okta-jwt 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/README.md +12 -8
- data/lib/okta/jwt/version.rb +1 -1
- data/lib/okta/jwt.rb +17 -9
- metadata +2 -2
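--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c36ef2a88c57081ef6bcc849ed38d9748a5ecde2e22ca97736f450279ae7c06d
+data.tar.gz: 33d2250564526da5d3fa3afad60b64938445bd7af8b8114d63d4df2d03e02cbc
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7076073b437641283faf8636a55e043852892ab63ca34687969ca8b09e27445978cdef92907dddbc469194fbdec8239eb45d9055e39bf543e6221e89634bc742
+data.tar.gz: b7a62844e4ec132db22b68188896e38546336a2e89f51471f96657120b361d0c7eba6e71a00d9fcf71beec8d42d2fa8133bc540176ab7ddbcf1e4ee6dd80014b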
data/Gemfile.lock
CHANGED
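--- a/data/README.md
+++ b/data/README.md
@@ -20,20 +20,23 @@ Or install it yourself as:
 
 ## Usage
 
-Configure the client:
+Configure the client to sign in user (optional):
 
 ```ruby
-
-
-
-
-
+# client for resource owner password flow
+Okta::Jwt.configure_client!(
+issuer_url: 'https://organization.oktapreview.com,
+auth_server_id: 'auth_server_id,
+client_id: 'client_id,
+client_secret: 'client_secret,
+slogger: Logger.new(STDOUT) # optional
+)
 ```
 
-Sign in user to get tokens:
+Sign in user to get tokens (default scope is openid):
 
 ```ruby
-auth_response = Okta::Jwt.sign_in(username: 'user@example.org', password: 'password')
+auth_response = Okta::Jwt.sign_in(username: 'user@example.org', password: 'password', scope: 'openid my_scope')
 parsed_auth_response = JSON.parse(auth_response.body)
 ```
 
@@ -43,6 +46,7 @@ Verify tokens:
 verified_id_token = Okta::Jwt.verify_token(parsed_auth_response['id_token'])
 verified_access_token = Okta::Jwt.verify_token(parsed_auth_response['access_token'])
 ```
+NOTE: tokens are validated using data from header and payload: kid, iss and cid/aud. If you are just verifying the tokens there is no need to store anything at the client side.
 
 ## Development
 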
data/lib/okta/jwt/version.rb
CHANGED
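--- a/data/lib/okta/jwt.rb
+++ b/data/lib/okta/jwt.rb
@@ -15,8 +15,8 @@ module Okta
 attr_accessor :issuer_url, :auth_server_id, :client_id, :client_secret, :public_key_ttl, :client, :logger
 end
 
-# configure the client
-def
+# configure the client for signing in
+def configure_client!(issuer_url:, auth_server_id:, client_id:, client_secret:, logger: Logger.new(IO::NULL))
 @issuer_url = issuer_url
 @auth_server_id = auth_server_id
 @client_id = client_id
@@ -30,12 +30,12 @@ module Okta
 end
 
 # sign in user to get tokens
-def sign_in(username:, password:)
+def sign_in(username:, password:, scope: 'openid')
 client.post do |req|
 req.url "/oauth2/#{auth_server_id}/v1/token"
 req.headers['Content-Type'] = 'application/x-www-form-urlencoded'
 req.headers['Authorization'] = 'Basic: ' + Base64.strict_encode64("#{client_id}:#{client_secret}")
-req.body = URI.encode_www_form username: username, password: password, scope:
+req.body = URI.encode_www_form username: username, password: password, scope: scope, grant_type: 'password'
 end
 end
 
@@ -47,12 +47,14 @@ module Okta
 
 # extract public key from metadata's jwks_uri using kid
 def get_jwk(token)
-
+header, payload = token.split('.').first(2).map{|encoded| JSON.parse(Base64.decode64(encoded))}
+
+kid = header['kid']
 return JWKS_CACHE[kid] if JWKS_CACHE[kid] # cache hit
 
 logger.info("[Okta::Jwt] Fetching public key: kid => #{kid} ...")
 jwks_response = client.get do |req|
-req.url get_metadata(
+req.url get_metadata(payload)['jwks_uri']
 end
 jwk = JSON.parse(jwks_response.body)['keys'].find do |key|
 key.dig('kid') == kid
@@ -63,9 +65,15 @@ module Okta
 end
 
 # fetch client metadata using cid/aud
-def get_metadata(
-
-client_id
+def get_metadata(payload)
+auth_server_id = payload['iss'].split('/').last # iss: "https://<org>.oktapreview.com/oauth2/<auth_server_id>"
+client_id = payload['cid'] || payload['aud'] # id_token has client_id value under aud key
+
+client = Faraday.new(url: payload['iss']) do |f|
+f.use Faraday::Adapter::NetHttp
+f.headers['Accept'] = 'application/json'
+end
+
 metadata_response = client.get do |req|
 req.url "/oauth2/#{auth_server_id}/.well-known/oauth-authorization-server?client_id=#{client_id}"
 end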
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: okta-jwt
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Damir Roso
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-12-
|
11
|
+
date: 2018-12-10 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|