Client Obtain Token - nov/openid_connect GitHub Wiki

NOTE

The openid_connect gem is based on the rack-oauth2 gem, so obtaining access tokens basically follows the rack-oauth2 style.

The only differences between Rack::OAuth2::Client and OpenIDConnect::Client are:

  • OpenIDConnect::Client#authorization_uri automatically adds openid scope if it's not given
  • OpenIDConnect::Client#access_token! returns OpenIDConnect::AccessToken instance, instead of Rack::OAuth2::AccessToken::Bearer

Below is a sample of the authorization code flow. See the Rack::OAuth2 wiki for other flows.

```ruby
# `client` is an already configured OpenIDConnect::Client.
# state binds the response to this browser session (CSRF protection);
# nonce binds the ID token to this authorization request (replay protection).
session[:state] = SecureRandom.hex(16)
session[:nonce] = SecureRandom.hex(16)

# Authorization Request
# openid is added to the scope automatically if it is not given.
authorization_uri = client.authorization_uri(
  scope: [:profile, :email],
  state: session[:state],
  nonce: session[:nonce]
)
`open "#{authorization_uri}"`

# Authorization Response
# In this console sample the code is pasted in by hand; in a web app it
# arrives as the `code` query parameter of the redirect to your callback URL.
puts "# Authorization Code"
code = gets.strip

# Token Request
client.authorization_code = code
access_token = client.access_token! # => OpenIDConnect::AccessToken

# Decode and verify the ID token signature with the IdP's public key.
id_token = OpenIDConnect::ResponseObject::IdToken.decode access_token.id_token, public_key # => OpenIDConnect::ResponseObject::IdToken
```
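The sample above generates state and nonce but stops before checking them on the way back. Here is the callback-side validation as an added example (not part of this wiki or the gem), using only the Ruby standard library with constructed sample values; the session hash, redirect URL and claims are hypothetical. In the gem itself the decoded IdToken object also offers verify! for the claim checks.

```ruby
require 'uri'
require 'cgi'

# Constant-time comparison so a state or nonce mismatch leaks no timing signal.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Callback side of the Authorization Response: accept the code only if the
# returned state equals the one stored in the session before the redirect.
def extract_code(redirect_uri, session)
  params = CGI.parse(URI(redirect_uri).query.to_s)
  raise 'state mismatch (possible CSRF)' unless secure_equal?(params['state'].first, session[:state])
  raise "authorization error: #{params['error'].first}" if params['error'].any?
  code = params['code'].first
  raise 'no authorization code in response' if code.nil? || code.empty?
  code
end

# Claim checks on the decoded ID token (after signature verification with the
# IdP's public key, as in IdToken.decode above). Claims are a plain Hash here.
def verify_id_token_claims(claims, issuer:, client_id:, nonce:, now: Time.now.to_i)
  raise 'issuer mismatch' unless claims['iss'] == issuer
  aud = Array(claims['aud'])
  raise 'audience mismatch' unless aud.include?(client_id)
  raise 'azp mismatch' if aud.size > 1 && claims['azp'] != client_id
  raise 'nonce mismatch (possible replay)' unless secure_equal?(claims['nonce'], nonce)
  raise 'ID token expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  true
end

# Constructed sample values (hypothetical, not real IdP data).
SESSION = { state: 'a1b2c3d4e5f60718', nonce: '0f1e2d3c4b5a6978' }.freeze
GOOD_REDIRECT = "https://rp.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=#{SESSION[:state]}"
GOOD_CLAIMS = { 'iss' => 'https://op.example', 'aud' => 'my-client-id',
                'nonce' => SESSION[:nonce], 'iat' => 1_700_000_000, 'exp' => 1_700_000_900 }.freeze

if __FILE__ == $0
  code = extract_code(GOOD_REDIRECT, SESSION)
  verify_id_token_claims(GOOD_CLAIMS, issuer: 'https://op.example',
                         client_id: 'my-client-id', nonce: SESSION[:nonce], now: 1_700_000_100)
  puts "code #{code} accepted and ID token claims verified"
end
```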

If your OAuth server requires a JWT bearer client assertion (a.k.a. private_key_jwt), as iGov-compliant IdPs do, follow this gist: https://gist.github.com/nov/98d26044e2f7c5b7d8fdba2b9bd101b4