
So I am using doorkeeper in my Rails 4 app and built an API wrapper for it to help my Ruby users out. Almost everything works the way it's supposed to. I added an OAuth2 client that looks like this:

require 'oauth2-client'

module MyApiWrapper
  class OAuth2Client < OAuth2Client::Client

    SITE_URL       = 'https://myapp.com'
    TOKEN_PATH     = '/oauth/token'
    AUTHORIZE_PATH = '/oauth/authorize'

    def initialize(client_id, client_secret, opts={})
      site_url = opts.delete(:site_url) || SITE_URL
      opts[:token_path]     ||= TOKEN_PATH
      opts[:authorize_path] ||= AUTHORIZE_PATH
      super(site_url, client_id, client_secret, opts)
      yield self if block_given?
      self
    end

    ...

    def refresh!(token, opts={})
      opts[:authenticate] = :body
      refresh_token.get_token(token, opts)
    end
  end
end

When I first create an instance of the OAuth2Client and authorize a user it looks like this:

client = MyApiWrapper::OAuth2Client.new(ENV['CLIENT_ID'], ENV['CLIENT_SECRET'])
response = client.exchange_auth_code_for_token(:params => {
  :code => params[:code],
  :redirect_uri => 'http://localhost:3000/auth/myapp/callback'
})
token = JSON.parse response.body
access_token = token["access_token"]
@refresh_token = token["refresh_token"]

It responds with a token pair (with the refresh_token) the way that it's supposed to. Using that same OAuth2Client instance as before, I can successfully refresh the token in order to get a new token pair, like so:

response = client.refresh!(@refresh_token)

However, if I try to do the same thing with a new instance of an OAuth2Client (at a later time or in another controller, etc.) then I get the following error response from doorkeeper:

The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.
topher
  • Is there anything useful being spilled to your server logs? Perhaps indicating how the inbound requests are incorrect? – stevenharman Feb 18 '15 at 00:44
  • Thanks for the reminder to check my logs. For some reason, the logs are showing two POSTs to doorkeeper, the first completes with a 200 and of course the second ends in a 401 unauthorized since the refresh_token is no longer valid for the second POST. I'm not sure why it's doing it twice though. The time stamps are identical. – topher Feb 18 '15 at 16:51
  • I'm embarrassed to say that turbolinks was the culprit. It wasn't doorkeeper, any part of my API, it wasn't OAuth or my gem wrapper, it was turbolinks that was causing the post to be sent twice in my demo app that was showing how to use the gem wrapper. – topher Feb 18 '15 at 19:45

0 Answers
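
An added example (not part of the original question or its comments): a Ruby check for the pattern the log described in the comments shows, two POSTs to the token endpoint from the same client where the first returns 200 and the second 401. The log line format, `SAMPLE_LOG`, and the helper names `parse_entries` and `duplicate_token_posts` are assumptions constructed for illustration, not doorkeeper's or Rails' own.

```ruby
require 'time'

# Constructed sample log in an assumed format (not doorkeeper's or Rails' own):
#   <ISO 8601 timestamp> <method> <path> <status> client=<id>
SAMPLE_LOG = <<~LOG
  2015-02-18T16:50:58Z GET /auth/myapp/callback 200 client=demo
  2015-02-18T16:51:03Z POST /oauth/token 200 client=demo
  2015-02-18T16:51:03Z POST /oauth/token 401 client=demo
  2015-02-18T16:55:10Z POST /oauth/token 200 client=other
  2015-02-18T17:20:41Z POST /oauth/token 401 client=other
  this line is not a request entry
LOG

LINE_RE    = /\A(\S+) (\S+) (\S+) (\d{3}) client=(\S+)\z/
TOKEN_PATH = '/oauth/token'

Entry = Struct.new(:time, :verb, :path, :status, :client)

# Parse well-formed lines into Entry structs; skip anything that does not match.
def parse_entries(text)
  text.each_line.map do |line|
    m = LINE_RE.match(line.strip)
    next unless m
    begin
      Entry.new(Time.iso8601(m[1]), m[2], m[3], m[4].to_i, m[5])
    rescue ArgumentError
      nil # malformed timestamp
    end
  end.compact
end

# Flag a 200 immediately followed by a 401 on the token endpoint from the same
# client within `window` seconds. Log order is kept, so two entries with an
# identical timestamp are compared in the order they were written.
def duplicate_token_posts(text, window: 1)
  posts = parse_entries(text).select { |e| e.verb == 'POST' && e.path == TOKEN_PATH }
  posts.group_by(&:client).flat_map do |client, entries|
    pairs = entries.each_cons(2).select do |a, b|
      a.status == 200 && b.status == 401 && (b.time - a.time).between?(0, window)
    end
    pairs.map { |a, b| { client: client, at: a.time, statuses: [a.status, b.status] } }
  end
end

duplicate_token_posts(SAMPLE_LOG).each do |hit|
  puts "#{hit[:at].utc.iso8601} client=#{hit[:client]} statuses=#{hit[:statuses].inspect}"
end
```

The `other` client is not flagged: its 401 arrives about 25 minutes after the 200, which is outside the one-second window used for a double submit.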