omniauth-proconnect 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 716624a37126c3740783be8dd3f69408107b5df3d0950de201ebdcab01ec1167
+  data.tar.gz: 82b492df655ad497fab377c09a5f03c86cfe7e501941463cc49d7722b2287e99
+SHA512:
+  metadata.gz: ca9f4f94268c834a1b476f3a11d953d9cadd380df0d5412d3ce6c1ce5a72a1126edf3b3a133b00d6711373659d492eaef38a2f0a6a4f8d49f0a14f894a144ef2
+  data.tar.gz: 70b7118dcc78b31435c9d50a7af2cbba2ff8cc69eaf3b9dd2ed1cb82dc0480f490e4c1ffe5bbc895b91388056f2445559da082c830af53a6bfc06f039e1613f9

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,8 @@
+AllCops:
+  TargetRubyVersion: 3.1
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Stéphane Maniaci
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,58 @@
+# Omniauth::Proconnect
+
+Une stratégie pour [OmniAuth](https://github.com/omniauth/omniauth)
+qui permet d'intégrer [ProConnect](https://www.proconnect.gouv.fr/).
+
+## Pourquoi pas `omniauth_openid_connect` ?
+
+ProConnect comporte quelques particularités comme le retour des
+informations utilisateurs (`/userinfo`) en JWT et l'obligation
+d'intégrer le `id_token_hint` dans l'URL de fin de session quand la
+spec officielle le décrit optionnel.
+
+Ces spécificités empêchent pour le moment d'utiliser la librairie
+générique
+[`omniauth_openid_connect`](https://github.com/omniauth/omniauth_openid_connect)
+qui malgré son degré de maturité supérieure semble à l'abandon aussi.
+
+## Utilisation
+
+1. installer la gem `bundle add omniauth-proconnect` ;
+2. configurer une nouvelle stratégie pour OmniAuth :
+
+```ruby
+# config/omniauth.rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider(
+    :pro_connect,
+    {
+      client_id: ENV.fetch("YOUR_APP_PC_CLIENT_ID"),
+      client_secret: ENV.fetch("YOUR_APP_PC_CLIENT_SECRET"),
+      proconnect_domain: ENV.fetch("YOUR_APP_PC_HOST"),
+      redirect_uri: ENV.fetch("YOUR_APP_PC_REDIRECT_URI"),
+      post_logout_redirect_uri: ENV.fetch("YOUR_APP_PC_POST_LOGOUT_REDIRECT_URI"),
+      scope: ENV.fetch("YOUR_APP_PC_SCOPES")
+    }
+  )
+end
+```
+
+3. envoyez votre utilisateur sur la stratégie :
+
+```erb
+<%= button_to "Se connecter via ProConnect", "/auth/proconnect", method: :post, remote: false, data: { turbo: false } %>
+```
+
+4. (optionnel) proposez la déconnexion aussi : le middleware observe
+   le chemin de la page courante et déclenchera le processus de fin de
+   session s'il se trouve sur `{request_path}/logout`, donc
+   `/auth/proconnect/logout` pour la majorité des cas :
+
+```ruby
+redirect_to "/auth/proconnect/logout"
+```
+
+## Contribution
+
+La stratégie est loin d'être complète ; n'hésitez pas à contribuer des
+issues ou des changements.

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/lib/omniauth/proconnect/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Omniauth
+  module Proconnect
+    VERSION = "0.1.0"
+  end
+end

