A grant represents a resource owner’s authorization for a client application to access its resources.
The grants are stored in a database table identified by the oauth_grants_table option (:oauth_grants by default). You can see an example of a db migration to create the grants table here
A grant is identified by:

- The client application ID identifies the client application this grant is for.
- The account ID identifies the account of the resource owner (for grants which do not specify a resource owner, such as the client credentials grant, it is not used).

The remaining columns are configured through the following options (option name, default column name, description):

- `oauth_grants_type_column` (default `:type`): specifies the process by which the grant was established (i.e. `authorization_code`, `implicit`, `client_credentials`, ...).
- `oauth_grants_code_column` (default `:code`): a unique code identifying the grant. For the authorization code grant, it is generated when the resource owner grants access to a client application. For the device code grant, it is used as the device code.
- `oauth_grants_expires_in_column` (default `:expires_in`): the timestamp after which the grant can't be used anymore.
- `oauth_grants_redirect_uri_column` (default `:redirect_uri`): the redirect URI this grant's code can be sent to.
- `oauth_grants_revoked_at_column` (default `:revoked_at`): the timestamp signaling if and when the grant was revoked.
- `oauth_grants_scopes_column` (default `:scopes`): the permission scopes this grant will have access to. Multiple scopes are stored as a whitespace-separated string. They must match or be a subset of the scopes defined in the client application.
- `oauth_grants_access_type_column` (default `:access_type`): when `"offline"`, the grant can be refreshed using a refresh token; when `"online"`, a new grant needs to be generated.
- `oauth_grants_token_hash_column` (default `:token`) / `oauth_grants_token_column` (default `:token`): the access token associated with this grant. Access tokens are hashed before being stored, in the column pointed to by `oauth_grants_token_hash_column`. However, if you need to store access tokens in plain text, you'll have to set that option to `nil` and define the column using `oauth_grants_token_column`:

  ```ruby
  oauth_grants_token_hash_column nil
  oauth_grants_token_column :token
  ```

  The token column can be omitted when using the `oauth_jwt` feature.
- `oauth_grants_refresh_token_hash_column` (default `:refresh_token`) / `oauth_grants_refresh_token_column` (default `:refresh_token`): the refresh token associated with this grant. Refresh tokens are hashed before being stored, in the column pointed to by `oauth_grants_refresh_token_hash_column`. However, if you need to store refresh tokens in plain text, you'll have to set that option to `nil` and define the column using `oauth_grants_refresh_token_column`:

  ```ruby
  oauth_grants_refresh_token_hash_column nil
  oauth_grants_refresh_token_column :refresh_token
  ```

- `oauth_grants_code_challenge_column` (default `:code_challenge`): the PKCE code challenge associated with this grant. This column can be omitted unless you're using the `oauth_pkce` feature.
- `oauth_grants_code_challenge_method_column` (default `:code_challenge_method`): the PKCE code challenge method associated with this grant (ex: `"S256"`). This column can be omitted unless you're using the `oauth_pkce` feature.
- `oauth_grants_user_code_column` (default `:user_code`): the user code associated with this grant, as described in the Device Code Grant RFC. This column can be omitted unless you're using the `oauth_device_code_grant` feature.
- `oauth_grants_last_polled_at_column` (default `:last_polled_at`): stores the timestamp of the last time the token endpoint was polled, as described in the Device Code Grant RFC. This column can be omitted unless you're using the `oauth_device_code_grant` feature.
- `oauth_grants_resource_column` (default `:resource`): the resources this grant is asking access for. Multiple resources are stored as a whitespace-separated string. This column can be omitted unless you're using the `oauth_resource_indicators` feature.
- `oauth_grants_certificate_thumbprint_column` (default `:certificate_thumbprint`): the thumbprint of the certificate used to generate this grant. This column can be omitted unless you're using the `oauth_tls_client_auth` feature with certificate-bound access tokens.
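As an added example that is not part of rodauth-oauth's documentation or code, the Ruby sketch below builds a grant row shaped like the columns above (hashed token, whitespace-separated scopes, expiry, revocation) and runs the checks a resource server applies before honouring a presented token: hash lookup, revocation, expiry, and the scopes-must-be-a-subset rule. The SHA-256 hashing, the `APPLICATION` record and the account id are assumptions for illustration, not the library's own routines.

```ruby
require "digest"

# Added example, not rodauth-oauth's own code: a grant row shaped like the
# table above, plus the checks a resource server runs before honouring a token.
# ASSUMPTION: tokens are hashed with SHA-256 here; the library's own hashing
# routine is not reproduced.
def token_hash(token)
  Digest::SHA256.hexdigest(token)
end

# Constant-time comparison so a lookup by hash does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed client application record; its scopes bound what any grant may hold.
APPLICATION = { id: 1, scopes: %w[profile.read email.read] }.freeze

# Builds the row as it would be stored: the plaintext token never reaches the DB.
def build_grant(token:, scopes:, expires_in:, now: Time.now)
  {
    oauth_application_id: APPLICATION[:id],
    account_id: 42,                    # constructed resource owner
    type: "authorization_code",
    scopes: scopes.join(" "),          # whitespace-separated, as described above
    access_type: "offline",
    token: token_hash(token),          # oauth_grants_token_hash_column
    expires_in: now + expires_in,      # oauth_grants_expires_in_column
    revoked_at: nil                    # oauth_grants_revoked_at_column
  }
end

# True only when every granted scope is one the application itself defines.
def scopes_allowed?(grant)
  (grant[:scopes].split(" ") - APPLICATION[:scopes]).empty?
end

# Checks a presented access token against a stored grant.
# Returns :ok, or a symbol naming the first check that fails.
def verify_grant(grant, presented_token, now: Time.now)
  return :unknown_token unless secure_equal?(grant[:token], token_hash(presented_token))
  return :revoked unless grant[:revoked_at].nil?
  return :expired unless now < grant[:expires_in]
  return :scope_escalation unless scopes_allowed?(grant)
  :ok
end
```

The order of checks matters: a token that does not hash to the stored value is rejected before revocation or expiry state is consulted, so the response does not reveal whether a guessed token ever existed.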