okta-jwt 0.4.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +2 -2
- data/README.md +9 -9
- data/lib/okta/jwt.rb +20 -22
- data/lib/okta/jwt/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c95b336fb7297f4ebb61661e9be2f297120140df657acb290b04b7568313bb33
|
|
4
|
+
data.tar.gz: 8d9397202b711994674e159f7b8e4c95cddefe06e47aacbd72feffd8d9782bdf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e86570f91963ca59a3e140069e4e7eb50885d31935d633651935593303deccb230abc7d1707b115ab4236b90603d6adaa312c1e15837a21f7edfe2276492de9b
|
|
7
|
+
data.tar.gz: 2be63b2da3ec1632fb2337417c51f6d2a8531fda8e016be897ba2ed4557c13d9bd21c8accca341fed0c440d61bd5bd254ccab60fcfdae2e25ca25e57fe43bbb3
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
okta-jwt (0.
|
|
4
|
+
okta-jwt (0.5.0)
|
|
5
5
|
faraday
|
|
6
6
|
json-jwt
|
|
7
7
|
|
|
@@ -19,7 +19,7 @@ GEM
|
|
|
19
19
|
diff-lcs (1.3)
|
|
20
20
|
faraday (0.15.4)
|
|
21
21
|
multipart-post (>= 1.2, < 3)
|
|
22
|
-
i18n (1.
|
|
22
|
+
i18n (1.2.0)
|
|
23
23
|
concurrent-ruby (~> 1.0)
|
|
24
24
|
json-jwt (1.9.4)
|
|
25
25
|
activesupport
|
data/README.md
CHANGED
|
@@ -25,11 +25,9 @@ Configure the client to sign in user (optional):
|
|
|
25
25
|
```ruby
|
|
26
26
|
# client for resource owner password flow
|
|
27
27
|
Okta::Jwt.configure_client!(
|
|
28
|
-
issuer: 'https://<org>.oktapreview.com/oauth2<auth_server_id
|
|
29
|
-
client_id: 'client_id,
|
|
30
|
-
client_secret: 'client_secret
|
|
31
|
-
logger: Logger.new(STDOUT) # optional
|
|
32
|
-
)
|
|
28
|
+
issuer: 'https://<org>.oktapreview.com/oauth2<auth_server_id>',
|
|
29
|
+
client_id: 'client_id',
|
|
30
|
+
client_secret: 'client_secret')
|
|
33
31
|
```
|
|
34
32
|
|
|
35
33
|
Sign in user to get access token (default scope is openid):
|
|
@@ -41,18 +39,20 @@ auth_response = Okta::Jwt.sign_in(
|
|
|
41
39
|
scope: 'openid my_scope'
|
|
42
40
|
)
|
|
43
41
|
parsed_auth_response = JSON.parse(auth_response.body)
|
|
44
|
-
access_token = parsed_auth_response['
|
|
42
|
+
access_token = parsed_auth_response['access_token']
|
|
45
43
|
```
|
|
46
44
|
|
|
47
|
-
Verify access token:
|
|
45
|
+
Verify access token (signature + claims):
|
|
48
46
|
|
|
49
47
|
```ruby
|
|
48
|
+
Okta::Jwt.logger = Logger.new(STDOUT) # set optional logger
|
|
50
49
|
verified_access_token = Okta::Jwt.verify_token(access_token,
|
|
51
|
-
issuer: 'https://<org>.oktapreview.com/oauth2<auth_server_id
|
|
52
|
-
audience: '
|
|
50
|
+
issuer: 'https://<org>.oktapreview.com/oauth2<auth_server_id>',
|
|
51
|
+
audience: 'development',
|
|
53
52
|
client_id: 'client_id'
|
|
54
53
|
)
|
|
55
54
|
```
|
|
55
|
+
NOTE: You can pass multiple client ids as an array if needed.
|
|
56
56
|
|
|
57
57
|
## Development
|
|
58
58
|
|
data/lib/okta/jwt.rb
CHANGED
|
@@ -14,26 +14,20 @@ module Okta
|
|
|
14
14
|
JWKS_CACHE = {}
|
|
15
15
|
|
|
16
16
|
class << self
|
|
17
|
-
attr_accessor :issuer, :auth_server_id, :client_id, :client_secret, :
|
|
17
|
+
attr_accessor :issuer, :auth_server_id, :client_id, :client_secret, :logger
|
|
18
18
|
end
|
|
19
19
|
|
|
20
20
|
# configure the client for signing in
|
|
21
|
-
def configure_client!(issuer:, client_id:, client_secret
|
|
21
|
+
def configure_client!(issuer:, client_id:, client_secret:)
|
|
22
22
|
@issuer = issuer
|
|
23
23
|
@client_id = client_id
|
|
24
24
|
@client_secret = client_secret
|
|
25
|
-
@logger = logger
|
|
26
25
|
@auth_server_id = issuer.split('/').last
|
|
27
|
-
|
|
28
|
-
@client = Faraday.new(url: issuer) do |f|
|
|
29
|
-
f.use Faraday::Adapter::NetHttp
|
|
30
|
-
f.headers['Accept'] = 'application/json'
|
|
31
|
-
end
|
|
32
26
|
end
|
|
33
27
|
|
|
34
28
|
# sign in user to get tokens
|
|
35
29
|
def sign_in(username:, password:, scope: 'openid')
|
|
36
|
-
client.post do |req|
|
|
30
|
+
client(issuer).post do |req|
|
|
37
31
|
req.url "/oauth2/#{auth_server_id}/v1/token"
|
|
38
32
|
req.headers['Content-Type'] = 'application/x-www-form-urlencoded'
|
|
39
33
|
req.headers['Authorization'] = 'Basic: ' + Base64.strict_encode64("#{client_id}:#{client_secret}")
|
|
@@ -48,7 +42,7 @@ module Okta
|
|
|
48
42
|
# validate claims
|
|
49
43
|
raise InvalidToken.new('Invalid issuer') if payload['iss'] != issuer
|
|
50
44
|
raise InvalidToken.new('Invalid audience') if payload['aud'] != audience
|
|
51
|
-
raise InvalidToken.new('Invalid client') if payload['cid']
|
|
45
|
+
raise InvalidToken.new('Invalid client') if !Array(client_id).include?(payload['cid'])
|
|
52
46
|
raise InvalidToken.new('Token is expired') if payload['exp'].to_i <= Time.now.to_i
|
|
53
47
|
|
|
54
48
|
# validate signature
|
|
@@ -58,12 +52,14 @@ module Okta
|
|
|
58
52
|
|
|
59
53
|
# extract public key from metadata's jwks_uri using kid
|
|
60
54
|
def get_jwk(header, payload)
|
|
61
|
-
|
|
62
55
|
kid = header['kid']
|
|
63
|
-
|
|
56
|
+
|
|
57
|
+
# cache hit
|
|
58
|
+
return JWKS_CACHE[kid] if JWKS_CACHE[kid]
|
|
64
59
|
|
|
65
|
-
|
|
66
|
-
|
|
60
|
+
# fetch jwk
|
|
61
|
+
logger.info("[Okta::Jwt] Fetching public key: kid => #{kid} ...") if logger
|
|
62
|
+
jwks_response = client(payload['iss']).get do |req|
|
|
67
63
|
req.url get_metadata(payload)['jwks_uri']
|
|
68
64
|
end
|
|
69
65
|
jwk = JSON.parse(jwks_response.body)['keys'].find do |key|
|
|
@@ -76,18 +72,20 @@ module Okta
|
|
|
76
72
|
|
|
77
73
|
# fetch client metadata using cid/aud
|
|
78
74
|
def get_metadata(payload)
|
|
79
|
-
auth_server_id
|
|
80
|
-
client_id
|
|
75
|
+
auth_server_id = payload['iss'].split('/').last # iss: "https://<org>.oktapreview.com/oauth2/<auth_server_id>"
|
|
76
|
+
client_id = payload['cid']
|
|
77
|
+
metadata_response = client(payload['iss']).get do |req|
|
|
78
|
+
req.url "/oauth2/#{auth_server_id}/.well-known/oauth-authorization-server?client_id=#{client_id}"
|
|
79
|
+
end
|
|
80
|
+
JSON.parse(metadata_response.body)
|
|
81
|
+
end
|
|
81
82
|
|
|
82
|
-
|
|
83
|
+
# init client
|
|
84
|
+
def client(issuer)
|
|
85
|
+
Faraday.new(url: issuer) do |f|
|
|
83
86
|
f.use Faraday::Adapter::NetHttp
|
|
84
87
|
f.headers['Accept'] = 'application/json'
|
|
85
88
|
end
|
|
86
|
-
|
|
87
|
-
metadata_response = client.get do |req|
|
|
88
|
-
req.url "/oauth2/#{auth_server_id}/.well-known/oauth-authorization-server?client_id=#{client_id}"
|
|
89
|
-
end
|
|
90
|
-
JSON.parse(metadata_response.body)
|
|
91
89
|
end
|
|
92
90
|
end
|
|
93
91
|
end
|
data/lib/okta/jwt/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: okta-jwt
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Damir Roso
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-12-
|
|
11
|
+
date: 2018-12-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|