From 0870e66c4ae8d2c7e96cf15563d4c97976a014e1 Mon Sep 17 00:00:00 2001
From: Stephen Greer
Date: Wed, 14 Dec 2022 15:33:53 -0600
Subject: [PATCH] Allow id token hint param (#8)
* Add id_token_hint param to end_session_endpoint
* Don't use discovery when set to false
* Correct variable update
* Linting
---
 lib/extensions/discovery.rb | 24 +++++++++++
 lib/omniauth/strategies/base_strategy.rb | 55 ++++++++++++++++++++++++
 lib/omniauth/strategies/nitro_id.rb | 14 +++---
 lib/omniauth/strategies/tempo_id.rb | 14 +++---
 4 files changed, 89 insertions(+), 18 deletions(-)
 create mode 100644 lib/extensions/discovery.rb
 create mode 100644 lib/omniauth/strategies/base_strategy.rb
diff --git a/lib/extensions/discovery.rb b/lib/extensions/discovery.rb
new file mode 100644
index 0000000..829b64c
--- /dev/null
+++ b/lib/extensions/discovery.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Extensions
+ module Discovery
+ Module.new do
+ # Monkey patch allow HTTP instead of forcing HTTPS for discovery.
+
+ attr_reader :scheme
+
+ def initialize(uri)
+ @scheme = uri.scheme
+ super
+ end
+
+ def endpoint
+ URI::Generic.build(scheme: scheme, host: host, port: port, path: path)
+ rescue URI::Error => e
+ raise SWD::Exception, e.message
+ end
+
+ prepend_features(::OpenIDConnect::Discovery::Provider::Config::Resource)
+ end
+ end
+end
diff --git a/lib/omniauth/strategies/base_strategy.rb b/lib/omniauth/strategies/base_strategy.rb
new file mode 100644
index 0000000..3a28e52
--- /dev/null
+++ b/lib/omniauth/strategies/base_strategy.rb
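Review bot: Prepending this module onto the shared `::OpenIDConnect::Discovery::Provider::Config::Resource` changes discovery behaviour for every OpenID Connect strategy loaded in the process, not only the ones in this gem, and it takes effect as soon as the file is required; with an `http://` issuer the discovered document (including `jwks_uri` and the token/authorization endpoints) arrives unauthenticated, so anyone on the network path can substitute signing keys and endpoints and the resulting ID tokens will verify. A development-only escape hatch should be opt-in — gate the `prepend_features` call behind an explicit setting (placeholder: `ENV["ALLOW_INSECURE_DISCOVERY"]`) or limit the non-https branch to loopback hosts — and the comment should state the intent: `# Monkey patch: honour the issuer's scheme for discovery instead of forcing https. Only for local/dev issuers; production issuers must stay on https.` Separately, `@scheme = uri.scheme` is nil when the issuer is configured without a scheme, and `URI::Generic.build` then produces a scheme-less endpoint where the patched-out behaviour always built https; `@scheme = uri.scheme || "https"` keeps the old default.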
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require "omniauth_openid_connect"
+require_relative "../../extensions/discovery"
+
+module OmniAuth
+ module Strategies
+ class BaseStrategy < OmniAuth::Strategies::OpenIDConnect
+ def public_key
+ @public_key ||= if options.discovery
+ config.jwks
+ elsif key_or_secret
+ key_or_secret
+ elsif client_options.jwks_uri
+ fetch_key
+ end
+ end
+
+ private
+
+ def fetch_key
+ @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get_content(client_options.jwks_uri))
+ end
+
+ def key_or_secret
+ @key_or_secret ||=
+ case options.client_signing_alg&.to_sym
+ when :HS256, :HS384, :HS512
+ client_options.secret
+ when :RS256, :RS384, :RS512
+ parse_key
+ end
+ end
+
+ def encoded_post_logout_redirect_uri
+ return unless options.post_logout_redirect_uri
+
+ query = {
+ post_logout_redirect_uri: options.post_logout_redirect_uri,
+ }
+ query = query.merge({ id_token_hint: params["id_token_hint"] }) if params["id_token_hint"]
+
+ URI.encode_www_form(query)
+ end
+
+ def parse_key
+ if options.client_jwk_signing_key
+ parse_jwk_key(options.client_jwk_signing_key)
+ elsif options.client_x509_signing_key
+ parse_x509_key(options.client_x509_signing_key)
+ end
+ end
+ end
+ end
+end
diff --git a/lib/omniauth/strategies/nitro_id.rb b/lib/omniauth/strategies/nitro_id.rb
index 7e5ae05..7164fd1 100644
--- a/lib/omniauth/strategies/nitro_id.rb
+++ b/lib/omniauth/strategies/nitro_id.rb
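Review bot: In `encoded_post_logout_redirect_uri`, `params["id_token_hint"]` appears to be read from the incoming Rack request, so whatever a caller places in the logout URL's query string is forwarded verbatim to the provider's end_session_endpoint; the hint the OP expects is the ID token this strategy itself received at login, which would more naturally come from the session or stored credentials than be trusted from the request (not visible here — worth confirming where callers get it from). If it must come from the request, at least require it to look like a compact JWT before forwarding: `hint = params["id_token_hint"]` / `query[:id_token_hint] = hint if hint.is_a?(String) && hint.match?(/\A[\w-]+\.[\w-]+\.[\w-]+\z/)`, which also replaces the `query.merge({...})` round-trip with a plain assignment. The `public_key`, `fetch_key`, `key_or_secret` and `parse_key` methods override private helpers of the parent `OpenIDConnect` strategy and are coupled to its internals; a one-line comment recording why (`# overrides upstream so that discovery: false really skips config.jwks`) and which upstream version they were adapted from would keep the next gem upgrade from silently diverging.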
@@ -1,18 +1,14 @@
 # frozen_string_literal: true
 
-require "omniauth_openid_connect"
+require_relative "base_strategy"
 
 module OmniAuth
 module Strategies
- class NitroId < OmniAuth::Strategies::OpenIDConnect
- DEFAULT_STRATEGY_NAME = "nitro_id"
- DEFAULT_ISSUER = "https://id.powerhrg.com/"
- DEFAULT_HOST = "id.powerhrg.com"
-
- option :name, DEFAULT_STRATEGY_NAME
+ class NitroId < BaseStrategy
+ option :name, "nitro_id"
 option :discovery, true
- option :issuer, DEFAULT_ISSUER
- option :client_options, host: DEFAULT_HOST
+ option :issuer, "https://id.powerhrg.com/"
+ option :client_options, host: "id.powerhrg.com"
 end
 end
 end
diff --git a/lib/omniauth/strategies/tempo_id.rb b/lib/omniauth/strategies/tempo_id.rb
index 85a5d93..e2fe078 100644
--- a/lib/omniauth/strategies/tempo_id.rb
+++ b/lib/omniauth/strategies/tempo_id.rb
@@ -1,18 +1,14 @@
 # frozen_string_literal: true
 
-require "omniauth_openid_connect"
+require_relative "base_strategy"
 
 module OmniAuth
 module Strategies
- class TempoId < OmniAuth::Strategies::OpenIDConnect
- DEFAULT_STRATEGY_NAME = "tempo_id"
- DEFAULT_ISSUER = "https://id.streamfinancial.io/"
- DEFAULT_HOST = "id.streamfinancial.io"
-
- option :name, DEFAULT_STRATEGY_NAME
+ class TempoId < BaseStrategy
+ option :name, "tempo_id"
 option :discovery, true
- option :issuer, DEFAULT_ISSUER
- option :client_options, host: DEFAULT_HOST
+ option :issuer, "https://id.streamfinancial.io/"
+ option :client_options, host: "id.streamfinancial.io"
 end
 end
 end
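Review bot: `NitroId` loses its public constants `DEFAULT_STRATEGY_NAME`, `DEFAULT_ISSUER` and `DEFAULT_HOST`, and the tempo_id.rb hunk does the same to `TempoId`; any application code that referenced e.g. `OmniAuth::Strategies::NitroId::DEFAULT_ISSUER` will now raise `NameError`, which the commit message does not mention. If nothing outside the gem uses them this is harmless, but for a published gem it is a breaking change and deserves either a changelog entry or keeping the constants (`DEFAULT_ISSUER = "https://id.powerhrg.com/"` with `option :issuer, DEFAULT_ISSUER`) so the public surface is unchanged. Both strategies also keep `option :discovery, true`, so the non-discovery key lookup added in `BaseStrategy#public_key` is only exercised when an application explicitly sets `discovery: false`; a short comment on that option line saying so would make the intended configuration obvious.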