't work if we start to hand out JWT tokens for all apps. Also, we don't really want to be storing the whole JWT in our database either if we can avoid it.

            Our idea is to have doorkeeper generate an opaque access token for all apps first, and store that in the db. Then, before returning the opaque access token to the app, we check to see if the app has JWT tokens turned on and, if so, convert the opaque access token to a JWT access token using the opaque access token as the JWT's jti claim. We are thinking of utilizing the before_successful_strategy_response callback to convert to a JWT using the doorkeeper-jwt gem if the app has JWT access tokens enabled.

            Then, when we get a request which has an access token, check to see if the access token is a JWT access token, and if so read the jti claim out of it and use that to load the access token from the db. We don't have a good place to hook into this at the moment. Right now we are thinking of monkey patching Doorkeeper::Oauth::Token in the from_request method to check to see if the token is a JWT before returning it, and if so, return the JWT's jti instead.

            Does that seem like a reasonable approach? Is there another way without monkey patching Doorkeeper::Oauth::Token?



            Answered 2021-Feb-05 at 18:25

            More recent versions of doorkeeper allow you to configure the access token model class as seen here:

            So we can hook into the access token lookup there without resorting to monkey patching.
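            A stand-alone sketch of the scheme the question describes (opaque token persisted, wrapped as a JWT whose jti is the opaque value for apps that opted in, and unwrapped on inbound requests). This is an added example in plain Ruby using only the standard library; it is not code from the question, the answer, Doorkeeper, or doorkeeper-jwt, and it does not use either gem's hooks. The in-memory store, the HS256 key, and the list of JWT-enabled apps are constructed stand-ins. The defensive detail worth noting is in resolve_access_token: the jti is read only after the signature and exp claim have been checked, so a JWT with a forged payload cannot be used to select a stored token that belongs to someone else.

```ruby
require "json"
require "openssl"
require "securerandom"

# Constructed in-memory stand-ins (assumption: not Doorkeeper's tables/config).
TOKEN_STORE = {}                                        # opaque token => record
JWT_CLIENTS = ["jwt-enabled-app"].freeze                # apps that opted into JWT
HMAC_KEY = "constructed-hmac-key-for-this-example".freeze  # HS256 key, demo only

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m")
end

# Constant-time comparison for the signature check.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Step 1: every app gets an opaque token and only that is persisted.
def issue_opaque_token(app_id, scopes, ttl: 3600)
  token = SecureRandom.urlsafe_base64(32)
  TOKEN_STORE[token] = { app_id: app_id, scopes: scopes, expires_at: Time.now.to_i + ttl }
  token
end

# Step 2: for JWT-enabled apps, wrap the opaque token as the jti claim (HS256).
def wrap_as_jwt(opaque_token)
  record = TOKEN_STORE.fetch(opaque_token)
  header  = b64url_encode(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  payload = b64url_encode(JSON.generate({ "jti" => opaque_token,
                                          "exp" => record[:expires_at],
                                          "scope" => record[:scopes].join(" ") }))
  sig = b64url_encode(OpenSSL::HMAC.digest("SHA256", HMAC_KEY, "#{header}.#{payload}"))
  "#{header}.#{payload}.#{sig}"
end

# What the token endpoint would hand back for a given app.
def token_response(app_id, scopes)
  opaque = issue_opaque_token(app_id, scopes)
  JWT_CLIENTS.include?(app_id) ? wrap_as_jwt(opaque) : opaque
end

# Step 3: resolve an incoming bearer token of either form to its DB record.
# Returns nil for unknown, expired, unsigned or tampered tokens.
def resolve_access_token(presented)
  parts = presented.split(".")
  if parts.length == 3
    header, payload, sig = parts
    expected = b64url_encode(OpenSSL::HMAC.digest("SHA256", HMAC_KEY, "#{header}.#{payload}"))
    return nil unless secure_equal?(sig, expected)   # verify before trusting any claim
    claims = JSON.parse(b64url_decode(payload))
    return nil if claims["exp"].to_i < Time.now.to_i
    presented = claims["jti"].to_s                   # only now is the jti used
  end
  record = TOKEN_STORE[presented]
  return nil if record.nil? || record[:expires_at] < Time.now.to_i
  record
rescue JSON::ParserError
  nil
end
```

            The lookup keyed on the jti is the place the answer says newer Doorkeeper versions let you hook via a configurable access token model; the example shows the logic that hook would carry, not the hook itself.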



            Do we really need client_secret to get access_token on PKCE flow?
            Asked 2020-Oct-06 at 09:28

            I am building 2 apps; a front-end, and a back-end.

            The back-end will be built using Rails API + Doorkeeper Gem (oauth2 provider) while the front-end will be built using React Native.

            Currently, I am using "Client Credentials Grant Flow" which works just fine at the moment. But after researching for a while, this flow shouldn't be used in a client-only app as it exposes the client_secret if ever someone decompiles the app.

            I have also read about "Implicit Grant Flow" which only requires client_id. But this flow seems old now?

            And according to this:

            It recommends using "Authorization Code Grant with PKCE" over "Implicit Grant Flow". I am able to make it work, but the problem is that it still needs the client_secret in order to get an access_token. Is this how it should be?

            Here is the sample flow I am doing:



            Answered 2020-Jul-23 at 17:12

            1. Do we really need client_secret to get access_token on PKCE flow?

            It depends. Originally PKCE was introduced to protect public clients (a client which cannot protect a secret). But in recent best practices, PKCE became kind of a recommendation for authorization code grant (source)

            2.1.1. Authorization Code Grant

            Clients MUST prevent injection (replay) of authorization codes into the authorization response by attackers. The use of PKCE [RFC7636] is RECOMMENDED to this end. The OpenID Connect "nonce" parameter and ID Token Claim [OpenID] MAY be used as well. The PKCE challenge or OpenID Connect "nonce" MUST be transaction-specific and securely bound to the client and the user agent in which the transaction was

            Note: although PKCE so far was designed as a mechanism to protect native apps, this advice applies to all kinds of OAuth clients, including web applications.

            2. Why is it recommended to use "PKCE Flow" if it will just expose the client_secret?

            In short, to avoid authorization code replay attacks (spec - introduction). And this happens inside the end user's device and not in the transmission of data. TLS is mandatory for OAuth 2.0 token requests.

            3. How is it different from "Client Credentials Grant Flow" which also exposes the client_secret?

            No grant will expose credentials as token requests are done via TLS.

            I think in your case the client is a confidential client (spec - client types). So I would recommend checking this aspect in the authorization server.
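            To make concrete what the quoted BCP means by a PKCE challenge that is "transaction-specific and securely bound" to the client, here is an added example in plain Ruby (standard library only; not code from the answer, the question, or the Doorkeeper gem) of both halves of the S256 mechanism: the client derives a code_challenge from a random code_verifier, the authorization server stores the challenge with the code it issues, and the token endpoint only redeems the code when the presented verifier hashes to that stored challenge. The in-memory code store and the client id are constructed stand-ins. The reference vector in the test is the one from RFC 7636 Appendix B.

```ruby
require "digest"
require "securerandom"

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# Client side. RFC 7636 section 4.1: the verifier is 43..128 characters from
# [A-Za-z0-9-._~]; 32 random bytes base64url-encoded give exactly 43.
def generate_code_verifier
  b64url_encode(SecureRandom.random_bytes(32))
end

# S256 transform: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
def code_challenge_s256(verifier)
  b64url_encode(Digest::SHA256.digest(verifier))
end

# Constant-time comparison for the challenge check.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Authorization-server side. Constructed in-memory store of issued codes
# (assumption: stand-in for a provider's access_grants table).
ISSUED_CODES = {}

# Authorization endpoint: bind the client's challenge to the code it issues.
# RFC 7636 also defines "plain", but this server accepts S256 only so that a
# challenge never has to travel as the verifier itself.
def issue_authorization_code(client_id, challenge, method)
  return nil unless method == "S256"
  code = SecureRandom.urlsafe_base64(24)
  ISSUED_CODES[code] = { client_id: client_id, challenge: challenge, used: false }
  code
end

# Token endpoint: a code is redeemable exactly once, only by the client it
# was issued to, and only together with the verifier whose S256 hash equals
# the stored challenge. A code on its own, however it was obtained, is
# useless without that verifier.
def redeem_authorization_code(client_id, code, verifier)
  grant = ISSUED_CODES[code]
  return { error: "invalid_grant" } if grant.nil? || grant[:used] || grant[:client_id] != client_id
  return { error: "invalid_grant" } unless verifier.is_a?(String) && verifier.length.between?(43, 128)
  return { error: "invalid_grant" } unless secure_equal?(code_challenge_s256(verifier), grant[:challenge])
  grant[:used] = true
  { access_token: SecureRandom.urlsafe_base64(32), token_type: "Bearer" }
end
```

            Note that nothing here involves a client_secret: the binding comes from the verifier, which never leaves the client until the token request. Whether the server additionally demands a secret is a separate decision driven by the registered client type, which is the point the answer makes.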



            JSON API Rails 6 with Devise - SignUp Problems
            Asked 2020-Apr-30 at 22:40

            When I try to use the sign_up method of Devise, I get an internal server error, but after creating the user.

            My application.rb:



            Answered 2020-Apr-30 at 22:40

            This issue seems to be the problem you are having:


            They suggest clearing the cookies of your browser

            This usually happens when you are upgrading a bunch of stuff including devise in one branch, and then you get back to some other branch for something and you have this newer cookie in your browser. The simple solution is to clear the cookies in your browser.

            Other answers mention upgrading devise version



            Invalid access_token when using RSpec request specs to authorize a request
            Asked 2020-Mar-19 at 20:36

            I'm trying to test CredentialsController, which works fine in production, using RSpec request specs.

            Code Controller ...


            Answered 2020-Mar-19 at 20:36

            I was passing the token wrong. Instead of:



            RSpec: Stub controller method in request spec
            Asked 2020-Mar-19 at 17:30

            I'm writing an RSpec request spec, which looks roughly like (somewhat shortened for brevity):



            Answered 2020-Mar-19 at 07:18

            Have you thought about not mocking current_user at all?

            If you write a test helper to sign in a user before your request spec, current_user will be populated automatically as if it was a real user. The code would look like this:



            Have latest Doorkeeper return 401 for unauthorized (reinstate old behaviour)
            Asked 2020-Feb-07 at 22:21

            In the upgrade docs there's a note about the default response status moving from 401 to 400.

            This is going to break my clients until we can get them to upgrade (/handle both cases in the short term).

            How can I reinstate the 401 response until such a time as my clients can update?




            Answered 2020-Feb-07 at 22:21

            You can check the changes made in and try to patch Doorkeeper::OAuth::ErrorResponse to return the status you need. Then, when you are ready to migrate, just remove the patch. All you need is to override the status method. Also check the InvalidTokenResponse class; maybe you need to patch it too.

            There is no built-in option to switch the status code in Doorkeeper, so you can only patch its internals.


            Community Discussions, Code Snippets contain sources that include Stack Exchange Network


            No vulnerabilities reported

            Install doorkeeper

            Installation depends on the framework you're using. The first step is to add the following to your Gemfile and run bundle install. After this, check out the guide related to the framework you're using.


            This documentation is valid for main branch. Please check the documentation for the version of doorkeeper you are using in:
            Find more information at:
