okta-jwt 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d86a02a18fafb45fcc0bb032360de8c925c084fb53e6d6cc1eba219befcc353a
-  data.tar.gz: 98c2c4cfd3e45288de02c616a97660135ec77e21223b071191d2e1f49847dc54
+  metadata.gz: c36ef2a88c57081ef6bcc849ed38d9748a5ecde2e22ca97736f450279ae7c06d
+  data.tar.gz: 33d2250564526da5d3fa3afad60b64938445bd7af8b8114d63d4df2d03e02cbc
 SHA512:
-  metadata.gz: 67f895b7796bfd0279c0225b806a36396bc53fadeee8f86ddad66de19f853e4727edda2027015182a987f2b478cabe22baf9cf77c23e1d9f1d424455a28d24d7
-  data.tar.gz: 4cb76774add99285f65827fb7d3ef7d9a64ad4a7753fbb84be25cad44860d28724cceca9652f20372d94d2c7a2105224a90f2de014188b4c54d1cadc68e06fd8
+  metadata.gz: 7076073b437641283faf8636a55e043852892ab63ca34687969ca8b09e27445978cdef92907dddbc469194fbdec8239eb45d9055e39bf543e6221e89634bc742
+  data.tar.gz: b7a62844e4ec132db22b68188896e38546336a2e89f51471f96657120b361d0c7eba6e71a00d9fcf71beec8d42d2fa8133bc540176ab7ddbcf1e4ee6dd80014b

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    okta-jwt (0.2.0)
+    okta-jwt (0.3.0)
       faraday
       json-jwt
 

data/README.md

@@ -20,20 +20,23 @@ Or install it yourself as:
 
 ## Usage
 
-Configure the client:
+Configure the client to sign in user (optional):
 
 ```ruby
-Okta::Jwt.configure! issuer_url:     'https://organization.oktapreview.com,
-                     auth_server_id: 'auth_server_id,
-                     client_id:      'client_id,        # optional, used to sign in users
-                     client_secret:  'client_secret,    # optional, used to sign in users
-                     logger:         Logger.new(STDOUT) # optional
+# client for resource owner password flow
+Okta::Jwt.configure_client!(
+	issuer_url:     'https://organization.oktapreview.com,
+	auth_server_id: 'auth_server_id,
+	client_id:      'client_id,
+	client_secret:  'client_secret,
+	slogger:         Logger.new(STDOUT) # optional
+)
 ```
 
-Sign in user to get tokens:
+Sign in user to get tokens (default scope is openid):
 
 ```ruby
-auth_response = Okta::Jwt.sign_in(username: 'user@example.org', password: 'password')
+auth_response = Okta::Jwt.sign_in(username: 'user@example.org', password: 'password', scope: 'openid my_scope')
 parsed_auth_response = JSON.parse(auth_response.body)
 ```
 
@@ -43,6 +46,7 @@ Verify tokens:
 verified_id_token = Okta::Jwt.verify_token(parsed_auth_response['id_token'])
 verified_access_token = Okta::Jwt.verify_token(parsed_auth_response['access_token'])
 ```
+NOTE: tokens are validated using data from header and payload: kid, iss and cid/aud. If you are just verifying the tokens there is no need to store anything at the client side. 
 
 ## Development
 

data/lib/okta/jwt/version.rb

@@ -1,5 +1,5 @@
 module Okta
   module Jwt
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

data/lib/okta/jwt.rb

@@ -15,8 +15,8 @@ module Okta
       attr_accessor :issuer_url, :auth_server_id, :client_id, :client_secret, :public_key_ttl, :client, :logger
     end
   
-    # configure the client
-    def configure!(issuer_url:, auth_server_id:, client_id: nil, client_secret: nil, logger: Logger.new(IO::NULL))
+    # configure the client for signing in
+    def configure_client!(issuer_url:, auth_server_id:, client_id:, client_secret:, logger: Logger.new(IO::NULL))
       @issuer_url     = issuer_url
       @auth_server_id = auth_server_id
       @client_id      = client_id
@@ -30,12 +30,12 @@ module Okta
     end
   
     # sign in user to get tokens
-    def sign_in(username:, password:)
+    def sign_in(username:, password:, scope: 'openid')
       client.post do |req|
         req.url "/oauth2/#{auth_server_id}/v1/token"
         req.headers['Content-Type']   = 'application/x-www-form-urlencoded'
         req.headers['Authorization']  = 'Basic: ' + Base64.strict_encode64("#{client_id}:#{client_secret}")
-        req.body = URI.encode_www_form username: username, password: password, scope: 'openid', grant_type: 'password'
+        req.body = URI.encode_www_form username: username, password: password, scope: scope, grant_type: 'password'
       end
     end
   
@@ -47,12 +47,14 @@ module Okta
   
     # extract public key from metadata's jwks_uri using kid
     def get_jwk(token)
-      kid = JSON.parse(Base64.decode64(token.split('.').first))['kid']
+      header, payload = token.split('.').first(2).map{|encoded| JSON.parse(Base64.decode64(encoded))}
+
+      kid = header['kid']
       return JWKS_CACHE[kid] if JWKS_CACHE[kid] # cache hit
   
       logger.info("[Okta::Jwt] Fetching public key: kid => #{kid} ...")
       jwks_response = client.get do |req|
-        req.url get_metadata(token)['jwks_uri']
+        req.url get_metadata(payload)['jwks_uri']
       end
       jwk = JSON.parse(jwks_response.body)['keys'].find do |key|
         key.dig('kid') == kid
@@ -63,9 +65,15 @@ module Okta
     end
   
     # fetch client metadata using cid/aud
-    def get_metadata(token)
-      payload = JSON.parse(Base64.decode64(token.split('.')[1]))
-      client_id = payload['cid'] || payload['aud'] # id_token has client_id value under aud key
+    def get_metadata(payload)
+      auth_server_id  = payload['iss'].split('/').last    # iss: "https://<org>.oktapreview.com/oauth2/<auth_server_id>"
+      client_id       = payload['cid'] || payload['aud']  # id_token has client_id value under aud key
+
+      client = Faraday.new(url: payload['iss']) do |f|
+        f.use Faraday::Adapter::NetHttp
+        f.headers['Accept'] = 'application/json'
+      end
+
       metadata_response = client.get do |req|
         req.url "/oauth2/#{auth_server_id}/.well-known/oauth-authorization-server?client_id=#{client_id}"
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: okta-jwt
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Damir Roso
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-12-05 00:00:00.000000000 Z
+date: 2018-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler