authress-sdk 2.0.35.0 → 2.0.36.0
- checksums.yaml +4 -4
- data/lib/authress-sdk/authress_client.rb +8 -2
- data/lib/authress-sdk/omniauth.rb +200 -0
- data/lib/authress-sdk/token_validator.rb +13 -0
- metadata +46 -2
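--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d53ce37eb3af2b4911e21b2e93c6f77ec7a06232c96e7ed58cbae4edcbdf4647
+data.tar.gz: c8792e0d2b46e6f42c1a87377dc58ba83312ca9946ce4506eb88544756867a5a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 17fcb77f73b4ce14a83b375a672a6103b3811ae86f48c8a048c61899bfd8a705440e4b90d2862663096c333b3965f461d62c9bc2ba37f370858046e9850749a5
+data.tar.gz: b13152410a514e8b88bd34e983de8e805c809a30913554116979aaa5ccd486a549385583eaf7650579fbdd2167d092b49914291217ea547db547357d4c6e0ce5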
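--- a/data/lib/authress-sdk/authress_client.rb
+++ b/data/lib/authress-sdk/authress_client.rb
@@ -35,6 +35,13 @@ module AuthressSdk
 @@default ||= AuthressClient.new
 end
 
+# Normalize a domain to a URL.
+def custom_domain_url
+domain_url = URI(@base_url)
+domain_url = URI("https://#{domain_url}") if domain_url.scheme.nil?
+domain_url.to_s
+end
+
 def set_token(token)
 @token_provider = ConstantTokenProvider.new(token)
 end
@@ -242,8 +249,7 @@ module AuthressSdk
 def build_request_url(path)
 # Add leading and trailing slashes to path
 path = "/#{path}".gsub(/\/+/, '/')
-
-@base_url + path
+custom_domain_url + path
 end
 
 # Return Accept header based on an array of accepts provided.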
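Review bot: `custom_domain_url` does not handle an unset base URL: `URI(nil)` raises ArgumentError and `URI('')` parses to a scheme-less URI that the next line turns into `"https://"`, so a caller that tests the result for blank (the new `no_domain?` check in omniauth.rb does exactly that) can never observe one. A guard `return @base_url if @base_url.nil? || @base_url.empty?` ahead of the `URI` call keeps a missing configuration detectable instead of surfacing as an exception or a bogus `https://` origin. Note also that `URI` parses a bare `host:port` string such as `localhost:8080` with scheme `localhost`, so the `scheme.nil?` test does not normalize that shape; if such values are accepted, testing `domain_url.host.nil?` as well covers both the schemeless-host and host:port forms. `build_request_url` in the second hunk concatenates the result unchanged, so the same caveat applies to every request URL.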
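--- /dev/null
+++ b/data/lib/authress-sdk/omniauth.rb
@@ -0,0 +1,200 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'oauth2'
+require 'omniauth-oauth2'
+require_relative './token_validator'
+require_relative './authress_client.rb'
+
+include OAuth2
+
+module OmniAuth
+module Authress
+VERSION = '1.1.0'
+end
+
+module Strategies
+class Authress < OmniAuth::Strategies::OAuth2
+attr_accessor :authress_client
+attr_accessor :token_response
+
+def initialize(*args)
+super
+@authress_client = AuthressSdk::AuthressClient.default
+end
+
+option :name, 'authress'
+option :pkce, true
+option :application_id, nil
+
+# Setup client URLs used during authentication and then call the default
+def client
+options.client_id = options.application_id
+options.client_options.headers = {
+'User-Agent' => 'Ruby OmniAuth'
+}
+options.client_options.auth_scheme = :request_body
+options.client_options.site = @authress_client.custom_domain_url
+options.client_options.authorize_url = @authress_client.custom_domain_url
+options.client_options.token_url = @authress_client.custom_domain_url + '/api/authentication/-/tokens'
+# https://github.com/omniauth/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L47
+super
+end
+
+# Use the "sub" key of the userinfo returned
+# as the uid (globally unique string identifier).
+uid { user_info['sub'] }
+
+# Build the API credentials hash with returned auth data.
+credentials do
+if @token_response == nil
+return nil
+end
+
+hash = {
+'token' => @token_response['access_token'],
+'id_token' => @token_response['id_token'],
+'token_type' => @token_response['token_type'] || 'Bearer',
+'expires' => true,
+'expires_at' => @token_response['expires_at']
+}
+
+# Retrieve and remove authorization params from the session
+session_authorize_params = session['authorize_params'] || {}
+session.delete('authorize_params')
+
+hash
+end
+
+# Store all raw information for use in the session.
+extra do
+{
+raw_info: user_info
+}
+end
+
+# Build a hash of information about the user
+# with keys taken from the Auth Hash Schema.
+info do
+{
+name: user_info['name'] || user_info['sub'],
+nickname: user_info['nickname'],
+email: user_info['email'],
+image: user_info['picture']
+}
+end
+
+# Define the parameters used for the /authorize endpoint
+def authorize_params
+params = super
+%w[responseLocation flowType].each do |key|
+params[key] = request.params[key] if request.params.key?(key)
+end
+
+# Generate nonce
+params[:nonce] = SecureRandom.hex
+# Generate leeway if none exists
+params[:leeway] = 60 unless params[:leeway]
+
+params[:responseLocation] = 'query'
+params[:flowType] = 'code'
+
+# Store authorize params in the session for token verification
+session['authorize_params'] = params.to_hash
+
+params
+end
+
+# Declarative override for the request phase of authentication
+def request_phase
+if no_application_id?
+# Do we have a application_id for this Application?
+fail!(:missing_application_id)
+elsif no_domain?
+# Do we have a domain for this Application?
+fail!(:missing_domain)
+else
+# All checks pass, run the Oauth2 request_phase method.
+super
+end
+end
+
+# https://github.com/omniauth/omniauth/blob/master/lib/omniauth/strategy.rb#L416
+def callback_phase
+begin
+error = request.params["error_reason"] || request.params["error"]
+if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
+fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+elsif error
+fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
+else
+params = {
+'grant_type' => 'authorization_code',
+'code' => request.params["code"],
+'client_id' => options.application_id,
+'redirect_uri' => callback_url
+# https://github.com/omniauth/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L80
+}.merge(token_params.to_hash(:symbolize_keys => true))
+
+params_dup = params.dup
+params.each_key do |key|
+params_dup[key.to_s] = params_dup.delete(key) if key.is_a?(Symbol)
+end
+
+@token_response = complete_token_request(params_dup)
+
+env['omniauth.auth'] = auth_hash
+call_app!
+end
+rescue AuthressSdk::TokenValidationError => e
+fail!(:token_validation_error, e)
+rescue ::OAuth2::Error, CallbackError => e
+fail!(:invalid_credentials, e)
+rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+fail!(:timeout, e)
+rescue ::SocketError => e
+fail!(:failed_to_connect, e)
+end
+end
+
+def complete_token_request(params, &block)
+request_opts = {
+raise_errors: options[:raise_errors]
+}
+request_opts[:body] = params.to_json
+request_opts[:headers] = options.client_options.headers
+response = client.request(:post, options.client_options.token_url, request_opts, &block)
+@access_token = OAuth2::AccessToken.from_hash(client, JSON.parse(response.body)).tap do |access_token|
+access_token.response = response if access_token.respond_to?(:response=)
+end
+return JSON.parse(response.body)
+end
+
+# Parse the raw user info.
+def user_info
+if @token_response && @token_response['id_token']
+jwt_payload = @token_response['id_token'] && @token_response['id_token'].to_s && @token_response['id_token'].to_s.split('.')[1]
+if jwt_payload
+jwt_payload += '=' * (4 - jwt_payload.length.modulo(4))
+user_identity = JSON.parse(Base64.decode64(jwt_payload.tr('-_','+/')))
+return user_identity
+end
+end
+
+return nil
+end
+
+# Check if the options include a application_id
+def no_application_id?
+['', nil].include?(options.application_id)
+end
+
+# Check if the options include a domain
+def no_domain?
+['', nil].include?(@authress_client.custom_domain_url)
+end
+end
+end
+end
+
+OmniAuth.config.add_camelization 'authress', 'Authress'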
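Review bot: The nonce that `authorize_params` generates and stores under `session['authorize_params']` (new-file lines 95 and 103) is never checked: the `credentials` block reads it into `session_authorize_params` and deletes it but the local is unused, and `callback_phase` goes straight from `complete_token_request` to `auth_hash`, so the stored value binds nothing and the "for token verification" comment is not honoured. `user_info` likewise derives `uid` and `info` by base64-decoding the id_token's middle segment with no signature, issuer or expiry check anywhere in this file; `TokenValidationError` is rescued but nothing in the hunk calls a validator, so presumably that lives in `token_validator.rb` (not shown) — confirm it actually runs on this path. The sketch below compares the issued nonce with the `nonce` claim after the token request and fails the callback on mismatch (it assumes Authress echoes the nonce in the id_token and that `to_hash` plus the session store yield string keys — both to be confirmed). Separately, `return nil` inside `credentials do … end` is a `return` from a proc with no enclosing method and will likely raise LocalJumpError when `@token_response` is nil; `next nil if @token_response.nil?` is the block-safe form. `no_domain?` can never be true because `custom_domain_url` returns `"https://"` for a blank base URL and raises for nil, so the `:missing_domain` branch of `request_phase` is dead as written.
```ruby
@token_response = complete_token_request(params_dup)

# Bind the returned id_token to the login attempt that issued the nonce.
issued_nonce = (session['authorize_params'] || {})['nonce']
returned_nonce = user_info && user_info['nonce']
if issued_nonce.nil? || returned_nonce != issued_nonce
  return fail!(:invalid_nonce, CallbackError.new(:invalid_nonce, 'nonce mismatch'))
end

env['omniauth.auth'] = auth_hash
# … unchanged: call_app! and the rescue clauses …
```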
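--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authress-sdk
 version: !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.36.0
 platform: ruby
 authors:
 - Authress
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-
+date: 2023-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: typhoeus
@@ -44,6 +44,48 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: 2.1.0
+- !ruby/object:Gem::Dependency
+name: omniauth-oauth2
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: jwt
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: oauth2
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
 - !ruby/object:Gem::Dependency
 name: rspec
 requirement: !ruby/object:Gem::Requirement
@@ -141,7 +183,9 @@ files:
 - lib/authress-sdk/models/v1usersuser_idresourcesresource_urimetadata_account.rb
 - lib/authress-sdk/models/v1usersuser_idtokens_resources.rb
 - lib/authress-sdk/models/v1usersuser_idtokens_statements.rb
+- lib/authress-sdk/omniauth.rb
 - lib/authress-sdk/service_client_token_provider.rb
+- lib/authress-sdk/token_validator.rb
 homepage: https://github.com/Authress/authress-sdk.rb
 licenses:
 - Apache-2.0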