Class: OmniAuth::Strategies::AzureActivedirectoryV2

Inherits:
OAuth2
  • Object
Defined in:
lib/omniauth/strategies/azure_activedirectory_v2.rb

Constant Summary

BASE_AZURE_URL =
'https://login.microsoftonline.com'
DEFAULT_SCOPE =
'openid profile email'

Instance Method Summary

Instance Method Details

#callback_url ⇒ Object



# File 'lib/omniauth/strategies/azure_activedirectory_v2.rb', line 83

# Absolute URL Azure is told to redirect back to (the OAuth2 redirect_uri).
#
# Built from OmniAuth's `full_host` and `callback_path`, both provided by the
# surrounding strategy (not shown here). NOTE(security): if `full_host` ends up
# derived from the incoming Host header rather than a configured value, pin it
# via the `full_host` option so a spoofed Host cannot alter the redirect_uri;
# Azure's exact-match check on registered redirect URIs is the backstop.
#
# @return [String] host and callback path concatenated
def callback_url
  host = full_host
  path = callback_path
  host + path
end

#client ⇒ Object



# File 'lib/omniauth/strategies/azure_activedirectory_v2.rb', line 18

# Builds the OAuth2 client for Azure AD / Entra ID.
#
# Provider settings come either from a `tenant_provider` object (instantiated
# with this strategy, so the tenant can be chosen per request) or from the
# static `options`. The resolved values are written back onto `options`, the
# authorize and token endpoint URLs are derived from them, and the superclass
# then constructs the client.
#
# @return [Object] whatever OAuth2#client returns for the updated `options`
def client
  provider = options.tenant_provider ? options.tenant_provider.new(self) : options

  options.client_id = provider.client_id
  options.client_secret = provider.client_secret
  # 'common' accepts sign-in from any Azure tenant; no tenant (tid) or issuer
  # restriction is applied in this method.
  options.tenant_id = provider.respond_to?(:tenant_id) ? provider.tenant_id : 'common'
  options.base_azure_url = provider.respond_to?(:base_azure_url) ? provider.base_azure_url : BASE_AZURE_URL

  # A provider-supplied authorize_params replaces the configured set wholesale,
  # so it must be installed before domain_hint/prompt/scope are set on it.
  options.authorize_params = provider.authorize_params if provider.respond_to?(:authorize_params)

  domain_hint = provider.respond_to?(:domain_hint) && provider.domain_hint
  options.authorize_params.domain_hint = domain_hint if domain_hint

  # NOTE(security): `prompt` and `scope` are read from the incoming request when
  # present, so whoever can craft the login URL can override the configured
  # scope sent to Azure. Restrict or allow-list this at the application level
  # if the requested scope must not be caller-controlled.
  req_params = defined?(request) ? request.params : {}
  options.authorize_params.prompt = req_params['prompt'] if req_params['prompt']

  options.authorize_params.scope =
    if req_params['scope']
      req_params['scope']
    elsif provider.respond_to?(:scope) && provider.scope
      provider.scope
    else
      DEFAULT_SCOPE
    end

  options.custom_policy = provider.respond_to?(:custom_policy) ? provider.custom_policy : nil

  # ADFS only exposes the v1-style endpoints; Azure AD proper uses v2.0.
  endpoint_version = provider.respond_to?(:adfs?) && provider.adfs? ? 'oauth2' : 'oauth2/v2.0'
  tenant_base = "#{options.base_azure_url}/#{options.tenant_id}"
  options.client_options.authorize_url = "#{tenant_base}/#{endpoint_version}/authorize"
  # A B2C custom policy is inserted between the tenant and the endpoint version
  # on the token URL only.
  token_segment = options.custom_policy ? "#{options.custom_policy}/#{endpoint_version}" : endpoint_version
  options.client_options.token_url = "#{tenant_base}/#{token_segment}/token"

  super
end

#raw_info ⇒ Object

https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

For some Microsoft account types only the ID token is a decodable JWT and the access token is opaque, so the information available is limited. For other account types the access token also decodes as a JWT and carries an expanded set of claims.

Merge the two, letting the access-token claims overwrite ID-token claims on key collision, and use the result as raw info. Note that both tokens are decoded without signature verification here (`JWT.decode(..., nil, false)`), which relies on the tokens having just been obtained from the token endpoint over TLS.



# File 'lib/omniauth/strategies/azure_activedirectory_v2.rb', line 97

# Claims used to populate the auth hash, taken from the tokens returned by the
# token endpoint.
#
# NOTE(security): both tokens are decoded with signature verification disabled
# (`JWT.decode(..., nil, false)`) and no claim (iss/aud/exp/tid) is checked in
# this method. That is only defensible because the tokens were just received
# directly from the token endpoint — assuming `base_azure_url` is https — so
# never route a token that arrived from the browser or a third party through
# here. Per OAuth 2.0 the access token is opaque to the client and may not be a
# JWT at all, which is why every decode failure is swallowed into an empty hash.
#
# @return [Hash] ID-token claims overlaid with any access-token claims
#   (access-token values win on key collision); memoised per instance
def raw_info
  @raw_info ||= begin
    decode = lambda do |token|
      begin
        ::JWT.decode(token, nil, false).first
      rescue StandardError
        {}
      end
    end

    # Receiver is evaluated first, so the ID token is decoded before the
    # access token, exactly as before; merge! mutates and returns the ID-token
    # hash.
    decode.call(access_token.params['id_token']).merge!(decode.call(access_token.token))
  end
end