Skip to content

add support for private_key_jwt and tls_client_auth #495

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jan 28, 2020
Merged

add support for private_key_jwt and tls_client_auth #495

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions lib/oauth2/authenticator.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,10 @@ def apply(params)
apply_basic_auth(params)
when :request_body
apply_params_auth(params)
when :tls_client_auth
apply_client_id(params)
when :private_key_jwt
params
Copy link
Member

@pboling pboling Jan 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SteveyblamFreeagent just straight params? The comment on line 49 appears to imply that apply_client_id would be used for private_key_jwt also.

Copy link
Author

@SteveyblamWork SteveyblamWork Jan 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for looking at this Peter. Straight params is expected behaviour as private_key_jwt wraps up the client_id in the assertion so it's not passed in the request body. But you're absolutely right the comment was from a previous commit where I was applying the client_id. I'll change the comment now.

Many thanks

else
raise NotImplementedError
end
Expand All @@ -42,6 +46,12 @@ def apply_params_auth(params)
{'client_id' => id, 'client_secret' => secret}.merge(params)
end

# When using schemes that don't require the client_secret to be passed i.e TLS Client Auth,
# we don't want to send the secret
def apply_client_id(params)
{ 'client_id' => id }.merge(params)
end

# Adds an `Authorization` header with Basic Auth credentials if and only if
# it is not already set in the params.
def apply_basic_auth(params)
Expand Down
18 changes: 18 additions & 0 deletions spec/oauth2/authenticator_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,24 @@
:headers => {'A' => 'b'}
)
end

context 'using tls client authentication' do
let(:mode) { :tls_client_auth }

it 'does not add client_secret' do
output = subject.apply({})
expect(output).to eq('client_id' => 'foo')
end
end

context 'using private key jwt authentication' do
let(:mode) { :private_key_jwt }

it 'does not add client_secret or client_id' do
output = subject.apply({})
expect(output).to eq({})
end
end
end

context 'with Basic authentication' do
Expand Down
6 changes: 3 additions & 3 deletions spec/oauth2/client_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -251,9 +251,9 @@
subject.request(:get, '/success')
end
logs = [
'INFO -- request: GET https://api.example.com/success',
'INFO -- response: Status 200',
'DEBUG -- response: Content-Type: "text/awesome"'
'-- request: GET https://api.example.com/success',
'-- response: Status 200',
'-- response: Content-Type: "text/awesome"'
]
expect(output).to include(*logs)
end
Expand Down