Class: OmniAuth::Strategies::KeycloakOpenId

Inherits:
OAuth2
  • Object
Defined in:
lib/omniauth/strategies/keycloak-openid.rb

Defined Under Namespace

Classes: ConfigurationError, Error, IntegrationError


Instance Attribute Details

#authorize_url ⇒ Object (readonly)

Returns the value of attribute authorize_url.



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 14

# Path component of the realm's authorization endpoint as taken from the
# OpenID discovery document in #setup_phase; nil until discovery has run
# successfully (it is skipped in OmniAuth test mode).
# @return [String, nil]
def authorize_url
  @authorize_url
end

#certs ⇒ Object (readonly)

Returns the value of attribute certs.



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 16

# The raw "keys" array of the realm's JWKS, fetched from the discovery
# document's jwks_uri in #setup_phase and used by #raw_info to verify token
# signatures. nil when the JWKS request failed and raise_on_failure was off.
# @return [Array<Hash>, nil]
def certs
  @certs
end

#token_url ⇒ Object (readonly)

Returns the value of attribute token_url.



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 15

# Path component of the realm's token endpoint as taken from the OpenID
# discovery document in #setup_phase; nil until discovery has run
# successfully (it is skipped in OmniAuth test mode).
# @return [String, nil]
def token_url
  @token_url
end

Instance Method Details

#auth_url_base ⇒ Object

Raises:



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 68

# Path prefix under which Keycloak serves its realms, used when building the
# discovery URL. Defaults to "/auth" (the classic Keycloak layout) when
# client_options[:base_url] is not set; an explicit "" means Keycloak is
# served at the site root.
# @return [String] "/auth", "" or the configured base_url
# @raise [ConfigurationError] when base_url is set but does not start with "/"
def auth_url_base
  base_url = options.client_options[:base_url]
  return '/auth' unless base_url
  return base_url if base_url == '' || base_url[0] == '/'

  raise ConfigurationError, "Keycloak base_url option should start with '/'. Current value: #{base_url}"
end

#build_access_token ⇒ Object



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 93

# Exchanges the authorization code from the callback request for a token.
# The redirect_uri sent with the exchange is the callback URL with any query
# string stripped, so it matches the value used in the authorization request
# rather than the callback URL that now carries ?code=... and friends.
# @return [OAuth2::AccessToken] whatever client.auth_code.get_token returns
def build_access_token
  code = request.params["code"]
  redirect_uri = callback_url.gsub(/\?.+\Z/, "")
  token_opts = { :redirect_uri => redirect_uri }
               .merge(token_params.to_hash(:symbolize_keys => true))
  client.auth_code.get_token(code, token_opts, deep_symbolize(options.auth_token_params))
end

#log_config(config_json) ⇒ Object



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 83

# Emits debug log lines describing the discovered Keycloak endpoints.
# The full discovery document is only logged when client_options opts in via
# :log_keycloak_config, so it stays out of logs by default.
# @param config_json [Hash] the parsed OpenID discovery document
def log_config(config_json)
  verbose = options.client_options.fetch(:log_keycloak_config, false)
  log(:debug, "Successfully got Keycloak config")
  log(:debug, "Keycloak config: #{config_json}") if verbose
  debug_endpoint = ->(label, value) { log(:debug, "#{label}: #{value}") }
  debug_endpoint.call("Certs endpoint", @certs_endpoint)
  debug_endpoint.call("Userinfo endpoint", @userinfo_endpoint)
  debug_endpoint.call("Authorize url", @authorize_url)
  debug_endpoint.call("Token url", @token_url)
end

#prevent_site_option_mistake ⇒ Object

Raises:



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 76

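# Rejects a client_options[:site] that already ends in "/auth", because
# #auth_url_base appends that prefix itself when the discovery URL is built.
# Matches on the end of the whole string (the previous regex anchored on
# line end with "$", which also accepted a trailing newline) and tolerates a
# nil or non-String site by stringifying it.
# @return [nil]
# @raise [ConfigurationError] when the configured site ends with "/auth"
def prevent_site_option_mistake
  site = options.client_options[:site]
  return unless site.to_s.end_with?('/auth')

  raise ConfigurationError, "Keycloak site parameter should not include /auth part, only domain. Current value: #{site}"
end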

#raw_info ⇒ Object



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 124

# Decodes the access token string as a JWT, verifying it against the realm's
# JWKS (@certs) fetched in #setup_phase, and returns the decoded token.
# NOTE(review): only whatever JSON::JWT.decode verifies is verified here;
# no explicit exp/iss/aud claim checks are visible in this block — confirm the
# gem's behaviour or add them in the caller. @certs is nil when the JWKS
# request failed with raise_on_failure off, so decoding then cannot succeed.
# @return [JSON::JWT] the decoded (and signature-verified) token
def raw_info
  token_string = access_token.token
  key_set = JSON::JWK::Set.new(@certs)
  JSON::JWT.decode(token_string, key_set)
end

#request_phase ⇒ Object



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 101

# Copies the request's query parameters into the strategy options for every
# key listed in options.authorize_options, then hands off to the OAuth2
# request phase. Only whitelisted keys are copied, so arbitrary request
# parameters do not reach the options; a listed key that is absent from the
# request sets the option to nil (presumably overriding any configured value
# — verify against the OAuth2 superclass before relying on defaults).
def request_phase
  options.authorize_options.each do |key|
    options[key] = request.params[key.to_s]
  end
  super
end

#setup_phase ⇒ Object



# File 'lib/omniauth/strategies/keycloak-openid.rb', line 18

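# Discovers the Keycloak OpenID endpoints for the configured realm and caches
# them on the instance (and in options.client_options) for the OAuth2 flow.
#
# Discovery is skipped when both @authorize_url and @token_url are already
# known, or when OmniAuth.config.test_mode is set. Otherwise, in order:
# 1. #prevent_site_option_mistake rejects a site that already ends in /auth.
# 2. GET <site><auth_url_base>/realms/<realm>/.well-known/openid-configuration
#    (realm falls back to options.client_id when client_options[:realm] is nil).
# 3. On HTTP 200, record jwks_uri, userinfo_endpoint and the path part of
#    authorization_endpoint / token_endpoint, then GET the JWKS into @certs.
#
# The discovery document is trusted as-is: its jwks_uri is what #raw_info
# later verifies token signatures against, and nothing here compares the
# document's issuer or endpoint hosts with the configured site/realm.
#
# @raise [ConfigurationError] from the option sanity checks (always)
# @raise [IntegrationError] when a request does not yield a usable 200 response
#   and client_options[:raise_on_failure] is true; otherwise the failure is
#   only logged and the endpoints stay nil, so discovery runs again on the
#   next request
def setup_phase
  super

  # NOTE(review): transport and parse errors (Faraday errors, JSON::ParserError)
  # are not rescued here and propagate regardless of raise_on_failure.
  return unless (@authorize_url.nil? || @token_url.nil?) && !OmniAuth.config.test_mode

  prevent_site_option_mistake

  realm = options.client_options[:realm]
  realm = options.client_id if realm.nil?
  site = options.client_options[:site]
  raise_on_failure = options.client_options.fetch(:raise_on_failure, false)

  # URI.join raises if site is nil/unparseable; that is a configuration error.
  config_url = URI.join(site, "#{auth_url_base}/realms/#{realm}/.well-known/openid-configuration")
  load_keycloak_configuration(config_url, raise_on_failure)
end

# Fetches the OpenID discovery document from config_url and, on success,
# records the endpoints and fetches the realm's JWKS.
# Sets @certs_endpoint, @userinfo_endpoint, @authorize_url and @token_url and
# mirrors the last two into options.client_options.
# @param config_url [URI] discovery document URL
# @param raise_on_failure [Boolean] raise IntegrationError instead of only logging
private def load_keycloak_configuration(config_url, raise_on_failure)
  log :debug, "Going to get Keycloak configuration. URL: #{config_url}"
  response = Faraday.get config_url
  unless response.status == 200
    message = "Keycloak configuration request failed with status: #{response.status}. " \
              "URL: #{config_url}"
    log :error, message
    raise IntegrationError, message if raise_on_failure
    return
  end

  json = JSON.parse(response.body)
  @certs_endpoint = json["jwks_uri"]
  @userinfo_endpoint = json["userinfo_endpoint"]
  # Only the path is kept; presumably the OAuth2 client resolves it against
  # client_options[:site] — confirm in the superclass.
  @authorize_url = URI(json["authorization_endpoint"]).path
  @token_url = URI(json["token_endpoint"]).path

  log_config(json)

  options.client_options.merge!(authorize_url: @authorize_url, token_url: @token_url)
  load_keycloak_certs(raise_on_failure)
end

# Fetches the JWKS from @certs_endpoint into @certs (the raw "keys" array).
# A 200 response whose body has no "keys" member is treated as a failure
# instead of crashing on @certs.length.
# @param raise_on_failure [Boolean] raise IntegrationError instead of only logging
private def load_keycloak_certs(raise_on_failure)
  log :debug, "Going to get certificates. URL: #{@certs_endpoint}"
  certs = Faraday.get @certs_endpoint
  keys = JSON.parse(certs.body)["keys"] if certs.status == 200
  if keys
    @certs = keys
    log :debug, "Successfully got certificate. Certificate length: #{@certs.length}"
  else
    message = "Couldn't get certificate. URL: #{@certs_endpoint}"
    log :error, message
    raise IntegrationError, message if raise_on_failure
  end
end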