Class: Google::Auth::UserAuthorizer
- Inherits:
-
Object
- Object
- Google::Auth::UserAuthorizer
- Defined in:
- lib/googleauth/user_authorizer.rb
Overview
Handles an interactive 3-Legged-OAuth2 (3LO) user consent authorization.
Example usage for a simple command line app:
credentials = authorizer.get_credentials(user_id)
if credentials.nil?
url = authorizer.get_authorization_url(
base_url: OOB_URI)
puts "Open the following URL in the browser and enter the " +
"resulting code after authorization"
puts url
code = gets
credentials = authorizer.get_and_store_credentials_from_code(
user_id: user_id, code: code, base_url: OOB_URI)
end
# Credentials ready to use, call APIs
...
Direct Known Subclasses
Constant Summary collapse
- MISMATCHED_CLIENT_ID_ERROR =
"Token client ID of %s does not match configured client id %s".freeze
- NIL_CLIENT_ID_ERROR =
"Client id can not be nil.".freeze
- NIL_SCOPE_ERROR =
"Scope can not be nil.".freeze
- NIL_USER_ID_ERROR =
"User ID can not be nil.".freeze
- NIL_TOKEN_STORE_ERROR =
"Can not call method if token store is nil".freeze
- MISSING_ABSOLUTE_URL_ERROR =
'Absolute base url required for relative callback url "%s"'.freeze
Class Method Summary collapse
-
.generate_code_verifier ⇒ Object
Generate the code verifier needed to be sent while fetching authorization URL.
Instance Method Summary collapse
-
#code_verifier=(new_code_verifier) ⇒ Object
The code verifier for PKCE for OAuth 2.0.
-
#get_and_store_credentials_from_code(options = {}) ⇒ Google::Auth::UserRefreshCredentials
Exchanges an authorization code returned in the oauth callback.
-
#get_authorization_url(options = {}) ⇒ String
Build the URL for requesting authorization.
-
#get_credentials(user_id, scope = nil) ⇒ Google::Auth::UserRefreshCredentials
Fetch stored credentials for the user.
-
#get_credentials_from_code(options = {}) ⇒ Google::Auth::UserRefreshCredentials
Exchanges an authorization code returned in the oauth callback.
-
#initialize(client_id, scope, token_store, callback_uri = nil, code_verifier: nil) ⇒ UserAuthorizer
constructor
Initialize the authorizer.
-
#revoke_authorization(user_id) ⇒ Object
Revokes a user's credentials.
-
#store_credentials(user_id, credentials) ⇒ Object
Store credentials for a user.
Constructor Details
#initialize(client_id, scope, token_store, callback_uri = nil, code_verifier: nil) ⇒ UserAuthorizer
Initialize the authorizer
64 65 66 67 68 69 70 71 72 73 74 |
# File 'lib/googleauth/user_authorizer.rb', line 64 def initialize client_id, scope, token_store, callback_uri = nil, code_verifier: nil raise NIL_CLIENT_ID_ERROR if client_id.nil? raise NIL_SCOPE_ERROR if scope.nil? @client_id = client_id @scope = Array(scope) @token_store = token_store @callback_uri = callback_uri || "/oauth2callback" @code_verifier = code_verifier end |
Class Method Details
.generate_code_verifier ⇒ Object
Generate the code verifier needed to be sent while fetching authorization URL.
263 264 265 266 |
# File 'lib/googleauth/user_authorizer.rb', line 263 def self.generate_code_verifier random_number = rand 32..96 SecureRandom.alphanumeric random_number end |
Instance Method Details
#code_verifier=(new_code_verifier) ⇒ Object
The code verifier for PKCE for OAuth 2.0. When set, the authorization URI will contain the Code Challenge and Code Challenge Method querystring parameters, and the token URI will contain the Code Verifier parameter.
257 258 259 |
# File 'lib/googleauth/user_authorizer.rb', line 257 def code_verifier= new_code_verifier @code_verifier = new_code_verifier end |
#get_and_store_credentials_from_code(options = {}) ⇒ Google::Auth::UserRefreshCredentials
Exchanges an authorization code returned in the oauth callback. Additionally, stores the resulting credentials in the token store if the exchange is successful.
209 210 211 212 |
# File 'lib/googleauth/user_authorizer.rb', line 209 def get_and_store_credentials_from_code = {} credentials = get_credentials_from_code store_credentials [:user_id], credentials end |
#get_authorization_url(options = {}) ⇒ String
Build the URL for requesting authorization.
93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 |
# File 'lib/googleauth/user_authorizer.rb', line 93 def = {} scope = [:scope] || @scope [:additional_parameters] ||= {} if @code_verifier [:additional_parameters].merge!( { code_challenge: generate_code_challenge(@code_verifier), code_challenge_method: code_challenge_method } ) end credentials = UserRefreshCredentials.new( client_id: @client_id.id, client_secret: @client_id.secret, scope: scope, additional_parameters: [:additional_parameters] ) redirect_uri = redirect_uri_for [:base_url] url = credentials.(access_type: "offline", redirect_uri: redirect_uri, approval_prompt: "force", state: [:state], include_granted_scopes: true, login_hint: [:login_hint]) url.to_s end |
#get_credentials(user_id, scope = nil) ⇒ Google::Auth::UserRefreshCredentials
Fetch stored credentials for the user.
132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 |
# File 'lib/googleauth/user_authorizer.rb', line 132 def get_credentials user_id, scope = nil saved_token = stored_token user_id return nil if saved_token.nil? data = MultiJson.load saved_token if data.fetch("client_id", @client_id.id) != @client_id.id raise format(MISMATCHED_CLIENT_ID_ERROR, data["client_id"], @client_id.id) end credentials = UserRefreshCredentials.new( client_id: @client_id.id, client_secret: @client_id.secret, scope: data["scope"] || @scope, access_token: data["access_token"], refresh_token: data["refresh_token"], expires_at: data.fetch("expiration_time_millis", 0) / 1000 ) scope ||= @scope return monitor_credentials user_id, credentials if credentials.includes_scope? scope nil end |
#get_credentials_from_code(options = {}) ⇒ Google::Auth::UserRefreshCredentials
Exchanges an authorization code returned in the oauth callback
173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 |
# File 'lib/googleauth/user_authorizer.rb', line 173 def get_credentials_from_code = {} user_id = [:user_id] code = [:code] scope = [:scope] || @scope base_url = [:base_url] [:additional_parameters] ||= {} [:additional_parameters].merge!({ code_verifier: @code_verifier }) credentials = UserRefreshCredentials.new( client_id: @client_id.id, client_secret: @client_id.secret, redirect_uri: redirect_uri_for(base_url), scope: scope, additional_parameters: [:additional_parameters] ) credentials.code = code credentials.fetch_access_token!({}) monitor_credentials user_id, credentials end |
#revoke_authorization(user_id) ⇒ Object
Revokes a user's credentials. This both revokes the actual grant as well as removes the token from the token store.
219 220 221 222 223 224 225 226 227 228 229 |
# File 'lib/googleauth/user_authorizer.rb', line 219 def user_id credentials = get_credentials user_id if credentials begin @token_store.delete user_id ensure credentials.revoke! end end nil end |
#store_credentials(user_id, credentials) ⇒ Object
Store credentials for a user. Generally not required to be called directly, but may be used to migrate tokens from one store to another.
239 240 241 242 243 244 245 246 247 248 249 |
# File 'lib/googleauth/user_authorizer.rb', line 239 def store_credentials user_id, credentials json = MultiJson.dump( client_id: credentials.client_id, access_token: credentials.access_token, refresh_token: credentials.refresh_token, scope: credentials.scope, expiration_time_millis: credentials.expires_at.to_i * 1000 ) @token_store.store user_id, json credentials end |