omniauth_oidc 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ead4b54097f07fbdf676bb450ce3ba1b4d477b47f07b61e30ecd445706ced854
+  data.tar.gz: fe6e02df8acd530cdd2c4d6ec649e7914248eb42ec47b3573d4775f48449b7dd
+SHA512:
+  metadata.gz: 6c4e2b5d1aee856a8703bfb228e42e45d620d08e7dd8151ea39d484e6a1576f05433038fa357c933ca0a792e52d85b772e95d5660ff116ca0c0c41c04215785b
+  data.tar.gz: dc0dab4d599d6717589f0c160fee8755d28523a494c165bee1fba7b154a9ff873309e0d00b4d06653ac96bdbbd0e3b36efec92a258a8a0f0349dc545dac53321

data/.rubocop.yml

@@ -0,0 +1,28 @@
+AllCops:
+  TargetRubyVersion: 2.7
+
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Layout/LineLength:
+  Max: 120
+
+Metrics/ClassLength:
+  Max: 200
+
+Metrics/MethodLength:
+  Max: 20
+
+Metrics/AbcSize:
+  Max: 35
+
+Metrics/Metrics/CyclomaticComplexity:
+  Max: 10
+
+Metrics/PerceivedComplexity:
+  Max: 10

data/CHANGELOG.md

@@ -0,0 +1,4 @@
+## [Released]
+
+## [0.1.0] - 2024-06-13
+- Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,84 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at slmusayev@gmail.com. All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior,  harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0,
+available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Suleyman Musayev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,216 @@
+# OmniAuth::Oidc
+
+This gem provides an OmniAuth strategy for integrating OpenID Connect (OIDC) authentication into your Ruby on Rails application. It allows seamless login using various OIDC providers.
+
+Developed with reference to [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect) and [omniauth_openid_connect](https://github.dev/omniauth/omniauth_openid_connect).
+
+## Installation
+
+To install the gem run the following command in the terminal:
+
+    $ bundle add omniauth_oidc
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+    $ gem install omniauth_oidc
+
+
+## Usage
+
+To use the OmniAuth OIDC strategy, you need to configure your Rails application and set up the necessary environment variables for OIDC client credentials.
+
+### Configuration
+You have to provide Client ID, Client Secret and url for the OIDC configuration endpoint as a bare minimum for the `omniauth_oidc` to work properly.
+Create an initializer file at `config/initializers/omniauth.rb`
+
+```ruby
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :oidc, {
+    name: :simple_provider, # used for dynamic routing
+    client_options: {
+      identifier: '23575f4602bebbd9a17dbc38d85bd1a77',
+      secret: ENV['SIMPLE_PROVIDER_CLIENT_SECRET'],
+      config_endpoint: 'https://simpleprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77/.well-known/openid-configuration'
+    }
+  }
+end
+```
+
+With Devise
+
+```ruby
+Devise.setup do |config|
+  config.omniauth :oidc, {
+    name: :simple_provider,
+    scope: [:openid, :email, :profile, :address],
+    response_type: :code,
+    uid_field: "preferred_username",
+    client_options: {
+      identifier: '23575f4602bebbd9a17dbc38d85bd1a77',
+      secret: ENV['SIMPLE_PROVIDER_CLIENT_SECRET'],
+      config_endpoint: 'https://simpleprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77/.well-known/openid-configuration'
+    }
+  }
+end
+```
+
+The gem also supports a wide range of optional parameters for higher degree of configurability.
+
+```ruby
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :oidc, {
+    name: :complex_provider, # used for dynamic routing
+    issuer: 'https://complexprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77',
+    scope: [:openid],
+    response_type: 'id_token',
+    require_state: true,
+    response_mode: :query,
+    prompt: :login,
+    send_nonce: false,
+    uid_field: "sub",
+    pkce: false,
+    client_options: {
+      identifier: '23575f4602bebbd9a17dbc38d85bd1a77',
+      secret: ENV['COMPLEX_PROVIDER_CLIENT_SECRET'],
+      config_endpoint: 'https://complexprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77/.well-known/openid-configuration',
+      host: 'complexprovider.com'
+      scheme: "https",
+      port: 443,
+      authorization_endpoint: 'https://complexprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77/authorization',
+      token_endpoint: 'https://complexprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77/token',
+      userinfo_endpoint: 'https://complexprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77/userinfo',
+      jwks_uri: 'https://complexprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77/jwks',
+      end_session_endpoint: '/signout'
+    }
+  }
+end
+```
+
+Ensure to replace identifier, secret, configuration endpoint url and others with credentials received from your OIDC provider.
