doorkeeper-openid_connect 1.10.2 → 1.10.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a7213362be6e1d40b9d790e35b6b860d6cbf80691282732e1257a4a01998ee39
4
- data.tar.gz: 0f0830786b8f43e64ee75c69c4ffadcfae0e1af2d5d4ace18214879740dbb7c3
3
+ metadata.gz: 7c7b483ae4502881dca6aece41d05d538677d0e8d53f2fa3b82d9b89dc9aa1d8
4
+ data.tar.gz: dd8ed48877f8c68199c466afba4bd27a3b26671a00bd5af949146e103849544e
5
5
  SHA512:
6
- metadata.gz: 626d292fa7351472982a54e48001973c7d9202bf146ce6dbd5f2577def44ee22d3f753117db18ae175134e727caaca64a4ab05b5b87f38e821254af13e93416b
7
- data.tar.gz: d48ae4ce304b01e15f45200b9c3bf47e987decf85bd6c7270c87f56bb3f463617ac5de287b9b243d2538ff3c92f2b84d03771df81b5edea50360694029afa5dc
6
+ metadata.gz: 18b20b9a1d04b2dfe1bfd6a169057e08fee82d538990e506f46df58f70ff29a8681d30055e18542f2af82fdb3ebceb11dc976d8b4d55f2b0f01e41fb406b931c
7
+ data.tar.gz: 86b69e55903f371666178cfcaa8989e4d0c82939172a79bb070d3e50742ad4cac885edfd498d5c53af18cc98643c25cb63dc094b0c55f91c1279aec446f039a0
data/CHANGELOG.md CHANGED
@@ -2,6 +2,14 @@
2
2
 
3
3
  - Please add here
4
4
 
5
+ ## v1.10.4 (2026-07-07)
6
+
7
+ - Validate the `scope` supplied to Dynamic Client Registration against the server's configured scopes (`default_scopes` + `optional_scopes`) before persisting it. Unrecognized scopes are silently dropped and the confirmed set is echoed in the registration response (RFC 7591 §2); a request whose scopes are all unsupported is rejected with `invalid_client_metadata` instead of being registered with an empty scope set.
8
+
9
+ ## v1.10.3 (2026-06-23)
10
+
11
+ - [#308] Fix `NameError: uninitialized constant Auth::ApplicationRecord` on boot when using a namespaced custom access grant model (e.g. `Auth::OAuthAccessGrant < ApplicationRecord`). Since v1.10.0 ([#241]) the `openid_request` association was wired inside an `ActiveSupport.on_load(:active_record)` block, which fires while `ActiveRecord::Base` is first loaded and constantizes the grant model too early. The association is now added from Doorkeeper's `AccessGrant` mixin `included` callback — at the model's own load time, without constantizing — mirroring the fix doorkeeper made in [#1830](https://github.com/doorkeeper-gem/doorkeeper/pull/1830) ([#306](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/306))
12
+
5
13
  ## v1.10.2 (2026-06-22)
6
14
 
7
15
  - [#315] Drop support for EOL Ruby 3.1 (EOL 2025-03-25) and require Ruby `>= 3.2`. `i18n 1.15.0` uses the `Fiber[]` storage API which only exists on Ruby 3.2+, so the Ruby 3.1 CI row no longer loads; the matrix now tests Ruby 3.2 as the minimum
@@ -51,7 +51,7 @@ module Doorkeeper
51
51
  {
52
52
  name: params[:client_name],
53
53
  redirect_uri: params[:redirect_uris] || [],
54
- scopes: params[:scope],
54
+ scopes: registration.permitted_scopes,
55
55
  confidential: registration.confidential_client?,
56
56
  }
57
57
  end
@@ -17,6 +17,7 @@ module Doorkeeper
17
17
  validate :application_type, error: :invalid_client_metadata
18
18
  validate :response_types, error: :invalid_client_metadata
19
19
  validate :grant_types, error: :invalid_client_metadata
20
+ validate :scope, error: :invalid_client_metadata
20
21
 
21
22
  def initialize(server, params)
22
23
  @server = server
@@ -45,6 +46,26 @@ module Doorkeeper
45
46
  token_endpoint_auth_method != PUBLIC_CLIENT_AUTH_METHOD
46
47
  end
47
48
 
49
+ # RFC 7591 §2 lets the authorization server replace or omit requested
50
+ # scopes. The requested scope is intersected against the server's
51
+ # configured scopes (default + optional): partially unrecognized
52
+ # scopes are silently dropped, while a request whose scopes are all
53
+ # unsupported is rejected via #validate_scope, since persisting an
54
+ # empty scope set would make Doorkeeper's ScopeChecker fall back to
55
+ # the full server scope set. `Scopes#allowed` honors dynamic scopes
56
+ # and preserves the requested order, but only exists on Doorkeeper
57
+ # 5.8.1+; older versions fall back to plain intersection (dynamic
58
+ # scopes do not exist there, so nothing is lost).
59
+ def permitted_scopes
60
+ server_scopes = server.scopes
61
+
62
+ if server_scopes.respond_to?(:allowed)
63
+ server_scopes.allowed(requested_scopes).to_s
64
+ else
65
+ (server_scopes & requested_scopes).to_s
66
+ end
67
+ end
68
+
48
69
  def error_response
49
70
  { error: error.to_s, error_description: @error_description }
50
71
  end
@@ -91,6 +112,19 @@ module Doorkeeper
91
112
  false
92
113
  end
93
114
 
115
+ def requested_scopes
116
+ ::Doorkeeper::OAuth::Scopes.from_string(@params[:scope].to_s)
117
+ end
118
+
119
+ def validate_scope
120
+ return true if requested_scopes.blank? || permitted_scopes.present?
121
+
122
+ @error_description =
123
+ "scope '#{requested_scopes}' contains no scopes supported by this server. " \
124
+ "Supported scopes: #{server.scopes}"
125
+ false
126
+ end
127
+
94
128
  def server_response_types
95
129
  server.authorization_response_types
96
130
  end
@@ -11,6 +11,18 @@ module Doorkeeper
11
11
  included do
12
12
  self.table_name = "#{table_name_prefix}oauth_openid_requests#{table_name_suffix}".to_sym
13
13
 
14
+ # Legacy multi-database support: older Doorkeeper releases let
15
+ # users route the ORM models to a separate connection via
16
+ # `active_record_options[:establish_connection]`. Doorkeeper
17
+ # 5.9.x no longer exposes `active_record_options`, so the guard
18
+ # makes this a no-op there. It used to live in the ORM adapter's
19
+ # `run_hooks`; wiring it from the model's own `included` block
20
+ # keeps it off the re-entrant `on_load(:active_record)` path.
21
+ if Doorkeeper.configuration.respond_to?(:active_record_options) &&
22
+ (connection_options = Doorkeeper.configuration.active_record_options[:establish_connection])
23
+ establish_connection(connection_options)
24
+ end
25
+
14
26
  validates :access_grant_id, :nonce, presence: true
15
27
 
16
28
  if Gem.loaded_specs["doorkeeper"].version >= Gem::Version.create("5.5.0")
@@ -1,7 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
- require "active_support/lazy_load_hooks"
4
-
5
3
  module Doorkeeper
6
4
  module OpenidConnect
7
5
  autoload :AccessGrant, "doorkeeper/openid_connect/orm/active_record/access_grant"
@@ -14,51 +12,43 @@ module Doorkeeper
14
12
  "doorkeeper/openid_connect/orm/active_record/mixins/openid_request"
15
13
  end
16
14
 
