OmniAuth Okta OAuth2 Strategy
Strategy to authenticate with Okta via OAuth2 in OmniAuth.
This strategy uses Okta's OpenID Connect API with OAuth2. See their developer docs for more details.
Installation
Add this line to your application's Gemfile:
gem 'omniauth-okta'
And then execute:
$ bundle install
Or install it yourself as:
$ gem install omniauth-okta
OmniAuth
Here's an example for adding the middleware to a Rails app in config/initializers/omniauth.rb:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {
client_options: {
site: 'https://your-org.okta.com',
authorization_server: '<authorization_server>',
authorize_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/authorize',
token_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/token',
user_info_url: 'https://your-org.okta.com/oauth2/<authorization_server>/v1/userinfo',
audience: 'api://your-audience'
}
}
end
Devise
First define your application id and secret in config/initializers/devise.rb.
Configuration options can be passed as the last parameter here as key/value pairs.
config.omniauth :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {}
or add options like the following:
require 'omniauth-okta'
config.omniauth(:okta,
ENV['OKTA_CLIENT_ID'],
ENV['OKTA_CLIENT_SECRET'],
scope: 'openid profile email',
fields: ['profile', 'email'],
client_options: {
site: 'https://your-org.okta.com',
authorize_url: 'https://your-org.okta.com/oauth2/default/v1/authorize',
token_url: 'https://your-org.okta.com/oauth2/default/v1/token',
user_info_url: 'https://your-org.okta.com/oauth2/default/v1/userinfo',
},
strategy_class: OmniAuth::Strategies::Okta)
Then add the following to 'config/routes.rb' so the callback routes are defined.
devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
Make sure your model is omniauthable. Generally this is "/app/models/user.rb"
devise :omniauthable, omniauth_providers: [:okta]
Auth Hash
Here's an example of an authentication hash available in the callback by accessing request.env['omniauth.auth']:
{
"provider" => "okta",
"uid" => "0000000000000001",
"info" => {
"name" => "John Smith",
"email" => "[email protected]",
"first_name" => "John",
"last_name" => "Smith",
"image" => "https://photohosting.com/john.jpg"
},
"credentials" => {
"token" => "TOKEN",
"expires_at" => 1496617411,
"expires" => true
},
"extra" => {
"raw_info" => {
"sub" => "0000000000000001",
"name" => "John Smith",
"locale" => "en-US",
"email" => "[email protected]",
"picture" => "https://photohosting.com/john.jpg",
"website" => "https://example.com",
"preferred_username" => "[email protected]",
"given_name" => "John",
"family_name" => "Smith",
"zoneinfo" => "America/Los_Angeles",
"updated_at" => 1496611646,
"email_verified" => true
},
"id_token" => "TOKEN",
"id_info" => {
"ver" => 1,
"jti" => "AT.D2sslkfjdsldjf899n090sldkfj",
"iss" => "https://your-org.okta.com",
"aud" => "https://your-org.okta.com",
"sub" => "[email protected]",
"iat" => 1496613811,
"exp" => 1496617411,
"cid" => "CLIENT_ID",
"uid" => "0000000000000001",
"scp" => ["email", "profile", "openid"]
}
}
}
Contributing
- Fork it
- Create your feature branch (
git checkout -b my-new-feature) - Commit your changes (
git commit -am 'Add some feature') - Push to the branch (
git push origin my-new-feature) - Create new Pull Request
License
The gem is available as open source under the terms of the MIT License.