added base_url option, updated dev dependencies
parent
09b68aab71
commit
c54046348a
64
Gemfile.lock
64
Gemfile.lock
|
@ -15,15 +15,15 @@ GEM
|
|||
minitest (>= 5.1)
|
||||
tzinfo (~> 2.0)
|
||||
zeitwerk (~> 2.3)
|
||||
addressable (2.5.2)
|
||||
public_suffix (>= 2.0.2, < 4.0)
|
||||
addressable (2.8.0)
|
||||
public_suffix (>= 2.0.2, < 5.0)
|
||||
aes_key_wrap (1.1.0)
|
||||
bindata (2.4.9)
|
||||
concurrent-ruby (1.1.8)
|
||||
crack (0.4.3)
|
||||
safe_yaml (~> 1.0.0)
|
||||
diff-lcs (1.3)
|
||||
docile (1.3.1)
|
||||
crack (0.4.5)
|
||||
rexml
|
||||
diff-lcs (1.4.4)
|
||||
docile (1.4.0)
|
||||
faraday (1.4.1)
|
||||
faraday-excon (~> 1.1)
|
||||
faraday-net_http (~> 1.0)
|
||||
|
@ -33,11 +33,10 @@ GEM
|
|||
faraday-excon (1.1.0)
|
||||
faraday-net_http (1.0.1)
|
||||
faraday-net_http_persistent (1.1.0)
|
||||
hashdiff (0.3.7)
|
||||
hashdiff (1.0.1)
|
||||
hashie (4.1.0)
|
||||
i18n (1.8.10)
|
||||
concurrent-ruby (~> 1.0)
|
||||
json (2.3.1)
|
||||
json-jwt (1.13.0)
|
||||
activesupport (>= 4.2)
|
||||
aes_key_wrap
|
||||
|
@ -60,37 +59,38 @@ GEM
|
|||
omniauth-oauth2 (1.7.1)
|
||||
oauth2 (~> 1.4)
|
||||
omniauth (>= 1.9, < 3)
|
||||
public_suffix (3.0.3)
|
||||
public_suffix (4.0.6)
|
||||
rack (2.2.3)
|
||||
rack-protection (2.1.0)
|
||||
rack
|
||||
rake (13.0.1)
|
||||
rspec (3.8.0)
|
||||
rspec-core (~> 3.8.0)
|
||||
rspec-expectations (~> 3.8.0)
|
||||
rspec-mocks (~> 3.8.0)
|
||||
rspec-core (3.8.0)
|
||||
rspec-support (~> 3.8.0)
|
||||
rspec-expectations (3.8.1)
|
||||
rexml (3.2.5)
|
||||
rspec (3.10.0)
|
||||
rspec-core (~> 3.10.0)
|
||||
rspec-expectations (~> 3.10.0)
|
||||
rspec-mocks (~> 3.10.0)
|
||||
rspec-core (3.10.1)
|
||||
rspec-support (~> 3.10.0)
|
||||
rspec-expectations (3.10.1)
|
||||
diff-lcs (>= 1.2.0, < 2.0)
|
||||
rspec-support (~> 3.8.0)
|
||||
rspec-mocks (3.8.0)
|
||||
rspec-support (~> 3.10.0)
|
||||
rspec-mocks (3.10.2)
|
||||
diff-lcs (>= 1.2.0, < 2.0)
|
||||
rspec-support (~> 3.8.0)
|
||||
rspec-support (3.8.0)
|
||||
rspec-support (~> 3.10.0)
|
||||
rspec-support (3.10.3)
|
||||
ruby2_keywords (0.0.4)
|
||||
safe_yaml (1.0.4)
|
||||
simplecov (0.16.1)
|
||||
simplecov (0.21.2)
|
||||
docile (~> 1.1)
|
||||
json (>= 1.8, < 3)
|
||||
simplecov-html (~> 0.10.0)
|
||||
simplecov-html (0.10.2)
|
||||
simplecov-html (~> 0.11)
|
||||
simplecov_json_formatter (~> 0.1)
|
||||
simplecov-html (0.12.3)
|
||||
simplecov_json_formatter (0.1.3)
|
||||
tzinfo (2.0.4)
|
||||
concurrent-ruby (~> 1.0)
|
||||
webmock (3.4.2)
|
||||
addressable (>= 2.3.6)
|
||||
webmock (3.14.0)
|
||||
addressable (>= 2.8.0)
|
||||
crack (>= 0.3.2)
|
||||
hashdiff
|
||||
hashdiff (>= 0.4.0, < 2.0.0)
|
||||
zeitwerk (2.4.2)
|
||||
|
||||
PLATFORMS
|
||||
|
@ -100,9 +100,9 @@ DEPENDENCIES
|
|||
bundler (~> 2.2)
|
||||
omniauth-keycloak!
