keycloak_rack 1.0.0 → 1.1.0

data/gemfiles/rails_6_1.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    keycloak_rack (1.0.0)
+    keycloak_rack (1.1.0)
       activesupport (>= 4.2)
       anyway_config (>= 2.1.0, < 3)
       dry-auto_inject
@@ -20,115 +20,112 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.1.3.1)
-      actionpack (= 6.1.3.1)
-      activesupport (= 6.1.3.1)
+    actioncable (6.1.4.4)
+      actionpack (= 6.1.4.4)
+      activesupport (= 6.1.4.4)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.3.1)
-      actionpack (= 6.1.3.1)
-      activejob (= 6.1.3.1)
-      activerecord (= 6.1.3.1)
-      activestorage (= 6.1.3.1)
-      activesupport (= 6.1.3.1)
+    actionmailbox (6.1.4.4)
+      actionpack (= 6.1.4.4)
+      activejob (= 6.1.4.4)
+      activerecord (= 6.1.4.4)
+      activestorage (= 6.1.4.4)
+      activesupport (= 6.1.4.4)
       mail (>= 2.7.1)
-    actionmailer (6.1.3.1)
-      actionpack (= 6.1.3.1)
-      actionview (= 6.1.3.1)
-      activejob (= 6.1.3.1)
-      activesupport (= 6.1.3.1)
+    actionmailer (6.1.4.4)
+      actionpack (= 6.1.4.4)
+      actionview (= 6.1.4.4)
+      activejob (= 6.1.4.4)
+      activesupport (= 6.1.4.4)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.3.1)
-      actionview (= 6.1.3.1)
-      activesupport (= 6.1.3.1)
+    actionpack (6.1.4.4)
+      actionview (= 6.1.4.4)
+      activesupport (= 6.1.4.4)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.3.1)
-      actionpack (= 6.1.3.1)
-      activerecord (= 6.1.3.1)
-      activestorage (= 6.1.3.1)
-      activesupport (= 6.1.3.1)
+    actiontext (6.1.4.4)
+      actionpack (= 6.1.4.4)
+      activerecord (= 6.1.4.4)
+      activestorage (= 6.1.4.4)
+      activesupport (= 6.1.4.4)
       nokogiri (>= 1.8.5)
-    actionview (6.1.3.1)
-      activesupport (= 6.1.3.1)
+    actionview (6.1.4.4)
+      activesupport (= 6.1.4.4)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.1.3.1)
-      activesupport (= 6.1.3.1)
+    activejob (6.1.4.4)
+      activesupport (= 6.1.4.4)
       globalid (>= 0.3.6)
-    activemodel (6.1.3.1)
-      activesupport (= 6.1.3.1)
-    activerecord (6.1.3.1)
-      activemodel (= 6.1.3.1)
-      activesupport (= 6.1.3.1)
-    activestorage (6.1.3.1)
-      actionpack (= 6.1.3.1)
-      activejob (= 6.1.3.1)
-      activerecord (= 6.1.3.1)
-      activesupport (= 6.1.3.1)
+    activemodel (6.1.4.4)
+      activesupport (= 6.1.4.4)
+    activerecord (6.1.4.4)
+      activemodel (= 6.1.4.4)
+      activesupport (= 6.1.4.4)
+    activestorage (6.1.4.4)
+      actionpack (= 6.1.4.4)
+      activejob (= 6.1.4.4)
+      activerecord (= 6.1.4.4)
+      activesupport (= 6.1.4.4)
       marcel (~> 1.0.0)
-      mini_mime (~> 1.0.2)
-    activesupport (6.1.3.1)
+      mini_mime (>= 1.1.0)
+    activesupport (6.1.4.4)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
       zeitwerk (~> 2.3)
-    addressable (2.7.0)
+    addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
-    anyway_config (2.1.0)
-      ruby-next-core (>= 0.11.0)
+    anyway_config (2.2.3)
+      ruby-next-core (>= 0.14.0)
     appraisal (2.4.0)
       bundler
       rake
       thor (>= 0.14.0)
     ast (2.4.2)
-    backports (3.21.0)
+    backports (3.23.0)
     builder (3.2.4)
     coderay (1.1.3)
-    concurrent-ruby (1.1.8)
+    concurrent-ruby (1.1.9)
     crack (0.4.5)
       rexml
     crass (1.0.6)
-    diff-lcs (1.4.4)
-    docile (1.3.5)
-    dry-auto_inject (0.7.0)
+    diff-lcs (1.5.0)
+    docile (1.4.0)
+    dry-auto_inject (0.9.0)
       dry-container (>= 0.3.4)
-    dry-configurable (0.12.1)
+    dry-configurable (0.14.0)
       concurrent-ruby (~> 1.0)
-      dry-core (~> 0.5, >= 0.5.0)
-    dry-container (0.7.2)
+      dry-core (~> 0.6)
+    dry-container (0.9.0)
       concurrent-ruby (~> 1.0)
-      dry-configurable (~> 0.1, >= 0.1.3)
-    dry-core (0.5.0)
+      dry-configurable (~> 0.13, >= 0.13.0)
+    dry-core (0.7.1)
       concurrent-ruby (~> 1.0)
-    dry-effects (0.1.5)
+    dry-effects (0.2.0)
       concurrent-ruby (~> 1.0)
       dry-container (~> 0.7, >= 0.7.2)
-      dry-core (~> 0.4, >= 0.4.7)
-      dry-equalizer (~> 0.2, >= 0.2.2)
+      dry-core (~> 0.5, >= 0.5)
       dry-inflector (~> 0.1, >= 0.1.2)
       dry-initializer (~> 3.0)
-    dry-equalizer (0.3.0)
-    dry-inflector (0.2.0)
-    dry-initializer (3.0.4)
+    dry-inflector (0.2.1)
+    dry-initializer (3.1.1)
     dry-logic (1.2.0)
       concurrent-ruby (~> 1.0)
       dry-core (~> 0.5, >= 0.5)
     dry-matcher (0.9.0)
       dry-core (~> 0.4, >= 0.4.8)
-    dry-monads (1.3.5)
+    dry-monads (1.4.0)
       concurrent-ruby (~> 1.0)
-      dry-core (~> 0.4, >= 0.4.4)
-      dry-equalizer
-    dry-schema (1.6.2)
+      dry-core (~> 0.7)
+    dry-schema (1.8.0)
       concurrent-ruby (~> 1.0)
-      dry-configurable (~> 0.8, >= 0.8.3)
+      dry-configurable (~> 0.13, >= 0.13.0)
       dry-core (~> 0.5, >= 0.5)
       dry-initializer (~> 3.0)
       dry-logic (~> 1.0)
@@ -143,96 +140,95 @@ GEM
       dry-core (~> 0.5, >= 0.5)
       dry-inflector (~> 0.1, >= 0.1.2)
       dry-logic (~> 1.0, >= 1.0.2)
-    dry-validation (1.6.0)
+    dry-validation (1.7.0)
       concurrent-ruby (~> 1.0)
       dry-container (~> 0.7, >= 0.7.1)
-      dry-core (~> 0.4)
-      dry-equalizer (~> 0.2)
+      dry-core (~> 0.5, >= 0.5)
       dry-initializer (~> 3.0)
-      dry-schema (~> 1.5, >= 1.5.2)
+      dry-schema (~> 1.8, >= 1.8.0)
     erubi (1.10.0)
     factory_bot (6.1.0)
       activesupport (>= 5.0.0)
-    faker (2.17.0)
+    faker (2.19.0)
       i18n (>= 1.6, < 2)
-    globalid (0.4.2)
-      activesupport (>= 4.2.0)
+    globalid (1.0.0)
+      activesupport (>= 5.0)
     hashdiff (1.0.1)
-    i18n (1.8.10)
+    i18n (1.9.1)
       concurrent-ruby (~> 1.0)
     ice_nine (0.11.2)
-    jwt (2.2.3)
-    loofah (2.9.1)
+    jwt (2.3.0)
+    loofah (2.13.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (1.0.1)
+    marcel (1.0.2)
     method_source (1.0.0)
-    mini_mime (1.0.3)
-    mini_portile2 (2.5.1)
-    minitest (5.14.4)
-    nio4r (2.5.7)
-    nokogiri (1.11.3)
-      mini_portile2 (~> 2.5.0)
+    mini_mime (1.1.2)
+    mini_portile2 (2.7.1)
+    minitest (5.15.0)
+    nio4r (2.5.8)
+    nokogiri (1.13.1)
+      mini_portile2 (~> 2.7.0)
       racc (~> 1.4)
-    nokogiri (1.11.3-x86_64-darwin)
+    nokogiri (1.13.1-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.11.3-x86_64-linux)
+    nokogiri (1.13.1-x86_64-linux)
       racc (~> 1.4)
-    parallel (1.20.1)
-    parser (3.0.1.1)
+    parallel (1.21.0)
+    parser (3.1.0.0)
       ast (~> 2.4.1)
     pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.6)
-    racc (1.5.2)
