Module: Auth0::Api::AuthenticationEndpoints

Defined in:

lib/auth0/api/authentication_endpoints.rb

Overview

https://auth0.com/docs/api/authentication Methods to use the Authentication API

Constant Summary

UP_AUTH =

'Username-Password-Authentication'.freeze

JWT_BEARER =

'urn:ietf:params:oauth:grant-type:jwt-bearer'.freeze

Instance Method Summary

• #api_token(client_id: @client_id, client_secret: @client_secret, audience: "https://#{@domain}/api/v2/") ⇒ json

  Request an API access token using a Client Credentials grant.

• #authorization_url(redirect_uri, options = {}) ⇒ url

  Return an authorization URL.

• #change_password(email, password, connection_name = UP_AUTH) ⇒ Object

  Change a user’s password or trigger a password reset email.

• #delegation(id_token, target, scope = 'openid', api_type = 'app', extra_parameters = {}) ⇒ json deprecated Deprecated.

  4.5.0 - Feature is disabled, no replacement currently; see auth0.com/docs/api-auth/tutorials/adoption/delegation

• #exchange_auth_code_for_tokens(code, redirect_uri: nil, client_id: @client_id, client_secret: @client_secret) ⇒ AccessToken

  Get access and ID tokens using an Authorization Code.

• #exchange_refresh_token(refresh_token, client_id: @client_id, client_secret: @client_secret) ⇒ AccessToken

  Get access and ID tokens using a refresh token.

• #impersonate(user_id, app_client_id, impersonator_id, options) ⇒ string deprecated Deprecated.

  4.5.0 - Feature is disabled.

• #login(username, password, id_token = nil, connection_name = UP_AUTH, options = {}) ⇒ json deprecated Deprecated.

  4.6.0 - Use the login_with_resource_owner method instead.

• #login_with_resource_owner(login_name, password, client_id: @client_id, client_secret: @client_secret, realm: nil, audience: nil, scope: 'openid') ⇒ json

  rubocop:disable Metrics/ParameterLists Get access and ID tokens using Resource Owner Password.

• #logout_url(return_to, include_client: false, federated: false) ⇒ url

  Returns an Auth0 logout URL with a return URL.

• #obtain_access_token(access_token = nil, connection = 'facebook', scope = 'openid') ⇒ json deprecated Deprecated.

  4.6.0 - Use the api_token method instead.

• #obtain_user_tokens(code, redirect_uri, connection = 'facebook', scope = 'openid') ⇒ json deprecated Deprecated.

  4.6.0 - Use the exchange_auth_code_for_tokens method instead.

• #phone_login(phone_number, code, scope = 'openid') ⇒ json deprecated Deprecated.

  4.5.0 - Legacy authentication pipeline; use a Password Grant instead - auth0.com/docs/api-auth/tutorials/password-grant

• #refresh_delegation(refresh_token, target, scope = 'openid', api_type = 'app', extra_parameters = {}) ⇒ json deprecated Deprecated.

  4.5.0 - Feature is disabled, no replacement currently; see auth0.com/docs/api-auth/tutorials/adoption/delegation

• #saml_metadata ⇒ xml

  Retrive SAML 2.0 metadata XML for an Application.

• #samlp_url(connection = UP_AUTH) ⇒ url

  Return a SAMLP URL.

• #signup(email, password, connection_name = UP_AUTH) ⇒ json

  Sign up with a database connection using a username and password.

• #start_passwordless_email_flow(email, send = 'link', auth_params = {}) ⇒ Object

  Start Passwordless email login flow.

• #start_passwordless_sms_flow(phone_number) ⇒ Object

  Start Passwordless SMS login flow.

• #token_info(id_token) ⇒ Object deprecated Deprecated.

  4.5.0 - Legacy endpoint, use /userinfo instead.

• #unlink_user(access_token, user_id) ⇒ Object deprecated Deprecated.

  4.5.0 - Endpoint is disabled in favor of the Management API; see auth0.com/docs/migrations/guides/account-linking

• #user_info ⇒ json deprecated Deprecated.

  4.6.0 - Use the userinfo method instead.

• #userinfo(access_token) ⇒ json

  Return the user information based on the Auth0 access token.

• #validate_id_token(id_token, algorithm: nil, leeway: 60, nonce: nil, max_age: nil, issuer: nil, audience: nil) ⇒ Object

  Validate an ID token (signature and expiration).

