doorkeeper-jwt_assertion 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 27fd53398a97014fdf2e15738c0a3e8b614fe9c9
-  data.tar.gz: 122d76d1dfee424e13f85983aaf6e3bbfb69b142
+  metadata.gz: b1025f43737a9664dcc50c45898f896b533d3c63
+  data.tar.gz: f3b91579bb961c9d970d09016397bbb5e951faa1
 SHA512:
-  metadata.gz: 1f58e5c6f1ca803e953c95567729a1aba332173560c27a9c339426f2346603430c60e78f17d3088a8a650e7a79a5db1f893319f66dce708a5a93417a713d0623
-  data.tar.gz: 57f040de3c1bd245eb7ea76db943003320eade8a2dc8126e3c379def4b499c74c6e5b53417919fa857313d59931c7040ae89ea819a41eb4cf6e74bf3da2237ea
+  metadata.gz: 0a275595653379460375328fe8c5d43802d15ac096c48c2e07ad848f23f4063f50989cb0e386c235508a2182c8e8a0c139754ea4a25eeb8ae93481368852f893
+  data.tar.gz: 6ce0dbc0869904a8df606fbcc95d68a81c91548cca8b3c62df20c9f18edfdd61c6e8f382e701a1d221ff84918b1afc2ad948bf24c4e145e93ab44e8cc66ae318

data/README.md

@@ -1,8 +1,6 @@
 # Doorkeeper JWT Assertion
 
-## Description
-
-Extending (Doorkeeper)[https://github.com/doorkeeper-gem/doorkeeper] to support JWT Assertion grant type using a secret or a private key file.
+Extending [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) to support JWT Assertion grant type using a secret or a private key file.
 
 **This library is in alpha. Future incompatible changes may be necessary.**
 
@@ -24,13 +22,18 @@ Doorkeeper.configure do
 	jwt_private_key Rails.root.join('config', 'keys', 'private.key')
 
 	jwt_secret 'notasecret'
+
+	# Optional
+	jwt_use_issuer_as_client_id true
 end
 ```
 
 This will automatically push `assertion` into the Doorkeeper's grant_types configuration attribute.
 
-You can also use the `resource_owner_authenticator` in the configuration to identify the owner based on the JWT claim values.
-If the client request a token with an invalid assertion, an error will be raised. So you can rely on the `jwt` getter if an assertion grant was requested.
+When `jwt_use_issuer_as_client_id` is set to false then the `client_id` MUST be available from the parameters. By default it will extract the 'iss' and use it as the client_id to retrieve the oauth application.
+
+Use the `resource_owner_authenticator` in the configuration to identify the owner based on the JWT claim values. This values can be accessible from `jwt`.
+If the client request a token with an invalid assertion, or an expired JWT claim, an :invalid_grant error response will be generated before retrieving the resource_owner.
 
 ``` ruby
 Doorkeeper.configure do
@@ -38,8 +41,7 @@ Doorkeeper.configure do
 	resource_owner_authenticator do
 
 		if jwt
-			head :unauthorized unless user = User.where(:email => jwt['prn']).first
-			return user
+			jwt['prn'].present? and User.find_by_email(jwt['prn'])
 		end
 
 	end
@@ -60,14 +62,20 @@ p12 = OpenSSL::PKCS12.new( Rails.root.join('config', 'keys', 'private.p12').open
 params = { :private_key => p12.key,
            :aud => 'audience',
            :prn => 'person', # or :sub => 'subject', not suported on OAuth2 1.0.0 yet.
-           :iss => 'issuer',
+           :iss => 'client_id',
            :scope => 'scope',
            :exp => Time.now.utc.to_i + 5.minutes }
 
