Only enable resource owner password grant flow if ldap or pam is enabled

Resource Owner Password Grant flow is considered insecure and should not generally be used. It seems that both PAM and LDAP seem to require it, which is unfortunate, but this at least improves the security of servers that aren't using those.
2025-07-15 08:48:15 +00:00 · 2023-09-16 18:30:13 +02:00 · 2023-09-16 18:30:13 +02:00 · bf8d132557
commit bf8d132557
parent bd06c13204
1 changed files with 5 additions and 1 deletions
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@ -164,7 +164,11 @@ Doorkeeper.configure do
  #   http://tools.ietf.org/html/rfc6819#section-4.4.3
  #

-  grant_flows %w(authorization_code password client_credentials)
+  if Devise.ldap_authentication || Devise.pam_authentication
+    grant_flows %w(authorization_code client_credentials password)
+  else
+    grant_flows %w(authorization_code client_credentials)
+  end

  # Under some circumstances you might want to have applications auto-approved,
  # so that the user skips the authorization step.