chore(agent_connect): update code to work with newer openid connect

remove AGENT_CONNECT_JWKS env key
This commit is contained in:
simon lehericey 2023-12-11 12:08:58 +01:00
parent b981b9a3ed
commit a811a72ab2
3 changed files with 4 additions and 63 deletions

View file

@ -13,8 +13,8 @@ class AgentConnectService
uri = client.authorization_uri( uri = client.authorization_uri(
scope: [:openid, :email], scope: [:openid, :email],
state: state, state:,
nonce: nonce, nonce:,
acr_values: 'eidas1' acr_values: 'eidas1'
) )

View file

@ -56,7 +56,6 @@ FC_PARTICULIER_BASE_URL=""
AGENT_CONNECT_ID="" AGENT_CONNECT_ID=""
AGENT_CONNECT_SECRET="" AGENT_CONNECT_SECRET=""
AGENT_CONNECT_BASE_URL="" AGENT_CONNECT_BASE_URL=""
AGENT_CONNECT_JWKS=""
AGENT_CONNECT_REDIRECT="" AGENT_CONNECT_REDIRECT=""
# External service: integration with HelpScout (optional) # External service: integration with HelpScout (optional)

View file

@ -1,61 +1,3 @@
OpenIDConnect.debug! OpenIDConnect.http_config do |config|
OpenIDConnect.logger = Rails.logger config.response :jwt
Rack::OAuth2.logger = Rails.logger
# Webfinger.logger = Rails.logger
SWD.logger = Rails.logger
# the openid_connect gem does not support
# jwt format in the userinfo call.
# A PR is open to improve the situation
# https://github.com/nov/openid_connect/pull/54
module OpenIDConnect
class AccessToken < Rack::OAuth2::AccessToken::Bearer
private
def jwk_loader
JSON.parse(URI.parse(ENV['AGENT_CONNECT_JWKS']).read).deep_symbolize_keys
end
def decode_jwt(requested_host, jwt)
agent_connect_host = URI.parse(ENV['AGENT_CONNECT_BASE_URL']).host
if requested_host == agent_connect_host
# rubocop:disable Lint/UselessAssignment
JWT.decode(jwt, key = nil, verify = true, { algorithms: ['ES256'], jwks: jwk_loader })[0]
# rubocop:enable Lint/UselessAssignment
else
raise "unknwon host : #{requested_host}"
end
end
def resource_request
res = yield
case res.status
when 200
hash = case parse_type_and_subtype(res.content_type)
when 'application/jwt'
requested_host = URI.parse(client.userinfo_endpoint).host
decode_jwt(requested_host, res.body)
when 'application/json'
JSON.parse(res.body)
end
hash&.with_indifferent_access
when 400
raise BadRequest.new('API Access Faild', res)
when 401
raise Unauthorized.new('Access Token Invalid or Expired', res)
when 403
raise Forbidden.new('Insufficient Scope', res)
else
raise HttpError.new(res.status, 'Unknown HttpError', res)
end
end
# https://datatracker.ietf.org/doc/html/rfc2045#section-5.1
# - type and subtype are the first member
# they are case insensitive
def parse_type_and_subtype(content_type)
content_type.split(';')[0].strip.downcase
end
end
end end