+
+### Redirecting for Authentication
+
+Buttons and links to initialize the authentication request can be placed on relevant pages as below:
+
+```ruby
+<%= button_to "Login with Simple Provider", "/auth/simple_provider" %>
+```
+
+### Handling Callbacks
+
+The gem uses dyanmic routes to handle different phases, and while you can use same routes in your Rails application, for
+better experience you should have a controller to process the authenticated user. Create a CallbacksController:
+
+```ruby
+# app/controllers/callbacks_controller.rb
+class CallbacksController < ApplicationController
+  def omniauth
+    # user info received from OIDC provider will be available in `request.env['omniauth.auth']`
+    auth = request.env['omniauth.auth']
+
+    user = User.find_or_create_by(uid: auth['uid']) do |user|
+      user.name = auth['info']['name']
+      user.email = auth['info']['email']
+    end
+
+    session[:user_id] = user.id
+    redirect_to root_path, notice: 'Successfully logged in!'
+  end
+end
+```
+
+### Routes
+
+The gem uses dynamic routes when making requests to the OIDC provider endpoints. These routes follow the naming pattern
+of `https://your_app.com/auth/<simple_provider>/callback`, where `<simple_provider>` is the provider name defined
+within the configuration of the `omniauth.rb` initializer.
+
+Dynamic routes are used to process responses and perform intermediary steps by the middleware, e.g. request phase,
+token verification. While you can define and use same routes within your Rails app, you can modify your `routes.rb`
+to perform a dynamic redirect to a another controller method. In an example below, all OIDC responses are ultimately
+redirected to the `omniauth` method of the `callbacks_controller`, which is a universal method to handle authentication
+with various omniauth providers:
+
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  match 'auth/:provider/callback', via: :get, to: "callbacks#omniauth"
+end
+```
+
+Alternatively, you can specify separate redirects for some of your OIDC providers, in case you need to handle responses
+differently:
+
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  match 'auth/simple_provider/callback', via: :get, to: "callbacks#simple_provider"
+  match 'auth/complex_provider/callback', via: :get, to: "callbacks#complex_provider"
+
+  # you can add the line below if you would like the rest of the providers to be redirected to a universal `omniauth` method
+  match 'auth/:provider/callback', via: :get, to: "callbacks#omniauth"
+end
+```
+
+**Please note that you should register `https://your_app.com/auth/<simple_provider>/callback` with your OIDC provider
+as a callback redirect url.**
+
+
+### Advanced Configuration
+You can customize the OIDC strategy further by adding additional configuration options:
+
+| Field                        | Description                                                                                                                                                           | Required                | Default Value                       | Example/Notes                                         |
+|------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|-------------------------------------|-------------------------------------------------------|
+| name                         | Arbitrary string to identify OIDC provider and segregate it from other OIDC providers                                                                                 | no                      | `"oidc"`                            | `:simple_provider`                                    |
+| issuer                       | Root url for the OIDC authorization server                                                                                                                            | no                      | retrived from config_endpoint       | `"https://simpleprovider.com"`                        |
+| client_auth_method           | Authentication method to be used with the OIDC authorization server                                                                                                   | no                      | `:basic`                            | `"basic"`, `"jwks"`                                   |
+| scope                        | OIDC scopes to be included in the server's response                                                                                                                   | `[:openid]` is required | all scopes offered by OIDC provider | `[:openid, :profile, :email]`                         |
+| response_type                | OAuth2 response type expected from OIDC provider during authorization                                                                                                 | no                      | `"code"`                            | `"code"` or `"id_token"`                              |
+| state                        | Value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string                                                   | no                      | Random 16 character string          | `Proc.new { SecureRandom.hex(32) }`                   |
+| require_state                | Boolean to indicate if state param should be verified. This is a recommendation by OIDC spec                                                                          | no                      | `true`                              | `true` or `false`                                     |
+| response_mode                | The response mode per [OIDC spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)                                                                 | no                      | `nil`                               | `:query`, `:fragment`, `:form_post` or `:web_message` |
+| display                      | Specifies how OIDC authorization server should display the authentication and consent UI pages to the end user                                                        | no                      | `nil`                               | `:page`, `:popup`, `:touch` or `:wap`                 |
+| prompt                       | Specifies whether the OIDC authorization server prompts the end user for reauthentication and consent                                                                 | no                      | `nil`                               | `:none`, `:login`, `:consent` or `:select_account`    |
+| send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint                                                                                                | no                      | `true`                              | `true` or `false`                                     |
+| post_logout_redirect_uri     | Logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                               | no                      | `nil`                               | `"https://your_app.com/logout/callback"`              |
+| uid_field                    | Field of the user info response to be used as a unique ID                                                                                                             | no                      | `'sub'`                             | `"sub"` or `"preferred_username"`                     |
+| extra_authorize_params       | Hash of extra fixed parameters that will be merged to the authorization request                                                                                       | no                      | `{}`                                | `{"tenant" => "common"}`                              |
+| allow_authorize_params       | List of allowed dynamic parameters that will be merged to the authorization request                                                                                   | no                      | `[]`                                | `[:screen_name]`                                      |
+| pkce                         | Enable [PKCE flow](https://oauth.net/2/pkce/)                                                                                                                         | no                      | `false`                             | `true` or `false`                                     |
+| pkce_verifier                | Specify custom PKCE verifier code                                                                                                                                     | no                      | Random 128-character string         | `Proc.new { SecureRandom.hex(64) }`                   |
+| pkce_options                 | Specify custom implementation of the PKCE code challenge/method                                                                                                       | no                      | SHA256(code_challenge) in hex       | Proc to customise the code challenge generation       |
+| client_options               | Hash of client options detailed below in a separate table                                                                                                             | yes                     | see below                           | see below                                             |
+| jwt_secret_base64            | Specify the base64-encoded secret used to sign the JWT token for HMAC with SHA2 (e.g. HS256) signing algorithms                                                       | no                      | `client_options.secret`             | `"bXlzZWNyZXQ=\n"`                                    |
+| logout_path                  | Log out is only triggered when the request path ends on this path                                                                                                     | no                      | `'/logout'`                         | '/sign_out'                                           |
+| acr_values                   | Authentication Class Reference (ACR) values to be passed to the authorize_uri to enforce a specific level, see [RFC9470](https://www.rfc-editor.org/rfc/rfc9470.html) | no                      | `nil`                               | `"c1 c2"`                                             å|
+
+
+Below are options for the `client_options` hash of the configuration:
+
+| Field                  | Description                                                 | Required | Default value                 |
+|------------------------|-------------------------------------------------------------|----------|-------------------------------|
+| identifier             | OAuth2 client_id                                            |    yes   | `nil`                         |
+| secret                 | OAuth2 client secret                                        |    yes   | `nil`                         |
+| config_endpoint        | OIDC configuration endpoint                                 |    yes   | `nil`                         |
+| scheme                 | http scheme to use                                          |     no   | https                         |
+| host                   | host of the authorization server                            |     no   | nil                           |
+| port                   | port for the authorization server                           |     no   | 443                           |
+| authorization_endpoint | authorize endpoint on the authorization server              |     no   | retrived from config_endpoint |
+| token_endpoint         | token endpoint on the authorization server                  |     no   | retrived from config_endpoint |
+| userinfo_endpoint      | user info endpoint on the authorization server              |     no   | retrived from config_endpoint |
+| jwks_uri               | jwks_uri on the authorization server                        |     no   | retrived from config_endpoint |
+| end_session_endpoint   | url to call to log the user out at the authorization server |     no   | `nil`                         |
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/msuliq/omniauth_oidc. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/msuliq/omniauth_oidc/blob/main/CODE_OF_CONDUCT.md).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the OmniauthOidc project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/msuliq/omniauth_oidc/blob/main/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "minitest/test_task"
+
+Minitest::TestTask.create
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[test rubocop]

data/lib/omniauth/oidc/errors.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module OmniauthOidc
+  class Error < RuntimeError; end
+
+  class MissingCodeError < Error; end
+
+  class MissingIdTokenError < Error; end
+end

data/lib/omniauth/oidc/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module OmniauthOidc
+  VERSION = "0.1.0"
+end

data/lib/omniauth/strategies/oidc/callback.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Strategies
+    class Oidc
+      # Callback phase
+      module Callback
+        def callback_phase # rubocop:disable Metrics
+          error = params["error_reason"] || params["error"]
+          error_description = params["error_description"] || params["error_reason"]
+          invalid_state = (options.require_state && params["state"].to_s.empty?) || params["state"] != stored_state
+
+          raise CallbackError, error: params["error"], reason: error_description, uri: params["error_uri"] if error
+          raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
+
+          return unless valid_response_type?
+
+          options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
+
+          verify_id_token!(params["id_token"]) if configured_response_type == "id_token"
+
+          client.redirect_uri = redirect_uri
+
+          return id_token_callback_phase if configured_response_type == "id_token"
+
+          client.authorization_code = authorization_code
+
+          access_token
+          super
+        rescue CallbackError => e
+          fail!(e.error, e)
+        rescue ::Rack::OAuth2::Client::Error => e
+          fail!(e.response[:error], e)
+        rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+          fail!(:timeout, e)
+        rescue ::SocketError => e
+          fail!(:failed_to_connect, e)
+        end
+
+        private
+
+        def access_token
+          return @access_token if @access_token
+
+          token_request_params = {
+            scope: (scope if options.send_scope_to_token_endpoint),
+            client_auth_method: options.client_auth_method
+          }
+
+          if options.pkce
+            token_request_params[:code_verifier] =
+              params["code_verifier"] || session.delete("omniauth.pkce.verifier")
+          end
+
+          set_client_options_for_callback_phase
+
+          @access_token = client.access_token!(token_request_params)
+
+          verify_id_token!(@access_token.id_token) if configured_response_type == "code"
+
+          user_info_from_access_token
+        end
+
+        def id_token_callback_phase
+          user_data = decode_id_token(params["id_token"]).raw_attributes
+
+          define_user_info(user_data)
+        end
+
+        def valid_response_type?
+          return true if params.key?(configured_response_type)
+
+          error_attrs = RESPONSE_TYPE_EXCEPTIONS[configured_response_type]
+          fail!(error_attrs[:key], error_attrs[:exception_class].new(params["error"]))
+
+          false
+        end
+
+        def user_info_from_access_token
+          user_data = HTTParty.get(
+            config.userinfo_endpoint, {
+              headers: {
+                "Authorization" => "Bearer #{@access_token}",
+                "Content-Type" => "application/json"
+              }
+            }
+          )
+
+          define_user_info(user_data.parsed_response)
+        end
+
+        def define_user_info(user_data)
+          env["omniauth.auth"] = AuthHash.new(
+            provider: name,
+            uid: user_data["sub"],
+            info: { name: user_data["name"], email: user_data["email"] },
+            extra: { raw_info: user_data },
+            credentials: {
+              id_token: @access_token.id_token,
+              token: @access_token.access_token,
+              refresh_token: @access_token.refresh_token,
+              expires_in: @access_token.expires_in,
+              scope: @access_token.scope
+            }
+          )
+          call_app!