|
||||
rake (~> 13.0)
|
||||
rspec (~> 3.0)
|
||||
simplecov (~> 0.16.1)
|
||||
webmock (~> 3.4.2)
|
||||
rspec (~> 3.10)
|
||||
simplecov (~> 0.21)
|
||||
webmock (~> 3.14)
|
||||
|
||||
BUNDLED WITH
|
||||
2.2.17
|
||||
2.2.31
|
||||
|
|
13
README.md
13
README.md
|
@ -29,6 +29,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do
|
|||
name: 'keycloak'
|
||||
end
|
||||
```
|
||||
This will allow a POST request to `auth/keycloak` since the name is set to keycloak
|
||||
|
||||
Or using a proc setup with a custom options:
|
||||
|
||||
|
@ -50,7 +51,6 @@ Rails.application.config.middleware.use OmniAuth::Builder do
|
|||
end
|
||||
```
|
||||
|
||||
This will allow a POST request to `auth/keycloak`
|
||||
|
||||
## Devise Usage
|
||||
Adapted from [Devise OmniAuth Instructions](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview)
|
||||
|
@ -93,6 +93,17 @@ end
|
|||
|
||||
```
|
||||
|
||||
## Configuration
|
||||
* __Base Url other than /auth__
|
||||
This gem tries to get the keycloak configuration from `"#{site}/auth/realms/#{realm}/.well-known/openid-configuration"`. If your keycloak server has been setup to use a different "root" url other than `/auth` then you need to pass in the `base_url` option when setting up the gem:
|
||||
```ruby
|
||||
Rails.application.config.middleware.use OmniAuth::Builder do
|
||||
provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884',
|
||||
client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm', base_url: '/authorize'},
|
||||
name: 'keycloak'
|
||||
end
|
||||
```
|
||||
|
||||
## Contributing
|
||||
|
||||
Bug reports and pull requests are welcome on GitHub at https://github.com/ccrockett/omniauth-keycloak. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
module Omniauth
|
||||
module Keycloak
|
||||
VERSION = "1.3.0"
|
||||
VERSION = "1.4.0"
|
||||
end
|
||||
end
|
||||
|
|
|
@ -26,7 +26,7 @@ module OmniAuth
|
|||
|
||||
raise_on_failure = options.client_options.fetch(:raise_on_failure, false)
|
||||
|
||||
config_url = URI.join(site, "/auth/realms/#{realm}/.well-known/openid-configuration")
|
||||
config_url = URI.join(site, "#{auth_url_base}/realms/#{realm}/.well-known/openid-configuration")
|
||||
|
||||
log :debug, "Going to get Keycloak configuration. URL: #{config_url}"
|
||||
response = Faraday.get config_url
|
||||
|
@ -64,6 +64,14 @@ module OmniAuth
|
|||
end
|
||||
end
|
||||
|
||||
def auth_url_base
|
||||
return '/auth' unless options.client_options[:base_url]
|
||||
base_url = options.client_options[:base_url]
|
||||
return base_url if (base_url == '' || base_url[0] == '/')
|
||||
|
||||
raise ConfigurationError, "Keycloak base_url option should start with '/'. Current value: #{base_url}"
|
||||
end
|
||||
|
||||
def prevent_site_option_mistake
|
||||
site = options.client_options[:site]
|
||||
return unless site =~ /\/auth$/
|
||||
|
@ -83,14 +91,14 @@ module OmniAuth
|
|||
|
||||
def build_access_token
|
||||
verifier = request.params["code"]
|
||||
client.auth_code.get_token(verifier,
|
||||
client.auth_code.get_token(verifier,
|
||||
{:redirect_uri => callback_url.gsub(/\?.+\Z/, "")}
|
||||
.merge(token_params.to_hash(:symbolize_keys => true)),
|
||||
.merge(token_params.to_hash(:symbolize_keys => true)),
|
||||
deep_symbolize(options.auth_token_params))
|
||||
end
|
||||
|
||||
uid{ raw_info['sub'] }
|
||||
|
||||
|
||||
info do
|
||||
{
|
||||
:name => raw_info['name'],
|
||||
|
@ -99,13 +107,13 @@ module OmniAuth
|
|||
:last_name => raw_info['family_name']
|
||||
}
|
||||
end
|
||||
|
||||
|
||||
extra do
|
||||
{
|
||||
'raw_info' => raw_info
|
||||
}
|
||||
end
|
||||
|
||||
|
||||
def raw_info
|
||||
id_token_string = access_token.token
|
||||
jwks = JSON::JWK::Set.new(@certs)
|
||||
|
|
|
@ -4,13 +4,13 @@ Gem::Specification.new do |spec|
|
|||
spec.version = Omniauth::Keycloak::VERSION
|
||||
spec.authors = ["Cameron Crockett"]
|
||||
spec.email = ["cameron.crockett@ccrockett.com"]
|
||||
|
||||
|
||||
spec.description = %q{Omniauth strategy for Keycloak}
|
||||
spec.summary = spec.description
|
||||
spec.homepage = "https://github.com/ccrockett/omniauth-keycloak"
|
||||
spec.license = "MIT"
|
||||
spec.required_rubygems_version = '>= 1.3.5'
|
||||
spec.required_ruby_version = '>= 2.2'
|
||||
spec.required_rubygems_version = '>= 3.1.2'
|
||||
spec.required_ruby_version = '>= 2.6'
|
||||
|
||||
# Specify which files should be added to the gem when it is released.
|
||||
# The `git ls-files -z` loads the files in the RubyGem that have been added into git.
|
||||
|
@ -22,14 +22,14 @@ Gem::Specification.new do |spec|
|
|||
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
||||
spec.require_paths = ["lib"]
|
||||
|
||||
|
||||
|
||||
spec.add_dependency "omniauth", "~> 2.0.4"
|
||||
spec.add_dependency "omniauth-oauth2", "~> 1.7.1"
|
||||
spec.add_dependency "json-jwt", "~> 1.13.0"
|
||||
|
||||
spec.add_development_dependency "bundler", "~> 2.2"
|
||||
spec.add_development_dependency "rake", "~> 13.0"
|
||||
spec.add_development_dependency "rspec", "~> 3.0"
|
||||
spec.add_development_dependency 'simplecov', '~> 0.16.1'
|
||||
spec.add_development_dependency 'webmock', '~> 3.4.2'
|
||||
spec.add_development_dependency "rspec", "~> 3.10"
|
||||
spec.add_development_dependency 'simplecov', '~> 0.21'
|
||||
spec.add_development_dependency 'webmock', '~> 3.14'
|
||||
end
|
||||
|
|
|
@ -1,35 +1,39 @@
|
|||
require 'spec_helper'
|
||||
|
||||
RSpec.describe OmniAuth::Strategies::KeycloakOpenId do
|
||||
body = '{"issuer": "http://localhost:8080/auth/realms/example-realm",
|
||||
"authorization_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/auth",
|
||||
"token_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token",
|
||||
"token_introspection_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token/introspect",
|
||||
"userinfo_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/userinfo",
|
||||
"end_session_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/logout",
|
||||
"jwks_uri": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs",
|
||||
"check_session_iframe": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/login-status-iframe.html",
|
||||
"grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
|
||||
"response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
|
||||
"subject_types_supported": ["public", "pairwise"],
|
||||
"id_token_signing_alg_values_supported": ["RS256"],
|
||||
"userinfo_signing_alg_values_supported": ["RS256"],
|
||||
"request_object_signing_alg_values_supported": ["none", "RS256"],
|
||||
"response_modes_supported": ["query", "fragment", "form_post"],
|
||||
"registration_endpoint": "http://localhost:8080/auth/realms/example-realm/clients-registrations/openid-connect",
|
||||
"token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
|
||||
"token_endpoint_auth_signing_alg_values_supported": ["RS256"],
|
||||
"claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
|
||||
"claim_types_supported": ["normal"],
|
||||
"claims_parameter_supported": false,
|
||||
"scopes_supported": ["openid", "offline_access"],
|
||||
"request_parameter_supported": true,
|
||||
"request_uri_parameter_supported": true}'
|
||||
let(:body) {
|
||||
{
|
||||
"issuer": "http://localhost:8080/auth/realms/example-realm",
|
||||
"authorization_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/auth",
|
||||
"token_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token",
|
||||
"token_introspection_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token/introspect",
|
||||
"userinfo_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/userinfo",
|
||||
"end_session_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/logout",
|
||||
"jwks_uri": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs",
|
||||
"check_session_iframe": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/login-status-iframe.html",
|
||||
"grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
|
||||
"response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
|
||||
"subject_types_supported": ["public", "pairwise"],
|
||||
"id_token_signing_alg_values_supported": ["RS256"],
|
||||
"userinfo_signing_alg_values_supported": ["RS256"],
|
||||
"request_object_signing_alg_values_supported": ["none", "RS256"],
|
||||
"response_modes_supported": ["query", "fragment", "form_post"],
|
||||
"registration_endpoint": "http://localhost:8080/auth/realms/example-realm/clients-registrations/openid-connect",
|
||||
"token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
|
||||
"token_endpoint_auth_signing_alg_values_supported": ["RS256"],
|
||||
"claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
|
||||
"claim_types_supported": ["normal"],
|
||||
"claims_parameter_supported": false,
|
||||
"scopes_supported": ["openid", "offline_access"],
|
||||
"request_parameter_supported": true,
|
||||
"request_uri_parameter_supported": true
|
||||
}
|
||||
}
|
||||
|
||||
context 'client options' do
|
||||
subject do
|
||||
stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
|
||||
.to_return(status: 200, body: body, headers: {})
|
||||
.to_return(status: 200, body: JSON.generate(body), headers: {})
|
||||
stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
|
||||
.to_return(status: 404, body: "", headers: {})
|
||||
OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
|
||||
|
@ -47,6 +51,83 @@ RSpec.describe OmniAuth::Strategies::KeycloakOpenId do
|
|||
end
|
||||
end
|
||||
|
||||
describe 'client base_url option set' do
|
||||
context 'to blank string' do
|
||||
let(:new_body_endpoints) {
|
||||
{
|
||||
"authorization_endpoint": "http://localhost:8080/realms/example-realm/protocol/openid-connect/auth",
|
||||
"token_endpoint": "http://localhost:8080/realms/example-realm/protocol/openid-connect/token",
|
||||
"jwks_uri": "http://localhost:8080/realms/example-realm/protocol/openid-connect/certs"
|
||||
}
|
||||
}
|
||||
|
||||
subject do
|
||||
stub_request(:get, "http://localhost:8080/realms/example-realm/.well-known/openid-configuration")
|
||||
.to_return(status: 200, body: JSON.generate(body.merge(new_body_endpoints)), headers: {})
|
||||
stub_request(:get, "http://localhost:8080/realms/example-realm/protocol/openid-connect/certs")
|
||||
.to_return(status: 404, body: "", headers: {})
|
||||
OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
|
||||
client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: ''})
|
||||
end
|
||||
|
||||
it 'should have the correct keycloak token url' do
|
||||
subject.setup_phase
|
||||
expect(subject.token_url).to eq('/realms/example-realm/protocol/openid-connect/token')
|
||||
end
|
||||
|
||||
it 'should have the correct keycloak authorization url' do
|
||||
subject.setup_phase
|
||||
expect(subject.authorize_url).to eq('/realms/example-realm/protocol/openid-connect/auth')
|
||||
end
|
||||
end
|
||||
|
||||
context 'to invalid string' do
|
||||
subject do
|
||||
stub_request(:get, "http://localhost:8080/realms/example-realm/.well-known/openid-configuration")
|
||||
.to_return(status: 200, body: JSON.generate(body), headers: {})
|
||||
stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
|
||||
.to_return(status: 404, body: "", headers: {})
|
||||
OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
|
||||
client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: 'test'})
|
||||
end
|
||||
|
||||
it 'raises Configuration Error' do
|
||||
expect{ subject.setup_phase }
|
||||
.to raise_error(OmniAuth::Strategies::KeycloakOpenId::ConfigurationError)
|
||||
end
|
||||
end
|
||||
|
||||
context 'to /authorize' do
|
||||
|
||||
let(:new_body_endpoints) {
|
||||
{
|
||||
"authorization_endpoint": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/auth",
|
||||
"token_endpoint": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/token",
|
||||
"jwks_uri": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/certs"
|
||||
}
|
||||
}
|
||||
|
||||
subject do
|
||||
stub_request(:get, "http://localhost:8080/authorize/realms/example-realm/.well-known/openid-configuration")
|
||||
.to_return(status: 200, body: JSON.generate(body.merge(new_body_endpoints)), headers: {})
|
||||
stub_request(:get, "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/certs")
|
||||
.to_return(status: 404, body: "", headers: {})
|
||||
OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
|
||||
client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: '/authorize'})
|
||||
end
|
||||
|
||||
it 'should have the correct keycloak token url' do
|
||||
subject.setup_phase
|
||||
expect(subject.token_url).to eq('/authorize/realms/example-realm/protocol/openid-connect/token')
|
||||
end
|
||||
|
||||
it 'should have the correct keycloak authorization url' do
|
||||
subject.setup_phase
|
||||
expect(subject.authorize_url).to eq('/authorize/realms/example-realm/protocol/openid-connect/auth')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'client setup with a proc' do
|
||||
subject do
|
||||
OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', setup: proc { throw :setup_proc_was_called })
|
||||
|
@ -88,7 +169,7 @@ RSpec.describe OmniAuth::Strategies::KeycloakOpenId do
|
|||
context 'when certificates endpoint returns error response' do
|
||||
subject do
|
||||
stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
|
||||
.to_return(status: 200, body: body, headers: {})
|
||||
.to_return(status: 200, body: JSON.generate(body), headers: {})
|
||||
stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
|
||||
.to_return(status: 404, body: "", headers: {})
|
||||
OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
|
||||
|
|
Loading…
Reference in New Issue