
Allow blank redirect URI for Applications

Nikita Bulai edited this page Apr 1, 2019 · 4 revisions

Starting from Doorkeeper 5.1, you can allow users to create applications with a blank redirect URI if your server is configured to allow URI-less OAuth grant flows such as Client Credentials or Resource Owner Password Credentials (just like Twitter does).

# config/initializers/doorkeeper.rb
Doorkeeper.configure do
  grant_flows %w[password client_credentials]
end

The only thing you need to do is remove null: false manually from the t.text :redirect_uri column in your Doorkeeper migration (if you are creating a new application), or generate a new migration that drops the NOT NULL constraint (if you have a legacy application with Doorkeeper already in use).

Doorkeeper automatically checks which grant flows you have configured and validates the redirect URI only if one of them requires it (like Authorization Code or Implicit grant).

You can completely disable this feature by adding the following to your doorkeeper.rb initializer:

Doorkeeper.configure do
  # ...

  allow_blank_redirect_uri false
end

Or you can define a custom block with any check you need:

Doorkeeper.configure do
  # ...

  allow_blank_redirect_uri do |_grant_flows, client|
    client.superapp?
  end
end

[IMPORTANT]: Don't forget that if you enable OAuth grant flows that require a redirect URI (like authorization code or implicit) after using URI-less flows for some time, your applications automatically become invalid because they have a blank value. This won't break existing clients, but you won't be able to create a new application without a redirect URI using the Doorkeeper admin panel, or edit an existing one that has an empty redirect URI. So use this feature carefully.
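
The caveat above can be checked before grant_flows is changed. The following is an added example, not Doorkeeper's own code: a plain-Ruby model of the validation rule this page describes, which lists the applications that stop validating once a redirect-based flow is enabled. The names App, valid_redirect_uri? and newly_invalid are hypothetical, the sample applications are constructed, and it assumes authorization code and implicit are the only flows that require a redirect URI.

```ruby
# Added example: a simplified model of the rule described on this page.
# It is NOT Doorkeeper's implementation; all names here are hypothetical.

# Assumption: the flows that require a redirect URI are the two the page names.
REDIRECT_FLOWS = %w[authorization_code implicit].freeze

# Constructed stand-in for an OAuth application record.
App = Struct.new(:name, :redirect_uri, :superapp) do
  def superapp?
    superapp
  end
end

# Default policy as the page describes it: a blank URI is acceptable only
# while no configured grant flow needs a redirect URI.
DEFAULT_POLICY = ->(grant_flows, _client) { (grant_flows & REDIRECT_FLOWS).empty? }

# policy is true/false or a callable taking (grant_flows, client), mirroring
# the two forms of allow_blank_redirect_uri shown above.
def blank_redirect_allowed?(grant_flows, client, policy = DEFAULT_POLICY)
  policy.respond_to?(:call) ? !!policy.call(grant_flows, client) : !!policy
end

def valid_redirect_uri?(grant_flows, client, policy = DEFAULT_POLICY)
  return true unless client.redirect_uri.to_s.strip.empty?
  blank_redirect_allowed?(grant_flows, client, policy)
end

# Audit: applications valid under old_flows that fail under new_flows.
def newly_invalid(apps, old_flows, new_flows, policy = DEFAULT_POLICY)
  apps.select do |app|
    valid_redirect_uri?(old_flows, app, policy) &&
      !valid_redirect_uri?(new_flows, app, policy)
  end
end

# Constructed sample data.
APPS = [
  App.new("batch-worker", nil, false),
  App.new("mobile-login", "", false),
  App.new("web-portal", "https://portal.example.test/callback", false),
  App.new("internal-admin", nil, true)
].freeze

OLD_FLOWS = %w[password client_credentials].freeze
NEW_FLOWS = (OLD_FLOWS + %w[authorization_code]).freeze

puts newly_invalid(APPS, OLD_FLOWS, NEW_FLOWS).map(&:name).inspect if __FILE__ == $PROGRAM_NAME
```

Each application the audit reports needs a redirect URI assigned before it can be edited again once the new flow is enabled.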
