Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
A minimal Sinatra OAuth 2.0 client and resource server.
require 'sinatra'
require 'open-uri'
require 'json'
# This application is the bare minimum to authorize with OAuth 2.0
# using the authorization grant scheme. No error handling included.
# The application is both a client and a resource server.
# Start it by using 'ruby <file>' and navigate to http://localhost:4567
# The application also needs the oauth-server written in Java.
# See
# Start it with 'mvn jetty:run' for now.
configure do
set client_id: "123456789"
set client_secret: "kakekake"
set oauth_host: "http://localhost:8080/api"
# Global variables. So much ugly...
@@access_token = ""
@@redirect_uri = 'http://localhost:4567/oauth/callback'
# Client paths
# Root path. Begin here.
get '/' do
"<a href='/oauth/redirect'>Authorize this app, motherfucker.</a>"
# The button on the main page takes the user here.
# Here, we build a redirect uri to the authorization server with
# the client id, state, redirect_uri to our callback and more.
get '/oauth/redirect' do
# Set some easy to read variables.
response_type = "code"
state = "kake"
redirect_uri = @@redirect_uri
# Build redirect uri
uri = settings.oauth_host + "/oauth/auth"
uri += "?client_id=#{settings.client_id}"
uri += "&response_type=#{response_type}"
uri += "&state=#{state}"
uri += "&redirect_uri=#{redirect_uri}"
# Send a 302 Temporary Redirect to the user-agent.
# This will redirect the user to the Authorization server.
redirect uri
# The user-agent is redirected here by the oauth-server after the app was given authorization.
# Here, we extract the authorization code and do an internal request to the token endpoint
# to retrieve the access token and optional refresh token.
get '/oauth/callback' do
# Set some easy to read variables.
code = params[:code]
grant_type = "authorization_code"
redirect_uri = @@redirect_uri
# Build request URI
uri = URI(settings.oauth_host + "/oauth/token")
uri.query = "code=#{code}&grant_type=#{grant_type}&redirect_uri=#{redirect_uri}"
# Open an HTTP connection to the authorization server using basic auth.
open(uri, :http_basic_authentication=>[settings.client_id, settings.client_secret]) do |http|
@respons = JSON.parse(
# Extract the access token from the json response.
@@access_token = @respons["access_token"]
# Redirect the user to another url to hide the ugly authcode url.
redirect to('/oauth/finish')
# The user has now authorized our app, and the client has procured an access token.
# Here, we just present the user with a simple message and a prompt to fetch a protected resource.
# In reality, the client doesn't need user action to use the access token during the lifetime of the token.
get '/oauth/finish' do
path = "/rs/protected?access_token=#{@@access_token}&client_id=#{settings.client_id}"
"Authorized.<br><a href='#{path}'>Fetch protected resource</a>"
# Resource Server paths.
# This is our resource server path. It is protected from everyone that do not have an access token.
# This can usually be a users watched movies, the phone number of the user or similar.
# The resource server MUST validate the token and verify that the audience field matches the supplied client_id.
get '/rs/protected' do
access_token = params[:access_token]
client_id = params[:client_id]
if valid_token?(access_token, client_id)
return "Congratulations! You have access to this token."
"You do not have access to this resource."
# A convenience method to validate a token by requesting token information from the authorization server.
def valid_token?(token, client_id)
# Build request URI
uri = URI(settings.oauth_host + "/oauth/tokeninfo")
uri.query = "access_token=#{token}"
puts uri.to_s
# Open an HTTP connection to uri
open(uri) do |http|
@respons = JSON.parse(
# Only return true if the server returns successfully, and the audience field matches the client id.
if not @respons["audience"].nil? && @respons["audience"] == client_id
return true
return false
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment