keycloak_oauth 0.1.3 → 0.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 45b0a220afa0ca575a22ed7fd5cf958dc4d7ad2450a116f3bdf7e5e3546d6eac
-  data.tar.gz: eeb8fcb58d29e1cf18d4cf3fadddbf184029576b97bb9194e4218f4889636f05
+  metadata.gz: 5b84ab145e8572eebc11e31faff2080a82ec5f157fe5579c7076f32149f4b2b7
+  data.tar.gz: '0308c1a7e95dbd136e1cb1c659d203b355d78faecfefa4bd56d31fc222040245'
 SHA512:
-  metadata.gz: 58a27c6c046d783c0f83db3a8857d06aab9402e85d00a6d880eb0ad637d2b5f8a4e4c4e4df03065f03097bfda98439f735b8257d10c52046be85d0c210aeef3e
-  data.tar.gz: dc6cc4e9a90c8f78a09e3b2b90d19ca7973aea125678170ba2be0902d490eba1ff17cbcfcce9a22e78f9b85324f3bce77f5bb878a722dfc8113cf72b01505581
+  metadata.gz: a9c847ab0c59e5d6c4d28c51bbc5ad8ae515874cd680b312b31e264edc97748e813a319eb83f51c75ee463edaa02a9eba65ad6a444b82c59bc805b1a6eb1cfbf
+  data.tar.gz: fab61c415c9a09a4cc66a6e9986998dfc1db3c126205698938ef4f76c59a3571d1078f74456ab97201f7fa578b323430767fedd5687315a6233404f3610fb01d

data/README.md

@@ -44,6 +44,16 @@ e.g.
 
 Once authentication is performed, the access and refresh tokens are stored in the session and can be used in your app as wished.
 
+***Customising redirect URIs***
+There are situations where you would want to customise the oauth2 route (e.g. to use a localised version of the callback URL).
+In this case, you can do the following:
+- add a controller to your app: e.g. `CallbackOverrides`
+- add the following to your routes.rb file: `get 'oauth2', to: 'callback_overrides#oauth2'`
+- add whatever logic you need in the controller, e.g. a `skip_before_action`; it can also be blank
+- add redirect URI to the authorization link:
+e.g.
+`<%= link_to 'Login with Keycloak', KeycloakOauth.connection.authorization_endpoint(options: {redirect_uri: 'http://myapp.com/en/oauth2'}) %>`
+
 **Keycloak callback URL**
 Keycloak needs a callback URL to send the authorization code to once a user logs in.
 By default, once authentication is performed, we redirect to the `/` path (i.e. whatever the root path is set to in the host app).
@@ -78,6 +88,22 @@ def map_authenticatable(_request)
 end
 ```
 
+**Logging out**
+In order to log out, you can use the following API call:
+`KeycloakOauth.connection.logout(session: session)`
+
+Note that you need to pass in the session, as the gem needs to remove the Keycloak tokens from there.
+
+e.g.
+```ruby
+class SessionsController < ApplicationController
+  def destroy
+    KeycloakOauth.connection.logout(session: session)
+    redirect_to new_session_path
+  end
+end
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/app/controllers/keycloak_oauth/callbacks_controller.rb

@@ -1,5 +1,5 @@
 module KeycloakOauth
-  class CallbacksController < ApplicationController
+  class CallbacksController < ::ApplicationController
     if KeycloakOauth.connection.callback_module.present?
       include KeycloakOauth.connection.callback_module
     end
@@ -18,7 +18,7 @@ module KeycloakOauth
     private
 
     def authentication_params
-      params.permit(:code)
+      params.permit(:code).merge({ redirect_uri: current_uri_without_params })
     end
 
     def map_authenticatable_if_implemented(request)
@@ -28,5 +28,15 @@ module KeycloakOauth
         raise NotImplementedError.new('User mapping must be handled by the host app. See README for more information.')
       end
     end
+
+    def current_uri_without_params
+      # If the host app has overwritten the route (e.g. to enable localised
+      # callbacks), this ensures we are using the path coming from the host app
+      # instead of the one coming from the engine.
+      main_app.url_for(only_path: false, overwrite_params: nil)
+    rescue ActionController::UrlGenerationError
+      # If the host app does not override the oauth2 path, use the engine's path.
+      oauth2_path
+    end
   end
 end

data/app/services/keycloak_oauth/authentication_service.rb

@@ -1,55 +1,31 @@
-require 'net/http'
-
 module KeycloakOauth
-  class AuthenticationError < StandardError; end
-
   class AuthenticationService
-    GRANT_TYPE = 'authorization_code'.freeze
-    CONTENT_TYPE = 'application/x-www-form-urlencoded'.freeze
     ACCESS_TOKEN_KEY = 'access_token'.freeze
     REFRESH_TOKEN_KEY = 'refresh_token'.freeze
 
-    attr_reader :code, :session
+    attr_reader :session, :authentication_params
 
     def initialize(authentication_params:, session:)
-      @code = authentication_params[:code]
+      @authentication_params = authentication_params
       @session = session
     end
 
     def authenticate
-      store_credentials(get_tokens)
+      post_token_service = KeycloakOauth::PostTokenService.new(
+        connection: KeycloakOauth.connection,
+        request_params: authentication_params
+      )
+      post_token_service.perform
+      store_credentials(post_token_service)
     end
 
     private
 
-    def get_tokens
-      uri = URI.parse(KeycloakOauth.connection.authentication_endpoint)
-      Net::HTTP.start(uri.host, uri.port) do |http|
-        request = Net::HTTP::Post.new(uri)
-        request.set_content_type(CONTENT_TYPE)
-        request.set_form_data(token_request_params)
-        http.request(request)
-      end
-    end
-
-    def token_request_params
-      {
-        client_id: KeycloakOauth.connection.client_id,
-        client_secret: KeycloakOauth.connection.client_secret,
-        grant_type: GRANT_TYPE,
-        code: code
-      }
-    end
-
-    def store_credentials(http_response)
-      response_hash = JSON.parse(http_response.body)
+    def store_credentials(post_token_service)
+      response_hash = post_token_service.parsed_response_body
 
-      if http_response.code_type == Net::HTTPOK
-        session[:access_token] = response_hash[ACCESS_TOKEN_KEY]
-        session[:refresh_token] = response_hash[REFRESH_TOKEN_KEY]
-      else
-        raise KeycloakOauth::AuthenticationError.new(response_hash)
-      end
+      session[:access_token] = response_hash[ACCESS_TOKEN_KEY]
+      session[:refresh_token] = response_hash[REFRESH_TOKEN_KEY]
     end
   end
 end

data/app/services/keycloak_oauth/authorizable_service.rb

@@ -0,0 +1,50 @@
+require 'net/http'
+
+module KeycloakOauth
+  class AuthorizableError < StandardError; end
+
+  class AuthorizableService
+    HTTP_SUCCESS_CODES = [Net::HTTPOK, Net::HTTPNoContent, Net::HTTPCreated]
+    DEFAULT_CONTENT_TYPE = 'application/x-www-form-urlencoded'.freeze
+    AUTHORIZATION_HEADER = 'Authorization'.freeze
+
+    attr_reader :http_response, :parsed_response_body
+
+    def perform
+      @http_response = send_request
+      @parsed_response_body ||= parse_response_body(http_response)
+    end
+
+    private
+
+    def parse_response_body(http_response)
+      response_body = http_response.body.present? ? JSON.parse(http_response.body) : http_response.body
+
+      return response_body if HTTP_SUCCESS_CODES.include?(http_response.code_type)
+
+      # TODO: For now, we assume that the access token is always valid.
+      # We do not yet handle the case where a refresh token is passed in and
+      # used if the access token has expired.
+      raise KeycloakOauth::AuthorizableError.new(error_message_from(response_body))
+    end
+
+    def error_message_from(response)
+      # Keycloak sometimes sends back a hash containing the "errorMessage" key,
+      # other times it returns a hash containing the "error_description key" key
+      # and other times it returns an empty string. There could be more cases,
+      # but for the moment we are only handling these three.
