No release in over 3 years
Low commit activity in last 3 years
Extend your Doorkeeper implementation adding a new grant type: assertion. And decoding JWT claim messages to generate access tokens.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 1.7
~> 11.0

Runtime

>= 1.5.4, ~> 1.5
 Project Readme

Doorkeeper JWT Assertion

Extending Doorkeeper to support JWT Assertion grant type using a secret or a private key file or application's public key.

This library is in alpha. Future incompatible changes may be necessary.

Install

Add the gem to the Gemfile

gem 'easyship-doorkeeper-jwt', require: 'doorkeeper/jwt_assertion'

Configuration

Inside your doorkeeper configuration file add the one of the following:

Doorkeeper.configure do

  # enable jwt handler
  jwt_enable true

  jwt_private_key Rails.root.join('config', 'keys', 'private.key')

  jwt_secret 'notasecret'

  # Optional
  jwt_use_issuer_as_client_id true

  # using public key as decode key
  jwt_use_application_public_key_as_key true

end

This will automatically push assertion into the Doorkeeper's grant_types configuration attribute.

When jwt_use_issuer_as_client_id is set to false then the client_id MUST be available from the parameters. By default it will extract the 'iss' and use it as the client_id to retrieve the oauth application.

Use the resource_owner_authenticator in the configuration to identify the owner based on the JWT claim values. This values can be accessible from jwt.

by default it setup application's owner as owner.

If the client request a token with an invalid assertion, or an expired JWT claim, an :invalid_grant error response will be generated before retrieving the resource_owner.

Doorkeeper.configure do

  resource_owner_authenticator do

    if jwt
      jwt['sub'].present? and User.find_by_email(jwt['sub'])
    end

  end

end

Client Usage

Generate an assertion request token using a private key file or a secret:

client = OAuth2::Client.new('client_id', 'client_secret', :site => 'http://my-site.com')

p12 = OpenSSL::PKCS12.new( Rails.root.join('config', 'keys', 'private.p12').open )

params = { :aud => 'audience',
           :sub => 'client_id',
           :iss => 'client_id',
           :scope => 'scope',
           :exp => Time.now.utc.to_i + 5.minutes }

token = client.assertion.get_token(params)

"[...] refresh tokens are not issued in response to assertion grant requests and access tokens will be issued with a reasonably short lifetime."

TO DO

  • Better error handling
  • JWT Client Authentication Flow
  • Testing