Class: CF::UAA::TokenIssuer
- Inherits:
-
Object
- Object
- CF::UAA::TokenIssuer
- Includes:
- Http
- Defined in:
- lib/uaa/token_issuer.rb
Overview
Client Apps that want to get access to resource servers on behalf of their users need to get tokens via authcode and implicit flows, request scopes, etc., but they don’t need to process tokens. This class is for these use cases.
In general most of this class is an implementation of the client pieces of the OAuth2 protocol. See http://tools.ietf.org/html/rfc6749
Constant Summary
Constants included from Http
Http::FORM_UTF8, Http::JSON_UTF8
Instance Method Summary collapse
-
#authcode_grant(authcode_uri, callback_query) ⇒ TokenInfo
Uses the instance client credentials in addition to
callback_query
to get a token via the authorization code grant. -
#authcode_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
-
#autologin_uri(redirect_uri, credentials, scope = nil) ⇒ String
A UAA extension to OAuth2 that allows a client to pre-authenticate a user at the start of an authorization code flow.
-
#client_credentials_grant(scope = nil) ⇒ TokenInfo
Uses the instance client credentials to get a token with a client credentials grant.
-
#implicit_grant(implicit_uri, callback_fragment) ⇒ TokenInfo
Gets a token via an implicit grant.
-
#implicit_grant_with_creds(credentials, scope = nil) ⇒ TokenInfo
Gets an access token in a single call to the UAA with the user credentials used for authentication.
-
#implicit_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
-
#initialize(target, client_id, client_secret = nil, options = {}) ⇒ TokenIssuer
constructor
A new instance of TokenIssuer.
-
#owner_password_grant(username, password, scope = nil) ⇒ TokenInfo
Uses the instance client credentials in addition to the
username
andpassword
to get a token via the owner password grant. -
#prompts ⇒ Hash
Allows an app to discover what credentials are required for #implicit_grant_with_creds.
-
#refresh_token_grant(refresh_token, scope = nil) ⇒ TokenInfo
Uses the instance client credentials and the given
refresh_token
to get a new access token.
Methods included from Http
basic_auth, #logger, #logger=, #set_request_handler, #trace?
Methods included from ProxyOptions
Constructor Details
#initialize(target, client_id, client_secret = nil, options = {}) ⇒ TokenIssuer
Returns a new instance of TokenIssuer.
108 109 110 111 112 113 114 115 |
# File 'lib/uaa/token_issuer.rb', line 108 def initialize(target, client_id, client_secret = nil, = {}) @target, @client_id, @client_secret = target, client_id, client_secret @token_target = [:token_target] || target @key_style = [:symbolize_keys] ? :sym : nil self.skip_ssl_validation = [:skip_ssl_validation] self.http_proxy = [:http_proxy] self.https_proxy = [:https_proxy] end |
Instance Method Details
#authcode_grant(authcode_uri, callback_query) ⇒ TokenInfo
Uses the instance client credentials in addition to callback_query
to get a token via the authorization code grant.
217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 |
# File 'lib/uaa/token_issuer.rb', line 217 def authcode_grant(authcode_uri, callback_query) ac_params = Util.decode_form(URI.parse(authcode_uri).query) unless ac_params['state'] && ac_params['redirect_uri'] raise ArgumentError, "authcode redirect must happen before authcode grant" end begin params = Util.decode_form(callback_query) authcode = params['code'] raise BadResponse unless params['state'] == ac_params['state'] && authcode rescue URI::InvalidURIError, ArgumentError, BadResponse raise BadResponse, "received invalid response from target #{@target}" end request_token(:grant_type => 'authorization_code', :code => authcode, :redirect_uri => ac_params['redirect_uri']) end |
#authcode_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
203 204 205 |
# File 'lib/uaa/token_issuer.rb', line 203 def authcode_uri(redirect_uri, scope = nil) @target + ('code', redirect_uri, scope) end |
#autologin_uri(redirect_uri, credentials, scope = nil) ⇒ String
A UAA extension to OAuth2 that allows a client to pre-authenticate a user at the start of an authorization code flow. By passing in the user’s credentials the server can establish a session with the user’s browser without reprompting for authentication. This is useful for user account management apps so that they can create a user account, or reset a password for the user, without requiring the user to type in their credentials again.