 token = client.assertion.get_token(params)
 ```
 
+>  "[...] refresh tokens are not issued
+>  in response to assertion grant requests and access tokens will be
+>  issued with a reasonably short lifetime."
+> - [draft-ietf-oauth-assertions-18](https://tools.ietf.org/html/draft-ietf-oauth-assertions-18#section-4.1)
+
 ## TO DO
 
 * Better error handling
+* JWT Client Authentication Flow
 * Testing

data/lib/doorkeeper/jwt_assertion.rb

@@ -7,7 +7,7 @@ require 'jwt'
 module Doorkeeper
 	module JWTAssertion
 		
-		attr_reader :jwt
+		attr_reader :jwt, :jwt_header
 
 	end
 end
@@ -22,6 +22,10 @@ module Doorkeeper
 			context.instance_variable_set('@jwt', jwt)
 		end
 
+		def jwt_header=(jwt_header)
+			@jwt_header = jwt_header
+			context.instance_variable_set('@jwt_header', jwt_header)
+		end
 
 	end
 end
@@ -30,6 +34,7 @@ module Doorkeeper
 	class Config
 
 		option :jwt_key
+		option :jwt_use_issuer_as_client_id, :default => true
 
 		class Builder
 
@@ -48,10 +53,10 @@ module Doorkeeper
 
 					Config.class_eval do
 						alias_method :remember_calculate_token_grant_types, :calculate_token_grant_types
-
 						define_method :calculate_token_grant_types do
-							remember_calculate_token_grant_types << 'assertion'
+							remember_calculate_token_grant_types << 'assertion' << 'urn:ietf:params:oauth:grant-type:jwt-bearer'
 						end
+
 					end
 
 					jwt_key key

data/lib/doorkeeper/jwt_assertion/version.rb

@@ -1,5 +1,5 @@
 module Doorkeeper
   module JwtAssertion
-    VERSION = "0.0.1"
+    VERSION = "0.0.2"
   end
 end

data/lib/doorkeeper/oauth/assertion_access_token_request.rb

@@ -0,0 +1,149 @@
+require 'doorkeeper/oauth/describable_error_response'
+
+module Doorkeeper
+	module OAuth
+		class AssertionAccessTokenRequest
+			
+			include Validations
+			include OAuth::RequestConcern
+			include OAuth::Helpers
+
+			attr_accessor :server, :original_scopes
+			attr_reader :resource_owner, :client, :configuration, :access_token, :response, :error_description
+
+			validate :assertion,      error: :invalid_grant
+			validate :client,         error: :invalid_client
+			validate :scopes,         error: :invalid_scope
+			validate :resource_owner, error: :invalid_grant
+			validate :access_token,   error: :invalid_grant
+			
+
+			##
+			# @see https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12#section-2.1
+			#
+			def initialize(server, configuration)
+				@server          = server
+				@configuration   = configuration
+				@response        = nil
+				@original_scopes = server.parameters[:scope]
+			end
+
+			def authorize
+				validate
+				if valid?
+					@response = TokenResponse.new(access_token)
+				else
+					@response = DescribableErrorResponse.from_request(self)
+					@response.description = error_description
+					@response
+				end
+			end
+
+
+
+			private
+
+				##
+				# >   The value of the "grant_type" is "urn:ietf:params:oauth:grant-
+				# >   type:jwt-bearer".
+				# >   The value of the "assertion" parameter MUST contain a single JWT.
+				# > - draft-ietf-oauth-jwt-bearer-12
+				#
+				# @see https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12#section-2.1
+				#
+				# >   assertion_type
+				# >         REQUIRED.  The format of the assertion as defined by the
+				# >         authorization server.  The value MUST be an absolute URI.
+				# >
+				# >   assertion
+				# >         REQUIRED.  The assertion.
+				# >
+				# > - draft-ietf-oauth-v2-10
+				# @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.3
+				#
+				# Newer versions of ietf-oauth-v2 don't need assertion_type. So it's still optional.
+				def validate_assertion
+					assertion, assertion_type = server.parameters.values_at(:assertion, :assertion_type)
+
+					if assertion_type and assertion_type != 'urn:ietf:params:oauth:grant-type:jwt-bearer'
+						raise StandardError.new('Assertion type not valid. Expected urn:ietf:params:oauth:grant-type:jwt-bearer') 
+					end
+
+					payload, header  = JWT.decode(assertion, configuration.jwt_key)
+					server.jwt = payload
+					server.jwt_header = header
+
+				rescue => error
+					@error_description = error.message
+					false
+				end
+
+
+
+				##
+				# If `jwt_use_issuer_as_client_id` is `true` then validate the client using the issuer as the client_id.
+				# Otherwise, use the client_id directly from the parameters.
+				#
+				# >   Authentication of the client is optional, as described in
+				# >   Section 3.2.1 of OAuth 2.0 [RFC6749] and consequently, the
+				# >   "client_id" is only needed when a form of client authentication that
+				# >   relies on the parameter is used.
+				# > - draft-ietf-oauth-assertions-18
+				#
+				# @see https://tools.ietf.org/html/draft-ietf-oauth-assertions-18#section-4.1
+				#
+				# >   The JWT MUST contain an "iss" (issuer) claim that contains a
+				# >   unique identifier for the entity that issued the JWT.  
+				# > - draft-ietf-oauth-jwt-bearer-12
+				#
+				# @see https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12#section-3
+				#
+				def validate_client
+					@client ||= if configuration.jwt_use_issuer_as_client_id
+						OAuth::Client.find(server.jwt['iss']) if server.jwt['iss'].present?
+					
+					elsif sever.parameters[:client_id].present?
+						OAuth::Client.find( sever.parameters[:client_id] )
+
+					end 
+				end
+
+
+				##
+				# >   The "scope" parameter may be used, as defined in the Assertion
+				# >   Framework for OAuth 2.0 Client Authentication and Authorization
+				# >   Grants [I-D.ietf-oauth-assertions] specification, to indicate the
+				# >   requested scope.
+				#
+				# @see https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12#section-2.1
+				#
+				def validate_scopes
+					return true unless @original_scopes.present?
+					ScopeChecker.valid? @original_scopes, configuration.scopes, client.try(:scopes)
+				end
+
+
+				def validate_resource_owner
+					resource_owner || (@resource_owner = server.current_resource_owner)
+				end
+
+				def validate_access_token
+					access_token or create_token
+				end
+
+
+				##
+				# >  [...] refresh tokens are not issued
+				# >  in response to assertion grant requests and access tokens will be
+				# >  issued with a reasonably short lifetime.
+				#
+				# @see https://tools.ietf.org/html/draft-ietf-oauth-assertions-18#section-4.1
+				#
+				def create_token
+					expires_in = Authorization::Token.access_token_expires_in(configuration, client)
+					@access_token = AccessToken.find_or_create_for(client, resource_owner.id, scopes, expires_in, false)
+				end
+			
+		end
+	end
+end

data/lib/doorkeeper/oauth/describable_error_response.rb

@@ -0,0 +1,8 @@
+module Doorkeeper
+	module OAuth
+
+		class DescribableErrorResponse < ErrorResponse
+			attr_accessor :description
+		end
+	end
+end

data/lib/doorkeeper/request/assertion.rb

@@ -1,38 +1,27 @@
+require 'doorkeeper/oauth/assertion_access_token_request'
+
 module Doorkeeper
 	module Request
 
 		class Assertion
 			def self.build(server)
-				assertion = server.parameters[:assertion]
-				begin
-					jwt = JWT.decode(assertion, Doorkeeper.configuration.jwt_key)
-				rescue JWT::ExpiredSignature => e
-					raise Errors::ExpiredSignature
-				end
-				server.jwt = jwt.is_a?(Array) ? jwt.first : jwt
-
-				new(server.credentials, server.current_resource_owner, server)
+				new(server)
 			end
 
-			attr_accessor :credentials, :resource_owner, :server
+			attr_reader :server
 
-			def initialize(credentials, resource_owner, server)
-				@credentials = credentials
-				@resource_owner = resource_owner
+			def initialize(server)
 				@server = server
 			end
 
 			def request
-				@request ||= OAuth::PasswordAccessTokenRequest.new(
-					Doorkeeper.configuration,
-					credentials,
-					resource_owner,
-					server.parameters)
+				@request ||= OAuth::AssertionAccessTokenRequest.new(server, Doorkeeper.configuration)
 			end
 
 			def authorize
 				request.authorize
 			end
+
 		end
 
 	end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-jwt_assertion
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Omac
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-27 00:00:00.000000000 Z
+date: 2015-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -83,6 +83,8 @@ files:
 - lib/doorkeeper/jwt_assertion.rb
 - lib/doorkeeper/jwt_assertion/railtie.rb
 - lib/doorkeeper/jwt_assertion/version.rb
+- lib/doorkeeper/oauth/assertion_access_token_request.rb
+- lib/doorkeeper/oauth/describable_error_response.rb
 - lib/doorkeeper/request/assertion.rb
 homepage: https://github.com/kioru/doorkeeper-jwt_assertion
 licenses: