Class: OmniAuth::Strategies::OpenIDConnect

Inherits:

Object

• Object
• OmniAuth::Strategies::OpenIDConnect

Extended by:

Forwardable

Includes:

OmniAuth::Strategy

Defined in:

lib/omniauth/strategies/openid_connect.rb

Defined Under Namespace

Classes: CallbackError

Constant Summary

RESPONSE_TYPE_EXCEPTIONS =

{
  'id_token' => { exception_class: OmniAuth::OpenIDConnect::MissingIdTokenError, key: :missing_id_token }.freeze,
  'code' => { exception_class: OmniAuth::OpenIDConnect::MissingCodeError, key: :missing_code }.freeze,
}.freeze

Instance Method Summary

• #authorization_code ⇒ Object
• #authorize_uri ⇒ Object
• #callback_phase ⇒ Object
• #client ⇒ Object
• #config ⇒ Object
• #end_session_uri ⇒ Object
• #other_phase ⇒ Object
• #public_key ⇒ Object
• #request_phase ⇒ Object
• #uid ⇒ Object

Instance Method Details

#authorization_code ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 146

def authorization_code
  params['code']
end

#authorize_uri ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 158

def authorize_uri
  client.redirect_uri = redirect_uri
  opts = {
    response_type: options.response_type,
    response_mode: options.response_mode,
    scope: options.scope,
    state: new_state,
    login_hint: params['login_hint'],
    ui_locales: params['ui_locales'],
    claims_locales: params['claims_locales'],
    prompt: options.prompt,
    nonce: (new_nonce if options.send_nonce),
    hd: options.hd,
    acr_values: options.acr_values,
  }
  client.authorization_uri(opts.reject { |_k, v| v.nil? })
end

#callback_phase ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 108

def callback_phase
  error = params['error_reason'] || params['error']
  error_description = params['error_description'] || params['error_reason']
  invalid_state = params['state'].to_s.empty? || params['state'] != stored_state

  raise CallbackError.new(params['error'], error_description, params['error_uri']) if error
  raise CallbackError, 'Invalid state parameter' if invalid_state

  return unless valid_response_type?

  options.issuer = issuer if options.issuer.nil? || options.issuer.empty?

  verify_id_token!
  discover!
  client.redirect_uri = redirect_uri

  return id_token_callback_phase if configured_response_type == 'id_token'

  client.authorization_code = authorization_code
  access_token
  super
rescue CallbackError, ::Rack::OAuth2::Client::Error => e
  fail!(:invalid_credentials, e)
rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
  fail!(:timeout, e)
rescue ::SocketError => e
  fail!(:failed_to_connect, e)
end

#client ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 94

def client
  @client ||= ::OpenIDConnect::Client.new(client_options)
end

#config ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 98

def config
  @config ||= ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
end

#end_session_uri ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 150

def end_session_uri
  return unless end_session_endpoint_is_valid?

  end_session_uri = URI(client_options.end_session_endpoint)
  end_session_uri.query = encoded_post_logout_redirect_uri
  end_session_uri.to_s
end

#other_phase ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 137

def other_phase
  if logout_path_pattern.match?(current_path)
    options.issuer = issuer if options.issuer.to_s.empty?
    discover!
    return redirect(end_session_uri) if end_session_uri
  end
  call_app!
end

#public_key ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 176

def public_key
  return config.jwks if options.discovery

  key_or_secret
end

#request_phase ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 102

def request_phase
  options.issuer = issuer if options.issuer.to_s.empty?
  discover!
  redirect authorize_uri
end

#uid ⇒ Object

# File 'lib/omniauth/strategies/openid_connect.rb', line 59

def uid
  user_info.public_send(options.uid_field.to_s)
rescue NoMethodError
  log :warn, "User sub:#{user_info.sub} missing info field: #{options.uid_field}"
  user_info.sub
end