Class: OmniAuth::Strategies::OpenIDFederation

Constant Summary collapse

JWT_PARTS_COUNT =

Constants for token format validation

3
STATE_BYTES =

Constants for random value generation

32
NONCE_BYTES =

Number of hex bytes for state parameter (CSRF protection)

32

Instance Method Summary collapse

Methods included from OmniauthOpenidFederation::Strategy::FailureHandling

#fail!

Methods included from OmniauthOpenidFederation::Strategy::AuthorizationRequest

#validate_provider_trust_configuration!

Instance Method Details

#auth_hashOmniAuth::AuthHash

Returns:

  • (OmniAuth::AuthHash)


115
116
117
118
119
120
121
122
123
124
125
126
127
128
# File 'lib/omniauth_openid_federation/strategy.rb', line 115

def auth_hash
  OmniAuth::AuthHash.new(
    provider: "openid_federation",
    uid: uid,
    info: info,
    credentials: {
      token: @access_token&.access_token,
      refresh_token: @access_token&.refresh_token,
      expires_at: @access_token&.expires_in ? Time.now.to_i + @access_token.expires_in : nil,
      expires: @access_token&.expires_in ? true : false
    },
    extra: extra
  )
end

#authorize_uriString

Returns:

  • (String)


9
# File 'sig/strategy.rbs', line 9

def authorize_uri: () -> String

#build_base_urlString

Parameters:

  • client_options_hash (Hash[Symbol, untyped])

Returns:

  • (String)


22
# File 'sig/strategy.rbs', line 22

def build_base_url: (Hash[Symbol, untyped] client_options_hash) -> String

#build_endpointString

Parameters:

  • base_url (String)
  • path (String)

Returns:

  • (String)


23
# File 'sig/strategy.rbs', line 23

def build_endpoint: (String base_url, String path) -> String

#callback_phaseObject

Returns:

  • (Object)


7
# File 'sig/strategy.rbs', line 7

def callback_phase: () -> untyped

#clientOmniauthOpenidFederation::OidcClient



4
# File 'sig/strategy.rbs', line 4

def client: () -> OmniauthOpenidFederation::OidcClient

#client_jwk_signing_keyObject

Returns:

  • (Object)


11
# File 'sig/strategy.rbs', line 11

def client_jwk_signing_key: () -> untyped

#decode_id_tokenOmniauthOpenidFederation::IdToken

Parameters:

  • id_token (String)

Returns:



24
# File 'sig/strategy.rbs', line 24

def decode_id_token: (String id_token) -> OmniauthOpenidFederation::IdToken

#decode_userinfoHash[String, untyped]

Parameters:

  • userinfo (Object)

Returns:

  • (Hash[String, untyped])


26
# File 'sig/strategy.rbs', line 26

def decode_userinfo: (untyped userinfo) -> Hash[String, untyped]

#encrypted_token?Boolean

Parameters:

  • token (String)

Returns:

  • (Boolean)


25
# File 'sig/strategy.rbs', line 25

def encrypted_token?: (String token) -> bool

#exchange_authorization_codeOmniauthOpenidFederation::AccessToken

Parameters:

  • authorization_code (String)

Returns:



13
# File 'sig/strategy.rbs', line 13

def exchange_authorization_code: (String authorization_code) -> OmniauthOpenidFederation::AccessToken

#extract_client_jwk_signing_keyObject

Returns:

  • (Object)


38
# File 'sig/strategy.rbs', line 38

def extract_client_jwk_signing_key: () -> untyped

#extract_entity_identifier_from_statementString?

Parameters:

  • entity_statement (Hash[Symbol, untyped])
  • configured_identifier (String, nil)

Returns:

  • (String, nil)


39
# File 'sig/strategy.rbs', line 39

def extract_entity_identifier_from_statement: (Hash[Symbol, untyped] entity_statement, String? configured_identifier) -> String?

#extract_metadata_from_parsedHash[Symbol, untyped]?

Parameters:

  • parsed (Hash[Symbol, untyped])

Returns:

  • (Hash[Symbol, untyped], nil)


30
# File 'sig/strategy.rbs', line 30

def extract_metadata_from_parsed: (Hash[Symbol, untyped] parsed) -> Hash[Symbol, untyped]?

#fetch_and_cache_entity_statementHash[Symbol, untyped]?

Parameters:

  • url (String)
  • fingerprint: (String, nil)

Returns:

  • (Hash[Symbol, untyped], nil)


28
# File 'sig/strategy.rbs', line 28

def fetch_and_cache_entity_statement: (String url, ?fingerprint: String?) -> Hash[Symbol, untyped]?

#fetch_jwksHash[String, untyped]

Parameters:

  • jwks_uri (String)

Returns:

  • (Hash[String, untyped])


41
# File 'sig/strategy.rbs', line 41

def fetch_jwks: (String jwks_uri) -> Hash[String, untyped]

#is_entity_id?Boolean

Parameters:

  • str (String)

Returns:

  • (Boolean)


32
# File 'sig/strategy.rbs', line 32

def is_entity_id?: (String str) -> bool

#load_client_entity_statementHash[Symbol, untyped]?

Parameters:

  • entity_statement_path: (String, nil)
  • entity_statement_url: (String, nil)

Returns:

  • (Hash[Symbol, untyped], nil)


35
# File 'sig/strategy.rbs', line 35

def load_client_entity_statement: (?entity_statement_path: String?, ?entity_statement_url: String?) -> Hash[Symbol, untyped]?

#load_client_entity_statement_from_fileHash[Symbol, untyped]?

Parameters:

  • entity_statement_path (String)

Returns:

  • (Hash[Symbol, untyped], nil)


36
# File 'sig/strategy.rbs', line 36

def load_client_entity_statement_from_file: (String entity_statement_path) -> Hash[Symbol, untyped]?

#load_client_entity_statement_from_urlHash[Symbol, untyped]?

Parameters:

  • entity_statement_url (String)

Returns:

  • (Hash[Symbol, untyped], nil)


37
# File 'sig/strategy.rbs', line 37

def load_client_entity_statement_from_url: (String entity_statement_url) -> Hash[Symbol, untyped]?

#load_metadata_for_key_extractionHash[Symbol, untyped]?

Returns:

  • (Hash[Symbol, untyped], nil)


34
# File 'sig/strategy.rbs', line 34

def load_metadata_for_key_extraction: () -> Hash[Symbol, untyped]?

#load_provider_entity_statementHash[Symbol, untyped]?

Returns:

  • (Hash[Symbol, untyped], nil)


27
# File 'sig/strategy.rbs', line 27

def load_provider_entity_statement: () -> Hash[Symbol, untyped]?

#load_provider_metadata_for_encryptionHash[String, untyped]?

Returns:

  • (Hash[String, untyped], nil)


40
# File 'sig/strategy.rbs', line 40

def load_provider_metadata_for_encryption: () -> Hash[String, untyped]?

#new_nonceString

Returns:

  • (String)


15
# File 'sig/strategy.rbs', line 15

def new_nonce: () -> String

#new_stateString

Returns:

  • (String)


14
# File 'sig/strategy.rbs', line 14

def new_state: () -> String

#normalize_trust_anchorsArray[Hash[Symbol, untyped]]

Parameters:

  • trust_anchors (Object)

Returns:

  • (Array[Hash[Symbol, untyped]])


31
# File 'sig/strategy.rbs', line 31

def normalize_trust_anchors: (untyped trust_anchors) -> Array[Hash[Symbol, untyped]]

#oidc_clientOmniauthOpenidFederation::OidcClient



5
# File 'sig/strategy.rbs', line 5

def oidc_client: () -> OmniauthOpenidFederation::OidcClient

#optionsObject

Returns:

  • (Object)


12
# File 'sig/strategy.rbs', line 12

def options: () -> untyped

#raw_infoHash[String, untyped]

Returns:

  • (Hash[String, untyped])


151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
# File 'lib/omniauth_openid_federation/strategy.rb', line 151

def raw_info
  @raw_info ||= begin
    # Use access token from callback_phase (already exchanged)
    # If not available, exchange it now (fallback for direct calls)
    access_token = @access_token
    access_token ||= exchange_authorization_code(request.params["code"])

    id_token = decode_id_token(access_token.id_token)
    id_token_claims = id_token.raw_attributes || {}

    if options.fetch_userinfo
      begin
        userinfo = access_token.userinfo!
        userinfo_hash = decode_userinfo(userinfo)
        id_token_claims.merge(userinfo_hash)
      rescue => e
        error_msg = "Failed to fetch or decode userinfo: #{e.class} - #{e.message}"
        OmniauthOpenidFederation::Logger.error("[Strategy] #{error_msg}")
        OmniauthOpenidFederation::Logger.warn("[Strategy] Falling back to ID token claims only")
        id_token_claims
      end
    else
      OmniauthOpenidFederation::Logger.debug("[Strategy] Userinfo fetching disabled, using ID token claims only")
      id_token_claims
    end
  end
end

#request_phaseObject

Override request_phase to use signed request objects (RFC 9101)

Returns:

  • (Object)


111
112
113
# File 'lib/omniauth_openid_federation/strategy.rb', line 111

def request_phase
  redirect authorize_uri
end

#resolve_audienceString

Parameters:

  • client_options_hash (Hash[Symbol, untyped])
  • resolved_issuer (String, nil)

Returns:

  • (String)


18
# File 'sig/strategy.rbs', line 18

def resolve_audience: (Hash[Symbol, untyped] client_options_hash, String? resolved_issuer) -> String

#resolve_endpoints_from_metadataHash[Symbol, String?]

Parameters:

  • client_options_hash (Hash[Symbol, untyped])

Returns:

  • (Hash[Symbol, String?])


16
# File 'sig/strategy.rbs', line 16

def resolve_endpoints_from_metadata: (Hash[Symbol, untyped] client_options_hash) -> Hash[Symbol, String?]

#resolve_endpoints_from_trust_chainHash[Symbol, String?]

Parameters:

  • issuer_entity_id (String)
  • client_options_hash (Hash[Symbol, untyped])

Returns:

  • (Hash[Symbol, String?])


29
# File 'sig/strategy.rbs', line 29

def resolve_endpoints_from_trust_chain: (String issuer_entity_id, Hash[Symbol, untyped] client_options_hash) -> Hash[Symbol, String?]

#resolve_entity_statement_pathString

Parameters:

  • path (String)

Returns:

  • (String)


33
# File 'sig/strategy.rbs', line 33

def resolve_entity_statement_path: (String path) -> String

#resolve_issuer_from_metadataString?

Returns:

  • (String, nil)


17
# File 'sig/strategy.rbs', line 17

def resolve_issuer_from_metadata: () -> String?

#resolve_jwks_for_validationHash[String, untyped]

Parameters:

  • normalized_options (Hash[Symbol, untyped])

Returns:

  • (Hash[String, untyped])


19
# File 'sig/strategy.rbs', line 19

def resolve_jwks_for_validation: (Hash[Symbol, untyped] normalized_options) -> Hash[String, untyped]

#resolve_jwks_for_validation_with_kidHash[String, untyped]

Parameters:

  • normalized_options (Hash[Symbol, untyped])
  • kid (String)

Returns:

  • (Hash[String, untyped])


20
# File 'sig/strategy.rbs', line 20

def resolve_jwks_for_validation_with_kid: (Hash[Symbol, untyped] normalized_options, String kid) -> Hash[String, untyped]

#resolve_jwks_uriString?

Parameters:

  • normalized_options (Hash[Symbol, untyped])

Returns:

  • (String, nil)


21
# File 'sig/strategy.rbs', line 21

def resolve_jwks_uri: (Hash[Symbol, untyped] normalized_options) -> String?