doorkeeper-openid_connect 1.7.0 → 1.7.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9f38540bf15e49809e21423a76e0fd8313c5494aee4a3537f6b6d1bcd5645951
4
- data.tar.gz: d1408e8c1a4755356746a55957dbc941242fb266ead2e5f92d29d46646258958
3
+ metadata.gz: 0bcb761a45b80b603b387474f5393d9000d154468eb7974620e9aace796836c5
4
+ data.tar.gz: 51809691b1ea73f5f2a28f00c2aa105c821e9e4326ae781b4dcbb433c7e034ac
5
5
  SHA512:
6
- metadata.gz: 71ca0f37f65e787785550e64d4b5fc4ad05ad74ec93601e909924d1984f6b42612c4856bc8439373f8af52a8958e0e80beaf711ed78b012784eb941f46aeb889
7
- data.tar.gz: f5c46bc891ed65513493cbeb7304fe76c04a62c03e8ce51b5f1849319da9be27bfa304b5064e028421a88583db4adf4e3ec71e3c4d900fd6ff850e44fa76a826
6
+ metadata.gz: d6e3df930e4e466ffac74df7d3e237158a34a7a831f6003749a9edf8766b762db132430c862287bd16a21a66d035cb4b62fa7f8f0f518452cf8bab3ec1fd4709
7
+ data.tar.gz: 32721653701e09ae2d022c627bf13f2bfce5390ffad046d976c880b186c97eaec5fa9173aed21789141056322786604224bfe62e6bfe4cdb43da030ed08b2b50
@@ -1 +1 @@
1
- 2.6.3
1
+ 2.6.5
@@ -1,8 +1,35 @@
1
1
  ## Unreleased
2
2
 
3
- No changes yet.
3
+ ## v1.7.1 (2020-02-07)
4
4
 
5
- ## v1.7.0
5
+ ### Upgrading
6
+
7
+ This version adds `on_delete: :cascade` to the migration template for the `oauth_openid_requests` table, in order to fix #82.
8
+
9
+ For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with `on_delete: :cascade` included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
10
+
11
+ ```ruby
12
+ class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
13
+ def up
14
+ remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
15
+ add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
16
+ end
17
+
18
+ def down
19
+ remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
20
+ add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
21
+ end
22
+ end
23
+ ```
24
+
25
+ ### Bugfixes
26
+
27
+ - [#96] Bump `json-jwt` because of CVE-2019-18848 (thanks to @leleabhinav)
28
+ - [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
29
+ - [#98] Cascade deletes from `oauth_openid_requests` to `oauth_access_grants` (thanks to @manojmj92)
30
+ - [#99] Fix `audience` claim when application is not set on access token (thanks to @ionut998)
31
+
32
+ ## v1.7.0 (2019-11-04)
6
33
 
7
34
  ### Changes
8
35
 
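--- a/data/README.md
+++ b/data/README.md
@@ -4,6 +4,8 @@
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 
+#### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
+
 This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
 
 OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).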
@@ -0,0 +1,17 @@
1
+ # frozen_string_literal: true
2
+
3
+ require_dependency "#{Doorkeeper::Engine.root}/app/controllers/doorkeeper/authorizations_controller.rb"
4
+
5
+ module Doorkeeper
6
+ class AuthorizationsController
7
+ module AuthorizationsExtension
8
+ private
9
+
10
+ def pre_auth_param_fields
11
+ super.append(:nonce)
12
+ end
13
+ end
14
+
15
+ Doorkeeper::AuthorizationsController.send :prepend, AuthorizationsExtension
16
+ end
17
+ end
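Review bot: `Doorkeeper::AuthorizationsController.send :prepend, AuthorizationsExtension` uses `send` to call a method that has been public since Ruby 2.1, and the gemspec in this same release requires Ruby >= 2.4, so a plain `prepend AuthorizationsExtension` inside the class body does the same thing without bypassing visibility. The override is also undocumented; `pre_auth_param_fields` is presumably Doorkeeper 5.2's whitelist of pre-authorization parameters, and the added `:nonce` is what lets the OIDC nonce reach `PreAuthorization` (`@nonce = attrs[:nonce]` in the pre_authorization hunk), so a comment such as `# Doorkeeper whitelists pre-auth params; allow :nonce through so PreAuthorization can store it` would make the intent clear. The `require_dependency` path built from `Doorkeeper::Engine.root` ties this file to Doorkeeper's internal layout across the whole `>= 5.2, < 5.4` range, which is worth noting in the same comment.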
@@ -19,8 +19,8 @@ Gem::Specification.new do |spec|
19
19
 
20
20
  spec.required_ruby_version = ">= 2.4"
21
21
 
22
- spec.add_runtime_dependency 'doorkeeper', '~> 5.2.0'
23
- spec.add_runtime_dependency 'json-jwt', '~> 1.6'
22
+ spec.add_runtime_dependency 'doorkeeper', '>= 5.2', '< 5.4'
23
+ spec.add_runtime_dependency 'json-jwt', '>= 1.11.0'
24
24
 
25
25
  spec.add_development_dependency 'rspec-rails'
26
26
  spec.add_development_dependency 'factory_bot'
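Review bot: The new constraint on the `spec.add_runtime_dependency 'json-jwt', '>= 1.11.0'` line has no upper bound, so a future json-jwt 2.x with incompatible changes would be accepted on a routine `bundle update`. The raised floor is right given the changelog's CVE-2019-18848 motivation; pairing it with a ceiling keeps the fix while guarding against a breaking major: `spec.add_runtime_dependency 'json-jwt', '>= 1.11.0', '< 2'`. The doorkeeper constraint on the line above already follows that bounded pattern. The enclosing `Gem::Specification.new do |spec|` block starts and ends outside the hunk.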
@@ -9,18 +9,14 @@ module Doorkeeper
9
9
  end
10
10
 
11
11
  def authorize
12
- if pre_auth.authorizable?
13
- @auth = Authorization::Token.new(pre_auth, resource_owner)
14
- @auth.issue_token
15
- @response = response
16
- else
17
- @response = error_response
18
- end
12
+ @auth = Authorization::Token.new(pre_auth, resource_owner)
13
+ @auth.issue_token
14
+ response
19
15
  end
20
16
 
21
17
  def deny
22
18
  pre_auth.error = :access_denied
23
- error_response
19
+ pre_auth.error_response
24
20
  end
25
21
 
26
22
  private
@@ -30,12 +26,6 @@ module Doorkeeper
30
26
 
31
27
  IdTokenResponse.new(pre_auth, auth, id_token)
32
28
  end
33
-
34
- def error_response
35
- ErrorResponse.from_request pre_auth,
36
- redirect_uri: pre_auth.redirect_uri,
37
- response_on_fragment: true
38
- end
39
29
  end
40
30
  end
41
31
  end
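Review bot: `authorize` no longer checks `pre_auth.authorizable?` before `@auth.issue_token`, so the only thing standing between an invalid pre-authorization and a freshly issued token is whatever the caller does first, and that precondition is nowhere stated in this file. If, as the Doorkeeper 5.2 compatibility fix suggests, the check now happens in Doorkeeper's own authorize flow (inferred, not visible here), the invariant should be written down: `# Precondition: the caller has already verified pre_auth.authorizable?; this unconditionally issues a token.`. It is worth confirming against every Doorkeeper version in the gemspec range (`>= 5.2`, `< 5.4`) that no path reaches `authorize` without that check. The enclosing class and module start outside the first hunk.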
@@ -19,7 +19,6 @@ module Doorkeeper
19
19
  controller_path == Doorkeeper::Rails::Routes.mapping[:authorizations][:controllers] &&
20
20
  action_name == 'new' &&
21
21
  pre_auth.valid? &&
22
- pre_auth.client &&
23
22
  pre_auth.scopes.include?('openid')
24
23
  end
25
24
 
@@ -61,7 +60,7 @@ module Doorkeeper
61
60
  when 'none'
62
61
  raise Errors::InvalidRequest if (prompt_values - [ 'none' ]).any?
63
62
  raise Errors::LoginRequired unless owner
64
- raise Errors::ConsentRequired if oidc_consent_required?(owner)
63
+ raise Errors::ConsentRequired if oidc_consent_required?
65
64
  when 'login'
66
65
  reauthenticate_oidc_resource_owner(owner) if owner
67
66
  when 'consent'
@@ -105,16 +104,8 @@ module Doorkeeper
105
104
  raise Errors::LoginRequired unless performed?
106
105
  end
107
106
 
108
- def matching_tokens_for_oidc_resource_owner(owner)
109
- Doorkeeper::AccessToken.authorized_tokens_for(pre_auth.client.id, owner.id).select do |token|
110
- Doorkeeper::AccessToken.scopes_match?(token.scopes, pre_auth.scopes, pre_auth.client.scopes)
111
- end
112
- end
113
-
114
- def oidc_consent_required?(owner)
115
- return false if skip_authorization?
116
-
117
- matching_tokens_for_oidc_resource_owner(owner).blank?
107
+ def oidc_consent_required?
108
+ !skip_authorization? && !matching_token?
118
109
  end
119
110
  end
120
111
  end
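Review bot: `oidc_consent_required?` now decides consent via `matching_token?`, which is not defined anywhere in this file, and it no longer receives the `owner` that the `prompt=none` branch has just verified with `raise Errors::LoginRequired unless owner`, so the login check and the token lookup may be evaluated against different resource-owner resolutions. If `matching_token?` is Doorkeeper's helper and resolves the current resource owner itself (inferred), the two agree in practice, but the coupling deserves a comment: `# Delegates to Doorkeeper's matching_token? (5.2+), which resolves the owner itself; keep consistent with the owner check in the prompt=none branch.`. The first hunk likewise drops `pre_auth.client &&` from the openid-request guard and relies on `pre_auth.valid?` to imply a client, which a one-line comment there should state. The enclosing module and the methods containing the first two hunks start outside the hunks.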
@@ -46,7 +46,7 @@ module Doorkeeper
46
46
  end
47
47
 
48
48
  def audience
49
- @access_token.application.uid
49
+ @access_token.application.try(:uid)
50
50
  end
51
51
 
52
52
  def expiration
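Review bot: `audience` on the `@access_token.application.try(:uid)` line now returns nil when the access token has no application, yet `aud` is a REQUIRED ID Token claim in OpenID Connect Core, so an id_token built from such a token either lacks its audience or carries `aud: null` and cannot be bound by any client. Whether the surrounding claim builder omits nil claims or refuses to mint the token is not visible in this hunk and should be confirmed; at minimum document the edge: `# aud is REQUIRED by OIDC Core; nil only when the access token has no application — callers must not emit such an id_token unchecked`. Stylistically, the gemspec already requires Ruby >= 2.4, so the stdlib form `@access_token.application&.uid` does the same as ActiveSupport's `try`. The enclosing class starts and ends outside the hunk.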
@@ -8,6 +8,22 @@ module Doorkeeper
8
8
  super
9
9
  @nonce = attrs[:nonce]
10
10
  end
11
+
12
+ # This method will be updated when doorkeeper move to version > 5.2.2
13
+ # TODO: delete this method and refactor response_on_fragment? method (below) when doorkeeper gem version constrains is > 5.2.2
14
+ def error_response
15
+ if error == :invalid_request
16
+ Doorkeeper::OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: response_on_fragment?)
17
+ else
18
+ Doorkeeper::OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
19
+ end
20
+ end
21
+
22
+ private
23
+
24
+ def response_on_fragment?
25
+ response_type == "token" || response_type == "id_token" || response_type == "id_token token"
26
+ end
11
27
  end
12
28
  end
13
29
  end
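Review bot: `response_on_fragment?` compares `response_type` against only the three literals `"token"`, `"id_token"` and `"id_token token"`, but OAuth 2.0 Multiple Response Type Encoding Practices treats a space-separated response_type as an unordered set, so `"token id_token"` names the same request and would get its error returned in the query component instead of the fragment. Matching on the split value covers both orders in one line: `(response_type.to_s.split & %w[token id_token]).any?`. Since this predicate presumably exists to keep implicit-flow error responses in the fragment, the asymmetry is worth closing rather than documenting. The comment above `error_response` also misspells `constrains` and would read better as `# TODO: remove once the doorkeeper dependency is constrained to > 5.2.2 and fold response_on_fragment? back in`. The enclosing class starts outside the hunk.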
@@ -1,5 +1,5 @@
1
1
  module Doorkeeper
2
2
  module OpenidConnect
3
- VERSION = '1.7.0'.freeze
3
+ VERSION = '1.7.1'.freeze
4
4
  end
5
5
  end
@@ -8,7 +8,8 @@ class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration<%= migration
8
8
  add_foreign_key(
9
9
  :oauth_openid_requests,
10
10
  :oauth_access_grants,
11
- column: :access_grant_id
11
+ column: :access_grant_id,
12
+ on_delete: :cascade
12
13
  )
13
14
  end
14
15
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: doorkeeper-openid_connect
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.7.0
4
+ version: 1.7.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sam Dengler
@@ -9,36 +9,42 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2019-11-04 00:00:00.000000000 Z
12
+ date: 2020-02-07 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: doorkeeper
16
16
  requirement: !ruby/object:Gem::Requirement
17
17
  requirements:
18
- - - "~>"
18
+ - - ">="
19
+ - !ruby/object:Gem::Version
20
+ version: '5.2'
21
+ - - "<"
19
22
  - !ruby/object:Gem::Version
20
- version: 5.2.0
23
+ version: '5.4'
21
24
  type: :runtime
22
25
  prerelease: false
23
26
  version_requirements: !ruby/object:Gem::Requirement
24
27
  requirements:
25
- - - "~>"
28
+ - - ">="
26
29
  - !ruby/object:Gem::Version
27
- version: 5.2.0
30
+ version: '5.2'
31
+ - - "<"
32
+ - !ruby/object:Gem::Version
33
+ version: '5.4'
28
34
  - !ruby/object:Gem::Dependency
29
35
  name: json-jwt
30
36
  requirement: !ruby/object:Gem::Requirement
31
37
  requirements:
32
- - - "~>"
38
+ - - ">="
33
39
  - !ruby/object:Gem::Version
34
- version: '1.6'
40
+ version: 1.11.0
35
41
  type: :runtime
36
42
  prerelease: false
37
43
  version_requirements: !ruby/object:Gem::Requirement
38
44
  requirements:
39
- - - "~>"
45
+ - - ">="
40
46
  - !ruby/object:Gem::Version
41
- version: '1.6'
47
+ version: 1.11.0
42
48
  - !ruby/object:Gem::Dependency
43
49
  name: rspec-rails
44
50
  requirement: !ruby/object:Gem::Requirement
@@ -126,6 +132,7 @@ files:
126
132
  - LICENSE.txt
127
133
  - README.md
128
134
  - Rakefile
135
+ - app/controllers/doorkeeper/authorizations_controller.rb
129
136
  - app/controllers/doorkeeper/openid_connect/discovery_controller.rb
130
137
  - app/controllers/doorkeeper/openid_connect/userinfo_controller.rb
131
138
  - bin/console