Extending Doorkeeper to support JWT Assertion grant type using a secret or a private key file.
This library is in alpha. Future incompatible changes may be necessary.
Add the gem to the Gemfile:

```ruby
gem 'doorkeeper-jwt_assertion'
```
Inside your Doorkeeper configuration file add one of the following (a private key file for signed assertions, or a shared secret for HMAC assertions):

```ruby
Doorkeeper.configure do
  # Use either a private key file ...
  jwt_private_key Rails.root.join('config', 'keys', 'private.key')
  # ... or a shared secret.
  jwt_secret 'notasecret'

  # Optional: take the client_id from the JWT 'iss' claim (default: true)
  jwt_use_issuer_as_client_id true
end
```
This will automatically push `assertion` into Doorkeeper's `grant_types` configuration attribute.

By default the extension extracts the `iss` claim and uses it as the `client_id` to look up the OAuth application. When `jwt_use_issuer_as_client_id` is set to `false`, the `client_id` MUST be supplied in the request parameters instead.

Use the `resource_owner_authenticator` in the configuration to identify the resource owner based on the JWT claim values. These values are accessible from `jwt`.

If the client requests a token with an invalid assertion or an expired JWT claim, an `:invalid_grant` error response is generated before the resource owner is retrieved, so the authenticator block below only runs for assertions that already passed validation.
```ruby
Doorkeeper.configure do
  resource_owner_authenticator do
    # `jwt` holds the verified claims of the assertion; it is nil for other grant types
    if jwt
      jwt['prn'].present? and User.find_by_email(jwt['prn'])
    end
  end
end
```
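To make the validation order described above concrete, here is an added example (plain Ruby stdlib, not the gem's own code) that builds an HS256 assertion with the `jwt_secret` from the configuration and verifies it the way the README describes: signature first, then `exp` and `aud`, and only then the `iss`-to-`client_id` rule. The `audience` value and the `client_id_for` helper are assumptions for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added example, not the gem's code: minimal HS256 assertion build/verify
# mirroring the README's checks (signature, exp, aud) and the
# jwt_use_issuer_as_client_id lookup rule.
SECRET = 'notasecret'.freeze # the jwt_secret from the config above

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Client side: sign a claims hash as a compact JWT (header.payload.signature).
def build_assertion(claims, secret = SECRET)
  input = [b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' })),
           b64url(JSON.generate(claims))].join('.')
  "#{input}.#{b64url(OpenSSL::HMAC.digest('sha256', secret, input))}"
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: returns [:ok, claims] or [:invalid_grant, reason].
# Any failure here happens before a resource owner would be looked up.
def verify_assertion(assertion, audience, secret: SECRET, now: Time.now.utc.to_i)
  parts = assertion.to_s.split('.')
  return [:invalid_grant, 'malformed'] unless parts.length == 3
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  return [:invalid_grant, 'unsupported alg'] unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('sha256', secret, parts[0, 2].join('.'))
  given = Base64.urlsafe_decode64(parts[2])
  return [:invalid_grant, 'bad signature'] unless secure_equal?(expected, given)
  claims = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  return [:invalid_grant, 'expired'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  return [:invalid_grant, 'wrong audience'] unless claims['aud'] == audience
  [:ok, claims]
rescue JSON::ParserError, ArgumentError
  [:invalid_grant, 'undecodable']
end

# Hypothetical helper: client_id comes from 'iss' by default; with the
# option turned off it MUST be present in the request parameters.
def client_id_for(claims, params, use_issuer_as_client_id: true)
  use_issuer_as_client_id ? claims['iss'] : params[:client_id]
end
```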
Generate an assertion request token using a private key file or a secret:
```ruby
# Uses the oauth2 gem's assertion grant helper; 5.minutes requires ActiveSupport (present in Rails).
client = OAuth2::Client.new('client_id', 'client_secret', :site => 'http://my-site.com')
p12 = OpenSSL::PKCS12.new(Rails.root.join('config', 'keys', 'private.p12').binread)
params = { :private_key => p12.key,
           :aud => 'audience',
           :prn => 'person', # or :sub => 'subject', not supported on OAuth2 1.0.0 yet
           :iss => 'client_id', # used as the client_id when jwt_use_issuer_as_client_id is true
           :scope => 'scope',
           :exp => Time.now.utc.to_i + 5.minutes }
token = client.assertion.get_token(params)
```
> "[...] refresh tokens are not issued in response to assertion grant requests and access tokens will be issued with a reasonably short lifetime."
- Better error handling
- JWT Client Authentication Flow
- Testing