authlete 1.0.21 → 1.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +2 -1
- data/Makefile +40 -0
- data/README.md +20 -20
- data/Rakefile +5 -0
- data/authlete.gemspec +2 -2
- data/lib/authlete.rb +28 -9
- data/lib/authlete/api.rb +153 -322
- data/lib/authlete/authentication-server.rb +230 -230
- data/lib/authlete/exception.rb +14 -15
- data/lib/authlete/model/base.rb +30 -0
- data/lib/authlete/model/client-extension.rb +17 -119
- data/lib/authlete/model/client.rb +203 -338
- data/lib/authlete/model/hashable.rb +13 -33
- data/lib/authlete/model/named-uri.rb +13 -74
- data/lib/authlete/model/pair.rb +13 -74
- data/lib/authlete/model/param-initializer.rb +45 -0
- data/lib/authlete/model/property.rb +15 -85
- data/lib/authlete/model/request/authentication-callback-request.rb +63 -55
- data/lib/authlete/model/request/authorization-fail-request.rb +14 -75
- data/lib/authlete/model/request/authorization-issue-request.rb +38 -119
- data/lib/authlete/model/request/authorization-request.rb +8 -73
- data/lib/authlete/model/request/backchannel-authentication-complete-request.rb +97 -0
- data/lib/authlete/model/request/backchannel-authentication-fail-request.rb +55 -0
- data/lib/authlete/model/request/backchannel-authentication-issue-request.rb +37 -0
- data/lib/authlete/model/request/backchannel-authentication-request.rb +63 -0
- data/lib/authlete/model/request/base.rb +26 -0
- data/lib/authlete/model/request/client-authorization-delete-request.rb +7 -93
- data/lib/authlete/model/request/client-authorization-get-list-request.rb +17 -89
- data/lib/authlete/model/request/client-authorization-update-request.rb +11 -86
- data/lib/authlete/model/request/client-registration-request.rb +49 -0
- data/lib/authlete/model/request/client-secret-update-request.rb +7 -89
- data/lib/authlete/model/request/developer-authentication-callback-request.rb +40 -43
- data/lib/authlete/model/request/device-authorization-request.rb +63 -0
- data/lib/authlete/model/request/device-complete-request.rb +99 -0
- data/lib/authlete/model/request/device-verification-request.rb +40 -0
- data/lib/authlete/model/request/granted-scopes-request.rb +8 -74
- data/lib/authlete/model/request/introspection-request.rb +24 -83
- data/lib/authlete/model/request/pushed-auth-req-request.rb +64 -0
- data/lib/authlete/model/request/revocation-request.rb +14 -88
- data/lib/authlete/model/request/standard-introspection-request.rb +8 -73
- data/lib/authlete/model/request/token-create-request.rb +52 -183
- data/lib/authlete/model/request/token-fail-request.rb +12 -74
- data/lib/authlete/model/request/token-issue-request.rb +22 -80
- data/lib/authlete/model/request/token-request.rb +44 -81
- data/lib/authlete/model/request/token-update-request.rb +35 -121
- data/lib/authlete/model/request/user-info-issue-request.rb +14 -80
- data/lib/authlete/model/request/user-info-request.rb +25 -70
- data/lib/authlete/model/response/access-token.rb +96 -0
- data/lib/authlete/model/response/authentication-callback-response.rb +24 -19
- data/lib/authlete/model/response/authorization-fail-response.rb +13 -15
- data/lib/authlete/model/response/authorization-issue-response.rb +29 -32
- data/lib/authlete/model/response/authorization-response.rb +97 -123
- data/lib/authlete/model/response/authorized-client-list-response.rb +37 -0
- data/lib/authlete/model/response/backchannel-authentication-complete-response.rb +143 -0
- data/lib/authlete/model/response/backchannel-authentication-fail-response.rb +47 -0
- data/lib/authlete/model/response/backchannel-authentication-issue-response.rb +63 -0
- data/lib/authlete/model/response/backchannel-authentication-response.rb +160 -0
- data/lib/authlete/model/response/client-list-response.rb +58 -0
- data/lib/authlete/model/response/client-registration-response.rb +50 -0
- data/lib/authlete/model/response/client-secret-refresh-response.rb +12 -12
- data/lib/authlete/model/response/client-secret-update-response.rb +12 -12
- data/lib/authlete/model/response/developer-authentication-callback-response.rb +24 -19
- data/lib/authlete/model/response/device-authorization-response.rb +134 -0
- data/lib/authlete/model/response/device-complete-response.rb +39 -0
- data/lib/authlete/model/response/device-verification-response.rb +96 -0
- data/lib/authlete/model/response/granted-scopes-get-response.rb +27 -19
- data/lib/authlete/model/response/introspection-response.rb +64 -58
- data/lib/authlete/model/response/pushed-auth-req-response.rb +59 -0
- data/lib/authlete/model/response/revocation-response.rb +12 -15
- data/lib/authlete/model/response/service-list-response.rb +54 -0
- data/lib/authlete/model/response/standard-introspection-response.rb +13 -15
- data/lib/authlete/model/response/token-create-response.rb +50 -55
- data/lib/authlete/model/response/token-fail-response.rb +14 -17
- data/lib/authlete/model/response/token-issue-response.rb +49 -62
- data/lib/authlete/model/response/token-list-response.rb +64 -0
- data/lib/authlete/model/response/token-response.rb +59 -79
- data/lib/authlete/model/response/token-update-response.rb +28 -23
- data/lib/authlete/model/response/user-info-issue-response.rb +16 -16
- data/lib/authlete/model/response/user-info-response.rb +48 -42
- data/lib/authlete/model/result.rb +14 -13
- data/lib/authlete/model/scope.rb +68 -158
- data/lib/authlete/model/service-owner.rb +32 -116
- data/lib/authlete/model/service.rb +672 -837
- data/lib/authlete/model/sns-credentials.rb +51 -124
- data/lib/authlete/model/tagged-value.rb +14 -69
- data/lib/authlete/utility.rb +70 -99
- data/lib/authlete/version.rb +3 -3
- data/test/authlete/model/request/test_authentication-callback-request.rb +100 -0
- data/test/authlete/model/request/test_authorization-fail-request.rb +67 -0
- data/test/authlete/model/request/test_authorization-issue-request.rb +94 -0
- data/test/authlete/model/request/test_authorization-request.rb +57 -0
- data/test/authlete/model/request/test_backchannel-authentication-complete-request.rb +102 -0
- data/test/authlete/model/request/test_backchannel-authentication-fail-request.rb +71 -0
- data/test/authlete/model/request/test_backchannel-authentication-issue-request.rb +57 -0
- data/test/authlete/model/request/test_backchannel-authentication-request.rb +75 -0
- data/test/authlete/model/request/test_client-authorization-delete-request.rb +57 -0
- data/test/authlete/model/request/test_client-authorization-get-list-request.rb +71 -0
- data/test/authlete/model/request/test_client-authorization-update-request.rb +63 -0
- data/test/authlete/model/request/test_client-registration-request.rb +68 -0
- data/test/authlete/model/request/test_device-authorization-request.rb +75 -0
- data/test/authlete/model/request/test_device-complete-request.rb +102 -0
- data/test/authlete/model/request/test_device-verification-request.rb +57 -0
- data/test/authlete/model/request/test_granted-scopes-request.rb +57 -0
- data/test/authlete/model/request/test_introspection-request.rb +79 -0
- data/test/authlete/model/request/test_pushed-auth-req-request.rb +75 -0
- data/test/authlete/model/request/test_revocation-request.rb +67 -0
