I want to read data from an API which requires authorization with openid-connect. My client should be written in ruby, so I can use it in a task to import data into my rails app.
I am given a configuration under theapi/.well-known/openid-configuration along with a client_id and a client_secret.
Having never worked with openid before I did some research an found the following gems that might help to obtain an auth token:
https://github.com/nov/openid_connect
https://github.com/m0n9oose/omniauth_openid_connect
Both gems lack of any documentation or examples to get started, in fact I am not even sure if they are useful for my case.
Also there is a similar SO-post, but it's five years old with zero answers:
Ruby Openid connect library with client consumption example
Could anybody help me out with a simple example on how to authorize against openid_connect in ruby, possibly using one of the mentioned gems?
I had the same issue and found a nice tutorial to solve this challenge FusionAuth
You require these 2 gems in your gemfile:
gem 'jwt' and
gem 'oauth2'
You will also be able to initialize the OAuth Client while replacing actual values of your Identity Server:
#oauth_client = OAuth2::Client.new(Rails.configuration.x.oauth.client_id,
Rails.configuration.x.oauth.client_secret,
authorize_url: '/oauth2/authorize',
site: Rails.configuration.x.oauth.idp_url,
token_url: '/oauth2/token',
redirect_uri: Rails.configuration.x.oauth.redirect_uri)
With the OAuthClient initalised you can be able to perform your desired OAuth Flow.
For Authorization with password_credentials you can use:
response = #oauth_client.client_credentials.get_token
token = response.token
You can find more Authorization Type References here: OAuth2 Docs
These two resources should enable you to complete your integration with any IdentityServer. Hope these resources stay updated.
Related
In the link below is explained how to generate JWT token with header and payload to access the Apple API
However I don't see how to combine header and payload.
Can someone make an example in ruby
https://developer.apple.com/documentation/appstoreserverapi/generating_tokens_for_api_requests
Just use the jwt gem. It's a well-maintained library with regular updates. It's probably possible to do it without a gem too, but anything having to do with security should be air-tight in production, so I would just go with the gem.
Look for the correct encryption algorithm (Apple seems to be using ES256) and find it in the documentation to see an example of how to create a token with that.
The format for creating a basic JWT token with the gem (custom header fields are optional) is this:
JWT.encode your_payload, your_private_key, encryption_algorithm, custom_header_fields
I am trying to connect React app and Rails app using Auth0. It used to be super simple since tokens were signed with HS256. But since auth.js v8 jwt tokens signed with RS256. I don't have problems with frontend but can't make RoR (I use Knock) work with new signing algorithm. I've added
config.token_signature_algorithm = 'RS256'
and
config.token_public_key = key.public_key
into Knock initializer but still no luck.
Key seems to be correct, at least it works in jwt.io or pure ruby-jwt (at least I was able to read information from token).
I am no expert working with asymmetric algorithms so any help would be appreciated. What I am trying to do right now is to get "access_token" from frontend and to send it in "authorization" header to the backend. I know I need to add "Bearer" into header but is there is any other operation I need to do with token first?
Best, Iurii
Just in case anyone interested here is short discussion on GitHub here is a link
I found a related question with no satisfactory answer, so asking here again:
I'm using Doorkeeper GEM for API calls for my application. I have followed the steps given in oauth2 gem docs:
require 'oauth2'
client = OAuth2::Client.new('client_id', 'client_secret', :site => 'https://example.org')
client.auth_code.authorize_url(:redirect_uri => 'http://localhost:8080/oauth2/callback')
As we see the last line execution gives a URL to be used in browser and get authorization code after clicking "Authorize".
But, I want to do all these in Rails model level, so that I don't have to hit the browser for authorization code and it should internally get the code which I can use later for token generation.
Is it possible?
It sounds like you want to use the resource owner password credentials flow for OAuth2. It is best described how to set this up with Doorkeeper and the OAuth2 gem in the Doorkeeper wiki.
I am trying to build a service that authenticates users using an oauth 1 signed request. The request includes an oauth token, signature, nonce, and consumer key. The server has access to the corresponding secrets, but it is unclear how to use the oauth gem to validate the token and retrieve the corresponding user. The token was originally generated using the oauth-rails plugin, but the validation needs to take place on a different server from the original rails application (but has access to the same underlying database).
How can I use the oauth gem to accomplish this?
I have looked through the source for the oauth and oauth-plugin gems, but I can't tell where this validation actually happens. Almost all of the documentation I can find refers to using the oauth gem as a consumer, not a provider.
I finally figured out the answer to this, so I'll put it here in the hopes of helping someone in the future.
Once you've retrieved the AccessToken and ClientApplication objects from the underlying database and checked the nonce and timestamp, verifying the signature is as easy as:
signature = OAuth::Signature.verify(request, {}) do |sigblock|
[token.secret, ca.secret]
end
If the signature checks out, signature will be true. Beware - if you're behind an http proxy such as nginx, the SERVER_PORT environment variable may not be correctly set for https requests and you may have to set it manually. If this (or any other seemingly tiny part of the request) is off, it can cause the signature verification to fail even if the request is valid.
I used to do the following to get user timelines:
https://api.twitter.com/1/statuses/user_timeline.json?screen_name=twitterapi&count=2
Now that I'm switching to Twitter API 1.1, I thought all I would have to do is this:
https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=twitterapi&count=2
but I'm getting the bad authentication data error from Twitter. I had no authentication setup previously with twitter, does API version 1.1 require authentication?
I guess I can use the Twitter gem, looks like it makes things pretty simple. But I just want to know whether I can use the above URL like I used to!
Take a read of this. Your initial assumption is correct, authentication is now required for all endpoints in v1.1. So to answer your question your request is correct you just need to pass an OAuth token or use application-only authentication.