# frozen_string_literal: true
module IdBosaFas
  # OmniAuth integration for the Belgian federal authentication service
  # (BOSA FAS), an OpenID Connect provider. Builds the strategy options for
  # the configured FAS environment and maps the returned profile onto user
  # attributes.
  class BosaFasOmniauth < OmniauthMethods::Base
    include BosaFasVerification

    # Per-environment IdP endpoints, keyed by the value of `config[:environment]`.
    # Lookups below use `fetch`, so an unknown environment raises KeyError
    # instead of silently falling back to some default host.
    ENVIRONMENTS = {
      'integration' => {
        host: 'idp.iamfas.int.belgium.be',
        jwks_uri: 'https://idp.iamfas.int.belgium.be/fas/oauth2/connect/jwk_uri'
      },
      'production' => {
        host: 'idp.iamfas.belgium.be',
        jwks_uri: 'https://idp.iamfas.belgium.be/fas/oauth2/connect/jwk_uri'
      }
    }

    # Maps the OmniAuth auth hash onto user attributes.
    #
    # @param auth [#dig] OmniAuth auth hash; reads extra.raw_info.givenName
    #   and extra.raw_info.surname
    # @return [Hash] :first_name and/or :last_name, each key present only when
    #   the corresponding source value is truthy
    def profile_to_user_attrs(auth)
      candidates = {
        first_name: auth.dig('extra', 'raw_info', 'givenName'),
        last_name: auth.dig('extra', 'raw_info', 'surname')
      }
      candidates.select { |_attr, value| value }
    end

    # Configures the OpenID Connect strategy for the current request.
    #
    # Does nothing unless the verification method is active for the given
    # configuration. Each option is written individually onto the strategy's
    # options object (not merged in bulk) so that the options class keeps its
    # own key/value handling.
    #
    # @param configuration [AppConfiguration]
    # @param env [Hash] Rack env; `env['omniauth.strategy']` is the strategy
    # @return [void]
    def omniauth_setup(configuration, env)
      return unless Verification::VerificationService.new.active?(configuration, name)

      strategy_options = env['omniauth.strategy'].options
      strategy_settings(configuration).each do |key, value|
        strategy_options[key] = value
      end
    end

    # IdP host for the configured environment.
    #
    # @return [String]
    # @raise [KeyError] when `config[:environment]` is not a known environment
    def host
      environment_settings.fetch(:host)
    end

    # JWKS endpoint for the configured environment.
    #
    # @return [String]
    # @raise [KeyError] when `config[:environment]` is not a known environment
    def jwks_uri
      environment_settings.fetch(:jwks_uri)
    end

    # Returns the JSON Web Key Set (JWKS) that can be used to validate JSON tokens
    # issued by BOSA FAS.
    #
    # Fetched over HTTPS with open-uri (`URI#read`) and memoised on this instance
    # for its whole lifetime.
    # NOTE(review): a key rotated by FAS is only picked up once a fresh instance
    # is built, and the fetch runs with open-uri's default timeouts in the login
    # path — confirm the instance lifetime and whether a bounded timeout or a
    # refresh-on-unknown-kid is wanted.
    #
    # @return [String] the raw JWKS document as served by the IdP
    def jwks
      @jwks ||= URI.parse(jwks_uri).read
    end

    # @return [Array<Symbol>] the base class's attributes plus the two names
    #   produced by #profile_to_user_attrs
    def updateable_user_attrs
      super + %i[first_name last_name]
    end

    private

    # Endpoint settings for `config[:environment]`.
    #
    # @return [Hash] :host and :jwks_uri
    # @raise [KeyError] on an unknown environment
    def environment_settings
      ENVIRONMENTS.fetch(config[:environment])
    end

    # Strategy options for the configured environment, in the order they are
    # assigned. `state` and `nonce` enable the strategy's OIDC state and nonce
    # checks; `acr_values` asks FAS for its `Level450` assurance level.
    # Assumes `config` (inherited/mixed in) exposes :identifier, :secret and
    # :environment.
    #
    # @param configuration [AppConfiguration] supplies `base_backend_uri` for
    #   the redirect URI
    # @return [Hash{Symbol => Object}]
    def strategy_settings(configuration)
      {
        scope: %i[openid profile egovnrn],
        response_type: :code,
        state: true,
        nonce: true,
        issuer: "https://#{host}/fas/oauth2",
        acr_values: 'urn:be:fedict:iam:fas:Level450',
        send_scope_to_token_endpoint: false,
        client_signing_alg: :RS256,
        client_jwk_signing_key: jwks,
        client_options: {
          identifier: config[:identifier],
          secret: config[:secret],
          port: 443,
          scheme: 'https',
          host: host,
          authorization_endpoint: '/fas/oauth2/authorize',
          token_endpoint: '/fas/oauth2/access_token',
          userinfo_endpoint: '/fas/oauth2/userinfo',
          redirect_uri: "#{configuration.base_backend_uri}/auth/bosa_fas/callback"
        }
      }
    end
  end
end