Class: OmniAuth::Strategies::Oauth2

Inherits:
OAuth2
  • Object
Defined in:
lib/omniauth/strategies/test_openid_connect.rb


Instance Method Details

#authorize_params ⇒ Object

# Sends the browser to the provider's authorization endpoint.
#
# The redirect URL is built by the OAuth2 client from the strategy's
# callback_url plus whatever is configured in options.authorize_params.
def request_phase
  query = { :redirect_uri => callback_url }.merge(options.authorize_params)
  redirect client.auth_code.authorize_url(query)
end



# File 'lib/omniauth/strategies/test_openid_connect.rb', line 71

# Builds the query parameters for the authorization redirect.
#
# Starts from the OAuth2 strategy's params (super), copies the request
# params listed in options[:passthrough_authorize_options], forces the
# configured scope, and generates a fresh nonce that is both sent to the
# provider and stored in the session so callback_phase can bind the
# returned ID token to this request. Request params listed in
# options[:passthrough_token_options] are parked in the session for
# token_params to pick up later. Blank ("") and absent request params are
# never copied.
#
# @return [Hash] the augmented authorize params
def authorize_params
  # Value of a request param, or nil when it is absent or blank.
  incoming = ->(key) {
    value = request.params[key.to_s]
    value unless [nil, ''].include?(value)
  }

  super.tap do |params|
    options[:passthrough_authorize_options].each do |key|
      value = incoming.call(key)
      params[key] = value unless value.nil?
    end

    params[:scope] = options[:scope]
    # 32 random bytes, hex-encoded; the same value goes to the provider and the session.
    nonce = SecureRandom.hex(32)
    params[:nonce] = nonce
    session['omniauth.nonce'] = nonce

    options[:passthrough_token_options].each do |key|
      value = incoming.call(key)
      session["omniauth.param.#{key}"] = value unless value.nil?
    end
  end
end

#callback_phase ⇒ Object



# File 'lib/omniauth/strategies/test_openid_connect.rb', line 95

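# Completes the login after the provider redirects back to callback_url.
#
# A provider-reported error (error + error_description in the query) is
# redirected straight through. Otherwise the discovery document is loaded,
# the OAuth2 callback (code exchange) runs via super, and the ID token's
# nonce is compared with the one stored in the session by authorize_params.
# The session nonce is consumed on every path through the check — including
# a token that carries no nonce at all — so a stale value can never be
# matched by a later callback.
#
# @return the result of super, or the fail! response on a nonce mismatch
#   (:csrf_detected), a discovery failure or an ID token that cannot be
#   decoded; presumably a Rack response triple in OmniAuth — confirm
def callback_phase
  if request.params["error"] && request.params["error_description"]
    # verbose_log("Error handled, redirecting\n\n#{response.to_yaml}")
    return redirect(response)
  end

  begin
    discover!

    oauth2_callback_phase = super
    return oauth2_callback_phase if env['omniauth.error']

    # Single use: remove the expected nonce before any comparison, even when
    # the token has none, so it cannot linger in the session.
    expected_nonce = session.delete("omniauth.nonce")
    nonce = id_token_info["nonce"]
    if nonce.nil? || nonce.empty? || nonce != expected_nonce
      return fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
    end

    oauth2_callback_phase
  rescue ::OmniAuth::Oauth2::DiscoveryError => e
    fail!(:openid_connect_discovery_error, e)
  rescue JWT::DecodeError => e
    fail!(:jwt_decode_failed, e)
  end
end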

#discover! ⇒ Object

# Hands a debug message to the logger callable configured in
# options.verbose_logger.
#
# @param message [String] text to log
def verbose_log(message)
  logger = options.verbose_logger
  logger.call(message)
end



# File 'lib/omniauth/strategies/test_openid_connect.rb', line 34

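# Loads the provider's OIDC discovery document and copies the endpoints this
# strategy needs into options[:client_options].
#
# authorize_url, token_url and site are filled from authorization_endpoint,
# token_endpoint and issuer. userinfo_endpoint is stored as well, and
# options.use_userinfo is switched off when the document does not advertise
# one. The document is fetched with the OAuth2 client from the URL in
# options[:client_options][:discovery_document] and parsed as JSON.
#
# The debug dump of the whole document to stdout has been removed: it is not
# a logging channel and the document is already available to verbose_log.
#
# @raise [::OmniAuth::Oauth2::DiscoveryError] when any of the three required
#   parameters is absent or blank
def discover!
  # verbose_log("Fetching discovery document from #{options[:client_options][:discovery_document]}")
  discovery_document = client.request(:get, options[:client_options][:discovery_document], parse: :json).parsed
  # verbose_log("Discovery document loaded\n\n#{discovery_document.to_yaml}")

  # NOTE(review): the issuer value is taken from the document as-is and later
  # becomes the expected `iss` of the ID token; OIDC Discovery expects it to be
  # compared with the issuer the document was fetched for — confirm that the
  # discovery_document URL is pinned to the intended issuer in configuration.
  discovery_params = {
    authorize_url: "authorization_endpoint",
    token_url: "token_endpoint",
    site: "issuer"
  }

  discovery_params.each do |internal_key, external_key|
    # to_s turns a missing key into "", so one empty? check covers both cases.
    val = discovery_document[external_key].to_s
    raise ::OmniAuth::Oauth2::DiscoveryError, "missing discovery parameter #{external_key}" if val.empty?
    options[:client_options][internal_key] = val
  end

  userinfo_endpoint = options[:client_options][:userinfo_endpoint] = discovery_document["userinfo_endpoint"].to_s
  options.use_userinfo = false if userinfo_endpoint.empty?
end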

#id_token_info ⇒ Object



# File 'lib/omniauth/strategies/test_openid_connect.rb', line 118

# Decodes the ID token from the access token response and checks its claims.
#
# The signature is not verified: the token was obtained over a direct
# server-to-server connection to the issuer's token endpoint. The claim
# checks are therefore the only integrity the token gets — iss must equal
# the discovered site, aud must equal options.client_id, and exp/nbf are
# enforced; sub, iat and jti are not checked here.
#
# NOTE(review): this rationale holds only while the token endpoint is reached
# over TLS with certificate verification enabled on the client — confirm.
#
# The result is memoized, so callback_phase and userinfo_response share one
# decode and one verification.
#
# @return [Hash] the verified claims
# @raise [JWT::DecodeError] if the token cannot be decoded
def id_token_info
  return @id_token_info if @id_token_info

  claims = JWT.decode(access_token['id_token'], nil, false).first
  # verbose_log("Loaded JWT\n\n#{claims.to_yaml}")
  checks = {
    verify_iss: true,
    iss: options[:client_options][:site],
    verify_aud: true,
    aud: options.client_id,
    verify_sub: false,
    verify_expiration: true,
    verify_not_before: true,
    verify_iat: false,
    verify_jti: false
  }
  JWT::Verify.verify_claims(claims, **checks)
  # verbose_log("Verified JWT\n\n#{claims.to_yaml}")

  @id_token_info = claims
end

#request_phase ⇒ Object



# File 'lib/omniauth/strategies/test_openid_connect.rb', line 57

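# Loads the discovery document, then starts the OAuth2 request phase.
#
# When discovery fails the fail! response is returned immediately. The
# previous version fell through to super after fail!, so the redirect to the
# provider was still attempted with incomplete client_options; this mirrors
# the early return callback_phase already does.
#
# @return the result of super, or the fail! response on a discovery error
def request_phase
  begin
    discover!
  rescue ::OmniAuth::Oauth2::DiscoveryError => e
    return fail!(:openid_connect_discovery_error, e)
  end

  super
end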

#token_params ⇒ Object



# File 'lib/omniauth/strategies/test_openid_connect.rb', line 86

# Parameters for the token request.
#
# Takes the OAuth2 strategy's params (super) and adds every value that
# authorize_params parked in the session under "omniauth.param.<key>" for
# the keys in options[:passthrough_token_options]. Each session entry is
# removed as it is read; absent or blank values are not added.
#
# @return [Hash] the merged token params
def token_params
  parked = options[:passthrough_token_options].each_with_object({}) do |key, acc|
    value = session.delete("omniauth.param.#{key}")
    acc[key] = value unless [nil, ''].include?(value)
  end
  super.merge(parked)
end

#userinfo_response ⇒ Object



# File 'lib/omniauth/strategies/test_openid_connect.rb', line 142

# Fetches the userinfo document with the access token and checks that it
# belongs to the same subject as the ID token.
#
# The response is memoized in @raw_info. A userinfo "sub" that differs from
# id_token_info["sub"] is reported through fail!(:csrf_detected) rather than
# returned, so callers never see claims for a different user.
#
# @return [Hash] the parsed userinfo response, or the fail! response on a
#   subject mismatch
def userinfo_response
  @raw_info ||= access_token.get(options[:client_options][:userinfo_endpoint]).parsed
  # verbose_log("Fetched userinfo response\n\n#{@raw_info.to_yaml}")

  return @raw_info if @raw_info['sub'] == id_token_info['sub']

  fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
end