auth0 5.10.0 → 5.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
data/README.md CHANGED
@@ -1,15 +1,26 @@
1
- # Auth0 - Ruby
1
+ ![ruby-auth0](https://cdn.auth0.com/website/sdks/banners/ruby-auth0-banner.png)
2
+
3
+ Ruby API client for the [Auth0](https://auth0.com) platform.
2
4
 
3
5
  [![CircleCI](https://img.shields.io/circleci/project/github/auth0/ruby-auth0/master.svg)](https://circleci.com/gh/auth0/ruby-auth0)
4
6
  [![Gem Version](https://badge.fury.io/rb/auth0.svg)](http://badge.fury.io/rb/auth0)
5
7
  [![codecov](https://codecov.io/gh/auth0/ruby-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/ruby-auth0)
6
8
  [![Yard Docs](http://img.shields.io/badge/yard-docs-blue.svg)](http://www.rubydoc.info/github/auth0/ruby-auth0/master/frames)
7
9
  [![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/ruby-auth0/blob/master/LICENSE)
8
- [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fruby-auth0.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fruby-auth0?ref=badge_shield)
9
10
 
10
- Ruby API client for the [Auth0](https://auth0.com) platform.
11
+ <div>
12
+ 📚 <a href="#documentation">Documentation</a> - 🚀 <a href="#getting-started">Getting started</a> - 💻 <a href="#api-reference">API reference</a> - 💬 <a href="#feedback">Feedback</a>
13
+ </div>
14
+
15
+ ## Documentation
16
+
17
+ - [API documentation](https://www.rubydoc.info/gems/auth0) - documentation auto-generated from the code comments that explains all the available features
18
+ - [Examples](https://github.com/auth0/ruby-auth0/blob/master/EXAMPLES.md) - examples that demonstrate the different ways in which this SDK can be used
19
+ - [Docs Site](https://auth0.com/docs) - explore our Docs site and learn more about Auth0
20
+
21
+ ## Getting Started
11
22
 
12
- ## Installation
23
+ ### Installation
13
24
 
14
25
  This gem can be installed directly:
15
26
 
@@ -17,100 +28,48 @@ This gem can be installed directly:
17
28
  $ gem install auth0
18
29
  ```
19
30
 
20
- ... or with [Bundler](https://bundler.io/man/bundle-add.1.html):
31
+ or with [Bundler](https://bundler.io/man/bundle-add.1.html):
21
32
 
22
33
  ```bash
23
34
  bundle add auth0
24
35
  ```
25
36
 
26
- ## API Documentation
27
-
28
- https://www.rubydoc.info/gems/auth0
29
-
30
- ## Management API v2
31
-
32
- This SDK provides access to the [Management API v2](https://auth0.com/docs/api/management/v2) via modules that help create clear and accurate calls. Most of the interaction is done through the `Auth0Client` class, instantiated with the required credentials.
33
-
34
- As a simple example of how to get started, we'll create an admin route to point to a list of all users from Auth0:
35
-
36
- ```ruby
37
- # config/routes.rb
38
- Rails.application.routes.draw do
39
- # ...
40
- get 'admin/users', to: 'all_users#index'
41
- # ...
42
- end
43
- ```
37
+ ### Usage
44
38
 
45
- ... and a Controller to handle that route:
39
+ Create an instance of `Auth0Client` to access properties and methods of the authentication and management APIs:
46
40
 
47
41
  ```ruby
48
- # app/controllers/all_users_controller.rb
49
42
  require 'auth0'
50
43
 
51
- class AllUsersController < ApplicationController
52
- # Get all users from Auth0 with "auth0" in their email.
53
- def index
54
- @params = {
55
- q: "email:*auth0*",
56
- fields: 'email,user_id,name',
57
- include_fields: true,
58
- page: 0,
59
- per_page: 50
60
- }
61
- @users = auth0_client.users @params
62
- end
63
-
64
- private
65
-
66
- # Setup the Auth0 API connection.
67
- def auth0_client
68
- @auth0_client ||= Auth0Client.new(
69
- client_id: ENV['AUTH0_RUBY_CLIENT_ID'],
70
- client_secret: ENV['AUTH0_RUBY_CLIENT_SECRET'],
71
- # If you pass in a client_secret value, the SDK will automatically try to get a
72
- # Management API token for this application. Make sure your Application can make a
73
- # Client Credentials grant (Application settings in Auth0 > Advanced > Grant Types
74
- # tab) and that the Application is authorized for the Management API:
75
- # https://auth0.com/docs/api-auth/config/using-the-auth0-dashboard
76
- #
77
- # Otherwise, you can pass in a Management API token directly for testing or temporary
78
- # access using the key below.
79
- # token: ENV['AUTH0_RUBY_API_TOKEN'],
80
- #
81
- # When passing a token, you can also specify when the token expires in seconds from epoch. Otherwise, expiry is set
82
- # by default to an hour from now.
83
- # token_expires_at: Time.now.to_i + 86400,
84
- domain: ENV['AUTH0_RUBY_DOMAIN'],
85
- api_version: 2,
86
- timeout: 15 # optional, defaults to 10
87
- )
88
- end
89
- end
90
- ```
91
-
92
- In this example, we're using environment variables to store the values needed to connect to Auth0 and authorize. The `token` used above is an API token for the Management API with the scopes required to perform a specific action (in this case `read:users`). These tokens can be [generated manually](https://auth0.com/docs/api/management/v2/tokens#get-a-token-manually) using a test Application or with the [Application](https://manage.auth0.com/#/applications) being used for your project.
93
-
94
- Finally, we'll add a view to display the results:
95
-
96
- ```ruby
97
- # app/views/all_users/index.html.erb
98
- <h1>Users</h1>
99
- <%= debug @params %>
100
- <%= debug @users %>
44
+ client = Auth0Client.new(
45
+ client_id: ENV['AUTH0_RUBY_CLIENT_ID'],
46
+ client_secret: ENV['AUTH0_RUBY_CLIENT_SECRET'],
47
+ domain: ENV['AUTH0_RUBY_DOMAIN'],
48
+ # If you pass in a client_secret value, the SDK will automatically try to get a
49
+ # Management API token for this application. Make sure your Application can make a
50
+ # Client Credentials grant (Application settings in Auth0 > Advanced > Grant Types
51
+ # tab) and that the Application is authorized for the Management API:
52
+ # https://auth0.com/docs/api-auth/config/using-the-auth0-dashboard
53
+ #
54
+ # Otherwise, you can pass in a Management API token directly for testing or temporary
55
+ # access using the key below.
56
+ # token: ENV['AUTH0_RUBY_API_TOKEN'],
57
+ #
58
+ # When passing a token, you can also specify when the token expires in seconds from epoch. Otherwise, expiry is set
59
+ # by default to an hour from now.
60
+ # token_expires_at: Time.now.to_i + 86400
61
+ )
101
62
  ```
102
63
 
103
- This should show the parameters passed to the `users` method and a list of users that matched the query (or an empty array if none).
104
-
105
- ### Token management
106
-
107
64
  If `token` is omitted, the SDK will attempt to fetch a new token using the `client_credentials` grant, provided that `client_id` and `client_secret` are provided in the configuration. Once the token is about to expire (or has already expired), a new token will be fetched and cached for future calls.
108
65
 
109
66
  For this to work, ensure your application can make a Client Credentials grant (Application settings in Auth0 > Advanced > Grant Types tab) and that the application is authorized for the Management API: https://auth0.com/docs/api-auth/config/using-the-auth0-dashboard
110
67
 
111
- ## Authentication
68
+ ## Authentication API Client
112
69
 
113
- In addition to the Management API, this SDK also provides access to [Authentication API](https://auth0.com/docs/api/authentication) endpoints with the `Auth0::API::AuthenticationEndpoints` module. For basic login capability, we suggest using our OmniAuth stategy [detailed here](https://auth0.com/docs/quickstart/webapp/rails/01-login). Other authentication tasks currently supported are:
70
+ This SDK provides access to [Authentication API](https://auth0.com/docs/api/authentication) endpoints with the `Auth0::API::AuthenticationEndpoints` module.
71
+
72
+ For basic login capability, we suggest using our OmniAuth stategy [detailed here](https://auth0.com/docs/quickstart/webapp/rails/01-login). Other authentication tasks currently supported are:
114
73
 
115
74
  - Register a new user with a database connection using the `signup` method.
116
75
  - Redirect a user to the universal login page for authentication using the `authorization_url` method.
@@ -123,160 +82,13 @@ In addition to the Management API, this SDK also provides access to [Authenticat
123
82
 
124
83
  Please note that this module implements endpoints that might be deprecated for newer tenants. If you have any questions about how and when the endpoints should be used, consult the [documentation](https://auth0.com/docs/api/authentication) or ask in our [Community forums](https://community.auth0.com/tags/wordpress).
125
84
 
126
- ### Organizations
127
-
128
- [Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
129
-
130
- Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.
85
+ ## Management API Client
131
86
 
132
- #### Logging in with an Organization
87
+ This SDK provides access to the [Management API](https://auth0.com/docs/api/management/v2) via modules that help create clear and accurate calls. Most of the interaction is done through the `Auth0Client` class, instantiated with the required credentials.
133
88
 
134
- Configure the Authentication API client and pass your Organization ID to the authorize url:
89
+ For an example of using the management API client to read of users, see the [examples document](https://github.com/auth0/ruby-auth0/blob/master/EXAMPLES.md).
135
90
 
136
- ```ruby
137
- require 'auth0'
138
-
139
- @auth0_client ||= Auth0Client.new(
140
- client_id: '{YOUR_APPLICATION_CLIENT_ID}',
141
- client_secret: '{YOUR_APPLICATION_CLIENT_SECRET}',
142
- domain: '{YOUR_TENANT}.auth0.com',
143
- organization: "{YOUR_ORGANIZATION_ID}"
144
- )
145
-
146
- universal_login_url = @auth0_client.authorization_url("https://{YOUR_APPLICATION_CALLBACK_URL}")
147
-
148
- # redirect_to universal_login_url
149
- ```
150
-
151
- #### Accepting user invitations
152
-
153
- Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard. When they arrive at this URL, a `invitation` and `organization` query parameters will be provided
154
-
155
- ```ruby
156
- require 'auth0'
157
-
158
- @auth0_client ||= Auth0Client.new(
159
- client_id: '{YOUR_APPLICATION_CLIENT_ID}',
160
- client_secret: '{YOUR_APPLICATION_CLIENT_ID}',
161
- domain: '{YOUR_TENANT}.auth0.com',
162
- organization: "{YOUR_ORGANIZATION_ID}"
163
- )
164
-
165
- universal_login_url = @auth0_client.authorization_url("https://{YOUR_APPLICATION_CALLBACK_URL}", {
166
- organization: "{ORGANIZATION_QUERY_PARAM}", # You can override organization if needed
167
- invitation: "{INVITATION_QUERY_PARAM}"
168
- })
169
-
170
- # redirect_to universal_login_url
171
- ```
172
-
173
- ## ID Token Validation
174
-
175
- An ID token may be present in the credentials received after authentication. This token contains information associated with the user that has just logged in, provided the scope used contained `openid`. You can [read more about ID tokens here](https://auth0.com/docs/tokens/concepts/id-tokens).
