Class: CF::UAA::TokenIssuer
- Inherits:
-
Object
- Object
- CF::UAA::TokenIssuer
- Includes:
- Http
- Defined in:
- lib/uaa/token_issuer.rb
Overview
Client Apps that want to get access to resource servers on behalf of their users need to get tokens via authcode and implicit flows, request scopes, etc., but they don’t need to process tokens. This class is for these use cases.
In general most of this class is an implementation of the client pieces of the OAuth2 protocol. See http://tools.ietf.org/html/rfc6749
Constant Summary
Constants included from Http
Http::FORM_UTF8, Http::JSON_UTF8
Instance Method Summary collapse
-
#authcode_grant(authcode_uri, callback_query) ⇒ TokenInfo
Uses the instance client credentials in addition to
callback_query
to get a token via the authorization code grant. -
#authcode_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
-
#autologin_uri(redirect_uri, credentials, scope = nil) ⇒ String
A UAA extension to OAuth2 that allows a client to pre-authenticate a user at the start of an authorization code flow.
-
#client_credentials_grant(scope = nil) ⇒ TokenInfo
Uses the instance client credentials to get a token with a client credentials grant.
-
#implicit_grant(implicit_uri, callback_fragment) ⇒ TokenInfo
Gets a token via an implicit grant.
-
#implicit_grant_with_creds(credentials, scope = nil) ⇒ TokenInfo
Gets an access token in a single call to the UAA with the user credentials used for authentication.
-
#implicit_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
-
#initialize(target, client_id, client_secret = nil, options = {}) ⇒ TokenIssuer
constructor
A new instance of TokenIssuer.
-
#owner_password_credentials_grant(credentials) ⇒ TokenInfo
Gets an access token with the user credentials used for authentication via the owner password grant.
-
#owner_password_grant(username, password, scope = nil) ⇒ TokenInfo
Uses the instance client credentials in addition to the
username
andpassword
to get a token via the owner password grant. -
#passcode_grant(passcode, scope = nil) ⇒ TokenInfo
Uses a one-time passcode obtained from the UAA to get a token.
-
#prompts ⇒ Hash
Allows an app to discover what credentials are required for #implicit_grant_with_creds.
-
#refresh_token_grant(refresh_token, scope = nil) ⇒ TokenInfo
Uses the instance client credentials and the given
refresh_token
to get a new access token.
Methods included from Http
basic_auth, #logger, #logger=, #set_request_handler, #trace?
Constructor Details
#initialize(target, client_id, client_secret = nil, options = {}) ⇒ TokenIssuer
Returns a new instance of TokenIssuer.
108 109 110 111 112 113 114 115 |
# File 'lib/uaa/token_issuer.rb', line 108 def initialize(target, client_id, client_secret = nil, = {}) @target, @client_id, @client_secret = target, client_id, client_secret @token_target = [:token_target] || target @key_style = [:symbolize_keys] ? :sym : nil self.skip_ssl_validation = [:skip_ssl_validation] self.ssl_ca_file = [:ssl_ca_file] self.ssl_cert_store = [:ssl_cert_store] end |
Instance Method Details
#authcode_grant(authcode_uri, callback_query) ⇒ TokenInfo
Uses the instance client credentials in addition to callback_query
to get a token via the authorization code grant.
221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 |
# File 'lib/uaa/token_issuer.rb', line 221 def authcode_grant(authcode_uri, callback_query) ac_params = Util.decode_form(URI.parse(authcode_uri).query) unless ac_params['state'] && ac_params['redirect_uri'] raise ArgumentError, "authcode redirect must happen before authcode grant" end begin params = Util.decode_form(callback_query) authcode = params['code'] raise BadResponse unless params['state'] == ac_params['state'] && authcode rescue URI::InvalidURIError, ArgumentError, BadResponse raise BadResponse, "received invalid response from target #{@target}" end request_token(:grant_type => 'authorization_code', :code => authcode, :redirect_uri => ac_params['redirect_uri']) end |
#authcode_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
207 208 209 |
# File 'lib/uaa/token_issuer.rb', line 207 def authcode_uri(redirect_uri, scope = nil) @target + ('code', redirect_uri, scope) end |
#autologin_uri(redirect_uri, credentials, scope = nil) ⇒ String
A UAA extension to OAuth2 that allows a client to pre-authenticate a user at the start of an authorization code flow. By passing in the user’s credentials the server can establish a session with the user’s browser without reprompting for authentication. This is useful for user account management apps so that they can create a user account, or reset a password for the user, without requiring the user to type in their credentials again.
