diff options
-rw-r--r-- | Gemfile | 1 | ||||
-rw-r--r-- | Gemfile.lock | 4 | ||||
-rw-r--r-- | changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml | 5 | ||||
-rw-r--r-- | config/gitlab.yml.example | 4 | ||||
-rw-r--r-- | config/initializers/omniauth.rb | 1 | ||||
-rw-r--r-- | doc/administration/auth/jwt.md | 2 | ||||
-rw-r--r-- | lib/omni_auth/strategies/jwt.rb | 62 |
7 files changed, 71 insertions, 8 deletions
@@ -51,7 +51,6 @@ gem 'omniauth-shibboleth', '~> 1.2.0' gem 'omniauth-twitter', '~> 1.4' gem 'omniauth_crowd', '~> 2.2.0' gem 'omniauth-authentiq', '~> 0.3.1' -gem 'omniauth-jwt', '~> 0.0.2' gem 'rack-oauth2', '~> 1.2.1' gem 'jwt', '~> 1.5.6' diff --git a/Gemfile.lock b/Gemfile.lock index d5e1c428e25..29161429f23 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -555,9 +555,6 @@ GEM jwt (>= 1.5) omniauth (>= 1.1.1) omniauth-oauth2 (>= 1.5) - omniauth-jwt (0.0.2) - jwt - omniauth (~> 1.1) omniauth-kerberos (0.3.0) omniauth-multipassword timfel-krb5-auth (~> 0.8) @@ -1119,7 +1116,6 @@ DEPENDENCIES omniauth-github (~> 1.1.1) omniauth-gitlab (~> 1.0.2) omniauth-google-oauth2 (~> 0.5.3) - omniauth-jwt (~> 0.0.2) omniauth-kerberos (~> 0.3.0) omniauth-oauth2-generic (~> 0.2.2) omniauth-saml (~> 1.10) diff --git a/changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml b/changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml new file mode 100644 index 00000000000..22a839cef56 --- /dev/null +++ b/changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml @@ -0,0 +1,5 @@ +--- +title: Ports omniauth-jwt gem onto GitLab OmniAuth Strategies suite +merge_request: 18580 +author: +type: fixed diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 8c39a1f2aa9..722ac67da0b 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -532,7 +532,7 @@ production: &base # required_claims: ["name", "email"], # info_map: { name: "name", email: "email" }, # auth_url: 'https://example.com/', - # valid_within: nil, + # valid_within: null, # } # } # - { name: 'saml', @@ -823,7 +823,7 @@ test: required_claims: ["name", "email"], info_map: { name: "name", email: "email" }, auth_url: 'https://example.com/', - valid_within: nil, + valid_within: null, } } - { name: 'auth0', diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb index 00baea08613..e33ebb25c4c 100644 --- a/config/initializers/omniauth.rb +++ b/config/initializers/omniauth.rb @@ -25,5 +25,6 @@ end module OmniAuth module Strategies autoload :Bitbucket, Rails.root.join('lib', 'omni_auth', 'strategies', 'bitbucket') + autoload :Jwt, Rails.root.join('lib', 'omni_auth', 'strategies', 'jwt') end end diff --git a/doc/administration/auth/jwt.md b/doc/administration/auth/jwt.md index b51e705ab52..8b00f52ffc1 100644 --- a/doc/administration/auth/jwt.md +++ b/doc/administration/auth/jwt.md @@ -50,7 +50,7 @@ JWT will provide you with a secret key for you to use. required_claims: ["name", "email"], info_map: { name: "name", email: "email" }, auth_url: 'https://example.com/', - valid_within: nil, + valid_within: null, } } ``` diff --git a/lib/omni_auth/strategies/jwt.rb b/lib/omni_auth/strategies/jwt.rb new file mode 100644 index 00000000000..2349b2a28aa --- /dev/null +++ b/lib/omni_auth/strategies/jwt.rb @@ -0,0 +1,62 @@ +require 'omniauth' +require 'jwt' + +module OmniAuth + module Strategies + class JWT + ClaimInvalid = Class.new(StandardError) + + include OmniAuth::Strategy + + args [:secret] + + option :secret, nil + option :algorithm, 'HS256' + option :uid_claim, 'email' + option :required_claims, %w(name email) + option :info_map, { name: "name", email: "email" } + option :auth_url, nil + option :valid_within, nil + + uid { decoded[options.uid_claim] } + + extra do + { raw_info: decoded } + end + + info do + options.info_map.each_with_object({}) do |(k, v), h| + h[k.to_s] = decoded[v.to_s] + end + end + + def request_phase + redirect options.auth_url + end + + def decoded + @decoded ||= ::JWT.decode(request.params['jwt'], options.secret, options.algorithm).first + + (options.required_claims || []).each do |field| + raise ClaimInvalid, "Missing required '#{field}' claim" unless @decoded.key?(field.to_s) + end + + raise ClaimInvalid, "Missing required 'iat' claim" if options.valid_within && !@decoded["iat"] + + if options.valid_within && (Time.now.to_i - @decoded["iat"]).abs > options.valid_within + raise ClaimInvalid, "'iat' timestamp claim is too skewed from present" + end + + @decoded + end + + def callback_phase + super + rescue ClaimInvalid => e + fail! :claim_invalid, e + end + end + + class Jwt < JWT; end + end +end |