Class: WardenOpenidBearer::Strategy

Inherits:
Warden::Strategies::Base
  • Object
Includes:
CacheMixin, Registerer
Defined in:
lib/warden_openid_bearer/strategy.rb

Overview

Like `WardenOpenidAuth::Strategy` in `lib/warden_openid_auth/strategy.rb` from the `warden_openid_auth` gem, but designed for a modern, split-backend web application, in which the browser takes charge of the OAuth2 login dance and the back-end only validates bearer tokens (here, by presenting each token to the OpenID provider's userinfo endpoint; see #authenticate!).

You should subclass `WardenOpenidBearer::Strategy` and override the `user_of_claims` protected method if you want the authenticated user (`env['warden'].user`) to be a "real" user object, instead of just a hash of OIDC claims, which is what you get when using `WardenOpenidBearer::Strategy` directly. If you want your Rails app to support more than one OIDC authentication server, you should also subclass `WardenOpenidBearer::Strategy` and override the `metadata_url` method (and `valid?`, so that each strategy only claims the tokens its server issued; see #valid?).

This class has a `self.register!` class method, which makes registration (slightly) easier than calling `Warden::Strategies.add` yourself. See `WardenOpenidBearer::Registerer` for details.

Instance Method Summary

Methods included from CacheMixin

#cached_by

Methods included from Registerer

included

Instance Method Details

#authenticate! ⇒ Object

Presents the bearer token to the OpenID provider's userinfo endpoint. On an HTTP success response the parsed JSON claims are handed to `user_of_claims` and the result becomes the authenticated user; any other response fails the strategy, with the provider's raw response body as the failure message.



# File 'lib/warden_openid_bearer/strategy.rb', line 37

def authenticate!
  # Ask the OpenID provider's userinfo endpoint whether it accepts the bearer token.
  res = oauth2_userinfo_response
  body = res.body

  if res.is_a?(Net::HTTPSuccess)
    # The provider vouched for the token: turn its claims into the user object.
    success! user_of_claims(JSON.parse(body))
  else
    # Any other status fails the strategy; the message is the provider's raw response body.
    fail! body
  end
end

#config ⇒ Object

Made public so that one may tune `strategy.config.cache_timeout`.



# File 'lib/warden_openid_bearer/strategy.rb', line 56

def config
  return @config if @config

  @config = WardenOpenidBearer::DiscoveredConfig.new
  # Optional pinned TLS certificate for the OpenID server, taken from the gem-wide config.
  if (peer_cert = WardenOpenidBearer.config.openid_server_certificate)
    @config.peer_cert = peer_cert
  end

  # Discovered provider metadata is cached for cache_timeout.
  @config.cache_timeout = cache_timeout
  @config
end

#store? ⇒ Boolean

Overridden to always return false, because we typically *don't* want persistent sessions for an OpenID-Connect resource server: if Warden stored the user in the session, later requests would stay authenticated after the bearer token had expired or been revoked at the provider, which would break logout. Every request must present a valid bearer token instead.

Returns:

  • (Boolean)


# File 'lib/warden_openid_bearer/strategy.rb', line 51

def store?
  false
end

#valid? ⇒ Boolean

Override in a subclass to support multiple authentication servers (if tokens can be discriminated between them somehow). The base class returns true whenever the request carries an `Authorization: Bearer` header, i.e. whenever `token` is non-nil.

Returns:

  • (Boolean)


# File 'lib/warden_openid_bearer/strategy.rb', line 33

def valid?
  !!token
end
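Putting together the overrides described in the overview and under #valid?, here is an added example of a subclass (not code from the warden_openid_bearer gem) that serves two OpenID providers. It overrides `user_of_claims` to build a real user object, `metadata_url` to select the provider's discovery document, and `valid?` to claim only tokens that name a trusted issuer. The `TRUSTED_ISSUERS` allowlist, the `User` struct, the issuer-peeking helper, the base64url helpers and the `demo_jwt` tokens are all constructed for this example; the stand-in base class is an assumption that approximates only the parts of the gem's strategy the subclass touches, and is skipped when the gem itself is available.

```ruby
require 'json'

begin
  require 'warden_openid_bearer'
rescue LoadError
  # Constructed stand-in used only when the gem is not installed: it supplies
  # just the Rack env and `token` reader that the subclass below touches. It is
  # an assumption about the gem's base class, not its real implementation.
  module WardenOpenidBearer
    class Strategy
      attr_reader :env

      def initialize(env, _scope = nil)
        @env = env
      end

      # Assumed: the gem extracts the token from the `Authorization: Bearer` header.
      def token
        m = /\ABearer\s+(\S+)\z/.match(env['HTTP_AUTHORIZATION'].to_s)
        m && m[1]
      end
    end
  end
end

# Constructed allowlist of the OpenID providers this resource server trusts,
# keyed by issuer. #valid? rejects tokens naming any other issuer, so the
# unverified `iss` read below can only ever select one of these URLs.
TRUSTED_ISSUERS = {
  'https://login.example.com'   => 'https://login.example.com/.well-known/openid-configuration',
  'https://idp.partner.example' => 'https://idp.partner.example/.well-known/openid-configuration'
}.freeze

# `sub` is only unique within one issuer, so identity is the (issuer, sub) pair.
User = Struct.new(:issuer, :subject, :email)

# Base64url without padding, as used by JWTs (strict decode raises ArgumentError).
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

class MultiIssuerBearerStrategy < WardenOpenidBearer::Strategy
  # Claim the request only if its token names an allowlisted issuer.
  def valid?
    !!(token && trusted_issuer_of(token))
  end

  # Per-issuer discovery document; `fetch` raises instead of returning nil.
  def metadata_url
    TRUSTED_ISSUERS.fetch(trusted_issuer_of(token))
  end

  protected

  # Build a real user object from the userinfo claims. The issuer is the one we
  # routed on, not a claim, because userinfo responses need not carry `iss`.
  def user_of_claims(claims)
    User.new(trusted_issuer_of(token), claims.fetch('sub'), claims['email'])
  end

  private

  # Peeks at `iss` in a JWT-shaped token WITHOUT verifying the signature. That is
  # acceptable only because the value selects an entry of TRUSTED_ISSUERS and the
  # token is still validated by the provider's userinfo endpoint in #authenticate!.
  # Returns nil for opaque tokens, malformed JWTs and unknown issuers.
  def trusted_issuer_of(tok)
    parts = tok.to_s.split('.')
    return nil unless parts.length == 3

    payload = JSON.parse(b64url_decode(parts[1]))
    return nil unless payload.is_a?(Hash)

    iss = payload['iss']
    TRUSTED_ISSUERS.key?(iss) ? iss : nil
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# Constructed, unsigned JWT-shaped token for the demo; the third segment is junk.
def demo_jwt(claims)
  [b64url_encode(JSON.generate('alg' => 'RS256', 'typ' => 'JWT')),
   b64url_encode(JSON.generate(claims)), 'signature'].join('.')
end

def strategy_for(authorization_header)
  env = authorization_header ? { 'HTTP_AUTHORIZATION' => authorization_header } : {}
  MultiIssuerBearerStrategy.new(env)
end
```

The `iss` claim is read without verifying the token, which is safe here only because it can select nothing but an entry of the fixed allowlist, and the token is still checked end to end by the provider's userinfo endpoint in #authenticate!; never derive a metadata URL directly from token contents. Register the subclass with its `register!` method as described for `WardenOpenidBearer::Registerer`.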