RubyGems - doorkeeper-openid_connect - Versions diffs - 1.2.0 → 1.3.0 - Mend

doorkeeper-openid_connect 1.2.0 → 1.3.0

Files changed (19) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +8 -0
data/CONTRIBUTING.md +0 -27
data/README.md +14 -1
data/doorkeeper-openid_connect.gemspec +1 -1
data/lib/doorkeeper/oauth/id_token_request.rb +41 -0
data/lib/doorkeeper/oauth/id_token_response.rb +28 -0
data/lib/doorkeeper/oauth/id_token_token_request.rb +13 -0
data/lib/doorkeeper/oauth/id_token_token_response.rb +16 -0
data/lib/doorkeeper/openid_connect.rb +10 -0
data/lib/doorkeeper/openid_connect/id_token.rb +1 -1
data/lib/doorkeeper/openid_connect/id_token_token.rb +33 -0
data/lib/doorkeeper/openid_connect/oauth/authorization/token.rb +22 -0
data/lib/doorkeeper/openid_connect/orm/active_record.rb +9 -5
data/lib/doorkeeper/openid_connect/response_types_config.rb +17 -0
data/lib/doorkeeper/openid_connect/version.rb +1 -1
data/lib/doorkeeper/request/id_token.rb +17 -0
data/lib/doorkeeper/request/id_token_token.rb +17 -0
metadata +13 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 219908f8f6caf6cde4e1eeec48f764e6492afa08
-  data.tar.gz: ab569c90cf0681143d2c470dcebdb906644f082f
+  metadata.gz: 3533bb17ae7ec3e41b8c43eac5bd78cc34a9aed3
+  data.tar.gz: bfe300fda2bd2658eec78cc74c33f2c63856d121
 SHA512:
-  metadata.gz: 47affadec9efd1dd9b81b858b0e1e267a5fdbb5b930331caaa7e237a7312030f4d6ef78264069c6b1f0b21b25a7ca175583db3ca4a9bab48c49c5a5c2bd86837
-  data.tar.gz: 353324e6e880db3ae6af6987a2873173160ed350f41c8f26e38bcb4b6d53a2bac93f4fe2e5a01dd347fc6ab71081a6d6a419c342d90c9aabfcd0f7f683d5aacc
+  metadata.gz: 348b4ea59e13c2a1597d2d85a2961b183c0088c64d3f055539f13175c33d7269e7e66d70c1f4fa87a17ba8627ce8548d7070809274f0abf47476f90dc38e0a0f
+  data.tar.gz: cad47c48ac11b98c657706815748cae81eb8cba177fbfa1b1369cc9c21f26eb7000aff5e46ecb231e55fb8811ffdd1e4ea13952f3421e8c614ff341cba736489

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,11 @@
+<a name="v1.3.0"></a>
+### v1.3.0 (2018-03-05)
+### Features
+- Support for Implicit Flow (`response_type=id_token` and `response_type=id_token token`),
+  see the updated README for usage instructions (by @nashby, @nhance and @stevenvegt)
 <a name="v1.2.0"></a>
 ### v1.2.0 (2017-08-31)

data/CONTRIBUTING.md CHANGED Viewed

@@ -37,33 +37,6 @@ Things to avoid when creating commits:
 * Mixing two unrelated functional changes.
 * Sending large new features in a single giant commit.
-## Commit Message Conventions
-We use commit messages as per [Conventional Changelog](https://github.com/conventional-changelog/conventional-changelog):
-```none
-<type>(<scope>): <subject>
-```
-Allowed types:
-* **feature**: A new feature
-* **fix**: A bug fix
-* **docs**: Documentation only changes
-* **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, newline, line endings, etc)
-* **refactor**: A code change that neither fixes a bug or adds a feature
-* **perf**: A code change that improves performance
-* **test**: Adding missing tests
-* **chore**: Changes to the build process or auxiliary tools and libraries such as documentation generation
-You can add additional details after a new line to describe the change in detail or automatically close an issue on GitHub.
-```none
-feature: create initial CONTRIBUTING.md
-This closes #73
-```
 ## Release process
 - Bump version in `lib/doorkeeper/openid_connect/version.rb`

data/README.md CHANGED Viewed

@@ -12,6 +12,7 @@ OpenID Connect is a single-sign-on and identity layer with a [growing list of se
 ## Table of Contents
 - [Status](#status)
+  - [Example Applications](#example-applications)
 - [Installation](#installation)
 - [Configuration](#configuration)
   - [Scopes](#scopes)
@@ -27,6 +28,7 @@ OpenID Connect is a single-sign-on and identity layer with a [growing list of se
 The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html) are currently supported:
 - [Authentication using the Authorization Code Flow](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
+- [Implicit Flow](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth)
 - [Requesting Claims using Scope Values](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
 - [UserInfo Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
 - [Normal Claims](http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims)
@@ -35,6 +37,11 @@ In addition we also support most of [OpenID Connect Discovery 1.0](http://openid
 Take a look at the [DiscoveryController](app/controllers/doorkeeper/openid_connect/discovery_controller.rb) for more details on supported features.
+### Example Applications
+- [GitLab](https://gitlab.com/gitlab-org/gitlab-ce) ([original MR](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8018))
+- [Testing app for this gem](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/tree/master/spec/dummy)
 ## Installation
 Make sure your application is already set up with [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper#installation).
@@ -79,6 +86,12 @@ Verify your settings in `config/initializers/doorkeeper.rb`:
       end
     end
     ```
+- `grant_flows`
+  - If you want to use `id_token` or `id_token token` response types you need to add `implicit_oidc` to `grant_flows`:
+    ```ruby
+    grant_flows %w(authorization_code implicit_oidc)
+    ```
 The following settings are required in `config/initializers/doorkeeper_openid_connect.rb`:
@@ -90,7 +103,7 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
   - If you want to provide a different subject identifier to each client, use [pairwise subject identifier](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) with configurations like below.
     ```ruby
-    # config/initializers/doorkeeper_openid_connect.rb
+    # config/initializers/doorkeeper_openid_connect.rb
     Doorkeeper::OpenidConnect.configure do
     # ...
       subject_types_supported [:pairwise]

data/doorkeeper-openid_connect.gemspec CHANGED Viewed

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ">= 2.1"
-  spec.add_runtime_dependency 'doorkeeper', '~> 4.0'
+  spec.add_runtime_dependency 'doorkeeper', '~> 4.3'
   spec.add_runtime_dependency 'json-jwt', '~> 1.6'
   spec.add_development_dependency 'rspec-rails'

data/lib/doorkeeper/oauth/id_token_request.rb ADDED Viewed

@@ -0,0 +1,41 @@
+module Doorkeeper
+  module OAuth
+    class IdTokenRequest
+      attr_accessor :pre_auth, :auth, :resource_owner
+      def initialize(pre_auth, resource_owner)
+        @pre_auth       = pre_auth
+        @resource_owner = resource_owner
+      end
+      def authorize
+        if pre_auth.authorizable?
+          @auth = Authorization::Token.new(pre_auth, resource_owner)
+          @auth.issue_token
+          @response = response
+        else
+          @response = error_response
+        end
+      end
+      def deny
+        pre_auth.error = :access_denied
+        error_response
+      end
+      private
+      def response
+        id_token = Doorkeeper::OpenidConnect::IdToken.new(auth.token, pre_auth.nonce)
+        IdTokenResponse.new(pre_auth, auth, id_token)
+      end
+      def error_response
+        ErrorResponse.from_request pre_auth,
+                                   redirect_uri: pre_auth.redirect_uri,
+                                   response_on_fragment: true
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/id_token_response.rb ADDED Viewed

