doorkeeper-openid_connect 1.5.3 → 1.5.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/CHANGELOG.md +19 -4
- data/Gemfile +4 -0
- data/README.md +13 -3
- data/doorkeeper-openid_connect.gemspec +1 -1
- data/lib/doorkeeper/oauth/id_token_response.rb +8 -3
- data/lib/doorkeeper/oauth/id_token_token_response.rb +6 -8
- data/lib/doorkeeper/openid_connect/helpers/controller.rb +18 -8
- data/lib/doorkeeper/openid_connect/version.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b09a17901bf54012e9d0fa0e454e34fd3f12c146fe41d7e40d19124718c95186
|
|
4
|
+
data.tar.gz: 7a0e5dac4ccde54639a9f6e73f7550c3a1d86b051c0225beb7186f5ca667000e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 45106e01b76d5f0f9727e9ad83bac894627b463fd32741cce898a54b4f2e9716a7c75ed701f0f9ef044b73e31f7f067673442defae26edf1e8591cc8d2a402ef
|
|
7
|
+
data.tar.gz: b2036d745efe2c848a531a0b29a9b6d26b0c10071ffc258a6ff607b238d95fe003fca4a29a7b395f073749f101c7283ccd3994731a9f0efcea285b41e175f59d
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.6.
|
|
1
|
+
2.6.1
|
data/CHANGELOG.md
CHANGED
|
@@ -2,29 +2,44 @@
|
|
|
2
2
|
|
|
3
3
|
No changes yet.
|
|
4
4
|
|
|
5
|
+
## v1.5.4 (2019-02-15)
|
|
6
|
+
|
|
7
|
+
### Bugfixes
|
|
8
|
+
|
|
9
|
+
- [#66] Fix an open redirect vulnerability (thanks to @meagar)
|
|
10
|
+
- [#67] Don't delete existing tokens with `prompt=consent` (thanks to @nov)
|
|
11
|
+
|
|
12
|
+
### Changes
|
|
13
|
+
|
|
14
|
+
- [#62] Support customization of redirect params in `id_token` and `id_token token` responses (thanks to @meagar)
|
|
15
|
+
|
|
5
16
|
## v1.5.3 (2019-01-19)
|
|
6
17
|
|
|
18
|
+
### Bugfixes
|
|
19
|
+
|
|
20
|
+
- [#60] Don't break native authorization in Doorkeeper 5.x
|
|
21
|
+
|
|
7
22
|
### Changes
|
|
8
23
|
|
|
9
|
-
- Use versioned migrations for Rails 5.x (thanks to @tvongaza)
|
|
24
|
+
- [#58] Use versioned migrations for Rails 5.x (thanks to @tvongaza)
|
|
10
25
|
|
|
11
26
|
## v1.5.2 (2018-09-04)
|
|
12
27
|
|
|
13
28
|
### Changes
|
|
14
29
|
|
|
15
|
-
- The previous release was a bit premature, this fixes some compatibility issues with Doorkeeper 5.x
|
|
30
|
+
- [#56] The previous release was a bit premature, this fixes some compatibility issues with Doorkeeper 5.x
|
|
16
31
|
|
|
17
32
|
## v1.5.1 (2018-09-04)
|
|
18
33
|
|
|
19
34
|
### Changes
|
|
20
35
|
|
|
21
|
-
- This gem is now compatible with Doorkeeper 5.x
|
|
36
|
+
- [#55] This gem is now compatible with Doorkeeper 5.x
|
|
22
37
|
|
|
23
38
|
## v1.5.0 (2018-06-27)
|
|
24
39
|
|
|
25
40
|
### Features
|
|
26
41
|
|
|
27
|
-
- Custom claims can now also be returned directly in the ID token, see the updated README for usage instructions
|
|
42
|
+
- [#52] Custom claims can now also be returned directly in the ID token, see the updated README for usage instructions
|
|
28
43
|
|
|
29
44
|
## v1.4.0 (2018-05-31)
|
|
30
45
|
|
data/Gemfile
CHANGED
data/README.md
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
# Doorkeeper::OpenidConnect
|
|
2
2
|
|
|
3
3
|
[](https://travis-ci.org/doorkeeper-gem/doorkeeper-openid_connect)
|
|
4
|
-
[](https://gemnasium.com/doorkeeper-gem/doorkeeper-openid_connect)
|
|
5
4
|
[](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
|
|
6
5
|
[](https://rubygems.org/gems/doorkeeper-openid_connect)
|
|
7
6
|
|
|
@@ -12,6 +11,7 @@ OpenID Connect is a single-sign-on and identity layer with a [growing list of se
|
|
|
12
11
|
## Table of Contents
|
|
13
12
|
|
|
14
13
|
- [Status](#status)
|
|
14
|
+
- [Known Issues](#known-issues)
|
|
15
15
|
- [Example Applications](#example-applications)
|
|
16
16
|
- [Installation](#installation)
|
|
17
17
|
- [Configuration](#configuration)
|
|
@@ -37,6 +37,10 @@ In addition we also support most of [OpenID Connect Discovery 1.0](http://openid
|
|
|
37
37
|
|
|
38
38
|
Take a look at the [DiscoveryController](app/controllers/doorkeeper/openid_connect/discovery_controller.rb) for more details on supported features.
|
|
39
39
|
|
|
40
|
+
### Known Issues
|
|
41
|
+
|
|
42
|
+
- Doorkeeper's API mode (`Doorkeeper.configuration.api_only`) is not properly supported yet
|
|
43
|
+
|
|
40
44
|
### Example Applications
|
|
41
45
|
|
|
42
46
|
- [GitLab](https://gitlab.com/gitlab-org/gitlab-ce) ([original MR](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8018))
|
|
@@ -169,10 +173,10 @@ Doorkeeper::OpenidConnect.configure do
|
|
|
169
173
|
"#{resource_owner.first_name} #{resource_owner.last_name}"
|
|
170
174
|
end
|
|
171
175
|
|
|
172
|
-
claim :preferred_username, scope: :openid do |resource_owner,
|
|
176
|
+
claim :preferred_username, scope: :openid do |resource_owner, scopes, access_token|
|
|
173
177
|
# Pass the resource_owner's preferred_username if the application has
|
|
174
178
|
# `profile` scope access. Otherwise, provide a more generic alternative.
|
|
175
|
-
|
|
179
|
+
scopes.exists?(:profile) ? resource_owner.preferred_username : "summer-sun-9449"
|
|
176
180
|
end
|
|
177
181
|
|
|
178
182
|
claim :groups, response: [:id_token, :user_info] do |resource_owner|
|
|
@@ -182,6 +186,12 @@ Doorkeeper::OpenidConnect.configure do
|
|
|
182
186
|
end
|
|
183
187
|
```
|
|
184
188
|
|
|
189
|
+
Each claim block will be passed:
|
|
190
|
+
|
|
191
|
+
- the `resource_owner`, which is the return value of `resource_owner_authenticator` in your initializer
|
|
192
|
+
- the `scopes` granted by the access token, which is an instance of `Doorkeeper::OAuth::Scopes`
|
|
193
|
+
- the `access_token` itself, which is an instance of `Doorkeeper::AccessToken`
|
|
194
|
+
|
|
185
195
|
By default all custom claims are only returned from the `UserInfo` endpoint and not included in the ID token. You can optionally pass a `response:` keyword with one or both of the symbols `:id_token` or `:user_info` to specify where the claim should be returned.
|
|
186
196
|
|
|
187
197
|
You can also pass a `scope:` keyword argument on each claim to specify which OAuth scope should be required to access the claim. If you define any of the defined [Standard Claims](http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) they will by default use their [corresponding scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) (`profile`, `email`, `address` and `phone`), and any other claims will by default use the `profile` scope. Again, to use any of these scopes you need to enable them as described above.
|
|
@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
|
|
25
25
|
spec.add_development_dependency 'rspec-rails'
|
|
26
26
|
spec.add_development_dependency 'factory_bot'
|
|
27
|
-
spec.add_development_dependency 'sqlite3'
|
|
27
|
+
spec.add_development_dependency 'sqlite3', '~> 1.3.6'
|
|
28
28
|
spec.add_development_dependency 'pry-byebug'
|
|
29
29
|
spec.add_development_dependency 'conventional-changelog', '~> 1.2'
|
|
30
30
|
end
|
|
@@ -16,12 +16,17 @@ module Doorkeeper
|
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
def redirect_uri
|
|
19
|
-
Authorization::URIBuilder.uri_with_fragment(
|
|
20
|
-
|
|
19
|
+
Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, redirect_uri_params)
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
private
|
|
23
|
+
|
|
24
|
+
def redirect_uri_params
|
|
25
|
+
{
|
|
21
26
|
expires_in: auth.token.expires_in_seconds,
|
|
22
27
|
state: pre_auth.state,
|
|
23
28
|
id_token: id_token.as_jws_token
|
|
24
|
-
|
|
29
|
+
}
|
|
25
30
|
end
|
|
26
31
|
end
|
|
27
32
|
end
|
|
@@ -1,15 +1,13 @@
|
|
|
1
1
|
module Doorkeeper
|
|
2
2
|
module OAuth
|
|
3
3
|
class IdTokenTokenResponse < IdTokenResponse
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
4
|
+
private
|
|
5
|
+
|
|
6
|
+
def redirect_uri_params
|
|
7
|
+
super.merge({
|
|
7
8
|
access_token: auth.token.token,
|
|
8
|
-
token_type: auth.token.token_type
|
|
9
|
-
|
|
10
|
-
state: pre_auth.state,
|
|
11
|
-
id_token: id_token.as_jws_token
|
|
12
|
-
)
|
|
9
|
+
token_type: auth.token.token_type
|
|
10
|
+
})
|
|
13
11
|
end
|
|
14
12
|
end
|
|
15
13
|
end
|
|
@@ -6,8 +6,9 @@ module Doorkeeper
|
|
|
6
6
|
|
|
7
7
|
def authenticate_resource_owner!
|
|
8
8
|
super.tap do |owner|
|
|
9
|
-
next unless
|
|
10
|
-
|
|
9
|
+
next unless controller_path == Doorkeeper::Rails::Routes.mapping[:authorizations][:controllers] &&
|
|
10
|
+
action_name == 'new'
|
|
11
|
+
next unless pre_auth.scopes.include?('openid')
|
|
11
12
|
|
|
12
13
|
handle_prompt_param!(owner)
|
|
13
14
|
handle_max_age_param!(owner)
|
|
@@ -19,13 +20,22 @@ module Doorkeeper
|
|
|
19
20
|
# FIXME: workaround for Rails 5, see https://github.com/rails/rails/issues/25106
|
|
20
21
|
@_response_body = nil
|
|
21
22
|
|
|
22
|
-
|
|
23
|
-
|
|
23
|
+
error_response = if pre_auth.valid?
|
|
24
|
+
::Doorkeeper::OAuth::ErrorResponse.new(
|
|
25
|
+
name: exception.error_name,
|
|
26
|
+
state: params[:state],
|
|
27
|
+
redirect_uri: params[:redirect_uri]
|
|
28
|
+
)
|
|
29
|
+
else
|
|
30
|
+
pre_auth.error_response
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
response.headers.merge!(error_response.headers)
|
|
24
34
|
|
|
25
|
-
if
|
|
26
|
-
render json:
|
|
35
|
+
if error_response.redirectable?
|
|
36
|
+
render json: error_response.body, status: :found, location: error_response.redirect_uri
|
|
27
37
|
else
|
|
28
|
-
render json:
|
|
38
|
+
render json: error_response.body, status: error_response.status
|
|
29
39
|
end
|
|
30
40
|
end
|
|
31
41
|
|
|
@@ -41,7 +51,7 @@ module Doorkeeper
|
|
|
41
51
|
when 'login' then
|
|
42
52
|
reauthenticate_resource_owner(owner) if owner
|
|
43
53
|
when 'consent' then
|
|
44
|
-
|
|
54
|
+
render :new
|
|
45
55
|
when 'select_account' then
|
|
46
56
|
# TODO: let the user implement this
|
|
47
57
|
raise Errors::AccountSelectionRequired
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: doorkeeper-openid_connect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.5.
|
|
4
|
+
version: 1.5.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Dengler
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2019-
|
|
12
|
+
date: 2019-02-15 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: doorkeeper
|
|
@@ -71,16 +71,16 @@ dependencies:
|
|
|
71
71
|
name: sqlite3
|
|
72
72
|
requirement: !ruby/object:Gem::Requirement
|
|
73
73
|
requirements:
|
|
74
|
-
- - "
|
|
74
|
+
- - "~>"
|
|
75
75
|
- !ruby/object:Gem::Version
|
|
76
|
-
version:
|
|
76
|
+
version: 1.3.6
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
79
|
version_requirements: !ruby/object:Gem::Requirement
|
|
80
80
|
requirements:
|
|
81
|
-
- - "
|
|
81
|
+
- - "~>"
|
|
82
82
|
- !ruby/object:Gem::Version
|
|
83
|
-
version:
|
|
83
|
+
version: 1.3.6
|
|
84
84
|
- !ruby/object:Gem::Dependency
|
|
85
85
|
name: pry-byebug
|
|
86
86
|
requirement: !ruby/object:Gem::Requirement
|