auth0 5.9.0 → 5.11.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.circleci/config.yml +3 -3
- data/.devcontainer/Dockerfile +19 -0
- data/.devcontainer/devcontainer.json +37 -0
- data/CHANGELOG.md +22 -0
- data/DEVELOPMENT.md +35 -0
- data/EXAMPLES.md +220 -0
- data/Gemfile +1 -0
- data/Gemfile.lock +59 -63
- data/README.md +68 -253
- data/auth0.gemspec +2 -4
- data/examples/ruby-api/Gemfile +3 -2
- data/examples/ruby-api/Gemfile.lock +33 -0
- data/examples/ruby-api/README.md +2 -2
- data/examples/ruby-on-rails-api/README.md +0 -2
- data/lib/auth0/api/authentication_endpoints.rb +70 -13
- data/lib/auth0/api/v2/clients.rb +42 -0
- data/lib/auth0/api/v2/jobs.rb +15 -4
- data/lib/auth0/api/v2/organizations.rb +1 -1
- data/lib/auth0/client_assertion.rb +45 -0
- data/lib/auth0/mixins/httpproxy.rb +11 -12
- data/lib/auth0/mixins/initializer.rb +2 -0
- data/lib/auth0/mixins/token_management.rb +2 -2
- data/lib/auth0/version.rb +1 -1
- data/opslevel.yml +5 -0
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Clients/_patch_client/should_update_the_client_with_the_correct_attributes.yml +2 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Connections/_update_connection/should_update_the_connection.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Rules/_update_rule/should_update_the_disabled_rule_to_be_enabled.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_revert_the_tenant_name.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Tenants/_update_tenant_settings/should_update_the_tenant_settings_with_a_new_tenant_name.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_add_user_roles/should_add_a_Role_to_a_User_successfully.yml +1 -1
- data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Users/_patch_user/should_patch_the_User_successfully.yml +1 -1
- data/spec/lib/auth0/api/authentication_endpoints_spec.rb +632 -0
- data/spec/lib/auth0/api/v2/clients_spec.rb +51 -0
- data/spec/lib/auth0/api/v2/jobs_spec.rb +18 -0
- data/spec/lib/auth0/mixins/httpproxy_spec.rb +53 -17
- data/spec/lib/auth0/mixins/initializer_spec.rb +79 -25
- data/spec/lib/auth0/mixins/token_management_spec.rb +47 -37
- data/spec/spec_helper.rb +4 -1
- data/spec/support/dummy_class_for_tokens.rb +2 -0
- metadata +15 -35
data/README.md
CHANGED
@@ -1,15 +1,27 @@
|
|
1
|
-
|
1
|
+
![ruby-auth0](https://cdn.auth0.com/website/sdks/banners/ruby-auth0-banner.png)
|
2
|
+
|
3
|
+
Ruby API client for the [Auth0](https://auth0.com) platform.
|
2
4
|
|
3
5
|
[![CircleCI](https://img.shields.io/circleci/project/github/auth0/ruby-auth0/master.svg)](https://circleci.com/gh/auth0/ruby-auth0)
|
4
6
|
[![Gem Version](https://badge.fury.io/rb/auth0.svg)](http://badge.fury.io/rb/auth0)
|
5
7
|
[![codecov](https://codecov.io/gh/auth0/ruby-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/ruby-auth0)
|
6
8
|
[![Yard Docs](http://img.shields.io/badge/yard-docs-blue.svg)](http://www.rubydoc.info/github/auth0/ruby-auth0/master/frames)
|
7
9
|
[![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/ruby-auth0/blob/master/LICENSE)
|
8
|
-
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fruby-auth0.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fruby-auth0?ref=badge_shield)
|
9
10
|
|
10
|
-
|
11
|
+
<div>
|
12
|
+
📚 <a href="#documentation">Documentation</a> - 🚀 <a href="#getting-started">Getting started</a> - 💻 <a href="#api-reference">API reference</a> - 💬 <a href="#feedback">Feedback</a>
|
13
|
+
</div>
|
14
|
+
|
15
|
+
## Documentation
|
16
|
+
|
17
|
+
- [API documentation](https://www.rubydoc.info/gems/auth0) - documentation auto-generated from the code comments that explains all the available features
|
18
|
+
- [Examples](https://github.com/auth0/ruby-auth0/blob/master/EXAMPLES.md) - examples that demonstrate the different ways in which this SDK can be used
|
19
|
+
[FAQ](https://github.com/auth0/ruby-auth0/blob/master/FAQ.md) - frequently asked questions about the SDK
|
20
|
+
- [Docs Site](https://auth0.com/docs) - explore our Docs site and learn more about Auth0
|
21
|
+
|
22
|
+
## Getting Started
|
11
23
|
|
12
|
-
|
24
|
+
### Installation
|
13
25
|
|
14
26
|
This gem can be installed directly:
|
15
27
|
|
@@ -17,100 +29,48 @@ This gem can be installed directly:
|
|
17
29
|
$ gem install auth0
|
18
30
|
```
|
19
31
|
|
20
|
-
|
32
|
+
or with [Bundler](https://bundler.io/man/bundle-add.1.html):
|
21
33
|
|
22
34
|
```bash
|
23
35
|
bundle add auth0
|
24
36
|
```
|
25
37
|
|
26
|
-
|
27
|
-
|
28
|
-
https://www.rubydoc.info/gems/auth0
|
29
|
-
|
30
|
-
## Management API v2
|
31
|
-
|
32
|
-
This SDK provides access to the [Management API v2](https://auth0.com/docs/api/management/v2) via modules that help create clear and accurate calls. Most of the interaction is done through the `Auth0Client` class, instantiated with the required credentials.
|
33
|
-
|
34
|
-
As a simple example of how to get started, we'll create an admin route to point to a list of all users from Auth0:
|
35
|
-
|
36
|
-
```ruby
|
37
|
-
# config/routes.rb
|
38
|
-
Rails.application.routes.draw do
|
39
|
-
# ...
|
40
|
-
get 'admin/users', to: 'all_users#index'
|
41
|
-
# ...
|
42
|
-
end
|
43
|
-
```
|
38
|
+
### Usage
|
44
39
|
|
45
|
-
|
40
|
+
Create an instance of `Auth0Client` to access properties and methods of the authentication and management APIs:
|
46
41
|
|
47
42
|
```ruby
|
48
|
-
# app/controllers/all_users_controller.rb
|
49
43
|
require 'auth0'
|
50
44
|
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
#
|
67
|
-
|
68
|
-
|
69
|
-
client_id: ENV['AUTH0_RUBY_CLIENT_ID'],
|
70
|
-
client_secret: ENV['AUTH0_RUBY_CLIENT_SECRET'],
|
71
|
-
# If you pass in a client_secret value, the SDK will automatically try to get a
|
72
|
-
# Management API token for this application. Make sure your Application can make a
|
73
|
-
# Client Credentials grant (Application settings in Auth0 > Advanced > Grant Types
|
74
|
-
# tab) and that the Application is authorized for the Management API:
|
75
|
-
# https://auth0.com/docs/api-auth/config/using-the-auth0-dashboard
|
76
|
-
#
|
77
|
-
# Otherwise, you can pass in a Management API token directly for testing or temporary
|
78
|
-
# access using the key below.
|
79
|
-
# token: ENV['AUTH0_RUBY_API_TOKEN'],
|
80
|
-
#
|
81
|
-
# When passing a token, you can also specify when the token expires in seconds from epoch. Otherwise, expiry is set
|
82
|
-
# by default to an hour from now.
|
83
|
-
# token_expires_at: Time.now.to_i + 86400,
|
84
|
-
domain: ENV['AUTH0_RUBY_DOMAIN'],
|
85
|
-
api_version: 2,
|
86
|
-
timeout: 15 # optional, defaults to 10
|
87
|
-
)
|
88
|
-
end
|
89
|
-
end
|
90
|
-
```
|
91
|
-
|
92
|
-
In this example, we're using environment variables to store the values needed to connect to Auth0 and authorize. The `token` used above is an API token for the Management API with the scopes required to perform a specific action (in this case `read:users`). These tokens can be [generated manually](https://auth0.com/docs/api/management/v2/tokens#get-a-token-manually) using a test Application or with the [Application](https://manage.auth0.com/#/applications) being used for your project.
|
93
|
-
|
94
|
-
Finally, we'll add a view to display the results:
|
95
|
-
|
96
|
-
```ruby
|
97
|
-
# app/views/all_users/index.html.erb
|
98
|
-
<h1>Users</h1>
|
99
|
-
<%= debug @params %>
|
100
|
-
<%= debug @users %>
|
45
|
+
client = Auth0Client.new(
|
46
|
+
client_id: ENV['AUTH0_RUBY_CLIENT_ID'],
|
47
|
+
client_secret: ENV['AUTH0_RUBY_CLIENT_SECRET'],
|
48
|
+
domain: ENV['AUTH0_RUBY_DOMAIN'],
|
49
|
+
# If you pass in a client_secret value, the SDK will automatically try to get a
|
50
|
+
# Management API token for this application. Make sure your Application can make a
|
51
|
+
# Client Credentials grant (Application settings in Auth0 > Advanced > Grant Types
|
52
|
+
# tab) and that the Application is authorized for the Management API:
|
53
|
+
# https://auth0.com/docs/api-auth/config/using-the-auth0-dashboard
|
54
|
+
#
|
55
|
+
# Otherwise, you can pass in a Management API token directly for testing or temporary
|
56
|
+
# access using the key below.
|
57
|
+
# token: ENV['AUTH0_RUBY_API_TOKEN'],
|
58
|
+
#
|
59
|
+
# When passing a token, you can also specify when the token expires in seconds from epoch. Otherwise, expiry is set
|
60
|
+
# by default to an hour from now.
|
61
|
+
# token_expires_at: Time.now.to_i + 86400
|
62
|
+
)
|
101
63
|
```
|
102
64
|
|
103
|
-
This should show the parameters passed to the `users` method and a list of users that matched the query (or an empty array if none).
|
104
|
-
|
105
|
-
### Token management
|
106
|
-
|
107
65
|
If `token` is omitted, the SDK will attempt to fetch a new token using the `client_credentials` grant, provided that `client_id` and `client_secret` are provided in the configuration. Once the token is about to expire (or has already expired), a new token will be fetched and cached for future calls.
|
108
66
|
|
109
67
|
For this to work, ensure your application can make a Client Credentials grant (Application settings in Auth0 > Advanced > Grant Types tab) and that the application is authorized for the Management API: https://auth0.com/docs/api-auth/config/using-the-auth0-dashboard
|
110
68
|
|
111
|
-
## Authentication
|
69
|
+
## Authentication API Client
|
112
70
|
|
113
|
-
|
71
|
+
This SDK provides access to [Authentication API](https://auth0.com/docs/api/authentication) endpoints with the `Auth0::API::AuthenticationEndpoints` module.
|
72
|
+
|
73
|
+
For basic login capability, we suggest using our OmniAuth stategy [detailed here](https://auth0.com/docs/quickstart/webapp/rails/01-login). Other authentication tasks currently supported are:
|
114
74
|
|
115
75
|
- Register a new user with a database connection using the `signup` method.
|
116
76
|
- Redirect a user to the universal login page for authentication using the `authorization_url` method.
|
@@ -123,160 +83,13 @@ In addition to the Management API, this SDK also provides access to [Authenticat
|
|
123
83
|
|
124
84
|
Please note that this module implements endpoints that might be deprecated for newer tenants. If you have any questions about how and when the endpoints should be used, consult the [documentation](https://auth0.com/docs/api/authentication) or ask in our [Community forums](https://community.auth0.com/tags/wordpress).
|
125
85
|
|
126
|
-
|
127
|
-
|
128
|
-
[Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
|
129
|
-
|
130
|
-
Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.
|
86
|
+
## Management API Client
|
131
87
|
|
132
|
-
|
88
|
+
This SDK provides access to the [Management API](https://auth0.com/docs/api/management/v2) via modules that help create clear and accurate calls. Most of the interaction is done through the `Auth0Client` class, instantiated with the required credentials.
|
133
89
|
|
134
|
-
|
90
|
+
For an example of using the management API client to read of users, see the [examples document](https://github.com/auth0/ruby-auth0/blob/master/EXAMPLES.md).
|
135
91
|
|
136
|
-
|
137
|
-
require 'auth0'
|
138
|
-
|
139
|
-
@auth0_client ||= Auth0Client.new(
|
140
|
-
client_id: '{YOUR_APPLICATION_CLIENT_ID}',
|
141
|
-
client_secret: '{YOUR_APPLICATION_CLIENT_SECRET}',
|
142
|
-
domain: '{YOUR_TENANT}.auth0.com',
|
143
|
-
organization: "{YOUR_ORGANIZATION_ID}"
|
144
|
-
)
|
145
|
-
|
146
|
-
universal_login_url = @auth0_client.authorization_url("https://{YOUR_APPLICATION_CALLBACK_URL}")
|
147
|
-
|
148
|
-
# redirect_to universal_login_url
|
149
|
-
```
|
150
|
-
|
151
|
-
#### Accepting user invitations
|
152
|
-
|
153
|
-
Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard. When they arrive at this URL, a `invitation` and `organization` query parameters will be provided
|
154
|
-
|
155
|
-
```ruby
|
156
|
-
require 'auth0'
|
157
|
-
|
158
|
-
@auth0_client ||= Auth0Client.new(
|
159
|
-
client_id: '{YOUR_APPLICATION_CLIENT_ID}',
|
160
|
-
client_secret: '{YOUR_APPLICATION_CLIENT_ID}',
|
161
|
-
domain: '{YOUR_TENANT}.auth0.com',
|
162
|
-
organization: "{YOUR_ORGANIZATION_ID}"
|
163
|
-
)
|
164
|
-
|
165
|
-
universal_login_url = @auth0_client.authorization_url("https://{YOUR_APPLICATION_CALLBACK_URL}", {
|
166
|
-
organization: "{ORGANIZATION_QUERY_PARAM}", # You can override organization if needed
|
167
|
-
invitation: "{INVITATION_QUERY_PARAM}"
|
168
|
-
})
|
169
|
-
|
170
|
-
# redirect_to universal_login_url
|
171
|
-
```
|
172
|
-
|
173
|
-
## ID Token Validation
|
174
|
-
|
175
|
-
An ID token may be present in the credentials received after authentication. This token contains information associated with the user that has just logged in, provided the scope used contained `openid`. You can [read more about ID tokens here](https://auth0.com/docs/tokens/concepts/id-tokens).
|
176
|
-
|
177
|
-
Before accessing its contents, you must first validate the ID token to ensure it has not been tampered with and that it is meant for your application to consume. Use the `validate_id_token` method to do so:
|
178
|
-
|
179
|
-
```ruby
|
180
|
-
begin
|
181
|
-
@auth0_client.validate_id_token 'YOUR_ID_TOKEN'
|
182
|
-
rescue Auth0::InvalidIdToken => e
|
183
|
-
# In this case the ID Token contents should not be trusted
|
184
|
-
end
|
185
|
-
```
|
186
|
-
|
187
|
-
The method takes the following optional keyword parameters:
|
188
|
-
|
189
|
-
| Parameter | Type | Description | Default value |
|
190
|
-
| ------------- | -------------- | ------------- | ------------------------- |
|
191
|
-
| `algorithm` | `JWTAlgorithm` | The [signing algorithm](https://auth0.com/docs/tokens/concepts/signing-algorithms) used by your Auth0 application. | `Auth0::Algorithm::RS256` (using the [JWKS URL](https://auth0.com/docs/tokens/concepts/jwks) of your **Auth0 Domain**) |
|
192
|
-
| `leeway` | Integer | Number of seconds to account for clock skew when validating the `exp`, `iat` and `azp` claims. | `60` |
|
193
|
-
| `nonce` | String | The `nonce` value you sent in the call to `/authorize`, if any. | `nil` |
|
194
|
-
| `max_age` | Integer | The `max_age` value you sent in the call to `/authorize`, if any. | `nil` |
|
195
|
-
| `issuer` | String | By default the `iss` claim will be checked against the URL of your **Auth0 Domain**. Use this parameter to override that. | `nil` |
|
196
|
-
| `audience` | String | By default the `aud` claim will be compared to your **Auth0 Client ID**. Use this parameter to override that. | `nil` |
|
197
|
-
| `organization`| String | By default the `org_id` claim will be compared to your **Organization ID**. Use this parameter to override that. | `nil` |
|
198
|
-
|
199
|
-
You can check the signing algorithm value under **Advanced Settings > OAuth > JsonWebToken Signature Algorithm** in your Auth0 application settings panel. [We recommend](https://auth0.com/docs/tokens/concepts/signing-algorithms#our-recommendation) that you make use of asymmetric signing algorithms like `RS256` instead of symmetric ones like `HS256`.
|
200
|
-
|
201
|
-
```ruby
|
202
|
-
# HS256
|
203
|
-
|
204
|
-
begin
|
205
|
-
@auth0_client.validate_id_token 'YOUR_ID_TOKEN', algorithm: Auth0::Algorithm::HS256.secret('YOUR_SECRET')
|
206
|
-
rescue Auth0::InvalidIdToken => e
|
207
|
-
# Handle error
|
208
|
-
end
|
209
|
-
|
210
|
-
# RS256 with a custom JWKS URL
|
211
|
-
|
212
|
-
begin
|
213
|
-
@auth0_client.validate_id_token 'YOUR_ID_TOKEN', algorithm: Auth0::Algorithm::RS256.jwks_url('YOUR_URL')
|
214
|
-
rescue Auth0::InvalidIdToken => e
|
215
|
-
# Handle error
|
216
|
-
end
|
217
|
-
```
|
218
|
-
|
219
|
-
### Organization ID Token Validation
|
220
|
-
|
221
|
-
If an org_id claim is present in the Access Token, then the claim should be validated by the API to ensure that the value received is expected or known.
|
222
|
-
|
223
|
-
In particular:
|
224
|
-
|
225
|
-
* The issuer (iss) claim should be checked to ensure the token was issued by Auth0
|
226
|
-
|
227
|
-
* the org_id claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the Access Token.
|
228
|
-
|
229
|
-
Normally, validating the issuer would be enough to ensure that the token was issued by Auth0. In the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
|
230
|
-
|
231
|
-
If the claim cannot be validated, then the application should deem the token invalid.
|
232
|
-
|
233
|
-
```ruby
|
234
|
-
begin
|
235
|
-
@auth0_client.validate_id_token 'YOUR_ID_TOKEN', organization: '{Expected org_id}'
|
236
|
-
rescue Auth0::InvalidIdToken => e
|
237
|
-
# In this case the ID Token contents should not be trusted
|
238
|
-
end
|
239
|
-
```
|
240
|
-
|
241
|
-
For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.
|
242
|
-
|
243
|
-
## Development
|
244
|
-
|
245
|
-
In order to set up the local environment you'd have to have Ruby installed and a few global gems used to run and record the unit tests. A working Ruby version can be taken from the [CI script](/.circleci/config.yml). At the moment of this writting we're using Ruby `2.5.7`.
|
246
|
-
|
247
|
-
> It is expected that every Pull Request introducing a fix, change or feature contains enough test coverage to assert the new behavior.
|
248
|
-
|
249
|
-
### Running the tests
|
250
|
-
|
251
|
-
Install the gems required for this project.
|
252
|
-
|
253
|
-
```bash
|
254
|
-
bundle install
|
255
|
-
```
|
256
|
-
|
257
|
-
Finally, run the tests.
|
258
|
-
|
259
|
-
```bash
|
260
|
-
bundle exec rake test
|
261
|
-
```
|
262
|
-
|
263
|
-
#### Running only unit tests
|
264
|
-
|
265
|
-
You can run only the unit tests and ignore the integration tests by running the following:
|
266
|
-
|
267
|
-
```bash
|
268
|
-
bundle exec rake spec
|
269
|
-
```
|
270
|
-
|
271
|
-
#### Running only integration tests
|
272
|
-
|
273
|
-
You can run only the unit tests and ignore the integration tests by running the following:
|
274
|
-
|
275
|
-
```bash
|
276
|
-
bundle exec rake integration
|
277
|
-
```
|
278
|
-
|
279
|
-
## More Information
|
92
|
+
## Further reading
|
280
93
|
|
281
94
|
- [Login using OmniAuth](https://auth0.com/docs/quickstart/webapp/rails/01-login)
|
282
95
|
- [API authentication in Ruby](https://auth0.com/docs/quickstart/backend/ruby)
|
@@ -284,33 +97,35 @@ bundle exec rake integration
|
|
284
97
|
- [Managing authentication with Auth0 (blog)](https://auth0.com/blog/rails-5-with-auth0/)
|
285
98
|
- [Ruby on Rails workflow with Docker (blog)](https://auth0.com/blog/ruby-on-rails-killer-workflow-with-docker-part-1/)
|
286
99
|
|
287
|
-
##
|
288
|
-
|
289
|
-
Auth0 helps you to:
|
290
|
-
|
291
|
-
- Add authentication with [multiple authentication sources](https://docs.auth0.com/identityproviders), either social like **Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce** among others, or enterprise identity systems like **Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider**.
|
292
|
-
- Add authentication through more traditional **[username/password databases](https://docs.auth0.com/mysql-connection-tutorial)**.
|
293
|
-
- Add support for **[linking different user accounts](https://docs.auth0.com/link-accounts)** with the same user.
|
294
|
-
- Support for generating signed [JSON Web Tokens](https://docs.auth0.com/jwt) to call your APIs and **flow the user identity** securely.
|
295
|
-
- Analytics of how, when, and where users are logging in.
|
296
|
-
- Pull data from other sources and add it to the user profile with [JavaScript rules](https://docs.auth0.com/rules).
|
297
|
-
|
298
|
-
## Create a free Auth0 Account
|
100
|
+
## Feedback
|
299
101
|
|
300
|
-
|
301
|
-
2. Use Google, GitHub or Microsoft Account to login.
|
102
|
+
### Contributing
|
302
103
|
|
303
|
-
|
104
|
+
We appreciate feedback and contribution to this repo! Before you get started, please see the following:
|
304
105
|
|
305
|
-
|
106
|
+
- [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
|
107
|
+
- [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
|
306
108
|
|
307
|
-
|
109
|
+
### Raise an issue
|
308
110
|
|
309
|
-
[
|
111
|
+
To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/auth0/ruby-auth0/issues).
