omniauth-okta 0.1.1 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: f6beba3ded666b26386e13ad2a44f90311fabe71
-  data.tar.gz: 7b5477d3778a419c681a99115b8ee10d189927d0
+SHA256:
+  metadata.gz: '08e11155cf8af981390447211492f2f474235ab89307ebbe93db3c3c923e526c'
+  data.tar.gz: b0c7a635b3ef99f7cf39677afe286c282cab0958af33ad36466a510763d35448
 SHA512:
-  metadata.gz: d672bc7b7ddd5f842ddbdc6984bb27c975fcc026927169f0be70d84e9ce8c200871e56edf400ba2425bb886e834c65005e65c06d1dc1553f2f24488c62d17037
-  data.tar.gz: 66f716dea467f6a1f299ea1cfc201fa2ea1b927dbb4585dbe061afb26b7f605ba8ea82c0462346399cd3533f11a3eef7d342ba980751a949fffc741edb658e86
+  metadata.gz: b819dbbdf7c63bb4eb4bf4cf0713c9e29ea687cc577ebee975c71d500be77e13495b41b4bc0eda2f4bbc11fdb4f8ed963859d6f39849fda7c581584a0f8ccb60
+  data.tar.gz: f210c8d52f9a791005205795e18835666cdb273370694eae5c20d648a7c835525d017f7ea8a80e13542cbe732a0b4ff0adef8acf081cc413ced4d712c32467ff

data/README.md

@@ -22,22 +22,22 @@ Or install it yourself as:
 $ gem install omniauth-okta
 ```
 
-### Environment Variables
-
-```bash
-OKTA_CLIENT_ID     # required
-OKTA_CLIENT_SECRET # required
-OKTA_ORG           # required - defaults to 'your-org' if unset
-OKTA_DOMAIN        # optional - defaults to 'okta.com' if unset
-```
-
 ### OmniAuth
 
 Here's an example for adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET']
+  provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {
+    client_options: {
+      site:                 'https://your-org.okta.com',
+      authorization_server: '<authorization_server>',
+      authorize_url:        'https://your-org.okta.com/oauth2/<authorization_server>/v1/authorize',
+      token_url:            'https://your-org.okta.com/oauth2/<authorization_server>/v1/token',
+      user_info_url:        'https://your-org.okta.com/oauth2/<authorization_server>/v1/userinfo',
+      audience:             'api://your-audience'
+    }
+  }
 end
 ```
 
