doorkeeper-openid_connect 1.10.2 → 1.10.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/app/controllers/doorkeeper/openid_connect/dynamic_client_registration_controller.rb +1 -1
- data/lib/doorkeeper/openid_connect/oauth/dynamic_registration_request.rb +34 -0
- data/lib/doorkeeper/openid_connect/orm/active_record/mixins/openid_request.rb +12 -0
- data/lib/doorkeeper/openid_connect/orm/active_record.rb +33 -43
- data/lib/doorkeeper/openid_connect/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7c7b483ae4502881dca6aece41d05d538677d0e8d53f2fa3b82d9b89dc9aa1d8
|
|
4
|
+
data.tar.gz: dd8ed48877f8c68199c466afba4bd27a3b26671a00bd5af949146e103849544e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 18b20b9a1d04b2dfe1bfd6a169057e08fee82d538990e506f46df58f70ff29a8681d30055e18542f2af82fdb3ebceb11dc976d8b4d55f2b0f01e41fb406b931c
|
|
7
|
+
data.tar.gz: 86b69e55903f371666178cfcaa8989e4d0c82939172a79bb070d3e50742ad4cac885edfd498d5c53af18cc98643c25cb63dc094b0c55f91c1279aec446f039a0
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,14 @@
|
|
|
2
2
|
|
|
3
3
|
- Please add here
|
|
4
4
|
|
|
5
|
+
## v1.10.4 (2026-07-07)
|
|
6
|
+
|
|
7
|
+
- Validate the `scope` supplied to Dynamic Client Registration against the server's configured scopes (`default_scopes` + `optional_scopes`) before persisting it. Unrecognized scopes are silently dropped and the confirmed set is echoed in the registration response (RFC 7591 §2); a request whose scopes are all unsupported is rejected with `invalid_client_metadata` instead of being registered with an empty scope set.
|
|
8
|
+
|
|
9
|
+
## v1.10.3 (2026-06-23)
|
|
10
|
+
|
|
11
|
+
- [#308] Fix `NameError: uninitialized constant Auth::ApplicationRecord` on boot when using a namespaced custom access grant model (e.g. `Auth::OAuthAccessGrant < ApplicationRecord`). Since v1.10.0 ([#241]) the `openid_request` association was wired inside an `ActiveSupport.on_load(:active_record)` block, which fires while `ActiveRecord::Base` is first loaded and constantizes the grant model too early. The association is now added from Doorkeeper's `AccessGrant` mixin `included` callback — at the model's own load time, without constantizing — mirroring the fix doorkeeper made in [#1830](https://github.com/doorkeeper-gem/doorkeeper/pull/1830) ([#306](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/306))
|
|
12
|
+
|
|
5
13
|
## v1.10.2 (2026-06-22)
|
|
6
14
|
|
|
7
15
|
- [#315] Drop support for EOL Ruby 3.1 (EOL 2025-03-25) and require Ruby `>= 3.2`. `i18n 1.15.0` uses the `Fiber[]` storage API which only exists on Ruby 3.2+, so the Ruby 3.1 CI row no longer loads; the matrix now tests Ruby 3.2 as the minimum
|
|
@@ -17,6 +17,7 @@ module Doorkeeper
|
|
|
17
17
|
validate :application_type, error: :invalid_client_metadata
|
|
18
18
|
validate :response_types, error: :invalid_client_metadata
|
|
19
19
|
validate :grant_types, error: :invalid_client_metadata
|
|
20
|
+
validate :scope, error: :invalid_client_metadata
|
|
20
21
|
|
|
21
22
|
def initialize(server, params)
|
|
22
23
|
@server = server
|
|
@@ -45,6 +46,26 @@ module Doorkeeper
|
|
|
45
46
|
token_endpoint_auth_method != PUBLIC_CLIENT_AUTH_METHOD
|
|
46
47
|
end
|
|
47
48
|
|
|
49
|
+
# RFC 7591 §2 lets the authorization server replace or omit requested
|
|
50
|
+
# scopes. The requested scope is intersected against the server's
|
|
51
|
+
# configured scopes (default + optional): partially unrecognized
|
|
52
|
+
# scopes are silently dropped, while a request whose scopes are all
|
|
53
|
+
# unsupported is rejected via #validate_scope, since persisting an
|
|
54
|
+
# empty scope set would make Doorkeeper's ScopeChecker fall back to
|
|
55
|
+
# the full server scope set. `Scopes#allowed` honors dynamic scopes
|
|
56
|
+
# and preserves the requested order, but only exists on Doorkeeper
|
|
57
|
+
# 5.8.1+; older versions fall back to plain intersection (dynamic
|
|
58
|
+
# scopes do not exist there, so nothing is lost).
|
|
59
|
+
def permitted_scopes
|
|
60
|
+
server_scopes = server.scopes
|
|
61
|
+
|
|
62
|
+
if server_scopes.respond_to?(:allowed)
|
|
63
|
+
server_scopes.allowed(requested_scopes).to_s
|
|
64
|
+
else
|
|
65
|
+
(server_scopes & requested_scopes).to_s
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
48
69
|
def error_response
|
|
49
70
|
{ error: error.to_s, error_description: @error_description }
|
|
50
71
|
end
|
|
@@ -91,6 +112,19 @@ module Doorkeeper
|
|
|
91
112
|
false
|
|
92
113
|
end
|
|
93
114
|
|
|
115
|
+
def requested_scopes
|
|
116
|
+
::Doorkeeper::OAuth::Scopes.from_string(@params[:scope].to_s)
|
|
117
|
+
end
|
|
118
|
+
|
|
119
|
+
def validate_scope
|
|
120
|
+
return true if requested_scopes.blank? || permitted_scopes.present?
|
|
121
|
+
|
|
122
|
+
@error_description =
|
|
123
|
+
"scope '#{requested_scopes}' contains no scopes supported by this server. " \
|
|
124
|
+
"Supported scopes: #{server.scopes}"
|
|
125
|
+
false
|
|
126
|
+
end
|
|
127
|
+
|
|
94
128
|
def server_response_types
|
|
95
129
|
server.authorization_response_types
|
|
96
130
|
end
|
|
@@ -11,6 +11,18 @@ module Doorkeeper
|
|
|
11
11
|
included do
|
|
12
12
|
self.table_name = "#{table_name_prefix}oauth_openid_requests#{table_name_suffix}".to_sym
|
|
13
13
|
|
|
14
|
+
# Legacy multi-database support: older Doorkeeper releases let
|
|
15
|
+
# users route the ORM models to a separate connection via
|
|
16
|
+
# `active_record_options[:establish_connection]`. Doorkeeper
|
|
17
|
+
# 5.9.x no longer exposes `active_record_options`, so the guard
|
|
18
|
+
# makes this a no-op there. It used to live in the ORM adapter's
|
|
19
|
+
# `run_hooks`; wiring it from the model's own `included` block
|
|
20
|
+
# keeps it off the re-entrant `on_load(:active_record)` path.
|
|
21
|
+
if Doorkeeper.configuration.respond_to?(:active_record_options) &&
|
|
22
|
+
(connection_options = Doorkeeper.configuration.active_record_options[:establish_connection])
|
|
23
|
+
establish_connection(connection_options)
|
|
24
|
+
end
|
|
25
|
+
|
|
14
26
|
validates :access_grant_id, :nonce, presence: true
|
|
15
27
|
|
|
16
28
|
if Gem.loaded_specs["doorkeeper"].version >= Gem::Version.create("5.5.0")
|
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
-
require "active_support/lazy_load_hooks"
|
|
4
|
-
|
|
5
3
|
module Doorkeeper
|
|
6
4
|
module OpenidConnect
|
|
7
5
|
autoload :AccessGrant, "doorkeeper/openid_connect/orm/active_record/access_grant"
|
|
@@ -14,51 +12,43 @@ module Doorkeeper
|
|
|
14
12
|
"doorkeeper/openid_connect/orm/active_record/mixins/openid_request"
|
|
15
13
|
end
|
|
16
14
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
else
|
|
48
|
-
Doorkeeper::AccessGrant.prepend Doorkeeper::OpenidConnect::AccessGrant
|
|
49
|
-
end
|
|
50
|
-
|
|
51
|
-
if Doorkeeper.configuration.active_record_options[:establish_connection]
|
|
52
|
-
[Doorkeeper::OpenidConnect.configuration.open_id_request_model].each do |c|
|
|
53
|
-
c.send :establish_connection,
|
|
54
|
-
Doorkeeper.configuration.active_record_options[:establish_connection]
|
|
55
|
-
end
|
|
56
|
-
end
|
|
15
|
+
# Prepended onto the singleton class of Doorkeeper's AccessGrant
|
|
16
|
+
# mixin so that every model which includes
|
|
17
|
+
# `Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant` — the default
|
|
18
|
+
# `Doorkeeper::AccessGrant` as well as any (possibly namespaced)
|
|
19
|
+
# custom access grant model — also gains the OpenID Connect
|
|
20
|
+
# `openid_request` association.
|
|
21
|
+
#
|
|
22
|
+
# The association is wired from the mixin's `included` callback, at
|
|
23
|
+
# the moment the host model is loaded: `base` is the model class
|
|
24
|
+
# itself, handed to us by Ruby. Nothing reaches out to constantize
|
|
25
|
+
# the configured grant class, so the re-entrant
|
|
26
|
+
# `ActiveSupport.on_load(:active_record)` window that broke
|
|
27
|
+
# namespaced custom models is gone.
|
|
28
|
+
#
|
|
29
|
+
# Background: doorkeeper-openid_connect v1.10.0 (#241) wrapped the
|
|
30
|
+
# grant-model prepend in `ActiveSupport.on_load(:active_record)`,
|
|
31
|
+
# following doorkeeper #1804. doorkeeper later reverted that in
|
|
32
|
+
# #1830 (v5.9.2) because the hook fires while `ActiveRecord::Base`
|
|
33
|
+
# is first loaded — e.g. mid-evaluation of
|
|
34
|
+
# `class ApplicationRecord < ActiveRecord::Base` — at which point
|
|
35
|
+
# constantizing `Auth::OAuthAccessGrant < ApplicationRecord` raises
|
|
36
|
+
# `NameError: uninitialized constant Auth::ApplicationRecord` (#306).
|
|
37
|
+
# We follow the same fix: wire from the mixin instead of on_load.
|
|
38
|
+
module AccessGrantExtension
|
|
39
|
+
def included(base)
|
|
40
|
+
super
|
|
41
|
+
# `base` is a Module (not the model) when the mixin is included
|
|
42
|
+
# into an intermediate ActiveSupport::Concern; the concern defers
|
|
43
|
+
# the include, so this hook fires again with the model class.
|
|
44
|
+
base.prepend(OpenidConnect::AccessGrant) if base.is_a?(Class)
|
|
57
45
|
end
|
|
58
46
|
end
|
|
59
47
|
end
|
|
60
48
|
end
|
|
61
49
|
end
|
|
62
50
|
|
|
63
|
-
Orm::ActiveRecord.singleton_class.
|
|
51
|
+
Orm::ActiveRecord::Mixins::AccessGrant.singleton_class.prepend(
|
|
52
|
+
OpenidConnect::Orm::ActiveRecord::AccessGrantExtension,
|
|
53
|
+
)
|
|
64
54
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: doorkeeper-openid_connect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.10.
|
|
4
|
+
version: 1.10.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Dengler
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2026-
|
|
13
|
+
date: 2026-07-07 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: doorkeeper
|