(since v0.8)
The oauth_assertion_base feature implements the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521).
It is the dependency on top of which the oauth_saml_bearer_grant and oauth_jwt_bearer_grant features are implemented, and it can also be used standalone to develop other assertion-based flows.
This is how an example "facebook" token-based assertion grant type could work:
```ruby
plugin :rodauth do
  enable :oauth_assertion_base

  # Hook for grant_type "urn:ietf:params:oauth:grant-type:facebook":
  # resolves the assertion to the local account row it belongs to.
  def account_from_facebook_assertion(assertion)
    profile = fetch_facebook_profile_info(assertion)
    db[accounts_table].where(login_column => profile[:email]).first
  end

  def fetch_facebook_profile_info(assertion)
    # use the facebook oauth API to get profile info and return as hash
  end
end
```
```ruby
require "httpx"
require "json"

# using the assertion as an authorization grant
response = HTTPX.post("https://oauth-server.com/token", json: {
  grant_type: "urn:ietf:params:oauth:grant-type:facebook",
  assertion: "PHNhbWxwOl...[omitted for brevity]...ZT4"
})
response.raise_for_status
payload = JSON.parse(response.to_s)
puts payload #=> {"access_token" => "awr23f3h8f9d2h89...", "refresh_token" => "23fkop3kr290kc..." ....
```
It is meant for setting up an OAuth Authorization Server decoupled from the Identity Provider: the Identity Provider emits assertions, and the Authorization Server verifies them and issues its own tokens in exchange.
```ruby
plugin :rodauth do
  enable :oauth_assertion_base
end
```
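The facebook example above hands the assertion straight to a profile lookup and trusts whatever comes back. The following is an added example, not code from rodauth-oauth, standing in for the body of a custom `account_from_<type>_assertion` hook: it performs the checks RFC 7521 (section 5) requires before an assertion from a decoupled Identity Provider may be exchanged for tokens (trusted issuer, valid signature, audience bound to this Authorization Server, not expired, subject mapped to a local account) and rejects the grant otherwise. The compact HMAC-signed token format, the issuer `https://idp.example.com`, the grant type `example-idp`, the shared secret and the in-memory account table are all constructed for the example; the grant-type URN dispatch only imitates the naming convention shown on this page, not the feature's internals.

```ruby
require "json"
require "openssl"

ASSERTION_GRANT_PREFIX = "urn:ietf:params:oauth:grant-type:"

# This Authorization Server's token endpoint; the IdP must name it as the
# audience so the assertion cannot be replayed against a different server.
TOKEN_ENDPOINT = "https://oauth-server.com/token"

# Issuers this AS trusts, keyed to their verification secret (constructed).
# A shared HMAC secret keeps the example offline; a real IdP would sign with
# an asymmetric key and the AS would hold only the public half.
TRUSTED_ISSUERS = { "https://idp.example.com" => "constructed-secret-for-example-only" }.freeze

# Constructed account table standing in for db[accounts_table].
ACCOUNTS = [{ id: 1, email: "alice@example.com" }, { id: 2, email: "bob@example.com" }].freeze

# Assertion types this AS accepts; an allow-list, so grant_type never
# becomes an arbitrary method name.
SUPPORTED_ASSERTION_TYPES = %w[example-idp].freeze

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict decoding: raises ArgumentError on garbage
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# IdP side: emit a compact "<base64url payload>.<base64url HMAC>" assertion.
def issue_assertion(issuer:, subject:, audience: TOKEN_ENDPOINT, expires_in: 300, now: Time.now.to_i)
  payload = { iss: issuer, sub: subject, aud: audience, iat: now, exp: now + expires_in }
  body = b64url_encode(JSON.generate(payload))
  mac = OpenSSL::HMAC.digest("SHA256", TRUSTED_ISSUERS.fetch(issuer), body)
  "#{body}.#{b64url_encode(mac)}"
end

# AS side: return the verified claims, or nil if any check fails.
def verify_assertion(assertion, now: Time.now.to_i)
  body, sig = assertion.to_s.split(".", 2)
  return nil if body.nil? || sig.nil?

  claims = JSON.parse(b64url_decode(body))
  return nil unless claims.is_a?(Hash)

  secret = TRUSTED_ISSUERS[claims["iss"]]
  return nil unless secret # unknown or missing issuer: refuse outright

  expected = OpenSSL::HMAC.digest("SHA256", secret, body)
  return nil unless constant_time_equal?(expected, b64url_decode(sig))

  return nil unless claims["aud"] == TOKEN_ENDPOINT                       # bound to this AS
  return nil unless claims["exp"].is_a?(Integer) && claims["exp"] > now   # not expired
  return nil unless claims["sub"].is_a?(String) && !claims["sub"].empty? # has a subject

  claims
rescue ArgumentError, JSON::ParserError
  nil # malformed base64 or JSON is an invalid assertion, not a server error
end

# The hook body: only a verified subject is ever looked up in the account table.
def account_from_example_idp_assertion(assertion, now: Time.now.to_i)
  claims = verify_assertion(assertion, now: now)
  return nil unless claims

  ACCOUNTS.find { |account| account[:email] == claims["sub"] }
end

# Token request dispatch by grant_type URN, in the spirit of the page's
# "urn:ietf:params:oauth:grant-type:facebook" -> account_from_facebook_assertion.
# Returns an OAuth error code hash, or the matched account id.
def token_request(params, now: Time.now.to_i)
  grant_type = params["grant_type"].to_s
  return { "error" => "unsupported_grant_type" } unless grant_type.start_with?(ASSERTION_GRANT_PREFIX)

  type = grant_type.delete_prefix(ASSERTION_GRANT_PREFIX)
  return { "error" => "unsupported_grant_type" } unless SUPPORTED_ASSERTION_TYPES.include?(type)

  account = send(:"account_from_#{type.tr('-', '_')}_assertion", params["assertion"], now: now)
  return { "error" => "invalid_grant" } unless account

  { "account_id" => account[:id] } # a real AS would now mint access/refresh tokens
end
```

The order of checks matters: the signature is verified before any claim is acted on, so a forged audience or expiry never influences the outcome, and every failure collapses to `invalid_grant` without revealing which check failed.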