omniauth_oidc 0.2.1 → 0.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -1
- data/README.md +48 -7
- data/lib/omniauth/oidc/version.rb +1 -1
- data/lib/omniauth/strategies/oidc/verify.rb +3 -3
- data/lib/omniauth/strategies/oidc.rb +7 -5
- data/omniauth_oidc.gemspec +1 -1
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 74463844a516326572c11a06efb05d658c8f62a14046ef8348f0940296c16433
|
|
4
|
+
data.tar.gz: 4756f11d552dc0d39085125210631161eaa6fa5ecf27b2388a0a90becec96abc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 11a227e37b5878b9ac0e61ee4956acc36e905a17271d06bc33992d37aad3e5a6e33f777e6f9118f3b60ada81570b9a2b884876d6db08febfa917de59dd721b4b
|
|
7
|
+
data.tar.gz: 786fbde9d9929102212c954bee84769f5a8a4d92f36347ec3dfb299d785f94a9a26ffd0057395e96d385a12a6e720aacf42b3b6476cbe3622b5ed394563ff19a
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -91,6 +91,7 @@ end
|
|
|
91
91
|
```
|
|
92
92
|
|
|
93
93
|
Ensure to replace identifier, secret, configuration endpoint url and others with credentials received from your OIDC provider.
|
|
94
|
+
Please note that the gem does not accept `redirect_uri` as a configurable option. For details please see section Routes.
|
|
94
95
|
|
|
95
96
|
### Redirecting for Authentication
|
|
96
97
|
|
|
@@ -125,15 +126,20 @@ end
|
|
|
125
126
|
|
|
126
127
|
### Routes
|
|
127
128
|
|
|
128
|
-
The gem uses dynamic routes when making requests to the OIDC provider endpoints
|
|
129
|
-
of `https://your_app.com/auth/<simple_provider>/callback`,
|
|
130
|
-
within the configuration of the `omniauth.rb` initializer.
|
|
129
|
+
The gem uses dynamic routes when making requests to the OIDC provider endpoints, so called `redirect_uri` which is a
|
|
130
|
+
non-configurable value that follows the naming pattern of `https://your_app.com/auth/<simple_provider>/callback`,
|
|
131
|
+
where `<simple_provider>` is the provider name defined within the configuration of the `omniauth.rb` initializer.
|
|
132
|
+
This represents the `redirect_uri` that will be passed with the authorization request to your OIDC provider and that
|
|
133
|
+
has to be registered with your OIDC provider as permitted `redirect_uri`.
|
|
131
134
|
|
|
132
135
|
Dynamic routes are used to process responses and perform intermediary steps by the middleware, e.g. request phase,
|
|
133
|
-
token verification. While you can define and use same routes within your Rails app,
|
|
134
|
-
to perform a dynamic redirect to a another controller method
|
|
135
|
-
|
|
136
|
-
|
|
136
|
+
token verification. While you can define and use same routes within your Rails app, it is highly recommended to modify
|
|
137
|
+
your `routes.rb` to perform a dynamic redirect to a another controller method so this does not cause any conflicts with
|
|
138
|
+
the middleware or the authorization flow.
|
|
139
|
+
|
|
140
|
+
In an example below, `auth/:provider/callback` is generalized `redirect_uri` value that is passed in the authorization
|
|
141
|
+
flow, while all OIDC provider responses are ultimately redirected to the `omniauth` method of the `callbacks_controller`,
|
|
142
|
+
which could be a "Swiss army knife" method to handle authentication or user data from various omniauth providers:
|
|
137
143
|
|
|
138
144
|
```ruby
|
|
139
145
|
# config/routes.rb
|
|
@@ -202,6 +208,41 @@ class CallbacksController < ApplicationController
|
|
|
202
208
|
end
|
|
203
209
|
```
|
|
204
210
|
|
|
211
|
+
### Ending Session
|
|
212
|
+
|
|
213
|
+
The gem provides two configuration options to allow ending a session simultaneously with your client application and the
|
|
214
|
+
OIDC provider.
