Documentation for OAuthBase feature¶ ↑
The oauth_base feature implements all basic functionality in order to set up an authorization server and verify OAuth tokens.
It sets up the token URL, used to generate OAuth access tokens.
datatracker.ietf.org/doc/html/rfc6749
In your routing block, you can require OAuth token based authorization via:
rodauth.require_oauth_authorization # or rodauth.require_oauth_authorization("books.read") # scope-based authorization
It also implements the refresh token grant flow.
Auth Value Methods¶ ↑
| oauth_application_scopes |
default scopes to assign to a client application, |
| oauth_token_type |
type of the generated access token, |
| oauth_grant_expires_in |
The number of seconds an oauth grant is valid after creation, |
| oauth_access_token_expires_in |
The number of seconds an oauth token is valid after creation, |
| oauth_refresh_token_expires_in |
The number of seconds a refresh token is valid after creation, |
| oauth_refresh_token_protection_policy |
protection policy for the refresh token ( |
| oauth_scope_separator |
character used to separate scopes in the db field value, white-space by default. |
| oauth_token_endpoint_auth_methods_supported |
list of supported auth methods for the token endpoint (contains “client_secret_basic” and “client_secret_post” by default). |
| oauth_grant_types_supported |
list of supported grant types. |
| oauth_response_types_supported |
list of supported response types. |
| oauth_response_modes_supported |
list of supported response modes. |
| oauth_valid_uri_schemes |
list of supported URI schemes for a client application’s “redirect_uri”, |
| oauth_applications_table |
the db table where oauth applications are stored, |
| oauth_applications_id_column |
the db column where the oauth application primary key is stored, |
| oauth_applications_account_id_column |
the db column where the oauth application account ID it belongs to is stored, |
| oauth_applications_name_column |
the db column where the oauth application name is stored, |
| oauth_applications_description_column |
the db column where the oauth application description is stored, |
| oauth_applications_scopes_column |
the db column where the oauth allowed scopes are stored, |
| oauth_applications_client_id_column |
the db column where the oauth application client ID is stored, |
| oauth_applications_client_secret_column |
the db column where the oauth application plaintext client secret is stored, |
| oauth_applications_client_secret_hash_column |
the db column where the oauth application hashed client secret is stored, |
| oauth_applications_redirect_uri_column |
the db column where the oauth application redirect URI is stored, |
| oauth_applications_homepage_url_column |
the db column where the oauth application homepage URL is stored, |
| oauth_applications_contacts_column |
the db column where the oauth application contacts are stored, |
| oauth_applications_grant_types_column |
the db column where the oauth application supported grant types are stored, |
| oauth_applications_response_types_column |
the db column where the oauth application supported response types are stored, |
| oauth_applications_response_modes_column |
the db column where the oauth application supported response modes are stored, |
| oauth_applications_jwks_column |
the db column where the oauth application JSON Web Keys are stored, |
| oauth_applications_jwks_uri_column |
the db column where the oauth application JSON Web Keys URI is stored, |
| oauth_applications_logo_uri_column |
the db column where the oauth application logo URL is stored, |
| oauth_applications_policy_uri_column |
the db column where the oauth application policy URL is stored, |
| oauth_applications_tos_uri_column |
the db column where the oauth application terms of service URL is stored, |
| oauth_applications_software_id_column |
the db column where the oauth application software ID is stored, |
| oauth_applications_software_version_column |
the db column where the oauth application software version is stored, |
| oauth_applications_token_endpoint_auth_method_column |
the db column where the oauth application supported auth method for the token endpoint is stored, |
| oauth_grants_table |
the db table where oauth grants are stored, |
| oauth_grants_id_column |
the db column where the oauth grant primary key is stored, |
| oauth_grants_oauth_application_id_column |
the db column where the oauth grant oauth application ID is stored, |
| oauth_grants_account_id_column |
the db column where the oauth grant account ID is stored, |
| oauth_grants_type_column |
the db column where the grant type is stored, |