176
-
177
- Before accessing its contents, you must first validate the ID token to ensure it has not been tampered with and that it is meant for your application to consume. Use the `validate_id_token` method to do so:
178
-
179
- ```ruby
180
- begin
181
- @auth0_client.validate_id_token 'YOUR_ID_TOKEN'
182
- rescue Auth0::InvalidIdToken => e
183
- # In this case the ID Token contents should not be trusted
184
- end
185
- ```
186
-
187
- The method takes the following optional keyword parameters:
188
-
189
- | Parameter | Type | Description | Default value |
190
- | ------------- | -------------- | ------------- | ------------------------- |
191
- | `algorithm` | `JWTAlgorithm` | The [signing algorithm](https://auth0.com/docs/tokens/concepts/signing-algorithms) used by your Auth0 application. | `Auth0::Algorithm::RS256` (using the [JWKS URL](https://auth0.com/docs/tokens/concepts/jwks) of your **Auth0 Domain**) |
192
- | `leeway` | Integer | Number of seconds to account for clock skew when validating the `exp`, `iat` and `azp` claims. | `60` |
193
- | `nonce` | String | The `nonce` value you sent in the call to `/authorize`, if any. | `nil` |
194
- | `max_age` | Integer | The `max_age` value you sent in the call to `/authorize`, if any. | `nil` |
195
- | `issuer` | String | By default the `iss` claim will be checked against the URL of your **Auth0 Domain**. Use this parameter to override that. | `nil` |
196
- | `audience` | String | By default the `aud` claim will be compared to your **Auth0 Client ID**. Use this parameter to override that. | `nil` |
197
- | `organization`| String | By default the `org_id` claim will be compared to your **Organization ID**. Use this parameter to override that. | `nil` |
198
-
199
- You can check the signing algorithm value under **Advanced Settings > OAuth > JsonWebToken Signature Algorithm** in your Auth0 application settings panel. [We recommend](https://auth0.com/docs/tokens/concepts/signing-algorithms#our-recommendation) that you make use of asymmetric signing algorithms like `RS256` instead of symmetric ones like `HS256`.
200
-
201
- ```ruby
202
- # HS256
203
-
204
- begin
205
- @auth0_client.validate_id_token 'YOUR_ID_TOKEN', algorithm: Auth0::Algorithm::HS256.secret('YOUR_SECRET')
206
- rescue Auth0::InvalidIdToken => e
207
- # Handle error
208
- end
209
-
210
- # RS256 with a custom JWKS URL
211
-
212
- begin
213
- @auth0_client.validate_id_token 'YOUR_ID_TOKEN', algorithm: Auth0::Algorithm::RS256.jwks_url('YOUR_URL')
214
- rescue Auth0::InvalidIdToken => e
215
- # Handle error
216
- end
217
- ```
218
-
219
- ### Organization ID Token Validation
220
-
221
- If an org_id claim is present in the Access Token, then the claim should be validated by the API to ensure that the value received is expected or known.
222
-
223
- In particular:
224
-
225
- * The issuer (iss) claim should be checked to ensure the token was issued by Auth0
226
-
227
- * the org_id claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the Access Token.
228
-
229
- Normally, validating the issuer would be enough to ensure that the token was issued by Auth0. In the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
230
-
231
- If the claim cannot be validated, then the application should deem the token invalid.
232
-
233
- ```ruby
234
- begin
235
- @auth0_client.validate_id_token 'YOUR_ID_TOKEN', organization: '{Expected org_id}'
236
- rescue Auth0::InvalidIdToken => e
237
- # In this case the ID Token contents should not be trusted
238
- end
239
- ```
240
-
241
- For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.
242
-
243
- ## Development
244
-
245
- In order to set up the local environment you'd have to have Ruby installed and a few global gems used to run and record the unit tests. A working Ruby version can be taken from the [CI script](/.circleci/config.yml). At the moment of this writting we're using Ruby `2.5.7`.
246
-
247
- > It is expected that every Pull Request introducing a fix, change or feature contains enough test coverage to assert the new behavior.
248
-
249
- ### Running the tests
250
-
251
- Install the gems required for this project.
252
-
253
- ```bash
254
- bundle install
255
- ```
256
-
257
- Finally, run the tests.