192 193 194 195 196 197 198 199 200 |
# File 'lib/uaa/token_issuer.rb', line 192 def autologin_uri(redirect_uri, credentials, scope = nil) headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8, 'authorization' => Http.basic_auth(@client_id, @client_secret) } body = Util.encode_form(credentials) reply = json_parse_reply(nil, *request(@target, :post, "/autologin", body, headers)) raise BadResponse, "no autologin code in reply" unless reply['code'] @target + ('code', redirect_uri, scope, random_state, :code => reply['code']) end |
#client_credentials_grant(scope = nil) ⇒ TokenInfo
Uses the instance client credentials to get a token with a client credentials grant. See tools.ietf.org/html/rfc6749#section-4.4
268 269 270 |
# File 'lib/uaa/token_issuer.rb', line 268 def client_credentials_grant(scope = nil) request_token(:grant_type => 'client_credentials', :scope => scope) end |
#implicit_grant(implicit_uri, callback_fragment) ⇒ TokenInfo
Gets a token via an implicit grant.
174 175 176 177 178 179 180 |
# File 'lib/uaa/token_issuer.rb', line 174 def implicit_grant(implicit_uri, callback_fragment) in_params = Util.decode_form(URI.parse(implicit_uri).query) unless in_params['state'] && in_params['redirect_uri'] raise ArgumentError, "redirect must happen before implicit grant" end parse_implicit_params(callback_fragment, in_params['state']) end |
#implicit_grant_with_creds(credentials, scope = nil) ⇒ TokenInfo
Gets an access token in a single call to the UAA with the user credentials used for authentication.
133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 |
# File 'lib/uaa/token_issuer.rb', line 133 def implicit_grant_with_creds(credentials, scope = nil) # this manufactured redirect_uri is a convention here, not part of OAuth2 redir_uri = "https://uaa.cloudfoundry.com/redirect/#{@client_id}" response_type = "token" response_type = "#{response_type} id_token" if scope && (scope.include? "openid") uri = (response_type, redir_uri, scope, state = random_state) # the accept header is only here so the uaa will issue error replies in json to aid debugging headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8 } body = Util.encode_form(credentials.merge(:source => 'credentials')) status, body, headers = request(@target, :post, uri, body, headers) raise BadResponse, "status #{status}" unless status == 302 req_uri, reply_uri = URI.parse(redir_uri), URI.parse(headers['location']) fragment, reply_uri.fragment = reply_uri.fragment, nil raise BadResponse, "bad location header" unless req_uri == reply_uri parse_implicit_params(fragment, state) rescue URI::Error => e raise BadResponse, "bad location header in reply: #{e.}" end |
#implicit_uri(redirect_uri, scope = nil) ⇒ String
Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.
157 158 159 160 161 |
# File 'lib/uaa/token_issuer.rb', line 157 def implicit_uri(redirect_uri, scope = nil) response_type = "token" response_type = "#{response_type} id_token" if scope && (scope.include? "openid") @target + (response_type, redirect_uri, scope) end |
#owner_password_credentials_grant(credentials) ⇒ TokenInfo
Gets an access token with the user credentials used for authentication via the owner password grant. See http://tools.ietf.org/html/rfc6749#section-4.3.
260 261 262 263 |
# File 'lib/uaa/token_issuer.rb', line 260 def owner_password_credentials_grant(credentials) credentials[:grant_type] = 'password' request_token(credentials) end |
#owner_password_grant(username, password, scope = nil) ⇒ TokenInfo
Uses the instance client credentials in addition to the username
and password
to get a token via the owner password grant. See http://tools.ietf.org/html/rfc6749#section-4.3.
241 242 243 244 |
# File 'lib/uaa/token_issuer.rb', line 241 def owner_password_grant(username, password, scope = nil) request_token(:grant_type => 'password', :username => username, :password => password, :scope => scope) end |
#passcode_grant(passcode, scope = nil) ⇒ TokenInfo
Uses a one-time passcode obtained from the UAA to get a token.
249 250 251 |
# File 'lib/uaa/token_issuer.rb', line 249 def passcode_grant(passcode, scope = nil) request_token(:grant_type => 'password', :passcode => passcode, :scope => scope) end |
#prompts ⇒ Hash
Allows an app to discover what credentials are required for #implicit_grant_with_creds.
121 122 123 124 125 |
# File 'lib/uaa/token_issuer.rb', line 121 def prompts reply = json_get(@target, '/login') return reply[jkey :prompts] if reply && reply[jkey :prompts] raise BadResponse, "No prompts in response from target #{@target}" end |
#refresh_token_grant(refresh_token, scope = nil) ⇒ TokenInfo
Uses the instance client credentials and the given refresh_token
to get a new access token. See tools.ietf.org/html/rfc6749#section-6
275 276 277 |
# File 'lib/uaa/token_issuer.rb', line 275 def refresh_token_grant(refresh_token, scope = nil) request_token(:grant_type => 'refresh_token', :refresh_token => refresh_token, :scope => scope) end |