gitlab-org--gitlab-foss/config/initializers/doorkeeper.rb

Doorkeeper.configure do
  # Change the ORM that doorkeeper will use.
  # Currently supported options are :active_record, :mongoid2, :mongoid3, :mongo_mapper
  orm :active_record

  # This block will be called to check whether the resource owner is authenticated or not.
  resource_owner_authenticator do
    # Put your resource owner authentication logic here.
    if current_user
      current_user
    else
      # Ensure user is redirected to redirect_uri after login
      session[:user_return_to] = request.fullpath
      redirect_to(new_user_session_url)
      nil
    end
  end

  resource_owner_from_credentials do |routes|
    user = Gitlab::Auth.find_with_user_password(params[:username], params[:password])
    user unless user.try(:two_factor_enabled?)
  end

  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
  # admin_authenticator do
  #   # Put your admin authentication logic here.
  #   # Example implementation:
  #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
  # end

  # Authorization Code expiration time (default 10 minutes).
  # authorization_code_expires_in 10.minutes

  # Access token expiration time (default 2 hours).
  # If you want to disable expiration, set this to nil.
  access_token_expires_in nil

  # Reuse access token for the same resource owner within an application (disabled by default)
  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
  # reuse_access_token

  # Issue access tokens with refresh token (disabled by default)
  use_refresh_token

  # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
  # by default in non-development environments). OAuth2 delegates security in
  # communication to the HTTPS protocol so it is wise to keep this enabled.
  #
  force_ssl_in_redirect_uri false

  # Provide support for an owner to be assigned to each registered application (disabled by default)
  # Optional parameter confirmation: true (default false) if you want to enforce ownership of
  # a registered application
  # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
  enable_application_owner confirmation: false

  # Define access token scopes for your provider
  # For more information go to
  # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
  default_scopes(*Gitlab::Auth::DEFAULT_SCOPES)
  optional_scopes(*Gitlab::Auth::OPTIONAL_SCOPES)

  # Change the way client credentials are retrieved from the request object.
  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
  # falls back to the `:client_id` and `:client_secret` params from the `params` object.
  # Check out the wiki for more information on customization
  # client_credentials :from_basic, :from_params

  # Change the way access token is authenticated from the request object.
  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
  # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
  # Check out the wiki for more information on customization
  access_token_methods :from_access_token_param, :from_bearer_authorization, :from_bearer_param

  # Change the native redirect uri for client apps
  # When clients register with the following redirect uri, they won't be redirected to any server and the authorization code will be displayed within the provider
  # The value can be any string. Use nil to disable this feature. When disabled, clients must provide a valid URL
  # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
  #
  native_redirect_uri nil # 'urn:ietf:wg:oauth:2.0:oob'

  # Specify what grant flows are enabled in array of Strings. The valid
  # strings and the flows they enable are:
  #
  # "authorization_code" => Authorization Code Grant Flow
  # "implicit"           => Implicit Grant Flow
  # "password"           => Resource Owner Password Credentials Grant Flow
  # "client_credentials" => Client Credentials Grant Flow
  #
  grant_flows %w(authorization_code implicit password client_credentials)

  # Under some circumstances you might want to have applications auto-approved,
  # so that the user skips the authorization step.
  # For example if dealing with trusted a application.
  skip_authorization do |resource_owner, client|
    client.application.trusted?
  end

  # WWW-Authenticate Realm (default "Doorkeeper").
  # realm "Doorkeeper"

  # Allow dynamic query parameters (disabled by default)
  # Some applications require dynamic query parameters on their request_uri
  # set to true if you want this to be allowed
  # wildcard_redirect_uri false
end
Doorkeeper integration 2014-12-19 09:15:29 -05:00			`Doorkeeper.configure do`
			`# Change the ORM that doorkeeper will use.`
			`# Currently supported options are :active_record, :mongoid2, :mongoid3, :mongo_mapper`
			`orm :active_record`

			`# This block will be called to check whether the resource owner is authenticated or not.`
			`resource_owner_authenticator do`
			`# Put your resource owner authentication logic here.`
Implement OpenID Connect identity provider 2016-12-09 12:36:50 -05:00			`if current_user`
			`current_user`
			`else`
Add specs for Doorkeeper resource_owner_authenticator 2017-02-08 14:23:43 -05:00			`# Ensure user is redirected to redirect_uri after login`
			`session[:user_return_to] = request.fullpath`
Implement OpenID Connect identity provider 2016-12-09 12:36:50 -05:00			`redirect_to(new_user_session_url)`
			`nil`
			`end`
Doorkeeper integration 2014-12-19 09:15:29 -05:00			`end`

