Class: OmniAuth::Strategies::OpenIDConnect

Inherits:

Object

• Object
• OmniAuth::Strategies::OpenIDConnect

Extended by:

Forwardable

Includes:

OmniAuth::Strategy

Defined in:

lib/omniauth/strategies/openid_connect.rb

Defined Under Namespace

Classes: CallbackError

Constant Summary

RESPONSE_TYPE_EXCEPTIONS =

{
  'id_token' => { exception_class: OmniAuth::OpenIDConnect::MissingIdTokenError, key: :missing_id_token }.freeze,
  'code' => { exception_class: OmniAuth::OpenIDConnect::MissingCodeError, key: :missing_code }.freeze,
}.freeze

Instance Method Summary

• #authorization_code ⇒ Object
• #authorize_uri ⇒ Object
• #callback_phase ⇒ Object
• #client ⇒ Object
• #config ⇒ Object
• #end_session_uri ⇒ Object
• #other_phase ⇒ Object
• #pkce_authorize_params ⇒ Object
• #pkce_token_params ⇒ Object
• #public_key ⇒ Object
• #request_phase ⇒ Object
• #uid ⇒ Object

Instance Method Details

#authorization_code ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 158

def authorization_code
  params['code']
end

#authorize_uri ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 170

def authorize_uri
  client.redirect_uri = redirect_uri
  opts = {
    response_type: options.response_type,
    response_mode: options.response_mode,
    scope: options.scope,
    state: new_state,
    login_hint: params['login_hint'],
    ui_locales: params['ui_locales'],
    claims_locales: params['claims_locales'],
    prompt: options.prompt,
    nonce: (new_nonce if options.send_nonce),
    hd: options.hd,
    acr_values: options.acr_values,
  }

  opts.merge!(options.extra_authorize_params) unless options.extra_authorize_params.empty?

  if options.pkce
    opts.merge!(pkce_authorize_params)
    session["omniauth.pkce.verifier"] = options.pkce_verifier
  end

  options.allow_authorize_params.each do |key|
    opts[key] = request.params[key.to_s] unless opts.key?(key)
  end

  client.authorization_uri(opts.reject { |_k, v| v.nil? })
end

#callback_phase ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 118

def callback_phase
  error = params['error_reason'] || params['error']
  error_description = params['error_description'] || params['error_reason']
  invalid_state = params['state'].to_s.empty? || params['state'] != stored_state

  raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
  raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state

  return unless valid_response_type?

  options.issuer = issuer if options.issuer.nil? || options.issuer.empty?

  verify_id_token!(params['id_token']) if configured_response_type == 'id_token'
  discover!
  client.redirect_uri = redirect_uri

  return id_token_callback_phase if configured_response_type == 'id_token'

  client.authorization_code = authorization_code
  access_token
  super
rescue CallbackError => e
  fail!(e.error, e)
rescue ::Rack::OAuth2::Client::Error => e
  fail!(e.response[:error], e)
rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
  fail!(:timeout, e)
rescue ::SocketError => e
  fail!(:failed_to_connect, e)
end

#client ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 104

def client
  @client ||= ::OpenIDConnect::Client.new(client_options)
end

#config ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 108

def config
  @config ||= ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
end

#end_session_uri ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 162

def end_session_uri
  return unless end_session_endpoint_is_valid?

  end_session_uri = URI(client_options.end_session_endpoint)
  end_session_uri.query = encoded_post_logout_redirect_uri
  end_session_uri.to_s
end

#other_phase ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 149

def other_phase
  if logout_path_pattern.match?(current_path)
    options.issuer = issuer if options.issuer.to_s.empty?
    discover!
    return redirect(end_session_uri) if end_session_uri
  end
  call_app!
end

#pkce_authorize_params ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 206

def pkce_authorize_params
  options.pkce_verifier = SecureRandom.hex(64) if options.pkce_verifier.nil?

  # NOTE: see https://tools.ietf.org/html/rfc7636#appendix-A
  {
    :code_challenge => options.pkce_options[:code_challenge].call(options.pkce_verifier),
    :code_challenge_method => options.pkce_options[:code_challenge_method],
  }
end

#pkce_token_params ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 216

def pkce_token_params
  return {} unless options.pkce

  {:code_verifier => session.delete("omniauth.pkce.verifier")}
end

#public_key ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 200

def public_key
  return config.jwks if options.discovery

  key_or_secret
end

#request_phase ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 112

def request_phase
  options.issuer = issuer if options.issuer.to_s.empty?
  discover!
  redirect authorize_uri
end

#uid ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 72

def uid
  user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
end