|
310
112
|
|
311
|
-
|
113
|
+
### Vulnerability Reporting
|
312
114
|
|
313
|
-
|
115
|
+
Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
|
314
116
|
|
117
|
+
---
|
315
118
|
|
316
|
-
|
119
|
+
<p align="center">
|
120
|
+
<picture>
|
121
|
+
<source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150">
|
122
|
+
<source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
|
123
|
+
<img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
|
124
|
+
</picture>
|
125
|
+
</p>
|
126
|
+
<p align="center">
|
127
|
+
Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a>
|
128
|
+
</p>
|
129
|
+
<p align="center">
|
130
|
+
This project is licensed under the MIT license. See the <a href="https://github.com/auth0/ruby-auth0/blob/master/LICENSE"> LICENSE</a> file for more info.
|
131
|
+
</p>
|
data/auth0.gemspec
CHANGED
@@ -17,7 +17,7 @@ Gem::Specification.new do |s|
|
|
17
17
|
s.require_paths = ['lib']
|
18
18
|
|
19
19
|
s.add_runtime_dependency 'rest-client', '~> 2.1'
|
20
|
-
s.add_runtime_dependency 'jwt', '~> 2.
|
20
|
+
s.add_runtime_dependency 'jwt', '~> 2.5'
|
21
21
|
s.add_runtime_dependency 'zache', '~> 0.12'
|
22
22
|
s.add_runtime_dependency 'addressable', '~> 2.8'
|
23
23
|
s.add_runtime_dependency 'retryable', '~> 3.0'
|
@@ -27,9 +27,7 @@ Gem::Specification.new do |s|
|
|
27
27
|
s.add_development_dependency 'fuubar', '~> 2.0'
|
28
28
|
s.add_development_dependency 'guard-rspec', '~> 4.5' unless ENV['CIRCLECI']
|
29
29
|
s.add_development_dependency 'dotenv-rails', '~> 2.0'
|
30
|
-
s.add_development_dependency '
|
31
|
-
s.add_development_dependency 'pry-nav', '~> 0.2'
|
32
|
-
s.add_development_dependency 'rspec', '~> 3.5'
|
30
|
+
s.add_development_dependency 'rspec', '~> 3.11'
|
33
31
|
s.add_development_dependency 'rack-test', '~> 0.6'
|
34
32
|
s.add_development_dependency 'rack', '~> 2.1'
|
35
33
|
s.add_development_dependency 'simplecov', '~> 0.9'
|
data/examples/ruby-api/Gemfile
CHANGED
@@ -0,0 +1,33 @@
|
|
1
|
+
GEM
|
2
|
+
remote: http://rubygems.org/
|
3
|
+
specs:
|
4
|
+
dotenv (2.8.1)
|
5
|
+
jwt (2.5.0)
|
6
|
+
mustermann (2.0.2)
|
7
|
+
ruby2_keywords (~> 0.0.1)
|
8
|
+
nio4r (2.5.8)
|
9
|
+
puma (5.6.5)
|
10
|
+
nio4r (~> 2.0)
|
11
|
+
rack (2.2.6.2)
|
12
|
+
rack-protection (2.2.3)
|
13
|
+
rack
|
14
|
+
ruby2_keywords (0.0.5)
|
15
|
+
sinatra (2.2.3)
|
16
|
+
mustermann (~> 2.0)
|
17
|
+
rack (~> 2.2)
|
18
|
+
rack-protection (= 2.2.3)
|
19
|
+
tilt (~> 2.0)
|
20
|
+
tilt (2.0.11)
|
21
|
+
|
22
|
+
PLATFORMS
|
23
|
+
aarch64-linux
|
24
|
+
x86_64-linux
|
25
|
+
|
26
|
+
DEPENDENCIES
|
27
|
+
dotenv
|
28
|
+
jwt (~> 2.5)
|
29
|
+
puma
|
30
|
+
sinatra (~> 2.2)
|
31
|
+
|
32
|
+
BUNDLED WITH
|
33
|
+
2.3.7
|
data/examples/ruby-api/README.md
CHANGED
@@ -1,8 +1,8 @@
|
|
1
|
-
#Auth0 + Ruby API Seed
|
1
|
+
# Auth0 + Ruby API Seed
|
2
2
|
|
3
3
|
This is the seed project you need to use if you're going to create a Ruby API. You'll mostly use this API either for a SPA or a Mobile app.
|
4
4
|
|
5
|
-
#Running the example
|
5
|
+
# Running the example
|
6
6
|
|
7
7
|
In order to run the example you need to have ruby installed.
|
8
8
|
|
@@ -2,8 +2,6 @@
|
|
2
2
|
|
3
3
|
This is the seed project you need to use if you're going to create a Ruby on Rails API. You'll mostly use this API either for a SPA or a Mobile app. If you just want to create a Regular Ruby on Rails WebApp, please check this [other seed project](https://github.com/auth0/omniauth-auth0)
|
4
4
|
|
5
|
-
This example is deployed at Heroku at http://auth0-rorapi-sample.herokuapp.com/ping
|
6
|
-
|
7
5
|
#Running the example
|
8
6
|
|
9
7
|
In order to run the example you need to have ruby installed.
|
@@ -2,17 +2,23 @@
|
|
2
2
|
# rubocop:disable Metrics/ModuleLength
|
3
3
|
|
4
4
|
require 'jwt'
|
5
|
+
require_relative '../client_assertion'
|
5
6
|
|
6
7
|
module Auth0
|
7
8
|
module Api
|
8
9
|
# {https://auth0.com/docs/api/authentication}
|
9
10
|
# Methods to use the Authentication API
|
10
11
|
module AuthenticationEndpoints
|
12
|
+
include Auth0::ClientAssertion
|
13
|
+
|
11
14
|
UP_AUTH = 'Username-Password-Authentication'.freeze
|
12
15
|
JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer'.freeze
|
16
|
+
GRANT_TYPE_PASSWORDLESS_OPT = 'http://auth0.com/oauth/grant-type/passwordless/otp'.freeze
|
13
17
|
|
14
18
|
# Request an API access token using a Client Credentials grant
|
15
19
|
# @see https://auth0.com/docs/api-auth/tutorials/client-credentials
|
20
|
+
# @param client_id [string] Client ID for the application
|
21
|
+
# @param client_secret [string] Client secret for the application. Ignored if using Client Assertion
|
16
22
|
# @param audience [string] API audience to use
|
17
23
|
# @param organization [string] Organization ID
|
18
24
|
# @return [json] Returns the API token
|
@@ -25,10 +31,11 @@ module Auth0
|
|
25
31
|
request_params = {
|
26
32
|
grant_type: 'client_credentials',
|
27
33
|
client_id: client_id,
|
28
|
-
client_secret: client_secret,
|
29
34
|
audience: audience
|
30
35
|
}
|
31
36
|
|
37
|
+
populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)
|
38
|
+
|
32
39
|
response = request_with_retry(:post, '/oauth/token', request_params)
|
33
40
|
::Auth0::ApiToken.new(response['access_token'], response['scope'], response['expires_in'])
|
34
41
|
end
|
@@ -37,9 +44,9 @@ module Auth0
|
|
37
44
|
# @see https://auth0.com/docs/api/authentication#authorization-code
|
38
45
|
# @param code [string] The authentication code obtained from /authorize
|
39
46
|
# @param redirect_uri [string] URL to redirect to after authorization.
|
47
|
+
# @param client_id [string] Client ID for the application
|
48
|
+
# @param client_secret [string] Client secret for the application. Ignored if using Client Assertion
|
40
49
|
# Required only if it was set at the GET /authorize endpoint
|
41
|
-
# @param client_id [string] Client ID for the Application
|
42
|
-
# @param client_secret [string] Client Secret for the Application.
|
43
50
|
# @return [Auth0::AccessToken] Returns the access_token and id_token
|
44
51
|
def exchange_auth_code_for_tokens(
|
45
52
|
code,
|
@@ -51,11 +58,13 @@ module Auth0
|
|
51
58
|
|
52
59
|
request_params = {
|
53
60
|
grant_type: 'authorization_code',
|
54
|
-
client_id: client_id,
|
55
|
-
client_secret: client_secret,
|
61
|
+
client_id: client_id,
|
56
62
|
code: code,
|
57
63
|
redirect_uri: redirect_uri
|
58
64
|
}
|
65
|
+
|
66
|
+
populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)
