doorkeeper-openid_connect 1.4.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of doorkeeper-openid_connect might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/README.md +9 -3
- data/lib/doorkeeper/openid_connect/claims/claim.rb +2 -1
- data/lib/doorkeeper/openid_connect/claims_builder.rb +12 -1
- data/lib/doorkeeper/openid_connect/id_token.rb +1 -1
- data/lib/doorkeeper/openid_connect/user_info.rb +3 -19
- data/lib/doorkeeper/openid_connect/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5172b552ec9538b0240ad89c267e8037dd9b80af545d8be200d68b576cf9b3d2
|
|
4
|
+
data.tar.gz: c04817d1e4f4eb63820f90e020ce512ae9b83595b0cada119a18c40cd24c84cf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1c3fd78060e9f2404b3b31e33d7d5331080ed2598db62bed1f464be0423954be784d8183b7960ce887a5bbd1a9bb60498d8992009b2ee05499ffae09a7c43be4
|
|
7
|
+
data.tar.gz: dd96da3ef9d513120cd3b06db8dbfd5e37cfb97807e57cd109217765becd84548f969141caeb3b14c30f549e1dec94ac92f2bd55fe886dc2e01954397f7d327b
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -115,8 +115,8 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
|
|
|
115
115
|
end
|
|
116
116
|
```
|
|
117
117
|
|
|
118
|
-
- `
|
|
119
|
-
- Private key for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31).
|
|
118
|
+
- `signing_key`
|
|
119
|
+
- Private key to be used for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31).
|
|
120
120
|
- You can generate a private key with the `openssl` command, see e.g. [Generate an RSA keypair using OpenSSL](https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL).
|
|
121
121
|
- You should not commit the key to your repository, but use an external file (in combination with `File.read`) and/or the [dotenv-rails](https://github.com/bkeepers/dotenv) gem (in combination with `ENV[...]`).
|
|
122
122
|
- `signing_algorithm`
|
|
@@ -174,11 +174,17 @@ Doorkeeper::OpenidConnect.configure do
|
|
|
174
174
|
# `profile` scope access. Otherwise, provide a more generic alternative.
|
|
175
175
|
application_scopes.exists?(:profile) ? resource_owner.preferred_username : "summer-sun-9449"
|
|
176
176
|
end
|
|
177
|
+
|
|
178
|
+
claim :groups, response: [:id_token, :user_info] do |resource_owner|
|
|
179
|
+
resource_owner.groups
|
|
180
|
+
end
|
|
177
181
|
end
|
|
178
182
|
end
|
|
179
183
|
```
|
|
180
184
|
|
|
181
|
-
|
|
185
|
+
By default all custom claims are only returned from the `UserInfo` endpoint and not included in the ID token. You can optionally pass a `response:` keyword with one or both of the symbols `:id_token` or `:user_info` to specify where the claim should be returned.
|
|
186
|
+
|
|
187
|
+
You can also pass a `scope:` keyword argument on each claim to specify which OAuth scope should be required to access the claim. If you define any of the defined [Standard Claims](http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) they will by default use their [corresponding scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) (`profile`, `email`, `address` and `phone`), and any other claims will by default use the `profile` scope. Again, to use any of these scopes you need to enable them as described above.
|
|
182
188
|
|
|
183
189
|
### Routes
|
|
184
190
|
|
|
@@ -2,7 +2,7 @@ module Doorkeeper
|
|
|
2
2
|
module OpenidConnect
|
|
3
3
|
module Claims
|
|
4
4
|
class Claim
|
|
5
|
-
attr_accessor :name, :scope
|
|
5
|
+
attr_accessor :name, :response, :scope
|
|
6
6
|
|
|
7
7
|
# http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
|
|
8
8
|
# http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
|
|
@@ -18,6 +18,7 @@ module Doorkeeper
|
|
|
18
18
|
|
|
19
19
|
def initialize(options = {})
|
|
20
20
|
@name = options[:name].to_sym
|
|
21
|
+
@response = Array.wrap(options[:response])
|
|
21
22
|
@scope = options[:scope].to_sym if options[:scope]
|
|
22
23
|
|
|
23
24
|
# use default scope for Standard Claims
|
|
@@ -3,6 +3,16 @@ require 'ostruct'
|
|
|
3
3
|
module Doorkeeper
|
|
4
4
|
module OpenidConnect
|
|
5
5
|
class ClaimsBuilder
|
|
6
|
+
def self.generate(access_token, response)
|
|
7
|
+
resource_owner = Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token.call(access_token)
|
|
8
|
+
|
|
9
|
+
Doorkeeper::OpenidConnect.configuration.claims.to_h.map do |name, claim|
|
|
10
|
+
if access_token.scopes.exists?(claim.scope) && claim.response.include?(response)
|
|
11
|
+
[name, claim.generator.call(resource_owner, access_token.scopes, access_token)]
|
|
12
|
+
end
|
|
13
|
+
end.compact.to_h
|
|
14
|
+
end
|
|
15
|
+
|
|
6
16
|
def initialize(&block)
|
|
7
17
|
@claims = OpenStruct.new
|
|
8
18
|
instance_eval(&block)
|
|
@@ -12,10 +22,11 @@ module Doorkeeper
|
|
|
12
22
|
@claims
|
|
13
23
|
end
|
|
14
24
|
|
|
15
|
-
def normal_claim(name, scope: nil, &block)
|
|
25
|
+
def normal_claim(name, response: [:user_info], scope: nil, &block)
|
|
16
26
|
@claims[name] =
|
|
17
27
|
Claims::NormalClaim.new(
|
|
18
28
|
name: name,
|
|
29
|
+
response: response,
|
|
19
30
|
scope: scope,
|
|
20
31
|
generator: block
|
|
21
32
|
)
|
|
@@ -8,7 +8,9 @@ module Doorkeeper
|
|
|
8
8
|
end
|
|
9
9
|
|
|
10
10
|
def claims
|
|
11
|
-
|
|
11
|
+
{
|
|
12
|
+
sub: subject
|
|
13
|
+
}.merge ClaimsBuilder.generate(@access_token, :user_info)
|
|
12
14
|
end
|
|
13
15
|
|
|
14
16
|
def as_json(*_)
|
|
@@ -17,20 +19,6 @@ module Doorkeeper
|
|
|
17
19
|
|
|
18
20
|
private
|
|
19
21
|
|
|
20
|
-
def base_claims
|
|
21
|
-
{
|
|
22
|
-
sub: subject
|
|
23
|
-
}
|
|
24
|
-
end
|
|
25
|
-
|
|
26
|
-
def resource_owner_claims
|
|
27
|
-
Doorkeeper::OpenidConnect.configuration.claims.to_h.map do |name, claim|
|
|
28
|
-
if scopes.exists? claim.scope
|
|
29
|
-
[name, claim.generator.call(resource_owner, scopes, @access_token)]
|
|
30
|
-
end
|
|
31
|
-
end.compact.to_h
|
|
32
|
-
end
|
|
33
|
-
|
|
34
22
|
def subject
|
|
35
23
|
Doorkeeper::OpenidConnect.configuration.subject.call(resource_owner, application).to_s
|
|
36
24
|
end
|
|
@@ -42,10 +30,6 @@ module Doorkeeper
|
|
|
42
30
|
def application
|
|
43
31
|
@application ||= @access_token.application
|
|
44
32
|
end
|
|
45
|
-
|
|
46
|
-
def scopes
|
|
47
|
-
@scopes ||= @access_token.scopes
|
|
48
|
-
end
|
|
49
33
|
end
|
|
50
34
|
end
|
|
51
35
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: doorkeeper-openid_connect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Dengler
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2018-
|
|
12
|
+
date: 2018-06-27 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: doorkeeper
|