Class: CF::UAA::TokenIssuer
- Inherits:
-
Object
- Object
- CF::UAA::TokenIssuer
- Includes:
- Http
- Defined in:
- lib/uaa/token_issuer.rb
Overview
Client Apps that want to get access to resource servers on behalf of their users need to get tokens via authcode and implicit flows, request scopes, etc., but they don’t need to process tokens. This class is for these use cases.
In general most of this class is an implementation of the client pieces of the OAuth2 protocol. See http://tools.ietf.org/html/rfc6749
Instance Method Summary collapse
-
#authcode_grant(authcode_uri, callback_query) ⇒ TokenInfo
Uses the instance client credentials in addition to
callback_query
to get a token via the authorization code grant. -
#authcode_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
-
#autologin_uri(redirect_uri, credentials, scope = nil) ⇒ String
A UAA extension to OAuth2 that allows a client to pre-authenticate a user at the start of an authorization code flow.
-
#client_credentials_grant(scope = nil) ⇒ TokenInfo
Uses the instance client credentials to get a token with a client credentials grant.
-
#implicit_grant(implicit_uri, callback_fragment) ⇒ TokenInfo
Gets a token via an implicit grant.
-
#implicit_grant_with_creds(credentials, scope = nil) ⇒ TokenInfo
Gets an access token in a single call to the UAA with the user credentials used for authentication.
-
#implicit_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
-
#initialize(target, client_id, client_secret = nil, options = {}) ⇒ TokenIssuer
constructor
A new instance of TokenIssuer.
-
#owner_password_grant(username, password, scope = nil) ⇒ TokenInfo
Uses the instance client credentials in addition to the
username
andpassword
to get a token via the owner password grant. -
#prompts ⇒ Hash
Allows an app to discover what credentials are required for #implicit_grant_with_creds.
-
#refresh_token_grant(refresh_token, scope = nil) ⇒ TokenInfo
Uses the instance client credentials and the given
refresh_token
to get a new access token.
Methods included from Http
basic_auth, #logger, #logger=, #set_request_handler, #trace?
Constructor Details
#initialize(target, client_id, client_secret = nil, options = {}) ⇒ TokenIssuer
Returns a new instance of TokenIssuer.
109 110 111 112 113 |
# File 'lib/uaa/token_issuer.rb', line 109 def initialize(target, client_id, client_secret = nil, = {}) @target, @client_id, @client_secret = target, client_id, client_secret @token_target = [:token_target] || target @key_style = [:symbolize_keys] ? :sym : nil end |
Instance Method Details
#authcode_grant(authcode_uri, callback_query) ⇒ TokenInfo
Uses the instance client credentials in addition to callback_query
to get a token via the authorization code grant.
216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 |
# File 'lib/uaa/token_issuer.rb', line 216 def authcode_grant(authcode_uri, callback_query) ac_params = Util.decode_form(URI.parse(authcode_uri).query) unless ac_params['state'] && ac_params['redirect_uri'] raise ArgumentError, "authcode redirect must happen before authcode grant" end begin params = Util.decode_form(callback_query) authcode = params['code'] raise BadResponse unless params['state'] == ac_params['state'] && authcode rescue URI::InvalidURIError, ArgumentError, BadResponse raise BadResponse, "received invalid response from target #{@target}" end request_token(:grant_type => 'authorization_code', :code => authcode, :redirect_uri => ac_params['redirect_uri']) end |
#authcode_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
202 203 204 |
# File 'lib/uaa/token_issuer.rb', line 202 def authcode_uri(redirect_uri, scope = nil) @target + ('code', redirect_uri, scope) end |
#autologin_uri(redirect_uri, credentials, scope = nil) ⇒ String
A UAA extension to OAuth2 that allows a client to pre-authenticate a user at the start of an authorization code flow. By passing in the user’s credentials the server can establish a session with the user’s browser without reprompting for authentication. This is useful for user account management apps so that they can create a user account, or reset a password for the user, without requiring the user to type in their credentials again.
186 187 188 189 190 191 192 193 194 195 |
# File 'lib/uaa/token_issuer.rb', line 186 def autologin_uri(redirect_uri, credentials, scope = nil) headers = {'content-type' => 'application/x-www-form-urlencoded', 'accept' => 'application/json', 'authorization' => Http.basic_auth(@client_id, @client_secret) } body = Util.encode_form(credentials) reply = json_parse_reply(nil, *request(@target, :post, "/autologin", body, headers)) raise BadResponse, "no autologin code in reply" unless reply['code'] @target + ('code', redirect_uri, scope, random_state, :code => reply['code']) end |
#client_credentials_grant(scope = nil) ⇒ TokenInfo
Uses the instance client credentials to get a token with a client credentials grant. See tools.ietf.org/html/rfc6749#section-4.4
244 245 246 |
# File 'lib/uaa/token_issuer.rb', line 244 def client_credentials_grant(scope = nil) request_token(:grant_type => 'client_credentials', :scope => scope) end |
#implicit_grant(implicit_uri, callback_fragment) ⇒ TokenInfo
Gets a token via an implicit grant.
168 169 170 171 172 173 174 |
# File 'lib/uaa/token_issuer.rb', line 168 def implicit_grant(implicit_uri, callback_fragment) in_params = Util.decode_form(URI.parse(implicit_uri).query) unless in_params['state'] && in_params['redirect_uri'] raise ArgumentError, "redirect must happen before implicit grant" end parse_implicit_params(callback_fragment, in_params['state']) end |
#implicit_grant_with_creds(credentials, scope = nil) ⇒ TokenInfo
Gets an access token in a single call to the UAA with the user credentials used for authentication.
131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 |
# File 'lib/uaa/token_issuer.rb', line 131 def implicit_grant_with_creds(credentials, scope = nil) # this manufactured redirect_uri is a convention here, not part of OAuth2 redir_uri = "https://uaa.cloudfoundry.com/redirect/#{@client_id}" uri = ("token", redir_uri, scope, state = random_state) # the accept header is only here so the uaa will issue error replies in json to aid debugging headers = {'content-type' => 'application/x-www-form-urlencoded', 'accept' => 'application/json' } body = Util.encode_form(credentials.merge(:source => 'credentials')) status, body, headers = request(@target, :post, uri, body, headers) raise BadResponse, "status #{status}" unless status == 302 req_uri, reply_uri = URI.parse(redir_uri), URI.parse(headers['location']) fragment, reply_uri.fragment = reply_uri.fragment, nil raise BadResponse, "bad location header" unless req_uri == reply_uri parse_implicit_params(fragment, state) rescue URI::Error => e raise BadResponse, "bad location header in reply: #{e.}" end |
#implicit_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
153 154 155 |
# File 'lib/uaa/token_issuer.rb', line 153 def implicit_uri(redirect_uri, scope = nil) @target + ("token", redirect_uri, scope) end |
#owner_password_grant(username, password, scope = nil) ⇒ TokenInfo
Uses the instance client credentials in addition to the username
and password
to get a token via the owner password grant. See http://tools.ietf.org/html/rfc6749#section-4.3.
236 237 238 239 |
# File 'lib/uaa/token_issuer.rb', line 236 def owner_password_grant(username, password, scope = nil) request_token(:grant_type => 'password', :username => username, :password => password, :scope => scope) end |
#prompts ⇒ Hash
Allows an app to discover what credentials are required for #implicit_grant_with_creds.
119 120 121 122 123 |
# File 'lib/uaa/token_issuer.rb', line 119 def prompts reply = json_get(@target, '/login') return reply[jkey :prompts] if reply && reply[jkey :prompts] raise BadResponse, "No prompts in response from target #{@target}" end |
#refresh_token_grant(refresh_token, scope = nil) ⇒ TokenInfo
Uses the instance client credentials and the given refresh_token
to get a new access token. See tools.ietf.org/html/rfc6749#section-6
251 252 253 |
# File 'lib/uaa/token_issuer.rb', line 251 def refresh_token_grant(refresh_token, scope = nil) request_token(:grant_type => 'refresh_token', :refresh_token => refresh_token, :scope => scope) end |