auth0 5.9.0 → 5.11.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.circleci/config.yml +3 -3
- data/.devcontainer/Dockerfile +19 -0
- data/.devcontainer/devcontainer.json +37 -0
- data/CHANGELOG.md +22 -0
- data/DEVELOPMENT.md +35 -0
- data/EXAMPLES.md +220 -0
- data/Gemfile +1 -0
- data/Gemfile.lock +59 -63
- data/README.md +68 -253
- data/auth0.gemspec +2 -4
- data/examples/ruby-api/Gemfile +3 -2
- data/examples/ruby-api/Gemfile.lock +33 -0
- data/examples/ruby-api/README.md +2 -2
- data/examples/ruby-on-rails-api/README.md +0 -2
- data/lib/auth0/api/authentication_endpoints.rb +70 -13
- data/lib/auth0/api/v2/clients.rb +42 -0
- data/lib/auth0/api/v2/jobs.rb +15 -4
- data/lib/auth0/api/v2/organizations.rb +1 -1
- data/lib/auth0/client_assertion.rb +45 -0
- data/lib/auth0/mixins/httpproxy.rb +11 -12
- data/lib/auth0/mixins/initializer.rb +2 -0
- data/lib/auth0/mixins/token_management.rb +2 -2
- data/lib/auth0/version.rb +1 -1
- data/opslevel.yml +5 -0
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Clients/_patch_client/should_update_the_client_with_the_correct_attributes.yml +2 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Connections/_update_connection/should_update_the_connection.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Rules/_update_rule/should_update_the_disabled_rule_to_be_enabled.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_revert_the_tenant_name.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_update_the_tenant_settings_with_a_new_tenant_name.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_add_user_roles/should_add_a_Role_to_a_User_successfully.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_patch_user/should_patch_the_User_successfully.yml +1 -1
- data/spec/lib/auth0/api/authentication_endpoints_spec.rb +632 -0
- data/spec/lib/auth0/api/v2/clients_spec.rb +51 -0
- data/spec/lib/auth0/api/v2/jobs_spec.rb +18 -0
- data/spec/lib/auth0/mixins/httpproxy_spec.rb +53 -17
- data/spec/lib/auth0/mixins/initializer_spec.rb +79 -25
- data/spec/lib/auth0/mixins/token_management_spec.rb +47 -37
- data/spec/spec_helper.rb +4 -1
- data/spec/support/dummy_class_for_tokens.rb +2 -0
- metadata +15 -35
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 226246c8ebc3b3a01dfb4729ea30e1f5e348a4fef155287ae7a8d4a050022392
|
4
|
+
data.tar.gz: c720dba1ef6fb9661a981fd5a4603e212d3e9803cd1706bdd0a3b2f961551c3d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ec7dbd4a49e195981a2b13362e3e0ba7867194cc54a4aad4898edc82f57957415805645f2b8f99ccf6c9d3bca3dab729585c99a6aad44cae32fed094899d9795
|
7
|
+
data.tar.gz: 41221c45b0c22f5fb8ae2a31230f77aa49d60b6b1cfd59443d5e172aa8ed8704c9fb59f2c2af83a7213a7ab3ee678a330ba4b5b93bcfc24fa24985a2731a8903
|
data/.circleci/config.yml
CHANGED
@@ -6,9 +6,9 @@ orbs:
|
|
6
6
|
matrix_ruby_versions: &matrix_ruby_versions
|
7
7
|
matrix:
|
8
8
|
parameters:
|
9
|
-
ruby_version: ["2.
|
9
|
+
ruby_version: ["2.7", "3.0", "3.1", "3.2"]
|
10
10
|
# Default version of ruby to use for lint and publishing
|
11
|
-
default_ruby_version: &default_ruby_version "2
|
11
|
+
default_ruby_version: &default_ruby_version "3.2"
|
12
12
|
|
13
13
|
executors:
|
14
14
|
ruby-image:
|
@@ -30,7 +30,7 @@ jobs:
|
|
30
30
|
ruby_version: << parameters.ruby_version >>
|
31
31
|
steps:
|
32
32
|
- checkout
|
33
|
-
- run: gem install bundler:
|
33
|
+
- run: gem install bundler:2.3.22
|
34
34
|
- run: rm Gemfile.lock
|
35
35
|
- restore_cache:
|
36
36
|
key: gems-v2-{{ checksum "Gemfile.lock" }}
|
@@ -0,0 +1,19 @@
|
|
1
|
+
# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/ruby/.devcontainer/base.Dockerfile
|
2
|
+
|
3
|
+
# [Choice] Ruby version (use -bullseye variants on local arm64/Apple Silicon): 3, 3.1, 3.0, 2, 2.7, 3-bullseye, 3.1-bullseye, 3.0-bullseye, 2-bullseye, 2.7-bullseye, 3-buster, 3.1-buster, 3.0-buster, 2-buster, 2.7-buster
|
4
|
+
ARG VARIANT="3.1-bullseye"
|
5
|
+
FROM mcr.microsoft.com/vscode/devcontainers/ruby:0-${VARIANT}
|
6
|
+
|
7
|
+
# [Choice] Node.js version: none, lts/*, 16, 14, 12, 10
|
8
|
+
ARG NODE_VERSION="none"
|
9
|
+
RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi
|
10
|
+
|
11
|
+
# [Optional] Uncomment this section to install additional OS packages.
|
12
|
+
# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
|
13
|
+
# && apt-get -y install --no-install-recommends <your-package-list-here>
|
14
|
+
|
15
|
+
# [Optional] Uncomment this line to install additional gems.
|
16
|
+
# RUN gem install <your-gem-names-here>
|
17
|
+
|
18
|
+
# [Optional] Uncomment this line to install global node packages.
|
19
|
+
# RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g <your-package-here>" 2>&1
|
@@ -0,0 +1,37 @@
|
|
1
|
+
// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
|
2
|
+
// https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/ruby
|
3
|
+
{
|
4
|
+
"name": "Ruby",
|
5
|
+
"build": {
|
6
|
+
"dockerfile": "Dockerfile",
|
7
|
+
"args": {
|
8
|
+
// Update 'VARIANT' to pick a Ruby version: 3, 3.1, 3.0, 2, 2.7
|
9
|
+
// Append -bullseye or -buster to pin to an OS version.
|
10
|
+
// Use -bullseye variants on local on arm64/Apple Silicon.
|
11
|
+
"VARIANT": "3.2",
|
12
|
+
// Options
|
13
|
+
"NODE_VERSION": "lts/*"
|
14
|
+
}
|
15
|
+
},
|
16
|
+
|
17
|
+
// Configure tool-specific properties.
|
18
|
+
"customizations": {
|
19
|
+
// Configure properties specific to VS Code.
|
20
|
+
"vscode": {
|
21
|
+
// Add the IDs of extensions you want installed when the container is created.
|
22
|
+
"extensions": [
|
23
|
+
"rebornix.Ruby"
|
24
|
+
]
|
25
|
+
}
|
26
|
+
},
|
27
|
+
|
28
|
+
// Use 'forwardPorts' to make a list of ports inside the container available locally.
|
29
|
+
// "forwardPorts": [],
|
30
|
+
|
31
|
+
// Use 'postCreateCommand' to run commands after the container is created.
|
32
|
+
// "postCreateCommand": "ruby --version",
|
33
|
+
|
34
|
+
// Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
|
35
|
+
"remoteUser": "vscode"
|
36
|
+
|
37
|
+
}
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,27 @@
|
|
1
1
|
# Change Log
|
2
2
|
|
3
|
+
## [v5.11.0](https://github.com/auth0/ruby-auth0/tree/v5.11.0) (2023-01-27)
|
4
|
+
[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.10.0...v5.11.0)
|
5
|
+
|
6
|
+
**Added**
|
7
|
+
- feat: support exchanging OTP codes for tokens [\#438](https://github.com/auth0/ruby-auth0/pull/438) ([stevehobbsdev](https://github.com/stevehobbsdev))
|
8
|
+
- [SDK-3869] Support client credentials in management client [\#437](https://github.com/auth0/ruby-auth0/pull/437) ([stevehobbsdev](https://github.com/stevehobbsdev))
|
9
|
+
- [SDK-3863] Add support for Client Assertion in authentication endpoints [\#434](https://github.com/auth0/ruby-auth0/pull/434) ([stevehobbsdev](https://github.com/stevehobbsdev))
|
10
|
+
|
11
|
+
**Changed**
|
12
|
+
- ci: include Ruby 3.2 in test matrix [\#436](https://github.com/auth0/ruby-auth0/pull/436) ([stevehobbsdev](https://github.com/stevehobbsdev))
|
13
|
+
|
14
|
+
## [v5.10.0](https://github.com/auth0/ruby-auth0/tree/v5.10.0) (2022-10-10)
|
15
|
+
[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.9.0...v5.10.0)
|
16
|
+
|
17
|
+
**Changed**
|
18
|
+
- Update jwt ~2.5 [\#384](https://github.com/auth0/ruby-auth0/pull/384) ([stevehobbsdev](https://github.com/stevehobbsdev))
|
19
|
+
|
20
|
+
**Fixed**
|
21
|
+
- Stop :get, :delete parameters from bleeding into subsequent requests [\#388](https://github.com/auth0/ruby-auth0/pull/388) ([stevehobbsdev](https://github.com/stevehobbsdev))
|
22
|
+
- Support complex field names in export_users [\#387](https://github.com/auth0/ruby-auth0/pull/387) ([stevehobbsdev](https://github.com/stevehobbsdev))
|
23
|
+
- Reconfigure rate limiting exponential backoff [\#386](https://github.com/auth0/ruby-auth0/pull/386) ([stevehobbsdev](https://github.com/stevehobbsdev))
|
24
|
+
|
3
25
|
## [v5.9.0](https://github.com/auth0/ruby-auth0/tree/v5.9.0) (2022-08-24)
|
4
26
|
[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.8.1...v5.9.0)
|
5
27
|
|
data/DEVELOPMENT.md
ADDED
@@ -0,0 +1,35 @@
|
|
1
|
+
# Development
|
2
|
+
|
3
|
+
In order to set up the local environment you'd have to have Ruby installed and a few global gems used to run and record the unit tests. A working Ruby version can be taken from the [CI script](/.circleci/config.yml). At the moment of this writting we're using Ruby `2.5.7`.
|
4
|
+
|
5
|
+
> It is expected that every Pull Request introducing a fix, change or feature contains enough test coverage to assert the new behavior.
|
6
|
+
|
7
|
+
## Running the tests
|
8
|
+
|
9
|
+
Install the gems required for this project.
|
10
|
+
|
11
|
+
```bash
|
12
|
+
bundle install
|
13
|
+
```
|
14
|
+
|
15
|
+
Finally, run the tests.
|
16
|
+
|
17
|
+
```bash
|
18
|
+
bundle exec rake test
|
19
|
+
```
|
20
|
+
|
21
|
+
### Running only unit tests
|
22
|
+
|
23
|
+
You can run only the unit tests and ignore the integration tests by running the following:
|
24
|
+
|
25
|
+
```bash
|
26
|
+
bundle exec rake spec
|
27
|
+
```
|
28
|
+
|
29
|
+
### Running only integration tests
|
30
|
+
|
31
|
+
You can run only the unit tests and ignore the integration tests by running the following:
|
32
|
+
|
33
|
+
```bash
|
34
|
+
bundle exec rake integration
|
35
|
+
```
|
data/EXAMPLES.md
ADDED
@@ -0,0 +1,220 @@
|
|
1
|
+
# Examples using ruby-auth0
|
2
|
+
|
3
|
+
## Build a URL to Universal Login Page
|
4
|
+
|
5
|
+
```ruby
|
6
|
+
require 'auth0'
|
7
|
+
|
8
|
+
client = Auth0Client.new(
|
9
|
+
client_id: ENV['AUTH0_RUBY_CLIENT_ID'],
|
10
|
+
client_secret: ENV['AUTH0_RUBY_CLIENT_SECRET'],
|
11
|
+
domain: ENV['AUTH0_RUBY_DOMAIN'],
|
12
|
+
)
|
13
|
+
|
14
|
+
client.authorize_url 'http://localhost:3000'
|
15
|
+
|
16
|
+
> => #<URI::HTTPS https://YOUR_DOMAIN/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000>
|
17
|
+
|
18
|
+
```
|
19
|
+
|
20
|
+
## Management API Client
|
21
|
+
|
22
|
+
As a simple example of how to get started with the management API, we'll create an admin route to point to a list of all users from Auth0:
|
23
|
+
|
24
|
+
```ruby
|
25
|
+
# config/routes.rb
|
26
|
+
Rails.application.routes.draw do
|
27
|
+
# ...
|
28
|
+
get 'admin/users', to: 'all_users#index'
|
29
|
+
# ...
|
30
|
+
end
|
31
|
+
```
|
32
|
+
|
33
|
+
... and a Controller to handle that route:
|
34
|
+
|
35
|
+
```ruby
|
36
|
+
# app/controllers/all_users_controller.rb
|
37
|
+
require 'auth0'
|
38
|
+
|
39
|
+
class AllUsersController < ApplicationController
|
40
|
+
# Get all users from Auth0 with "auth0" in their email.
|
41
|
+
def index
|
42
|
+
@params = {
|
43
|
+
q: "email:*auth0*",
|
44
|
+
fields: 'email,user_id,name',
|
45
|
+
include_fields: true,
|
46
|
+
page: 0,
|
47
|
+
per_page: 50
|
48
|
+
}
|
49
|
+
@users = auth0_client.users @params
|
50
|
+
end
|
51
|
+
|
52
|
+
private
|
53
|
+
|
54
|
+
# Setup the Auth0 API connection.
|
55
|
+
def auth0_client
|
56
|
+
@auth0_client ||= Auth0Client.new(
|
57
|
+
client_id: ENV['AUTH0_RUBY_CLIENT_ID'],
|
58
|
+
client_secret: ENV['AUTH0_RUBY_CLIENT_SECRET'],
|
59
|
+
domain: ENV['AUTH0_RUBY_DOMAIN'],
|
60
|
+
api_version: 2,
|
61
|
+
timeout: 15 # optional, defaults to 10
|
62
|
+
)
|
63
|
+
end
|
64
|
+
end
|
65
|
+
```
|
66
|
+
|
67
|
+
In this example, we're using environment variables to store the values needed to connect to Auth0 and authorize. The `token` used above is an API token for the Management API with the scopes required to perform a specific action (in this case `read:users`). These tokens can be [generated manually](https://auth0.com/docs/api/management/v2/tokens#get-a-token-manually) using a test Application or with the [Application](https://manage.auth0.com/#/applications) being used for your project.
|
68
|
+
|
69
|
+
Finally, we'll add a view to display the results:
|
70
|
+
|
71
|
+
```ruby
|
72
|
+
# app/views/all_users/index.html.erb
|
73
|
+
<h1>Users</h1>
|
74
|
+
<%= debug @params %>
|
75
|
+
<%= debug @users %>
|
76
|
+
```
|
77
|
+
|
78
|
+
This should show the parameters passed to the `users` method and a list of users that matched the query (or an empty array if none).
|
79
|
+
|
80
|
+
## Organizations
|
81
|
+
|
82
|
+
[Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
|
83
|
+
|
84
|
+
Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.
|
85
|
+
|
86
|
+
### Logging in with an Organization
|
87
|
+
|
88
|
+
Configure the Authentication API client and pass your Organization ID to the authorize url:
|
89
|
+
|
90
|
+
```ruby
|
91
|
+
require 'auth0'
|
92
|
+
|
93
|
+
@auth0_client ||= Auth0Client.new(
|
94
|
+
client_id: '{YOUR_APPLICATION_CLIENT_ID}',
|
95
|
+
client_secret: '{YOUR_APPLICATION_CLIENT_SECRET}',
|
96
|
+
domain: '{YOUR_TENANT}.auth0.com',
|
97
|
+
organization: "{YOUR_ORGANIZATION_ID}"
|
98
|
+
)
|
99
|
+
|
100
|
+
universal_login_url = @auth0_client.authorization_url("https://{YOUR_APPLICATION_CALLBACK_URL}")
|
101
|
+
|
102
|
+
# redirect_to universal_login_url
|
103
|
+
```
|
104
|
+
|
105
|
+
### Accepting user invitations
|
106
|
+
|
107
|
+
Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard. When they arrive at this URL, a `invitation` and `organization` query parameters will be provided
|
108
|
+
|
109
|
+
```ruby
|
110
|
+
require 'auth0'
|
111
|
+
|
112
|
+
@auth0_client ||= Auth0Client.new(
|
113
|
+
client_id: '{YOUR_APPLICATION_CLIENT_ID}',
|
114
|
+
client_secret: '{YOUR_APPLICATION_CLIENT_ID}',
|
115
|
+
domain: '{YOUR_TENANT}.auth0.com',
|
116
|
+
organization: "{YOUR_ORGANIZATION_ID}"
|
117
|
+
)
|
118
|
+
|
119
|
+
universal_login_url = @auth0_client.authorization_url("https://{YOUR_APPLICATION_CALLBACK_URL}", {
|
120
|
+
organization: "{ORGANIZATION_QUERY_PARAM}", # You can override organization if needed
|
121
|
+
invitation: "{INVITATION_QUERY_PARAM}"
|
122
|
+
})
|
123
|
+
|
124
|
+
# redirect_to universal_login_url
|
125
|
+
```
|
126
|
+
|
127
|
+
## ID Token Validation
|
128
|
+
|
129
|
+
An ID token may be present in the credentials received after authentication. This token contains information associated with the user that has just logged in, provided the scope used contained `openid`. You can [read more about ID tokens here](https://auth0.com/docs/tokens/concepts/id-tokens).
|
130
|
+
|
131
|
+
Before accessing its contents, you must first validate the ID token to ensure it has not been tampered with and that it is meant for your application to consume. Use the `validate_id_token` method to do so:
|
132
|
+
|
133
|
+
```ruby
|
134
|
+
begin
|
135
|
+
@auth0_client.validate_id_token 'YOUR_ID_TOKEN'
|
136
|
+
rescue Auth0::InvalidIdToken => e
|
137
|
+
# In this case the ID Token contents should not be trusted
|
138
|
+
end
|
139
|
+
```
|
140
|
+
|
141
|
+
The method takes the following optional keyword parameters:
|
142
|
+
|
143
|
+
| Parameter | Type | Description | Default value |
|
144
|
+
| -------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
|
145
|
+
| `algorithm` | `JWTAlgorithm` | The [signing algorithm](https://auth0.com/docs/tokens/concepts/signing-algorithms) used by your Auth0 application. | `Auth0::Algorithm::RS256` (using the [JWKS URL](https://auth0.com/docs/tokens/concepts/jwks) of your **Auth0 Domain**) |
|
146
|
+
| `leeway` | Integer | Number of seconds to account for clock skew when validating the `exp`, `iat` and `azp` claims. | `60` |
|
147
|
+
| `nonce` | String | The `nonce` value you sent in the call to `/authorize`, if any. | `nil` |
|
148
|
+
| `max_age` | Integer | The `max_age` value you sent in the call to `/authorize`, if any. | `nil` |
|
149
|
+
| `issuer` | String | By default the `iss` claim will be checked against the URL of your **Auth0 Domain**. Use this parameter to override that. | `nil` |
|
150
|
+
| `audience` | String | By default the `aud` claim will be compared to your **Auth0 Client ID**. Use this parameter to override that. | `nil` |
|
151
|
+
| `organization` | String | By default the `org_id` claim will be compared to your **Organization ID**. Use this parameter to override that. | `nil` |
|
152
|
+
|
153
|
+
You can check the signing algorithm value under **Advanced Settings > OAuth > JsonWebToken Signature Algorithm** in your Auth0 application settings panel. [We recommend](https://auth0.com/docs/tokens/concepts/signing-algorithms#our-recommendation) that you make use of asymmetric signing algorithms like `RS256` instead of symmetric ones like `HS256`.
|
154
|
+
|
155
|
+
```ruby
|
156
|
+
# HS256
|
157
|
+
|
158
|
+
begin
|
159
|
+
@auth0_client.validate_id_token 'YOUR_ID_TOKEN', algorithm: Auth0::Algorithm::HS256.secret('YOUR_SECRET')
|
160
|
+
rescue Auth0::InvalidIdToken => e
|
161
|
+
# Handle error
|
162
|
+
end
|
163
|
+
|
164
|
+
# RS256 with a custom JWKS URL
|
165
|
+
|
166
|
+
begin
|
167
|
+
@auth0_client.validate_id_token 'YOUR_ID_TOKEN', algorithm: Auth0::Algorithm::RS256.jwks_url('YOUR_URL')
|
168
|
+
rescue Auth0::InvalidIdToken => e
|
169
|
+
# Handle error
|
170
|
+
end
|
171
|
+
```
|
172
|
+
|
173
|
+
### Organization ID Token Validation
|
174
|
+
|
175
|
+
If an org_id claim is present in the Access Token, then the claim should be validated by the API to ensure that the value received is expected or known.
|
176
|
+
|
177
|
+
In particular:
|
178
|
+
|
179
|
+
- The issuer (iss) claim should be checked to ensure the token was issued by Auth0
|
180
|
+
|
181
|
+
- the org_id claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the Access Token.
|
182
|
+
|
183
|
+
Normally, validating the issuer would be enough to ensure that the token was issued by Auth0. In the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
|
184
|
+
|
185
|
+
If the claim cannot be validated, then the application should deem the token invalid.
|
186
|
+
|
187
|
+
```ruby
|
188
|
+
begin
|
189
|
+
@auth0_client.validate_id_token 'YOUR_ID_TOKEN', organization: '{Expected org_id}'
|
190
|
+
rescue Auth0::InvalidIdToken => e
|
191
|
+
# In this case the ID Token contents should not be trusted
|
192
|
+
end
|
193
|
+
```
|
194
|
+
|
195
|
+
For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.
|
196
|
+
|
197
|
+
## Use a private key to authenticate with Auth0
|
198
|
+
|
199
|
+
You are able to take advantage of using a JWT signed with a private key to authenticate with Auth0 in place of using a client secret.
|
200
|
+
|
201
|
+
**Note:** you must upload the corresponding public key to your Auth0 tenant, so that Auth0 is able to verify the JWT signature.
|
202
|
+
|
203
|
+
Specify the client assertion key when creating the Auth0 client as in the following example:
|
204
|
+
|
205
|
+
```ruby
|
206
|
+
key_string = File.read 'key.pem'
|
207
|
+
key = OpenSSL::PKey::RSA.new key_string
|
208
|
+
|
209
|
+
client = Auth0Client.new(
|
210
|
+
domain: 'AUTH0_DOMAIN',
|
211
|
+
client_id: 'AUTH0_CLIENT_ID',
|
212
|
+
client_assertion_signing_key: key,
|
213
|
+
client_assertion_signing_alg: 'RS256')
|
214
|
+
```
|
215
|
+
|
216
|
+
Some notes:
|
217
|
+
|
218
|
+
* If both `client_secret` and `client_assertion_signing_key` are specified, `client_assertion_signing_key` takes precedence
|
219
|
+
* `client_assertion_signing_alg` is optional and defaults to `RS256` if omitted
|
220
|
+
* Only `RS256`, `RS384` and `PS256` algorithms are supported by Auth0 currently
|
data/Gemfile
CHANGED
data/Gemfile.lock
CHANGED
@@ -1,9 +1,9 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
auth0 (5.
|
4
|
+
auth0 (5.11.0)
|
5
5
|
addressable (~> 2.8)
|
6
|
-
jwt (~> 2.
|
6
|
+
jwt (~> 2.5)
|
7
7
|
rest-client (~> 2.1)
|
8
8
|
retryable (~> 3.0)
|
9
9
|
zache (~> 0.12)
|
@@ -11,20 +11,20 @@ PATH
|
|
11
11
|
GEM
|
12
12
|
remote: https://rubygems.org/
|
13
13
|
specs:
|
14
|
-
actionpack (7.0.
|
15
|
-
actionview (= 7.0.
|
16
|
-
activesupport (= 7.0.
|
14
|
+
actionpack (7.0.4.2)
|
15
|
+
actionview (= 7.0.4.2)
|
16
|
+
activesupport (= 7.0.4.2)
|
17
17
|
rack (~> 2.0, >= 2.2.0)
|
18
18
|
rack-test (>= 0.6.3)
|
19
19
|
rails-dom-testing (~> 2.0)
|
20
20
|
rails-html-sanitizer (~> 1.0, >= 1.2.0)
|
21
|
-
actionview (7.0.
|
22
|
-
activesupport (= 7.0.
|
21
|
+
actionview (7.0.4.2)
|
22
|
+
activesupport (= 7.0.4.2)
|
23
23
|
builder (~> 3.1)
|
24
24
|
erubi (~> 1.4)
|
25
25
|
rails-dom-testing (~> 2.0)
|
26
26
|
rails-html-sanitizer (~> 1.1, >= 1.2.0)
|
27
|
-
activesupport (7.0.
|
27
|
+
activesupport (7.0.4.2)
|
28
28
|
concurrent-ruby (~> 1.0, >= 1.0.2)
|
29
29
|
i18n (>= 1.6, < 2)
|
30
30
|
minitest (>= 5.1)
|
@@ -33,8 +33,7 @@ GEM
|
|
33
33
|
public_suffix (>= 2.0.2, < 6.0)
|
34
34
|
ast (2.4.2)
|
35
35
|
builder (3.2.4)
|
36
|
-
|
37
|
-
concurrent-ruby (1.1.10)
|
36
|
+
concurrent-ruby (1.2.0)
|
38
37
|
coveralls (0.7.1)
|
39
38
|
multi_json (~> 1.3)
|
40
39
|
rest-client
|
@@ -52,8 +51,8 @@ GEM
|
|
52
51
|
dotenv-rails (2.8.1)
|
53
52
|
dotenv (= 2.8.1)
|
54
53
|
railties (>= 3.2)
|
55
|
-
erubi (1.
|
56
|
-
faker (2.
|
54
|
+
erubi (1.12.0)
|
55
|
+
faker (2.23.0)
|
57
56
|
i18n (>= 1.8.11, < 2)
|
58
57
|
fuubar (2.5.1)
|
59
58
|
rspec-core (~> 3.0)
|
@@ -65,52 +64,50 @@ GEM
|
|
65
64
|
domain_name (~> 0.5)
|
66
65
|
i18n (1.12.0)
|
67
66
|
concurrent-ruby (~> 1.0)
|
68
|
-
io-console (0.
|
69
|
-
irb (1.
|
67
|
+
io-console (0.6.0)
|
68
|
+
irb (1.6.2)
|
70
69
|
reline (>= 0.3.0)
|
71
|
-
json (2.6.
|
72
|
-
jwt (2.
|
73
|
-
loofah (2.
|
70
|
+
json (2.6.3)
|
71
|
+
jwt (2.6.0)
|
72
|
+
loofah (2.19.1)
|
74
73
|
crass (~> 1.0.2)
|
75
74
|
nokogiri (>= 1.5.9)
|
76
|
-
method_source (0.
|
75
|
+
method_source (1.0.0)
|
77
76
|
mime-types (3.4.1)
|
78
77
|
mime-types-data (~> 3.2015)
|
79
78
|
mime-types-data (3.2022.0105)
|
80
|
-
minitest (5.
|
79
|
+
minitest (5.17.0)
|
81
80
|
multi_json (1.15.0)
|
82
81
|
netrc (0.11.0)
|
83
|
-
nokogiri (1.
|
82
|
+
nokogiri (1.14.0-x86_64-linux)
|
84
83
|
racc (~> 1.4)
|
85
84
|
parallel (1.22.1)
|
86
|
-
parser (3.
|
85
|
+
parser (3.2.0.0)
|
87
86
|
ast (~> 2.4.1)
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
racc (1.6.0)
|
95
|
-
rack (2.2.4)
|
87
|
+
pp (0.4.0)
|
88
|
+
prettyprint
|
89
|
+
prettyprint (0.1.1)
|
90
|
+
public_suffix (5.0.1)
|
91
|
+
racc (1.6.2)
|
92
|
+
rack (2.2.6.2)
|
96
93
|
rack-test (0.8.3)
|
97
94
|
rack (>= 1.0, < 3)
|
98
95
|
rails-dom-testing (2.0.3)
|
99
96
|
activesupport (>= 4.2.0)
|
100
97
|
nokogiri (>= 1.6)
|
101
|
-
rails-html-sanitizer (1.
|
102
|
-
loofah (~> 2.
|
103
|
-
railties (7.0.
|
104
|
-
actionpack (= 7.0.
|
105
|
-
activesupport (= 7.0.
|
98
|
+
rails-html-sanitizer (1.5.0)
|
99
|
+
loofah (~> 2.19, >= 2.19.1)
|
100
|
+
railties (7.0.4.2)
|
101
|
+
actionpack (= 7.0.4.2)
|
102
|
+
activesupport (= 7.0.4.2)
|
106
103
|
method_source
|
107
104
|
rake (>= 12.2)
|
108
105
|
thor (~> 1.0)
|
109
106
|
zeitwerk (~> 2.5)
|
110
107
|
rainbow (3.1.1)
|
111
108
|
rake (13.0.6)
|
112
|
-
regexp_parser (2.
|
113
|
-
reline (0.3.
|
109
|
+
regexp_parser (2.6.2)
|
110
|
+
reline (0.3.2)
|
114
111
|
io-console (~> 0.5)
|
115
112
|
rest-client (2.1.0)
|
116
113
|
http-accept (>= 1.7.0, < 2.0)
|
@@ -119,37 +116,37 @@ GEM
|
|
119
116
|
netrc (~> 0.8)
|
120
117
|
retryable (3.0.5)
|
121
118
|
rexml (3.2.5)
|
122
|
-
rspec (3.
|
123
|
-
rspec-core (~> 3.
|
124
|
-
rspec-expectations (~> 3.
|
125
|
-
rspec-mocks (~> 3.
|
126
|
-
rspec-core (3.
|
127
|
-
rspec-support (~> 3.
|
128
|
-
rspec-expectations (3.
|
119
|
+
rspec (3.12.0)
|
120
|
+
rspec-core (~> 3.12.0)
|
121
|
+
rspec-expectations (~> 3.12.0)
|
122
|
+
rspec-mocks (~> 3.12.0)
|
123
|
+
rspec-core (3.12.0)
|
124
|
+
rspec-support (~> 3.12.0)
|
125
|
+
rspec-expectations (3.12.2)
|
129
126
|
diff-lcs (>= 1.2.0, < 2.0)
|
130
|
-
rspec-support (~> 3.
|
131
|
-
rspec-mocks (3.
|
127
|
+
rspec-support (~> 3.12.0)
|
128
|
+
rspec-mocks (3.12.3)
|
132
129
|
diff-lcs (>= 1.2.0, < 2.0)
|
133
|
-
rspec-support (~> 3.
|
134
|
-
rspec-support (3.
|
135
|
-
rubocop (1.
|
130
|
+
rspec-support (~> 3.12.0)
|
131
|
+
rspec-support (3.12.0)
|
132
|
+
rubocop (1.44.1)
|
136
133
|
json (~> 2.3)
|
137
134
|
parallel (~> 1.10)
|
138
|
-
parser (>= 3.
|
135
|
+
parser (>= 3.2.0.0)
|
139
136
|
rainbow (>= 2.2.2, < 4.0)
|
140
137
|
regexp_parser (>= 1.8, < 3.0)
|
141
138
|
rexml (>= 3.2.5, < 4.0)
|
142
|
-
rubocop-ast (>= 1.
|
139
|
+
rubocop-ast (>= 1.24.1, < 2.0)
|
143
140
|
ruby-progressbar (~> 1.7)
|
144
|
-
unicode-display_width (>=
|
145
|
-
rubocop-ast (1.
|
141
|
+
unicode-display_width (>= 2.4.0, < 3.0)
|
142
|
+
rubocop-ast (1.24.1)
|
146
143
|
parser (>= 3.1.1.0)
|
147
|
-
rubocop-rails (2.
|
144
|
+
rubocop-rails (2.17.4)
|
148
145
|
activesupport (>= 4.2.0)
|
149
146
|
rack (>= 1.1)
|
150
|
-
rubocop (>= 1.
|
147
|
+
rubocop (>= 1.33.0, < 2.0)
|
151
148
|
ruby-progressbar (1.11.0)
|
152
|
-
simplecov (0.
|
149
|
+
simplecov (0.22.0)
|
153
150
|
docile (~> 1.1)
|
154
151
|
simplecov-html (~> 0.11)
|
155
152
|
simplecov_json_formatter (~> 0.1)
|
@@ -162,22 +159,22 @@ GEM
|
|
162
159
|
term-ansicolor (1.7.1)
|
163
160
|
tins (~> 1.0)
|
164
161
|
thor (1.2.1)
|
165
|
-
timecop (0.9.
|
166
|
-
tins (1.
|
162
|
+
timecop (0.9.6)
|
163
|
+
tins (1.32.1)
|
167
164
|
sync
|
168
165
|
tzinfo (2.0.5)
|
169
166
|
concurrent-ruby (~> 1.0)
|
170
167
|
unf (0.1.4)
|
171
168
|
unf_ext
|
172
169
|
unf_ext (0.0.8.2)
|
173
|
-
unicode-display_width (2.2
|
170
|
+
unicode-display_width (2.4.2)
|
174
171
|
vcr (6.1.0)
|
175
172
|
webmock (3.18.1)
|
176
173
|
addressable (>= 2.8.0)
|
177
174
|
crack (>= 0.3.2)
|
178
175
|
hashdiff (>= 0.4.0, < 2.0.0)
|
179
176
|
zache (0.12.0)
|
180
|
-
zeitwerk (2.6.
|
177
|
+
zeitwerk (2.6.6)
|
181
178
|
|
182
179
|
PLATFORMS
|
183
180
|
x86_64-linux
|
@@ -191,12 +188,11 @@ DEPENDENCIES
|
|
191
188
|
fuubar (~> 2.0)
|
192
189
|
gem-release (~> 0.7)
|
193
190
|
irb
|
194
|
-
|
195
|
-
pry-nav (~> 0.2)
|
191
|
+
pp
|
196
192
|
rack (~> 2.1)
|
197
193
|
rack-test (~> 0.6)
|
198
194
|
rake (~> 13.0)
|
199
|
-
rspec (~> 3.
|
195
|
+
rspec (~> 3.11)
|
200
196
|
rubocop
|
201
197
|
rubocop-rails
|
202
198
|
simplecov (~> 0.9)
|
@@ -206,4 +202,4 @@ DEPENDENCIES
|
|
206
202
|
webmock
|
207
203
|
|
208
204
|
BUNDLED WITH
|
209
|
-
2.3.
|
205
|
+
2.3.26
|