omniauth-azure_active_directory_b2c 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0c0f7094e772b9c4aeeac8eba5ee0e5f8664c863
+  data.tar.gz: d48a92be522a55bb07ebbaca2d279a7fb84e825c
+SHA512:
+  metadata.gz: 8dd3cdf6e26aec04a21bd50d7030ba583cc1d76a31b5e48dc7f726d1aa792bfacc2ef0dff1535b79a3e29aa52b7d7f8f4cafb28c09f543b308601042807bd567
+  data.tar.gz: 996b5025889be29a5dd93f4964f0aed570be8fe26ca2aef3506b4dcd34b53c82aa66e8c18906117242297f479f69c193bf80a453546ed2c4b87fff6d85c5f6ea

data/lib/omniauth-azure_active_directory_b2c.rb

@@ -0,0 +1 @@
+require_relative 'omniauth/strategies/azure_active_directory_b2c.rb'

data/lib/omniauth/strategies/azure_active_directory_b2c.rb

@@ -0,0 +1,163 @@
+require 'omniauth'
+require 'proc_evaluate'
+
+require_relative 'azure_active_directory_b2c/authentication_request.rb'
+require_relative 'azure_active_directory_b2c/authentication_response.rb'
+require_relative 'azure_active_directory_b2c/client.rb'
+require_relative 'azure_active_directory_b2c/jwt_validator.rb'
+require_relative 'azure_active_directory_b2c/policy_options.rb'
+require_relative 'azure_active_directory_b2c/policy.rb'
+require_relative 'azure_active_directory_b2c/version.rb'
+
+module OmniAuth
+  module Strategies
+    class AzureActiveDirectoryB2C
+
+      include OmniAuth::Strategy
+
+      using ProcEvaluate # adds the `evaluate` refinement method to Object and Proc instances
+
+      #########################################
+      # Error definitions
+      #########################################
+
+      GenericError = Class.new(StandardError)
+
+      # Errors raised du to missing options or settings
+      MissingOptionError = Class.new(GenericError)
+
+      # Errors raised during the callback stage
+      CallbackError = Class.new(GenericError) do
+          attr_reader :failure_message_key
+          def self.failure_message_key(key)
+            define_method(:failure_message_key) { key }
+          end
+        end
+      InvalidCredentialsError = Class.new(CallbackError) { failure_message_key :invalid_credentials }
+      UnauthorizedError = Class.new(CallbackError) { failure_message_key :unauthorized }
+      MissingCodeError = Class.new(CallbackError) { failure_message_key :missing_code }
+      IdTokenValidationError = Class.new(CallbackError) { failure_message_key :id_token_validation_failed }
+
+      #########################################
+      # Strategy options
+      #########################################
+
+      option :name, 'azure_active_directory_b2c'
+      option :redirect_uri # the url to return to in the callback phase
+      option :policy_options
+
+      #########################################
+      # Strategy - setup
+      #########################################
+
+      def policy_options
+        @policy_options ||= options.policy_options || (raise MissingOptionError, '`policy_options` not defined')
+      end
+
+      def policy
+        @policy = Policy.new(**policy_options.symbolize_keys)
+      end
+
+      def redirect_uri
+        @redirect_uri ||= options.redirect_uri.evaluate(self) || (raise MissingOptionError, '`redirect_uri` not defined')
+      end
+
+      def setup_phase
+      end
+
+      #########################################
+      # Strategy - request
+      #########################################
+
+      def authentication_request
+        @authentication_request ||= AuthenticationRequest.new(policy, redirect_uri: redirect_uri)
+      end
+
+      def authorization_uri
+        authentication_request.authorization_uri
+      end
+
+      def set_session_variables!
+        # set the session details to check against in the callback_phase
+        session['omniauth.nonce'] = authentication_request.nonce
+        session['omniauth.state'] = authentication_request.state
+      end
+
+      def request_phase
+        # this phase needs to redirect to B2C with the correct params and record the state and nonce in the session to check against in the callback_phase
+        set_session_variables!
+        redirect authentication_request.authorization_uri
+      end
+
+      #########################################
+      # Strategy - callback
+      #########################################
+
+      def authentication_response
+        @authentication_response ||= AuthenticationResponse.new(policy, request.params['code'])
+      end
+
+      def callback_phase
+        validate_callback_response!
+        validate_id_token!
+        super # required to complete the callback phase
+
+      rescue UnauthorizedError => e
+        return Rack::Response.new(['401 Unauthorized'], 401).finish
+      rescue CallbackError => e
+        fail!(e.failure_message_key, e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
+
+      def validate_callback_response!
+        state, code, error, error_reason, error_description = request.params.values_at('state', 'code', 'error', 'error_reason', 'error_description')
+
+        if error || error_reason || error_description
+          raise InvalidCredentialsError, [error, error_reason, error_description].compact.join('. ')
+        elsif state.to_s.empty? || state != session.delete('omniauth.state')
+          raise UnauthorizedError
+        elsif !code
+          raise MissingCodeError, 'Code was not returned from OpenID Connect Provider'
+        end
+      end
+
+      def validate_id_token!
+        results = authentication_response.validate_id_token
+        if results.has_errors?
+          raise IdTokenValidationError, results.full_messages.join('. ')
+        end
+      end
+
+      #########################################
+      # Auth Hash Schema
+      #########################################
+
+      def user_info
+        authentication_response.user_info
+      end
+
+      def subject_id
+        authentication_response.subject_id
+      end
+
+      def extra_info
+        authentication_response.extra_info
+      end
+
+      def credentials
+        authentication_response.credentials
+      end
+
+      # return the details required by OmniAuth
+      info { user_info }
+      uid { subject_id }
+      extra { extra_info }
+      credentials { credentials }
+
+    end
+  end
+end
+OmniAuth.config.add_camelization('azure_active_directory_b2c', 'AzureActiveDirectoryB2C')

