Skip to content

Commit

Permalink
Org Support
Browse files Browse the repository at this point in the history
  • Loading branch information
davidpatrick committed Apr 1, 2021
1 parent 37ebf00 commit 77b9732
Show file tree
Hide file tree
Showing 4 changed files with 118 additions and 1 deletion.
69 changes: 69 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -131,9 +131,78 @@ In some scenarios, you may need to pass specific query parameters to `/authorize
- `connection_scope`
- `prompt`
- `screen_hint` (only relevant to New Universal Login Experience)
- `organization`
- `invitation`

Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.

## Examples

### Auth0 Organizations (Closed Beta)

Organizations is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.

Using Organizations, you can:

- Represent teams, business customers, partner companies, or any logical grouping of users that should have different ways of accessing your applications, as organizations.
- Manage their membership in a variety of ways, including user invitation.
- Configure branded, federated login flows for each organization.
- Implement role-based access control, such that users can have different roles when authenticating in the context of different organizations.
- Build administration capabilities into your products, using Organizations APIs, so that those businesses can manage their own organizations.

Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.

#### Logging in with an Organization

Logging in with an Organization is as easy as passing the parameters to the authorize endpoint. You can do this with

```ruby
<%=
button_to 'Login', 'auth/auth0',
method: :post,
params: {
# Found in your Auth0 dashboard, under Organization settings:
organization: '{AUTH0_ORGANIZATION}'
}
%>
```
Alternatively you can configure the organization when you register the provider:
```ruby
provider
:auth0,
ENV['AUTH0_CLIENT_ID'],
ENV['AUTH0_CLIENT_SECRET'],
ENV['AUTH0_DOMAIN'],
{
authorize_params: {
scope: 'openid read:users',
audience: 'https://{AUTH0_DOMAIN}/api',
organization: '{AUTH0_ORGANIZATION}'
}
}
```
#### Accepting user invitations
Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard.
When the user arrives at your application using an invite link, you can expect three query parameters to be provided: `invitation`, `organization`, and `organization_name`. These will always be delivered using a GET request.
You can then supply those parametrs to a `button_to` or `link_to` helper
```ruby
<%=
button_to 'Login', 'auth/auth0',
method: :post,
params: {
organization: '{YOUR_ORGANIZATION_ID}',
invitation: '{INVITE_CODE}'
}
%>
```

## Contribution

We appreciate feedback and contribution to this repo! Before you get started, please see the following:
Expand Down
13 changes: 13 additions & 0 deletions lib/omniauth/auth0/jwt_validator.rb
Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,7 @@ def verify_claims(id_token, authorize_params)
leeway = authorize_params[:leeway] || 60
max_age = authorize_params[:max_age]
nonce = authorize_params[:nonce]
organization = authorize_params[:organization]

verify_iss(id_token)
verify_sub(id_token)
Expand All @@ -183,6 +184,7 @@ def verify_claims(id_token, authorize_params)
verify_nonce(id_token, nonce)
verify_azp(id_token)
verify_auth_time(id_token, leeway, max_age)
verify_org(id_token, organization)
end

def verify_iss(id_token)
Expand Down Expand Up @@ -260,6 +262,17 @@ def verify_auth_time(id_token, leeway, max_age)
end
end
end

def verify_org(id_token, organization)
if organization
org_id = id_token['org_id']
if !org_id || !org_id.is_a?(String)
raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim must be a string present in the ID token")
elsif org_id != organization
raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'")
end
end
end
end
end
end
2 changes: 1 addition & 1 deletion lib/omniauth/strategies/auth0.rb
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ def client
# Define the parameters used for the /authorize endpoint
def authorize_params
params = super
%w[connection connection_scope prompt screen_hint].each do |key|
%w[connection connection_scope prompt screen_hint organization invitation].each do |key|
params[key] = request.params[key] if request.params.key?(key)
end

Expand Down
35 changes: 35 additions & 0 deletions spec/omniauth/auth0/jwt_validator_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -476,6 +476,41 @@
expect(id_token['auth_time']).to eq(auth_time)
end

it 'should fail when authorize params has organization but org_id is missing in the token', focus: true do
payload = {
iss: "https://#{domain}/",
sub: 'sub',
aud: client_id,
exp: future_timecode,
iat: past_timecode
}

token = make_hs256_token(payload)
expect do
jwt_validator.verify(token, { organization: 'Test Org' })
end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
message: "Organization Id (org_id) claim must be a string present in the ID token"
}))
end

it 'should fail when authorize params has organization but token org_id does not match', focus: true do
payload = {
iss: "https://#{domain}/",
sub: 'sub',
aud: client_id,
exp: future_timecode,
iat: past_timecode,
org_id: 'Wrong Org'
}

token = make_hs256_token(payload)
expect do
jwt_validator.verify(token, { organization: 'Test Org' })
end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
message: "Organization Id (org_id) claim value mismatch in the ID token; expected 'Test Org', found 'Wrong Org'"
}))
end

it 'should fail for RS256 token when kid is incorrect' do
domain = 'example.org'
sub = 'abc123'
Expand Down

0 comments on commit 77b9732

Please sign in to comment.