deda-omniauth-keycloak 1.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: feb13e5fa04d0b6da319e0c62a1c5354a4ea1df224dfe6f4f9efc19688bd27f0
+  data.tar.gz: 7841e254570c27abd5a31ad5e93d97c2155899de4e50ff93f67f5f7b296eb68e
+SHA512:
+  metadata.gz: 3784b898f36e7e32873fd6cf416d48c35d3dceeffe53d5bb49789940170d6cd1f20b7478b377b1beb52469fa38d26a0853d737ff9262b62f275850fbfdbfc362
+  data.tar.gz: 443bb2d926ad9c717c18b81f9131655741a39ff6a4a2638a2e0012567871736fd8c1532520909369f54967c32841078def4a675d371273c066d3778f5bbca708

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.5.1
+before_install: gem install bundler -v 1.16.5

data/.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "editor.tabSize": 2
+}

data/CHANGELOG.md

@@ -0,0 +1,44 @@
+# Changelog
+
+## [v1.2.1](https://github.com/ccrockett/omniauth-keycloak/tree/HEAD)
+
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.2.0...HEAD)
+
+**Closed issues:**
+
+- Dynamically load Client and Realm [\#11](https://github.com/ccrockett/omniauth-keycloak/issues/11)
+- cannot load such file -- /Library/Ruby/Gems/2.6.0/gems/omniauth-keycloak-1.2.0/lib/omniauth-keycloak.rb \(LoadError\) [\#8](https://github.com/ccrockett/omniauth-keycloak/issues/8)
+- Release json-jwt version restriction change [\#5](https://github.com/ccrockett/omniauth-keycloak/issues/5)
+
+**Merged pull requests:**
+
+- Raise errors on setup failure and logging with OmniAuth::Strategy::log method [\#10](https://github.com/ccrockett/omniauth-keycloak/pull/10) ([alexpetrov](https://github.com/alexpetrov))
+- Bump json from 2.1.0 to 2.3.1 [\#9](https://github.com/ccrockett/omniauth-keycloak/pull/9) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rack from 2.2.2 to 2.2.3 [\#7](https://github.com/ccrockett/omniauth-keycloak/pull/7) ([dependabot[bot]](https://github.com/apps/dependabot))
+
+## [v1.2.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.2.0) (2020-05-28)
+
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.1.0...v1.2.0)
+
+**Merged pull requests:**
+
+- Bump activesupport from 6.0.1 to 6.0.3.1 [\#6](https://github.com/ccrockett/omniauth-keycloak/pull/6) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Update rake requirement from ~\> 10.0 to ~\> 13.0 [\#4](https://github.com/ccrockett/omniauth-keycloak/pull/4) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rack from 2.0.7 to 2.0.8 [\#2](https://github.com/ccrockett/omniauth-keycloak/pull/2) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Adding Devise Documentation [\#1](https://github.com/ccrockett/omniauth-keycloak/pull/1) ([masonhensley](https://github.com/masonhensley))
+
+## [v1.1.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.1.0) (2018-12-16)
+
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.0.1...v1.1.0)
+
+## [v1.0.1](https://github.com/ccrockett/omniauth-keycloak/tree/v1.0.1) (2018-12-16)
+
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.0.0...v1.0.1)
+
+## [v1.0.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.0.0) (2018-12-16)
+
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/7877c8a75f9e3f342b49bf808fa69965377d60b5...v1.0.0)
+
+
+
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at cameron.crockett@abcorp.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in omniauth-keycloak.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,98 @@
+PATH
+  remote: .
+  specs:
+    omniauth-keycloak (1.2.0)
+      json-jwt (~> 1.12)
+      omniauth (~> 1.9.0)
+      omniauth-oauth2 (~> 1.6.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (6.0.3.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
+    aes_key_wrap (1.0.1)
+    bindata (2.4.7)
+    concurrent-ruby (1.1.6)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    diff-lcs (1.3)
+    docile (1.3.1)
+    faraday (1.0.1)
+      multipart-post (>= 1.2, < 3)
+    hashdiff (0.3.7)
+    hashie (4.1.0)
+    i18n (1.8.2)
+      concurrent-ruby (~> 1.0)
+    json (2.3.1)
+    json-jwt (1.12.0)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
+    jwt (2.2.1)
+    minitest (5.14.1)
+    multi_json (1.14.1)
+    multi_xml (0.6.0)
+    multipart-post (2.1.1)
+    oauth2 (1.4.4)
+      faraday (>= 0.8, < 2.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    omniauth (1.9.1)
+      hashie (>= 3.4.6)
+      rack (>= 1.6.2, < 3)
+    omniauth-oauth2 (1.6.0)
+      oauth2 (~> 1.1)
+      omniauth (~> 1.9)
+    public_suffix (3.0.3)
+    rack (2.2.3)
+    rake (13.0.1)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    safe_yaml (1.0.4)
+    simplecov (0.16.1)
+      docile (~> 1.1)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+    thread_safe (0.3.6)
+    tzinfo (1.2.7)
+      thread_safe (~> 0.1)
+    webmock (3.4.2)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
+    zeitwerk (2.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  omniauth-keycloak!
+  rake (~> 13.0)
+  rspec (~> 3.0)
+  simplecov (~> 0.16.1)
+  webmock (~> 3.4.2)
+
+BUNDLED WITH
+   2.1.4

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Cameron Crockett
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,83 @@
+# Omniauth::Keycloak
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-keycloak'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install omniauth-keycloak
+
+## Usage
+
+`OmniAuth::Strategies::Keycloak` is simply a Rack middleware. Read the OmniAuth docs for detailed instructions: https://github.com/intridea/omniauth.
+
+Here's a quick example, adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884',
+    client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm'}
+end
+```
+
+## Devise Usage
+Adapted from [Devise OmniAuth Instructions](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview)
+
+```ruby
+# app/models/user.rb
+class User < ApplicationRecord
+  #...
+  devise :omniauthable, omniauth_providers: %i[keycloakopenid]
+  #...
+end
+
+# config/initializers/devise.rb
+config.omniauth :keycloak_openid, "Example-Client-Name", "example-secret-if-configured", client_options: { site: "https://example.keycloak-url.com", realm: "example-realm" }, :strategy_class => OmniAuth::Strategies::KeycloakOpenId
+
+# Below controller assumes callback route configuration following 
+# in config/routes.rb
+Devise.setup do |config|
+  # ...
+  devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
+end
+
+# app/controllers/users/omniauth_callbacks_controller.rb
+class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  def keycloakopenid
+    Rails.logger.debug(request.env["omniauth.auth"])
+    @user = User.from_omniauth(request.env["omniauth.auth"])
+    if @user.persisted?
+      sign_in_and_redirect @user, event: :authentication
+    else
+      session["devise.keycloakopenid_data"] = request.env["omniauth.auth"]
+      redirect_to new_user_registration_url
+    end
+  end
+
+  def failure
+    redirect_to root_path
+  end
+end
+
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/ccrockett/omniauth-keycloak. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the Omniauth::Keycloak project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/ccrockett/omniauth-keycloak/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "omniauth/omniauth-keycloak"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/deda-omniauth-keycloak.gemspec

@@ -0,0 +1,35 @@
+require File.expand_path("../lib/keycloak/version", __FILE__)
+Gem::Specification.new do |spec|
+  spec.name          = "deda-omniauth-keycloak"
+  spec.version       = Omniauth::Keycloak::VERSION
+  spec.authors       = ["Cameron Crockett","Fabiano Pavan"]
+  spec.email         = ["cameron.crockett@ccrockett.com"]
+  
+  spec.description   = %q{Omniauth strategy for Keycloak}
+  spec.summary       = spec.description
+  spec.homepage      = "https://github.com/ccrockett/omniauth-keycloak"
+  spec.license       = "MIT"
+  spec.required_rubygems_version = '>= 1.3.5'
+  spec.required_ruby_version = '>= 2.2'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0")
+  end
+
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  
+  spec.add_dependency "omniauth", "~> 1.9.0"
+  spec.add_dependency "omniauth-oauth2", "~> 1.6.0"
+  spec.add_dependency "json-jwt", "~> 1.12"
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency 'simplecov', '~> 0.16.1'
+  spec.add_development_dependency 'webmock', '~> 3.4.2'
+end

data/lib/deda-omniauth-keycloak.rb

@@ -0,0 +1,2 @@
+require "keycloak/version"
+require "omniauth/strategies/keycloak-openid"

data/lib/keycloak/version.rb

@@ -0,0 +1,5 @@
+module Omniauth
+  module Keycloak
+    VERSION = "1.2.1"
+  end
+end

