omniauth-okta 0.1.1 → 2.0.0.rc1
- checksums.yaml +5 -5
- data/README.md +19 -13
- data/lib/omniauth/strategies/okta.rb +53 -34
- data/lib/omniauth-okta/version.rb +1 -1
- metadata +18 -31
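--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-metadata.gz:
-data.tar.gz:
+SHA256:
+metadata.gz: 4c650d6bf54a0b04d219137098f91a7da75839050254663c761bc117d9e8db51
+data.tar.gz: c87ae72be14fba06dfcff3eeb728bac5f30045e9dd578e2c3c5317dc784e7ff1
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1a52f980b4dc26cec6b1a816c86db727254a87a3c436f662af5a15b9de7f2ba06823441bcc5ff052f156deed45fa1d8e8af0bc9ce708e1b3a6e9f813c2503862
+data.tar.gz: 453c7387c83013eba0f9081374c957aafc493d972064601684f7f6b746fc3a454ff49b529f4f9f5330302693af3a1aa3f3c1b78a898824c02a84a4905433a561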
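--- a/data/README.md
+++ b/data/README.md
@@ -22,22 +22,22 @@ Or install it yourself as:
 $ gem install omniauth-okta
 ```
 
-### Environment Variables
-
-```bash
-OKTA_CLIENT_ID # required
-OKTA_CLIENT_SECRET # required
-OKTA_ORG # required - defaults to 'your-org' if unset
-OKTA_DOMAIN # optional - defaults to 'okta.com' if unset
-```
-
 ### OmniAuth
 
 Here's an example for adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET']
+provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {
+client_options: {
+site: 'https://your-org.okta.com',
+authorization_server: '<authorization_server>',
+authorize_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/authorize',
+token_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/token',
+user_info_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/userinfo',
+audience: 'api://your-audience'
+}
+}
 end
 ```
 
@@ -57,9 +57,15 @@ or add options like the following:
 config.omniauth(:okta,
 ENV['OKTA_CLIENT_ID'],
 ENV['OKTA_CLIENT_SECRET'],
-:
-:
-:
+scope: 'openid profile email',
+fields: ['profile', 'email'],
+client_options: {
+site: 'https://your-org.okta.com',
+authorize_url: 'https://your-org.okta.com/oauth2/default/v1/authorize',
+token_url: 'https://your-org.okta.com/oauth2/default/v1/token',
+user_info_url: 'https://your-org.okta.com/oauth2/default/v1/userinfo',
+},
+strategy_class: OmniAuth::Strategies::Okta)
 ```
 
 Then add the following to 'config/routes.rb' so the callback routes are defined.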
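--- a/data/lib/omniauth/strategies/okta.rb
+++ b/data/lib/omniauth/strategies/okta.rb
@@ -5,24 +5,22 @@ require 'omniauth-oauth2'
 module OmniAuth
 module Strategies
 class Okta < OmniAuth::Strategies::OAuth2
-
-ORG = ENV['OKTA_ORG'] || 'your-org'
-DOMAIN = ENV['OKTA_DOMAIN'] || 'okta'
-BASE_URL = "https://#{ORG}.#{DOMAIN}.com"
-DEFAULT_SCOPE = %[openid profile email].freeze
+DEFAULT_SCOPE = %{openid profile email}.freeze
 
 option :name, 'okta'
-
 option :skip_jwt, false
 option :jwt_leeway, 60
 
+# These are defaults that need to be overriden on an implementation
 option :client_options, {
-site:
-authorize_url:
-token_url:
-
+site: 'https://your-org.okta.com',
+authorize_url: 'https://your-org.okta.com/oauth2/default/v1/authorize',
+token_url: 'https://your-org.okta.com/oauth2/default/v1/token',
+user_info_url: 'https://your-org.okta.com/oauth2/default/v1/userinfo',
+response_type: 'id_token',
+authorization_server: 'default',
+audience: 'api://default'
 }
-
 option :scope, DEFAULT_SCOPE
 
 uid { raw_info['sub'] }
@@ -38,40 +36,61 @@ module OmniAuth
 end
 
 extra do
-
-
-
-
-
+{}.tap do |h|
+h[:raw_info] = raw_info unless skip_info?
+
+if access_token
+h[:id_token] = id_token
+
+if !options[:skip_jwt] && !id_token.nil?
+h[:id_info] = validated_token(id_token)
+end
+end
 end
-hash
 end
 
-
-
-def access_token
-::OAuth2::AccessToken.new(client, oauth2_access_token.token, {
-:expires_in => oauth2_access_token.expires_in,
-:expires_at => oauth2_access_token.expires_at
-})
+def client_options
+options.fetch(:client_options)
 end
 
 def raw_info
-@_raw_info ||= access_token.get(
+@_raw_info ||= access_token.get(client_options.fetch(:user_info_url)).parsed || {}
 rescue ::Errno::ETIMEDOUT
 raise ::Timeout::Error
 end
 
-def
-
+def callback_url
+options[:redirect_uri] || (full_host + callback_path)
 end
 
-def
-
+def id_token
+return if access_token.nil?
+
+access_token['id_token']
 end
 
-
-
+# Returns the qualified URL for the authorization server
+#
+# This is necessary in the case where there is a custom authorization server.
+#
+# Okta provides a default, by default.
+#
+# @return [String]
+def authorization_server_path
+site = client_options.fetch(:site)
+authorization_server = client_options.fetch(:authorization_server, 'default')
+
+"#{site}/oauth2/#{authorization_server}"
+end
+
+# Specifies the audience for the authorization server
+#
+# By default, this is +'default'+. If using a custom authorization
+# server, this will need to be set
+#
+# @return [String]
+def authorization_server_audience
+client_options.fetch(:audience, 'default')
 end
 
 def validated_token(token)
@@ -79,16 +98,16 @@ module OmniAuth
 nil,
 false,
 verify_iss: true,
-iss: BASE_URL,
 verify_aud: true,
-
+iss: authorization_server_path,
+aud: authorization_server_audience,
 verify_sub: true,
 verify_expiration: true,
 verify_not_before: true,
 verify_iat: true,
 verify_jti: false,
 leeway: options[:jwt_leeway]
-
+).first
 end
 end
 end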
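Review bot: The issuer and audience checks added at the end of `validated_token` (`iss: authorization_server_path`, `aud: authorization_server_audience`) are handed to a `JWT.decode` call whose verify argument, visible as context just above them (`nil,` then `false,`), is `false`, so the ID token's signature is never checked; as far as I recall, ruby-jwt 2.x also skips claim verification entirely when verify is false, which would make every `verify_*` option here a no-op and leave `extra[:id_info]` holding an unverified payload. The call should pass `true` together with the authorization server's signing keys (ruby-jwt's `jwks:` option with a loader for the issuer's JWKS document, plus an explicit `algorithms:` list) instead of `nil, false`. Separately, an Okta ID token's `aud` claim is the client ID, while `authorization_server_audience` reads `client_options[:audience]` whose shipped default is `'api://default'` (an access-token audience), so once `verify_aud` is actually enforced the default configuration would likely reject genuine ID tokens; defaulting `aud` to `client.id` seems closer to the intent, and the `'default'` fallback in `authorization_server_audience` also disagrees with the `'api://default'` default in `client_options`. The `JWT.decode(` line and the start of `validated_token` lie outside this hunk.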
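--- a/metadata
+++ b/metadata
@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-okta
 version: !ruby/object:Gem::Version
-version: 0.
+version: 2.0.0.rc1
 platform: ruby
 authors:
 - Dan Andrews
+- Hector Rios
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2022-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: omniauth
@@ -16,48 +17,34 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '2.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '2.0'
 - !ruby/object:Gem::Dependency
 name: omniauth-oauth2
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - "~>"
 - !ruby/object:Gem::Version
-version: 1.
-- - "
+version: '1.7'
+- - ">="
 - !ruby/object:Gem::Version
-version:
+version: 1.7.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: 1.4.0
-- - "<"
-- !ruby/object:Gem::Version
-version: '2.0'
-- !ruby/object:Gem::Dependency
-name: bundler
-requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '1.
-
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - "~>"
+version: '1.7'
+- - ">="
 - !ruby/object:Gem::Version
-version:
+version: 1.7.1
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
@@ -78,14 +65,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '3'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '3'
 - !ruby/object:Gem::Dependency
 name: rack-test
 requirement: !ruby/object:Gem::Requirement
@@ -103,6 +90,7 @@ dependencies:
 description: Unofficial OmniAuth OAuth2 strategy for Okta
 email:
 - daniel.raymond.andrews@gmail.com
+- that.hector@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -128,12 +116,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">"
 - !ruby/object:Gem::Version
-version:
+version: 1.3.1
 requirements: []
-
-rubygems_version: 2.6.8
+rubygems_version: 3.0.3.1
 signing_key:
 specification_version: 4
 summary: Unofficial OmniAuth OAuth2 strategy for Okta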