• #wsfed_metadata ⇒ xml

  Retrieve WS-Federation metadata XML for a tenant.

• #wsfed_url(connection = UP_AUTH, options = {}) ⇒ url

  Return a WS-Federation URL.

Instance Method Details

#api_token(client_id: @client_id, client_secret: @client_secret, audience: "https://#{@domain}/api/v2/") ⇒ json

Request an API access token using a Client Credentials grant

Parameters:

• audience (string) (defaults to: "https://#{@domain}/api/v2/") —

  API audience to use

Returns:

• (json) —

  Returns the API token

See Also:

• https://auth0.com/docs/api-auth/tutorials/client-credentials

# File 'lib/auth0/api/authentication_endpoints.rb', line 18

def api_token(
  client_id: @client_id,
  client_secret: @client_secret,
  audience: "https://#{@domain}/api/v2/"
)
  request_params = {
    grant_type: 'client_credentials',
    client_id: client_id,
    client_secret: client_secret,
    audience: audience
  }
  response = post('/oauth/token', request_params)
  ApiToken.new(response['access_token'], response['scope'], response['expires_in'])
end

#authorization_url(redirect_uri, options = {}) ⇒ url

Return an authorization URL.

Parameters:

• redirect_uri (string) —

  URL to redirect after authorization

• options (hash) (defaults to: {}) —

  Can contain response_type, connection, state and additional_parameters.

Returns:

• (url) —

  Authorization URL.

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#authorization-code-grant

# File 'lib/auth0/api/authentication_endpoints.rb', line 225

def authorization_url(redirect_uri, options = {})
  raise Auth0::InvalidParameter, 'Must supply a valid redirect_uri' if redirect_uri.to_s.empty?

  request_params = {
    client_id: @client_id,
    response_type: options.fetch(:response_type, 'code'),
    connection: options.fetch(:connection, nil),
    redirect_uri: redirect_uri,
    state: options.fetch(:state, nil),
    scope: options.fetch(:scope, nil)
  }.merge(options.fetch(:additional_parameters, {}))

  URI::HTTPS.build(host: @domain, path: '/authorize', query: to_query(request_params))
end

#change_password(email, password, connection_name = UP_AUTH) ⇒ Object

Change a user’s password or trigger a password reset email.

Parameters:

• email (string) —

  User’s current email

• password (string) —

  User’s new password; empty to trigger a password reset email

• connection_name (string) (defaults to: UP_AUTH) —

  Database connection name

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#change-password
• https://auth0.com/docs/connections/database/password-change

# File 'lib/auth0/api/authentication_endpoints.rb', line 151

def change_password(email, password, connection_name = UP_AUTH)
  raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?

  request_params = {
    email: email,
    password: password,
    connection: connection_name,
    client_id: @client_id
  }
  post('/dbconnections/change_password', request_params)
end

#delegation(id_token, target, scope = 'openid', api_type = 'app', extra_parameters = {}) ⇒ json

Deprecated.

4.5.0 - Feature is disabled, no replacement currently; see auth0.com/docs/api-auth/tutorials/adoption/delegation

Retrieve a delegation token.

Parameters:

• id_token (string) —

  Token’s id.

• target (string) —

  Target to sign the new token.

• scope (string) (defaults to: 'openid') —

  Defaults to openid. Can be ‘openid name email’.

• api_type (string) (defaults to: 'app') —

  Defaults to app. Can be aws, azure_sb, azure_blob, firebase, layer, salesforce_api, salesforce_sandbox_api, sap_api or wams

• extra_parameters (hash) (defaults to: {}) —

  Extra parameters.

Returns:

• (json) —

  Returns the refreshed delegation token

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#delegation

# File 'lib/auth0/api/authentication_endpoints.rb', line 445

def delegation(id_token, target, scope = 'openid', api_type = 'app', extra_parameters = {})
  raise Auth0::InvalidParameter, 'Must supply a valid id_token' if id_token.to_s.empty?

  request_params = {
    client_id: @client_id,
    grant_type: JWT_BEARER,
    id_token: id_token,
    target: target,
    api_type: api_type,
    scope: scope
  }.merge(extra_parameters)
  post('/delegation', request_params)
end

#exchange_auth_code_for_tokens(code, redirect_uri: nil, client_id: @client_id, client_secret: @client_secret) ⇒ AccessToken

Get access and ID tokens using an Authorization Code.

Parameters:

• code (string) —

  The authentication code obtained from /authorize

• redirect_uri (string) (defaults to: nil) —

  URL to redirect to after authorization. Required only if it was set at the GET /authorize endpoint

• client_id (string) (defaults to: @client_id) —

  Client ID for the Application

• client_secret (string) (defaults to: @client_secret) —

  Client Secret for the Application.

Returns:

• (AccessToken) —

  Returns the access_token and id_token

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#authorization-code

# File 'lib/auth0/api/authentication_endpoints.rb', line 41

def exchange_auth_code_for_tokens(
  code,
  redirect_uri: nil,
  client_id: @client_id,
  client_secret: @client_secret
)
  raise Auth0::InvalidParameter, 'Must provide an authorization code' if code.to_s.empty?

  request_params = {
    grant_type: 'authorization_code',
    client_id: client_id,
    client_secret: client_secret,
    code: code,
    redirect_uri: redirect_uri
  }
  AccessToken.from_response post('/oauth/token', request_params)
end

#exchange_refresh_token(refresh_token, client_id: @client_id, client_secret: @client_secret) ⇒ AccessToken

Get access and ID tokens using a refresh token.

Parameters:

• refresh_token (string) —

  Refresh token to use. Request this with the offline_access scope when logging in.

• client_id (string) (defaults to: @client_id) —

  Client ID for the Application

• client_secret (string) (defaults to: @client_secret) —

  Client Secret for the Application. Required when the Application’s Token Endpoint Authentication Method is Post or Basic.

Returns:

• (AccessToken) —

  Returns tokens allowed in the refresh_token

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#refresh-token

# File 'lib/auth0/api/authentication_endpoints.rb', line 68

def exchange_refresh_token(
  refresh_token,
  client_id: @client_id,
  client_secret: @client_secret
)
  raise Auth0::InvalidParameter, 'Must provide a refresh token' if refresh_token.to_s.empty?

  request_params = {
    grant_type: 'refresh_token',
    client_id: client_id,
    client_secret: client_secret,
    refresh_token: refresh_token
  }
  AccessToken.from_response post('/oauth/token', request_params)
end

#impersonate(user_id, app_client_id, impersonator_id, options) ⇒ string

Deprecated.

4.5.0 - Feature is disabled.

Retrieve an impersonation URL to login as another user. rubocop:disable Metrics/MethodLength, Metrics/AbcSize

Parameters:

• user_id (string) —

  Impersonate user id

• app_client_id (string) —

  Application client id

• impersonator_id (string) —

  Impersonator user id id.

• options (string) —

  Additional Parameters

Returns:

• (string) —

  Impersonation URL

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#impersonation

# File 'lib/auth0/api/authentication_endpoints.rb', line 468

def impersonate(user_id, app_client_id, impersonator_id, options)
  raise Auth0::InvalidParameter, 'Must supply a valid user_id' if user_id.to_s.empty?
  raise Auth0::InvalidParameter, 'Must supply a valid app_client_id' if app_client_id.to_s.empty?
  raise Auth0::InvalidParameter, 'Must supply a valid impersonator_id' if impersonator_id.to_s.empty?
  raise Auth0::MissingParameter, 'Must supply client_secret' if @client_secret.nil?

  authorization_header obtain_access_token
  request_params = {
    protocol: options.fetch(:protocol, 'oauth2'),
    impersonator_id: impersonator_id,
    client_id: app_client_id,
    additionalParameters: {
      response_type: options.fetch(:response_type, 'code'),
      state: options.fetch(:state, ''),
      scope: options.fetch(:scope, 'openid'),
      callback_url: options.fetch(:callback_url, '')
    }
  }
  result = post("/users/#{user_id}/impersonate", request_params)
  authorization_header @token
  result
end

#login(username, password, id_token = nil, connection_name = UP_AUTH, options = {}) ⇒ json

Deprecated.

4.6.0 - Use the login_with_resource_owner method instead.

Get access and ID tokens using Resource Owner Password.

Parameters:

• username (string) —

  Username or email

• password (string) —

  Password

• id_token (string) (defaults to: nil) —

  Token’s id

• connection_name (string) (defaults to: UP_AUTH) —

  Connection name; use a database or passwordless connection, Active Directory/LDAP, Windows Azure or ADF

• options (hash) (defaults to: {}) —

  Additional options - :scope, :grant_type, :device

Returns:

• (json) —

  Returns the access_token and id_token

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#resource-owner-password

# File 'lib/auth0/api/authentication_endpoints.rb', line 349

def login(username, password, id_token = nil, connection_name = UP_AUTH, options = {})
  raise Auth0::InvalidParameter, 'Must supply a valid username' if username.to_s.empty?
  raise Auth0::InvalidParameter, 'Must supply a valid password' if password.to_s.empty?

  request_params = {
    client_id: @client_id,
    client_secret: @client_secret,
    username: username,
    password: password,
    scope: options.fetch(:scope, 'openid'),
    connection: connection_name,
    grant_type: options.fetch(:grant_type, 'password'),
    id_token: id_token,
    device: options.fetch(:device, nil)
  }
  post('/oauth/token', request_params)
end

#login_with_resource_owner(login_name, password, client_id: @client_id, client_secret: @client_secret, realm: nil, audience: nil, scope: 'openid') ⇒ json

rubocop:disable Metrics/ParameterLists Get access and ID tokens using Resource Owner Password. Requires that your tenant has a Default Audience or Default Directory.

Parameters:

• login_name (string) —

  Email or username for the connection

• password (string) —

  Password

• client_id (string) (defaults to: @client_id) —

  Client ID from Application settings

• client_secret (string) (defaults to: @client_secret) —

  Client Secret from Application settings

• realm (string) (defaults to: nil) —

  Specific realm to authenticate against

• audience (string) (defaults to: nil) —

  API audience

• scope (string) (defaults to: 'openid') —

  Scope(s) requested

  • Include an audience (above) for API access scopes

  • Use the default “openid” for userinfo calls

Returns:

• (json) —

  Returns the access_token and id_token

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#resource-owner-password

# File 'lib/auth0/api/authentication_endpoints.rb', line 98

def login_with_resource_owner(
  login_name,
  password,
  client_id: @client_id,
  client_secret: @client_secret,
  realm: nil,
  audience: nil,
  scope: 'openid'
)

  raise Auth0::InvalidParameter, 'Must supply a valid login_name' if login_name.empty?
  raise Auth0::InvalidParameter, 'Must supply a valid password' if password.empty?

  request_params = {
    username: login_name,
    password: password,
    client_id: client_id,
    client_secret: client_secret,
    realm: realm,
    scope: scope,
    audience: audience,
    grant_type: realm ? 'http://auth0.com/oauth/grant-type/password-realm' : 'password'
  }
  AccessToken.from_response post('/oauth/token', request_params)
end

#logout_url(return_to, include_client: false, federated: false) ⇒ url

Returns an Auth0 logout URL with a return URL.

Parameters:

• return_to (string) —

  URL to redirect after logout.

• include_client (bool) (defaults to: false) —

  Include the client_id in the logout URL.

• federated (boolean) (defaults to: false) —

  Perform a federated logout.

Returns:

• (url) —

  Logout URI

See Also:

• https://auth0.com/docs/api/authentication#logout
• https://auth0.com/docs/logout

# File 'lib/auth0/api/authentication_endpoints.rb', line 247

def logout_url(return_to, include_client: false, federated: false)
  request_params = {
    returnTo: return_to,
    client_id: include_client ? @client_id : nil,
    federated: federated ? '1' : nil
  }

  URI::HTTPS.build(
    host: @domain,
    path: '/v2/logout',
    query: to_query(request_params)
  )
end

#obtain_access_token(access_token = nil, connection = 'facebook', scope = 'openid') ⇒ json

Deprecated.

4.6.0 - Use the api_token method instead.

Retrieve an access token.

Parameters:

• access_token (string) (defaults to: nil) —

  Social provider’s access_token

• connection (string) (defaults to: 'facebook') —

  Currently, this endpoint only works for Facebook, Google, Twitter and Weibo

Returns:

• (json) —

  Returns the access token

See Also:

• https://auth0.com/docs/api/authentication#client-credentials

# File 'lib/auth0/api/authentication_endpoints.rb', line 305

def obtain_access_token(access_token = nil, connection = 'facebook', scope = 'openid')
  if access_token
    request_params = { client_id: @client_id, access_token: access_token, connection: connection, scope: scope }
    post('/oauth/access_token', request_params)['access_token']
  else
    request_params = { client_id: @client_id, client_secret: @client_secret, grant_type: 'client_credentials' }
    post('/oauth/token', request_params)['access_token']
  end
end

#obtain_user_tokens(code, redirect_uri, connection = 'facebook', scope = 'openid') ⇒ json

Deprecated.

4.6.0 - Use the exchange_auth_code_for_tokens method instead.

Get access and ID tokens using an Authorization Code.

Parameters:

• code (string) —

  The access code obtained through passive authentication

• redirect_uri (string) —

  Url to redirect after authorization

• connection (string) (defaults to: 'facebook') —

  Currently, this endpoint only works for Facebook, Google, Twitter and Weibo

• scope (string) (defaults to: 'openid') —

  Defaults to openid. Can be ‘openid name email’, ‘openid offline_access’

Returns:

• (json) —

  Returns the access_token and id_token

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#authorization-code

# File 'lib/auth0/api/authentication_endpoints.rb', line 323

def obtain_user_tokens(code, redirect_uri, connection = 'facebook', scope = 'openid')
  raise Auth0::InvalidParameter, 'Must supply a valid code' if code.to_s.empty?
  raise Auth0::InvalidParameter, 'Must supply a valid redirect_uri' if redirect_uri.to_s.empty?

  request_params = {
    client_id: @client_id,
    client_secret: @client_secret,
    connection: connection,
    grant_type: 'authorization_code',
    code: code,
    scope: scope,
    redirect_uri: redirect_uri
  }
  post('/oauth/token', request_params)
end

#phone_login(phone_number, code, scope = 'openid') ⇒ json

Deprecated.

4.5.0 - Legacy authentication pipeline; use a Password Grant instead - auth0.com/docs/api-auth/tutorials/password-grant

Login using phone number + verification code.

Parameters:

• phone_number (string) —

  User’s phone number.

• code (string) —

  Verification code.

Returns:

• (json) —

  Returns the access token and id token

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#resource-owner

# File 'lib/auth0/api/authentication_endpoints.rb', line 382

def phone_login(phone_number, code, scope = 'openid')
  raise Auth0::InvalidParameter, 'Must supply a valid phone number' if phone_number.to_s.empty?
  raise Auth0::InvalidParameter, 'Must supply a valid code' if code.to_s.empty?

  request_params = {
    client_id: @client_id,
    username: phone_number,
    password: code,
    scope: scope,
    connection: 'sms',
    grant_type: 'password'
  }
  post('/oauth/ro', request_params)
end

#refresh_delegation(refresh_token, target, scope = 'openid', api_type = 'app', extra_parameters = {}) ⇒ json

Deprecated.

4.5.0 - Feature is disabled, no replacement currently; see auth0.com/docs/api-auth/tutorials/adoption/delegation

Refresh a delegation token.

Parameters:

• refresh_token (string) —

  Token to refresh

• target (string) —

  Target to sign the new token.

• scope (string) (defaults to: 'openid') —

  Defaults to openid. Can be ‘openid name email’.

• api_type (string) (defaults to: 'app') —

  Defaults to app. Can be aws, azure_sb, azure_blob, firebase, layer, salesforce_api, salesforce_sandbox_api, sap_api or wams

• extra_parameters (hash) (defaults to: {}) —

  Extra parameters.

Returns:

• (json) —

  Returns the refreshed delegation token

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#delegation

# File 'lib/auth0/api/authentication_endpoints.rb', line 420

def refresh_delegation(refresh_token, target, scope = 'openid', api_type = 'app', extra_parameters = {})
  raise Auth0::InvalidParameter, 'Must supply a valid token to refresh' if refresh_token.to_s.empty?

  request_params = {
    client_id: @client_id,
    grant_type: JWT_BEARER,
    refresh_token: refresh_token,
    target: target,
    api_type: api_type,
    scope: scope
  }.merge(extra_parameters)
  post('/delegation', request_params)
end

#saml_metadata ⇒ xml

Retrive SAML 2.0 metadata XML for an Application.

