omniauth-authentiq 0.2.4 → 0.3.0
- checksums.yaml +4 -4
- data/Gemfile +2 -1
- data/README.md +2 -3
- data/lib/omniauth/authentiq/version.rb +1 -1
- data/lib/omniauth/strategies/authentiq.rb +19 -10
- data/lib/omniauth/strategies/helpers/helpers.rb +10 -0
- data/lib/omniauth/strategies/oidc/back_channel_logout_request.rb +18 -22
- metadata +3 -2
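--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b92dff3fe5645a8c22d26e3622920fb71668a534
+data.tar.gz: b9f25da6236d3573fb99c7743a79632912707611
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0d40049eeb8b95172ae2d8804afe3b9529913c1c4146aac457c8d3a5f1f4642744045fc4b85946681cf579b102593b5f77f4c1d48d01da9565863149e278ea18
+data.tar.gz: d6fc8fdf6090da341bc0b70fdfbe455aab1c6245be9c15c4f985a970b02c6f2cb8ecbaf522b45346e56dfc380499080945bad7918a14c6a13e1bc1d551408f14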
data/Gemfile
CHANGED
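--- a/data/README.md
+++ b/data/README.md
@@ -9,7 +9,7 @@ Application credentials (YOUR_CLIENT_ID and YOUR_CLIENT_SECRET below) can be obt
 Add this line to your application's Gemfile
 
 ```ruby
-gem 'omniauth-authentiq', '~> 0.
+gem 'omniauth-authentiq', '~> 0.3.0'
 ```
 
 Then bundle:
@@ -21,8 +21,7 @@ Then bundle:
 ```ruby
 use OmniAuth::Builder do
 provider :authentiq, ENV['AUTHENTIQ_KEY'], ENV['AUTHENTIQ_SECRET'],
-scope: 'aq:name email~rs aq:push'
-enable_remote_sign_out: false
+scope: 'aq:name email~rs aq:push'
 end
 ```
 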
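--- a/data/lib/omniauth/strategies/authentiq.rb
+++ b/data/lib/omniauth/strategies/authentiq.rb
@@ -1,22 +1,18 @@
 require 'omniauth-oauth2'
-
+require_relative 'helpers/helpers'
 module OmniAuth
 module Strategies
 class Authentiq < OmniAuth::Strategies::OAuth2
 autoload :BackChannelLogoutRequest, 'omniauth/strategies/oidc/back_channel_logout_request'
 
-BASE_URL = 'https://connect.authentiq.io/'
-
 option :name, 'authentiq'
 
 option :client_options, {
-:site =>
-:authorize_url => '/authorize',
-:token_url => '/token'
+:site => 'https://connect.authentiq.io/',
+:authorize_url => 'https://connect.authentiq.io/authorize',
+:token_url => 'https://connect.authentiq.io/token'
 }
 
-option :authorize_options, [:scope]
-
 # These are called after authentication has succeeded. If
 # possible, you should try to set the UID without making
 # additional calls (if the user id is returned with the
@@ -74,8 +70,17 @@ module OmniAuth
 end
 
 def decode_idtoken(idtoken)
-
-
+(JWT.decode idtoken, @options.client_secret, true, {
+:algorithm => helpers.algorithm(@options),
+:iss => @options.client_options.site,
+:verify_iss => true,
+:aud => @options.client_id,
+:verify_aud => true,
+:verify_iat => true,
+:verify_jti => false,
+:verify_sub => true,
+:leeway => 60
+})[0]
 end
 
 def should_sign_out?
@@ -91,6 +96,10 @@ module OmniAuth
 def backchannel_logout_request
 BackChannelLogoutRequest
 end
+
+def helpers
+Helpers
+end
 end
 end
 end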
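Review bot: In the `decode_idtoken` hunk the verification key is always `@options.client_secret`, while the algorithm is whatever `helpers.algorithm(@options)` returns; a shared client secret is only a valid key for HMAC (HS256), so if `Helpers.algorithm` (helpers.rb is not shown on this page) still mirrors the removed `algorithm` method and can yield RS256 or ES256, signature verification would need the provider's public key instead and should not be handed the secret. Either pin the algorithm to HS256 here or document the assumption above the call, e.g. `# client_secret is an HMAC key: Helpers.algorithm must not select RS256/ES256 without a public key`. The `iss` check compares the token's `iss` claim against `@options.client_options.site`, which carries a trailing slash, so this is worth confirming against a real token before release. Dropping `option :authorize_options, [:scope]` in the first hunk also removes the only visible path by which the README's `scope:` setting reaches the authorize request, unless `authorize_params` is overridden outside these hunks. The class body continues outside the hunks.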
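--- a/data/lib/omniauth/strategies/oidc/back_channel_logout_request.rb
+++ b/data/lib/omniauth/strategies/oidc/back_channel_logout_request.rb
@@ -1,3 +1,5 @@
+require_relative '../helpers/helpers'
+
 module OmniAuth
 module Strategies
 class Authentiq
@@ -12,13 +14,19 @@ module OmniAuth
 
 begin
 result = sign_out_callback.call(*back_channel_logout_request)
-rescue StandardError => err
-
+rescue StandardError, ArgumentError, NotImplementedError => err
+if err.class.equal?(ArgumentError)
+result = back_channel_logout_response(400, [err.to_s])
+elsif err.class.equal?(NotImplementedError)
+result = back_channel_logout_response(501, [err.to_s])
+else
+result = back_channel_logout_response(400, [err.to_s])
+end
 else
 if result
 result = back_channel_logout_response(200, ['Logout succeeded'])
 else
-result = back_channel_logout_response(
+result = back_channel_logout_response(404, ['Unknown session'])
 end
 ensure
 return unless result
@@ -38,8 +46,8 @@ module OmniAuth
 def decode_logout_token(logout_token)
 begin
 logout_jwt = JWT.decode logout_token, @options.client_secret, true, {
-:algorithm => algorithm,
-:iss =>
+:algorithm => helpers.algorithm(@options),
+:iss => @options.client_options.site,
 :verify_iss => true,
 :aud => @options.client_id,
 :verify_aud => true,
@@ -51,15 +59,13 @@ module OmniAuth
 if validate_events(logout_jwt[0]) && validate_nonce(logout_jwt[0]) && validate_sid(logout_jwt[0])
 @request.update_param('sid', logout_jwt[0]['sid'])
 else
-raise 'Logout JWT validation failed. Missing session, events claim or nonce claim is present'
+raise(ArgumentError, 'Logout JWT validation failed. Missing session, events claim or nonce claim is present')
 end
 end
 end
 
 def validate_events(logout_jwt)
-logout_jwt.key?('events') &&
-(logout_jwt['events'][0] == 'http://schemas.openid.net/event/backchannel-logout' ||
-logout_jwt['events'].key?('http://schemas.openid.net/event/backchannel-logout'))
+logout_jwt.key?('events') && logout_jwt['events'].key?('http://schemas.openid.net/event/backchannel-logout')
 end
 
 def validate_nonce(logout_jwt)
@@ -71,10 +77,8 @@ module OmniAuth
 @options[:remote_sign_out_handler]
 else
 OmniAuth::logger.send(:warn, 'It look like remote logout is configured on your Authentiq client but \':remote_sign_out_handler\' is not implemented on devise or omniauth')
-raise 'Remote sign out failed because the client\'s \':remote_sign_out_handler\' is not implemented on devise or omniauth'
+raise(NotImplementedError, 'Remote sign out failed because the client\'s \':remote_sign_out_handler\' is not implemented on devise or omniauth')
 end
-
-
 end
 
 def validate_sid(logout_jwt)
@@ -91,16 +95,8 @@ module OmniAuth
 response
 end
 
-def
-
-end
-
-def algorithm
-if @options.algorithm != nil && (%w(HS256 RS256 ES256).include? @options.client_signed_response_alg)
-@options.client_signed_response_alg
-else
-'HS256'
-end
+def helpers
+Helpers
 end
 end
 end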
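Review bot: The generic `else` branch of the new rescue clause (hunk `@@ -12,13 +14,19 @@`) returns `err.to_s` in the 400 response body, so any unexpected StandardError raised by the application's `sign_out_callback`, or a JWT decode error from `decode_logout_token`, has its message echoed to the unauthenticated back-channel caller; keep the message for the two deliberate `ArgumentError`/`NotImplementedError` cases, log the rest, and return a fixed body. `err.class.equal?` is also an exact-class match, so a subclass of `NotImplementedError` would fall through to the 400 branch, whereas `case err when ArgumentError ... when NotImplementedError` handles subclasses and is the idiomatic form. `ArgumentError` need not be listed in the rescue since it is already a StandardError; `NotImplementedError` is not (it is a ScriptError), so it must stay. The enclosing method begins outside the hunk.
```ruby
rescue StandardError, NotImplementedError => err
  result =
    case err
    when ArgumentError then back_channel_logout_response(400, [err.to_s])
    when NotImplementedError then back_channel_logout_response(501, [err.to_s])
    else
      # do not echo arbitrary exception text to the caller; keep it in the log
      OmniAuth.logger.warn("Back-channel logout failed: #{err.class}: #{err}")
      back_channel_logout_response(400, ['Logout request rejected'])
    end
# … unchanged: else / ensure branches …
```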
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: omniauth-authentiq
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Alexandros Keramidas
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-02-
|
11
|
+
date: 2017-02-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: omniauth-oauth2
|
@@ -48,6 +48,7 @@ files:
|
|
48
48
|
- lib/omniauth/authentiq.rb
|
49
49
|
- lib/omniauth/authentiq/version.rb
|
50
50
|
- lib/omniauth/strategies/authentiq.rb
|
51
|
+
- lib/omniauth/strategies/helpers/helpers.rb
|
51
52
|
- lib/omniauth/strategies/oidc/back_channel_logout_request.rb
|
52
53
|
- omniauth-authentiq.gemspec
|
53
54
|
homepage: https://github.com/AuthentiqID/omniauth-authentiq
|