omniauth-authentiq 0.2.2 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8560d7ad601092c667fe1c25e4455a0131bb7c38
-  data.tar.gz: 38099791a64a96d54f65c5b9a0e18505a985512c
+  metadata.gz: 5d7e7b3e51f99cded0ba659c1161ece4f4f0d0c3
+  data.tar.gz: fb5c1e16c513836280b96a756789d79eeb38c4fe
 SHA512:
-  metadata.gz: a6c4d1d27f4f163e5ff83b9e43f140a63356f5fcccf8c6e74872b00094759cbb09fc775eeaa92cd4ee5cf0fd7b7ae682cc081e8483bb55503c4a06989c1ff40e
-  data.tar.gz: 87920c93b8f43e0a62df1afa4e3026ad75bec0b2e97e7d590f4f6fb0ab1a53e38d88a303ab0548ab3e0ec12d9ec25a173c27eb5735689548dab828df2351e9e5
+  metadata.gz: ff537913cec88b237d0820091b988dec465f6c981e4a2c52b3fd93ee49c4f707dd5d39c7c489ae258fa0adbc63f7ea6df0a592efac508821f1c57777d203323f
+  data.tar.gz: a7b172b8ff284d0fd07c085e6fcc59e5adfd85dcbbfdb899d6b681508a16fef0bb1575bd22120e3c08dc3051d50f6d205998064d80c9c5ae7d4a5fee6a02fd65

data/.gitignore

@@ -15,6 +15,5 @@
 InstalledFiles
 lib/bundler/man
 rdoc
-omniauth-authentiq-0.2.0.gem
-omniauth-authentiq-0.2.1.gem
+omniauth-authentiq-*
 .ruby-version

data/README.md

@@ -1,14 +1,15 @@
 # OmniAuth Authentiq
 
 Official [OmniAuth](https://github.com/omniauth/omniauth/wiki) strategy for authenticating with an  Authentiq ID mobile app ([iOS](https://itunes.apple.com/us/app/authentiq-id/id964932341),  [Android](https://play.google.com/store/apps/details?id=com.authentiq.authentiqid)).
-Application credentials can be obtained [at Authentiq](https://www.authentiq.com/register/?utm_source=github&utm_medium=readme&utm_campaign=omniauth).
+
+Application credentials (YOUR_CLIENT_ID and YOUR_CLIENT_SECRET below) can be obtained [at Authentiq](https://www.authentiq.com/register/?utm_source=github&utm_medium=readme&utm_campaign=omniauth).
 
 ## Installation
 
 Add this line to your application's Gemfile
 
 ```ruby
-gem 'omniauth-authentiq', '~> 0.2.0'
+gem 'omniauth-authentiq', '~> 0.2.3'
 ```
 
 Then bundle:
@@ -20,41 +21,17 @@ Then bundle:
 ```ruby
 use OmniAuth::Builder do
   provider :authentiq, ENV['AUTHENTIQ_KEY'], ENV['AUTHENTIQ_SECRET'],
-           scope: 'aq:name email~rs aq:push'
-end
-```
-
-# Scopes
-
-Authentiq adds the capability to request personal information like name, email, phone number, and address from the Authentiq ID app ([iOS](https://itunes.apple.com/us/app/authentiq-id/id964932341),  [Android](https://play.google.com/store/apps/details?id=com.authentiq.authentiqid)).
-During authentication, and only after the user consents, this information will be shared by the Authentiq ID app.
-
-Requesting specific information or "scopes" is done by modifying the `scope` parameter in the basic usage example above.
-Depending on your implementation, you may also need to provide the `redirect_uri` parameter. 
-
-Example:
-```ruby
-use OmniAuth::Builder do
-  provider :authentiq, ENV['AUTHENTIQ_KEY'], ENV['AUTHENTIQ_SECRET'], 
-           scope: 'aq:name email~rs aq:push phone address',
-           redirect_uri: '<REDIRECT_URI>'
+           scope: 'aq:name email~rs aq:push',
+           enable_remote_sign_out: false
 end
 ```
 
