/
openid_connect.rb
314 lines (260 loc) · 9.13 KB
/
openid_connect.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
# frozen_string_literal: true
require 'addressable/uri'
require 'timeout'
require 'net/http'
require 'open-uri'
require 'omniauth'
require 'openid_connect'
require 'forwardable'
module OmniAuth
module Strategies
class OpenIDConnect
include OmniAuth::Strategy
extend Forwardable
def_delegator :request, :params
option :name, 'openid_connect'
option(:client_options, identifier: nil,
secret: nil,
redirect_uri: nil,
scheme: 'https',
host: nil,
port: 443,
authorization_endpoint: '/authorize',
token_endpoint: '/token',
userinfo_endpoint: '/userinfo',
jwks_uri: '/jwk',
end_session_endpoint: nil)
option :issuer
option :discovery, false
option :client_signing_alg
option :client_jwk_signing_key
option :client_x509_signing_key
option :scope, [:openid]
option :response_type, 'code'
option :state
option :response_mode
option :display, nil # [:page, :popup, :touch, :wap]
option :prompt, nil # [:none, :login, :consent, :select_account]
option :hd, nil
option :max_age
option :ui_locales
option :id_token_hint
option :acr_values
option :send_nonce, true
option :send_scope_to_token_endpoint, true
option :client_auth_method
option :post_logout_redirect_uri
option :uid_field, 'sub'
def uid
user_info.public_send(options.uid_field.to_s)
rescue NoMethodError
log :warn, "User sub:#{user_info.sub} missing info field: #{options.uid_field}"
user_info.sub
end
info do
{
name: user_info.name,
email: user_info.email,
nickname: user_info.preferred_username,
first_name: user_info.given_name,
last_name: user_info.family_name,
gender: user_info.gender,
image: user_info.picture,
phone: user_info.phone_number,
urls: { website: user_info.website },
}
end
extra do
{ raw_info: user_info.raw_attributes }
end
credentials do
{
id_token: access_token.id_token,
token: access_token.access_token,
refresh_token: access_token.refresh_token,
expires_in: access_token.expires_in,
scope: access_token.scope,
}
end
def client
@client ||= ::OpenIDConnect::Client.new(client_options)
end
def config
@config ||= ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
end
def request_phase
options.issuer = issuer if options.issuer.to_s.empty?
discover!
redirect authorize_uri
end
def callback_phase
error = params['error_reason'] || params['error']
error_description = params['error_description'] || params['error_reason']
invalid_state = params['state'].to_s.empty? || params['state'] != stored_state
raise CallbackError.new(params['error'], error_description, params['error_uri']) if error
raise CallbackError, 'Invalid state parameter' if invalid_state
return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(params['error'])) unless params['code']
options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
discover!
client.redirect_uri = redirect_uri
client.authorization_code = authorization_code
access_token
super
rescue CallbackError, ::Rack::OAuth2::Client::Error => e
fail!(:invalid_credentials, e)
rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
fail!(:timeout, e)
rescue ::SocketError => e
fail!(:failed_to_connect, e)
end
def other_phase
if logout_path_pattern.match?(current_path)
options.issuer = issuer if options.issuer.to_s.empty?
discover!
return redirect(end_session_uri) if end_session_uri
end
call_app!
end
def authorization_code
params['code']
end
def end_session_uri
return unless end_session_endpoint_is_valid?
end_session_uri = URI(client_options.end_session_endpoint)
end_session_uri.query = encoded_post_logout_redirect_uri
end_session_uri.to_s
end
def authorize_uri
client.redirect_uri = redirect_uri
opts = {
response_type: options.response_type,
scope: options.scope,
state: new_state,
login_hint: params['login_hint'],
ui_locales: params['ui_locales'],
claims_locales: params['claims_locales'],
prompt: options.prompt,
nonce: (new_nonce if options.send_nonce),
hd: options.hd,
}
client.authorization_uri(opts.reject { |_k, v| v.nil? })
end
def public_key
return config.jwks if options.discovery
key_or_secret
end
private
def issuer
resource = "#{ client_options.scheme }://#{ client_options.host }"
resource = "#{ resource }:#{ client_options.port }" if client_options.port
::OpenIDConnect::Discovery::Provider.discover!(resource).issuer
end
def discover!
return unless options.discovery
client_options.authorization_endpoint = config.authorization_endpoint
client_options.token_endpoint = config.token_endpoint
client_options.userinfo_endpoint = config.userinfo_endpoint
client_options.jwks_uri = config.jwks_uri
client_options.end_session_endpoint = config.end_session_endpoint if config.respond_to?(:end_session_endpoint)
end
def user_info
@user_info ||= access_token.userinfo!
end
def access_token
return @access_token if @access_token
@access_token = client.access_token!(
scope: (options.scope if options.send_scope_to_token_endpoint),
client_auth_method: options.client_auth_method
)
id_token = decode_id_token(@access_token.id_token)
id_token.verify!(
issuer: options.issuer,
client_id: client_options.identifier,
nonce: stored_nonce
)
@access_token
end
def decode_id_token(id_token)
::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
end
def client_options
options.client_options
end
def new_state
state = if options.state.respond_to?(:call)
if options.state.arity == 1
options.state.call(env)
else
options.state.call
end
end
session['omniauth.state'] = state || SecureRandom.hex(16)
end
def stored_state
session.delete('omniauth.state')
end
def new_nonce
session['omniauth.nonce'] = SecureRandom.hex(16)
end
def stored_nonce
session.delete('omniauth.nonce')
end
def session
return {} if @env.nil?
super
end
def key_or_secret
case options.client_signing_alg
when :HS256, :HS384, :HS512
client_options.secret
when :RS256, :RS384, :RS512
if options.client_jwk_signing_key
parse_jwk_key(options.client_jwk_signing_key)
elsif options.client_x509_signing_key
parse_x509_key(options.client_x509_signing_key)
end
end
end
def parse_x509_key(key)
OpenSSL::X509::Certificate.new(key).public_key
end
def parse_jwk_key(key)
json = JSON.parse(key)
return JSON::JWK::Set.new(json['keys']) if json.key?('keys')
JSON::JWK.new(json)
end
def decode(str)
UrlSafeBase64.decode64(str).unpack1('B*').to_i(2).to_s
end
def redirect_uri
return client_options.redirect_uri unless params['redirect_uri']
"#{ client_options.redirect_uri }?redirect_uri=#{ CGI.escape(params['redirect_uri']) }"
end
def encoded_post_logout_redirect_uri
return unless options.post_logout_redirect_uri
URI.encode_www_form(
post_logout_redirect_uri: options.post_logout_redirect_uri
)
end
def end_session_endpoint_is_valid?
client_options.end_session_endpoint &&
client_options.end_session_endpoint =~ URI::DEFAULT_PARSER.make_regexp
end
def logout_path_pattern
@logout_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/logout)}
end
class CallbackError < StandardError
attr_accessor :error, :error_reason, :error_uri
def initialize(error, error_reason = nil, error_uri = nil)
self.error = error
self.error_reason = error_reason
self.error_uri = error_uri
end
def message
[error, error_reason, error_uri].compact.join(' | ')
end
end
end
end
end
OmniAuth.config.add_camelization 'openid_connect', 'OpenIDConnect'