omniauth-oktaoauth 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b695f67514cd436ccab6c0b388006fe403cfa20370af91cdc56224c70c640358
+  data.tar.gz: f8b08d8665ef58cf0fdb1dafabc35c15d3a8f02362f17e87825e73741de7de08
+SHA512:
+  metadata.gz: 1a23a2ad5f7af234cd336d19cfdc93854ea491ab9c9ea3dbee08a6f2d9d0b0a268bc9af3b7309885027e92f5f9cd081515a40ae82b2dd153c6429712ee649640
+  data.tar.gz: e4c1e01ea10b9b6bf4cc38f391e7686bbd5cd0096524b4bc0485f87d7ef843dac91c19fd4951f25de214f00e65ed7d70a99dda0d6f7f9188acf5152cfb8c5755

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2017 Dan Andrews
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,135 @@
+# omniauth-oktaoauth OmniAuth Okta OAuth2 Strategy
+
+
+Continues the great work done by Danandrews at the original repo: https://github.com/dandrews/omniauth-oktaoauth.
+
+This newer version now supports options for Okta's Api Access Management and Custom Oauth Tokens and Urls.  Important to note that is this not an officially released tool and maybe subject to change.
+
+
+
+This strategy can both use Okta's OIDC and Api Access Management Flows. See [developer docs](https://developer.okta.com/docs/api/resources/oidc.html) for more details.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-oktaoauth'
+```
+
+And then execute:
+```bash
+$ bundle install
+```
+
+Or install it yourself as:
+```bash
+$ gem install omniauth-oktaoauth
+```
+
+### Environment Variables
+
+```bash
+OKTA_CLIENT_ID     # required
+OKTA_CLIENT_SECRET # required
+# optional - defaults to 'okta.com' if unset
+required client options are
+site: "your okta org or full issuer with okta"
+authorize_url: "your authorization url"
+token_url: "your token url"
+
+These end points for custom auth servers can be found at {your okta org or custom url}/oauth2/{your server id}/.well-known/oauth-authorization-server
+
+For Oidc only it is {your okta org or custom url}/.well-known/openid-configuration
+
+
+
+### Devise
+
+Here is an example with Devise in `config/initializers/devise.rb`.
+
+Configuration options can be passed as the last parameter here as key/value pairs.
+
+or add options like the following:
+
+```ruby
+  require 'omniauth-oktaoauth'
+  config.omniauth(:oktaoauth,
+                ENV['OKTA_CLIENT_ID'],
+                ENV['OKTA_CLIENT_SECRET'],
+                :scope => 'openid profile email',
+                :fields => ['profile', 'email'],
+                :client_options => {site: ENV['OKTA_ISSUER'], authorize_url: ENV['OKTA_ISSUER'] + "/v1/authorize", token_url: ENV['OKTA_ISSUER'] + "/v1/token"},
+                :redirect_uri => ENV["OKTA_REDIRECT_URI"],
+                :auth_server_id => ENV['OKTA_AUTH_SERVER_ID'],
+                :issuer => ENV['OKTA_ISSUER'],
+                :strategy_class => OmniAuth::Strategies::Oktaoauth)
+```
+
+Then add the following to 'config/routes.rb' so the callback routes are defined.
+
+```ruby
+devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
+```
+
+Make sure your model is omniauthable. Generally this is "/app/models/user.rb"
+
+```ruby
+devise :omniauthable, omniauth_providers: [:oktaoauth]
+```
+
+## Auth Hash
+
+Here's an example of an authentication hash available in the callback by accessing `request.env['omniauth.auth']`:
+
+```ruby
+{
+  "provider" => "okta",
+  "uid" => "0000000000000001",
+  "info" => {
+    "name" => "John Smith",
+    "email" => "john@example.com",
+    "first_name" => "John",
+    "last_name" => "Smith",
+    "image" => "https://photohosting.com/john.jpg"
+  },
+  "credentials" => {
+    "token" => "TOKEN",
+    "expires_at" => 1496617411,
+    "expires" => true
+  },
+  "extra" => {
+    "raw_info" => {
+      "sub" => "0000000000000001",
+      "name" => "John Smith",
+      "locale" => "en-US",
+      "email" => "john@example.com",
+      "picture" => "https://photohosting.com/john.jpg",
+      "website" => "https://example.com",
+      "preferred_username" => "john@example.com",
+      "given_name" => "John",
+      "family_name" => "Smith",
+      "zoneinfo" => "America/Los_Angeles",
+      "updated_at" => 1496611646,
+      "email_verified" => true
+    },
+    "id_token" => "TOKEN",
+    "id_info" => {
+      "ver" => 1,
+      "jti" => "AT.D2sslkfjdsldjf899n090sldkfj",
+      "iss" => "https://your-org.okta.com",
+      "aud" => "https://your-org.okta.com",
+      "sub" => "john@example.com",
+      "iat" => 1496613811,
+      "exp" => 1496617411,
+      "cid" => "CLIENT_ID",
+      "uid" => "0000000000000001",
+      "scp" => ["email", "profile", "openid"]
+    }
+  }
+}
+```
+
+
+## License
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,34 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Omniauth::Okta'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/lib/omniauth-okta.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require "omniauth-oktaoauth/version"
+require "omniauth/strategies/oktaoauth"

data/lib/omniauth-okta/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Oktaoauth
+    VERSION = '0.1.1'
+  end
+end

data/lib/omniauth/strategies/okta.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require 'omniauth-oauth2'
+
+module OmniAuth
+  module Strategies
+    class Okta < OmniAuth::Strategies::OAuth2
+
+      
+      DEFAULT_SCOPE = %[openid profile email].freeze
+
+      option :name, 'okta'
+
+      option :skip_jwt, false
+      option :jwt_leeway, 60
+    
+      option :client_options, {
+        site:          "configure this part ins client options with devise",
+        authorize_url: "configure this part in client options with devise",
+        token_url:     "configure this part in client options with devise",
+        response_type: 'id_token'
+      }
+
+      option :scope, DEFAULT_SCOPE
+
+      uid { raw_info['sub'] }
+
+      info do
+        {
+          name:       raw_info['name'],
+          email:      raw_info['email'],
+          first_name: raw_info['given_name'],
+          last_name:  raw_info['family_name'],
+          image:      raw_info['picture']
+        }
+      end
+
+      extra do
+        hash = {}
+        
+        hash[:raw_info] = raw_info unless skip_info?
+        hash[:id_token] = access_token.token
+        if !options[:skip_jwt] && !access_token.token.nil?
+          hash[:id_info] = validated_token(access_token.token)
+        end
+        hash
+      end
+
+      alias :oauth2_access_token :access_token
+
+      def access_token
+        ::OAuth2::AccessToken.new(client, oauth2_access_token.token, {
+          :expires_in => oauth2_access_token.expires_in,
+          :expires_at => oauth2_access_token.expires_at
+        })
+      end
+
+      def raw_info
+        if options[:auth_server_id]
+          options[:auth_server_id] = options[:auth_server_id] + "/"
+        else
+          options[:auth_server_id] = ""
+        end
+        
+        @_raw_info ||= access_token.get('/oauth2/' + options[:auth_server_id] + 'v1/userinfo').parsed || {}
+      rescue ::Errno::ETIMEDOUT
+        raise ::Timeout::Error
+      end
+
+      def request_phase
+        super
+      end
+
+      def callback_phase
+        super
+      end
+
+      def callback_url
+        options[:redirect_uri] || (full_host + script_name + callback_path)
+      end
+
+      def validated_token(token)
+        JWT.decode(token,
+                   nil,
+                   false,
+                   verify_iss:        true,
+                   iss:               options[:issuer],
+                   verify_aud:        true,
+                   aud:               options[:audience],
+                   verify_sub:        true,
+                   verify_expiration: true,
+                   verify_not_before: true,
+                   verify_iat:        true,
+                   verify_jti:        false,
+                   leeway:            options[:jwt_leeway]
+                   ).first
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,141 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-oktaoauth
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Dan Andrews
+- Andrew Van Beek
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-06-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: OmniAuth OAuth2 strategy for Okta
+email:
+- andrew.vanbeek@okta.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/omniauth-okta.rb
+- lib/omniauth-okta/version.rb
+- lib/omniauth/strategies/okta.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.7
+signing_key: 
+specification_version: 4
+summary: OmniAuth OAuth2 strategy for Okta
+test_files: []