Class: OmniAuth::Strategies::OpenIDFederation
- Inherits:
-
OAuth2
- Object
- OAuth2
- OmniAuth::Strategies::OpenIDFederation
show all
- Includes:
- OmniauthOpenidFederation::Strategy::AuthorizationRequest, OmniauthOpenidFederation::Strategy::CallbackHandling, OmniauthOpenidFederation::Strategy::ClientConstruction, OmniauthOpenidFederation::Strategy::ClientEntityStatement, OmniauthOpenidFederation::Strategy::EndpointResolution, OmniauthOpenidFederation::Strategy::FailureHandling, OmniauthOpenidFederation::Strategy::IdTokenDecoding, OmniauthOpenidFederation::Strategy::JwksResolution, OmniauthOpenidFederation::Strategy::ProviderEntityStatement, OmniauthOpenidFederation::Strategy::UserinfoDecoding
- Defined in:
- lib/omniauth_openid_federation/strategy.rb,
sig/strategy.rbs
Constant Summary
collapse
- JWT_PARTS_COUNT =
Constants for token format validation
3
- STATE_BYTES =
Constants for random value generation
32
- NONCE_BYTES =
Number of hex bytes for state parameter (CSRF protection)
32
Instance Method Summary
collapse
-
#auth_hash ⇒ OmniAuth::AuthHash
-
#authorize_uri ⇒ String
-
#build_base_url ⇒ String
-
#build_endpoint ⇒ String
-
#callback_phase ⇒ Object
-
#client ⇒ OmniauthOpenidFederation::OidcClient
-
#client_jwk_signing_key ⇒ Object
-
#decode_id_token ⇒ OmniauthOpenidFederation::IdToken
-
#decode_userinfo ⇒ Hash[String, untyped]
-
#encrypted_token? ⇒ Boolean
-
#exchange_authorization_code ⇒ OmniauthOpenidFederation::AccessToken
-
#extract_client_jwk_signing_key ⇒ Object
-
#extract_entity_identifier_from_statement ⇒ String?
-
#extract_metadata_from_parsed ⇒ Hash[Symbol, untyped]?
-
#fetch_and_cache_entity_statement ⇒ Hash[Symbol, untyped]?
-
#fetch_jwks ⇒ Hash[String, untyped]
-
#is_entity_id? ⇒ Boolean
-
#load_client_entity_statement ⇒ Hash[Symbol, untyped]?
-
#load_client_entity_statement_from_file ⇒ Hash[Symbol, untyped]?
-
#load_client_entity_statement_from_url ⇒ Hash[Symbol, untyped]?
-
#load_metadata_for_key_extraction ⇒ Hash[Symbol, untyped]?
-
#load_provider_entity_statement ⇒ Hash[Symbol, untyped]?
-
#load_provider_metadata_for_encryption ⇒ Hash[String, untyped]?
-
#new_nonce ⇒ String
-
#new_state ⇒ String
-
#normalize_trust_anchors ⇒ Array[Hash[Symbol, untyped]]
-
#oidc_client ⇒ OmniauthOpenidFederation::OidcClient
-
#options ⇒ Object
-
#raw_info ⇒ Hash[String, untyped]
-
#request_phase ⇒ Object
Override request_phase to use signed request objects (RFC 9101).
-
#resolve_audience ⇒ String
-
#resolve_endpoints_from_metadata ⇒ Hash[Symbol, String?]
-
#resolve_endpoints_from_trust_chain ⇒ Hash[Symbol, String?]
-
#resolve_entity_statement_path ⇒ String
-
#resolve_issuer_from_metadata ⇒ String?
-
#resolve_jwks_for_validation ⇒ Hash[String, untyped]
-
#resolve_jwks_for_validation_with_kid ⇒ Hash[String, untyped]
-
#resolve_jwks_uri ⇒ String?
#fail!
#validate_provider_trust_configuration!
