Class: CF::UAA::TokenIssuer

Inherits:

Object

• Object
• CF::UAA::TokenIssuer

Includes:

Http

Defined in:

lib/uaa/token_issuer.rb

Overview

Client Apps that want to get access to resource servers on behalf of their users need to get tokens via authcode and implicit flows, request scopes, etc., but they don’t need to process tokens. This class is for these use cases.

In general most of this class is an implementation of the client pieces of the OAuth2 protocol. See http://tools.ietf.org/html/rfc6749

Constant Summary

Constants included from Http

Http::FORM_UTF8, Http::JSON_UTF8

Instance Method Summary

• #authcode_grant(authcode_uri, callback_query) ⇒ TokenInfo

  Uses the instance client credentials in addition to callback_query to get a token via the authorization code grant.

• #authcode_uri(redirect_uri, scope = nil) ⇒ String

  Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.

• #autologin_uri(redirect_uri, credentials, scope = nil) ⇒ String

  A UAA extension to OAuth2 that allows a client to pre-authenticate a user at the start of an authorization code flow.

• #client_credentials_grant(scope = nil) ⇒ TokenInfo

  Uses the instance client credentials to get a token with a client credentials grant.

• #get_challenge ⇒ Object

  Calculates the challenge from code_verifier.

• #get_verifier ⇒ Object

  Generates a random verifier for PKCE usage.

• #implicit_grant(implicit_uri, callback_fragment) ⇒ TokenInfo

  Gets a token via an implicit grant.

• #implicit_grant_with_creds(credentials, scope = nil) ⇒ TokenInfo

  Gets an access token in a single call to the UAA with the user credentials used for authentication.

• #implicit_uri(redirect_uri, scope = nil) ⇒ String

  Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.

• #initialize(target, client_id, client_secret = nil, options = {}) ⇒ TokenIssuer constructor

  A new instance of TokenIssuer.

• #owner_password_credentials_grant(credentials) ⇒ TokenInfo

  Gets an access token with the user credentials used for authentication via the owner password grant.

• #owner_password_grant(username, password, scope = nil) ⇒ TokenInfo

  Uses the instance client credentials in addition to the username and password to get a token via the owner password grant.

• #passcode_grant(passcode, scope = nil) ⇒ TokenInfo

  Uses a one-time passcode obtained from the UAA to get a token.

• #prompts ⇒ Hash

  Allows an app to discover what credentials are required for #implicit_grant_with_creds.

• #refresh_token_grant(refresh_token, scope = nil) ⇒ TokenInfo

  Uses the instance client credentials and the given refresh_token to get a new access token.

Methods included from Http

basic_auth, #initialize_http_options, #logger, #logger=, #set_request_handler, #trace?

Constructor Details

#initialize(target, client_id, client_secret = nil, options = {}) ⇒ TokenIssuer

Returns a new instance of TokenIssuer.

Parameters:

• target (String) —

  The base URL of a UAA’s oauth authorize endpoint. For example the target would be https://login.cloudfoundry.com if the endpoint is https://login.cloudfoundry.com/oauth/authorize. The target would be http://localhost:8080/uaa if the endpoint is http://localhost:8080/uaa/oauth/authorize.

• client_id (String) —

  The oauth2 client id, see http://tools.ietf.org/html/rfc6749#section-2.2

• client_secret (String) (defaults to: nil) —

  Needed to authenticate the client for all grant types except implicit.

• options (Hash) (defaults to: {}) —

  can be

  • :token_target, the base URL of the oauth token endpoint – if not specified, target is used.

  • :symbolize_keys, if true, returned hash keys are symbols.

# File 'lib/uaa/token_issuer.rb', line 130

def initialize(target, client_id, client_secret = nil, options = {})
  @target, @client_id, @client_secret = target, client_id, client_secret
  @token_target = options[:token_target] || target
  @key_style = options[:symbolize_keys] ? :sym : nil
  @basic_auth = options[:basic_auth] == true ? true : false
  @client_auth_method = options[:client_auth_method] || 'client_secret_basic'
  @code_verifier = options[:code_verifier] || nil
  if @code_verifier.nil? && options[:use_pkce] && options[:use_pkce] == true
    @code_verifier = get_verifier
  end
  initialize_http_options(options)
end

Instance Method Details

#authcode_grant(authcode_uri, callback_query) ⇒ TokenInfo

Uses the instance client credentials in addition to callback_query to get a token via the authorization code grant.

Parameters:

• authcode_uri (String) —

  must be from a previous call to #authcode_uri and contains state used to validate the contents of the reply from the server.

• callback_query (String) —

  must be the query portion of the URL received by the client after the user’s browser is redirected back from the server. It contains the authorization code.

Returns:

• (TokenInfo)

See Also:

• http://tools.ietf.org/html/rfc6749#section-4.1

# File 'lib/uaa/token_issuer.rb', line 247

def authcode_grant(authcode_uri, callback_query)
  ac_params = Util.decode_form(URI.parse(authcode_uri).query)
  unless ac_params['state'] && ac_params['redirect_uri']
    raise ArgumentError, "authcode redirect must happen before authcode grant"
  end
  begin
    params = Util.decode_form(callback_query)
    authcode = params['code']
    raise BadResponse unless params['state'] == ac_params['state'] && authcode
  rescue URI::InvalidURIError, ArgumentError, BadResponse
    raise BadResponse, "received invalid response from target #{@target}"
  end
  if not @code_verifier.nil?
    request_token(grant_type: 'authorization_code', code: authcode,
        redirect_uri: ac_params['redirect_uri'], code_verifier: @code_verifier)
  else
    request_token(grant_type: 'authorization_code', code: authcode,
                  redirect_uri: ac_params['redirect_uri'])
  end
end

#authcode_uri(redirect_uri, scope = nil) ⇒ String

Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.

Parameters:

• redirect_uri (String) —

  is embedded in the returned uri so the server can redirect the user back to the caller’s endpoint.

Returns:

• (String) —

  uri which

# File 'lib/uaa/token_issuer.rb', line 233

def authcode_uri(redirect_uri, scope = nil)
  @target + authorize_path_args('code', redirect_uri, scope)
end

#autologin_uri(redirect_uri, credentials, scope = nil) ⇒ String

A UAA extension to OAuth2 that allows a client to pre-authenticate a user at the start of an authorization code flow. By passing in the user’s credentials the server can establish a session with the user’s browser without reprompting for authentication. This is useful for user account management apps so that they can create a user account, or reset a password for the user, without requiring the user to type in their credentials again.

Parameters:

• credentials (String) —

  (see #implicit_grant_with_creds)

• redirect_uri (String) —

  (see #authcode_uri)

Returns:

• (String) —

  uri which

Raises:

• (BadResponse)

# File 'lib/uaa/token_issuer.rb', line 218

def autologin_uri(redirect_uri, credentials, scope = nil)
  headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8,
      'authorization' => Http.basic_auth(@client_id, @client_secret) }
  body = Util.encode_form(credentials)
  reply = json_parse_reply(nil, *request(@target, :post, "/autologin", body, headers))
  raise BadResponse, "no autologin code in reply" unless reply['code']
  @target + authorize_path_args('code', redirect_uri, scope,
      random_state, code: reply['code'])
end

#client_credentials_grant(scope = nil) ⇒ TokenInfo

Uses the instance client credentials to get a token with a client credentials grant. See tools.ietf.org/html/rfc6749#section-4.4

Returns:

• (TokenInfo)

# File 'lib/uaa/token_issuer.rb', line 313

def client_credentials_grant(scope = nil)
  request_token(grant_type: 'client_credentials', scope: scope)
end

#get_challenge ⇒ Object

Calculates the challenge from code_verifier

# File 'lib/uaa/token_issuer.rb', line 278

def get_challenge
  @challenge ||= Digest::SHA256.base64digest(get_verifier).tr("+/", "-_").tr("=", "")
end

#get_verifier ⇒ Object

Generates a random verifier for PKCE usage

# File 'lib/uaa/token_issuer.rb', line 269

def get_verifier
  if not @code_verifier.nil?
    @verifier = @code_verifier
  else
    @verifier ||= SecureRandom.base64(96).tr("+/", "-_").tr("=", "")
  end
end

#implicit_grant(implicit_uri, callback_fragment) ⇒ TokenInfo

Gets a token via an implicit grant.

Parameters:

• implicit_uri (String) —

  must be from a previous call to #implicit_uri, contains state used to validate the contents of the reply from the server.

• callback_fragment (String) —

  must be the fragment portion of the URL received by the user’s browser after the server redirects back to the redirect_uri that was given to #implicit_uri. How the application gets the contents of the fragment is application specific – usually some javascript in the page at the redirect_uri.

Returns:

• (TokenInfo)

See Also:

• http://tools.ietf.org/html/rfc6749#section-4.2

# File 'lib/uaa/token_issuer.rb', line 200

def implicit_grant(implicit_uri, callback_fragment)
  in_params = Util.decode_form(URI.parse(implicit_uri).query)
  unless in_params['state'] && in_params['redirect_uri']
    raise ArgumentError, "redirect must happen before implicit grant"
  end
  parse_implicit_params(callback_fragment, in_params['state'])
end

#implicit_grant_with_creds(credentials, scope = nil) ⇒ TokenInfo

Gets an access token in a single call to the UAA with the user credentials used for authentication.

