Class: OmniAuth::MicrosoftGraph::DomainVerifier

Inherits:
Object
Defined in:
lib/omniauth/microsoft_graph/domain_verifier.rb


Constructor Details

#initialize(auth_hash, access_token, options) ⇒ DomainVerifier

Returns a new instance of DomainVerifier.



# File 'lib/omniauth/microsoft_graph/domain_verifier.rb', line 21

# Captures the two domains that verify! compares, plus the tokens and the
# configured skip setting.
#
# @param auth_hash [Hash-like] OmniAuth auth hash; 'info'/'email' and
#   'extra'/'raw_info'/'userPrincipalName' are read. Both keys are assumed
#   present — a missing 'info' or 'extra' raises NoMethodError here.
# @param access_token [#params] token whose params hash holds 'id_token'
# @param options [Hash] strategy options; only :skip_domain_verification is
#   read (nil, true, or an Array of domain strings — see verify!)
#
# A domain is the text after the last '@'. A nil address yields a nil
# domain; an address with no '@' at all is used whole. No case folding is
# applied, so comparisons downstream are case-sensitive.
def initialize(auth_hash, access_token, options)
  domain_of = ->(address) { address&.split('@')&.last }

  info = auth_hash['info']
  raw_info = auth_hash['extra']['raw_info']

  @email_domain = domain_of.call(info['email'])
  @upn_domain = domain_of.call(raw_info['userPrincipalName'])
  @access_token = access_token
  @id_token = access_token.params['id_token']
  @skip_verification = options[:skip_domain_verification]
end

Class Method Details

.verify!(auth_hash, access_token, options) ⇒ Object



# File 'lib/omniauth/microsoft_graph/domain_verifier.rb', line 17

# Convenience entry point: builds a verifier for one callback and runs it.
#
# @param auth_hash [Hash-like] OmniAuth auth hash (see #initialize)
# @param access_token [#params] OAuth2 access token carrying 'id_token'
# @param options [Hash] strategy options (see #initialize)
# @return whatever the instance #verify! returns (true on success)
# @raise [DomainVerificationError] propagated from the instance #verify!
def self.verify!(auth_hash, access_token, options)
  verifier = new(auth_hash, access_token, options)
  verifier.verify!
end

Instance Method Details

#verify! ⇒ Object



# File 'lib/omniauth/microsoft_graph/domain_verifier.rb', line 29

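# Checks that the signed-in account belongs to an expected domain.
#
# Passes (returns true) when any one of these holds, checked in order:
#   1. the email domain is present and equals the UPN domain;
#   2. skip_verification is exactly `true` (any other truthy value, e.g. the
#      string "true", does NOT skip);
#   3. skip_verification is an Array that includes the email domain;
#   4. domain_verified_jwt_claim is truthy.
#
# @return [true]
# @raise [DomainVerificationError] with verification_error_message when no
#   condition holds
def verify!
  # The userPrincipalName property is mutable, but must always contain a
  # verified domain:
  #
  #  "The general format is alias@domain, where domain must be present in
  #  the tenant's collection of verified domains."
  #  https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
  #
  # This means while it's not suitable for consistently identifying a user
  # (the domain might change), it is suitable for verifying membership in
  # a given domain.
  #
  # Fail closed: both domains may be nil (the constructor uses `&.`), and a
  # bare `email_domain == upn_domain` is true for nil == nil, so an account
  # with neither value set would have passed. Require a real domain.
  domains_match = !email_domain.nil? && email_domain == upn_domain

  skipped = skip_verification == true ||
    (skip_verification.is_a?(Array) && skip_verification.include?(email_domain))

  # NOTE(review): domain_verified_jwt_claim is defined elsewhere in this
  # class; confirm it validates the id_token's signature and issuer before
  # trusting the claim, otherwise this branch is attacker-controlled.
  return true if domains_match || skipped || domain_verified_jwt_claim

  raise DomainVerificationError, verification_error_message
end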