Class: Signet::OAuth2::Client

Inherits:
Object
  • Object
show all
Defined in:
lib/signet/oauth_2/client.rb

Constant Summary collapse

OOB_MODES =
["urn:ietf:wg:oauth:2.0:oob:auto", "urn:ietf:wg:oauth:2.0:oob", "oob"].freeze

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ Client

Creates an OAuth 2.0 client.

Examples:

client = Signet::OAuth2::Client.new(
  :authorization_uri =>
    'https://example.server.com/authorization',
  :token_credential_uri =>
    'https://example.server.com/token',
  :client_id => 'anonymous',
  :client_secret => 'anonymous',
  :scope => 'example',
  :redirect_uri => 'https://example.client.com/oauth'
)

Parameters:

  • options (Hash) (defaults to: {})

    The configuration parameters for the client.

    • :authorization_uri - The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
    • :token_credential_uri - The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
    • :client_id - A unique identifier issued to the client to identify itself to the authorization server.
    • :client_secret - A shared symmetric secret issued by the authorization server, which is used to authenticate the client.
    • :scope - The scope of the access request, expressed either as an Array or as a space-delimited String.
    • :target_audience - The final target audience for ID tokens fetched by this client, as a String.
    • :state - An arbitrary string designed to allow the client to maintain state.
    • :code - The authorization code received from the authorization server.
    • :redirect_uri - The redirection URI used in the initial request.
    • :username - The resource owner's username.
    • :password - The resource owner's password.
    • :issuer - Issuer ID when using assertion profile
    • :person - Target user for assertions
    • :expiry - Number of seconds assertions are valid for
    • :signing_key - Signing key when using assertion profile
    • :refresh_token - The refresh token associated with the access token to be refreshed.
    • :access_token - The current access token for this client.
    • :id_token - The current ID token for this client.
    • :extension_parameters - When using an extension grant type, this the set of parameters used by that extension.

See Also:


95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# File 'lib/signet/oauth_2/client.rb', line 95

def initialize options = {}
  @authorization_uri    = nil
  @token_credential_uri = nil
  @client_id            = nil
  @client_secret        = nil
  @code                 = nil
  @expires_at           = nil
  @issued_at            = nil
  @issuer               = nil
  @password             = nil
  @principal            = nil
  @redirect_uri         = nil
  @scope                = nil
  @target_audience      = nil
  @state                = nil
  @username             = nil
  @access_type          = nil
  update! options
end

Instance Attribute Details

#subObject

The target "sub" when issuing assertions. Used in some Admin SDK APIs.


596
597
598
# File 'lib/signet/oauth_2/client.rb', line 596

def sub
  @sub
end

Instance Method Details

#access_tokenString

Returns the access token associated with this client.

Returns:

  • (String)

    The access token.


710
711
712
# File 'lib/signet/oauth_2/client.rb', line 710

def access_token
  @access_token ||= nil
end

#access_token=(new_access_token) ⇒ Object

Sets the access token associated with this client.

Parameters:

  • new_access_token (String)

    The access token.


719
720
721
# File 'lib/signet/oauth_2/client.rb', line 719

def access_token= new_access_token
  @access_token = new_access_token
end

#access_typeString, Symbol

Returns the current access type parameter for #authorization_uri.

Returns:

  • (String, Symbol)

    The current access type.


337
338
339
# File 'lib/signet/oauth_2/client.rb', line 337

def access_type
  @access_type
end

#access_type=(new_access_type) ⇒ Object

Sets the current access type parameter for #authorization_uri.

Parameters:

  • new_access_type (String, Symbol)

    The current access type.


346
347
348
# File 'lib/signet/oauth_2/client.rb', line 346

def access_type= new_access_type
  @access_type = new_access_type
end

#additional_parametersHash

Returns the set of additional (non standard) parameters to be used by the client.

Returns:

  • (Hash)

    The pass through parameters.


671
672
673
# File 'lib/signet/oauth_2/client.rb', line 671

def additional_parameters
  @additional_parameters ||= {}
end

#additional_parameters=(new_additional_parameters) ⇒ Object

Sets additional (non standard) parameters to be used by the client.

Parameters:

  • new_additional_parameters (Hash)

    The parameters.


680
681
682
683
684
685
686
687
# File 'lib/signet/oauth_2/client.rb', line 680

def additional_parameters= new_additional_parameters
  if new_additional_parameters.respond_to? :to_hash
    @additional_parameters = new_additional_parameters.to_hash
  else
    raise TypeError,
          "Expected Hash, got #{new_additional_parameters.class}."
  end
end

#audienceString

Returns the target audience ID when issuing assertions. Used only by the assertion grant type.

Returns:

  • (String)

    Target audience ID.


556
557
558
# File 'lib/signet/oauth_2/client.rb', line 556

def audience
  @audience
end

#audience=(new_audience) ⇒ Object

Sets the target audience ID when issuing assertions. Used only by the assertion grant type.

Parameters:

  • new_audience (String)

    Target audience ID


566
567
568
# File 'lib/signet/oauth_2/client.rb', line 566

def audience= new_audience
  @audience = new_audience
end

#authorization_uri(options = {}) ⇒ Addressable::URI

Returns the authorization URI that the user should be redirected to.

Returns:

  • (Addressable::URI)

    The authorization URI.

Raises:

  • (ArgumentError)

See Also:


266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
# File 'lib/signet/oauth_2/client.rb', line 266

def authorization_uri options = {}
  # Normalize external input
  options = deep_hash_normalize options

  return nil if @authorization_uri.nil?
  options[:response_type] = :code unless options[:response_type]
  options[:access_type] = access_type if !options[:access_type] && access_type
  options[:client_id] ||= client_id
  options[:redirect_uri] ||= redirect_uri
  if options[:prompt] && options[:approval_prompt]
    raise ArgumentError, "prompt and approval_prompt are mutually exclusive parameters"
  end
  raise ArgumentError, "Missing required client identifier." unless options[:client_id]
  raise ArgumentError, "Missing required redirect URI." unless options[:redirect_uri]
  options[:scope] = scope.join " " if !options[:scope] && scope
  options[:state] = state unless options[:state]
  options.merge!(additional_parameters.merge(options[:additional_parameters] || {}))
  options.delete :additional_parameters
  options = options.transform_keys(&:to_s)
  uri = Addressable::URI.parse(
    ::Signet::OAuth2.generate_authorization_uri(
      @authorization_uri, options
    )
  )
  if uri.normalized_scheme != "https"
    raise Signet::UnsafeOperationError,
          "Authorization endpoint must be protected by TLS."
  end
  uri
end

#authorization_uri=(new_authorization_uri) ⇒ Object

Sets the authorization URI for this client.

Parameters:

  • new_authorization_uri (Addressable::URI, Hash, String, #to_str)

    The authorization URI.


302
303
304
# File 'lib/signet/oauth_2/client.rb', line 302

def authorization_uri= new_authorization_uri
  @authorization_uri = coerce_uri new_authorization_uri
end

#clear_credentials!Object

Removes all credentials from the client.


851
852
853
854
855
856
857
858
859
860
# File 'lib/signet/oauth_2/client.rb', line 851

def clear_credentials!
  @access_token = nil
  @refresh_token = nil
  @id_token = nil
  @username = nil
  @password = nil
  @code = nil
  @issued_at = nil
  @expires_at = nil
end

#client_idString

Returns the client identifier for this client.

Returns:

  • (String)

    The client identifier.


354
355
356
# File 'lib/signet/oauth_2/client.rb', line 354

def client_id
  @client_id
end

#client_id=(new_client_id) ⇒ Object

Sets the client identifier for this client.

Parameters:

  • new_client_id (String)

    The client identifier.


363
364
365
# File 'lib/signet/oauth_2/client.rb', line 363

def client_id= new_client_id
  @client_id = new_client_id
end

#client_secretString

Returns the client secret for this client.

Returns:

  • (String)

    The client secret.


371
372
373
# File 'lib/signet/oauth_2/client.rb', line 371

def client_secret
  @client_secret
end

#client_secret=(new_client_secret) ⇒ Object

Sets the client secret for this client.

Parameters:

  • new_client_secret (String)

    The client secret.


380
381
382
# File 'lib/signet/oauth_2/client.rb', line 380

def client_secret= new_client_secret
  @client_secret = new_client_secret
end

#codeString

Returns the authorization code issued to this client. Used only by the authorization code access grant type.

Returns:

  • (String)

    The authorization code.


457
458
459
# File 'lib/signet/oauth_2/client.rb', line 457

def code
  @code
end

#code=(new_code) ⇒ Object

Sets the authorization code issued to this client. Used only by the authorization code access grant type.

Parameters:

  • new_code (String)

    The authorization code.


467
468
469
# File 'lib/signet/oauth_2/client.rb', line 467

def code= new_code
  @code = new_code
end

#coerce_uri(incoming_uri) ⇒ Object

Addressable expects URIs formatted as hashes to come in with symbols as keys. Returns nil implicitly for the nil case.


325
326
327
328
329
330
331
# File 'lib/signet/oauth_2/client.rb', line 325

def coerce_uri incoming_uri
  if incoming_uri.is_a? Hash
    Addressable::URI.new deep_hash_normalize(incoming_uri)
  elsif incoming_uri
    Addressable::URI.parse incoming_uri
  end
end

#decoded_id_token(public_key = nil, options = {}, &keyfinder) ⇒ String

Returns the decoded ID token associated with this client.

Parameters:

  • public_key (OpenSSL::PKey::RSA, Object) (defaults to: nil)

    The public key to use to verify the ID token. Skips verification if omitted.

Returns:

  • (String)

    The decoded ID token.

Raises:


748
749
750
751
752
753
754
755
756
757
758
# File 'lib/signet/oauth_2/client.rb', line 748

def decoded_id_token public_key = nil, options = {}, &keyfinder
  options[:algorithm] ||= signing_algorithm
  verify = !public_key.nil? || block_given?
  payload, _header = JWT.decode(id_token, public_key, verify, options, &keyfinder)
  raise Signet::UnsafeOperationError, "No ID token audience declared." unless payload.key? "aud"
  unless Array(payload["aud"]).include?(client_id)
    raise Signet::UnsafeOperationError,
          "ID token audience did not match Client ID."
  end
  payload
end

#expired?TrueClass, FalseClass

Returns true if the access token has expired. Returns false if the token has not expired or has an nil @expires_at.

Returns:

  • (TrueClass, FalseClass)

    The expiration state of the access token.


832
833
834
# File 'lib/signet/oauth_2/client.rb', line 832

def expired?
  !expires_at.nil? && Time.now >= expires_at
end

#expires_atTime?

Returns the timestamp the access token will expire at. Returns nil if the token does not expire.

Returns:

  • (Time, nil)

    The access token lifetime.


812
813
814
# File 'lib/signet/oauth_2/client.rb', line 812

def expires_at
  @expires_at
end

#expires_at=(new_expires_at) ⇒ Object

Limits the lifetime of the access token as number of seconds since the Epoch. Nil values will be treated as though the token does not expire.

Parameters:

  • new_expires_at (String, Integer, Time, nil)

    The access token expiration time.


822
823
824
# File 'lib/signet/oauth_2/client.rb', line 822

def expires_at= new_expires_at
  @expires_at = normalize_timestamp new_expires_at
end

#expires_inInteger?

Returns the lifetime of the access token in seconds. Returns nil if the token does not expire.

Returns:

  • (Integer, nil)

    The access token lifetime.


765
766
767
768
769
770
771
# File 'lib/signet/oauth_2/client.rb', line 765

def expires_in
  if @expires_at.nil? || @issued_at.nil?
    nil
  else
    (@expires_at - @issued_at).to_i
  end
end

#expires_in=(new_expires_in) ⇒ Object

Sets the lifetime of the access token in seconds. Resets the issued_at timestamp. Nil values will be treated as though the token does not expire.

Parameters:

  • new_expires_in (String, Integer, nil)

    The access token lifetime.


780
781
782
783
784
785
786
787
788
# File 'lib/signet/oauth_2/client.rb', line 780

def expires_in= new_expires_in
  if new_expires_in.nil?
    @expires_at = nil
    @issued_at = nil
  else
    @issued_at = Time.now
    @expires_at = @issued_at + new_expires_in.to_i
  end
end

#expires_within?(sec) ⇒ TrueClass, FalseClass

Returns true if the access token has expired or expires within the next n seconds. Returns false for tokens with a nil @expires_at.

Parameters:

  • sec (Integer)

    Max number of seconds from now where a token is still considered expired.

Returns:

  • (TrueClass, FalseClass)

    The expiration state of the access token.


845
846
847
# File 'lib/signet/oauth_2/client.rb', line 845

def expires_within? sec
  !expires_at.nil? && Time.now >= (expires_at - sec)
end

#expiryInteger

Returns the number of seconds assertions are valid for Used only by the assertion grant type.

Returns:

  • (Integer)

    Assertion expiry, in seconds


603
604
605
# File 'lib/signet/oauth_2/client.rb', line 603

def expiry
  @expiry
end

#expiry=(new_expiry) ⇒ Object

Sets the number of seconds assertions are valid for Used only by the assertion grant type.

Parameters:

  • new_expiry (Integer, String)

    Assertion expiry, in seconds


613
614
615
# File 'lib/signet/oauth_2/client.rb', line 613

def expiry= new_expiry
  @expiry = new_expiry ? new_expiry.to_i : nil
end

#extension_parametersHash

Returns the set of extension parameters used by the client. Used only by extension access grant types.

