Reputation: 97
I have a Grape API that provides some endpoints, and Doorkeeper to handle authorization. By default, Doorkeeper enables the authorization code grant as well as the client credentials grant, so I can request an access token only with those two grants.
I wonder if there is a way in doorkeeper to limit or at least get the grant type used to request a provided access token?
For example, if someone requests a token with the authorization code grant, then when he requests a resource on the API, I want to know that he used the authorization code grant to get his token. I can then check, for every request made, whether the given token came from an authorization code grant or not, and provide the resource or not.
I know there are application scopes to handle specific authorization, but I wanted to know if there is a solution to this problem. This might not be a legitimate problem, and I might be missing something from the OAuth specification, so all comments are welcome!
Upvotes: 0
Views: 687
Reputation: 18991
Access tokens issued by Client Credentials flow are not associated with any resource owner. So, in your use case, you can tell whether an access token has been issued by Authorization Code flow or Client Credentials flow by checking whether the access token is associated with a resource owner or not.
Upvotes: 1
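The check the answer describes, as an added example that is not part of the original question or answer and not Doorkeeper's own code: Doorkeeper stores every token as a `Doorkeeper::AccessToken` row whose `resource_owner_id` is nil for Client Credentials tokens and set to the user's id for tokens issued on a resource owner's behalf. The `TokenRecord` struct, the `grant_family_for` and `authorize_user_resource` helpers, and the sample tokens below are all constructed stand-ins so the code runs offline without the Doorkeeper or Grape gems; the commented Grape wiring assumes the doorkeeper-grape gem's `doorkeeper_token` helper.

```ruby
# Constructed stand-in for Doorkeeper::AccessToken (not the real model):
# only the columns the check needs. Doorkeeper's oauth_access_tokens table
# does not record the grant type, so the resource owner is the signal.
TokenRecord = Struct.new(:token, :application_id, :resource_owner_id,
                         :scopes, :revoked_at, :expires_at,
                         keyword_init: true) do
  # Mirrors Doorkeeper::AccessToken#accessible?: usable only if neither
  # revoked nor expired.
  def accessible?(now = Time.now)
    revoked_at.nil? && (expires_at.nil? || expires_at > now)
  end
end

# Infer the grant family from the presence of a resource owner.
# :client_credentials  -> no user behind the token (machine-to-machine)
# :resource_owner      -> issued on behalf of a user (Authorization Code,
#                         and also Password/Implicit if those are enabled)
def grant_family_for(token)
  token.resource_owner_id.nil? ? :client_credentials : :resource_owner
end

# Decide whether a request may touch a user-scoped resource.
# Returns [http_status, reason] so the caller can map it to a response.
def authorize_user_resource(token, required_scope: nil)
  return [401, "missing token"] if token.nil?
  return [401, "token revoked or expired"] unless token.accessible?
  if grant_family_for(token) == :client_credentials
    return [403, "client credentials tokens cannot access user resources"]
  end
  if required_scope && !token.scopes.include?(required_scope)
    return [403, "missing scope #{required_scope}"]
  end
  [200, "ok"]
end

# Constructed sample tokens (in a real app these come from
# Doorkeeper::AccessToken.by_token(bearer) or the doorkeeper_token helper).
USER_TOKEN = TokenRecord.new(
  token: "u1", application_id: 1, resource_owner_id: 42,
  scopes: ["read"], revoked_at: nil, expires_at: Time.now + 3600
)
CLIENT_TOKEN = TokenRecord.new(
  token: "c1", application_id: 1, resource_owner_id: nil,
  scopes: ["read"], revoked_at: nil, expires_at: Time.now + 3600
)
REVOKED_TOKEN = TokenRecord.new(
  token: "r1", application_id: 1, resource_owner_id: 42,
  scopes: ["read"], revoked_at: Time.now - 60, expires_at: Time.now + 3600
)

# Assumed Grape wiring with the doorkeeper-grape gem (not run here):
#
#   helpers Doorkeeper::Grape::Helpers
#   before do
#     status, reason = authorize_user_resource(doorkeeper_token,
#                                              required_scope: "read")
#     error!(reason, status) unless status == 200
#   end

if __FILE__ == $PROGRAM_NAME
  [USER_TOKEN, CLIENT_TOKEN, REVOKED_TOKEN].each do |t|
    puts "#{t.token} (#{grant_family_for(t)}): " \
         "#{authorize_user_resource(t, required_scope: 'read').inspect}"
  end
end
```

Two caveats a practitioner should keep in mind: the check only separates "no user behind the token" from "issued for a user", so if you later enable the Password or Implicit grant, those tokens will pass as resource-owner tokens too; and a nil `resource_owner_id` must be treated as a hard deny on user-scoped endpoints rather than as "anonymous access", since it is exactly the Client Credentials case the question wants to exclude.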