- data/test/authlete/model/request/test_standard-introspection-request.rb +57 -0
- data/test/authlete/model/request/test_token-create-request.rb +110 -0
- data/test/authlete/model/request/test_token-fail-request.rb +63 -0
- data/test/authlete/model/request/test_token-issue-request.rb +70 -0
- data/test/authlete/model/request/test_token-request.rb +94 -0
- data/test/authlete/model/request/test_token-update-request.rb +82 -0
- data/test/authlete/model/request/test_user-info-issue-request.rb +67 -0
- data/test/authlete/model/request/test_user-info-request.rb +75 -0
- data/test/authlete/model/response/test_access-token.rb +101 -0
- data/test/authlete/model/response/test_authorization-fail-response.rb +68 -0
- data/test/authlete/model/response/test_authorization-issue-response.rb +92 -0
- data/test/authlete/model/response/test_authorization-response.rb +145 -0
- data/test/authlete/model/response/test_authorized-client-list-response.rb +83 -0
- data/test/authlete/model/response/test_backchannel-authentication-complete-response.rb +132 -0
- data/test/authlete/model/response/test_backchannel-authentication-fail-response.rb +68 -0
- data/test/authlete/model/response/test_backchannel-authentication-issue-response.rb +80 -0
- data/test/authlete/model/response/test_backchannel-authentication-response.rb +156 -0
- data/test/authlete/model/response/test_client-list-response.rb +79 -0
- data/test/authlete/model/response/test_client-secret-refresh-response.rb +68 -0
- data/test/authlete/model/response/test_client-secret-update-response.rb +68 -0
- data/test/authlete/model/response/test_device-authorization-response.rb +140 -0
- data/test/authlete/model/response/test_device-complete-response.rb +64 -0
- data/test/authlete/model/response/test_device-verification-response.rb +112 -0
- data/test/authlete/model/response/test_granted-scopes-get-response.rb +84 -0
- data/test/authlete/model/response/test_introspection-response.rb +127 -0
- data/test/authlete/model/response/test_pushed-auth-req-response.rb +76 -0
- data/test/authlete/model/response/test_revocation-response.rb +68 -0
- data/test/authlete/model/response/test_service-list-response.rb +72 -0
- data/test/authlete/model/response/test_standard-introspection-response.rb +68 -0
- data/test/authlete/model/response/test_token-create-response.rb +107 -0
- data/test/authlete/model/response/test_token-fail-response.rb +68 -0
- data/test/authlete/model/response/test_token-issue-response.rb +127 -0
- data/test/authlete/model/response/test_token-list-response.rb +84 -0
- data/test/authlete/model/response/test_token-response.rb +147 -0
- data/test/authlete/model/response/test_token-update-response.rb +87 -0
- data/test/authlete/model/response/test_user-info-issue-response.rb +68 -0
- data/test/authlete/model/response/test_user-info-response.rb +107 -0
- data/test/authlete/model/test_client-extension.rb +95 -0
- data/test/authlete/model/test_client.rb +461 -0
- data/test/authlete/model/test_named-uri.rb +85 -0
- data/test/authlete/model/test_pair.rb +85 -0
- data/test/authlete/model/test_property.rb +90 -0
- data/test/authlete/model/test_result.rb +68 -0
- data/test/authlete/model/test_scope.rb +106 -0
- data/test/authlete/model/test_service-owner.rb +80 -0
- data/test/authlete/model/test_service.rb +624 -0
- data/test/authlete/model/test_sns-credentials.rb +88 -0
- data/test/authlete/model/test_tagged-value.rb +83 -0
- data/test/authlete/test_exception.rb +70 -0
- metadata +173 -13
- data/lib/authlete/model/client-list.rb +0 -129
- data/lib/authlete/model/response/client-authorization-get-list-response.rb +0 -60
