Skip to content

Commit f101895

Browse files
nbudinclaude
andcommitted
Fix OAuth redirect loop by restoring NullResourceOwner behavior
v6.16.0 (1bfb22d) changed resource_owner_authenticator to redirect unauthenticated users to /users/sign_in, storing the OAuth authorize URL in session[:user_return_to]. SessionsController#new then called redirect_with_authentication, which read that URL and appended show_authentication=signIn — sending the user straight back to /oauth/authorize, which Doorkeeper immediately bounced back to /users/sign_in, creating an infinite loop. The correct fix is to revert resource_owner_authenticator to return NullResourceOwner.new for unauthenticated requests. This lets Doorkeeper render the authorization page, and the AuthorizationPrompt React component already handles the unauthenticated case: it opens the sign-in modal and sets afterSignInPath to the OAuth URL so the user is returned to the consent page after signing in. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent a774d7b commit f101895

2 files changed

Lines changed: 2 additions & 27 deletions

File tree

app/controllers/sessions_controller.rb

Lines changed: 1 addition & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -5,27 +5,11 @@ class SessionsController < Devise::SessionsController
55
prepend_before_action :set_return_to, only: [:new]
66

77
def new
8-
respond_to do |format|
9-
format.html do
10-
if oauth_authorize_flow?
11-
# Redirecting back to the OAuth URL would loop: Doorkeeper would
12-
# again see no signed-in user and send us right back here. Instead,
13-
# open the sign-in modal on the root page; after sign-in Devise will
14-
# redirect to session[:user_return_to] (the OAuth URL).
15-
redirect_to root_url(show_authentication: "signIn")
16-
else
17-
redirect_with_authentication("signIn")
18-
end
19-
end
20-
end
8+
respond_to { |format| format.html { redirect_with_authentication("signIn") } }
219
end
2210

2311
private
2412

25-
def oauth_authorize_flow?
26-
session[:user_return_to]&.start_with?("/oauth/authorize")
27-
end
28-
2913
def set_return_to
3014
return if params[:user_return_to].blank?
3115
session[:user_return_to] = params[:user_return_to]

config/initializers/doorkeeper.rb

Lines changed: 1 addition & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -13,16 +13,7 @@ def id
1313
orm :active_record
1414

1515
# This block will be called to check whether the resource owner is authenticated or not.
16-
resource_owner_authenticator do
17-
if user_signed_in?
18-
current_user
19-
else
20-
# Redirect to login page, preserving the OAuth parameters
21-
session[:user_return_to] = request.fullpath
22-
redirect_to new_user_session_url
23-
nil
24-
end
25-
end
16+
resource_owner_authenticator { user_signed_in? ? current_user : NullResourceOwner.new }
2617

2718
# If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
2819
# file then you need to declare this block in order to restrict access to the web interface for

0 commit comments

Comments
 (0)