NOTE: This repo has been archived and is no longer maintained or supported. For current active projects visit authlete.com/developers.
A sample implementation of OAuth 2.0 server in Ruby using Authlete.
server.rb
is the script which implements OAuth 2.0 endpoints (the
authorization endpoint and the token endpoint) and two protected
resource endpoints (/fortune
and /saying
) as examples. HTMLs
used by the endpoints are embedded in the script (after __END__
).
See Authlete Getting Started for details.
Apache License, Version 2.0
git clone https://github.com/authlete/authlete-ruby-sample-server.git
gem install sinatra
gem install thin
gem install rest-client
After downloading the source code, open server.rb
with a text editor and
change the values of the following global variables.
$SERVICE_API_KEY
$SERVICE_API_SECRET
$SERVICE_API_KEY
and $SERVICE_API_SECRET
are the credentials of a service
which you have created by calling Authlete's /service/create
API.
As necessary, change the value of the following global variable, too.
$AUTHLETE_BASE_URL
$AUTHLETE_BASE_URL
is the URL of the Authlete server you use. For evaluation,
set https://evaluation-dot-authlete.appspot.com
to the variable.
server.rb
implements the following endpoints.
-
The top page
-
The authorization endpoint
-
The token endpoint
-
The protected resource endpoints
-
The redirection endpoint (for client)
Note that it is not an OAuth 2.0 server that should implement a redirection endpoint. Instead, it is the developer of the client application who has to prepare the redirection endpoint. However, this sample server implements an redirection endpoint (= the last one in the list above) just to show what a redirection endpoint receives. Please don't be confused.
-
Run
server.rb
. -
Access the top page (http://localhost:4567/)
-
At the top page, input the client ID of your client application (which you have registered by calling Authlete's
/client/create
API) and press "Authorization Request" button, and the web browser is redirected to the authorization endpoint (http://localhost:4567/authorization). -
At the authorization endpoint, press "Authorize" button, and the web browser is redirected to the client's redirection endpoint (http://localhost:4567/callback). On success, an authorization code is displayed in the endpoint.
-
At the redirection endpoint, input the client ID of your client application and press "Token Request" button, and you receive a JSON containing an access token.
-
Access a protected resource endpoint with the access token issued at the step above. For example,
The quality of this source code does not satisfy the commercial level. Especially:
-
The endpoints are not protected by TLS.
-
The authorization endpoint does not support HTTP POST method (OpenID Connect requires it).
-
The authorization endpoint does not authenticate the end-user. End-user authentication always succeeds as if
joe
logged in the service every time. Authentication Context Class Reference, Maximum Authentication Age and others that should be taken into consideration are ignored. -
The authorization endpoint always fails when the request contains
prompt=none
. -
'Claims' and 'ACR' are not set in the request for
/auth/authorization/issue
API. They are needed when the authorization endpoint supports any ofresponse_type
s which issue an ID token. -
The token endpoint does not support "Resource Owner Password Credentials", so it always fails when the token request contains
grant_type=password
.