doorkeeper-openid_connect 1.5.3 → 1.5.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/CHANGELOG.md +19 -4
- data/Gemfile +4 -0
- data/README.md +13 -3
- data/doorkeeper-openid_connect.gemspec +1 -1
- data/lib/doorkeeper/oauth/id_token_response.rb +8 -3
- data/lib/doorkeeper/oauth/id_token_token_response.rb +6 -8
- data/lib/doorkeeper/openid_connect/helpers/controller.rb +18 -8
- data/lib/doorkeeper/openid_connect/version.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b09a17901bf54012e9d0fa0e454e34fd3f12c146fe41d7e40d19124718c95186
|
|
4
|
+
data.tar.gz: 7a0e5dac4ccde54639a9f6e73f7550c3a1d86b051c0225beb7186f5ca667000e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 45106e01b76d5f0f9727e9ad83bac894627b463fd32741cce898a54b4f2e9716a7c75ed701f0f9ef044b73e31f7f067673442defae26edf1e8591cc8d2a402ef
|
|
7
|
+
data.tar.gz: b2036d745efe2c848a531a0b29a9b6d26b0c10071ffc258a6ff607b238d95fe003fca4a29a7b395f073749f101c7283ccd3994731a9f0efcea285b41e175f59d
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.6.
|
|
1
|
+
2.6.1
|
data/CHANGELOG.md
CHANGED
|
@@ -2,29 +2,44 @@
|
|
|
2
2
|
|
|
3
3
|
No changes yet.
|
|
4
4
|
|
|
5
|
+
## v1.5.4 (2019-02-15)
|
|
6
|
+
|
|
7
|
+
### Bugfixes
|
|
8
|
+
|
|
9
|
+
- [#66] Fix an open redirect vulnerability (thanks to @meagar)
|
|
10
|
+
- [#67] Don't delete existing tokens with `prompt=consent` (thanks to @nov)
|
|
11
|
+
|
|
12
|
+
### Changes
|
|
13
|
+
|
|
14
|
+
- [#62] Support customization of redirect params in `id_token` and `id_token token` responses (thanks to @meagar)
|
|
15
|
+
|
|
5
16
|
## v1.5.3 (2019-01-19)
|
|
6
17
|
|
|
18
|
+
### Bugfixes
|
|
19
|
+
|
|
20
|
+
- [#60] Don't break native authorization in Doorkeeper 5.x
|
|
21
|
+
|
|
7
22
|
### Changes
|
|
8
23
|
|
|
9
|
-
- Use versioned migrations for Rails 5.x (thanks to @tvongaza)
|
|
24
|
+
- [#58] Use versioned migrations for Rails 5.x (thanks to @tvongaza)
|
|
10
25
|
|
|
11
26
|
## v1.5.2 (2018-09-04)
|
|
12
27
|
|
|
13
28
|
### Changes
|
|
14
29
|
|
|
15
|
-
- The previous release was a bit premature, this fixes some compatibility issues with Doorkeeper 5.x
|
|
30
|
+
- [#56] The previous release was a bit premature, this fixes some compatibility issues with Doorkeeper 5.x
|
|
16
31
|
|
|
17
32
|
## v1.5.1 (2018-09-04)
|
|
18
33
|
|
|
19
34
|
### Changes
|
|
20
35
|
|
|
21
|
-
- This gem is now compatible with Doorkeeper 5.x
|
|
36
|
+
- [#55] This gem is now compatible with Doorkeeper 5.x
|
|
22
37
|
|
|
23
38
|
## v1.5.0 (2018-06-27)
|
|
24
39
|
|
|
25
40
|
### Features
|
|
26
41
|
|
|
27
|
-
- Custom claims can now also be returned directly in the ID token, see the updated README for usage instructions
|
|
42
|
+
- [#52] Custom claims can now also be returned directly in the ID token, see the updated README for usage instructions
|
|
28
43
|
|
|
29
44
|
## v1.4.0 (2018-05-31)
|
|
30
45
|
|
data/Gemfile
CHANGED
data/README.md
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
# Doorkeeper::OpenidConnect
|
|
2
2
|
|
|
3
3
|
[](https://travis-ci.org/doorkeeper-gem/doorkeeper-openid_connect)
|
|
4
|
-
[](https://gemnasium.com/doorkeeper-gem/doorkeeper-openid_connect)
|
|
5
4
|
[](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
|
|
6
5
|
[](https://rubygems.org/gems/doorkeeper-openid_connect)
|
|
7
6
|
|
|
@@ -12,6 +11,7 @@ OpenID Connect is a single-sign-on and identity layer with a [growing list of se
|
|
|
12
11
|
## Table of Contents
|
|
13
12
|
|
|
14
13
|
- [Status](#status)
|
|
14
|
+
- [Known Issues](#known-issues)
|
|
15
15
|
- [Example Applications](#example-applications)
|
|
16
16
|
- [Installation](#installation)
|
|
17
17
|
- [Configuration](#configuration)
|
|
@@ -37,6 +37,10 @@ In addition we also support most of [OpenID Connect Discovery 1.0](http://openid
|
|
|
37
37
|
|
|
38
38
|
Take a look at the [DiscoveryController](app/controllers/doorkeeper/openid_connect/discovery_controller.rb) for more details on supported features.
|
|
39
39
|
|
|
40
|
+
### Known Issues
|
|
41
|
+
|
|
42
|
+
- Doorkeeper's API mode (`Doorkeeper.configuration.api_only`) is not properly supported yet
|
|
43
|
+
|
|
40
44
|
### Example Applications
|
|
41
45
|
|
|
42
46
|
- [GitLab](https://gitlab.com/gitlab-org/gitlab-ce) ([original MR](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8018))
|
|
@@ -169,10 +173,10 @@ Doorkeeper::OpenidConnect.configure do
|
|
|
169
173
|
"#{resource_owner.first_name} #{resource_owner.last_name}"
|
|
170
174
|
end
|
|
171
175
|
|
|
172
|
-
claim :preferred_username, scope: :openid do |resource_owner,
|
|
176
|
+
claim :preferred_username, scope: :openid do |resource_owner, scopes, access_token|
|
|
173
177
|
# Pass the resource_owner's preferred_username if the application has
|
|
174
178
|
# `profile` scope access. Otherwise, provide a more generic alternative.
|
|
175
|
-
|
|
179
|
+
scopes.exists?(:profile) ? resource_owner.preferred_username : "summer-sun-9449"
|
|
176
180
|
end
|
|
177
181
|
|
|
178
182
|
claim :groups, response: [:id_token, :user_info] do |resource_owner|
|
|
@@ -182,6 +186,12 @@ Doorkeeper::OpenidConnect.configure do
|
|
|
182
186
|
end
|
|
183
187
|
```
|
|
184
188
|
|
|
189
|
+
Each claim block will be passed:
|
|
190
|
+
|
|
191
|
+
- the `resource_owner`, which is the return value of `resource_owner_authenticator` in your initializer
|
|
192
|
+
- the `scopes` granted by the access token, which is an instance of `Doorkeeper::OAuth::Scopes`
|
|
193
|
+
- the `access_token` itself, which is an instance of `Doorkeeper::AccessToken`
|
|
194
|
+
|
|
185
195
|
By default all custom claims are only returned from the `UserInfo` endpoint and not included in the ID token. You can optionally pass a `response:` keyword with one or both of the symbols `:id_token` or `:user_info` to specify where the claim should be returned.
|
|
186
196
|
|
|
187
197
|
You can also pass a `scope:` keyword argument on each claim to specify which OAuth scope should be required to access the claim. If you define any of the defined [Standard Claims](http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) they will by default use their [corresponding scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) (`profile`, `email`, `address` and `phone`), and any other claims will by default use the `profile` scope. Again, to use any of these scopes you need to enable them as described above.
|
|
@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
|
|
25
25
|
spec.add_development_dependency 'rspec-rails'
|
|
26
26
|
spec.add_development_dependency 'factory_bot'
|
|
27
|
-
spec.add_development_dependency 'sqlite3'
|
|
27
|
+
spec.add_development_dependency 'sqlite3', '~> 1.3.6'
|
|
28
28
|
spec.add_development_dependency 'pry-byebug'
|
|
29
29
|
spec.add_development_dependency 'conventional-changelog', '~> 1.2'
|
|
30
30
|
end
|
|
@@ -16,12 +16,17 @@ module Doorkeeper
|
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
def redirect_uri
|
|
19
|
-
Authorization::URIBuilder.uri_with_fragment(
|
|
20
|
-
|
|
19
|
+
Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, redirect_uri_params)
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
private
|
|
23
|
+
|
|
24
|
+
def redirect_uri_params
|
|
25
|
+
{
|
|
21
26
|
expires_in: auth.token.expires_in_seconds,
|
|
22
27
|
state: pre_auth.state,
|
|
23
28
|
id_token: id_token.as_jws_token
|
|
24
|
-
|
|
29
|
+
}
|
|
25
30
|
end
|
|
26
31
|
end
|
|
27
32
|
end
|
|
@@ -1,15 +1,13 @@
|
|
|
1
1
|
module Doorkeeper
|
|
2
2
|
module OAuth
|
|
3
3
|
class IdTokenTokenResponse < IdTokenResponse
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
4
|
+
private
|
|
5
|
+
|
|
6
|
+
def redirect_uri_params
|
|
7
|
+
super.merge({
|
|
7
8
|
access_token: auth.token.token,
|
|
8
|
-
token_type: auth.token.token_type
|
|
9
|
-
|
|
10
|
-
state: pre_auth.state,
|
|
11
|
-
id_token: id_token.as_jws_token
|
|
12
|
-
)
|
|
9
|
+
token_type: auth.token.token_type
|
|
10
|
+
})
|
|
13
11
|
end
|
|
14
12
|
end
|
|
15
13
|
end
|
|
@@ -6,8 +6,9 @@ module Doorkeeper
|
|
|
6
6
|
|
|
7
7
|
def authenticate_resource_owner!
|
|
8
8
|
super.tap do |owner|
|
|
9
|
-
next unless
|
|
10
|
-
|
|
9
|
+
next unless controller_path == Doorkeeper::Rails::Routes.mapping[:authorizations][:controllers] &&
|
|
10
|
+
action_name == 'new'
|
|
11
|
+
next unless pre_auth.scopes.include?('openid')
|
|
11
12
|
|
|
12
13
|
handle_prompt_param!(owner)
|
|
13
14
|
handle_max_age_param!(owner)
|
|
@@ -19,13 +20,22 @@ module Doorkeeper
|
|
|
19
20
|
# FIXME: workaround for Rails 5, see https://github.com/rails/rails/issues/25106
|
|
20
21
|
@_response_body = nil
|
|
21
22
|
|
|
22
|
-
|
|
23
|
-
|
|
23
|
+
error_response = if pre_auth.valid?
|
|
24
|
+
::Doorkeeper::OAuth::ErrorResponse.new(
|
|
25
|
+
name: exception.error_name,
|
|
26
|
+
state: params[:state],
|
|
27
|
+
redirect_uri: params[:redirect_uri]
|
|
28
|
+
)
|
|
29
|
+
else
|
|
30
|
+
pre_auth.error_response
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
response.headers.merge!(error_response.headers)
|
|
24
34
|
|
|
25
|
-
if
|
|
26
|
-
render json:
|
|
35
|
+
if error_response.redirectable?
|
|
36
|
+
render json: error_response.body, status: :found, location: error_response.redirect_uri
|
|
27
37
|
else
|
|
28
|
-
render json:
|
|
38
|
+
render json: error_response.body, status: error_response.status
|
|
29
39
|
end
|
|
30
40
|
end
|
|
31
41
|
|
|
@@ -41,7 +51,7 @@ module Doorkeeper
|
|
|
41
51
|
when 'login' then
|
|
42
52
|
reauthenticate_resource_owner(owner) if owner
|
|
43
53
|
when 'consent' then
|
|
44
|
-
|
|
54
|
+
render :new
|
|
45
55
|
when 'select_account' then
|
|
46
56
|
# TODO: let the user implement this
|
|
47
57
|
raise Errors::AccountSelectionRequired
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: doorkeeper-openid_connect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.5.
|
|
4
|
+
version: 1.5.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Dengler
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2019-
|
|
12
|
+
date: 2019-02-15 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: doorkeeper
|
|
@@ -71,16 +71,16 @@ dependencies:
|
|
|
71
71
|
name: sqlite3
|
|
72
72
|
requirement: !ruby/object:Gem::Requirement
|
|
73
73
|
requirements:
|
|
74
|
-
- - "
|
|
74
|
+
- - "~>"
|
|
75
75
|
- !ruby/object:Gem::Version
|
|
76
|
-
version:
|
|
76
|
+
version: 1.3.6
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
79
|
version_requirements: !ruby/object:Gem::Requirement
|
|
80
80
|
requirements:
|
|
81
|
-
- - "
|
|
81
|
+
- - "~>"
|
|
82
82
|
- !ruby/object:Gem::Version
|
|
83
|
-
version:
|
|
83
|
+
version: 1.3.6
|
|
84
84
|
- !ruby/object:Gem::Dependency
|
|
85
85
|
name: pry-byebug
|
|
86
86
|
requirement: !ruby/object:Gem::Requirement
|