188 189 190 191 192 193 194 195 196 |
# File 'lib/uaa/token_issuer.rb', line 188 def autologin_uri(redirect_uri, credentials, scope = nil) headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8, 'authorization' => Http.basic_auth(@client_id, @client_secret) } body = Util.encode_form(credentials) reply = json_parse_reply(nil, *request(@target, :post, "/autologin", body, headers)) raise BadResponse, "no autologin code in reply" unless reply['code'] @target + ('code', redirect_uri, scope, random_state, :code => reply['code']) end |
#client_credentials_grant(scope = nil) ⇒ TokenInfo
Uses the instance client credentials to get a token with a client credentials grant. See tools.ietf.org/html/rfc6749#section-4.4
245 246 247 |
# File 'lib/uaa/token_issuer.rb', line 245 def client_credentials_grant(scope = nil) request_token(:grant_type => 'client_credentials', :scope => scope) end |
#implicit_grant(implicit_uri, callback_fragment) ⇒ TokenInfo
Gets a token via an implicit grant.
170 171 172 173 174 175 176 |
# File 'lib/uaa/token_issuer.rb', line 170 def implicit_grant(implicit_uri, callback_fragment) in_params = Util.decode_form(URI.parse(implicit_uri).query) unless in_params['state'] && in_params['redirect_uri'] raise ArgumentError, "redirect must happen before implicit grant" end parse_implicit_params(callback_fragment, in_params['state']) end |
#implicit_grant_with_creds(credentials, scope = nil) ⇒ TokenInfo
Gets an access token in a single call to the UAA with the user credentials used for authentication.
133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 |
# File 'lib/uaa/token_issuer.rb', line 133 def implicit_grant_with_creds(credentials, scope = nil) # this manufactured redirect_uri is a convention here, not part of OAuth2 redir_uri = "https://uaa.cloudfoundry.com/redirect/#{@client_id}" uri = ("token", redir_uri, scope, state = random_state) # the accept header is only here so the uaa will issue error replies in json to aid debugging headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8 } body = Util.encode_form(credentials.merge(:source => 'credentials')) status, body, headers = request(@target, :post, uri, body, headers) raise BadResponse, "status #{status}" unless status == 302 req_uri, reply_uri = URI.parse(redir_uri), URI.parse(headers['location']) fragment, reply_uri.fragment = reply_uri.fragment, nil raise BadResponse, "bad location header" unless req_uri == reply_uri parse_implicit_params(fragment, state) rescue URI::Error => e raise BadResponse, "bad location header in reply: #{e.}" end |
#implicit_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
155 156 157 |
# File 'lib/uaa/token_issuer.rb', line 155 def implicit_uri(redirect_uri, scope = nil) @target + ("token", redirect_uri, scope) end |
#owner_password_grant(username, password, scope = nil) ⇒ TokenInfo
Uses the instance client credentials in addition to the username
and password
to get a token via the owner password grant. See http://tools.ietf.org/html/rfc6749#section-4.3.
237 238 239 240 |
# File 'lib/uaa/token_issuer.rb', line 237 def owner_password_grant(username, password, scope = nil) request_token(:grant_type => 'password', :username => username, :password => password, :scope => scope) end |
#prompts ⇒ Hash
Allows an app to discover what credentials are required for #implicit_grant_with_creds.
121 122 123 124 125 |
# File 'lib/uaa/token_issuer.rb', line 121 def prompts reply = json_get(@target, '/login') return reply[jkey :prompts] if reply && reply[jkey :prompts] raise BadResponse, "No prompts in response from target #{@target}" end |
#refresh_token_grant(refresh_token, scope = nil) ⇒ TokenInfo
Uses the instance client credentials and the given refresh_token
to get a new access token. See tools.ietf.org/html/rfc6749#section-6
252 253 254 |
# File 'lib/uaa/token_issuer.rb', line 252 def refresh_token_grant(refresh_token, scope = nil) request_token(:grant_type => 'refresh_token', :refresh_token => refresh_token, :scope => scope) end |