+      case response.class.to_s
+      when 'Hash'
+        if response.has_key?('errorMessage')
+          return response['errorMessage']
+        elsif response.has_key?('error_description')
+          return response['error_description']
+        end
+      when 'String'
+        return response
+      else
+        'Unexpected Keycloak error'
+      end
+    end
+  end
+end

data/app/services/keycloak_oauth/logout_service.rb

@@ -0,0 +1,44 @@
+require 'net/http'
+
+module KeycloakOauth
+  class LogoutService < KeycloakOauth::AuthorizableService
+    def initialize(session)
+      @session = session
+    end
+
+    def send_request
+      post_logout
+    end
+
+    private
+
+    attr_accessor :session
+
+    def post_logout
+      uri = URI.parse(KeycloakOauth.connection.logout_endpoint)
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        request = Net::HTTP::Post.new(uri)
+        request.set_content_type(DEFAULT_CONTENT_TYPE)
+        request.set_form_data(logout_request_params)
+        request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
+        http.request(request)
+      end
+    end
+
+    def logout_request_params
+      {
+        client_id: KeycloakOauth.connection.client_id,
+        client_secret: KeycloakOauth.connection.client_secret,
+        refresh_token: refresh_token
+      }
+    end
+
+    def access_token
+      session[:access_token]
+    end
+
+    def refresh_token
+      session[:refresh_token]
+    end
+  end
+end

data/app/services/keycloak_oauth/post_token_service.rb

@@ -0,0 +1,40 @@
+require 'net/http'
+
+module KeycloakOauth
+  class PostTokenService < KeycloakOauth::AuthorizableService
+    DEFAULT_GRANT_TYPE = 'authorization_code'.freeze
+
+    attr_reader :request_params, :connection
+
+    def initialize(connection:, request_params:)
+      @connection = connection
+      @request_params = request_params
+    end
+
+    def send_request
+      post_token
+    end
+
+    private
+
+    attr_reader :code, :redirect_uri
+
+    def post_token
+      uri = URI.parse(connection.authentication_endpoint)
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        request = Net::HTTP::Post.new(uri)
+        request.set_content_type(DEFAULT_CONTENT_TYPE)
+        request.set_form_data(token_request_params)
+        http.request(request)
+      end
+    end
+
+    def token_request_params
+      {
+        client_id: connection.client_id,
+        client_secret: connection.client_secret,
+        grant_type: DEFAULT_GRANT_TYPE
+      }.merge(request_params)
+    end
+  end
+end

data/app/services/keycloak_oauth/post_users_service.rb

@@ -0,0 +1,49 @@
+require 'net/http'
+
+module KeycloakOauth
+  class DuplicationError < StandardError; end
+
+  class PostUsersService < KeycloakOauth::AuthorizableService
+    CONTENT_TYPE = 'application/json'.freeze
+
+    attr_reader :request_params, :connection, :user_params
+
+    def initialize(connection:, access_token:, refresh_token:, user_params:)
+      @connection = connection
+      @access_token = access_token
+      @refresh_token = refresh_token
+      @user_params = user_params
+    end
+
+    def send_request
+      post_users
+    end
+
+    private
+
+    attr_accessor :access_token, :refresh_token
+
+    def post_users
+      uri = URI.parse(connection.post_users_endpoint)
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        request = Net::HTTP::Post.new(uri)
+        request.set_content_type(CONTENT_TYPE)
+        request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
+        request.body = user_params.to_json
+        http.request(request)
+      end
+    end
+
+    def parse_response_body(http_response)
+      super
+    rescue KeycloakOauth::AuthorizableError => exception
+      raise exception unless is_exception_a_duplication?(exception)
+      raise KeycloakOauth::DuplicationError.new(exception)
+    end
+
+    def is_exception_a_duplication?(exception)
+      exception.message == "User exists with same email" ||
+      exception.message == "User exists with same username"
+    end
+  end
+end

data/app/services/keycloak_oauth/user_info_retrieval_service.rb

@@ -1,45 +1,30 @@
 require 'net/http'
 
 module KeycloakOauth
-  class UserInfoRetrievalError < StandardError; end
-
-  class UserInfoRetrievalService
-    AUTHORIZATION_HEADER = 'Authorization'.freeze
-    CONTENT_TYPE = 'application/x-www-form-urlencoded'.freeze
-
+  class UserInfoRetrievalService < KeycloakOauth::AuthorizableService
     attr_reader :user_information
 
-    def initialize(access_token:)
+    def initialize(access_token:, refresh_token:)
       @access_token = access_token
+      @refresh_token = refresh_token
     end
 
-    def retrieve
-      @user_information = parsed_user_information(get_user)
+    def send_request
+      get_user
     end
 
     private
 
-    attr_accessor :access_token
+    attr_accessor :access_token, :refresh_token
 
     def get_user
       uri = URI.parse(KeycloakOauth.connection.user_info_endpoint)
-      Net::HTTP.start(uri.host, uri.port) do |http|
+      Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
         request = Net::HTTP::Get.new(uri)
-        request.set_content_type(CONTENT_TYPE)
+        request.set_content_type(DEFAULT_CONTENT_TYPE)
         request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
         http.request(request)
       end
     end
-
-    def parsed_user_information(http_response)
-      response_hash = JSON.parse(http_response.body)
-
-      return response_hash if http_response.code_type == Net::HTTPOK
-
-      # TODO: For now, we assume that the access token is always valid.
-      # We do not yet handle the case where a refresh token is passed in and
-      # used if the access token has expired.
-      raise KeycloakOauth::UserInfoRetrievalError.new(response_hash)
-    end
   end
 end

data/lib/keycloak_oauth/connection.rb

@@ -14,10 +14,18 @@ module KeycloakOauth
       @callback_module = callback_module
     end
 
-    def get_user_information(access_token:)
-      service = KeycloakOauth::UserInfoRetrievalService.new(access_token: access_token)
-      service.retrieve
-      service.user_information
+    def get_user_information(access_token:, refresh_token:)
+      service = KeycloakOauth::UserInfoRetrievalService.new(
+        access_token: access_token,
+        refresh_token: refresh_token
+      )
+      service.perform
+      service.parsed_response_body
+    end
+
+    def logout(session:)
+      service = KeycloakOauth::LogoutService.new(session)
+      service.perform
     end
   end
 end

data/lib/keycloak_oauth/endpoints.rb

@@ -5,6 +5,8 @@ module KeycloakOauth
     def authorization_endpoint(options: {})
       endpoint = "#{auth_url}/realms/#{realm}/protocol/openid-connect/auth?client_id=#{client_id}"
       endpoint += "&response_type=#{options[:response_type] || DEFAULT_RESPONSE_TYPE}"
+      endpoint += "&redirect_uri=#{options[:redirect_uri]}" if options[:redirect_uri].present?
+      endpoint
     end
 
     def authentication_endpoint
@@ -14,5 +16,13 @@ module KeycloakOauth
     def user_info_endpoint
       "#{auth_url}/realms/#{realm}/protocol/openid-connect/userinfo"
     end
+
+    def logout_endpoint
+      "#{auth_url}/realms/#{realm}/protocol/openid-connect/logout"
+    end
+
+    def post_users_endpoint
+      "#{auth_url}/admin/realms/#{realm}/users"
+    end
   end
 end

data/lib/keycloak_oauth/version.rb

@@ -1,3 +1,3 @@
 module KeycloakOauth
-  VERSION = "0.1.3"
+  VERSION = "0.1.8"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keycloak_oauth
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.8
 platform: ruby
 authors:
 - simplificator
-autorequire:
+autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-27 00:00:00.000000000 Z
+date: 2020-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -58,7 +58,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description:
+description: 
 email:
 - dev@simplificator.com
 executables: []
@@ -67,9 +67,12 @@ extra_rdoc_files: []
 files:
 - README.md
 - Rakefile
-- app/controllers/keycloak_oauth/application_controller.rb
 - app/controllers/keycloak_oauth/callbacks_controller.rb
 - app/services/keycloak_oauth/authentication_service.rb
+- app/services/keycloak_oauth/authorizable_service.rb
+- app/services/keycloak_oauth/logout_service.rb
+- app/services/keycloak_oauth/post_token_service.rb
+- app/services/keycloak_oauth/post_users_service.rb
 - app/services/keycloak_oauth/user_info_retrieval_service.rb
 - config/routes.rb
 - lib/keycloak_oauth.rb
@@ -85,7 +88,7 @@ metadata:
   homepage_uri: https://rubygems.org/gems/keycloak_oauth
   source_code_uri: https://github.com/simplificator/keycloak_oauth
   changelog_uri: https://github.com/simplificator/keycloak_oauth
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -100,8 +103,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.8
-signing_key:
+rubygems_version: 3.1.4
+signing_key: 
 specification_version: 4
 summary: Implementing OAuth with Keycloak in Ruby
 test_files: []

data/app/controllers/keycloak_oauth/application_controller.rb

@@ -1,5 +0,0 @@
-module KeycloakOauth
-  class ApplicationController < ActionController::Base
-    protect_from_forgery with: :exception
-  end
-end