Twitter has application-only authentication for their api: https://dev.twitter.com/docs/auth/application-only-auth
Twitter offers applications the ability to issue authenticated requests on behalf of the application itself (as opposed to on behalf of a specific user)
I want to do the same with doorkeeper in Rails, but I'm not sure how to do that. It seems to be only possible to authenticate users via a callback url, but how can I access my API using the applications context (only by using the app ID and app secret)
My first idea was to do a password credentials login with the app's ID and secret to obtain an access token that belongs to the application. Is this a bad idea? Is it safe from a security point of view? I am wondering because the app's secret is saved as plain text in the db, which is a no go for user authentication.
It is something you can definitely do : you can see on the example here where it generate a token with client_credentials, but no username / password :
curl -i http://localhost:5100/oauth/token \
-F grant_type="client_credentials" \
-F client_id="your_application_id" \
-F client_secret="your_secret"
Up to you after to check if you have a resource_owner associated to your doorkeeper_token.
来源:https://stackoverflow.com/questions/25203229/how-to-do-application-only-authentication-in-doorkeeper-oauth2