data/lib/omniauth/strategies/azure_active_directory_b2c/authentication_request.rb

@@ -0,0 +1,48 @@
+module OmniAuth
+  module Strategies
+    class AzureActiveDirectoryB2C
+      class AuthenticationRequest
+
+        class ResponseType
+          # TODO: provide constants for each option
+          CODE = 'code'
+        end
+
+        attr_reader :policy, :client
+
+        def initialize(policy, redirect_uri:, **override_options)
+          @policy = policy
+          @client = policy.initialize_client({ redirect_uri: redirect_uri, **override_options })
+        end
+
+        def authorization_uri(**override_options)
+          options = default_authorization_uri_options.merge(override_options)
+          options = options.select {|k, v| v }
+          client.authorization_uri(options)
+        end
+
+        def state
+          @state ||= SecureRandom.hex(16)
+        end
+
+        def nonce
+          @nonce ||= SecureRandom.hex(16)
+        end
+
+        def response_type
+          ResponseType::CODE
+        end
+
+        def default_authorization_uri_options
+          {
+            response_type: response_type,
+            scope: policy.scope,
+            state: state,
+            nonce: nonce,
+          }
+        end
+
+      end # AuthenticationRequest
+    end # AzureActiveDirectoryB2C
+  end # Strategies
+end # OmniAuth

data/lib/omniauth/strategies/azure_active_directory_b2c/authentication_response.rb

@@ -0,0 +1,122 @@
+module OmniAuth
+  module Strategies
+    class AzureActiveDirectoryB2C
+      class AuthenticationResponse
+
+        class AuthenticationMethod
+          BASIC = 'basic'
+          BODY = 'body'
+          POST = 'post'
+        end
+
+        attr_reader :policy, :client, :code
+
+        def initialize(policy, code, **override_options)
+          @policy = policy
+          @client = policy.initialize_client({ redirect_uri: nil, **override_options })
+          @client.authorization_code = code
+          @code = code
+        end
+
+        def access_token
+          @access_token ||= get_access_token!
+        end
+
+        def id_token
+          @id_token ||= get_id_token!
+        end
+
+        def refresh_token
+          access_token.refresh_token
+        end
+
+        def expires_in
+          access_token.expires_in
+        end
+
+        def subject_id
+          id_token.sub
+        end
+
+        def user_info
+          {
+            name: id_token.raw_attributes['name'],
+            email: ([*id_token.raw_attributes['emails']].first),
+            nickname: id_token.raw_attributes['preferred_username'],
+            first_name: id_token.raw_attributes['given_name'],
+            last_name: id_token.raw_attributes['family_name'],
+            gender: id_token.raw_attributes['gender'],
+            image: id_token.raw_attributes['picture'],
+            phone: id_token.raw_attributes['phone_number'],
+            urls: { website: id_token.raw_attributes['website'] }
+          }
+        end
+
+        def extra_info
+          { raw_info: id_token.raw_attributes }
+        end
+
+        def scope
+          policy.scope
+        end
+
+        def authentication_method
+          AuthenticationMethod::BODY
+        end
+
+        def credentials
+          {
+            id_token: id_token,
+            token: access_token.access_token,
+            refresh_token: refresh_token,
+            expires_in: expires_in,
+            scope: scope,
+          }
+        end
+
+        def default_access_token_options
+          {
+            scope: scope,
+            client_auth_method: authentication_method,
+          }
+        end
+
+        def get_access_token!
+          client.access_token!(default_access_token_options)
+        end
+
+        def get_id_token!
+          # TODO: if the id_token is not passed back, we could get the id token from the userinfo endpoint (or fail if no endpoint is defined?)
+          encrypted_id_token = access_token.id_token
+          decoded_id_token = decode_id_token!(encrypted_id_token)
+        end
+
+        def decode_id_token!(id_token)
+          ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
+        end
+
+        def public_key
+          if policy.jwk_signing_algorithm == :RS256 && policy.jwk_signing_keys
+            jwk_key
+          else
+            raise 'id_token signing algorithm is currently not supported: %s' % policy.jwk_signing_algorithm
+          end
+        end
+
+        def jwk_key
+          key = policy.jwk_signing_keys
+          if key.has_key?('keys')
+            JSON::JWK::Set.new(key['keys']) # a set of keys
+          else
+            JSON::JWK.new(key) # a single key
+          end
+        end
+
+        def validate_id_token(seconds_since_epoc = Time.now.to_i)
+          JwtValidator.validate(id_token.raw_attributes, public_key, policy, seconds_since_epoc)
+        end
+
+      end # AuthenticationResponse
+    end # AzureActiveDirectoryB2C
+  end # Strategies
+end # OmniAuth

data/lib/omniauth/strategies/azure_active_directory_b2c/client.rb

@@ -0,0 +1,14 @@
+require 'openid_connect'
+
+module OmniAuth
+  module Strategies
+    class AzureActiveDirectoryB2C
+
+      class Client < ::OpenIDConnect::Client
+        # developers can override this class as required
+        # Be sure to also override MicrosoftAzureB2C::Policy#initialize_client
+      end
+
+    end
+  end
+end

data/lib/omniauth/strategies/azure_active_directory_b2c/jwt_validator.rb

@@ -0,0 +1,93 @@
+module OmniAuth
+  module Strategies
+    class AzureActiveDirectoryB2C
+
+      class ValidationResult
+        def error_messages
+          @error_messages ||= []
+        end
+
+        def add_error(key, message)
+          error_messages << { error: key, message: message }
+        end
+
+        def has_errors?
+          error_messages.any?
+        end
+
+        def okay?
+          error_messages.empty?
+        end
+
+        def full_messages
+          error_messages.collect {|err| err[:message] }
+        end
+      end # ValidationResult
+
+      class JwtValidator
+
+        EPOC_TIME_LEEWAY_SECONDS = 10
+
+        attr_reader :jwt, :jwt_key, :policy, :seconds_since_epoc
+
+        def self.validate(jwt, jwt_key, policy, seconds_since_epoc = Time.now.to_i)
+          new(jwt, jwt_key, policy, seconds_since_epoc).validate
+        end
+
+        def initialize(jwt, jwt_key, policy, seconds_since_epoc = Time.now.to_i)
+          @jwt = jwt
+          @jwt_key = jwt_key
+          @policy = policy
+          @seconds_since_epoc = seconds_since_epoc
+        end
+
+        def validate
+          results = ValidationResult.new
+          results.add_error(:algorithm_mismatch, "Signing algorithm mismatch: Expected `#{policy.jwk_signing_algorithm} but got #{jwt.algorithm}`") unless signing_algoritm_matches?
+          results.add_error(:issue_mismatch, "Issue mismatch: Expected `#{policy.issuer}` but got `#{jwt[:iss]}`") unless issuer_matches?
+          results.add_error(:audience_mismatch, "Audience mismatch: Expected `#{policy.aud}` but got `#{jwt[:aud]}`") unless audience_matches?
+          results.add_error(:before_start_time, "Token has not yet commenced: Valid at #{jwt[:nbf]} but currently #{seconds_since_epoc}") unless on_or_after_not_before_time?
+          results.add_error(:after_expiry_time, "Token has expired: Expired at #{jwt[:exp]} but currently #{seconds_since_epoc}") unless before_expiration_time?
+
+          begin
+            verify_signature!
+          rescue JSON::JWS::VerificationFailed
+            results.add_error(:signiture_verification_failed, 'Signture verification failed') unless signature_verified?
+          rescue JSON::JWS::UnexpectedAlgorithm
+            results.add_error(:unexpected_signiture_algorithm, 'Unexpected signature algorithm') unless signature_verified?
+          rescue => e
+            results.add_error(:signiture_verification_failed, e.message || 'Signature verification failed') unless signature_verified?
+          end
+
+          results # return results
+        end
+
+        def signing_algoritm_matches?
+          # An attacker may change the signing algorith to provide a forged signature
+          jwt.algorithm.to_sym == policy.jwk_signing_algorithm
+        end
+
+        def issuer_matches?
+          jwt[:iss] && jwt[:iss] != '' && jwt[:iss] == policy.issuer
+        end
+
+        def audience_matches?
+          jwt[:aud] && jwt[:aud] != '' && jwt[:aud] == policy.application_identifier
+        end
+
+        def on_or_after_not_before_time?
+          (seconds_since_epoc + EPOC_TIME_LEEWAY_SECONDS) >= jwt[:nbf]
+        end
+
+        def before_expiration_time?
+          (seconds_since_epoc - EPOC_TIME_LEEWAY_SECONDS) < jwt[:exp]
+        end
+
+        def verify_signature!
+          jwt.verify!(jwt_key)
+        end
+
+      end # JwtVerifier
+    end # AzureActiveDirectoryB2C
+  end # Strategies
+end # OmniAuth

data/lib/omniauth/strategies/azure_active_directory_b2c/policy.rb

@@ -0,0 +1,26 @@
+module OmniAuth
+  module Strategies
+    class AzureActiveDirectoryB2C
+      class Policy
+        include AzureActiveDirectoryB2C::PolicyOptions
+
+        attr_reader :application_identifier, :application_secret, :issuer, :tenant_name, :policy_name, :jwk_signing_algorithm, :jwk_signing_keys
+
+        def initialize(application_identifier:, application_secret:, issuer:, tenant_name:, policy_name:, jwk_signing_algorithm:, jwk_signing_keys:, scope: nil)
+          @application_identifier = application_identifier
+          @application_secret = application_secret
+          @issuer = issuer
+          @tenant_name = tenant_name
+          @policy_name = policy_name
+          @jwk_signing_algorithm = jwk_signing_algorithm
+          @jwk_signing_keys = jwk_signing_keys
+          @scope = *scope
+        end
+
+        def scope
+          @scope.any? ? @scope : super
+        end
+      end # Policy
+    end # AzureActiveDirectoryB2C
+  end # Strategies
+end # OmniAuth

data/lib/omniauth/strategies/azure_active_directory_b2c/policy_options.rb

@@ -0,0 +1,97 @@
+module OmniAuth
+  module Strategies
+    class AzureActiveDirectoryB2C
+      module PolicyOptions
+
+        def respond_to_missing?(method_name, *args)
+          self.class.instance_methods.include?("policy_#{method_name}".to_sym) || super
+        end
+
+        def method_missing(method_name, *args, &block)
+          policy_method_name = 'policy_%s' % method_name
+          if respond_to?(policy_method_name)
+            send(policy_method_name, *args, &block)
+          else
+            super
+          end
+        end
+
+        def policy_application_identifier
+          raise MissingOptionError, '`application_identifier` not defined'
+        end
+
+        def policy_application_secret
+          raise MissingOptionError, '`application_secret` not defined'
+        end
+
+        def policy_issuer
+          raise MissingOptionError, '`issuer` not defined'
+        end
+
+        def policy_tenant_name
+          raise MissingOptionError, '`tenant_name` not defined'
+        end
+
+        def policy_policy_name
+          raise MissingOptionError, '`policy_name` not defined'
+        end
+
+        def policy_host_name
+          'https://login.microsoftonline.com/te/%s/%s' % [tenant_name, policy_name]
+        end
+
+        def policy_authorization_endpoint
+          '%s/oauth2/v2.0/authorize' % host_name
+        end
+
+        def policy_token_endpoint
+          '%s/oauth2/v2.0/token' % host_name
+        end
+
+        def policy_jwks_uri
+          '%s/discovery/v2.0/keys' % host_name
+        end
+
+        def policy_jwk_signing_algorithm
+          # this can be "discovered" from the `jwks_uri` property at .well-known/openid-configuration
+          'RS256'.to_sym
+        end
+
+        def policy_id_token_signing_algorithm
+          policy_jwk_signing_algorithm
+        end
+
+        def policy_scope
+          [
+            :openid, # This requests an ID token
+            # :offline_access, # This requests a refresh token using Auth Code flows.  See: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oauth-code).
+            # Request API permissions.  See https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-access-tokens
+          ]
+        end
+
+        def policy_jwk_signing_keys
+          # public keys are listed at the url specified in the the `jwks_uri` property at .well-known/openid-configuration
+          # eg. https://login.microsoftonline.com/mipwtest.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_signupin
+          raise MissingOptionError, '`jwk_signing_keys` not defined'
+        end
+
+        def policy_default_client_options
+          {
+            identifier: application_identifier,
+            secret: application_secret,
+            authorization_endpoint: authorization_endpoint,
+            token_endpoint: token_endpoint,
+            jwks_uri: jwks_uri,
+          }
+        end
+
+        def policy_initialize_client(redirect_uri:, **override_options)
+          options = default_client_options.merge(override_options)
+          options[:redirect_uri] = redirect_uri
+          Client.new(options)
+        end
+
+      end # PolicyOptions
+    end # AzureActiveDirectoryB2C
+  end # Strategies
+end # OmniAuth

data/lib/omniauth/strategies/azure_active_directory_b2c/version.rb

@@ -0,0 +1,9 @@
+module OmniAuth
+  module Strategies
+    class AzureActiveDirectoryB2C
+
+      VERSION = '0.2.0'
+
+    end
+  end
+end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-azure_active_directory_b2c
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Brent Jacobs
+- NextFaze
+- Meeco
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-10-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: openid_connect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: proc_evaluate
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: 
+email: developers@meeco.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/omniauth-azure_active_directory_b2c.rb
+- lib/omniauth/strategies/azure_active_directory_b2c.rb
+- lib/omniauth/strategies/azure_active_directory_b2c/authentication_request.rb
+- lib/omniauth/strategies/azure_active_directory_b2c/authentication_response.rb
+- lib/omniauth/strategies/azure_active_directory_b2c/client.rb
+- lib/omniauth/strategies/azure_active_directory_b2c/jwt_validator.rb
+- lib/omniauth/strategies/azure_active_directory_b2c/policy.rb
+- lib/omniauth/strategies/azure_active_directory_b2c/policy_options.rb
+- lib/omniauth/strategies/azure_active_directory_b2c/version.rb
+homepage: https://github.com/Meeco/omniauth-azure_active_directory_b2c
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.12
+signing_key: 
+specification_version: 4
+summary: Azure AD B2C Strategy for OmniAuth.
+test_files: []