Project

doorkeeper-jwt_assertion

0.0
Bugfix fork ofeasyship-doorkeeper-jwt
No commit activity in last 3 years
No release in over 3 years
doorkeeper-jwt_assertionkioru/doorkeeper-jwt_assertionHomepageDocumentationSource CodeBug TrackerWiki
Extend your Doorkeeper implementation adding a new grant type: assertion. And decoding JWT claim messages to generate access tokens.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
5,822
Stars
1
Forks
2
Watchers
3
 Releases
Current version
0.0.2
Total releases
2
First release
2015-04-27
Latest release
2015-04-30
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2015-04-28
Reverse Dependencies
0

 Dependencies

Development

bundler
~> 1.7
rake
~> 10.0

Runtime

doorkeeper
~> 2.1
jwt
~> 1.4
 Project Readme

Doorkeeper JWT Assertion

Extending Doorkeeper to support JWT Assertion grant type using a secret or a private key file.

This library is in alpha. Future incompatible changes may be necessary.

Install

Add the gem to the Gemfile

gem 'doorkeeper-jwt_assertion'

Configuration

Inside your doorkeeper configuration file add the one of the fallowing:

Doorkeeper.configure do
	
	jwt_private_key Rails.root.join('config', 'keys', 'private.key')

	jwt_secret 'notasecret'

	# Optional
	jwt_use_issuer_as_client_id true
end

This will automatically push assertion into the Doorkeeper's grant_types configuration attribute.

When jwt_use_issuer_as_client_id is set to false then the client_id MUST be available from the parameters. By default it will extract the 'iss' and use it as the client_id to retrieve the oauth application.

Use the resource_owner_authenticator in the configuration to identify the owner based on the JWT claim values. This values can be accessible from jwt. If the client request a token with an invalid assertion, or an expired JWT claim, an :invalid_grant error response will be generated before retrieving the resource_owner.

Doorkeeper.configure do
	
	resource_owner_authenticator do

		if jwt
			jwt['prn'].present? and User.find_by_email(jwt['prn'])
		end

	end

end

Client Usage

Generate an assertion request token using a private key file or a secret:

client = OAuth2::Client.new('client_id', 'client_secret', :site => 'http://my-site.com')

p12 = OpenSSL::PKCS12.new( Rails.root.join('config', 'keys', 'private.p12').open )

params = { :private_key => p12.key,
           :aud => 'audience',
           :prn => 'person', # or :sub => 'subject', not suported on OAuth2 1.0.0 yet.
           :iss => 'client_id',
           :scope => 'scope',
           :exp => Time.now.utc.to_i + 5.minutes }

token = client.assertion.get_token(params)

"[...] refresh tokens are not issued in response to assertion grant requests and access tokens will be issued with a reasonably short lifetime."

TO DO

  • Better error handling
  • JWT Client Authentication Flow
  • Testing