doorkeeper-openid_connect 1.7.0 → 1.7.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9f38540bf15e49809e21423a76e0fd8313c5494aee4a3537f6b6d1bcd5645951
4
- data.tar.gz: d1408e8c1a4755356746a55957dbc941242fb266ead2e5f92d29d46646258958
3
+ metadata.gz: 0bcb761a45b80b603b387474f5393d9000d154468eb7974620e9aace796836c5
4
+ data.tar.gz: 51809691b1ea73f5f2a28f00c2aa105c821e9e4326ae781b4dcbb433c7e034ac
5
5
  SHA512:
6
- metadata.gz: 71ca0f37f65e787785550e64d4b5fc4ad05ad74ec93601e909924d1984f6b42612c4856bc8439373f8af52a8958e0e80beaf711ed78b012784eb941f46aeb889
7
- data.tar.gz: f5c46bc891ed65513493cbeb7304fe76c04a62c03e8ce51b5f1849319da9be27bfa304b5064e028421a88583db4adf4e3ec71e3c4d900fd6ff850e44fa76a826
6
+ metadata.gz: d6e3df930e4e466ffac74df7d3e237158a34a7a831f6003749a9edf8766b762db132430c862287bd16a21a66d035cb4b62fa7f8f0f518452cf8bab3ec1fd4709
7
+ data.tar.gz: 32721653701e09ae2d022c627bf13f2bfce5390ffad046d976c880b186c97eaec5fa9173aed21789141056322786604224bfe62e6bfe4cdb43da030ed08b2b50
@@ -1 +1 @@
1
- 2.6.3
1
+ 2.6.5
@@ -1,8 +1,35 @@
1
1
  ## Unreleased
2
2
 
3
- No changes yet.
3
+ ## v1.7.1 (2020-02-07)
4
4
 
5
- ## v1.7.0
5
+ ### Upgrading
6
+
7
+ This version adds `on_delete: :cascade` to the migration template for the `oauth_openid_requests` table, in order to fix #82.
8
+
9
+ For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with `on_delete: :cascade` included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
10
+
11
+ ```ruby
12
+ class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
13
+ def up
14
+ remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
15
+ add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
16
+ end
17
+
18
+ def down
19
+ remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
20
+ add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
21
+ end
22
+ end
23
+ ```
24
+
25
+ ### Bugfixes
26
+
27
+ - [#96] Bump `json-jwt` because of CVE-2019-18848 (thanks to @leleabhinav)
28
+ - [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
29
+ - [#98] Cascade deletes from `oauth_openid_requests` to `oauth_access_grants` (thanks to @manojmj92)
30
+ - [#99] Fix `audience` claim when application is not set on access token (thanks to @ionut998)
31
+
32
+ ## v1.7.0 (2019-11-04)
6
33
 
7
34
  ### Changes
8
35
 
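--- a/data/README.md
+++ b/data/README.md
@@ -4,6 +4,8 @@
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 
+#### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
+
 This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
 
 OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).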
@@ -0,0 +1,17 @@
1
+ # frozen_string_literal: true
2
+
3
+ require_dependency "#{Doorkeeper::Engine.root}/app/controllers/doorkeeper/authorizations_controller.rb"
4
+
5
+ module Doorkeeper
6
+ class AuthorizationsController
7
+ module AuthorizationsExtension
8
+ private
9
+
10
+ def pre_auth_param_fields
11
+ super.append(:nonce)
12
+ end
13
+ end
14
+
15
+ Doorkeeper::AuthorizationsController.send :prepend, AuthorizationsExtension
16
+ end
17
+ end
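Review bot: `super.append(:nonce)` on line 11 mutates the array that `super` hands back instead of building a new one; if Doorkeeper's `pre_auth_param_fields` ever returns a memoized or frozen array, this would either grow it by one `:nonce` per request or raise FrozenError. `super + [:nonce]` returns a fresh array and sidesteps the question. Inside `class AuthorizationsController` a plain `prepend AuthorizationsExtension` on line 15 is the idiomatic form as well; `Doorkeeper::AuthorizationsController.send :prepend, AuthorizationsExtension` routes a public method through `send` for no gain.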
@@ -19,8 +19,8 @@ Gem::Specification.new do |spec|
19
19
 
20
20
  spec.required_ruby_version = ">= 2.4"
21
21
 
22
- spec.add_runtime_dependency 'doorkeeper', '~> 5.2.0'
23
- spec.add_runtime_dependency 'json-jwt', '~> 1.6'
22
+ spec.add_runtime_dependency 'doorkeeper', '>= 5.2', '< 5.4'
23
+ spec.add_runtime_dependency 'json-jwt', '>= 1.11.0'
24
24
 
25
25
  spec.add_development_dependency 'rspec-rails'
26
26
  spec.add_development_dependency 'factory_bot'
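Review bot: `spec.add_runtime_dependency 'json-jwt', '>= 1.11.0'` on line 23 has no upper bound, so a future json-jwt major with breaking API changes would be resolved automatically into every installation. `'~> 1.11'` keeps the CVE-2019-18848 floor the changelog cites while excluding the next major, and it matches the bounded shape the doorkeeper constraint on line 22 already uses.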
@@ -9,18 +9,14 @@ module Doorkeeper
9
9
  end
10
10
 
11
11
  def authorize
12
- if pre_auth.authorizable?
13
- @auth = Authorization::Token.new(pre_auth, resource_owner)
14
- @auth.issue_token
15
- @response = response
16
- else
17
- @response = error_response
18
- end
12
+ @auth = Authorization::Token.new(pre_auth, resource_owner)
13
+ @auth.issue_token
14
+ response
19
15
  end
20
16
 
21
17
  def deny
22
18
  pre_auth.error = :access_denied
23
- error_response
19
+ pre_auth.error_response
24
20
  end
25
21
 
26
22
  private
@@ -30,12 +26,6 @@ module Doorkeeper
30
26
 
31
27
  IdTokenResponse.new(pre_auth, auth, id_token)
32
28
  end
33
-
34
- def error_response
35
- ErrorResponse.from_request pre_auth,
36
- redirect_uri: pre_auth.redirect_uri,
37
- response_on_fragment: true
38
- end
39
29
  end
40
30
  end
41
31
  end
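Review bot: `authorize` (lines 12–14) now issues the token unconditionally, and nothing in the hunk records that the dropped `pre_auth.authorizable?` branch is expected to run somewhere else before this method is reached. Presumably the Doorkeeper >= 5.2 controller performs that check before dispatching to the strategy, but a reader of this class cannot tell; suggest `# Callers must reject requests that are not pre_auth.authorizable? before calling this; Doorkeeper >= 5.2 does so in the controller.` above `def authorize`. `deny` now delegates to `pre_auth.error_response`, which derives fragment-vs-query encoding from the response type instead of the removed helper's hard-coded `response_on_fragment: true`, so a note there pointing at the gem's own `PreAuthorization#error_response` would save the next maintainer a search. The enclosing class begins and ends outside the hunk.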
@@ -19,7 +19,6 @@ module Doorkeeper
19
19
  controller_path == Doorkeeper::Rails::Routes.mapping[:authorizations][:controllers] &&
20
20
  action_name == 'new' &&
21
21
  pre_auth.valid? &&
22
- pre_auth.client &&
23
22
  pre_auth.scopes.include?('openid')
24
23
  end
25
24
 
@@ -61,7 +60,7 @@ module Doorkeeper
61
60
  when 'none'
62
61
  raise Errors::InvalidRequest if (prompt_values - [ 'none' ]).any?
63
62
  raise Errors::LoginRequired unless owner
64
- raise Errors::ConsentRequired if oidc_consent_required?(owner)
63
+ raise Errors::ConsentRequired if oidc_consent_required?
65
64
  when 'login'
66
65
  reauthenticate_oidc_resource_owner(owner) if owner
67
66
  when 'consent'
@@ -105,16 +104,8 @@ module Doorkeeper
105
104
  raise Errors::LoginRequired unless performed?
106
105
  end
107
106
 
108
- def matching_tokens_for_oidc_resource_owner(owner)
109
- Doorkeeper::AccessToken.authorized_tokens_for(pre_auth.client.id, owner.id).select do |token|
110
- Doorkeeper::AccessToken.scopes_match?(token.scopes, pre_auth.scopes, pre_auth.client.scopes)
111
- end
112
- end
113
-
114
- def oidc_consent_required?(owner)
115
- return false if skip_authorization?
116
-
117
- matching_tokens_for_oidc_resource_owner(owner).blank?
107
+ def oidc_consent_required?
108
+ !skip_authorization? && !matching_token?
118
109
  end
119
110
  end
120
111
  end
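Review bot: `matching_token?` on line 108 is not defined in this hunk, and the helper it replaces looked tokens up for the `owner` argument that `handle_oidc_prompt_param` passes around, whereas the new predicate takes no owner at all. Presumably it is a Doorkeeper controller helper keyed on the current resource owner; if that can differ from the `owner` checked on line 62, the consent decision would be made for a different user, so a comment is warranted: `# matching_token? comes from Doorkeeper's AuthorizationsController and is scoped to the current resource owner — must match the owner handle_oidc_prompt_param validates.` The first hunk's drop of `pre_auth.client &&` on line 22 is only safe if `pre_auth.valid?` now guarantees a resolved client in the supported Doorkeeper range; a one-line comment saying so would help. Both enclosing methods extend beyond their hunks.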
@@ -46,7 +46,7 @@ module Doorkeeper
46
46
  end
47
47
 
48
48
  def audience
49
- @access_token.application.uid
49
+ @access_token.application.try(:uid)
50
50
  end
51
51
 
52
52
  def expiration
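Review bot: `@access_token.application.try(:uid)` on line 49 reaches for ActiveSupport's `try` where the language's safe-navigation operator does the same job under the gemspec's `>= 2.4` floor: `@access_token.application&.uid`. With no application the method now returns nil, so the value that presumably feeds the ID token's `aud` claim is nil; OpenID Connect requires `aud` to contain the relying party's client_id, so a conforming client will reject such a token rather than accept it, which is the safe outcome but not an obvious one. A comment stating that a client-less grant deliberately yields an unusable token would make the intent explicit. The enclosing class starts outside the hunk.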
@@ -8,6 +8,22 @@ module Doorkeeper
8
8
  super
9
9
  @nonce = attrs[:nonce]
10
10
  end
11
+
12
+ # This method will be updated when doorkeeper move to version > 5.2.2
13
+ # TODO: delete this method and refactor response_on_fragment? method (below) when doorkeeper gem version constrains is > 5.2.2
14
+ def error_response
15
+ if error == :invalid_request
16
+ Doorkeeper::OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: response_on_fragment?)
17
+ else
18
+ Doorkeeper::OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
19
+ end
20
+ end
21
+
22
+ private
23
+
24
+ def response_on_fragment?
25
+ response_type == "token" || response_type == "id_token" || response_type == "id_token token"
26
+ end
11
27
  end
12
28
  end
13
29
  end
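Review bot: `response_on_fragment?` on line 25 compares `response_type` against three exact strings, so a request carrying the same multi-valued type in the other order (`"token id_token"`) would be answered with a query-encoded error even though the OAuth 2.0 multiple-response-type encoding treats the list as unordered; whether Doorkeeper's configured response types admit that ordering is not visible here. `(response_type.to_s.split & %w[token id_token]).any?` covers every token-bearing combination regardless of order and tolerates a nil response_type. The TODO on lines 12–13 should read `constraint is > 5.2.2`, and since the gemspec now admits doorkeeper up to 5.3 it should also say what this reopened `error_response` is standing in for, so a maintainer can tell when the upstream version makes it redundant. The enclosing class starts outside the hunk.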
@@ -1,5 +1,5 @@
1
1
  module Doorkeeper
2
2
  module OpenidConnect
3
- VERSION = '1.7.0'.freeze
3
+ VERSION = '1.7.1'.freeze
4
4
  end
5
5
  end
@@ -8,7 +8,8 @@ class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration<%= migration
8
8
  add_foreign_key(
9
9
  :oauth_openid_requests,
10
10
  :oauth_access_grants,
11
- column: :access_grant_id
11
+ column: :access_grant_id,
12
+ on_delete: :cascade
12
13
  )
13
14
  end
14
15
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: doorkeeper-openid_connect
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.7.0
4
+ version: 1.7.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sam Dengler
@@ -9,36 +9,42 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2019-11-04 00:00:00.000000000 Z
12
+ date: 2020-02-07 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: doorkeeper
16
16
  requirement: !ruby/object:Gem::Requirement
17
17
  requirements:
18
- - - "~>"
18
+ - - ">="
19
+ - !ruby/object:Gem::Version
20
+ version: '5.2'
21
+ - - "<"
19
22
  - !ruby/object:Gem::Version
20
- version: 5.2.0
23
+ version: '5.4'
21
24
  type: :runtime
22
25
  prerelease: false
23
26
  version_requirements: !ruby/object:Gem::Requirement
24
27
  requirements:
25
- - - "~>"
28
+ - - ">="
26
29
  - !ruby/object:Gem::Version
27
- version: 5.2.0
30
+ version: '5.2'
31
+ - - "<"
32
+ - !ruby/object:Gem::Version
33
+ version: '5.4'
28
34
  - !ruby/object:Gem::Dependency
29
35
  name: json-jwt
30
36
  requirement: !ruby/object:Gem::Requirement
31
37
  requirements:
32
- - - "~>"
38
+ - - ">="
33
39
  - !ruby/object:Gem::Version
34
- version: '1.6'
40
+ version: 1.11.0
35
41
  type: :runtime
36
42
  prerelease: false
37
43
  version_requirements: !ruby/object:Gem::Requirement
38
44
  requirements:
39
- - - "~>"
45
+ - - ">="
40
46
  - !ruby/object:Gem::Version
41
- version: '1.6'
47
+ version: 1.11.0
42
48
  - !ruby/object:Gem::Dependency
43
49
  name: rspec-rails
44
50
  requirement: !ruby/object:Gem::Requirement
@@ -126,6 +132,7 @@ files:
126
132
  - LICENSE.txt
127
133
  - README.md
128
134
  - Rakefile
135
+ - app/controllers/doorkeeper/authorizations_controller.rb
129
136
  - app/controllers/doorkeeper/openid_connect/discovery_controller.rb
130
137
  - app/controllers/doorkeeper/openid_connect/userinfo_controller.rb
131
138
  - bin/console