Commit 699ecad7 authored by Tiago Botelho's avatar Tiago Botelho

Ports omniauth-jwt gem onto GitLab OmniAuth Strategies suite

parent e6f6f8e7
...@@ -51,7 +51,6 @@ gem 'omniauth-shibboleth', '~> 1.2.0' ...@@ -51,7 +51,6 @@ gem 'omniauth-shibboleth', '~> 1.2.0'
gem 'omniauth-twitter', '~> 1.4' gem 'omniauth-twitter', '~> 1.4'
gem 'omniauth_crowd', '~> 2.2.0' gem 'omniauth_crowd', '~> 2.2.0'
gem 'omniauth-authentiq', '~> 0.3.1' gem 'omniauth-authentiq', '~> 0.3.1'
gem 'omniauth-jwt', '~> 0.0.2'
gem 'rack-oauth2', '~> 1.2.1' gem 'rack-oauth2', '~> 1.2.1'
gem 'jwt', '~> 1.5.6' gem 'jwt', '~> 1.5.6'
......
...@@ -555,9 +555,6 @@ GEM ...@@ -555,9 +555,6 @@ GEM
jwt (>= 1.5) jwt (>= 1.5)
omniauth (>= 1.1.1) omniauth (>= 1.1.1)
omniauth-oauth2 (>= 1.5) omniauth-oauth2 (>= 1.5)
omniauth-jwt (0.0.2)
jwt
omniauth (~> 1.1)
omniauth-kerberos (0.3.0) omniauth-kerberos (0.3.0)
omniauth-multipassword omniauth-multipassword
timfel-krb5-auth (~> 0.8) timfel-krb5-auth (~> 0.8)
...@@ -1119,7 +1116,6 @@ DEPENDENCIES ...@@ -1119,7 +1116,6 @@ DEPENDENCIES
omniauth-github (~> 1.1.1) omniauth-github (~> 1.1.1)
omniauth-gitlab (~> 1.0.2) omniauth-gitlab (~> 1.0.2)
omniauth-google-oauth2 (~> 0.5.3) omniauth-google-oauth2 (~> 0.5.3)
omniauth-jwt (~> 0.0.2)
omniauth-kerberos (~> 0.3.0) omniauth-kerberos (~> 0.3.0)
omniauth-oauth2-generic (~> 0.2.2) omniauth-oauth2-generic (~> 0.2.2)
omniauth-saml (~> 1.10) omniauth-saml (~> 1.10)
......
---
title: Ports omniauth-jwt gem onto GitLab OmniAuth Strategies suite
merge_request: 18580
author:
type: fixed
...@@ -532,7 +532,7 @@ production: &base ...@@ -532,7 +532,7 @@ production: &base
# required_claims: ["name", "email"], # required_claims: ["name", "email"],
# info_map: { name: "name", email: "email" }, # info_map: { name: "name", email: "email" },
# auth_url: 'https://example.com/', # auth_url: 'https://example.com/',
# valid_within: nil, # valid_within: null,
# } # }
# } # }
# - { name: 'saml', # - { name: 'saml',
...@@ -823,7 +823,7 @@ test: ...@@ -823,7 +823,7 @@ test:
required_claims: ["name", "email"], required_claims: ["name", "email"],
info_map: { name: "name", email: "email" }, info_map: { name: "name", email: "email" },
auth_url: 'https://example.com/', auth_url: 'https://example.com/',
valid_within: nil, valid_within: null,
} }
} }
- { name: 'auth0', - { name: 'auth0',
......
...@@ -25,5 +25,6 @@ end ...@@ -25,5 +25,6 @@ end
module OmniAuth module OmniAuth
module Strategies module Strategies
autoload :Bitbucket, Rails.root.join('lib', 'omni_auth', 'strategies', 'bitbucket') autoload :Bitbucket, Rails.root.join('lib', 'omni_auth', 'strategies', 'bitbucket')
autoload :Jwt, Rails.root.join('lib', 'omni_auth', 'strategies', 'jwt')
end end
end end
...@@ -50,7 +50,7 @@ JWT will provide you with a secret key for you to use. ...@@ -50,7 +50,7 @@ JWT will provide you with a secret key for you to use.
required_claims: ["name", "email"], required_claims: ["name", "email"],
info_map: { name: "name", email: "email" }, info_map: { name: "name", email: "email" },
auth_url: 'https://example.com/', auth_url: 'https://example.com/',
valid_within: nil, valid_within: null,
} }
} }
``` ```
......
require 'omniauth'
require 'jwt'
module OmniAuth
module Strategies
class JWT
ClaimInvalid = Class.new(StandardError)
include OmniAuth::Strategy
args [:secret]
option :secret, nil
option :algorithm, 'HS256'
option :uid_claim, 'email'
option :required_claims, %w(name email)
option :info_map, { name: "name", email: "email" }
option :auth_url, nil
option :valid_within, nil
uid { decoded[options.uid_claim] }
extra do
{ raw_info: decoded }
end
info do
options.info_map.each_with_object({}) do |(k, v), h|
h[k.to_s] = decoded[v.to_s]
end
end
def request_phase
redirect options.auth_url
end
def decoded
@decoded ||= ::JWT.decode(request.params['jwt'], options.secret, options.algorithm).first
(options.required_claims || []).each do |field|
raise ClaimInvalid, "Missing required '#{field}' claim" unless @decoded.key?(field.to_s)
end
raise ClaimInvalid, "Missing required 'iat' claim" if options.valid_within && !@decoded["iat"]
if options.valid_within && (Time.now.to_i - @decoded["iat"]).abs > options.valid_within
raise ClaimInvalid, "'iat' timestamp claim is too skewed from present"
end
@decoded
end
def callback_phase
super
rescue ClaimInvalid => e
fail! :claim_invalid, e
end
end
class Jwt < JWT; end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment