doorkeeper-openid_connect 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4a7c3aedaa20bdd3901db1b929c3c3bb99657741
+  data.tar.gz: 87ac0f39c66b33ddbbf37507f3aed1d1982077b7
+SHA512:
+  metadata.gz: 0a9d2fc390e85c552b1cfe7bd316864b5d86973044233f276e46dd442ce4fc566ff55e7b5132c671b04c045c761ffcedbe35419c5f3d70b1e30852300c1ab13b
+  data.tar.gz: ae08481f8d98779741c9cd7daaceaea8825b178c8591e3d33423f9cb6bcfc399fa0331e899e776c4481a71bf8b384e7af7dbb77f980140d0d4c199aa342f585b

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.idea/

data/.ruby-version

@@ -0,0 +1 @@
+2.1.0

data/Gemfile

@@ -0,0 +1,10 @@
+ENV['rails'] ||= ENV['orm'] == "mongoid4" ? '4.0.2' : '3.2.13'
+
+source 'https://rubygems.org'
+
+# Define Rails version
+gem 'rails', ENV['rails']
+
+gem 'doorkeeper'
+
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Sam Dengler
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,90 @@
+# Doorkeeper::OpenidConnect
+
+This library is a plugin to the Doorkeeper OAuth Ruby framework that implements the OpenID Connect specification incompletely (http://openid.net/specs/openid-connect-core-1_0.html).
+
+## Version 1.x
+
+This library is still pretty raw, but the latest changes are not backwards compatible with the 0.x version of the gem, so the version has been bumped to 1.x according to Semantic Versioning (http://semver.org/) conventions.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'doorkeeper-openid_connect', '~> 1.0.0'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install doorkeeper-openid_connect -v '~> 1.0.0'
+
+## Usage
+
+Add the following to your config/routes.rb:
+
+    use_doorkeeper_openid_connect
+
+Add the following to your config/initializers/doorkeeper_openid_connect.rb:
+
+    Doorkeeper::OpenidConnect.configure do
+
+      jws_private_key <<eol
+    -----BEGIN RSA PRIVATE KEY-----
+    ....
+    -----END RSA PRIVATE KEY-----
+    eol
+
+      jws_public_key <<eol
+    -----BEGIN RSA PUBLIC KEY-----
+    ....
+    -----END RSA PUBLIC KEY-----
+    eol
+
+      issuer 'issuer string'
+
+      subject do |resource_owner|
+        resource_owner.key
+      end
+
+      claims do
+        claim :_foo_ do |resource_owner|
+          resource_owner.foo
+        end
+
+        claim :_bar_ do |resource_owner|
+          resource_owner.bar
+        end
+      end
+
+    end
+
+where:
+
+The following configurations are required:
+
+* jws_private_key - private key for JSON Web Signature(https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31)
+* jws_public_key  - public key for JSON Web Signature(https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31)
+* issuer - Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
+* resource_owner_from_access_token - defines how to translate the doorkeeper access_token to a resource owner model
+
+Given a resource owner, the following claims are required:
+
+* subject - REQUIRED. Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length. The sub value is a case sensitive string.
+
+Custom claims can optionally be specified in a `claims` block.  The following claim types are currently supported:
+
+* normal_claim - Normal claims (http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims) - specify claim name and a block using resource_owner to determine the claim value.
+
+## TODO
+
+1. Move jws_private_key and jws_public_key to a lamba expression to avoid committing keys to code
+
+## Contributing
+
+1. Fork it ( http://github.com/<my-github-username>/doorkeeper-openid_connect/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,7 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new
+
+task default: :spec
+task test: :spec

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb

@@ -0,0 +1,19 @@
+module Doorkeeper
+  module OpenidConnect
+    class UserinfoController < ::Doorkeeper::ApplicationController
+      include Doorkeeper::Helpers::Controller
+
+      def show
+        if doorkeeper_token && doorkeeper_token.accessible?
+          resource_owner = doorkeeper_token.instance_eval(&Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token)
+          user_info = Doorkeeper::OpenidConnect::Models::UserInfo.new(resource_owner)
+          render json: user_info, status: :ok
+        else
+          error = OAuth::ErrorResponse.new(name: :invalid_request)
+          response.headers.merge!(error.headers)
+          render json: error.body, status: error.status
+        end
+      end
+    end
+  end
+end

data/config/locales/en.yml

@@ -0,0 +1,20 @@
+en:
+  doorkeeper:
+    openid_connect:
+      errors:
+        messages:
+          # Common error messages
+          invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+          invalid_redirect_uri: 'The redirect uri included is not valid.'
+          unauthorized_client: 'The client is not authorized to perform this request using this method.'
+          access_denied: 'The resource owner or authorization server denied the request.'
+          invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
+          server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
+          temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
+
+          #configuration error messages
+          jwt_private_key_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.jwt_private_key missing configuration.'
+          jwt_public_key_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.jwt_public_key missing configuration.'
+          issuer: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.issuer missing configuration.'
+          resource_owner_from_access_token_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
+          subject_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'

data/doorkeeper-openid_connect.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+$:.push File.expand_path('../lib', __FILE__)
+require 'doorkeeper/openid_connect/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'doorkeeper-openid_connect'
+  spec.version       = Doorkeeper::OpenidConnect::VERSION
+  spec.authors       = ['Sam Dengler']
+  spec.email         = ['sam.dengler@playonsports.com']
+  spec.homepage      = 'https://github.com/playon/doorkeeper-openid_connect'
+  spec.summary       = %q{OpenID Connect extension to Doorkeeper.}
+  spec.description   = %q{OpenID Connect extension to Doorkeeper.}
+  spec.license       = %q{MIT}
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'railties', '>= 3.1'
+  spec.add_dependency 'doorkeeper', '>= 1.3'
+  spec.add_dependency 'sandal', '~> 0.6.0'
+
+  spec.add_development_dependency 'rspec-rails', '~> 2.99.0'
+  spec.add_development_dependency 'generator_spec', '~> 0.9.0'
+  spec.add_development_dependency 'factory_girl', '~> 2.6.4'
+end

data/lib/doorkeeper/openid_connect.rb

@@ -0,0 +1,65 @@
+require 'doorkeeper/openid_connect/version'
+require 'doorkeeper/openid_connect/engine'
+
+require 'doorkeeper/openid_connect/models/id_token'
+require 'doorkeeper/openid_connect/models/user_info'
+require 'doorkeeper/openid_connect/models/claims/claim'
+require 'doorkeeper/openid_connect/models/claims/normal_claim'
+
+require 'doorkeeper/openid_connect/claims_builder'
+require 'doorkeeper/openid_connect/config'
+
+require 'doorkeeper/openid_connect/rails/routes'
+
+module Doorkeeper
+  module OpenidConnect
+    def self.configured?
+      @config.present?
+    end
+
+    def self.installed?
+      configured?
+    end
+  end
+end
+
+module Doorkeeper
+  module OAuth
+    class PasswordAccessTokenRequest
+      private
+
+      def after_successful_response
+        id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token)
+        @response.id_token = id_token
+      end
+    end
+  end
+end
+
+module Doorkeeper
+  module OAuth
+    class AuthorizationCodeRequest
+      private
+
+      def after_successful_response
+        id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token)
+        @response.id_token = id_token
+      end
+    end
+  end
+end
+
+module Doorkeeper
+  module OAuth
+    class TokenResponse
+      attr_accessor :id_token
+      alias_method :original_body, :body
+
+      def body
+        original_body.
+          merge({:id_token => id_token.as_jws_token}).
+          reject { |_, value| value.blank? }
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect/claims_builder.rb

@@ -0,0 +1,24 @@
+require 'ostruct'
+
+module Doorkeeper
+  module OpenidConnect
+    class ClaimsBuilder
+      def initialize(&block)
+        @claims = OpenStruct.new
+        instance_eval(&block)
+      end
+
+      def build
+        @claims
+      end
+
+      def normal_claim(name, &block)
+        @claims[name] =
+          Doorkeeper::OpenidConnect::Models::Claims::NormalClaim.new(
+            name: name,
+            value: block
+          )
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect/config.rb

@@ -0,0 +1,125 @@
+module Doorkeeper
+  module OpenidConnect
+    class MissingConfiguration < StandardError
+      def initialize
+        super('Configuration for Doorkeeper OpenID Connect missing. Do you have doorkeeper_openid_connect initializer?')
+      end
+    end
+
+    def self.configure(&block)
+      @config = Config::Builder.new(&block).build
+    end
+
+    def self.configuration
+      @config || (fail MissingConfiguration.new)
+    end
+
+    class Config
+      class Builder
+        def initialize(&block)
+          @config = Config.new
+          instance_eval(&block)
+        end
+
+        def build
+          @config
+        end
+      end
+
+      module Option
+        # Defines configuration option
+        #
+        # When you call option, it defines two methods. One method will take place
+        # in the +Config+ class and the other method will take place in the
+        # +Builder+ class.
+        #
+        # The +name+ parameter will set both builder method and config attribute.
+        # If the +:as+ option is defined, the builder method will be the specified
+        # option while the config attribute will be the +name+ parameter.
+        #
+        # If you want to introduce another level of config DSL you can
+        # define +builder_class+ parameter.
+        # Builder should take a block as the initializer parameter and respond to function +build+
+        # that returns the value of the config attribute.
+        #
+        # ==== Options
+        #
+        # * [:+as+] Set the builder method that goes inside +configure+ block
+        # * [+:default+] The default value in case no option was set
+        #
+        # ==== Examples
+        #
+        #    option :name
+        #    option :name, as: :set_name
+        #    option :name, default: 'My Name'
+        #    option :scopes builder_class: ScopesBuilder
+        #
+        def option(name, options = {})
+          attribute = options[:as] || name
+          attribute_builder = options[:builder_class]
+
+          Builder.instance_eval do
+            define_method name do |*args, &block|
+              # TODO: is builder_class option being used?
+              value = unless attribute_builder
+                        block ? block : args.first
+                      else
+                        attribute_builder.new(&block).build
+                      end
+
+              @config.instance_variable_set(:"@#{attribute}", value)
+            end
+          end
+
+          define_method attribute do |*args|
+            if instance_variable_defined?(:"@#{attribute}")
+              instance_variable_get(:"@#{attribute}")
+            else
+              options[:default]
+            end
+          end
+
+          public attribute
+        end
+
+        def extended(base)
+          base.send(:private, :option)
+        end
+      end
+
+      extend Option
+
+      option :jws_private_key,
+             default: (lambda do
+               logger.warn(I18n.translate('doorkeeper.openid_connect.errors.messages.jws_private_key_configured'))
+               nil
+             end)
+
+      option :jws_public_key,
+             default: (lambda do
+               logger.warn(I18n.translate('doorkeeper.openid_connect.errors.messages.jws_public_key_configured'))
+               nil
+             end)
+
+      option :issuer,
+             default: (lambda do
+               logger.warn(I18n.translate('doorkeeper.openid_connect.errors.messages.issuer_configured'))
+               nil
+             end)
+
+      option :resource_owner_from_access_token,
+             default: (lambda do
+               logger.warn(I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_configured'))
+               nil
+             end)
+
+      option :subject,
+             default: (lambda do
+               logger.warn(I18n.translate('doorkeeper.openid_connect.errors.messages.subject_configured'))
+               nil
+             end)
+
+      option :claims, builder_class: ClaimsBuilder
+    end
+  end
+end