Closed xiaotian closed 12 years ago
Can you provide code to reproduce this? How are you processing password exchanges currently?
Thanks for your quick response, James.
Here is the provider-side code, in a Rails controller class. I have briefly looked at the source of oauth2-provider; it seems the exchange code always sets the refresh_token to nil.
class Oauth2Controller < ApplicationController
  before_filter :setup_oauth

  # Token endpoint: hand the request to the provider and relay its response.
  def authorize
    login = Login.with_username(params[:username]).first
    oauth2 = OAuth2::Provider.parse(login, request.env)
    response.headers.merge!(oauth2.response_headers)
    render :text => oauth2.response_body, :status => oauth2.response_status
  end

  private

  # Registers the password-grant handler (currently on every request).
  def setup_oauth
    OAuth2::Provider.handle_passwords do |client, username, password|
      login = Login.with_username(username).first
      is_authentic = login && login.try_authentication_test_with_threat_of_suspension { |l|
        l.authenticated? password
      }
      if is_authentic and login.active? and login.user?
        # self.current_login = login
        login.last_seen_at = Time.now
        login.save
        login.grant_access!(client)
      else
        nil
      end
    end
  end
end
Xiaotian Guo
On Friday, July 20, 2012 at 11:43 AM, James Coglan wrote:
Quick tip: you shouldn't be doing OAuth2::Provider.handle_passwords on every request, you can move this block up to the top level. It's basically configuration, or like declaring a controller.
I'll follow up once I've investigated the problem more.
Thanks much James!
BTW, I am using the OAuth2 gem on the client side; it seems by default the client sends "Bearer
Xiaotian Guo
On Friday, July 20, 2012 at 11:56 AM, James Coglan wrote:
It implements draft-10, which requires an Authorization: OAuth $token header or oauth_token in the query string or body. I've personally never found it necessary to use a client library for OAuth 2.0, especially with the number of different drafts and no final version. Might make more sense if/when the spec is finalized.
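Added example, not code from oauth2-provider or from this thread: a minimal draft-10 token extractor in plain Ruby that accepts the three methods James lists and, as a resource server should, rejects a request that uses more than one of them. It assumes a Rack-style env hash (constructed inline) and shows why a client sending the later "Bearer" scheme gets no token out of a draft-10 server.

```ruby
require 'uri'

# Hypothetical helper: extracts the access token from a request the way an
# OAuth 2.0 draft-10 resource server expects it. Returns [token, source] on
# success, or [nil, reason] when no usable token is present.
module Draft10Token
  # draft-10 header form: "Authorization: OAuth <token>"
  HEADER_RE = /\A\s*OAuth\s+(\S+)\s*\z/

  def self.extract(env)
    found = {}

    if (header = env['HTTP_AUTHORIZATION'])
      m = HEADER_RE.match(header)
      # "Bearer <token>" belongs to later drafts / RFC 6750, not draft-10,
      # so a draft-10 server does not recognise it as a token at all.
      return [nil, :unsupported_scheme] if m.nil? && header =~ /\A\s*Bearer\b/i
      found[:header] = m[1] if m
    end

    # Query-string form: ?oauth_token=<token>
    query = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
    found[:query] = query['oauth_token'] if query.key?('oauth_token')

    # Body form: only for form-encoded POST bodies (rack.input may be an IO).
    if env['REQUEST_METHOD'] == 'POST' &&
       env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded')
      raw = env['rack.input']
      raw = raw.read if raw.respond_to?(:read)
      body = URI.decode_www_form(raw.to_s).to_h
      found[:body] = body['oauth_token'] if body.key?('oauth_token')
    end

    return [nil, :missing] if found.empty?
    # draft-10 forbids using more than one method in a single request;
    # refusing such requests avoids ambiguity about which token was meant.
    return [nil, :multiple_methods] if found.size > 1

    source, token = found.first
    [token, source]
  end
end
```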
James, wondering if you have had a chance to look into the refresh token expires_in issue. I'd be happy to work on this, and your advice/suggestions would be much appreciated.
This should be fixed in 46eb31e. You can now do, for example:
resource_owner.grant_access! client, :duration => 7.days
It does not implement refresh tokens, but that's not implemented at all yet and I'd consider it a separate issue.
Thanks, I will try that out.
On Thursday, August 23, 2012 at 9:40 AM, James Coglan wrote:
resource_owner.grant_access! client, :duration => 7.days
Only the access token is returned. I plan to add this and create a pull request; it'd be great if you can give some suggestions on how to integrate this. Thanks!