Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Doorkeeper (with JWT token) Server and Client applications configuration, references etc

Provider(aka Server)-side configuration, routes, controllers etc


Doorkeeper 4.2.6

Devise 4.2.0


# For making this application serve as an OAuth-Provider
# which can be used by OAuth Clients like a custom Webapp
gem 'doorkeeper'

# We are using JWT as the token generator for Doorkeeper hence this gem
gem 'doorkeeper-jwt'


# Reference:
ActiveSupport::Inflector.inflections(:en) do |inflect|
  inflect.acronym 'OAuth'


Doorkeeper.configure do
  # Change the ORM that doorkeeper will use (needs plugins)
  orm :active_record

  # =======================STARTS: OVERRIDDEN CONFIG ===========================
  # Note: Default values, wherever applicable, apply for options which are
  # not overridden here.
  # References:
  resource_owner_authenticator do |routes|
    if current_user
      # Refer the HERE document at the bottom on why this session variable
      # is being set.
      session[:user_return_to] = request.fullpath

  # References:
  admin_authenticator do
    if current_user
      unless current_user.is_admin?
        redirect_to user_home_path, flash: { error: I18n.t('doorkeeper.applications_list.unauthorized_access') }

  # Access token expiration time (default 2 hours).
  # If you want to disable expiration, set this to nil.
  access_token_expires_in 1.year

  access_token_generator '::Doorkeeper::JWT'

  # Refer
  # for more details on why this is needed.

  # =======================ENDS: OVERRIDDEN CONFIG =============================

  # This block will be called to check whether the resource owner is authenticated or not.
  # resource_owner_authenticator do
  #  fail "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
  #  # Put your resource owner authentication logic here.
  #  # Example implementation:
  #  #   User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
  # end

  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
  # admin_authenticator do
  #   # Put your admin authentication logic here.
  #   # Example implementation:
  #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
  # end

  # Authorization Code expiration time (default 10 minutes).
  # authorization_code_expires_in 10.minutes

  # Access token expiration time (default 2 hours).
  # If you want to disable expiration, set this to nil.
  # access_token_expires_in 2.hours

  # Assign a custom TTL for implicit grants.
  # custom_access_token_expires_in do |oauth_client|
  #   oauth_client.application.additional_settings.implicit_oauth_expiration
  # end

  # Use a custom class for generating the access token.
  # access_token_generator '::Doorkeeper::JWT'

  # The controller Doorkeeper::ApplicationController inherits from.
  # Defaults to ActionController::Base.
  # base_controller 'ApplicationController'

  # Reuse access token for the same resource owner within an application (disabled by default)
  # Rationale:
  # reuse_access_token

  # Issue access tokens with refresh token (disabled by default)
  # use_refresh_token

  # Provide support for an owner to be assigned to each registered application (disabled by default)
  # Optional parameter confirmation: true (default false) if you want to enforce ownership of
  # a registered application
  # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
  # enable_application_owner confirmation: false

  # Define access token scopes for your provider
  # For more information go to
  # default_scopes  :public
  # optional_scopes :write, :update

  # Change the way client credentials are retrieved from the request object.
  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
  # falls back to the `:client_id` and `:client_secret` params from the `params` object.
  # Check out the wiki for more information on customization
  # client_credentials :from_basic, :from_params

  # Change the way access token is authenticated from the request object.
  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
  # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
  # Check out the wiki for more information on customization
  # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param

  # Change the native redirect uri for client apps
  # When clients register with the following redirect uri, they won't be redirected to any server and the authorization code will be displayed within the provider
  # The value can be any string. Use nil to disable this feature. When disabled, clients must provide a valid URL
  # (Similar behaviour:
  # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'

  # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
  # by default in non-development environments). OAuth2 delegates security in
  # communication to the HTTPS protocol so it is wise to keep this enabled.
  # force_ssl_in_redirect_uri !Rails.env.development?

  # Specify what grant flows are enabled in array of Strings. The valid
  # strings and the flows they enable are:
  # "authorization_code" => Authorization Code Grant Flow
  # "implicit"           => Implicit Grant Flow
  # "password"           => Resource Owner Password Credentials Grant Flow
  # "client_credentials" => Client Credentials Grant Flow
  # If not specified, Doorkeeper enables authorization_code and
  # client_credentials.
  # implicit and password grant flows have risks that you should understand
  # before enabling:
  # grant_flows %w(authorization_code client_credentials)

  # Under some circumstances you might want to have applications auto-approved,
  # so that the user skips the authorization step.
  # For example if dealing with a trusted application.
  # skip_authorization do |resource_owner, client|
  #   client.superapp? or resource_owner.admin?
  # end

  # WWW-Authenticate Realm (default "Doorkeeper").
  # realm "Doorkeeper"

Doorkeeper::JWT.configure do
  # Set the payload for the JWT token. This should contain unique information
  # about the user.
  # Defaults to a randomly generated token in a hash
  # { token: "RANDOM-TOKEN" }
  # Additional references to prevent
  # ```
  #   422 error
  #   ActiveRecord::RecordInvalid (Validation failed: Token has already been taken):
  # ```
  token_payload do |opts|
    user = User.find(opts[:resource_owner_id])

      iss: Rails.application.class.parent.to_s.underscore,
      jti: SecureRandom.uuid,

      user: {

  # Optionally set additional headers for the JWT. See
  # token_headers do |opts|
  #  {
  #    kid: opts[:application][:uid]
  #  }
  # end

  # Use the application secret specified in the Access Grant token
  # Defaults to false
  # If you specify `use_application_secret true`, both secret_key and secret_key_path will be ignored
  # use_application_secret false

  # Set the encryption secret. This would be shared with any other applications
  # that should be able to read the payload of the token.
  # Defaults to "secret"

  # If you want to use RS* encoding specify the path to the RSA key
  # to use for signing.
  # If you specify a secret_key_path it will be used instead of secret_key
  # secret_key_path "path/to/file.pem"

  # Specify encryption type. Supports any algorithim in
  # defaults to nil
  encryption_method :hs256


 Why this specific session variable? Because Devise looks for this name
 Refer `after_sign_in_path_for(resource_or_scope)` method
 implementation and documentation at

 and you should get it why.

 And `after_sign_in_path_for` method should come into picture when Client-app
 sends an authorization request to this Provider-app and the user is not
 found to be logged-in on the Provider-app. So Devise should throw
 the user to the Sign-in page and after successful sign-in user should
 be redirected to the Client-app. So we are storing the Client-app's
 path here in a session key supported by Devise in out-of-the-box fashion
 for handling redirects to original page after signing-in.

 So just setting this session variable Devise should handle the redirect
 to Client-app AFTER SUCCESSFUL SIGN-IN without any additional changes
 in it's SessionsController implementation.


 Note that if this session variable is NOT set then what would happen is
 that when user from Client-app sends authorization request and user
 is not NOT found logged-in by Devise on this Provider-app
 the Provider-app display's Sign Page but after successful login
 Provider-app doesn't redirect the logged-in user to Client-app.

 However that's not the case when user is found logged-in on this Provider-app
 In that case Provider-app displays the Authorize/Deny page facilitated
 by Doorkeeper. Clicking either on Authorize or Deny button the redirect



 in your ApplicationController like following

   def after_sign_in_path_for(resource)

 If that is the case then setting this session variable should have NO EFFECT.
 And to fix that you will need to do this

    def after_sign_in_path_for(resource)
      stored_location_for(resource) || user_home_path



Rails.application.routes.draw do

  # This should be automatically added by Doorkeeper when installing it 
  # using the insructions at
  # OAuth protected routes which can be requested by Client-app  
  namespace :oauth_protected, path: 'oauthorized' do
    defaults format: :json do
      get :me, to: 'users#me', as: :me


module OAuthProtected
  class BaseController < ::ActionController::Base

    # Reference:
    before_action :doorkeeper_authorize! # Require access token for all actions


    # Find the user that owns the access token
    # Reference:
    def current_resource_owner
      User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token



module OAuthProtected
  class UsersController < BaseController

    # GET /oauthorized/me(.:format)
    def me
      user_json = current_resource_owner.as_json

      render json: user_json, status: 200


Client application for interacting with the Provider(aka Server)

A sample Client application for interacting with the Provider(aka Server) having above shown configuration can be found at . Please follow its README to setup and use the application.

Copy link

jiggneshhgohel commented Aug 23, 2017


      Started GET "/users/auth/doorkeeper" for at 2017-08-22 17:45:02 +0530
      I, [2017-08-22T17:45:02.386866 #14535]  INFO -- omniauth: (doorkeeper) Request phase initiated.
      Started GET "/users/auth/doorkeeper/callback?code=1b833bcc09651f98b0424a7afb1e60bd50fdcc765daf7d499bcefb5554457187&state=c215fd707ecd71c6ad0f6b5e58fa0d2da7210d86946d41e3" for at 2017-08-22 17:45:03 +0530
      I, [2017-08-22T17:45:03.506424 #14535]  INFO -- omniauth: (doorkeeper) Callback phase initiated.
      E, [2017-08-22T17:45:03.523737 #14535] ERROR -- omniauth: (doorkeeper) Authentication failure! invalid_credentials: OAuth2::Error, invalid_grant: The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
      {"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
      Processing by Users::OmniauthCallbacksController#failure as HTML
        Parameters: {"code"=>"1b833bcc09651f98b0424a7afb1e60bd50fdcc765daf7d499bcefb5554457187", "state"=>"c215fd707ecd71c6ad0f6b5e58fa0d2da7210d86946d41e3"}
      Redirected to http://localhost:5000/
      Completed 302 Found in 0ms (ActiveRecord: 0.0ms)

Copy link

jiggneshhgohel commented Aug 28, 2017

References for Alexa Account Linking with a Doorkeeper Provider

Once your Doorkeeper Provider(aka Server) application is ready and you want to test Alexa Account Linking and Testing your Alexa skill please go through the detailed and to-the-point tutorial at

Please feel free in case anybody encounters any problem or confusion while implementing this.

Copy link

mbijon commented Jun 2, 2020

Excellent, this should save me some time.

Thanks for noting file paths & names. Much better than the docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment