zaikio-oauth_client 0.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: fecfed2440981eaf2c59ba4384fdea548e92fa367d6450a7807d75abce1ae75c
+  data.tar.gz: c2b1bdeaa040528a057407a5eed4d63823aa40c1f46f2f669d0ea547f1e9b388
+SHA512:
+  metadata.gz: 58f935b305aad9ac07f0363258978aae4d72a50de4f10a70d5435581dc270e146f4affb663ebfc500c40313c1f63bf5d1139bd8118d0eacfa7b508b0636254bf
+  data.tar.gz: cfa0466451e2d7e026281b808932520b21fb5ef253075982619472f15adf8e8c1961b9b172b5b5185a860f964ea402c9118b08b1e446e6d4c706b017fdc08fc2

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2019 Christian Weyer
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,248 @@
+# Zaikio::OAuthClient
+
+This Gem enables you to easily connect to the Zaikio Directory and use the OAuth2 flow and easily lookup matching Access Tokens.
+
+
+## Installation
+
+Simply add the following in your Gemfile:
+
+```ruby
+gem "zaikio-oauth_client"
+```
+Then run `bundle install`.
+
+## Setup & Configuration
+
+### 1. Copy & run Migrations
+
+```bash
+rails zaikio_oauth_client:install:migrations
+rails db:migrate
+```
+
+This will create the tables:
++ `zaikio_access_tokens`
+
+### 2. Mount routes
+
+Add this to `config/routes.rb`:
+
+```rb
+mount Zaikio::OAuthClient::Engine => "/zaikio"
+```
+
+### 3. Configure Gem
+
+```rb
+# config/initializers/zaikio_oauth_client.rb
+Zaikio::OAuthClient.configure do |config|
+  config.environment = :sandbox
+
+  config.register_client :warehouse do |warehouse|
+    warehouse.client_id       = "52022d7a-7ba2-41ed-8890-97d88e6472f6"
+    warehouse.client_secret   = "ShiKTnHqEf3M8nyHQPyZgbz7"
+    warehouse.default_scopes  = %w[directory.person.r]
+
+    warehouse.register_organization_connection do |org|
+      org.default_scopes = %w[directory.organization.r]
+    end
+  end
+
+  config.register_client :warehouse_goods_call_of do |warehouse_goods_call_of|
+    warehouse_goods_call_of.client_id       = "12345-7ba2-41ed-8890-97d88e6472f6"
+    warehouse_goods_call_of.client_secret   = "secret"
+    warehouse_goods_call_of.default_scopes  = %w[directory.person.r]
+
+    warehouse_goods_call_of.register_organization_connection do |org|
+      org.default_scopes = %w[directory.organization.r]
+    end
+  end
+
+  config.around_auth do |access_token, block|
+    Zaikio::Directory.with_token(access_token.token) do
+      block.call(access_token)
+    end
+  end
+end
+```
+
+
+### 4. Clean up outdated access tokens (recommended)
+
+To avoid keeping all expired oath and refresh tokens in your database, we recommend to implement their scheduled deletion. We recommend therefore to use a schedule gems such as [sidekiq](https://github.com/mperham/sidekiq) and [sidekiq-scheduler](https://github.com/moove-it/sidekiq-scheduler).
+
+Simply add the following to your Gemfile:
+
+```rb
+gem "sidekiq"
+gem "sidekiq-scheduler"
+```
+Then run `bundle install`.
+
+Configure sidekiq scheduler in `config/sidekiq.yml`:
+```yaml
+:schedule:
+  cleanup_acces_tokens_job:
+    cron: '0 3 * * *'               # This will delete all expired tokens every day at 3am.
+    class: 'Zaikio::CleanupAccessTokensJob'
+```
+
+
+## Usage
+
+### OAuth Flow
+
+From any point in your application you can start using the Zaikio Directory OAuth2 flow with
+
+```rb
+redirect_to zaikio_oauth_client.new_session_path
+# or
+redirect_to zaikio_oauth_client.new_session_path(client_name: 'my_other_client')
+# or install as organization
+redirect_to zaikio_oauth_client.new_connection_path(client_name: 'my_other_client')
+```
+
+This will redirect the user to the OAuth Authorize endpoint of the Zaikio Directory `.../oauth/authorize` and include all necessary parameters like your client_id.
+
+#### Session handling
+
+The Zaikio gem engine will set a cookie for the user after a successful OAuth flow: `cookies.encrypted[:zaikio_person_id]`.
+
+If you are using for example `Zaikio::Directory::Models`, you can use this snippet to set the current user:
+
+```ruby
+Current.user ||= Zaikio::Directory::Models::Person.find_by(id: cookies.encrypted[:zaikio_person_id])
+````
+
+You can then use `Current.user` anywhere.
+
+For **logout** use: `zaikio_oauth_client.session_path, method: :delete` or build your own controller for deleting the cookie.
+
+#### Multiple clients
+
+When performing requests against directory APIs, it is important to always provide the correct client in order to use the client credentials flow correctly. Otherwise always the first client will be used. It is recommended to specify an `around_action`:
+
+```rb
+class ApplicationController < ActionController::Base
+  around_action :with_client
+
+  private
+
+  def with_client
+    Zaikio::OAuthClient.with_client Current.client_name do
+      yield
+    end
+  end
+end
+```
+
+#### Redirecting
+
+The `zaikio_oauth_client.new_session_path` which was used for the first initiation of the OAuth flow, accepts an optional parameter `origin` which will then be used to redirect the user at the end of a completed & successful OAuth flow.
+
+Additionally you can also specify your own redirect handlers in your `ApplicationController`:
+
+```rb
+class ApplicationController < ActionController::Base
+  def after_approve_path_for(access_token, origin)
+    cookies.encrypted[:zaikio_person_id] = access_token.bearer_id unless access_token.organization?
+
+    # Sync data on login
+    Zaikio::Directory.with_token(access_token.token) do
+      access_token.bearer_klass.find_and_reload!(access_token.bearer_id, includes: :all)
+    end
+
+    origin || main_app.root_path
+  end
+
+  def after_destroy_path_for(access_token_id)
+    cookies.delete :zaikio_person_id
+
+    main_app.root_path
+  end
+end
+```
+
+#### Custom behavior
+
+Since the built in `SessionsController` and `ConnectionsController` are inheriting from the main app's `ApplicationController` all behaviour will be added there, too. In some cases you might want to explicitly skip a `before_action` or add custom `before_action` callbacks.
+
+You can achieve this by adding a custom controller name to your configuration:
+
+```rb
+# app/controllers/sessions_controller.rb
+class SessionsController < Zaikio::OAuthClient::SessionsController
+  skip_before_action :redirect_unless_authenticated
+end
+
+# config/initializers/zaikio_oauth_client.rb
+Zaikio::OAuthClient.configure do |config|
+  # ...
+  config.sessions_controller_name = "sessions"
+  # config.connections_controller_name = "connections"
+  # ...
+end
+```
+
+#### Testing
+
+You can use our test helper to login different users:
+
+```rb
+# test_helper.rb
+class ActiveSupport::TestCase
+  # ...
+  include Zaikio::OAuthClient::TestHelper
+  # ...
+end
+
+# my_controller_test.rb
+class MyControllerTest < ActionDispatch::IntegrationTest
+  test "does request" do
+    person = people(:my_person)
+    logged_in_as(person)
+
+    # ... make the request
+  end
+end
+```
+
+#### Authenticated requests
+
+Now further requests to the Directory API or to other Zaikio APIs should be made. For this purpose the OAuthClient provides a helper method `with_auth` that automatically fetches an access token from the database, requests a refresh token or creates a new access token via client credentials flow.
+
+```rb
+Zaikio::OAuthClient.with_auth(bearer_type: "Organization", bearer_id: "fd61f5f5-038b-44cf-b554-dfe9555f1e29", scopes: %w[directory.organization.r directory.organization_members.r]) do |access_token|
+  # call config.around_auth with given access token
+end
+```
+
+## Use of dummy app
+
+You can use the included dummy app as a showcase for the workflow and to adjust your own application. To set up the dummy application properly, go into `test/dummy` and use [puma-dev](https://github.com/puma/puma-dev) like this:
+
+```shell
+puma-dev link -n 'zaikio-oauth-client'
+```
+This will make the dummy app available at: [http://zaikio-oauth-client.test](http://zaikio-oauth-client.test/)
+
+If you use the provided OAuth credentials from above and test this against the Sandbox, everything should work as the redirect URLs for [http://zaikio-oauth-client.test](http://zaikio-oauth-client.test/) are approved within the Sandbox.
+
+
+## Contributing
+
+**Make sure you have the dummy app running locally to validate your changes.**
+
+Make your changes and adjust `version.rb`. Please make sure to update `CHANGELOG.md`.
+
+**To push a new release:**
+
+- `gem build zaikio-oauth_client.gemspec`
+- `gem push zaikio-oauth_client-0.1.0.gem`
+*Adjust the version accordingly.*
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,43 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Zaikio'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test
+
+require 'rubocop/rake_task'
+
+namespace :test do
+  desc 'Runs RuboCop on specified directories'
+  RuboCop::RakeTask.new(:rubocop) do |task|
+    task.fail_on_error = false
+  end
+end
+
+Rake::Task[:test].enhance ['test:rubocop']

data/app/controllers/zaikio/oauth_client/connections_controller.rb

@@ -0,0 +1,17 @@
+module Zaikio
+  module OAuthClient
+    class ConnectionsController < ApplicationController
+      include Zaikio::OAuthClient::Authenticatable
+
+      private
+
+      def approve_url(client_name = nil)
+        zaikio_oauth_client.approve_connection_url(client_name)
+      end
+
+      def use_org_config?
+        true
+      end
+    end
+  end
+end

data/app/controllers/zaikio/oauth_client/sessions_controller.rb

@@ -0,0 +1,7 @@
+module Zaikio
+  module OAuthClient
+    class SessionsController < ApplicationController
+      include Zaikio::OAuthClient::Authenticatable
+    end
+  end
+end

data/app/helpers/zaikio/application_helper.rb

@@ -0,0 +1,4 @@
+module Zaikio
+  module ApplicationHelper
+  end
+end

data/app/jobs/zaikio/application_job.rb

@@ -0,0 +1,4 @@
+module Zaikio
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/jobs/zaikio/cleanup_access_tokens_job.rb

@@ -0,0 +1,7 @@
+module Zaikio
+  class CleanupAccessTokensJob < ApplicationJob
+    def perform
+      Zaikio::AccessToken.with_invalid_refresh_token.delete_all
+    end
+  end
+end

data/app/models/zaikio/access_token.rb

@@ -0,0 +1,87 @@
+require "jwt"
+require "zaikio/jwt_auth"
+
+module Zaikio
+  class AccessToken < ApplicationRecord
+    self.table_name = "zaikio_access_tokens"
+
+    def self.build_from_access_token(access_token) # rubocop:disable Metrics/AbcSize
+      payload = JWT.decode(access_token.token, nil, false).first rescue {} # rubocop:disable Style/RescueModifier
+      new(
+        id: payload["jti"],
+        bearer_type: access_token.params["bearer"]["type"],
+        bearer_id: access_token.params["bearer"]["id"],
+        audience: access_token.params["audiences"].first,
+        token: access_token.token,
+        refresh_token: access_token.refresh_token,
+        expires_at: Time.strptime(access_token.expires_at.to_s, "%s"),
+        scopes: access_token.params["scope"].split(",")
+      )
+    end
+
+    def self.refresh_token_valid_for
+      7.days
+    end
+
+    # Scopes
+    scope :valid, lambda {
+      where("expires_at > :now", now: Time.current)
+        .where.not(id: Zaikio::JWTAuth.revoked_token_ids)
+    }
+    scope :with_invalid_refresh_token, lambda {
+      where("created_at <= ?", Time.current - Zaikio::AccessToken.refresh_token_valid_for)
+    }
+    scope :valid_refresh, lambda {
+      where("expires_at <= :now AND created_at > :created_at_max",
+            now: Time.current,
+            created_at_max: Time.current - refresh_token_valid_for)
+        .where("refresh_token IS NOT NULL")
+        .where.not(id: Zaikio::JWTAuth.revoked_token_ids)
+    }
+    scope :by_bearer, lambda { |bearer_type: "Person", bearer_id:, scopes: []|
+      where(bearer_type: bearer_type, bearer_id: bearer_id)
+        .where("scopes @> ARRAY[?]::varchar[]", scopes)
+    }
+    scope :usable, lambda { |options|
+      by_bearer(**options).valid.or(by_bearer(**options).valid_refresh)
+                        .order(expires_at: :desc)
+    }
+
+    def expired?
+      expires_at < Time.current
+    end
+
+    def organization?
+      bearer_type == "Organization"
+    end
+
+    def expires_in
+      (expires_at - Time.current).to_i
+    end
+
+    def bearer_klass
+      return unless Zaikio.const_defined?("Directory::Models")
+
+      if Zaikio::Directory::Models.configuration.respond_to?(:"#{bearer_type.underscore}_class_name")
+        Zaikio::Directory::Models.configuration.public_send(:"#{bearer_type.underscore}_class_name").constantize
+      else
+        "Zaikio::#{bearer_type}".constantize
+      end
+    end
+
+    def refresh!
+      Zaikio::OAuthClient.with_oauth_scheme(:basic_auth) do
+        refreshed_token = OAuth2::AccessToken.from_hash(
+          Zaikio::OAuthClient.for(audience),
+          attributes.slice("token", "refresh_token")
+        ).refresh!
+
+        access_token = self.class.build_from_access_token(refreshed_token)
+
+        transaction { destroy if access_token.save! }
+
+        access_token
+      end
+    end
+  end
+end

data/config/initializers/inflections.rb

@@ -0,0 +1,17 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+ActiveSupport::Inflector.inflections(:en) do |inflect|
+  inflect.acronym "JSON"
+  inflect.acronym "OAuth"
+end

data/config/locales/en.yml

@@ -0,0 +1,6 @@
+en:
+  zaikio:
+    forms:
+      optional: Optional
+      learn_more: Learn more
+

data/config/routes.rb

@@ -0,0 +1,15 @@
+Zaikio::OAuthClient::Engine.routes.draw do
+  sessions_controller = Zaikio::OAuthClient.configuration.sessions_controller_name
+  connections_controller = Zaikio::OAuthClient.configuration.connections_controller_name
+
+  # People
+  get "(/:client_name)/sessions/new", action: :new, controller: sessions_controller, as: :new_session
+  get "(/:client_name)/sessions/approve", action: :approve, controller: sessions_controller, as: :approve_session
+  delete "(/:client_name)/session", action: :destroy, controller: sessions_controller, as: :session
+
+  # Organizations
+  get "(/:client_name)/connections/new", action: :new,
+                                         controller: connections_controller, as: :new_connection
+  get "(/:client_name)/connections/approve", action: :approve,
+                                             controller: connections_controller, as: :approve_connection
+end

data/db/migrate/20190426155505_enable_postgres_extensions_for_uuids.rb

@@ -0,0 +1,5 @@
+class EnablePostgresExtensionsForUuids < ActiveRecord::Migration[6.0]
+  def change
+    enable_extension 'pgcrypto' unless extension_enabled?('pgcrypto')
+  end
+end

data/db/migrate/20191017132048_create_zaikio_access_tokens.rb

@@ -0,0 +1,16 @@
+class CreateZaikioAccessTokens < ActiveRecord::Migration[6.0]
+  def change
+    create_table :zaikio_access_tokens, id: :uuid do |t|
+      t.string :bearer_type, null: false, default: "Organization"
+      t.string :bearer_id, null: false
+      t.string :audience, null: false
+      t.string :token, null: false, index: { unique: true }
+      t.string :refresh_token, index: { unique: true }
+      t.datetime :expires_at, index: true
+      t.string :scopes, array: true, default: [], null: false
+      t.timestamps
+    end
+
+    add_index :zaikio_access_tokens, %i[bearer_type bearer_id]
+  end
+end

data/lib/tasks/zaikio_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :zaikio do
+#   # Task goes here
+# end

data/lib/zaikio/oauth_client.rb

@@ -0,0 +1,101 @@
+require "oauth2"
+
+require "zaikio/oauth_client/engine"
+require "zaikio/oauth_client/configuration"
+require "zaikio/oauth_client/authenticatable"
+
+module Zaikio
+  module OAuthClient
+    class << self
+      attr_reader :client_name
+
+      def configure
+        @configuration ||= Configuration.new
+        yield(configuration)
+      end
+
+      def configuration
+        @configuration ||= Configuration.new
+      end
+
+      def for(client_name = nil)
+        client_config_for(client_name).oauth_client
+      end
+
+      def oauth_scheme
+        @oauth_scheme ||= :request_body
+      end
+
+      def with_oauth_scheme(scheme = :request_body)
+        @oauth_scheme = scheme
+        yield
+      ensure
+        @oauth_scheme = :request_body
+      end
+
+      def with_client(client_name)
+        original_client_name = @client_name || nil
+        @client_name = client_name
+        yield
+      ensure
+        @client_name = original_client_name
+      end
+
+      def with_auth(options_or_access_token, &block)
+        access_token = if options_or_access_token.is_a?(Zaikio::AccessToken)
+                         options_or_access_token
+                       else
+                         get_access_token(options_or_access_token)
+                       end
+
+        return unless block_given?
+
+        if configuration.around_auth_block
+          configuration.around_auth_block.call(access_token, block)
+        else
+          yield(access_token)
+        end
+      end
+
+      def get_access_token(client_name: nil, bearer_type: "Person", bearer_id: nil, scopes: nil) # rubocop:disable Metrics/MethodLength
+        client_name ||= self.client_name
+        client_config = client_config_for(client_name)
+        scopes ||= client_config.default_scopes_for(bearer_type)
+
+        access_token = Zaikio::AccessToken.where(audience: client_config.client_name)
+                                          .usable(bearer_type: bearer_type, bearer_id: bearer_id, scopes: scopes)
+                                          .first
+
+        if access_token.blank?
+          access_token = Zaikio::AccessToken.build_from_access_token(
+            client_config.token_by_client_credentials(
+              bearer_type: bearer_type,
+              bearer_id: bearer_id,
+              scopes: scopes
+            )
+          )
+          access_token.save!
+        elsif access_token&.expired?
+          access_token = access_token.refresh!
+        end
+
+        access_token
+      end
+
+      def get_plain_scopes(scopes)
+        regex = /^((Org|Per)\.)?(.*)$/
+        scopes.map do |scope|
+          (regex.match(scope) || [])[3]
+        end.compact
+      end
+
+      private
+
+      def client_config_for(client_name = nil)
+        raise StandardError.new, "Zaikio::OAuthClient was not configured" unless configuration
+
+        configuration.find!(client_name || configuration.all_client_names.first)
+      end
+    end
+  end
+end

data/lib/zaikio/oauth_client/authenticatable.rb

@@ -0,0 +1,90 @@
+module Zaikio
+  module OAuthClient
+    module Authenticatable
+      extend ActiveSupport::Concern
+
+      def new
+        cookies.encrypted[:origin] = params[:origin]
+
+        redirect_to oauth_client.auth_code.authorize_url(
+          redirect_uri: approve_url(params[:client_name]),
+          scope: oauth_scope
+        )
+      end
+
+      def approve
+        access_token = create_access_token
+
+        origin = cookies.encrypted[:origin]
+        cookies.delete :origin
+
+        cookies.encrypted[:zaikio_access_token_id] = access_token.id unless access_token.organization?
+
+        redirect_to send(
+          respond_to?(:after_approve_path_for) ? :after_approve_path_for : :default_after_approve_path_for,
+          access_token, origin
+        )
+      end
+
+      def destroy
+        access_token_id = cookies.encrypted[:zaikio_access_token_id]
+        cookies.delete :zaikio_access_token_id
+
+        redirect_to send(
+          respond_to?(:after_destroy_path_for) ? :after_destroy_path_for : :default_after_destroy_path_for,
+          access_token_id
+        )
+      end
+
+      private
+
+      def approve_url(client_name = nil)
+        zaikio_oauth_client.approve_session_url(client_name)
+      end
+
+      def use_org_config?
+        false
+      end
+
+      def create_access_token
+        access_token_response = oauth_client.auth_code.get_token(params[:code])
+
+        access_token = Zaikio::AccessToken.build_from_access_token(access_token_response)
+        access_token.save!
+
+        access_token
+      end
+
+      def client_name
+        params[:client_name] || Zaikio::OAuthClient.configuration.all_client_names.first
+      end
+
+      def client_config
+        client_config = Zaikio::OAuthClient.configuration.find!(client_name)
+        client_config = use_org_config? ? client_config.org_config : client_config
+
+        client_config or raise ActiveRecord::RecordNotFound
+      end
+
+      def oauth_client
+        Zaikio::OAuthClient.for(client_name)
+      end
+
+      def oauth_scope
+        client_config.scopes_for_auth(params[:organization_id]).join(",")
+      end
+
+      def default_after_approve_path_for(access_token, origin)
+        cookies.encrypted[:zaikio_person_id] = access_token.bearer_id unless access_token.organization?
+
+        origin || main_app.root_path
+      end
+
+      def default_after_destroy_path_for(_access_token_id)
+        cookies.delete :zaikio_person_id
+
+        main_app.root_path
+      end
+    end
+  end
+end

data/lib/zaikio/oauth_client/client_configuration.rb

@@ -0,0 +1,68 @@
+module Zaikio
+  module OAuthClient
+    class ClientConfiguration
+      attr_reader :org_config, :client_name
+      attr_accessor :client_id, :client_secret, :default_scopes
+
+      def initialize(client_name)
+        @default_scopes = []
+        @client_name = client_name
+      end
+
+      def register_organization_connection
+        @org_config ||= OrganizationConnection.new
+        yield(@org_config)
+      end
+
+      def oauth_client
+        @oauth_client ||= OAuth2::Client.new(
+          client_id,
+          client_secret,
+          authorize_url: "oauth/authorize",
+          token_url: "oauth/access_token",
+          connection_opts: { headers: { "Accept": "application/json" } },
+          site: Zaikio::OAuthClient.configuration.host
+        )
+
+        @oauth_client.options[:auth_scheme] = Zaikio::OAuthClient.oauth_scheme
+
+        @oauth_client
+      end
+
+      def scopes_for_auth(_id = nil)
+        default_scopes
+      end
+
+      def default_scopes_for(type = "Person")
+        type == "Organization" ? org_config.default_scopes : default_scopes
+      end
+
+      def token_by_client_credentials(bearer_id: nil, bearer_type: "Person", scopes: [])
+        plain_scopes = Zaikio::OAuthClient.get_plain_scopes(scopes)
+        scopes_with_prefix = plain_scopes.map do |scope|
+          "#{bearer_type[0..2]}/#{bearer_id}.#{scope}"
+        end
+
+        Zaikio::OAuthClient.with_oauth_scheme(:basic_auth) do
+          oauth_client.client_credentials.get_token(scope: scopes_with_prefix.join(","))
+        end
+      end
+
+      class OrganizationConnection
+        attr_accessor :default_scopes
+
+        def initialize
+          @default_scopes = []
+        end
+
+        def scopes_for_auth(id = nil)
+          plain_scopes = Zaikio::OAuthClient.get_plain_scopes(default_scopes)
+
+          plain_scopes.map do |scope|
+            id ? "Org/#{id}.#{scope}" : "Org.#{scope}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/zaikio/oauth_client/configuration.rb

@@ -0,0 +1,70 @@
+require "logger"
+require "zaikio/oauth_client/client_configuration"
+
+module Zaikio
+  module OAuthClient
+    class Configuration
+      HOSTS = {
+        development: "http://hub.zaikio.test",
+        test: "http://hub.zaikio.test",
+        staging: "https://hub.staging.zaikio.com",
+        sandbox: "https://hub.sandbox.zaikio.com",
+        production: "https://hub.zaikio.com"
+      }.freeze
+
+      attr_accessor :host
+      attr_writer :logger
+      attr_reader :client_configurations, :environment, :around_auth_block,
+                  :sessions_controller_name, :connections_controller_name
+
+      def initialize
+        @client_configurations = {}
+        @around_auth_block = nil
+        @sessions_controller_name = "sessions"
+        @connections_controller_name = "connections"
+      end
+
+      def logger
+        @logger ||= Logger.new(STDOUT)
+      end
+
+      def register_client(name)
+        @client_configurations[name.to_s] ||= ClientConfiguration.new(name.to_s)
+        yield(@client_configurations[name.to_s])
+      end
+
+      def find!(name)
+        @client_configurations[name.to_s] or raise ActiveRecord::RecordNotFound
+      end
+
+      def all_client_names
+        client_configurations.keys
+      end
+
+      def environment=(env)
+        @environment = env.to_sym
+        @host = host_for(environment)
+      end
+
+      def around_auth(&block)
+        @around_auth_block = block
+      end
+
+      def sessions_controller_name=(name)
+        @sessions_controller_name = "/#{name}"
+      end
+
+      def connections_controller_name=(name)
+        @connections_controller_name = "/#{name}"
+      end
+
+      private
+
+      def host_for(environment)
+        HOSTS.fetch(environment) do
+          raise StandardError.new, "Invalid Zaikio::OAuthClient environment '#{environment}'"
+        end
+      end
+    end
+  end
+end

data/lib/zaikio/oauth_client/engine.rb

@@ -0,0 +1,9 @@
+module Zaikio
+  module OAuthClient
+    class Engine < ::Rails::Engine
+      isolate_namespace Zaikio::OAuthClient
+      engine_name "zaikio_oauth_client"
+      config.generators.api_only = true
+    end
+  end
+end

data/lib/zaikio/oauth_client/test_helper.rb

@@ -0,0 +1,16 @@
+module Zaikio
+  module OAuthClient
+    module TestHelper
+      extend ActiveSupport::Concern
+
+      def logged_in_as(person)
+        # We need to manually encrypt the value since the tests cookie jar does not
+        # support encrypted or signed cookies
+        encrypted_cookies = ActionDispatch::Request.new(Rails.application.env_config.deep_dup).cookie_jar
+        encrypted_cookies.encrypted[:zaikio_person_id] = person.id
+
+        cookies["zaikio_person_id"] = encrypted_cookies["zaikio_person_id"]
+      end
+    end
+  end
+end

data/lib/zaikio/oauth_client/version.rb

@@ -0,0 +1,5 @@
+module Zaikio
+  module OAuthClient
+    VERSION = "0.0.0".freeze
+  end
+end

metadata

@@ -0,0 +1,146 @@
+--- !ruby/object:Gem::Specification
+name: zaikio-oauth_client
+version: !ruby/object:Gem::Version
+  version: 0.0.0
+platform: ruby
+authors:
+- Zaikio GmbH
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2021-01-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: zaikio-jwt_auth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.5.0
+- !ruby/object:Gem::Dependency
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem provides a mountable Rails engine that provides single sign
+  on, directory access and further Zaikio platform connectivity.
+email:
+- sb@zaikio.com
+- cw@zaikio.com
+- mp@zaikio.com
+- js@zaikio.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/controllers/zaikio/oauth_client/connections_controller.rb
+- app/controllers/zaikio/oauth_client/sessions_controller.rb
+- app/helpers/zaikio/application_helper.rb
+- app/jobs/zaikio/application_job.rb
+- app/jobs/zaikio/cleanup_access_tokens_job.rb
+- app/models/zaikio/access_token.rb
+- config/initializers/inflections.rb
+- config/locales/en.yml
+- config/routes.rb
+- db/migrate/20190426155505_enable_postgres_extensions_for_uuids.rb
+- db/migrate/20191017132048_create_zaikio_access_tokens.rb
+- lib/tasks/zaikio_tasks.rake
+- lib/zaikio/oauth_client.rb
+- lib/zaikio/oauth_client/authenticatable.rb
+- lib/zaikio/oauth_client/client_configuration.rb
+- lib/zaikio/oauth_client/configuration.rb
+- lib/zaikio/oauth_client/engine.rb
+- lib/zaikio/oauth_client/test_helper.rb
+- lib/zaikio/oauth_client/version.rb
+homepage: https://www.zaikio.com
+licenses:
+- MIT
+metadata:
+  changelog_uri: https://github.com/zaikio/zaikio-oauth_client/blob/master/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.3
+signing_key: 
+specification_version: 4
+summary: Zaikio Platform Connectivity
+test_files: []