omniauth-infinum_azure 0.3.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +4 -0
- data/CHANGELOG.md +9 -0
- data/Gemfile.lock +13 -1
- data/README.md +4 -1
- data/lib/omniauth/infinum_azure/version.rb +1 -1
- data/lib/omniauth/infinum_azure.rb +1 -0
- data/lib/omniauth/jwt/parser.rb +47 -0
- data/lib/omniauth/strategies/infinum_azure.rb +30 -29
- data/omniauth-infinum_azure.gemspec +2 -0
- metadata +32 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 459149341a832a977e44229eb81f8893a64e532697be3ddc851c2a9ddb7174ad
|
|
4
|
+
data.tar.gz: 8ab0ab169e521a9a73dd98e52cc60804d8ecc65976292e543119e98c796de46f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7a48500a1e468b5f4b79e7dd7bffdbbcfba1c3f2081474a1226008ae949de6f6703075dd71f72e87314046db9af33b9b4624fa85f4f9533d99a70bb884d36043
|
|
7
|
+
data.tar.gz: c46a38f511734c1add6afeef627f617ecb345be30016ac4518fd60f687118381ee71ec656207a86b048290a3ae075ece382cc9113ce352d2fbd518bbdeb1b073
|
data/.rubocop.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,14 @@
|
|
|
1
1
|
## [Unreleased]
|
|
2
2
|
|
|
3
|
+
## [1.0.0] - 2024-03-12
|
|
4
|
+
|
|
5
|
+
**BREAKING CHANGE**
|
|
6
|
+
- Add `domain` client option - prior versions were using a hardcoded part in the domain (b2clogin.com). Version 1 and later will require this to be provided by the client.
|
|
7
|
+
|
|
8
|
+
## [0.4.0] - 2023-09-05
|
|
9
|
+
|
|
10
|
+
- Add JWT signature validation
|
|
11
|
+
|
|
3
12
|
## [0.3.0] - 2023-06-14
|
|
4
13
|
|
|
5
14
|
- Add *provider_groups*, *avatar_url*, *deactivated_at* and *employee* to `#info`
|
data/Gemfile.lock
CHANGED
|
@@ -1,12 +1,14 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
omniauth-infinum_azure (0.
|
|
4
|
+
omniauth-infinum_azure (1.0.0)
|
|
5
5
|
omniauth-oauth2
|
|
6
6
|
|
|
7
7
|
GEM
|
|
8
8
|
remote: https://rubygems.org/
|
|
9
9
|
specs:
|
|
10
|
+
byebug (11.1.3)
|
|
11
|
+
coderay (1.1.3)
|
|
10
12
|
diff-lcs (1.5.0)
|
|
11
13
|
faraday (2.7.4)
|
|
12
14
|
faraday-net_http (>= 2.0, < 3.1)
|
|
@@ -14,6 +16,7 @@ GEM
|
|
|
14
16
|
faraday-net_http (3.0.2)
|
|
15
17
|
hashie (5.0.0)
|
|
16
18
|
jwt (2.7.0)
|
|
19
|
+
method_source (1.0.0)
|
|
17
20
|
multi_xml (0.6.0)
|
|
18
21
|
oauth2 (2.0.9)
|
|
19
22
|
faraday (>= 0.17.3, < 3.0)
|
|
@@ -29,6 +32,12 @@ GEM
|
|
|
29
32
|
omniauth-oauth2 (1.8.0)
|
|
30
33
|
oauth2 (>= 1.4, < 3)
|
|
31
34
|
omniauth (~> 2.0)
|
|
35
|
+
pry (0.14.2)
|
|
36
|
+
coderay (~> 1.1)
|
|
37
|
+
method_source (~> 1.0)
|
|
38
|
+
pry-byebug (3.10.1)
|
|
39
|
+
byebug (~> 11.0)
|
|
40
|
+
pry (>= 0.13, < 0.15)
|
|
32
41
|
rack (3.0.4.2)
|
|
33
42
|
rack-protection (3.0.5)
|
|
34
43
|
rack
|
|
@@ -54,10 +63,13 @@ GEM
|
|
|
54
63
|
|
|
55
64
|
PLATFORMS
|
|
56
65
|
arm64-darwin-21
|
|
66
|
+
arm64-darwin-22
|
|
57
67
|
|
|
58
68
|
DEPENDENCIES
|
|
59
69
|
bundler (~> 2.1)
|
|
60
70
|
omniauth-infinum_azure!
|
|
71
|
+
pry
|
|
72
|
+
pry-byebug
|
|
61
73
|
rake (~> 13.0)
|
|
62
74
|
rspec (~> 3.0)
|
|
63
75
|
|
data/README.md
CHANGED
|
@@ -33,7 +33,10 @@ config.omniauth(
|
|
|
33
33
|
:infinum_azure,
|
|
34
34
|
'InfinumAzure_client_id',
|
|
35
35
|
'InfinumAzure_client_secret',
|
|
36
|
-
client_options: {
|
|
36
|
+
client_options: {
|
|
37
|
+
domain: 'https://login.b2c.com',
|
|
38
|
+
tenant: 'InfinumAzureTenantName'
|
|
39
|
+
}
|
|
37
40
|
)
|
|
38
41
|
```
|
|
39
42
|
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module OmniAuth
|
|
4
|
+
module Jwt
|
|
5
|
+
class Parser
|
|
6
|
+
DEFAULT_ALG = 'RS256'
|
|
7
|
+
attr_reader :token, :client
|
|
8
|
+
|
|
9
|
+
def initialize(token, client:)
|
|
10
|
+
@token = token
|
|
11
|
+
@client = client
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def validated_payload
|
|
15
|
+
::JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
private
|
|
19
|
+
|
|
20
|
+
def jwks
|
|
21
|
+
@jwks ||= JWT::JWK::Set.new(
|
|
22
|
+
jwks_response['keys'].map do |key|
|
|
23
|
+
key.merge(alg: jwt_headers['alg'] || DEFAULT_ALG)
|
|
24
|
+
end
|
|
25
|
+
)
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def jwks_response
|
|
29
|
+
JSON.parse(
|
|
30
|
+
client.request(:get, client.options[:jwks_url]).body
|
|
31
|
+
)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def jwt_headers
|
|
35
|
+
decoded_jwt.last
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def decoded_jwt
|
|
39
|
+
@decoded_jwt ||= ::JWT.decode(token, nil, false)
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
def algorithms
|
|
43
|
+
jwks.map { |key| key[:alg] }.compact.uniq
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
@@ -9,71 +9,72 @@ module OmniAuth
|
|
|
9
9
|
option :policy, 'B2C_1A_SIGNUP_SIGNIN'
|
|
10
10
|
option :scope, 'openid'
|
|
11
11
|
|
|
12
|
-
def client
|
|
13
|
-
options.client_options.authorize_url = File.join(
|
|
14
|
-
options.client_options.token_url = File.join(
|
|
12
|
+
def client # rubocop:disable Metrics/AbcSize
|
|
13
|
+
options.client_options.authorize_url = File.join(azure_oauth_url, 'authorize')
|
|
14
|
+
options.client_options.token_url = File.join(azure_oauth_url, 'token')
|
|
15
|
+
options.client_options.jwks_url = File.join(base_azure_url, 'discovery/v2.0/keys')
|
|
16
|
+
options.client_options.logout_url = File.join(azure_oauth_url, 'logout').concat(
|
|
17
|
+
"?post_logout_redirect_uri=#{File.join(full_host, path_prefix, 'logout')}"
|
|
18
|
+
)
|
|
15
19
|
|
|
16
20
|
super
|
|
17
21
|
end
|
|
18
22
|
|
|
19
|
-
def
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
"https://#{tenant}.b2clogin.com/#{tenant}.onmicrosoft.com/#{options.policy}/oauth2/v2.0"
|
|
23
|
+
def azure_oauth_url
|
|
24
|
+
File.join(base_azure_url, 'oauth2/v2.0')
|
|
23
25
|
end
|
|
24
26
|
|
|
25
|
-
def
|
|
26
|
-
options.client_options.
|
|
27
|
+
def base_azure_url # rubocop:disable Metrics/AbcSize
|
|
28
|
+
raise 'Domain not provided' if options.client_options.domain.nil?
|
|
29
|
+
raise 'Tenant not provided' if options.client_options.tenant.nil?