Instance Method Details
#auth_hash ⇒ OmniAuth::AuthHash
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
# File 'lib/omniauth_openid_federation/strategy.rb', line 115
def auth_hash
OmniAuth::AuthHash.new(
provider: "openid_federation",
uid: uid,
info: info,
credentials: {
token: @access_token&.access_token,
refresh_token: @access_token&.refresh_token,
expires_at: @access_token&.expires_in ? Time.now.to_i + @access_token.expires_in : nil,
expires: @access_token&.expires_in ? true : false
},
extra:
)
end
|
#authorize_uri ⇒ String
9
|
# File 'sig/strategy.rbs', line 9
def authorize_uri: () -> String
|
#build_base_url ⇒ String
22
|
# File 'sig/strategy.rbs', line 22
def build_base_url: (Hash[Symbol, untyped] client_options_hash) -> String
|
#build_endpoint ⇒ String
23
|
# File 'sig/strategy.rbs', line 23
def build_endpoint: (String base_url, String path) -> String
|
#callback_phase ⇒ Object
7
|
# File 'sig/strategy.rbs', line 7
def callback_phase: () -> untyped
|
4
|
# File 'sig/strategy.rbs', line 4
def client: () -> OmniauthOpenidFederation::OidcClient
|
#client_jwk_signing_key ⇒ Object
11
|
# File 'sig/strategy.rbs', line 11
def client_jwk_signing_key: () -> untyped
|
24
|
# File 'sig/strategy.rbs', line 24
def decode_id_token: (String id_token) -> OmniauthOpenidFederation::IdToken
|
#decode_userinfo ⇒ Hash[String, untyped]
26
|
# File 'sig/strategy.rbs', line 26
def decode_userinfo: (untyped userinfo) -> Hash[String, untyped]
|
#encrypted_token? ⇒ Boolean
25
|
# File 'sig/strategy.rbs', line 25
def encrypted_token?: (String token) -> bool
|
13
|
# File 'sig/strategy.rbs', line 13
def exchange_authorization_code: (String authorization_code) -> OmniauthOpenidFederation::AccessToken
|
38
|
# File 'sig/strategy.rbs', line 38
def extract_client_jwk_signing_key: () -> untyped
|
39
|
# File 'sig/strategy.rbs', line 39
def extract_entity_identifier_from_statement: (Hash[Symbol, untyped] entity_statement, String? configured_identifier) -> String?
|
30
|
# File 'sig/strategy.rbs', line 30
def extract_metadata_from_parsed: (Hash[Symbol, untyped] parsed) -> Hash[Symbol, untyped]?
|
#fetch_and_cache_entity_statement ⇒ Hash[Symbol, untyped]?
28
|
# File 'sig/strategy.rbs', line 28
def fetch_and_cache_entity_statement: (String url, ?fingerprint: String?) -> Hash[Symbol, untyped]?
|
#fetch_jwks ⇒ Hash[String, untyped]
41
|
# File 'sig/strategy.rbs', line 41
def fetch_jwks: (String jwks_uri) -> Hash[String, untyped]
|
#is_entity_id? ⇒ Boolean
32
|
# File 'sig/strategy.rbs', line 32
def is_entity_id?: (String str) -> bool
|
#load_client_entity_statement ⇒ Hash[Symbol, untyped]?
35
|
# File 'sig/strategy.rbs', line 35
def load_client_entity_statement: (?entity_statement_path: String?, ?entity_statement_url: String?) -> Hash[Symbol, untyped]?
|
#load_client_entity_statement_from_file ⇒ Hash[Symbol, untyped]?
36
|
# File 'sig/strategy.rbs', line 36
def load_client_entity_statement_from_file: (String entity_statement_path) -> Hash[Symbol, untyped]?
|
#load_client_entity_statement_from_url ⇒ Hash[Symbol, untyped]?
37
|
# File 'sig/strategy.rbs', line 37
def load_client_entity_statement_from_url: (String entity_statement_url) -> Hash[Symbol, untyped]?
|
34
|
# File 'sig/strategy.rbs', line 34
def load_metadata_for_key_extraction: () -> Hash[Symbol, untyped]?
|
#load_provider_entity_statement ⇒ Hash[Symbol, untyped]?