@@ -57,9 +57,15 @@ or add options like the following:
   config.omniauth(:okta,
                   ENV['OKTA_CLIENT_ID'],
                   ENV['OKTA_CLIENT_SECRET'],
-                  :scope => 'openid profile email',
-                  :fields => ['profile', 'email'],
-                  :strategy_class => OmniAuth::Strategies::Okta)
+                  scope: 'openid profile email',
+                  fields: ['profile', 'email'],
+                  client_options: {
+                    site:          'https://your-org.okta.com',
+                    authorize_url: 'https://your-org.okta.com/oauth2/default/v1/authorize',
+                    token_url:     'https://your-org.okta.com/oauth2/default/v1/token',
+                    user_info_url: 'https://your-org.okta.com/oauth2/default/v1/userinfo',
+                  },
+                  strategy_class: OmniAuth::Strategies::Okta)
 ```
 
 Then add the following to 'config/routes.rb' so the callback routes are defined.

data/lib/omniauth-okta/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module Okta
-    VERSION = '0.1.1'
+    VERSION = '0.1.3'.freeze
   end
 end

data/lib/omniauth/strategies/okta.rb

@@ -5,24 +5,22 @@ require 'omniauth-oauth2'
 module OmniAuth
   module Strategies
     class Okta < OmniAuth::Strategies::OAuth2
-
-      ORG           = ENV['OKTA_ORG']    || 'your-org'
-      DOMAIN        = ENV['OKTA_DOMAIN'] || 'okta'
-      BASE_URL      = "https://#{ORG}.#{DOMAIN}.com"
-      DEFAULT_SCOPE = %[openid profile email].freeze
+      DEFAULT_SCOPE = %{openid profile email}.freeze
 
       option :name, 'okta'
-
       option :skip_jwt, false
       option :jwt_leeway, 60
 
+      # These are defaults that need to be overriden on an implementation
       option :client_options, {
-        site:          BASE_URL,
-        authorize_url: "#{BASE_URL}/oauth2/v1/authorize",
-        token_url:     "#{BASE_URL}/oauth2/v1/token",
-        response_type: 'id_token'
+        site:                 'https://your-org.okta.com',
+        authorize_url:        'https://your-org.okta.com/oauth2/default/v1/authorize',
+        token_url:            'https://your-org.okta.com/oauth2/default/v1/token',
+        user_info_url:        'https://your-org.okta.com/oauth2/default/v1/userinfo',
+        response_type:        'id_token',
+        authorization_server: 'default',
+        audience:             'api://default'
       }
-
       option :scope, DEFAULT_SCOPE
 
       uid { raw_info['sub'] }
@@ -38,40 +36,67 @@ module OmniAuth
       end
 
       extra do
-        hash = {}
-        hash[:raw_info] = raw_info unless skip_info?
-        hash[:id_token] = access_token.token
-        if !options[:skip_jwt] && !access_token.token.nil?
-          hash[:id_info] = validated_token(access_token.token)
+        {}.tap do |h|
+          h[:raw_info] = raw_info unless skip_info?
+
+          if access_token
+            h[:id_token] = access_token.token
+
+            if !options[:skip_jwt] && !access_token.token.nil?
+              h[:id_info] = validated_token(access_token.token)
+            end
+          end
         end
-        hash
+      end
+
+      def client_options
+        options.fetch(:client_options)
       end
 
       alias :oauth2_access_token :access_token
 
       def access_token
-        ::OAuth2::AccessToken.new(client, oauth2_access_token.token, {
-          :expires_in => oauth2_access_token.expires_in,
-          :expires_at => oauth2_access_token.expires_at
-        })
+        if oauth2_access_token
+          ::OAuth2::AccessToken.new(client, oauth2_access_token.token, {
+            refresh_token: oauth2_access_token.refresh_token,
+            expires_in:    oauth2_access_token.expires_in,
+            expires_at:    oauth2_access_token.expires_at
+          })
+        end
       end
 
       def raw_info
-        @_raw_info ||= access_token.get('/oauth2/v1/userinfo').parsed || {}
+        @_raw_info ||= access_token.get(client_options.fetch(:user_info_url)).parsed || {}
       rescue ::Errno::ETIMEDOUT
         raise ::Timeout::Error
       end
 
-      def request_phase
-        super
+      def callback_url
+        options[:redirect_uri] || (full_host + script_name + callback_path)
       end
 
-      def callback_phase
-        super
+      # Returns the qualified URL for the authorization server
+      #
+      # This is necessary in the case where there is a custom authorization server.
+      #
+      # Okta provides a default, by default.
+      #
+      # @return [String]
+      def authorization_server_path
+        site                 = client_options.fetch(:site)
+        authorization_server = client_options.fetch(:authorization_server, 'default')
+
+        "#{site}/oauth2/#{authorization_server}"
       end
 
-      def callback_url
-        options[:redirect_uri] || (full_host + script_name + callback_path)
+      # Specifies the audience for the authorization server
+      #
+      # By default, this is +'default'+. If using a custom authorization
+      # server, this will need to be set
+      #
+      # @return [String]
+      def authorization_server_audience
+        client_options.fetch(:audience, 'default')
       end
 
       def validated_token(token)
@@ -79,16 +104,16 @@ module OmniAuth
                    nil,
                    false,
                    verify_iss:        true,
-                   iss:               BASE_URL,
                    verify_aud:        true,
-                   aud:               BASE_URL,
+                   iss:               authorization_server_path,
+                   aud:               authorization_server_audience,
                    verify_sub:        true,
                    verify_expiration: true,
                    verify_not_before: true,
                    verify_iat:        true,
                    verify_jti:        false,
                    leeway:            options[:jwt_leeway]
-                   ).first
+        ).first
       end
     end
   end

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-okta
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.3
 platform: ruby
 authors:
 - Dan Andrews
+- Hector Rios
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-08 00:00:00.000000000 Z
+date: 2021-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -30,7 +31,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.0
+        version: 1.6.0
     - - "<"
       - !ruby/object:Gem::Version
         version: '2.0'
@@ -40,7 +41,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.0
+        version: 1.6.0
     - - "<"
       - !ruby/object:Gem::Version
         version: '2.0'
@@ -78,14 +79,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.7'
+        version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.7'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
@@ -103,6 +104,7 @@ dependencies:
 description: Unofficial OmniAuth OAuth2 strategy for Okta
 email:
 - daniel.raymond.andrews@gmail.com
+- that.hector@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -132,8 +134,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.0.0
 signing_key: 
 specification_version: 4
 summary: Unofficial OmniAuth OAuth2 strategy for Okta