OAuth API documentation update 2015-01-12 18:30:34 -05:00			`resource_owner_from_credentials do \|routes\|`
Removed unnecessary service for user retrieval and improved API error message. 2016-08-17 12:56:50 -04:00			`user = Gitlab::Auth.find_with_user_password(params[:username], params[:password])`
Small refactor and syntax fixes. 2016-08-17 18:39:20 -04:00			`user unless user.try(:two_factor_enabled?)`
OAuth API documentation update 2015-01-12 18:30:34 -05:00			`end`

Doorkeeper integration 2014-12-19 09:15:29 -05:00			`# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.`
			`# admin_authenticator do`
			`# # Put your admin authentication logic here.`
			`# # Example implementation:`
			`# Admin.find_by_id(session[:admin_id]) \|\| redirect_to(new_admin_session_url)`
			`# end`

			`# Authorization Code expiration time (default 10 minutes).`
			`# authorization_code_expires_in 10.minutes`

			`# Access token expiration time (default 2 hours).`
			`# If you want to disable expiration, set this to nil.`
GitLab integration. Importer 2015-01-27 18:37:19 -05:00			`access_token_expires_in nil`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
			`# Reuse access token for the same resource owner within an application (disabled by default)`
			`# Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383`
			`# reuse_access_token`

			`# Issue access tokens with refresh token (disabled by default)`
			`use_refresh_token`

allow to use http in redirect url 2015-01-22 21:39:05 -05:00			`# Forces the usage of the HTTPS protocol in non-native redirect uris (enabled`
			`# by default in non-development environments). OAuth2 delegates security in`
			`# communication to the HTTPS protocol so it is wise to keep this enabled.`
			`#`
			`force_ssl_in_redirect_uri false`

Doorkeeper integration 2014-12-19 09:15:29 -05:00			`# Provide support for an owner to be assigned to each registered application (disabled by default)`
Convert hashes to ruby 1.9 style 2015-02-02 22:30:09 -05:00			`# Optional parameter confirmation: true (default false) if you want to enforce ownership of`
Doorkeeper integration 2014-12-19 09:15:29 -05:00			`# a registered application`
			`# Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support`
Convert hashes to ruby 1.9 style 2015-02-02 22:30:09 -05:00			`enable_application_owner confirmation: false`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
			`# Define access token scopes for your provider`
			`# For more information go to`
			`# https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes`
Calls to the API are checked for scope. - Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token` 2016-11-22 04:04:23 -05:00			`default_scopes(*Gitlab::Auth::DEFAULT_SCOPES)`
			`optional_scopes(*Gitlab::Auth::OPTIONAL_SCOPES)`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
			`# Change the way client credentials are retrieved from the request object.`
			# By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
			# falls back to the `:client_id` and `:client_secret` params from the `params` object.
			`# Check out the wiki for more information on customization`
			`# client_credentials :from_basic, :from_params`

			`# Change the way access token is authenticated from the request object.`
			# By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
			# falls back to the `:access_token` or `:bearer_token` params from the `params` object.
			`# Check out the wiki for more information on customization`
			`access_token_methods :from_access_token_param, :from_bearer_authorization, :from_bearer_param`

			`# Change the native redirect uri for client apps`
			`# When clients register with the following redirect uri, they won't be redirected to any server and the authorization code will be displayed within the provider`
			`# The value can be any string. Use nil to disable this feature. When disabled, clients must provide a valid URL`
			`# (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)`
			`#`
Add leading comment space cop 2016-05-31 18:33:46 -04:00			`native_redirect_uri nil # 'urn:ietf:wg:oauth:2.0:oob'`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
			`# Specify what grant flows are enabled in array of Strings. The valid`
			`# strings and the flows they enable are:`
			`#`
			`# "authorization_code" => Authorization Code Grant Flow`
			`# "implicit" => Implicit Grant Flow`
			`# "password" => Resource Owner Password Credentials Grant Flow`
			`# "client_credentials" => Client Credentials Grant Flow`
			`#`
#20628 Enable implicit flow in Gitlab as OAuth Provider Closes #20628 by re-enabling implicit grant in Doorkeeper config. OAuth2 documentation refactored. 2017-07-07 10:52:45 -04:00			`grant_flows %w(authorization_code implicit password client_credentials)`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
			`# Under some circumstances you might want to have applications auto-approved,`
			`# so that the user skips the authorization step.`
			`# For example if dealing with trusted a application.`
Backport gitlab-ee!2456 2017-07-24 16:45:12 -04:00			`skip_authorization do \|resource_owner, client\|`
			`client.application.trusted?`
			`end`
Doorkeeper integration 2014-12-19 09:15:29 -05:00
			`# WWW-Authenticate Realm (default "Doorkeeper").`
			`# realm "Doorkeeper"`

			`# Allow dynamic query parameters (disabled by default)`
			`# Some applications require dynamic query parameters on their request_uri`
			`# set to true if you want this to be allowed`
			`# wildcard_redirect_uri false`
			`end`