-Available scopes are: 
-- `aq:name` for Name
-- `email` for Email
-- `phone` for Phone
-- `address` for Address
-- `aq:location` for Location (geo coordinates)
-- `aq:push` to request permission to sign in via Push Notifications in the Authentiq ID app
-
-Append `~r` to a scope to explicitly require it from the user.
-
-Append `~s` to phone or email scope to explicitly require a verified (signed) scope.
-
-The `~s` and `~r` can be combined to `~rs` to indicate that the scope is both required and should be / have been verified.
+You can read the wiki for more extensive infomation on how to use the Authentiq Omniauth strategy for your rails application
 
+* [Homepage](https://github.com/AuthentiqID/omniauth-authentiq/wiki)
+* [Installation and basic usage](https://github.com/AuthentiqID/omniauth-authentiq/wiki/Installation-and-basic-usage)
+* [Scopes, redirect uri configuration and response data](https://github.com/AuthentiqID/omniauth-authentiq/wiki/Scopes,-redirect-URI-configuration-and-responses)
+* [Remote Logout (Backchannel-logout)](https://github.com/AuthentiqID/omniauth-authentiq/wiki/Remote-logout)
 
 ## Tests
 
@@ -62,4 +39,4 @@ Tests are coming soon.
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/AuthentiqID/omniauth-authentiq.
+Bug reports and pull requests are welcome [here](https://github.com/AuthentiqID/omniauth-authentiq)

data/lib/omniauth/authentiq/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Authentiq
-    VERSION = "0.2.2"
+    VERSION = "0.2.3"
   end
 end

data/lib/omniauth/strategies/authentiq.rb

@@ -3,29 +3,26 @@ require 'omniauth-oauth2'
 module OmniAuth
   module Strategies
     class Authentiq < OmniAuth::Strategies::OAuth2
-      #Set the base URL
+      autoload :BackChannelLogoutRequest, 'omniauth/strategies/oidc/back_channel_logout_request'
+
       BASE_URL = 'https://connect.authentiq.io/'
 
-      # Authentiq strategy name
       option :name, 'authentiq'
 
-      # Build the basic client options (url, authorization url, token url)
       option :client_options, {
           :site => BASE_URL,
           :authorize_url => '/authorize',
           :token_url => '/token'
       }
 
-      # Get options from parameters
-      option :authorize_options, [:scope, :display]
+      option :authorize_options, [:scope]
 
       # These are called after authentication has succeeded. If
       # possible, you should try to set the UID without making
-      # additional calls (if the user id is returned with the token
-      # or as a URI parameter). This may not be possible with all
-      # providers.
+      # additional calls (if the user id is returned with the
+      # token or as a URI parameter). This may not be possible
+      # with all providers.
 
-      # Get the user id from raw info
       uid { raw_info['sub'] }
 
       info do
@@ -51,18 +48,51 @@ module OmniAuth
         }.reject { |k, v| v.nil? }
       end
 
+      def request_phase
+        add_openid
+        super
+      end
+
       def raw_info
-        @raw_info ||= access_token.get('/userinfo').parsed
+        @raw_info ||= decode_idtoken(access_token.params['id_token'])
+        request.update_param('sid', @raw_info['sid'])
+        @raw_info
       end
 
-      # Over-ride callback_url definition to maintain
-      # compatibility with omniauth-oauth2 >= 1.4.0
-      #
-      # See: https://github.com/intridea/omniauth-oauth2/issues/81
       def callback_url
-        # Fixes regression in omniauth-oauth2 v1.4.0 by https://github.com/intridea/omniauth-oauth2/commit/85fdbe117c2a4400d001a6368cc359d88f40abc7
         options[:callback_url] || (full_host + script_name + callback_path)
       end
+
+      def callback_phase
+        should_sign_out? ? sign_out_phase : super
+      end
+
+      def add_openid
+        unless options.scope.split.include? 'openid'
+          options.scope = options.scope.split.push('openid').join(' ')
+        end
+      end
+
+      def decode_idtoken(idtoken)
+        @jwt_info = JWT.decode idtoken, nil, false
+        @jwt_info[0]
+      end
+
+      def should_sign_out?
+        request.post? && request.params.has_key?('logout_token')
+      end
+
+      def sign_out_phase
+        if options[:enable_remote_sign_out]
+          backchannel_logout_request.new(self, request).call(options)
+        end
+      end
+
+      private
+
+      def backchannel_logout_request
+        BackChannelLogoutRequest
+      end
     end
   end
-end
+end

