summaryrefslogtreecommitdiff
path: root/lib/omni_auth
diff options
context:
space:
mode:
authorMichael Tsyganov <mikhail.tsyganov@sap.com>2018-10-08 17:32:43 +0200
committerRémy Coutable <remy@rymai.me>2018-12-05 18:17:40 +0100
commita009381380d3b63fb1c133dbe63b2557e505f4c6 (patch)
tree45a99a71db54bb9546bfd605e577591afc7d0ea2 /lib/omni_auth
parent5f1bb1a70a6a62af3f54fad9dc650d9fbeae8423 (diff)
downloadgitlab-ce-a009381380d3b63fb1c133dbe63b2557e505f4c6.tar.gz
Support RSA and ECDSA algorithms in Omniauth JWT
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'lib/omni_auth')
-rw-r--r--lib/omni_auth/strategies/jwt.rb17
1 files changed, 15 insertions, 2 deletions
diff --git a/lib/omni_auth/strategies/jwt.rb b/lib/omni_auth/strategies/jwt.rb
index a792903fde7..2f3d477a591 100644
--- a/lib/omni_auth/strategies/jwt.rb
+++ b/lib/omni_auth/strategies/jwt.rb
@@ -1,6 +1,7 @@
# frozen_string_literal: true
require 'omniauth'
+require 'openssl'
require 'jwt'
module OmniAuth
@@ -37,7 +38,19 @@ module OmniAuth
end
def decoded
- @decoded ||= ::JWT.decode(request.params['jwt'], options.secret, options.algorithm).first
+ secret =
+ case options.algorithm
+ when *%w[RS256 RS384 RS512]
+ OpenSSL::PKey::RSA.new(options.secret).public_key
+ when *%w[ES256 ES384 ES512]
+ OpenSSL::PKey::EC.new(options.secret).tap { |key| key.private_key = nil }
+ when *%w(HS256 HS384 HS512)
+ options.secret
+ else
+ raise NotImplementedError, "Unsupported algorithm: #{options.algorithm}"
+ end
+
+ @decoded ||= ::JWT.decode(request.params['jwt'], secret, true, { algorithm: options.algorithm }).first
(options.required_claims || []).each do |field|
raise ClaimInvalid, "Missing required '#{field}' claim" unless @decoded.key?(field.to_s)
@@ -45,7 +58,7 @@ module OmniAuth
raise ClaimInvalid, "Missing required 'iat' claim" if options.valid_within && !@decoded["iat"]
- if options.valid_within && (Time.now.to_i - @decoded["iat"]).abs > options.valid_within
+ if options.valid_within && (Time.now.to_i - @decoded["iat"]).abs > options.valid_within.to_i
raise ClaimInvalid, "'iat' timestamp claim is too skewed from present"
end