Returns:

  • (Hash)

    The extension parameters.


648
649
650
# File 'lib/signet/oauth_2/client.rb', line 648

def extension_parameters
  @extension_parameters ||= {}
end

#extension_parameters=(new_extension_parameters) ⇒ Object

Sets extension parameters used by the client. Used only by extension access grant types.

Parameters:

  • new_extension_parameters (Hash)

    The parameters.


658
659
660
661
662
663
664
665
# File 'lib/signet/oauth_2/client.rb', line 658

def extension_parameters= new_extension_parameters
  if new_extension_parameters.respond_to? :to_hash
    @extension_parameters = new_extension_parameters.to_hash
  else
    raise TypeError,
          "Expected Hash, got #{new_extension_parameters.class}."
  end
end

#fetch_access_token(options = {}) ⇒ Object

Raises:

  • (ArgumentError)

988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
# File 'lib/signet/oauth_2/client.rb', line 988

def fetch_access_token options = {}
  raise ArgumentError, "Missing token endpoint URI." if token_credential_uri.nil?

  options = deep_hash_normalize options

  client = options[:connection] ||= Faraday.default_connection
  url = Addressable::URI.parse token_credential_uri
  parameters = generate_access_token_request options
  if client.is_a? Faraday::Connection
    if options[:use_basic_auth]
      # The Basic Auth middleware usage differs before and after Faraday v2
      if Gem::Version.new(Faraday::VERSION).segments.first >= 2
        client.request :authorization, :basic, client_id, client_secret
      else
        client.request :basic_auth, client_id, client_secret
      end
    end
    response = client.post url.normalize.to_s,
                           Addressable::URI.form_encode(parameters),
                           "Content-Type" => "application/x-www-form-urlencoded"
    status = response.status.to_i
    body = response.body
    content_type = response.headers["Content-type"]
  else
    # Hurley
    if options[:use_basic_auth]
      url.user = client_id
      url.password = client_secret
    end
    response = client.post url.normalize.to_s, parameters
    status = response.status_code.to_i
    body = response.body
    content_type = response.header[:content_type]
  end

  return ::Signet::OAuth2.parse_credentials body, content_type if status == 200

  message = "  Server message:\n#{response.body.to_s.strip}" unless body.to_s.strip.empty?
  if [400, 401, 403].include? status
    message = "Authorization failed.#{message}"
    raise ::Signet::AuthorizationError.new message, response: response
  elsif status.to_s[0] == "5"
    message = "Remote server error.#{message}"
    raise ::Signet::RemoteServerError, message
  else
    message = "Unexpected status code: #{response.status}.#{message}"
    raise ::Signet::UnexpectedStatusError, message
  end
end

#fetch_access_token!(options = {}) ⇒ Object


1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
# File 'lib/signet/oauth_2/client.rb', line 1038

def fetch_access_token! options = {}
  token_hash = fetch_access_token options
  if token_hash
    # No-op for grant types other than `authorization_code`.
    # An authorization code is a one-time use token and is immediately
    # revoked after usage.
    self.code = nil
    self.issued_at = Time.now
    update_token! token_hash
  end
  token_hash
end

#fetch_protected_resource(options = {}) ⇒ Array

Transmits a request for a protected resource.

Examples:

# Using Net::HTTP
response = client.fetch_protected_resource(
  :uri => 'http://www.example.com/protected/resource'
)

Parameters:

  • options (Hash) (defaults to: {})

    The configuration parameters for the request.

    • :request - A pre-constructed request. An OAuth 2 Authorization header will be added to it, as well as an explicit Cache-Control no-store directive.
    • :method - The HTTP method for the request. Defaults to 'GET'.
    • :uri - The URI for the request.
    • :headers - The HTTP headers for the request.
    • :body - The HTTP body for the request.
    • :realm - The Authorization realm. See RFC 2617.
    • :connection - The HTTP connection to use. Must be of type Faraday::Connection.

Returns:

  • (Array)

    The response object.

Raises:


1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
# File 'lib/signet/oauth_2/client.rb', line 1153

def fetch_protected_resource options = {}
  options = deep_hash_normalize options

  options[:connection] ||= Faraday.default_connection
  request = generate_authenticated_request options
  request_env = request.to_env options[:connection]
  request_env[:request] ||= request
  response = options[:connection].app.call request_env
  return response unless response.status.to_i == 401
  # When accessing a protected resource, we only want to raise an
  # error for 401 responses.
  message = "Authorization failed."
  message += "  Server message:\n#{response.body.to_s.strip}" unless response.body.to_s.strip.empty?
  raise ::Signet::AuthorizationError.new(
    message, request: request, response: response
  )
end

#generate_authenticated_request(options = {}) ⇒ Faraday::Request

Generates an authenticated request for protected resources.

Parameters:

  • options (Hash) (defaults to: {})

    The configuration parameters for the request.

    • :request - A pre-constructed request. An OAuth 2 Authorization header will be added to it, as well as an explicit Cache-Control no-store directive.
    • :method - The HTTP method for the request. Defaults to 'GET'.
    • :uri - The URI for the request.
    • :headers - The HTTP headers for the request.
    • :body - The HTTP body for the request.
    • :realm - The Authorization realm. See RFC 2617.

Returns:

  • (Faraday::Request)

    The request object.

Raises:

  • (ArgumentError)

1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
# File 'lib/signet/oauth_2/client.rb', line 1077

def generate_authenticated_request options = {}
  options = deep_hash_normalize options

  raise ArgumentError, "Missing access token." if access_token.nil?
  options = {
    realm: nil
  }.merge(options)

  if options[:request].is_a? Faraday::Request
    request = options[:request]
  else
    if options[:request].is_a? Array
      method, uri, headers, body = options[:request]
    else
      method = options[:method] || :get
      uri = options[:uri]
      headers = options[:headers] || []
      body = options[:body] || ""
    end
    headers = headers.to_a if headers.is_a? Hash
    request_components = {
      method:  method,
      uri:     uri,
      headers: headers,
      body:    body
    }
    # Verify that we have all pieces required to return an HTTP request
    request_components.each do |(key, value)|
      raise ArgumentError, "Missing :#{key} parameter." unless value
    end
    method = method.to_s.downcase.to_sym
    request = options[:connection].build_request method.to_s.downcase.to_sym do |req|
      req.url Addressable::URI.parse(uri).normalize.to_s
      req.headers = Faraday::Utils::Headers.new headers
      req.body = body
    end
  end

  request["Authorization"] = ::Signet::OAuth2.generate_bearer_authorization_header(
    access_token,
    options[:realm] ? [["realm", options[:realm]]] : nil
  )
  request["Cache-Control"] = "no-store"
  request
end

#grant_typeString

Returns the inferred grant type, based on the current state of the client object. Returns "none" if the client has insufficient information to make an in-band authorization request.

Returns:

  • (String)

    The inferred grant type.


869
870
871
872
873
874
875
876
877
878
879
880
881
# File 'lib/signet/oauth_2/client.rb', line 869

def grant_type
  @grant_type ||= nil
  return @grant_type if @grant_type
  if code && redirect_uri
    "authorization_code"
  elsif refresh_token
    "refresh_token"
  elsif username && password
    "password"
  elsif issuer && signing_key
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  end
end

#grant_type=(new_grant_type) ⇒ Object


883
884
885
886
887
888
889
890
891
# File 'lib/signet/oauth_2/client.rb', line 883

def grant_type= new_grant_type
  @grant_type =
    case new_grant_type
    when "authorization_code", "refresh_token", "password", "client_credentials"
      new_grant_type
    else
      Addressable::URI.parse new_grant_type
    end
end

#id_tokenString

Returns the ID token associated with this client.

Returns:

  • (String)

    The ID token.


727
728
729
# File 'lib/signet/oauth_2/client.rb', line 727

def id_token
  @id_token ||= nil
end

#id_token=(new_id_token) ⇒ Object

Sets the ID token associated with this client.

Parameters:

  • new_id_token (String)

    The ID token.


736
737
738
# File 'lib/signet/oauth_2/client.rb', line 736

def id_token= new_id_token
  @id_token = new_id_token
end

#issued_atTime?

Returns the timestamp the access token was issued at.

Returns:

  • (Time, nil)

    The access token issuance time.


794
795
796
# File 'lib/signet/oauth_2/client.rb', line 794

def issued_at
  @issued_at
end

#issued_at=(new_issued_at) ⇒ Object

Sets the timestamp the access token was issued at.

Parameters:

  • new_issued_at (String, Integer, Time)

    The access token issuance time.


803
804
805
# File 'lib/signet/oauth_2/client.rb', line 803

def issued_at= new_issued_at
  @issued_at = normalize_timestamp new_issued_at
end

#issuerString

Returns the issuer ID associated with this client. Used only by the assertion grant type.

Returns:

  • (String)

    Issuer id.


537
538
539
# File 'lib/signet/oauth_2/client.rb', line 537

def issuer
  @issuer
end

#issuer=(new_issuer) ⇒ Object

Sets the issuer ID associated with this client. Used only by the assertion grant type.

Parameters:

  • new_issuer (String)

    Issuer ID (typical in email adddress form).


547
548
549
# File 'lib/signet/oauth_2/client.rb', line 547

def issuer= new_issuer
  @issuer = new_issuer
end

#passwordString

Returns the password associated with this client. Used only by the resource owner password credential access grant type.

Returns:

  • (String)

    The password.


518
519
520
# File 'lib/signet/oauth_2/client.rb', line 518

def password
  @password
end

#password=(new_password) ⇒ Object

Sets the password associated with this client. Used only by the resource owner password credential access grant type.

Parameters:

  • new_password (String)

    The password.


528
529
530
# File 'lib/signet/oauth_2/client.rb', line 528

def password= new_password
  @password = new_password
end

#principalString Also known as: person

Returns the target resource owner for impersonation. Used only by the assertion grant type.

Returns:

  • (String)

    Target user for impersonation.


575
576
577
# File 'lib/signet/oauth_2/client.rb', line 575

def principal
  @principal
end

#principal=(new_person) ⇒ Object Also known as: person=

Sets the target resource owner for impersonation. Used only by the assertion grant type.

Parameters:

  • new_person (String)

    Target user for impersonation


585
586
587
# File 'lib/signet/oauth_2/client.rb', line 585

def principal= new_person
  @principal = new_person
end

#redirect_uriString

Returns the redirect URI for this client.

Returns:

  • (String)

    The redirect URI.


475
476
477
# File 'lib/signet/oauth_2/client.rb', line 475

def redirect_uri
  @redirect_uri
end

#redirect_uri=(new_redirect_uri) ⇒ Object

Sets the redirect URI for this client.

Parameters:

  • new_redirect_uri (String)

    The redirect URI.


484
485
486
487
488
489
490
491
492
# File 'lib/signet/oauth_2/client.rb', line 484

def redirect_uri= new_redirect_uri
  new_redirect_uri = Addressable::URI.parse new_redirect_uri
  # TODO: - Better solution to allow google postmessage flow. For now, make an exception to the spec.
  unless new_redirect_uri.nil? || new_redirect_uri.absolute? || uri_is_postmessage?(new_redirect_uri) ||
         uri_is_oob?(new_redirect_uri)
    raise ArgumentError, "Redirect URI must be an absolute URI."
  end
  @redirect_uri = new_redirect_uri
end

#refresh!(options = {}) ⇒ Object

Refresh the access token, if possible


1053
1054
1055
# File 'lib/signet/oauth_2/client.rb', line 1053

def refresh! options = {}
  fetch_access_token! options
end

#refresh_tokenString

Returns the refresh token associated with this client.

Returns:

  • (String)

    The refresh token.


693
694
695
# File 'lib/signet/oauth_2/client.rb', line 693

def refresh_token
  @refresh_token ||= nil
end

#refresh_token=(new_refresh_token) ⇒ Object

Sets the refresh token associated with this client.

Parameters:

  • new_refresh_token (String)

    The refresh token.


702
703
704
# File 'lib/signet/oauth_2/client.rb', line 702

def refresh_token= new_refresh_token
  @refresh_token = new_refresh_token
end

#scopeArray

Returns the scope for this client. Scope is a list of access ranges defined by the authorization server.

Returns:

  • (Array)

    The scope of access the client is requesting.


389
390
391
# File 'lib/signet/oauth_2/client.rb', line 389

def scope
  @scope
end

#scope=(new_scope) ⇒ Object

Sets the scope for this client.

Parameters:

  • new_scope (Array, String)

    The scope of access the client is requesting. This may be expressed as either an Array of String objects or as a space-delimited String.


400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
# File 'lib/signet/oauth_2/client.rb', line 400

def scope= new_scope
  case new_scope
  when Array
    new_scope.each do |scope|
      if scope.include? " "
        raise ArgumentError,
              "Individual scopes cannot contain the space character."
      end
    end
    @scope = new_scope
  when String
    @scope = new_scope.split
  when nil
    @scope = nil
  else
    raise TypeError, "Expected Array or String, got #{new_scope.class}"
  end
end

#signing_algorithmString

Algorithm used for signing JWTs

Returns:

  • (String)

    Signing algorithm


639
640
641
# File 'lib/signet/oauth_2/client.rb', line 639

def signing_algorithm
  signing_key.is_a?(String) ? "HS256" : "RS256"
end

#signing_keyString, OpenSSL::PKey

Returns the signing key associated with this client. Used only by the assertion grant type.

