omniauth-entra_id_jwt 0.1.0

data/lib/omniauth/entra_id_jwt/version.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Entra
+    module Id
+      module JWT
+        VERSION = "0.1.0"
+      end
+    end
+  end
+end

data/lib/omniauth/entra_id_jwt.rb

@@ -0,0 +1,2 @@
+require File.join("omniauth", "entra_id_jwt", "version")
+require File.join("omniauth", "strategies", "entra_id_jwt")

data/lib/omniauth/strategies/entra_id_jwt.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+require "omniauth-oauth2"
+
+module OmniAuth
+  module Strategies
+    class EntraIdJWT < OmniAuth::Strategies::OAuth2
+      BASE_URL = "https://login.microsoftonline.com"
+
+      option :name, "entra_id_jwt"
+      option :tenant_provider, nil
+
+      DEFAULT_SCOPE    = "openid profile email"
+      COMMON_TENANT_ID = "common"
+
+      # The tenant_provider must return client_id, client_secret and,
+      # optionally, tenant_id and base_url.
+      #
+      args [:tenant_provider]
+
+      def client
+        provider = options.tenant_provider ? options.tenant_provider.new(self) : options
+        options.client_id = provider.client_id
+
+        unless provider.respond_to?(:client_secret) && provider.client_secret
+          raise ArgumentError, "You must provide client_secret"
+        end
+
+        options.client_secret = provider.client_secret
+
+        tenant_id = provider.respond_to?(:tenant_id) ? provider.tenant_id : COMMON_TENANT_ID
+        base_url =  provider.respond_to?(:base_url) ? provider.base_url : BASE_URL
+
+        options.authorize_params = provider.authorize_params if provider.respond_to?(:authorize_params)
+        options.token_params.scope = if defined?(request) && request.params["scope"]
+                                       request.params["scope"]
+                                     elsif provider.respond_to?(:scope) && provider.scope
+                                       provider.scope
+                                     else
+                                       DEFAULT_SCOPE
+                                     end
+        oauth2 = "oauth2/v2.0"
+
+        tenanted_endpoint_base_url = "#{base_url}/#{tenant_id}"
+
+        options.client_options.authorize_url = "#{tenanted_endpoint_base_url}/#{oauth2}/authorize"
+        options.client_options.token_url     = "#{tenanted_endpoint_base_url}/#{oauth2}/token"
+
+        # On Behalf Of flow requires the default as the grant_type, so should only need to be configured
+        # in the provider (if at all).
+        options.token_params.grant_type = if provider.respond_to?(:grant_type) && provider.grant_type
+                                            provider.grant_type
+                                          else
+                                            grant_type
+                                          end
+
+        # On Behalf Of flow requires the default as the requested_token_use, so should only need to be configured
+        # in the provider (if at all).
+        options.token_params.requested_token_use = if provider.respond_to?(:requested_token_use) && provider.requested_token_use
+                                                     provider.requested_token_use
+                                                   else
+                                                     requested_token_use
+                                                   end
+
+        super
+      end
+
+      uid do
+        raw_info["userPrincipalName"]
+      end
+
+      # As per omniauth-microsoft_graph definition
+      # https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema
+      info do
+        {
+          "name" =>       [raw_info["givenName"], raw_info["surname"]].join(' '),
+          "email" =>      raw_info["mail"],
+          "first_name" => raw_info["givenName"],
+          "last_name" =>  raw_info["surname"],
+          "nickname" =>   raw_info["displayName"],
+          "phone" =>      raw_info["mobilePhone"]
+        }
+      end
+
+
+      # Although the only extra referred to in https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema
+      # is raw_info, include other useful information such as tenant identifier as other keys.
+      # Probably best not to merge them all into the raw_info key, so they remain different.
+      extra do
+        {
+          'raw_info' => raw_info,
+          'params' => access_token.params,
+          'aud' => options.client_id,
+          'tid' => @jwt_data["tid"]
+        }
+      end
+
+      def callback_url
+        raise NotImplementedError, "Callback URL is not supported in on behalf of flow"
+      end
+
+      def raw_info
+        @raw_info = access_token.request(:get, "https://graph.microsoft.com/v1.0/me").parsed if @raw_info.nil?
+        @raw_info
+      end
+
+      def callback_phase
+        options.provider_ignores_state = true
+        super
+      end
+
+      protected
+
+      def grant_type
+        "urn:ietf:params:oauth:grant-type:jwt-bearer"
+      end
+
+      def requested_token_use
+        "on_behalf_of"
+      end
+
+      # This requires examining the request body, as it is almost definitely delivered as
+      # ContentType application/json
+      def build_access_token
+        body = JSON.parse(request.body.read)
+        request.body.rewind
+        # Need to store the JWT token here, as otherwise the actual tenant (tid)
+        # is not found in the subsequent /me API call.
+        # Check for tid claim, as it will be useful.
+        @jwt_data = JWT.decode(body['code'], nil, false, { required_claims: "tid" })[0]
+
+        client.get_token({ assertion: body['code'] }.merge(token_params))
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'entra_id_jwt', 'EntraIdJWT'

data/lib/omniauth-entra_id_jwt.rb

@@ -0,0 +1 @@
+require File.join("omniauth", "entra_id_jwt")

data/sig/omniauth/entra/id/jwt.rbs

@@ -0,0 +1,10 @@
+module OmniAuth
+  module Entra
+    module Id
+      module JWT
+        VERSION: String
+        # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,157 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-entra_id_jwt
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Benjamin Elias
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2025-06-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.25'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.25'
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description:
+email:
+- 12136262+collabital@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- LICENSE
+- LICENSE.txt
+- README.md
+- Rakefile
+- coverage/.last_run.json
+- coverage/.resultset.json
+- coverage/.resultset.json.lock
+- coverage/assets/0.13.1/DataTables-1.10.20/images/sort_asc.png
+- coverage/assets/0.13.1/DataTables-1.10.20/images/sort_asc_disabled.png
+- coverage/assets/0.13.1/DataTables-1.10.20/images/sort_both.png
+- coverage/assets/0.13.1/DataTables-1.10.20/images/sort_desc.png
+- coverage/assets/0.13.1/DataTables-1.10.20/images/sort_desc_disabled.png
+- coverage/assets/0.13.1/application.css
+- coverage/assets/0.13.1/application.js
+- coverage/assets/0.13.1/colorbox/border.png
+- coverage/assets/0.13.1/colorbox/controls.png
+- coverage/assets/0.13.1/colorbox/loading.gif
+- coverage/assets/0.13.1/colorbox/loading_background.png
+- coverage/assets/0.13.1/favicon_green.png
+- coverage/assets/0.13.1/favicon_red.png
+- coverage/assets/0.13.1/favicon_yellow.png
+- coverage/assets/0.13.1/images/ui-bg_flat_0_aaaaaa_40x100.png
+- coverage/assets/0.13.1/images/ui-bg_flat_75_ffffff_40x100.png
+- coverage/assets/0.13.1/images/ui-bg_glass_55_fbf9ee_1x400.png
+- coverage/assets/0.13.1/images/ui-bg_glass_65_ffffff_1x400.png
+- coverage/assets/0.13.1/images/ui-bg_glass_75_dadada_1x400.png
+- coverage/assets/0.13.1/images/ui-bg_glass_75_e6e6e6_1x400.png
+- coverage/assets/0.13.1/images/ui-bg_glass_95_fef1ec_1x400.png
+- coverage/assets/0.13.1/images/ui-bg_highlight-soft_75_cccccc_1x100.png
+- coverage/assets/0.13.1/images/ui-icons_222222_256x240.png
+- coverage/assets/0.13.1/images/ui-icons_2e83ff_256x240.png
+- coverage/assets/0.13.1/images/ui-icons_454545_256x240.png
+- coverage/assets/0.13.1/images/ui-icons_888888_256x240.png
+- coverage/assets/0.13.1/images/ui-icons_cd0a0a_256x240.png
+- coverage/assets/0.13.1/loading.gif
+- coverage/assets/0.13.1/magnify.png
+- coverage/index.html
+- lib/omniauth-entra_id_jwt.rb
+- lib/omniauth/entra_id_jwt.rb
+- lib/omniauth/entra_id_jwt/version.rb
+- lib/omniauth/strategies/entra_id_jwt.rb
+- sig/omniauth/entra/id/jwt.rbs
+homepage: https://github.com/collabital/omniauth-entra_id_jwt
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.23
+signing_key:
+specification_version: 4
+summary: OAuth 2 authentication with the Entra ID API using an On Behalf Of JWT token.
+test_files: []