ruby_jwk 0.1.0 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +42 -1
- data/app/controllers/concerns/ruby_jwk/authenticate.rb +13 -13
- data/app/controllers/ruby_jwk/application_controller.rb +0 -3
- data/lib/ruby_jwk/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: acbc90c2694f4c2e36ad46ef10bad76f202bcbcaf2475ffc6a8abfdc54ea79ff
|
|
4
|
+
data.tar.gz: 5418fc821dee941ba7dfda69871e068a42303a35b43ab710cf8166d50037a619
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1c772e723e5d79550bf4e373a5f7fe319ae22223c53968d303f8936f7eb1fe47f08b78964b69fee2915421a330fea872af0b6e02753b0a0b06b72e5525e54320
|
|
7
|
+
data.tar.gz: 546ddbdddde062611a4644644052fb97690433bfc22c6b5afebfe8b5167885202eec2a01d958e79517e9ec8d5e5582940024916e3862ecd996fce45a23676162
|
data/README.md
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
# RubyJwk
|
|
2
|
-
Authenticate
|
|
2
|
+
Authenticate JWT with JWKs.
|
|
3
3
|
|
|
4
4
|
## Usage
|
|
5
5
|
How to use my plugin.
|
|
@@ -20,6 +20,47 @@ Or install it yourself as:
|
|
|
20
20
|
```bash
|
|
21
21
|
$ gem install ruby_jwk
|
|
22
22
|
```
|
|
23
|
+
## Getting started
|
|
24
|
+
|
|
25
|
+
Authentication system exposes a JWKS endpoint for each tenant, which looks like `https://YOUR_DOMAIN/.well-known/jwks.json`. This endpoint will contain the JWK used to verify all Authentication JWTs for this tenant. This endpoint has to be configured like below in initializer file.
|
|
26
|
+
|
|
27
|
+
```ruby
|
|
28
|
+
RubyJwk.jwk_url = 'https://YOUR_DOMAIN/.well-known/jwks.json'
|
|
29
|
+
RubyJwk.skip_issuers = [] # to skip authentication for certain issuers
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
Suppose each tenant has different endpoint then configure it as below. Here `:tenant_name` gets replaced by `tenant` attribute in JWT payload.
|
|
33
|
+
|
|
34
|
+
```ruby
|
|
35
|
+
RubyJwk.jwk_url = 'https://:tenant_name/.well-known/jwks.json'
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
To set up a controller with tenant authentication, just add this before_action
|
|
39
|
+
|
|
40
|
+
```ruby
|
|
41
|
+
class ApplicationController < ActionController::API
|
|
42
|
+
include RubyJwk::Authenticate
|
|
43
|
+
before_action :authenticate_tenant!
|
|
44
|
+
end
|
|
45
|
+
```
|
|
46
|
+
To get the JWT payload, use the following helper:
|
|
47
|
+
```ruby
|
|
48
|
+
jwt_payload
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
To get tenant name from JWT, use the following helper:
|
|
52
|
+
```ruby
|
|
53
|
+
jwt_tenant_name
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
### Token verification
|
|
57
|
+
Currently, we support below verifications
|
|
58
|
+
* Signature
|
|
59
|
+
* Token expiry
|
|
60
|
+
* nbf
|
|
61
|
+
|
|
62
|
+
## Reference
|
|
63
|
+
https://blog.unathichonco.com/verifying-jwts-with-jwks-in-ruby
|
|
23
64
|
|
|
24
65
|
## Contributing
|
|
25
66
|
Contribution directions go here.
|
|
@@ -1,19 +1,29 @@
|
|
|
1
1
|
module RubyJwk
|
|
2
2
|
module Authenticate
|
|
3
3
|
def authenticate_tenant!
|
|
4
|
-
return if RubyJwk.skip_issuers.to_a.include?(
|
|
4
|
+
return if RubyJwk.skip_issuers.to_a.include?(jwt_payload['iss'])
|
|
5
5
|
|
|
6
|
-
JWT.decode(
|
|
6
|
+
JWT.decode(jwt_token, nil, true, { algorithm: 'RS256', jwks: jwk_loader})
|
|
7
7
|
rescue JWT::DecodeError => e
|
|
8
8
|
render status: 401, json: error_response_template("Authentication failed! - #{e.message}")
|
|
9
9
|
end
|
|
10
10
|
|
|
11
11
|
def jwt_payload
|
|
12
|
-
@jwt_payload ||= JWT.decode(
|
|
12
|
+
@jwt_payload ||= JWT.decode(jwt_token, nil, false).first
|
|
13
13
|
rescue JWT::DecodeError => e
|
|
14
14
|
render status: 401, json: error_response_template("Authentication failed! - #{e.message}")
|
|
15
15
|
end
|
|
16
16
|
|
|
17
|
+
def jwt_tenant_name
|
|
18
|
+
@jwt_payload.dig('tenant')
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def jwt_token
|
|
22
|
+
return unless auth_header.starts_with?('Bearer ')
|
|
23
|
+
|
|
24
|
+
auth_header.to_s.gsub('Bearer ', '')
|
|
25
|
+
end
|
|
26
|
+
|
|
17
27
|
private
|
|
18
28
|
|
|
19
29
|
# invalidate becomes true when kid not found
|
|
@@ -30,10 +40,6 @@ module RubyJwk
|
|
|
30
40
|
end
|
|
31
41
|
end
|
|
32
42
|
|
|
33
|
-
def tenant_name
|
|
34
|
-
@payload.fetch('tenant')
|
|
35
|
-
end
|
|
36
|
-
|
|
37
43
|
def error_response_template(msg)
|
|
38
44
|
{
|
|
39
45
|
error: {
|
|
@@ -48,11 +54,5 @@ module RubyJwk
|
|
|
48
54
|
def auth_header
|
|
49
55
|
request.headers['Authorization'].to_s
|
|
50
56
|
end
|
|
51
|
-
|
|
52
|
-
def token
|
|
53
|
-
return unless auth_header.starts_with?('Bearer ')
|
|
54
|
-
|
|
55
|
-
auth_header.to_s.gsub('Bearer ', '')
|
|
56
|
-
end
|
|
57
57
|
end
|
|
58
58
|
end
|
data/lib/ruby_jwk/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby_jwk
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- santhanakarthikeyan
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-02-
|
|
11
|
+
date: 2022-02-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|