honeyryder

Oauth

The :oauth plugin manages the handling of a given OAuth 2.0 session, in that it ships with convenience methods to generate a new access token, which it then injects in all requests.

oauth_session = HTTPX.plugin(:retries).plugin(:oauth, oauth_options: {
  issuer: "https://id-provider",
  client_id: "CLIENT_ID",
  client_secret: "SECRET",
  scope: "all"
})

oauth_session.get("https://super-secret/resource")
#=> will negotiate an access token (and refresh token) first with the issuer
#=> it'll then perform the request to "super-secret" with the access-token in the "authorization" header with "Bearer" type.
oauth_session.get("https://super-secret/resource2")
#=> it'll reuse the token
# 2 hours later, when the access token expires...
oauth_session.get("https://super-secret/resource1")
#=> first request fails with 401
#=> renegotiates new tokens with issues using the refresh_token grant if possible
#=> resends
# NOTE: the feature above only works with the `:retries` plugin. You'll have to call `oauth_session.refresh_oauth_tokens!` to manually refresh tokens otherwise.

It supports only the "client_credentials" and "refresh_token" auth flows, and “client_secret_basic” and “client_secret_post” as auth methods.

The following oauth options are supported:

  • :issuer: (mandatory) the URL of the OAuth issuer server.
  • :client_id: (mandatory) the application client ID to use in authentication schemes.
  • :client_secret: (mandatory) the application client secret to use in authentication schemes.
  • :scope: an array of the list of scopes to request grant for (if oauth server metadata is used, it’ll fall back to the "scopes_supported" value).
  • :audience: the audience which is requesting grant, usually a URL.
  • :token_endpoint: the OAuth token URL for the issuer (if oauth server metadata is used, it’ll fall back to the "token_endpoint" value, or if none, issuer + "/token").
  • :token_endpoint_auth_method: the authentication method to use in token HTTP requests (if oauth server metadata is used, it’ll pick the left-most of "token_endpoint_auth_methods_supported" supported by this plugin, otherwise it falls back to "client_secret_basic").
  • :grant_type: the type of OAuth grant to use to request for a token ((if oauth server metadata is used, it’ll pick the left-most of "grant_types_supported" supported by this plugin; if a refresh token is passed, it’ll use "refresh_token"; otherwise it falls back to "client_credentials").

(Additionally to the above, you can also pass :access_token or :refresh_token directly if you were previously granted those, nevertheless the point is to let the :oauth plugin take care of negotiating and refreshing tokens).

If the issuer supports Oauth server metadata discovery (aka the /.well-known/oauth-authorization-server path), you can forego passing most options.

Next: SSRF Filter