doorkeeper-openid_connect 1.0.1 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ae67f5718e8a89e0ebca2879c0e160d85b605f05
-  data.tar.gz: eb28b2f5e753cd4844830358b7cca3c81ef4de6f
+  metadata.gz: b40bbe1bf519ac049a06984fe9aa3e4c9dd8a51a
+  data.tar.gz: 4f5b3b1fb7a274a600566b7327f8d534039085b5
 SHA512:
-  metadata.gz: 20967d5bcc944e7afd6a0788c67b4618d8c250e97afa180f8a11b27aef970e917d64229866feccfbb6900fd01c44ee0b0c2b6697186af96ef1f48cbacb518346
-  data.tar.gz: 57f7f47f3dcdbf6a6e226ad7416c4dbb75912d7bc2ab8dfe73002d4e969780e8cbb8190e27eaabd8f2682006afe8f09952dc173cbbb0ac9ea0ac3b370c9805d5
+  metadata.gz: 5bbae464b4b78cac862eb48d36d52e55ccc22185c35f80dfc0b0cc0b0284d3ab63a935ecdd1c4a2b9a0f438b3546d07d1f99e472688c146b51ca41d6e98ec1c7
+  data.tar.gz: 5c24fce98f8baf319452109d17694eaa8562da62de8d8d5a731e0b13df0d75f8742b71807cb4b5ef5e13f0198009787661426235cc102605c12c7ea633f93303

data/.gitignore

@@ -1,18 +1,6 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp
-.idea/
+/.bundle
+/Gemfile.lock
+/spec/dummy/db/*.sqlite3
+/spec/dummy/log/*.log
+/spec/dummy/tmp/
+/spec/examples.txt

data/.ruby-version

@@ -1 +1 @@
-2.1.0
+2.3.1

data/.travis.yml

@@ -0,0 +1,26 @@
+sudo: false
+language: ruby
+cache: bundler
+
+before_install:
+  - gem update bundler
+
+before_script:
+  - bundle update
+
+script:
+  - bundle exec rake spec
+
+env:
+  - rails=4.2.0
+  - rails=5.0.0
+
+rvm:
+  - 2.1
+  - 2.2.5
+  - 2.3.1
+
+matrix:
+  exclude:
+    - env: rails=5.0.0
+      rvm: 2.1

data/CHANGELOG.md

@@ -0,0 +1,24 @@
+<a name="v1.1.0"></a>
+### v1.1.0 (2016-11-30)
+
+This release is a general clean-up and adds support for some advanced OpenID Connect features.
+Make sure to check the updated [README.md](README.md), especially the [configuration](README.md#configuration) section.
+
+#### Features
+
+* Respect scope grants in UserInfo response	 ([25f2170](/../../commit/25f2170))
+* Support max_age parameter	 ([aabe3aa](/../../commit/aabe3aa))
+* Add generator for initializer	 ([80399fd](/../../commit/80399fd))
+* Store and return nonces in IdToken responses	 ([d28ca8c](/../../commit/d28ca8c))
+* Support prompt=none parameter	 ([c775d8b](/../../commit/c775d8b))
+* Add supported claims to discovery response	 ([1d8f9ea](/../../commit/1d8f9ea))
+* Add webfinger and keys endpoints for discovery	 ([f70898b](/../../commit/f70898b))
+* Add discovery endpoint	 ([a16caa8](/../../commit/a16caa8))
+
+#### Bug Fixes
+
+* Work around response_body issue on Rails 5, fix specs	 ([bc4ac76](/../../commit/bc4ac76))
+* Return auth_time in ID token claims	 ([490f756](/../../commit/490f756))
+* Don't require nonce	 ([d2945da](/../../commit/d2945da))
+* Also support POST requests to userinfo	 ([87a6577](/../../commit/87a6577))
+* Add openid scope to Doorkeeper configuration	 ([8169c2d](/../../commit/8169c2d))

data/CONTRIBUTING.md

@@ -0,0 +1,72 @@
+# Contributing
+
+## Workflow
+
+We are using the [Feature Branch Workflow (also known as GitHub Flow)](https://guides.github.com/introduction/flow/), and prefer delivery as pull requests.
+
+Our first line of defense is the [Travis CI](https://travis-ci.org/doorkeeper-gem/doorkeeper-openid_connect) build defined within [.travis.yml](.travis.yml) and triggered for every pull request.
+
+Create a feature branch:
+
+```sh
+git checkout -B feat/contributing
+```
+
+## Creating Good Commits
+
+The cardinal rule for creating good commits is to ensure there is only one
+"logical change" per commit. Why is this an important rule?
+
+* The smaller the amount of code being changed, the quicker & easier it is to
+  review & identify potential flaws.
+
+* If a change is found to be flawed later, it may be necessary to revert the
+  broken commit. This is much easier to do if there are not other unrelated
+  code changes entangled with the original commit.
+
+* When troubleshooting problems using Git's bisect capability, small well
+  defined changes will aid in isolating exactly where the code problem was
+  introduced.
+
+* When browsing history using Git annotate/blame, small well defined changes
+  also aid in isolating exactly where & why a piece of code came from.
+
+Things to avoid when creating commits:
+
+* Mixing whitespace changes with functional code changes.
+* Mixing two unrelated functional changes.
+* Sending large new features in a single giant commit.
+
+## Commit Message Conventions
+
+We use commit messages as per [Conventional Changelog](https://github.com/conventional-changelog/conventional-changelog):
+
+```none
+<type>(<scope>): <subject>
+```
+
+Allowed types:
+
+* **feat**: A new feature
+* **fix**: A bug fix
+* **docs**: Documentation only changes
+* **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, newline, line endings, etc)
+* **refactor**: A code change that neither fixes a bug or adds a feature
+* **perf**: A code change that improves performance
+* **test**: Adding missing tests
+* **chore**: Changes to the build process or auxiliary tools and libraries such as documentation generation
+
+You can add additional details after a new line to describe the change in detail or automatically close an issue on GitHub.
+
+```none
+feat: create initial CONTRIBUTING.md
+
+This closes #73
+```
+
+## Release process
+
+- Bump version in `lib/doorkeeper/openid_connect/version.rb`
+- Update `CHANGELOG.md`
+- Commit all changes
+- Tag release and publish gem with `rake release`

data/Gemfile

@@ -1,10 +1,7 @@
-ENV['rails'] ||= ENV['orm'] == "mongoid4" ? '4.0.2' : '3.2.13'
-
 source 'https://rubygems.org'
 
-# Define Rails version
-gem 'rails', ENV['rails']
-
-gem 'doorkeeper'
+# use Rails version specified by environment
+ENV['rails'] ||= '5.0.0'
+gem 'rails', "~> #{ENV['rails']}"
 
 gemspec

data/LICENSE.txt

@@ -1,7 +1,7 @@
-Copyright (c) 2014 Sam Dengler
-
 MIT License
 
+Copyright (c) 2014 PlayOn! Sports
+
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
 "Software"), to deal in the Software without restriction, including

data/README.md

@@ -1,104 +1,214 @@
 # Doorkeeper::OpenidConnect
 
-This library is a plugin to the Doorkeeper OAuth Ruby framework that implements the OpenID Connect specification incompletely (http://openid.net/specs/openid-connect-core-1_0.html).
+[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper-openid_connect.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper-openid_connect)
+[![Dependency Status](https://gemnasium.com/doorkeeper-gem/doorkeeper-openid_connect.svg?travis)](https://gemnasium.com/doorkeeper-gem/doorkeeper-openid_connect)
+[![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
+[![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 
-## Version 1.x
+This library implements [OpenID Connect](http://openid.net/connect/) for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
 
-This library is still pretty raw, but the latest changes are not backwards compatible with the 0.x version of the gem, so the version has been bumped to 1.x according to Semantic Versioning (http://semver.org/) conventions.
+## Table of Contents
 
-## Installation
+- [Status](#status)
+- [Installation](#installation)
+- [Configuration](#configuration)
+  - [Scopes](#scopes)
+  - [Claims](#claims)
+  - [Routes](#routes)
+  - [Nonces](#nonces)
+- [Development](#development)
+- [License](#license)
+- [Sponsors](#sponsors)
+
+## Status
 
-Add this line to your application's Gemfile:
+The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html) are currently supported:
+- [Authentication using the Authorization Code Flow](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
+- [Requesting Claims using Scope Values](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
+- [UserInfo Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
+- [Normal Claims](http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims)
 
-    gem 'doorkeeper-openid_connect', '~> 1.0.0'
+In addition we also support most of [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html) for automatic configuration discovery.
 
