RubyGems - doorkeeper-openid_connect - Versions diffs - 1.10.0 → 1.10.1 - Mend

doorkeeper-openid_connect 1.10.0 → 1.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b09f0d036559583b3db8dd63e6e35452e5f9c42c90ce098ab263c1817016994
-  data.tar.gz: f9c9584568d90c9d351a347d435ba471d8e798aa42c9ac28edebefcd59d33c1a
+  metadata.gz: f6e40af64a066cdb6b80a91eb5ecb97016c6c4a0695c4a362f72942577b7a1bd
+  data.tar.gz: 57999fcd4eba595ca726f41767c301dbd652b76ea039787d9f00fa5177b7aefa
 SHA512:
-  metadata.gz: a5a7f986bd19adcc2f3b4a03467d6052e32722f06162446b5ba944a8b905a111aa27528ccfc827e493382e95ab9dc89834a4ee483895951883291bda1387db81
-  data.tar.gz: c9fc3444e391e9b971bd193b18f388dafa47c5f5d6188d055fad2f524f9c8d6ceb67929a6b2ab5179ab50ff3c854e8d4883c9f6a43b9cd650cceba97a2e4dee2
+  metadata.gz: 7a722b6a8cf208f7c9ba6af64c8b4518a20d206d991f81f45d0a5fa21fffead56f6c134c0bb65f1de9e8d0addba5b3db408df02ed10d9a70f55b4d343ee3fb6c
+  data.tar.gz: afd99576ba3f10b38b55cd9cb2ed721ebed97a33aba778939c6aabae07ca91a07a2f4531a178716dda14adb2b4641a627c2bf9d38a8fe8b89d65a1e971ecd5c4

data/CHANGELOG.md CHANGED Viewed

@@ -2,8 +2,21 @@
 - Please add here
+## v1.10.1 (2026-06-03)
+- [#294] Drop stale `Metrics/ClassLength` and `Metrics/BlockLength` overrides from `.rubocop_todo.yml`
+- [#293] Drop `Naming/VariableNumber` from `.rubocop_todo.yml` and normalise test variable names
+- [#291] Document multi-namespace mount pattern for multiple resource owner models ([#192](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/192))
+- [#292] Drop formatting cops from `.rubocop_todo.yml` and align trailing-comma style with upstream doorkeeper
+- [#296] Fix the `prompt` parameter being rejected with `invalid_request` when it contains leading or duplicate spaces (e.g. `prompt=%20none`) — blank entries in the space-delimited value are now ignored
+- [#299] Raise `InvalidConfiguration` when the `issuer` config resolves to a blank value instead of silently advertising an empty `issuer` in the discovery document. Since v1.10.0 an arity-2 `issuer` block receives `(resource_owner, application)` — both `nil` in the discovery context — so a block relying on the old v1.9.0 request argument could return `nil` and produce a discovery `issuer` that mismatched the ID token `iss` ([#298](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/298))
 ## v1.10.0 (2026-06-01)
+>[!IMPORTANT]
+>
+>- **Breaking (arity-2 issuer blocks):** `resolve_issuer` now dispatches arity-2 blocks with `(resource_owner, application)` in all contexts, including discovery. In v1.9.0 `DiscoveryController` passed `request` as the first argument; existing arity-2 blocks that relied on this receive `(nil, nil)` in v1.10.0 and should migrate to arity-3 — see [#298](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/298) for details and migration examples
 - [#241] Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see [Doorkeeper PR](https://github.com/doorkeeper-gem/doorkeeper/pull/1804))
 - [#242] Fix `NoMethodError` for openid_request in testing environments.
 - [#246] Fix `at_hash` to use correct hash algorithm based on `signing_algorithm`

data/README.md CHANGED Viewed

@@ -414,6 +414,92 @@ After this, `.well-known/openid-configuration` returns `"jwks_uri": "https://exa
 > [!Note]
 > A naive `match "/-/jwks", ..., as: :oauth_discovery_keys` won't work — Rails has refused to reuse a route name [since 4.0](https://github.com/rails/rails/commit/a2b7c0e69d) and raises `ArgumentError: Invalid route name, already in use: 'oauth_discovery_keys'`. The `direct` helper sidesteps this by overriding the URL helper itself rather than re-declaring the route name.
+#### Mounting under multiple namespaces (multiple resource owner models)
+If your app authenticates more than one kind of resource owner (e.g. a `User`
+and a `Customer` Devise model) you may want to mount Doorkeeper — and this engine
+— more than once, each under its own namespace:
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  scope :users, as: :users do
+    use_doorkeeper { controllers authorizations: "users/authorizations" }
+    use_doorkeeper_openid_connect
+  end
+  scope :customers, as: :customers do
+    use_doorkeeper { controllers authorizations: "customers/authorizations" }
+    use_doorkeeper_openid_connect
+  end
+end
+```
+Most of the request flow is model-agnostic: the `resource_owner_authenticator`
+block can dispatch on whichever owner is signed in (`current_user ||
+current_customer`), and claims / userinfo / ID token generation follow from
+whatever it returns.
+The one piece that needs attention is the **discovery document**.
+[`DiscoveryController#provider_response`](app/controllers/doorkeeper/openid_connect/discovery_controller.rb)
+builds the published endpoints by calling named route helpers
+(`oauth_authorization_url`, `oauth_token_url`, …) directly. The
+[`discovery_url_options`](#configuration) setting (added in #126) lets you
+override the `host` / `protocol` / `port` of those URLs, but not *which* named
+helper is resolved — so under multiple mounts every namespace's discovery
+document would point at the same set of endpoints.
+The idiomatic fix is to subclass the discovery controller per namespace and
+re-point the helper calls at that namespace's routes:
+```ruby
+# app/controllers/users/discovery_controller.rb
+module Users
+  class DiscoveryController < Doorkeeper::OpenidConnect::DiscoveryController
+    private
+    # Re-point each helper used by `provider_response` at the namespaced route.
+    def oauth_authorization_url(opts = {})
+      users_oauth_authorization_url(opts)
+    end
+    def oauth_token_url(opts = {})
+      users_oauth_token_url(opts)
+    end
+    def oauth_revoke_url(opts = {})
+      users_oauth_revoke_url(opts)
+    end
+    def oauth_userinfo_url(opts = {})
+      users_oauth_userinfo_url(opts)
+    end
+    def oauth_discovery_keys_url(opts = {})
+      users_oauth_discovery_keys_url(opts)
+    end
+    # ...and `oauth_introspect_url` / `oauth_dynamic_client_registration_url`
+    # if you advertise those.
+  end
+end
+```
+```ruby
+# config/routes.rb (inside the `:users` scope)
+get "/.well-known/openid-configuration",
+    to: "users/discovery#provider", as: :users_openid_connect_config
+```
+Repeat for the `customers` namespace. Each `.well-known/openid-configuration`
+then advertises the endpoints for its own namespace.
+> [!Note]
+> See [#192](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/192)
+> for the original discussion. First-class multi-mount support is not provided
+> out of the box; the per-namespace controller override above is the supported
+> extension pattern for now.
 ### Nonces
 To support clients who send nonces you have to tweak Doorkeeper's authorization view so the parameter is passed on.

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb CHANGED Viewed

@@ -53,7 +53,7 @@ module Doorkeeper
           subject_types_supported: openid_connect.subject_types_supported,
           id_token_signing_alg_values_supported: [
-            ::Doorkeeper::OpenidConnect.signing_algorithm
+            ::Doorkeeper::OpenidConnect.signing_algorithm,
           ],
           claim_types_supported: [
@@ -93,8 +93,8 @@ module Doorkeeper
             {
               rel: WEBFINGER_RELATION,
               href: issuer,
-            }
-          ]
+            },
+          ],
         }
       end
@@ -113,7 +113,7 @@ module Doorkeeper
       def discovery_url_default_options
         {
-          protocol: protocol
+          protocol: protocol,
         }
       end

data/app/controllers/doorkeeper/openid_connect/dynamic_client_registration_controller.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Doorkeeper
         render json: registration_response(client, registration), status: :created
       rescue ActiveRecord::RecordInvalid => e
         render json: { error: "invalid_client_params", error_description: e.record.errors.full_messages.join(", ") },
-          status: :bad_request
+               status: :bad_request
       end
       private

data/config/locales/en.yml CHANGED Viewed

@@ -22,4 +22,5 @@ en:
           select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
           subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'
           signing_key_not_configured: 'Doorkeeper::OpenidConnect.configure.signing_key must resolve to at least one key.'
+          issuer_not_configured: 'Doorkeeper::OpenidConnect.configure.issuer must resolve to a non-blank value.'
           dynamic_client_registration_unauthorized: 'Authorization required for client registration'

data/lib/doorkeeper/oauth/id_token_response.rb CHANGED Viewed

@@ -21,7 +21,7 @@ module Doorkeeper
       def body
         {
           state: pre_auth.state,
-          id_token: id_token.as_jws_token
+          id_token: id_token.as_jws_token,
         }
       end

data/lib/doorkeeper/oauth/id_token_token_response.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Doorkeeper
         super.merge({
           access_token: auth.token.token,
           token_type: auth.token.token_type,
-          expires_in: auth.token.expires_in_seconds
+          expires_in: auth.token.expires_in_seconds,
         })
       end
     end

data/lib/doorkeeper/openid_connect/claims_builder.rb CHANGED Viewed

@@ -31,7 +31,7 @@ module Doorkeeper
             name: name,
             response: response,
             scope: scope,
-            generator: block
+            generator: block,
           )
       end
       alias claim normal_claim

data/lib/doorkeeper/openid_connect/config.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Doorkeeper
     def self.configure(&block)
       if Doorkeeper.configuration.orm != :active_record
         raise Errors::InvalidConfiguration,
-"Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter"
+              "Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter"
       end
       @config = Config::Builder.new(&block).build

data/lib/doorkeeper/openid_connect/helpers/controller.rb CHANGED Viewed

@@ -176,7 +176,11 @@ module Doorkeeper
         end
         def oidc_prompt_values
-          @oidc_prompt_values ||= params[:prompt].to_s.split(/ +/).uniq
+          # Reject blank entries so leading/duplicate spaces in the
+          # space-delimited `prompt` parameter don't surface as an empty
+          # value (which would otherwise be treated as an unknown prompt and
+          # rejected with `invalid_request`).
+          @oidc_prompt_values ||= params[:prompt].to_s.split(/ +/).reject(&:blank?).uniq
         end
         # Resolve auth_time for max_age enforcement.

data/lib/doorkeeper/openid_connect/id_token.rb CHANGED Viewed

@@ -26,7 +26,7 @@ module Doorkeeper
           exp: expiration,
           iat: issued_at,
           nonce: nonce,
-          auth_time: auth_time
+          auth_time: auth_time,
         )
       end
@@ -36,9 +36,9 @@ module Doorkeeper
       def as_jws_token
         ::JWT.encode(as_json,
-          Doorkeeper::OpenidConnect.signing_key.keypair,
-          Doorkeeper::OpenidConnect.signing_algorithm.to_s,
-          { typ: "JWT", kid: Doorkeeper::OpenidConnect.signing_key.kid }).to_s
+                     Doorkeeper::OpenidConnect.signing_key.keypair,
+                     Doorkeeper::OpenidConnect.signing_algorithm.to_s,
+                     { typ: "JWT", kid: Doorkeeper::OpenidConnect.signing_key.kid }).to_s
       end
       private
@@ -46,13 +46,15 @@ module Doorkeeper
       def issuer
         Doorkeeper::OpenidConnect.resolve_issuer(
           resource_owner: @resource_owner,
-          application: @access_token.application
+          application: @access_token.application,
         )
       end
       def subject
-        Doorkeeper::OpenidConnect.configuration.subject.call(@resource_owner,
-@access_token.application).to_s
+        Doorkeeper::OpenidConnect.configuration.subject.call(
+          @resource_owner,
+          @access_token.application,
+        ).to_s
       end
       def audience

data/lib/doorkeeper/openid_connect/oauth/authorization/code.rb CHANGED Viewed

@@ -27,7 +27,7 @@ module Doorkeeper
           def create_openid_request(access_grant)
             ::Doorkeeper::OpenidConnect.configuration.open_id_request_model.create!(
               access_grant: access_grant,
-              nonce: pre_auth.nonce
+              nonce: pre_auth.nonce,
             )
           end
         end

data/lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb CHANGED Viewed

@@ -6,10 +6,10 @@ module Doorkeeper
       def self.prepended(base)
         base.class_eval do
           has_one :openid_request,
-            class_name: Doorkeeper::OpenidConnect.configuration.open_id_request_class,
-            foreign_key: "access_grant_id",
-            inverse_of: :access_grant,
-            dependent: :delete
+                  class_name: Doorkeeper::OpenidConnect.configuration.open_id_request_class,
+                  foreign_key: "access_grant_id",
+                  inverse_of: :access_grant,
+                  dependent: :delete
         end
       end
     end

data/lib/doorkeeper/openid_connect/orm/active_record.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Doorkeeper
       module ActiveRecord
         module Mixins
           autoload :OpenidRequest,
-"doorkeeper/openid_connect/orm/active_record/mixins/openid_request"
+                   "doorkeeper/openid_connect/orm/active_record/mixins/openid_request"
         end
         def run_hooks
@@ -30,7 +30,7 @@ module Doorkeeper
             if Doorkeeper.configuration.respond_to?(:active_record_options) && Doorkeeper.configuration.active_record_options[:establish_connection]
               [Doorkeeper::OpenidConnect.configuration.open_id_request_model].each do |c|
                 c.send :establish_connection,
-Doorkeeper.configuration.active_record_options[:establish_connection]
+                       Doorkeeper.configuration.active_record_options[:establish_connection]
               end
             end
           end
@@ -51,7 +51,7 @@ Doorkeeper.configuration.active_record_options[:establish_connection]
             if Doorkeeper.configuration.active_record_options[:establish_connection]
               [Doorkeeper::OpenidConnect.configuration.open_id_request_model].each do |c|
                 c.send :establish_connection,
-Doorkeeper.configuration.active_record_options[:establish_connection]
+                       Doorkeeper.configuration.active_record_options[:establish_connection]
               end
             end
           end

data/lib/doorkeeper/openid_connect/rails/routes/mapping.rb CHANGED Viewed

@@ -11,13 +11,13 @@ module Doorkeeper
             @controllers = {
               userinfo: "doorkeeper/openid_connect/userinfo",
               discovery: "doorkeeper/openid_connect/discovery",
-              dynamic_client_registration: "doorkeeper/openid_connect/dynamic_client_registration"
+              dynamic_client_registration: "doorkeeper/openid_connect/dynamic_client_registration",
             }
             @as = {
               userinfo: :userinfo,
               discovery: :discovery,
-              dynamic_client_registration: :dynamic_client_registration
+              dynamic_client_registration: :dynamic_client_registration,
             }
             @skips = []
@@ -26,7 +26,7 @@ module Doorkeeper
           def [](routes)
             {
               controllers: @controllers[routes],
-              as: @as[routes]
+              as: @as[routes],
             }
           end

data/lib/doorkeeper/openid_connect/user_info.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module Doorkeeper
         # the canonical subject identifier (which would defeat pairwise /
         # subject-type guarantees).
         ClaimsBuilder.generate(@access_token, :user_info).merge(
-          sub: subject
+          sub: subject,
         )
       end

data/lib/doorkeeper/openid_connect/version.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Doorkeeper
   module OpenidConnect
     MAJOR = 1
     MINOR = 10
-    TINY = 0
+    TINY = 1
     PRE = nil
     # Full version number

data/lib/doorkeeper/openid_connect.rb CHANGED Viewed

@@ -132,18 +132,29 @@ module Doorkeeper
     # @return [String] the issuer string
     def self.resolve_issuer(resource_owner: nil, application: nil, request: nil)
       issuer = configuration.issuer
-      return issuer.to_s unless issuer.respond_to?(:call)
-      case issuer.arity
-      when 0
-        issuer.call
-      when 1
-        issuer.call(request || resource_owner)
-      when 2
-        issuer.call(resource_owner, application)
-      else
-        issuer.call(resource_owner, application, request)
-      end.to_s
+      value =
+        if issuer.respond_to?(:call)
+          case issuer.arity
+          when 0
+            issuer.call
+          when 1
+            issuer.call(request || resource_owner)
+          when 2
+            issuer.call(resource_owner, application)
+          else
+            issuer.call(resource_owner, application, request)
+          end
+        else
+          issuer
+        end.to_s
+      if value.blank?
+        raise Errors::InvalidConfiguration,
+              I18n.translate("doorkeeper.openid_connect.errors.messages.issuer_not_configured")
+      end
+      value
     end
     Doorkeeper::GrantFlow.register(
@@ -161,7 +172,7 @@ module Doorkeeper
     )
     Doorkeeper::GrantFlow.register_alias(
-      "implicit_oidc", as: ["implicit", "id_token", "id_token token"]
+      "implicit_oidc", as: ["implicit", "id_token", "id_token token"],
     )
   end
 end

data/lib/generators/doorkeeper/openid_connect/install_generator.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module Doorkeeper
       def install
         template "initializer.rb", "config/initializers/doorkeeper_openid_connect.rb"
         copy_file File.expand_path("../../../../config/locales/en.yml", __dir__),
-"config/locales/doorkeeper_openid_connect.en.yml"
+                  "config/locales/doorkeeper_openid_connect.en.yml"
         route "use_doorkeeper_openid_connect"
       end
     end

data/lib/generators/doorkeeper/openid_connect/migration_generator.rb CHANGED Viewed

@@ -13,7 +13,7 @@ module Doorkeeper
         migration_template(
           "migration.rb.erb",
           "db/migrate/create_doorkeeper_openid_connect_tables.rb",
-          migration_version: migration_version
+          migration_version: migration_version,
         )
       end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.10.0
+  version: 1.10.1
 platform: ruby
 authors:
 - Sam Dengler
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-06-01 00:00:00.000000000 Z
+date: 2026-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper