intuit-oauth 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 917700b85f046e6e952c1f166e3c96e0282f7c0e
+  data.tar.gz: 948f26d5fa00930af1aed91da1bf7106878b4bf7
+SHA512:
+  metadata.gz: fa1cd5b48ac1ca359eafc48615b7feaca03aa050dab44b5ca26ada1cb58a7dd672a4f905741ca57a6b18d5da842321348567b1eec052da408bab577e4fd688e4
+  data.tar.gz: 3b0fb963c737087bb5ee9200f0ab3cc0f7bb49c2d0f9cd274d6fea9eff39cec46d24abd44cd47b6f243b8fa0d6c4f55af237432b3ed25f78682914cfe7876795

data/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem 'rspec'
+gem 'json'
+gem 'httparty'

data/Gemfile.lock

@@ -0,0 +1,32 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.3)
+    httparty (0.16.2)
+      multi_xml (>= 0.5.2)
+    json (2.1.0)
+    multi_xml (0.6.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  httparty
+  json
+  rspec
+
+BUNDLED WITH
+   1.16.2

data/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Intuit, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,107 @@
+# oauth-rubyclient
+
+Intuit OAuth Ruby Client
+==========================
+
+This client library is meant to work with Intuit's OAuth and OpenID implementation. The `AuthClient` object response can be used for User Info API, Accounting API and Payments API. This library supports:
+
+- Generating Authorization URL
+- Getting OAuth2 Bearer Token 
+- Getting User Info 
+- Validating OpenID token
+- Refreshing OAuth2 Token
+- Revoking OAuth2 Token
+- Migrating tokens from OAuth1.0 to OAuth2
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'intuit-oauth'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install 'intuit-oauth'
+    
+## Usage Examples
+
+The below example tells how to construct the IntuitOAuth Client and use it to generate an OAuth 2 token.
+
+```ruby
+require 'intuit-oauth'
+
+client = IntuitOAuth::Client.new('client_id', 'client_secret', 'redirectUrl', 'environment')
+scopes = [
+    IntuitOAuth::Scopes::ACCOUNTING
+]
+
+authorizationCodeUrl = oauth_client.code.get_auth_uri(scopes)
+# => https://appcenter.intuit.com/connect/oauth2?client_id=clientId&redirect_uri=redirectUrl&response_type=code&scope=com.intuit.quickbooks.accounting&state=rMwcoDITc2N6FJsUGGO9
+
+oauth2Token = oauth_client.token.get_bearer_token('the authorization code returned from authorizationCodeUrl')
+# => #<IntuitOAuth::ClientResponse:0x00007f9152b5c418 @access_token="the access token", @expires_in=3600, @refresh_token="the refresh token", @x_refresh_token_expires_in=8726400>
+
+```
+
+### Initialize OAuth client object
+
+Create an OAuth 2 client to send requests
+
+    oauth_client = IntuitOAuth::Client.new('YourClientID', 'YourClientSecret', 'http://localhost:3000/token/new', 'sandbox')
+
+### Add scopes
+
+Define the scopes for the app
+
+    scopes = [
+        IntuitOAuth::Scopes::ACCOUNTING
+    ]
+    
+### General Authorization Code URL
+
+The URL for users to click on the "Authorizate" button. An authorization code will sent to the redirect URL defined in your app
+
+    url = oauth_client.code.get_auth_uri(scopes)
+    
+### Exchange Authorization Code for OAuth 2.0 Token
+
+Once the user has authorized your app, an authorization code will be sent to your Redirect_URL defined in your client. Exchange the authorization code for an OAuth 2.0 token object.
+
+    result = oauth_client.token.get_bearer_token('The_authorization_code')
+    
+    
+### Refresh Token
+
+Refresh the OAuth 2.0 token using refresh token. Remember to store the OAuth 2.0 refresh token to your own database.
+
+    newToken = oauth_client.token.refresh_tokens('Your_refresh_token')
+    
+### Get User Info
+
+Get the user info based on the scopes for OpenID
+
+    result=oauth_client.openid.get_user_info('accessToken')
+
+### Call migration method
+
+If you have migrated your OAuth 1.0 app to OAuth 2.0 app, and want to exchange your OAuth 1.0 token to OAuth 2.0 token, use migrate_tokens method
+
+    result=oauth_client.Migrate.migrate_tokens(consumer_key, consumer_secret, access_token, access_secret, scopes)
+    
+Issues and Contributions
+------------------------
+
+Please open an `issue <https://github.com/intuit/oauth-rubyclient/issues>` on GitHub if you have a problem, suggestion, or other comment.
+
+Pull requests are welcome and encouraged! Any contributions should include new or updated unit tests as necessary to maintain thorough test coverage.
+
+License
+-------
+
+intuit-oauth is provided under Apache 2.0 found `<https://github.intuit.com/hlu2/oauth-rubyclient/blob/master/LICENSE>`__

data/intuit-oauth.gemspec

@@ -0,0 +1,38 @@
+# coding: utf-8
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+  spec.add_dependency 'httparty', '~> 0.16.3'
+  spec.add_dependency 'json', '~> 2.1'
+  spec.add_dependency 'json_web_token', '~> 0.3.5'
+  spec.add_dependency 'rsa-pem-from-mod-exp', '~> 0.1.0'
+
+  spec.authors       = ['Intuit Inc']
+  spec.description   = 'A Ruby wrapper Intuit\'s OAuth and OpenID implementation.'
+  spec.email         = ['idgsdk@intuit.com']
+  spec.homepage      = 'https://github.com/intuit/oauth-rubyclient'
+  spec.licenses      = ['Apache-2.0']
+  spec.name          = 'intuit-oauth'
+  spec.required_ruby_version = '>= 1.9.0'
+  spec.required_rubygems_version = '>= 1.3.5'
+  spec.summary       = 'A Ruby wrapper for the OAuth 2.0 protocol.'
+  spec.version       = '1.0.0'
+
+  spec.require_paths = %w[lib]
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(bin|test|spec|features)/})
+  end
+
+  spec.add_development_dependency 'addressable', '~> 2.3'
+  spec.add_development_dependency 'backports', '~> 3.11'
+  spec.add_development_dependency 'bundler', '~> 1.16'
+  spec.add_development_dependency 'coveralls', '~> 0.8'
+  spec.add_development_dependency 'rake', '~> 11.0'
+  spec.add_development_dependency 'rdoc', ['>= 5.0', '< 7']
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'wwtd', '~> 0'
+end

data/lib/intuit-oauth.rb

@@ -0,0 +1,9 @@
+require 'intuit-oauth/client'
+require 'intuit-oauth/constants'
+require 'intuit-oauth/exception'
+require 'intuit-oauth/migration'
+require 'intuit-oauth/transport'
+
+
+
+

data/lib/intuit-oauth/base.rb

@@ -0,0 +1,9 @@
+module IntuitOAuth
+  class Base
+    attr_accessor :client
+
+    def initialize(client)
+      @client = client
+    end
+  end
+end

data/lib/intuit-oauth/client.rb

@@ -0,0 +1,74 @@
+# Copyright (c) 2018 Intuit
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative './constants'
+require_relative './transport'
+require_relative './migration'
+require_relative './flow/code'
+require_relative './flow/token'
+require_relative './flow/openid'
+
+
+module IntuitOAuth
+  class Client
+    attr_reader :id, :secret, :redirect_uri, :environment,
+    :auth_endpoint, :token_endpoint, :revoke_endpoint, :issuer_uri, :jwks_uri, :user_info_url, :state_token, :realm_id
+    attr_writer :realm_id, :state_token
+
+    def initialize(client_id, client_secret, redirect_uri, environment)
+      @id = client_id
+      @secret = client_secret
+      @redirect_uri = redirect_uri
+      @environment = environment
+
+      # Discovery Doc containes endpoints required for OAuth fow
+      @discovery_doc = get_discovery_doc(@environment)
+      @auth_endpoint = @discovery_doc['authorization_endpoint']
+      @token_endpoint = @discovery_doc['token_endpoint']
+      @revoke_endpoint = @discovery_doc['revocation_endpoint']
+      @issuer_uri = @discovery_doc['issuer']
+      @jwks_uri = @discovery_doc['jwks_uri']
+      @user_info_url = @discovery_doc['userinfo_endpoint']
+
+      # optionally set realm_id
+      @realm_id = ''
+      @state_token = ''
+    end
+
+    def get_discovery_doc(environment)
+      if ['production', 'prod'].include? environment.downcase
+        url = IntuitOAuth::Config::DISCOVERY_URL_PROD
+      else
+        url = IntuitOAuth::Config::DISCOVERY_URL_SANDBOX
+      end
+      IntuitOAuth::Transport.request('GET', url)
+    end
+
+    def code
+      IntuitOAuth::Flow::AuthCode.new(self)
+    end
+
+    def token
+      IntuitOAuth::Flow::Token.new(self)
+    end
+
+    def openid
+      IntuitOAuth::Flow::OpenID.new(self)
+    end
+
+    def migration
+      IntuitOAuth::Migration::Migrate.new(self)
+    end
+  end
+end

data/lib/intuit-oauth/constants.rb

@@ -0,0 +1,28 @@
+module IntuitOAuth
+  class Config
+    DISCOVERY_URL_SANDBOX = 'https://developer.intuit.com/.well-known/openid_sandbox_configuration/'
+    DISCOVERY_URL_PROD = 'https://developer.intuit.com/.well-known/openid_configuration/'
+    MIGRATION_URL_SANDBOX = 'https://developer-sandbox.api.intuit.com/v2/oauth2/tokens/migrate'
+    MIGRATION_URL_PROD = 'https://developer.api.intuit.com/v2/oauth2/tokens/migrate' 
+  end
+
+  class Scopes
+    ACCOUNTING = 'com.intuit.quickbooks.accounting'
+    PAYMENTS = 'com.intuit.quickbooks.payment'
+    OPENID = 'openid'
+    PROFILE = 'profile'
+    EMAIL = 'email'
+    PHONE = 'phone'
+    ADDRESS = 'address'
+
+    # whitelisted BETA apps only
+    PAYROLL = 'com.intuit.quickbooks.payroll'
+    PAYROLL_TIMETRACKING = 'com.intuit.quickbooks.payroll.timetracking'
+    PAYROLL_BENEFITS = 'com.intuit.quickbooks.payroll.benefits'
+  end
+
+  class Version
+    VERSION = '0.0.1'
+    USER_AGENT = "Intuit-OAuthClient-Ruby#{VERSION}-#{RUBY_PLATFORM}"
+  end
+end

data/lib/intuit-oauth/exception.rb

@@ -0,0 +1,12 @@
+module IntuitOAuth
+  class OAuth2ClientException < StandardError
+    def initialize(response)
+      @satus_code = response.code
+      @body = response.body
+      @headers = response.headers
+      @intuit_tid = response.headers['intuit_tid']
+      @timestamp = response.headers['date']
+      super("HTTP status #{@satus_code}, error message: #{@body}, intuit_tid: #{@intuit_tid} on #{@timestamp}")
+    end
+  end
+end

data/lib/intuit-oauth/flow/code.rb

@@ -0,0 +1,46 @@
+# Copyright (c) 2018 Intuit
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative '../base'
+require_relative '../utils'
+require 'active_support/all'
+
+
+module IntuitOAuth
+  module Flow
+    class AuthCode < Base
+
+      # Generate the Authorization Code URL
+      #
+      # @param [Scope] the Scope for the token to be generated
+      # @param [state_token] an option state token to be passed
+      # @return [URL] the authorization code URL
+      def get_auth_uri(scopes, state_token=nil)
+        if state_token.nil?
+          state_token = IntuitOAuth::Utils.generate_random_string()
+        end
+        @client.state_token = state_token
+        url_params = {
+          client_id: @client.id,
+          scope: IntuitOAuth::Utils.scopes_to_string(scopes),
+          redirect_uri: @client.redirect_uri,
+          response_type: 'code',
+          state: state_token,
+        }
+
+        "#{@client.auth_endpoint}?#{url_params.to_param}"
+      end
+    end
+  end
+end

data/lib/intuit-oauth/flow/openid.rb

@@ -0,0 +1,97 @@
+# Copyright (c) 2018 Intuit
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'rsa_pem'
+require 'json_web_token'
+
+require_relative '../base'
+
+
+module IntuitOAuth
+  module Flow
+    class OpenID < Base
+
+      # Get the User Info
+      #
+      # @param [access_token] the access token needs to access the user info
+      # @return [Response] the response object
+      def get_user_info(access_token)
+        headers = {
+          Authorization: "Bearer #{access_token}"
+        }
+
+        IntuitOAuth::Transport.request('GET', @client.user_info_url, headers=headers)
+      end
+
+      ##
+      #  If the token can be correctly validated, returns True. Otherwise, return false
+      #  The validation rules are:
+      #  1.You have to provide the client_id value, which must match the
+      #  token's aud field
+      #  2.The payload issuer is from Intuit
+      #  3.The expire time is not expired.
+      #  4.The signature is correct
+      #
+      # If something fails, raises an error
+      #
+      # @param [String] id_token
+      #   The string form of the token
+      #
+      # @return [Boolean]
+
+      def validate_id_token(id_token)
+
+        id_token_header_raw, id_token_payload_raw, id_token_signature_raw = id_token.split(".")
+
+        # base 64 decode
+        id_token_header_json = JSON.parse(Base64.decode64(id_token_header_raw.strip))
+        id_token_payload_json = JSON.parse(Base64.decode64(id_token_payload_raw.strip))
+        id_token_signature = Base64.decode64(id_token_signature_raw.strip)
+
+        # 1. check if payload's issuer is from Intuit
+        issue = id_token_payload_json.fetch('iss')
+        unless issue.eql? @client.issuer_uri
+          return false
+        end
+
+        # 2. check if the aud matches the client id
+        aud = id_token_payload_json.fetch('aud').first
+        unless aud.eql? @client.id
+          return false
+        end
+
+        # 3. check if the expire time is not expired
+        exp = id_token_payload_json.fetch('exp')
+        if exp < Time.now.to_i
+          return false
+        end
+
+        # 4. check if the signature is correct
+        response = IntuitOAuth::Transport.request('GET', @client.jwks_uri, nil, nil, false)
+        body = response.body
+
+        keys = JSON.parse(body).fetch('keys').first
+        standard_kid = keys.fetch('kid')
+        kid_in_id_token = id_token_header_json.fetch('kid')
+
+        unless standard_kid.eql? kid_in_id_token
+          return false
+        end
+
+        return true
+
+        end
+    end
+  end
+end

data/lib/intuit-oauth/flow/token.rb

@@ -0,0 +1,93 @@
+# Copyright (c) 2018 Intuit
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'uri'
+require 'json'
+require_relative '../utils'
+require_relative '../transport'
+require_relative '../base'
+
+
+module IntuitOAuth
+  module Flow
+    class Token < Base
+
+      # Exchange the authorization Code for the Bearer Token
+      #
+      # @param [auth_code] the Code send to your redirect_uri
+      # @param [realm_id] the company ID for the Company
+      # @return [AccessToken] the AccessToken
+      def get_bearer_token(auth_code, realm_id=nil)
+        if realm_id != nil
+          @client.realm_id = realm_id
+        end
+
+        headers = {
+          Accept: 'application/json',
+          "Content-Type": 'application/x-www-form-urlencoded',
+          Authorization: IntuitOAuth::Utils.get_auth_header(@client.id, @client.secret)
+        }
+
+        body = {
+          grant_type: 'authorization_code',
+          code: auth_code,
+          redirect_uri: @client.redirect_uri
+        }
+
+        IntuitOAuth::Transport.request('POST', @client.token_endpoint, headers, URI.encode_www_form(body))
+      end
+
+      # Using the token passed to generate a new refresh token and access token
+      #
+      # @param [token] the refresh token used to refresh token
+      # @return [AccessToken] the AccessToken
+      def refresh_tokens(token)
+        headers = {
+          "Content-Type": 'application/x-www-form-urlencoded',
+          Authorization: IntuitOAuth::Utils.get_auth_header(@client.id, @client.secret)
+        }
+
+        body = {
+          grant_type: 'refresh_token',
+          refresh_token: token
+        }
+
+        IntuitOAuth::Transport.request('POST', @client.token_endpoint, headers, URI.encode_www_form(body))
+      end
+
+      # Revoke the specific access token or refresh token. Return true if success, false otherwise
+      #
+      # @param [token] the refresh token or access token to be invoked
+      # @return [boolean] True if successfully revoked. False otherwise
+      def revoke_tokens(token)
+        headers = {
+          "Content-Type": 'application/json',
+          Authorization: IntuitOAuth::Utils.get_auth_header(@client.id, @client.secret)
+        }
+
+        body = {
+          token: token
+        }
+
+        response = IntuitOAuth::Transport.request('POST', @client.revoke_endpoint, headers, body.to_json, false)
+        if response.code == 200
+          return true
+        end
+
+        return false
+      end
+
+    end
+  end
+end

data/lib/intuit-oauth/migration.rb

@@ -0,0 +1,65 @@
+# Copyright (c) 2018 Intuit
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative './utils'
+require_relative './transport'
+require_relative './constants'
+require_relative './base'
+
+
+module IntuitOAuth
+  module Migration
+    class Migrate < Base
+      
+      # Exchange an OAuth 1 token for an OAuth 2 token pair. It is used for apps that are using OAuth 1.0 and want to migrate
+      # to OAuth 2.0.
+      #
+      # @param [cusomer_key] the OAuth 1.0 Consumer key
+      # @param [consumer_secret] the OAuth 1.0 Consumer Secret
+      # @param [access_token] the OAuth 1.0 Access Token
+      # @param [access_secret] the OAuth 1.0 Access Token Secret
+      # @param [scopes] the scopes for the token.
+      # @return [OAuth2Token] the OAuth2 Token object
+      def migrate_tokens(consumer_key, consumer_secret, access_token, access_secret, scopes)
+        if %w[production prod].include? @client.environment.downcase
+          migration_endpoint = IntuitOAuth::Config::MIGRATION_URL_PROD
+        else
+          migration_endpoint = IntuitOAuth::Config::MIGRATION_URL_SANDBOX
+        end
+
+        oauth1_tokens = {
+          consumer_key: consumer_key,
+          consumer_secret: consumer_secret,
+          access_token: access_token,
+          access_secret: access_secret
+        }
+        oauth1_header = IntuitOAuth::Utils.get_oauth1_header('POST', migration_endpoint, oauth1_tokens)
+        headers = {
+          'Content-Type': 'application/json',
+          Authorization: oauth1_header
+        }
+
+        body = {
+          scope: IntuitOAuth::Utils.scopes_to_string(scopes),
+          redirect_uri: @client.redirect_uri,
+          client_id: @client.id,
+          client_secret: @client.secret
+        }
+
+        IntuitOAuth::Transport.request('POST', migration_endpoint, headers, body)
+      end
+
+    end
+  end
+end

data/lib/intuit-oauth/response.rb

@@ -0,0 +1,37 @@
+# Copyright (c) 2018 Intuit
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module IntuitOAuth
+  class ClientResponse
+    attr_reader :access_token, :expires_in, :refresh_token, :x_refresh_token_expires_in,
+    :id_token, :headers, :body, :code, :realm_id
+
+    def initialize(response)
+      @access_token = response['access_token']
+      @expires_in = response['expires_in']
+      @refresh_token = response['refresh_token']
+      @x_refresh_token_expires_in = response['x_refresh_token_expires_in']
+      if response['id_token']
+        @id_token = response['id_token']
+      end
+      if response['realmId']
+        @realm_id = response['realmId']
+      end
+
+      @headers = response.headers
+      @body = response
+      @code = response.code
+    end
+  end
+end

data/lib/intuit-oauth/transport.rb

@@ -0,0 +1,52 @@
+# Copyright (c) 2018 Intuit
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'uri'
+require 'json'
+require 'httparty'
+require_relative './utils'
+
+module IntuitOAuth
+  class Transport
+    include HTTParty
+    ssl_version :TLSv1_2
+
+    def self.request(method, url, headers=nil, body=nil, isBuildResponse=true)
+      uri = URI(url)
+
+      user_agent_header = {
+        'User-Agent': IntuitOAuth::Version::USER_AGENT
+      }
+      req_headers = headers.nil? ? user_agent_header : user_agent_header.merge!(headers)
+
+      if method == 'GET'
+        response = HTTParty.get(url,
+          headers: req_headers
+        )
+
+      elsif method == 'POST'
+        response = HTTParty.post(url,
+          headers: req_headers,
+          body: body
+        )
+      end
+
+      if isBuildResponse == true
+        IntuitOAuth::Utils.build_response_object(response)
+      else
+        response
+      end
+    end
+  end
+end

data/lib/intuit-oauth/utils.rb

@@ -0,0 +1,75 @@
+# Copyright (c) 2018 Intuit
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'base64'
+require 'active_support/all'
+require 'cgi'
+require 'openssl'
+require_relative './response'
+require_relative './exception'
+
+module IntuitOAuth
+  class Utils
+    def self.scopes_to_string(scopes)
+      scopes_str = scopes.join(' ')
+      scopes_str.chomp(' ')
+    end
+
+    def self.get_auth_header(client_id, client_secret)
+      encoded = Base64.strict_encode64("#{client_id}:#{client_secret}")
+      "Basic #{encoded}"
+    end
+
+    def self.generate_random_string(length=20)
+      Array.new(length){[*'A'..'Z', *'0'..'9', *'a'..'z'].sample}.join
+    end
+
+    def self.get_oauth1_header(method, uri, oauth1_tokens, uri_params={})
+      params = {
+        oauth_consumer_key: oauth1_tokens[:consumer_key],
+        oauth_token: oauth1_tokens[:access_token],
+        oauth_signature_method: 'HMAC-SHA1',
+        oauth_timestamp: Time.now.getutc.to_i.to_s,
+        oauth_nonce: generate_random_string(7),
+        oauth_version: '1.0'
+      }
+
+      all_params = params.merge(uri_params).sort.to_h
+      base_string = "#{method.upcase}&#{CGI.escape(uri)}&#{CGI.escape(all_params.to_param)}"
+      key = "#{oauth1_tokens[:consumer_secret]}&#{oauth1_tokens[:access_secret]}"
+
+      signature = CGI.escape(Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string).to_s))
+      params[:oauth_signature] = signature
+      "OAuth #{format_string_delimiter(params, ',', true)}"
+    end
+
+    def self.format_string_delimiter(params, delimiter, with_quotes=false)
+      if with_quotes
+        return params.map { |k, v| "#{k}=\"#{v}\"" }.join(delimiter)
+      end
+      params.map { |k, v| "#{k}=#{v}" }.join(delimiter)
+    end
+
+    def self.build_response_object(response)
+      url = response.request.last_uri.to_s
+      if response.code != 200
+        raise OAuth2ClientException.new(response)
+      elsif url['openid_sandbox_configuration'] || url['openid_configuration'] || url['openid_connect/userinfo']
+        response
+      else
+        IntuitOAuth::ClientResponse.new(response)
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,235 @@
+--- !ruby/object:Gem::Specification
+name: intuit-oauth
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Intuit Inc
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-01-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.3
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: json_web_token
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.5
+- !ruby/object:Gem::Dependency
+  name: rsa-pem-from-mod-exp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: backports
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.11'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.0'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: wwtd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A Ruby wrapper Intuit's OAuth and OpenID implementation.
+email:
+- idgsdk@intuit.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- intuit-oauth.gemspec
+- lib/intuit-oauth.rb
+- lib/intuit-oauth/base.rb
+- lib/intuit-oauth/client.rb
+- lib/intuit-oauth/constants.rb
+- lib/intuit-oauth/exception.rb
+- lib/intuit-oauth/flow/code.rb
+- lib/intuit-oauth/flow/openid.rb
+- lib/intuit-oauth/flow/token.rb
+- lib/intuit-oauth/migration.rb
+- lib/intuit-oauth/response.rb
+- lib/intuit-oauth/transport.rb
+- lib/intuit-oauth/utils.rb
+homepage: https://github.com/intuit/oauth-rubyclient
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.9.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.3.5
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: A Ruby wrapper for the OAuth 2.0 protocol.
+test_files: []