doorkeeper-openid_connect 1.7.0 → 1.7.5
- checksums.yaml +4 -4
- data/CHANGELOG.md +62 -2
- data/README.md +40 -0
- data/app/controllers/doorkeeper/authorizations_controller.rb +17 -0
- data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb +48 -26
- data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb +5 -1
- data/config/locales/en.yml +1 -0
- data/lib/doorkeeper/oauth/id_token_request.rb +8 -12
- data/lib/doorkeeper/oauth/id_token_response.rb +2 -0
- data/lib/doorkeeper/oauth/id_token_token_request.rb +2 -0
- data/lib/doorkeeper/oauth/id_token_token_response.rb +2 -0
- data/lib/doorkeeper/openid_connect.rb +26 -1
- data/lib/doorkeeper/openid_connect/claims/aggregated_claim.rb +2 -0
- data/lib/doorkeeper/openid_connect/claims/claim.rb +6 -4
- data/lib/doorkeeper/openid_connect/claims/distributed_claim.rb +2 -0
- data/lib/doorkeeper/openid_connect/claims/normal_claim.rb +2 -0
- data/lib/doorkeeper/openid_connect/claims_builder.rb +3 -1
- data/lib/doorkeeper/openid_connect/config.rb +24 -10
- data/lib/doorkeeper/openid_connect/engine.rb +2 -0
- data/lib/doorkeeper/openid_connect/errors.rb +2 -1
- data/lib/doorkeeper/openid_connect/helpers/controller.rb +45 -29
- data/lib/doorkeeper/openid_connect/id_token.rb +4 -2
- data/lib/doorkeeper/openid_connect/id_token_token.rb +2 -0
- data/lib/doorkeeper/openid_connect/oauth/authorization/code.rb +25 -8
- data/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb +4 -2
- data/lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb +3 -1
- data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb +24 -3
- data/lib/doorkeeper/openid_connect/oauth/token_response.rb +3 -1
- data/lib/doorkeeper/openid_connect/orm/active_record.rb +2 -0
- data/lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb +3 -1
- data/lib/doorkeeper/openid_connect/orm/active_record/request.rb +5 -3
- data/lib/doorkeeper/openid_connect/rails/routes.rb +3 -1
- data/lib/doorkeeper/openid_connect/rails/routes/mapper.rb +2 -0
- data/lib/doorkeeper/openid_connect/rails/routes/mapping.rb +2 -0
- data/lib/doorkeeper/openid_connect/response_mode.rb +30 -0
- data/lib/doorkeeper/openid_connect/response_types_config.rb +2 -2
- data/lib/doorkeeper/openid_connect/user_info.rb +2 -0
- data/lib/doorkeeper/openid_connect/version.rb +3 -1
- data/lib/doorkeeper/request/id_token.rb +2 -0
- data/lib/doorkeeper/request/id_token_token.rb +2 -0
- data/lib/generators/doorkeeper/openid_connect/install_generator.rb +4 -2
- data/lib/generators/doorkeeper/openid_connect/migration_generator.rb +3 -1
- data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb +19 -5
- data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb +3 -2
- metadata +35 -36
- data/.gitignore +0 -8
- data/.ruby-version +0 -1
- data/.travis.yml +0 -27
- data/CONTRIBUTING.md +0 -45
- data/Gemfile +0 -8
- data/Rakefile +0 -24
- data/bin/console +0 -9
- data/bin/setup +0 -8
- data/doorkeeper-openid_connect.gemspec +0 -32
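--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8faf5bba278059c030aab079426353b543baa68bc374991f6ba243454cd09aac
+data.tar.gz: 06f56eb8b593086cc03fee056efb4d82447fd40cdd341b354ed371fde47dec63
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d40202cdca7cddf5606674a4c08a4894ba9be7f8ec072520c73e81e1da48c87ba3e1c95573e0baa1ddcccaa20201eeb76d9af947e3f772223f2a4c658c730e92
+data.tar.gz: a36e15a4cdc316a82a67cc842731149ec5522e27dc21569d2c33bdbe292afc5bc81d6c4f93679c0b7ada133dcfb5e43ae4250470709a58371664f83d983e38bb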
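--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,8 +1,68 @@
 ## Unreleased
 
-
+## v1.7.5 (2020-12-15)
 
-
+### Changes
+
+- [#126] Add discovery_url_options option for discovery endpoints URL generation (thanks to @phlegx)
+
+### Bugfixes
+
+- [#123] Remove reference to ApplicationRecord (thanks to @wheeyls)
+- [#124] Clone doorkeeper.grant_flows array before appending 'refresh_token' (thanks to @davidbasalla)
+- [#129] Avoid to use the config alias while supporting Doorkeeper 5.2 (thanks to @kymmt90)
+
+## v1.7.4 (2020-07-06)
+
+- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
+
+## v1.7.3 (2020-07-06)
+
+- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
+- [#112] Add grant_types_supported to discovery response
+- [#114] Fix user_info endpoint when used in api mode
+- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
+- [#117] Fix migration template to use Rails migrations DSL for association.
+- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
+
+## v1.7.2 (2020-05-20)
+
+### Changes
+
+- [#108] Add support for Doorkeeper 5.4
+- [#103] Add support for end_session_endpoint
+- [#109] Test against Ruby 2.7 & Rails 6.x
+
+## v1.7.1 (2020-02-07)
+
+### Upgrading
+
+This version adds `on_delete: :cascade` to the migration template for the `oauth_openid_requests` table, in order to fix #82.
+
+For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with `on_delete: :cascade` included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
+
+```ruby
+class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
+def up
+remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
+end
+
+def down
+remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
+end
+end
+```
+
+### Bugfixes
+
+- [#96] Bump `json-jwt` because of CVE-2019-18848 (thanks to @leleabhinav)
+- [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
+- [#98] Cascade deletes from `oauth_openid_requests` to `oauth_access_grants` (thanks to @manojmj92)
+- [#99] Fix `audience` claim when application is not set on access token (thanks to @ionut998)
+
+## v1.7.0 (2019-11-04)
 
 ### Changes
 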
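--- a/data/README.md
+++ b/data/README.md
@@ -4,6 +4,8 @@
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 
+#### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
+
 This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
 
 OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).
@@ -137,6 +139,10 @@ The following settings are optional, but recommended for better client compatibi
 - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
 - Required to support the `max_age` and `prompt=login` parameters.
 - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
+- `select_account_for_resource_owner`
+- Defines how to trigger account selection to choose the current login user.
+- Required to support the `prompt=select_account` parameter.
+- The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
 
 The following settings are optional:
 
@@ -150,6 +156,40 @@ The following settings are optional:
 - Note that the OIDC specification mandates HTTPS, so you shouldn't change this
 for production environments unless you have a really good reason!
 
+- `end_session_endpoint`
+- The URL that the user is redirected to after ending the session on the client.
+- Used by implementations like https://github.com/IdentityModel/oidc-client-js.
+- The block is executed in the controller's scope, so you have access to your route helpers.
+
+- `discovery_url_options`
+- The URL options for every available endpoint to use when generating the endpoint URL in the
+discovery response. Available endpoints: `authorization`, `token`, `revocation`,
+`introspection`, `userinfo`, `jwks`, `webfinger`.
+- This option requires option keys with an available endpoint and
+[URL options](https://api.rubyonrails.org/v6.0.3.3/classes/ActionDispatch/Routing/UrlFor.html#method-i-url_for)
+as value.
+- The default is to use the request host, just like all the other URLs in the discovery response.
+- This is useful when you want endpoints to use a different URL than other requests.
+For example, if your Doorkeeper server is behind a firewall with other servers, you might want
+other servers to use an "internal" URL to communicate with Doorkeeper, but you want to present
+an "external" URL to end-users for authentication requests. Note that this setting does not
+actually change the URL that your Doorkeeper server responds on - that is outside the scope of
+Doorkeeper.
+
+```ruby
+# config/initializers/doorkeeper_openid_connect.rb
+Doorkeeper::OpenidConnect.configure do
+# ...
+discovery_url_options do |request|
+{
+authorization: { host: 'host.example.com' },
+jwks: { protocol: request.ssl? ? :https : :http }
+}
+end
+# ...
+end
+```
+
 ### Scopes
 
 To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.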
@@ -0,0 +1,17 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require_dependency "#{Doorkeeper::Engine.root}/app/controllers/doorkeeper/authorizations_controller.rb"
|
4
|
+
|
5
|
+
module Doorkeeper
|
6
|
+
class AuthorizationsController
|
7
|
+
module AuthorizationsExtension
|
8
|
+
private
|
9
|
+
|
10
|
+
def pre_auth_param_fields
|
11
|
+
super.append(:nonce)
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
Doorkeeper::AuthorizationsController.prepend AuthorizationsExtension
|
16
|
+
end
|
17
|
+
end
|
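Review bot: `super.append(:nonce)` in `pre_auth_param_fields` mutates the array returned by Doorkeeper's own implementation in place; should a Doorkeeper version return a memoized or frozen array there, this would either leak `:nonce` into every later call or raise `FrozenError`. The non-mutating form `super + [:nonce]` keeps the extension independent of that detail. The purpose of the extra field is also worth a comment, hedged as it is inferred from the protocol rather than visible here: `# carry the OIDC nonce through pre-authorization, presumably so it can be echoed in the ID token's nonce claim`.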
@@ -1,9 +1,11 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Doorkeeper
|
2
4
|
module OpenidConnect
|
3
5
|
class DiscoveryController < ::Doorkeeper::ApplicationController
|
4
6
|
include Doorkeeper::Helpers::Controller
|
5
7
|
|
6
|
-
WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
|
8
|
+
WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
|
7
9
|
|
8
10
|
def provider
|
9
11
|
render json: provider_response
|
@@ -24,27 +26,25 @@ module Doorkeeper
|
|
24
26
|
openid_connect = ::Doorkeeper::OpenidConnect.configuration
|
25
27
|
{
|
26
28
|
issuer: openid_connect.issuer,
|
27
|
-
authorization_endpoint: oauth_authorization_url(
|
28
|
-
token_endpoint: oauth_token_url(
|
29
|
-
revocation_endpoint: oauth_revoke_url(
|
30
|
-
introspection_endpoint: oauth_introspect_url(
|
31
|
-
userinfo_endpoint: oauth_userinfo_url(
|
32
|
-
jwks_uri: oauth_discovery_keys_url(
|
29
|
+
authorization_endpoint: oauth_authorization_url(authorization_url_options),
|
30
|
+
token_endpoint: oauth_token_url(token_url_options),
|
31
|
+
revocation_endpoint: oauth_revoke_url(revocation_url_options),
|
32
|
+
introspection_endpoint: oauth_introspect_url(introspection_url_options),
|
33
|
+
userinfo_endpoint: oauth_userinfo_url(userinfo_url_options),
|
34
|
+
jwks_uri: oauth_discovery_keys_url(jwks_url_options),
|
35
|
+
end_session_endpoint: instance_exec(&openid_connect.end_session_endpoint),
|
33
36
|
|
34
37
|
scopes_supported: doorkeeper.scopes,
|
35
38
|
|
36
39
|
# TODO: support id_token response type
|
37
40
|
response_types_supported: doorkeeper.authorization_response_types,
|
38
|
-
response_modes_supported: [
|
39
|
-
|
40
|
-
token_endpoint_auth_methods_supported: [
|
41
|
-
'client_secret_basic',
|
42
|
-
'client_secret_post',
|
41
|
+
response_modes_supported: %w[query fragment],
|
42
|
+
grant_types_supported: grant_types_supported(doorkeeper),
|
43
43
|
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
],
|
44
|
+
# TODO: look into doorkeeper-jwt_assertion for these
|
45
|
+
# 'client_secret_jwt',
|
46
|
+
# 'private_key_jwt'
|
47
|
+
token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
|
48
48
|
|
49
49
|
subject_types_supported: openid_connect.subject_types_supported,
|
50
50
|
|
@@ -56,18 +56,24 @@ module Doorkeeper
|
|
56
56
|
'normal',
|
57
57
|
|
58
58
|
# TODO: support these
|
59
|
-
#'aggregated',
|
60
|
-
#'distributed',
|
59
|
+
# 'aggregated',
|
60
|
+
# 'distributed',
|
61
61
|
],
|
62
62
|
|
63
|
-
claims_supported: [
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
63
|
+
claims_supported: %w[
|
64
|
+
iss
|
65
|
+
sub
|
66
|
+
aud
|
67
|
+
exp
|
68
|
+
iat
|
69
69
|
] | openid_connect.claims.to_h.keys,
|
70
|
-
}
|
70
|
+
}.compact
|
71
|
+
end
|
72
|
+
|
73
|
+
def grant_types_supported(doorkeeper)
|
74
|
+
grant_types_supported = doorkeeper.grant_flows.dup
|
75
|
+
grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
|
76
|
+
grant_types_supported
|
71
77
|
end
|
72
78
|
|
73
79
|
def webfinger_response
|
@@ -76,7 +82,7 @@ module Doorkeeper
|
|
76
82
|
links: [
|
77
83
|
{
|
78
84
|
rel: WEBFINGER_RELATION,
|
79
|
-
href: root_url(
|
85
|
+
href: root_url(webfinger_url_options),
|
80
86
|
}
|
81
87
|
]
|
82
88
|
}
|
@@ -98,6 +104,22 @@ module Doorkeeper
|
|
98
104
|
def protocol
|
99
105
|
Doorkeeper::OpenidConnect.configuration.protocol.call
|
100
106
|
end
|
107
|
+
|
108
|
+
def discovery_url_options
|
109
|
+
Doorkeeper::OpenidConnect.configuration.discovery_url_options.call(request)
|
110
|
+
end
|
111
|
+
|
112
|
+
def discovery_url_default_options
|
113
|
+
{
|
114
|
+
protocol: protocol
|
115
|
+
}
|
116
|
+
end
|
117
|
+
|
118
|
+
%i[authorization token revocation introspection userinfo jwks webfinger].each do |endpoint|
|
119
|
+
define_method :"#{endpoint}_url_options" do
|
120
|
+
discovery_url_default_options.merge(discovery_url_options[endpoint.to_sym] || {})
|
121
|
+
end
|
122
|
+
end
|
101
123
|
end
|
102
124
|
end
|
103
125
|
end
|
@@ -1,7 +1,11 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Doorkeeper
|
2
4
|
module OpenidConnect
|
3
5
|
class UserinfoController < ::Doorkeeper::ApplicationController
|
4
|
-
|
6
|
+
unless Doorkeeper.configuration.api_only
|
7
|
+
skip_before_action :verify_authenticity_token
|
8
|
+
end
|
5
9
|
before_action -> { doorkeeper_authorize! :openid }
|
6
10
|
|
7
11
|
def show
|
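--- a/data/config/locales/en.yml
+++ b/data/config/locales/en.yml
@@ -19,4 +19,5 @@ en:
 resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
 auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
 reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
+select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
 subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'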
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Doorkeeper
|
2
4
|
module OAuth
|
3
5
|
class IdTokenRequest
|
@@ -9,18 +11,18 @@ module Doorkeeper
|
|
9
11
|
end
|
10
12
|
|
11
13
|
def authorize
|
12
|
-
|
13
|
-
|
14
|
-
@auth.issue_token
|
15
|
-
@response = response
|
14
|
+
@auth = Authorization::Token.new(pre_auth, resource_owner)
|
15
|
+
if @auth.respond_to?(:issue_token!)
|
16
|
+
@auth.issue_token!
|
16
17
|
else
|
17
|
-
@
|
18
|
+
@auth.issue_token
|
18
19
|
end
|
20
|
+
response
|
19
21
|
end
|
20
22
|
|
21
23
|
def deny
|
22
24
|
pre_auth.error = :access_denied
|
23
|
-
error_response
|
25
|
+
pre_auth.error_response
|
24
26
|
end
|
25
27
|
|
26
28
|
private
|
@@ -30,12 +32,6 @@ module Doorkeeper
|
|
30
32
|
|
31
33
|
IdTokenResponse.new(pre_auth, auth, id_token)
|
32
34
|
end
|
33
|
-
|
34
|
-
def error_response
|
35
|
-
ErrorResponse.from_request pre_auth,
|
36
|
-
redirect_uri: pre_auth.redirect_uri,
|
37
|
-
response_on_fragment: true
|
38
|
-
end
|
39
35
|
end
|
40
36
|
end
|
41
37
|
end
|
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'doorkeeper'
|
2
4
|
require 'active_model'
|
3
5
|
require 'json/jwt'
|
@@ -20,6 +22,7 @@ require 'doorkeeper/openid_connect/errors'
|
|
20
22
|
require 'doorkeeper/openid_connect/id_token'
|
21
23
|
require 'doorkeeper/openid_connect/id_token_token'
|
22
24
|
require 'doorkeeper/openid_connect/user_info'
|
25
|
+
require 'doorkeeper/openid_connect/response_mode'
|
23
26
|
require 'doorkeeper/openid_connect/version'
|
24
27
|
|
25
28
|
require 'doorkeeper/openid_connect/helpers/controller'
|
@@ -42,7 +45,7 @@ module Doorkeeper
|
|
42
45
|
|
43
46
|
def self.signing_key
|
44
47
|
key =
|
45
|
-
if [
|
48
|
+
if %i[HS256 HS384 HS512].include?(signing_algorithm)
|
46
49
|
configuration.signing_key
|
47
50
|
else
|
48
51
|
OpenSSL::PKey.read(configuration.signing_key)
|
@@ -61,5 +64,27 @@ module Doorkeeper
|
|
61
64
|
key.slice(:kty, :kid)
|
62
65
|
end
|
63
66
|
end
|
67
|
+
|
68
|
+
if defined?(::Doorkeeper::GrantFlow)
|
69
|
+
Doorkeeper::GrantFlow.register(
|
70
|
+
:id_token,
|
71
|
+
response_type_matches: 'id_token',
|
72
|
+
response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
|
73
|
+
)
|
74
|
+
|
75
|
+
Doorkeeper::GrantFlow.register(
|
76
|
+
'id_token token',
|
77
|
+
response_type_matches: 'id_token token',
|
78
|
+
response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
|
79
|
+
)
|
80
|
+
|
81
|
+
Doorkeeper::GrantFlow.register_alias(
|
82
|
+
'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
|
83
|
+
)
|
84
|
+
else
|
85
|
+
# TODO: drop this and corresponding file when we will set minimal
|
86
|
+
# required Doorkeeper version to 5.5.
|
87
|
+
Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
|
88
|
+
end
|
64
89
|
end
|
65
90
|
end
|
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Doorkeeper
|
2
4
|
module OpenidConnect
|
3
5
|
module Claims
|
@@ -11,10 +13,10 @@ module Doorkeeper
|
|
11
13
|
name family_name given_name middle_name nickname preferred_username
|
12
14
|
profile picture website gender birthdate zoneinfo locale updated_at
|
13
15
|
],
|
14
|
-
email: %i[
|
15
|
-
address: %i[
|
16
|
-
phone: %i[
|
17
|
-
}
|
16
|
+
email: %i[email email_verified],
|
17
|
+
address: %i[address],
|
18
|
+
phone: %i[phone_number phone_number_verified],
|
19
|
+
}.freeze
|
18
20
|
|
19
21
|
def initialize(options = {})
|
20
22
|
@name = options[:name].to_sym
|
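Review bot: The `.freeze` added on the closing `}` is shallow: the `%i[...]` arrays stored as values remain mutable, so a stray `<<` on one of them elsewhere would silently alter the shared claim groups. `}.each_value(&:freeze).freeze` freezes the values as well. The constant's name and opening are above the hunk.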