okta-jwt 0.2.0 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/README.md +12 -8
- data/lib/okta/jwt/version.rb +1 -1
- data/lib/okta/jwt.rb +17 -9
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c36ef2a88c57081ef6bcc849ed38d9748a5ecde2e22ca97736f450279ae7c06d
|
4
|
+
data.tar.gz: 33d2250564526da5d3fa3afad60b64938445bd7af8b8114d63d4df2d03e02cbc
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7076073b437641283faf8636a55e043852892ab63ca34687969ca8b09e27445978cdef92907dddbc469194fbdec8239eb45d9055e39bf543e6221e89634bc742
|
7
|
+
data.tar.gz: b7a62844e4ec132db22b68188896e38546336a2e89f51471f96657120b361d0c7eba6e71a00d9fcf71beec8d42d2fa8133bc540176ab7ddbcf1e4ee6dd80014b
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
@@ -20,20 +20,23 @@ Or install it yourself as:
|
|
20
20
|
|
21
21
|
## Usage
|
22
22
|
|
23
|
-
Configure the client:
|
23
|
+
Configure the client to sign in user (optional):
|
24
24
|
|
25
25
|
```ruby
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
26
|
+
# client for resource owner password flow
|
27
|
+
Okta::Jwt.configure_client!(
|
28
|
+
issuer_url: 'https://organization.oktapreview.com,
|
29
|
+
auth_server_id: 'auth_server_id,
|
30
|
+
client_id: 'client_id,
|
31
|
+
client_secret: 'client_secret,
|
32
|
+
slogger: Logger.new(STDOUT) # optional
|
33
|
+
)
|
31
34
|
```
|
32
35
|
|
33
|
-
Sign in user to get tokens:
|
36
|
+
Sign in user to get tokens (default scope is openid):
|
34
37
|
|
35
38
|
```ruby
|
36
|
-
auth_response = Okta::Jwt.sign_in(username: 'user@example.org', password: 'password')
|
39
|
+
auth_response = Okta::Jwt.sign_in(username: 'user@example.org', password: 'password', scope: 'openid my_scope')
|
37
40
|
parsed_auth_response = JSON.parse(auth_response.body)
|
38
41
|
```
|
39
42
|
|
@@ -43,6 +46,7 @@ Verify tokens:
|
|
43
46
|
verified_id_token = Okta::Jwt.verify_token(parsed_auth_response['id_token'])
|
44
47
|
verified_access_token = Okta::Jwt.verify_token(parsed_auth_response['access_token'])
|
45
48
|
```
|
49
|
+
NOTE: tokens are validated using data from header and payload: kid, iss and cid/aud. If you are just verifying the tokens there is no need to store anything at the client side.
|
46
50
|
|
47
51
|
## Development
|
48
52
|
|
data/lib/okta/jwt/version.rb
CHANGED
data/lib/okta/jwt.rb
CHANGED
@@ -15,8 +15,8 @@ module Okta
|
|
15
15
|
attr_accessor :issuer_url, :auth_server_id, :client_id, :client_secret, :public_key_ttl, :client, :logger
|
16
16
|
end
|
17
17
|
|
18
|
-
# configure the client
|
19
|
-
def
|
18
|
+
# configure the client for signing in
|
19
|
+
def configure_client!(issuer_url:, auth_server_id:, client_id:, client_secret:, logger: Logger.new(IO::NULL))
|
20
20
|
@issuer_url = issuer_url
|
21
21
|
@auth_server_id = auth_server_id
|
22
22
|
@client_id = client_id
|
@@ -30,12 +30,12 @@ module Okta
|
|
30
30
|
end
|
31
31
|
|
32
32
|
# sign in user to get tokens
|
33
|
-
def sign_in(username:, password:)
|
33
|
+
def sign_in(username:, password:, scope: 'openid')
|
34
34
|
client.post do |req|
|
35
35
|
req.url "/oauth2/#{auth_server_id}/v1/token"
|
36
36
|
req.headers['Content-Type'] = 'application/x-www-form-urlencoded'
|
37
37
|
req.headers['Authorization'] = 'Basic: ' + Base64.strict_encode64("#{client_id}:#{client_secret}")
|
38
|
-
req.body = URI.encode_www_form username: username, password: password, scope:
|
38
|
+
req.body = URI.encode_www_form username: username, password: password, scope: scope, grant_type: 'password'
|
39
39
|
end
|
40
40
|
end
|
41
41
|
|
@@ -47,12 +47,14 @@ module Okta
|
|
47
47
|
|
48
48
|
# extract public key from metadata's jwks_uri using kid
|
49
49
|
def get_jwk(token)
|
50
|
-
|
50
|
+
header, payload = token.split('.').first(2).map{|encoded| JSON.parse(Base64.decode64(encoded))}
|
51
|
+
|
52
|
+
kid = header['kid']
|
51
53
|
return JWKS_CACHE[kid] if JWKS_CACHE[kid] # cache hit
|
52
54
|
|
53
55
|
logger.info("[Okta::Jwt] Fetching public key: kid => #{kid} ...")
|
54
56
|
jwks_response = client.get do |req|
|
55
|
-
req.url get_metadata(
|
57
|
+
req.url get_metadata(payload)['jwks_uri']
|
56
58
|
end
|
57
59
|
jwk = JSON.parse(jwks_response.body)['keys'].find do |key|
|
58
60
|
key.dig('kid') == kid
|
@@ -63,9 +65,15 @@ module Okta
|
|
63
65
|
end
|
64
66
|
|
65
67
|
# fetch client metadata using cid/aud
|
66
|
-
def get_metadata(
|
67
|
-
|
68
|
-
client_id
|
68
|
+
def get_metadata(payload)
|
69
|
+
auth_server_id = payload['iss'].split('/').last # iss: "https://<org>.oktapreview.com/oauth2/<auth_server_id>"
|
70
|
+
client_id = payload['cid'] || payload['aud'] # id_token has client_id value under aud key
|
71
|
+
|
72
|
+
client = Faraday.new(url: payload['iss']) do |f|
|
73
|
+
f.use Faraday::Adapter::NetHttp
|
74
|
+
f.headers['Accept'] = 'application/json'
|
75
|
+
end
|
76
|
+
|
69
77
|
metadata_response = client.get do |req|
|
70
78
|
req.url "/oauth2/#{auth_server_id}/.well-known/oauth-authorization-server?client_id=#{client_id}"
|
71
79
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: okta-jwt
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Damir Roso
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-12-
|
11
|
+
date: 2018-12-10 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|