warden-auth0 0.5.1 → 1.0.0
- checksums.yaml +4 -4
- data/lib/warden/auth0/strategy.rb +21 -4
- data/lib/warden/auth0/token_decoder.rb +9 -11
- data/lib/warden/auth0/version.rb +1 -1
- data/lib/warden/auth0.rb +5 -27
- data/warden-auth0.gemspec +0 -1
- metadata +2 -22
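--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c0393f5a1b3774024bb3c8eecd94658c1b99e40b9305f0aca2d57419e739d366
+data.tar.gz: 995ab21d0112fcb53ff6065f3d92b605e7436d0d3b7cfa94d6fbf409f7db8d30
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a3c52ab6403319bc1b555b67670bc622c29946983f2d7cfdfc6f23b29e5530006caa043bc802aae282a1fba840c132d1dca7773db103588ed351b5ba5e8c10eb
+data.tar.gz: 1cbe71324f0769f76ecbfbd7dc01c7658430e3eeab6d155e79bf26a15907c054858ebf8d733b4b56972a9c92e6edca3ee658ea15f7c4fca6fa70f7a9b416b80d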
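--- a/data/lib/warden/auth0/strategy.rb
+++ b/data/lib/warden/auth0/strategy.rb
@@ -1,12 +1,23 @@
 # frozen_string_literal: true
 
 require 'warden'
+require 'dry/configurable'
 
 module Warden
   module Auth0
     # Warden strategy to authenticate a user through a JWT token in the
-    #
+    # request header (see Warden::Auth0.config.token_header).
+    #
+    # Configure issuer, aud, algorithm, jwks_url on the strategy before adding to Warden.
     class Strategy < Warden::Strategies::Base
+      extend Dry::Configurable
+
+      setting :algorithm
+      setting :issuer
+      setting :aud
+      setting :jwks_url
+      setting :jwks, default: nil
+
       def valid?
         token_exists? && issuer_claim_valid? && aud_claim_valid?
       end
@@ -42,7 +53,8 @@ module Warden
       end
 
       def decoded_token
-
+        cfg = self.class.config
+        TokenDecoder.new(algorithm: cfg.algorithm, jwks: jwks).call(token)
       end
 
       def issuer_claim_valid?
@@ -60,19 +72,24 @@ module Warden
       end
 
       def configured_aud
-        audience =
+        audience = self.class.config.aud
         raise Errors::NoConfiguredAud if audience.nil?
 
         audience
       end
 
       def configured_issuer
-        configured_issuer =
+        configured_issuer = self.class.config.issuer
         raise Errors::NoConfiguredIssuer if configured_issuer.nil?
 
         configured_issuer
       end
 
+      def jwks
+        cfg = self.class.config
+        cfg.jwks || Warden::Auth0.fetch_jwks(cfg.jwks_url)
+      end
+
       def issuer_matches?(payload, issuer_config)
         token_issuer = payload['iss'].to_s
         return false unless token_issuer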
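Review bot: `jwks` (third hunk) fetches the key set from `jwks_url` on every call and `decoded_token` (second hunk) calls it on every decode with no memoisation, so with `config.jwks` left nil each authentication attempt — and presumably each of the `valid?` helpers that decode the token — triggers an outbound `Warden::Auth0.fetch_jwks` request, tying availability to the JWKS endpoint and giving every unauthenticated request a network round-trip cost. The removed module-level `setting :jwks, constructor: …` resolved the set once; cache the fetched set class-side with a bounded TTL (so rotated keys are still picked up) or at minimum memoise `@decoded_token ||= …` per strategy instance. `decoded_token` also hands `cfg.algorithm` to the decoder with no nil guard, unlike `configured_aud`/`configured_issuer` which raise `Errors::NoConfiguredAud`/`Errors::NoConfiguredIssuer`; ruby-jwt should refuse an empty algorithm list with `JWT::IncorrectAlgorithm`, but a sibling error raised at configuration time would be consistent and clearer. Unrelated context in the third hunk: `payload['iss'].to_s` can never be nil, so `return false unless token_issuer` is dead and `return false if token_issuer.empty?` is presumably what was intended. The rest of the `valid?` helpers and `fetch_jwks` lie outside these hunks.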
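--- a/data/lib/warden/auth0/token_decoder.rb
+++ b/data/lib/warden/auth0/token_decoder.rb
@@ -4,24 +4,22 @@ require 'jwt/error'
 
 module Warden
   module Auth0
-    # Decodes a JWT into a hash payload
+    # Decodes a JWT into a hash payload. Algorithm and JWKS are provided by the strategy config.
     class TokenDecoder
-
+      attr_reader :algorithm, :jwks
+
+      # @param algorithm [String] algorithm (e.g. 'RS256')
+      # @param jwks [Object] JWKS used to verify (e.g. JWT::JWK::Set)
+      def initialize(algorithm:, jwks:)
+        @algorithm = algorithm
+        @jwks = jwks
+      end
 
       # Decodes the payload from a JWT as a hash
       #
-      # @see JWT.decode for all the exceptions than can be raised when given
-      # token is invalid
-      #
       # @param token [String] a JWT
       # @return [Hash] payload decoded from the JWT
       def call(token)
-        decode(token)
-      end
-
-      private
-
-      def decode(token)
         JWT.decode(token, nil, true, algorithms: algorithm, jwks: jwks)[0]
       end
     end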
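Review bot: `initialize` accepts `nil` for both `algorithm` and `jwks`, and the failure only surfaces inside `JWT.decode` in `call`; these two values are the whole verification policy (the algorithm allow-list and the trusted key set), so validate them at construction, e.g. `raise ArgumentError, 'algorithm must be set' if algorithm.nil?` and the same for `jwks`, rather than relying on ruby-jwt failing closed deep in decode. The deleted `@see JWT.decode` note was the only documentation of what `call` raises on an invalid or unverifiable token; add `# @raise [JWT::DecodeError] when the token is malformed, expired, or its signature/alg/kid cannot be verified` (the file requires `jwt/error`, per the hunk header). `@param jwks [Object]` is too loose to guide callers; document the shapes the `jwks:` decode option accepts — a `JWT::JWK::Set`, a `{ keys: [...] }` hash, or a loader callable — and I believe `JWT::JWK::Set` only exists in ruby-jwt 2.7+, which the gemspec's `~> 2.1` floor does not guarantee, so that example is worth confirming against the pinned version.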
data/lib/warden/auth0/version.rb
CHANGED
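--- a/data/lib/warden/auth0.rb
+++ b/data/lib/warden/auth0.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'dry/configurable'
-require 'dry/auto_inject'
 require 'jwt'
 require 'warden'
 require 'faraday'
@@ -10,38 +9,17 @@ module Warden
   # Auth0 authentication plugin for warden.
   #
   # It consists of a strategy which tries to authenticate an user decoding a
-  # token present in the
+  # token present in the request header (as `Bearer %token%`). The header name
+  # is configured via +token_header+.
   module Auth0
     extend Dry::Configurable
-    # Request header that will be used for receiving and returning the token.
-    setting :token_header, default: 'Authorization'
-
-    # The algorithm used to encode the token
-    setting :algorithm
-
-    # The issuer claims associated with the tokens
-    #
-    # Will be used to only apply the warden strategy when the issuer matches.
-    # This allows for multiple token issuers being used.
-    # @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
-    setting :issuer, default: nil
-
-    # The aud claims associated with the tokens
-    #
-    # Will be used to only apply the warden strategy when the audience matches.
-    setting :aud, default: nil
 
-    #
-    setting :
+    # Request header used for receiving and returning the token.
+    setting :token_header, default: 'Authorization'
 
     setting :verify_ssl, default: true
 
-    #
-    setting :jwks, constructor: ->(jwks) { jwks || fetch_jwks(config.jwks_url) }
-
-    Import = Dry::AutoInject(config)
-
-    # Method to fetch JWKS from the specified URL
+    # Fetches JWKS from the given URL. Used by the strategy when jwks_url is configured.
     def self.fetch_jwks(jwks_url)
       raise 'No url provided for fetching jwks' if jwks_url.nil?
 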
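Review bot: The updated module comment (second hunk) still reads as if all configuration lives on `Warden::Auth0`, yet this commit removes `algorithm`, `issuer`, `aud`, `jwks_url` and `jwks` from this module and leaves only `token_header` and `verify_ssl` here; the comment should say where they went, e.g. `# Token verification settings (algorithm, issuer, aud, jwks_url, jwks) are configured on Warden::Auth0::Strategy.config; only token_header and verify_ssl remain here.` Assigning one of the removed settings through `Warden::Auth0.config` should now fail loudly rather than silently no-op (dry-configurable rejects unknown settings, as far as I can tell), which is the right outcome for a 0.x → 1.0 break, but it deserves a line in the changelog or the comment above. The `verify_ssl` setting that stays behind presumably governs the Faraday client in `fetch_jwks` (body outside the hunk); since that call retrieves the keys every token is verified against, its comment should state that turning it off disables TLS certificate validation for key retrieval. The bare `raise 'No url provided for fetching jwks'` (`RuntimeError`) in the context lines would also be more consistent as a class under `Errors`, alongside `Errors::NoConfiguredAud` in strategy.rb.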
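--- a/data/warden-auth0.gemspec
+++ b/data/warden-auth0.gemspec
@@ -21,7 +21,6 @@ Gem::Specification.new do |spec|
 
   spec.metadata['rubygems_mfa_required'] = 'true'
 
-  spec.add_dependency 'dry-auto_inject', '>= 0.8', '< 2'
   spec.add_dependency 'dry-configurable', '>= 0.13', '< 2'
   spec.add_dependency 'faraday', '2.9.0'
   spec.add_dependency 'jwt', '~> 2.1'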
metadata
CHANGED
|
@@ -1,35 +1,15 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: warden-auth0
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 1.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- 1KOMMA5º
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2026-03-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
|
-
- !ruby/object:Gem::Dependency
|
|
14
|
-
name: dry-auto_inject
|
|
15
|
-
requirement: !ruby/object:Gem::Requirement
|
|
16
|
-
requirements:
|
|
17
|
-
- - ">="
|
|
18
|
-
- !ruby/object:Gem::Version
|
|
19
|
-
version: '0.8'
|
|
20
|
-
- - "<"
|
|
21
|
-
- !ruby/object:Gem::Version
|
|
22
|
-
version: '2'
|
|
23
|
-
type: :runtime
|
|
24
|
-
prerelease: false
|
|
25
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
26
|
-
requirements:
|
|
27
|
-
- - ">="
|
|
28
|
-
- !ruby/object:Gem::Version
|
|
29
|
-
version: '0.8'
|
|
30
|
-
- - "<"
|
|
31
|
-
- !ruby/object:Gem::Version
|
|
32
|
-
version: '2'
|
|
33
13
|
- !ruby/object:Gem::Dependency
|
|
34
14
|
name: dry-configurable
|
|
35
15
|
requirement: !ruby/object:Gem::Requirement
|