omniauth-oidc-strategy 0.3.2

data/lib/omniauth/strategies/oidc/serializer.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Strategies
+    class Oidc
+      module Serializer
+        def serialized_access_token_auth_hash
+          {
+            provider: name,
+            credentials: serialized_credentials
+          }
+        end
+
+        def serialized_credentials
+          {
+            id_token: access_token.id_token,
+            token: access_token.access_token,
+            refresh_token: access_token.refresh_token,
+            expires_in: access_token.expires_in,
+            scope: access_token.scope
+          }
+        end
+
+        def serialized_extra
+          {
+            claims: id_token_raw_attributes,
+            scope: scope
+          }
+        end
+
+        def serialized_request_options
+          {
+            response_type: options.response_type,
+            response_mode: options.response_mode,
+            scope: scope,
+            state: new_state,
+            login_hint: params["login_hint"],
+            ui_locales: params["ui_locales"],
+            claims_locales: params["claims_locales"],
+            prompt: options.prompt,
+            nonce: (new_nonce if options.send_nonce),
+            hd: options.hd,
+            acr_values: options.acr_values
+          }
+        end
+
+        def serialized_user_info
+          {
+            name: user_info.name,
+            email: user_info.email,
+            email_verified: user_info.email_verified,
+            first_name: user_info.given_name,
+            last_name: user_info.family_name,
+            phone: user_info.phone_number,
+            address: user_info.address
+          }
+        end
+
+        def serialized_user_info_auth_hash
+          {
+            provider: name,
+            uid: user_info.sub,
+            info: serialized_user_info,
+            extra: serialized_extra,
+            credentials: serialized_credentials
+          }
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/oidc/transport.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "faraday/net_http_persistent"
+require "faraday/retry"
+
+module OmniAuth
+  module Strategies
+    class Oidc
+      # HTTP transport layer using Faraday
+      module Transport
+        module_function
+
+        def connection
+          @connection ||= Faraday.new do |f|
+            f.request :retry, max: 2, interval: 0.5, backoff_factor: 2
+            f.headers["User-Agent"] = OmniauthOidc::USER_AGENT
+            f.ssl.min_version = OpenSSL::SSL::TLS1_2_VERSION
+            f.adapter :net_http_persistent
+          end
+        end
+
+        def get(url, headers: {})
+          connection.get(url) do |req|
+            req.headers.merge!(headers)
+          end
+        end
+
+        def post(url, headers: {}, body: nil)
+          connection.post(url) do |req|
+            req.headers.merge!(headers)
+            req.body = body
+          end
+        end
+
+        def fetch_json(url, headers: {})
+          response = get(url, headers: headers)
+          JSON.parse(response.body)
+        end
+
+        def reset!
+          @connection = nil
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/oidc/verify.rb

@@ -0,0 +1,171 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Strategies
+    class Oidc
+      # Token verification phase
+      module Verify # rubocop:disable Metrics/ModuleLength
+        def secret
+          base64_decoded_jwt_secret || client_options.secret
+        end
+
+        # https://tools.ietf.org/html/rfc7636#appendix-A
+        def pkce_authorize_params(verifier)
+          {
+            code_challenge: options.pkce_options[:code_challenge].call(verifier),
+            code_challenge_method: options.pkce_options[:code_challenge_method]
+          }
+        end
+
+        # Looks for key defined in omniauth initializer, if none is defined
+        # falls back to using jwks_uri returned by OIDC config_endpoint
+        def public_key
+          @public_key ||= if configured_public_key
+                            configured_public_key
+          elsif config.jwks_uri
+                            fetch_key
+          end
+        end
+
+        private
+
+        attr_reader :decoded_id_token
+
+        def fetch_key
+          parse_jwk_key(jwks_key)
+        end
+
+        def jwks_key
+          @jwks_key ||= Transport.fetch_json(config.jwks_uri)
+        end
+
+        def base64_decoded_jwt_secret
+          return unless options.jwt_secret_base64
+
+          Base64.decode64(options.jwt_secret_base64)
+        end
+
+        def verify_id_token!(id_token)
+          return unless id_token
+          decode_id_token(id_token).verify!(issuer: config.issuer,
+                                            client_id: client_options.identifier,
+                                            nonce: stored_nonce)
+        end
+
+        def decode_id_token(id_token)
+          decoded = JSON::JWT.decode(id_token, :skip_verification)
+          algorithm = decoded.algorithm.to_sym
+
+          validate_client_algorithm!(algorithm)
+
+          keyset =
+            case algorithm
+            when :HS256, :HS384, :HS512
+              secret
+            else
+              public_key
+            end
+
+          decoded.verify!(keyset)
+          @decoded_id_token = ::OpenIDConnect::ResponseObject::IdToken.new(decoded)
+        rescue JSON::JWK::Set::KidNotFound
+          # Workaround for https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
+          raise if decoded&.header&.key?("kid")
+
+          decoded = decode_with_each_key!(id_token, keyset)
+
+          raise unless decoded
+
+          @decoded_id_token = decoded
+        end
+
+        # Check for jwt to match defined client_signing_alg
+        def validate_client_algorithm!(algorithm)
+          client_signing_alg = options.client_signing_alg&.to_sym
+
+          return unless client_signing_alg
+          return if algorithm == client_signing_alg
+
+          reason = "Received JWT is signed with #{algorithm}, but client_signing_alg is \
+            configured for #{client_signing_alg}"
+          raise CallbackError, error: :invalid_jwt_algorithm, reason: reason, uri: params["error_uri"]
+        end
+
+        def decode!(id_token, key)
+          ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, key)
+        end
+
+        def decode_with_each_key!(id_token, keyset)
+          return unless keyset.is_a?(JSON::JWK::Set)
+
+          keyset.each do |key|
+            begin
+              decoded = decode!(id_token, key)
+            rescue JSON::JWS::VerificationFailed, JSON::JWS::UnexpectedAlgorithm, JSON::JWK::UnknownAlgorithm
+              next
+            end
+
+            return decoded if decoded
+          end
+
+          nil
+        end
+
+        def stored_nonce
+          session.delete("omniauth.nonce")
+        end
+
+        def configured_public_key
+          @configured_public_key ||= if options.client_jwk_signing_key
+                                       parse_jwk_key(options.client_jwk_signing_key)
+          elsif options.client_x509_signing_key
+                                       parse_x509_key(options.client_x509_signing_key)
+          end
+        end
+
+        def parse_x509_key(key)
+          OpenSSL::X509::Certificate.new(key).public_key
+        end
+
+        def parse_jwk_key(key)
+          json = key.is_a?(String) ? JSON.parse(key) : key
+          return JSON::JWK::Set.new(json["keys"]) if json.key?("keys")
+
+          JSON::JWK.new(json)
+        end
+
+        def decode(str)
+          UrlSafeBase64.decode64(str).unpack1("B*").to_i(2).to_s
+        end
+
+        # Converts camelCase keys to snake_case symbols. Handles standard OIDC
+        # claim names (e.g. "givenName" → :given_name). Does not handle acronym
+        # runs like "HTTPSEnabled" — not expected in OIDC responses.
+        def deep_underscore_keys(hash)
+          hash.each_with_object({}) do |(key, value), result|
+            new_key = key.to_s.gsub(/([A-Z])/, '_\1').sub(/^_/, "").downcase.to_sym
+            result[new_key] = value.is_a?(Hash) ? deep_underscore_keys(value) : value
+          end
+        end
+
+        def id_token_raw_attributes
+          decoded_id_token.raw_attributes
+        end
+
+        def user_info
+          return @user_info if @user_info
+
+          if id_token_raw_attributes
+            merged_user_info = access_token.userinfo!.raw_attributes.merge(id_token_raw_attributes)
+
+            @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new(
+              deep_underscore_keys(merged_user_info)
+            )
+          else
+            @user_info = access_token.userinfo!
+          end
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/oidc.rb