+        end
+
+        def configured_response_type
+          @configured_response_type ||= options.response_type.to_s
+        end
+
+        # Parse response from OIDC endpoint and set client options for callback phase
+        def set_client_options_for_callback_phase
+          client.host = host
+          client.redirect_uri = redirect_uri
+          client.authorization_endpoint = resolve_endpoint_from_host(host, config.authorization_endpoint)
+          client.token_endpoint = resolve_endpoint_from_host(host, config.token_endpoint)
+          client.userinfo_endpoint = resolve_endpoint_from_host(host, config.userinfo_endpoint)
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/oidc/request.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Strategies
+    class Oidc
+      # Code request phase
+      module Request
+        def request_phase
+          @identifier = client_options.identifier
+          @secret = secret
+
+          set_client_options_for_request_phase
+          redirect authorize_uri
+        end
+
+        def authorize_uri # rubocop:disable Metrics/AbcSize
+          client.redirect_uri = redirect_uri
+          opts = request_options
+
+          opts.merge!(options.extra_authorize_params) unless options.extra_authorize_params.empty?
+
+          options.allow_authorize_params.each do |key|
+            opts[key] = request.params[key.to_s] unless opts.key?(key)
+          end
+
+          if options.pkce
+            verifier = options.pkce_verifier ? options.pkce_verifier.call : SecureRandom.hex(64)
+
+            opts.merge!(pkce_authorize_params(verifier))
+            session["omniauth.pkce.verifier"] = verifier
+          end
+
+          client.authorization_uri(opts.reject { |_k, v| v.nil? })
+        end
+
+        private
+
+        def request_options
+          {
+            response_type: options.response_type,
+            response_mode: options.response_mode,
+            scope: scope,
+            state: new_state,
+            login_hint: params["login_hint"],
+            ui_locales: params["ui_locales"],
+            claims_locales: params["claims_locales"],
+            prompt: options.prompt,
+            nonce: (new_nonce if options.send_nonce),
+            hd: options.hd,
+            acr_values: options.acr_values
+          }
+        end
+
+        def new_state
+          state = if options.state.respond_to?(:call)
+                    if options.state.arity == 1
+                      options.state.call(env)
+                    else
+                      options.state.call
+                    end
+                  end
+          session["omniauth.state"] = state || SecureRandom.hex(16)
+        end
+
+        # Parse response from OIDC endpoint and set client options for request phase
+        def set_client_options_for_request_phase # rubocop:disable Metrics/AbcSize
+          client_options.host = host
+          client_options.authorization_endpoint = resolve_endpoint_from_host(host, config.authorization_endpoint)
+          client_options.token_endpoint = resolve_endpoint_from_host(host, config.token_endpoint)
+          client_options.userinfo_endpoint = resolve_endpoint_from_host(host, config.userinfo_endpoint)
+          client_options.jwks_uri = resolve_endpoint_from_host(host, config.jwks_uri)
+
+          return unless config.respond_to?(:end_session_endpoint)
+
+          client_options.end_session_endpoint = resolve_endpoint_from_host(host,
+                                                                           config.end_session_endpoint)
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/oidc/verify.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Strategies
+    class Oidc
+      # Token verification phase
+      module Verify # rubocop:disable Metrics/ModuleLength
+        def secret
+          base64_decoded_jwt_secret || client_options.secret
+        end
+
+        # https://tools.ietf.org/html/rfc7636#appendix-A
+        def pkce_authorize_params(verifier)
+          {
+            code_challenge: options.pkce_options[:code_challenge].call(verifier),
+            code_challenge_method: options.pkce_options[:code_challenge_method]
+          }
+        end
+
+        # Looks for key defined in omniauth initializer, if none is defined
+        # falls back to using jwks_uri returned by OIDC config_endpoint
+        def public_key
+          @public_key ||= if configured_public_key
+                            configured_public_key
+                          elsif config.jwks_uri
+                            fetch_key
+                          end
+        end
+
+        private
+
+        def fetch_key
+          @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get(config.jwks_uri).body)
+        end
+
+        def base64_decoded_jwt_secret
+          return unless options.jwt_secret_base64
+
+          Base64.decode64(options.jwt_secret_base64)
+        end
+
+        def verify_id_token!(id_token)
+          return unless id_token
+
+          decode_id_token(id_token).verify!(issuer: config.issuer,
+                                            client_id: client_options.identifier,
+                                            nonce: params["nonce"].presence || stored_nonce)
+        end
+
+        # Workaround for https://github.com/nov/openid_connect/issues/61
+        def decode_id_token(id_token)
+          decoded = JSON::JWT.decode(id_token, :skip_verification)
+          algorithm = decoded.algorithm.to_sym
+
+          validate_client_algorithm!(algorithm)
+
+          keyset =
+            case algorithm
+            when :HS256, :HS384, :HS512
+              secret
+            else
+              public_key
+            end
+
+          decoded.verify!(keyset)
+          ::OpenIDConnect::ResponseObject::IdToken.new(decoded)
+        rescue JSON::JWK::Set::KidNotFound
+          # Workaround for https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
+          raise if decoded&.header&.key?("kid")
+
+          decoded = decode_with_each_key!(id_token, keyset)
+
+          raise unless decoded
+
+          decoded
+        end
+
+        # Check for jwt to match defined client_signing_alg
+        def validate_client_algorithm!(algorithm)
+          client_signing_alg = options.client_signing_alg&.to_sym
+
+          return unless client_signing_alg
+          return if algorithm == client_signing_alg
+
+          reason = "Received JWT is signed with #{algorithm}, but client_singing_alg is \
+            configured for #{client_signing_alg}"
+          raise CallbackError, error: :invalid_jwt_algorithm, reason: reason, uri: params["error_uri"]
+        end
+
+        def decode!(id_token, key)
+          ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, key)
+        end
+
+        def decode_with_each_key!(id_token, keyset)
+          return unless keyset.is_a?(JSON::JWK::Set)
+
+          keyset.each do |key|
+            begin
+              decoded = decode!(id_token, key)
+            rescue JSON::JWS::VerificationFailed, JSON::JWS::UnexpectedAlgorithm, JSON::JWK::UnknownAlgorithm
+              next
+            end
+
+            return decoded if decoded
+          end
+
+          nil
+        end
+
+        def stored_nonce
+          session.delete("omniauth.nonce")
+        end
+
+        def configured_public_key
+          @configured_public_key ||= if options.client_jwk_signing_key
+                                       parse_jwk_key(options.client_jwk_signing_key)
+                                     elsif options.client_x509_signing_key
+                                       parse_x509_key(options.client_x509_signing_key)
+                                     end
+        end
+
+        def parse_x509_key(key)
+          OpenSSL::X509::Certificate.new(key).public_key
+        end
+
+        def parse_jwk_key(key)
+          json = key.is_a?(String) ? JSON.parse(key) : key
+          return JSON::JWK::Set.new(json["keys"]) if json.key?("keys")
+
+          JSON::JWK.new(json)
+        end
+
+        def decode(str)
+          UrlSafeBase64.decode64(str).unpack1("B*").to_i(2).to_s
+        end
+
+        def user_info
+          return @user_info if @user_info
+
+          if access_token.id_token
+            decoded = decode_id_token(access_token.id_token).raw_attributes
+
+            @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new(
+              access_token.userinfo!.raw_attributes.merge(decoded)
+            )
+          else
+            @user_info = access_token.userinfo!
+          end
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/oidc.rb

@@ -0,0 +1,237 @@
+# frozen_string_literal: true
+
+require "base64"
+require "timeout"
+require "net/http"
+require "open-uri"
+require "omniauth"
+require "openid_connect"
+require "openid_config_parser"
+require "forwardable"
+require "httparty"
+
+Dir[File.join(File.dirname(__FILE__), "oidc", "*.rb")].sort.each { |file| require_relative file }
+
+module OmniAuth
+  module Strategies
+    # OIDC strategy for omniauth
+    class Oidc
+      include OmniAuth::Strategy
+      include Request
+      include Callback
+      include Verify
+
+      extend Forwardable
+
+      RESPONSE_TYPE_EXCEPTIONS = {
+        "id_token" => { exception_class: OmniauthOidc::MissingIdTokenError, key: :missing_id_token }.freeze,
+        "code" => { exception_class: OmniauthOidc::MissingCodeError, key: :missing_code }.freeze
+      }.freeze
+
+      def_delegator :request, :params
+
+      option :name, "oidc"                                  # to separate each oidc provider available in the app
+      option(:client_options, identifier: nil,              # client id, required
+                              secret: nil,                  # client secret, required
+                              host: nil,                    # oidc provider host, optional
+                              scheme: "https",              # connection scheme, optional
+                              port: 443,                    # connection port, optional
+                              config_endpoint: nil,         # all data will be fetched from here, required
+                              authorization_endpoint: nil,  # optional
+                              token_endpoint: nil,          # optional
+                              userinfo_endpoint: nil,       # optional
+                              jwks_uri: nil,                # optional
+                              end_session_endpoint: nil)    # optional
+
+      option :issuer
+      option :client_signing_alg
+      option :jwt_secret_base64
+      option :client_jwk_signing_key
+      option :client_x509_signing_key
+      option :scope, [:openid]
+      option :response_type, "code" # ['code', 'id_token']
+      option :require_state, true
+      option :state
+      option :response_mode # [:query, :fragment, :form_post, :web_message]
+      option :display, nil # [:page, :popup, :touch, :wap]
+      option :prompt, nil # [:none, :login, :consent, :select_account]
+      option :hd, nil
+      option :max_age
+      option :ui_locales
+      option :id_token_hint
+      option :acr_values
+      option :send_nonce, true
+      option :send_scope_to_token_endpoint, true
+      option :client_auth_method
+      option :post_logout_redirect_uri
+      option :extra_authorize_params, {}
+      option :allow_authorize_params, []
+      option :uid_field, "sub"
+      option :pkce, false
+      option :pkce_verifier, nil
+      option :pkce_options, {
+        code_challenge: proc { |verifier|
+          Base64.urlsafe_encode64(Digest::SHA2.digest(verifier), padding: false)
+        },
+        code_challenge_method: "S256"
+      }
+
+      option :logout_path, "/logout"
+
+      def uid
+        user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
+      end
+
+      info do
+        {
+          name: user_info.name,
+          email: user_info.email,
+          email_verified: user_info.email_verified,
+          nickname: user_info.preferred_username,
+          first_name: user_info.given_name,
+          last_name: user_info.family_name,
+          gender: user_info.gender,
+          image: user_info.picture,
+          phone: user_info.phone_number,
+          urls: { website: user_info.website }
+        }
+      end
+
+      extra do
+        { raw_info: user_info.raw_attributes }
+      end
+
+      credentials do
+        {
+          id_token: access_token.id_token,
+          token: access_token.access_token,
+          refresh_token: access_token.refresh_token,
+          expires_in: access_token.expires_in,
+          scope: access_token.scope
+        }
+      end
+
+      # Initialize OpenIDConnect Client with options
+      def client
+        @client ||= ::OpenIDConnect::Client.new(client_options)
+      end
+
+      # Config is build from the json response from the OIDC config endpoint
+      def config
+        unless client_options.config_endpoint || params["config_endpoint"]
+          raise Error,
+                "Configuration endpoint is missing from options"
+        end
+
+        @config ||= OpenidConfigParser.fetch_openid_configuration(client_options.config_endpoint)
+      end
+
+      def other_phase
+        if logout_path_pattern.match?(current_path)
+          options.issuer = issuer if options.issuer.to_s.empty?
+
+          return redirect(end_session_uri) if end_session_uri
+        end
+        call_app!
+      end
+
+      def end_session_uri
+        return unless end_session_endpoint_is_valid?
+
+        end_session_uri = URI(client_options.end_session_endpoint)
+        end_session_uri.query = encoded_post_logout_redirect_uri
+        end_session_uri.to_s
+      end
+
+      private
+
+      def issuer
+        @issuer ||= config.issuer
+      end
+
+      def host
+        @host ||= URI.parse(config.issuer).host
+      end
+
+      # By default Returns all scopes supported by the OIDC provider
+      def scope
+        config.scopes_supported || options.scope
+      end
+
+      def authorization_code
+        params["code"]
+      end
+
+      def client_options
+        options.client_options
+      end
+
+      def stored_state
+        session.delete("omniauth.state")
+      end
+
+      def new_nonce
+        session["omniauth.nonce"] = SecureRandom.hex(16)
+      end
+
+      def script_name
+        return "" if @env.nil?
+
+        super
+      end
+
+      def session
+        return {} if @env.nil?
+
+        super
+      end
+
+      def redirect_uri
+        "#{request.base_url}/auth/#{name}/callback"
+      end
+
+      def encoded_post_logout_redirect_uri
+        return unless options.post_logout_redirect_uri
+
+        URI.encode_www_form(
+          post_logout_redirect_uri: options.post_logout_redirect_uri
+        )
+      end
+
+      def end_session_endpoint_is_valid?
+        client_options.end_session_endpoint &&
+          client_options.end_session_endpoint =~ URI::DEFAULT_PARSER.make_regexp
+      end
+
+      def logout_path_pattern
+        @logout_path_pattern ||= /\A#{Regexp.quote(request_path)}#{options.logout_path}/
+      end
+
+      # Strips port and host from strings with OIDC endpoints
+      def resolve_endpoint_from_host(host, endpoint)
+        start_index = endpoint.index(host) + host.length
+        endpoint = endpoint[start_index..]
+        endpoint = "/#{endpoint}" unless endpoint.start_with?("/")
+        endpoint
+      end
+
+      # Override for the CallbackError class
+      class CallbackError < StandardError
+        attr_accessor :error, :error_reason, :error_uri
+
+        def initialize(data)
+          super
+          self.error = data[:error]
+          self.error_reason = data[:reason]
+          self.error_uri = data[:uri]
+        end
+
+        def message
+          [error, error_reason, error_uri].compact.join(" | ")
+        end
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization "OmniauthOidc", "OmniAuthOidc"

data/lib/omniauth_oidc.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative "omniauth/oidc/version"
+require_relative "omniauth/oidc/errors"
+require_relative "omniauth/strategies/oidc"

data/omniauth_oidc.gemspec

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require_relative "lib/omniauth/oidc/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "omniauth_oidc"
+  spec.version = OmniauthOidc::VERSION
+  spec.authors = ["Suleyman Musayev"]
+  spec.email = ["slmusayev@gmail.com"]
+
+  spec.summary = "Omniauth strategy to authenticate and retrieve user data using OpenID Connect (OIDC)"
+  spec.description = "Omniauth strategy to authenticate and retrieve user data as a client using OpenID Connect (OIDC)
+    suited for multiple OIDC providers."
+  spec.homepage = "https://github.com/msuliq/omniauth_oidc"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.7.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/msuliq/omniauth_oidc"
+  spec.metadata["changelog_uri"] = "https://github.com/msuliq/omniauth_oidc/blob/main/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) ||
+        f.start_with?(*%w[bin/ test/ spec/ features/ .git .github appveyor Gemfile])
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # Uncomment to register a new dependency of your gem
+  spec.add_dependency "httparty"
+  spec.add_dependency "omniauth"
+  spec.add_dependency "openid_config_parser"
+  spec.add_dependency "openid_connect"
+
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

data/sig/omniauth_oidc.rbs

@@ -0,0 +1,4 @@
+module OmniauthOidc
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,120 @@
+--- !ruby/object:Gem::Specification
+name: omniauth_oidc
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Suleyman Musayev
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2024-06-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: openid_config_parser
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: openid_connect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |-
+  Omniauth strategy to authenticate and retrieve user data as a client using OpenID Connect (OIDC)
+      suited for multiple OIDC providers.
+email:
+- slmusayev@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rubocop.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth/oidc/errors.rb
+- lib/omniauth/oidc/version.rb
+- lib/omniauth/strategies/oidc.rb
+- lib/omniauth/strategies/oidc/callback.rb
+- lib/omniauth/strategies/oidc/request.rb
+- lib/omniauth/strategies/oidc/verify.rb
+- lib/omniauth_oidc.rb
+- omniauth_oidc.gemspec
+- sig/omniauth_oidc.rbs
+homepage: https://github.com/msuliq/omniauth_oidc
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/msuliq/omniauth_oidc
+  source_code_uri: https://github.com/msuliq/omniauth_oidc
+  changelog_uri: https://github.com/msuliq/omniauth_oidc/blob/main/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: Omniauth strategy to authenticate and retrieve user data using OpenID Connect
+  (OIDC)
+test_files: []