omniauth-okta 0.1.1 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/README.md +19 -13
- data/lib/omniauth-okta/version.rb +1 -1
- data/lib/omniauth/strategies/okta.rb +56 -31
- metadata +9 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: '08e11155cf8af981390447211492f2f474235ab89307ebbe93db3c3c923e526c'
|
|
4
|
+
data.tar.gz: b0c7a635b3ef99f7cf39677afe286c282cab0958af33ad36466a510763d35448
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b819dbbdf7c63bb4eb4bf4cf0713c9e29ea687cc577ebee975c71d500be77e13495b41b4bc0eda2f4bbc11fdb4f8ed963859d6f39849fda7c581584a0f8ccb60
|
|
7
|
+
data.tar.gz: f210c8d52f9a791005205795e18835666cdb273370694eae5c20d648a7c835525d017f7ea8a80e13542cbe732a0b4ff0adef8acf081cc413ced4d712c32467ff
|
data/README.md
CHANGED
|
@@ -22,22 +22,22 @@ Or install it yourself as:
|
|
|
22
22
|
$ gem install omniauth-okta
|
|
23
23
|
```
|
|
24
24
|
|
|
25
|
-
### Environment Variables
|
|
26
|
-
|
|
27
|
-
```bash
|
|
28
|
-
OKTA_CLIENT_ID # required
|
|
29
|
-
OKTA_CLIENT_SECRET # required
|
|
30
|
-
OKTA_ORG # required - defaults to 'your-org' if unset
|
|
31
|
-
OKTA_DOMAIN # optional - defaults to 'okta.com' if unset
|
|
32
|
-
```
|
|
33
|
-
|
|
34
25
|
### OmniAuth
|
|
35
26
|
|
|
36
27
|
Here's an example for adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
|
|
37
28
|
|
|
38
29
|
```ruby
|
|
39
30
|
Rails.application.config.middleware.use OmniAuth::Builder do
|
|
40
|
-
provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET']
|
|
31
|
+
provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {
|
|
32
|
+
client_options: {
|
|
33
|
+
site: 'https://your-org.okta.com',
|
|
34
|
+
authorization_server: '<authorization_server>',
|
|
35
|
+
authorize_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/authorize',
|
|
36
|
+
token_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/token',
|
|
37
|
+
user_info_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/userinfo',
|
|
38
|
+
audience: 'api://your-audience'
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
41
|
end
|
|
42
42
|
```
|
|
43
43
|
|
|
@@ -57,9 +57,15 @@ or add options like the following:
|
|
|
57
57
|
config.omniauth(:okta,
|
|
58
58
|
ENV['OKTA_CLIENT_ID'],
|
|
59
59
|
ENV['OKTA_CLIENT_SECRET'],
|
|
60
|
-
:
|
|
61
|
-
:
|
|
62
|
-
:
|
|
60
|
+
scope: 'openid profile email',
|
|
61
|
+
fields: ['profile', 'email'],
|
|
62
|
+
client_options: {
|
|
63
|
+
site: 'https://your-org.okta.com',
|
|
64
|
+
authorize_url: 'https://your-org.okta.com/oauth2/default/v1/authorize',
|
|
65
|
+
token_url: 'https://your-org.okta.com/oauth2/default/v1/token',
|
|
66
|
+
user_info_url: 'https://your-org.okta.com/oauth2/default/v1/userinfo',
|
|
67
|
+
},
|
|
68
|
+
strategy_class: OmniAuth::Strategies::Okta)
|
|
63
69
|
```
|
|
64
70
|
|
|
65
71
|
Then add the following to 'config/routes.rb' so the callback routes are defined.
|
|
@@ -5,24 +5,22 @@ require 'omniauth-oauth2'
|
|
|
5
5
|
module OmniAuth
|
|
6
6
|
module Strategies
|
|
7
7
|
class Okta < OmniAuth::Strategies::OAuth2
|
|
8
|
-
|
|
9
|
-
ORG = ENV['OKTA_ORG'] || 'your-org'
|
|
10
|
-
DOMAIN = ENV['OKTA_DOMAIN'] || 'okta'
|
|
11
|
-
BASE_URL = "https://#{ORG}.#{DOMAIN}.com"
|
|
12
|
-
DEFAULT_SCOPE = %[openid profile email].freeze
|
|
8
|
+
DEFAULT_SCOPE = %{openid profile email}.freeze
|
|
13
9
|
|
|
14
10
|
option :name, 'okta'
|
|
15
|
-
|
|
16
11
|
option :skip_jwt, false
|
|
17
12
|
option :jwt_leeway, 60
|
|
18
13
|
|
|
14
|
+
# These are defaults that need to be overriden on an implementation
|
|
19
15
|
option :client_options, {
|
|
20
|
-
site:
|
|
21
|
-
authorize_url:
|
|
22
|
-
token_url:
|
|
23
|
-
|
|
16
|
+
site: 'https://your-org.okta.com',
|
|
17
|
+
authorize_url: 'https://your-org.okta.com/oauth2/default/v1/authorize',
|
|
18
|
+
token_url: 'https://your-org.okta.com/oauth2/default/v1/token',
|
|
19
|
+
user_info_url: 'https://your-org.okta.com/oauth2/default/v1/userinfo',
|
|
20
|
+
response_type: 'id_token',
|
|
21
|
+
authorization_server: 'default',
|
|
22
|
+
audience: 'api://default'
|
|
24
23
|
}
|
|
25
|
-
|
|
26
24
|
option :scope, DEFAULT_SCOPE
|
|
27
25
|
|
|
28
26
|
uid { raw_info['sub'] }
|
|
@@ -38,40 +36,67 @@ module OmniAuth
|
|
|
38
36
|
end
|
|
39
37
|
|
|
40
38
|
extra do
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
39
|
+
{}.tap do |h|
|
|
40
|
+
h[:raw_info] = raw_info unless skip_info?
|
|
41
|
+
|
|
42
|
+
if access_token
|
|
43
|
+
h[:id_token] = access_token.token
|
|
44
|
+
|
|
45
|
+
if !options[:skip_jwt] && !access_token.token.nil?
|
|
46
|
+
h[:id_info] = validated_token(access_token.token)
|
|
47
|
+
end
|
|
48
|
+
end
|
|
46
49
|
end
|
|
47
|
-
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def client_options
|
|
53
|
+
options.fetch(:client_options)
|
|
48
54
|
end
|
|
49
55
|
|
|
50
56
|
alias :oauth2_access_token :access_token
|
|
51
57
|
|
|
52
58
|
def access_token
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
59
|
+
if oauth2_access_token
|
|
60
|
+
::OAuth2::AccessToken.new(client, oauth2_access_token.token, {
|
|
61
|
+
refresh_token: oauth2_access_token.refresh_token,
|
|
62
|
+
expires_in: oauth2_access_token.expires_in,
|
|
63
|
+
expires_at: oauth2_access_token.expires_at
|
|
64
|
+
})
|
|
65
|
+
end
|
|
57
66
|
end
|
|
58
67
|
|
|
59
68
|
def raw_info
|
|
60
|
-
@_raw_info ||= access_token.get(
|
|
69
|
+
@_raw_info ||= access_token.get(client_options.fetch(:user_info_url)).parsed || {}
|
|
61
70
|
rescue ::Errno::ETIMEDOUT
|
|
62
71
|
raise ::Timeout::Error
|
|
63
72
|
end
|
|
64
73
|
|
|
65
|
-
def
|
|
66
|
-
|
|
74
|
+
def callback_url
|
|
75
|
+
options[:redirect_uri] || (full_host + script_name + callback_path)