258
-
259
- ```bash
260
- bundle exec rake test
261
- ```
262
-
263
- #### Running only unit tests
264
-
265
- You can run only the unit tests and ignore the integration tests by running the following:
266
-
267
- ```bash
268
- bundle exec rake spec
269
- ```
270
-
271
- #### Running only integration tests
272
-
273
- You can run only the unit tests and ignore the integration tests by running the following:
274
-
275
- ```bash
276
- bundle exec rake integration
277
- ```
278
-
279
- ## More Information
91
+ ## Further reading
280
92
 
281
93
  - [Login using OmniAuth](https://auth0.com/docs/quickstart/webapp/rails/01-login)
282
94
  - [API authentication in Ruby](https://auth0.com/docs/quickstart/backend/ruby)
@@ -284,33 +96,35 @@ bundle exec rake integration
284
96
  - [Managing authentication with Auth0 (blog)](https://auth0.com/blog/rails-5-with-auth0/)
285
97
  - [Ruby on Rails workflow with Docker (blog)](https://auth0.com/blog/ruby-on-rails-killer-workflow-with-docker-part-1/)
286
98
 
287
- ## What is Auth0?
288
-
289
- Auth0 helps you to:
290
-
291
- - Add authentication with [multiple authentication sources](https://docs.auth0.com/identityproviders), either social like **Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce** among others, or enterprise identity systems like **Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider**.
292
- - Add authentication through more traditional **[username/password databases](https://docs.auth0.com/mysql-connection-tutorial)**.
293
- - Add support for **[linking different user accounts](https://docs.auth0.com/link-accounts)** with the same user.
294
- - Support for generating signed [JSON Web Tokens](https://docs.auth0.com/jwt) to call your APIs and **flow the user identity** securely.
295
- - Analytics of how, when, and where users are logging in.
296
- - Pull data from other sources and add it to the user profile with [JavaScript rules](https://docs.auth0.com/rules).
297
-
298
- ## Create a free Auth0 Account
99
+ ## Feedback
299
100
 
300
- 1. Go to [Auth0](https://auth0.com) and click Sign Up.
301
- 2. Use Google, GitHub or Microsoft Account to login.
101
+ ### Contributing
302
102
 
303
- ## Issue Reporting
103
+ We appreciate feedback and contribution to this repo! Before you get started, please see the following:
304
104
 
305
- If you find a bug or have a feature request, please report them in this repository's [Issues tab](https://github.com/auth0/ruby-auth0/issues). Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
105
+ - [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
106
+ - [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
306
107
 
307
- ## Author
108
+ ### Raise an issue
308
109
 
309
- [Auth0](https://auth0.com)
110
+ To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/auth0/ruby-auth0/issues).
310
111
 
311
- ## License
112
+ ### Vulnerability Reporting
312
113
 
313
- This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.
114
+ Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
314
115
 
116
+ ---
315
117
 
316
- [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fruby-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fruby-auth0?ref=badge_large)
118
+ <p align="center">
119
+ <picture>
120
+ <source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150">
121
+ <source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
122
+ <img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
123
+ </picture>
124
+ </p>
125
+ <p align="center">
126
+ Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a>
127
+ </p>
128
+ <p align="center">
129
+ This project is licensed under the MIT license. See the <a href="https://github.com/auth0/ruby-auth0/blob/master/LICENSE"> LICENSE</a> file for more info.
130
+ </p>
data/auth0.gemspec CHANGED
@@ -27,8 +27,6 @@ Gem::Specification.new do |s|
27
27
  s.add_development_dependency 'fuubar', '~> 2.0'
28
28
  s.add_development_dependency 'guard-rspec', '~> 4.5' unless ENV['CIRCLECI']
29
29
  s.add_development_dependency 'dotenv-rails', '~> 2.0'
30
- s.add_development_dependency 'pry', '~> 0.10'
31
- s.add_development_dependency 'pry-nav', '~> 0.2'
32
30
  s.add_development_dependency 'rspec', '~> 3.11'
33
31
  s.add_development_dependency 'rack-test', '~> 0.6'
34
32
  s.add_development_dependency 'rack', '~> 2.1'
@@ -8,19 +8,20 @@ GEM
8
8
  nio4r (2.5.8)
9
9
  puma (5.6.5)
10
10
  nio4r (~> 2.0)
11
- rack (2.2.4)
12
- rack-protection (2.2.2)
11
+ rack (2.2.6.4)
12
+ rack-protection (2.2.3)
13
13
  rack
14
14
  ruby2_keywords (0.0.5)
15
- sinatra (2.2.2)
15
+ sinatra (2.2.3)
16
16
  mustermann (~> 2.0)
17
17
  rack (~> 2.2)
18
- rack-protection (= 2.2.2)
18
+ rack-protection (= 2.2.3)
19
19
  tilt (~> 2.0)
20
20
  tilt (2.0.11)
21
21
 
22
22
  PLATFORMS
23
23
  aarch64-linux
24
+ x86_64-linux
24
25
 
25
26
  DEPENDENCIES
26
27
  dotenv
@@ -2,8 +2,6 @@
2
2
 
3
3
  This is the seed project you need to use if you're going to create a Ruby on Rails API. You'll mostly use this API either for a SPA or a Mobile app. If you just want to create a Regular Ruby on Rails WebApp, please check this [other seed project](https://github.com/auth0/omniauth-auth0)
4
4
 
5
- This example is deployed at Heroku at http://auth0-rorapi-sample.herokuapp.com/ping
6
-
7
5
  #Running the example
8
6
 
9
7
  In order to run the example you need to have ruby installed.
@@ -2,17 +2,23 @@
2
2
  # rubocop:disable Metrics/ModuleLength
3
3
 
4
4
  require 'jwt'
5
+ require_relative '../client_assertion'
5
6
 
6
7
  module Auth0
7
8
  module Api
8
9
  # {https://auth0.com/docs/api/authentication}
9
10
  # Methods to use the Authentication API
10
11
  module AuthenticationEndpoints
12
+ include Auth0::ClientAssertion
13
+
11
14
  UP_AUTH = 'Username-Password-Authentication'.freeze
12
15
  JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer'.freeze
16
+ GRANT_TYPE_PASSWORDLESS_OPT = 'http://auth0.com/oauth/grant-type/passwordless/otp'.freeze
13
17
 
14
18
  # Request an API access token using a Client Credentials grant
15
19
  # @see https://auth0.com/docs/api-auth/tutorials/client-credentials
20
+ # @param client_id [string] Client ID for the application
21
+ # @param client_secret [string] Client secret for the application. Ignored if using Client Assertion
16
22
  # @param audience [string] API audience to use
17
23
  # @param organization [string] Organization ID
18
24
  # @return [json] Returns the API token
@@ -25,10 +31,11 @@ module Auth0
25
31
  request_params = {
26
32
  grant_type: 'client_credentials',
27
33
  client_id: client_id,
28
- client_secret: client_secret,
29
34
  audience: audience
30
35
  }
31
36
 
37
+ populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)
38
+
32
39
  response = request_with_retry(:post, '/oauth/token', request_params)
33
40
  ::Auth0::ApiToken.new(response['access_token'], response['scope'], response['expires_in'])
34
41
  end
@@ -37,9 +44,9 @@ module Auth0
37
44
  # @see https://auth0.com/docs/api/authentication#authorization-code
38
45
  # @param code [string] The authentication code obtained from /authorize
39
46
  # @param redirect_uri [string] URL to redirect to after authorization.
47
+ # @param client_id [string] Client ID for the application
48
+ # @param client_secret [string] Client secret for the application. Ignored if using Client Assertion
40
49
  # Required only if it was set at the GET /authorize endpoint
41
- # @param client_id [string] Client ID for the Application
42
- # @param client_secret [string] Client Secret for the Application.
