adal 1.0.0

data/lib/adal/util.rb

@@ -0,0 +1,49 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+module ADAL
+  # Various helper methods that are useful across several classes and do not fit
+  # into the class hierarchy.
+  module Util
+    def fail_if_arguments_nil(*args)
+      fail ArgumentError, 'Arguments cannot be nil.' if args.any?(&:nil?)
+    end
+
+    # @param URI|String
+    # @return Net::HTTP
+    def http(uri)
+      uri = URI.parse(uri.to_s)
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = uri.scheme == 'https'
+      http
+    end
+
+    ##
+    # Converts every key and value of a hash to string.
+    #
+    # @param Hash
+    # @return Hash
+    def string_hash(hash)
+      hash.map { |k, v| [k.to_s, v.to_s] }.to_h
+    end
+  end
+end

data/lib/adal/version.rb

@@ -0,0 +1,36 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+module ADAL
+  # The current ADAL version.
+  class Version
+    MAJOR = 1 unless defined? MAJOR
+    MINOR = 0 unless defined? MINOR
+    UPDATE = 0 unless defined? UPDATE
+
+    class << self
+      def to_s
+        [MAJOR, MINOR, UPDATE].compact.join('.')
+      end
+    end
+  end
+end

data/lib/adal/wstrust_request.rb

@@ -0,0 +1,100 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './logging'
+require_relative './util'
+require_relative './wstrust_response'
+require_relative './xml_namespaces'
+
+require 'erb'
+require 'securerandom'
+
+module ADAL
+  # A request to a WS-Trust endpoint of an ADFS server. Used to obtain a SAML
+  # token that can be exchanged for an access token at a token endpoint.
+  class WSTrustRequest
+    include Logging
+    include Util
+    include XmlNamespaces
+
+    DEFAULT_APPLIES_TO = 'urn:federation:MicrosoftOnline'
+
+    ACTION_TO_RST_TEMPLATE = {
+      WSTRUST_13 =>
+        File.expand_path('../templates/rst.13.xml.erb', __FILE__),
+      WSTRUST_2005 =>
+        File.expand_path('../templates/rst.2005.xml.erb', __FILE__)
+    }
+
+    ##
+    # Constructs a new WSTrustRequest.
+    #
+    # @param String|URI endpoint
+    # @param String action
+    # @param String applies_to
+    def initialize(
+      endpoint, action = WSTRUST_13, applies_to = DEFAULT_APPLIES_TO)
+      @applies_to = applies_to
+      @endpoint = URI.parse(endpoint.to_s)
+      @action = action
+      @render = ERB.new(File.read(ACTION_TO_RST_TEMPLATE[action]))
+    end
+
+    ##
+    # Performs a WS-Trust RequestSecurityToken request with a username and
+    # password to obtain a federated token.
+    #
+    # @param String username
+    # @param String password
+    # @return WSTrustResponse
+    def execute(username, password)
+      logger.verbose("Making a WSTrust request with action #{@action}.")
+      request = Net::HTTP::Get.new(@endpoint.path)
+      add_headers(request)
+      request.body = rst(username, password)
+      response = http(@endpoint).request(request)
+      if response.code == '200'
+        WSTrustResponse.parse(response.body)
+      else
+        fail WSTrustResponse::WSTrustError, "Failed request: code #{response.code}."
+      end
+    end
+
+    private
+
+    # @param Net::HTTP::Get request
+    def add_headers(request)
+      request.add_field('Content-Type', 'application/soap+xml; charset=utf-8')
+      request.add_field('SOAPAction', @action)
+    end
+
+    # @param String username
+    # @param String password
+    # @param String message_id
+    # @return String
+    def rst(username, password, message_id = SecureRandom.uuid)
+      created = Time.now
+      expires = created + 10 * 60   # 10 minute expiration
+      @render.result(binding)
+    end
+  end
+end

