Skip to content

Instantly share code, notes, and snippets.

@nov
Last active February 21, 2018 08:11
Show Gist options
  • Save nov/98d26044e2f7c5b7d8fdba2b9bd101b4 to your computer and use it in GitHub Desktop.
Save nov/98d26044e2f7c5b7d8fdba2b9bd101b4 to your computer and use it in GitHub Desktop.
Rack::OAuth2 (& OpenIDConnect) gem's iGov profile support concept code
# NOTE:
# * rack-oauth gem v1.8.2+ is required. (openid_connect gem is largelly developed on top of the rack-oauth2 gem)
# * this feature isn't tested well yet.
# * you can replace `OpenIDConnect` with `Rack::OAuth2` if you don't need ID Token & UserInfo API support.
require 'openid_connect'
OpenIDConnect.debug!
pem = <<-PEM
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyQCptrHnabLCNo45b/0PLqXlCb6JyEq1Ggc042s8zWiSITNt
:
+uQXtYh42jIQObLQ40EJUO3u2IzRlmcCfbUDNpeieXZuv+7jAxQgaA==
-----END RSA PRIVATE KEY-----
PEM
client = OpenIDConnect::Client.new(
identifier: 'client_id',
private_key: OpenSSL::PKey::RSA.new(pem),
host: 'idp.int.login.gov',
authorization_endpoint: '/openid_connect/authorize',
token_endpoint: '/api/openid_connect/token',
userinfo_endpoint: '/api/openid_connect/userinfo',
redirect_uri: 'https://client.example.com/callback'
)
code_verifier = SecureRandom.hex(16)
nonce = SecureRandom.hex(16)
state = SecureRandom.hex(16)
authorization_uri = client.authorization_uri(
scope: [:email, :profile],
nonce: nonce,
state: state,
code_challenge: UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(code_verifier)),
code_challenge_method: :S256
)
puts authorization_uri
`open "#{authorization_uri}"`
print 'code: ' and STDOUT.flush
code = gets.chop
client.authorization_code = code
token = client.access_token!(
:jwt_bearer, # NOTE: this triggers auto JWT asserion generation for client authn using `Client#secret` or `Client#private_key` with auto signature algorithm detection (ES256, RSA256 or HS256).
code_verifier: code_verifier
)
token.userinfo!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment