doorkeeper-openid_connect 1.7.0 → 1.7.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/CHANGELOG.md +29 -2
- data/README.md +2 -0
- data/app/controllers/doorkeeper/authorizations_controller.rb +17 -0
- data/doorkeeper-openid_connect.gemspec +2 -2
- data/lib/doorkeeper/oauth/id_token_request.rb +4 -14
- data/lib/doorkeeper/openid_connect/helpers/controller.rb +3 -12
- data/lib/doorkeeper/openid_connect/id_token.rb +1 -1
- data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb +16 -0
- data/lib/doorkeeper/openid_connect/version.rb +1 -1
- data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb +2 -1
- metadata +17 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0bcb761a45b80b603b387474f5393d9000d154468eb7974620e9aace796836c5
|
|
4
|
+
data.tar.gz: 51809691b1ea73f5f2a28f00c2aa105c821e9e4326ae781b4dcbb433c7e034ac
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d6e3df930e4e466ffac74df7d3e237158a34a7a831f6003749a9edf8766b762db132430c862287bd16a21a66d035cb4b62fa7f8f0f518452cf8bab3ec1fd4709
|
|
7
|
+
data.tar.gz: 32721653701e09ae2d022c627bf13f2bfce5390ffad046d976c880b186c97eaec5fa9173aed21789141056322786604224bfe62e6bfe4cdb43da030ed08b2b50
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.6.
|
|
1
|
+
2.6.5
|
data/CHANGELOG.md
CHANGED
|
@@ -1,8 +1,35 @@
|
|
|
1
1
|
## Unreleased
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
## v1.7.1 (2020-02-07)
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
### Upgrading
|
|
6
|
+
|
|
7
|
+
This version adds `on_delete: :cascade` to the migration template for the `oauth_openid_requests` table, in order to fix #82.
|
|
8
|
+
|
|
9
|
+
For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with `on_delete: :cascade` included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
|
|
10
|
+
|
|
11
|
+
```ruby
|
|
12
|
+
class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
|
|
13
|
+
def up
|
|
14
|
+
remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
|
|
15
|
+
add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def down
|
|
19
|
+
remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
|
|
20
|
+
add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
### Bugfixes
|
|
26
|
+
|
|
27
|
+
- [#96] Bump `json-jwt` because of CVE-2019-18848 (thanks to @leleabhinav)
|
|
28
|
+
- [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
|
|
29
|
+
- [#98] Cascade deletes from `oauth_openid_requests` to `oauth_access_grants` (thanks to @manojmj92)
|
|
30
|
+
- [#99] Fix `audience` claim when application is not set on access token (thanks to @ionut998)
|
|
31
|
+
|
|
32
|
+
## v1.7.0 (2019-11-04)
|
|
6
33
|
|
|
7
34
|
### Changes
|
|
8
35
|
|
data/README.md
CHANGED
|
@@ -4,6 +4,8 @@
|
|
|
4
4
|
[](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
|
|
5
5
|
[](https://rubygems.org/gems/doorkeeper-openid_connect)
|
|
6
6
|
|
|
7
|
+
#### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
|
|
8
|
+
|
|
7
9
|
This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
|
|
8
10
|
|
|
9
11
|
OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_dependency "#{Doorkeeper::Engine.root}/app/controllers/doorkeeper/authorizations_controller.rb"
|
|
4
|
+
|
|
5
|
+
module Doorkeeper
|
|
6
|
+
class AuthorizationsController
|
|
7
|
+
module AuthorizationsExtension
|
|
8
|
+
private
|
|
9
|
+
|
|
10
|
+
def pre_auth_param_fields
|
|
11
|
+
super.append(:nonce)
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
Doorkeeper::AuthorizationsController.send :prepend, AuthorizationsExtension
|
|
16
|
+
end
|
|
17
|
+
end
|
|
@@ -19,8 +19,8 @@ Gem::Specification.new do |spec|
|
|
|
19
19
|
|
|
20
20
|
spec.required_ruby_version = ">= 2.4"
|
|
21
21
|
|
|
22
|
-
spec.add_runtime_dependency 'doorkeeper', '
|
|
23
|
-
spec.add_runtime_dependency 'json-jwt', '
|
|
22
|
+
spec.add_runtime_dependency 'doorkeeper', '>= 5.2', '< 5.4'
|
|
23
|
+
spec.add_runtime_dependency 'json-jwt', '>= 1.11.0'
|
|
24
24
|
|
|
25
25
|
spec.add_development_dependency 'rspec-rails'
|
|
26
26
|
spec.add_development_dependency 'factory_bot'
|
|
@@ -9,18 +9,14 @@ module Doorkeeper
|
|
|
9
9
|
end
|
|
10
10
|
|
|
11
11
|
def authorize
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
@response = response
|
|
16
|
-
else
|
|
17
|
-
@response = error_response
|
|
18
|
-
end
|
|
12
|
+
@auth = Authorization::Token.new(pre_auth, resource_owner)
|
|
13
|
+
@auth.issue_token
|
|
14
|
+
response
|
|
19
15
|
end
|
|
20
16
|
|
|
21
17
|
def deny
|
|
22
18
|
pre_auth.error = :access_denied
|
|
23
|
-
error_response
|
|
19
|
+
pre_auth.error_response
|
|
24
20
|
end
|
|
25
21
|
|
|
26
22
|
private
|
|
@@ -30,12 +26,6 @@ module Doorkeeper
|
|
|
30
26
|
|
|
31
27
|
IdTokenResponse.new(pre_auth, auth, id_token)
|
|
32
28
|
end
|
|
33
|
-
|
|
34
|
-
def error_response
|
|
35
|
-
ErrorResponse.from_request pre_auth,
|
|
36
|
-
redirect_uri: pre_auth.redirect_uri,
|
|
37
|
-
response_on_fragment: true
|
|
38
|
-
end
|
|
39
29
|
end
|
|
40
30
|
end
|
|
41
31
|
end
|
|
@@ -19,7 +19,6 @@ module Doorkeeper
|
|
|
19
19
|
controller_path == Doorkeeper::Rails::Routes.mapping[:authorizations][:controllers] &&
|
|
20
20
|
action_name == 'new' &&
|
|
21
21
|
pre_auth.valid? &&
|
|
22
|
-
pre_auth.client &&
|
|
23
22
|
pre_auth.scopes.include?('openid')
|
|
24
23
|
end
|
|
25
24
|
|
|
@@ -61,7 +60,7 @@ module Doorkeeper
|
|
|
61
60
|
when 'none'
|
|
62
61
|
raise Errors::InvalidRequest if (prompt_values - [ 'none' ]).any?
|
|
63
62
|
raise Errors::LoginRequired unless owner
|
|
64
|
-
raise Errors::ConsentRequired if oidc_consent_required?
|
|
63
|
+
raise Errors::ConsentRequired if oidc_consent_required?
|
|
65
64
|
when 'login'
|
|
66
65
|
reauthenticate_oidc_resource_owner(owner) if owner
|
|
67
66
|
when 'consent'
|
|
@@ -105,16 +104,8 @@ module Doorkeeper
|
|
|
105
104
|
raise Errors::LoginRequired unless performed?
|
|
106
105
|
end
|
|
107
106
|
|
|
108
|
-
def
|
|
109
|
-
|
|
110
|
-
Doorkeeper::AccessToken.scopes_match?(token.scopes, pre_auth.scopes, pre_auth.client.scopes)
|
|
111
|
-
end
|
|
112
|
-
end
|
|
113
|
-
|
|
114
|
-
def oidc_consent_required?(owner)
|
|
115
|
-
return false if skip_authorization?
