omniauth-azure-adv2 0.0.52 → 0.0.53

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9620cb910d5ab79dea27858607cda1ead4df3a3f
-  data.tar.gz: ca180b3dd5b8cd35af3038bc44af5c567022ec54
+  metadata.gz: 728c7c6ddd8134308ac8d5967c5828f439e8d47f
+  data.tar.gz: 5c29b916658c42a269e12e96bfccd3ad12c1491b
 SHA512:
-  metadata.gz: 46958e6a2d4172bf426baf868ad823354f95a3e075d4e4147b17a78cf28b89baf6de03ec0bea7ef756bd877b631873bc05dc29adef025514d4fa342920ba8ee7
-  data.tar.gz: 980c106686c1b7dd81f4650096cf17e1917b2c614545d34e0c52e11d65e47e624eb487ef2b8cb294e373ff6ed0e1286e35cb4c14c56d4abaa4f00c317d69685f
+  metadata.gz: d063ac9080a4b87bf910f680bd20c341bb78be6c8cded4a25a6be32250c809f687fe5112fb20736032051bfffde6b1ac2b96cc04486d9e151b59f2d9af431aa7
+  data.tar.gz: 424a6e2145fa47842e7c3c242b0788803280562f7b88fe5d2058ac7bf76b5ffb88b292f952c1c69d6968b1f4a415dba4e8e893ebc6f822cb97a44615606f3e95

data/lib/omniauth/azure_adv2/id_token_decoder.rb

@@ -0,0 +1,48 @@
+class IDTokenDecoder
+  def initialize(id_token:, client_id:, nonce:, keyset:)
+    @id_token = id_token
+    @client_id = client_id
+    @nonce = nonce
+    @keyset = keyset
+  end
+
+  def run
+    fail(JWT::DecodeError, 'Nil JSON web token') unless id_token
+
+    decoder = JWT::Decode.new(id_token, nil, true, verify_options)
+    @header, payload, signature, signing_input = decoder.decode_segments
+    decoder.verify
+
+    algo, key = JWT.signature_algorithm_and_key(@header, matching_key)
+
+    if 'RS256' != algo
+      fail JWT::IncorrectAlgorithm, 'Expected a different algorithm'
+    end
+
+    JWT.verify_signature(algo, key, signing_input, signature)
+
+    fail JWT::DecodeError, 'Returned nonce did not match.' unless payload['nonce'] == nonce
+
+    [payload, @header]
+  end
+
+  private
+
+  attr_reader :id_token, :client_id, :nonce, :claims, :keyset
+
+  def verify_options
+    {
+      verify_expiration: true,
+      verify_not_before: true,
+      verify_iat: true,
+      verify_jti: false,
+      verify_aud: true,
+      aud: client_id,
+      leeway: 0,
+    }
+  end
+
+  def matching_key
+    @_matching_key ||= keyset.find(@header['kid'])
+  end
+end

data/lib/omniauth/azure_adv2/key_set.rb

@@ -0,0 +1,52 @@
+# KeySet takes a list of active key objects and supplies a method to find
+# a key given it's ID.
+#
+# Key objects should be hashes with at least the following structure:
+# {
+#   'kid': 'ID',
+#   'n': 'modulus',
+#   'e': 'exponent',
+# }
+class KeySet
+  def initialize(keys:)
+    @keys = keys
+  end
+
+  def find(key_id)
+    key = find_key_or_raise_error(key_id)
+
+    generate_public_key(
+      modulus: decode_and_convert_to_number(key['n']),
+      exponent: decode_and_convert_to_number(key['e']),
+    )
+  end
+
+  private
+
+  attr_reader :keys
+
+  def find_key_or_raise_error(id)
+    key = keys.find { |k| k['kid'] == id }
+
+    if key.nil? || key.empty?
+      fail JWT::VerificationError, 'No keys from key endpoint match the id token'
+    end
+
+    key
+  end
+
+  def decode_and_convert_to_number(str)
+    decoded = JWT.base64url_decode(str)
+
+    decoded.unpack("C*").inject(0) { |sum, (byte, _)| sum * 256 + byte }
+  end
+
+  def generate_public_key(modulus:, exponent:)
+    seq = OpenSSL::ASN1::Sequence.new([
+      OpenSSL::ASN1::Integer.new(modulus),
+      OpenSSL::ASN1::Integer.new(exponent),
+    ])
+
+    OpenSSL::PKey::RSA.new(seq.to_der)
+  end
+end

data/lib/omniauth/azure_adv2/openid_config.rb

@@ -0,0 +1,45 @@
+class OpenIDConfig
+  def self.fetch(tid: 'common')
+    config_uri = URI("https://login.microsoftonline.com/#{tid}/v2.0/.well-known/openid-configuration")
+    new(config: JSON.parse(Net::HTTP.get(config_uri)))
+  rescue JSON::ParserError
+    fail StandardError, 'Unable to fetch OpenId configuration for ' \
+      "AzureAD tenant '#{tid}'."
+  end
+
+  def initialize(config:)
+    @config = config
+  end
+
+  def issuer
+    config['issuer']
+  end
+
+  def authorization_endpoint
+    config['authorization_endpoint']
+  end
+
+  def jwks_uri
+    config['jwks_uri']
+  end
+
+  def keys
+    @signing_keys ||= KeySet.new(keys: fetch_signing_keys)
+  end
+
+  private
+
+  attr_reader :config
+
+  def fetch_signing_keys
+    response = JSON.parse(Net::HTTP.get(URI(signing_keys_url)))
+    response['keys']
+  rescue JSON::ParserError
+    raise StandardError, 'Unable to fetch AzureAD signing keys.'
+  end
+
+  def signing_keys_url
+    return jwks_uri if jwks_uri
+    fail StandardError, 'No jwks_uri in OpenId config response.'
+  end
+end

data/lib/omniauth/azure_adv2/version.rb

@@ -1,5 +1,5 @@
 module Omniauth
   module AzureADV2
-    VERSION = '0.0.52'.freeze
+    VERSION = '0.0.53'.freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-azure-adv2
 version: !ruby/object:Gem::Version
-  version: 0.0.52
+  version: 0.0.53
 platform: ruby
 authors:
 - Tom Schaefer
@@ -115,8 +115,14 @@ files:
 - bin/setup
 - lib/omniauth-azure-adv2.rb
 - lib/omniauth/azure_adv2.rb
+- lib/omniauth/azure_adv2/id_token_decoder.rb
+- lib/omniauth/azure_adv2/key_set.rb
+- lib/omniauth/azure_adv2/openid_config.rb
 - lib/omniauth/azure_adv2/version.rb
 - lib/omniauth/strategies/azure_adv2.rb
+- omniauth-azure-adv2-0.0.5.gem
+- omniauth-azure-adv2-0.0.51.gem
+- omniauth-azure-adv2-0.0.52.gem
 - omniauth-azure-adv2.gemspec
 homepage: https://github.com/TEECOM/omniauth-azure-adv2
 licenses: