omniauth-okta 0.1.1 → 0.1.3

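--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: f6beba3ded666b26386e13ad2a44f90311fabe71
-data.tar.gz: 7b5477d3778a419c681a99115b8ee10d189927d0
+SHA256:
+metadata.gz: '08e11155cf8af981390447211492f2f474235ab89307ebbe93db3c3c923e526c'
+data.tar.gz: b0c7a635b3ef99f7cf39677afe286c282cab0958af33ad36466a510763d35448
 SHA512:
-metadata.gz: d672bc7b7ddd5f842ddbdc6984bb27c975fcc026927169f0be70d84e9ce8c200871e56edf400ba2425bb886e834c65005e65c06d1dc1553f2f24488c62d17037
-data.tar.gz: 66f716dea467f6a1f299ea1cfc201fa2ea1b927dbb4585dbe061afb26b7f605ba8ea82c0462346399cd3533f11a3eef7d342ba980751a949fffc741edb658e86
+metadata.gz: b819dbbdf7c63bb4eb4bf4cf0713c9e29ea687cc577ebee975c71d500be77e13495b41b4bc0eda2f4bbc11fdb4f8ed963859d6f39849fda7c581584a0f8ccb60
+data.tar.gz: f210c8d52f9a791005205795e18835666cdb273370694eae5c20d648a7c835525d017f7ea8a80e13542cbe732a0b4ff0adef8acf081cc413ced4d712c32467ff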
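--- a/data/README.md
+++ b/data/README.md
@@ -22,22 +22,22 @@ Or install it yourself as:
 $ gem install omniauth-okta
 ```
 
-### Environment Variables
-
-```bash
-OKTA_CLIENT_ID # required
-OKTA_CLIENT_SECRET # required
-OKTA_ORG # required - defaults to 'your-org' if unset
-OKTA_DOMAIN # optional - defaults to 'okta.com' if unset
-```
-
 ### OmniAuth
 
 Here's an example for adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET']
+provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {
+client_options: {
+site: 'https://your-org.okta.com',
+authorization_server: '<authorization_server>',
+authorize_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/authorize',
+token_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/token',
+user_info_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/userinfo',
+audience: 'api://your-audience'
+}
+}
 end
 ```
 
@@ -57,9 +57,15 @@ or add options like the following:
 config.omniauth(:okta,
 ENV['OKTA_CLIENT_ID'],
 ENV['OKTA_CLIENT_SECRET'],
-:scope => 'openid profile email',
-:fields => ['profile', 'email'],
-:strategy_class => OmniAuth::Strategies::Okta)
+scope: 'openid profile email',
+fields: ['profile', 'email'],
+client_options: {
+site: 'https://your-org.okta.com',
+authorize_url: 'https://your-org.okta.com/oauth2/default/v1/authorize',
+token_url: 'https://your-org.okta.com/oauth2/default/v1/token',
+user_info_url: 'https://your-org.okta.com/oauth2/default/v1/userinfo',
+},
+strategy_class: OmniAuth::Strategies::Okta)
 ```
 
 Then add the following to 'config/routes.rb' so the callback routes are defined.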
@@ -2,6 +2,6 @@
2
2
 
3
3
  module OmniAuth
4
4
  module Okta
5
- VERSION = '0.1.1'
5
+ VERSION = '0.1.3'.freeze
6
6
  end
7
7
  end
@@ -5,24 +5,22 @@ require 'omniauth-oauth2'
5
5
  module OmniAuth
6
6
  module Strategies
7
7
  class Okta < OmniAuth::Strategies::OAuth2
8
-
9
- ORG = ENV['OKTA_ORG'] || 'your-org'
10
- DOMAIN = ENV['OKTA_DOMAIN'] || 'okta'
11
- BASE_URL = "https://#{ORG}.#{DOMAIN}.com"
12
- DEFAULT_SCOPE = %[openid profile email].freeze
8
+ DEFAULT_SCOPE = %{openid profile email}.freeze
13
9
 
14
10
  option :name, 'okta'
15
-
16
11
  option :skip_jwt, false
17
12
  option :jwt_leeway, 60
18
13
 
14
+ # These are defaults that need to be overriden on an implementation
19
15
  option :client_options, {
20
- site: BASE_URL,
21
- authorize_url: "#{BASE_URL}/oauth2/v1/authorize",
22
- token_url: "#{BASE_URL}/oauth2/v1/token",
23
- response_type: 'id_token'
16
+ site: 'https://your-org.okta.com',
17
+ authorize_url: 'https://your-org.okta.com/oauth2/default/v1/authorize',
18
+ token_url: 'https://your-org.okta.com/oauth2/default/v1/token',
19
+ user_info_url: 'https://your-org.okta.com/oauth2/default/v1/userinfo',
20
+ response_type: 'id_token',
21
+ authorization_server: 'default',
22
+ audience: 'api://default'
24
23
  }
25
-
26
24
  option :scope, DEFAULT_SCOPE
27
25
 
28
26
  uid { raw_info['sub'] }
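Review bot: The new `client_options` defaults at lines 16-22 are live placeholder URLs under `https://your-org.okta.com`, and the ENV-based `ORG`/`DOMAIN`/`BASE_URL` lookup they replace is removed, so a deployment upgrading from 0.1.1 that configured its tenant through `OKTA_ORG`/`OKTA_DOMAIN` will now silently send users and token requests to the placeholder host instead of failing. Consider making the placeholder unusable, e.g. in a `setup_phase` override `raise ArgumentError, 'client_options.site must be configured' if options[:client_options][:site].include?('your-org')`, or at least call out the removed environment variables as a breaking change. The comment at line 14 also has a typo; suggest `# These are defaults that need to be overridden by an implementation`.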
@@ -38,40 +36,67 @@ module OmniAuth
38
36
  end
39
37
 
40
38
  extra do
41
- hash = {}
42
- hash[:raw_info] = raw_info unless skip_info?
43
- hash[:id_token] = access_token.token
44
- if !options[:skip_jwt] && !access_token.token.nil?
45
- hash[:id_info] = validated_token(access_token.token)
39
+ {}.tap do |h|
40
+ h[:raw_info] = raw_info unless skip_info?
41
+
42
+ if access_token
43
+ h[:id_token] = access_token.token
44
+
45
+ if !options[:skip_jwt] && !access_token.token.nil?
46
+ h[:id_info] = validated_token(access_token.token)
47
+ end
48
+ end
46
49
  end
47
- hash
50
+ end
51
+
52
+ def client_options
53
+ options.fetch(:client_options)
48
54
  end
49
55
 
50
56
  alias :oauth2_access_token :access_token
51
57
 
52
58
  def access_token
53
- ::OAuth2::AccessToken.new(client, oauth2_access_token.token, {
54
- :expires_in => oauth2_access_token.expires_in,
55
- :expires_at => oauth2_access_token.expires_at
56
- })
59
+ if oauth2_access_token
60
+ ::OAuth2::AccessToken.new(client, oauth2_access_token.token, {
61
+ refresh_token: oauth2_access_token.refresh_token,
62
+ expires_in: oauth2_access_token.expires_in,
63
+ expires_at: oauth2_access_token.expires_at
64
+ })
65
+ end
57
66
  end
58
67
 
59
68
  def raw_info
60
- @_raw_info ||= access_token.get('/oauth2/v1/userinfo').parsed || {}
69
+ @_raw_info ||= access_token.get(client_options.fetch(:user_info_url)).parsed || {}
61
70
  rescue ::Errno::ETIMEDOUT
62
71
  raise ::Timeout::Error
63
72
  end
64
73
 
65
- def request_phase
66
- super
74
+ def callback_url
75
+ options[:redirect_uri] || (full_host + script_name + callback_path)
67
76
  end
68
77
 
69
- def callback_phase
70
- super
78
+ # Returns the qualified URL for the authorization server
79
+ #
80
+ # This is necessary in the case where there is a custom authorization server.
81
+ #
82
+ # Okta provides a default, by default.
83
+ #
84
+ # @return [String]
85
+ def authorization_server_path
86
+ site = client_options.fetch(:site)
87
+ authorization_server = client_options.fetch(:authorization_server, 'default')
88
+
89
+ "#{site}/oauth2/#{authorization_server}"
71
90
  end
72
91
 
73
- def callback_url
74
- options[:redirect_uri] || (full_host + script_name + callback_path)
92
+ # Specifies the audience for the authorization server
93
+ #
94
+ # By default, this is +'default'+. If using a custom authorization
95
+ # server, this will need to be set
96
+ #
97
+ # @return [String]
98
+ def authorization_server_audience
99
+ client_options.fetch(:audience, 'default')
75
100
  end
76
101
 
77
102
  def validated_token(token)
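Review bot: `authorization_server_audience` at lines 98-99 falls back to `'default'` and its doc comment says the default is `'default'`, but the `client_options` default set earlier in this file (hunk at lines 16-22) is `audience: 'api://default'`; since this value is what `validated_token` passes as `aud`, a configuration that replaces `client_options` wholesale without an `audience` key would verify tokens against a different audience than the one documented. Align the three, e.g. `client_options.fetch(:audience, 'api://default')` and `# By default, this is +'api://default'+`, or drop the fallback and rely on the option default. Relatedly, `raw_info` at line 69 uses `client_options.fetch(:user_info_url)` with no fallback, so the same wholesale override would raise `KeyError` there; whether OmniAuth deep-merges user-supplied `client_options` into the defaults is not visible in this hunk, so this may be unreachable in practice but is worth a comment either way.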
@@ -79,16 +104,16 @@ module OmniAuth
79
104
  nil,
80
105
  false,
81
106
  verify_iss: true,
82
- iss: BASE_URL,
83
107
  verify_aud: true,
84
- aud: BASE_URL,
108
+ iss: authorization_server_path,
109
+ aud: authorization_server_audience,
85
110
  verify_sub: true,
86
111
  verify_expiration: true,
87
112
  verify_not_before: true,
88
113
  verify_iat: true,
89
114
  verify_jti: false,
90
115
  leeway: options[:jwt_leeway]
91
- ).first
116
+ ).first
92
117
  end
93
118
  end
94
119
  end
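Review bot: The new `iss:`/`aud:` arguments at lines 108-109 feed claim checks on a decode call whose `nil,` and `false,` positional arguments at lines 104-105 look like the key and the signature-verification flag; the call itself starts outside this hunk, so this is an inference, but if it holds the issuer and audience are only checked against unverified claims and `id_info` exposed through `extra` should not be treated as authenticated. Either verify the signature against the authorization server's published keys (passing `true` and an `algorithms:` list, plus the key or JWK set) or document on `validated_token` that the result is decoded-but-unverified and only suitable for display, e.g. `# NOTE: claims are checked but the signature is not verified; do not rely on id_info for authorization`. The `.first` change at line 116 is whitespace only.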
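--- a/metadata
+++ b/metadata
@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-okta
 version: !ruby/object:Gem::Version
-version: 0.1.1
+version: 0.1.3
 platform: ruby
 authors:
 - Dan Andrews
+- Hector Rios
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-11-08 00:00:00.000000000 Z
+date: 2021-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: omniauth
@@ -30,7 +31,7 @@ dependencies:
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 1.4.0
+version: 1.6.0
 - - "<"
 - !ruby/object:Gem::Version
 version: '2.0'
@@ -40,7 +41,7 @@ dependencies:
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 1.4.0
+version: 1.6.0
 - - "<"
 - !ruby/object:Gem::Version
 version: '2.0'
@@ -78,14 +79,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.7'
+version: '3'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.7'
+version: '3'
 - !ruby/object:Gem::Dependency
 name: rack-test
 requirement: !ruby/object:Gem::Requirement
@@ -103,6 +104,7 @@ dependencies:
 description: Unofficial OmniAuth OAuth2 strategy for Okta
 email:
 - daniel.raymond.andrews@gmail.com
+- that.hector@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -132,8 +134,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.8
+rubygems_version: 3.0.0
 signing_key:
 specification_version: 4
 summary: Unofficial OmniAuth OAuth2 strategy for Okta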