Dominik Goltermann

Reputation: 4306

How to do Application-only authentication in doorkeeper (oauth2)

Twitter has application-only authentication for their API: https://dev.twitter.com/docs/auth/application-only-auth

Twitter offers applications the ability to issue authenticated requests on behalf of the application itself (as opposed to on behalf of a specific user)

I want to do the same with doorkeeper in Rails, but I'm not sure how to do that. It seems to be only possible to authenticate users via a callback URL, but how can I access my API using the application's context (only by using the app ID and app secret)?

My first idea was to do a password credentials login with the app's ID and secret to obtain an access token that belongs to the application. Is this a bad idea? Is it safe from a security point of view? I am wondering because the app's secret is saved as plain text in the DB, which is a no-go for user authentication.

Upvotes: 1

Views: 1874

Answers (1)

gillien

Reputation: 412

It is something you can definitely do: you can see it in the example here, where it generates a token with client_credentials but no username/password:

curl -i http://localhost:5100/oauth/token \
-F grant_type="client_credentials" \
-F client_id="your_application_id" \
-F client_secret="your_secret"

It is up to you afterwards to check whether you have a resource_owner associated with your doorkeeper_token.

Upvotes: 5
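
The check the answer leaves to the API, sketched as an added example that is not part of the answer or of doorkeeper's own code: a token issued through client_credentials has no resource owner (resource_owner_id is nil), so the API has to decide per endpoint whether an application-only caller is acceptable. The Token struct, APP_ONLY_ENDPOINTS, authorize and the sample values are hypothetical stand-ins so the example runs without Rails.

```ruby
# Stand-in for the access token fields used here (constructed for this example,
# not doorkeeper's class). resource_owner_id is nil for client_credentials tokens.
Token = Struct.new(:application_id, :resource_owner_id, :scopes,
                   :expires_at, :revoked, keyword_init: true) do
  def accessible?(now = Time.now)
    !revoked && now < expires_at
  end
end

# Hypothetical policy: endpoints that may be called without a user context.
APP_ONLY_ENDPOINTS = %w[status#show search#index].freeze

# Returns [:ok, principal] or [:deny, reason] for a request to `endpoint`.
def authorize(token, endpoint, required_scope)
  return [:deny, :invalid_token] if token.nil? || !token.accessible?
  return [:deny, :insufficient_scope] unless token.scopes.include?(required_scope)

  if token.resource_owner_id.nil?
    # Application-only context: refuse anything that acts on a specific user.
    return [:deny, :user_context_required] unless APP_ONLY_ENDPOINTS.include?(endpoint)
    [:ok, { kind: :application, id: token.application_id }]
  else
    [:ok, { kind: :user, id: token.resource_owner_id, via_app: token.application_id }]
  end
end

# Constructed sample tokens: one application-only, one user-bound, one expired.
def sample_tokens(now = Time.now)
  {
    app:  Token.new(application_id: 7, resource_owner_id: nil, scopes: %w[public],
                    expires_at: now + 3600, revoked: false),
    user: Token.new(application_id: 7, resource_owner_id: 42, scopes: %w[public write],
                    expires_at: now + 3600, revoked: false),
    old:  Token.new(application_id: 7, resource_owner_id: nil, scopes: %w[public],
                    expires_at: now - 1, revoked: false)
  }
end

if __FILE__ == $PROGRAM_NAME
  t = sample_tokens
  p authorize(t[:app], "search#index", "public")
  p authorize(t[:app], "profile#update", "public")
  p authorize(t[:user], "profile#update", "write")
end
```

In a Rails controller the same decision would sit in a before_action that reads doorkeeper_token.resource_owner_id.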