@@ -0,0 +1,28 @@
+module Doorkeeper
+  module OAuth
+    class IdTokenResponse < BaseResponse
+      include OAuth::Helpers
+      attr_accessor :pre_auth, :auth, :id_token
+      def initialize(pre_auth, auth, id_token)
+        @pre_auth = pre_auth
+        @auth = auth
+        @id_token = id_token
+      end
+      def redirectable?
+        true
+      end
+      def redirect_uri
+        Authorization::URIBuilder.uri_with_fragment(
+          pre_auth.redirect_uri,
+          expires_in: auth.token.expires_in_seconds,
+          state: pre_auth.state,
+          id_token: id_token.as_jws_token
+        )
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/id_token_token_request.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module Doorkeeper
+  module OAuth
+    class IdTokenTokenRequest < IdTokenRequest
+      private
+      def response
+        id_token_token = Doorkeeper::OpenidConnect::IdTokenToken.new(auth.token, pre_auth.nonce)
+        IdTokenTokenResponse.new(pre_auth, auth, id_token_token)
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/id_token_token_response.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module Doorkeeper
+  module OAuth
+    class IdTokenTokenResponse < IdTokenResponse
+      def redirect_uri
+        Authorization::URIBuilder.uri_with_fragment(
+          pre_auth.redirect_uri,
+          access_token: auth.token.token,
+          token_type: auth.token.token_type,
+          expires_in: auth.token.expires_in_seconds,
+          state: pre_auth.state,
+          id_token: id_token.as_jws_token
+        )
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect.rb CHANGED Viewed

@@ -2,13 +2,23 @@ require 'doorkeeper'
 require 'active_model'
 require 'json/jwt'
+require 'doorkeeper/request'
+require 'doorkeeper/request/id_token'
+require 'doorkeeper/request/id_token_token'
+require 'doorkeeper/oauth/id_token_request'
+require 'doorkeeper/oauth/id_token_token_request'
+require 'doorkeeper/oauth/id_token_response'
+require 'doorkeeper/oauth/id_token_token_response'
 require 'doorkeeper/openid_connect/claims_builder'
 require 'doorkeeper/openid_connect/claims/claim'
 require 'doorkeeper/openid_connect/claims/normal_claim'
 require 'doorkeeper/openid_connect/config'
+require 'doorkeeper/openid_connect/response_types_config'
 require 'doorkeeper/openid_connect/engine'
 require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
+require 'doorkeeper/openid_connect/id_token_token'
 require 'doorkeeper/openid_connect/user_info'
 require 'doorkeeper/openid_connect/version'

data/lib/doorkeeper/openid_connect/id_token.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module Doorkeeper
           exp: expiration,
           iat: issued_at,
           nonce: nonce,
-          auth_time: auth_time,
+          auth_time: auth_time
         }
       end

data/lib/doorkeeper/openid_connect/id_token_token.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module Doorkeeper
+  module OpenidConnect
+    class IdTokenToken < IdToken
+      def claims
+        super.merge(at_hash: at_hash)
+      end
+      private
+      # The at_hash is build according to the following standard:
+      #
+      # http://openid.net/specs/openid-connect-implicit-1_0.html#IDToken
+      #
+      # at_hash:
+      #   REQUIRED. Access Token hash value. If the ID Token is issued with an
+      #   access_token in an Implicit Flow, this is REQUIRED, which is the case
+      #   for this subset of OpenID Connect. Its value is the base64url encoding
+      #   of the left-most half of the hash of the octets of the ASCII
+      #   representation of the access_token value, where the hash algorithm
+      #   used is the hash algorithm used in the alg Header Parameter of the
+      #   ID Token's JOSE Header. For instance, if the alg is RS256, hash the
+      #   access_token value with SHA-256, then take the left-most 128 bits and
+      #   base64url-encode them. The at_hash value is a case-sensitive string.
+      def at_hash
+        sha256 = Digest::SHA256.new
+        token = @access_token.token
+        hashed_token = sha256.digest(token)
+        first_half = hashed_token[0...hashed_token.length / 2]
+        Base64.urlsafe_encode64(first_half).tr('=', '')
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect/oauth/authorization/token.rb ADDED Viewed

@@ -0,0 +1,22 @@
+module Doorkeeper
+  module OpenidConnect
+    module OAuth
+      module Authorization
+        module Code
+          def issue_token
+            super.tap do |access_grant|
+              if pre_auth.nonce.present?
+                ::Doorkeeper::OpenidConnect::Request.create!(
+                  access_grant: access_grant,
+                  nonce: pre_auth.nonce
+                )
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+  OAuth::Authorization::Code.send :prepend, OpenidConnect::OAuth::Authorization::Code
+end

data/lib/doorkeeper/openid_connect/orm/active_record.rb CHANGED Viewed

@@ -1,15 +1,19 @@
+require 'active_support/lazy_load_hooks'
 module Doorkeeper
   module OpenidConnect
     module Orm
       module ActiveRecord
         def initialize_models!
           super
-          require 'doorkeeper/openid_connect/orm/active_record/access_grant'
-          require 'doorkeeper/openid_connect/orm/active_record/request'
+          ActiveSupport.on_load(:active_record) do
+            require 'doorkeeper/openid_connect/orm/active_record/access_grant'
+            require 'doorkeeper/openid_connect/orm/active_record/request'
-          if Doorkeeper.configuration.active_record_options[:establish_connection]
-            [Doorkeeper::OpenidConnect::Request].each do |c|
-              c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]
+            if Doorkeeper.configuration.active_record_options[:establish_connection]
+              [Doorkeeper::OpenidConnect::Request].each do |c|
+                c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]
+              end
             end
           end
         end

data/lib/doorkeeper/openid_connect/response_types_config.rb ADDED Viewed

@@ -0,0 +1,17 @@
+module Doorkeeper
+  module OpenidConnect
+    module ResponseTypeConfig
+      private def calculate_authorization_response_types
+        types = super
+        if grant_flows.include? 'implicit_oidc'
+          types << 'token'
+          types << 'id_token'
+          types << 'id_token token'
+        end
+        types
+      end
+    end
+  end
+  Config.send :prepend, OpenidConnect::ResponseTypeConfig
+end

data/lib/doorkeeper/openid_connect/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.2.0'.freeze
+    VERSION = '1.3.0'.freeze
   end
 end

data/lib/doorkeeper/request/id_token.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require 'doorkeeper/request/strategy'
+module Doorkeeper
+  module Request
+    class IdToken < Strategy
+      delegate :current_resource_owner, to: :server
+      def pre_auth
+        server.context.send(:pre_auth)
+      end
+      def request
+        @request ||= OAuth::IdTokenRequest.new(pre_auth, current_resource_owner)
+      end
+    end
+  end
+end

data/lib/doorkeeper/request/id_token_token.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require 'doorkeeper/request/strategy'
+module Doorkeeper
+  module Request
+    class IdTokenToken < Strategy
+      delegate :current_resource_owner, to: :server
+      def pre_auth
+        server.context.send(:pre_auth)
+      end
+      def request
+        @request ||= OAuth::IdTokenTokenRequest.new(pre_auth, current_resource_owner)
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-08-31 00:00:00.000000000 Z
+date: 2018-03-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -17,14 +17,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.3'
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
@@ -132,6 +132,10 @@ files:
 - bin/setup
 - config/locales/en.yml
 - doorkeeper-openid_connect.gemspec
+- lib/doorkeeper/oauth/id_token_request.rb
+- lib/doorkeeper/oauth/id_token_response.rb
+- lib/doorkeeper/oauth/id_token_token_request.rb
+- lib/doorkeeper/oauth/id_token_token_response.rb
 - lib/doorkeeper/openid_connect.rb
 - lib/doorkeeper/openid_connect/claims/aggregated_claim.rb
 - lib/doorkeeper/openid_connect/claims/claim.rb
@@ -143,7 +147,9 @@ files:
 - lib/doorkeeper/openid_connect/errors.rb
 - lib/doorkeeper/openid_connect/helpers/controller.rb
 - lib/doorkeeper/openid_connect/id_token.rb
+- lib/doorkeeper/openid_connect/id_token_token.rb
 - lib/doorkeeper/openid_connect/oauth/authorization/code.rb
+- lib/doorkeeper/openid_connect/oauth/authorization/token.rb
 - lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb
 - lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb
 - lib/doorkeeper/openid_connect/oauth/pre_authorization.rb
@@ -154,8 +160,11 @@ files:
 - lib/doorkeeper/openid_connect/rails/routes.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapper.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapping.rb
+- lib/doorkeeper/openid_connect/response_types_config.rb
 - lib/doorkeeper/openid_connect/user_info.rb
 - lib/doorkeeper/openid_connect/version.rb
+- lib/doorkeeper/request/id_token.rb
+- lib/doorkeeper/request/id_token_token.rb
 - lib/generators/doorkeeper/openid_connect/install_generator.rb
 - lib/generators/doorkeeper/openid_connect/migration_generator.rb
 - lib/generators/doorkeeper/openid_connect/templates/initializer.rb