When using the Resource Owner Password Credentials flow, it would be helpful if we could customize the JSON response to POST /oauth/token. For example, we might want to tell the client that the password was wrong, or the user has been suspended, or something else unique to the user requesting the token. I don't think the approach described at https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-the-response-body-when-unauthorized will work because it just creates a customized response for all failed attempts to retrieve an access token and doesn't allow us to customize the response to explain why a specific request failed. Maybe a configuration block that takes the request as an argument, or the ability to raise an error with some customizable response JSON in the resource_owner_from_credentials config block? It would also be useful to change the response code, e.g. return a 403 Forbidden if the user exists, the credentials are fine, but they've been suspended.
#1032 (and its less-good predecessor #1001, available in v4.3.0) allows you to hook into the response for all grant types. You should be able to add an if guard for the password grant type and customize your response as you see fit.
I ended up working around this by subclassing Doorkeeper::TokensController, which gave me complete control over the response. I'm not sure #1032 would allow me to do the same thing because:
1. It only allows me to hook in when authorization was successful. I'm more interested in customizing error responses to tell the client why authorization failed.
2. Even if I perform an additional check on the authenticated user in after_successful_response, I just get a mostly immutable Doorkeeper::OAuth::TokenResponse (if I'm reading the TokenResponse class correctly, it seems like the only thing I can change is its token attribute). I can't change the body or the headers on that without type casting the response object in some way, which seems messy.
Anyway, I figured out a solution that works for me based on a custom controller. Since this is a pretty niche request, maybe that's the best option. If so, please feel free to close.
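An added example, not code from this issue or from Doorkeeper itself, of the password-grant error handling the thread is after: a plain Ruby module with no Rails or Doorkeeper dependency that gates on grant_type, returns 401 invalid_grant for bad credentials and 403 with an app-specific error for a suspended account, and returns nil to let Doorkeeper's default handling run otherwise. The `find_user` and `suspended` callables, the `account_suspended` error name and the controller sketch in the trailing comment are assumptions.

```ruby
require "json"

# Hypothetical helper (not Doorkeeper's own code) that decides, for a token
# request, whether to short-circuit with a custom error response.
module PasswordGrantErrors
  # Standard RFC 6749 section 5.2 error for bad resource-owner credentials.
  INVALID_GRANT = "invalid_grant"

  # params:    token request params (hash with string keys)
  # find_user: callable (username, password) -> user or nil, playing the role
  #            of the resource_owner_from_credentials block
  # suspended: callable (user) -> true/false; app-specific, assumed here
  # Returns { status:, headers:, body: } or nil ("let Doorkeeper handle it").
  def self.check(params, find_user:, suspended:)
    # Only the password grant is customized; other grant types fall through,
    # which is the if-guard suggested earlier in the thread.
    return nil unless params["grant_type"] == "password"

    user = find_user.call(params["username"], params["password"])
    if user.nil?
      # Same response for an unknown user and a wrong password, so the token
      # endpoint does not reveal which usernames exist.
      return respond(401, INVALID_GRANT, "The username or password is incorrect.")
    end

    if suspended.call(user)
      # Credentials were valid, so a 403 with a descriptive error is
      # reasonable: the user is authenticated but not allowed a token.
      return respond(403, "account_suspended", "This account has been suspended.")
    end

    nil # valid, active user: Doorkeeper issues the token as usual
  end

  def self.respond(status, error, description)
    {
      status: status,
      # Cache-Control/Pragma values the token endpoint is expected to send.
      headers: { "Content-Type" => "application/json",
                 "Cache-Control" => "no-store", "Pragma" => "no-cache" },
      body: JSON.generate({ error: error, error_description: description }),
    }
  end
end

# Assumed wiring (not Doorkeeper API), in the spirit of the subclass above:
#   class TokensController < Doorkeeper::TokensController
#     def create
#       custom = PasswordGrantErrors.check(params.to_unsafe_h,
#                                          find_user: ->(u, p) { User.authenticate(u, p) },
#                                          suspended: ->(user) { user.suspended? })
#       return render(json: custom[:body], status: custom[:status]) if custom
#       super
#     end
#   end
```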