@@ -0,0 +1,271 @@
+# frozen_string_literal: true
+
+require "base64"
+require "timeout"
+require "oauth2"
+require "omniauth"
+require "openid_connect"
+require "forwardable"
+
+require_relative "oidc/callback"
+require_relative "oidc/request"
+require_relative "oidc/serializer"
+require_relative "oidc/transport"
+require_relative "oidc/verify"
+
+module OmniAuth
+  module Strategies
+    # OIDC strategy for omniauth
+    class Oidc
+      include OmniAuth::Strategy
+      include Callback
+      include Request
+      include Serializer
+      include Verify
+
+      extend Forwardable
+
+      RESPONSE_TYPE_EXCEPTIONS = {
+        "id_token" => { exception_class: OmniauthOidc::MissingIdTokenError, key: :missing_id_token }.freeze,
+        "code" => { exception_class: OmniauthOidc::MissingCodeError, key: :missing_code }.freeze
+      }.freeze
+
+      def_delegator :request, :params
+
+      option :name, :oidc                                   # to separate each oidc provider available in the app
+      option(:client_options, identifier: nil,              # client id, required
+                              secret: nil,                  # client secret, required
+                              host: nil,                    # oidc provider host, optional
+                              scheme: "https",              # connection scheme, optional
+                              port: 443,                    # connection port, optional
+                              config_endpoint: nil,         # all data will be fetched from here, required
+                              authorization_endpoint: nil,  # optional
+                              token_endpoint: nil,          # optional
+                              userinfo_endpoint: nil,       # optional
+                              jwks_uri: nil,                # optional
+                              end_session_endpoint: nil,    # optional
+                              environment: nil)             # optional
+
+      option :issuer
+      option :client_signing_alg
+      option :jwt_secret_base64
+      option :client_jwk_signing_key
+      option :client_x509_signing_key
+      option :scope, [ :openid ]
+      option :response_type, "code" # ['code', 'id_token']
+      option :require_state, true
+      option :state
+      option :response_mode # [:query, :fragment, :form_post, :web_message]
+      option :display, nil # [:page, :popup, :touch, :wap]
+      option :prompt, nil # [:none, :login, :consent, :select_account]
+      option :hd, nil
+      option :max_age
+      option :ui_locales
+      option :id_token_hint
+      option :acr_values
+      option :send_nonce, true
+      option :fetch_user_info, true
+      option :send_scope_to_token_endpoint, true
+      option :client_auth_method
+      option :post_logout_redirect_uri
+      option :extra_authorize_params, {}
+      option :allow_authorize_params, []
+      option :uid_field, "sub"
+      option :pkce, false
+      option :pkce_verifier, nil
+      option :pkce_options, {
+        code_challenge: proc { |verifier|
+          Base64.urlsafe_encode64(Digest::SHA2.digest(verifier), padding: false)
+        },
+        code_challenge_method: "S256"
+      }
+
+      option :logout_path, "/logout"
+
+      # Cross-module state contract. These methods and instance variables are
+      # shared between Callback, Verify, and Serializer modules during the
+      # callback phase:
+      #
+      # Callback provides:
+      #   access_token  — OpenIDConnect access token (lazy-initialized, memoized)
+      #   store_id_token — persists id_token to session for RP-Initiated Logout
+      #
+      # Verify provides:
+      #   user_info          — merged UserInfo from access token + id_token claims
+      #   decoded_id_token   — decoded and verified JWT (attr_reader)
+      #   verify_id_token!   — verifies id_token signature, issuer, nonce
+      #   decode_id_token    — decodes JWT, sets @decoded_id_token
+      #   secret, public_key — signing key resolution
+      #
+      # Serializer reads:
+      #   access_token, user_info, decoded_id_token (via id_token_raw_attributes)
+      #
+      # Oidc (this class) provides to all modules:
+      #   client, config, client_options, scope, session, params, options,
+      #   redirect_uri, stored_state, new_nonce, host, issuer
+
+      SECURITY_HEADERS = {
+        "Cache-Control" => "no-cache, no-store, must-revalidate",
+        "Pragma" => "no-cache",
+        "Referrer-Policy" => "no-referrer"
+      }.freeze
+
+      def redirect(uri)
+        response = super
+        SECURITY_HEADERS.each { |k, v| response[1][k] = v }
+        response
+      end
+
+      def uid
+        user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
+      end
+
+      info { serialized_user_info }
+
+      extra { serialized_extra }
+
+      credentials { serialized_credentials }
+
+      # Initialize OpenIDConnect Client with options
+      def client
+        @client ||= ::OpenIDConnect::Client.new(client_options)
+      end
+
+      # Returns an OAuth2::Client (from the oauth2 gem) configured with the
+      # discovered token endpoint. Useful for token refresh flows where
+      # OAuth2::AccessToken requires an OAuth2::Client rather than the
+      # OpenIDConnect/Rack::OAuth2 client returned by #client.
+      def oauth2_client
+        @oauth2_client ||= ::OAuth2::Client.new(
+          client_options.identifier,
+          client_options.secret,
+          site: config.issuer,
+          token_url: config.token_endpoint
+        )
+      end
+
+      # Config is built from the JSON response from the OIDC config endpoint
+      def config
+        unless client_options.config_endpoint || params["config_endpoint"]
+          raise Error,
+                "Configuration endpoint is missing from options"
+        end
+
+        @config ||= OmniauthOidc::Config.fetch(client_options.config_endpoint)
+      end
+
+      # Detects if current request is for the logout url and makes a redirect to end session with OIDC provider
+      def other_phase
+        if logout_path_pattern.match?(request.url)
+          options.issuer = issuer if options.issuer.to_s.empty?
+
+          return redirect(end_session_uri) if end_session_uri
+        end
+        call_app!
+      end
+
+      # URL to end authenticated user's session with OIDC provider
+      def end_session_uri
+        return unless end_session_endpoint_is_valid?
+
+        end_session = URI(client_options.end_session_endpoint)
+        end_session_params = {}
+        end_session_params[:post_logout_redirect_uri] = options.post_logout_redirect_uri if options.post_logout_redirect_uri
+        end_session_params[:id_token_hint] = session["omniauth.id_token"] if session["omniauth.id_token"]
+        end_session.query = URI.encode_www_form(end_session_params) unless end_session_params.empty?
+        end_session.to_s
+      end
+
+      private
+
+      def issuer
+        @issuer ||= config.issuer
+      end
+
+      def host
+        @host ||= URI.parse(config.issuer).host
+      end
+
+      # get scope list from options or provider config defaults
+      def scope
+        options.scope || config.scopes_supported
+      end
+
+      def authorization_code
+        params["code"]
+      end
+
+      def client_options
+        options.client_options
+      end
+
+      def stored_state
+        session.delete("omniauth.state")
+      end
+
+      def new_nonce
+        session["omniauth.nonce"] = SecureRandom.hex(16)
+      end
+
+      def script_name
+        return "" if @env.nil?
+
+        super
+      end
+
+      def session
+        return {} if @env.nil?
+
+        super
+      end
+
+      def redirect_uri
+        options.redirect_uri || full_host + callback_path
+      end
+
+      # Configure OIDC discovery endpoints on a target object (client_options or client).
+      # Called by both Request and Callback phases to avoid duplication.
+      def configure_discovery_endpoints(target)
+        target.host = host
+        target.authorization_endpoint = config.authorization_endpoint
+        target.token_endpoint = config.token_endpoint
+        target.userinfo_endpoint = config.userinfo_endpoint
+
+        if target.respond_to?(:jwks_uri=)
+          target.jwks_uri = config.jwks_uri
+        end
+
+        if config.end_session_endpoint && target.respond_to?(:end_session_endpoint=)
+          target.end_session_endpoint = config.end_session_endpoint
+        end
+      end
+
+      def end_session_endpoint_is_valid?
+        client_options.end_session_endpoint &&
+          client_options.end_session_endpoint.match?(URI::RFC2396_PARSER.make_regexp)
+      end
+
+      def logout_path_pattern
+        @logout_path_pattern ||= /\A#{Regexp.quote(request.base_url)}#{options.logout_path}/
+      end
+
+      # Override for the CallbackError class
+      class CallbackError < StandardError
+        attr_accessor :error, :error_reason, :error_uri
+
+        def initialize(data)
+          super
+          self.error = data[:error]
+          self.error_reason = data[:reason]
+          self.error_uri = data[:uri]
+        end
+
+        def message
+          [ error, error_reason, error_uri ].compact.join(" | ")
+        end
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization "OmniauthOidc", "OmniAuthOidc"

data/lib/omniauth-oidc-strategy.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require_relative "omniauth/oidc/config"
+require_relative "omniauth/oidc/errors"
+require_relative "omniauth/oidc/user_agent"
+require_relative "omniauth/oidc/version"
+require_relative "omniauth/strategies/oidc"

data/omniauth-oidc-strategy.gemspec

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require_relative "lib/omniauth/oidc/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "omniauth-oidc-strategy"
+  spec.version = OmniauthOidc::VERSION
+  spec.authors = [ 'mc' ]
+  spec.email = [ 'test@example.com' ]
+
+  spec.summary = "Omniauth strategy to authenticate and retrieve user data using OpenID Connect (OIDC)"
+  spec.description = "Omniauth strategy to authenticate and retrieve user data as a client using OpenID Connect (OIDC)
+    suited for multiple OIDC providers."
+  spec.homepage = "https://github.com/CanalWestStudio/omniauth-oidc"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 3.1.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/CanalWestStudio/omniauth-oidc"
+  spec.metadata["changelog_uri"] = "https://github.com/CanalWestStudio/omniauth-oidc/blob/main/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) ||
+        f.start_with?(*%w[bin/ test/ spec/ features/ .git .github appveyor Gemfile])
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = [ "lib" ]
+
+  spec.add_dependency "faraday", "~> 2.0"
+  spec.add_dependency "faraday-net_http_persistent", "~> 2.0"
+  spec.add_dependency "faraday-retry", "~> 2.0"
+  spec.add_dependency "oauth2", ">= 1.4"
+  spec.add_dependency "omniauth"
+  spec.add_dependency "openid_connect"
+
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

data/sig/omniauth_oidc.rbs

@@ -0,0 +1,4 @@
+module OmniauthOidc
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end