- data/lib/authlete/model/response/service-creatable-response.rb +0 -51
- data/lib/authlete/model/service-list.rb +0 -128
@@ -1,230 +1,230 @@
|
|
1
|
-
# :nodoc:
|
2
|
-
#
|
3
|
-
# Copyright (C) 2014-
|
4
|
-
#
|
5
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
-
# you may not use this file except in compliance with the License.
|
7
|
-
# You may obtain a copy of the License at
|
8
|
-
#
|
9
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
-
#
|
11
|
-
# Unless required by applicable law or agreed to in writing, software
|
12
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
-
# See the License for the specific language governing permissions and
|
15
|
-
# limitations under the License.
|
16
|
-
|
17
|
-
|
18
|
-
require 'rack'
|
19
|
-
|
20
|
-
|
21
|
-
module Authlete
|
22
|
-
# == Authlete::AuthenticationServer class
|
23
|
-
#
|
24
|
-
# This class is a base class for an authentication server based on Rack.
|
25
|
-
# Some method must/should be overridden by subclasses.
|
26
|
-
#
|
27
|
-
# 1. <tt>authenticate_api_call</tt>
|
28
|
-
# 2. <tt>authenticate_user</tt>
|
29
|
-
# 3. <tt>collect_claims</tt>
|
30
|
-
# 4. <tt>authentication_callback_endpoint_path</tt>
|
31
|
-
class AuthenticationServer
|
32
|
-
def initialize(app = nil)
|
33
|
-
# Accept 'app' so that this class can work as a Rack middleware
|
34
|
-
# as well as a Rack application.
|
35
|
-
@app = app
|
36
|
-
end
|
37
|
-
|
38
|
-
def call(env)
|
39
|
-
# Request
|
40
|
-
request = Rack::Request.new(env)
|
41
|
-
|
42
|
-
# If the request is not an authentication callback request.
|
43
|
-
if match_authentication_callback_request(request) == false
|
44
|
-
# If this class is used as a Rack middleware.
|
45
|
-
if @app && @app.respond_to?(:call)
|
46
|
-
# Call chain to the next Rack middleware.
|
47
|
-
return @app.call(env)
|
48
|
-
else
|
49
|
-
# 404 Not Found
|
50
|
-
return generate_not_found(request)
|
51
|
-
end
|
52
|
-
end
|
53
|
-
|
54
|
-
# Basic Authentication for the API call.
|
55
|
-
authenticated = do_authenticate_api_call(env)
|
56
|
-
if authenticated == false
|
57
|
-
# 401 Unauthorized
|
58
|
-
return generate_api_call_authentication_failure()
|
59
|
-
end
|
60
|
-
|
61
|
-
begin
|
62
|
-
# Parse the request body as AuthenticationCallbackRequest.
|
63
|
-
req = parse_authentication_callback_request(request)
|
64
|
-
rescue => e
|
65
|
-
# 400 Bad Request
|
66
|
-
return generate_authentication_callback_request_format_error(e)
|
67
|
-
end
|
68
|
-
|
69
|
-
# Prepare an empty response.
|
70
|
-
res = Authlete::Model::Response::AuthenticationCallbackResponse.new
|
71
|
-
|
72
|
-
# Let the subclass authenticate the end-user.
|
73
|
-
# When authenticated successfully, a non-nil value is returned.
|
74
|
-
subject = authenticate_user(req)
|
75
|
-
if subject.nil?
|
76
|
-
# End-user authentication failed.
|
77
|
-
# Return {"authenticated": false} to Authlete.
|
78
|
-
res.authenticated = false
|
79
|
-
return res.to_rack_response
|
80
|
-
end
|
81
|
-
|
82
|
-
# The end-user has been authenticated successfully.
|
83
|
-
res.authenticated = true
|
84
|
-
res.subject = subject
|
85
|
-
|
86
|
-
if req.claims.nil? == false && req.claims.length != 0
|
87
|
-
# Make the subclass collect values of the requested claims.
|
88
|
-
res.claims = collect_claims(req, subject)
|
89
|
-
end
|
90
|
-
|
91
|
-
# Return {"authenticated": true, ...} to Authlete.
|
92
|
-
return res.to_rack_response
|
93
|
-
end
|
94
|
-
|
95
|
-
private
|
96
|
-
|
97
|
-
def match_authentication_callback_request(request)
|
98
|
-
request.post? &&
|
99
|
-
request.path_info == authentication_callback_endpoint_path() &&
|
100
|
-
%r{^application/json}i === request.content_type
|
101
|
-
end
|
102
|
-
|
103
|
-
def do_authenticate_api_call(env)
|
104
|
-
# API key and secret for the API call to the authentication endpoint.
|
105
|
-
api_key, api_secret = nil, nil
|
106
|
-
|
107
|
-
# Basic Authentication for the API call.
|
108
|
-
auth = Rack::Auth::Basic::Request.new(env)
|
109
|
-
|
110
|
-
if auth.provided? && auth.basic?
|
111
|
-
api_key, api_secret = *auth.credentials
|
112
|
-
end
|
113
|
-
|
114
|
-
# Let the subclass authenticate the API call.
|
115
|
-
authenticate_api_call(api_key, api_secret)
|
116
|
-
end
|
117
|
-
|
118
|
-
# 404 Not Found
|
119
|
-
def generate_not_found(request)
|
120
|
-
[
|
121
|
-
404,
|
122
|
-
{
|
123
|
-
'Content-Type' => 'text/plain'
|
124
|
-
},
|
125
|
-
[
|
126
|
-
"Not Found: #{request.request_method} #{request.path_info} (#{request.content_type})"
|
127
|
-
]
|
128
|
-
]
|
129
|
-
end
|
130
|
-
|
131
|
-
# 401 Unauthorized
|
132
|
-
def generate_api_call_authentication_failure
|
133
|
-
[
|
134
|
-
401,
|
135
|
-
{
|
136
|
-
'Content-Type' => 'text/plain',
|
137
|
-
'WWW-Authenticate' => 'Basic realm="Authentication Callback Endpoint"'
|
138
|
-
},
|
139
|
-
[
|
140
|
-
'Authentication of the API call to the authentication callback endpoint failed.'
|
141
|
-
]
|
142
|
-
]
|
143
|
-
end
|
144
|
-
|
145
|
-
# 400 Bad Request
|
146
|
-
def generate_authentication_callback_request_format_error(exception)
|
147
|
-
[
|
148
|
-
400,
|
149
|
-
{
|
150
|
-
'Content-Type' => 'text/plain',
|
151
|
-
},
|
152
|
-
[
|
153
|
-
"The format of the authentication callback request was wrong: #{exception.to_s}"
|
154
|
-
]
|
155
|
-
]
|
156
|
-
end
|
157
|
-
|
158
|
-
def parse_authentication_callback_request(request)
|
159
|
-
# In case someone has already read it.
|
160
|
-
request.body.rewind
|
161
|
-
|
162
|
-
# JSON
|
163
|
-
json = request.body.read
|
164
|
-
|
165
|
-
# Parse the authentication callback request.
|
166
|
-
Authlete::Model::Request::AuthenticationCallbackRequest.parse(json)
|
167
|
-
end
|
168
|
-
|
169
|
-
protected
|
170
|
-
|
171
|
-
# Authenticate the API call to the authentication callback endpoint
|
172
|
-
# from Authlete. Subclasses must override this method. This default
|
173
|
-
# implementation returns false, meaning 'unauthorized API call'.
|
174
|
-
#
|
175
|
-
# The argument of this method is the API key and the API secret that
|
176
|
-
# the caller has presented. When the pair of the API credentials is
|
177
|
-
# valid, return true. Otherwise, return false.
|
178
|
-
def authenticate_api_call(api_key, api_secret)
|
179
|
-
# Unauthorized API call.
|
180
|
-
false
|
181
|
-
end
|
182
|
-
|
183
|
-
# Authenticate the end-user. Subclasses must override this method.
|
184
|
-
# This default implementation returns nil, meaning 'invalid end-user'.
|
185
|
-
#
|
186
|
-
# The argument of this method is an instance of
|
187
|
-
# <tt>Authlete::Model::Request::AuthenticationCallbackRequest</tt>.
|
188
|
-
# When the end-user is successfully authenticated, this method must
|
189
|
-
# return a unique identifier (= subject) of the end-user. Otherwise,
|
190
|
-
# nil must be returned to indicate authentication failure.
|
191
|
-
def authenticate_user(req)
|
192
|
-
# Invalid end-user.
|
193
|
-
nil
|
194
|
-
end
|
195
|
-
|
196
|
-
# Collect claim values of the end-user. Subclasses should override this
|
197
|
-
# method. This default implementation returns nil, meaning 'no claim values'.
|
198
|
-
#
|
199
|
-
# The argument of this method is an instance of
|
200
|
-
# <tt>Authlete::Model::Request::AuthenticationCallbackRequest</tt> and the subject
|
201
|
-
# which has been returned from the preceding call of <tt>authenticate_user</tt>
|
202
|
-
# method.
|
203
|
-
#
|
204
|
-
# 'Claim' is a piece of information about an end-user. A subclass should
|
205
|
-
# collect values of requested claims (<tt>req.claims</tt>) as many as
|
206
|
-
# possible and format them in JSON format like below.
|
207
|
-
#
|
208
|
-
# {
|
209
|
-
# "name": "Takahiko Kawasaki",
|
210
|
-
# "gender": "male"
|
211
|
-
# }
|
212
|
-
#
|
213
|
-
# Collected claim values are used to generate an {ID token}
|
214
|
-
# [http://openid.net/specs/openid-connect-core-1_0.html#IDToken].
|
215
|
-
#
|
216
|
-
# If no claim values are available, or if you don't want to provide any
|
217
|
-
# claim value, return nil.
|
218
|
-
def collect_claims(req, subject)
|
219
|
-
# No claim values.
|
220
|
-
nil
|
221
|
-
end
|
222
|
-
|
223
|
-
# Get the path of the authentication callback endpoint. This default
|
224
|
-
# implementation returns '/authentication'. Subclasses may override
|
225
|
-
# this method to change the path.
|
226
|
-
def authentication_callback_endpoint_path
|
227
|
-
'/authentication'
|
228
|
-
end
|
229
|
-
end
|
230
|
-
end
|
1
|
+
# :nodoc:
|
2
|
+
#
|
3
|
+
# Copyright (C) 2014-2020 Authlete, Inc.
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
|
18
|
+
require 'rack'
|
19
|
+
|
20
|
+
|
21
|
+
module Authlete
|
22
|
+
# == Authlete::AuthenticationServer class
|
23
|
+
#
|
24
|
+
# This class is a base class for an authentication server based on Rack.
|
25
|
+
# Some method must/should be overridden by subclasses.
|
26
|
+
#
|
27
|
+
# 1. <tt>authenticate_api_call</tt>
|
28
|
+
# 2. <tt>authenticate_user</tt>
|
29
|
+
# 3. <tt>collect_claims</tt>
|
30
|
+
# 4. <tt>authentication_callback_endpoint_path</tt>
|
31
|
+
class AuthenticationServer
|
32
|
+
def initialize(app = nil)
|
33
|
+
# Accept 'app' so that this class can work as a Rack middleware
|
34
|
+
# as well as a Rack application.
|
35
|
+
@app = app
|
36
|
+
end
|
37
|
+
|
38
|
+
def call(env)
|
39
|
+
# Request
|
40
|
+
request = Rack::Request.new(env)
|
41
|
+
|
42
|
+
# If the request is not an authentication callback request.
|
43
|
+
if match_authentication_callback_request(request) == false
|
44
|
+
# If this class is used as a Rack middleware.
|
45
|
+
if @app && @app.respond_to?(:call)
|
46
|
+
# Call chain to the next Rack middleware.
|
47
|
+
return @app.call(env)
|
48
|
+
else
|
49
|
+
# 404 Not Found
|
50
|
+
return generate_not_found(request)
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
54
|
+
# Basic Authentication for the API call.
|
55
|
+
authenticated = do_authenticate_api_call(env)
|
56
|
+
if authenticated == false
|
57
|
+
# 401 Unauthorized
|
58
|
+
return generate_api_call_authentication_failure()
|
59
|
+
end
|
60
|
+
|
61
|
+
begin
|
62
|
+
# Parse the request body as AuthenticationCallbackRequest.
|
63
|
+
req = parse_authentication_callback_request(request)
|
64
|
+
rescue => e
|
65
|
+
# 400 Bad Request
|
66
|
+
return generate_authentication_callback_request_format_error(e)
|
67
|
+
end
|
68
|
+
|
69
|
+
# Prepare an empty response.
|
70
|
+
res = Authlete::Model::Response::AuthenticationCallbackResponse.new
|
71
|
+
|
72
|
+
# Let the subclass authenticate the end-user.
|
73
|
+
# When authenticated successfully, a non-nil value is returned.
|
74
|
+
subject = authenticate_user(req)
|
75
|
+
if subject.nil?
|
76
|
+
# End-user authentication failed.
|
77
|
+
# Return {"authenticated": false} to Authlete.
|
78
|
+
res.authenticated = false
|
79
|
+
return res.to_rack_response
|
80
|
+
end
|
81
|
+
|
82
|
+
# The end-user has been authenticated successfully.
|
83
|
+
res.authenticated = true
|
84
|
+
res.subject = subject
|
85
|
+
|
86
|
+
if req.claims.nil? == false && req.claims.length != 0
|
87
|
+
# Make the subclass collect values of the requested claims.
|
88
|
+
res.claims = collect_claims(req, subject)
|
89
|
+
end
|
90
|
+
|
91
|
+
# Return {"authenticated": true, ...} to Authlete.
|
92
|
+
return res.to_rack_response
|
93
|
+
end
|
94
|
+
|
95
|
+
private
|
96
|
+
|
97
|
+
def match_authentication_callback_request(request)
|
98
|
+
request.post? &&
|
99
|
+
request.path_info == authentication_callback_endpoint_path() &&
|
100
|
+
%r{^application/json}i === request.content_type
|
101
|
+
end
|
102
|
+
|
103
|
+
def do_authenticate_api_call(env)
|
104
|
+
# API key and secret for the API call to the authentication endpoint.
|
105
|
+
api_key, api_secret = nil, nil
|
106
|
+
|
107
|
+
# Basic Authentication for the API call.
|
108
|
+
auth = Rack::Auth::Basic::Request.new(env)
|
109
|
+
|
110
|
+
if auth.provided? && auth.basic?
|
111
|
+
api_key, api_secret = *auth.credentials
|
112
|
+
end
|
113
|
+
|
114
|
+
# Let the subclass authenticate the API call.
|
115
|
+
authenticate_api_call(api_key, api_secret)
|
116
|
+
end
|
117
|
+
|
118
|
+
# 404 Not Found
|
119
|
+
def generate_not_found(request)
|
120
|
+
[
|
121
|
+
404,
|
122
|
+
{
|
123
|
+
'Content-Type' => 'text/plain'
|
124
|
+
},
|
125
|
+
[
|
126
|
+
"Not Found: #{request.request_method} #{request.path_info} (#{request.content_type})"
|
127
|
+
]
|
128
|
+
]
|
129
|
+
end
|
130
|
+
|
131
|
+
# 401 Unauthorized
|
132
|
+
def generate_api_call_authentication_failure
|
133
|
+
[
|
134
|
+
401,
|
135
|
+
{
|
136
|
+
'Content-Type' => 'text/plain',
|
137
|
+
'WWW-Authenticate' => 'Basic realm="Authentication Callback Endpoint"'
|
138
|
+
},
|
139
|
+
[
|
140
|
+
'Authentication of the API call to the authentication callback endpoint failed.'
|
141
|
+
]
|
142
|
+
]
|
143
|
+
end
|
144
|
+
|
145
|
+
# 400 Bad Request
|
146
|
+
def generate_authentication_callback_request_format_error(exception)
|
147
|
+
[
|
148
|
+
400,
|
149
|
+
{
|
150
|
+
'Content-Type' => 'text/plain',
|
151
|
+
},
|
152
|
+
[
|
153
|
+
"The format of the authentication callback request was wrong: #{exception.to_s}"
|
154
|
+
]
|
155
|
+
]
|
156
|
+
end
|
157
|
+
|
158
|
+
def parse_authentication_callback_request(request)
|
159
|
+
# In case someone has already read it.
|
160
|
+
request.body.rewind
|
161
|
+
|
162
|
+
# JSON
|
163
|
+
json = request.body.read
|
164
|
+
|
165
|
+
# Parse the authentication callback request.
|
166
|
+
Authlete::Model::Request::AuthenticationCallbackRequest.parse(json)
|
167
|
+
end
|
168
|
+
|
169
|
+
protected
|
170
|
+
|
171
|
+
# Authenticate the API call to the authentication callback endpoint
|
172
|
+
# from Authlete. Subclasses must override this method. This default
|
173
|
+
# implementation returns false, meaning 'unauthorized API call'.
|
174
|
+
#
|
175
|
+
# The argument of this method is the API key and the API secret that
|
176
|
+
# the caller has presented. When the pair of the API credentials is
|
177
|
+
# valid, return true. Otherwise, return false.
|
178
|
+
def authenticate_api_call(api_key, api_secret)
|
179
|
+
# Unauthorized API call.
|
180
|
+
false
|
181
|
+
end
|
182
|
+
|
183
|
+
# Authenticate the end-user. Subclasses must override this method.
|
184
|
+
# This default implementation returns nil, meaning 'invalid end-user'.
|
185
|
+
#
|
186
|
+
# The argument of this method is an instance of
|
187
|
+
# <tt>Authlete::Model::Request::AuthenticationCallbackRequest</tt>.
|
188
|
+
# When the end-user is successfully authenticated, this method must
|
189
|
+
# return a unique identifier (= subject) of the end-user. Otherwise,
|
190
|
+
# nil must be returned to indicate authentication failure.
|
191
|
+
def authenticate_user(req)
|
192
|
+
# Invalid end-user.
|
193
|
+
nil
|
194
|
+
end
|
195
|
+
|
196
|
+
# Collect claim values of the end-user. Subclasses should override this
|
197
|
+
# method. This default implementation returns nil, meaning 'no claim values'.
|
198
|
+
#
|
199
|
+
# The argument of this method is an instance of
|
200
|
+
# <tt>Authlete::Model::Request::AuthenticationCallbackRequest</tt> and the subject
|
201
|
+
# which has been returned from the preceding call of <tt>authenticate_user</tt>
|
202
|
+
# method.
|
203
|
+
#
|
204
|
+
# 'Claim' is a piece of information about an end-user. A subclass should
|
205
|
+
# collect values of requested claims (<tt>req.claims</tt>) as many as
|
206
|
+
# possible and format them in JSON format like below.
|
207
|
+
#
|
208
|
+
# {
|
209
|
+
# "name": "Takahiko Kawasaki",
|
210
|
+
# "gender": "male"
|
211
|
+
# }
|
212
|
+
#
|
213
|
+
# Collected claim values are used to generate an {ID token}
|
214
|
+
# [http://openid.net/specs/openid-connect-core-1_0.html#IDToken].
|
215
|
+
#
|
216
|
+
# If no claim values are available, or if you don't want to provide any
|
217
|
+
# claim value, return nil.
|
218
|
+
def collect_claims(req, subject)
|
219
|
+
# No claim values.
|
220
|
+
nil
|
221
|
+
end
|
222
|
+
|
223
|
+
# Get the path of the authentication callback endpoint. This default
|
224
|
+
# implementation returns '/authentication'. Subclasses may override
|
225
|
+
# this method to change the path.
|
226
|
+
def authentication_callback_endpoint_path
|
227
|
+
'/authentication'
|
228
|
+
end
|
229
|
+
end
|
230
|
+
end
|