omniauth_oidc 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c9938b98ee466c6cc178261c9ae304cfe35ab8e8944aa4c267717badbde1aa2d
-  data.tar.gz: aa202f151604d5f83d087541af1810b87645a0a49c14206ac92eedc579314c9c
+  metadata.gz: 219bb4ddd444b494db9e5c1ac72f93e66ef442d3c3243609e62485b186c5c9ff
+  data.tar.gz: b28c370148e1a6b3245c4f02defa7dde129354d66885807bcf0dd4d262a2a78d
 SHA512:
-  metadata.gz: 7b01ce26e049dd86893188edd3662fb52d1de8c553773812dca9900c47912d4e7259602e114dd8dff35cb03889408dac6f4e110140fcf4d4b805348604095f56
-  data.tar.gz: bdb799687fa7b29a16d35a9b417f0c55df59c3f47e94daa7d68b59a2c5baea28b692fec8862957e76e6a441af7c75e36023bd45401f078c297b5192f2d32911e
+  metadata.gz: 8536b7161da3774d5246bb465de5c24d3cb87fd2b164763df1fb01df11e85c87538f314c5a3ada969ae9e43cfa4b0ccbb22c161034ff0b3da70b91d3b93832be
+  data.tar.gz: 183943792aa52d5fdccb05b77dcd66d65c5d4c1500936e153733692429c51457fb4da61b28b666c0ceebb04e9a925c04a8d17af4ed6033ce8d96b2da2b6dd512

data/CHANGELOG.md

@@ -1,5 +1,8 @@
 ## [Released]
 
+## [0.2.0] - 2024-07-06
+- Add option to fetch user info or skip it
+
 ## [0.1.1] - 2024-06-16
 - Add dependabot
 

data/README.md

@@ -4,6 +4,8 @@ This gem provides an OmniAuth strategy for integrating OpenID Connect (OIDC) aut
 
 Developed with reference to [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect) and [omniauth_openid_connect](https://github.dev/omniauth/omniauth_openid_connect).
 
+[Article on Medium](https://msuliq.medium.com/authenticating-with-omniauth-and-openid-connect-oidc-in-ruby-on-rails-applications-e136ec5b48c0) about the development of this gem.
+
 ## Installation
 
 To install the gem run the following command in the terminal:
@@ -157,6 +159,48 @@ end
 **Please note that you should register `https://your_app.com/auth/<simple_provider>/callback` with your OIDC provider
 as a callback redirect url.**
 
+### Using Access Token Without User Info
+
+In case your app requries only an access token and not the user information, then you can specify an optional
+configuration in the omniauth initializer:
+
+```ruby
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :oidc, {
+    name: :simple_provider_access_token_only,
+    fetch_user_info: false, # if not specified, default value of true will be applied
+    client_options: {
+      identifier: '23575f4602bebbd9a17dbc38d85bd1a77',
+      secret: ENV['SIMPLE_PROVIDER_CLIENT_SECRET'],
+      config_endpoint: 'https://simpleprovider.com/cdn-cgi/access/sso/oidc/23575f4602bebbd9a17dbc38d85bd1a77/.well-known/openid-configuration'
+    }
+  }
+end
+```
+
+Then the callback returned once your user authenticates with the OIDC provider will contain only access token parameters:
+
+```ruby
+# app/controllers/callbacks_controller.rb
+class CallbacksController < ApplicationController
+  def omniauth
+    # access token parameters received from OIDC provider will be available in `request.env['omniauth.auth']`
+    omniauth_params = request.env['omniauth.auth']
+
+    # omniauth_params will contain similar data as shown below
+    # {"provider"=>:simple_provider_access_token_only,
+    #  "credentials"=>
+    #   {"id_token"=> "id token value",
+    #    "token"=> "token value",
+    #    "refresh_token"=>"refresh token value",
+    #    "expires_in"=>300,
+    #    "scope"=>nil
+    #   }
+    # }
+  end
+end
+```
 
 ### Advanced Configuration
 You can customize the OIDC strategy further by adding additional configuration options:
@@ -165,6 +209,7 @@ You can customize the OIDC strategy further by adding additional configuration o
 |------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|-------------------------------------|-------------------------------------------------------|
 | name                         | Arbitrary string to identify OIDC provider and segregate it from other OIDC providers                                                                                 | no                      | `"oidc"`                            | `:simple_provider`                                    |
 | issuer                       | Root url for the OIDC authorization server                                                                                                                            | no                      | retrived from config_endpoint       | `"https://simpleprovider.com"`                        |
+| fetch_user_info              | Fetches user information from user_info_endpoint using the access token. If set to false the omniauth params will include only access token                           | no                      | `true`                              | `fetch_user_info: false`                              |
 | client_auth_method           | Authentication method to be used with the OIDC authorization server                                                                                                   | no                      | `:basic`                            | `"basic"`, `"jwks"`                                   |
 | scope                        | OIDC scopes to be included in the server's response                                                                                                                   | `[:openid]` is required | all scopes offered by OIDC provider | `[:openid, :profile, :email]`                         |
 | response_type                | OAuth2 response type expected from OIDC provider during authorization                                                                                                 | no                      | `"code"`                            | `"code"` or `"id_token"`                              |

data/lib/omniauth/oidc/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OmniauthOidc
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

data/lib/omniauth/strategies/oidc/callback.rb

@@ -58,7 +58,7 @@ module OmniAuth
 
           verify_id_token!(@access_token.id_token) if configured_response_type == "code"
 
-          user_info_from_access_token
+          options.fetch_user_info ? user_info_from_access_token : define_access_token
         end
 
         def id_token_callback_phase
@@ -106,6 +106,20 @@ module OmniAuth
           call_app!
         end
 
+        def define_access_token
+          env["omniauth.auth"] = AuthHash.new(
+            provider: name,
+            credentials: {
+              id_token: @access_token.id_token,
+              token: @access_token.access_token,
+              refresh_token: @access_token.refresh_token,
+              expires_in: @access_token.expires_in,
+              scope: @access_token.scope
+            }
+          )
+          call_app!
+        end
+
         def configured_response_type
           @configured_response_type ||= options.response_type.to_s
         end

data/lib/omniauth/strategies/oidc.rb

@@ -61,6 +61,7 @@ module OmniAuth
       option :id_token_hint
       option :acr_values
       option :send_nonce, true
+      option :fetch_user_info, true
       option :send_scope_to_token_endpoint, true
       option :client_auth_method
       option :post_logout_redirect_uri

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth_oidc
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Suleyman Musayev
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-06-16 00:00:00.000000000 Z
+date: 2024-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: httparty