data/lib/adal/wstrust_response.rb

@@ -0,0 +1,168 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './logging'
+require_relative './token_request'
+require_relative './util'
+require_relative './xml_namespaces'
+
+require 'nokogiri'
+
+module ADAL
+  # Relevant fields from a WS-Trust response.
+  class WSTrustResponse
+    include XmlNamespaces
+
+    class << self
+      include Logging
+      include Util
+    end
+
+    # All recognized SAML token types.
+    module TokenType
+      V1 = 'urn:oasis:names:tc:SAML:1.0:assertion'
+      V2 = 'urn:oasis:names:tc:SAML:2.0:assertion'
+
+      ALL_TYPES = [V1, V2]
+    end
+
+    class WSTrustError < StandardError; end
+    class UnrecognizedTokenTypeError < WSTrustError; end
+
+    ACTION_XPATH = '//s:Envelope/s:Header/a:Action/text()'
+    ERROR_XPATH = '//s:Envelope/s:Body/s:Fault/s:Code/s:Subcode/s:Value/text()'
+    FAULT_XPATH = '//s:Envelope/s:Body/s:Fault/s:Reason'
+    SECURITY_TOKEN_XPATH = './trust:RequestedSecurityToken'
+    TOKEN_RESPONSE_XPATH =
+      '//s:Envelope/s:Body/trust:RequestSecurityTokenResponse|//s:Envelope/s:' \
+      'Body/trust:RequestSecurityTokenResponseCollection/trust:RequestSecurit' \
+      'yTokenResponse'
+    TOKEN_TYPE_XPATH = "./*[local-name() = 'TokenType']/text()"
+    TOKEN_XPATH = "./*[local-name() = 'Assertion']"
+
+    ##
+    # Parses a WS-Trust response from raw XML into an ADAL::WSTrustResponse
+    # object. Throws an error if the response contains an error.
+    #
+    # @param String|Nokogiri::XML raw_xml
+    # @return ADAL::WSTrustResponse
+    def self.parse(raw_xml)
+      fail_if_arguments_nil(raw_xml)
+      xml = Nokogiri::XML(raw_xml.to_s)
+      parse_error(xml)
+      namespace = ACTION_TO_NAMESPACE[parse_action(xml)]
+      token, token_type = parse_token(xml, namespace)
+      if token && token_type
+        WSTrustResponse.new(format_xml(token), format_xml(token_type))
+      else
+        fail WSTrustError, 'Unable to parse token from response.'
+      end
+    end
+
+    ##
+    # Determines whether the response uses WS-Trust 2005 or WS-Trust 1.3.
+    #
+    # @param Nokogiri::XML::Document xml
+    # @return String
+    def self.parse_action(xml)
+      xml.xpath(ACTION_XPATH, NAMESPACES).to_s
+    end
+
+    ##
+    # Checks a WS-Trust response for properly formatted error codes and
+    # descriptions. If found, raises an appropriate exception.
+    #
+    # @param Nokogiri::XML::Document xml
+    def self.parse_error(xml)
+      fault = xml.xpath(FAULT_XPATH, NAMESPACES).first
+      error = xml.xpath(ERROR_XPATH, NAMESPACES).first
+      error = format_xml(error).split(':')[1] || error if error
+      fail WSTrustError, "Fault: #{fault}. Error: #{error}." if fault || error
+    end
+
+    # @param Nokogiri::XML::Document xml
+    # @return String
+    def self.format_xml(xml)
+      xml.to_s.split("\n").map(&:strip).join
+    end
+    private_class_method :format_xml
+
+    # @param Nokogiri::XML::Document
+    # @return [Nokogiri::XML::Element, Nokogiri::XML::Text]
+    def self.parse_token(xml, namespace)
+      xml.xpath(TOKEN_RESPONSE_XPATH, namespace).select do |node|
+        requested_token = node.xpath(SECURITY_TOKEN_XPATH, namespace)
+        case requested_token.size
+        when 0
+          logger.warn('No security token in token response.')
+          next
+        when 1
+          token = requested_token.xpath(TOKEN_XPATH, namespace).first
+          next if token.nil?
+          return token, parse_token_type(node)
+        else
+          fail WSTrustError, 'Found too many RequestedSecurityTokens.'
+        end
+      end
+    end
+    private_class_method :parse_token
+
+    # @param Nokogiri::XML::Element token_response_node
+    # @return Nokogiri::XML::Text
+    def self.parse_token_type(token_response_node)
+      type = token_response_node.xpath(TOKEN_TYPE_XPATH, NAMESPACES).first
+      logger.warn('No type in token response node.') if type.nil?
+      type
+    end
+    private_class_method :parse_token_type
+
+    attr_reader :token
+
+    ##
+    # Constructs a WSTrustResponse.
+    #
+    # @param String token
+    #   The content of the returned token.
+    # @param WSTrustResponse::TokenType token_type
+    #   The type of the token contained within the WS-Trust response.
+    def initialize(token, token_type)
+      unless TokenType::ALL_TYPES.include? token_type
+        fail UnrecognizedTokenTypeError, token_type
+      end
+      @token = token
+      @token_type = token_type
+    end
+
+    ##
+    # Gets the OAuth grant type for the SAML token type of the response.
+    #
+    # @return TokenRequest::GrantType
+    def grant_type
+      case @token_type
+      when TokenType::V1
+        TokenRequest::GrantType::SAML1
+      when TokenType::V2
+        TokenRequest::GrantType::SAML2
+      end
+    end
+  end
+end

