omniauth-infinum_azure 0.3.0 → 0.4.0

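--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 2500782d665615534b203f408ce34b1a62bb7f20b1e1157b61407c430526cd70
- data.tar.gz: 7efd370f76da93a58066a11d026818f4ce3567eee9eb023143e7c3f3a39f4a9a
+ metadata.gz: 5f65c0ecb50026f5054eb06ec283fa5e0c6ee9b1d441f953af5e26c8c3c2e894
+ data.tar.gz: acbe8eca776bc740a8e7169d03d034027709aac1a4ad6fb09d56ad462263a0a5
  SHA512:
- metadata.gz: 9d7c882dffaba7ce875458fea4995af5f4b86818694ab8774d90f983bd49c87f734e360e6ddf239a2937a5f7e672ec2c9b97855440c65d0f117e466d8fd56c0f
- data.tar.gz: e918d56939e2bcbf36646a448d94fe1b72886363da5811fb41a01ca034590e4291e854acbdc583a3789f0a837cc0c6a3eff796d990d0e40db87ee0c532736fad
+ metadata.gz: 61f8278bb79690f2b487807edeee3041a47421474cae2601394f45d02e514f2abe555ea0d594efec9dc46929879c1660920effff7585987985cea29a5139cf87
+ data.tar.gz: 152cef7c3c1036b22546e0dcb49cc01ce4f8ea98f454b95f077752a914fc5d7c10507cbf1f9372679fa54944b76077126857aa422a1d78022edb364e309ddf4b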
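--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -10,3 +10,7 @@ Style/Documentation:
 
  Layout/LineLength:
  Max: 120
+
+ Metrics/BlockLength:
+ Exclude:
+ - 'spec/**/*_spec.rb'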
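--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,9 @@
  ## [Unreleased]
 
+ ## [0.4.0] - 2023-09-05
+
+ - Add JWT signature validation
+
  ## [0.3.0] - 2023-06-14
 
  - Add *provider_groups*, *avatar_url*, *deactivated_at* and *employee* to `#info`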
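--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,12 +1,14 @@
  PATH
  remote: .
  specs:
- omniauth-infinum_azure (0.3.0)
+ omniauth-infinum_azure (0.4.0)
  omniauth-oauth2
 
  GEM
  remote: https://rubygems.org/
  specs:
+ byebug (11.1.3)
+ coderay (1.1.3)
  diff-lcs (1.5.0)
  faraday (2.7.4)
  faraday-net_http (>= 2.0, < 3.1)
@@ -14,6 +16,7 @@ GEM
  faraday-net_http (3.0.2)
  hashie (5.0.0)
  jwt (2.7.0)
+ method_source (1.0.0)
  multi_xml (0.6.0)
  oauth2 (2.0.9)
  faraday (>= 0.17.3, < 3.0)
@@ -29,6 +32,12 @@ GEM
  omniauth-oauth2 (1.8.0)
  oauth2 (>= 1.4, < 3)
  omniauth (~> 2.0)
+ pry (0.14.2)
+ coderay (~> 1.1)
+ method_source (~> 1.0)
+ pry-byebug (3.10.1)
+ byebug (~> 11.0)
+ pry (>= 0.13, < 0.15)
  rack (3.0.4.2)
  rack-protection (3.0.5)
  rack
@@ -58,6 +67,8 @@ PLATFORMS
  DEPENDENCIES
  bundler (~> 2.1)
  omniauth-infinum_azure!
+ pry
+ pry-byebug
  rake (~> 13.0)
  rspec (~> 3.0)
 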
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Omniauth
4
4
  module InfinumAzure
5
- VERSION = '0.3.0'
5
+ VERSION = '0.4.0'
6
6
  end
7
7
  end
@@ -3,4 +3,5 @@
3
3
  require 'omniauth-oauth2'
4
4
 
5
5
  require 'omniauth/infinum_azure/version'
6
+ require 'omniauth/jwt/parser'
6
7
  require 'omniauth/strategies/infinum_azure'
@@ -0,0 +1,47 @@
1
+ # frozen_string_literal: true
2
+
3
+ module OmniAuth
4
+ module Jwt
5
+ class Parser
6
+ DEFAULT_ALG = 'RS256'
7
+ attr_reader :token, :client
8
+
9
+ def initialize(token, client:)
10
+ @token = token
11
+ @client = client
12
+ end
13
+
14
+ def validated_payload
15
+ ::JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
16
+ end
17
+
18
+ private
19
+
20
+ def jwks
21
+ @jwks ||= JWT::JWK::Set.new(
22
+ jwks_response['keys'].map do |key|
23
+ key.merge(alg: jwt_headers['alg'] || DEFAULT_ALG)
24
+ end
25
+ )
26
+ end
27
+
28
+ def jwks_response
29
+ JSON.parse(
30
+ client.request(:get, client.options[:jwks_url]).body
31
+ )
32
+ end
33
+
34
+ def jwt_headers
35
+ decoded_jwt.last
36
+ end
37
+
38
+ def decoded_jwt
39
+ @decoded_jwt ||= ::JWT.decode(token, nil, false)
40
+ end
41
+
42
+ def algorithms
43
+ jwks.map { |key| key[:alg] }.compact.uniq
44
+ end
45
+ end
46
+ end
47
+ end
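Review bot: The algorithm allow-list in `jwks` is taken from the unverified token header (`jwt_headers['alg']`, read through the verify-off decode in `decoded_jwt`) and stamped onto every JWK, so the `algorithms:` passed in `validated_payload` ends up pinned to whatever the presented token claims rather than to what the identity provider actually signs with; that defeats the purpose of the allow-list and reopens the algorithm-confusion class of problems it exists to close. Use the key's own `alg` when the JWKS supplies one and the fixed default otherwise, `key.merge(alg: key['alg'] || DEFAULT_ALG)`, after which `jwt_headers` and `decoded_jwt` are dead and can be removed. `validated_payload` also checks only the signature and the jwt gem's default claims; nothing verifies `aud` or `iss`, so a validly signed token minted for another application in the same tenant appears to be accepted — pass `aud: client.id, verify_aud: true` (and `iss:`/`verify_iss: true` with the tenant's issuer value). Finally, `jwks_response` parses the body without looking at the response status, so a non-200 answer surfaces as a `JSON::ParserError` or a `NoMethodError` on `nil['keys']`; check the status and use `fetch('keys')` so a JWKS fetch failure is reported as such.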
@@ -9,71 +9,71 @@ module OmniAuth
9
9
  option :policy, 'B2C_1A_SIGNUP_SIGNIN'
10
10
  option :scope, 'openid'
11
11
 
12
- def client
13
- options.client_options.authorize_url = File.join(base_azure_url, 'authorize')
14
- options.client_options.token_url = File.join(base_azure_url, 'token')
12
+ def client # rubocop:disable Metrics/AbcSize
13
+ options.client_options.authorize_url = File.join(azure_oauth_url, 'authorize')
14
+ options.client_options.token_url = File.join(azure_oauth_url, 'token')
15
+ options.client_options.jwks_url = File.join(base_azure_url, 'discovery/v2.0/keys')
16
+ options.client_options.logout_url = File.join(azure_oauth_url, 'logout').concat(
17
+ "?post_logout_redirect_uri=#{File.join(full_host, path_prefix, 'logout')}"
18
+ )
15
19
 
16
20
  super
17
21
  end
18
22
 
19
- def base_azure_url
20
- raise 'Tenant not provided' if tenant.nil?
21
-
22
- "https://#{tenant}.b2clogin.com/#{tenant}.onmicrosoft.com/#{options.policy}/oauth2/v2.0"
23
+ def azure_oauth_url
24
+ File.join(base_azure_url, 'oauth2/v2.0')
23
25
  end
24
26
 
25
- def tenant
26
- options.client_options.tenant
27
+ def base_azure_url
28
+ raise 'Tenant not provided' if options.client_options.tenant.nil?
29
+
30
+ "https://#{options.client_options.tenant}.b2clogin.com/#{options.client_options.tenant}.onmicrosoft.com/#{options.policy}"
27
31
  end
28
32
 
29
33
  def other_phase
30
34
  return call_app! unless current_path == File.join(path_prefix, name.to_s, 'logout')
31
35
 
32
- redirect(logout_url)
33
- end
34
-
35
- def logout_url
36
- File.join(base_azure_url, 'logout') + "?post_logout_redirect_uri=#{File.join(full_host, path_prefix, 'logout')}"
36
+ redirect(client.options[:logout_url])
37
37
  end
38
38
 
39
39
  uid do
40
- raw_info['sub']
40
+ jwt_payload['sub']
41
41
  end
42
42
 
43
43
  info do
44
44
  {
45
- email: raw_info['email'],
46
- name: raw_info['name'],
47
- first_name: raw_info['given_name'],
48
- last_name: raw_info['family_name'],
49
- provider_groups: raw_info['extension_userGroup'],
50
- avatar_url: raw_info['extension_avatarUrl'],
45
+ email: jwt_payload['email'],
46
+ name: jwt_payload['name'],
47
+ first_name: jwt_payload['given_name'],
48
+ last_name: jwt_payload['family_name'],
49
+ provider_groups: jwt_payload['extension_userGroup'],
50
+ avatar_url: jwt_payload['extension_avatarUrl'],
51
51
  deactivated_at: deactivated_at,
52
52
  employee: employee
53
53
  }
54
54
  end
55
55
 
56
- def extra
56
+ extra do
57
57
  {
58
58
  refresh_token: access_token.refresh_token,
59
59
  refresh_token_expires_in: access_token.params[:refresh_token_expires_in],
60
60
  params: access_token.params,
61
- raw_info: raw_info
61
+ raw_info: jwt_payload
62
62
  }
63
63
  end
64
64
 
65
- def raw_info
66
- @raw_info ||= ::JWT.decode(access_token.token, nil, false).first
67
- end
68
-
69
65
  private
70
66
 
71
67
  def deactivated_at
72
- raw_info['extension_deactivated'] == false ? nil : Time.now.utc
68
+ jwt_payload['extension_deactivated'] == false ? nil : Time.now.utc
73
69
  end
74
70
 
75
71
  def employee
76
- raw_info['extension_userGroup'].include?('employees')
72
+ jwt_payload['extension_userGroup'].include?('employees')
73
+ end
74
+
75
+ def jwt_payload
76
+ @jwt_payload ||= Jwt::Parser.new(access_token.token, client: client).validated_payload
77
77
  end
78
78
  end
79
79
  end
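Review bot: The `post_logout_redirect_uri` value assembled in `client` is interpolated into the query string raw; `full_host` normally carries a scheme and `://` and `path_prefix` is configurable, so the value should be form-encoded rather than concatenated: `"?#{URI.encode_www_form(post_logout_redirect_uri: File.join(full_host, path_prefix, 'logout'))}"` (needs `uri` loaded). `employee` still dereferences `jwt_payload['extension_userGroup']` unconditionally, so a token without that claim raises `NoMethodError` from inside the `info` block instead of yielding `employee: false`; `Array(jwt_payload['extension_userGroup']).include?('employees')` keeps the current result for present claims. `deactivated_at` has the mirror-image shape — a missing `extension_deactivated` claim yields a timestamp, i.e. the account reads as deactivated — which may be the intended fail-closed choice but deserves a one-line comment saying so. The strategy class opens before this hunk.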
@@ -31,6 +31,8 @@ Gem::Specification.new do |spec|
31
31
  spec.add_development_dependency 'bundler', '~> 2.1'
32
32
  spec.add_development_dependency 'rake', '~> 13.0'
33
33
  spec.add_development_dependency 'rspec', '~> 3.0'
34
+ spec.add_development_dependency 'pry'
35
+ spec.add_development_dependency 'pry-byebug'
34
36
 
35
37
  spec.add_dependency 'omniauth-oauth2'
36
38
  end
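Review bot: The new parser calls `::JWT.decode`, `JWT::JWK::Set` and `JSON.parse` directly, but the gemspec still declares only `omniauth-oauth2` as a runtime dependency, so the gem now depends on `jwt` arriving transitively (the lockfile resolves it to 2.7.0 through oauth2) and on whatever version that path happens to pick; `JWT::JWK::Set` is a comparatively recent addition to ruby-jwt, so an older transitive resolution would fail at runtime with a `NameError` rather than at install time. Declare it explicitly next to `omniauth-oauth2`, `spec.add_dependency 'jwt', '>= <version that introduced JWT::JWK::Set>'`, and add `require 'jwt'` in `lib/omniauth/infinum_azure.rb` ahead of `omniauth/jwt/parser` rather than relying on oauth2's own require. The `Gem::Specification.new` block opens before this hunk.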
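--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: omniauth-infinum_azure
  version: !ruby/object:Gem::Version
- version: 0.3.0
+ version: 0.4.0
  platform: ruby
  authors:
  - Marko Ćilimković
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2023-06-14 00:00:00.000000000 Z
+ date: 2023-09-05 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: bundler
@@ -52,6 +52,34 @@ dependencies:
  - - "~>"
  - !ruby/object:Gem::Version
  version: '3.0'
+ - !ruby/object:Gem::Dependency
+ name: pry
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ - !ruby/object:Gem::Dependency
+ name: pry-byebug
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
  - !ruby/object:Gem::Dependency
  name: omniauth-oauth2
  requirement: !ruby/object:Gem::Requirement
@@ -87,6 +115,7 @@ files:
  - bin/setup
  - lib/omniauth/infinum_azure.rb
  - lib/omniauth/infinum_azure/version.rb
+ - lib/omniauth/jwt/parser.rb
  - lib/omniauth/strategies/infinum_azure.rb
  - omniauth-infinum_azure.gemspec
  homepage: https://github.com/infinum/ruby-infinum-azure-omniauth
@@ -112,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.3.7
+ rubygems_version: 3.4.17
  signing_key:
  specification_version: 4
  summary: Gem that contains OAuth2 strategies for Infinum, such as Infinum Azure AD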