omniauth_oidc 0.1.1 → 0.2.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/README.md +45 -0
- data/lib/omniauth/oidc/version.rb +1 -1
- data/lib/omniauth/strategies/oidc/callback.rb +15 -1
- data/lib/omniauth/strategies/oidc/verify.rb +4 -5
- data/lib/omniauth/strategies/oidc.rb +4 -3
- data/omniauth_oidc.gemspec +1 -1
- metadata +5 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 801521d0f3ce8e7cdfa427b09c09689db790784bbacb90f9c1d46e8194db1bb6
|
4
|
+
data.tar.gz: 5a5ddd24e583e982304fca72de602dc8b405b11c98c2d019fbc88fe7058ad48f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8480664bb2f337914f7eefc8aa012d58bc9b67fa66fb0e206d2aef09c0352f9228a4d9212e5a1a36a5689676b01dacc00d888dd5a186fbd6af5a69f69f519174
|
7
|
+
data.tar.gz: 45645700fc002901880944adc41cf1d97ee9d108132c5416718198955b7620203e293938646e225d798e7fd86f028c9bd4f5108aa41f2e3ba822fe6489eef936
|
data/CHANGELOG.md
CHANGED
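--- a/data/README.md
+++ b/data/README.md
@@ -4,6 +4,8 @@ This gem provides an OmniAuth strategy for integrating OpenID Connect (OIDC) aut
 
 Developed with reference to [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect) and [omniauth_openid_connect](https://github.dev/omniauth/omniauth_openid_connect).
 
+[Article on Medium](https://msuliq.medium.com/authenticating-with-omniauth-and-openid-connect-oidc-in-ruby-on-rails-applications-e136ec5b48c0) about the development of this gem.
+
 ## Installation
 
 To install the gem run the following command in the terminal:
@@ -157,6 +159,48 @@ end
 **Please note that you should register `https://your_app.com/auth/<simple_provider>/callback` with your OIDC provider
 as a callback redirect url.**
 
+### Using Access Token Without User Info
+
+In case your app requries only an access token and not the user information, then you can specify an optional
+configuration in the omniauth initializer:
+
+```ruby
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+provider :oidc, {
+name: :simple_provider_access_token_only,
+fetch_user_info: false, # if not specified, default value of true will be applied
+client_options: {
+identifier: '23575f4602bebbd9a17dbc38d85bd1a77',
+secret: ENV['SIMPLE_PROVIDER_CLIENT_SECRET'],
+config_endpoint: 'https://simpleprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77/.well-known/openid-configuration'
+}
+}
+end
+```
+
+Then the callback returned once your user authenticates with the OIDC provider will contain only access token parameters:
+
+```ruby
+# app/controllers/callbacks_controller.rb
+class CallbacksController < ApplicationController
+def omniauth
+# access token parameters received from OIDC provider will be available in `request.env['omniauth.auth']`
+omniauth_params = request.env['omniauth.auth']
+
+# omniauth_params will contain similar data as shown below
+# {"provider"=>:simple_provider_access_token_only,
+# "credentials"=>
+# {"id_token"=> "id token value",
+# "token"=> "token value",
+# "refresh_token"=>"refresh token value",
+# "expires_in"=>300,
+# "scope"=>nil
+# }
+# }
+end
+end
+```
 
 ### Advanced Configuration
 You can customize the OIDC strategy further by adding additional configuration options:
@@ -165,6 +209,7 @@ You can customize the OIDC strategy further by adding additional configuration o
 |------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|-------------------------------------|-------------------------------------------------------|
 | name | Arbitrary string to identify OIDC provider and segregate it from other OIDC providers | no | `"oidc"` | `:simple_provider` |
 | issuer | Root url for the OIDC authorization server | no | retrived from config_endpoint | `"https://simpleprovider.com"` |
+| fetch_user_info | Fetches user information from user_info_endpoint using the access token. If set to false the omniauth params will include only access token | no | `true` | `fetch_user_info: false` |
 | client_auth_method | Authentication method to be used with the OIDC authorization server | no | `:basic` | `"basic"`, `"jwks"` |
 | scope | OIDC scopes to be included in the server's response | `[:openid]` is required | all scopes offered by OIDC provider | `[:openid, :profile, :email]` |
 | response_type | OAuth2 response type expected from OIDC provider during authorization | no | `"code"` | `"code"` or `"id_token"` |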
@@ -58,7 +58,7 @@ module OmniAuth
|
|
58
58
|
|
59
59
|
verify_id_token!(@access_token.id_token) if configured_response_type == "code"
|
60
60
|
|
61
|
-
user_info_from_access_token
|
61
|
+
options.fetch_user_info ? user_info_from_access_token : define_access_token
|
62
62
|
end
|
63
63
|
|
64
64
|
def id_token_callback_phase
|
@@ -106,6 +106,20 @@ module OmniAuth
|
|
106
106
|
call_app!
|
107
107
|
end
|
108
108
|
|
109
|
+
def define_access_token
|
110
|
+
env["omniauth.auth"] = AuthHash.new(
|
111
|
+
provider: name,
|
112
|
+
credentials: {
|
113
|
+
id_token: @access_token.id_token,
|
114
|
+
token: @access_token.access_token,
|
115
|
+
refresh_token: @access_token.refresh_token,
|
116
|
+
expires_in: @access_token.expires_in,
|
117
|
+
scope: @access_token.scope
|
118
|
+
}
|
119
|
+
)
|
120
|
+
call_app!
|
121
|
+
end
|
122
|
+
|
109
123
|
def configured_response_type
|
110
124
|
@configured_response_type ||= options.response_type.to_s
|
111
125
|
end
|
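Review bot: The AuthHash built in `define_access_token` (new lines 110-119) carries only `provider` and `credentials`, with no `uid` or `info`, so an app that identifies the user through `request.env['omniauth.auth'].uid` gets nil on the token-only path, and anything downstream that relies on `AuthHash#valid?` will see the hash as invalid. Because `verify_id_token!` on line 59 has already validated the ID token in the code flow, the verified `sub` claim is the natural source for `uid:`, e.g. `uid: decode_id_token(@access_token.id_token).raw_attributes["sub"]`, assuming `decode_id_token` is reachable from the strategy as `verify_id_token!` is and that the key form matches what `raw_attributes` returns. The method name reads like a plain accessor although it terminates the phase with `call_app!`; a comment such as `# Ends the callback with a credentials-only AuthHash (no userinfo request, no uid/info)` would make that explicit. The enclosing method of the first hunk (line 61) starts outside the hunk, so the handling of the non-"code" response types that reach it is not visible here.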
@@ -30,7 +30,7 @@ module OmniAuth
|
|
30
30
|
private
|
31
31
|
|
32
32
|
def fetch_key
|
33
|
-
@fetch_key ||= parse_jwk_key(::
|
33
|
+
@fetch_key ||= parse_jwk_key(::Oidc.http_client.get(config.jwks_uri).body)
|
34
34
|
end
|
35
35
|
|
36
36
|
def base64_decoded_jwt_secret
|
@@ -47,7 +47,6 @@ module OmniAuth
|
|
47
47
|
nonce: params["nonce"].presence || stored_nonce)
|
48
48
|
end
|
49
49
|
|
50
|
-
# Workaround for https://github.com/nov/openid_connect/issues/61
|
51
50
|
def decode_id_token(id_token)
|
52
51
|
decoded = JSON::JWT.decode(id_token, :skip_verification)
|
53
52
|
algorithm = decoded.algorithm.to_sym
|
@@ -63,7 +62,7 @@ module OmniAuth
|
|
63
62
|
end
|
64
63
|
|
65
64
|
decoded.verify!(keyset)
|
66
|
-
::
|
65
|
+
::Oidc::ResponseObject::IdToken.new(decoded)
|
67
66
|
rescue JSON::JWK::Set::KidNotFound
|
68
67
|
# Workaround for https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
|
69
68
|
raise if decoded&.header&.key?("kid")
|
@@ -88,7 +87,7 @@ module OmniAuth
|
|
88
87
|
end
|
89
88
|
|
90
89
|
def decode!(id_token, key)
|
91
|
-
::
|
90
|
+
::Oidc::ResponseObject::IdToken.decode(id_token, key)
|
92
91
|
end
|
93
92
|
|
94
93
|
def decode_with_each_key!(id_token, keyset)
|
@@ -140,7 +139,7 @@ module OmniAuth
|
|
140
139
|
if access_token.id_token
|
141
140
|
decoded = decode_id_token(access_token.id_token).raw_attributes
|
142
141
|
|
143
|
-
@user_info = ::
|
142
|
+
@user_info = ::Oidc::ResponseObject::UserInfo.new(
|
144
143
|
access_token.userinfo!.raw_attributes.merge(decoded)
|
145
144
|
)
|
146
145
|
else
|
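Review bot: Removing the `# Workaround for https://github.com/nov/openid_connect/issues/61` comment above `decode_id_token` (old line 50) leaves `JSON::JWT.decode(id_token, :skip_verification)` on new line 51 with no explanation of why the signature is skipped at that point, which is precisely the line a later reader may be tempted to "simplify" into a verified decode or, worse, trust as-is. The unverified decode only serves to read the algorithm (line 52) and choose the key before `decoded.verify!(keyset)` on new line 64 performs the real check, so a replacement comment should say so, e.g. `# Decode unverified only to read alg/kid and select the key; the signature is checked by verify!(keyset) below`. The remaining hunks in this file are mechanical namespace swaps to `::Oidc`, and the `rescue JSON::JWK::Set::KidNotFound` branch keeps its own comment, so this is the only rationale the change loses.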
@@ -5,7 +5,7 @@ require "timeout"
|
|
5
5
|
require "net/http"
|
6
6
|
require "open-uri"
|
7
7
|
require "omniauth"
|
8
|
-
require "
|
8
|
+
require "oidc"
|
9
9
|
require "openid_config_parser"
|
10
10
|
require "forwardable"
|
11
11
|
require "httparty"
|
@@ -61,6 +61,7 @@ module OmniAuth
|
|
61
61
|
option :id_token_hint
|
62
62
|
option :acr_values
|
63
63
|
option :send_nonce, true
|
64
|
+
option :fetch_user_info, true
|
64
65
|
option :send_scope_to_token_endpoint, true
|
65
66
|
option :client_auth_method
|
66
67
|
option :post_logout_redirect_uri
|
@@ -111,9 +112,9 @@ module OmniAuth
|
|
111
112
|
}
|
112
113
|
end
|
113
114
|
|
114
|
-
# Initialize
|
115
|
+
# Initialize Oidc Client with options
|
115
116
|
def client
|
116
|
-
@client ||= ::
|
117
|
+
@client ||= ::Oidc::Client.new(client_options)
|
117
118
|
end
|
118
119
|
|
119
120
|
# Config is build from the json response from the OIDC config endpoint
|
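Review bot: `option :fetch_user_info, true` on new line 64 is the switch that turns off the userinfo request, but nothing in this file says what it does; its effect (the callback ending with a credentials-only AuthHash, without uid or info) is only visible in callback.rb and the README. A comment on the option would document it where it is declared: `# When false the callback skips the userinfo request and yields only the token set (no uid/info)`. The option is read by plain truthiness, so only `false` or `nil` disable the fetch; stating that the value must be a boolean avoids surprises from string-valued configuration.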
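--- a/data/omniauth_oidc.gemspec
+++ b/data/omniauth_oidc.gemspec
@@ -33,9 +33,9 @@ Gem::Specification.new do |spec|
 
 # Uncomment to register a new dependency of your gem
 spec.add_dependency "httparty"
+spec.add_dependency "oidc"
 spec.add_dependency "omniauth"
 spec.add_dependency "openid_config_parser"
-spec.add_dependency "openid_connect"
 
 # For more information and examples about making a new gem, check out our
 # guide at: https://bundler.io/guides/creating_gem.html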
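Review bot: `spec.add_dependency "oidc"` on new line 36 carries no version constraint, so installs resolve whatever `oidc` release is current at the time, and the `::Oidc::Client`, `::Oidc.http_client` and `::Oidc::ResponseObject` calls the strategy now depends on have no compatibility guard against a future breaking release. A pessimistic constraint pinned to the version this change was developed against, e.g. `spec.add_dependency "oidc", "~> <VERSION-TESTED-AGAINST>"`, bounds that and makes the swap away from `openid_connect` reviewable in a lockfile. The other dependencies are equally unconstrained, but this hunk is the one introducing a new library into the verification path.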
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: omniauth_oidc
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Suleyman Musayev
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-07-21 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: httparty
|
@@ -25,7 +25,7 @@ dependencies:
|
|
25
25
|
- !ruby/object:Gem::Version
|
26
26
|
version: '0'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
|
-
name:
|
28
|
+
name: oidc
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - ">="
|
@@ -39,7 +39,7 @@ dependencies:
|
|
39
39
|
- !ruby/object:Gem::Version
|
40
40
|
version: '0'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
|
-
name:
|
42
|
+
name: omniauth
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
45
|
- - ">="
|
@@ -53,7 +53,7 @@ dependencies:
|
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: '0'
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
|
-
name:
|
56
|
+
name: openid_config_parser
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
58
58
|
requirements:
|
59
59
|
- - ">="
|