|
|
215
|
+
|
|
216
|
+
To use this feature, you need to provide a `logout_path` in the options and an `end_session_endpoint` in the client
|
|
217
|
+
options. Here’s a sample setup:
|
|
218
|
+
|
|
219
|
+
``` ruby
|
|
220
|
+
provider :oidc, {
|
|
221
|
+
name: :simple_provider,
|
|
222
|
+
client_options: {
|
|
223
|
+
identifier: ENV['SIMPLE_PROVIDER_CLIENT_ID'],
|
|
224
|
+
secret: ENV['SIMPLE_PROVIDER_SECRET'],
|
|
225
|
+
config_endpoint: 'https://simpleprovider.com/1234567890/.well-known/openid-configuration',
|
|
226
|
+
end_session_endpoint: 'https://simpleprovider.com/signout' # URL to end session with OIDC provider
|
|
227
|
+
},
|
|
228
|
+
logout_path: '/logout' # path in your application to end user session
|
|
229
|
+
}
|
|
230
|
+
```
|
|
231
|
+
|
|
232
|
+
* `end_session_endpoint` is the URL to which your client app can redirect to log out the user from the OIDC provider's application. It can be dynamically fetched from the `config_endpoint` response if your OIDC provider specifies it there. Alternatively, you can explicitly provide it in the client options.
|
|
233
|
+
|
|
234
|
+
* `logout_path` is the URL in your application that can be called to terminate the current user's session.
|
|
235
|
+
|
|
236
|
+
Using these two configurations, you can ensure that when a user logs out from your application, they are also logged out
|
|
237
|
+
from the OIDC provider, providing a seamless logout across multiple services.
|
|
238
|
+
|
|
239
|
+
This works by calling `other_phase` on every request in your application, which checks if the requested URL matches the
|
|
240
|
+
defined `logout_path`. If it does, meaning that the current user has requested to log out from your application,
|
|
241
|
+
`other_phase` redirects to the `end_session_endpoin`t to terminate the user's session with the OIDC provider if such a
|
|
242
|
+
session exists. Then it returns back to your application and concludes the request to end the session.
|
|
243
|
+
|
|
244
|
+
For additional details please refer to the [OIDC specification](https://openid.net/specs/openid-connect-session-1_0-17.html#:~:text=%C2%A0TOC-,5.%C2%A0%20RP%2DInitiated%20Logout,-An%20RP%20can).
|
|
245
|
+
|
|
205
246
|
### Advanced Configuration
|
|
206
247
|
You can customize the OIDC strategy further by adding additional configuration options:
|
|
207
248
|
|
|
@@ -62,7 +62,7 @@ module OmniAuth
|
|
|
62
62
|
end
|
|
63
63
|
|
|
64
64
|
decoded.verify!(keyset)
|
|
65
|
-
::
|
|
65
|
+
::OpenIDConnect::ResponseObject::IdToken.new(decoded)
|
|
66
66
|
rescue JSON::JWK::Set::KidNotFound
|
|
67
67
|
# Workaround for https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
|
|
68
68
|
raise if decoded&.header&.key?("kid")
|
|
@@ -87,7 +87,7 @@ module OmniAuth
|
|
|
87
87
|
end
|
|
88
88
|
|
|
89
89
|
def decode!(id_token, key)
|
|
90
|
-
::
|
|
90
|
+
::OpenIDConnect::ResponseObject::IdToken.decode(id_token, key)
|
|
91
91
|
end
|
|
92
92
|
|
|
93
93
|
def decode_with_each_key!(id_token, keyset)
|
|
@@ -139,7 +139,7 @@ module OmniAuth
|
|
|
139
139
|
if access_token.id_token
|
|
140
140
|
decoded = decode_id_token(access_token.id_token).raw_attributes
|
|
141
141
|
|
|
142
|
-
@user_info = ::
|
|
142
|
+
@user_info = ::OpenIDConnect::ResponseObject::UserInfo.new(
|
|
143
143
|
access_token.userinfo!.raw_attributes.merge(decoded)
|
|
144
144
|
)
|
|
145
145
|
else
|
|
@@ -5,7 +5,7 @@ require "timeout"
|
|
|
5
5
|
require "net/http"
|
|
6
6
|
require "open-uri"
