diff options
Diffstat (limited to 'bin/idp')
| -rwxr-xr-x | bin/idp | 33 |
1 files changed, 28 insertions, 5 deletions
@@ -99,8 +99,20 @@ module Authn end end - def find_by_username(username) + def find_by all.find do |user| + yield user + end + end + + def find_by_email(email) + find_by do |user| + user[:email] == email + end + end + + def find_by_username(username) + find_by do |user| user[:username] == username end end @@ -443,7 +455,7 @@ module Authz client_credentials_grant(params) when 'password' password_grant(params[:username], params[:password]) - when 'urn:ietf:params:oauth:grant-type:saml2-bearer' # RFC7522 + when "urn:ietf:params:oauth:grant-type:saml2-bearer" # RFC-7522 saml_assertion_grant(params[:assertion]) when 'urn:ietf:params:oauth:grant-type:jwt-bearer' # RFC7523 jwt_bearer_grant(params) @@ -469,8 +481,19 @@ module Authz raise NotImplementedError end - def saml_assertion_grant(saml_assertion) - raise NotImplementedError + def saml_assertion_grant(encoded_saml_assertion) + xml = Base64.decode64(encoded_saml_assertion) + saml_response = Saml::Kit::Document.to_saml_document(xml) + saml_assertion = saml_response.assertion + # TODO:: Validate signature and prevent assertion reuse + + user = case saml_assertion.name_id_format + when Saml::Kit::Namespaces::EMAIL_ADDRESS + ::Authn::User.find_by_email(saml_assertion.name_id) + when Saml::Kit::Namespaces::PERSISTENT + ::Authn::User.find(saml_assertion.name_id) + end + new(user, saml_assertion: saml_assertion) end def jwt_bearer_grant(params) @@ -517,7 +540,7 @@ module Authz expires_in: 3600, refresh_token: SecureRandom.hex(32) }.tap do |body| - if params['scope'].include?("openid") + if params["scope"]&.include?("openid") body[:id_token] = user.create_id_token.to_jwt end end |