Fix oauth2 middleware compatibility with draft-ietf-oauth-v2-31 spec.

CHANGELOG.md

@@ -33,6 +33,7 @@ Next Release
 * [#549](https://github.com/intridea/grape/pull/549): Fixed handling of invalid version headers to return 406 if a header cannot be parsed - [@bwalex](https://github.com/bwalex).
 * [#557](https://github.com/intridea/grape/pull/557): Pass `content_types` option to `Grape::Middleware::Error` to fix the content-type header for custom formats. - [@bernd](https://github.com/bernd).
 * [#585](https://github.com/intridea/grape/pull/585): Fix after boot thread-safety issue - [@etehtsea](https://github.com/etehtsea).
+* [#587](https://github.com/intridea/grape/pull/587): Fix oauth2 middleware compatibility with draft-ietf-oauth-v2-31 spec - [@etehtsea](https://github.com/etehtsea).
 
 0.6.1 (10/19/2013)
 ==================

lib/grape/middleware/auth/oauth2.rb

@@ -5,7 +5,7 @@ def default_options
       {
         token_class: 'AccessToken',
         realm: 'OAuth API',
-        parameter: %w(bearer_token oauth_token),
+        parameter: %w(bearer_token oauth_token access_token),
         accepted_headers: %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION),
         header: [/Bearer (.*)/i, /OAuth (.*)/i],
         required: true
@@ -54,7 +54,7 @@ def verify_token(token)
       token = token_class.verify(token)
       if token
         if token.respond_to?(:expired?) && token.expired?
-          error_out(401, 'expired_token')
+          error_out(401, 'invalid_grant')
         else
           if !token.respond_to?(:permission_for?) || token.permission_for?(env)
             env['api.token'] = token
@@ -63,7 +63,7 @@ def verify_token(token)
           end
         end
       elsif !!options[:required]
-        error_out(401, 'invalid_token')
+        error_out(401, 'invalid_grant')
       end
     end
 

spec/grape/middleware/auth/oauth2_spec.rb

@@ -30,7 +30,7 @@ def app
 
   context 'with the token in the query string' do
     context 'and a valid token' do
-      before { get '/awesome?oauth_token=g123' }
+      before { get '/awesome?access_token=g123' }
 
       it 'sets env["api.token"]' do
         last_response.body.should == 'g123'
@@ -40,7 +40,7 @@ def app
     context 'and an invalid token' do
       before do
         @err = catch :error do
-          get '/awesome?oauth_token=b123'
+          get '/awesome?access_token=b123'
         end
       end
 
@@ -49,20 +49,20 @@ def app
       end
 
       it 'sets the WWW-Authenticate header in the response' do
-        @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='invalid_token'"
+        @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='invalid_grant'"
       end
     end
   end
 
   context 'with an expired token' do
     before do
       @err = catch :error do
-        get '/awesome?oauth_token=e123'
+        get '/awesome?access_token=e123'
       end
     end
 
     it { @err[:status].should == 401 }
-    it { @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='expired_token'" }
+    it { @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='invalid_grant'" }
   end
 
   %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION).each do |head|
@@ -73,14 +73,14 @@ def app
   end
 
   context 'with the token in the POST body' do
-    before { post '/awesome', 'oauth_token' => 'g123' }
+    before { post '/awesome', 'access_token' => 'g123' }
     it { last_response.body.should == 'g123' }
   end
 
   context 'when accessing something outside its scope' do
     before do
       @err = catch :error do
-        get '/forbidden?oauth_token=g123'
+        get '/forbidden?access_token=g123'
       end
     end
 
@@ -105,7 +105,7 @@ def app
     end
 
     context 'with a valid token' do
-      before { get '/awesome?oauth_token=g123' }
+      before { get '/awesome?access_token=g123' }
 
       it 'sets env["api.token"]' do
         last_response.body.should == 'g123'