doorkeeper-openid_connect 1.6.3 → 1.7.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 87cffdb0b8767c7cb1a254e74fd4c7b3ce5f4b92a8502538b9c09ee6a68915af
-  data.tar.gz: 050c8765bb944400e148a4d981371d4a560cb2295d47036e45d57cfa64914aae
+  metadata.gz: e1c45a5eaa2846559e44cfc7d7526c18dafaca9bec5bad06eead06983819ad6c
+  data.tar.gz: 7705035b123d843861e8850854ce9a06d8b4dd4f21f478785aac050509f0e891
 SHA512:
-  metadata.gz: 0e90c44c55b03ab497357b6d3abfc3d8652ff53b88e41556733e2f30584b13f64bd0cca9721f0127c12f0c08a3676668c9a2164c5805c8db6cad375d94f72d2e
-  data.tar.gz: 51f41fa2dc0d4f26104f6a96a656bde761d9df1754001b645cad625f44657f44b7d54cc17a48c9b4dbf6fc53c294f716fe08de9a80bb7a748f78c4a798933542
+  metadata.gz: dec4fdd4c2be0301a8b812c710055fa610567902a023a84c83615edf3390e0ea135cc520de315f18091e165536d0e27553d8a83eddd7f9485f2a2fd926304197
+  data.tar.gz: 287118857266949e24cb44ca74cc3762277baffe08e010e687b9f5fa886f0d74b1dc328cdce88de887ec3794247a49ddc7abb5fc725c12780fa05c0e292b81e6

data/CHANGELOG.md

@@ -1,6 +1,60 @@
 ## Unreleased
 
-No changes yet.
+## v1.7.4 (2020-07-06)
+
+- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
+
+## v1.7.3 (2020-07-06)
+
+- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
+- [#112] Add grant_types_supported to discovery response
+- [#114] Fix user_info endpoint when used in api mode
+- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
+- [#117] Fix migration template to use Rails migrations DSL for association.
+- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
+
+## v1.7.2 (2020-05-20)
+
+### Changes
+
+- [#108] Add support for Doorkeeper 5.4
+- [#103] Add support for end_session_endpoint
+- [#109] Test against Ruby 2.7 & Rails 6.x
+
+## v1.7.1 (2020-02-07)
+
+### Upgrading
+
+This version adds `on_delete: :cascade` to the migration template for the `oauth_openid_requests` table, in order to fix #82.
+
+For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with `on_delete: :cascade` included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
+
+```ruby
+class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
+  def up
+    remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+    add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
+  end
+
+  def down
+    remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+    add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
+  end
+end
+```
+
+### Bugfixes
+
+- [#96] Bump `json-jwt` because of CVE-2019-18848 (thanks to @leleabhinav)
+- [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
+- [#98] Cascade deletes from `oauth_openid_requests` to `oauth_access_grants` (thanks to @manojmj92)
+- [#99] Fix `audience` claim when application is not set on access token (thanks to @ionut998)
+
+## v1.7.0 (2019-11-04)
+
+### Changes
+
+- [#85] This gem now requires Doorkeeper 5.2, Rails 5, and Ruby 2.4
 
 ## v1.6.3 (2019-09-24)
 

data/README.md

@@ -4,6 +4,8 @@
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 
+#### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
+
 This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
 
 OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).
@@ -137,6 +139,10 @@ The following settings are optional, but recommended for better client compatibi
   - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
   - Required to support the `max_age` and `prompt=login` parameters.
   - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
+- `select_account_for_resource_owner`
+  - Defines how to trigger account selection to choose the current login user.
+  - Required to support the `prompt=select_account` parameter.
+  - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
 
 The following settings are optional:
 
@@ -150,6 +156,11 @@ The following settings are optional:
   - Note that the OIDC specification mandates HTTPS, so you shouldn't change this
     for production environments unless you have a really good reason!
 
+- `end_session_endpoint`
+  - The URL that the user is redirected to after ending the session on the client.
+  - Used by implementations like https://github.com/IdentityModel/oidc-client-js.
+  - The block is executed in the controller's scope, so you have access to your route helpers.
+
 ### Scopes
 
 To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require_dependency "#{Doorkeeper::Engine.root}/app/controllers/doorkeeper/authorizations_controller.rb"
+
+module Doorkeeper
+  class AuthorizationsController
+    module AuthorizationsExtension
+      private
+
+      def pre_auth_param_fields
+        super.append(:nonce)
+      end
+    end
+
+    Doorkeeper::AuthorizationsController.prepend AuthorizationsExtension
+  end
+end

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class DiscoveryController < ::Doorkeeper::ApplicationController
       include Doorkeeper::Helpers::Controller
 
-      WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'.freeze
+      WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
 
       def provider
         render json: provider_response
@@ -30,21 +32,19 @@ module Doorkeeper
           introspection_endpoint: oauth_introspect_url(protocol: protocol),
           userinfo_endpoint: oauth_userinfo_url(protocol: protocol),
           jwks_uri: oauth_discovery_keys_url(protocol: protocol),
+          end_session_endpoint: instance_exec(&openid_connect.end_session_endpoint),
 
           scopes_supported: doorkeeper.scopes,
 
           # TODO: support id_token response type
           response_types_supported: doorkeeper.authorization_response_types,
-          response_modes_supported: [ 'query', 'fragment' ],
-
-          token_endpoint_auth_methods_supported: [
-            'client_secret_basic',
-            'client_secret_post',
+          response_modes_supported: %w[query fragment],
+          grant_types_supported: grant_types_supported(doorkeeper),
 
-            # TODO: look into doorkeeper-jwt_assertion for these
-            #'client_secret_jwt',
-            #'private_key_jwt'
-          ],
+          # TODO: look into doorkeeper-jwt_assertion for these
+          #  'client_secret_jwt',
+          #  'private_key_jwt'
+          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
 
           subject_types_supported: openid_connect.subject_types_supported,
 
@@ -56,18 +56,24 @@ module Doorkeeper
             'normal',
 
             # TODO: support these
-            #'aggregated',
-            #'distributed',
+            # 'aggregated',
+            # 'distributed',
           ],
 
-          claims_supported: [
-            'iss',
-            'sub',
-            'aud',
-            'exp',
-            'iat',
+          claims_supported: %w[
+            iss
+            sub
+            aud
+            exp
+            iat
           ] | openid_connect.claims.to_h.keys,
-        }
+        }.compact
+      end
+
+      def grant_types_supported(doorkeeper)
+        grant_types_supported = doorkeeper.grant_flows
+        grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
+        grant_types_supported
       end
 
       def webfinger_response

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb

@@ -1,7 +1,11 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class UserinfoController < ::Doorkeeper::ApplicationController
-      skip_before_action :verify_authenticity_token
+      unless Doorkeeper.config.api_only
+        skip_before_action :verify_authenticity_token
+      end
       before_action -> { doorkeeper_authorize! :openid }
 
       def show

data/config/locales/en.yml

@@ -19,4 +19,5 @@ en:
           resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
           auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
           reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
+          select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
           subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'

data/lib/doorkeeper/oauth/id_token_request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class IdTokenRequest
@@ -9,18 +11,18 @@ module Doorkeeper
       end
 
       def authorize
-        if pre_auth.authorizable?
-          @auth = Authorization::Token.new(pre_auth, resource_owner)
-          @auth.issue_token
-          @response = response
+        @auth = Authorization::Token.new(pre_auth, resource_owner)
+        if @auth.respond_to?(:issue_token!)
+          @auth.issue_token!
         else
-          @response = error_response
+          @auth.issue_token
         end
+        response
       end
 
       def deny
         pre_auth.error = :access_denied
-        error_response
+        pre_auth.error_response
       end
 
       private
@@ -30,12 +32,6 @@ module Doorkeeper
 
         IdTokenResponse.new(pre_auth, auth, id_token)
       end
-
-      def error_response
-        ErrorResponse.from_request pre_auth,
-                                   redirect_uri: pre_auth.redirect_uri,
-                                   response_on_fragment: true
-      end
     end
   end
 end

data/lib/doorkeeper/oauth/id_token_response.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class IdTokenResponse < BaseResponse

data/lib/doorkeeper/oauth/id_token_token_request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class IdTokenTokenRequest < IdTokenRequest

data/lib/doorkeeper/oauth/id_token_token_response.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class IdTokenTokenResponse < IdTokenResponse

data/lib/doorkeeper/openid_connect.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'doorkeeper'
 require 'active_model'
 require 'json/jwt'
@@ -20,6 +22,7 @@ require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
 require 'doorkeeper/openid_connect/id_token_token'
 require 'doorkeeper/openid_connect/user_info'
+require 'doorkeeper/openid_connect/response_mode'
 require 'doorkeeper/openid_connect/version'
 
 require 'doorkeeper/openid_connect/helpers/controller'
@@ -42,7 +45,7 @@ module Doorkeeper
 
     def self.signing_key
       key =
-        if [:HS256, :HS384, :HS512].include?(signing_algorithm)
+        if %i[HS256 HS384 HS512].include?(signing_algorithm)
           configuration.signing_key
         else
           OpenSSL::PKey.read(configuration.signing_key)
@@ -61,5 +64,27 @@ module Doorkeeper
         key.slice(:kty, :kid)
       end
     end
+
+    if defined?(::Doorkeeper::GrantFlow)
+      Doorkeeper::GrantFlow.register(
+        :id_token,
+        response_type_matches: 'id_token',
+        response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
+      )
+
+      Doorkeeper::GrantFlow.register(
+        'id_token token',
+        response_type_matches: 'id_token token',
+        response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
+      )
+
+      Doorkeeper::GrantFlow.register_alias(
+        'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
+      )
+    else
+      # TODO: drop this and corresponding file when we will set minimal
+      # required Doorkeeper version to 5.5.
+      Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
+    end
   end
 end

data/lib/doorkeeper/openid_connect/claims/aggregated_claim.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Claims

data/lib/doorkeeper/openid_connect/claims/claim.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Claims
@@ -11,10 +13,10 @@ module Doorkeeper
             name family_name given_name middle_name nickname preferred_username
             profile picture website gender birthdate zoneinfo locale updated_at
           ],
-          email: %i[ email email_verified ],
-          address: %i[ address ],
-          phone: %i[ phone_number phone_number_verified ],
-        }
+          email: %i[email email_verified],
+          address: %i[address],
+          phone: %i[phone_number phone_number_verified],
+        }.freeze
 
         def initialize(options = {})
           @name = options[:name].to_sym

data/lib/doorkeeper/openid_connect/claims/distributed_claim.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Claims

data/lib/doorkeeper/openid_connect/claims/normal_claim.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Claims

data/lib/doorkeeper/openid_connect/claims_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'ostruct'
 
 module Doorkeeper
@@ -31,7 +33,7 @@ module Doorkeeper
             generator: block
           )
       end
-      alias_method :claim, :normal_claim
+      alias claim normal_claim
     end
   end
 end

data/lib/doorkeeper/openid_connect/config.rb

@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     def self.configure(&block)
       if Doorkeeper.configuration.orm != :active_record
-        fail Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
+        raise Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
       end
 
       @config = Config::Builder.new(&block).build
     end
 
     def self.configuration
-      @config || (fail Errors::MissingConfiguration)
+      @config || (raise Errors::MissingConfiguration)
     end
 
     class Config
@@ -23,12 +25,12 @@ module Doorkeeper
           @config
         end
 
-        def jws_public_key(*args)
-          puts "DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+        def jws_public_key(*_args)
+          puts 'DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
         end
 
         def jws_private_key(*args)
-          puts "DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+          puts 'DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
           signing_key(*args)
         end
       end
@@ -71,7 +73,7 @@ module Doorkeeper
               value = if attribute_builder
                         attribute_builder.new(&block).build
                       else
-                        block ? block : args.first
+                        block || args.first
                       end
 
               @config.instance_variable_set(:"@#{attribute}", value)
@@ -102,19 +104,23 @@ module Doorkeeper
       option :subject_types_supported, default: [:public]
 
       option :resource_owner_from_access_token, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
       }
 
       option :auth_time_from_resource_owner, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
       }
 
       option :reauthenticate_resource_owner, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
+      }
+
+      option :select_account_for_resource_owner, default: lambda { |*_|
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
       }
 
       option :subject, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
       }
 
       option :expiration, default: 120
@@ -124,6 +130,10 @@ module Doorkeeper
       option :protocol, default: lambda { |*_|
         ::Rails.env.production? ? :https : :http
       }
+
+      option :end_session_endpoint, default: lambda { |*_|
+        nil
+      }
     end
   end
 end