doorkeeper-openid_connect 1.4.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: defedf139499d938426be645c79d6ebb7820ecd4baf0ba3ba6c336d34a875ac4
-  data.tar.gz: 3f15400f9072e08e94b4a9cf981eda471cbe40b42a36fcf4677f2c3ab7c90baa
+  metadata.gz: 5172b552ec9538b0240ad89c267e8037dd9b80af545d8be200d68b576cf9b3d2
+  data.tar.gz: c04817d1e4f4eb63820f90e020ce512ae9b83595b0cada119a18c40cd24c84cf
 SHA512:
-  metadata.gz: 1e14d1999dd2e03825db07580b0f09543ec7d71774e9362481873c27bc75fc5752396cb0b3c707756a07e7d45df50437386d61eabe41b883bddc8e9c6a1da860
-  data.tar.gz: 8c0b028d6062dff302ec108f3f893f1f36a0e2f75a6f1829688fc7b5d81ae335949bb7d6b3308d3532c0cbd91f0c1f569ec11b05511e60b2357e080e1cfb9d57
+  metadata.gz: 1c3fd78060e9f2404b3b31e33d7d5331080ed2598db62bed1f464be0423954be784d8183b7960ce887a5bbd1a9bb60498d8992009b2ee05499ffae09a7c43be4
+  data.tar.gz: dd96da3ef9d513120cd3b06db8dbfd5e37cfb97807e57cd109217765becd84548f969141caeb3b14c30f549e1dec94ac92f2bd55fe886dc2e01954397f7d327b

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## Unreleased
 
+No changes yet.
+
+## v1.5.0 (2018-06-27)
+
+### Features
+
+- Custom claims can now also be returned directly in the ID token, see the updated README for usage instructions
+
 ## v1.4.0 (2018-05-31)
 
 ### Upgrading

data/README.md

@@ -115,8 +115,8 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
     end
     ```
 
-- `jws_private_key`
-  - Private key for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31).
+- `signing_key`
+  - Private key to be used for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31).
   - You can generate a private key with the `openssl` command, see e.g. [Generate an RSA keypair using OpenSSL](https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL).
   - You should not commit the key to your repository, but use an external file (in combination with `File.read`) and/or the [dotenv-rails](https://github.com/bkeepers/dotenv) gem (in combination with `ENV[...]`).
 - `signing_algorithm`
@@ -174,11 +174,17 @@ Doorkeeper::OpenidConnect.configure do
       # `profile` scope access. Otherwise, provide a more generic alternative.
       application_scopes.exists?(:profile) ? resource_owner.preferred_username : "summer-sun-9449"
     end
+
+    claim :groups, response: [:id_token, :user_info] do |resource_owner|
+      resource_owner.groups
+    end
   end
 end
 ```
 
-You can pass a `scope:` keyword argument on each claim to specify which OAuth scope should be required to access the claim. If you define any of the defined [Standard Claims](http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) they will by default use their [corresponding scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) (`profile`, `email`, `address` and `phone`), and any other claims will by default use the `profile` scope. Again, to use any of these scopes you need to enable them as described above.
+By default all custom claims are only returned from the `UserInfo` endpoint and not included in the ID token. You can optionally pass a `response:` keyword with one or both of the symbols `:id_token` or `:user_info` to specify where the claim should be returned.
+
+You can also pass a `scope:` keyword argument on each claim to specify which OAuth scope should be required to access the claim. If you define any of the defined [Standard Claims](http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) they will by default use their [corresponding scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) (`profile`, `email`, `address` and `phone`), and any other claims will by default use the `profile` scope. Again, to use any of these scopes you need to enable them as described above.
 
 ### Routes
 

data/lib/doorkeeper/openid_connect/claims/claim.rb

@@ -2,7 +2,7 @@ module Doorkeeper
   module OpenidConnect
     module Claims
       class Claim
-        attr_accessor :name, :scope
+        attr_accessor :name, :response, :scope
 
         # http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
         # http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
@@ -18,6 +18,7 @@ module Doorkeeper
 
         def initialize(options = {})
           @name = options[:name].to_sym
+          @response = Array.wrap(options[:response])
           @scope = options[:scope].to_sym if options[:scope]
 
           # use default scope for Standard Claims

data/lib/doorkeeper/openid_connect/claims_builder.rb

@@ -3,6 +3,16 @@ require 'ostruct'
 module Doorkeeper
   module OpenidConnect
     class ClaimsBuilder
+      def self.generate(access_token, response)
+        resource_owner = Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token.call(access_token)
+
+        Doorkeeper::OpenidConnect.configuration.claims.to_h.map do |name, claim|
+          if access_token.scopes.exists?(claim.scope) && claim.response.include?(response)
+            [name, claim.generator.call(resource_owner, access_token.scopes, access_token)]
+          end
+        end.compact.to_h
+      end
+
       def initialize(&block)
         @claims = OpenStruct.new
         instance_eval(&block)
@@ -12,10 +22,11 @@ module Doorkeeper
         @claims
       end
 
-      def normal_claim(name, scope: nil, &block)
+      def normal_claim(name, response: [:user_info], scope: nil, &block)
         @claims[name] =
           Claims::NormalClaim.new(
             name: name,
+            response: response,
             scope: scope,
             generator: block
           )

data/lib/doorkeeper/openid_connect/id_token.rb

@@ -21,7 +21,7 @@ module Doorkeeper
           iat: issued_at,
           nonce: nonce,
           auth_time: auth_time
-        }
+        }.merge ClaimsBuilder.generate(@access_token, :id_token)
       end
 
       def as_json(*_)

data/lib/doorkeeper/openid_connect/user_info.rb

@@ -8,7 +8,9 @@ module Doorkeeper
       end
 
       def claims
-        base_claims.merge resource_owner_claims
+        {
+          sub: subject
+        }.merge ClaimsBuilder.generate(@access_token, :user_info)
       end
 
       def as_json(*_)
@@ -17,20 +19,6 @@ module Doorkeeper
 
       private
 
-      def base_claims
-        {
-          sub: subject
-        }
-      end
-
-      def resource_owner_claims
-        Doorkeeper::OpenidConnect.configuration.claims.to_h.map do |name, claim|
-          if scopes.exists? claim.scope
-            [name, claim.generator.call(resource_owner, scopes, @access_token)]
-          end
-        end.compact.to_h
-      end
-
       def subject
         Doorkeeper::OpenidConnect.configuration.subject.call(resource_owner, application).to_s
       end
@@ -42,10 +30,6 @@ module Doorkeeper
       def application
         @application ||= @access_token.application
       end
-
-      def scopes
-        @scopes ||= @access_token.scopes
-      end
     end
   end
 end

data/lib/doorkeeper/openid_connect/version.rb

@@ -1,5 +1,5 @@
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.4.0'.freeze
+    VERSION = '1.5.0'.freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-31 00:00:00.000000000 Z
+date: 2018-06-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper