Oauth Applications And Grant Management

rodauth-oauth provides management dashboards via the following features:

  • oauth_application_management - dashboards where the authorization server users can create client applications, edit parameters, and list and revoke grants for each of these client applications.
  • oauth_grant_management - dashboards where the authorization server users can list and revoke grants where they are the resource owners.

Who is it for

If you want to integrate client application management, or management of issued grants, into your application for your users.

How to enable it

In the roda app, after you load rodauth-oauth. However, make sure you protect access to the dashboards, as they do not require authentication by default!

# in the rodauth plugin configuration
plugin :rodauth do
  enable :oauth_application_management, :oauth_grant_management, :oauth_token_revocation
end

# in the roda app
route do |r|
  r.rodauth

  # the dashboards do not require authentication by default, so require it here
  r.require_authentication

  # oauth application dashboard
  # users can read/modify/delete their oauth client applications
  # users can see and revoke grants which were issued for their applications
  r.load_oauth_application_management_routes

  # oauth grants dashboard
  # users can see details about and revoke grants issued for their accounts
  r.load_oauth_grant_management_routes
end

Routes

Calling r.load_oauth_application_management_routes will generate the following URLs:

  • GET /oauth-applications: displays the OAuth applications dashboard;
  • GET /oauth-applications/{application_id}: returns an OAuth application page;
  • GET /oauth-applications/{application_id}/oauth-grants: returns the OAuth grants from an OAuth application page;
  • GET /oauth-applications/new: returns a new OAuth application form;
  • POST /oauth-applications: processes a new OAuth application request;

Calling r.load_oauth_grant_management_routes will generate the following URLs:

  • GET /oauth-grants: returns the OAuth grants dashboard;
  • POST /oauth-grants/{grant_id}: revokes the grant;

Views

As with the authorization form, you have to bundle the following erb/html views:

  • oauth_applications.(erb|str|...): the list of OAuth applications;
  • oauth_application.(erb|str|...): the OAuth application page;
  • new_oauth_application.(erb|str|...): the new OAuth application form;
  • oauth_application_oauth_grants.(erb|str|...): the list of OAuth grants from an application;
  • oauth_grants.(erb|str|...): the list of OAuth grants issued for the authenticated user;

Client Secret Security

Default client application forms contain a client secret input. You can keep it or remove it (and let the provider generate a random secret for you). In both cases, the client secret is hashed with bcrypt before being stored, which makes it more resistant to a potential database leak.
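The flow this paragraph describes, as an added example that is not rodauth-oauth's own code: an application is registered from the form (with or without a user-supplied secret), only a hash is stored, and a secret presented later is checked against that record. rodauth-oauth uses bcrypt; this stand-alone version swaps in PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library so it runs without extra gems, and the function names and record layout are assumptions.

```ruby
require "openssl"
require "securerandom"

# Added example, not rodauth-oauth's own code: it models what the "new OAuth
# application" form does with the client secret field. rodauth-oauth hashes
# the secret with bcrypt; this stand-alone version uses PBKDF2-HMAC-SHA256
# from Ruby's stdlib OpenSSL so it runs without extra gems.
PBKDF2_ITERATIONS = 100_000
HASH_BYTES = 32

# Hash a client secret with a fresh random salt. Only this string is stored.
def hash_client_secret(secret, salt: SecureRandom.bytes(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(secret, salt: salt, iterations: PBKDF2_ITERATIONS,
                                    length: HASH_BYTES, hash: "sha256")
  "pbkdf2-sha256$#{PBKDF2_ITERATIONS}$#{[salt].pack('m0')}$#{[digest].pack('m0')}"
end

# Register an application from the form input. A blank client_secret means
# "let the provider generate one". The plaintext is returned exactly once so it
# can be shown to the user; the persisted record never contains it.
def register_application(name:, client_secret: nil)
  plaintext = client_secret.to_s.empty? ? SecureRandom.hex(32) : client_secret
  record = { name: name, client_id: SecureRandom.uuid,
             client_secret_hash: hash_client_secret(plaintext) }
  [record, plaintext]
end

# Constant-time byte comparison, so a mismatch does not leak where it occurred.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a presented secret against a stored record (what a token endpoint does):
# recompute the hash with the stored parameters and compare in constant time.
def client_secret_valid?(record, presented)
  _alg, iterations, salt_b64, digest_b64 = record[:client_secret_hash].split("$")
  expected = digest_b64.unpack1("m0")
  actual = OpenSSL::KDF.pbkdf2_hmac(presented.to_s, salt: salt_b64.unpack1("m0"),
                                    iterations: iterations.to_i,
                                    length: expected.bytesize, hash: "sha256")
  secure_equal?(expected, actual)
end

if __FILE__ == $PROGRAM_NAME
  record, secret = register_application(name: "Demo client") # secret left blank
  puts "stored: #{record.inspect}" # contains only the hash, never the secret
  puts "leaked hash used as secret: #{client_secret_valid?(record, record[:client_secret_hash])}"
end
```

A leaked record therefore gives an attacker a hash they cannot present as the secret, which is the property the bcrypt storage in rodauth-oauth provides.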

Example

The roda example app is a good place to start.