data/lib/adal/xml_namespaces.rb

@@ -0,0 +1,64 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require 'nokogiri'
+require 'uri'
+
+module ADAL
+  # WSTrust namespaces for the username/password OAuth flow as well as action
+  # constants and maps to go between bindings, actions and namespaces.
+  module XmlNamespaces
+    NAMESPACES = {
+      'a' => 'http://www.w3.org/2005/08/addressing',
+      'o' => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd',
+      's' => 'http://www.w3.org/2003/05/soap-envelope',
+      'u' => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd',
+      'wsa' => 'http://www.w3.org/2005/08/addressing',
+      'wsdl' => 'http://schemas.xmlsoap.org/wsdl/',
+      'wsp' => 'http://schemas.xmlsoap.org/ws/2004/09/policy',
+      'soap12' => 'http://schemas.xmlsoap.org/wsdl/soap12/',
+      'sp' => 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy',
+      'ssp' => 'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
+    }
+
+    NAMESPACES_2005 =
+      NAMESPACES.merge(
+        'trust' => 'http://schemas.xmlsoap.org/ws/2005/02/trust')
+
+    NAMESPACES_13 =
+      NAMESPACES.merge(
+        'trust' => 'http://docs.oasis-open.org/ws-sx/ws-trust/200512')
+
+    WSTRUST_2005 = 'http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue'
+    WSTRUST_13 = 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal'
+
+    ACTION_TO_NAMESPACE = { WSTRUST_13 => NAMESPACES_13,
+                            WSTRUST_2005 => NAMESPACES_2005 }
+
+    BINDING_TO_ACTION = {
+      'UserNameWSTrustBinding_IWSTrustFeb2005Async' => WSTRUST_2005,
+      'UserNameWSTrustBinding_IWSTrustFeb2005Async1' => WSTRUST_2005,
+      'UserNameWSTrustBinding_IWSTrust13Async' => WSTRUST_13,
+      'UserNameWSTrustBinding_IWSTrust13Async1' => WSTRUST_13
+    }
+  end
+end

data/samples/authorization_code_example/README.md

@@ -0,0 +1,10 @@
+This web app demonstrates the authorization code flow of obtaining access tokens
+with ADAL.
+
+To run this web app, you need to:
+
+1. Register a web application under your Azure Active Directory account.
+2. Replace `CLIENT_ID`, `CLIENT_SECRET` and `TENANT` with your values.
+3. Ensure that Ruby and Sinatra are installed on your system.
+4. Install ADAL with `gem install adal`.
+5. Start Sinatra with `ruby web_app.rb`.

