authress-sdk 2.0.35.0 → 2.0.36.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4ecbbf5559452b95fdcacf5f3c731c3ac910706d68563784c8dbdf9031655cd2
-  data.tar.gz: ff8fdd1c2864931948ea39a2216993bac75fbf2bdd10864c0a684d2f3c7a9640
+  metadata.gz: d53ce37eb3af2b4911e21b2e93c6f77ec7a06232c96e7ed58cbae4edcbdf4647
+  data.tar.gz: c8792e0d2b46e6f42c1a87377dc58ba83312ca9946ce4506eb88544756867a5a
 SHA512:
-  metadata.gz: ace0997dc03b122f06b10abfc79c4d0aa34004153c33eca34a403c5b8efa582d5528724416dd51715839b95ffa233c408ce710f24db80788323956b70eb26e0b
-  data.tar.gz: f3dcf7bd72fbab2f88540e54c8b67636009fc5261c831848c5e20f262a15fd7d6877bb0745443de9874fc57358a1d77e4bdc312a72752fd5bb9a47f03481c005
+  metadata.gz: 17fcb77f73b4ce14a83b375a672a6103b3811ae86f48c8a048c61899bfd8a705440e4b90d2862663096c333b3965f461d62c9bc2ba37f370858046e9850749a5
+  data.tar.gz: b13152410a514e8b88bd34e983de8e805c809a30913554116979aaa5ccd486a549385583eaf7650579fbdd2167d092b49914291217ea547db547357d4c6e0ce5

data/lib/authress-sdk/authress_client.rb

@@ -35,6 +35,13 @@ module AuthressSdk
       @@default ||= AuthressClient.new
     end
 
+    # Normalize a domain to a URL.
+    def custom_domain_url
+      domain_url = URI(@base_url)
+      domain_url = URI("https://#{domain_url}") if domain_url.scheme.nil?
+      domain_url.to_s
+    end
+
     def set_token(token)
       @token_provider = ConstantTokenProvider.new(token)
     end
@@ -242,8 +249,7 @@ module AuthressSdk
     def build_request_url(path)
       # Add leading and trailing slashes to path
       path = "/#{path}".gsub(/\/+/, '/')
-      puts self.base_url
-      @base_url + path
+      custom_domain_url + path
     end
 
     # Return Accept header based on an array of accepts provided.

data/lib/authress-sdk/omniauth.rb

@@ -0,0 +1,200 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'oauth2'
+require 'omniauth-oauth2'
+require_relative './token_validator'
+require_relative './authress_client.rb'
+
+include OAuth2
+
+module OmniAuth
+  module Authress
+    VERSION = '1.1.0'
+  end
+
+  module Strategies
+    class Authress < OmniAuth::Strategies::OAuth2
+      attr_accessor :authress_client
+      attr_accessor :token_response
+
+      def initialize(*args)
+        super
+        @authress_client = AuthressSdk::AuthressClient.default
+      end
+
+      option :name, 'authress'
+      option :pkce, true
+      option :application_id, nil
+
+      # Setup client URLs used during authentication and then call the default
+      def client
+        options.client_id = options.application_id
+        options.client_options.headers = {
+          'User-Agent' => 'Ruby OmniAuth'
+        }
+        options.client_options.auth_scheme = :request_body
+        options.client_options.site = @authress_client.custom_domain_url
+        options.client_options.authorize_url = @authress_client.custom_domain_url
+        options.client_options.token_url = @authress_client.custom_domain_url + '/api/authentication/-/tokens'
+        # https://github.com/omniauth/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L47
+        super
+      end
+
+      # Use the "sub" key of the userinfo returned
+      # as the uid (globally unique string identifier).
+      uid { user_info['sub'] }
+
+      # Build the API credentials hash with returned auth data.
+      credentials do
+        if @token_response == nil
+          return nil
+        end
+
+        hash = {
+          'token' => @token_response['access_token'],
+          'id_token' => @token_response['id_token'],
+          'token_type' => @token_response['token_type'] || 'Bearer',
+          'expires' => true,
+          'expires_at' => @token_response['expires_at']
+        }
+
+        # Retrieve and remove authorization params from the session
+        session_authorize_params = session['authorize_params'] || {}
+        session.delete('authorize_params')
+
+        hash
+      end
+
+      # Store all raw information for use in the session.
+      extra do
+        {
+          raw_info: user_info
+        }
+      end
+
+      # Build a hash of information about the user
+      # with keys taken from the Auth Hash Schema.
+      info do
+        {
+          name: user_info['name'] || user_info['sub'],
+          nickname: user_info['nickname'],
+          email: user_info['email'],
+          image: user_info['picture']
+        }
+      end
+
+      # Define the parameters used for the /authorize endpoint
+      def authorize_params
+        params = super
+        %w[responseLocation flowType].each do |key|
+          params[key] = request.params[key] if request.params.key?(key)
+        end
+
+        # Generate nonce
+        params[:nonce] = SecureRandom.hex
+        # Generate leeway if none exists
+        params[:leeway] = 60 unless params[:leeway]
+
+        params[:responseLocation] = 'query'
+        params[:flowType] = 'code'
+
+        # Store authorize params in the session for token verification
+        session['authorize_params'] = params.to_hash
+
+        params
+      end
+
+      # Declarative override for the request phase of authentication
+      def request_phase
+        if no_application_id?
+          # Do we have a application_id for this Application?
+          fail!(:missing_application_id)
+        elsif no_domain?
+          # Do we have a domain for this Application?
+          fail!(:missing_domain)
+        else
+          # All checks pass, run the Oauth2 request_phase method.
+          super
+        end
+      end
+
+      # https://github.com/omniauth/omniauth/blob/master/lib/omniauth/strategy.rb#L416
+      def callback_phase
+        begin
+          error = request.params["error_reason"] || request.params["error"]
+          if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
+            fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+          elsif error
+            fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
+          else
+            params = {
+              'grant_type' => 'authorization_code',
+              'code' => request.params["code"],
+              'client_id' => options.application_id,
+              'redirect_uri' => callback_url
+            # https://github.com/omniauth/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L80
+            }.merge(token_params.to_hash(:symbolize_keys => true))
+
+            params_dup = params.dup
+            params.each_key do |key|
+              params_dup[key.to_s] = params_dup.delete(key) if key.is_a?(Symbol)
+            end
+
+            @token_response = complete_token_request(params_dup)      
+      
+            env['omniauth.auth'] = auth_hash
+            call_app!
+          end
+        rescue AuthressSdk::TokenValidationError => e
+          fail!(:token_validation_error, e)
+        rescue ::OAuth2::Error, CallbackError => e
+          fail!(:invalid_credentials, e)
+        rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+          fail!(:timeout, e)
+        rescue ::SocketError => e
+          fail!(:failed_to_connect, e)
+        end
+      end
+
+      def complete_token_request(params, &block)
+        request_opts = {
+          raise_errors: options[:raise_errors]
+        }
+        request_opts[:body] = params.to_json
+        request_opts[:headers] = options.client_options.headers
+        response = client.request(:post, options.client_options.token_url, request_opts, &block)
+        @access_token = OAuth2::AccessToken.from_hash(client, JSON.parse(response.body)).tap do |access_token|
+          access_token.response = response if access_token.respond_to?(:response=)
+        end
+        return JSON.parse(response.body)
+      end
+
+      # Parse the raw user info.
+      def user_info
+        if @token_response && @token_response['id_token']
+          jwt_payload = @token_response['id_token'] && @token_response['id_token'].to_s && @token_response['id_token'].to_s.split('.')[1]
+          if jwt_payload
+            jwt_payload += '=' * (4 - jwt_payload.length.modulo(4))
+            user_identity = JSON.parse(Base64.decode64(jwt_payload.tr('-_','+/')))
+            return user_identity
+          end
+        end
+
+        return nil
+      end
+
+      # Check if the options include a application_id
+      def no_application_id?
+        ['', nil].include?(options.application_id)
+      end
+
+      # Check if the options include a domain
+      def no_domain?
+        ['', nil].include?(@authress_client.custom_domain_url)
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'authress', 'Authress'

data/lib/authress-sdk/token_validator.rb

@@ -0,0 +1,13 @@
+require 'base64'
+require 'uri'
+require 'json'
+
+module AuthressSdk
+  class TokenValidationError < StandardError
+    attr_reader :error_reason
+    def initialize(msg)
+      @error_reason = msg
+      super(msg)
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authress-sdk
 version: !ruby/object:Gem::Version
-  version: 2.0.35.0
+  version: 2.0.36.0
 platform: ruby
 authors:
 - Authress
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-03-29 00:00:00.000000000 Z
+date: 2023-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: typhoeus
@@ -44,6 +44,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.1.0
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -141,7 +183,9 @@ files:
 - lib/authress-sdk/models/v1usersuser_idresourcesresource_urimetadata_account.rb
 - lib/authress-sdk/models/v1usersuser_idtokens_resources.rb
 - lib/authress-sdk/models/v1usersuser_idtokens_statements.rb
+- lib/authress-sdk/omniauth.rb
 - lib/authress-sdk/service_client_token_provider.rb
+- lib/authress-sdk/token_validator.rb
 homepage: https://github.com/Authress/authress-sdk.rb
 licenses:
 - Apache-2.0