43
50
  # @return [Auth0::AccessToken] Returns the access_token and id_token
44
51
  def exchange_auth_code_for_tokens(
45
52
  code,
@@ -51,11 +58,13 @@ module Auth0
51
58
 
52
59
  request_params = {
53
60
  grant_type: 'authorization_code',
54
- client_id: client_id,
55
- client_secret: client_secret,
61
+ client_id: client_id,
56
62
  code: code,
57
63
  redirect_uri: redirect_uri
58
64
  }
65
+
66
+ populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)
67
+
59
68
  ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
60
69
  end
61
70
 
@@ -63,8 +72,8 @@ module Auth0
63
72
  # @see https://auth0.com/docs/api/authentication#refresh-token
64
73
  # @param refresh_token [string] Refresh token to use. Request this with
65
74
  # the offline_access scope when logging in.
66
- # @param client_id [string] Client ID for the Application
67
- # @param client_secret [string] Client Secret for the Application.
75
+ # @param client_id [string] Client ID for the application
76
+ # @param client_secret [string] Client secret for the application. Ignored if using Client Assertion
68
77
  # Required when the Application's Token Endpoint Authentication Method
69
78
  # is Post or Basic.
70
79
  # @return [Auth0::AccessToken] Returns tokens allowed in the refresh_token
@@ -78,9 +87,53 @@ module Auth0
78
87
  request_params = {
79
88
  grant_type: 'refresh_token',
80
89
  client_id: client_id,
81
- client_secret: client_secret,
82
90
  refresh_token: refresh_token
83
91
  }
92
+
93
+ populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)
94
+
95
+ ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
96
+ end
97
+
98
+ # Exchange an OTP recieved through SMS for ID and access tokens
99
+ # @param phone_number [string] The user's phone number used to receive the OTP
100
+ # @param otp [string] The OTP contained in the SMS
101
+ # @param audience [string] The audience for the access token (defaults to nil)
102
+ # @param scope [string] The scope (defaults to 'openid profile email')
103
+ def exchange_sms_otp_for_tokens(phone_number, otp, audience: nil, scope: nil)
104
+ request_params = {
105
+ grant_type: GRANT_TYPE_PASSWORDLESS_OPT,
106
+ client_id: @client_id,
107
+ username: phone_number,
108
+ otp: otp,
109
+ realm: 'sms',
110
+ audience: audience,
111
+ scope: scope || 'openid profile email'
112
+ }
113
+
114
+ populate_client_assertion_or_secret(request_params)
115
+
116
+ ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
117
+ end
118
+
119
+ # Exchange an OTP recieved through email for ID and access tokens
120
+ # @param email_address [string] The user's email address used to receive the OTP
121
+ # @param otp [string] The OTP contained in the email
122
+ # @param audience [string] The audience for the access token (defaults to nil)
123
+ # @param scope [string] The scope (defaults to 'openid profile email')
124
+ def exchange_email_otp_for_tokens(email_address, otp, audience: nil, scope: nil)
125
+ request_params = {
126
+ grant_type: GRANT_TYPE_PASSWORDLESS_OPT,
127
+ client_id: @client_id,
128
+ username: email_address,
129
+ otp: otp,
130
+ realm: 'email',
131
+ audience: audience,
132
+ scope: scope || 'openid profile email'
133
+ }
134
+
135
+ populate_client_assertion_or_secret(request_params)
136
+
84
137
  ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
85
138
  end
86
139
 
@@ -90,8 +143,8 @@ module Auth0
90
143
  # @see https://auth0.com/docs/api/authentication#resource-owner-password
91
144
  # @param login_name [string] Email or username for the connection
92
145
  # @param password [string] Password
93
- # @param client_id [string] Client ID from Application settings
94
- # @param client_secret [string] Client Secret from Application settings
146
+ # @param client_id [string] Client ID for the application
147
+ # @param client_secret [string] Client secret for the application. Ignored if using Client Assertion
95
148
  # @param realm [string] Specific realm to authenticate against
96
149
  # @param audience [string] API audience
97
150
  # @param scope [string] Scope(s) requested
@@ -115,12 +168,14 @@ module Auth0
115
168
  username: login_name,
116
169
  password: password,
117
170
  client_id: client_id,
118
- client_secret: client_secret,
119
171
  realm: realm,
120
172
  scope: scope,
121
173
  audience: audience,
122
174
  grant_type: realm ? 'http://auth0.com/oauth/grant-type/password-realm' : 'password'
123
175
  }
176
+
177
+ populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)
178
+
124
179
  ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
125
180
  end
126
181
  # rubocop:enable Metrics/ParameterLists
@@ -200,9 +255,10 @@ module Auth0
200
255
  authParams: auth_params,
201
256
  connection: 'email',
202
257
  client_id: @client_id,
203
- client_secret: @client_secret
204
258
  }
205
259
 
260
+ populate_client_assertion_or_secret(request_params)
261
+
206
262
  request_with_retry(:post, '/passwordless/start', request_params)
207
263
  end
208
264
 
@@ -217,9 +273,10 @@ module Auth0
217
273
  phone_number: phone_number,
218
274
  connection: 'sms',
219
275
  client_id: @client_id,
220
- client_secret: @client_secret
221
276
  }
222
277
 
278
+ populate_client_assertion_or_secret(request_params)
279
+
223
280
  request_with_retry(:post, '/passwordless/start', request_params)
224
281
  end
225
282
 
@@ -266,6 +323,21 @@ module Auth0
266
323
  URI::HTTPS.build(host: @domain, path: '/authorize', query: to_query(request_params))
267
324
  end
268
325
 
326
+ # Return an authorization URL for PAR requests
327
+ # @see https://www.rfc-editor.org/rfc/rfc9126.html
328
+ # @param request_uri [string] The request_uri as obtained by calling `pushed_authorization_request`
329
+ # @param additional_parameters Any additional parameters to send
330
+ def par_authorization_url(request_uri)
331
+ raise Auth0::InvalidParameter, 'Must supply a valid request_uri' if request_uri.to_s.empty?
332
+
333
+ request_params = {
334
+ client_id: @client_id,
335
+ request_uri: request_uri,
336
+ }
337
+
338
+ URI::HTTPS.build(host: @domain, path: '/authorize', query: to_query(request_params))
339
+ end
340
+
269
341
  # Returns an Auth0 logout URL with a return URL.
270
342
  # @see https://auth0.com/docs/api/authentication#logout
271
343
  # @see https://auth0.com/docs/logout
@@ -287,6 +359,28 @@ module Auth0
287
359
  )
288
360
  end
289
361
 
362
+ # Make a request to the PAR endpoint and receive a `request_uri` to send to the '/authorize' endpoint.
363
+ # @see https://auth0.com/docs/api/authentication#authorization-code-grant
364
+ # @param redirect_uri [string] URL to redirect after authorization
365
+ # @param options [hash] Can contain response_type, connection, state, organization, invitation, and additional_parameters.
366
+ # @return [url] Authorization URL.
367
+ def pushed_authorization_request(parameters = {})
368
+ request_params = {
369
+ client_id: @client_id,
370
+ response_type: parameters.fetch(:response_type, 'code'),
371
+ connection: parameters.fetch(:connection, nil),
372
+ redirect_uri: parameters.fetch(:redirect_uri, nil),
373
+ state: parameters.fetch(:state, nil),
374
+ scope: parameters.fetch(:scope, nil),
375
+ organization: parameters.fetch(:organization, nil),
376
+ invitation: parameters.fetch(:invitation, nil)
377
+ }.merge(parameters.fetch(:additional_parameters, {}))
378
+
379
+ populate_client_assertion_or_secret(request_params)
380
+
381
+ request_with_retry(:post_form, '/oauth/par', request_params, {})
382
+ end
383
+
290
384
  # Return a SAMLP URL.
291
385
  # The SAML Request AssertionConsumerServiceURL will be used to POST back
292
386
  # the assertion and it must match with the application callback URL.