|
|
116
|
-
|
|
117
|
-
matching_tokens_for_oidc_resource_owner(owner).blank?
|
|
107
|
+
def oidc_consent_required?
|
|
108
|
+
!skip_authorization? && !matching_token?
|
|
118
109
|
end
|
|
119
110
|
end
|
|
120
111
|
end
|
|
@@ -8,6 +8,22 @@ module Doorkeeper
|
|
|
8
8
|
super
|
|
9
9
|
@nonce = attrs[:nonce]
|
|
10
10
|
end
|
|
11
|
+
|
|
12
|
+
# This method will be updated when doorkeeper move to version > 5.2.2
|
|
13
|
+
# TODO: delete this method and refactor response_on_fragment? method (below) when doorkeeper gem version constrains is > 5.2.2
|
|
14
|
+
def error_response
|
|
15
|
+
if error == :invalid_request
|
|
16
|
+
Doorkeeper::OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: response_on_fragment?)
|
|
17
|
+
else
|
|
18
|
+
Doorkeeper::OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
private
|
|
23
|
+
|
|
24
|
+
def response_on_fragment?
|
|
25
|
+
response_type == "token" || response_type == "id_token" || response_type == "id_token token"
|
|
26
|
+
end
|
|
11
27
|
end
|
|
12
28
|
end
|
|
13
29
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: doorkeeper-openid_connect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.7.
|
|
4
|
+
version: 1.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Dengler
|
|
@@ -9,36 +9,42 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2020-02-07 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: doorkeeper
|
|
16
16
|
requirement: !ruby/object:Gem::Requirement
|
|
17
17
|
requirements:
|
|
18
|
-
- - "
|
|
18
|
+
- - ">="
|
|
19
|
+
- !ruby/object:Gem::Version
|
|
20
|
+
version: '5.2'
|
|
21
|
+
- - "<"
|
|
19
22
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: 5.
|
|
23
|
+
version: '5.4'
|
|
21
24
|
type: :runtime
|
|
22
25
|
prerelease: false
|
|
23
26
|
version_requirements: !ruby/object:Gem::Requirement
|
|
24
27
|
requirements:
|
|
25
|
-
- - "
|
|
28
|
+
- - ">="
|
|
26
29
|
- !ruby/object:Gem::Version
|
|
27
|
-
version: 5.2
|
|
30
|
+
version: '5.2'
|
|
31
|
+
- - "<"
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: '5.4'
|
|
28
34
|
- !ruby/object:Gem::Dependency
|
|
29
35
|
name: json-jwt
|
|
30
36
|
requirement: !ruby/object:Gem::Requirement
|
|
31
37
|
requirements:
|
|
32
|
-
- - "
|
|
38
|
+
- - ">="
|
|
33
39
|
- !ruby/object:Gem::Version
|
|
34
|
-
version:
|
|
40
|
+
version: 1.11.0
|
|
35
41
|
type: :runtime
|
|
36
42
|
prerelease: false
|
|
37
43
|
version_requirements: !ruby/object:Gem::Requirement
|
|
38
44
|
requirements:
|
|
39
|
-
- - "
|
|
45
|
+
- - ">="
|
|
40
46
|
- !ruby/object:Gem::Version
|
|
41
|
-
version:
|
|
47
|
+
version: 1.11.0
|
|
42
48
|
- !ruby/object:Gem::Dependency
|
|
43
49
|
name: rspec-rails
|
|
44
50
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -126,6 +132,7 @@ files:
|
|
|
126
132
|
- LICENSE.txt
|
|
127
133
|
- README.md
|
|
128
134
|
- Rakefile
|
|
135
|
+
- app/controllers/doorkeeper/authorizations_controller.rb
|
|
129
136
|
- app/controllers/doorkeeper/openid_connect/discovery_controller.rb
|
|
130
137
|
- app/controllers/doorkeeper/openid_connect/userinfo_controller.rb
|
|
131
138
|
- bin/console
|