Returns:

  • (String, OpenSSL::PKey)

    Signing key


622
623
624
# File 'lib/signet/oauth_2/client.rb', line 622

def signing_key
  @signing_key
end

#signing_key=(new_key) ⇒ Object

Sets the signing key when issuing assertions. Used only by the assertion grant type.

Parameters:

  • new_key (String, OpenSSL::Pkey)

    Signing key. Either private key for RSA or string for HMAC algorithm


632
633
634
# File 'lib/signet/oauth_2/client.rb', line 632

def signing_key= new_key
  @signing_key = new_key
end

#stateString

Returns the client's current state value.

Returns:

  • (String)

    The state value.


439
440
441
# File 'lib/signet/oauth_2/client.rb', line 439

def state
  @state
end

#state=(new_state) ⇒ Object

Sets the client's current state value.

Parameters:

  • new_state (String)

    The state value.


448
449
450
# File 'lib/signet/oauth_2/client.rb', line 448

def state= new_state
  @state = new_state
end

#target_audienceString

Returns the final target audience for ID tokens fetched by this client.

Returns:

  • (String)

    The target audience.


423
424
425
# File 'lib/signet/oauth_2/client.rb', line 423

def target_audience
  @target_audience
end

#target_audience=(new_target_audience) ⇒ Object

Sets the final target audience for ID tokens fetched by this client.

Parameters:

  • new_target_audience (String)

    The new target audience.


431
432
433
# File 'lib/signet/oauth_2/client.rb', line 431

def target_audience= new_target_audience
  @target_audience = new_target_audience
end

#to_json(*_args) ⇒ String

Note:

A serialized client contains sensitive information. Persist or transmit with care.

Serialize the client object to JSON.

Returns:

  • (String)

    A serialized JSON representation of the client.


917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
# File 'lib/signet/oauth_2/client.rb', line 917

def to_json *_args
  MultiJson.dump(
    "authorization_uri"    => authorization_uri ? authorization_uri.to_s : nil,
    "token_credential_uri" => token_credential_uri ? token_credential_uri.to_s : nil,
    "client_id"            => client_id,
    "client_secret"        => client_secret,
    "scope"                => scope,
    "target_audience"      => target_audience,
    "state"                => state,
    "code"                 => code,
    "redirect_uri"         => redirect_uri ? redirect_uri.to_s : nil,
    "username"             => username,
    "password"             => password,
    "issuer"               => issuer,
    "audience"             => audience,
    "person"               => person,
    "expiry"               => expiry,
    "expires_at"           => expires_at ? expires_at.to_i : nil,
    "signing_key"          => signing_key,
    "refresh_token"        => refresh_token,
    "access_token"         => access_token,
    "id_token"             => id_token,
    "extension_parameters" => extension_parameters
  )
end

#to_jwt(options = {}) ⇒ Object


893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
# File 'lib/signet/oauth_2/client.rb', line 893

def to_jwt options = {}
  options = deep_hash_normalize options

  now = Time.new
  skew = options[:skew] || 60
  assertion = {
    "iss" => issuer,
    "aud" => audience,
    "exp" => (now + expiry).to_i,
    "iat" => (now - skew).to_i
  }
  assertion["scope"] = scope.join " " unless scope.nil?
  assertion["target_audience"] = target_audience unless target_audience.nil?
  assertion["prn"] = person unless person.nil?
  assertion["sub"] = sub unless sub.nil?
  JWT.encode assertion, signing_key, signing_algorithm
end

#token_credential_uriAddressable::URI

Returns the token credential URI for this client.

Returns:

  • (Addressable::URI)

    The token credential URI.


310
311
312
# File 'lib/signet/oauth_2/client.rb', line 310

def token_credential_uri
  @token_credential_uri
end

#token_credential_uri=(new_token_credential_uri) ⇒ Object

Sets the token credential URI for this client.

Parameters:

  • new_token_credential_uri (Addressable::URI, Hash, String, #to_str)

    The token credential URI.


319
320
321
# File 'lib/signet/oauth_2/client.rb', line 319

def token_credential_uri= new_token_credential_uri
  @token_credential_uri = coerce_uri new_token_credential_uri
end

#update!(options = {}) ⇒ Object

Updates an OAuth 2.0 client.

Examples:

client.update!(
  :code => 'i1WsRn1uB1',
  :access_token => 'FJQbwq9',
  :expires_in => 3600
)

Parameters:

  • options (Hash) (defaults to: {})

    The configuration parameters for the client.

    • :authorization_uri - The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
    • :token_credential_uri - The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
    • :client_id - A unique identifier issued to the client to identify itself to the authorization server.
    • :client_secret - A shared symmetric secret issued by the authorization server, which is used to authenticate the client.
    • :scope - The scope of the access request, expressed either as an Array or as a space-delimited String.
    • :target_audience - The final target audience for ID tokens fetched by this client, as a String.
    • :state - An arbitrary string designed to allow the client to maintain state.
    • :code - The authorization code received from the authorization server.
    • :redirect_uri - The redirection URI used in the initial request.
    • :username - The resource owner's username.
    • :password - The resource owner's password.
    • :issuer - Issuer ID when using assertion profile
    • :audience - Target audience for assertions
    • :person - Target user for assertions
    • :expiry - Number of seconds assertions are valid for
    • :signing_key - Signing key when using assertion profile
    • :refresh_token - The refresh token associated with the access token to be refreshed.
    • :access_token - The current access token for this client.
    • :access_type - The current access type parameter for #authorization_uri.
    • :id_token - The current ID token for this client.
    • :extension_parameters - When using an extension grant type, this is the set of parameters used by that extension.

See Also:


180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
# File 'lib/signet/oauth_2/client.rb', line 180

def update! options = {}
  # Normalize all keys to symbols to allow indifferent access.
  options = deep_hash_normalize options

  self.authorization_uri = options[:authorization_uri] if options.key? :authorization_uri
  self.token_credential_uri = options[:token_credential_uri] if options.key? :token_credential_uri
  self.client_id = options[:client_id] if options.key? :client_id
  self.client_secret = options[:client_secret] if options.key? :client_secret
  self.scope = options[:scope] if options.key? :scope
  self.target_audience = options[:target_audience] if options.key? :target_audience
  self.state = options[:state] if options.key? :state
  self.code = options[:code] if options.key? :code
  self.redirect_uri = options[:redirect_uri] if options.key? :redirect_uri
  self.username = options[:username] if options.key? :username
  self.password = options[:password] if options.key? :password
  self.issuer = options[:issuer] if options.key? :issuer
  self.person = options[:person] if options.key? :person
  self.sub = options[:sub] if options.key? :sub
  self.expiry = options[:expiry] || 60
  self.audience = options[:audience] if options.key? :audience
  self.signing_key = options[:signing_key] if options.key? :signing_key
  self.extension_parameters = options[:extension_parameters] || {}
  self.additional_parameters = options[:additional_parameters] || {}
  self.access_type = options.fetch :access_type, :offline
  update_token! options
  self
end

#update_token!(options = {}) ⇒ Object

Updates an OAuth 2.0 client.

Examples:

client.update!(
  :refresh_token => 'n4E9O119d',
  :access_token => 'FJQbwq9',
  :expires_in => 3600
)

Parameters:

  • options (Hash) (defaults to: {})

    The configuration parameters related to the token.

    • :refresh_token - The refresh token associated with the access token to be refreshed.
    • :access_token - The current access token for this client.
    • :id_token - The current ID token for this client.
    • :expires_in - The time in seconds until access token expiration.
    • :expires_at - The time as an integer number of seconds since the Epoch
    • :issued_at - The timestamp that the token was issued at.

See Also:


236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
# File 'lib/signet/oauth_2/client.rb', line 236

def update_token! options = {}
  # Normalize all keys to symbols to allow indifferent access internally
  options = deep_hash_normalize options

  self.expires_in = options[:expires] if options.key? :expires
  self.expires_in = options[:expires_in] if options.key? :expires_in
  self.expires_at = options[:expires_at] if options.key? :expires_at

  # By default, the token is issued at `Time.now` when `expires_in` is
  # set, but this can be used to supply a more precise time.
  self.issued_at = options[:issued_at] if options.key? :issued_at

  # Special case where we want expires_at to be relative to issued_at
  if options.key?(:issued_at) && options.key?(:expires_in)
    set_relative_expires_at options[:issued_at], options[:expires_in]
  end

  self.access_token = options[:access_token] if options.key? :access_token
  self.refresh_token = options[:refresh_token] if options.key? :refresh_token
  self.id_token = options[:id_token] if options.key? :id_token

  self
end

#usernameString

Returns the username associated with this client. Used only by the resource owner password credential access grant type.

Returns:

  • (String)

    The username.


499
500
501
# File 'lib/signet/oauth_2/client.rb', line 499

def username
  @username
end

#username=(new_username) ⇒ Object

Sets the username associated with this client. Used only by the resource owner password credential access grant type.

Parameters:

  • new_username (String)

    The username.


509
510
511
# File 'lib/signet/oauth_2/client.rb', line 509

def username= new_username
  @username = new_username
end