在提供授权的Rails(5.2.3)应用程序上将doorkeeper从5.1.0 gem升级到5.2.1后,请求授权的应用程序的登录不再起作用。授权应用程序上的页面指出缺少必需参数:范围。尽管我们不使用范围。
迁移说明中有一些关于范围的内容,但它们对我没有意义。 https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions#database-changes
我知道我必须创建这样的迁移,但问题仍然存在:
# frozen_string_literal: true
class ChangeScopesOnOAuthAccessGrants < ActiveRecord::Migration[5.2]
def up
change_column_default :oauth_access_grants, :scopes, from: nil, to: ''
change_column_null :oauth_access_grants, :scopes, false
end
def down
change_column_default :oauth_access_grants, :scopes, from: '', to: nil
change_column_null :oauth_access_grants, :scopes, true
end
end
授权应用程序上的配置doorkeeper.rb非常简单:
Doorkeeper.configure do
orm :active_record
resource_owner_authenticator do
current_admin_user || redirect_to(new_admin_user_session_path(params.permit(:client_id, :redirect_uri, :response_type, :state)))
end
admin_authenticator do
current_admin_user || redirect_to(new_admin_user_session_path)
end
access_token_expires_in 24.hours
end
我在运行迁移之前和之后更深入地研究了响应。在 Doorkeeper 模块的 AuthorizationsController#new (继承自 Doorkeeper::ApplicationController)中使用 binding.pry,我可以确认 的实例>Doorkeeper::OAuth::PreAuthorization 对于属性 scope 返回 nil,但对于 scopes 则不返回。
调用 pre_auth.authorized? 后,我得到这个对象和这些值:
#<Doorkeeper::OAuth::PreAuthorization:0x00007fad33f25390
@client=
#<Doorkeeper::OAuth::Client:0x00007fad364b22e8
@application=
#<Doorkeeper::Application:0x00007fad364b26d0
id: 2,
name: "...",
uid: "...",
secret: "..",
redirect_uri:
"http://localhost:3001/users/auth/doorkeeper/callback",
scopes: "",
created_at: Tue, 24 Oct 2017 11:56:13 CEST +02:00,
updated_at: Thu, 03 Oct 2019 18:53:35 CEST +02:00,
confidential: true>>,
@client_id="...",
@code_challenge=nil,
@code_challenge_method=nil,
@error=:invalid_request,
@missing_param=:scope,
@redirect_uri="http://localhost:3001/users/auth/doorkeeper/callback",
@response_type="code",
@scope=nil,
@server=
#<Doorkeeper::Config:0x00007fad33b72180
@access_token_expires_in=24 hours,
@api_only=false,
@application_secret_strategy=Doorkeeper::SecretStoring::???,
@authenticate_admin=#<Proc:0x00007fad33b71d20@/Users/.../config/initializers/doorkeeper.rb:11>,
@authenticate_resource_owner=#<Proc:0x00007fad33b71eb0@/Users/.../config/initializers/doorkeeper.rb:6>,
@default_scopes=#<Doorkeeper::OAuth::Scopes:0x00007fad364cb7c0 @scopes=[]>,
@orm=:active_record,
@token_secret_strategy=Doorkeeper::SecretStoring::???>,
@state="...">
我目前没有任何解决问题的线索。感谢您的提示!
最佳答案
我也遇到了同样的问题。似乎您总是需要在授权请求中提供 scope 参数或配置 default_scope (配置中有一个示例)。此外,默认或请求的范围必须与您的客户端应用程序范围之一匹配,否则您将收到请求的范围无效、未知或格式错误。。
Migration from old versions中提到了这一点,但解释为数据库更改。链接RFC6749#section-3.3更清楚地说明新要求:
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).
我同意 Migration from old versions 中似乎没有充分记录这一点或Scopes但他们更忠实于 RFC6749 似乎很重要。我正在使用 grant_type: 'authorization_code',并且 Authorization Code Flow 中甚至没有提到“范围” .
关于ruby-on-rails - 门卫 gem 从 5.1.0 升级到 5.2.1 后缺少必需参数 : scope.,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58150462/