Class: OmniAuth::Strategies::Okta

Inherits:

OAuth2

• Object
• OAuth2
• OmniAuth::Strategies::Okta

Defined in:

lib/omniauth/strategies/okta.rb

Constant Summary

DEFAULT_SCOPE =

%{openid profile email}.freeze

Instance Method Summary

• #access_token ⇒ Object
• #authorization_server_audience ⇒ String

  Specifies the audience for the authorization server.

• #authorization_server_path ⇒ String

  Returns the qualified URL for the authorization server.

• #callback_url ⇒ Object
• #client_options ⇒ Object
• #oauth2_access_token ⇒ Object
• #raw_info ⇒ Object
• #validated_token(token) ⇒ Object

Instance Method Details

#access_token ⇒ Object

# File 'lib/omniauth/strategies/okta.rb', line 58

def access_token
  if oauth2_access_token
    ::OAuth2::AccessToken.new(client, oauth2_access_token.token, {
      refresh_token: oauth2_access_token.refresh_token,
      expires_in:    oauth2_access_token.expires_in,
      expires_at:    oauth2_access_token.expires_at
    })
  end
end

#authorization_server_audience ⇒ String

Specifies the audience for the authorization server

By default, this is ‘default’. If using a custom authorization server, this will need to be set

Returns:

• (String)

# File 'lib/omniauth/strategies/okta.rb', line 98

def authorization_server_audience
  client_options.fetch(:audience, 'default')
end

#authorization_server_path ⇒ String

Returns the qualified URL for the authorization server

This is necessary in the case where there is a custom authorization server.

Okta provides a default, by default.

Returns:

• (String)

# File 'lib/omniauth/strategies/okta.rb', line 85

def authorization_server_path
  site                 = client_options.fetch(:site)
  authorization_server = client_options.fetch(:authorization_server, 'default')

  "#{site}/oauth2/#{authorization_server}"
end

#callback_url ⇒ Object

# File 'lib/omniauth/strategies/okta.rb', line 74

def callback_url
  options[:redirect_uri] || (full_host + callback_path)
end

#client_options ⇒ Object

# File 'lib/omniauth/strategies/okta.rb', line 52

def client_options
  options.fetch(:client_options)
end

#oauth2_access_token ⇒ Object

# File 'lib/omniauth/strategies/okta.rb', line 56

alias :oauth2_access_token :access_token

#raw_info ⇒ Object

# File 'lib/omniauth/strategies/okta.rb', line 68

def raw_info
  @_raw_info ||= access_token.get(client_options.fetch(:user_info_url)).parsed || {}
rescue ::Errno::ETIMEDOUT
  raise ::Timeout::Error
end

#validated_token(token) ⇒ Object

# File 'lib/omniauth/strategies/okta.rb', line 102

def validated_token(token)
  JWT.decode(token,
             nil,
             false,
             verify_iss:        true,
             verify_aud:        true,
             iss:               authorization_server_path,
             aud:               authorization_server_audience,
             verify_sub:        true,
             verify_expiration: true,
             verify_not_before: true,
             verify_iat:        true,
             verify_jti:        false,
             leeway:            options[:jwt_leeway]
  ).first
end