Class: Google::Auth::UserAuthorizer
- Inherits:
-
Object
- Object
- Google::Auth::UserAuthorizer
- Defined in:
- lib/googleauth/user_authorizer.rb
Overview
Handles an interactive 3-Legged-OAuth2 (3LO) user consent authorization.
Example usage for a simple command line app:
# Look up any credentials already saved for this user in the token store.
credentials = authorizer.get_credentials(user_id)
if credentials.nil?
  # Nothing usable is stored, so start the interactive consent flow.
  # NOTE(review): OOB_URI selects the out-of-band (copy/paste) redirect, which
  # Google has deprecated for most client types — confirm it still applies to
  # your client before copying this pattern.
  url = authorizer.get_authorization_url(
    base_url: OOB_URI)
  puts "Open the following URL in the browser and enter the " +
       "resulting code after authorization"
  puts url
  # NOTE(review): gets returns the line including its trailing newline.
  code = gets
  # Exchange the pasted code for tokens and save them for the next run.
  credentials = authorizer.get_and_store_credentials_from_code(
    user_id: user_id, code: code, base_url: OOB_URI)
end
# Credentials ready to use, call APIs
...
Direct Known Subclasses
Constant Summary collapse
- MISMATCHED_CLIENT_ID_ERROR =
"Token client ID of %s does not match configured client id %s".freeze
- NIL_CLIENT_ID_ERROR =
"Client id can not be nil.".freeze
- NIL_SCOPE_ERROR =
"Scope can not be nil.".freeze
- NIL_USER_ID_ERROR =
"User ID can not be nil.".freeze
- NIL_TOKEN_STORE_ERROR =
"Can not call method if token store is nil".freeze
- MISSING_ABSOLUTE_URL_ERROR =
'Absolute base url required for relative callback url "%s"'.freeze
Class Method Summary collapse
-
.generate_code_verifier ⇒ Object
Generate the code verifier that needs to be sent while fetching the authorization URL.
Instance Method Summary collapse
-
#code_verifier=(new_code_verifier) ⇒ Object
The code verifier for PKCE for OAuth 2.0.
-
#get_and_store_credentials_from_code(options = {}) ⇒ Google::Auth::UserRefreshCredentials
Exchanges an authorization code returned in the oauth callback.
-
#get_authorization_url(options = {}) ⇒ String
Build the URL for requesting authorization.
-
#get_credentials(user_id, scope = nil) ⇒ Google::Auth::UserRefreshCredentials
Fetch stored credentials for the user.
-
#get_credentials_from_code(options = {}) ⇒ Google::Auth::UserRefreshCredentials
Exchanges an authorization code returned in the oauth callback.
-
#initialize(client_id, scope, token_store, legacy_callback_uri = nil, callback_uri: nil, code_verifier: nil) ⇒ UserAuthorizer
constructor
Initialize the authorizer.
-
#revoke_authorization(user_id) ⇒ Object
Revokes a user's credentials.
-
#store_credentials(user_id, credentials) ⇒ Google::Auth::UserRefreshCredentials
Store credentials for a user.
Constructor Details
#initialize(client_id, scope, token_store, legacy_callback_uri = nil, callback_uri: nil, code_verifier: nil) ⇒ UserAuthorizer
Initialize the authorizer
# File 'lib/googleauth/user_authorizer.rb', line 68

# Initialize the authorizer.
#
# @param client_id [Object] client identity; other methods of this class read
#   its `id` and `secret`
# @param scope [String, Array<String>] one scope or a list of scopes
# @param token_store [Object, nil] backing store for tokens; not validated here
# @param legacy_callback_uri [String, nil] positional form of the callback URI
# @param callback_uri [String, nil] keyword form of the callback URI
# @param code_verifier [String, nil] optional PKCE code verifier
# @raise [InitializationError] if client_id or scope is nil
def initialize(client_id, scope, token_store, legacy_callback_uri = nil,
               callback_uri: nil, code_verifier: nil)
  raise InitializationError, NIL_CLIENT_ID_ERROR if client_id.nil?
  raise InitializationError, NIL_SCOPE_ERROR if scope.nil?

  @client_id = client_id
  @token_store = token_store
  @code_verifier = code_verifier
  # A single scope is wrapped so that @scope is always a list.
  @scope = Array(scope)

  # The positional (legacy) callback wins over the keyword one; the relative
  # default path is used when neither is given.
  chosen_callback = legacy_callback_uri
  chosen_callback ||= callback_uri
  chosen_callback ||= "/oauth2callback"
  @callback_uri = chosen_callback
end
Class Method Details
.generate_code_verifier ⇒ Object
Generate the code verifier that needs to be sent while fetching the authorization URL.
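# File 'lib/googleauth/user_authorizer.rb', line 276

# Generate a random PKCE code verifier.
#
# RFC 7636 (section 4.1) requires a verifier of 43 to 128 characters, so the
# length is drawn from 43..96. The earlier lower bound of 32 could yield a
# verifier that a strictly conforming authorization server rejects.
#
# @return [String] alphanumeric verifier, 43 to 96 characters long
def self.generate_code_verifier
  # Only the characters have to be unpredictable; the length is not a secret,
  # so Kernel#rand is acceptable for choosing it.
  length = rand 43..96
  SecureRandom.alphanumeric length
end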
Instance Method Details
#code_verifier=(new_code_verifier) ⇒ Object
The code verifier for PKCE for OAuth 2.0. When set, the authorization URI will contain the Code Challenge and Code Challenge Method querystring parameters, and the token URI will contain the Code Verifier parameter.
# File 'lib/googleauth/user_authorizer.rb', line 270

# Replace the PKCE code verifier held by this authorizer.
#
# The value is read back when the authorization URL is built and when an
# authorization code is exchanged, so it must stay the same across both steps
# of one sign-in.
#
# @param new_code_verifier [String, nil] verifier to use from now on
def code_verifier=(new_code_verifier)
  @code_verifier = new_code_verifier
end
#get_and_store_credentials_from_code(options = {}) ⇒ Google::Auth::UserRefreshCredentials
Exchanges an authorization code returned in the oauth callback. Additionally, stores the resulting credentials in the token store if the exchange is successful.
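# File 'lib/googleauth/user_authorizer.rb', line 220

# Exchange an authorization code for credentials and save them in the token
# store.
#
# @param options [Hash] passed unchanged to get_credentials_from_code;
#   :user_id is also used as the token-store key
# @return [Google::Auth::UserRefreshCredentials] the credentials that were stored
def get_and_store_credentials_from_code options = {}
  credentials = get_credentials_from_code options
  # NOTE(review): options[:user_id] decides which token-store entry is
  # written; take it from the authenticated session, not from callback input.
  store_credentials options[:user_id], credentials
end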
#get_authorization_url(options = {}) ⇒ String
Build the URL for requesting authorization.
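# File 'lib/googleauth/user_authorizer.rb', line 99

# Build the URL for requesting authorization.
#
# Keys read from options: :scope (falls back to the configured scope),
# :additional_parameters, :base_url, :state and :login_hint.
# options[:additional_parameters] is created if missing and modified in
# place, so the caller's hash is changed.
#
# @param options [Hash] request options, see above
# @return [String] the authorization URL
def get_authorization_url options = {}
  scope = options[:scope] || @scope

  options[:additional_parameters] ||= {}

  # The PKCE challenge is added only when a code verifier is configured.
  if @code_verifier
    options[:additional_parameters].merge!(
      {
        code_challenge: generate_code_challenge(@code_verifier),
        code_challenge_method: code_challenge_method
      }
    )
  end

  credentials = UserRefreshCredentials.new(
    client_id: @client_id.id,
    client_secret: @client_id.secret,
    scope: scope,
    additional_parameters: options[:additional_parameters]
  )
  redirect_uri = redirect_uri_for options[:base_url]
  # state is passed through unchanged; this method neither generates nor
  # verifies it, so a caller relying on it for CSRF protection must supply an
  # unguessable value and check it in the callback.
  # NOTE(review): access_type "offline" with approval_prompt "force"
  # presumably requests a refresh token and re-prompts for consent — confirm
  # against the authorization server's documentation.
  url = credentials.authorization_uri(access_type: "offline",
                                      redirect_uri: redirect_uri,
                                      approval_prompt: "force",
                                      state: options[:state],
                                      include_granted_scopes: true,
                                      login_hint: options[:login_hint])
  url.to_s
end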
#get_credentials(user_id, scope = nil) ⇒ Google::Auth::UserRefreshCredentials
Fetch stored credentials for the user.
# File 'lib/googleauth/user_authorizer.rb', line 140

# Fetch stored credentials for the user.
#
# @param user_id [Object] key under which the token was stored
# @param scope [String, Array<String>, nil] scope the credentials must cover;
#   the configured scope is used when nil
# @return [Google::Auth::UserRefreshCredentials, nil] nil when nothing is
#   stored for the user or the stored credentials do not include the scope
# @raise [CredentialsError] when the stored token names a different client id
def get_credentials(user_id, scope = nil)
  saved_token = stored_token user_id
  return nil if saved_token.nil?

  data = MultiJson.load saved_token

  # A stored token with no "client_id" key falls back to the configured id
  # and therefore passes this check.
  token_client_id = data.fetch("client_id", @client_id.id)
  unless token_client_id == @client_id.id
    raise CredentialsError.with_details(
      format(MISMATCHED_CLIENT_ID_ERROR, data["client_id"], @client_id.id),
      credential_type_name: self.class.name,
      principal: principal
    )
  end

  credentials = UserRefreshCredentials.new(
    client_id: @client_id.id,
    client_secret: @client_id.secret,
    scope: data["scope"] || @scope,
    access_token: data["access_token"],
    refresh_token: data["refresh_token"],
    # Stored in milliseconds, passed on in whole seconds.
    expires_at: data.fetch("expiration_time_millis", 0) / 1000
  )

  wanted_scope = scope || @scope
  return nil unless credentials.includes_scope? wanted_scope

  monitor_credentials user_id, credentials
end
#get_credentials_from_code(options = {}) ⇒ Google::Auth::UserRefreshCredentials
Exchanges an authorization code returned in the oauth callback
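# File 'lib/googleauth/user_authorizer.rb', line 184

# Exchange an authorization code returned in the OAuth callback.
#
# Keys read from options: :user_id, :code, :scope (falls back to the
# configured scope), :base_url and :additional_parameters.
# options[:additional_parameters] is created if missing and modified in
# place, so the caller's hash is changed.
#
# @param options [Hash] exchange options, see above
# @return [Google::Auth::UserRefreshCredentials] credentials for the user
def get_credentials_from_code options = {}
  user_id = options[:user_id]
  code = options[:code]
  scope = options[:scope] || @scope
  base_url = options[:base_url]
  options[:additional_parameters] ||= {}
  # The verifier is merged unconditionally, so the key is present (with a nil
  # value) even when no PKCE verifier is configured.
  options[:additional_parameters].merge!({ code_verifier: @code_verifier })
  credentials = UserRefreshCredentials.new(
    client_id: @client_id.id,
    client_secret: @client_id.secret,
    redirect_uri: redirect_uri_for(base_url),
    scope: scope,
    additional_parameters: options[:additional_parameters]
  )
  credentials.code = code
  credentials.fetch_access_token!({})
  monitor_credentials user_id, credentials
end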
#revoke_authorization(user_id) ⇒ Object
Revokes a user's credentials. This both revokes the actual grant as well as removes the token from the token store.
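# File 'lib/googleauth/user_authorizer.rb', line 230

# Revoke a user's credentials: remove the token from the token store and
# revoke the grant itself.
#
# @param user_id [Object] key under which the token was stored
# @return [nil]
def revoke_authorization user_id
  credentials = get_credentials user_id
  # NOTE(review): when get_credentials returns nil, nothing is deleted or
  # revoked here, and get_credentials also returns nil for a stored token
  # that does not include the configured scope.
  if credentials
    begin
      @token_store.delete user_id
    ensure
      # Runs even if the delete raised, so the grant is still revoked. If
      # revoke! itself raises, the store entry has already been removed.
      credentials.revoke!
    end
  end
  nil
end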
#store_credentials(user_id, credentials) ⇒ Google::Auth::UserRefreshCredentials
Store credentials for a user. Generally not required to be called directly, but may be used to migrate tokens from one store to another.
# File 'lib/googleauth/user_authorizer.rb', line 252

# Store credentials for a user.
#
# The access token and the refresh token are written into the JSON record as
# plain values; this method applies no encryption, so protecting the record
# is left to the token store.
#
# @param user_id [Object] key under which the record is stored
# @param credentials [Google::Auth::UserRefreshCredentials] credentials to save
# @return [Google::Auth::UserRefreshCredentials] the same credentials object
def store_credentials(user_id, credentials)
  token_record = {
    client_id: credentials.client_id,
    access_token: credentials.access_token,
    refresh_token: credentials.refresh_token,
    scope: credentials.scope,
    # Expiry is saved in milliseconds.
    expiration_time_millis: credentials.expires_at.to_i * 1000
  }
  @token_store.store user_id, MultiJson.dump(token_record)
  credentials
end