omniauth-azure-activedirectory-v2 2.0.1 → 2.1.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c7b7178785e2c99c41ee6151625a0fe7015b6d739b6acec990869170ccc9279b
4
- data.tar.gz: 212532541fef751fb142fc03c6bcc52edf120300732f0b475c05ee0ac22ee7e1
3
+ metadata.gz: 82d3c5122483452eb3e9b37dba4ae4faab9ccad50e343e8f91834ee87771bcb2
4
+ data.tar.gz: 75cb855f9c40ea1d0d3186dc3282ad89e6054c1da576e8b9d5e5983a5b617a85
5
5
  SHA512:
6
- metadata.gz: 27831a75a2ced722e99022c230d1c2fa9beaeaafc692ccb4248ad58532321895e1b95764a9f25ee031d6c58e8a5dbae6ec4aa1b937988f65a7d43928b32611b2
7
- data.tar.gz: decf7f79d5998bce54df815bf286f681101a8bcdbac134e6c9856c53c619bcd5e218fe9643724f5caaca415911c24f576da25eafe6f76422998d284fc426819a
6
+ metadata.gz: d26b6339a494b85458791b95b52302456f34930d1ea9dd445fdb24b3eda589602ffb5088bfa2ec8c37a71238317c82759dd07b30f0ae4975c2b295bc3ca6e5eb
7
+ data.tar.gz: 6d1ca0c3c8e6946c2a40cbf3939ab6da98e6f6004a600f09b5096d8a2dc0e65643d0b2028d80c5ce91ca5d7f29998c1cec34d4989b6d01d9c070008dfea1e1d0
data/CHANGELOG.md CHANGED
@@ -1,5 +1,13 @@
1
1
  # Change Log
2
2
 
3
+ ## v2.1.0 (2023-09-16)
4
+
5
+ [Implements](https://github.com/RIPAGlobal/omniauth-azure-activedirectory-v2/pull/19) support for custom policies when using Microsoft Azure AD - thanks @stevenchanin!
6
+
7
+ ## v2.0.2 (2023-03-31)
8
+
9
+ [Fixes](https://github.com/RIPAGlobal/omniauth-azure-activedirectory-v2/pull/16) inability to override prompt in authorisation parameters - thanks @lamroger!
10
+
3
11
  ## v2.0.1 (2023-01-11)
4
12
 
5
13
  Renames:
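Review bot: The v2.1.0 entry says custom policies are used "with Microsoft Azure AD", but the README text added in this same change documents the Azure AD B2C token endpoint (`<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token`), which is where custom policies exist; naming Azure AD B2C here would keep the changelog consistent with the README section it points to.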
data/README.md CHANGED
@@ -99,12 +99,25 @@ All of the items listed below are optional, unless noted otherwise. They can be
99
99
  | `client_secret` | **Mandatory.** Client secret for the 'application' (integration) configured on the Azure side. Found via the Azure UI. |
100
100
  | `base_azure_url` | Location of Azure login page, for specialised requirements; default is `OmniAuth::Strategies::AzureActivedirectoryV2::BASE_AZURE_URL` (at the time of writing, this is `https://login.microsoftonline.com`). |
101
101
  | `tenant_id` | _Azure_ tenant ID for multi-tenanted use. Default is `common`. Forms part of the Azure OAuth URL - `{base}/{tenant_id}/oauth2/v2.0/...` |
102
+ | `custom_policy` | _Azure_ custom policy. Default is nil. Forms part of the Azure Token URL - `{base}/{tenant_id}/{custom_policy}/oauth2/v2.0/...` |
102
103
  | `authorize_params` | Additional parameters passed as URL query data in the initial OAuth redirection to Microsoft. See below for more. Empty Hash default. |
103
104
  | `domain_hint` | If defined, sets (overwriting, if already present) `domain_hint` inside `authorize_params`. Default `nil` / none. |
104
105
  | `scope` | If defined, sets (overwriting, if already present) `scope` inside `authorize_params`. Default is `OmniAuth::Strategies::AzureActivedirectoryV2::DEFAULT_SCOPE` (at the time of writing, this is `'openid profile email'`). |
105
106
 
106
107
  In addition, as a special case, if the request URL contains a query parameter `prompt`, then this will be written into `authorize_params` under that key, overwriting if present any other value there. Note that this comes from the current request URL at the time OAuth flow is commencing, _not_ via static options Hash data or via a custom provider class - but you _could_ just as easily set `scope` inside a custom `authorize_params` returned from a provider class, as shown in an example later; the request URL query mechanism is just another way of doing the same thing.
107
108
 
109
+ #### Explaining `custom_policy`
110
+
111
+ In the documentation for [requesting a token](https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens#request-a-token), Microsoft indicate that they want the name of custom policies to be given in the URL rather than in the body of the request:
112
+
113
+ ```
114
+ POST <tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token
115
+ ```
116
+
117
+ When the underlying `oath2` gem creates the request for getting a token via POST, it places all `params` (which would include anything you've provided in the normal configuration to name your custom policy) in the `body` of the request. Unfortunately, Microsoft ignores custom policies in the body and only looks for them in the URL.
118
+
119
+ If you set a `custom_policy` in your configuration, it will be included in the URL between the `tenant_id` and the remaining parts of the path (`/oauth2/v2.0/token`).
120
+
108
121
  #### Explaining `authorize_params`
109
122
 
110
123
  The `authorize_params` hash-like object contains key-value pairs which are transformed into URL query string data and added to existing standard OAuth query data in the URL used for the initial redirection from your web site, to the Microsoft Azure AD login page, at the start of OAuth flow. You can find these listed some way down the table just below an OAuth URL example at:
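Review bot: The new `custom_policy` row and the "Explaining `custom_policy`" section should say explicitly that the policy name is inserted into the token URL only and that the authorize URL is left unchanged; "Forms part of the Azure Token URL" plus the `{base}/{tenant_id}/{custom_policy}/oauth2/v2.0/...` pattern invites readers to assume both endpoints gain the segment. Two smaller points: "the underlying `oath2` gem" should read `oauth2`, and since the value is placed directly into the URL path, the section should state that it must be a plain policy name (no `/`, `?` or other path-affecting characters), so users do not pass anything that would alter the request path.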
@@ -151,12 +164,23 @@ In method `#authorize_params` above, the request object is used to look for a `l
151
164
 
152
165
 
153
166
 
154
-
155
167
  ## Contributing
156
168
 
157
169
  Bug reports and pull requests are welcome on GitHub at https://github.com/RIPAGlobal/omniauth-azure-activedirectory-v2. This project is intended to be a safe, welcoming space for collaboration so contributors must adhere to the [code of conduct](https://github.com/RIPAGlobal/omniauth-azure-activedirectory-v2/blob/master/CODE_OF_CONDUCT.md).
158
170
 
171
+ ### Getting running
172
+
173
+ * Fork the repository
174
+ * Check out your fork
175
+ * `cd` into the repository
176
+ * `bin/setup`
177
+ * `bundle exec rspec` to make sure all the tests run
178
+
179
+ ### Making changes
159
180
 
181
+ * Make your change
182
+ * Add tests and check that `bundle exec rspec` still runs successfully
183
+ * For new features (rather than bug fixes), update `README.md` with details
160
184
 
161
185
  ## License
162
186
 
@@ -2,8 +2,8 @@ module OmniAuth
2
2
  module Azure
3
3
  module Activedirectory
4
4
  module V2
5
- VERSION = "2.0.1"
6
- DATE = "2023-01-11"
5
+ VERSION = "2.1.0"
6
+ DATE = "2023-09-16"
7
7
  end
8
8
  end
9
9
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'omniauth-oauth2'
2
4
 
3
5
  module OmniAuth
@@ -14,41 +16,60 @@ module OmniAuth
14
16
  args [:tenant_provider]
15
17
 
16
18
  def client
17
- if options.tenant_provider
18
- provider = options.tenant_provider.new(self)
19
+ provider = if options.tenant_provider
20
+ options.tenant_provider.new(self)
19
21
  else
20
- provider = options # if pass has to config, get mapped right on to options
22
+ options
21
23
  end
22
24
 
23
25
  options.client_id = provider.client_id
24
26
  options.client_secret = provider.client_secret
25
27
  options.tenant_id =
26
- provider.respond_to?(:tenant_id) ? provider.tenant_id : 'common'
28
+ provider.respond_to?(:tenant_id) ? provider.tenant_id : 'common'
27
29
  options.base_azure_url =
28
- provider.respond_to?(:base_azure_url) ? provider.base_azure_url : BASE_AZURE_URL
30
+ provider.respond_to?(:base_azure_url) ? provider.base_azure_url : BASE_AZURE_URL
31
+
32
+ if provider.respond_to?(:authorize_params)
33
+ options.authorize_params = provider.authorize_params
34
+ end
29
35
 
30
- options.authorize_params = provider.authorize_params if provider.respond_to?(:authorize_params)
31
- options.authorize_params.domain_hint = provider.domain_hint if provider.respond_to?(:domain_hint) && provider.domain_hint
32
- options.authorize_params.prompt = request.params['prompt'] if defined? request && request.params['prompt']
33
- options.authorize_params.scope = (provider.scope if provider.respond_to?(:scope) && provider.scope) || DEFAULT_SCOPE
36
+ if provider.respond_to?(:domain_hint) && provider.domain_hint
37
+ options.authorize_params.domain_hint = provider.domain_hint
38
+ end
39
+
40
+ if defined?(request) && request.params['prompt']
41
+ options.authorize_params.prompt = request.params['prompt']
42
+ end
43
+
44
+ options.authorize_params.scope = if provider.respond_to?(:scope) && provider.scope
45
+ provider.scope
46
+ else
47
+ DEFAULT_SCOPE
48
+ end
49
+
50
+ options.custom_policy =
51
+ provider.respond_to?(:custom_policy) ? provider.custom_policy : nil
34
52
 
35
53
  options.client_options.authorize_url = "#{options.base_azure_url}/#{options.tenant_id}/oauth2/v2.0/authorize"
36
- options.client_options.token_url = "#{options.base_azure_url}/#{options.tenant_id}/oauth2/v2.0/token"
54
+ options.client_options.token_url =
55
+ if options.custom_policy
56
+ "#{options.base_azure_url}/#{options.tenant_id}/#{options.custom_policy}/oauth2/v2.0/token"
57
+ else
58
+ "#{options.base_azure_url}/#{options.tenant_id}/oauth2/v2.0/token"
59
+ end
37
60
 
38
61
  super
39
62
  end
40
63
 
41
- uid {
42
- raw_info['oid']
43
- }
64
+ uid { raw_info['oid'] }
44
65
 
45
66
  info do
46
67
  {
47
- name: raw_info['name'],
48
- email: raw_info['email'] || raw_info['upn'],
49
- nickname: raw_info['unique_name'],
50
- first_name: raw_info['given_name'],
51
- last_name: raw_info['family_name']
68
+ name: raw_info['name'],
69
+ email: raw_info['email'] || raw_info['upn'],
70
+ nickname: raw_info['unique_name'],
71
+ first_name: raw_info['given_name'],
72
+ last_name: raw_info['family_name']
52
73
  }
53
74
  end
54
75
 
@@ -72,8 +93,16 @@ module OmniAuth
72
93
  #
73
94
  def raw_info
74
95
  if @raw_info.nil?
75
- id_token_data = ::JWT.decode(access_token.params['id_token'], nil, false).first rescue {}
76
- auth_token_data = ::JWT.decode(access_token.token, nil, false).first rescue {}
96
+ id_token_data = begin
97
+ ::JWT.decode(access_token.params['id_token'], nil, false).first
98
+ rescue StandardError
99
+ {}
100
+ end
101
+ auth_token_data = begin
102
+ ::JWT.decode(access_token.token, nil, false).first
103
+ rescue StandardError
104
+ {}
105
+ end
77
106
 
78
107
  id_token_data.merge!(auth_token_data)
79
108
  @raw_info = id_token_data
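Review bot: Both `::JWT.decode` calls still pass `nil, false`, i.e. the `id_token` and access token are decoded without signature verification, and the new `rescue StandardError` branches silently return `{}`; a comment stating why unverified decoding is acceptable here (the tokens are the ones just returned by the token endpoint to the server, not values supplied by the browser) would make the trust boundary explicit, and a log line in each rescue branch would make a malformed or missing `id_token` diagnosable instead of surfacing only as an empty `info` hash. Narrowing the rescue to `::JWT::DecodeError` would also avoid masking unrelated failures.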
@@ -81,7 +110,6 @@ module OmniAuth
81
110
 
82
111
  @raw_info
83
112
  end
84
-
85
113
  end
86
114
  end
87
115
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-azure-activedirectory-v2
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.1
4
+ version: 2.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - RIPA Global
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-01-11 00:00:00.000000000 Z
11
+ date: 2023-09-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth-oauth2
@@ -66,7 +66,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
66
66
  - !ruby/object:Gem::Version
67
67
  version: '0'
68
68
  requirements: []
69
- rubygems_version: 3.3.7
69
+ rubygems_version: 3.4.4
70
70
  signing_key:
71
71
  specification_version: 4
72
72
  summary: OAuth 2 authentication with the Azure ActiveDirectory V2 API.