data/lib/omniauth/proconnect.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require_relative "proconnect/version"
+
+module Omniauth
+  class Proconnect
+    class Error < StandardError; end
+
+    include OmniAuth::Strategy
+
+    option :name, "proconnect"
+    option :client_id
+    option :client_secret
+    option :proconnect_domain
+    option :redirect_uri
+    option :post_logout_redirect_uri
+    option :scope, "openid email given_name usual_name"
+
+    def setup_phase
+      discover_endpoint!
+    end
+
+    def request_phase
+      redirect(authorization_uri)
+    end
+
+    def callback_phase
+      verify_state!(request.params["state"])
+
+      exchange_authorization_code!(request.params["code"])
+        .then { |response| store_tokens!(response) }
+        .then { |response| get_userinfo!(response) }
+        .then { |response| @userinfo = JSON::JWT.decode(response.body, :skip_verification) }
+        .then { super }
+    end
+
+    def other_phase
+      if on_logout_path?
+        engage_logout!
+      else
+        @app.call(env)
+      end
+    end
+
+    def uid
+      session["omniauth.pc.id_token"]["sub"]
+    end
+
+    def info
+      {
+        email: @userinfo["email"]
+      }
+    end
+
+    private
+
+    def connection
+      @connection ||= Faraday.new(url: options[:proconnect_domain]) do |c|
+        c.response :json
+        c.response :raise_error
+      end
+    end
+
+    def discovered_configuration
+      @discovered_configuration ||= discover_endpoint!
+    end
+
+    def discover_endpoint!
+      connection
+        .get(".well-known/openid-configuration")
+        .body
+    end
+
+    def authorization_uri
+      URI(discovered_configuration["authorization_endpoint"]).tap do |endpoint|
+        endpoint.query = URI.encode_www_form(
+          response_type: "code",
+          client_id: options[:client_id],
+          redirect_uri: options[:redirect_uri],
+          scope: options[:scope],
+          state: store_new_state!,
+          nonce: store_new_nonce!
+        )
+      end
+    end
+
+    def end_session_uri
+      URI(discovered_configuration["end_session_endpoint"]).tap do |endpoint|
+        endpoint.query = URI.encode_www_form(
+          id_token_hint: session["omniauth.pc.id_token"],
+          state: current_state,
+          post_logout_redirect_uri: options[:post_logout_redirect_uri]
+        )
+      end
+    end
+
+    def exchange_authorization_code!(code)
+      connection.post(URI(discovered_configuration["token_endpoint"]),
+                      URI.encode_www_form(
+                        grant_type: "authorization_code",
+                        client_id: options[:client_id],
+                        client_secret: options[:client_secret],
+                        redirect_uri: options[:redirect_uri],
+                        code: code,
+                        scope: options[:scope]
+                      ))
+    end
+
+    def store_tokens!(response)
+      response.tap do |res|
+        %w[access id refresh].each do |name|
+          session["omniauth.pc.#{name}_token"] = res.body["#{name}_token"]
+        end
+      end
+    end
+
+    def get_userinfo!
+      endpoint = URI(discovered_configuration["userinfo_endpoint"])
+      token = session["omniauth.pc.access_token"]
+
+      connection.get(endpoint, {}, "Authorization" => "Bearer #{token}")
+    end
+
+    def engage_logout!
+      redirect end_session_uri
+    end
+
+    def on_logout_path?
+      # FIXME: maybe don't hardcode this
+      request.path.end_with?("#{request_path}/logout")
+    end
+
+    def store_new_state!
+      session["omniauth.state"] = SecureRandom.hex(16)
+    end
+
+    def current_state
+      session["omniauth.state"]
+    end
+
+    def store_new_nonce!
+      session["omniauth.nonce"] = SecureRandom.hex(16)
+    end
+
+    def verify_state!(other_state)
+      if other_state != current_state
+        raise "a request came back with a different 'state' parameter than what we had last stored."
+      end
+    end
+  end
+end

data/sig/omniauth/proconnect.rbs

@@ -0,0 +1,6 @@
+module Omniauth
+  module Proconnect
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-proconnect
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Stéphane Maniaci
+bindir: exe
+cert_chain: []
+date: 2025-04-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+description: An OmniAuth strategy for ProConnect, an official OIDC solution for French
+  professionnals to login.
+email:
+- stephane.maniaci@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".rubocop.yml"
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth/proconnect.rb
+- lib/omniauth/proconnect/version.rb
+- sig/omniauth/proconnect.rbs
+homepage: https://github.com/betagouv/omniauth-proconnect
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/betagouv/omniauth-proconnect
+  source_code_uri: https://github.com/betagouv/omniauth-proconnect
+  changelog_uri: https://github.com/betagouv/omniauth-proconnect
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.2
+specification_version: 4
+summary: An OmniAuth strategy for ProConnect
+test_files: []