Returns:

• (xml) —

  SAML 2.0 metadata

See Also:

• https://auth0.com/docs/api/authentication#get-metadata

# File 'lib/auth0/api/authentication_endpoints.rb', line 202

def saml_metadata
  get("/samlp/metadata/#{@client_id}")
end

#samlp_url(connection = UP_AUTH) ⇒ url

Return a SAMLP URL. The SAML Request AssertionConsumerServiceURL will be used to POST back the assertion and it must match with the application callback URL.

Parameters:

• connection (string) (defaults to: UP_AUTH) —

  Connection to use; empty to show all

Returns:

• (url) —

  SAMLP URL

See Also:

• https://auth0.com/docs/api/authentication#accept-request

# File 'lib/auth0/api/authentication_endpoints.rb', line 267

def samlp_url(connection = UP_AUTH)
  request_params = {
    connection: connection
  }
  URI::HTTPS.build(host: @domain, path: "/samlp/#{@client_id}", query: to_query(request_params))
end

#signup(email, password, connection_name = UP_AUTH) ⇒ json

Sign up with a database connection using a username and password.

Parameters:

• email (string) —

  New user’s email

• password (string) —

  New user’s password

• connection_name (string) (defaults to: UP_AUTH) —

  Database connection name

Returns:

• (json) —

  Returns the created user

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#signup

# File 'lib/auth0/api/authentication_endpoints.rb', line 131

def signup(email, password, connection_name = UP_AUTH)
  raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?
  raise Auth0::InvalidParameter, 'Must supply a valid password' if password.to_s.empty?

  request_params = {
    email: email,
    password: password,
    connection: connection_name,
    client_id: @client_id
  }
  post('/dbconnections/signup', request_params)
end

#start_passwordless_email_flow(email, send = 'link', auth_params = {}) ⇒ Object

Start Passwordless email login flow.

Parameters:

• email (string) —

  Email to send a link or code

• send (string) (defaults to: 'link') —

  Pass ‘link’ to send a magic link, ‘code’ to send a code

• auth_params (hash) (defaults to: {}) —

  Append or override the magic link parameters

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#get-code-or-link
• https://auth0.com/docs/connections/passwordless#passwordless-on-regular-web-apps

# File 'lib/auth0/api/authentication_endpoints.rb', line 169

def start_passwordless_email_flow(email, send = 'link', auth_params = {})
  raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?

  request_params = {
    email: email,
    send: send,
    authParams: auth_params,
    connection: 'email',
    client_id: @client_id,
    client_secret: @client_secret
  }
  post('/passwordless/start', request_params)
end

#start_passwordless_sms_flow(phone_number) ⇒ Object

Start Passwordless SMS login flow.

Parameters:

• phone_number (string) —

  User’s phone number.

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#get-code-or-link
• https://auth0.com/docs/connections/passwordless#passwordless-on-regular-web-apps

# File 'lib/auth0/api/authentication_endpoints.rb', line 187

def start_passwordless_sms_flow(phone_number)
  raise Auth0::InvalidParameter, 'Must supply a valid phone number' if phone_number.to_s.empty?

  request_params = {
    phone_number: phone_number,
    connection: 'sms',
    client_id: @client_id,
    client_secret: @client_secret
  }
  post('/passwordless/start', request_params)
end

#token_info(id_token) ⇒ Object

Deprecated.

4.5.0 - Legacy endpoint, use /userinfo instead.

Validate a JSON Web Token (signature and expiration).

Parameters:

• id_token (string) —

  ID Token to use

Returns:

• User information associated with the user id (sub property) of the token.

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#get-token-info

# File 'lib/auth0/api/authentication_endpoints.rb', line 402

def token_info(id_token)
  raise Auth0::InvalidParameter, 'Must supply a valid id_token' if id_token.to_s.empty?

  request_params = { id_token: id_token }
  post('/tokeninfo', request_params)
end

#unlink_user(access_token, user_id) ⇒ Object

Deprecated.

4.5.0 - Endpoint is disabled in favor of the Management API; see auth0.com/docs/migrations/guides/account-linking

Unlink a user’s account from the identity provider.

Parameters:

• access_token (string) —

  Logged-in user access token

• user_id (string) —

  User Id

Raises:

• (Auth0::InvalidParameter)

See Also:

• https://auth0.com/docs/api/authentication#unlink

# File 'lib/auth0/api/authentication_endpoints.rb', line 498

def unlink_user(access_token, user_id)
  raise Auth0::InvalidParameter, 'Must supply a valid access_token' if access_token.to_s.empty?
  raise Auth0::InvalidParameter, 'Must supply a valid user_id' if user_id.to_s.empty?

  request_params = {
    access_token: access_token,
    user_id: user_id
  }
  post('/unlink', request_params)
end

#user_info ⇒ json

Deprecated.

4.6.0 - Use the userinfo method instead.

Return the user information based on the Auth0 access token.

Returns:

• (json) —

  User information based on the Auth0 access token

See Also:

• https://auth0.com/docs/api/authentication#get-user-info

# File 'lib/auth0/api/authentication_endpoints.rb', line 371

def user_info
  get('/userinfo')
end

#userinfo(access_token) ⇒ json

Return the user information based on the Auth0 access token.

Returns:

• (json) —

  User information based on the Auth0 access token

See Also:

• https://auth0.com/docs/api/authentication#get-user-info

# File 'lib/auth0/api/authentication_endpoints.rb', line 216

def userinfo(access_token)
  get('/userinfo', {}, 'Authorization' => "Bearer #{access_token}")
end

#validate_id_token(id_token, algorithm: nil, leeway: 60, nonce: nil, max_age: nil, issuer: nil, audience: nil) ⇒ Object

Validate an ID token (signature and expiration). rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/ParameterLists

Parameters:

• id_token (string) —

  The JWT to validate.

• algorithm (JWKAlgorithm) (defaults to: nil) —

  The expected signing algorithm. Defaults to Auth0::Algorithm::RS256.jwks_url(“YOUR_AUTH0_DOMAIN/.well-known/jwks.json”, lifetime: 10 * 60).

• leeway (integer) (defaults to: 60) —

  The clock skew to accept when verifying date related claims in seconds. Must be a non-negative value. Defaults to *60 seconds*.

• nonce (string) (defaults to: nil) —

  The nonce value sent during authentication.

• max_age (integer) (defaults to: nil) —

  The max_age value sent during authentication. Must be a non-negative value.

• issuer (string) (defaults to: nil) —

  The expected issuer claim value. Defaults to https://YOUR_AUTH0_DOMAIN/.

• audience (string) (defaults to: nil) —

  The expected audience claim value. Defaults to your *Auth0 Client ID*.

See Also:

• https://auth0.com/docs/tokens/guides/validate-id-tokens

# File 'lib/auth0/api/authentication_endpoints.rb', line 524

def validate_id_token(id_token, algorithm: nil, leeway: 60, nonce: nil, max_age: nil, issuer: nil, audience: nil)
  context = {
    issuer: issuer || "https://#{@domain}/",
    audience: audience || @client_id,
    algorithm: algorithm || Auth0::Algorithm::RS256.jwks_url("https://#{@domain}/.well-known/jwks.json"),
    leeway: leeway
  }

  context[:nonce] = nonce unless nonce.nil?
  context[:max_age] = max_age unless max_age.nil?

  Auth0::Mixins::Validation::IdTokenValidator.new(context).validate(id_token)
end

#wsfed_metadata ⇒ xml

Retrieve WS-Federation metadata XML for a tenant.

Returns:

• (xml) —

  WS-Federation metadata

See Also:

• https://auth0.com/docs/api/authentication#get-metadata36

# File 'lib/auth0/api/authentication_endpoints.rb', line 209

def wsfed_metadata
  get('/wsfed/FederationMetadata/2007-06/FederationMetadata.xml')
end

#wsfed_url(connection = UP_AUTH, options = {}) ⇒ url

Return a WS-Federation URL.

Parameters:

• connection (string) (defaults to: UP_AUTH) —

  Connection to use; empty to show all

• options (hash) (defaults to: {}) —

  Extra options; supports wtrealm, wctx, wreply

Returns:

• (url) —

  WS-Federation URL

See Also:

• https://auth0.com/docs/api/authentication#accept-request35

# File 'lib/auth0/api/authentication_endpoints.rb', line 279

def wsfed_url(connection = UP_AUTH, options = {})
  request_params = {
    whr: connection,
    wtrealm: options[:wtrealm],
    wctx: options[:wctx],
    wreply: options[:wreply]
  }

  url_client_id = @client_id unless request_params[:wtrealm]
  URI::HTTPS.build(
    host: @domain,
    path: "/wsfed/#{url_client_id}",
    query: to_query(request_params)
  )
end