CD2H gitForager

discourse/discourse-omniauth-jwt

Name: discourse-omniauth-jwt

Owner: Discourse

Description: An OmniAuth strategy that uses JSON Web Token for Single Sign-On

Created: 2015-09-14 20:51:46.0

Updated: 2018-01-17 15:25:40.0

Pushed: 2015-09-14 20:56:55.0

Homepage: null

Size: 97

Language: Ruby

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

OmniAuth::JWT

JSON Web Token (JWT) is a simple way to send verified information between two parties online. This can be useful as a mechanism for providing Single Sign-On (SSO) to an application by allowing an authentication server to send a validated claim and log the user in. This is how Zendesk does SSO, for example.

OmniAuth::JWT provides a clean, simple wrapper on top of JWT so that you can easily implement this kind of SSO either between your own applications or allow third parties to delegate authentication.

Installation

Add this line to your application's Gemfile:

gem 'omniauth-jwt'

And then execute:

$ bundle

Or install it yourself as:

$ gem install omniauth-jwt

Usage

You use OmniAuth::JWT just like you do any other OmniAuth strategy:

OmniAuth::JWT, 'SHAREDSECRET', auth_url: 'http://example.com/login'

The first parameter is the shared secret that will be used by the external authenticator to verify that. You must also specify the auth_url option to tell the strategy where to redirect to log in. Other available options are:

algorithm: the algorithm to use to decode the JWT token. This is HS256 by default but can be set to anything supported by ruby-jwt
uid_claim: this determines which claim will be used to uniquely identify the user. Defaults to email
required_claims: array of claims that are required to make this a valid authentication call. Defaults to ['name', 'email']
info_map: array mapping claim values to info hash values. Defaults to mapping name and email to the same in the info hash.
valid_within: integer of how many seconds of time skew you will allow. Defaults to nil. If this is set, the iat claim becomes required and must be within the specified number of seconds of the current time. This helps to prevent replay attacks.

Authentication Process

When you authenticate through omniauth-jwt you can send users to /auth/jwt and it will redirect them to the URL specified in the auth_url option. From there, the provider must generate a JWT and send it to the /auth/jwt/callback URL as a “jwt” parameter:

/auth/jwt/callback?jwt=ENCODEDJWTGOESHERE

An example of how to do that in Sinatra:

ire 'jwt'

'/login/sso/other-app' do
assuming the user is already logged in and this is available as current_user
aims = {
id: current_user.id,
name: current_user.name,
email: current_user.email,
iat: Time.now.to_i


yload = JWT.encode(claims, ENV['SSO_SECRET'])
direct "http://other-app.com/auth/jwt/callback?jwt=#{payload}"

Contributing

Fork it
Create your feature branch (git checkout -b my-new-feature)
Commit your changes (git commit -am 'Add some feature')
Push to the branch (git push origin my-new-feature)
Create new Pull Request

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.