okta-jwt 0.4.0 → 0.5.0
- checksums.yaml +4 -4
- data/Gemfile.lock +2 -2
- data/README.md +9 -9
- data/lib/okta/jwt.rb +20 -22
- data/lib/okta/jwt/version.rb +1 -1
- metadata +2 -2
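--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c95b336fb7297f4ebb61661e9be2f297120140df657acb290b04b7568313bb33
+data.tar.gz: 8d9397202b711994674e159f7b8e4c95cddefe06e47aacbd72feffd8d9782bdf
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e86570f91963ca59a3e140069e4e7eb50885d31935d633651935593303deccb230abc7d1707b115ab4236b90603d6adaa312c1e15837a21f7edfe2276492de9b
+data.tar.gz: 2be63b2da3ec1632fb2337417c51f6d2a8531fda8e016be897ba2ed4557c13d9bd21c8accca341fed0c440d61bd5bd254ccab60fcfdae2e25ca25e57fe43bbb3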
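--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-okta-jwt (0.
+okta-jwt (0.5.0)
 faraday
 json-jwt
 
@@ -19,7 +19,7 @@ GEM
 diff-lcs (1.3)
 faraday (0.15.4)
 multipart-post (>= 1.2, < 3)
-i18n (1.
+i18n (1.2.0)
 concurrent-ruby (~> 1.0)
 json-jwt (1.9.4)
 activesupport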
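--- a/data/README.md
+++ b/data/README.md
@@ -25,11 +25,9 @@ Configure the client to sign in user (optional):
 ```ruby
 # client for resource owner password flow
 Okta::Jwt.configure_client!(
-issuer: 'https://<org>.oktapreview.com/oauth2<auth_server_id
-client_id: 'client_id,
-client_secret: 'client_secret
-logger: Logger.new(STDOUT) # optional
-)
+issuer: 'https://<org>.oktapreview.com/oauth2<auth_server_id>',
+client_id: 'client_id',
+client_secret: 'client_secret')
 ```
 
 Sign in user to get access token (default scope is openid):
@@ -41,18 +39,20 @@ auth_response = Okta::Jwt.sign_in(
 scope: 'openid my_scope'
 )
 parsed_auth_response = JSON.parse(auth_response.body)
-access_token = parsed_auth_response['
+access_token = parsed_auth_response['access_token']
 ```
 
-Verify access token:
+Verify access token (signature + claims):
 
 ```ruby
+Okta::Jwt.logger = Logger.new(STDOUT) # set optional logger
 verified_access_token = Okta::Jwt.verify_token(access_token,
-issuer: 'https://<org>.oktapreview.com/oauth2<auth_server_id
-audience: '
+issuer: 'https://<org>.oktapreview.com/oauth2<auth_server_id>',
+audience: 'development',
 client_id: 'client_id'
 )
 ```
+NOTE: You can pass multiple client ids as an array if needed.
 
 ## Development
 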
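--- a/data/lib/okta/jwt.rb
+++ b/data/lib/okta/jwt.rb
@@ -14,26 +14,20 @@ module Okta
 JWKS_CACHE = {}
 
 class << self
-attr_accessor :issuer, :auth_server_id, :client_id, :client_secret, :
+attr_accessor :issuer, :auth_server_id, :client_id, :client_secret, :logger
 end
 
 # configure the client for signing in
-def configure_client!(issuer:, client_id:, client_secret
+def configure_client!(issuer:, client_id:, client_secret:)
 @issuer = issuer
 @client_id = client_id
 @client_secret = client_secret
-@logger = logger
 @auth_server_id = issuer.split('/').last
-
-@client = Faraday.new(url: issuer) do |f|
-f.use Faraday::Adapter::NetHttp
-f.headers['Accept'] = 'application/json'
-end
 end
 
 # sign in user to get tokens
 def sign_in(username:, password:, scope: 'openid')
-client.post do |req|
+client(issuer).post do |req|
 req.url "/oauth2/#{auth_server_id}/v1/token"
 req.headers['Content-Type'] = 'application/x-www-form-urlencoded'
 req.headers['Authorization'] = 'Basic: ' + Base64.strict_encode64("#{client_id}:#{client_secret}")
@@ -48,7 +42,7 @@ module Okta
 # validate claims
 raise InvalidToken.new('Invalid issuer') if payload['iss'] != issuer
 raise InvalidToken.new('Invalid audience') if payload['aud'] != audience
-raise InvalidToken.new('Invalid client') if payload['cid']
+raise InvalidToken.new('Invalid client') if !Array(client_id).include?(payload['cid'])
 raise InvalidToken.new('Token is expired') if payload['exp'].to_i <= Time.now.to_i
 
 # validate signature
@@ -58,12 +52,14 @@ module Okta
 
 # extract public key from metadata's jwks_uri using kid
 def get_jwk(header, payload)
-
 kid = header['kid']
-
+
+# cache hit
+return JWKS_CACHE[kid] if JWKS_CACHE[kid]
 
-
-
+# fetch jwk
+logger.info("[Okta::Jwt] Fetching public key: kid => #{kid} ...") if logger
+jwks_response = client(payload['iss']).get do |req|
 req.url get_metadata(payload)['jwks_uri']
 end
 jwk = JSON.parse(jwks_response.body)['keys'].find do |key|
@@ -76,18 +72,20 @@ module Okta
 
 # fetch client metadata using cid/aud
 def get_metadata(payload)
-auth_server_id
-client_id
+auth_server_id = payload['iss'].split('/').last # iss: "https://<org>.oktapreview.com/oauth2/<auth_server_id>"
+client_id = payload['cid']
+metadata_response = client(payload['iss']).get do |req|
+req.url "/oauth2/#{auth_server_id}/.well-known/oauth-authorization-server?client_id=#{client_id}"
+end
+JSON.parse(metadata_response.body)
+end
 
-
+# init client
+def client(issuer)
+Faraday.new(url: issuer) do |f|
 f.use Faraday::Adapter::NetHttp
 f.headers['Accept'] = 'application/json'
 end
-
-metadata_response = client.get do |req|
-req.url "/oauth2/#{auth_server_id}/.well-known/oauth-authorization-server?client_id=#{client_id}"
-end
-JSON.parse(metadata_response.body)
 end
 end
 end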
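Review bot: In get_jwk (third hunk, new lines 57-58) the JWKS cache is keyed on `kid` alone while the key is now fetched from `client(payload['iss'])`, so a key cached for one issuer would be handed back for a token from another issuer that reuses the same kid, and entries never expire or get refreshed. The issuer comparison on new line 43 appears to run before the signature step, which confines the exposure to deployments that verify tokens from more than one issuer, but scoping the cache by issuer costs one line: `cache_key = "#{payload['iss']}##{kid}"` and `return JWKS_CACHE[cache_key] if JWKS_CACHE[cache_key]`, with the matching store where the fetched jwk is written (past the end of the hunk, as is the rest of get_jwk). In the second hunk, new line 45 reads better in the idiomatic form `raise InvalidToken, 'Invalid client' unless Array(client_id).include?(payload['cid'])`.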
data/lib/okta/jwt/version.rb
CHANGED
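--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: okta-jwt
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.5.0
 platform: ruby
 authors:
 - Damir Roso
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-12-
+date: 2018-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler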