Locked out after update


#1

hi all,

unfortunately the recent change of the HTTP method for the token url (/oauth/token) from POST to GET just locked me out after the update :slightly_frowning_face: I had to use the rails console in my instance to generate the SiteSetting manually to fix it. I must be able to run the forum with OAuth login only.

I use a rails app with doorkeeper as the authorization server. It unfortunately does not offer a GET route for /oauth/token.

Would it make sense to stick to POST as the default method?

Not sure if it’s violating the OAuth specification though.


OAuth2 Basic Support
(Robin Ward) #2

This has been put back to the default after we got some error reports. We had no desire to change the default. It was done accidentally.


#3

:smiley: :+1: Thanks a lot!


#4

That was on me, sorry about that.

On a different subject, I’m running into another use case for this plugin, I need to ping the user json user url in arbitrary before_action's, which means that I need to keep the unhashed access token in memory.

I’m thinking about setting it in session[:oauth2_access_token] within after_authenticate, and offer the class method OAuth2BasicAuthenticator.get_bearer_token.

Is that the right place to do something like this? Are there any concerns about keeping the access_token in session?