Class: LogtoCore

Inherits:

Object

• Object
• LogtoCore

Defined in:

lib/logto/core/index.rb,
lib/logto/core/index_types.rb,
lib/logto/core/index_constants.rb

Defined Under Namespace

Classes: AccessToken, AccessTokenClaims, IdTokenClaims, OidcConfigResponse, TokenResponse, UserInfoResponse

Constant Summary

DISCOVERY_PATH =

"/oidc/.well-known/openid-configuration"

QUERY_KEY =

{
  client_id: "client_id",
  client_secret: "client_secret",
  token: "token",
  code: "code",
  code_verifier: "code_verifier",
  code_challenge: "code_challenge",
  code_challenge_method: "code_challenge_method",
  prompt: "prompt",
  redirect_uri: "redirect_uri",
  post_logout_redirect_uri: "post_logout_redirect_uri",
  grant_type: "grant_type",
  refresh_token: "refresh_token",
  scope: "scope",
  state: "state",
  response_type: "response_type",
  resource: "resource",
  organization_id: "organization_id",
  login_hint: "login_hint",
  direct_sign_in: "direct_sign_in",
  first_screen: "first_screen",
  identifier: "identifier",
  interaction_mode: "interaction_mode",
  error: "error",
  error_description: "error_description"
}

TOKEN_GRANT_TYPE =

{
  authorization_code: "authorization_code",
  refresh_token: "refresh_token"
}

CODE_CHALLENGE_METHOD =

{
  S256: "S256"
}

PROMPT =

{
  login: "login",
  none: "none",
  consent: "consent",
  select_account: "select_account"
}

RESERVED_SCOPE =

Scopes that reserved by Logto, which will be added to the auth request automatically.

{
  openid: "openid",
  offline_access: "offline_access",
  profile: "profile"
}

USER_SCOPE =

Scopes for ID Token and Userinfo Endpoint.

{
  # Scope for basic user ingo.
  profile: "profile",
  # Scope for email address.
  email: "email",
  # Scope for phone number.
  phone: "phone",
  # Scope for user's custom data.
  custom_data: "custom_data",
  # Scope for user's social identity details.
  identities: "identities",
  # Scope for user's roles.
  roles: "roles",
  # Scope for user's organization IDs and perform organization token grant per {https://github.com/logto-io/rfcs RFC 0001}.
  organizations: "urn:logto:scope:organizations",
  # Scope for user's organization roles per {https://github.com/logto-io/rfcs RFC 0001}.
  organization_roles: "urn:logto:scope:organization_roles"
}

RESERVED_RESOURCE =

Resources that reserved by Logto, which cannot be defined by users.

{
  # The resource for organization template per {https://github.com/logto-io/rfcs RFC 0001}.
  organization: "urn:logto:resource:organizations"
}

Instance Attribute Summary

• #endpoint ⇒ Object readonly

  Returns the value of attribute endpoint.

• #oidc_config ⇒ Object readonly

  Returns the value of attribute oidc_config.

Instance Method Summary

• #fetch_token_by_authorization_code(client_id:, client_secret:, redirect_uri:, code_verifier:, code:, resource: nil) ⇒ Object
• #fetch_token_by_refresh_token(client_id:, client_secret:, refresh_token:, resource: nil, organization_id: nil, scopes: nil) ⇒ Object
• #fetch_user_info(access_token:) ⇒ Object
• #generate_sign_in_uri(client_id:, redirect_uri:, code_challenge:, state:, scopes: nil, resources: nil, prompt: nil, first_screen: nil, identifiers: nil, interaction_mode: nil, login_hint: nil, direct_sign_in: nil, extra_params: nil, include_reserved_scopes: true) ⇒ Object
• #generate_sign_out_uri(client_id:, post_logout_redirect_uri: nil) ⇒ Object
• #initialize(endpoint:, cache: nil) ⇒ LogtoCore constructor

  A new instance of LogtoCore.

• #revoke_token(client_id:, client_secret:, token:) ⇒ Object

Constructor Details

#initialize(endpoint:, cache: nil) ⇒ LogtoCore

Returns a new instance of LogtoCore.

# File 'lib/logto/core/index.rb', line 12

def initialize(endpoint:, cache: nil)
  @endpoint = endpoint
  @cache = cache
  @oidc_config = fetch_oidc_config
end

Instance Attribute Details

#endpoint ⇒ Object (readonly)

Returns the value of attribute endpoint.

# File 'lib/logto/core/index.rb', line 10

def endpoint
  @endpoint
end

#oidc_config ⇒ Object (readonly)

Returns the value of attribute oidc_config.

# File 'lib/logto/core/index.rb', line 10

def oidc_config
  @oidc_config
end

Instance Method Details

#fetch_token_by_authorization_code(client_id:, client_secret:, redirect_uri:, code_verifier:, code:, resource: nil) ⇒ Object

Raises:

• (LogtoError::TokenError)

# File 'lib/logto/core/index.rb', line 32

def fetch_token_by_authorization_code(client_id:, client_secret:, redirect_uri:, code_verifier:, code:, resource: nil)
  parameters = {
    QUERY_KEY[:client_id] => client_id,
    QUERY_KEY[:client_secret] => client_secret,
    QUERY_KEY[:code] => code,
    QUERY_KEY[:code_verifier] => code_verifier,
    QUERY_KEY[:redirect_uri] => redirect_uri,
    QUERY_KEY[:grant_type] => TOKEN_GRANT_TYPE[:authorization_code]
  }
  parameters[QUERY_KEY[:resource]] = resource if resource

  response = Net::HTTP.post_form(
    URI.parse(oidc_config.token_endpoint),
    parameters
  )

  raise LogtoError::TokenError.new(response.message, response: response) unless
    response.is_a?(Net::HTTPSuccess)

