Oauth2, CanCan and doorkeeper integration

I have an app “Client” that allows users to authenticate through “Provider” using Doorkeeper and Oauth2. My flow is this: a user on Client clicks Login, it sends the user to log in on Provider and then returns the user as a “signed_in” user on Client.

The next step is that I need to have roles implemented on the Provider and send that information along (with the user) to the Client, where the user can then do role-based things on Client.

Is there a suggested way to do this? My theory is that I put CanCan on the Provider, do a role check when a user logs in through Provider and send some param back to Client that establishes the role.

Any ideas?

We do something less complicated but similar on this forum when you log in via our endpoint. learn.thoughtbot.com sends back a has_forum_access flag that Discourse knows to look for. You only get access if it’s true.

Since you have more complicated permissions, your situation is a little trickier. Can you get away with just sending a few booleans like we are? If not, you may need to send over what role the user has, and then define permissions for a particular role on the Client side. You may end up with duplication of role definitions between Provider and Client though.

Thanks for the great answer. In fact, I ended up using the boolean style. When a user logs in on the Provider, the role of the user is sent to the client with the auth_hash, so it worked perfectly well.
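As an added illustration of the pattern the answer and the follow-up describe (not code from this thread or from Doorkeeper), here is a plain-Ruby sketch: Provider returns role data from a token-protected user-info lookup, and Client maps that role onto its own permission table, denying by default for anything unknown. The token store, role names and `has_forum_access` values are constructed for the example.

```ruby
# Added example: Provider returns role data with the user info; Client maps it
# to local permissions. Everything below is constructed for illustration.

# --- Provider side ------------------------------------------------------
# Constructed store: access token => user record. In a real Doorkeeper app
# the bearer token is resolved against Doorkeeper's access-token table.
PROVIDER_USERS = {
  "tok-alice" => { "uid" => 1, "role" => "admin",  "has_forum_access" => true },
  "tok-bob"   => { "uid" => 2, "role" => "member", "has_forum_access" => true },
  "tok-carol" => { "uid" => 3, "role" => "guest",  "has_forum_access" => false },
}.freeze

# What Provider's user-info endpoint returns for a bearer token.
# An unknown or expired token yields nil (Doorkeeper would answer 401).
def provider_user_info(access_token)
  user = PROVIDER_USERS[access_token]
  return nil unless user
  { "uid" => user["uid"], "role" => user["role"],
    "has_forum_access" => user["has_forum_access"] }
end

# --- Client side --------------------------------------------------------
# Role => permissions table kept on Client (the duplication the answer
# mentions). Roles not listed here get no permissions: deny by default.
CLIENT_ROLE_PERMISSIONS = {
  "admin"  => %i[read_forum post_forum manage_users].freeze,
  "member" => %i[read_forum post_forum].freeze,
  "guest"  => [].freeze,
}.freeze

# Derive Client-side permissions from the auth hash Provider sent back.
# Only role data obtained via the access token is trusted; a role carried
# as a plain redirect parameter could be edited by the user.
def client_permissions_for(auth_hash)
  return [] unless auth_hash && auth_hash["has_forum_access"] == true
  CLIENT_ROLE_PERMISSIONS.fetch(auth_hash["role"], [])
end

def client_can?(auth_hash, action)
  client_permissions_for(auth_hash).include?(action)
end
```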