data/lib/omniauth/strategies/oidc/back_channel_logout_request.rb

@@ -0,0 +1,103 @@
+module OmniAuth
+  module Strategies
+    class Authentiq
+      class BackChannelLogoutRequest
+
+        def initialize(strategy, request)
+          @strategy, @request = strategy, request
+        end
+
+        def call(options = {})
+          @options = options
+
+          begin
+            # for sign_out_callback.call(*back_channel_logout_request) to execute
+            # a proc must be set in the devise.rb initializer of the rails app
+            result = sign_out_callback.call(*back_channel_logout_request)
+          rescue StandardError => err
+            result = back_channel_logout_response(400, [err.to_s])
+          else
+            if result
+              result = back_channel_logout_response(200, ['Logout succeeded'])
+            else
+              result = back_channel_logout_response(501, ['Authentiq session does not exist'])
+            end
+          ensure
+            return unless result
+            return result.finish
+          end
+        end
+
+        private
+
+        def back_channel_logout_request
+          @logout_request || begin
+            decode_logout_token(@request.params['logout_token'])
+            @request
+          end
+        end
+
+        def decode_logout_token(logout_token)
+          begin
+            logout_jwt = JWT.decode logout_token, @options.client_secret, true, {
+                :algorithm => algorithm,
+                :iss => issuer,
+                :verify_iss => true,
+                :aud => @options.client_id,
+                :verify_aud => true,
+                :verify_iat => true,
+                :verify_jti => true,
+                :verify_sub => true,
+                :leeway => 60
+            }
+            if validate_events(logout_jwt[0]) && validate_nonce(logout_jwt[0]) && validate_sid(logout_jwt[0])
+              @request.update_param('sid', logout_jwt[0]['sid'])
+            else
+              raise 'Logout JWT validation failed. Missing session, events claim or nonce claim is present'
+            end
+          end
+        end
+
+        def validate_events(logout_jwt)
+          logout_jwt.key?('events') &&
+              (logout_jwt['events'][0] == 'http://schemas.openid.net/event/backchannel-logout' ||
+                  logout_jwt['events'].key?('http://schemas.openid.net/event/backchannel-logout'))
+        end
+
+        def validate_nonce(logout_jwt)
+          !logout_jwt.key?('nonce')
+        end
+
+        def sign_out_callback
+          @options[:enable_remote_sign_out]
+        end
+
+        def validate_sid(logout_jwt)
+          logout_jwt.key?('sid')
+        end
+
+        def back_channel_logout_response(code, body)
+          response = Rack::Response.new
+          response.status = code
+          response['Cache-Control'] = 'no-cache, no-store'
+          response['Pragma'] = 'no-cache'
+          response.headers['Content-Type'] = 'text/plain; charset=utf-8'
+          response.body = body
+          response
+        end
+
+        def issuer
+          @options.issuer.nil? ? 'https://connect.authentiq.io/' : @options.issuer
+        end
+
+        def algorithm
+          if @options.algorithm != nil && (%w(HS256 RS256 ES256).include? @options.client_signed_response_alg)
+            @options.client_signed_response_alg
+          else
+            'HS256'
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-authentiq
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - Alexandros Keramidas
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-12-14 00:00:00.000000000 Z
+date: 2017-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -48,6 +48,7 @@ files:
 - lib/omniauth/authentiq.rb
 - lib/omniauth/authentiq/version.rb
 - lib/omniauth/strategies/authentiq.rb
+- lib/omniauth/strategies/oidc/back_channel_logout_request.rb
 - omniauth-authentiq.gemspec
 homepage: https://github.com/AuthentiqID/omniauth-authentiq
 licenses: