I'm testing the API by following the page https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Resource-Owner-Password-Credentials-flow

curl -F grant_type=password \
-F username=foo@bar.com \
-F password=mypass \
-X POST http://localhost:3000/oauth/token
I get the response:

{"access_token":"6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440","token_type":"bearer","expires_in":600,"refresh_token":"c1445d0a27a8278268c1187c2e3da7163525f1fac8093890430edd328f51c3de","created_at":1429931390}
But when I call /oauth/authorize:
curl -F response_type=6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440 \
-F client_id=9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4 \
-F client_secret=decba5aca425095978d33653ef03d654f0b74427bcec0596bdde518016708c35 \
-F redirect_uri=urn:ietf:wg:oauth:2.0:oob \
-F username=foo@bar.com \
-X POST http://localhost:3000/oauth/authorize
I get:

Started POST "/oauth/authorize" for 127.0.0.1 at 2015-04-25 00:30:05 -0300
Processing by Doorkeeper::AuthorizationsController#create as */*
  Parameters: {"response_type"=>"6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440", "client_id"=>"9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4", "client_secret"=>"[FILTERED]", "redirect_uri"=>"urn:ietf:wg:oauth:2.0:oob", "username"=>"foo@bar.com"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 1ms
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
...

What am I doing wrong?
Answer 0 (score: 4)

If you are only using the API, I guess you can turn it off by adding the following line to the environment file (test/development/production.rb):

config.action_controller.allow_forgery_protection = false

Cheers!
Answer 1 (score: 0)

In the second request you seem to be using the token as the response_type. I think it should be authorization_code.

However, from the first response it looks like it is giving you a bearer token. If so, then to view a protected page (one with before_action :doorkeeper_authorize!) the command would be
curl http://localhost:3000/protected_page -H "Authorization: Bearer 6d4398b75d94835631a453af770161a6f58618b101b58ccf62a5a8492bce3440"
Do you need to use curl? I ran into the same CSRF authenticity token failure because it thought this was a form request, but I used the OAuth2 gem.

Register an application (possibly protected) at /oauth/applications, go to it, click Authorize, click Approve, and you'll see that you have POSTed to a URL something like http://localhost:3000/oauth/authorize?client_id=abc123&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code with params "utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "state"=>"", "scope"=>"public".

abc123 is your one-time authentication code.

But you still haven't authorized your application. So, let's get the access_token and refresh_token.
require 'oauth2'

client_id = "9c291dc4aa87bfafd6c6a4cf6930d225c106f8fe88e1d0769832047f1ee011c4"
client_secret = "decba5aca425095978d33653ef03d654f0b74427bcec0596bdde518016708c35"
site = "http://localhost:3000"
redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
code = "abc123" # see above
ENV['OAUTH_DEBUG'] = 'true' # log the HTTP exchange with the server
client = OAuth2::Client.new(client_id, client_secret, :site => site)
# Exchange the one-time authorization code for tokens at /oauth/token
token = client.auth_code.get_token(code, redirect_uri: redirect_uri)
access_token = token.token
refresh_token = token.refresh_token
# And if you want:
# if token.expired?
#   new_token = token.refresh!
#   new_token.token
#   new_token.refresh_token
# end
If you go to http://localhost:3000/oauth/authorized_applications you should see your application now in the list.

Now you can use curl -X GET http://localhost:3000/protected_page -H "Authorization: Bearer #{access_token}"

See also https://github.com/doorkeeper-gem/doorkeeper/wiki/API-endpoint-descriptions-and-examples

Possibly useful information: this is what Doorkeeper looks at when validating the authorization code
redirect_uri.present?
grant = Doorkeeper::AccessGrant.by_token(authorization_code)
grant.redirect_uri == redirect_uri
application = Doorkeeper::Application.by_uid_and_secret(client_id, client_secret)
dk_client = Doorkeeper::OAuth::Client.new(application)
!!dk_client
grant.application_id == dk_client.id
grant.accessible? # !grant.expired? && !grant.revoked?
See
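As an added example that is not part of the original answer or of Doorkeeper's own code, the following plain-Ruby model runs the checks the answer lists (redirect_uri present, grant found, redirect_uri equal, client found, grant issued to that client, grant neither expired nor revoked) over constructed in-memory data. The Client and Grant structs, the sample rows, the NOW reference time and validate_authorization_code are all assumptions made for this illustration; the error symbols follow the OAuth 2.0 error codes a token endpoint returns.

```ruby
# Added example, not Doorkeeper's own code: a plain-Ruby model of the checks
# listed above for validating an authorization code at the token endpoint.
# Client, Grant, the in-memory tables, NOW and validate_authorization_code are
# constructed for this illustration.

Client = Struct.new(:id, :uid, :secret, keyword_init: true)

Grant = Struct.new(:token, :application_id, :redirect_uri, :expires_at, :revoked_at,
                   keyword_init: true) do
  def expired?(now)
    expires_at <= now
  end

  def revoked?
    !revoked_at.nil?
  end

  # Mirrors the last check in the answer: !expired? && !revoked?
  def accessible?(now)
    !expired?(now) && !revoked?
  end
end

NOW = Time.utc(2015, 4, 25, 3, 30, 0) # constructed reference time
OOB = 'urn:ietf:wg:oauth:2.0:oob'

# Constructed sample rows standing in for the applications and grants tables.
CLIENTS = [
  Client.new(id: 1, uid: 'client-uid-1', secret: 'secret-1'),
  Client.new(id: 2, uid: 'client-uid-2', secret: 'secret-2')
].freeze

GRANTS = [
  Grant.new(token: 'code-good', application_id: 1, redirect_uri: OOB,
            expires_at: NOW + 600, revoked_at: nil),
  Grant.new(token: 'code-expired', application_id: 1, redirect_uri: OOB,
            expires_at: NOW - 1, revoked_at: nil),
  Grant.new(token: 'code-revoked', application_id: 1, redirect_uri: OOB,
            expires_at: NOW + 600, revoked_at: NOW - 5),
  Grant.new(token: 'code-other-client', application_id: 2,
            redirect_uri: 'https://app.example/callback',
            expires_at: NOW + 600, revoked_at: nil)
].freeze

# Constant-time byte comparison so the secret check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def find_client(uid, secret)
  CLIENTS.find { |c| c.uid == uid && secure_compare(c.secret, secret) }
end

def find_grant(code)
  GRANTS.find { |g| g.token == code }
end

# Runs the checks in the order the answer gives them. Returns [:ok, grant] or
# [:error, oauth_error_code].
def validate_authorization_code(code:, client_id:, client_secret:, redirect_uri:, now: Time.now)
  return [:error, :invalid_redirect_uri] if redirect_uri.nil? || redirect_uri.empty?

  grant = find_grant(code)
  return [:error, :invalid_grant] if grant.nil?
  # Exact string match: a prefix or substring comparison would let a code be
  # redeemed with a redirect_uri the user never approved.
  return [:error, :invalid_redirect_uri] unless grant.redirect_uri == redirect_uri

  client = find_client(client_id, client_secret)
  return [:error, :invalid_client] if client.nil?
  # The code may only be redeemed by the application it was issued to.
  return [:error, :invalid_grant] unless grant.application_id == client.id
  return [:error, :invalid_grant] unless grant.accessible?(now)

  [:ok, grant]
end

if $PROGRAM_NAME == __FILE__
  %w[code-good code-expired code-revoked code-other-client missing].each do |code|
    status, detail = validate_authorization_code(code: code, client_id: 'client-uid-1',
                                                 client_secret: 'secret-1',
                                                 redirect_uri: OOB, now: NOW)
    puts "#{code}: #{status} #{detail.is_a?(Grant) ? 'grant accepted' : detail}"
  end
end
```

The mismatch cases deliberately collapse to a generic invalid_grant rather than saying which check failed, and the redirect_uri comparison is an exact equality, both of which are the properties a reviewer would want to confirm in any token endpoint that accepts authorization codes.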