Class: OmniAuth::Strategies::OpenIDConnect

Inherits:
Object
Extended by:
Forwardable
Includes:
OmniAuth::Strategy
Defined in:
lib/omniauth/strategies/openid_connect.rb

Defined Under Namespace

Classes: CallbackError

Constant Summary

# Per configured response_type, the error class raised when the callback
# does not carry the parameter that response type requires (`id_token` or
# `code`), paired with the OmniAuth failure key reported to the application.
# Presumably consumed by valid_response_type? (not shown on this page) — confirm.
RESPONSE_TYPE_EXCEPTIONS =
{
  'id_token' => { exception_class: OmniAuth::OpenIDConnect::MissingIdTokenError, key: :missing_id_token }.freeze,
  'code' => { exception_class: OmniAuth::OpenIDConnect::MissingCodeError, key: :missing_code }.freeze,
}.freeze

Instance Method Summary

Instance Method Details

#authorization_code ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 150

# The `code` parameter the provider sent back on the callback request,
# or nil when the callback carries no such parameter.
#
# @return [String, nil]
def authorization_code
  params.fetch('code', nil)
end

#authorize_uri ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 162

# Builds the provider authorization URL that the request phase redirects to.
#
# Standard OIDC request parameters come from the strategy options; the
# `login_hint`, `ui_locales` and `claims_locales` hints are read from the
# incoming request's params and forwarded to the provider as given. A nonce
# is generated only when `send_nonce` is set. `extra_authorize_params` are
# merged last, so any key they contain overrides the standard values above.
# Entries whose value is nil are dropped before the URL is built.
#
# @return [String] the authorization endpoint URL with query parameters
def authorize_uri
  client.redirect_uri = redirect_uri

  authorize_params = {
    response_type: options.response_type,
    response_mode: options.response_mode,
    scope: options.scope,
    state: new_state,
    login_hint: params['login_hint'],
    ui_locales: params['ui_locales'],
    claims_locales: params['claims_locales'],
    prompt: options.prompt,
    nonce: (options.send_nonce ? new_nonce : nil),
    hd: options.hd,
    acr_values: options.acr_values,
  }

  extra = options.extra_authorize_params
  authorize_params.merge!(extra) unless extra.empty?

  client.authorization_uri(authorize_params.compact)
end

#callback_phase ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 110

# Handles the provider's redirect back to the application after login.
#
# Statement order matters: `invalid_state` (and therefore `stored_state`,
# which presumably reads the value saved in the session — confirm) is
# evaluated before either CallbackError is raised, so the stored state is
# consulted even when the provider reports an error.
#
# Every failure path ends in `fail!`: provider-reported errors and state
# mismatches via CallbackError, token-endpoint errors via
# Rack::OAuth2::Client::Error, and network problems via the timeout /
# socket rescues at the bottom.
def callback_phase
  # Provider-reported error. Note that `error:` below is built from
  # params['error'] alone, so a callback carrying only `error_reason`
  # raises a CallbackError whose error is nil.
  error = params['error_reason'] || params['error']
  error_description = params['error_description'] || params['error_reason']
  # CSRF check: an empty state, or one that does not match what we stored,
  # is rejected. The comparison is a plain `!=` (not constant-time).
  invalid_state = params['state'].to_s.empty? || params['state'] != stored_state

  raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
  raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state

  # valid_response_type? is not on this page; it is presumably responsible
  # for reporting the RESPONSE_TYPE_EXCEPTIONS failure itself — confirm.
  return unless valid_response_type?

  # Same check as the other phases, which spell it `options.issuer.to_s.empty?`.
  options.issuer = issuer if options.issuer.nil? || options.issuer.empty?

  # `id_token` response type: the token arrives directly in the callback and
  # is verified before discovery runs.
  verify_id_token!(params['id_token']) if configured_response_type == 'id_token'
  discover!
  client.redirect_uri = redirect_uri

  return id_token_callback_phase if configured_response_type == 'id_token'

  # `code` response type: hand the code to the client, exchange it for a
  # token (the `access_token` return value is not used here; it presumably
  # memoizes — confirm), then defer to OmniAuth::Strategy#callback_phase.
  client.authorization_code = authorization_code
  access_token
  super
rescue CallbackError => e
  fail!(e.error, e)
rescue ::Rack::OAuth2::Client::Error => e
  # Token endpoint rejected the request; surface the provider's error code.
  fail!(e.response[:error], e)
rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
  fail!(:timeout, e)
rescue ::SocketError => e
  fail!(:failed_to_connect, e)
end

#client ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 96

# The OpenIDConnect client built from `client_options`, created on first
# use and reused for the lifetime of this strategy instance.
#
# @return [::OpenIDConnect::Client]
def client
  return @client if defined?(@client) && @client

  @client = ::OpenIDConnect::Client.new(client_options)
end

#config ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 100

# The provider configuration discovered from `options.issuer`, fetched on
# first use and memoized. Because discovery is keyed on the issuer, whatever
# issuer value is set at that moment determines which provider is trusted.
#
# @return [::OpenIDConnect::Discovery::Provider::Config]
def config
  return @config if defined?(@config) && @config

  @config = ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
end

#end_session_uri ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 154

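# Builds the RP-initiated logout URL, or returns nil when no usable
# end_session_endpoint is configured.
#
# The encoded post-logout redirect parameter is appended to the endpoint's
# existing query string instead of replacing it, so a configured endpoint
# that already carries parameters keeps them. When neither part is present
# the query is left unset, so no dangling `?` is emitted.
#
# @return [String, nil]
def end_session_uri
  return unless end_session_endpoint_is_valid?

  logout_uri = URI(client_options.end_session_endpoint)
  query_parts = [logout_uri.query, encoded_post_logout_redirect_uri]
  query_parts.reject! { |part| part.nil? || part.empty? }
  logout_uri.query = query_parts.empty? ? nil : query_parts.join('&')
  logout_uri.to_s
end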

#other_phase ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 141

# Handles requests that are neither the request nor the callback phase.
#
# Only the logout path is special-cased: when `current_path` matches
# `logout_path_pattern`, the issuer is filled in if unset, discovery runs,
# and the browser is redirected to the provider's end-session URL if one
# can be built. Every other request (and a logout with no end-session URL)
# is passed through to the wrapped app.
def other_phase
  return call_app! unless logout_path_pattern.match?(current_path)

  options.issuer = issuer if options.issuer.to_s.empty?
  discover!
  return redirect(end_session_uri) if end_session_uri

  call_app!
end

#public_key ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 183

# The key material used to verify provider-signed tokens, memoized after
# the first successful lookup.
#
# Resolution order: the discovered JWKS when `options.discovery` is set,
# otherwise a statically configured public key, otherwise a key fetched from
# the configured `jwks_uri`. If none of these applies the result is nil and
# the lookup is repeated on the next call.
def public_key
  return @public_key if @public_key

  @public_key =
    if options.discovery
      config.jwks
    elsif configured_public_key
      configured_public_key
    elsif client_options.jwks_uri
      fetch_key
    end
end

#request_phase ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 104

# Starts the login: fills in the issuer when none is configured, runs
# discovery, and redirects the browser to the provider's authorization URL.
def request_phase
  options.issuer = issuer if options.issuer.to_s.empty?
  discover!
  target = authorize_uri
  redirect(target)
end

#secret ⇒ Object

Some OpenID providers use the OAuth2 client secret as the shared secret, but Keycloak uses a separate key that’s stored inside the database.



# File 'lib/omniauth/strategies/openid_connect.rb', line 197

# The shared secret used for HMAC-signed tokens.
#
# An explicitly configured `jwt_secret` wins; otherwise a base64-decoded
# secret is tried; the OAuth2 client secret is the last resort. Each
# fallback is only evaluated when the previous one is nil or false.
def secret
  configured = options.jwt_secret
  return configured if configured

  base64_decoded_jwt_secret || client_options.secret
end

#uid ⇒ Object



# File 'lib/omniauth/strategies/openid_connect.rb', line 63

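# The user's unique identifier for this provider.
#
# Reads the claim named by `options.uid_field` from the raw userinfo
# attributes and falls back to the `sub` claim when that claim is absent.
# The fallback is silent: a misspelled or unsupported uid_field yields `sub`
# rather than an error.
#
# NOTE(review): the rendered listing lost the receiver before
# `.raw_attributes` and `.sub`; it is the userinfo response object
# (`user_info` in the gem source) — confirm against the source file.
def uid
  user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
end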