doorkeeper-openid_connect 1.10.3 → 1.10.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7c7b483ae4502881dca6aece41d05d538677d0e8d53f2fa3b82d9b89dc9aa1d8
|
|
4
|
+
data.tar.gz: dd8ed48877f8c68199c466afba4bd27a3b26671a00bd5af949146e103849544e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 18b20b9a1d04b2dfe1bfd6a169057e08fee82d538990e506f46df58f70ff29a8681d30055e18542f2af82fdb3ebceb11dc976d8b4d55f2b0f01e41fb406b931c
|
|
7
|
+
data.tar.gz: 86b69e55903f371666178cfcaa8989e4d0c82939172a79bb070d3e50742ad4cac885edfd498d5c53af18cc98643c25cb63dc094b0c55f91c1279aec446f039a0
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
- Please add here
|
|
4
4
|
|
|
5
|
+
## v1.10.4 (2026-07-07)
|
|
6
|
+
|
|
7
|
+
- Validate the `scope` supplied to Dynamic Client Registration against the server's configured scopes (`default_scopes` + `optional_scopes`) before persisting it. Unrecognized scopes are silently dropped and the confirmed set is echoed in the registration response (RFC 7591 §2); a request whose scopes are all unsupported is rejected with `invalid_client_metadata` instead of being registered with an empty scope set.
|
|
8
|
+
|
|
5
9
|
## v1.10.3 (2026-06-23)
|
|
6
10
|
|
|
7
11
|
- [#308] Fix `NameError: uninitialized constant Auth::ApplicationRecord` on boot when using a namespaced custom access grant model (e.g. `Auth::OAuthAccessGrant < ApplicationRecord`). Since v1.10.0 ([#241]) the `openid_request` association was wired inside an `ActiveSupport.on_load(:active_record)` block, which fires while `ActiveRecord::Base` is first loaded and constantizes the grant model too early. The association is now added from Doorkeeper's `AccessGrant` mixin `included` callback — at the model's own load time, without constantizing — mirroring the fix doorkeeper made in [#1830](https://github.com/doorkeeper-gem/doorkeeper/pull/1830) ([#306](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/306))
|
|
@@ -17,6 +17,7 @@ module Doorkeeper
|
|
|
17
17
|
validate :application_type, error: :invalid_client_metadata
|
|
18
18
|
validate :response_types, error: :invalid_client_metadata
|
|
19
19
|
validate :grant_types, error: :invalid_client_metadata
|
|
20
|
+
validate :scope, error: :invalid_client_metadata
|
|
20
21
|
|
|
21
22
|
def initialize(server, params)
|
|
22
23
|
@server = server
|
|
@@ -45,6 +46,26 @@ module Doorkeeper
|
|
|
45
46
|
token_endpoint_auth_method != PUBLIC_CLIENT_AUTH_METHOD
|
|
46
47
|
end
|
|
47
48
|
|
|
49
|
+
# RFC 7591 §2 lets the authorization server replace or omit requested
|
|
50
|
+
# scopes. The requested scope is intersected against the server's
|
|
51
|
+
# configured scopes (default + optional): partially unrecognized
|
|
52
|
+
# scopes are silently dropped, while a request whose scopes are all
|
|
53
|
+
# unsupported is rejected via #validate_scope, since persisting an
|
|
54
|
+
# empty scope set would make Doorkeeper's ScopeChecker fall back to
|
|
55
|
+
# the full server scope set. `Scopes#allowed` honors dynamic scopes
|
|
56
|
+
# and preserves the requested order, but only exists on Doorkeeper
|
|
57
|
+
# 5.8.1+; older versions fall back to plain intersection (dynamic
|
|
58
|
+
# scopes do not exist there, so nothing is lost).
|
|
59
|
+
def permitted_scopes
|
|
60
|
+
server_scopes = server.scopes
|
|
61
|
+
|
|
62
|
+
if server_scopes.respond_to?(:allowed)
|
|
63
|
+
server_scopes.allowed(requested_scopes).to_s
|
|
64
|
+
else
|
|
65
|
+
(server_scopes & requested_scopes).to_s
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
48
69
|
def error_response
|
|
49
70
|
{ error: error.to_s, error_description: @error_description }
|
|
50
71
|
end
|
|
@@ -91,6 +112,19 @@ module Doorkeeper
|
|
|
91
112
|
false
|
|
92
113
|
end
|
|
93
114
|
|
|
115
|
+
def requested_scopes
|
|
116
|
+
::Doorkeeper::OAuth::Scopes.from_string(@params[:scope].to_s)
|
|
117
|
+
end
|
|
118
|
+
|
|
119
|
+
def validate_scope
|
|
120
|
+
return true if requested_scopes.blank? || permitted_scopes.present?
|
|
121
|
+
|
|
122
|
+
@error_description =
|
|
123
|
+
"scope '#{requested_scopes}' contains no scopes supported by this server. " \
|
|
124
|
+
"Supported scopes: #{server.scopes}"
|
|
125
|
+
false
|
|
126
|
+
end
|
|
127
|
+
|
|
94
128
|
def server_response_types
|
|
95
129
|
server.authorization_response_types
|
|
96
130
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: doorkeeper-openid_connect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.10.
|
|
4
|
+
version: 1.10.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Dengler
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2026-
|
|
13
|
+
date: 2026-07-07 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: doorkeeper
|