Class: Identizer::Handlers::Oidc

Inherits:
Base
  • Object
Defined in:
lib/identizer/handlers/oidc.rb

Overview

OpenID Connect: the authorization-code + refresh-token grants, PKCE, the discovery and JWKS documents, and the end-session (logout) endpoint.

Instance Method Summary

Methods inherited from Base

#initialize

Methods included from Responses

#amz_json, #escape_html, #html, #json, #no_content, #not_found, #notice_page, #redirect, #xml

Constructor Details

This class inherits a constructor from Identizer::Handlers::Base

Instance Method Details

#discovery ⇒ Object



# File 'lib/identizer/handlers/oidc.rb', line 15

# Serves the OIDC discovery document as JSON with a 200 status.
# The document itself (issuer, endpoint URLs, supported algorithms, ...) is
# produced entirely by `minter.discovery`; nothing is filtered or validated here.
def discovery
  document = minter.discovery
  json(200, document)
end

#introspect(request) ⇒ Object

RFC 7662 token introspection (access or refresh token).



# File 'lib/identizer/handlers/oidc.rb', line 24

# RFC 7662 token introspection.
#
# Looks the submitted `token` parameter up as an access token first, then as a
# refresh token. An absent or unknown token yields `{ active: false }`; a known
# one yields the active response with subject, username, scope and client_id
# (nil fields dropped by `compact`). Both paths return 200.
#
# NOTE(review): RFC 7662 requires the introspecting caller to be authenticated;
# no such check is visible in this method, so it must be enforced by the router
# or Base — confirm.
# NOTE(review): expiry is not checked here; presumably an expired or revoked
# token is simply absent from the store — verify against the stores' `get`.
#
# @param request the incoming request; only its merged params are read
# @return the JSON response built by #json
def introspect(request)
  submitted = merged_params(request)["token"]
  authorization = submitted && (access_tokens.get(submitted) || refresh_tokens.get(submitted))
  return json(200, { active: false }) if authorization.nil?

  identity = authorization.identity
  claims = {
    active: true,
    sub: identity.sub,
    username: identity.email,
    scope: authorization.scope,
    client_id: authorization.client_id,
    token_type: "Bearer"
  }
  json(200, claims.compact)
end

#jwks ⇒ Object



# File 'lib/identizer/handlers/oidc.rb', line 19

# Serves the JWKS (public signing keys) document as JSON with a 200 status.
# The key set comes verbatim from `minter.jwks`.
def jwks
  key_set = minter.jwks
  json(200, key_set)
end

#logout(request) ⇒ Object

RP-initiated logout: bounce back to post_logout_redirect_uri if given and allowed.



# File 'lib/identizer/handlers/oidc.rb', line 53

# RP-initiated logout.
#
# Without a post_logout_redirect_uri the user gets a plain "Signed out" notice.
# With one, the redirect is only followed when `config` says the URI is
# registered for the supplied client_id (this allowlist check is the guard
# against using the endpoint as an open redirector); otherwise a notice says
# the URI is not registered. A non-empty `state` is round-tripped as a
# URL-escaped query parameter, joined with "?" or "&" depending on whether the
# target already carries a query string.
#
# NOTE(review): no session or cookie state is cleared in this method; the
# actual sign-out must happen elsewhere (router, Base, or middleware) — confirm.
# NOTE(review): a target containing a fragment ("#...") is not special-cased
# when `state` is appended; assumed to be rejected or never registered — confirm.
#
# @param request the incoming request; reads post_logout_redirect_uri, client_id, state
# @return a notice page or redirect response
def logout(request)
  params = request.params
  target = params["post_logout_redirect_uri"].to_s
  return notice_page("Signed out", "You have been signed out.") if target.empty?

  allowed = config.post_logout_redirect_allowed?(params["client_id"], target)
  return notice_page("Signed out", "The post_logout_redirect_uri is not registered.") unless allowed

  state = params["state"]
  return redirect(target) if state.to_s.empty?

  joiner = target.include?("?") ? "&" : "?"
  redirect("#{target}#{joiner}state=#{Rack::Utils.escape(state)}")
end

#revoke(request) ⇒ Object

RFC 7009 token revocation: revoke the submitted token AND its paired access/refresh token. Always 200, even for unknown tokens.



# File 'lib/identizer/handlers/oidc.rb', line 38

# RFC 7009 token revocation.
#
# The submitted token is looked up as an access token, then as a refresh token.
# If it resolves to an authorization, that authorization's paired access token
# and refresh token are both removed from their stores; the submitted value is
# then removed from both stores regardless. The response is always `200 {}`,
# including for unknown tokens, as RFC 7009 prescribes.
#
# NOTE(review): RFC 7009 expects the revoking client to be authenticated and
# the token to belong to it; neither check is visible here — confirm it is
# enforced upstream (router/Base).
#
# @param request the incoming request; only the merged `token` param is read
# @return the `200 {}` JSON response
def revoke(request)
  submitted = merged_params(request)["token"]
  return json(200, {}) unless submitted

  paired = access_tokens.get(submitted) || refresh_tokens.get(submitted)
  if paired
    access_tokens.take(paired.access_token)
    refresh_tokens.take(paired.refresh_token)
  end
  access_tokens.take(submitted)
  refresh_tokens.take(submitted)
  json(200, {})
end

#token(request) ⇒ Object



# File 'lib/identizer/handlers/oidc.rb', line 8

# Token endpoint dispatcher: `grant_type=refresh_token` goes to #refresh,
# every other value (including a missing grant_type) goes to #authorization_code,
# which is left to reject unsupported grants.
#
# @param request the incoming request; only `grant_type` is inspected here
def token(request)
  grant = request.params["grant_type"]
  return refresh(request) if grant == "refresh_token"

  authorization_code(request)
end