data/samples/authorization_code_example/web_app.rb

@@ -0,0 +1,139 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require 'adal'
+require 'json'
+require 'net/http'
+require 'securerandom'
+require 'sinatra'
+require 'uri'
+
+AUTHORITY = 'login.windows.net'
+CLIENT_ID = 'your_client_id_here'
+CLIENT_SECRET = 'your_client_secret_here'
+RESOURCE = 'https://graph.windows.net'
+TENANT = 'your_tenant_here.onmicrosoft.com'
+
+# AuthenticationContext is specific to a tenant. Our application only cares
+# about one tenant, so we only need one AuthenticationContext.
+auth_ctx = ADAL::AuthenticationContext.new(AUTHORITY, TENANT)
+
+# ADAL::ClientCredential is one of several ways that you can identify your
+# client application. It contains a client id and a client secret, which are
+# assigned to you by Azure when you register your application.
+client_cred = ADAL::ClientCredential.new(CLIENT_ID, CLIENT_SECRET)
+
+# ADAL supports four logging options: VERBOSE, INFO, WARN and ERROR.
+# They are defined as constants in ADAL::Logger and are used in ADAL::Logging,
+# the mix-in factory module that provides Loggers to the various ADAL classes.
+# By default, log_level = ADAL::Logger::ERROR so only error messages will be
+# displayed.
+ADAL::Logging.log_level = ADAL::Logger::VERBOSE
+
+# ADAL allows you to redirect log outputs to a file or any Ruby object
+# that implements IO. By default they are sent to STDOUT.
+ADAL::Logging.log_output = 'my_adal_logs.log'
+
+# This is Sinatra specific code that allows storing data as a browser cookie.
+configure do
+  enable :sessions
+  set :session_secret, 'secret'
+end
+
+# Public landing page for the web app.
+get '/' do
+  'This is a public page. Anyone can see it.<br/>' \
+  'If you have credentials, you can view the protected phone book ' \
+  "for your organization <a href='/secure'>here</a>."
+end
+
+# In order to access /secure, the user needs an access token for the resource
+# (https://graph.windows.net) that /secure will be displaying.
+before '/secure' do
+  redirect to('/auth') unless session[:access_token]
+end
+
+# Now that we have an access token, we use it to access the resource.
+# The details here are specific to your resource.
+get '/secure' do
+  resource_uri = URI(RESOURCE + '/' + TENANT + '/users?api-version=2013-04-05')
+  headers = { 'authorization' => session[:access_token] }
+  http = Net::HTTP.new(resource_uri.hostname, resource_uri.port)
+  http.use_ssl = true
+  graph = JSON.parse(http.get(resource_uri, headers).body)
+
+  # The resource is displayed to the user.
+  'Here is your phone book.<br/><br/>' +
+    graph['value'].map do |user|
+      %(Given Name: #{user['givenName']}<br/>
+        Surname: #{user['surname']}<br/>
+        Address: #{user['streetAddress']}, #{user['city']}, #{user['country']}
+        <br/><br/>)
+    end.join(' ') +
+    "You can log out <a href='/logout'>here</a>.<br/>" \
+    "Or refresh the token <a href='/refresh'>here.</a>"
+end
+
+# Removes the access token from the session. The user will have to authenticate
+# again if they wish to revisit their phone book.
+get '/logout' do
+  session.clear
+  redirect to('/')
+end
+
+get '/auth' do
+  # Request authorization by redirecting the user. ADAL will help create the
+  # URL, but it will not make the actual request for you. In this case, the
+  # request is made by Sinatra's redirect function.
+  redirect auth_ctx.authorization_request_url(RESOURCE, CLIENT_ID, uri), 303
+end
+
+# The authorization code is returned from the authorization server as
+# params[:code]. We pass this to ADAL to acquire an access_token.
+post '/auth' do
+  token_response = auth_ctx.acquire_token_with_authorization_code(
+    params[:code], uri, client_cred, RESOURCE)
+  case token_response
+  when ADAL::SuccessResponse
+    # ADAL successfully exchanged the authorization code for an access_token.
+    # The token_response includes other information but we only care about the
+    # access token and the refresh token.
+    session[:access_token] = token_response.access_token
+    session[:refresh_token] = token_response.refresh_token
+    redirect to('/secure')
+  when ADAL::ErrorResponse
+    # ADAL failed to exchange the authorization code for an access_token.
+    redirect to('/')
+  end
+end
+
+before '/refresh' do
+  redirect to('/auth') unless session[:refresh_token]
+end
+
+get '/refresh' do
+  token_response = auth_ctx.acquire_token_with_refresh_token(
+    session[:refresh_token], client_cred, RESOURCE)
+  session[:access_token] = token_response.access_token
+  session[:refresh_token] = token_response.refresh_token
+  redirect to('/secure')
+end