|
|
30
|
+
|
|
31
|
+
"#{options.client_options.domain}/#{options.client_options.tenant}.onmicrosoft.com/#{options.policy}"
|
|
27
32
|
end
|
|
28
33
|
|
|
29
34
|
def other_phase
|
|
30
35
|
return call_app! unless current_path == File.join(path_prefix, name.to_s, 'logout')
|
|
31
36
|
|
|
32
|
-
redirect(logout_url)
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
def logout_url
|
|
36
|
-
File.join(base_azure_url, 'logout') + "?post_logout_redirect_uri=#{File.join(full_host, path_prefix, 'logout')}"
|
|
37
|
+
redirect(client.options[:logout_url])
|
|
37
38
|
end
|
|
38
39
|
|
|
39
40
|
uid do
|
|
40
|
-
|
|
41
|
+
jwt_payload['sub']
|
|
41
42
|
end
|
|
42
43
|
|
|
43
44
|
info do
|
|
44
45
|
{
|
|
45
|
-
email:
|
|
46
|
-
name:
|
|
47
|
-
first_name:
|
|
48
|
-
last_name:
|
|
49
|
-
provider_groups:
|
|
50
|
-
avatar_url:
|
|
46
|
+
email: jwt_payload['email'],
|
|
47
|
+
name: jwt_payload['name'],
|
|
48
|
+
first_name: jwt_payload['given_name'],
|
|
49
|
+
last_name: jwt_payload['family_name'],
|
|
50
|
+
provider_groups: jwt_payload['extension_userGroup'],
|
|
51
|
+
avatar_url: jwt_payload['extension_avatarUrl'],
|
|
51
52
|
deactivated_at: deactivated_at,
|
|
52
53
|
employee: employee
|
|
53
54
|
}
|
|
54
55
|
end
|
|
55
56
|
|
|
56
|
-
|
|
57
|
+
extra do
|
|
57
58
|
{
|
|
58
59
|
refresh_token: access_token.refresh_token,
|
|
59
60
|
refresh_token_expires_in: access_token.params[:refresh_token_expires_in],
|
|
60
61
|
params: access_token.params,
|
|
61
|
-
raw_info:
|
|
62
|
+
raw_info: jwt_payload
|
|
62
63
|
}
|
|
63
64
|
end
|
|
64
65
|
|
|
65
|
-
def raw_info
|
|
66
|
-
@raw_info ||= ::JWT.decode(access_token.token, nil, false).first
|
|
67
|
-
end
|
|
68
|
-
|
|
69
66
|
private
|
|
70
67
|
|
|
71
68
|
def deactivated_at
|
|
72
|
-
|
|
69
|
+
jwt_payload['extension_deactivated'] == false ? nil : Time.now.utc
|
|
73
70
|
end
|
|
74
71
|
|
|
75
72
|
def employee
|
|
76
|
-
|
|
73
|
+
jwt_payload['extension_userGroup'].include?('employees')
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def jwt_payload
|
|
77
|
+
@jwt_payload ||= Jwt::Parser.new(access_token.token, client: client).validated_payload
|
|
77
78
|
end
|
|
78
79
|
end
|
|
79
80
|
end
|
|
@@ -31,6 +31,8 @@ Gem::Specification.new do |spec|
|
|
|
31
31
|
spec.add_development_dependency 'bundler', '~> 2.1'
|
|
32
32
|
spec.add_development_dependency 'rake', '~> 13.0'
|
|
33
33
|
spec.add_development_dependency 'rspec', '~> 3.0'
|
|
34
|
+
spec.add_development_dependency 'pry'
|
|
35
|
+
spec.add_development_dependency 'pry-byebug'
|
|
34
36
|
|
|
35
37
|
spec.add_dependency 'omniauth-oauth2'
|
|
36
38
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-infinum_azure
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 1.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Marko Ćilimković
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-03-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -52,6 +52,34 @@ dependencies:
|
|
|
52
52
|
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
54
|
version: '3.0'
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: pry
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - ">="
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: '0'
|
|
62
|
+
type: :development
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - ">="
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: '0'
|
|
69
|
+
- !ruby/object:Gem::Dependency
|
|
70
|
+
name: pry-byebug
|
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
|
72
|
+
requirements:
|
|
73
|
+
- - ">="
|
|
74
|
+
- !ruby/object:Gem::Version
|
|
75
|
+
version: '0'
|
|
76
|
+
type: :development
|
|
77
|
+
prerelease: false
|
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
79
|
+
requirements:
|
|
80
|
+
- - ">="
|
|
81
|
+
- !ruby/object:Gem::Version
|
|
82
|
+
version: '0'
|
|
55
83
|
- !ruby/object:Gem::Dependency
|
|
56
84
|
name: omniauth-oauth2
|
|
57
85
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -87,6 +115,7 @@ files:
|
|
|
87
115
|
- bin/setup
|
|
88
116
|
- lib/omniauth/infinum_azure.rb
|
|
89
117
|
- lib/omniauth/infinum_azure/version.rb
|
|
118
|
+
- lib/omniauth/jwt/parser.rb
|
|
90
119
|
- lib/omniauth/strategies/infinum_azure.rb
|
|
91
120
|
- omniauth-infinum_azure.gemspec
|
|
92
121
|
homepage: https://github.com/infinum/ruby-infinum-azure-omniauth
|
|
@@ -112,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
112
141
|
- !ruby/object:Gem::Version
|
|
113
142
|
version: '0'
|
|
114
143
|
requirements: []
|
|
115
|
-
rubygems_version: 3.
|
|
144
|
+
rubygems_version: 3.4.17
|
|
116
145
|
signing_key:
|
|
117
146
|
specification_version: 4
|
|
118
147
|
summary: Gem that contains OAuth2 strategies for Infinum, such as Infinum Azure AD
|