Parameters:

• credentials —

  should be an object such as a hash that can be converted to a json representation of the credential name/value pairs corresponding to the keys retrieved by #prompts.

Returns:

• (TokenInfo)

# File 'lib/uaa/token_issuer.rb', line 159

def implicit_grant_with_creds(credentials, scope = nil)
  # this manufactured redirect_uri is a convention here, not part of OAuth2
  redir_uri = "https://uaa.cloudfoundry.com/redirect/#{@client_id}"
  response_type = "token"
  response_type = "#{response_type} id_token" if scope && (scope.include? "openid")
  uri = authorize_path_args(response_type, redir_uri, scope, state = random_state)

  # the accept header is only here so the uaa will issue error replies in json to aid debugging
  headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8 }
  body = Util.encode_form(credentials.merge(source: 'credentials'))
  status, body, headers = request(@target, :post, uri, body, headers)
  raise BadResponse, "status #{status}" unless status == 302
  req_uri, reply_uri = URI.parse(redir_uri), URI.parse(headers['location'])
  fragment, reply_uri.fragment = reply_uri.fragment, nil
  raise BadResponse, "bad location header" unless req_uri == reply_uri
  parse_implicit_params(fragment, state)
rescue URI::Error => e
  raise BadResponse, "bad location header in reply: #{e.message}"
end

#implicit_uri(redirect_uri, scope = nil) ⇒ String

Constructs a uri that the client is to return to the browser to direct the user to the authorization server to get an authcode.

Parameters:

• redirect_uri (String) —

  (see #authcode_uri)

Returns:

• (String)

# File 'lib/uaa/token_issuer.rb', line 183

def implicit_uri(redirect_uri, scope = nil)
  response_type = "token"
  response_type = "#{response_type} id_token" if scope && (scope.include? "openid")
  @target + authorize_path_args(response_type, redirect_uri, scope)
end

#owner_password_credentials_grant(credentials) ⇒ TokenInfo

Gets an access token with the user credentials used for authentication via the owner password grant. See http://tools.ietf.org/html/rfc6749#section-4.3.

Parameters:

• credentials —

  should be an object such as a hash that can be converted to a json representation of the credential name/value pairs corresponding to the keys retrieved by #prompts.

Returns:

• (TokenInfo)

# File 'lib/uaa/token_issuer.rb', line 305

def owner_password_credentials_grant(credentials)
  credentials[:grant_type] = 'password'
  request_token(credentials)
end

#owner_password_grant(username, password, scope = nil) ⇒ TokenInfo

Uses the instance client credentials in addition to the username and password to get a token via the owner password grant. See http://tools.ietf.org/html/rfc6749#section-4.3.

Returns:

• (TokenInfo)

# File 'lib/uaa/token_issuer.rb', line 286

def owner_password_grant(username, password, scope = nil)
  request_token(grant_type: 'password', username: username,
      password: password, scope: scope)
end

#passcode_grant(passcode, scope = nil) ⇒ TokenInfo

Uses a one-time passcode obtained from the UAA to get a token.

Returns:

• (TokenInfo)

# File 'lib/uaa/token_issuer.rb', line 294

def passcode_grant(passcode, scope = nil)
  request_token(grant_type: 'password', passcode: passcode, scope: scope)
end

#prompts ⇒ Hash

Allows an app to discover what credentials are required for #implicit_grant_with_creds.

Returns:

• (Hash) —

  of credential names with type and suggested prompt value, e.g. {“username”:,“password”:}

Raises:

• (BadResponse)

# File 'lib/uaa/token_issuer.rb', line 147

def prompts
  reply = json_get(@target, '/login')
  return reply[jkey :prompts] if reply && reply[jkey :prompts]
  raise BadResponse, "No prompts in response from target #{@target}"
end

#refresh_token_grant(refresh_token, scope = nil) ⇒ TokenInfo

Uses the instance client credentials and the given refresh_token to get a new access token. See tools.ietf.org/html/rfc6749#section-6

Returns:

• (TokenInfo) —

  which may include a new refresh token as well as an access token.

# File 'lib/uaa/token_issuer.rb', line 320

def refresh_token_grant(refresh_token, scope = nil)
  request_token(grant_type: 'refresh_token', refresh_token: refresh_token, scope: scope)
end