-And then execute:
+Take a look at the [DiscoveryController](app/controllers/doorkeeper/openid_connect/discovery_controller.rb) for more details on supported features.
 
-    $ bundle
+## Installation
 
-Or install it yourself as:
+Add this line to your application's `Gemfile` and run `bundle install`:
 
-    $ gem install doorkeeper-openid_connect -v '~> 1.0.0'
+```ruby
+gem 'doorkeeper-openid_connect'
+```
 
-## Usage
+Run the installation generator to update routes and create the initializer:
 
-Add the following to your config/routes.rb:
+```sh
+rails generate doorkeeper:openid_connect:install
+```
 
-    use_doorkeeper_openid_connect
+Generate a migration for Active Record (other ORMs are currently not supported):
 
-Add the following to your config/initializers/doorkeeper_openid_connect.rb:
+```sh
+rails generate doorkeeper:openid_connect:migration
+rake db:migrate
+```
 
-    Doorkeeper::OpenidConnect.configure do
+## Configuration
 
-      jws_private_key <<eol
-    -----BEGIN RSA PRIVATE KEY-----
-    ....
-    -----END RSA PRIVATE KEY-----
-    eol
+Verify your settings in `config/initializers/doorkeeper.rb`:
 
-      jws_public_key <<eol
-    -----BEGIN RSA PUBLIC KEY-----
-    ....
-    -----END RSA PUBLIC KEY-----
-    eol
+- `resource_owner_authenticator`
+  - Make sure this returns a falsey value if the current user can't be determined:
 
-      resource_owner_from_access_token do |access_token|
-        # Example implementation:
-        # User.find_by(id: access_token.resource_owner_id)
+    ```ruby
+    resource_owner_authenticator do
+      if current_user
+        current_user
+      else
+        redirect_to(new_user_session_url)
+        nil
       end
+    end
+    ```
 
-      issuer 'issuer string'
+The following settings are required in `config/initializers/doorkeeper_openid_connect.rb`:
 
-      subject do |resource_owner|
-        # Example implementation:
-        # resource_owner.key
-      end
+- `issuer`
+  - Identifier for the issuer of the response (i.e. your application URL). The value is a case sensitive URL using the `https` scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
+- `subject`
+  - Identifier for the resource owner (i.e. the authenticated user). A locally unique and never reassigned identifier within the issuer for the end-user, which is intended to be consumed by the client. The value is a case-sensitive string and must not exceed 255 ASCII characters in length.
+  - The database ID of the user is an acceptable choice if you don't mind leaking that information.
+- `jws_private_key`, `jws_public_key`
+  - Private and public RSA key pair for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31).
+  - You can generate these with the `openssl` command, see e.g. [Generate a keypair using OpenSSL](https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL).
+  - You should not commit these keys to your repository, but use external files (in combination with `File.read`) and/or the [dotenv-rails](https://github.com/bkeepers/dotenv) gem (in combination with `ENV[...]`).
+- `resource_owner_from_access_token`
+  - Defines how to translate the Doorkeeper access token to a resource owner model.
 
-      # Expiration time on or after which the ID Token MUST NOT be accepted for processing. (default 120 seconds).
-      # expiration 600
+The following settings are optional, but recommended for better client compatibility:
 
-      claims do
-        claim :_foo_ do |resource_owner|
-          resource_owner.foo
-        end
+- `auth_time_from_resource_owner`
+  - Returns the time of the user's last login, this can be a `Time`, `DateTime`, or any other class that responds to `to_i`
+  - Required to support the `max_age` parameter and the `auth_time` claim.
+- `reauthenticate_resource_owner`
+  - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
+  - Required to support the `max_age` and `prompt=login` parameters.
 
-        claim :_bar_ do |resource_owner|
-          resource_owner.bar
-        end
-      end
+The following settings are optional:
+
+- `expiration`
+  - Expiration time after which the ID Token must not be accepted for processing by clients.
+  - The default is 120 seconds
 
+### Scopes
+
+To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.
+
+> Note that any application defining its own scopes won't inherit the scopes defined in the initializer, so you might have to update existing applications as well.
+>
+> See [Using Scopes](https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes) in the Doorkeeper wiki for more information.
+
+### Claims
+
+Claims can be defined in a `claims` block inside `config/initializers/doorkeeper_openid_connect.rb`:
+
+```ruby
+Doorkeeper::OpenidConnect.configure do
+  claims do
+    claim :email do |resource_owner|
+      resource_owner.email
     end
 
-where:
+    claim :full_name do |resource_owner|
+      "#{resource_owner.first_name} #{resource_owner.last_name}"
+    end
+  end
+end
+```
+
+You can pass a `scope:` keyword argument on each claim to specify which OAuth scope should be required to access the claim. If you define any of the defined [Standard Claims](http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) they will by default use their [corresponding scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) (`profile`, `email`, `address` and `phone`), and any other claims will by default use the `profile` scope. Again, to use any of these scopes you need to enable them as described above.
+
+### Routes
+
+The installation generator will update your `config/routes.rb` to define all required routes:
+
+``` ruby
+Rails.application.routes.draw do
+  use_doorkeeper_openid_connect
+  # your routes
+end
+```
+
+This will mount the following routes:
+
+```
+GET   /oauth/userinfo
+POST  /oauth/userinfo
+GET   /oauth/discovery/keys
+GET   /.well-known/openid-configuration
+GET   /.well-known/webfinger
+```
+
+### Nonces
+
+To support clients who send nonces you have to tweak Doorkeeper's authorization view so the parameter is passed on.
+
+If you don't already have custom templates, run this generator in your Rails application to add them:
+
+```sh
+rails generate doorkeeper:views
+```
+
+Then tweak the template as follows:
+
+```patch
+--- i/app/views/doorkeeper/authorizations/new.html.erb
++++ w/app/views/doorkeeper/authorizations/new.html.erb
+@@ -26,6 +26,7 @@
+       <%= hidden_field_tag :state, @pre_auth.state %>
+       <%= hidden_field_tag :response_type, @pre_auth.response_type %>
+       <%= hidden_field_tag :scope, @pre_auth.scope %>
++      <%= hidden_field_tag :nonce, @pre_auth.nonce %>
+       <%= submit_tag t('doorkeeper.authorizations.buttons.authorize'), class: "btn btn-success btn-lg btn-block" %>
+     <% end %>
+     <%= form_tag oauth_authorization_path, method: :delete do %>
+@@ -34,6 +35,7 @@
+       <%= hidden_field_tag :state, @pre_auth.state %>
+       <%= hidden_field_tag :response_type, @pre_auth.response_type %>
+       <%= hidden_field_tag :scope, @pre_auth.scope %>
++      <%= hidden_field_tag :nonce, @pre_auth.nonce %>
+       <%= submit_tag t('doorkeeper.authorizations.buttons.deny'), class: "btn btn-danger btn-lg btn-block" %>
+     <% end %>
+   </div>
+```
 
-The following configurations are required:
+## Development
 
-* jws_private_key - private key for JSON Web Signature(https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31)
-* jws_public_key  - public key for JSON Web Signature(https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31)
-* resource_owner_from_access_token - defines how to translate the doorkeeper access_token to a resource owner model
+Run `bundle install` to setup all development dependencies.
 
-Given a resource owner, the following claims are required:
+To run all specs:
 
-* issuer - REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
-* subject - REQUIRED. Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length. The sub value is a case sensitive string.
+```sh
+bundle exec rspec
+```
 
-Exp claim can optionally be specified by expiration configuration.
+To run the local engine server:
 
-* exp - REQUIRED. Expiration time on or after which the ID Token MUST NOT be accepted for processing. The processing of this parameter requires that the current date/time MUST be before the expiration date/time listed in the value. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. See RFC 3339 [RFC3339] for details regarding date/times in general and UTC in particular.
-    * Default 120 seconds
+```sh
+cd spec/dummy
+bundle exec rails server
+```
 
-Custom claims can optionally be specified in a `claims` block.  The following claim types are currently supported:
+By default, the latest Rails version is used. To use a specific version run:
 
-* normal_claim - Normal claims (http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims) - specify claim name and a block using resource_owner to determine the claim value.
+```
+rails=4.2.0 bundle update
+```
 
-## TODO
+## License
 
-1. Move jws_private_key and jws_public_key to a lamba expression to avoid committing keys to code
+Doorkeeper::OpenidConnect is released under the [MIT License](http://www.opensource.org/licenses/MIT).
 
-## Contributing
+## Sponsors
 
-1. Fork it ( http://github.com/<my-github-username>/doorkeeper-openid_connect/fork )
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+Initial development of this project was sponsored by [PlayOn! Sports](https://github.com/playon).