data/lib/omniauth/strategies/keycloak-openid.rb

@@ -0,0 +1,134 @@
+require 'omniauth'
+require 'omniauth-oauth2'
+require 'json/jwt'
+require 'uri'
+
+module OmniAuth
+    module Strategies
+        class KeycloakOpenId < OmniAuth::Strategies::OAuth2
+
+            class Error < RuntimeError; end
+            class ConfigurationError < Error; end
+            class IntegrationError < Error; end
+
+            attr_reader :authorize_url
+            attr_reader :token_url
+            attr_reader :cert
+
+            
+            def setup_phase        
+                super       
+                if @authorize_url.nil? || @token_url.nil? 
+                                        
+                    prevent_site_option_mistake
+                    realm = options.client_options[:realm].nil? ? options.client_id : options.client_options[:realm]
+                    site = options.client_options[:site]
+
+                    raise_on_failure = options.client_options.fetch(:raise_on_failure, false)
+                    config_url = URI.join(site, "#{auth_url_base}/realms/#{realm}/.well-known/openid-configuration")
+
+                    log :debug, "Going to get Keycloak configuration. URL: #{config_url}"
+                    response = Faraday.get config_url
+                    if (response.status == 200)
+                        json = MultiJson.load(response.body)
+
+                        @certs_endpoint = json["jwks_uri"]
+                        @userinfo_endpoint = json["userinfo_endpoint"]
+                        @authorize_url = URI(json["authorization_endpoint"]).path
+                        @token_url = URI(json["token_endpoint"]).path
+
+                        log_config(json)
+
+                        options.client_options.merge!({
+                            authorize_url: @authorize_url,
+                            token_url: @token_url
+                                                      })
+                        log :debug, "Going to get certificates. URL: #{@certs_endpoint}"
+                        certs = Faraday.get @certs_endpoint
+                        if (certs.status == 200)
+                            json = MultiJson.load(certs.body)
+                            @cert = json["keys"][0]
+                            log :debug, "Successfully got certificate. Certificate length: #{@cert.length}"
+                        else
+                            message = "Coundn't get certificate. URL: #{@certs_endpoint}"
+                            log :error, message
+                            raise IntegrationError, message if raise_on_failure
+                        end
+                    else
+                        message = "Keycloak configuration request failed with status: #{response.status}. " \
+                                  "URL: #{config_url}"
+                        log :error, message
+                        raise IntegrationError, message if raise_on_failure
+                    end
+                end
+            end
+
+            def request_phase
+                options.authorize_options.each {|key| options[key] = request.params[key.to_s] }
+                redirect client.auth_code.authorize_url(authorize_params.merge({:redirect_uri => callback_url}))
+            end
+
+
+            def auth_url_base
+              return '/auth' unless options.client_options[:base_url]
+              base_url = options.client_options[:base_url]
+              return base_url if (base_url == '' || base_url[0] == '/')
+
+              raise ConfigurationError, "Keycloak base_url option should start with '/'. Current value: #{base_url}"
+            end
+
+            def prevent_site_option_mistake
+              site = options.client_options[:site]
+              return unless site =~ /\/auth$/
+
+              raise ConfigurationError, "Keycloak site parameter should not include /auth part, only domain. Current value: #{site}"
+            end
+
+            def log_config(config_json)
+              log_keycloak_config = options.client_options.fetch(:log_keycloak_config, false)
+              log :debug, "Successfully got Keycloak config"
+              log :debug, "Keycloak config: #{config_json}" if log_keycloak_config
+              log :debug, "Certs endpoint: #{@certs_endpoint}"
+              log :debug, "Userinfo endpoint: #{@userinfo_endpoint}"
+              log :debug, "Authorize url: #{@authorize_url}"
+              log :debug, "Token url: #{@token_url}"
+            end
+
+            #1.5.1
+            def build_access_token
+                verifier = request.params["code"]
+                client.auth_code.get_token(verifier,
+                    {:redirect_uri => callback_url.gsub(/\?.+\Z/, "")}
+                    .merge(token_params.to_hash(:symbolize_keys => true)),
+                    deep_symbolize(options.auth_token_params))
+            end
+
+
+            uid{ raw_info['sub'] }
+        
+            info do
+            {
+                :name => raw_info['name'],
+                :email => raw_info['email'],
+                :first_name => raw_info['given_name'],
+                :last_name => raw_info['family_name']
+            }
+            end
+        
+            extra do
+            {
+                'raw_info' => raw_info
+            }
+            end
+        
+            def raw_info
+                id_token_string = access_token.token
+                jwk = JSON::JWK.new(@cert)
+                id_token = JSON::JWT.decode id_token_string, jwk
+                id_token
+            end
+
+            OmniAuth.config.add_camelization('keycloak_openid', 'KeycloakOpenId')
+        end
+    end
+end

data/spec/omniauth/strategies/keycloak_spec.rb

@@ -0,0 +1,95 @@
+require 'spec_helper'
+
+RSpec.describe OmniAuth::Strategies::KeycloakOpenId do
+  body = '{"issuer": "http://localhost:8080/auth/realms/example-realm",
+  "authorization_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/auth",
+  "token_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token",
+  "token_introspection_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token/introspect",
+  "userinfo_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/userinfo",
+  "end_session_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/logout",
+  "jwks_uri": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs",
+  "check_session_iframe": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/login-status-iframe.html",
+  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
+  "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
+  "subject_types_supported": ["public", "pairwise"],
+  "id_token_signing_alg_values_supported": ["RS256"],
+  "userinfo_signing_alg_values_supported": ["RS256"],
+  "request_object_signing_alg_values_supported": ["none", "RS256"],
+  "response_modes_supported": ["query", "fragment", "form_post"],
+  "registration_endpoint": "http://localhost:8080/auth/realms/example-realm/clients-registrations/openid-connect",
+  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
+  "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
+  "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
+  "claim_types_supported": ["normal"],
+  "claims_parameter_supported": false,
+  "scopes_supported": ["openid", "offline_access"],
+  "request_parameter_supported": true,
+  "request_uri_parameter_supported": true}'
+
+  context 'client options' do
+    subject do
+      stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
+        .to_return(status: 200, body: body, headers: {})
+      stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
+        .to_return(status: 404, body: "", headers: {})
+      OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+        client_options: {site: 'http://localhost:8080/', realm: 'example-realm'})
+    end
+    
+    it 'should have the correct keycloak token url' do
+      subject.setup_phase
+      expect(subject.token_url).to eq('/auth/realms/example-realm/protocol/openid-connect/token')
+    end
+
+    it 'should have the correct keycloak authorization url' do
+      subject.setup_phase
+      expect(subject.authorize_url).to eq('/auth/realms/example-realm/protocol/openid-connect/auth')
+    end
+  end
+
+  describe 'errors processing' do
+    context 'when site contains /auth part' do
+      subject do
+        OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+                                                 client_options: {site: 'http://localhost:8080/auth', realm: 'example-realm', raise_on_failure: true})
+      end
+
+      it 'raises Configuration Error' do
+        expect{ subject.setup_phase }
+          .to raise_error(OmniAuth::Strategies::KeycloakOpenId::ConfigurationError)
+      end
+    end
+
+    context 'when raise_on_failure option is true' do
+      context 'when openid configuration endpoint returns error response' do
+        subject do
+          stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
+            .to_return(status: 404, body: "", headers: {})
+          OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+                                                   client_options: {site: 'http://localhost:8080', realm: 'example-realm', raise_on_failure: true})
+        end
+
+        it 'raises Integration Error' do
+          expect{ subject.setup_phase }
+            .to raise_error(OmniAuth::Strategies::KeycloakOpenId::IntegrationError)
+        end
+      end
+
+      context 'when certificates endpoint returns error response' do
+        subject do
+          stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
+            .to_return(status: 200, body: body, headers: {})
+          stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
+            .to_return(status: 404, body: "", headers: {})
+          OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+                                                   client_options: {site: 'http://localhost:8080', realm: 'example-realm', raise_on_failure: true})
+        end
+
+        it 'raises Integration Error' do
+          expect{ subject.setup_phase }
+            .to raise_error(OmniAuth::Strategies::KeycloakOpenId::IntegrationError)
+        end
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,27 @@
+require "bundler/setup"
+require "omniauth/strategies/keycloak-openid"
+require "webmock/rspec"
+
+if RUBY_VERSION >= "1.9"
+  require "simplecov"
+
+  SimpleCov.start do
+    minimum_coverage(93.00)
+  end
+end
+
+require "rspec"
+require "omniauth"
+
+RSpec.configure do |config|
+  # Enable flags like --only-failures and --next-failure
+  config.example_status_persistence_file_path = ".rspec_status"
+
+  # Disable RSpec exposing methods globally on `Module` and `main`
+  config.disable_monkey_patching!
+
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+  config.extend OmniAuth::Test::StrategyMacros, :type => :strategy
+end

metadata

@@ -0,0 +1,175 @@
+--- !ruby/object:Gem::Specification
+name: deda-omniauth-keycloak
+version: !ruby/object:Gem::Version
+  version: 1.2.1
+platform: ruby
+authors:
+- Cameron Crockett
+- Fabiano Pavan
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2023-12-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.0
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.1
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.4.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.4.2
+description: Omniauth strategy for Keycloak
+email:
+- cameron.crockett@ccrockett.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- ".vscode/settings.json"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- deda-omniauth-keycloak.gemspec
+- lib/deda-omniauth-keycloak.rb
+- lib/keycloak/version.rb
+- lib/omniauth/strategies/keycloak-openid.rb
+- spec/omniauth/strategies/keycloak_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/ccrockett/omniauth-keycloak
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.3.5
+requirements: []
+rubygems_version: 3.0.8
+signing_key: 
+specification_version: 4
+summary: Omniauth strategy for Keycloak
+test_files: []