doorkeeper-openid_connect 1.7.0 → 1.7.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f38540bf15e49809e21423a76e0fd8313c5494aee4a3537f6b6d1bcd5645951
-  data.tar.gz: d1408e8c1a4755356746a55957dbc941242fb266ead2e5f92d29d46646258958
+  metadata.gz: 8faf5bba278059c030aab079426353b543baa68bc374991f6ba243454cd09aac
+  data.tar.gz: 06f56eb8b593086cc03fee056efb4d82447fd40cdd341b354ed371fde47dec63
 SHA512:
-  metadata.gz: 71ca0f37f65e787785550e64d4b5fc4ad05ad74ec93601e909924d1984f6b42612c4856bc8439373f8af52a8958e0e80beaf711ed78b012784eb941f46aeb889
-  data.tar.gz: f5c46bc891ed65513493cbeb7304fe76c04a62c03e8ce51b5f1849319da9be27bfa304b5064e028421a88583db4adf4e3ec71e3c4d900fd6ff850e44fa76a826
+  metadata.gz: d40202cdca7cddf5606674a4c08a4894ba9be7f8ec072520c73e81e1da48c87ba3e1c95573e0baa1ddcccaa20201eeb76d9af947e3f772223f2a4c658c730e92
+  data.tar.gz: a36e15a4cdc316a82a67cc842731149ec5522e27dc21569d2c33bdbe292afc5bc81d6c4f93679c0b7ada133dcfb5e43ae4250470709a58371664f83d983e38bb

data/CHANGELOG.md

@@ -1,8 +1,68 @@
 ## Unreleased
 
-No changes yet.
+## v1.7.5 (2020-12-15)
 
-## v1.7.0
+### Changes
+
+- [#126] Add discovery_url_options option for discovery endpoints URL generation (thanks to @phlegx)
+
+### Bugfixes
+
+- [#123] Remove reference to ApplicationRecord (thanks to @wheeyls)
+- [#124] Clone doorkeeper.grant_flows array before appending 'refresh_token' (thanks to @davidbasalla)
+- [#129] Avoid to use the config alias while supporting Doorkeeper 5.2 (thanks to @kymmt90)
+
+## v1.7.4 (2020-07-06)
+
+- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
+
+## v1.7.3 (2020-07-06)
+
+- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
+- [#112] Add grant_types_supported to discovery response
+- [#114] Fix user_info endpoint when used in api mode
+- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
+- [#117] Fix migration template to use Rails migrations DSL for association.
+- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
+
+## v1.7.2 (2020-05-20)
+
+### Changes
+
+- [#108] Add support for Doorkeeper 5.4
+- [#103] Add support for end_session_endpoint
+- [#109] Test against Ruby 2.7 & Rails 6.x
+
+## v1.7.1 (2020-02-07)
+
+### Upgrading
+
+This version adds `on_delete: :cascade` to the migration template for the `oauth_openid_requests` table, in order to fix #82.
+
+For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with `on_delete: :cascade` included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
+
+```ruby
+class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
+  def up
+    remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+    add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
+  end
+
+  def down
+    remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+    add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
+  end
+end
+```
+
+### Bugfixes
+
+- [#96] Bump `json-jwt` because of CVE-2019-18848 (thanks to @leleabhinav)
+- [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
+- [#98] Cascade deletes from `oauth_openid_requests` to `oauth_access_grants` (thanks to @manojmj92)
+- [#99] Fix `audience` claim when application is not set on access token (thanks to @ionut998)
+
+## v1.7.0 (2019-11-04)
 
 ### Changes
 

data/README.md

@@ -4,6 +4,8 @@
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 
+#### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
+
 This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
 
 OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).
@@ -137,6 +139,10 @@ The following settings are optional, but recommended for better client compatibi
   - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
   - Required to support the `max_age` and `prompt=login` parameters.
   - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
+- `select_account_for_resource_owner`
+  - Defines how to trigger account selection to choose the current login user.
+  - Required to support the `prompt=select_account` parameter.
+  - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
 
 The following settings are optional:
 
@@ -150,6 +156,40 @@ The following settings are optional:
   - Note that the OIDC specification mandates HTTPS, so you shouldn't change this
     for production environments unless you have a really good reason!
 
