omniauth-infinum_azure 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2500782d665615534b203f408ce34b1a62bb7f20b1e1157b61407c430526cd70
-  data.tar.gz: 7efd370f76da93a58066a11d026818f4ce3567eee9eb023143e7c3f3a39f4a9a
+  metadata.gz: 5f65c0ecb50026f5054eb06ec283fa5e0c6ee9b1d441f953af5e26c8c3c2e894
+  data.tar.gz: acbe8eca776bc740a8e7169d03d034027709aac1a4ad6fb09d56ad462263a0a5
 SHA512:
-  metadata.gz: 9d7c882dffaba7ce875458fea4995af5f4b86818694ab8774d90f983bd49c87f734e360e6ddf239a2937a5f7e672ec2c9b97855440c65d0f117e466d8fd56c0f
-  data.tar.gz: e918d56939e2bcbf36646a448d94fe1b72886363da5811fb41a01ca034590e4291e854acbdc583a3789f0a837cc0c6a3eff796d990d0e40db87ee0c532736fad
+  metadata.gz: 61f8278bb79690f2b487807edeee3041a47421474cae2601394f45d02e514f2abe555ea0d594efec9dc46929879c1660920effff7585987985cea29a5139cf87
+  data.tar.gz: 152cef7c3c1036b22546e0dcb49cc01ce4f8ea98f454b95f077752a914fc5d7c10507cbf1f9372679fa54944b76077126857aa422a1d78022edb364e309ddf4b

data/.rubocop.yml

@@ -10,3 +10,7 @@ Style/Documentation:
 
 Layout/LineLength:
   Max: 120
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*_spec.rb'

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## [Unreleased]
 
+## [0.4.0] - 2023-09-05
+
+- Add JWT signature validation
+
 ## [0.3.0] - 2023-06-14
 
 - Add *provider_groups*, *avatar_url*, *deactivated_at* and *employee* to `#info`

data/Gemfile.lock

@@ -1,12 +1,14 @@
 PATH
   remote: .
   specs:
-    omniauth-infinum_azure (0.3.0)
+    omniauth-infinum_azure (0.4.0)
       omniauth-oauth2
 
 GEM
   remote: https://rubygems.org/
   specs:
+    byebug (11.1.3)
+    coderay (1.1.3)
     diff-lcs (1.5.0)
     faraday (2.7.4)
       faraday-net_http (>= 2.0, < 3.1)
@@ -14,6 +16,7 @@ GEM
     faraday-net_http (3.0.2)
     hashie (5.0.0)
     jwt (2.7.0)
+    method_source (1.0.0)
     multi_xml (0.6.0)
     oauth2 (2.0.9)
       faraday (>= 0.17.3, < 3.0)
@@ -29,6 +32,12 @@ GEM
     omniauth-oauth2 (1.8.0)
       oauth2 (>= 1.4, < 3)
       omniauth (~> 2.0)
+    pry (0.14.2)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    pry-byebug (3.10.1)
+      byebug (~> 11.0)
+      pry (>= 0.13, < 0.15)
     rack (3.0.4.2)
     rack-protection (3.0.5)
       rack
@@ -58,6 +67,8 @@ PLATFORMS
 DEPENDENCIES
   bundler (~> 2.1)
   omniauth-infinum_azure!
+  pry
+  pry-byebug
   rake (~> 13.0)
   rspec (~> 3.0)
 

data/lib/omniauth/infinum_azure/version.rb

@@ -2,6 +2,6 @@
 
 module Omniauth
   module InfinumAzure
-    VERSION = '0.3.0'
+    VERSION = '0.4.0'
   end
 end

data/lib/omniauth/infinum_azure.rb

@@ -3,4 +3,5 @@
 require 'omniauth-oauth2'
 
 require 'omniauth/infinum_azure/version'
+require 'omniauth/jwt/parser'
 require 'omniauth/strategies/infinum_azure'

data/lib/omniauth/jwt/parser.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Jwt
+    class Parser
+      DEFAULT_ALG = 'RS256'
+      attr_reader :token, :client
+
+      def initialize(token, client:)
+        @token = token
+        @client = client
+      end
+
+      def validated_payload
+        ::JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
+      end
+
+      private
+
+      def jwks
+        @jwks ||= JWT::JWK::Set.new(
+          jwks_response['keys'].map do |key|
+            key.merge(alg: jwt_headers['alg'] || DEFAULT_ALG)
+          end
+        )
+      end
+
+      def jwks_response
+        JSON.parse(
+          client.request(:get, client.options[:jwks_url]).body
+        )
+      end
+
+      def jwt_headers
+        decoded_jwt.last
+      end
+
+      def decoded_jwt
+        @decoded_jwt ||= ::JWT.decode(token, nil, false)
+      end
+
+      def algorithms
+        jwks.map { |key| key[:alg] }.compact.uniq
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/infinum_azure.rb

@@ -9,71 +9,71 @@ module OmniAuth
       option :policy, 'B2C_1A_SIGNUP_SIGNIN'
       option :scope, 'openid'
 
-      def client
-        options.client_options.authorize_url = File.join(base_azure_url, 'authorize')
-        options.client_options.token_url = File.join(base_azure_url, 'token')
+      def client # rubocop:disable Metrics/AbcSize
+        options.client_options.authorize_url = File.join(azure_oauth_url, 'authorize')
+        options.client_options.token_url = File.join(azure_oauth_url, 'token')
+        options.client_options.jwks_url = File.join(base_azure_url, 'discovery/v2.0/keys')
+        options.client_options.logout_url = File.join(azure_oauth_url, 'logout').concat(
+          "?post_logout_redirect_uri=#{File.join(full_host, path_prefix, 'logout')}"
+        )
 
         super
       end
 
-      def base_azure_url
-        raise 'Tenant not provided' if tenant.nil?
-
-        "https://#{tenant}.b2clogin.com/#{tenant}.onmicrosoft.com/#{options.policy}/oauth2/v2.0"
+      def azure_oauth_url
+        File.join(base_azure_url, 'oauth2/v2.0')
       end
 
-      def tenant
-        options.client_options.tenant
+      def base_azure_url
+        raise 'Tenant not provided' if options.client_options.tenant.nil?
+
+        "https://#{options.client_options.tenant}.b2clogin.com/#{options.client_options.tenant}.onmicrosoft.com/#{options.policy}"
       end
 
       def other_phase
         return call_app! unless current_path == File.join(path_prefix, name.to_s, 'logout')
 
-        redirect(logout_url)
-      end
-
-      def logout_url
-        File.join(base_azure_url, 'logout') + "?post_logout_redirect_uri=#{File.join(full_host, path_prefix, 'logout')}"
+        redirect(client.options[:logout_url])
       end
 
       uid do
-        raw_info['sub']
+        jwt_payload['sub']
       end
 
       info do
         {
-          email: raw_info['email'],
-          name: raw_info['name'],
-          first_name: raw_info['given_name'],
-          last_name: raw_info['family_name'],
-          provider_groups: raw_info['extension_userGroup'],
-          avatar_url: raw_info['extension_avatarUrl'],
+          email: jwt_payload['email'],
+          name: jwt_payload['name'],
+          first_name: jwt_payload['given_name'],
+          last_name: jwt_payload['family_name'],
+          provider_groups: jwt_payload['extension_userGroup'],
+          avatar_url: jwt_payload['extension_avatarUrl'],
           deactivated_at: deactivated_at,
           employee: employee
         }
       end
 
-      def extra
+      extra do
         {
           refresh_token: access_token.refresh_token,
           refresh_token_expires_in: access_token.params[:refresh_token_expires_in],
           params: access_token.params,
-          raw_info: raw_info
+          raw_info: jwt_payload
         }
       end
 
-      def raw_info
-        @raw_info ||= ::JWT.decode(access_token.token, nil, false).first
-      end
-
       private
 
       def deactivated_at
-        raw_info['extension_deactivated'] == false ? nil : Time.now.utc
+        jwt_payload['extension_deactivated'] == false ? nil : Time.now.utc
       end
 
       def employee
-        raw_info['extension_userGroup'].include?('employees')
+        jwt_payload['extension_userGroup'].include?('employees')
+      end
+
+      def jwt_payload
+        @jwt_payload ||= Jwt::Parser.new(access_token.token, client: client).validated_payload
       end
     end
   end

data/omniauth-infinum_azure.gemspec

@@ -31,6 +31,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'bundler', '~> 2.1'
   spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'pry-byebug'
 
   spec.add_dependency 'omniauth-oauth2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-infinum_azure
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Marko Ćilimković
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-06-14 00:00:00.000000000 Z
+date: 2023-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,6 +52,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
@@ -87,6 +115,7 @@ files:
 - bin/setup
 - lib/omniauth/infinum_azure.rb
 - lib/omniauth/infinum_azure/version.rb
+- lib/omniauth/jwt/parser.rb
 - lib/omniauth/strategies/infinum_azure.rb
 - omniauth-infinum_azure.gemspec
 homepage: https://github.com/infinum/ruby-infinum-azure-omniauth
@@ -112,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.17
 signing_key:
 specification_version: 4
 summary: Gem that contains OAuth2 strategies for Infinum, such as Infinum Azure AD