omniauth_strong_auth_oidc 0.1.0

data/lib/omniauth/strategies/strong_auth_oidc.rb

@@ -0,0 +1,210 @@
+require 'omniauth-oauth2'
+require 'jwt'
+require 'jwe'
+
+module OmniAuth
+  module Strategies
+    class StrongAuthOidc < OmniAuth::Strategies::OAuth2
+      option :name, :strong_auth_oidc
+
+      # Custom options for Telia authentication
+      option :scope, 'openid'
+      option :response_type, 'code'
+      option :relying_party_jwks_storage
+      option :provider_jwks_loader
+      option :provider_entity_statement_fetcher, nil
+      option :redirect_uri, nil
+
+      def redirect_uri
+        return options.redirect_uri if options.redirect_uri.present?
+
+        # omniauth adds query prarameters from the original request to the callback_url
+        # if we don't strip them, the OIDC provider will reject the redirect_uri mismatch
+        uri = URI(callback_url)
+        uri.query = nil
+        uri.to_s
+      end
+
+      # Override authorize_params to support signed request
+      def authorize_params
+        params = super.dup
+        params[:request] = build_authorize_param_jwt_request(params)
+        params[:redirect_uri] = redirect_uri
+
+        # Remove parameters that are now in the signed request JWT
+        # Keep client_id and optionally state/nonce outside the JWT
+        params.delete(:scope)
+        params.delete(:response_type)
+        params.delete(:acr_values)
+        params.delete(:audience)
+        params
+      end
+
+      # Build signed request JWT for authorization
+      def build_authorize_param_jwt_request(params)
+        now = Time.now.to_i
+
+        jwt_payload = {
+          iss: options.client_id,
+          aud: entity_statement ? entity_statement.openid_configuration.dig(:issuer) : options.authorize_params[:audience],
+          client_id: options.client_id,
+          response_type: options.response_type,
+          scope: options.scope,
+          redirect_uri: redirect_uri,
+          jti: SecureRandom.uuid,
+          exp: now + 900, # 15 minutes
+          iat: now,
+          nbf: now
+        }
+
+        # Add acr_values if present
+        if params['acr_values']
+          jwt_payload[:acr_values] = params['acr_values']
+        end
+
+        # Add state if present
+        if params[:state]
+          jwt_payload[:state] = params[:state]
+        end
+
+        # Add nonce for OIDC
+        jwt_payload[:nonce] = SecureRandom.hex(16)
+
+        JWT.encode(jwt_payload, signing_key.keypair, 'RS256', kid: signing_key.kid)
+      end
+
+      # Override token_params to use JWT bearer authentication
+      def token_params
+        super.tap do |params|
+          params[:grant_type] = 'authorization_code'
+          params[:redirect_uri] = redirect_uri
+          params[:client_id] = options.client_id
+          params[:client_assertion_type] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+          params[:client_assertion] = client_assertion
+        end
+      end
+
+      # Build client assertion JWT for authentication
+      def client_assertion
+        now = Time.now.to_i
+
+        jwt_payload = {
+          iss: options.client_id,
+          sub: options.client_id,
+          aud: token_url,
+          jti: SecureRandom.uuid,
+          exp: now + 900, # 15 minutes
+          iat: now
+        }
+
+        JWT.encode(jwt_payload, signing_key.keypair, 'RS256', kid: signing_key.kid)
+      end
+
+      # Get user info from ID token
+      def raw_info
+        @raw_info ||= begin
+          # The ID token is returned in the token response
+          id_token = access_token.params['id_token']
+
+          if id_token
+            # Decrypt and verify the ID token
+            decrypt_and_verify_jwt(id_token)
+          else
+            raise "No id_token in token response"
+          end
+        end
+      end
+
+      def token_url
+        if entity_statement
+          return entity_statement.openid_configuration.dig(:token_endpoint)
+        end
+        client.connection.build_url(options.client_options.token_url)
+      end
+
+      # Decrypt and verify JWT response
+      def decrypt_and_verify_jwt(jwt_string)
+        # if key was rotated the first attempt can fail
+        begin
+          encryption_key_index = 0
+          # Telia returns JWE (encrypted JWT) which contains a JWS (signed JWT)
+          # If our private key was rotated, we may need to try multiple keys
+          inner_jwt = JWE.decrypt(jwt_string, encryption_keys[encryption_key_index].keypair)
+
+          # Then verify the inner JWT signature with JWKS
+          jwt_data = JWT.decode(
+            inner_jwt,
+            nil,
+            true,
+            algorithms: ['RS256'],
+            jwks: options.provider_jwks_loader
+          )
+
+          jwt_data.first
+        rescue OpenSSL::PKey::RSAError => e
+          encryption_key_index += 1
+          if encryption_keys[encryption_key_index]
+            retry
+          else
+            raise e
+          end
+        end
+      end
+
+      # Build auth hash
+      uid { raw_info['sub'] }
+
+      info do
+        {
+          identity_number: raw_info['urn:oid:1.2.246.21'],
+          first_name: raw_info['urn:oid:1.2.246.575.1.14'],
+          last_name: raw_info['urn:oid:2.5.4.4']
+        }
+      end
+
+      extra do
+        {
+          raw_info: raw_info
+        }
+      end
+
+      # Override client to use custom identifier
+      # @return [OAuth2::Client]
+      def client
+        client_options = {}
+        if entity_statement
+          # Fetch OIDC provider configuration from entity statement
+          oidc_provider_config = entity_statement.openid_configuration
+          client_options[:site] = oidc_provider_config.dig(:issuer)
+          client_options[:authorize_url] = oidc_provider_config.dig(:authorization_endpoint)
+          client_options[:token_url] = oidc_provider_config.dig(:token_endpoint)
+          client_options[:userinfo_url] = oidc_provider_config.dig(:userinfo_endpoint)
+        else
+          client_options = options.client_options.dup
+        end
+        ::OAuth2::Client.new(
+          options.client_id,
+          nil, # No client secret needed for JWT bearer
+          client_options.deep_symbolize_keys
+        )
+      end
+
+      private
+
+      def entity_statement
+        return nil unless options.provider_entity_statement_fetcher
+        options.provider_entity_statement_fetcher.entity_statement
+      end
+
+      # Get signing key from key storage
+      def signing_key
+        options.relying_party_jwks_storage.current_jwks.select { |key| key[:use] == 'sig' }.first
+      end
+
+      # Get encryption key from key storage
+      def encryption_keys
+        options.relying_party_jwks_storage.jwks.select { |key| key[:use] == 'enc' }
+      end
+    end
+  end
+end

data/lib/omniauth_strong_auth_oidc/entity_statement.rb

@@ -0,0 +1,22 @@
+module OmniauthStrongAuthOidc
+  class EntityStatement
+    attr_reader :entity_statement_data, :metadata_key
+
+    def initialize(entity_statement_data, metadata_key: :openid_provider)
+      @entity_statement_data = entity_statement_data
+      @metadata_key = metadata_key
+    end
+
+    def openid_configuration
+      entity_statement_data.dig(:metadata, metadata_key)
+    end
+
+    def signed_jwks_uri
+      entity_statement_data.dig(:metadata, metadata_key, :signed_jwks_uri)
+    end
+
+    def configuration_jwks
+      JWT::JWK::Set.new(entity_statement_data.dig(:jwks))
+    end
+  end
+end

data/lib/omniauth_strong_auth_oidc/entity_statement_fetcher/base.rb

@@ -0,0 +1,37 @@
+module OmniauthStrongAuthOidc
+  # Abstract interface for OpenID key storage
+  # Implementations must provide a JWK set containing both signing and encryption keys
+  module EntityStatementFetcher
+    class Base
+      attr_reader :entity_statement
+      attr_reader :statement_type
+
+      def initialize(statement_type: :openid_provider)
+        @statement_type = statement_type
+      end
+
+      def entity_statement
+        @entity_statement ||= EntityStatement.new(fetch_entity_statement, metadata_key: statement_type)
+      end
+
+      def reload!
+        @entity_statement = nil
+      end
+
+      private def fetch_entity_statement
+        raise NotImplementedError, "Subclasses must implement fetch_entity_statement"
+      end
+
+      private def decode_with_verification(signed_jwt, entity_statement)
+        jwks = entity_statement['jwks']
+        JWT.decode(
+          signed_jwt,
+          nil,
+          true,
+          algorithms: ['RS256'],
+          jwks: jwks
+        ).first.deep_symbolize_keys
+      end
+    end
+  end
+end

data/lib/omniauth_strong_auth_oidc/entity_statement_fetcher/federation_url_fetcher.rb

@@ -0,0 +1,29 @@
+module OmniauthStrongAuthOidc
+  module EntityStatementFetcher
+    class FederationUrlFetcher < Base
+      attr_reader :entity_statement_url
+
+      def initialize(issuer_url:, entity_statement_path: "/.well-known/openid-federation", statement_type: :openid_provider)
+        @entity_statement_url = "#{issuer_url}#{entity_statement_path}"
+        super(statement_type: statement_type)
+      end
+
+      # Fetch Telia's Entity Statement
+      # The Entity Statement is a signed JWT containing metadata including JWKS
+      # @return [Hash] Decoded entity statement payload
+      private def fetch_entity_statement
+        response = HTTP.get(entity_statement_url)
+
+        unless response.status.success?
+          raise "Failed to fetch entity statement: #{response.status}"
+        end
+
+        # Decode without verification (trusting HTTPS) to get the payload
+        entity_statement_raw = response.body.to_s
+
+        # Check signature with the embedded JWKS
+        decode_with_verification(entity_statement_raw, JWT.decode(entity_statement_raw, nil, false).first)
+      end
+    end
+  end
+end

data/lib/omniauth_strong_auth_oidc/entity_statement_fetcher/file_fetcher.rb

@@ -0,0 +1,22 @@
+module OmniauthStrongAuthOidc
+  module EntityStatementFetcher
+    class FileFetcher < Base
+      attr_reader :entity_statement_url
+
+      def initialize(path_to_file:, statement_type: :openid_provider)
+        @path_to_file = path_to_file
+        super(statement_type: statement_type)
+      end
+
+      # Fetch Telia's Entity Statement
+      # The Entity Statement is a signed JWT containing metadata including JWKS
+      # @return [Hash] Decoded entity statement payload
+      private def fetch_entity_statement
+        File.open(@path_to_file, 'r') do |file|
+          entity_statement_raw = file.read
+          decode_with_verification(entity_statement_raw, JWT.decode(entity_statement_raw, nil, false).first)
+        end
+      end
+    end
+  end
+end

data/lib/omniauth_strong_auth_oidc/entity_statement_fetcher.rb

@@ -0,0 +1,9 @@
+require_relative 'entity_statement_fetcher/base'
+require_relative 'entity_statement_fetcher/federation_url_fetcher'
+require_relative 'entity_statement_fetcher/file_fetcher'
+
+module OmniauthStrongAuthOidc
+  module EntityStatementFetcher
+
+  end
+end

data/lib/omniauth_strong_auth_oidc/jwks_cache.rb

@@ -0,0 +1,31 @@
+module OmniauthStrongAuthOidc
+  class JwksCache
+    # Implmlement call method for use as a JWK loader in JWT.decode
+    # Example:
+    #  JWT.decode(token, nil, true, { jwks: OmniauthStrongAuthOidc::JwksCache.new(jwks_source) })
+    #  where jwks_source responds to .jwks and .reload! (optional)
+    def initialize(jwks_source, timeout_sec = 300)
+      @jwks_source = jwks_source
+      @timeout_sec = timeout_sec
+      @cache_last_update = 0
+    end
+
+    def call(options = {})
+      # The jwk loader would fetch the set of JWKs from a trusted source.
+      # To avoid malicious requests triggering cache invalidations there needs to be
+      # some kind of grace time or other logic for determining the validity of the invalidation.
+      # This example only allows cache invalidations every 5 minutes.
+      # and at least once a day.
+      if (options[:kid_not_found] && @cache_last_update < Time.now.to_i - @timeout_sec)
+        @cached_keys = nil
+        @jwks_source.reload! if @jwks_source.respond_to?(:reload!)
+      end
+      @cached_keys ||= begin
+        @cache_last_update = Time.now.to_i
+        # Replace with your own JWKS fetching routine
+        jwks = @jwks_source.jwks
+        jwks.select { |key| key[:use] == 'sig' } # Signing Keys only
+      end
+    end
+  end
+end

data/lib/omniauth_strong_auth_oidc/jwks_fetcher.rb

@@ -0,0 +1,87 @@
+require 'http'
+require 'jwt'
+
+module OmniauthStrongAuthOidc
+  # Service to fetch and verify Telia's JWKS
+  class JwksFetcher
+    attr_reader :signed_jwks_uri
+    attr_reader :configuration_jwks
+    attr_reader :entity_statement_fetcher
+
+    def initialize(signed_jwks_uri: nil, configuration_jwks: nil, entity_statement_fetcher: nil)
+      # either entity stament or signed_jwks_uri + configuration_jwks must be provided
+      if entity_statement_fetcher && (signed_jwks_uri || configuration_jwks)
+        raise ArgumentError, "Provide either entity_statement_fetcher or both signed_jwks_uri and configuration_jwks, not both"
+      end
+
+      if !entity_statement_fetcher && (!signed_jwks_uri || !configuration_jwks)
+        raise ArgumentError, "Must provide either entity_statement_fetcher or both signed_jwks_uri and configuration_jwks"
+      end
+
+      @signed_jwks_uri = signed_jwks_uri
+      @configuration_jwks = configuration_jwks
+      @entity_statement_fetcher = entity_statement_fetcher
+    end
+
+    def jwks
+      @jwks ||= fetch_and_verify_jwks
+    end
+
+    def reload!
+      if entity_statement_fetcher
+        entity_statement_fetcher.reload!
+      end
+      @jwks = nil
+    end
+
+    def signed_jwks_uri
+      if entity_statement_fetcher
+        return entity_statement_fetcher.entity_statement.signed_jwks_uri
+      end
+      @signed_jwks_uri
+    end
+
+    def configuration_jwks
+      if entity_statement_fetcher
+        return entity_statement_fetcher.entity_statement.configuration_jwks
+      end
+      @configuration_jwks
+    end
+
+    private
+
+    def fetch_and_verify_jwks
+      unless signed_jwks_uri
+        raise "No signed_jwks_uri found in entity statement metadata"
+      end
+
+      # Fetch the signed JWKS
+      signed_response = HTTP.get(signed_jwks_uri)
+
+      unless signed_response.status.success?
+        raise "Failed to fetch signed JWKS"
+      end
+
+      # Verify and extract JWKS from the signed JWT
+      verify_signed_jwks(signed_response.body.to_s, configuration_jwks)
+    end
+
+    # Verify and extract JWKS from signed JWT
+    # Uses the JWKS from the entity statement to verify the signature
+    def verify_signed_jwks(signed_jwt, configuration_jwks)
+      #TODO: Check if configuration_jwks can expire or be rotated
+      decoded = nil
+
+      # Decode and verify the signed JWKS JWT using entity statement's JWKS
+      decoded = JWT.decode(
+        signed_jwt,
+        nil,
+        true,
+        algorithms: ['RS256'],
+        jwks: configuration_jwks
+      )
+
+      JWT::JWK::Set.new(decoded.first)
+    end
+  end
+end

data/lib/omniauth_strong_auth_oidc/relying_party_entity_statement_generator.rb

@@ -0,0 +1,77 @@
+module OmniauthStrongAuthOidc
+  # Generates OpenID Federation Entity Statement for the relying party (client)
+  # This statement contains client metadata and a link to the client's JWKS
+  class RelyingPartyEntityStatementGenerator
+    attr_reader :iss, :org_name, :jwks_uri, :signed_jwks_uri, :redirect_uris, :configuration_jwks_storage
+
+    def initialize(iss:, org_name:, jwks_uri:, signed_jwks_uri:, redirect_uris:, configuration_jwks_storage:)
+      @iss = iss
+      @org_name = org_name
+      @jwks_uri = jwks_uri
+      @signed_jwks_uri = signed_jwks_uri
+      @redirect_uris = redirect_uris
+      @configuration_jwks_storage = configuration_jwks_storage
+    end
+
+    # Generate the entity statement JWT
+    # @return [String] Signed JWT entity statement
+    def generate
+      now = Time.now.to_i
+
+      {
+        iss: iss,
+        sub: iss,
+        iat: now,
+        exp: now + (365 * 24 * 60 * 60), # Valid for 1 year
+        metadata: {
+          openid_relying_party: openid_relying_party_metadata
+        },
+        jwks: {
+          keys: signing_keys_for_entity_statement
+        }
+      }
+    end
+
+    def generate_signed
+      sign_entity_statement(generate)
+    end
+
+    private
+
+    def openid_relying_party_metadata
+      {
+        client_name: org_name,
+        application_type: "web",
+        jwks_uri: jwks_uri,
+        signed_jwks_uri: signed_jwks_uri,
+        redirect_uris: redirect_uris,
+        response_types: ['code'],
+        grant_types: ['authorization_code'],
+        token_endpoint_auth_method: 'private_key_jwt'
+      }
+    end
+
+    def signing_keys_for_entity_statement
+      # Export the entity statement signing key (public part)
+      # This is the key used to verify the entity statement signature
+        configuration_jwks_storage.current_jwks.export[:keys]
+    end
+
+    def sign_entity_statement(payload)
+      # Use the separate entity statement signing key
+      current_jwks = configuration_jwks_storage.current_jwks
+      signing_jwk = current_jwks.select { |k| k[:use] == 'sig' }.first
+
+      signing_key = signing_jwk.keypair
+      kid = signing_jwk[:kid]
+
+      headers = {
+        typ: 'entity-statement+jwt',
+        kid: kid,
+        alg: 'RS256'
+      }
+
+      JWT.encode(payload, signing_key, 'RS256', headers)
+    end
+  end
+end

data/lib/omniauth_strong_auth_oidc/relying_party_jwks_generator.rb

@@ -0,0 +1,50 @@
+module OmniauthStrongAuthOidc
+  # Generates a signed JWKS JWT containing the client's public keys
+  # This is separate from the plain JWKS endpoint and is signed by the entity statement key
+  class RelyingPartyJwksGenerator
+    attr_reader :relying_party_jwks_storage, :relying_party_configuration_jwks_storage, :issuer
+
+    def initialize(relying_party_jwks_storage:, relying_party_configuration_jwks_storage:, issuer:)
+      @relying_party_jwks_storage = relying_party_jwks_storage
+      @relying_party_configuration_jwks_storage = relying_party_configuration_jwks_storage
+      @issuer = issuer
+    end
+
+    # Generate the signed JWKS JWT
+    # @return [String] Signed JWT containing JWKS
+    def generate
+      now = Time.now.to_i
+
+      {
+        iss: issuer,
+        sub: issuer,
+        iat: now
+      }.merge(
+        relying_party_jwks_storage.current_jwks.export,
+      )
+    end
+
+    def generate_signed
+      sign_jwks(generate)
+    end
+
+    private
+
+    def sign_jwks(payload)
+      # Use the entity statement key for signing
+      entity_jwks = relying_party_configuration_jwks_storage.jwks
+      signing_jwk = entity_jwks.select { |k| k[:use] == 'sig' }.first
+
+      signing_key = signing_jwk.keypair
+      kid = signing_jwk[:kid]
+
+      headers = {
+        typ: 'jwks+jwt',
+        kid: kid,
+        alg: 'RS256'
+      }
+
+      JWT.encode(payload, signing_key, 'RS256', headers)
+    end
+  end
+end

data/lib/omniauth_strong_auth_oidc/relying_party_jwks_storage/base.rb

@@ -0,0 +1,101 @@
+module OmniauthStrongAuthOidc
+  # Abstract interface for OpenID key storage
+  # Implementations must provide a JWK set containing both signing and encryption keys
+  module RelyingPartyJwksStorage
+    class Base
+        MINIMUM_KEY_LENGTH = 2048
+        DEFAULT_KEY_LENGTH = 4096
+
+        class << self
+          attr_accessor :instance
+        end
+
+        def support_rotation?
+          false
+        end
+
+        # Returns the JWK set containing all keys (signing + encryption, current + previous)
+        # @return [JWT::JWK::Set]
+        def jwks
+          raise NotImplementedError, "#{self.class} must implement #jwks"
+        end
+
+        # Returns first signing and encryption keys only
+        # Current keys alsways go first
+        def current_jwks
+          taken_keys = []
+          current_jwks = jwks.select do |key|
+            if (key[:use] == 'sig' && !taken_keys.include?('sig')) ||
+              (key[:use] == 'enc' && !taken_keys.include?('enc'))
+              taken_keys << key[:use]
+              true
+            else
+              false
+            end
+          end
+          JWT::JWK::Set.new(current_jwks)
+        end
+
+        # Rotates the signing key
+        # @return [void]
+        def rotate_signing_key!
+          raise NotImplementedError, "#{self.class} must implement #rotate_signing_key!"
+        end
+
+        # Rotates the encryption key
+        # @return [void]
+        def rotate_encryption_key!
+          raise NotImplementedError, "#{self.class} must implement #rotate_encryption_key!"
+        end
+
+        protected
+
+        # Generates a new RSA key pair with the specified key length
+        # @param key_length [Integer] The length of the key in bits (minimum 2048)
+        # @return [OpenSSL::PKey::RSA]
+        def generate_rsa_key(key_length = DEFAULT_KEY_LENGTH)
+          raise ArgumentError, "Key length must be at least #{MINIMUM_KEY_LENGTH} bits" if key_length < MINIMUM_KEY_LENGTH
+
+          OpenSSL::PKey::RSA.new(key_length)
+        end
+
+        # Converts an RSA key to a JWK with the specified parameters
+        # Uses JWT's built-in kid generation if not provided
+        # @param key [OpenSSL::PKey::RSA] The RSA key to convert
+        # @param kid [String, nil] The key ID (optional, will auto-generate if nil)
+        # @param use [String] The key use ('sig' for signing, 'enc' for encryption)
+        # @return [JWT::JWK]
+        def key_to_jwk(key, kid: nil, use:)
+          if kid
+            JWT::JWK.new(key, { use: use, kid: kid })
+          else
+            JWT::JWK.new(key, { use: use })
+          end
+        end
+
+        # Creates a JWK set from signing and encryption key data
+        # @param signing_key_data [Array<Hash>] Array of signing key data hashes
+        # @param encryption_key_data [Array<Hash>] Array of encryption key data hashes
+        # @return [JWT::JWK::Set]
+        def create_jwk_set(signing_key_data:, encryption_key_data:)
+          jwks = []
+
+          # Add signing keys
+          signing_key_data.each do |key_data|
+            key = OpenSSL::PKey::RSA.new(key_data[:pem])
+            # Use kid from key_data if available (for backward compatibility)
+            jwks << key_to_jwk(key, kid: key_data[:kid], use: 'sig')
+          end
+
+          # Add encryption keys
+          encryption_key_data.each do |key_data|
+            key = OpenSSL::PKey::RSA.new(key_data[:pem])
+            # Use kid from key_data if available (for backward compatibility)
+            jwks << key_to_jwk(key, kid: key_data[:kid], use: 'enc')
+          end
+
+          JWT::JWK::Set.new(jwks)
+        end
+      end
+  end
+end