
Doorkeeper::OpenidConnect::Ciba

Doorkeeper support for OpenID Connect Client Initiated Backchannel Authentication Flow

This library implements the OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0 for Rails applications on top of the Doorkeeper OAuth 2.0 framework and the Doorkeeper::OpenidConnect extension.

This is an open-source implementation of the CIBA specification.

Status

The following parts of OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0 are planned to be supported for v1.0:

Affected endpoints:

ps. auth_req_id --> the "authentication request ID" (transaction identifier) issued by the backchannel authentication endpoint.

POLL FLOW:

Sequence (the numbers are the steps of the original diagram; the Consumption Device is on the left, doorkeeper-ciba on the right):

(1) Consumption Device --POST--> BackChannel Authorize (inside CIBA spec)
(2) Consumption Device <--[auth_req_id]-- BackChannel Authorize
(3) BackChannel Authorize --notify pending consent approval [Auth Result ID]--> Authorization Device (outside CIBA spec: OID Auth, Consent Approval)
(4) Authorization Device --[Get Auth Info]--> BackChannel Authorize, which answers with the auth info
(5) Authorization Device --[Auth Result ID]--> Update BackChannel Request Id Status
(6) Consumption Device --POST [auth_req_id]--> CIBA Token Request/Reply
(7) CIBA Token Request/Reply --[Auth Result ID]--> Update BackChannel Request Id Status, after which an error or the token is returned to the Consumption Device

--> BackChannel Authorize - /backchannel/authorize
--> OID Auth - /oauth/authorize
--> Get Auth Info - /backchannel/authinfo
--> Consent Approval (or disapproval) - /backchannel/complete
--> CIBA Token Request/Reply - /oauth/token with grant_type = urn:openid:params:grant-type:ciba
--> Notify pending consent approval - consumption device solution dependent (e.g. via e-mail, SMS, etc.)
--> Steps 6 and 7 repeat until the request expires or the consent response is received, limited by a minimum polling interval (both parameters are returned by backchannel-authorize).
--> The Authorization Device will use a sample web application (currently in development).
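The consumption-device side of the POLL flow, as an added example that is not code from the doorkeeper-ciba gem: it runs step (1), keeps the auth_req_id, expires_in and interval it gets back in (2), and then repeats steps (6)/(7) against /oauth/token with the CIBA grant type until a token, a terminal error, or expiry. The `transport` lambda (returning the parsed JSON body), the injectable clock/sleeper, and passing client_id/client_secret as form parameters are assumptions; `authorization_pending`, `slow_down` and the 5-second back-off are the CIBA Core polling semantics.

```ruby
# Added example (not part of the doorkeeper-ciba gem): a consumption-device
# client for the POLL flow. HTTP is done through an injected `transport`
# lambda (assumption) returning the parsed JSON body, so it runs offline.
class CibaPollClient
  GRANT_TYPE = 'urn:openid:params:grant-type:ciba'.freeze

  # clock/sleeper are injectable so tests do not really wait.
  def initialize(transport:, client_id:, client_secret:,
                 clock: -> { Time.now.to_f }, sleeper: ->(s) { sleep(s) })
    @transport, @clock, @sleeper = transport, clock, sleeper
    @creds = { client_id: client_id, client_secret: client_secret } # assumed client auth
  end

  # Steps (1)/(2): POST /backchannel/authorize; keep auth_req_id plus the
  # expires_in and interval values that bound the polling loop.
  def start(login_hint:, scope: 'openid ciba', binding_message: nil)
    params = @creds.merge(scope: scope, login_hint: login_hint)
    params[:binding_message] = binding_message if binding_message
    res = @transport.call('/backchannel/authorize', params)
    raise "backchannel authorize failed: #{res['error']}" if res['error']
    { auth_req_id: res.fetch('auth_req_id'),
      deadline: @clock.call + res.fetch('expires_in').to_i,
      interval: [res.fetch('interval', 5).to_i, 1].max }
  end

  # Steps (6)/(7): poll /oauth/token with the CIBA grant until a token, a
  # terminal error, or local expiry. authorization_pending and slow_down
  # are the CIBA "keep polling" errors; slow_down adds 5s to the interval.
  def poll(request)
    interval = request[:interval]
    loop do
      return { status: :expired } if @clock.call >= request[:deadline]
      res = @transport.call('/oauth/token', @creds.merge(
        grant_type: GRANT_TYPE, auth_req_id: request[:auth_req_id]))
      case res['error']
      when nil
        return { status: :ok, access_token: res['access_token'], id_token: res['id_token'] }
      when 'authorization_pending'
        @sleeper.call(interval)
      when 'slow_down'
        interval += 5
        @sleeper.call(interval)
      else # access_denied, expired_token, invalid_grant, ...
        return { status: :error, error: res['error'] }
      end
    end
  end
end
```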

Known Issues

Example Applications

appciba = Doorkeeper::Application.create!(
  name: 'CIBA',
  redirect_uri: 'https://localhost:3000/someapp',
  uid: 'CIBAUID',
  secret: 'CIBASECRET',
  scopes: 'openid ciba',
  ciba_notify_type: 'POLL', # PING OR PUSH
  # ASYNC NOTIFY ENDPOINT IS MANDATORY FOR PING OR PUSH
  ciba_notify_endpoint: 'https://localhost:3000/backchannel/testcibacallback'
)

puts "
  Client: #{appciba.name}
  Client ID: #{appciba.uid}
  Client Secret: #{appciba.secret}
  Redirect URI: #{appciba.redirect_uri}
  Scopes: #{appciba.scopes}
  ciba_notify_type: #{appciba.ciba_notify_type}
  ciba_notify_endpoint: #{appciba.ciba_notify_endpoint}
"

Installation

Make sure your application is already set up with Doorkeeper and Doorkeeper::OpenidConnect.

Add this line to your application's Gemfile and run bundle install:

gem 'doorkeeper-ciba', git: 'https://github.com/autoseg/doorkeeper-ciba', branch: 'main'

ps. you can also run "bundle add doorkeeper-ciba --git https://github.com/autoseg/doorkeeper-ciba --branch 'main'".

Run the installation generator to update routes and create the initializer:

rails generate doorkeeper:openid_connect:ciba:install

Generate a migration for Active Record (other ORMs are currently not supported):

rails generate doorkeeper:openid_connect:ciba:migration
rake db:migrate

Configuration

After the installation process, an initializer with the configurable options is created at config/initializers/doorkeeper_openid_connect_ciba.rb; edit it as recommended in its comments.

Doorkeeper::OpenidConnect::Ciba.configure do
  # Expiration time for the req_id_token.
  # default_req_id_expiration 600

  # Max Expiration time for the req_id_token (default 1 day).
  # max_req_id_expiration 86400

  # Default minimum wait interval for token execution in poll mode
  # default_poll_interval 5

  # Max bind message size
  # option :max_bind_message_size, default: 128

  # mandatory configuration with the logic to validate the login_hint filled in both backchannel authentication and backchannel complete
  # must return the id of the user as uuid
  # resolve_user_identity do |login_hint|
  #   user = User.find_by(email: login_hint, email_verified: true)
  #   user.id unless user.nil?
  # end

  # mandatory configuration with the logic to get the e-mail of the user based on auth req id
  # resolve_email_by_auth_req_id do |auth_req_id|
  #   user = User.select('users.email').joins("inner join backchannel_auth_requests authreq on users.id = authreq.identified_user_id").where("authreq.auth_req_id" => auth_req_id)
  #   user.first.email if user.count > 0
  # end

  # mandatory config : add new permission to grant type ciba
  Doorkeeper.configuration.grant_flows.append("urn:openid:params:grant-type:ciba")
end

Routes

The installation generator will update your config/routes.rb to define all required routes:

Rails.application.routes.draw do
  use_doorkeeper_openid_connect
  use_doorkeeper_openid_connect_ciba
  # your custom routes here
end

This will mount the following routes:

POST  /backchannel/authorize
GET /backchannel/authinfo
POST  /backchannel/complete
POST /backchannel/clientconfig

Internationalization (I18n)

We use Rails locale files for error messages and scope descriptions, see config/locales/en.yml. You can override these by adding them to your own translations in config/locales.

Development

Run bundle install to setup all development dependencies.

To run all specs:

bundle exec rake spec

To generate and run migrations in the test application:

bundle exec rake migrate

To run the local engine server:

bundle exec rake server

By default, the latest Rails version is used. To use a specific version run:

rails=4.2.0 bundle update

License

Doorkeeper::OpenidConnect::Ciba is released under the MIT License.

Author

Carlos Eduardo Gorges (https://github.com/carlosgorges)

Sponsors

Initial development of this project was sponsored by TODO.