omniauth-central_login 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3b793818ae26da1e2cc4ba307f830fbb2d08b181830993887cb7727c6420cb5c
-  data.tar.gz: f38f0d304c5aba3d17bc9be324880bd99a8fa3ba51c22ec9ad5c7fd57ad71d8f
+  metadata.gz: 7a2e042cb3c151ef206a36de06beff6f563001d8faae0a9b561e1c647b44566a
+  data.tar.gz: 7546815597889a165e18312fdb71cd8cf7b01e8b0d659260775e4baa8fcf7209
 SHA512:
-  metadata.gz: a854db70b3305e814b79c289780d9fed8951681d55c90d7dfdc4aa291f4448f4834dc8d75b3fd87055b82b4a3c74f1b76ba6eb9c213d2f9b0604c333971fe2d6
-  data.tar.gz: dfe05e3bc5546926bf7dcdb48bc42e4da1ada46c4bfdfb32f79790fbfd639ec267bba8243a245febd2194adbd9e6cd56ff73d7589d7adca2ee3459d776967eb5
+  metadata.gz: 1382ebbea861023fd931f1452bea972132e132bbe1cff539f5060e26e8768931bd83d5bf5f6a1eef822ee4dda79d193b7a1155b233437244fa9a4337f072d0b9
+  data.tar.gz: 0bd4fef9ca7a379aa66258b32614f0971c4b42c1a3f8eb27b0c219e8ce677da064cdc93df95970257e8015269a390659f8feb8f89ae11b64db380e7fc808375f

data/CHANGELOG.md

@@ -1,4 +1,6 @@
-## [Unreleased]
+## [0.1.2]
+
+- Parse (and return) ID token using JKT validation (using jwks); instead of requesting userinfo
 
 ## [0.1.1] - 2021-12-02
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    omniauth-central_login (0.1.0)
+    omniauth-central_login (0.1.1)
       omniauth-oauth2 (~> 1.7)
 
 GEM
@@ -47,7 +47,7 @@ GEM
       oauth2 (~> 1.4)
       omniauth (>= 1.9, < 3)
     parallel (1.21.0)
-    parser (3.0.2.0)
+    parser (3.0.3.1)
       ast (~> 2.4.1)
     rack (2.2.3)
     rack-protection (2.1.0)
@@ -65,7 +65,7 @@ GEM
       rubocop-ast (>= 1.12.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.13.0)
+    rubocop-ast (1.14.0)
       parser (>= 3.0.1.1)
     rubocop-minitest (0.17.0)
       rubocop (>= 0.90, < 2.0)

data/README.md

@@ -27,13 +27,14 @@ Configuring Omniauth:
         scope: "openid email profile",
         client_options: {
           site: ENV['CENTRAL_LOGIN_URL']
-        }
+          },
+        response_type: "id_token" # saves another round trip, but is optional
       }
     end
 
 Configuration for Devise (using omniauthable):
 
-    config.omniauth :central_login, Rails.application.secrets.central_login_id, Rails.application.secrets.central_login_secret, {client_options: {site: Rails.application.secrets.central_login_site}, scope: "openid email profile"}
+    config.omniauth :central_login, Rails.application.secrets.central_login_id, Rails.application.secrets.central_login_secret, {client_options: {site: Rails.application.secrets.central_login_site}, scope: "openid email profile", response_type: "id_token"}
 
 ## Development
 

data/lib/omniauth/central_login/version.rb

@@ -2,6 +2,6 @@
 
 module Omniauth
   module CentralLogin
-    VERSION = "0.1.1"
+    VERSION = "0.1.2"
   end
 end

data/lib/omniauth/strategies/central_login.rb

@@ -27,11 +27,12 @@ module OmniAuth
     #     {client_options: {site: Rails.application.secrets.central_login_site}, scope: "openid email profile"}
     #
     class CentralLogin < OmniAuth::Strategies::OAuth2
+
       # /.well-known/openid-configuration
       option :name, "central_login"
-      option :client_options, site: ""
-
+      option :client_options, {site: ""}
       option :redirect_url
+      option :scope, "openid"
 
       uid { raw_info["uid"].to_s }
 
@@ -44,27 +45,51 @@ module OmniAuth
       end
 
       extra do
-        { raw_info: raw_info }
+        { raw_info: raw_info, id_token: id_token }
+      end
+
+      def id_token
+        if options.response_type.to_s == "id_token"
+          @id_token ||= access_token["id_token"]
+        end
+      end
+
+      def validate_id_token(id_token)
+        JWT.decode(id_token, nil, true, {
+          algorithms: ["RS256"],
+          jwks: jwks,
+          iss: options.client_options[:site]
+        })[0]
       end
 
       def raw_info
         return @raw_info if @raw_info
 
-        @raw_info = access_token.get("/oauth/userinfo").parsed
-        @raw_info["id_token"] = access_token["id_token"]
+        if id_token
+          @raw_info = validate_id_token(id_token)
+        else
+          @raw_info = access_token.get("/oauth/userinfo").parsed
 
-        if @raw_info
-          @raw_info["issuer"] = access_token
-                                .get("/.well-known/webfinger?resource=#{@raw_info["email"]}")
-                                .parsed["links"]
-                                .select { |a| a["rel"] == "http://openid.net/specs/connect/1.0/issuer" }[0]["href"]
+          if @raw_info
+            @raw_info["issuer"] = access_token
+                                  .get("/.well-known/webfinger?resource=#{@raw_info["email"]}")
+                                  .parsed["links"]
+                                  .select { |a| a["rel"] == "http://openid.net/specs/connect/1.0/issuer" }[0]["href"]
+          end
         end
 
         @raw_info
+
+      rescue ::OAuth2::Error => e
+        raise ::Omniauth::CentralLogin::Error, "Make sure you have 'openid' added as scope (OAuth2::error: #{e.message})"
       end
 
       private
 
+      def jwks
+        JSON.parse(Faraday::Connection.new(URI.join(options.client_options[:site], "oauth/discovery/keys")).get.body)
+      end
+
       def callback_url
         options.redirect_url || (full_host + script_name + callback_path)
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-central_login
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - murb
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-12-02 00:00:00.000000000 Z
+date: 2021-12-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2