
I can't figure out the difference between Token and Grant in Doorkeeper. At which moment does Doorkeeper create an Access Grant, and when an Access Token? The documentation doesn't seem to say anything about it, and now I'm reading the code, but it is not a dozen lines.

Holger Just
Tute
  • Can you post a link to both documentations? I mean, one link to the documentation talking about the Access Grant and another talking about the Access Token? – Rael Gugelmin Cunha Jan 28 '15 at 11:08
  • There is no documentation. I only see them in the code, but there is no mention in the docs. – Tute Jan 29 '15 at 11:34

2 Answers


I recommend also reading the documentation of oauth2.
As I understand it, Doorkeeper is based on the protocol described in that documentation too.

In Doorkeeper, you will get an access grant first and then an access token.

An access grant usually only lives for a very short time (the default in Doorkeeper is 10 minutes). You get it by making a GET request to api-url/oauth/authorize (don't forget to pass client_id, redirect_uri, and response_type as parameters; response_type will have the value "code").

Once the user allows the app (the user clicks the "allow" button), Doorkeeper will return the access grant as a parameter in the redirect URL. Take that code and you can now use it to make a POST request to api-url/oauth/token to get your access_token and refresh_token.

Using the access_token, you can get the resources of the API for a limited time (Doorkeeper's default is one hour if I'm not mistaken). When the access_token has expired, use the refresh_token to get a new access_token, and so on.

In summary, the access grant is the key given as the sign that the user has allowed the app to use their resources.
The access token is the key given to permit an app to use resources for a limited, defined time.

Hope it can help.

lutfianasari
    I would also add that an important thing is that the grant code is passed in the clear through the web agent (usually the web browser), which is untrusted by the application. It then uses this code combined with a secret sent over that POST request mentioned above to get the token securely. – peterept Mar 16 '15 at 01:44
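To make the grant/token split concrete, here is an added example (not code from the answer or from Doorkeeper itself) that models the two steps described above as a toy in-memory authorization server: `authorize` is what happens at `/oauth/authorize` once the user clicks "allow", and `token`/`refresh` are the two `/oauth/token` exchanges. The 10-minute grant and 1-hour token lifetimes are Doorkeeper's defaults as stated in the answer; the client registry shape, method names and error strings are this example's own assumptions. It also enforces the checks a practitioner would expect on the grant (single use, expiry, redirect_uri match, client secret) since, as the comment notes, the code travels through an untrusted browser.

```ruby
require 'securerandom'
# Toy in-memory authorization server (hypothetical, not Doorkeeper's code): grant at /oauth/authorize, token at /oauth/token.
class AuthServer
  GRANT_TTL = 10 * 60 # Doorkeeper default grant lifetime: 10 minutes
  TOKEN_TTL = 60 * 60 # Doorkeeper default token lifetime: 1 hour
  def initialize(clients)
    @clients = clients # client_id => { secret:, redirect_uri: }   (constructed registry)
    @grants  = {}      # code => { client_id:, redirect_uri:, expires_at:, used: }
    @tokens  = {}      # refresh_token => { client_id:, access_token:, expires_at: }
  end

  # /oauth/authorize after the user clicked "allow": issue a grant bound to client and redirect_uri.
  def authorize(client_id:, redirect_uri:, now: Time.now)
    client = @clients[client_id]
    raise 'unknown client or redirect_uri' unless client && client[:redirect_uri] == redirect_uri
    code = SecureRandom.hex(16)
    @grants[code] = { client_id: client_id, redirect_uri: redirect_uri, expires_at: now + GRANT_TTL, used: false }
    code
  end

  # /oauth/token (authorization_code): grant is single-use, short-lived, needs the client secret the browser never saw.
  def token(client_id:, client_secret:, code:, redirect_uri:, now: Time.now)
    check_client!(client_id, client_secret)
    grant = @grants[code]
    raise 'invalid grant' unless grant && grant[:client_id] == client_id && grant[:redirect_uri] == redirect_uri
    raise 'grant used or expired' if grant[:used] || now > grant[:expires_at]
    grant[:used] = true
    issue_token(client_id, now)
  end

  # /oauth/token (refresh_token): the old refresh token is revoked and a new pair is issued.
  def refresh(client_id:, client_secret:, refresh_token:, now: Time.now)
    check_client!(client_id, client_secret)
    old = @tokens.delete(refresh_token)
    raise 'invalid refresh token' unless old && old[:client_id] == client_id
    issue_token(client_id, now)
  end

  private
  def check_client!(client_id, secret)
    c = @clients[client_id]
    raise 'bad client credentials' unless c && c[:secret] == secret
  end
  def issue_token(client_id, now)
    pair = { access_token: SecureRandom.hex(16), refresh_token: SecureRandom.hex(16), expires_in: TOKEN_TTL }
    @tokens[pair[:refresh_token]] = { client_id: client_id, access_token: pair[:access_token], expires_at: now + TOKEN_TTL }
    pair
  end
end
```

Pass an explicit `now:` to step the clock and watch a grant be refused after ten minutes while the token it produced is still good for an hour.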

I'm assuming you're talking about the Web Server flow, as you're using a Ruby gem in a Rails app (as you know, there are 4 flows).

Usually in the Web Server flow, the Grant is the moment when the user clicks a link to consent to authorization: he/she will be asked to authorize the app to read/write data.

If consent is granted, then the app will get a temporary code. With this code, in the background, the app will ask the service provider for the Token.

Then, only with the Token will the app be able to use the service provider's APIs.

Rael Gugelmin Cunha