-
Notifications
You must be signed in to change notification settings - Fork 126
/
openid_connect.rb
254 lines (218 loc) · 7.07 KB
/
openid_connect.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
require 'addressable/uri'
require 'timeout'
require 'net/http'
require 'open-uri'
require 'omniauth'
require 'openid_connect'
module OmniAuth
module Strategies
class OpenIDConnect
include OmniAuth::Strategy
option :client_options, {
identifier: nil,
secret: nil,
redirect_uri: nil,
scheme: "https",
host: nil,
port: 443,
authorization_endpoint: "/authorize",
token_endpoint: "/token",
userinfo_endpoint: "/userinfo",
jwks_uri: '/jwk'
}
option :issuer
option :discovery, false
option :client_signing_alg
option :client_jwk_signing_key
option :client_x509_signing_key
option :scope, [:openid]
option :response_type, "code"
option :state
option :response_mode
option :display, nil #, [:page, :popup, :touch, :wap]
option :prompt, nil #, [:none, :login, :consent, :select_account]
option :max_age
option :ui_locales
option :id_token_hint
option :login_hint
option :acr_values
option :send_nonce, true
option :client_auth_method
uid { user_info.sub }
info do
{
name: user_info.name,
email: user_info.email,
nickname: user_info.preferred_username,
first_name: user_info.given_name,
last_name: user_info.family_name,
gender: user_info.gender,
image: user_info.picture,
phone: user_info.phone_number,
urls: { website: user_info.website }
}
end
extra do
{raw_info: user_info.raw_attributes}
end
credentials do
{
id_token: access_token.id_token,
token: access_token.access_token,
refresh_token: access_token.refresh_token,
expires_in: access_token.expires_in,
scope: access_token.scope
}
end
def client
@client ||= ::OpenIDConnect::Client.new(client_options)
end
def config
@config ||= ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
end
def request_phase
options.issuer = issuer if options.issuer.blank?
discover! if options.discovery
redirect authorize_uri
end
def callback_phase
error = request.params['error_reason'] || request.params['error']
if error
raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
elsif request.params['state'].to_s.empty? || request.params['state'] != stored_state
return Rack::Response.new(['401 Unauthorized'], 401).finish
elsif !request.params["code"]
return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(request.params["error"]))
else
options.issuer = issuer if options.issuer.blank?
discover! if options.discovery
client.redirect_uri = client_options.redirect_uri
client.authorization_code = authorization_code
access_token
super
end
rescue CallbackError => e
fail!(:invalid_credentials, e)
rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
fail!(:timeout, e)
rescue ::SocketError => e
fail!(:failed_to_connect, e)
end
def authorization_code
request.params["code"]
end
def authorize_uri
client.redirect_uri = client_options.redirect_uri
opts = {
response_type: options.response_type,
scope: options.scope,
state: new_state,
nonce: (new_nonce if options.send_nonce),
}
client.authorization_uri(opts.reject{|k,v| v.nil?})
end
def public_key
if options.discovery
config.jwks
else
key_or_secret
end
end
private
def issuer
resource = "#{client_options.scheme}://#{client_options.host}" + ((client_options.port) ? ":#{client_options.port.to_s}" : '')
::OpenIDConnect::Discovery::Provider.discover!(resource).issuer
end
def discover!
client_options.authorization_endpoint = config.authorization_endpoint
client_options.token_endpoint = config.token_endpoint
client_options.userinfo_endpoint = config.userinfo_endpoint
client_options.jwks_uri = config.jwks_uri
end
def user_info
@user_info ||= access_token.userinfo!
end
def access_token
@access_token ||= lambda {
_access_token = client.access_token!(
scope: options.scope,
client_auth_method: options.client_auth_method
)
_id_token = decode_id_token _access_token.id_token
_id_token.verify!(
issuer: options.issuer,
client_id: client_options.identifier,
nonce: stored_nonce
)
_access_token
}.call()
end
def decode_id_token(id_token)
::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
end
def client_options
options.client_options
end
def new_state
state = options.state.call if options.state.respond_to? :call
session['omniauth.state'] = state || SecureRandom.hex(16)
end
def stored_state
session.delete('omniauth.state')
end
def new_nonce
session['omniauth.nonce'] = SecureRandom.hex(16)
end
def stored_nonce
session.delete('omniauth.nonce')
end
def session
@env.nil? ? {} : super
end
def key_or_secret
case options.client_signing_alg
when :HS256, :HS384, :HS512
return client_options.secret
when :RS256, :RS384, :RS512
if options.client_jwk_signing_key
return parse_jwk_key(options.client_jwk_signing_key)
elsif options.client_x509_signing_key
return parse_x509_key(options.client_x509_signing_key)
end
else
end
end
def parse_x509_key(key)
OpenSSL::X509::Certificate.new(key).public_key
end
def parse_jwk_key(key)
json = JSON.parse(key)
jwk = json['keys'].first
create_rsa_key(jwk['n'], jwk['e'])
end
def create_rsa_key(mod, exp)
key = OpenSSL::PKey::RSA.new
exponent = OpenSSL::BN.new decode(exp)
modulus = OpenSSL::BN.new decode(mod)
key.e = exponent
key.n = modulus
key
end
def decode(str)
UrlSafeBase64.decode64(str).unpack('B*').first.to_i(2).to_s
end
class CallbackError < StandardError
attr_accessor :error, :error_reason, :error_uri
def initialize(error, error_reason=nil, error_uri=nil)
self.error = error
self.error_reason = error_reason
self.error_uri = error_uri
end
def message
[error, error_reason, error_uri].compact.join(' | ')
end
end
end
end
end
OmniAuth.config.add_camelization 'openid_connect', 'OpenIDConnect'