class Doorkeeper::TokensController

def authorized?

OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
Public clients (as per RFC 7009) do not require authentication whereas
confidential clients must be authenticated for their token revocation.

Once a confidential client is authenticated, it must be authorized to
revoke the provided access or refresh token. This ensures one client
cannot revoke another's tokens.

Doorkeeper determines the client type implicitly via the presence of the
OAuth client associated with a given access or refresh token. Since public
clients authenticate the resource owner via "password" or "implicit" grant
types, they set the application_id as null (since the claim cannot be
verified).

https://tools.ietf.org/html/rfc6749#section-2.1
https://tools.ietf.org/html/rfc7009

def authorized?
  return unless token.present?
  # Client is confidential, therefore client authentication & authorization
  # is required
  if token.application_id? && token.application.confidential?
    # We authorize client by checking token's application
    server.client && server.client.application == token.application
  else
    # Client is public, authentication unnecessary
    true
  end
end
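The decision above, as an added stand-alone example (not Doorkeeper's own code): `Application`, `Token` and `Client` are constructed stand-ins for Doorkeeper's models, the `client` argument stands for `server.client`, and `token.present?` is modelled as a non-nil token with a non-empty value, so the three outcomes (owner, foreign client, unauthenticated) can be exercised offline.

```ruby
# Constructed stand-in for Doorkeeper::Application; confidential defaults to
# true in Doorkeeper, a "public" app is registered with confidential: false.
Application = Struct.new(:id, :confidential) do
  def confidential?
    confidential
  end
end

# Constructed stand-in for an access/refresh token. application is nil for
# tokens obtained by public clients via the "password" or "implicit" grants
# (application_id NULL in the database).
Token = Struct.new(:value, :application) do
  def application_id?
    !application.nil?
  end
end

# Constructed stand-in for the client Doorkeeper authenticated from the
# request credentials (server.client); nil when none were presented.
Client = Struct.new(:application)

# Mirrors TokensController#authorized?; an absent token yields false here
# (the original returns nil, which is equally falsy).
def revocation_authorized?(token, client)
  return false unless token && token.value && !token.value.empty?

  if token.application_id? && token.application.confidential?
    # Confidential client: it must have authenticated AND own the token.
    !client.nil? && client.application == token.application
  else
    # Public client (no application, or a non-confidential one): no auth needed.
    true
  end
end

# Constructed sample data.
ACME  = Application.new(1, true)
OTHER = Application.new(2, true)
SPA   = Application.new(3, false)
CONFIDENTIAL_TOKEN = Token.new("tok-acme-1", ACME)
PUBLIC_TOKEN       = Token.new("tok-public-1", nil)
SPA_TOKEN          = Token.new("tok-spa-1", SPA)

def demo
  {
    owner_revokes:           revocation_authorized?(CONFIDENTIAL_TOKEN, Client.new(ACME)),  # true
    other_client_revokes:    revocation_authorized?(CONFIDENTIAL_TOKEN, Client.new(OTHER)), # false
    unauthenticated_revokes: revocation_authorized?(CONFIDENTIAL_TOKEN, nil),               # false
    public_token:            revocation_authorized?(PUBLIC_TOKEN, nil),                     # true
    non_confidential_app:    revocation_authorized?(SPA_TOKEN, nil),                        # true
  }
end

puts demo
```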