27
|
# File 'sig/strategy.rbs', line 27
def load_provider_entity_statement: () -> Hash[Symbol, untyped]?
|
40
|
# File 'sig/strategy.rbs', line 40
def load_provider_metadata_for_encryption: () -> Hash[String, untyped]?
|
#new_nonce ⇒ String
15
|
# File 'sig/strategy.rbs', line 15
def new_nonce: () -> String
|
#new_state ⇒ String
14
|
# File 'sig/strategy.rbs', line 14
def new_state: () -> String
|
#normalize_trust_anchors ⇒ Array[Hash[Symbol, untyped]]
31
|
# File 'sig/strategy.rbs', line 31
def normalize_trust_anchors: (untyped trust_anchors) -> Array[Hash[Symbol, untyped]]
|
5
|
# File 'sig/strategy.rbs', line 5
def oidc_client: () -> OmniauthOpenidFederation::OidcClient
|
#options ⇒ Object
12
|
# File 'sig/strategy.rbs', line 12
def options: () -> untyped
|
#raw_info ⇒ Hash[String, untyped]
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
# File 'lib/omniauth_openid_federation/strategy.rb', line 151
def raw_info
@raw_info ||= begin
access_token = @access_token
access_token ||= exchange_authorization_code(request.params["code"])
id_token = decode_id_token(access_token.id_token)
id_token_claims = id_token.raw_attributes || {}
if options.fetch_userinfo
begin
userinfo = access_token.userinfo!
userinfo_hash = decode_userinfo(userinfo)
id_token_claims.merge(userinfo_hash)
rescue => e
error_msg = "Failed to fetch or decode userinfo: #{e.class} - #{e.message}"
OmniauthOpenidFederation::Logger.error("[Strategy] #{error_msg}")
OmniauthOpenidFederation::Logger.warn("[Strategy] Falling back to ID token claims only")
id_token_claims
end
else
OmniauthOpenidFederation::Logger.debug("[Strategy] Userinfo fetching disabled, using ID token claims only")
id_token_claims
end
end
end
|
#request_phase ⇒ Object
Override request_phase to use signed request objects (RFC 9101)
111
112
113
|
# File 'lib/omniauth_openid_federation/strategy.rb', line 111
def request_phase
redirect authorize_uri
end
|
#resolve_audience ⇒ String
18
|
# File 'sig/strategy.rbs', line 18
def resolve_audience: (Hash[Symbol, untyped] client_options_hash, String? resolved_issuer) -> String
|
16
|
# File 'sig/strategy.rbs', line 16
def resolve_endpoints_from_metadata: (Hash[Symbol, untyped] client_options_hash) -> Hash[Symbol, String?]
|
#resolve_endpoints_from_trust_chain ⇒ Hash[Symbol, String?]
29
|
# File 'sig/strategy.rbs', line 29
def resolve_endpoints_from_trust_chain: (String issuer_entity_id, Hash[Symbol, untyped] client_options_hash) -> Hash[Symbol, String?]
|
#resolve_entity_statement_path ⇒ String
33
|
# File 'sig/strategy.rbs', line 33
def resolve_entity_statement_path: (String path) -> String
|
17
|
# File 'sig/strategy.rbs', line 17
def resolve_issuer_from_metadata: () -> String?
|
#resolve_jwks_for_validation ⇒ Hash[String, untyped]
19
|
# File 'sig/strategy.rbs', line 19
def resolve_jwks_for_validation: (Hash[Symbol, untyped] normalized_options) -> Hash[String, untyped]
|
#resolve_jwks_for_validation_with_kid ⇒ Hash[String, untyped]
20
|
# File 'sig/strategy.rbs', line 20
def resolve_jwks_for_validation_with_kid: (Hash[Symbol, untyped] normalized_options, String kid) -> Hash[String, untyped]
|
#resolve_jwks_uri ⇒ String?
21
|
# File 'sig/strategy.rbs', line 21
def resolve_jwks_uri: (Hash[Symbol, untyped] normalized_options) -> String?
|