Class: StandardId::Web::ConsentController

Inherits:
BaseController
  • Object
show all
Includes:
InertiaRendering
Defined in:
app/controllers/standard_id/web/consent_controller.rb

Overview

Renders the OAuth consent screen and records the user’s decision.

The consent screen is authenticated HTML, so it lives on the WebEngine (the full ERB / Inertia stack with `layout "public"`), alongside login. The API authorize endpoint (ActionController::API, JSON/redirect only) hands off here with a signed payload of the original /authorize params when the client has require_consent enabled and no prior grant exists; the consent screen never re-reads those params from an unsigned query string.

Flow:

GET  /consent?consent_request=<signed>  -> show the screen
POST /consent (decision=approve|deny)   -> record + resume, or deny

On approve we persist a ClientGrant and resume issuing the authorization code by running the same AuthorizationCodeAuthorizationFlow the API endpoint would have run, so redirect_uri and PKCE are revalidated here rather than duplicated. On deny we redirect to redirect_uri with error=access_denied (plus state when the client sent one), per RFC 6749 §4.1.2.1.
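The hand-off and the deny redirect described above, as an added example that is not StandardId's own code: how the API side could sign the consent_request payload with an HMAC and an expiry, how the consent side verifies it before trusting anything in it (redirect_uri included), and how the RFC 6749 §4.1.2.1 error redirect is assembled. The module name, the body.signature token format, the TTL and the sample secret are assumptions; the page does not show StandardId's real signing format.

```ruby
require "openssl"
require "json"
require "uri"

# Added example, not StandardId's code. Models the signed consent_request
# hand-off between the API authorize endpoint and the consent page, plus the
# deny redirect from RFC 6749 section 4.1.2.1. The token format is assumed.
module ConsentRequestExample
  TTL_SECONDS = 300 # assumed lifetime of a consent hand-off

  def self.b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.unb64url(str)
    s = str.tr("-_", "+/")
    s += "=" * ((4 - s.length % 4) % 4)
    s.unpack1("m0") # strict decode: raises ArgumentError on garbage
  end

  # API side: sign the original /authorize params so the consent page can
  # resume the flow without re-reading them from an untrusted query string.
  def self.encode(authorize_params, secret:, now: Time.now.to_i)
    payload = authorize_params.transform_keys(&:to_s).merge("exp" => now + TTL_SECONDS)
    body = b64url(JSON.generate(payload))
    sig = b64url(OpenSSL::HMAC.digest("SHA256", secret, body))
    "#{body}.#{sig}"
  end

  # Consent side: returns the params hash, or nil for a missing, tampered,
  # wrongly-keyed or expired token. The signature is checked in constant time
  # before the body is parsed, so malformed JSON never reaches the parser.
  def self.decode(token, secret:, now: Time.now.to_i)
    body, sig = token.to_s.split(".", 2)
    return nil if body.nil? || sig.nil?
    expected = b64url(OpenSSL::HMAC.digest("SHA256", secret, body))
    return nil unless sig.bytesize == expected.bytesize &&
                      OpenSSL.fixed_length_secure_compare(sig, expected)
    payload = JSON.parse(unb64url(body))
    return nil unless payload.is_a?(Hash) && payload["exp"].is_a?(Integer) && payload["exp"] > now
    payload
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Deny: append error=access_denied (and state when present) to the query
  # component of redirect_uri, per RFC 6749 section 4.1.2.1. redirect_uri must
  # come from the verified payload (it was validated when the token was
  # minted), never from a bare request parameter.
  def self.deny_redirect_uri(redirect_uri, state: nil)
    uri = URI.parse(redirect_uri)
    query = URI.decode_www_form(uri.query.to_s)
    query << ["error", "access_denied"]
    query << ["state", state] unless state.nil? || state.empty?
    uri.query = URI.encode_www_form(query)
    uri.to_s
  end
end

if $PROGRAM_NAME == __FILE__
  secret = "constructed-example-secret" # constructed sample, not a real key
  token = ConsentRequestExample.encode(
    { client_id: "client_123", redirect_uri: "https://app.example/cb", state: "xyz" },
    secret: secret
  )
  params = ConsentRequestExample.decode(token, secret: secret)
  puts ConsentRequestExample.deny_redirect_uri(params["redirect_uri"], state: params["state"])
end
```

The decode path mirrors what the controller's client lookup has to guarantee before `approve!` or `deny!` runs: a payload that fails verification yields no client, so the request ends in an InvalidClientError rather than a redirect to an attacker-chosen redirect_uri.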

Constant Summary

Constants included from RateLimitHandling

RateLimitHandling::RATE_LIMIT_STORE

Instance Method Summary collapse

Methods included from StandardId::WebAuthentication

#current_account, #current_scope_names, #current_session, #revoke_current_session!

Methods included from ControllerPolicy

all_controllers, authenticated_controllers, public_controllers, register, registry_snapshot, reset_registry!

Instance Method Details

#create ⇒ Object



# File 'app/controllers/standard_id/web/consent_controller.rb', line 45

def create
  # consent_client (private, not shown on this page) resolves the client for
  # the consent_request hand-off; a request with no resolvable client is
  # rejected before any decision is recorded.
  @client = consent_client
  raise StandardId::InvalidClientError, "Invalid client_id" unless @client

  # Only an explicit "approve" records a grant; any other value, including a
  # missing decision, is treated as a denial.
  if params[:decision].to_s == "approve"
    approve!
  else
    deny!
  end
end

#show ⇒ Object



# File 'app/controllers/standard_id/web/consent_controller.rb', line 37

def show
  # Same client resolution as #create: the screen is only rendered for a
  # hand-off whose client can be resolved.
  @client = consent_client
  raise StandardId::InvalidClientError, "Invalid client_id" unless @client

  # scope_list and consent_props are private helpers (not shown on this page)
  # that build the scopes to display and the Inertia props for the screen.
  @scopes = scope_list
  render_with_inertia props: consent_props
end