|
|
67
76
|
end
|
|
68
77
|
|
|
69
|
-
|
|
70
|
-
|
|
78
|
+
# Returns the qualified URL for the authorization server
|
|
79
|
+
#
|
|
80
|
+
# This is necessary in the case where there is a custom authorization server.
|
|
81
|
+
#
|
|
82
|
+
# Okta provides a default, by default.
|
|
83
|
+
#
|
|
84
|
+
# @return [String]
|
|
85
|
+
def authorization_server_path
|
|
86
|
+
site = client_options.fetch(:site)
|
|
87
|
+
authorization_server = client_options.fetch(:authorization_server, 'default')
|
|
88
|
+
|
|
89
|
+
"#{site}/oauth2/#{authorization_server}"
|
|
71
90
|
end
|
|
72
91
|
|
|
73
|
-
|
|
74
|
-
|
|
92
|
+
# Specifies the audience for the authorization server
|
|
93
|
+
#
|
|
94
|
+
# By default, this is +'default'+. If using a custom authorization
|
|
95
|
+
# server, this will need to be set
|
|
96
|
+
#
|
|
97
|
+
# @return [String]
|
|
98
|
+
def authorization_server_audience
|
|
99
|
+
client_options.fetch(:audience, 'default')
|
|
75
100
|
end
|
|
76
101
|
|
|
77
102
|
def validated_token(token)
|
|
@@ -79,16 +104,16 @@ module OmniAuth
|
|
|
79
104
|
nil,
|
|
80
105
|
false,
|
|
81
106
|
verify_iss: true,
|
|
82
|
-
iss: BASE_URL,
|
|
83
107
|
verify_aud: true,
|
|
84
|
-
|
|
108
|
+
iss: authorization_server_path,
|
|
109
|
+
aud: authorization_server_audience,
|
|
85
110
|
verify_sub: true,
|
|
86
111
|
verify_expiration: true,
|
|
87
112
|
verify_not_before: true,
|
|
88
113
|
verify_iat: true,
|
|
89
114
|
verify_jti: false,
|
|
90
115
|
leeway: options[:jwt_leeway]
|
|
91
|
-
|
|
116
|
+
).first
|
|
92
117
|
end
|
|
93
118
|
end
|
|
94
119
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,15 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-okta
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dan Andrews
|
|
8
|
+
- Hector Rios
|
|
8
9
|
autorequire:
|
|
9
10
|
bindir: bin
|
|
10
11
|
cert_chain: []
|
|
11
|
-
date:
|
|
12
|
+
date: 2021-04-06 00:00:00.000000000 Z
|
|
12
13
|
dependencies:
|
|
13
14
|
- !ruby/object:Gem::Dependency
|
|
14
15
|
name: omniauth
|
|
@@ -30,7 +31,7 @@ dependencies:
|
|
|
30
31
|
requirements:
|
|
31
32
|
- - ">="
|
|
32
33
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 1.
|
|
34
|
+
version: 1.6.0
|
|
34
35
|
- - "<"
|
|
35
36
|
- !ruby/object:Gem::Version
|
|
36
37
|
version: '2.0'
|
|
@@ -40,7 +41,7 @@ dependencies:
|
|
|
40
41
|
requirements:
|
|
41
42
|
- - ">="
|
|
42
43
|
- !ruby/object:Gem::Version
|
|
43
|
-
version: 1.
|
|
44
|
+
version: 1.6.0
|
|
44
45
|
- - "<"
|
|
45
46
|
- !ruby/object:Gem::Version
|
|
46
47
|
version: '2.0'
|
|
@@ -78,14 +79,14 @@ dependencies:
|
|
|
78
79
|
requirements:
|
|
79
80
|
- - "~>"
|
|
80
81
|
- !ruby/object:Gem::Version
|
|
81
|
-
version: '
|
|
82
|
+
version: '3'
|
|
82
83
|
type: :development
|
|
83
84
|
prerelease: false
|
|
84
85
|
version_requirements: !ruby/object:Gem::Requirement
|
|
85
86
|
requirements:
|
|
86
87
|
- - "~>"
|
|
87
88
|
- !ruby/object:Gem::Version
|
|
88
|
-
version: '
|
|
89
|
+
version: '3'
|
|
89
90
|
- !ruby/object:Gem::Dependency
|
|
90
91
|
name: rack-test
|
|
91
92
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -103,6 +104,7 @@ dependencies:
|
|
|
103
104
|
description: Unofficial OmniAuth OAuth2 strategy for Okta
|
|
104
105
|
email:
|
|
105
106
|
- daniel.raymond.andrews@gmail.com
|
|
107
|
+
- that.hector@gmail.com
|
|
106
108
|
executables: []
|
|
107
109
|
extensions: []
|
|
108
110
|
extra_rdoc_files: []
|
|
@@ -132,8 +134,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
132
134
|
- !ruby/object:Gem::Version
|
|
133
135
|
version: '0'
|
|
134
136
|
requirements: []
|
|
135
|
-
|
|
136
|
-
rubygems_version: 2.6.8
|
|
137
|
+
rubygems_version: 3.0.0
|
|
137
138
|
signing_key:
|
|
138
139
|
specification_version: 4
|
|
139
140
|
summary: Unofficial OmniAuth OAuth2 strategy for Okta
|