diff --git a/Gemfile.lock b/Gemfile.lock index 3a5b785..ea4c003 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -15,15 +15,15 @@ GEM minitest (>= 5.1) tzinfo (~> 2.0) zeitwerk (~> 2.3) - addressable (2.5.2) - public_suffix (>= 2.0.2, < 4.0) + addressable (2.8.0) + public_suffix (>= 2.0.2, < 5.0) aes_key_wrap (1.1.0) bindata (2.4.9) concurrent-ruby (1.1.8) - crack (0.4.3) - safe_yaml (~> 1.0.0) - diff-lcs (1.3) - docile (1.3.1) + crack (0.4.5) + rexml + diff-lcs (1.4.4) + docile (1.4.0) faraday (1.4.1) faraday-excon (~> 1.1) faraday-net_http (~> 1.0) @@ -33,11 +33,10 @@ GEM faraday-excon (1.1.0) faraday-net_http (1.0.1) faraday-net_http_persistent (1.1.0) - hashdiff (0.3.7) + hashdiff (1.0.1) hashie (4.1.0) i18n (1.8.10) concurrent-ruby (~> 1.0) - json (2.3.1) json-jwt (1.13.0) activesupport (>= 4.2) aes_key_wrap @@ -60,37 +59,38 @@ GEM omniauth-oauth2 (1.7.1) oauth2 (~> 1.4) omniauth (>= 1.9, < 3) - public_suffix (3.0.3) + public_suffix (4.0.6) rack (2.2.3) rack-protection (2.1.0) rack rake (13.0.1) - rspec (3.8.0) - rspec-core (~> 3.8.0) - rspec-expectations (~> 3.8.0) - rspec-mocks (~> 3.8.0) - rspec-core (3.8.0) - rspec-support (~> 3.8.0) - rspec-expectations (3.8.1) + rexml (3.2.5) + rspec (3.10.0) + rspec-core (~> 3.10.0) + rspec-expectations (~> 3.10.0) + rspec-mocks (~> 3.10.0) + rspec-core (3.10.1) + rspec-support (~> 3.10.0) + rspec-expectations (3.10.1) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.8.0) - rspec-mocks (3.8.0) + rspec-support (~> 3.10.0) + rspec-mocks (3.10.2) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.8.0) - rspec-support (3.8.0) + rspec-support (~> 3.10.0) + rspec-support (3.10.3) ruby2_keywords (0.0.4) - safe_yaml (1.0.4) - simplecov (0.16.1) + simplecov (0.21.2) docile (~> 1.1) - json (>= 1.8, < 3) - simplecov-html (~> 0.10.0) - simplecov-html (0.10.2) + simplecov-html (~> 0.11) + simplecov_json_formatter (~> 0.1) + simplecov-html (0.12.3) + simplecov_json_formatter (0.1.3) tzinfo (2.0.4) concurrent-ruby (~> 1.0) - webmock (3.4.2) - addressable (>= 2.3.6) + webmock (3.14.0) + addressable (>= 2.8.0) crack (>= 0.3.2) - hashdiff + hashdiff (>= 0.4.0, < 2.0.0) zeitwerk (2.4.2) PLATFORMS @@ -100,9 +100,9 @@ DEPENDENCIES bundler (~> 2.2) omniauth-keycloak! rake (~> 13.0) - rspec (~> 3.0) - simplecov (~> 0.16.1) - webmock (~> 3.4.2) + rspec (~> 3.10) + simplecov (~> 0.21) + webmock (~> 3.14) BUNDLED WITH - 2.2.17 + 2.2.31 diff --git a/README.md b/README.md index dc32d90..63cdd93 100755 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do name: 'keycloak' end ``` +This will allow a POST request to `auth/keycloak` since the name is set to keycloak Or using a proc setup with a custom options: @@ -50,7 +51,6 @@ Rails.application.config.middleware.use OmniAuth::Builder do end ``` -This will allow a POST request to `auth/keycloak` ## Devise Usage Adapted from [Devise OmniAuth Instructions](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview) @@ -93,6 +93,17 @@ end ``` +## Configuration + * __Base Url other than /auth__ + This gem tries to get the keycloak configuration from `"#{site}/auth/realms/#{realm}/.well-known/openid-configuration"`. If your keycloak server has been setup to use a different "root" url other than `/auth` then you need to pass in the `base_url` option when setting up the gem: + ```ruby + Rails.application.config.middleware.use OmniAuth::Builder do + provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884', + client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm', base_url: '/authorize'}, + name: 'keycloak' + end + ``` + ## Contributing Bug reports and pull requests are welcome on GitHub at https://github.com/ccrockett/omniauth-keycloak. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct. diff --git a/lib/keycloak/version.rb b/lib/keycloak/version.rb index b0f83c4..158fd59 100755 --- a/lib/keycloak/version.rb +++ b/lib/keycloak/version.rb @@ -1,5 +1,5 @@ module Omniauth module Keycloak - VERSION = "1.3.0" + VERSION = "1.4.0" end end diff --git a/lib/omniauth/strategies/keycloak-openid.rb b/lib/omniauth/strategies/keycloak-openid.rb index 5ea8c8c..01fb8ce 100755 --- a/lib/omniauth/strategies/keycloak-openid.rb +++ b/lib/omniauth/strategies/keycloak-openid.rb @@ -26,7 +26,7 @@ module OmniAuth raise_on_failure = options.client_options.fetch(:raise_on_failure, false) - config_url = URI.join(site, "/auth/realms/#{realm}/.well-known/openid-configuration") + config_url = URI.join(site, "#{auth_url_base}/realms/#{realm}/.well-known/openid-configuration") log :debug, "Going to get Keycloak configuration. URL: #{config_url}" response = Faraday.get config_url @@ -64,6 +64,14 @@ module OmniAuth end end + def auth_url_base + return '/auth' unless options.client_options[:base_url] + base_url = options.client_options[:base_url] + return base_url if (base_url == '' || base_url[0] == '/') + + raise ConfigurationError, "Keycloak base_url option should start with '/'. Current value: #{base_url}" + end + def prevent_site_option_mistake site = options.client_options[:site] return unless site =~ /\/auth$/ @@ -83,14 +91,14 @@ module OmniAuth def build_access_token verifier = request.params["code"] - client.auth_code.get_token(verifier, + client.auth_code.get_token(verifier, {:redirect_uri => callback_url.gsub(/\?.+\Z/, "")} - .merge(token_params.to_hash(:symbolize_keys => true)), + .merge(token_params.to_hash(:symbolize_keys => true)), deep_symbolize(options.auth_token_params)) end uid{ raw_info['sub'] } - + info do { :name => raw_info['name'], @@ -99,13 +107,13 @@ module OmniAuth :last_name => raw_info['family_name'] } end - + extra do { 'raw_info' => raw_info } end - + def raw_info id_token_string = access_token.token jwks = JSON::JWK::Set.new(@certs) diff --git a/omniauth-keycloak.gemspec b/omniauth-keycloak.gemspec index 7b3be6b..249fdff 100644 --- a/omniauth-keycloak.gemspec +++ b/omniauth-keycloak.gemspec @@ -4,13 +4,13 @@ Gem::Specification.new do |spec| spec.version = Omniauth::Keycloak::VERSION spec.authors = ["Cameron Crockett"] spec.email = ["cameron.crockett@ccrockett.com"] - + spec.description = %q{Omniauth strategy for Keycloak} spec.summary = spec.description spec.homepage = "https://github.com/ccrockett/omniauth-keycloak" spec.license = "MIT" - spec.required_rubygems_version = '>= 1.3.5' - spec.required_ruby_version = '>= 2.2' + spec.required_rubygems_version = '>= 3.1.2' + spec.required_ruby_version = '>= 2.6' # Specify which files should be added to the gem when it is released. # The `git ls-files -z` loads the files in the RubyGem that have been added into git. @@ -22,14 +22,14 @@ Gem::Specification.new do |spec| spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) } spec.require_paths = ["lib"] - + spec.add_dependency "omniauth", "~> 2.0.4" spec.add_dependency "omniauth-oauth2", "~> 1.7.1" spec.add_dependency "json-jwt", "~> 1.13.0" spec.add_development_dependency "bundler", "~> 2.2" spec.add_development_dependency "rake", "~> 13.0" - spec.add_development_dependency "rspec", "~> 3.0" - spec.add_development_dependency 'simplecov', '~> 0.16.1' - spec.add_development_dependency 'webmock', '~> 3.4.2' + spec.add_development_dependency "rspec", "~> 3.10" + spec.add_development_dependency 'simplecov', '~> 0.21' + spec.add_development_dependency 'webmock', '~> 3.14' end diff --git a/spec/omniauth/strategies/keycloak_spec.rb b/spec/omniauth/strategies/keycloak_spec.rb index 763b4ea..2cc8de6 100755 --- a/spec/omniauth/strategies/keycloak_spec.rb +++ b/spec/omniauth/strategies/keycloak_spec.rb @@ -1,35 +1,39 @@ require 'spec_helper' RSpec.describe OmniAuth::Strategies::KeycloakOpenId do - body = '{"issuer": "http://localhost:8080/auth/realms/example-realm", - "authorization_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/auth", - "token_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token", - "token_introspection_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token/introspect", - "userinfo_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/userinfo", - "end_session_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/logout", - "jwks_uri": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs", - "check_session_iframe": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/login-status-iframe.html", - "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"], - "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"], - "subject_types_supported": ["public", "pairwise"], - "id_token_signing_alg_values_supported": ["RS256"], - "userinfo_signing_alg_values_supported": ["RS256"], - "request_object_signing_alg_values_supported": ["none", "RS256"], - "response_modes_supported": ["query", "fragment", "form_post"], - "registration_endpoint": "http://localhost:8080/auth/realms/example-realm/clients-registrations/openid-connect", - "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"], - "token_endpoint_auth_signing_alg_values_supported": ["RS256"], - "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"], - "claim_types_supported": ["normal"], - "claims_parameter_supported": false, - "scopes_supported": ["openid", "offline_access"], - "request_parameter_supported": true, - "request_uri_parameter_supported": true}' + let(:body) { + { + "issuer": "http://localhost:8080/auth/realms/example-realm", + "authorization_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/auth", + "token_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token", + "token_introspection_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token/introspect", + "userinfo_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/userinfo", + "end_session_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/logout", + "jwks_uri": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs", + "check_session_iframe": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/login-status-iframe.html", + "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"], + "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"], + "subject_types_supported": ["public", "pairwise"], + "id_token_signing_alg_values_supported": ["RS256"], + "userinfo_signing_alg_values_supported": ["RS256"], + "request_object_signing_alg_values_supported": ["none", "RS256"], + "response_modes_supported": ["query", "fragment", "form_post"], + "registration_endpoint": "http://localhost:8080/auth/realms/example-realm/clients-registrations/openid-connect", + "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"], + "token_endpoint_auth_signing_alg_values_supported": ["RS256"], + "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"], + "claim_types_supported": ["normal"], + "claims_parameter_supported": false, + "scopes_supported": ["openid", "offline_access"], + "request_parameter_supported": true, + "request_uri_parameter_supported": true + } + } context 'client options' do subject do stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration") - .to_return(status: 200, body: body, headers: {}) + .to_return(status: 200, body: JSON.generate(body), headers: {}) stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs") .to_return(status: 404, body: "", headers: {}) OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec', @@ -47,6 +51,83 @@ RSpec.describe OmniAuth::Strategies::KeycloakOpenId do end end + describe 'client base_url option set' do + context 'to blank string' do + let(:new_body_endpoints) { + { + "authorization_endpoint": "http://localhost:8080/realms/example-realm/protocol/openid-connect/auth", + "token_endpoint": "http://localhost:8080/realms/example-realm/protocol/openid-connect/token", + "jwks_uri": "http://localhost:8080/realms/example-realm/protocol/openid-connect/certs" + } + } + + subject do + stub_request(:get, "http://localhost:8080/realms/example-realm/.well-known/openid-configuration") + .to_return(status: 200, body: JSON.generate(body.merge(new_body_endpoints)), headers: {}) + stub_request(:get, "http://localhost:8080/realms/example-realm/protocol/openid-connect/certs") + .to_return(status: 404, body: "", headers: {}) + OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec', + client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: ''}) + end + + it 'should have the correct keycloak token url' do + subject.setup_phase + expect(subject.token_url).to eq('/realms/example-realm/protocol/openid-connect/token') + end + + it 'should have the correct keycloak authorization url' do + subject.setup_phase + expect(subject.authorize_url).to eq('/realms/example-realm/protocol/openid-connect/auth') + end + end + + context 'to invalid string' do + subject do + stub_request(:get, "http://localhost:8080/realms/example-realm/.well-known/openid-configuration") + .to_return(status: 200, body: JSON.generate(body), headers: {}) + stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs") + .to_return(status: 404, body: "", headers: {}) + OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec', + client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: 'test'}) + end + + it 'raises Configuration Error' do + expect{ subject.setup_phase } + .to raise_error(OmniAuth::Strategies::KeycloakOpenId::ConfigurationError) + end + end + + context 'to /authorize' do + + let(:new_body_endpoints) { + { + "authorization_endpoint": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/auth", + "token_endpoint": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/token", + "jwks_uri": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/certs" + } + } + + subject do + stub_request(:get, "http://localhost:8080/authorize/realms/example-realm/.well-known/openid-configuration") + .to_return(status: 200, body: JSON.generate(body.merge(new_body_endpoints)), headers: {}) + stub_request(:get, "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/certs") + .to_return(status: 404, body: "", headers: {}) + OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec', + client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: '/authorize'}) + end + + it 'should have the correct keycloak token url' do + subject.setup_phase + expect(subject.token_url).to eq('/authorize/realms/example-realm/protocol/openid-connect/token') + end + + it 'should have the correct keycloak authorization url' do + subject.setup_phase + expect(subject.authorize_url).to eq('/authorize/realms/example-realm/protocol/openid-connect/auth') + end + end + end + context 'client setup with a proc' do subject do OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', setup: proc { throw :setup_proc_was_called }) @@ -88,7 +169,7 @@ RSpec.describe OmniAuth::Strategies::KeycloakOpenId do context 'when certificates endpoint returns error response' do subject do stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration") - .to_return(status: 200, body: body, headers: {}) + .to_return(status: 200, body: JSON.generate(body), headers: {}) stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs") .to_return(status: 404, body: "", headers: {}) OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',