| oauth_grants_code_column |
the db column where the oauth grant authorization code is stored, |
| oauth_grants_redirect_uri_column |
the db column where the oauth grant redirect URI is stored, |
| oauth_grants_scopes_column |
the db column where the oauth grant scopes are stored, <tt>:scopes<tt> by default. |
| oauth_grants_expires_in_column |
the db column where the oauth grant expiration time is stored, |
| oauth_grants_revoked_at_column |
the db column where the oauth grant revocation time is stored, |
| oauth_grants_token_column |
the db column where the oauth token access token is stored (when it’s stored), |
| oauth_grants_refresh_token_column |
the db column where the refresh token is stored, |
| oauth_grants_token_hash_column |
the db column where the access token hash is stored, <tt>:token<tt> by default. |
| oauth_grants_refresh_token_hash_column |
the db column where the refresh token hash is stored, <tt>:refresh_token<tt> by default. |
| json_response_content_type |
The content type to set for json responses, |
| json_request_regexp |
The regexp to retrieve a valid json content type. |
| oauth_authorization_required_error_status |
HTTP status code used for authorization errors, |
| oauth_invalid_response_status |
HTTP status code used for invalid responses, |
| oauth_already_in_use_response_status |
HTTP status code used for already in use responses, |
| only_json? |
whether the application responds only with json. |
| oauth_invalid_client_message |
error description for the “invalid_client” OAuth error code, |
| oauth_invalid_grant_type_message |
error description for the “invalid_grant_type” OAuth error code, |
| oauth_invalid_grant_type_error_code |
oauth error code for using invalid grants, |
| oauth_invalid_grant_message |
error description for the “invalid_grant” OAuth error code, |
| oauth_invalid_scope_message |
error description for the “invalid_scope” OAuth error code, |
| oauth_unsupported_token_type_message |
error description for the “unsupported_token_type” OAuth error code, |
| oauth_already_in_use_error_code |
oauth error code for when a token is already in use, |
| oauth_already_in_use_message |
error description for the “already_in_use” OAuth error code. |
| oauth_metadata_service_documentation |
OAuth service documentation URL, |
| oauth_metadata_ui_locales_supported |
UI locales supported in the OAuth journey, |
| oauth_metadata_op_policy_uri |
OAuth use of data and client requirements URL, |
| oauth_metadata_op_tos_uri |
OAuth terms of service, |
| is_authorization_server? |
flag to signal whether it’s an authorization server, |
| token_route |
the route for token generation, defaults to |
| oauth_unique_id_generation_retries |
max retries for token generation. |
| oauth_reuse_access_token |
when true, it’ll reuse the same access token for a given account/client application for each new verified grant. |
| require_authorization_error_flash |
The flash error to display when authorization is required. |
| revoke_unauthorized_account_error_flash |
The flash error to display when an unauthorized account tries to revoke a token. |
| oauth_cancel_button |
button label which cancels the device verification. |
| http_request |
performs a GET http request to the given URL (or a POST with url-encoded body, if form data is passed) |
| http_request_cache |
store where http requests get cached according to the HTTP cache rules. |
| authorization_server_url |
returns the authorization server origin URL. |
| oauth_grants_unique_columns |
uniqueness index to use in ON CONFLICT queries (when supported). |
Auth Methods¶ ↑
| before_token_route |
Run arbitrary code before the token route. |
| before_token |
Run arbitrary code before generating an access token. |
| fetch_access_token |
retrieves the access token from the request (defaults to fetching from the “Authorization” header). |
| secret_matches? |
verifies if provided secret matches the application’s client secret. |
| secret_hash |
calculates the hash of a given client secret. |
| generate_token_hash |
hashes an access token (when the token hash is stored in the db). |
| oauth_unique_id_generator |
generates random base64 strings, used for raw access tokens, client IDs, etc. |
| require_authorizable_account |
requires the account to be logged in by default (calls ‘require_account`), can be overriden to add more functionality (i.e. requiring 2FA before authorization). |
| oauth_account_ds |
returns a dataset filtered for an account id (overriden in rails to use Active Record |
| oauth_application_ds |
returns a dataset filtered for an oauth application id (overriden in rails to use Active Record |