Class: OmniAuth::Strategies::AzureActivedirectoryV3

Inherits:
OAuth2
  • Object
Defined in:
lib/omniauth/strategies/azure_activedirectory_v3.rb

Constant Summary

BASE_AZURE_URL =
'https://login.microsoftonline.com'
DEFAULT_SCOPE =
'openid profile email'


Instance Method Details

#callback_url ⇒ Object



# File 'lib/omniauth/strategies/azure_activedirectory_v3.rb', line 63

# Redirect URI sent to Azure: the scheme+host of the current request, the
# Rack mount point and this strategy's callback path — nothing else, so the
# value is the same in the request phase and in the callback phase (the
# redirect_uri presented at the token endpoint has to match the one used at
# authorization).
#
# @return [String] absolute callback URL
def callback_url
  [full_host, script_name, callback_path].join
end

#client ⇒ Object



# File 'lib/omniauth/strategies/azure_activedirectory_v3.rb', line 16

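# Configure the OAuth2 client for the current call.
#
# Settings come either from a +tenant_provider+ (instantiated with this
# strategy) or straight from +options+; they are copied onto +options+, the
# authorize/token URLs are derived from them, and the OAuth2 strategy's own
# +client+ is then invoked.
#
# Security notes:
# * +tenant_id+ defaults to 'common', the multi-tenant endpoint, which signs
#   in users from any Azure AD tenant (and personal accounts). An app that
#   only wants particular tenants must check the +tid+ claim in +raw_info+
#   itself — nothing here does.
# * +prompt+ is copied from the unauthenticated query string of the current
#   request, so whoever crafts the sign-in link controls it. Only Azure's
#   documented values (login, none, consent, select_account) have any
#   effect; add an allow-list if that matters to your deployment.
# * +options+ is mutated in place on every call. NOTE(review): if the
#   strategy instance (and so +options+) is shared between requests, values
#   set for one request remain visible to the next — confirm against the
#   OmniAuth strategy lifecycle before relying on per-request providers.
# * NOTE(review): Microsoft's published identity-platform endpoints use
#   /oauth2/v2.0/...; confirm the v3.0 path below is intentional.
#
# @return whatever the superclass +client+ returns
def client
  provider = options.tenant_provider ? options.tenant_provider.new(self) : options

  options.client_id = provider.client_id
  options.client_secret = provider.client_secret
  options.tenant_id = provider.respond_to?(:tenant_id) ? provider.tenant_id : 'common'
  options.base_azure_url =
    provider.respond_to?(:base_azure_url) ? provider.base_azure_url : BASE_AZURE_URL

  options.authorize_params = provider.authorize_params if provider.respond_to?(:authorize_params)
  if provider.respond_to?(:domain_hint) && provider.domain_hint
    options.authorize_params.domain_hint = provider.domain_hint
  end

  # The previous condition `defined? request && request.params['prompt']`
  # parsed as `defined?(request && ...)`, which is always truthy, so prompt
  # was in effect assigned on every call (nil when the param is absent).
  # Keep that — it resets whatever an earlier call left behind — and only
  # skip the assignment when no +request+ method exists at all.
  options.authorize_params.prompt = (request.params['prompt'] if defined?(request))

  scope = provider.scope if provider.respond_to?(:scope)
  options.authorize_params.scope = scope || DEFAULT_SCOPE

  endpoint = "#{options.base_azure_url}/#{options.tenant_id}/oauth2/v3.0"
  options.client_options.authorize_url = "#{endpoint}/authorize"
  options.client_options.token_url = "#{endpoint}/token"

  super
end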

#raw_info ⇒ Object

See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

Some Microsoft account types return an access token that is opaque (not a decodable JWT), so only the ID token's claims are available and the information is limited. Other account types return an access token that does decode as a JWT and carries an expanded set of claims.

The two claim sets are merged, with access-token claims overwriting ID-token claims when keys collide, and the result is used as raw info. Neither token's signature is verified during this decode (`JWT.decode(..., nil, false)`), so the claims are only as trustworthy as the token-endpoint response that delivered them.



# File 'lib/omniauth/strategies/azure_activedirectory_v3.rb', line 77

# Claims used to build the auth hash, memoized in @raw_info.
#
# Both the ID token and the access token from the token endpoint are decoded
# as JWTs with verification switched off: signature, `iss`, `aud`, `exp` and
# `tid` are NOT checked here, so the result is only as trustworthy as the
# token-endpoint response that delivered the tokens. A token that cannot be
# decoded at all (e.g. an opaque access token) contributes nothing. On a key
# collision the access-token claim wins.
#
# NOTE(review): applications that restrict sign-in to particular tenants must
# check the `tid` claim themselves; nothing here does.
#
# @return [Hash] merged ID-token and access-token claims
def raw_info
  return @raw_info unless @raw_info.nil?

  # Payload of +token+ without signature verification; {} when undecodable.
  claims_of = lambda do |token|
    begin
      ::JWT.decode(token, nil, false).first
    rescue StandardError
      {}
    end
  end

  id_claims = claims_of.call(access_token.params['id_token'])
  access_claims = claims_of.call(access_token.token)
  @raw_info = id_claims.merge(access_claims)
end