keycloak_oauth 0.1.2 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 36235d5a3f0e96e1b1ddac55c9825545ee11244ec785fff42c30029ee1ba33eb
-  data.tar.gz: 7778aeab5443dcaa32dd301e2fe45a0b4c099e0ea9cd6fe289b6d2de8f1dc113
+  metadata.gz: 0121cf149dea17f792d3f007cfb5b55247e8e886c9a5d53ded44db08c0b7ebaa
+  data.tar.gz: c9a3cba0eb30bba3684be95b5270df88156d90a90b72889c3c6dc29c5b816bd7
 SHA512:
-  metadata.gz: 4284790fc0cf71a7dd853d7e45f2b894500ff485b1e502857801ce5b453abb5658db95f078bb4c32b132a3f075e7ca7460b42093583a9eeba688cb3ebf1f6cf7
-  data.tar.gz: 8d81ce99e61b047f6c1cd426d73e700b8c27dd9361ae5639994932e5b3c2ed06ba844fea3c5bf69ac1ca92a0206c19154fbe0a42e34a72bae9e07f65acba3b60
+  metadata.gz: 1db6f2a45c114e3360951aaa73a663364f94425f731c54581b8e0d713117b9cb8efa89dc8826962c58d2b578f581d6202bbb499249085d6d657c2f54cc1df061
+  data.tar.gz: 436dad25dd2d4987adb0abed086d23bc08a50e197d036b37df913414e1fe1bc84fddabc3e56532dadbb5d916050291be7d63266c28e7bac34ee798e2d0be24f1

data/README.md

@@ -44,6 +44,16 @@ e.g.
 
 Once authentication is performed, the access and refresh tokens are stored in the session and can be used in your app as wished.
 
+***Customising redirect URIs***
+There are situations where you would want to customise the oauth2 route (e.g. to use a localised version of the callback URL).
+In this case, you can do the following:
+- add a controller to your app: e.g. `CallbackOverrides`
+- add the following to your routes.rb file: `get 'oauth2', to: 'callback_overrides#oauth2'`
+- add whatever logic you need in the controller, e.g. a `skip_before_action`; it can also be blank
+- add redirect URI to the authorization link:
+e.g.
+`<%= link_to 'Login with Keycloak', KeycloakOauth.connection.authorization_endpoint(options: {redirect_uri: 'http://myapp.com/en/oauth2'}) %>`
+
 **Keycloak callback URL**
 Keycloak needs a callback URL to send the authorization code to once a user logs in.
 By default, once authentication is performed, we redirect to the `/` path (i.e. whatever the root path is set to in the host app).
@@ -65,6 +75,35 @@ KeycloakOauth.configure do |config|
 end
 ```
 
+**User mapping**
+The host app is responsible for mapping a Keycloak session with a Rails user session. This can be achieved
+by implementing the `map_authenticatable` method in the module configured above (e.g. `KeycloakOauthCallbacks` in our example).
+You can get the user information by making a call to `KeycloakOauth.connection.get_user_information` to which you pass in the access token.
+See here an example of retrieving the user information and saving the email address in the Rails session:
+
+```ruby
+def map_authenticatable(_request)
+  service = KeycloakOauth.connection.get_user_information(access_token: session[:access_token])
+  session[:user_email_address] = service.user_information['email']
+end
+```
+
+**Logging out**
+In order to log out, you can use the following API call:
+`KeycloakOauth.connection.logout(session: session)`
+
+Note that you need to pass in the session, as the gem needs to remove the Keycloak tokens from there.
+
+e.g.
+```ruby
+class SessionsController < ApplicationController
+  def destroy
+    KeycloakOauth.connection.logout(session: session)
+    redirect_to new_session_path
+  end
+end
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/app/controllers/keycloak_oauth/callbacks_controller.rb

@@ -1,5 +1,5 @@
 module KeycloakOauth
-  class CallbacksController < ApplicationController
+  class CallbacksController < ::ApplicationController
     if KeycloakOauth.connection.callback_module.present?
       include KeycloakOauth.connection.callback_module
     end
@@ -7,9 +7,11 @@ module KeycloakOauth
     def oauth2
       authentication_service = KeycloakOauth::AuthenticationService.new(
         authentication_params: authentication_params,
-        session: session
+        session: session,
+        redirect_uri: current_uri_without_params
       )
       authentication_service.authenticate
+      map_authenticatable_if_implemented(session)
 
       redirect_to self.class.method_defined?(:after_sign_in_path) ? after_sign_in_path(request) : '/'
     end
@@ -19,5 +21,23 @@ module KeycloakOauth
     def authentication_params
       params.permit(:code)
     end
+
+    def map_authenticatable_if_implemented(request)
+      if self.class.method_defined?(:map_authenticatable)
+        map_authenticatable(request)
+      else
+        raise NotImplementedError.new('User mapping must be handled by the host app. See README for more information.')
