class Doorkeeper::TokensController
def authorized?

OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".

RFC7009, Section 5. Security Considerations:
A malicious client may attempt to guess valid tokens on this endpoint by making revocation requests against potential token strings. According to this specification, a client's request must contain a valid client_id, in the case of a public client, or valid client credentials, in the case of a confidential client. The token being revoked must also belong to the requesting client.

Once a confidential client is authenticated, it must be authorized to revoke the provided access or refresh token. This ensures one client cannot revoke another's tokens.

Doorkeeper determines the client type implicitly via the presence of the OAuth client associated with a given access or refresh token. Since public clients authenticate the resource owner via "password" or "implicit" grant types, they set the application_id as null (since the claim cannot be verified).

https://datatracker.ietf.org/doc/html/rfc6749#section-2.1

```ruby
def authorized?
  # Token belongs to specific client, so we need to check if
  # authenticated client could access it.
  if token.application_id? && token.application.confidential?
    # We authorize client by checking token's application
    server.client && server.client.application == token.application
  else
    # Token was issued without client, authorization unnecessary
    true
  end
end
```
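The decision above can be exercised outside Rails with a small stand-alone model. The following is an added example, not Doorkeeper's own code: ClientApp, Token, revocation_authorized?, revoke and scenarios are constructed names, and the token store is a plain Hash built inline. It walks the three situations the comment describes (a confidential client revoking its own token, a confidential client presenting another client's token, and a token issued to a public client with no bound application) plus an unknown token string.

```ruby
# Added example, not Doorkeeper's own code: a stand-alone model of the
# authorized? decision on a token-revocation endpoint.

ClientApp = Struct.new(:name, :confidential, keyword_init: true) do
  def confidential?
    confidential
  end
end

# `application` is nil for tokens issued to public clients (password or
# implicit grants), mirroring a NULL application_id in Doorkeeper's table.
Token = Struct.new(:value, :application, :revoked, keyword_init: true) do
  def application_id?
    !application.nil?
  end
end

# authenticated_client is the client whose credentials the server verified
# on this revocation request (nil when none were presented or they failed).
def revocation_authorized?(authenticated_client, token)
  if token.application_id? && token.application.confidential?
    # Token is bound to a confidential client: only that client may revoke it.
    !authenticated_client.nil? && authenticated_client == token.application
  else
    # No verifiable client bound to the token: nothing further to check.
    true
  end
end

# Revocation handler modelled on RFC 7009 section 2.2: an unknown token
# string gets the same 200 as a successful revocation, so probing random
# strings reveals nothing about which tokens exist. Returning 403 for a
# token bound to a different confidential client is this model's choice.
def revoke(authenticated_client, token_string, token_store)
  token = token_store[token_string]
  return 200 if token.nil?
  return 403 unless revocation_authorized?(authenticated_client, token)
  token.revoked = true
  200
end

# Constructed sample data covering each case; returns the status codes
# and the final revoked flags so the outcome can be inspected.
def scenarios
  web_app   = ClientApp.new(name: "web-app", confidential: true)
  other_app = ClientApp.new(name: "other-app", confidential: true)
  store = {
    "tok-web"    => Token.new(value: "tok-web", application: web_app, revoked: false),
    "tok-public" => Token.new(value: "tok-public", application: nil, revoked: false),
  }
  {
    own_token:     revoke(web_app, "tok-web", store),       # 200, tok-web revoked
    foreign_token: revoke(other_app, "tok-web", store),     # 403, other client's token
    public_token:  revoke(nil, "tok-public", store),        # 200, no bound client
    unknown_token: revoke(other_app, "tok-guess", store),   # 200, nothing revoked
    revoked_flags: store.transform_values(&:revoked),
  }
end

puts scenarios.inspect if __FILE__ == $PROGRAM_NAME
```

Struct equality in `revocation_authorized?` compares by value, which is enough for this model; Doorkeeper compares the authenticated client's application record against the token's application, as shown in the original method.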