  LogtoUtils.parse_json_safe(response.body, TokenResponse)
end

#fetch_token_by_refresh_token(client_id:, client_secret:, refresh_token:, resource: nil, organization_id: nil, scopes: nil) ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/logto/core/index.rb', line 54

def fetch_token_by_refresh_token(client_id:, client_secret:, refresh_token:, resource: nil, organization_id: nil, scopes: nil)
  raise ArgumentError, "Scopes must be an array" if scopes && !scopes.is_a?(Array)

  parameters = {
    QUERY_KEY[:client_id] => client_id,
    QUERY_KEY[:client_secret] => client_secret,
    QUERY_KEY[:refresh_token] => refresh_token,
    QUERY_KEY[:grant_type] => TOKEN_GRANT_TYPE[:refresh_token]
  }
  parameters[QUERY_KEY[:resource]] = resource if resource
  parameters[QUERY_KEY[:organization_id]] = organization_id if organization_id
  parameters[QUERY_KEY[:scope]] = scopes.join(" ") if scopes&.any?

  response = Net::HTTP.post_form(
    URI.parse(oidc_config.token_endpoint),
    parameters
  )

  raise LogtoError::TokenError.new(response.message, response: response) unless
    response.is_a?(Net::HTTPSuccess)
  LogtoUtils.parse_json_safe(response.body, TokenResponse)
end

#fetch_user_info(access_token:) ⇒ Object

Raises:

• (LogtoError::UserInfoError)

# File 'lib/logto/core/index.rb', line 77

def fetch_user_info(access_token:)
  uri = URI.parse(oidc_config.userinfo_endpoint)
  request = Net::HTTP::Get.new(uri)
  request["Authorization"] = "Bearer #{access_token}"

  response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    http.request(request)
  end

  raise LogtoError::UserInfoError.new(response.message, response: response) unless
    response.is_a?(Net::HTTPSuccess)
  LogtoUtils.parse_json_safe(response.body, UserInfoResponse)
end

#generate_sign_in_uri(client_id:, redirect_uri:, code_challenge:, state:, scopes: nil, resources: nil, prompt: nil, first_screen: nil, identifiers: nil, interaction_mode: nil, login_hint: nil, direct_sign_in: nil, extra_params: nil, include_reserved_scopes: true) ⇒ Object

# File 'lib/logto/core/index.rb', line 91

def generate_sign_in_uri(
  client_id:,
  redirect_uri:,
  code_challenge:,
  state:,
  scopes: nil,
  resources: nil,
  prompt: nil,
  first_screen: nil,
  identifiers: nil,
  interaction_mode: nil,
  login_hint: nil,
  direct_sign_in: nil,
  extra_params: nil,
  include_reserved_scopes: true
)
  parameters = {
    QUERY_KEY[:client_id] => client_id,
    QUERY_KEY[:redirect_uri] => redirect_uri,
    QUERY_KEY[:code_challenge] => code_challenge,
    QUERY_KEY[:code_challenge_method] => CODE_CHALLENGE_METHOD[:S256],
    QUERY_KEY[:state] => state,
    QUERY_KEY[:response_type] => "code"
  }

  parameters[QUERY_KEY[:prompt]] = prompt&.any? ? prompt.join(" ") : PROMPT[:consent]

  computed_scopes = include_reserved_scopes ? LogtoUtils.with_reserved_scopes(scopes).join(" ") : scopes&.join(" ")
  parameters[QUERY_KEY[:scope]] = computed_scopes if computed_scopes

  parameters[QUERY_KEY[:login_hint]] = login_hint if login_hint

  if direct_sign_in
    parameters[QUERY_KEY[:direct_sign_in]] = "#{direct_sign_in[:method]}:#{direct_sign_in[:target]}"
  end

  parameters[QUERY_KEY[:resource]] = resources if resources&.any?

  if first_screen
    parameters[QUERY_KEY[:first_screen]] = first_screen
  elsif interaction_mode
    parameters[QUERY_KEY[:interaction_mode]] = interaction_mode
  end

  parameters[QUERY_KEY[:identifier]] = identifiers.join(" ") if identifiers&.any?

  extra_params&.each do |key, value|
    parameters[key] = value
  end

  parameters.each_key do |key|
    raise ArgumentError, "Parameters contain nil key, please check the input" if key.nil?
  end

  uri = URI.parse(oidc_config.authorization_endpoint)
  uri.query = URI.encode_www_form(parameters)
  uri.to_s
end

#generate_sign_out_uri(client_id:, post_logout_redirect_uri: nil) ⇒ Object

# File 'lib/logto/core/index.rb', line 150

def generate_sign_out_uri(client_id:, post_logout_redirect_uri: nil)
  parameters = {
    QUERY_KEY[:client_id] => client_id
  }
  parameters[QUERY_KEY[:post_logout_redirect_uri]] = post_logout_redirect_uri if post_logout_redirect_uri

  uri = URI.parse(oidc_config.end_session_endpoint)
  uri.query = URI.encode_www_form(parameters)
  uri.to_s
end

#revoke_token(client_id:, client_secret:, token:) ⇒ Object

Raises:

• (LogtoError::RevocationError)

# File 'lib/logto/core/index.rb', line 18

def revoke_token(client_id:, client_secret:, token:)
  response = Net::HTTP.post_form(
    URI.parse(oidc_config.revocation_endpoint),
    {
      QUERY_KEY[:token] => token,
      QUERY_KEY[:client_id] => client_id,
      QUERY_KEY[:client_secret] => client_secret
    }
  )

  raise LogtoError::RevocationError.new(response.message, response: response) unless
    response.is_a?(Net::HTTPSuccess)
end