doorkeeper-openid_connect 1.10.3 → 1.10.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4bedc8346eca194f64043d9326c448e386f3cf3ba3a9f1e3be620bef94f809f2
4
- data.tar.gz: 04a5b33f8edb2ddd2ae4dc792ce40649aa1e65548953565cdf0edc9332e5013b
3
+ metadata.gz: 7c7b483ae4502881dca6aece41d05d538677d0e8d53f2fa3b82d9b89dc9aa1d8
4
+ data.tar.gz: dd8ed48877f8c68199c466afba4bd27a3b26671a00bd5af949146e103849544e
5
5
  SHA512:
6
- metadata.gz: c125fedebc47c300e44a8c62e0424e180cdb48173a4cea5faab0928e9698738495f5cd9ddb7a55d482919dd84dbf02a059e268fb239d60c95648a935fb0b8b6e
7
- data.tar.gz: fbedda34c90a57041aab6683f88ab5c57135894f86f6dc0c5872f062cdb881a029323ae05c59e63d4286108ed492122a3269c67fd8244a214a43f6713545a0ca
6
+ metadata.gz: 18b20b9a1d04b2dfe1bfd6a169057e08fee82d538990e506f46df58f70ff29a8681d30055e18542f2af82fdb3ebceb11dc976d8b4d55f2b0f01e41fb406b931c
7
+ data.tar.gz: 86b69e55903f371666178cfcaa8989e4d0c82939172a79bb070d3e50742ad4cac885edfd498d5c53af18cc98643c25cb63dc094b0c55f91c1279aec446f039a0
data/CHANGELOG.md CHANGED
@@ -2,6 +2,10 @@
2
2
 
3
3
  - Please add here
4
4
 
5
+ ## v1.10.4 (2026-07-07)
6
+
7
+ - Validate the `scope` supplied to Dynamic Client Registration against the server's configured scopes (`default_scopes` + `optional_scopes`) before persisting it. Unrecognized scopes are silently dropped and the confirmed set is echoed in the registration response (RFC 7591 §2); a request whose scopes are all unsupported is rejected with `invalid_client_metadata` instead of being registered with an empty scope set.
8
+
5
9
  ## v1.10.3 (2026-06-23)
6
10
 
7
11
  - [#308] Fix `NameError: uninitialized constant Auth::ApplicationRecord` on boot when using a namespaced custom access grant model (e.g. `Auth::OAuthAccessGrant < ApplicationRecord`). Since v1.10.0 ([#241]) the `openid_request` association was wired inside an `ActiveSupport.on_load(:active_record)` block, which fires while `ActiveRecord::Base` is first loaded and constantizes the grant model too early. The association is now added from Doorkeeper's `AccessGrant` mixin `included` callback — at the model's own load time, without constantizing — mirroring the fix doorkeeper made in [#1830](https://github.com/doorkeeper-gem/doorkeeper/pull/1830) ([#306](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/306))
@@ -51,7 +51,7 @@ module Doorkeeper
51
51
  {
52
52
  name: params[:client_name],
53
53
  redirect_uri: params[:redirect_uris] || [],
54
- scopes: params[:scope],
54
+ scopes: registration.permitted_scopes,
55
55
  confidential: registration.confidential_client?,
56
56
  }
57
57
  end
@@ -17,6 +17,7 @@ module Doorkeeper
17
17
  validate :application_type, error: :invalid_client_metadata
18
18
  validate :response_types, error: :invalid_client_metadata
19
19
  validate :grant_types, error: :invalid_client_metadata
20
+ validate :scope, error: :invalid_client_metadata
20
21
 
21
22
  def initialize(server, params)
22
23
  @server = server
@@ -45,6 +46,26 @@ module Doorkeeper
45
46
  token_endpoint_auth_method != PUBLIC_CLIENT_AUTH_METHOD
46
47
  end
47
48
 
49
+ # RFC 7591 §2 lets the authorization server replace or omit requested
50
+ # scopes. The requested scope is intersected against the server's
51
+ # configured scopes (default + optional): partially unrecognized
52
+ # scopes are silently dropped, while a request whose scopes are all
53
+ # unsupported is rejected via #validate_scope, since persisting an
54
+ # empty scope set would make Doorkeeper's ScopeChecker fall back to
55
+ # the full server scope set. `Scopes#allowed` honors dynamic scopes
56
+ # and preserves the requested order, but only exists on Doorkeeper
57
+ # 5.8.1+; older versions fall back to plain intersection (dynamic
58
+ # scopes do not exist there, so nothing is lost).
59
+ def permitted_scopes
60
+ server_scopes = server.scopes
61
+
62
+ if server_scopes.respond_to?(:allowed)
63
+ server_scopes.allowed(requested_scopes).to_s
64
+ else
65
+ (server_scopes & requested_scopes).to_s
66
+ end
67
+ end
68
+
48
69
  def error_response
49
70
  { error: error.to_s, error_description: @error_description }
50
71
  end
@@ -91,6 +112,19 @@ module Doorkeeper
91
112
  false
92
113
  end
93
114
 
115
+ def requested_scopes
116
+ ::Doorkeeper::OAuth::Scopes.from_string(@params[:scope].to_s)
117
+ end
118
+
119
+ def validate_scope
120
+ return true if requested_scopes.blank? || permitted_scopes.present?
121
+
122
+ @error_description =
123
+ "scope '#{requested_scopes}' contains no scopes supported by this server. " \
124
+ "Supported scopes: #{server.scopes}"
125
+ false
126
+ end
127
+
94
128
  def server_response_types
95
129
  server.authorization_response_types
96
130
  end
@@ -4,7 +4,7 @@ module Doorkeeper
4
4
  module OpenidConnect
5
5
  MAJOR = 1
6
6
  MINOR = 10
7
- TINY = 3
7
+ TINY = 4
8
8
  PRE = nil
9
9
 
10
10
  # Full version number
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: doorkeeper-openid_connect
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.10.3
4
+ version: 1.10.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sam Dengler
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2026-06-23 00:00:00.000000000 Z
13
+ date: 2026-07-07 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: doorkeeper