omniauth-suomifi 0.6.2 → 0.7.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/omniauth/strategies/suomifi.rb +45 -0
- data/lib/omniauth-suomifi/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bc0704db48f42ecbc14c86e3e629e611b535b427cfd23ee9d0363545d12f0ee7
|
|
4
|
+
data.tar.gz: e895872a3b621fa5e7a3fe61b45156c8ce12b05abdc55b962dd2a3d4a5e7df8b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4f4c2d1ffb1e80a120a832aae423ead500d3a725be94bbd776127c28892d02a70ab4f8748e0ff01a95fba14f8747b8742c63b33f49b35867add4970bbe812cba
|
|
7
|
+
data.tar.gz: 30dc8039e91aa1e6def01027596e47a060ef190fedcc68537b7c1ad0496a4e8d87efa38d2b03084744cc976adfa7e5353509814549dc95ebf3af2d5b61b8a663
|
|
@@ -529,6 +529,8 @@ module OmniAuth
|
|
|
529
529
|
authn_request = OneLogin::RubySaml::Authrequest.new
|
|
530
530
|
locale = locale_for_authn_request
|
|
531
531
|
|
|
532
|
+
session['saml_redirect_url'] = request.params['redirect_url']
|
|
533
|
+
|
|
532
534
|
with_settings do |settings|
|
|
533
535
|
url = authn_request.create(settings, additional_params_for_authn_request)
|
|
534
536
|
url += "&locale=#{CGI.escape(locale)}" unless locale.nil?
|
|
@@ -560,6 +562,49 @@ module OmniAuth
|
|
|
560
562
|
|
|
561
563
|
private
|
|
562
564
|
|
|
565
|
+
# The single log-out (SLO) in Suomi.fi is initiated in an iframe within
|
|
566
|
+
# the single logout page at Suomi.fi side. Therefore, due to browser
|
|
567
|
+
# restrictions, it is not possible to transfer session related data to the
|
|
568
|
+
# service from that page because it would require 3rd party cookies which
|
|
569
|
+
# are restricted by browsers.
|
|
570
|
+
#
|
|
571
|
+
# Therefore, the SLO request needs to be handled at the service's side by
|
|
572
|
+
# storing the Suomi.fi sessions in a database and then comparing the SAML
|
|
573
|
+
# uid of the SLO request to the values stored witin the database to log
|
|
574
|
+
# out the user who requested the logout. There is no other way to transfer
|
|
575
|
+
# this information from the
|
|
576
|
+
#
|
|
577
|
+
# The default functionality within the `omniauth-saml` strategy relies on
|
|
578
|
+
# the session variables to compare the SAML uid during the SLO request but
|
|
579
|
+
# this is not possible with Suomi.fi when the 3rd party cookies are
|
|
580
|
+
# prevented by the browser.
|
|
581
|
+
def handle_logout_request(raw_request, settings)
|
|
582
|
+
# If the "saml_uid" is set, the logout request was initiated by the
|
|
583
|
+
# application itself. If not, the code below calls the application which
|
|
584
|
+
# can do the validation against the database where the sessions are
|
|
585
|
+
# stored.
|
|
586
|
+
return super if session["saml_uid"]
|
|
587
|
+
|
|
588
|
+
# Otherwise, the application itself needs to handle the logout because
|
|
589
|
+
# this is not happening within the same session that the user has
|
|
590
|
+
# currently open at the website.
|
|
591
|
+
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(
|
|
592
|
+
raw_request,
|
|
593
|
+
{ settings: settings, get_params: @request.params }
|
|
594
|
+
)
|
|
595
|
+
raise OmniAuth::Strategies::SAML::ValidationError.new("SAML failed to process LogoutRequest") unless logout_request.is_valid?
|
|
596
|
+
|
|
597
|
+
@env['omniauth.saml_request'] = logout_request
|
|
598
|
+
|
|
599
|
+
# The SAML request needs to be validated at the application side and
|
|
600
|
+
# then the user needs to be redirected to the
|
|
601
|
+
logout_request_id = logout_request.id
|
|
602
|
+
logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request_id, nil, RelayState: slo_relay_state)
|
|
603
|
+
@env['omniauth.saml_response'] = logout_response
|
|
604
|
+
|
|
605
|
+
call_app!
|
|
606
|
+
end
|
|
607
|
+
|
|
563
608
|
# Suomi.fi requires that the service provider needs to end the local user
|
|
564
609
|
# session BEFORE sending the logout request to the identity provider.
|
|
565
610
|
def other_phase_for_spslo
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-suomifi
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.7.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Antti Hukkanen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-02-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: omniauth-saml
|