
OAuth2, CanCan and Doorkeeper integration


(Brian Dear) #1

I have an app “Client” that allows users to authenticate through “Provider” using Doorkeeper and OAuth2. My flow is this: user on Client clicks Login, it sends the user to log in on Provider and then returns the user as a “signed_in” user on Client.

The next step is that I need to have roles implemented on the Provider and send that information along (with the user) to the Client, where the user can then do role-based things on Client.

Is there a suggested way to do this? My theory is that I put CanCan on the Provider, do a role check when a user logs in through Provider and send some param back to client that establishes the role.

Any ideas?


(Ben Orenstein) #2

We do something less complicated but similar on this forum when you log in via our endpoint. learn.thoughtbot.com sends back a has_forum_access flag that Discourse knows to look for. You only get access if it’s true.

Since you have more complicated permissions, your situation is a little trickier. Can you get away with just sending a few booleans like we are? If not, you may need to send over what role the user has, and then define permissions for a particular role on the Client side. You may end up with duplication of role definitions between Provider and Client though.


(Brian Dear) #3

Thanks for the great answer. In fact, I ended up using the boolean style. When a user logs in on the Provider, the role of the user is sent to the client with the auth_hash, so it worked perfectly well.
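
Added example, not part of the thread or either poster's code: a plain-Ruby sketch of the Client side of the approach discussed above, where the role and a boolean flag arrive in the auth hash and the Client maps them to permissions, denying anything it does not recognise. The key locations (`extra.role`, `extra.has_forum_access`) and the role names are assumptions for illustration, not Doorkeeper or OmniAuth defaults.

```ruby
# Added example: Client-side handling of a role carried in the auth hash.
# Assumption: the Provider places the role at auth_hash["extra"]["role"] and a
# boolean at auth_hash["extra"]["has_forum_access"]; both locations are hypothetical.

# Client-side role definitions (duplicated from the Provider, as noted in #2).
ROLE_PERMISSIONS = {
  "admin"  => %i[read write manage_users].freeze,
  "editor" => %i[read write].freeze,
  "member" => %i[read].freeze
}.freeze

# Safely pull the "extra" section out of whatever the callback handed us.
def extra_of(auth_hash)
  extra = auth_hash.is_a?(Hash) ? auth_hash["extra"] : nil
  extra.is_a?(Hash) ? extra : {}
end

# Return the role only if it is a String the Client knows; otherwise nil.
def role_from_auth_hash(auth_hash)
  role = extra_of(auth_hash)["role"]
  role.is_a?(String) && ROLE_PERMISSIONS.key?(role) ? role : nil
end

# Boolean-flag style: only a literal true grants access ("true", 1, nil do not).
def flag_granted?(auth_hash, flag)
  extra_of(auth_hash)[flag] == true
end

# Fail closed: an unknown or missing role yields no permissions.
def permissions_for(auth_hash)
  ROLE_PERMISSIONS.fetch(role_from_auth_hash(auth_hash), [])
end

def allowed?(auth_hash, action)
  permissions_for(auth_hash).include?(action)
end

# Constructed sample auth hashes (not captured from a real Provider).
EDITOR  = { "uid" => "42", "extra" => { "role" => "editor", "has_forum_access" => true } }.freeze
UNKNOWN = { "uid" => "43", "extra" => { "role" => "superuser", "has_forum_access" => "true" } }.freeze
NO_ROLE = { "uid" => "44", "extra" => {} }.freeze

puts "editor can write:       #{allowed?(EDITOR, :write)}"
puts "unknown role can read:  #{allowed?(UNKNOWN, :read)}"
puts "string 'true' flag ok:  #{flag_granted?(UNKNOWN, 'has_forum_access')}"
```

The role should be read only from the auth hash the Client obtained from the Provider during the OAuth2 callback, never from a request parameter the browser can set.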