Class: OmniauthOpenidFederation::Configuration

Inherits:
Object
Defined in:
lib/omniauth_openid_federation/configuration.rb


Constructor Details

#initialize ⇒ Configuration

Returns a new instance of Configuration.



# File 'lib/omniauth_openid_federation/configuration.rb', line 94

def initialize
  @verify_ssl = true # Default to secure
  @cache_ttl = nil # Default: manual rotation (never expires)
  @rotate_on_errors = false # Default: manual rotation only
  @http_timeout = 10
  @max_retries = 3
  @retry_delay = 1
  @http_options = nil
  @cache_adapter = nil
  @root_path = nil
  @clock_skew_tolerance = 60 # Default: 60 seconds clock skew tolerance
  @instrumentation = nil # Default: no instrumentation
  @max_string_length = 8192 # Default: 8KB - prevents DoS while allowing legitimate use cases
end

Instance Attribute Details

#cache_adapter ⇒ Object?

Custom cache adapter (optional). If not set, Rails.cache or ActiveSupport::Cache is detected automatically.

Examples:

class MyCacheAdapter
  def fetch(key, expires_in: nil, &block)
    # Your implementation
  end
end
config.cache_adapter = MyCacheAdapter.new

Returns:

  • (Object, nil)

    Cache adapter instance or nil



# File 'lib/omniauth_openid_federation/configuration.rb', line 52

def cache_adapter
  @cache_adapter
end

#cache_ttl ⇒ Integer?

Cache TTL for JWKS in seconds

Returns:

  • (Integer, nil)

    Cache TTL in seconds, or nil for manual rotation (never expires)

    • nil: Cache forever, manual rotation only (default)

    • positive integer: Cache expires after this many seconds



# File 'lib/omniauth_openid_federation/configuration.rb', line 13

def cache_ttl
  @cache_ttl
end

#clock_skew_tolerance ⇒ Integer

Clock skew tolerance in seconds for entity statement time validation. Per OpenID Federation 1.0 Section 3.2.1, time validation MUST allow for clock skew.

Examples:

config.clock_skew_tolerance = 120  # Allow 2 minutes of clock skew

Returns:

  • (Integer)

    Clock skew tolerance in seconds (default: 60)



# File 'lib/omniauth_openid_federation/configuration.rb', line 66

def clock_skew_tolerance
  @clock_skew_tolerance
end
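Example (added here; not the gem's own validation code): how a skew tolerance is applied to an entity statement's iat and exp claims. The helper names are hypothetical, and `now` is injectable so the check is deterministic. Note that the tolerance is applied in both directions (an iat slightly in the future and an exp slightly in the past are both accepted), but a statement whose exp precedes its iat is rejected regardless of skew.

```ruby
# Added example, not part of omniauth_openid_federation. Validates the
# iat/exp claims of an entity statement with a clock_skew_tolerance-style
# window. Returns [valid, reason]; reason is nil when the claims pass.
def time_claims_status(claims, skew: 60, now: Time.now.to_i)
  iat = claims["iat"]
  exp = claims["exp"]
  return [false, "missing iat"] unless iat.is_a?(Integer)
  return [false, "missing exp"] unless exp.is_a?(Integer)
  # Issuer's clock may run ahead of ours: allow iat up to `skew` in the future.
  return [false, "issued in the future"] if iat > now + skew
  # Our clock may run ahead of the issuer's: allow exp up to `skew` in the past.
  # exp is exclusive, so the statement is expired once now >= exp + skew.
  return [false, "expired"] if now >= exp + skew
  # No amount of skew excuses an expiry before issuance.
  return [false, "exp before iat"] if exp < iat
  [true, nil]
end

def time_claims_valid?(claims, skew: 60, now: Time.now.to_i)
  time_claims_status(claims, skew: skew, now: now).first
end
```

A failed check should be surfaced through the instrumentation callback rather than swallowed; a burst of "issued in the future" rejections usually means a peer's clock drifted, not an attack, but either way it is worth seeing.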

#http_options ⇒ Hash, ...

HTTP options passed to HTTP::Options.new. Can be a Hash or a Proc that returns a Hash.

Examples:

config.http_options = { ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
# Or with a proc for dynamic configuration:
config.http_options = -> { { ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE } } }

Returns:

  • (Hash, Proc, nil)

    HTTP options hash or proc that returns hash



# File 'lib/omniauth_openid_federation/configuration.rb', line 40

def http_options
  @http_options
end

#http_timeout ⇒ Integer

HTTP request timeout in seconds

Returns:

  • (Integer)

    Timeout in seconds



# File 'lib/omniauth_openid_federation/configuration.rb', line 23

def http_timeout
  @http_timeout
end

#instrumentation ⇒ Proc, ...

Custom instrumentation callback for security events. Can be a Proc, an object with a #call or #notify method, or a logger-like object.

Examples:

Configure with Sentry

config.instrumentation = ->(event, data) do
  Sentry.capture_message("OpenID Federation: #{event}", level: :warning, extra: data)
end

Configure with Honeybadger

config.instrumentation = ->(event, data) do
  Honeybadger.notify("OpenID Federation: #{event}", context: data)
end

Configure with custom logger

config.instrumentation = ->(event, data) do
  Rails.logger.warn("[Security] #{event}: #{data.inspect}")
end

Disable instrumentation

config.instrumentation = nil

Returns:

  • (Proc, Object, nil)

    Instrumentation callback or nil to disable



# File 'lib/omniauth_openid_federation/configuration.rb', line 85

def instrumentation
  @instrumentation
end
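Example (added here; not the gem's own dispatch code): one way to deliver a security event to any of the callback shapes listed above (Proc, #call, #notify, logger-like), plus an in-memory collector that lets a test suite assert that an event such as a signature failure was actually emitted. The dispatcher and the two collector classes are hypothetical names.

```ruby
# Added example, not part of omniauth_openid_federation. Delivers `event`
# with `data` to an instrumentation target of any documented shape and
# returns which shape was used (:disabled when the target is nil).
def dispatch_security_event(target, event, data = {})
  return :disabled if target.nil?
  if target.is_a?(Proc)
    target.call(event, data); :proc
  elsif target.respond_to?(:call)
    target.call(event, data); :call
  elsif target.respond_to?(:notify)
    target.notify(event, data); :notify
  elsif target.respond_to?(:warn)
    # Logger-like: same line format as the custom-logger example above.
    target.warn("[Security] #{event}: #{data.inspect}"); :logger
  else
    raise ArgumentError, "instrumentation must be a Proc, respond to #call/#notify, or be logger-like"
  end
end

# In-memory #notify target: keeps every event so tests can assert on it.
class EventCollector
  attr_reader :events
  def initialize; @events = []; end
  def notify(event, data); @events << [event, data]; end
end

# Minimal logger-like target capturing warn lines.
class ArrayLogger
  attr_reader :lines
  def initialize; @lines = []; end
  def warn(msg); @lines << msg; end
end
```

Rejecting unknown target shapes at configuration time (the ArgumentError branch) is deliberate: a misconfigured callback that silently does nothing would hide exactly the events it was meant to surface.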

#max_retries ⇒ Integer

Maximum number of retries for HTTP requests

Returns:

  • (Integer)

    Maximum retry count



# File 'lib/omniauth_openid_federation/configuration.rb', line 27

def max_retries
  @max_retries
end

#max_string_length ⇒ Integer

Maximum string length for request parameters (default: 8192 / 8KB). Prevents DoS attacks while allowing legitimate use cases (e.g., encrypted JWT authorization codes).

Examples:

config.max_string_length = 16384  # Increase to 16KB

Returns:

  • (Integer)

    Maximum string length in characters



# File 'lib/omniauth_openid_federation/configuration.rb', line 92

def max_string_length
  @max_string_length
end
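Example (added here; not the gem's own validation code): enforcing a max_string_length-style limit over a request parameter hash before any expensive work (JWE decryption, JWT parsing) is done on the input. The helpers are hypothetical; they descend into nested hashes and arrays and report every oversized value by path, measured in characters as the option documents.

```ruby
# Added example, not part of omniauth_openid_federation.
# Returns [[path, length], ...] for every string longer than max_length.
def oversized_params(params, max_length, path = [])
  case params
  when Hash
    params.flat_map { |k, v| oversized_params(v, max_length, path + [k.to_s]) }
  when Array
    params.each_with_index.flat_map { |v, i| oversized_params(v, max_length, path + [i.to_s]) }
  when String
    params.length > max_length ? [[path.join("."), params.length]] : []
  else
    [] # numbers, booleans and nil carry no string payload
  end
end

# Fail closed: raise before the oversized value reaches a parser.
# Returns the params unchanged when every string is within the limit.
def assert_param_lengths!(params, max_length = 8192)
  bad = oversized_params(params, max_length)
  return params if bad.empty?
  detail = bad.map { |p, n| "#{p} (#{n} chars)" }.join(", ")
  raise ArgumentError, "request parameter exceeds #{max_length} characters: #{detail}"
end
```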

#retry_delay ⇒ Integer

Retry delay in seconds (multiplied by the retry attempt number)

Returns:

  • (Integer)

    Base retry delay in seconds



# File 'lib/omniauth_openid_federation/configuration.rb', line 31

def retry_delay
  @retry_delay
end
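Example (added here; not the gem's own HTTP client): a retry loop combining max_retries and retry_delay as the two attributes describe, i.e. up to max_retries further attempts with the delay multiplied by the attempt number. The helper is hypothetical; the sleep function is injectable so tests run without real delays, and only the listed exception classes are retried so that a non-transient error (for example a rejected configuration) propagates immediately instead of being retried into a slower failure.

```ruby
# Added example, not part of omniauth_openid_federation.
# Yields the attempt number (0 for the first try) and returns the block's
# value; re-raises the last error once max_retries is exhausted.
def with_retries(max_retries: 3, retry_delay: 1, retry_on: [IOError], sleeper: ->(s) { sleep(s) })
  attempt = 0
  begin
    yield(attempt)
  rescue *retry_on
    attempt += 1
    raise if attempt > max_retries
    sleeper.call(retry_delay * attempt) # linear backoff: delay, 2*delay, 3*delay ...
    retry
  end
end
```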

#root_path ⇒ String?

Root path for file operations (optional). Used for resolving relative file paths when Rails.root is not available.

Examples:

config.root_path = "/path/to/app"

Returns:

  • (String, nil)

    Root path or nil



# File 'lib/omniauth_openid_federation/configuration.rb', line 59

def root_path
  @root_path
end

#rotate_on_errors ⇒ Boolean

Rotate JWKS cache on key-related errors

Returns:

  • (Boolean)

    true to automatically rotate cache on key-related errors, false to require manual rotation

    • false: Manual rotation only (default)

    • true: Automatically rotate cache when key-related errors occur (401, 403, 404, signature failures)



# File 'lib/omniauth_openid_federation/configuration.rb', line 19

def rotate_on_errors
  @rotate_on_errors
end
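Example (added here; not the gem's own code) covering three of the attributes above together: a minimal in-memory adapter with the fetch(key, expires_in:, &block) contract shown under #cache_adapter, cache_ttl semantics (nil never expires, a positive value expires after that many seconds), and a JWKS lookup that shows what rotate_on_errors means in practice: on a key-related error the cached key set is discarded and fetched once more before the error is raised. All class and method names are hypothetical, the clock is injectable, and `fetcher`/`verify` stand in for the HTTPS fetch and signature check.

```ruby
# Added example, not part of omniauth_openid_federation.
class MemoryCacheAdapter
  def initialize(clock: -> { Time.now.to_f })
    @store = {}
    @clock = clock
  end

  # Same contract as the adapter example under #cache_adapter:
  # expires_in nil means cache forever (manual rotation only).
  def fetch(key, expires_in: nil)
    entry = @store[key]
    return entry[:value] if entry && (entry[:expires_at].nil? || entry[:expires_at] > @clock.call)
    value = yield
    @store[key] = { value: value, expires_at: expires_in && @clock.call + expires_in }
    value
  end

  def delete(key)
    @store.delete(key)
  end
end

# Stands in for the gem's key-related errors (401/403/404, signature failure).
class JwksKeyError < StandardError; end

# Verify against the cached JWKS; with rotate_on_errors the cache entry is
# dropped and refetched exactly once, so a stale key set is healed without
# letting a persistent failure loop forever.
def verify_with_jwks(cache, key, cache_ttl:, rotate_on_errors:, fetcher:, verify:)
  attempts = 0
  begin
    attempts += 1
    jwks = cache.fetch(key, expires_in: cache_ttl) { fetcher.call }
    verify.call(jwks)
  rescue JwksKeyError
    raise if !rotate_on_errors || attempts > 1
    cache.delete(key)
    retry
  end
end
```

Capping rotation at one refetch matters: an unreachable or misbehaving issuer must surface as an error (and an instrumentation event), not as an unbounded fetch loop that turns a key problem into a self-inflicted outage.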

#verify_ssl ⇒ Boolean

SSL verification setting

Returns:

  • (Boolean)

    true to verify SSL certificates, false to skip verification



# File 'lib/omniauth_openid_federation/configuration.rb', line 7

def verify_ssl
  @verify_ssl
end
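Example (added here; not the gem's own HTTP code) for verify_ssl together with #http_options: resolving http_options (a Hash or a Proc returning one) into the ssl: hash that HTTP::Options.new accepts, with verify_ssl deciding the verify_mode. The helper names are hypothetical, and the precedence is this example's own choice: when verify_ssl is true, VERIFY_PEER is applied even if a VERIFY_NONE was supplied through http_options, so the development-only setting shown in the http_options examples cannot disable certificate checks by accident in production.

```ruby
# Added example, not part of omniauth_openid_federation.
require "openssl"

# Accepts nil, a Hash, or a Proc returning a Hash; anything else is rejected.
def resolve_http_options(http_options)
  opts = http_options.respond_to?(:call) ? http_options.call : http_options
  opts = {} if opts.nil?
  raise ArgumentError, "http_options must be a Hash or a Proc returning a Hash" unless opts.is_a?(Hash)
  opts
end

# Builds the ssl: hash for HTTP::Options.new. The caller's hash is not
# mutated. ca_file is optional and only meaningful when verifying.
def build_ssl_options(verify_ssl:, http_options: nil, ca_file: nil)
  ssl = (resolve_http_options(http_options)[:ssl] || {}).dup
  if verify_ssl
    ssl[:verify_mode] = OpenSSL::SSL::VERIFY_PEER # overrides any VERIFY_NONE passed in
    ssl[:ca_file] = ca_file if ca_file
  else
    ssl[:verify_mode] = OpenSSL::SSL::VERIFY_NONE
  end
  ssl
end
```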

Class Method Details

.config ⇒ Configuration

Get the global configuration instance (thread-safe)

Returns:



# File 'lib/omniauth_openid_federation/configuration.rb', line 126

def self.config
  @config_mutex ||= Mutex.new
  @config_mutex.synchronize do
    @config ||= new
  end
end

.configure {|config| ... } ⇒ Object

Configure the gem

Examples:

OmniauthOpenidFederation.configure do |config|
  config.verify_ssl = false # Only for development
  config.cache_ttl = 3600  # Cache expires after 1 hour
  config.rotate_on_errors = true  # Rotate on key-related errors
end

Yields:

  • (config)

    Yields the configuration object



# File 'lib/omniauth_openid_federation/configuration.rb', line 118

def self.configure
  yield(config) if block_given?
  config
end

.reset! ⇒ void

This method returns an undefined value.

Reset configuration (useful for testing)



# File 'lib/omniauth_openid_federation/configuration.rb', line 136

def self.reset!
  @config_mutex ||= Mutex.new
  @config_mutex.synchronize do
    @config = nil
  end
end