warden-auth0 1.0.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +23 -0
- data/lib/warden/auth0/strategy.rb +23 -9
- data/lib/warden/auth0/version.rb +1 -1
- data/lib/warden/auth0.rb +0 -19
- metadata +2 -2
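--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8c9e553549199de29e2c2bc57d460446f5ab3a703713062a0a6a813814c47af2
+data.tar.gz: 62bcd022d6d526c3bfc80963754476ad8b698ad3b7d7f2a3c6a30efc0ba2e536
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e6fd5caf3bfd2f5474f990fe424a5be1c42b82b9e7577a843b7721041d57e53a0909a6b7d1b25885305a8f375e0e812088b9587ef3c1ae1ec8ca1da96a2516cd
+data.tar.gz: aefd93fdc3655f844ca867ad08c75bd8410c3096f17b1bc3b028aa4c18b413c92f34e055fe2d8b3d1aeb946fdd8f12c95e2b7d72bb113e8461c796927b5b5528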
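--- a/data/README.md
+++ b/data/README.md
@@ -39,6 +39,29 @@ Or install it yourself as:
 
 You can look at this gem's wiki to see some [example applications](https://github.com/waiting-for-dev/warden-jwt_auth/wiki). Please, add yours if you think it can help somebody.
 
+### Auth0 JWT strategy and JWKS
+
+Tokens are verified with `issuer`, `audience`, `algorithm`, and a **JWKS** object passed to `ruby-jwt`. The strategy does **not** define a `jwks_url` setting: you assign `jwks` yourself, usually once at boot.
+
+```ruby
+Warden::Auth0::Strategy.configure do |config|
+config.issuer = 'https://YOUR_DOMAIN.auth0.com/'
+config.aud = 'https://your-api-identifier' # Auth0 API audience
+config.algorithm = 'RS256'
+config.jwks = Warden::Auth0::Strategy.fetch_jwks(
+'https://YOUR_DOMAIN.auth0.com/.well-known/jwks.json'
+)
+# Optional: TLS verification for JWKS HTTP fetch (default: true)
+# config.verify_ssl = true
+end
+```
+
+`fetch_jwks` returns signing keys (`use: sig`) suitable for verification. For tests or advanced cases, set `config.jwks` to any value accepted by `JWT.decode`’s `jwks:` option (see [ruby-jwt](https://github.com/jwt/ruby-jwt)).
+
+**Migration:** If you previously relied on a `jwks_url` strategy setting, remove it and set `jwks` explicitly as above (or load keys another way and assign `config.jwks`).
+
+Register the strategy and implement a resolver for your Warden scope (e.g. `user_resolver`) as in the examples under [Warden scopes configuration](#warden-scopes-configuration).
+
 At its core, this library consists of:
 
 - A Warden strategy that authenticates a user if a valid JWT token is present in the request headers.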
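--- a/data/lib/warden/auth0/strategy.rb
+++ b/data/lib/warden/auth0/strategy.rb
@@ -8,15 +8,17 @@ module Warden
 # Warden strategy to authenticate a user through a JWT token in the
 # request header (see Warden::Auth0.config.token_header).
 #
-# Configure issuer, aud, algorithm
+# Configure issuer, aud, algorithm on the strategy before adding to Warden.
 class Strategy < Warden::Strategies::Base
 extend Dry::Configurable
 
 setting :algorithm
 setting :issuer
 setting :aud
-setting :
-
+setting :verify_ssl, default: true
+
+# Store the JWKS after fetching it
+setting :jwks
 
 def valid?
 token_exists? && issuer_claim_valid? && aud_claim_valid?
@@ -54,7 +56,7 @@ module Warden
 
 def decoded_token
 cfg = self.class.config
-TokenDecoder.new(algorithm: cfg.algorithm, jwks: jwks).call(token)
+TokenDecoder.new(algorithm: cfg.algorithm, jwks: cfg.jwks).call(token)
 end
 
 def issuer_claim_valid?
@@ -85,11 +87,6 @@ module Warden
 configured_issuer
 end
 
-def jwks
-cfg = self.class.config
-cfg.jwks || Warden::Auth0.fetch_jwks(cfg.jwks_url)
-end
-
 def issuer_matches?(payload, issuer_config)
 token_issuer = payload['iss'].to_s
 return false unless token_issuer
@@ -117,6 +114,23 @@ module Warden
 
 false
 end
+
+# Fetches JWKS from the given URL.
+def self.fetch_jwks(jwks_url)
+puts "Fetching JWKS from #{jwks_url}"
+raise 'No url provided for fetching jwks' if jwks_url.nil?
+jwks_response = self.connection.get(jwks_url).body
+jwks = JWT::JWK::Set.new(jwks_response)
+jwks.select { |key| key[:use] == 'sig' }
+rescue StandardError => e
+raise "Failed to fetch JWKS: #{e.message}"
+end
+
+def self.connection
+Faraday.new(request: { timeout: 5 }, ssl: { verify: config.verify_ssl }) do |conn|
+conn.response :json
+end
+end
 end
 end
 end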
data/lib/warden/auth0/version.rb
CHANGED
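--- a/data/lib/warden/auth0.rb
+++ b/data/lib/warden/auth0.rb
@@ -16,25 +16,6 @@ module Warden
 
 # Request header used for receiving and returning the token.
 setting :token_header, default: 'Authorization'
-
-setting :verify_ssl, default: true
-
-# Fetches JWKS from the given URL. Used by the strategy when jwks_url is configured.
-def self.fetch_jwks(jwks_url)
-raise 'No url provided for fetching jwks' if jwks_url.nil?
-
-jwks_response = connection.get(jwks_url).body
-jwks = JWT::JWK::Set.new(jwks_response)
-jwks.select { |key| key[:use] == 'sig' }
-rescue StandardError => e
-raise "Failed to fetch JWKS: #{e.message}"
-end
-
-def self.connection
-Faraday.new(request: { timeout: 5 }, ssl: { verify: config.verify_ssl }) do |conn|
-conn.response :json
-end
-end
 end
 end
 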
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: warden-auth0
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- 1KOMMA5º
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2026-
|
|
11
|
+
date: 2026-04-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dry-configurable
|