|
67
|
+
|
59
68
|
::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
|
60
69
|
end
|
61
70
|
|
@@ -63,8 +72,8 @@ module Auth0
|
|
63
72
|
# @see https://auth0.com/docs/api/authentication#refresh-token
|
64
73
|
# @param refresh_token [string] Refresh token to use. Request this with
|
65
74
|
# the offline_access scope when logging in.
|
66
|
-
# @param client_id [string] Client ID for the
|
67
|
-
# @param client_secret [string] Client
|
75
|
+
# @param client_id [string] Client ID for the application
|
76
|
+
# @param client_secret [string] Client secret for the application. Ignored if using Client Assertion
|
68
77
|
# Required when the Application's Token Endpoint Authentication Method
|
69
78
|
# is Post or Basic.
|
70
79
|
# @return [Auth0::AccessToken] Returns tokens allowed in the refresh_token
|
@@ -78,9 +87,53 @@ module Auth0
|
|
78
87
|
request_params = {
|
79
88
|
grant_type: 'refresh_token',
|
80
89
|
client_id: client_id,
|
81
|
-
client_secret: client_secret,
|
82
90
|
refresh_token: refresh_token
|
83
91
|
}
|
92
|
+
|
93
|
+
populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)
|
94
|
+
|
95
|
+
::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
|
96
|
+
end
|
97
|
+
|
98
|
+
# Exchange an OTP recieved through SMS for ID and access tokens
|
99
|
+
# @param phone_number [string] The user's phone number used to receive the OTP
|
100
|
+
# @param otp [string] The OTP contained in the SMS
|
101
|
+
# @param audience [string] The audience for the access token (defaults to nil)
|
102
|
+
# @param scope [string] The scope (defaults to 'openid profile email')
|
103
|
+
def exchange_sms_otp_for_tokens(phone_number, otp, audience: nil, scope: nil)
|
104
|
+
request_params = {
|
105
|
+
grant_type: GRANT_TYPE_PASSWORDLESS_OPT,
|
106
|
+
client_id: @client_id,
|
107
|
+
username: phone_number,
|
108
|
+
otp: otp,
|
109
|
+
realm: 'sms',
|
110
|
+
audience: audience,
|
111
|
+
scope: scope || 'openid profile email'
|
112
|
+
}
|
113
|
+
|
114
|
+
populate_client_assertion_or_secret(request_params)
|
115
|
+
|
116
|
+
::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
|
117
|
+
end
|
118
|
+
|
119
|
+
# Exchange an OTP recieved through email for ID and access tokens
|
120
|
+
# @param email_address [string] The user's email address used to receive the OTP
|
121
|
+
# @param otp [string] The OTP contained in the email
|
122
|
+
# @param audience [string] The audience for the access token (defaults to nil)
|
123
|
+
# @param scope [string] The scope (defaults to 'openid profile email')
|
124
|
+
def exchange_email_otp_for_tokens(email_address, otp, audience: nil, scope: nil)
|
125
|
+
request_params = {
|
126
|
+
grant_type: GRANT_TYPE_PASSWORDLESS_OPT,
|
127
|
+
client_id: @client_id,
|
128
|
+
username: email_address,
|
129
|
+
otp: otp,
|
130
|
+
realm: 'email',
|
131
|
+
audience: audience,
|
132
|
+
scope: scope || 'openid profile email'
|
133
|
+
}
|
134
|
+
|
135
|
+
populate_client_assertion_or_secret(request_params)
|
136
|
+
|
84
137
|
::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
|
85
138
|
end
|
86
139
|
|
@@ -90,8 +143,8 @@ module Auth0
|
|
90
143
|
# @see https://auth0.com/docs/api/authentication#resource-owner-password
|
91
144
|
# @param login_name [string] Email or username for the connection
|
92
145
|
# @param password [string] Password
|
93
|
-
# @param client_id [string] Client ID
|
94
|
-
# @param client_secret [string] Client
|
146
|
+
# @param client_id [string] Client ID for the application
|
147
|
+
# @param client_secret [string] Client secret for the application. Ignored if using Client Assertion
|
95
148
|
# @param realm [string] Specific realm to authenticate against
|
96
149
|
# @param audience [string] API audience
|
97
150
|
# @param scope [string] Scope(s) requested
|
@@ -115,12 +168,14 @@ module Auth0
|
|
115
168
|
username: login_name,
|
116
169
|
password: password,
|
117
170
|
client_id: client_id,
|
118
|
-
client_secret: client_secret,
|
119
171
|
realm: realm,
|
120
172
|
scope: scope,
|
121
173
|
audience: audience,
|
122
174
|
grant_type: realm ? 'http://auth0.com/oauth/grant-type/password-realm' : 'password'
|
123
175
|
}
|
176
|
+
|
177
|
+
populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)
|
178
|
+
|
124
179
|
::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
|
125
180
|
end
|
126
181
|
# rubocop:enable Metrics/ParameterLists
|
@@ -200,9 +255,10 @@ module Auth0
|
|
200
255
|
authParams: auth_params,
|
201
256
|
connection: 'email',
|
202
257
|
client_id: @client_id,
|
203
|
-
client_secret: @client_secret
|
204
258
|
}
|
205
259
|
|
260
|
+
populate_client_assertion_or_secret(request_params)
|
261
|
+
|
206
262
|
request_with_retry(:post, '/passwordless/start', request_params)
|
207
263
|
end
|
208
264
|
|
@@ -217,9 +273,10 @@ module Auth0
|
|
217
273
|
phone_number: phone_number,
|
218
274
|
connection: 'sms',
|
219
275
|
client_id: @client_id,
|
220
|
-
client_secret: @client_secret
|
221
276
|
}
|
222
277
|
|
278
|
+
populate_client_assertion_or_secret(request_params)
|
279
|
+
|
223
280
|
request_with_retry(:post, '/passwordless/start', request_params)
|
224
281
|
end
|
225
282
|
|