More complete oidc
@@ -5,6 +5,7 @@ class Application < ApplicationRecord
|
||||
has_many :allowed_groups, through: :application_groups, source: :group
|
||||
has_many :oidc_authorization_codes, dependent: :destroy
|
||||
has_many :oidc_access_tokens, dependent: :destroy
|
||||
has_many :oidc_refresh_tokens, dependent: :destroy
|
||||
has_many :oidc_user_consents, dependent: :destroy
|
||||
|
||||
validates :name, presence: true
|
||||
@@ -17,6 +18,11 @@ class Application < ApplicationRecord
|
||||
validates :domain_pattern, presence: true, uniqueness: { case_sensitive: false }, if: :forward_auth?
|
||||
validates :landing_url, format: { with: URI::regexp(%w[http https]), allow_nil: true, message: "must be a valid URL" }
|
||||
|
||||
# Token TTL validations (for OIDC apps)
|
||||
validates :access_token_ttl, numericality: { greater_than_or_equal_to: 300, less_than_or_equal_to: 86400 }, if: :oidc? # 5 min - 24 hours
|
||||
validates :refresh_token_ttl, numericality: { greater_than_or_equal_to: 86400, less_than_or_equal_to: 7776000 }, if: :oidc? # 1 day - 90 days
|
||||
validates :id_token_ttl, numericality: { greater_than_or_equal_to: 300, less_than_or_equal_to: 86400 }, if: :oidc? # 5 min - 24 hours
|
||||
|
||||
normalizes :slug, with: ->(slug) { slug.strip.downcase }
|
||||
normalizes :domain_pattern, with: ->(pattern) {
|
||||
normalized = pattern&.strip&.downcase
|
||||
@@ -154,8 +160,44 @@ class Application < ApplicationRecord
|
||||
secret
|
||||
end
|
||||
|
||||
# Token TTL helper methods (for OIDC)
|
||||
def access_token_expiry
|
||||
(access_token_ttl || 3600).seconds.from_now
|
||||
end
|
||||
|
||||
def refresh_token_expiry
|
||||
(refresh_token_ttl || 2592000).seconds.from_now
|
||||
end
|
||||
|
||||
def id_token_expiry_seconds
|
||||
id_token_ttl || 3600
|
||||
end
|
||||
|
||||
# Human-readable TTL for display
|
||||
def access_token_ttl_human
|
||||
duration_to_human(access_token_ttl || 3600)
|
||||
end
|
||||
|
||||
def refresh_token_ttl_human
|
||||
duration_to_human(refresh_token_ttl || 2592000)
|
||||
end
|
||||
|
||||
def id_token_ttl_human
|
||||
duration_to_human(id_token_ttl || 3600)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def duration_to_human(seconds)
|
||||
if seconds < 3600
|
||||
"#{seconds / 60} minutes"
|
||||
elsif seconds < 86400
|
||||
"#{seconds / 3600} hours"
|
||||
else
|
||||
"#{seconds / 86400} days"
|
||||
end
|
||||
end
|
||||
|
||||
def generate_client_credentials
|
||||
self.client_id ||= SecureRandom.urlsafe_base64(32)
|
||||
# Generate and hash the client secret
|
||||
|
||||
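Review bot: The three TTL validations on `access_token_ttl`, `refresh_token_ttl` and `id_token_ttl` reject nil, yet every helper added further down falls back with `|| 3600` or `|| 2592000`, so the two halves of this change disagree about whether a missing TTL is legal. If the columns are added without database defaults (the migration is not shown here), existing OIDC applications would fail validation on their next save; either add `allow_nil: true` to match the helpers, or drop the fallbacks and rely on a column default. The checks also accept non-integer values such as 300.5, which `only_integer: true` would exclude, e.g. `numericality: { only_integer: true, greater_than_or_equal_to: 300, less_than_or_equal_to: 86400 }`. The upper bounds are what cap the lifetime of a leaked token, so a short comment saying so next to the `# 5 min - 24 hours` remarks would help later editors keep them in place.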
@@ -1,34 +1,83 @@
|
||||
class OidcAccessToken < ApplicationRecord
|
||||
belongs_to :application
|
||||
belongs_to :user
|
||||
has_many :oidc_refresh_tokens, dependent: :destroy
|
||||
|
||||
before_validation :generate_token, on: :create
|
||||
before_validation :set_expiry, on: :create
|
||||
|
||||
validates :token, presence: true, uniqueness: true
|
||||
validates :token, uniqueness: true, presence: true
|
||||
|
||||
scope :valid, -> { where("expires_at > ?", Time.current) }
|
||||
scope :valid, -> { where("expires_at > ?", Time.current).where(revoked_at: nil) }
|
||||
scope :expired, -> { where("expires_at <= ?", Time.current) }
|
||||
scope :revoked, -> { where.not(revoked_at: nil) }
|
||||
scope :active, -> { valid }
|
||||
|
||||
attr_accessor :plaintext_token # Store plaintext temporarily for returning to client
|
||||
|
||||
def expired?
|
||||
expires_at <= Time.current
|
||||
end
|
||||
|
||||
def revoked?
|
||||
revoked_at.present?
|
||||
end
|
||||
|
||||
def active?
|
||||
!expired?
|
||||
!expired? && !revoked?
|
||||
end
|
||||
|
||||
def revoke!
|
||||
update!(expires_at: Time.current)
|
||||
update!(revoked_at: Time.current)
|
||||
# Also revoke associated refresh tokens
|
||||
oidc_refresh_tokens.each(&:revoke!)
|
||||
end
|
||||
|
||||
# Check if a plaintext token matches the hashed token
|
||||
def token_matches?(plaintext_token)
|
||||
return false if plaintext_token.blank?
|
||||
|
||||
# Use BCrypt to compare if token_digest exists
|
||||
if token_digest.present?
|
||||
BCrypt::Password.new(token_digest) == plaintext_token
|
||||
# Fall back to direct comparison for backward compatibility
|
||||
elsif token.present?
|
||||
token == plaintext_token
|
||||
else
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
# Find by token (validates and checks if revoked)
|
||||
def self.find_by_token(plaintext_token)
|
||||
return nil if plaintext_token.blank?
|
||||
|
||||
# Find all non-revoked, non-expired tokens
|
||||
valid.find_each do |access_token|
|
||||
# Use BCrypt to compare (if token_digest exists) or direct comparison
|
||||
if access_token.token_digest.present?
|
||||
return access_token if BCrypt::Password.new(access_token.token_digest) == plaintext_token
|
||||
elsif access_token.token == plaintext_token
|
||||
return access_token
|
||||
end
|
||||
end
|
||||
nil
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def generate_token
|
||||
self.token ||= SecureRandom.urlsafe_base64(48)
|
||||
return if token.present?
|
||||
|
||||
# Generate opaque access token
|
||||
plaintext = SecureRandom.urlsafe_base64(48)
|
||||
self.plaintext_token = plaintext # Store temporarily for returning to client
|
||||
self.token_digest = BCrypt::Password.create(plaintext)
|
||||
# Keep token column for backward compatibility during migration
|
||||
self.token = plaintext
|
||||
end
|
||||
|
||||
def set_expiry
|
||||
self.expires_at ||= 1.hour.from_now
|
||||
self.expires_at ||= application.access_token_expiry
|
||||
end
|
||||
end
|
||||
|
||||
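Review bot: `find_by_token` iterates every row returned by `valid` and runs a bcrypt comparison on each, so validating one bearer token costs work proportional to the number of live tokens, and a request carrying a bogus token always pays for the full scan. The token is 48 random bytes, so a slow salted hash buys nothing over a plain SHA-256 digest, while a deterministic digest can be found through a unique index in a single query. `generate_token` also still assigns `self.token = plaintext`, which leaves the bearer value in the database beside its digest, and the `token == plaintext_token` fallbacks use ordinary string equality rather than `ActiveSupport::SecurityUtils.secure_compare`. The sketch below assumes `token_digest` gets a unique index and that the presence/uniqueness validation moves from `token` to `token_digest`; rows that already hold a bcrypt digest or only a plaintext `token` would stop matching and need to be reissued or left to expire.

```ruby
  def token_matches?(plaintext_token)
    return false if plaintext_token.blank? || token_digest.blank?

    # Constant-time comparison of two fixed-length hex digests.
    ActiveSupport::SecurityUtils.secure_compare(token_digest, self.class.digest_for(plaintext_token))
  end

  # Deterministic digest: adequate for a 48-byte random token and usable as an index key.
  def self.digest_for(plaintext_token)
    Digest::SHA256.hexdigest(plaintext_token)
  end

  def self.find_by_token(plaintext_token)
    return nil if plaintext_token.blank?

    valid.find_by(token_digest: digest_for(plaintext_token))
  end

  # … unchanged: private …

  def generate_token
    return if token_digest.present?

    plaintext = SecureRandom.urlsafe_base64(48)
    self.plaintext_token = plaintext # handed to the client once, never persisted
    self.token_digest = self.class.digest_for(plaintext)
  end
```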