oauth_im 0.7.2 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa5dbaae2a3e5884523e938a1a2c1a5009297260c2ced57a69eb6b9b43bc0116
-  data.tar.gz: 5d80271d7c2aa8d9baa53119180c7889da5c47f30f51cf92d8f0aa2f1c2e5376
+  metadata.gz: be1d2aa7d9e5c1ac97a5e5aabd89671a48bfc2afc17c53276f961be0a29d357e
+  data.tar.gz: 64f150ae67c0b67efd6a8db20c1390bb69ca21f29837446ad07264947e8e863d
 SHA512:
-  metadata.gz: 873154c1389b866c7d68d209d6bf83e107c7db64e01ab0bffcba9578ad5f6e0df22ea91a66fda1dd67ee9675ad18c330716c7572b772e9e721a241e5a473369c
-  data.tar.gz: 8e1c2d0c1ef24d23f4348788fee37befbf216af10b9425f4dc861739dc745ab57db76b3c7b0a3d8869457aa1b701d7a5fe6940358a47ec104fe7aca9027fb9b0
+  metadata.gz: 11624bb0650c05d8a5f63edee7b8918f6e043f6a4b6d15b25cd593da5940af18ab320a5d4587479ab96c836ef60b99b4e45f49fabfe3a08e23870dd1d1489499
+  data.tar.gz: 4018866ef76985ec65ccb37ab95e7e973caf0e8f07086a25ad3f55b2eb17659d130e75421466f60f8d526aa8929239c935d87fb905d7358edfceae6c81540ff5

data/README.md

@@ -23,20 +23,46 @@ Once the gem is installed, add an initializer. Here is an example:
 # config/initializers/oauth_im.rb
 module OauthIm
   configure do |config|
-    config.api_key        = ENV['FUSION_AUTH_API_KEY']
-    config.callback_route = ENV['FUSION_CALLBACK_ROUTE] || DEFAULT_CALLBACK_ROUTE
+    #####################################
+    # these routes are local to the app #
+    #####################################
+    config.authorize_url  = ENV.fetch 'FUSION_AUTH_AUTHORIZE_URL', DEFAULT_AUTHORIZE_URL
+    config.callback_route = ENV.fetch 'FUSION_CALLBACK_ROUTE',     DEFAULT_CALLBACK_ROUTE
+    config.token_url      = ENV.fetch 'FUSION_AUTH_TOKEN_URL',     DEFAULT_TOKEN_URL
+
+    ##############################################
+    # identity provider url (e.g., fusion auth): #
+    ##############################################
+    config.idp_url        = ENV.fetch 'FUSION_AUTH_IDP_URL',       DEFAULT_IDP_URL
+
+    ################################################
+    # Issuer domain: find on FA tenant General tab #
+    ################################################
+    config.iss_domain     = ENV.fetch 'FUSION_AUTH_ISS_DOMAIN',    DEFAULT_ISS_DOMAIN
+
+    ####################################
+    # find on FA application OAuth tab #
+    ####################################
     config.client_id      = ENV['FUSION_AUTH_CLIENT_ID']
     config.client_secret  = ENV['FUSION_AUTH_CLIENT_SECRET']
-    config.domain         = ENV['FUSION_AUTH_DOMAIN']
+
+    #################################################################################
+    # 1. Find signing key name on the app details name.                             #
+    # 2. Look up the key (by name) under Key Master tab under Settings:             #
+    #    https://illustrativemath-dev.fusionauth.io/admin/key/                      #
+    # 3. The key should be either HMAC or RSA.                                      #
+    #   - If HMAC, view the Secret under Details. You will need to click to reveal. #
+    #   - If RSA, copy the PEM encoded public key as-is.                            #
+    # Note: You don't need both keys --- TokenDecoder will use the one available.   #
+    #################################################################################
     config.hmac           = ENV['FUSION_AUTH_HMAC']
-    config.iss_domain     = ENV['FUSION_AUTH_ISS_DOMAIN']
-    config.authorize_url  = ENV['FUSION_AUTH_AUTHORIZE_URL'] || DEFAULT_AUTHORIZE_URL
-    config.token_url      = ENV['FUSION_AUTH_TOKEN_URL']     || DEFAULT_TOKEN_URL
+    config.rsa_public     = ENV['FUSION_AUTH_RSA_PUBLIC]
   end
 end
 ```
 
 * The `ENV` variable values can be obtained from the OAuth provider.
+* Here is [an article at FusionAuth](https://fusionauth.io/blog/2020/12/14/how-to-securely-implement-oauth-rails) describing many of these settings.
 * The `callback_route` setting is used in two related ways:
   * It [defines a route](https://github.com/illustrativemathematics/oauth_im/blob/main/config/routes.rb#L4) to the [`OAuthIm::ClientController#callback`
     action](https://github.com/illustrativemathematics/oauth_im/blob/main/app/controllers/oauth_im/client_controller.rb#L7-L12).
@@ -54,9 +80,9 @@ end
 The engine provides [two endpoints](https://github.com/illustrativemathematics/oauth_im/blob/main/config/routes.rb#L5-L6) for logging in and out, and exposes
 corresponding view helpers. These are accessible from the main app as:
 
-| path | url |
-|------|-----|
-| `oauth_im.login_path` | `oauth_im.login_url` |
+| path                   | url                   |
+|------------------------|-----------------------|
+| `oauth_im.login_path`  | `oauth_im.login_url`  |
 | `oauth_im.logout_path` | `oauth_im.logout_url` |
 
 * Note that the helpers are namespaced to the engine.
@@ -123,6 +149,14 @@ After many false starts, this repo includes two (seemingly functional) github wo
   you.
 
 ## Version History
+### 0.8.0
+* Allow RSA signing keys in addition to HMAC.
+  This is because Terraform creates RSA keys during runs.
+### 0.7.4
+* Use https protocol for callback in production; http otherwise
+
+### 0.7.3
+* Cleaned up configuration
 
 ### 0.7.2
 * Using :http protocol in tests (not https)

data/app/controllers/oauth_im/client_controller.rb

@@ -7,8 +7,6 @@ module OauthIm
     def callback
       session[:user_jwt] = user_jwt
       redirect_to main_app.root_path
-    rescue StandardError
-      head :forbidden
     end
 
     def login

data/app/services/oauth_im/client.rb

@@ -13,7 +13,7 @@ module OauthIm
     end
 
     def logout_url
-      @logout_url ||= "#{domain}/oauth2/logout" \
+      @logout_url ||= "#{idp_url}/oauth2/logout" \
                       "?post_logout_redirect_uri=#{return_to_url}" \
                       "&client_id=#{client_id}"
     end
@@ -26,7 +26,7 @@ module OauthIm
 
     delegate :host_with_port, :params, to: :request
     delegate :configuration, to: OauthIm
-    delegate :authorize_url, :client_id, :client_secret, :domain, :token_url,
+    delegate :authorize_url, :token_url, :idp_url, :client_id, :client_secret,
              to: :configuration
     delegate :auth_code, to: :oauth_client
 
@@ -49,7 +49,7 @@ module OauthIm
     end
 
     def protocol
-      @protocol ||= Rails.env.test? ? :http : :https
+      @protocol ||= Rails.env.production? ? :https : :http
     end
 
     def decoded_token
@@ -64,7 +64,7 @@ module OauthIm
       @oauth_client ||= ::OAuth2::Client.new client_id,
                                              client_secret,
                                              authorize_url: authorize_url,
-                                             site: domain,
+                                             site: idp_url,
                                              token_url: token_url,
                                              redirect_uri: redirect_url
     end

data/app/services/oauth_im/token_decoder.rb

@@ -20,14 +20,30 @@ module OauthIm
     private
 
     delegate :configuration, to: OauthIm
-    delegate :hmac, :iss_domain, to: :configuration
+    delegate :hmac, :rsa_public, :iss_domain, to: :configuration
 
     def decoded_token
-      @decoded_token ||= JWT.decode token, hmac, true, decode_params
+      @decoded_token ||= JWT.decode token, key, verify?, decode_params
     end
 
-    def decode_algorithm
-      DEFAULT_DECODE_ALGORITHM
+    def decode_using_hmac?
+      hmac.present?
+    end
+
+    def key
+      @key ||= decode_using_hmac? ? hmac : rsa_public_key
+    end
+
+    def rsa_public_key
+      @rsa_public_key ||= OpenSSL::PKey::RSA.new rsa_public
+    end
+
+    def algorithm
+      @algorithm ||= decode_using_hmac? ? 'HS256' : 'RS256'
+    end
+
+    def verify?
+      true
     end
 
     def verify_iss?
@@ -43,7 +59,7 @@ module OauthIm
                            iss: iss_domain,
                            verify_aud: verify_aud?,
                            aud: aud,
-                           algorithm: decode_algorithm }.freeze
+                           algorithm: algorithm }.freeze
     end
   end
 end

data/lib/oauth_im/configuration.rb

@@ -1,16 +1,22 @@
 # frozen_string_literal: true
 
+########################################################################################
+# edc: see https://fusionauth.io/blog/2020/12/14/how-to-securely-implement-oauth-rails #
+########################################################################################
+
 module OauthIm
   CONFIGURABLE_FIELDS =
-    %i[api_key
-       authorize_url
-       callback_route
-       client_id
-       client_secret
-       domain
-       hmac
-       iss_domain
-       token_url].freeze
+    %i[
+      authorize_url
+      callback_route
+      token_url
+      idp_url
+      iss_domain
+      client_id
+      client_secret
+      hmac
+      rsa_public
+    ].freeze
 
   class Configuration
     attr_reader(* CONFIGURABLE_FIELDS)

data/lib/oauth_im/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OauthIm
-  VERSION = '0.7.2'
+  VERSION = '0.8.0'
 end

data/lib/oauth_im.rb

@@ -1,13 +1,19 @@
 # frozen_string_literal: true
 
+########################################################################################
+# edc: see https://fusionauth.io/blog/2020/12/14/how-to-securely-implement-oauth-rails #
+########################################################################################
+
 require 'oauth_im/version'
 require 'oauth_im/engine'
 require 'oauth_im/configuration'
 
 module OauthIm
   DEFAULT_AUTHORIZE_URL  = '/oauth2/authorize'
-  DEFAULT_TOKEN_URL      = '/oauth2/token'
   DEFAULT_CALLBACK_ROUTE = 'callback'
+  DEFAULT_TOKEN_URL      = '/oauth2/token'
+  DEFAULT_IDP_URL        = 'https://illustrativemath-dev.fusionauth.io'
+  DEFAULT_ISS_DOMAIN     = 'illustrativemathematics.org'
 
   class << self
     attr_reader :configuration

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oauth_im
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.8.0
 platform: ruby
 authors:
 - Eric Connally
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-24 00:00:00.000000000 Z
+date: 2022-05-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt