okta-jwt 0.2.0 → 0.3.0

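--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: d86a02a18fafb45fcc0bb032360de8c925c084fb53e6d6cc1eba219befcc353a
-data.tar.gz: 98c2c4cfd3e45288de02c616a97660135ec77e21223b071191d2e1f49847dc54
+metadata.gz: c36ef2a88c57081ef6bcc849ed38d9748a5ecde2e22ca97736f450279ae7c06d
+data.tar.gz: 33d2250564526da5d3fa3afad60b64938445bd7af8b8114d63d4df2d03e02cbc
 SHA512:
-metadata.gz: 67f895b7796bfd0279c0225b806a36396bc53fadeee8f86ddad66de19f853e4727edda2027015182a987f2b478cabe22baf9cf77c23e1d9f1d424455a28d24d7
-data.tar.gz: 4cb76774add99285f65827fb7d3ef7d9a64ad4a7753fbb84be25cad44860d28724cceca9652f20372d94d2c7a2105224a90f2de014188b4c54d1cadc68e06fd8
+metadata.gz: 7076073b437641283faf8636a55e043852892ab63ca34687969ca8b09e27445978cdef92907dddbc469194fbdec8239eb45d9055e39bf543e6221e89634bc742
+data.tar.gz: b7a62844e4ec132db22b68188896e38546336a2e89f51471f96657120b361d0c7eba6e71a00d9fcf71beec8d42d2fa8133bc540176ab7ddbcf1e4ee6dd80014b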
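--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-okta-jwt (0.2.0)
+okta-jwt (0.3.0)
 faraday
 json-jwt
 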
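--- a/data/README.md
+++ b/data/README.md
@@ -20,20 +20,23 @@ Or install it yourself as:
 
 ## Usage
 
-Configure the client:
+Configure the client to sign in user (optional):
 
 ```ruby
-Okta::Jwt.configure! issuer_url: 'https://organization.oktapreview.com,
-auth_server_id: 'auth_server_id,
-client_id: 'client_id, # optional, used to sign in users
-client_secret: 'client_secret, # optional, used to sign in users
-logger: Logger.new(STDOUT) # optional
+# client for resource owner password flow
+Okta::Jwt.configure_client!(
+issuer_url: 'https://organization.oktapreview.com,
+auth_server_id: 'auth_server_id,
+client_id: 'client_id,
+client_secret: 'client_secret,
+slogger: Logger.new(STDOUT) # optional
+)
 ```
 
-Sign in user to get tokens:
+Sign in user to get tokens (default scope is openid):
 
 ```ruby
-auth_response = Okta::Jwt.sign_in(username: 'user@example.org', password: 'password')
+auth_response = Okta::Jwt.sign_in(username: 'user@example.org', password: 'password', scope: 'openid my_scope')
 parsed_auth_response = JSON.parse(auth_response.body)
 ```
 
@@ -43,6 +46,7 @@ Verify tokens:
 verified_id_token = Okta::Jwt.verify_token(parsed_auth_response['id_token'])
 verified_access_token = Okta::Jwt.verify_token(parsed_auth_response['access_token'])
 ```
+NOTE: tokens are validated using data from header and payload: kid, iss and cid/aud. If you are just verifying the tokens there is no need to store anything at the client side.
 
 ## Development
 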
@@ -1,5 +1,5 @@
1
1
  module Okta
2
2
  module Jwt
3
- VERSION = "0.2.0"
3
+ VERSION = "0.3.0"
4
4
  end
5
5
  end
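--- a/data/lib/okta/jwt.rb
+++ b/data/lib/okta/jwt.rb
@@ -15,8 +15,8 @@ module Okta
 attr_accessor :issuer_url, :auth_server_id, :client_id, :client_secret, :public_key_ttl, :client, :logger
 end
 
-# configure the client
-def configure!(issuer_url:, auth_server_id:, client_id: nil, client_secret: nil, logger: Logger.new(IO::NULL))
+# configure the client for signing in
+def configure_client!(issuer_url:, auth_server_id:, client_id:, client_secret:, logger: Logger.new(IO::NULL))
 @issuer_url = issuer_url
 @auth_server_id = auth_server_id
 @client_id = client_id
@@ -30,12 +30,12 @@ module Okta
 end
 
 # sign in user to get tokens
-def sign_in(username:, password:)
+def sign_in(username:, password:, scope: 'openid')
 client.post do |req|
 req.url "/oauth2/#{auth_server_id}/v1/token"
 req.headers['Content-Type'] = 'application/x-www-form-urlencoded'
 req.headers['Authorization'] = 'Basic: ' + Base64.strict_encode64("#{client_id}:#{client_secret}")
-req.body = URI.encode_www_form username: username, password: password, scope: 'openid', grant_type: 'password'
+req.body = URI.encode_www_form username: username, password: password, scope: scope, grant_type: 'password'
 end
 end
 
@@ -47,12 +47,14 @@ module Okta
 
 # extract public key from metadata's jwks_uri using kid
 def get_jwk(token)
-kid = JSON.parse(Base64.decode64(token.split('.').first))['kid']
+header, payload = token.split('.').first(2).map{|encoded| JSON.parse(Base64.decode64(encoded))}
+
+kid = header['kid']
 return JWKS_CACHE[kid] if JWKS_CACHE[kid] # cache hit
 
 logger.info("[Okta::Jwt] Fetching public key: kid => #{kid} ...")
 jwks_response = client.get do |req|
-req.url get_metadata(token)['jwks_uri']
+req.url get_metadata(payload)['jwks_uri']
 end
 jwk = JSON.parse(jwks_response.body)['keys'].find do |key|
 key.dig('kid') == kid
@@ -63,9 +65,15 @@ module Okta
 end
 
 # fetch client metadata using cid/aud
-def get_metadata(token)
-payload = JSON.parse(Base64.decode64(token.split('.')[1]))
-client_id = payload['cid'] || payload['aud'] # id_token has client_id value under aud key
+def get_metadata(payload)
+auth_server_id = payload['iss'].split('/').last # iss: "https://<org>.oktapreview.com/oauth2/<auth_server_id>"
+client_id = payload['cid'] || payload['aud'] # id_token has client_id value under aud key
+
+client = Faraday.new(url: payload['iss']) do |f|
+f.use Faraday::Adapter::NetHttp
+f.headers['Accept'] = 'application/json'
+end
+
 metadata_response = client.get do |req|
 req.url "/oauth2/#{auth_server_id}/.well-known/oauth-authorization-server?client_id=#{client_id}"
 end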
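Review bot: In get_metadata, `payload['iss']` is read from the not-yet-verified token and becomes the base URL of the new Faraday client, and through the returned metadata's `jwks_uri` in get_jwk it also selects the key set that validates that same token, so verification is only as trustworthy as whichever issuer the token names; the issuer must be pinned to a configured trusted value before any request is made, e.g. `iss = URI(payload['iss'].to_s)` followed by `raise ArgumentError, 'untrusted issuer' unless issuer_url && iss.scheme == 'https' && iss.host == URI(issuer_url).host` at the top of the method (assuming `issuer_url` here resolves to the accessor declared at the top of the first hunk), and the README note in this commit saying a verifier need not store anything client-side should be revised to match. Relatedly, JWKS_CACHE is keyed by `kid` alone, so a key fetched for one issuer can satisfy a later token naming another; keying the cache by issuer and kid closes that. The new decoding line in get_jwk uses `Base64.decode64` on JWT segments, which are base64url-encoded, so `Base64.urlsafe_decode64` is the matching decoder. get_metadata continues past the end of the last hunk.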
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: okta-jwt
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Damir Roso
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-12-05 00:00:00.000000000 Z
11
+ date: 2018-12-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler