omniauth_oidc 0.2.0 → 0.2.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 219bb4ddd444b494db9e5c1ac72f93e66ef442d3c3243609e62485b186c5c9ff
4
- data.tar.gz: b28c370148e1a6b3245c4f02defa7dde129354d66885807bcf0dd4d262a2a78d
3
+ metadata.gz: 74463844a516326572c11a06efb05d658c8f62a14046ef8348f0940296c16433
4
+ data.tar.gz: 4756f11d552dc0d39085125210631161eaa6fa5ecf27b2388a0a90becec96abc
5
5
  SHA512:
6
- metadata.gz: 8536b7161da3774d5246bb465de5c24d3cb87fd2b164763df1fb01df11e85c87538f314c5a3ada969ae9e43cfa4b0ccbb22c161034ff0b3da70b91d3b93832be
7
- data.tar.gz: 183943792aa52d5fdccb05b77dcd66d65c5d4c1500936e153733692429c51457fb4da61b28b666c0ceebb04e9a925c04a8d17af4ed6033ce8d96b2da2b6dd512
6
+ metadata.gz: 11a227e37b5878b9ac0e61ee4956acc36e905a17271d06bc33992d37aad3e5a6e33f777e6f9118f3b60ada81570b9a2b884876d6db08febfa917de59dd721b4b
7
+ data.tar.gz: 786fbde9d9929102212c954bee84769f5a8a4d92f36347ec3dfb299d785f94a9a26ffd0057395e96d385a12a6e720aacf42b3b6476cbe3622b5ed394563ff19a
data/CHANGELOG.md CHANGED
@@ -1,5 +1,11 @@
1
1
  ## [Released]
2
2
 
3
+ ## [0.2.2] - 2024-08-04
4
+ - Update dependencies, update documentation, fix end_session_uri, update other_phase
5
+
6
+ ## [0.2.1] - 2024-07-21
7
+ - Update dependencies
8
+
3
9
  ## [0.2.0] - 2024-07-06
4
10
  - Add option to fetch user info or skip it
5
11
 
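Review bot: the 0.2.2 entry `+ - Update dependencies, update documentation, fix end_session_uri, update other_phase` folds four unrelated changes into one bullet; the `other_phase` change alters how `logout_path` is matched (against the full request URL via `request.base_url` rather than the request path, per the hunks further down this page), which is a behavioural change users should be able to spot when upgrading. Give it its own bullet that states what changed, and keep the dependency bump separate.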
data/README.md CHANGED
@@ -91,6 +91,7 @@ end
91
91
  ```
92
92
 
93
93
  Ensure to replace identifier, secret, configuration endpoint url and others with credentials received from your OIDC provider.
94
+ Please note that the gem does not accept `redirect_uri` as a configurable option. For details please see section Routes.
94
95
 
95
96
  ### Redirecting for Authentication
96
97
 
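Review bot: the added sentence `Please note that the gem does not accept `redirect_uri` as a configurable option. For details please see section Routes.` refers to another section by name; make it a link (`[Routes](#routes)`) so readers can follow it, and consider stating the reason in one clause (the value is derived from the provider name and must be registered verbatim with the provider), since that is what a reader hitting a `redirect_uri` mismatch error needs to know.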
@@ -125,15 +126,20 @@ end
125
126
 
126
127
  ### Routes
127
128
 
128
- The gem uses dynamic routes when making requests to the OIDC provider endpoints. These routes follow the naming pattern
129
- of `https://your_app.com/auth/<simple_provider>/callback`, where `<simple_provider>` is the provider name defined
130
- within the configuration of the `omniauth.rb` initializer.
129
+ The gem uses dynamic routes when making requests to the OIDC provider endpoints, so called `redirect_uri` which is a
130
+ non-configurable value that follows the naming pattern of `https://your_app.com/auth/<simple_provider>/callback`,
131
+ where `<simple_provider>` is the provider name defined within the configuration of the `omniauth.rb` initializer.
132
+ This represents the `redirect_uri` that will be passed with the authorization request to your OIDC provider and that
133
+ has to be registered with your OIDC provider as permitted `redirect_uri`.
131
134
 
132
135
  Dynamic routes are used to process responses and perform intermediary steps by the middleware, e.g. request phase,
133
- token verification. While you can define and use same routes within your Rails app, you can modify your `routes.rb`
134
- to perform a dynamic redirect to a another controller method. In an example below, all OIDC responses are ultimately
135
- redirected to the `omniauth` method of the `callbacks_controller`, which is a universal method to handle authentication
136
- with various omniauth providers:
136
+ token verification. While you can define and use same routes within your Rails app, it is highly recommended to modify
137
+ your `routes.rb` to perform a dynamic redirect to a another controller method so this does not cause any conflicts with
138
+ the middleware or the authorization flow.
139
+
140
+ In an example below, `auth/:provider/callback` is generalized `redirect_uri` value that is passed in the authorization
141
+ flow, while all OIDC provider responses are ultimately redirected to the `omniauth` method of the `callbacks_controller`,
142
+ which could be a "Swiss army knife" method to handle authentication or user data from various omniauth providers:
137
143
 
138
144
  ```ruby
139
145
  # config/routes.rb
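Review bot: grammar in the rewritten Routes paragraph: `so called `redirect_uri` which is a` should read `the so-called `redirect_uri`, a`; `a another controller method` should be `another controller method`; and `is generalized `redirect_uri` value` needs an article (`is the generalized ...`). On substance, the text says the value `has to be registered with your OIDC provider as permitted `redirect_uri``; it is worth adding that providers compare the registered value byte for byte, so scheme, host and port of `https://your_app.com/auth/<simple_provider>/callback` must match the deployed application exactly, otherwise the authorization request is rejected.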
@@ -202,6 +208,41 @@ class CallbacksController < ApplicationController
202
208
  end
203
209
  ```
204
210
 
211
+ ### Ending Session
212
+
213
+ The gem provides two configuration options to allow ending a session simultaneously with your client application and the
214
+ OIDC provider.
215
+
216
+ To use this feature, you need to provide a `logout_path` in the options and an `end_session_endpoint` in the client
217
+ options. Here’s a sample setup:
218
+
219
+ ``` ruby
220
+ provider :oidc, {
221
+ name: :simple_provider,
222
+ client_options: {
223
+ identifier: ENV['SIMPLE_PROVIDER_CLIENT_ID'],
224
+ secret: ENV['SIMPLE_PROVIDER_SECRET'],
225
+ config_endpoint: 'https://simpleprovider.com/1234567890/.well-known/openid-configuration',
226
+ end_session_endpoint: 'https://simpleprovider.com/signout' # URL to end session with OIDC provider
227
+ },
228
+ logout_path: '/logout' # path in your application to end user session
229
+ }
230
+ ```
231
+
232
+ * `end_session_endpoint` is the URL to which your client app can redirect to log out the user from the OIDC provider's application. It can be dynamically fetched from the `config_endpoint` response if your OIDC provider specifies it there. Alternatively, you can explicitly provide it in the client options.
233
+
234
+ * `logout_path` is the URL in your application that can be called to terminate the current user's session.
235
+
236
+ Using these two configurations, you can ensure that when a user logs out from your application, they are also logged out
237
+ from the OIDC provider, providing a seamless logout across multiple services.
238
+
239
+ This works by calling `other_phase` on every request in your application, which checks if the requested URL matches the
240
+ defined `logout_path`. If it does, meaning that the current user has requested to log out from your application,
241
+ `other_phase` redirects to the `end_session_endpoin`t to terminate the user's session with the OIDC provider if such a
242
+ session exists. Then it returns back to your application and concludes the request to end the session.
243
+
244
+ For additional details please refer to the [OIDC specification](https://openid.net/specs/openid-connect-session-1_0-17.html#:~:text=%C2%A0TOC-,5.%C2%A0%20RP%2DInitiated%20Logout,-An%20RP%20can).
245
+
205
246
  ### Advanced Configuration
206
247
  You can customize the OIDC strategy further by adding additional configuration options:
207
248
 
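Review bot: typo in the new Ending Session section: `redirects to the `end_session_endpoin`t` has the closing backtick one character early (`end_session_endpoint`). The fence is written as ```` ``` ruby ```` while the rest of the README uses ```` ```ruby ```` (see the routes example above); keep one style. `logout_path` is described as `the URL in your application`, but the example value `'/logout'` is a path, so call it a path. The section does not say which HTTP methods trigger the redirect or which parameters are sent to `end_session_endpoint`; since the code in this release redirects on any request whose URL matches, document that, and document whether `id_token_hint` and `post_logout_redirect_uri` are included, because providers commonly require them to return the user to the application. Finally, the link points at draft 17 of the Session Management spec; RP-Initiated Logout has since been published as its own document (openid-connect-rpinitiated-1_0), which is the better reference for this feature.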
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module OmniauthOidc
4
- VERSION = "0.2.0"
4
+ VERSION = "0.2.2"
5
5
  end
@@ -30,7 +30,7 @@ module OmniAuth
30
30
  private
31
31
 
32
32
  def fetch_key
33
- @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get(config.jwks_uri).body)
33
+ @fetch_key ||= parse_jwk_key(::Oidc.http_client.get(config.jwks_uri).body)
34
34
  end
35
35
 
36
36
  def base64_decoded_jwt_secret
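Review bot: the change `::OpenIDConnect.http_client` to `::Oidc.http_client` in `fetch_key` swaps the constant that supplies the HTTP client, but nothing in this hunk shows the `require` or gemspec dependency that defines `::Oidc`; confirm the dependency change is in the same release and that the new client keeps TLS certificate verification and a timeout for the JWKS fetch, since a silently relaxed client here would affect every ID token signature check. Also, `.body` of the response is passed straight to `parse_jwk_key` without looking at the status, so a provider returning an HTML error page yields a confusing parse failure rather than a clear "could not fetch JWKS from `config.jwks_uri`" error; consider checking the status first.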
@@ -47,7 +47,6 @@ module OmniAuth
47
47
  nonce: params["nonce"].presence || stored_nonce)
48
48
  end
49
49
 
50
- # Workaround for https://github.com/nov/openid_connect/issues/61
51
50
  def decode_id_token(id_token)
52
51
  decoded = JSON::JWT.decode(id_token, :skip_verification)
53
52
  algorithm = decoded.algorithm.to_sym
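Review bot: dropping `# Workaround for https://github.com/nov/openid_connect/issues/61` removes the only explanation of why `decode_id_token` first calls `JSON::JWT.decode(id_token, :skip_verification)` and then reads `decoded.algorithm` from the unverified header. The workaround code itself is still there, so replace the comment rather than deleting it, and have it state where the signature is actually verified and how the `alg` value taken from the unverified header is constrained: this file has both a JWKS path (`fetch_key`) and a shared-secret path (`base64_decoded_jwt_secret`), and the header must not be allowed to choose between them on its own.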
@@ -127,8 +127,9 @@ module OmniAuth
127
127
  @config ||= OpenidConfigParser.fetch_openid_configuration(client_options.config_endpoint)
128
128
  end
129
129
 
130
+ # Detects if current request is for the logout url and makes a redirect to end session with OIDC provider
130
131
  def other_phase
131
- if logout_path_pattern.match?(current_path)
132
+ if logout_path_pattern.match?(request.url)
132
133
  options.issuer = issuer if options.issuer.to_s.empty?
133
134
 
134
135
  return redirect(end_session_uri) if end_session_uri
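Review bot: `if logout_path_pattern.match?(request.url)` in `other_phase` runs on every request and redirects to `end_session_uri` regardless of HTTP method, so a plain GET link or image tag pointing at the logout path terminates the user's session with the provider. Logout is a state-changing action; restrict the match to POST (or verify a CSRF token) before redirecting, or at least document that the path is reachable via GET. The switch from `current_path` to `request.url` also means the match now depends on the scheme and host in `request.base_url` (see the `logout_path_pattern` hunk below), so behind a proxy that rewrites the host the pattern may never match; note that in the changelog.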
@@ -136,6 +137,7 @@ module OmniAuth
136
137
  call_app!
137
138
  end
138
139
 
140
+ # URL to end authenticated user's session with OIDC provider
139
141
  def end_session_uri
140
142
  return unless end_session_endpoint_is_valid?
141
143
 
@@ -205,7 +207,7 @@ module OmniAuth
205
207
  end
206
208
 
207
209
  def logout_path_pattern
208
- @logout_path_pattern ||= /\A#{Regexp.quote(request_path)}#{options.logout_path}/
210
+ @logout_path_pattern ||= /\A#{Regexp.quote(request.base_url)}#{options.logout_path}/
209
211
  end
210
212
 
211
213
  # Strips port and host from strings with OIDC endpoints
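Review bot: the new pattern `/\A#{Regexp.quote(request.base_url)}#{options.logout_path}/` interpolates `options.logout_path` without `Regexp.quote`, so any regex metacharacter in the configured path changes the match, and it is anchored only at the start, so with `logout_path: '/logout'` it also matches `/logout-report` and `/logout/anything`; `request.url` additionally carries the query string. Quote the path and close the match at the end of the path, for example `/\A#{Regexp.quote(request.base_url)}#{Regexp.quote(options.logout_path)}(?:\?|\z)/`, or simply compare `request.path == options.logout_path`, which avoids the regex altogether.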
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth_oidc
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Suleyman Musayev
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2024-07-06 00:00:00.000000000 Z
11
+ date: 2024-08-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: httparty