+- `end_session_endpoint`
+  - The URL that the user is redirected to after ending the session on the client.
+  - Used by implementations like https://github.com/IdentityModel/oidc-client-js.
+  - The block is executed in the controller's scope, so you have access to your route helpers.
+
+- `discovery_url_options`
+  - The URL options for every available endpoint to use when generating the endpoint URL in the
+    discovery response. Available endpoints: `authorization`, `token`, `revocation`,
+    `introspection`, `userinfo`, `jwks`, `webfinger`.
+  - This option requires option keys with an available endpoint and
+    [URL options](https://api.rubyonrails.org/v6.0.3.3/classes/ActionDispatch/Routing/UrlFor.html#method-i-url_for)
+    as value.
+  - The default is to use the request host, just like all the other URLs in the discovery response.
+  - This is useful when you want endpoints to use a different URL than other requests.
+    For example, if your Doorkeeper server is behind a firewall with other servers, you might want
+    other servers to use an "internal" URL to communicate with Doorkeeper, but you want to present
+    an "external" URL to end-users for authentication requests. Note that this setting does not
+    actually change the URL that your Doorkeeper server responds on - that is outside the scope of
+    Doorkeeper.
+
+    ```ruby
+    # config/initializers/doorkeeper_openid_connect.rb
+    Doorkeeper::OpenidConnect.configure do
+    # ...
+      discovery_url_options do |request|
+        {
+          authorization: { host: 'host.example.com' },
+          jwks:          { protocol: request.ssl? ? :https : :http }
+        }
+      end
+    # ...
+    end
+    ```
+
 ### Scopes
 
 To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require_dependency "#{Doorkeeper::Engine.root}/app/controllers/doorkeeper/authorizations_controller.rb"
+
+module Doorkeeper
+  class AuthorizationsController
+    module AuthorizationsExtension
+      private
+
+      def pre_auth_param_fields
+        super.append(:nonce)
+      end
+    end
+
+    Doorkeeper::AuthorizationsController.prepend AuthorizationsExtension
+  end
+end

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class DiscoveryController < ::Doorkeeper::ApplicationController
       include Doorkeeper::Helpers::Controller
 
-      WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'.freeze
+      WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
 
       def provider
         render json: provider_response
@@ -24,27 +26,25 @@ module Doorkeeper
         openid_connect = ::Doorkeeper::OpenidConnect.configuration
         {
           issuer: openid_connect.issuer,
-          authorization_endpoint: oauth_authorization_url(protocol: protocol),
-          token_endpoint: oauth_token_url(protocol: protocol),
-          revocation_endpoint: oauth_revoke_url(protocol: protocol),
-          introspection_endpoint: oauth_introspect_url(protocol: protocol),
-          userinfo_endpoint: oauth_userinfo_url(protocol: protocol),
-          jwks_uri: oauth_discovery_keys_url(protocol: protocol),
+          authorization_endpoint: oauth_authorization_url(authorization_url_options),
+          token_endpoint: oauth_token_url(token_url_options),
+          revocation_endpoint: oauth_revoke_url(revocation_url_options),
+          introspection_endpoint: oauth_introspect_url(introspection_url_options),
+          userinfo_endpoint: oauth_userinfo_url(userinfo_url_options),
+          jwks_uri: oauth_discovery_keys_url(jwks_url_options),
+          end_session_endpoint: instance_exec(&openid_connect.end_session_endpoint),
 
           scopes_supported: doorkeeper.scopes,
 
           # TODO: support id_token response type
           response_types_supported: doorkeeper.authorization_response_types,
-          response_modes_supported: [ 'query', 'fragment' ],
-
-          token_endpoint_auth_methods_supported: [
-            'client_secret_basic',
-            'client_secret_post',
+          response_modes_supported: %w[query fragment],
+          grant_types_supported: grant_types_supported(doorkeeper),
 
-            # TODO: look into doorkeeper-jwt_assertion for these
-            #'client_secret_jwt',
-            #'private_key_jwt'
-          ],
+          # TODO: look into doorkeeper-jwt_assertion for these
+          #  'client_secret_jwt',
+          #  'private_key_jwt'
+          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
 
           subject_types_supported: openid_connect.subject_types_supported,
 
@@ -56,18 +56,24 @@ module Doorkeeper
             'normal',
 
             # TODO: support these
-            #'aggregated',
-            #'distributed',
+            # 'aggregated',
+            # 'distributed',
           ],
 
-          claims_supported: [
-            'iss',
-            'sub',
-            'aud',
-            'exp',
-            'iat',
+          claims_supported: %w[
+            iss
+            sub
+            aud
+            exp
+            iat
           ] | openid_connect.claims.to_h.keys,
-        }
+        }.compact
+      end
+
+      def grant_types_supported(doorkeeper)
+        grant_types_supported = doorkeeper.grant_flows.dup
+        grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
+        grant_types_supported
       end
 
       def webfinger_response
@@ -76,7 +82,7 @@ module Doorkeeper
           links: [
             {
               rel: WEBFINGER_RELATION,
-              href: root_url(protocol: protocol),
+              href: root_url(webfinger_url_options),
             }
           ]
         }
@@ -98,6 +104,22 @@ module Doorkeeper
       def protocol
         Doorkeeper::OpenidConnect.configuration.protocol.call
       end
+
+      def discovery_url_options
+        Doorkeeper::OpenidConnect.configuration.discovery_url_options.call(request)
+      end
+
+      def discovery_url_default_options
+        {
+          protocol: protocol
+        }
+      end
+
+      %i[authorization token revocation introspection userinfo jwks webfinger].each do |endpoint|
+        define_method :"#{endpoint}_url_options" do
+          discovery_url_default_options.merge(discovery_url_options[endpoint.to_sym] || {})
+        end
+      end
     end
   end
 end

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb

@@ -1,7 +1,11 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class UserinfoController < ::Doorkeeper::ApplicationController
-      skip_before_action :verify_authenticity_token
+      unless Doorkeeper.configuration.api_only
+        skip_before_action :verify_authenticity_token
+      end
       before_action -> { doorkeeper_authorize! :openid }
 
       def show

data/config/locales/en.yml

@@ -19,4 +19,5 @@ en:
           resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
           auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
           reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
+          select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
           subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'

data/lib/doorkeeper/oauth/id_token_request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class IdTokenRequest
@@ -9,18 +11,18 @@ module Doorkeeper
       end
 
       def authorize
-        if pre_auth.authorizable?
-          @auth = Authorization::Token.new(pre_auth, resource_owner)
-          @auth.issue_token
-          @response = response
+        @auth = Authorization::Token.new(pre_auth, resource_owner)
+        if @auth.respond_to?(:issue_token!)
+          @auth.issue_token!
         else
-          @response = error_response
+          @auth.issue_token
         end
+        response
       end
 
       def deny
         pre_auth.error = :access_denied
-        error_response
+        pre_auth.error_response
       end
 
       private
@@ -30,12 +32,6 @@ module Doorkeeper
 
         IdTokenResponse.new(pre_auth, auth, id_token)
       end
-
-      def error_response
-        ErrorResponse.from_request pre_auth,
-                                   redirect_uri: pre_auth.redirect_uri,
-                                   response_on_fragment: true
-      end
     end
   end
 end

data/lib/doorkeeper/oauth/id_token_response.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class IdTokenResponse < BaseResponse

data/lib/doorkeeper/oauth/id_token_token_request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class IdTokenTokenRequest < IdTokenRequest

data/lib/doorkeeper/oauth/id_token_token_response.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OAuth
     class IdTokenTokenResponse < IdTokenResponse

data/lib/doorkeeper/openid_connect.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'doorkeeper'
 require 'active_model'
 require 'json/jwt'
@@ -20,6 +22,7 @@ require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
 require 'doorkeeper/openid_connect/id_token_token'
 require 'doorkeeper/openid_connect/user_info'
+require 'doorkeeper/openid_connect/response_mode'
 require 'doorkeeper/openid_connect/version'
 
 require 'doorkeeper/openid_connect/helpers/controller'
@@ -42,7 +45,7 @@ module Doorkeeper
 
     def self.signing_key
       key =
-        if [:HS256, :HS384, :HS512].include?(signing_algorithm)
+        if %i[HS256 HS384 HS512].include?(signing_algorithm)
           configuration.signing_key
         else
           OpenSSL::PKey.read(configuration.signing_key)
@@ -61,5 +64,27 @@ module Doorkeeper
         key.slice(:kty, :kid)
       end
     end
+
+    if defined?(::Doorkeeper::GrantFlow)
+      Doorkeeper::GrantFlow.register(
+        :id_token,
+        response_type_matches: 'id_token',
+        response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
+      )
+
+      Doorkeeper::GrantFlow.register(
+        'id_token token',
+        response_type_matches: 'id_token token',
+        response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
+      )
+
+      Doorkeeper::GrantFlow.register_alias(
+        'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
+      )
+    else
+      # TODO: drop this and corresponding file when we will set minimal
+      # required Doorkeeper version to 5.5.
+      Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
+    end
   end
 end

data/lib/doorkeeper/openid_connect/claims/aggregated_claim.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Claims

data/lib/doorkeeper/openid_connect/claims/claim.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Claims
@@ -11,10 +13,10 @@ module Doorkeeper
             name family_name given_name middle_name nickname preferred_username
             profile picture website gender birthdate zoneinfo locale updated_at
           ],
-          email: %i[ email email_verified ],
-          address: %i[ address ],
-          phone: %i[ phone_number phone_number_verified ],
-        }
+          email: %i[email email_verified],
+          address: %i[address],
+          phone: %i[phone_number phone_number_verified],
+        }.freeze
 
         def initialize(options = {})
           @name = options[:name].to_sym

data/lib/doorkeeper/openid_connect/claims/distributed_claim.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Claims