omniauth-azure-adv2 0.0.52 → 0.0.53

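--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 9620cb910d5ab79dea27858607cda1ead4df3a3f
- data.tar.gz: ca180b3dd5b8cd35af3038bc44af5c567022ec54
+ metadata.gz: 728c7c6ddd8134308ac8d5967c5828f439e8d47f
+ data.tar.gz: 5c29b916658c42a269e12e96bfccd3ad12c1491b
  SHA512:
- metadata.gz: 46958e6a2d4172bf426baf868ad823354f95a3e075d4e4147b17a78cf28b89baf6de03ec0bea7ef756bd877b631873bc05dc29adef025514d4fa342920ba8ee7
- data.tar.gz: 980c106686c1b7dd81f4650096cf17e1917b2c614545d34e0c52e11d65e47e624eb487ef2b8cb294e373ff6ed0e1286e35cb4c14c56d4abaa4f00c317d69685f
+ metadata.gz: d063ac9080a4b87bf910f680bd20c341bb78be6c8cded4a25a6be32250c809f687fe5112fb20736032051bfffde6b1ac2b96cc04486d9e151b59f2d9af431aa7
+ data.tar.gz: 424a6e2145fa47842e7c3c242b0788803280562f7b88fe5d2058ac7bf76b5ffb88b292f952c1c69d6968b1f4a415dba4e8e893ebc6f822cb97a44615606f3e95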
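--- /dev/null
+++ b/lib/omniauth/azure_adv2/id_token_decoder.rb
@@ -0,0 +1,48 @@
+ class IDTokenDecoder
+ def initialize(id_token:, client_id:, nonce:, keyset:)
+ @id_token = id_token
+ @client_id = client_id
+ @nonce = nonce
+ @keyset = keyset
+ end
+
+ def run
+ fail(JWT::DecodeError, 'Nil JSON web token') unless id_token
+
+ decoder = JWT::Decode.new(id_token, nil, true, verify_options)
+ @header, payload, signature, signing_input = decoder.decode_segments
+ decoder.verify
+
+ algo, key = JWT.signature_algorithm_and_key(@header, matching_key)
+
+ if 'RS256' != algo
+ fail JWT::IncorrectAlgorithm, 'Expected a different algorithm'
+ end
+
+ JWT.verify_signature(algo, key, signing_input, signature)
+
+ fail JWT::DecodeError, 'Returned nonce did not match.' unless payload['nonce'] == nonce
+
+ [payload, @header]
+ end
+
+ private
+
+ attr_reader :id_token, :client_id, :nonce, :claims, :keyset
+
+ def verify_options
+ {
+ verify_expiration: true,
+ verify_not_before: true,
+ verify_iat: true,
+ verify_jti: false,
+ verify_aud: true,
+ aud: client_id,
+ leeway: 0,
+ }
+ end
+
+ def matching_key
+ @_matching_key ||= keyset.find(@header['kid'])
+ end
+ end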
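Review bot: The nonce comparison `fail JWT::DecodeError, 'Returned nonce did not match.' unless payload['nonce'] == nonce` in `run` passes when both sides are nil, so a token that omits the nonce claim is accepted whenever the caller supplies no nonce; check presence first, `fail JWT::DecodeError, 'Returned nonce did not match.' if nonce.nil? || payload['nonce'] != nonce`. `verify_options` never sets `verify_iss`/`iss`, so the issuer claim is not checked even though `OpenIDConfig#issuer` is added in the same change; for a multi-tenant (`common`) flow the expected issuer is tenant-specific, so if skipping it is deliberate a comment in `verify_options` saying why would help the next reader. The `:claims` entry in the private `attr_reader` has no matching instance variable anywhere in the class and can be dropped. The class has no header comment; one stating that `run` returns `[payload, header]` only after the expiry, audience, RS256 signature and nonce checks have all passed would document the contract callers rely on.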
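--- /dev/null
+++ b/lib/omniauth/azure_adv2/key_set.rb
@@ -0,0 +1,52 @@
+ # KeySet takes a list of active key objects and supplies a method to find
+ # a key given it's ID.
+ #
+ # Key objects should be hashes with at least the following structure:
+ # {
+ # 'kid': 'ID',
+ # 'n': 'modulus',
+ # 'e': 'exponent',
+ # }
+ class KeySet
+ def initialize(keys:)
+ @keys = keys
+ end
+
+ def find(key_id)
+ key = find_key_or_raise_error(key_id)
+
+ generate_public_key(
+ modulus: decode_and_convert_to_number(key['n']),
+ exponent: decode_and_convert_to_number(key['e']),
+ )
+ end
+
+ private
+
+ attr_reader :keys
+
+ def find_key_or_raise_error(id)
+ key = keys.find { |k| k['kid'] == id }
+
+ if key.nil? || key.empty?
+ fail JWT::VerificationError, 'No keys from key endpoint match the id token'
+ end
+
+ key
+ end
+
+ def decode_and_convert_to_number(str)
+ decoded = JWT.base64url_decode(str)
+
+ decoded.unpack("C*").inject(0) { |sum, (byte, _)| sum * 256 + byte }
+ end
+
+ def generate_public_key(modulus:, exponent:)
+ seq = OpenSSL::ASN1::Sequence.new([
+ OpenSSL::ASN1::Integer.new(modulus),
+ OpenSSL::ASN1::Integer.new(exponent),
+ ])
+
+ OpenSSL::PKey::RSA.new(seq.to_der)
+ end
+ end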
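Review bot: `find` trusts that the entry matched by `kid` is an RSA key carrying `n` and `e`; an entry that lacks either (or has a different `kty`) passes nil into `JWT.base64url_decode` from `decode_and_convert_to_number`, which presumably fails with a NoMethodError rather than the JWT::VerificationError the rest of the class raises. Extending the guard in `find_key_or_raise_error` to `if key.nil? || key['kty'] != 'RSA' || key['n'].nil? || key['e'].nil?` keeps that failure explicit and matches the structure the header comment already promises. In `decode_and_convert_to_number` the block parameter `(byte, _)` destructures an Integer, which only works because a non-Array value binds whole to the first name; `OpenSSL::BN.new(decoded, 2)` expresses the big-endian conversion directly and `OpenSSL::ASN1::Integer.new` accepts the resulting BN. The header comment reads `given it's ID` where `given its ID` is meant.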
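--- /dev/null
+++ b/lib/omniauth/azure_adv2/openid_config.rb
@@ -0,0 +1,45 @@
+ class OpenIDConfig
+ def self.fetch(tid: 'common')
+ config_uri = URI("https://login.microsoftonline.com/#{tid}/v2.0/.well-known/openid-configuration")
+ new(config: JSON.parse(Net::HTTP.get(config_uri)))
+ rescue JSON::ParserError
+ fail StandardError, 'Unable to fetch OpenId configuration for ' \
+ "AzureAD tenant '#{tid}'."
+ end
+
+ def initialize(config:)
+ @config = config
+ end
+
+ def issuer
+ config['issuer']
+ end
+
+ def authorization_endpoint
+ config['authorization_endpoint']
+ end
+
+ def jwks_uri
+ config['jwks_uri']
+ end
+
+ def keys
+ @signing_keys ||= KeySet.new(keys: fetch_signing_keys)
+ end
+
+ private
+
+ attr_reader :config
+
+ def fetch_signing_keys
+ response = JSON.parse(Net::HTTP.get(URI(signing_keys_url)))
+ response['keys']
+ rescue JSON::ParserError
+ raise StandardError, 'Unable to fetch AzureAD signing keys.'
+ end
+
+ def signing_keys_url
+ return jwks_uri if jwks_uri
+ fail StandardError, 'No jwks_uri in OpenId config response.'
+ end
+ end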
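Review bot: In `self.fetch` the `tid` argument is interpolated straight into the request path; if it can originate from request input, a value containing `/`, `?` or `..` changes which URL is fetched, so validate it before building the URI, e.g. `fail ArgumentError, "Invalid AzureAD tenant id" unless tid.to_s.match?(/\A[A-Za-z0-9.\-]+\z/)`. `Net::HTTP.get` returns the body regardless of status, so a 4xx/5xx reply is only noticed when its body fails to parse as JSON; `Net::HTTP.get_response` plus a check on `response.code` (here and in `fetch_signing_keys`) gives a clearer failure than the `JSON::ParserError` path. `keys` memoizes the `KeySet` on the instance, so if an `OpenIDConfig` object is kept across requests a signing-key rotation turns into persistent `JWT::VerificationError`s until a fresh instance is fetched; whether the strategy caches it is not visible here, so a comment on `keys` stating the intended lifetime would help. Raising bare `StandardError` in three places also makes these failures indistinguishable from any other error to a caller; a small `OpenIDConfig::FetchError < StandardError` would let the strategy rescue them specifically.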
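--- a/lib/omniauth/azure_adv2/version.rb
+++ b/lib/omniauth/azure_adv2/version.rb
@@ -1,5 +1,5 @@
  module Omniauth
  module AzureADV2
- VERSION = '0.0.52'.freeze
+ VERSION = '0.0.53'.freeze
  end
  end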
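--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: omniauth-azure-adv2
  version: !ruby/object:Gem::Version
- version: 0.0.52
+ version: 0.0.53
  platform: ruby
  authors:
  - Tom Schaefer
@@ -115,8 +115,14 @@ files:
  - bin/setup
  - lib/omniauth-azure-adv2.rb
  - lib/omniauth/azure_adv2.rb
+ - lib/omniauth/azure_adv2/id_token_decoder.rb
+ - lib/omniauth/azure_adv2/key_set.rb
+ - lib/omniauth/azure_adv2/openid_config.rb
  - lib/omniauth/azure_adv2/version.rb
  - lib/omniauth/strategies/azure_adv2.rb
+ - omniauth-azure-adv2-0.0.5.gem
+ - omniauth-azure-adv2-0.0.51.gem
+ - omniauth-azure-adv2-0.0.52.gem
  - omniauth-azure-adv2.gemspec
  homepage: https://github.com/TEECOM/omniauth-azure-adv2
  licenses: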