songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit
MIT License

Example app missing POST /oauth/token #64

Open tomas opened 10 years ago

tomas commented 10 years ago

First of all, good job fine sir.

I was looking at the example app and trying to make a consumer for it using OmniAuth (specifically, the omniauth-oauth2 gem). However, during the callback process, the OmniAuth strategy sends a POST request to the provider at /oauth/token, and it's getting a 404 response which blows up everything.

From what I've been reading, that endpoint is supposed to verify the code that is sent and return the access_token, so that the full authorization cycle is completed. However, that logic isn't there and I couldn't find anything in the documentation to point me in the right direction.

I assume I'd need to add something like:

require 'sinatra'
require 'json'
require 'songkick/oauth2/provider'

post '/oauth/token' do
  # Look up the authorization that was issued with this code
  @auth = Songkick::OAuth2::Model::Authorization.find_by_code(params[:code])

  halt 400 unless @auth   # halt ends the request; no return needed
  @auth.generate_access_token if @auth.expired?

  content_type :json
  JSON.unparse({
    'access_token'  => @auth.access_token,
    'token_type'    => 'Bearer',
    'expires_in'    => @auth.expires_in,
    'refresh_token' => @auth.refresh_token
  })
end

Or will hell break loose if I do that?

jon-eachscape commented 10 years ago

It isn't entirely clear in the documentation, but the /oauth/authorize endpoint in their example handles this token exchange for you. I'd advise you follow that, as it takes care of all the validations and response generation.

In my case, I ended up setting up /oauth/authorize and /oauth/token to go to the same place, but with their Sinatra example, you'd have to tell omniauth to use /oauth/authorize for both the authorize_url and token_url.
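An added example, not the project's code nor either commenter's: the checks RFC 6749 section 4.1.3 requires of a token endpoint before it redeems a code, which the hand-rolled handler in the issue skips and which is why delegating to the gem's own endpoint is the right call. The client, code and store values are constructed in-memory stand-ins for the gem's Client and Authorization models.

```ruby
require 'json'
require 'securerandom'

# Hypothetical in-memory stand-ins for the gem's Client and Authorization models.
def sample_clients
  { 'client-1' => { secret: 'client-1-secret', redirect_uri: 'https://app.example/cb' } }
end

def sample_codes(now)
  { 'code-1' => { client_id: 'client-1', redirect_uri: 'https://app.example/cb',
                  expires_at: now + 600, used: false } }
end

# Constant-time comparison so a wrong client secret is not revealed by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def oauth_error(status, code)
  [status, { 'Content-Type' => 'application/json' }, JSON.generate('error' => code)]
end

# Token exchange per RFC 6749 sec. 4.1.3: authenticate the client, then accept the code
# only if it was issued to that client, is unexpired, unused, and the redirect_uri matches.
# Returns a Rack-style [status, headers, body] triple.
def exchange_code(params, clients, codes, now = Time.now)
  unless params['grant_type'] == 'authorization_code'
    return oauth_error(400, 'unsupported_grant_type')
  end
  client = clients[params['client_id']]
  unless client && secure_equal?(client[:secret], params['client_secret'].to_s)
    return oauth_error(401, 'invalid_client')
  end
  auth = codes[params['code']]
  unless auth && auth[:client_id] == params['client_id'] && !auth[:used] &&
         auth[:expires_at] > now && auth[:redirect_uri] == params['redirect_uri']
    return oauth_error(400, 'invalid_grant')
  end
  auth[:used] = true # a code must never be redeemable twice
  body = { 'access_token' => SecureRandom.hex(32), 'token_type' => 'Bearer', 'expires_in' => 3600 }
  [200, { 'Content-Type' => 'application/json', 'Cache-Control' => 'no-store' }, JSON.generate(body)]
end
```

In the Sinatra example this is the logic a post '/oauth/token' route would have to carry itself, which is exactly what the gem's shared handler already does.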