doorkeeper
  • Doorkeeper Guides
  • Ruby on Rails
    • Getting Started
    • Routes
    • Configuration
    • Scopes
    • Securing the API
    • API Mode
    • PKCE Flow
    • Polymorphic Resource Owner
  • Grape
    • Grape
  • ORMs
    • Active Record
    • MongoDB
    • Sequel
    • Couchbase
  • Internals
    • Database Design
    • Internationalization (i18n)
    • Rake
    • Testing
    • Upgrading
    • Creating extensions
  • Security
    • Token and Application Secrets
  • Configuration
    • Models
    • Scopes
    • Skip Authorization
    • Other Configurations
    • Route Constraints and other integrations
Powered by GitBook
On this page

Was this helpful?

  1. Configuration

Scopes

Access Token Scopes

You can also require the access token to have specific scopes in certain actions:

First configure the scopes in initializers/doorkeeper.rb

Doorkeeper.configure do
  default_scopes :public # if no scope was requested, this will be the default
  optional_scopes :admin, :write
end

And in your controllers:

class Api::V1::ProductsController < Api::V1::ApiController
  before_action -> { doorkeeper_authorize! :public }, only: :index
  before_action only: [:create, :update, :destroy] do
    doorkeeper_authorize! :admin, :write
  end
end

Please note that there is a logical OR between multiple required scopes. In the above example, doorkeeper_authorize! :admin, :write means that the access token is required to have either :admin scope or :write scope, but does not need to have both of them.

If you want to require the access token to have multiple scopes at the same time, use multiple doorkeeper_authorize!, for example:

class Api::V1::ProductsController < Api::V1::ApiController
  before_action -> { doorkeeper_authorize! :public }, only: :index
  before_action only: [:create, :update, :destroy] do
    doorkeeper_authorize! :admin
    doorkeeper_authorize! :write
  end
end

In the above example, a client can call :create action only if its access token has both :admin and :write scopes.

PreviousModelsNextSkip Authorization

Last updated 6 years ago

Was this helpful?