omniauth-microsoft-identity2 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3af5a6cd9f8f7a4ad5c932febe95005653242fc9bd5b4a6a3b590bccded1c3da
+  data.tar.gz: 22c78044a0b051300b7dc5a26bf9d57e3389778a565ef15c84e66a645750e8e7
+SHA512:
+  metadata.gz: 98c87218aab6c1dd088145d9974d5636f37ec0e4f3585195dc6a5af535435ea2a9b7eb3ca17c63aad90c2c09e04e2cfadb849cf0ee3a6f7c499a5dd9a7f2d928
+  data.tar.gz: b7a4ab85d4153062b4bbe3b4c25764e224fd6a33bf4cd5a42d66a39c00154a4076aff2a449bb6f5f4a4f1daff33f94c1c57a93047d576546365f6d6881762998

data/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Claudio Poli
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,141 @@
+# OmniAuth MicrosoftIdentity2 Strategy
+
+[![Test](https://github.com/icoretech/omniauth-microsoft-identity2/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/icoretech/omniauth-microsoft-identity2/actions/workflows/test.yml?query=branch%3Amain)
+[![Gem Version](https://img.shields.io/gem/v/omniauth-microsoft-identity2.svg)](https://rubygems.org/gems/omniauth-microsoft-identity2)
+
+`omniauth-microsoft-identity2` provides a Microsoft Identity (Entra ID) OAuth2/OpenID Connect strategy for OmniAuth.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-microsoft-identity2'
+```
+
+Then run:
+
+```bash
+bundle install
+```
+
+## Usage
+
+Configure OmniAuth in your Rack/Rails app:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :microsoft_identity2,
+           ENV.fetch('MICROSOFT_CLIENT_ID'),
+           ENV.fetch('MICROSOFT_CLIENT_SECRET')
+end
+```
+
+Compatibility aliases are available if you want stable callback paths:
+
+```ruby
+provider :microsoft_identity, ENV.fetch('MICROSOFT_CLIENT_ID'), ENV.fetch('MICROSOFT_CLIENT_SECRET')
+provider :windowslive, ENV.fetch('MICROSOFT_CLIENT_ID'), ENV.fetch('MICROSOFT_CLIENT_SECRET')
+```
+
+Microsoft app setup:
+- [Microsoft identity platform OAuth 2.0 authorization code flow](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)
+- [OpenID Connect on the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc)
+
+## Options
+
+Supported options include:
+- `tenant` (default: `common`)
+- `scope` (default: `openid profile email offline_access User.Read`)
+- `prompt`
+- `login_hint`
+- `domain_hint`
+- `response_mode`
+- `redirect_uri`
+- `nonce`
+- `uid_with_tenant` (default: `true`; yields `tid:oid_or_sub` when possible)
+- `skip_jwt` (default: `false`; disable id_token decode in `extra.id_info`)
+
+Request query parameters for supported authorize options are passed through in request phase.
+
+## Auth Hash
+
+Example payload from `request.env['omniauth.auth']` (realistic shape, anonymized):
+
+```json
+{
+  "uid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:11111111-2222-3333-4444-555555555555",
+  "info": {
+    "name": "Sample User",
+    "email": "sample@example.test",
+    "first_name": "Sample",
+    "last_name": "User",
+    "nickname": "sample@example.test"
+  },
+  "credentials": {
+    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
+    "refresh_token": "0.AXwA...",
+    "expires_at": 1772691847,
+    "expires": true,
+    "scope": "openid profile email offline_access User.Read"
+  },
+  "extra": {
+    "raw_info": {
+      "tid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+      "oid": "11111111-2222-3333-4444-555555555555",
+      "sub": "aaaaaaaaaaaaaaaaaaaa",
+      "name": "Sample User",
+      "given_name": "Sample",
+      "family_name": "User",
+      "preferred_username": "sample@example.test",
+      "email": "sample@example.test"
+    },
+    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6I...redacted...",
+    "id_info": {
+      "tid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+      "oid": "11111111-2222-3333-4444-555555555555",
+      "sub": "aaaaaaaaaaaaaaaaaaaa",
+      "name": "Sample User",
+      "preferred_username": "sample@example.test",
+      "iat": 1772689518,
+      "exp": 1772693118
+    }
+  }
+}
+```
+
+## Endpoints
+
+This gem uses Microsoft Identity v2 endpoints and Microsoft Graph user info endpoints:
+- `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize`
+- `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`
+- `https://graph.microsoft.com/oidc/userinfo`
+- fallback: `https://graph.microsoft.com/v1.0/me`
+
+## Development
+
+```bash
+bundle install
+bundle exec rake
+```
+
+Run Rails integration tests with an explicit Rails version:
+
+```bash
+RAILS_VERSION='~> 8.1.0' bundle install
+RAILS_VERSION='~> 8.1.0' bundle exec rake test_rails_integration
+```
+
+## Compatibility
+
+- Ruby: `>= 3.2` (tested on `3.2`, `3.3`, `3.4`, `4.0`)
+- `omniauth-oauth2`: `>= 1.8`, `< 1.9`
+- Rails integration lanes: `~> 7.1.0`, `~> 7.2.0`, `~> 8.0.0`, `~> 8.1.0`
+
+## Release
+
+Tag releases as `vX.Y.Z`; GitHub Actions publishes the gem to RubyGems.
+
+## License
+
+MIT

data/lib/omniauth/microsoft_identity2/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module MicrosoftIdentity2
+    VERSION = '1.0.0'
+  end
+end

data/lib/omniauth/microsoft_identity2.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'omniauth/microsoft_identity2/version'
+require 'omniauth/strategies/microsoft_identity2'

data/lib/omniauth/strategies/microsoft_identity2.rb

@@ -0,0 +1,218 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'omniauth-oauth2'
+
+module OmniAuth
+  module Strategies
+    # OmniAuth strategy for Microsoft Identity (Entra ID) OAuth2/OpenID Connect.
+    class MicrosoftIdentity2 < OmniAuth::Strategies::OAuth2
+      BASE_URL = 'https://login.microsoftonline.com'
+      DEFAULT_SCOPE = 'openid profile email offline_access User.Read'
+      USER_INFO_URL = 'https://graph.microsoft.com/oidc/userinfo'
+      GRAPH_ME_URL = 'https://graph.microsoft.com/v1.0/me'
+
+      option :name, 'microsoft_identity2'
+      option :authorize_options, %i[scope state prompt login_hint domain_hint response_mode redirect_uri nonce]
+      option :tenant, 'common'
+      option :base_url, BASE_URL
+      option :scope, DEFAULT_SCOPE
+      option :skip_jwt, false
+      option :uid_with_tenant, true
+
+      option :client_options,
+             site: BASE_URL,
+             authorize_url: 'common/oauth2/v2.0/authorize',
+             token_url: 'common/oauth2/v2.0/token',
+             connection_opts: {
+               headers: {
+                 user_agent: 'icoretech-omniauth-microsoft-identity2 gem',
+                 accept: 'application/json',
+                 content_type: 'application/x-www-form-urlencoded'
+               }
+             }
+
+      uid do
+        oid_or_sub = raw_info['oid'] || raw_info['sub'] || raw_info['id']
+        tid = raw_info['tid']
+
+        if options[:uid_with_tenant] && present?(tid) && present?(oid_or_sub)
+          "#{tid}:#{oid_or_sub}"
+        else
+          oid_or_sub.to_s
+        end
+      end
+
+      info do
+        email = raw_info['email'] || raw_info['preferred_username'] || raw_info['upn'] || raw_info['mail']
+        {
+          name: raw_info['name'],
+          email: email,
+          first_name: raw_info['given_name'],
+          last_name: raw_info['family_name'],
+          nickname: raw_info['preferred_username'] || raw_info['upn'] || email || raw_info['sub'],
+          image: raw_info['picture']
+        }.compact
+      end
+
+      credentials do
+        {
+          'token' => access_token.token,
+          'refresh_token' => access_token.refresh_token,
+          'expires_at' => access_token.expires_at,
+          'expires' => access_token.expires?,
+          'scope' => token_scope
+        }.compact
+      end
+
+      extra do
+        data = { 'raw_info' => raw_info }
+        id_token = raw_id_token
+        if present?(id_token)
+          data['id_token'] = id_token
+          decoded = decoded_id_token
+          data['id_info'] = decoded if decoded
+        end
+        data
+      end
+
+      def client
+        configure_tenant_client_urls
+        super
+      end
+
+      def authorize_params
+        super.tap do |params|
+          apply_request_authorize_overrides(params)
+          params[:scope] = normalize_scope(params[:scope] || options[:scope])
+          persist_authorize_state(params)
+        end
+      end
+
+      def raw_info
+        @raw_info ||= begin
+          claims = {}
+          decoded = decoded_id_token
+          claims.merge!(decoded) if decoded
+          claims.merge!(fetch_user_info)
+          claims
+        end
+      end
+
+      # Ensure token exchange uses a stable callback URI that matches provider config.
+      def callback_url
+        options[:callback_url] || options[:redirect_uri] || super
+      end
+
+      # Prevent authorization response params from being appended to redirect_uri.
+      def query_string
+        return '' if request.params['code']
+
+        super
+      end
+
+      private
+
+      def fetch_user_info
+        normalize_user_info(access_token.get(USER_INFO_URL).parsed)
+      rescue StandardError
+        begin
+          normalize_user_info(access_token.get(GRAPH_ME_URL).parsed)
+        rescue StandardError
+          {}
+        end
+      end
+
+      def normalize_user_info(payload)
+        return {} unless payload.is_a?(Hash)
+
+        return payload unless graph_profile_payload?(payload)
+
+        upn = payload['userPrincipalName']
+        {
+          'sub' => payload['id'],
+          'oid' => payload['id'],
+          'name' => payload['displayName'],
+          'given_name' => payload['givenName'],
+          'family_name' => payload['surname'],
+          'email' => payload['mail'] || upn,
+          'preferred_username' => upn,
+          'upn' => upn
+        }.merge(payload).compact
+      end
+
+      def normalize_scope(raw_scope)
+        raw_scope.to_s.split(/[\s,]+/).reject(&:empty?).uniq.join(' ')
+      end
+
+      def apply_request_authorize_overrides(params)
+        options[:authorize_options].each do |key|
+          request_value = request.params[key.to_s]
+          params[key] = request_value unless blank?(request_value)
+        end
+      end
+
+      def graph_profile_payload?(payload)
+        payload.key?('displayName') || payload.key?('userPrincipalName')
+      end
+
+      def configure_tenant_client_urls
+        tenant = options[:tenant].to_s.strip
+        tenant = 'common' if tenant.empty?
+
+        base_url = options[:base_url].to_s.strip
+        base_url = BASE_URL if base_url.empty?
+
+        options.client_options.authorize_url = "#{base_url}/#{tenant}/oauth2/v2.0/authorize"
+        options.client_options.token_url = "#{base_url}/#{tenant}/oauth2/v2.0/token"
+      end
+
+      def persist_authorize_state(params)
+        session['omniauth.state'] = params[:state] if params[:state]
+      end
+
+      def token_scope
+        access_token.params['scope'] || access_token['scope']
+      end
+
+      def raw_id_token
+        params = access_token.respond_to?(:params) ? access_token.params : {}
+        params['id_token'] || access_token['id_token']
+      end
+
+      def decoded_id_token
+        return nil if options[:skip_jwt]
+
+        token = raw_id_token
+        return nil unless present?(token)
+
+        payload, = JWT.decode(token, nil, false)
+        payload
+      rescue JWT::DecodeError
+        nil
+      end
+
+      def blank?(value)
+        value.nil? || (value.respond_to?(:empty?) && value.empty?)
+      end
+
+      def present?(value)
+        !blank?(value)
+      end
+    end
+
+    # Backward-compatible strategy name for existing callback paths.
+    class MicrosoftIdentity < MicrosoftIdentity2
+      option :name, 'microsoft_identity'
+    end
+
+    # Compatibility alias for legacy windowslive callback paths.
+    class Windowslive < MicrosoftIdentity2
+      option :name, 'windowslive'
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'microsoft_identity2', 'MicrosoftIdentity2'
+OmniAuth.config.add_camelization 'microsoft_identity', 'MicrosoftIdentity'
+OmniAuth.config.add_camelization 'windowslive', 'Windowslive'

data/lib/omniauth-microsoft-identity2.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'omniauth/microsoft_identity2'

data/omniauth-microsoft-identity2.gemspec

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth/microsoft_identity2/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'omniauth-microsoft-identity2'
+  spec.version = OmniAuth::MicrosoftIdentity2::VERSION
+  spec.authors = ['Claudio Poli']
+  spec.email = ['masterkain@gmail.com']
+
+  spec.summary = 'OmniAuth strategy for Microsoft Identity (Entra ID) OAuth2/OpenID Connect authentication.'
+  spec.description =
+    'OAuth2/OpenID Connect strategy for OmniAuth that authenticates users ' \
+    'with Microsoft Identity and exposes profile metadata.'
+  spec.homepage = 'https://github.com/icoretech/omniauth-microsoft-identity2'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 3.2'
+
+  spec.metadata['source_code_uri'] = 'https://github.com/icoretech/omniauth-microsoft-identity2'
+  spec.metadata['bug_tracker_uri'] = 'https://github.com/icoretech/omniauth-microsoft-identity2/issues'
+  spec.metadata['changelog_uri'] = 'https://github.com/icoretech/omniauth-microsoft-identity2/releases'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.files = Dir[
+    'lib/**/*.rb',
+    'README*',
+    'LICENSE*',
+    '*.gemspec'
+  ]
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'cgi', '>= 0.3.6'
+  spec.add_dependency 'jwt', '>= 2.9.2'
+  spec.add_dependency 'omniauth-oauth2', '>= 1.8', '< 1.9'
+end

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-microsoft-identity2
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Claudio Poli
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cgi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.2
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+description: OAuth2/OpenID Connect strategy for OmniAuth that authenticates users
+  with Microsoft Identity and exposes profile metadata.
+email:
+- masterkain@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/omniauth-microsoft-identity2.rb
+- lib/omniauth/microsoft_identity2.rb
+- lib/omniauth/microsoft_identity2/version.rb
+- lib/omniauth/strategies/microsoft_identity2.rb
+- omniauth-microsoft-identity2.gemspec
+homepage: https://github.com/icoretech/omniauth-microsoft-identity2
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/icoretech/omniauth-microsoft-identity2
+  bug_tracker_uri: https://github.com/icoretech/omniauth-microsoft-identity2/issues
+  changelog_uri: https://github.com/icoretech/omniauth-microsoft-identity2/releases
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: OmniAuth strategy for Microsoft Identity (Entra ID) OAuth2/OpenID Connect
+  authentication.
+test_files: []