omniauth-azure-adv2 0.0.52 → 0.0.53
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/omniauth/azure_adv2/id_token_decoder.rb +48 -0
- data/lib/omniauth/azure_adv2/key_set.rb +52 -0
- data/lib/omniauth/azure_adv2/openid_config.rb +45 -0
- data/lib/omniauth/azure_adv2/version.rb +1 -1
- data/omniauth-azure-adv2-0.0.5.gem +0 -0
- data/omniauth-azure-adv2-0.0.51.gem +0 -0
- data/omniauth-azure-adv2-0.0.52.gem +0 -0
- metadata +7 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 728c7c6ddd8134308ac8d5967c5828f439e8d47f
|
|
4
|
+
data.tar.gz: 5c29b916658c42a269e12e96bfccd3ad12c1491b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d063ac9080a4b87bf910f680bd20c341bb78be6c8cded4a25a6be32250c809f687fe5112fb20736032051bfffde6b1ac2b96cc04486d9e151b59f2d9af431aa7
|
|
7
|
+
data.tar.gz: 424a6e2145fa47842e7c3c242b0788803280562f7b88fe5d2058ac7bf76b5ffb88b292f952c1c69d6968b1f4a415dba4e8e893ebc6f822cb97a44615606f3e95
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
class IDTokenDecoder
|
|
2
|
+
def initialize(id_token:, client_id:, nonce:, keyset:)
|
|
3
|
+
@id_token = id_token
|
|
4
|
+
@client_id = client_id
|
|
5
|
+
@nonce = nonce
|
|
6
|
+
@keyset = keyset
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def run
|
|
10
|
+
fail(JWT::DecodeError, 'Nil JSON web token') unless id_token
|
|
11
|
+
|
|
12
|
+
decoder = JWT::Decode.new(id_token, nil, true, verify_options)
|
|
13
|
+
@header, payload, signature, signing_input = decoder.decode_segments
|
|
14
|
+
decoder.verify
|
|
15
|
+
|
|
16
|
+
algo, key = JWT.signature_algorithm_and_key(@header, matching_key)
|
|
17
|
+
|
|
18
|
+
if 'RS256' != algo
|
|
19
|
+
fail JWT::IncorrectAlgorithm, 'Expected a different algorithm'
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
JWT.verify_signature(algo, key, signing_input, signature)
|
|
23
|
+
|
|
24
|
+
fail JWT::DecodeError, 'Returned nonce did not match.' unless payload['nonce'] == nonce
|
|
25
|
+
|
|
26
|
+
[payload, @header]
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
private
|
|
30
|
+
|
|
31
|
+
attr_reader :id_token, :client_id, :nonce, :claims, :keyset
|
|
32
|
+
|
|
33
|
+
def verify_options
|
|
34
|
+
{
|
|
35
|
+
verify_expiration: true,
|
|
36
|
+
verify_not_before: true,
|
|
37
|
+
verify_iat: true,
|
|
38
|
+
verify_jti: false,
|
|
39
|
+
verify_aud: true,
|
|
40
|
+
aud: client_id,
|
|
41
|
+
leeway: 0,
|
|
42
|
+
}
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def matching_key
|
|
46
|
+
@_matching_key ||= keyset.find(@header['kid'])
|
|
47
|
+
end
|
|
48
|
+
end
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
# KeySet takes a list of active key objects and supplies a method to find
|
|
2
|
+
# a key given it's ID.
|
|
3
|
+
#
|
|
4
|
+
# Key objects should be hashes with at least the following structure:
|
|
5
|
+
# {
|
|
6
|
+
# 'kid': 'ID',
|
|
7
|
+
# 'n': 'modulus',
|
|
8
|
+
# 'e': 'exponent',
|
|
9
|
+
# }
|
|
10
|
+
class KeySet
|
|
11
|
+
def initialize(keys:)
|
|
12
|
+
@keys = keys
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def find(key_id)
|
|
16
|
+
key = find_key_or_raise_error(key_id)
|
|
17
|
+
|
|
18
|
+
generate_public_key(
|
|
19
|
+
modulus: decode_and_convert_to_number(key['n']),
|
|
20
|
+
exponent: decode_and_convert_to_number(key['e']),
|
|
21
|
+
)
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
private
|
|
25
|
+
|
|
26
|
+
attr_reader :keys
|
|
27
|
+
|
|
28
|
+
def find_key_or_raise_error(id)
|
|
29
|
+
key = keys.find { |k| k['kid'] == id }
|
|
30
|
+
|
|
31
|
+
if key.nil? || key.empty?
|
|
32
|
+
fail JWT::VerificationError, 'No keys from key endpoint match the id token'
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
key
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def decode_and_convert_to_number(str)
|
|
39
|
+
decoded = JWT.base64url_decode(str)
|
|
40
|
+
|
|
41
|
+
decoded.unpack("C*").inject(0) { |sum, (byte, _)| sum * 256 + byte }
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def generate_public_key(modulus:, exponent:)
|
|
45
|
+
seq = OpenSSL::ASN1::Sequence.new([
|
|
46
|
+
OpenSSL::ASN1::Integer.new(modulus),
|
|
47
|
+
OpenSSL::ASN1::Integer.new(exponent),
|
|
48
|
+
])
|
|
49
|
+
|
|
50
|
+
OpenSSL::PKey::RSA.new(seq.to_der)
|
|
51
|
+
end
|
|
52
|
+
end
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
class OpenIDConfig
|
|
2
|
+
def self.fetch(tid: 'common')
|
|
3
|
+
config_uri = URI("https://login.microsoftonline.com/#{tid}/v2.0/.well-known/openid-configuration")
|
|
4
|
+
new(config: JSON.parse(Net::HTTP.get(config_uri)))
|
|
5
|
+
rescue JSON::ParserError
|
|
6
|
+
fail StandardError, 'Unable to fetch OpenId configuration for ' \
|
|
7
|
+
"AzureAD tenant '#{tid}'."
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def initialize(config:)
|
|
11
|
+
@config = config
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def issuer
|
|
15
|
+
config['issuer']
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def authorization_endpoint
|
|
19
|
+
config['authorization_endpoint']
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def jwks_uri
|
|
23
|
+
config['jwks_uri']
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def keys
|
|
27
|
+
@signing_keys ||= KeySet.new(keys: fetch_signing_keys)
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
private
|
|
31
|
+
|
|
32
|
+
attr_reader :config
|
|
33
|
+
|
|
34
|
+
def fetch_signing_keys
|
|
35
|
+
response = JSON.parse(Net::HTTP.get(URI(signing_keys_url)))
|
|
36
|
+
response['keys']
|
|
37
|
+
rescue JSON::ParserError
|
|
38
|
+
raise StandardError, 'Unable to fetch AzureAD signing keys.'
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
def signing_keys_url
|
|
42
|
+
return jwks_uri if jwks_uri
|
|
43
|
+
fail StandardError, 'No jwks_uri in OpenId config response.'
|
|
44
|
+
end
|
|
45
|
+
end
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-azure-adv2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.53
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tom Schaefer
|
|
@@ -115,8 +115,14 @@ files:
|
|
|
115
115
|
- bin/setup
|
|
116
116
|
- lib/omniauth-azure-adv2.rb
|
|
117
117
|
- lib/omniauth/azure_adv2.rb
|
|
118
|
+
- lib/omniauth/azure_adv2/id_token_decoder.rb
|
|
119
|
+
- lib/omniauth/azure_adv2/key_set.rb
|
|
120
|
+
- lib/omniauth/azure_adv2/openid_config.rb
|
|
118
121
|
- lib/omniauth/azure_adv2/version.rb
|
|
119
122
|
- lib/omniauth/strategies/azure_adv2.rb
|
|
123
|
+
- omniauth-azure-adv2-0.0.5.gem
|
|
124
|
+
- omniauth-azure-adv2-0.0.51.gem
|
|
125
|
+
- omniauth-azure-adv2-0.0.52.gem
|
|
120
126
|
- omniauth-azure-adv2.gemspec
|
|
121
127
|
homepage: https://github.com/TEECOM/omniauth-azure-adv2
|
|
122
128
|
licenses:
|