require "sinatra"
require "omniauth"
require "omniauth_openid_connect"
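enable :sessions
# Fail fast when the secret is missing instead of handing nil to the cookie
# session store: the `before` filter below trusts session[:authenticated], so
# the session cookie must be signed with a secret that survives restarts.
set :session_secret, ENV.fetch("RACK_SESSION_SECRET")

configure :development do
  OmniAuth.config.logger.level = Logger::DEBUG
  set :logging, Logger::DEBUG
end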
# use MyMiddleware
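# OmniAuth strategy for the OIDC provider. Settings the strategy cannot work
# without are read with ENV.fetch, so an unset variable aborts at boot instead
# of surfacing as a discovery or redirect_uri error on the first login.
use OmniAuth::Builder do
  base_url = ENV.fetch("BASE_URL")
  provider :openid_connect, {
    issuer: ENV.fetch("OIDC_ISSUER"),
    discovery: true,
    client_auth_method: "jwks",
    scope: [:openid, :profile],
    client_options: {
      identifier: ENV.fetch("OIDC_CLIENT_ID"),
      # Left optional as in the original; whether the strategy needs it at all
      # with client_auth_method "jwks" is not visible here -- confirm.
      secret: ENV["OIDC_CLIENT_SECRET"],
      redirect_uri: "#{base_url}/auth/openid_connect/callback"
    }
  }
end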
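# OmniAuth redirects here after the provider round-trip; by then the strategy
# has placed the normalized auth hash in env["omniauth.auth"].
get "/auth/openid_connect/callback" do
  auth = request.env["omniauth.auth"]
  # No auth hash means nothing to trust -- treat it like any other failed login
  # rather than raising NoMethodError on auth[:info].
  redirect "/auth/failure" unless auth

  session[:authenticated] = true
  # Plain seconds: Integer#hour is an ActiveSupport extension this file never
  # requires, so `1.hour` would raise unless something else happens to load it.
  session[:expires_at] = Time.now.utc + 60 * 60
  session[:info] = auth[:info]
  redirect "/"
end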
# Page OmniAuth sends the browser to when the provider round-trip fails.
get "/auth/failure" do
  "You are not authorized"
end
# Drop the local session, then hand the browser to the IdP so its session ends too.
get "/logout" do
  session.clear
  # Cosign logout CGI on the Shibboleth IdP; the query string is the
  # destination the user is sent to after the IdP-side logout.
  redirect("https://shibboleth.umich.edu/cgi-bin/logout?https://lib.umich.edu/")
  # Alternative: the IdP-initiated logout endpoint (redirects to http://umich.edu)
  # redirect "https://shibboleth.umich.edu/idp/profile/Logout"
end
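# Home page: dumps the claims stored at login. The claims originate at the
# identity provider, not here, so they are HTML-escaped before interpolation
# instead of being echoed raw. Rack::Utils is in scope via `require "sinatra"`.
get "/" do
  info = Rack::Utils.escape_html(session[:info].to_h.to_s)
  "<p>session[:info] #{info}</p>" \
    "<p><a href='/logout'>Logout</a></p>"
end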
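# Auto-submits a POST to the OmniAuth request phase (a form rather than a link
# because the request phase is POST-only here -- confirm against the installed
# OmniAuth version). The authenticity token comes from the rack-protection
# session key; it is escaped so the attribute stays well-formed whatever the
# stored value is, and `.to_s` keeps a missing token from raising.
get "/login" do
  token = Rack::Utils.escape_html(request.env["rack.session"]["csrf"].to_s)
  <<~HTML
    <h1>Logging You In...</h1>
    <script>
      window.onload = function(){
        document.forms['login_form'].submit();
      }
    </script>
    <form id='login_form' method='post' action='/auth/openid_connect'>
      <input type="hidden" name="authenticity_token" value='#{token}'>
      <noscript>
        <button type="submit">Login</button>
      </noscript>
    </form>
  HTML
end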
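# Authentication gate for every route. Requests whose first path segment is
# one of the exempt names (the OmniAuth endpoints, login and logout) pass
# through; everything else needs a session that is authenticated and not yet
# past its expiry.
before do
  first_segment = request.path_info.split("/")[1]
  pass if %w[auth logout login].include?(first_segment)

  expires_at = session[:expires_at]
  # A missing expiry counts as expired instead of raising on `Time > nil`.
  if !session[:authenticated] || expires_at.nil? || Time.now.utc > expires_at
    redirect "/login"
  end
  pass
end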