|
|
7
7
|
require "omniauth"
|
|
8
|
-
require "
|
|
8
|
+
require "openid_connect"
|
|
9
9
|
require "openid_config_parser"
|
|
10
10
|
require "forwardable"
|
|
11
11
|
require "httparty"
|
|
@@ -112,9 +112,9 @@ module OmniAuth
|
|
|
112
112
|
}
|
|
113
113
|
end
|
|
114
114
|
|
|
115
|
-
# Initialize
|
|
115
|
+
# Initialize OpenIDConnect Client with options
|
|
116
116
|
def client
|
|
117
|
-
@client ||= ::
|
|
117
|
+
@client ||= ::OpenIDConnect::Client.new(client_options)
|
|
118
118
|
end
|
|
119
119
|
|
|
120
120
|
# Config is build from the json response from the OIDC config endpoint
|
|
@@ -127,8 +127,9 @@ module OmniAuth
|
|
|
127
127
|
@config ||= OpenidConfigParser.fetch_openid_configuration(client_options.config_endpoint)
|
|
128
128
|
end
|
|
129
129
|
|
|
130
|
+
# Detects if current request is for the logout url and makes a redirect to end session with OIDC provider
|
|
130
131
|
def other_phase
|
|
131
|
-
if logout_path_pattern.match?(
|
|
132
|
+
if logout_path_pattern.match?(request.url)
|
|
132
133
|
options.issuer = issuer if options.issuer.to_s.empty?
|
|
133
134
|
|
|
134
135
|
return redirect(end_session_uri) if end_session_uri
|
|
@@ -136,6 +137,7 @@ module OmniAuth
|
|
|
136
137
|
call_app!
|
|
137
138
|
end
|
|
138
139
|
|
|
140
|
+
# URL to end authenticated user's session with OIDC provider
|
|
139
141
|
def end_session_uri
|
|
140
142
|
return unless end_session_endpoint_is_valid?
|
|
141
143
|
|
|
@@ -205,7 +207,7 @@ module OmniAuth
|
|
|
205
207
|
end
|
|
206
208
|
|
|
207
209
|
def logout_path_pattern
|
|
208
|
-
@logout_path_pattern ||= /\A#{Regexp.quote(
|
|
210
|
+
@logout_path_pattern ||= /\A#{Regexp.quote(request.base_url)}#{options.logout_path}/
|
|
209
211
|
end
|
|
210
212
|
|
|
211
213
|
# Strips port and host from strings with OIDC endpoints
|
data/omniauth_oidc.gemspec
CHANGED
|
@@ -33,9 +33,9 @@ Gem::Specification.new do |spec|
|
|
|
33
33
|
|
|
34
34
|
# Uncomment to register a new dependency of your gem
|
|
35
35
|
spec.add_dependency "httparty"
|
|
36
|
-
spec.add_dependency "oidc"
|
|
37
36
|
spec.add_dependency "omniauth"
|
|
38
37
|
spec.add_dependency "openid_config_parser"
|
|
38
|
+
spec.add_dependency "openid_connect"
|
|
39
39
|
|
|
40
40
|
# For more information and examples about making a new gem, check out our
|
|
41
41
|
# guide at: https://bundler.io/guides/creating_gem.html
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth_oidc
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Suleyman Musayev
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-08-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: httparty
|
|
@@ -25,7 +25,7 @@ dependencies:
|
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '0'
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
|
-
name:
|
|
28
|
+
name: omniauth
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
31
|
- - ">="
|
|
@@ -39,7 +39,7 @@ dependencies:
|
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0'
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
|
-
name:
|
|
42
|
+
name: openid_config_parser
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
44
44
|
requirements:
|
|
45
45
|
- - ">="
|
|
@@ -53,7 +53,7 @@ dependencies:
|
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
54
|
version: '0'
|
|
55
55
|
- !ruby/object:Gem::Dependency
|
|
56
|
-
name:
|
|
56
|
+
name: openid_connect
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
58
58
|
requirements:
|
|
59
59
|
- - ">="
|