OmniAuth::Yufu
OmniAuth::Yufu provides a clean, simple wrapper on top of JWT so that you can easily implement this kind
of SSO either between your own applications or allow third parties to delegate authentication.
Installation
Add this line to your application's Gemfile:

    gem 'omniauth-yufu'

And then execute:

    $ bundle

Or install it yourself as:

    $ gem install omniauth-yufu
Usage
You use OmniAuth::Yufu just like you do any other OmniAuth strategy:

    use OmniAuth::Yufu, 'PUBLIC_KEY', auth_url: 'http://example.com/login'
Authentication Process
When you authenticate through omniauth-jwt you can send users to /auth/jwt and it will redirect them to the URL specified in the auth_url option. From there, the provider must generate a JWT and send it to the /auth/jwt/callback URL as a "jwt" parameter:

    /auth/jwt/callback?jwt=ENCODEDJWTGOESHERE

The sub of the JWT should be the unique email address of the tenant user.

An example of how to do that in Sinatra:
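
    require 'sinatra'
    require 'jwt'

    # current_user is the application's own helper for the signed-in user.
    get '/login/sso/other-app' do
      claims = {
        # The sub carries the user's unique email address, as stated above.
        sub: current_user.email,
        id: current_user.id,
        name: current_user.name,
        email: current_user.email,
        iat: Time.now.to_i
      }
      # With no algorithm argument, JWT.encode signs with HS256, so the value
      # passed as the key acts as a shared secret between both applications.
      payload = JWT.encode(claims, ENV['PUBLIC_KEY'])
      redirect "http://other-app.com/auth/jwt/callback?jwt=#{payload}"
    end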
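
The checks a receiving application would make on the "jwt" callback parameter described above, as an added example that is not code from omniauth-yufu or this README. It uses only Ruby's standard library. Assumptions: RS256 signatures, a 300-second freshness window on iat, and the hypothetical helper names verify_callback_jwt and sample_token.

```ruby
require 'json'
require 'openssl'

MAX_AGE = 300 # seconds a token stays acceptable after iat (assumed policy)
SKEW    = 30  # tolerated clock skew in seconds (assumed policy)

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  (str.tr('-_', '+/') + '=' * ((4 - str.length % 4) % 4)).unpack1('m0')
end

# Hypothetical helper: returns the claims hash or raises ArgumentError
# naming the check that failed. RS256 is an assumption of this example.
def verify_callback_jwt(token, public_key, now: Time.now.to_i)
  parts = token.to_s.split('.', -1)
  raise ArgumentError, 'malformed token' unless parts.length == 3
  head64, body64, sig64 = parts

  header = JSON.parse(b64url_decode(head64))
  # Pin the algorithm; the token's own header must not choose the verifier.
  unless header.is_a?(Hash) && header['alg'] == 'RS256'
    raise ArgumentError, 'unexpected alg'
  end

  digest = OpenSSL::Digest.new('SHA256')
  signed = public_key.verify(digest, b64url_decode(sig64), "#{head64}.#{body64}")
  raise ArgumentError, 'bad signature' unless signed

  # Claims are parsed only after the signature has checked out.
  claims = JSON.parse(b64url_decode(body64))
  raise ArgumentError, 'malformed token' unless claims.is_a?(Hash)
  iat = claims['iat']
  fresh = iat.is_a?(Integer) && (now - iat).between?(-SKEW, MAX_AGE)
  raise ArgumentError, 'stale or missing iat' unless fresh
  raise ArgumentError, 'missing sub' if claims['sub'].to_s.empty?
  claims
rescue JSON::ParserError, OpenSSL::PKey::PKeyError
  raise ArgumentError, 'malformed token'
end

# Builds a constructed RS256 token so the verifier can be exercised offline.
def sample_token(private_key, claims, header = { alg: 'RS256', typ: 'JWT' })
  input = [header, claims].map { |h| b64url_encode(JSON.generate(h)) }.join('.')
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), input)
  "#{input}.#{b64url_encode(sig)}"
end
```

Because the redirect puts the token in a URL, it can end up in browser history and server logs, so the freshness check on iat limits how long a captured token can be replayed.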