+    racc (1.6.0)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.1.3.1)
-      actioncable (= 6.1.3.1)
-      actionmailbox (= 6.1.3.1)
-      actionmailer (= 6.1.3.1)
-      actionpack (= 6.1.3.1)
-      actiontext (= 6.1.3.1)
-      actionview (= 6.1.3.1)
-      activejob (= 6.1.3.1)
-      activemodel (= 6.1.3.1)
-      activerecord (= 6.1.3.1)
-      activestorage (= 6.1.3.1)
-      activesupport (= 6.1.3.1)
+    rails (6.1.4.4)
+      actioncable (= 6.1.4.4)
+      actionmailbox (= 6.1.4.4)
+      actionmailer (= 6.1.4.4)
+      actionpack (= 6.1.4.4)
+      actiontext (= 6.1.4.4)
+      actionview (= 6.1.4.4)
+      activejob (= 6.1.4.4)
+      activemodel (= 6.1.4.4)
+      activerecord (= 6.1.4.4)
+      activestorage (= 6.1.4.4)
+      activesupport (= 6.1.4.4)
       bundler (>= 1.15.0)
-      railties (= 6.1.3.1)
+      railties (= 6.1.4.4)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
+    rails-html-sanitizer (1.4.2)
       loofah (~> 2.3)
-    railties (6.1.3.1)
-      actionpack (= 6.1.3.1)
-      activesupport (= 6.1.3.1)
+    railties (6.1.4.4)
+      actionpack (= 6.1.4.4)
+      activesupport (= 6.1.4.4)
       method_source
-      rake (>= 0.8.7)
+      rake (>= 0.13)
       thor (~> 1.0)
-    rainbow (3.0.0)
-    rake (13.0.3)
+    rainbow (3.1.1)
+    rake (13.0.6)
     redcarpet (3.5.1)
-    regexp_parser (2.1.1)
+    regexp_parser (2.2.0)
     rexml (3.2.5)
     rspec (3.10.0)
       rspec-core (~> 3.10.0)
       rspec-expectations (~> 3.10.0)
       rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
+    rspec-core (3.10.2)
       rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rspec-expectations (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
     rspec-json_expectations (2.2.0)
-    rspec-mocks (3.10.2)
+    rspec-mocks (3.10.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
     rspec-rails (5.0.1)
@@ -243,7 +239,7 @@ GEM
       rspec-expectations (~> 3.10)
       rspec-mocks (~> 3.10)
       rspec-support (~> 3.10)
-    rspec-support (3.10.2)
+    rspec-support (3.10.3)
     rubocop (1.13.0)
       parallel (~> 1.10)
       parser (>= 3.0.0.0)
@@ -253,38 +249,38 @@ GEM
       rubocop-ast (>= 1.2.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.5.0)
+    rubocop-ast (1.15.1)
       parser (>= 3.0.1.1)
     rubocop-rake (0.5.1)
       rubocop
     rubocop-rspec (2.3.0)
       rubocop (~> 1.0)
       rubocop-ast (>= 1.1.0)
-    ruby-next-core (0.12.0)
+    ruby-next-core (0.14.1)
     ruby-progressbar (1.11.0)
     simplecov (0.21.2)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
-    simplecov_json_formatter (0.1.2)
+    simplecov_json_formatter (0.1.3)
     sprockets (4.0.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.2.2)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
+    sprockets-rails (3.4.2)
+      actionpack (>= 5.2)
+      activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    thor (1.1.0)
+    thor (1.2.1)
     timecop (0.9.4)
     tzinfo (2.0.4)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.0.0)
+    unicode-display_width (2.1.0)
     webmock (3.12.2)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    websocket-driver (0.7.3)
+    websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     yard (0.9.26)
@@ -292,7 +288,7 @@ GEM
       backports (>= 3.18)
       rainbow
       yard
-    zeitwerk (2.4.2)
+    zeitwerk (2.5.4)
 
 PLATFORMS
   ruby
@@ -302,9 +298,8 @@ PLATFORMS
 DEPENDENCIES
   appraisal (= 2.4.0)
   factory_bot (~> 6.1.0)
-  faker (= 2.17.0)
+  faker (= 2.19.0)
   keycloak_rack!
-  nokogiri
   pry (= 0.14.1)
   rack-test (= 1.1.0)
   rails (>= 6.1.0, < 6.2.0)
@@ -323,4 +318,4 @@ DEPENDENCIES
   yard-junk
 
 BUNDLED WITH
-   2.2.16
+   2.2.19

data/keycloak_rack.gemspec

@@ -36,7 +36,7 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "appraisal", "2.4.0"
   spec.add_development_dependency "factory_bot", "~> 6.1.0"
-  spec.add_development_dependency "faker", "2.17.0"
+  spec.add_development_dependency "faker", "2.19.0"
   spec.add_development_dependency "pry", "0.14.1"
   spec.add_development_dependency "rack-test", "1.1.0"
   spec.add_development_dependency "rake", ">= 13", "< 14"

data/lib/keycloak_rack/authenticate.rb

@@ -50,20 +50,18 @@ module KeycloakRack
     include Dry::Monads[:do, :result]
 
     include Import[
-      config: "keycloak-rack.config",
-      key_resolver: "keycloak-rack.key_resolver",
+      decode_and_verify: "keycloak-rack.decode_and_verify",
       read_token: "keycloak-rack.read_token",
-      skip_authentication: "keycloak-rack.skip_authentication"
+      skip_authentication: "keycloak-rack.skip_authentication",
+      wrap: "keycloak-rack.wrap_token",
     ]
 
-    delegate :token_leeway, to: :config
-
     # @param [Hash] env the rack environment
     # @return [Dry::Monads::Success(:authenticated, KeycloakRack::DecodedToken)]
     # @return [Dry::Monads::Success(:skipped, String)]
     # @return [Dry::Monads::Success(:unauthenticated)]
     # @return [Dry::Monads::Failure(:expired, String, String, Exception)]
-    # @return [Dry::Monads::Failure(:decoding_failed, String, String, Exception)]
+    # @return [Dry::Monads::Failure(:decoding_failed, String, Exception)]
     def call(env)
       return Success[:skipped] if yield skip_authentication.call(env)
 
@@ -71,45 +69,11 @@ module KeycloakRack
 
       return Success[:unauthenticated] if token.blank?
 
-      decoded_token = yield decode_and_verify token
-
-      Success[:authenticated, decoded_token]
-    end
-
-    private
+      payload, headers = yield decode_and_verify.call token
 
-    # @param [String] token
-    # @return [Dry::Monads::Success(KeycloakRack::DecodedToken)]
-    # @return [Dry::Monads::Failure(:expired, String, String, Exception)]
-    # @return [Dry::Monads::Failure(:decoding_failed, String, String, Exception)]
-    def decode_and_verify(token)
-      jwks = yield key_resolver.find_public_keys
+      decoded_token = yield wrap.call payload, headers
 
-      algorithms = yield algorithms_for jwks
-
-      options = {
-        algorithms: algorithms,
-        leeway: token_leeway,
-        jwks: jwks
-      }
-
-      payload, headers = JWT.decode token, nil, true, options
-    rescue JWT::ExpiredSignature => e
-      Failure[:expired, "JWT is expired", token, e]
-    rescue JWT::DecodeError => e
-      Failure[:decoding_failed, "Failed to decode JWT", token, e]
-    else
-      Success DecodedToken.new payload.merge(original_payload: payload, headers: headers)
-    end
-
-    # @param [{ Symbol => <{ Symbol => String }> }] jwks
-    # @return [<String>]
-    def algorithms_for(jwks)
-      jwks.fetch(:keys, []).map do |k|
-        k[:alg]
-      end.uniq.compact.then do |algs|
-        algs.present? ? Success(algs) : Failure[:no_algorithms, "Could not derive algorithms from JWKS"]
-      end
+      Success[:authenticated, decoded_token]
     end
   end
 end

data/lib/keycloak_rack/container.rb

@@ -19,6 +19,10 @@ module KeycloakRack
         KeycloakRack::Authenticate.new
       end
 
+      register :decode_and_verify do
+        KeycloakRack::DecodeAndVerify.new
+      end
+
       register :http_client do
         KeycloakRack::HTTPClient.new
       end
@@ -48,6 +52,10 @@ module KeycloakRack
       register :x509_store do
         resolve(:config).build_x509_store
       end
+
+      register :wrap_token do
+        KeycloakRack::WrapToken.new
+      end
     end
   end
 end

data/lib/keycloak_rack/decode_and_verify.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module KeycloakRack
+  # Accept an encoded JWT and return the raw token.
+  class DecodeAndVerify
+    include Dry::Monads[:do, :result]
+
+    include Import[
+      config: "keycloak-rack.config",
+      key_resolver: "keycloak-rack.key_resolver",
+    ]
+
+    delegate :token_leeway, to: :config
+
+    # @param [String] token
+    # @return [Dry::Monads::Success(Hash, Hash)] a tuple of the JWT payload and its headers
+    # @return [Dry::Monads::Failure(:expired, String, String, Exception)]
+    # @return [Dry::Monads::Failure(:decoding_failed, String, Exception)]
+    def call(token)
+      jwks = yield key_resolver.find_public_keys
+
+      algorithms = yield algorithms_for jwks
+
+      options = {
+        algorithms: algorithms,
+        leeway: token_leeway,
+        jwks: jwks
+      }
+
+      payload, headers = JWT.decode token, nil, true, options
+    rescue JWT::ExpiredSignature => e
+      Failure[:expired, "JWT is expired", token, e]
+    rescue JWT::DecodeError => e
+      Failure[:decoding_failed, "Failed to decode JWT", e]
+    else
+      Success[payload, headers]
+    end
+
+    private
+
+    # @param [{ Symbol => <{ Symbol => String }> }] jwks
+    # @return [<String>]
+    def algorithms_for(jwks)
+      jwks.fetch(:keys, []).map do |k|
+        k[:alg]
+      end.uniq.compact.then do |algs|
+        algs.present? ? Success(algs) : Failure[:no_algorithms, "Could not derive algorithms from JWKS"]
+      end
+    end
+  end
+end

data/lib/keycloak_rack/decoded_token.rb

@@ -18,6 +18,8 @@ module KeycloakRack
 
     private_constant :KEY_MAP
 
+    ALIAS_MAP = KEY_MAP.invert.freeze
+
     transform_keys do |k|
       KEY_MAP[k] || k.to_sym
     end
@@ -65,17 +67,17 @@ module KeycloakRack
     # @!attribute [r] expires_at
     # The `exp` claim
     # @return [Time]
-    attribute :expires_at, Types::Timestamp
+    attribute? :expires_at, Types::Timestamp
 
     # @!attribute [r] issued_at
     # The `iat` claim
     # @return [Time]
-    attribute :issued_at, Types::Timestamp
+    attribute? :issued_at, Types::Timestamp
 
     # @!attribute [r] authorized_at
     # The `auth_time` value from Keycloak.
     # @return [Time]
-    attribute :authorized_at, Types::Timestamp
+    attribute? :authorized_at, Types::Timestamp
 
     # @!attribute [r] jti
     # @return [String]
@@ -93,20 +95,20 @@ module KeycloakRack
     # @!attribute [r] authorized_party
     # The `azp` claim
     # @return [String]
-    attribute :authorized_party, Types::String
+    attribute? :authorized_party, Types::String
 
     # @!attribute [r] nonce
     # Cryptographic nonce for the token
     # @return [String]
-    attribute :nonce, Types::String
+    attribute? :nonce, Types::String
 
     # @!attribute [r] scope
     # @return [String]
-    attribute :scope, Types::String
+    attribute? :scope, Types::String
 
     # @!attribute [r] session_state
     # @return [String]
-    attribute :session_state, Types::String
+    attribute? :session_state, Types::String
 
     # @!attribute [r] locale
     # @return [String, nil]
@@ -114,7 +116,7 @@ module KeycloakRack
 
     # @!attribute [r] allowed_origins
     # @return [<String>]
-    attribute :allowed_origins, Types::StringList
+    attribute? :allowed_origins, Types::StringList
 
     # @!attribute [r] headers
     # The JWT headers, provided for debugging
@@ -187,5 +189,13 @@ module KeycloakRack
     # An error raised by {KeycloakRack::DecodedToken#fetch} when
     # trying to fetch something the token doesn't know about
     class UnknownAttribute < KeyError; end
+
+    class << self
+      # @param [Symbol] key
+      # @return [Symbol]
+      def maybe_unalias_key(key)
+        ALIAS_MAP.fetch(key, key).to_sym
+      end
+    end
   end
 end

data/lib/keycloak_rack/middleware.rb

@@ -84,7 +84,7 @@ module KeycloakRack
         401
       in Failure[:expired, String, String, Exception]
         403
-      in Failure[Symbol, String, String, Exception]
+      in Failure[Symbol, String, Exception]
         400
       else
         500

data/lib/keycloak_rack/version.rb

@@ -2,5 +2,5 @@
 
 module KeycloakRack
   # Gem version
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
 end