omniauth-infinum_azure 0.3.0 → 1.0.0

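--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 2500782d665615534b203f408ce34b1a62bb7f20b1e1157b61407c430526cd70
- data.tar.gz: 7efd370f76da93a58066a11d026818f4ce3567eee9eb023143e7c3f3a39f4a9a
+ metadata.gz: 459149341a832a977e44229eb81f8893a64e532697be3ddc851c2a9ddb7174ad
+ data.tar.gz: 8ab0ab169e521a9a73dd98e52cc60804d8ecc65976292e543119e98c796de46f
  SHA512:
- metadata.gz: 9d7c882dffaba7ce875458fea4995af5f4b86818694ab8774d90f983bd49c87f734e360e6ddf239a2937a5f7e672ec2c9b97855440c65d0f117e466d8fd56c0f
- data.tar.gz: e918d56939e2bcbf36646a448d94fe1b72886363da5811fb41a01ca034590e4291e854acbdc583a3789f0a837cc0c6a3eff796d990d0e40db87ee0c532736fad
+ metadata.gz: 7a48500a1e468b5f4b79e7dd7bffdbbcfba1c3f2081474a1226008ae949de6f6703075dd71f72e87314046db9af33b9b4624fa85f4f9533d99a70bb884d36043
+ data.tar.gz: c46a38f511734c1add6afeef627f617ecb345be30016ac4518fd60f687118381ee71ec656207a86b048290a3ae075ece382cc9113ce352d2fbd518bbdeb1b073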
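--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -10,3 +10,7 @@ Style/Documentation:
 
  Layout/LineLength:
  Max: 120
+
+ Metrics/BlockLength:
+ Exclude:
+ - 'spec/**/*_spec.rb'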
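--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,14 @@
  ## [Unreleased]
 
+ ## [1.0.0] - 2024-03-12
+
+ **BREAKING CHANGE**
+ - Add `domain` client option - prior versions were using a hardcoded part in the domain (b2clogin.com). Version 1 and later will require this to be provided by the client.
+
+ ## [0.4.0] - 2023-09-05
+
+ - Add JWT signature validation
+
  ## [0.3.0] - 2023-06-14
 
  - Add *provider_groups*, *avatar_url*, *deactivated_at* and *employee* to `#info`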
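--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,12 +1,14 @@
  PATH
  remote: .
  specs:
- omniauth-infinum_azure (0.3.0)
+ omniauth-infinum_azure (1.0.0)
  omniauth-oauth2
 
  GEM
  remote: https://rubygems.org/
  specs:
+ byebug (11.1.3)
+ coderay (1.1.3)
  diff-lcs (1.5.0)
  faraday (2.7.4)
  faraday-net_http (>= 2.0, < 3.1)
@@ -14,6 +16,7 @@ GEM
  faraday-net_http (3.0.2)
  hashie (5.0.0)
  jwt (2.7.0)
+ method_source (1.0.0)
  multi_xml (0.6.0)
  oauth2 (2.0.9)
  faraday (>= 0.17.3, < 3.0)
@@ -29,6 +32,12 @@ GEM
  omniauth-oauth2 (1.8.0)
  oauth2 (>= 1.4, < 3)
  omniauth (~> 2.0)
+ pry (0.14.2)
+ coderay (~> 1.1)
+ method_source (~> 1.0)
+ pry-byebug (3.10.1)
+ byebug (~> 11.0)
+ pry (>= 0.13, < 0.15)
  rack (3.0.4.2)
  rack-protection (3.0.5)
  rack
@@ -54,10 +63,13 @@ GEM
 
  PLATFORMS
  arm64-darwin-21
+ arm64-darwin-22
 
  DEPENDENCIES
  bundler (~> 2.1)
  omniauth-infinum_azure!
+ pry
+ pry-byebug
  rake (~> 13.0)
  rspec (~> 3.0)
 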
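--- a/data/README.md
+++ b/data/README.md
@@ -33,7 +33,10 @@ config.omniauth(
  :infinum_azure,
  'InfinumAzure_client_id',
  'InfinumAzure_client_secret',
- client_options: { tenant: 'InfinumAzureTenantName' }
+ client_options: {
+ domain: 'https://login.b2c.com',
+ tenant: 'InfinumAzureTenantName'
+ }
  )
  ```
 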
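--- a/data/lib/omniauth/infinum_azure/version.rb
+++ b/data/lib/omniauth/infinum_azure/version.rb
@@ -2,6 +2,6 @@
 
  module Omniauth
  module InfinumAzure
- VERSION = '0.3.0'
+ VERSION = '1.0.0'
  end
  end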
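--- a/data/lib/omniauth/infinum_azure.rb
+++ b/data/lib/omniauth/infinum_azure.rb
@@ -3,4 +3,5 @@
  require 'omniauth-oauth2'
 
  require 'omniauth/infinum_azure/version'
+ require 'omniauth/jwt/parser'
  require 'omniauth/strategies/infinum_azure'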
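--- /dev/null
+++ b/data/lib/omniauth/jwt/parser.rb
@@ -0,0 +1,47 @@
+ # frozen_string_literal: true
+
+ module OmniAuth
+ module Jwt
+ class Parser
+ DEFAULT_ALG = 'RS256'
+ attr_reader :token, :client
+
+ def initialize(token, client:)
+ @token = token
+ @client = client
+ end
+
+ def validated_payload
+ ::JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
+ end
+
+ private
+
+ def jwks
+ @jwks ||= JWT::JWK::Set.new(
+ jwks_response['keys'].map do |key|
+ key.merge(alg: jwt_headers['alg'] || DEFAULT_ALG)
+ end
+ )
+ end
+
+ def jwks_response
+ JSON.parse(
+ client.request(:get, client.options[:jwks_url]).body
+ )
+ end
+
+ def jwt_headers
+ decoded_jwt.last
+ end
+
+ def decoded_jwt
+ @decoded_jwt ||= ::JWT.decode(token, nil, false)
+ end
+
+ def algorithms
+ jwks.map { |key| key[:alg] }.compact.uniq
+ end
+ end
+ end
+ end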
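Review bot: The accepted-algorithms list in `validated_payload` is derived from the token's own unverified header — `jwks` stamps `jwt_headers['alg']` onto every JWKS key and `algorithms` reads it back — so the token being validated decides which algorithm the verifier accepts instead of the verifier pinning it. Pin the list to what the provider signs with, `algorithms: [DEFAULT_ALG]`, and take a key's algorithm from the JWKS document rather than from the token, `key.merge(alg: key['alg'] || DEFAULT_ALG)`; `jwt_headers` and `decoded_jwt` then become unused and the unverified pre-decode goes away. `JWT.decode` is also never told who the token is for: with `true` it checks expiry by default but not audience or issuer, so passing `aud: client.id, verify_aud: true` (and `iss:` plus `verify_iss: true` with the policy's issuer, if it is known at configuration time) would reject tokens minted for another client. Finally, `jwks_response['keys']` raises a bare NoMethodError rather than a clear error when the JWKS endpoint returns a non-JSON or keyless body, and the key set is re-fetched over the network for every new Parser (i.e. every login); `jwks_response.fetch('keys')` and a cache keyed by `client.options[:jwks_url]` would address both.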
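--- a/data/lib/omniauth/strategies/infinum_azure.rb
+++ b/data/lib/omniauth/strategies/infinum_azure.rb
@@ -9,71 +9,72 @@ module OmniAuth
  option :policy, 'B2C_1A_SIGNUP_SIGNIN'
  option :scope, 'openid'
 
- def client
- options.client_options.authorize_url = File.join(base_azure_url, 'authorize')
- options.client_options.token_url = File.join(base_azure_url, 'token')
+ def client # rubocop:disable Metrics/AbcSize
+ options.client_options.authorize_url = File.join(azure_oauth_url, 'authorize')
+ options.client_options.token_url = File.join(azure_oauth_url, 'token')
+ options.client_options.jwks_url = File.join(base_azure_url, 'discovery/v2.0/keys')
+ options.client_options.logout_url = File.join(azure_oauth_url, 'logout').concat(
+ "?post_logout_redirect_uri=#{File.join(full_host, path_prefix, 'logout')}"
+ )
 
  super
  end
 
- def base_azure_url
- raise 'Tenant not provided' if tenant.nil?
-
- "https://#{tenant}.b2clogin.com/#{tenant}.onmicrosoft.com/#{options.policy}/oauth2/v2.0"
+ def azure_oauth_url
+ File.join(base_azure_url, 'oauth2/v2.0')
  end
 
- def tenant
- options.client_options.tenant
+ def base_azure_url # rubocop:disable Metrics/AbcSize
+ raise 'Domain not provided' if options.client_options.domain.nil?
+ raise 'Tenant not provided' if options.client_options.tenant.nil?
+
+ "#{options.client_options.domain}/#{options.client_options.tenant}.onmicrosoft.com/#{options.policy}"
  end
 
  def other_phase
  return call_app! unless current_path == File.join(path_prefix, name.to_s, 'logout')
 
- redirect(logout_url)
- end
-
- def logout_url
- File.join(base_azure_url, 'logout') + "?post_logout_redirect_uri=#{File.join(full_host, path_prefix, 'logout')}"
+ redirect(client.options[:logout_url])
  end
 
  uid do
- raw_info['sub']
+ jwt_payload['sub']
  end
 
  info do
  {
- email: raw_info['email'],
- name: raw_info['name'],
- first_name: raw_info['given_name'],
- last_name: raw_info['family_name'],
- provider_groups: raw_info['extension_userGroup'],
- avatar_url: raw_info['extension_avatarUrl'],
+ email: jwt_payload['email'],
+ name: jwt_payload['name'],
+ first_name: jwt_payload['given_name'],
+ last_name: jwt_payload['family_name'],
+ provider_groups: jwt_payload['extension_userGroup'],
+ avatar_url: jwt_payload['extension_avatarUrl'],
  deactivated_at: deactivated_at,
  employee: employee
  }
  end
 
- def extra
+ extra do
  {
  refresh_token: access_token.refresh_token,
  refresh_token_expires_in: access_token.params[:refresh_token_expires_in],
  params: access_token.params,
- raw_info: raw_info
+ raw_info: jwt_payload
  }
  end
 
- def raw_info
- @raw_info ||= ::JWT.decode(access_token.token, nil, false).first
- end
-
  private
 
  def deactivated_at
- raw_info['extension_deactivated'] == false ? nil : Time.now.utc
+ jwt_payload['extension_deactivated'] == false ? nil : Time.now.utc
  end
 
  def employee
- raw_info['extension_userGroup'].include?('employees')
+ jwt_payload['extension_userGroup'].include?('employees')
+ end
+
+ def jwt_payload
+ @jwt_payload ||= Jwt::Parser.new(access_token.token, client: client).validated_payload
  end
  end
  end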
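Review bot: The `post_logout_redirect_uri` query value built in the new `client` method is interpolated raw — `File.join(full_host, path_prefix, 'logout')` contains `:` and `/`, and `full_host` comes from the incoming request — so the logout URL is not form-encoded and may not round-trip the way the provider expects; build the query with `URI.encode_www_form(post_logout_redirect_uri: File.join(full_host, path_prefix, 'logout'))` instead of `.concat("?…")`. In `base_azure_url`, `options.client_options.domain` is now interpolated straight into the token, JWKS and logout URLs with no check beyond `nil?`, so a misconfigured `http://` or trailing-slash value silently changes where the client secret is sent and the signature keys are fetched from; a guard such as `raise ArgumentError, 'Domain must be an https URL' unless options.client_options.domain.to_s.start_with?('https://')` (and `ArgumentError` rather than a bare `RuntimeError` for the two existing raises) turns that into a configuration error. `client` now assigns four client_options on every call and `jwt_payload` calls it again, so the logout URL is also recomputed during the callback where it is not needed; assigning the jwks/logout URLs once or memoizing them would keep `client` cheap. Dropping the public `raw_info`, `tenant` and `logout_url` methods is itself a breaking change that the 1.0.0 CHANGELOG entry does not mention. The enclosing `class InfinumAzure` starts above the hunk.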
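--- a/data/omniauth-infinum_azure.gemspec
+++ b/data/omniauth-infinum_azure.gemspec
@@ -31,6 +31,8 @@ Gem::Specification.new do |spec|
  spec.add_development_dependency 'bundler', '~> 2.1'
  spec.add_development_dependency 'rake', '~> 13.0'
  spec.add_development_dependency 'rspec', '~> 3.0'
+ spec.add_development_dependency 'pry'
+ spec.add_development_dependency 'pry-byebug'
 
  spec.add_dependency 'omniauth-oauth2'
  end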
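Review bot: The gemspec still declares only `omniauth-oauth2` as a runtime dependency, while the new `OmniAuth::Jwt::Parser` calls `::JWT.decode` with a `jwks:` option and `JWT::JWK::Set`, so the gem now relies on the `jwt` gem only transitively through oauth2; if oauth2 ever drops, swaps or loosens that dependency, signature validation breaks at load time with no version pin to catch it. Add `spec.add_dependency 'jwt', '>= 2.7'` next to the `omniauth-oauth2` line (the lockfile resolves jwt 2.7.0, and the JWK set API the parser uses appears only in recent 2.x releases, so a lower bound matters), and `require 'jwt'` and `require 'json'` at the top of the parser so it does not depend on load order.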
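--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: omniauth-infinum_azure
  version: !ruby/object:Gem::Version
- version: 0.3.0
+ version: 1.0.0
  platform: ruby
  authors:
  - Marko Ćilimković
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2023-06-14 00:00:00.000000000 Z
+ date: 2024-03-12 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: bundler
@@ -52,6 +52,34 @@ dependencies:
  - - "~>"
  - !ruby/object:Gem::Version
  version: '3.0'
+ - !ruby/object:Gem::Dependency
+ name: pry
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ - !ruby/object:Gem::Dependency
+ name: pry-byebug
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
  - !ruby/object:Gem::Dependency
  name: omniauth-oauth2
  requirement: !ruby/object:Gem::Requirement
@@ -87,6 +115,7 @@ files:
  - bin/setup
  - lib/omniauth/infinum_azure.rb
  - lib/omniauth/infinum_azure/version.rb
+ - lib/omniauth/jwt/parser.rb
  - lib/omniauth/strategies/infinum_azure.rb
  - omniauth-infinum_azure.gemspec
  homepage: https://github.com/infinum/ruby-infinum-azure-omniauth
@@ -112,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.3.7
+ rubygems_version: 3.4.17
  signing_key:
  specification_version: 4
  summary: Gem that contains OAuth2 strategies for Infinum, such as Infinum Azure AD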