RubyGems - doorkeeper-openid_connect - Versions diffs - 1.2.0 → 1.3.0 - Mend

doorkeeper-openid_connect 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +8 -0
data/CONTRIBUTING.md +0 -27
data/README.md +14 -1
data/doorkeeper-openid_connect.gemspec +1 -1
data/lib/doorkeeper/oauth/id_token_request.rb +41 -0
data/lib/doorkeeper/oauth/id_token_response.rb +28 -0
data/lib/doorkeeper/oauth/id_token_token_request.rb +13 -0
data/lib/doorkeeper/oauth/id_token_token_response.rb +16 -0
data/lib/doorkeeper/openid_connect.rb +10 -0
data/lib/doorkeeper/openid_connect/id_token.rb +1 -1
data/lib/doorkeeper/openid_connect/id_token_token.rb +33 -0
data/lib/doorkeeper/openid_connect/oauth/authorization/token.rb +22 -0
data/lib/doorkeeper/openid_connect/orm/active_record.rb +9 -5
data/lib/doorkeeper/openid_connect/response_types_config.rb +17 -0
data/lib/doorkeeper/openid_connect/version.rb +1 -1
data/lib/doorkeeper/request/id_token.rb +17 -0
data/lib/doorkeeper/request/id_token_token.rb +17 -0
metadata +13 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 219908f8f6caf6cde4e1eeec48f764e6492afa08
-  data.tar.gz: ab569c90cf0681143d2c470dcebdb906644f082f
+  metadata.gz: 3533bb17ae7ec3e41b8c43eac5bd78cc34a9aed3
+  data.tar.gz: bfe300fda2bd2658eec78cc74c33f2c63856d121
 SHA512:
-  metadata.gz: 47affadec9efd1dd9b81b858b0e1e267a5fdbb5b930331caaa7e237a7312030f4d6ef78264069c6b1f0b21b25a7ca175583db3ca4a9bab48c49c5a5c2bd86837
-  data.tar.gz: 353324e6e880db3ae6af6987a2873173160ed350f41c8f26e38bcb4b6d53a2bac93f4fe2e5a01dd347fc6ab71081a6d6a419c342d90c9aabfcd0f7f683d5aacc
+  metadata.gz: 348b4ea59e13c2a1597d2d85a2961b183c0088c64d3f055539f13175c33d7269e7e66d70c1f4fa87a17ba8627ce8548d7070809274f0abf47476f90dc38e0a0f
+  data.tar.gz: cad47c48ac11b98c657706815748cae81eb8cba177fbfa1b1369cc9c21f26eb7000aff5e46ecb231e55fb8811ffdd1e4ea13952f3421e8c614ff341cba736489

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,11 @@
+<a name="v1.3.0"></a>
+### v1.3.0 (2018-03-05)
+### Features
+- Support for Implicit Flow (`response_type=id_token` and `response_type=id_token token`),
+  see the updated README for usage instructions (by @nashby, @nhance and @stevenvegt)
 <a name="v1.2.0"></a>
 ### v1.2.0 (2017-08-31)

data/CONTRIBUTING.md CHANGED Viewed

@@ -37,33 +37,6 @@ Things to avoid when creating commits:
 * Mixing two unrelated functional changes.
 * Sending large new features in a single giant commit.
-## Commit Message Conventions
-We use commit messages as per [Conventional Changelog](https://github.com/conventional-changelog/conventional-changelog):
-```none
-<type>(<scope>): <subject>
-```
-Allowed types:
-* **feature**: A new feature
-* **fix**: A bug fix
-* **docs**: Documentation only changes
-* **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, newline, line endings, etc)
-* **refactor**: A code change that neither fixes a bug or adds a feature
-* **perf**: A code change that improves performance
-* **test**: Adding missing tests
-* **chore**: Changes to the build process or auxiliary tools and libraries such as documentation generation
-You can add additional details after a new line to describe the change in detail or automatically close an issue on GitHub.
-```none
-feature: create initial CONTRIBUTING.md
-This closes #73
-```
 ## Release process
 - Bump version in `lib/doorkeeper/openid_connect/version.rb`

data/README.md CHANGED Viewed

@@ -12,6 +12,7 @@ OpenID Connect is a single-sign-on and identity layer with a [growing list of se
 ## Table of Contents
 - [Status](#status)
+  - [Example Applications](#example-applications)
 - [Installation](#installation)
 - [Configuration](#configuration)
   - [Scopes](#scopes)
@@ -27,6 +28,7 @@ OpenID Connect is a single-sign-on and identity layer with a [growing list of se
 The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html) are currently supported:
 - [Authentication using the Authorization Code Flow](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
+- [Implicit Flow](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth)
 - [Requesting Claims using Scope Values](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
 - [UserInfo Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
 - [Normal Claims](http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims)
@@ -35,6 +37,11 @@ In addition we also support most of [OpenID Connect Discovery 1.0](http://openid
 Take a look at the [DiscoveryController](app/controllers/doorkeeper/openid_connect/discovery_controller.rb) for more details on supported features.
+### Example Applications
+- [GitLab](https://gitlab.com/gitlab-org/gitlab-ce) ([original MR](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8018))
+- [Testing app for this gem](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/tree/master/spec/dummy)
 ## Installation
 Make sure your application is already set up with [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper#installation).
@@ -79,6 +86,12 @@ Verify your settings in `config/initializers/doorkeeper.rb`:
       end
     end
     ```
+- `grant_flows`
+  - If you want to use `id_token` or `id_token token` response types you need to add `implicit_oidc` to `grant_flows`:
+    ```ruby
+    grant_flows %w(authorization_code implicit_oidc)
+    ```
 The following settings are required in `config/initializers/doorkeeper_openid_connect.rb`:
@@ -90,7 +103,7 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
   - If you want to provide a different subject identifier to each client, use [pairwise subject identifier](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) with configurations like below.
     ```ruby
-    # config/initializers/doorkeeper_openid_connect.rb
+    # config/initializers/doorkeeper_openid_connect.rb
     Doorkeeper::OpenidConnect.configure do
     # ...
       subject_types_supported [:pairwise]

data/doorkeeper-openid_connect.gemspec CHANGED Viewed

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ">= 2.1"
-  spec.add_runtime_dependency 'doorkeeper', '~> 4.0'
+  spec.add_runtime_dependency 'doorkeeper', '~> 4.3'
   spec.add_runtime_dependency 'json-jwt', '~> 1.6'
   spec.add_development_dependency 'rspec-rails'

data/lib/doorkeeper/oauth/id_token_request.rb ADDED Viewed

@@ -0,0 +1,41 @@
+module Doorkeeper
+  module OAuth
+    class IdTokenRequest
+      attr_accessor :pre_auth, :auth, :resource_owner
+      def initialize(pre_auth, resource_owner)
+        @pre_auth       = pre_auth
+        @resource_owner = resource_owner
+      end
+      def authorize
+        if pre_auth.authorizable?
+          @auth = Authorization::Token.new(pre_auth, resource_owner)
+          @auth.issue_token
+          @response = response
+        else
+          @response = error_response
+        end
+      end
+      def deny
+        pre_auth.error = :access_denied
+        error_response
+      end
+      private
+      def response
+        id_token = Doorkeeper::OpenidConnect::IdToken.new(auth.token, pre_auth.nonce)
+        IdTokenResponse.new(pre_auth, auth, id_token)
+      end
+      def error_response
+        ErrorResponse.from_request pre_auth,
+                                   redirect_uri: pre_auth.redirect_uri,
+                                   response_on_fragment: true
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/id_token_response.rb ADDED Viewed

@@ -0,0 +1,28 @@
+module Doorkeeper
+  module OAuth
+    class IdTokenResponse < BaseResponse
+      include OAuth::Helpers
+      attr_accessor :pre_auth, :auth, :id_token
+      def initialize(pre_auth, auth, id_token)
+        @pre_auth = pre_auth
+        @auth = auth
+        @id_token = id_token
+      end
+      def redirectable?
+        true
+      end
+      def redirect_uri
+        Authorization::URIBuilder.uri_with_fragment(
+          pre_auth.redirect_uri,
+          expires_in: auth.token.expires_in_seconds,
+          state: pre_auth.state,
+          id_token: id_token.as_jws_token
+        )
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/id_token_token_request.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module Doorkeeper
+  module OAuth
+    class IdTokenTokenRequest < IdTokenRequest
+      private
+      def response
+        id_token_token = Doorkeeper::OpenidConnect::IdTokenToken.new(auth.token, pre_auth.nonce)
+        IdTokenTokenResponse.new(pre_auth, auth, id_token_token)
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/id_token_token_response.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module Doorkeeper
+  module OAuth
+    class IdTokenTokenResponse < IdTokenResponse
+      def redirect_uri
+        Authorization::URIBuilder.uri_with_fragment(
+          pre_auth.redirect_uri,
+          access_token: auth.token.token,
+          token_type: auth.token.token_type,
+          expires_in: auth.token.expires_in_seconds,
+          state: pre_auth.state,
+          id_token: id_token.as_jws_token
+        )
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect.rb CHANGED Viewed

@@ -2,13 +2,23 @@ require 'doorkeeper'
 require 'active_model'
 require 'json/jwt'
+require 'doorkeeper/request'
+require 'doorkeeper/request/id_token'
+require 'doorkeeper/request/id_token_token'
+require 'doorkeeper/oauth/id_token_request'
+require 'doorkeeper/oauth/id_token_token_request'
+require 'doorkeeper/oauth/id_token_response'
+require 'doorkeeper/oauth/id_token_token_response'
 require 'doorkeeper/openid_connect/claims_builder'
 require 'doorkeeper/openid_connect/claims/claim'
 require 'doorkeeper/openid_connect/claims/normal_claim'
 require 'doorkeeper/openid_connect/config'
+require 'doorkeeper/openid_connect/response_types_config'
 require 'doorkeeper/openid_connect/engine'
 require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
+require 'doorkeeper/openid_connect/id_token_token'
 require 'doorkeeper/openid_connect/user_info'
 require 'doorkeeper/openid_connect/version'

data/lib/doorkeeper/openid_connect/id_token.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module Doorkeeper
           exp: expiration,
           iat: issued_at,
           nonce: nonce,
-          auth_time: auth_time,
+          auth_time: auth_time
         }
       end

data/lib/doorkeeper/openid_connect/id_token_token.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module Doorkeeper
+  module OpenidConnect
+    class IdTokenToken < IdToken
+      def claims
+        super.merge(at_hash: at_hash)
+      end
+      private
+      # The at_hash is build according to the following standard:
+      #
+      # http://openid.net/specs/openid-connect-implicit-1_0.html#IDToken
+      #
+      # at_hash:
+      #   REQUIRED. Access Token hash value. If the ID Token is issued with an
+      #   access_token in an Implicit Flow, this is REQUIRED, which is the case
+      #   for this subset of OpenID Connect. Its value is the base64url encoding
+      #   of the left-most half of the hash of the octets of the ASCII
+      #   representation of the access_token value, where the hash algorithm
+      #   used is the hash algorithm used in the alg Header Parameter of the
+      #   ID Token's JOSE Header. For instance, if the alg is RS256, hash the
+      #   access_token value with SHA-256, then take the left-most 128 bits and
+      #   base64url-encode them. The at_hash value is a case-sensitive string.
+      def at_hash
+        sha256 = Digest::SHA256.new
+        token = @access_token.token
+        hashed_token = sha256.digest(token)
+        first_half = hashed_token[0...hashed_token.length / 2]
+        Base64.urlsafe_encode64(first_half).tr('=', '')
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect/oauth/authorization/token.rb ADDED Viewed

@@ -0,0 +1,22 @@
+module Doorkeeper
+  module OpenidConnect
+    module OAuth
+      module Authorization
+        module Code
+          def issue_token
+            super.tap do |access_grant|
+              if pre_auth.nonce.present?
+                ::Doorkeeper::OpenidConnect::Request.create!(
+                  access_grant: access_grant,
+                  nonce: pre_auth.nonce
+                )
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+  OAuth::Authorization::Code.send :prepend, OpenidConnect::OAuth::Authorization::Code
+end

data/lib/doorkeeper/openid_connect/orm/active_record.rb CHANGED Viewed

@@ -1,15 +1,19 @@
+require 'active_support/lazy_load_hooks'
 module Doorkeeper
   module OpenidConnect
     module Orm
       module ActiveRecord
         def initialize_models!
           super
-          require 'doorkeeper/openid_connect/orm/active_record/access_grant'
-          require 'doorkeeper/openid_connect/orm/active_record/request'
+          ActiveSupport.on_load(:active_record) do
+            require 'doorkeeper/openid_connect/orm/active_record/access_grant'
+            require 'doorkeeper/openid_connect/orm/active_record/request'
-          if Doorkeeper.configuration.active_record_options[:establish_connection]
-            [Doorkeeper::OpenidConnect::Request].each do |c|
-              c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]
+            if Doorkeeper.configuration.active_record_options[:establish_connection]
+              [Doorkeeper::OpenidConnect::Request].each do |c|
+                c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]
+              end
             end
           end
         end

data/lib/doorkeeper/openid_connect/response_types_config.rb ADDED Viewed

@@ -0,0 +1,17 @@
+module Doorkeeper
+  module OpenidConnect
+    module ResponseTypeConfig
+      private def calculate_authorization_response_types
+        types = super
+        if grant_flows.include? 'implicit_oidc'
+          types << 'token'
+          types << 'id_token'
+          types << 'id_token token'
+        end
+        types
+      end
+    end
+  end
+  Config.send :prepend, OpenidConnect::ResponseTypeConfig
+end

data/lib/doorkeeper/openid_connect/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.2.0'.freeze
+    VERSION = '1.3.0'.freeze
   end
 end

data/lib/doorkeeper/request/id_token.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require 'doorkeeper/request/strategy'
+module Doorkeeper
+  module Request
+    class IdToken < Strategy
+      delegate :current_resource_owner, to: :server
+      def pre_auth
+        server.context.send(:pre_auth)
+      end
+      def request
+        @request ||= OAuth::IdTokenRequest.new(pre_auth, current_resource_owner)
+      end
+    end
+  end
+end

data/lib/doorkeeper/request/id_token_token.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require 'doorkeeper/request/strategy'
+module Doorkeeper
+  module Request
+    class IdTokenToken < Strategy
+      delegate :current_resource_owner, to: :server
+      def pre_auth
+        server.context.send(:pre_auth)
+      end
+      def request
+        @request ||= OAuth::IdTokenTokenRequest.new(pre_auth, current_resource_owner)
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-08-31 00:00:00.000000000 Z
+date: 2018-03-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -17,14 +17,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.3'
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
@@ -132,6 +132,10 @@ files:
 - bin/setup
 - config/locales/en.yml
 - doorkeeper-openid_connect.gemspec
+- lib/doorkeeper/oauth/id_token_request.rb
+- lib/doorkeeper/oauth/id_token_response.rb
+- lib/doorkeeper/oauth/id_token_token_request.rb
+- lib/doorkeeper/oauth/id_token_token_response.rb
 - lib/doorkeeper/openid_connect.rb
 - lib/doorkeeper/openid_connect/claims/aggregated_claim.rb
 - lib/doorkeeper/openid_connect/claims/claim.rb
@@ -143,7 +147,9 @@ files:
 - lib/doorkeeper/openid_connect/errors.rb
 - lib/doorkeeper/openid_connect/helpers/controller.rb
 - lib/doorkeeper/openid_connect/id_token.rb
+- lib/doorkeeper/openid_connect/id_token_token.rb
 - lib/doorkeeper/openid_connect/oauth/authorization/code.rb
+- lib/doorkeeper/openid_connect/oauth/authorization/token.rb
 - lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb
 - lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb
 - lib/doorkeeper/openid_connect/oauth/pre_authorization.rb
@@ -154,8 +160,11 @@ files:
 - lib/doorkeeper/openid_connect/rails/routes.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapper.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapping.rb
+- lib/doorkeeper/openid_connect/response_types_config.rb
 - lib/doorkeeper/openid_connect/user_info.rb
 - lib/doorkeeper/openid_connect/version.rb
+- lib/doorkeeper/request/id_token.rb
+- lib/doorkeeper/request/id_token_token.rb
 - lib/generators/doorkeeper/openid_connect/install_generator.rb
 - lib/generators/doorkeeper/openid_connect/migration_generator.rb
 - lib/generators/doorkeeper/openid_connect/templates/initializer.rb