+      end
+    end
+
+    def current_uri_without_params
+      # If the host app has overwritten the route (e.g. to enable localised
+      # callbacks), this ensures we are using the path coming from the host app
+      # instead of the one coming from the engine.
+      main_app.url_for(only_path: false, overwrite_params: nil)
+    rescue ActionController::UrlGenerationError
+      # If the host app does not override the oauth2 path, use the engine's path.
+      oauth2_path
+    end
   end
 end

data/app/services/keycloak_oauth/authentication_service.rb

@@ -9,11 +9,12 @@ module KeycloakOauth
     ACCESS_TOKEN_KEY = 'access_token'.freeze
     REFRESH_TOKEN_KEY = 'refresh_token'.freeze
 
-    attr_reader :code, :session
+    attr_reader :session
 
-    def initialize(authentication_params:, session:)
+    def initialize(authentication_params:, session:, redirect_uri:)
       @code = authentication_params[:code]
       @session = session
+      @redirect_uri = redirect_uri
     end
 
     def authenticate
@@ -22,9 +23,11 @@ module KeycloakOauth
 
     private
 
+    attr_reader :code, :redirect_uri
+
     def get_tokens
       uri = URI.parse(KeycloakOauth.connection.authentication_endpoint)
-      Net::HTTP.start(uri.host, uri.port) do |http|
+      Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
         request = Net::HTTP::Post.new(uri)
         request.set_content_type(CONTENT_TYPE)
         request.set_form_data(token_request_params)
@@ -37,7 +40,8 @@ module KeycloakOauth
         client_id: KeycloakOauth.connection.client_id,
         client_secret: KeycloakOauth.connection.client_secret,
         grant_type: GRANT_TYPE,
-        code: code
+        code: code,
+        redirect_uri: redirect_uri
       }
     end
 

data/app/services/keycloak_oauth/authorizable_service.rb

@@ -0,0 +1,24 @@
+require 'net/http'
+
+module KeycloakOauth
+  class AuthorizableError < StandardError; end
+
+  class AuthorizableService
+    HTTP_SUCCESS_CODES = [Net::HTTPOK, Net::HTTPNoContent]
+    DEFAULT_CONTENT_TYPE = 'application/x-www-form-urlencoded'.freeze
+    AUTHORIZATION_HEADER = 'Authorization'.freeze
+
+    private
+
+    def parsed_response(http_response)
+      response = http_response.body.present? ? JSON.parse(http_response.body) : http_response.body
+
+      return response if HTTP_SUCCESS_CODES.include?(http_response.code_type)
+
+      # TODO: For now, we assume that the access token is always valid.
+      # We do not yet handle the case where a refresh token is passed in and
+      # used if the access token has expired.
+      raise KeycloakOauth::AuthorizableError.new(response)
+    end
+  end
+end

data/app/services/keycloak_oauth/logout_service.rb

@@ -0,0 +1,44 @@
+require 'net/http'
+
+module KeycloakOauth
+  class LogoutService < KeycloakOauth::AuthorizableService
+    def initialize(session)
+      @session = session
+    end
+
+    def logout
+      parsed_response(post_logout)
+    end
+
+    private
+
+    attr_accessor :session
+
+    def post_logout
+      uri = URI.parse(KeycloakOauth.connection.logout_endpoint)
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        request = Net::HTTP::Post.new(uri)
+        request.set_content_type(DEFAULT_CONTENT_TYPE)
+        request.set_form_data(logout_request_params)
+        request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
+        http.request(request)
+      end
+    end
+
+    def logout_request_params
+      {
+        client_id: KeycloakOauth.connection.client_id,
+        client_secret: KeycloakOauth.connection.client_secret,
+        refresh_token: refresh_token
+      }
+    end
+
+    def access_token
+      session[:access_token]
+    end
+
+    def refresh_token
+      session[:refresh_token]
+    end
+  end
+end

data/app/services/keycloak_oauth/user_info_retrieval_service.rb

@@ -0,0 +1,30 @@
+require 'net/http'
+
+module KeycloakOauth
+  class UserInfoRetrievalService < KeycloakOauth::AuthorizableService
+    attr_reader :user_information
+
+    def initialize(access_token:, refresh_token:)
+      @access_token = access_token
+      @refresh_token = refresh_token
+    end
+
+    def retrieve
+      @user_information = parsed_response(get_user)
+    end
+
+    private
+
+    attr_accessor :access_token, :refresh_token
+
+    def get_user
+      uri = URI.parse(KeycloakOauth.connection.user_info_endpoint)
+      Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
+        request = Net::HTTP::Get.new(uri)
+        request.set_content_type(DEFAULT_CONTENT_TYPE)
+        request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
+        http.request(request)
+      end
+    end
+  end
+end

data/lib/keycloak_oauth/connection.rb

@@ -1,8 +1,10 @@
+require 'keycloak_oauth/endpoints'
+
 module KeycloakOauth
   class Connection
-    attr_reader :auth_url, :realm, :client_id, :client_secret, :callback_module
+    include KeycloakOauth::Endpoints
 
-    DEFAULT_RESPONSE_TYPE = 'code'.freeze
+    attr_reader :auth_url, :realm, :client_id, :client_secret, :callback_module
 
     def initialize(auth_url:, realm:, client_id:, client_secret:, callback_module: nil)
       @auth_url = auth_url
@@ -12,13 +14,18 @@ module KeycloakOauth
       @callback_module = callback_module
     end
 
-    def authorization_endpoint(options: {})
-      endpoint = "#{auth_url}/realms/#{realm}/protocol/openid-connect/auth?client_id=#{client_id}"
-      endpoint += "&response_type=#{options[:response_type] || DEFAULT_RESPONSE_TYPE}"
+    def get_user_information(access_token:, refresh_token:)
+      service = KeycloakOauth::UserInfoRetrievalService.new(
+        access_token: access_token,
+        refresh_token: refresh_token
+      )
+      service.retrieve
+      service.user_information
     end
 
-    def authentication_endpoint
-      "#{auth_url}/realms/#{realm}/protocol/openid-connect/token"
+    def logout(session:)
+      service = KeycloakOauth::LogoutService.new(session)
+      service.logout
     end
   end
 end

data/lib/keycloak_oauth/endpoints.rb

@@ -0,0 +1,24 @@
+module KeycloakOauth
+  module Endpoints
+    DEFAULT_RESPONSE_TYPE = 'code'.freeze
+
+    def authorization_endpoint(options: {})
+      endpoint = "#{auth_url}/realms/#{realm}/protocol/openid-connect/auth?client_id=#{client_id}"
+      endpoint += "&response_type=#{options[:response_type] || DEFAULT_RESPONSE_TYPE}"
+      endpoint += "&redirect_uri=#{options[:redirect_uri]}" if options[:redirect_uri].present?
+      endpoint
+    end
+
+    def authentication_endpoint
+      "#{auth_url}/realms/#{realm}/protocol/openid-connect/token"
+    end
+
+    def user_info_endpoint
+      "#{auth_url}/realms/#{realm}/protocol/openid-connect/userinfo"
+    end
+
+    def logout_endpoint
+      "#{auth_url}/realms/#{realm}/protocol/openid-connect/logout"
+    end
+  end
+end

data/lib/keycloak_oauth/version.rb

@@ -1,3 +1,3 @@
 module KeycloakOauth
-  VERSION = "0.1.2"
+  VERSION = "0.1.7"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keycloak_oauth
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.7
 platform: ruby
 authors:
 - simplificator
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-10-27 00:00:00.000000000 Z
+date: 2020-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -19,7 +19,7 @@ dependencies:
         version: 6.0.3
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.3.3
+        version: 6.0.3.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 6.0.3
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.3.3
+        version: 6.0.3.2
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
@@ -67,13 +67,16 @@ extra_rdoc_files: []
 files:
 - README.md
 - Rakefile
-- app/controllers/keycloak_oauth/application_controller.rb
 - app/controllers/keycloak_oauth/callbacks_controller.rb
 - app/services/keycloak_oauth/authentication_service.rb
+- app/services/keycloak_oauth/authorizable_service.rb
+- app/services/keycloak_oauth/logout_service.rb
+- app/services/keycloak_oauth/user_info_retrieval_service.rb
 - config/routes.rb
 - lib/keycloak_oauth.rb
 - lib/keycloak_oauth/configuration.rb
 - lib/keycloak_oauth/connection.rb
+- lib/keycloak_oauth/endpoints.rb
 - lib/keycloak_oauth/engine.rb
 - lib/keycloak_oauth/version.rb
 homepage: https://rubygems.org/gems/keycloak_oauth

data/app/controllers/keycloak_oauth/application_controller.rb

@@ -1,5 +0,0 @@
-module KeycloakOauth
-  class ApplicationController < ActionController::Base
-    protect_from_forgery with: :exception
-  end
-end