17
- def run_hooks
18
- super
19
-
20
- ActiveSupport.on_load(:active_record) do
21
- require "doorkeeper/openid_connect/orm/active_record/access_grant"
22
- require "doorkeeper/openid_connect/orm/active_record/request"
23
-
24
- if Gem.loaded_specs["doorkeeper"].version >= Gem::Version.create("5.5.0")
25
- Doorkeeper.config.access_grant_model.prepend Doorkeeper::OpenidConnect::AccessGrant
26
- else
27
- Doorkeeper::AccessGrant.prepend Doorkeeper::OpenidConnect::AccessGrant
28
- end
29
-
30
- if Doorkeeper.configuration.respond_to?(:active_record_options) && Doorkeeper.configuration.active_record_options[:establish_connection]
31
- [Doorkeeper::OpenidConnect.configuration.open_id_request_model].each do |c|
32
- c.send :establish_connection,
33
- Doorkeeper.configuration.active_record_options[:establish_connection]
34
- end
35
- end
36
- end
37
- end
38
-
39
- def initialize_models!
40
- super
41
- ActiveSupport.on_load(:active_record) do
42
- require "doorkeeper/openid_connect/orm/active_record/access_grant"
43
- require "doorkeeper/openid_connect/orm/active_record/request"
44
-
45
- if Gem.loaded_specs["doorkeeper"].version >= Gem::Version.create("5.5.0")
46
- Doorkeeper.config.access_grant_model.prepend Doorkeeper::OpenidConnect::AccessGrant
47
- else
48
- Doorkeeper::AccessGrant.prepend Doorkeeper::OpenidConnect::AccessGrant
49
- end
50
-
51
- if Doorkeeper.configuration.active_record_options[:establish_connection]
52
- [Doorkeeper::OpenidConnect.configuration.open_id_request_model].each do |c|
53
- c.send :establish_connection,
54
- Doorkeeper.configuration.active_record_options[:establish_connection]
55
- end
56
- end
15
+ # Prepended onto the singleton class of Doorkeeper's AccessGrant
16
+ # mixin so that every model which includes
17
+ # `Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant` — the default
18
+ # `Doorkeeper::AccessGrant` as well as any (possibly namespaced)
19
+ # custom access grant model — also gains the OpenID Connect
20
+ # `openid_request` association.
21
+ #
22
+ # The association is wired from the mixin's `included` callback, at
23
+ # the moment the host model is loaded: `base` is the model class
24
+ # itself, handed to us by Ruby. Nothing reaches out to constantize
25
+ # the configured grant class, so the re-entrant
26
+ # `ActiveSupport.on_load(:active_record)` window that broke
27
+ # namespaced custom models is gone.
28
+ #
29
+ # Background: doorkeeper-openid_connect v1.10.0 (#241) wrapped the
30
+ # grant-model prepend in `ActiveSupport.on_load(:active_record)`,
31
+ # following doorkeeper #1804. doorkeeper later reverted that in
32
+ # #1830 (v5.9.2) because the hook fires while `ActiveRecord::Base`
33
+ # is first loaded — e.g. mid-evaluation of
34
+ # `class ApplicationRecord < ActiveRecord::Base` — at which point
35
+ # constantizing `Auth::OAuthAccessGrant < ApplicationRecord` raises
36
+ # `NameError: uninitialized constant Auth::ApplicationRecord` (#306).
37
+ # We follow the same fix: wire from the mixin instead of on_load.
38
+ module AccessGrantExtension
39
+ def included(base)
40
+ super
41
+ # `base` is a Module (not the model) when the mixin is included
42
+ # into an intermediate ActiveSupport::Concern; the concern defers
43
+ # the include, so this hook fires again with the model class.
44
+ base.prepend(OpenidConnect::AccessGrant) if base.is_a?(Class)
57
45
  end
58
46
  end
59
47
  end
60
48
  end
61
49
  end
62
50
 
63
- Orm::ActiveRecord.singleton_class.send :prepend, OpenidConnect::Orm::ActiveRecord
51
+ Orm::ActiveRecord::Mixins::AccessGrant.singleton_class.prepend(
52
+ OpenidConnect::Orm::ActiveRecord::AccessGrantExtension,
53
+ )
64
54
  end
@@ -4,7 +4,7 @@ module Doorkeeper
4
4
  module OpenidConnect
5
5
  MAJOR = 1
6
6
  MINOR = 10
7
- TINY = 2
7
+ TINY = 4
8
8
  PRE = nil
9
9
 
10
10
  # Full version number
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: doorkeeper-openid_connect
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.10.2
4
+ version: 1.10.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sam Dengler
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2026-06-22 00:00:00.000000000 Z
13
+ date: 2026-07-07 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: doorkeeper