doorkeeper-openid_connect 1.7.0 → 1.7.5

data/lib/doorkeeper/openid_connect/claims/normal_claim.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Claims

data/lib/doorkeeper/openid_connect/claims_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'ostruct'
 
 module Doorkeeper
@@ -31,7 +33,7 @@ module Doorkeeper
             generator: block
           )
       end
-      alias_method :claim, :normal_claim
+      alias claim normal_claim
     end
   end
 end

data/lib/doorkeeper/openid_connect/config.rb

@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     def self.configure(&block)
       if Doorkeeper.configuration.orm != :active_record
-        fail Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
+        raise Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
       end
 
       @config = Config::Builder.new(&block).build
     end
 
     def self.configuration
-      @config || (fail Errors::MissingConfiguration)
+      @config || (raise Errors::MissingConfiguration)
     end
 
     class Config
@@ -23,12 +25,12 @@ module Doorkeeper
           @config
         end
 
-        def jws_public_key(*args)
-          puts "DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+        def jws_public_key(*_args)
+          puts 'DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
         end
 
         def jws_private_key(*args)
-          puts "DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+          puts 'DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
           signing_key(*args)
         end
       end
@@ -71,7 +73,7 @@ module Doorkeeper
               value = if attribute_builder
                         attribute_builder.new(&block).build
                       else
-                        block ? block : args.first
+                        block || args.first
                       end
 
               @config.instance_variable_set(:"@#{attribute}", value)
@@ -102,19 +104,23 @@ module Doorkeeper
       option :subject_types_supported, default: [:public]
 
       option :resource_owner_from_access_token, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
       }
 
       option :auth_time_from_resource_owner, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
       }
 
       option :reauthenticate_resource_owner, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
+      }
+
+      option :select_account_for_resource_owner, default: lambda { |*_|
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
       }
 
       option :subject, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
       }
 
       option :expiration, default: 120
@@ -124,6 +130,14 @@ module Doorkeeper
       option :protocol, default: lambda { |*_|
         ::Rails.env.production? ? :https : :http
       }
+
+      option :end_session_endpoint, default: lambda { |*_|
+        nil
+      }
+
+      option :discovery_url_options, default: lambda { |*_|
+        {}
+      }
     end
   end
 end

data/lib/doorkeeper/openid_connect/engine.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class Engine < ::Rails::Engine

data/lib/doorkeeper/openid_connect/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Errors
@@ -24,7 +26,6 @@ module Doorkeeper
       class LoginRequired < OpenidConnectError; end
       class ConsentRequired < OpenidConnectError; end
       class InteractionRequired < OpenidConnectError; end
-      class AccountSelectionRequired < OpenidConnectError; end
     end
   end
 end

data/lib/doorkeeper/openid_connect/helpers/controller.rb

@@ -1,9 +1,18 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Helpers
       module Controller
         private
 
+        # FIXME: remove after Doorkeeper will merge it
+        def current_resource_owner
+          return @current_resource_owner if defined?(@current_resource_owner)
+
+          super
+        end
+
         def authenticate_resource_owner!
           super.tap do |owner|
             next unless oidc_authorization_request?
@@ -11,15 +20,14 @@ module Doorkeeper
             handle_oidc_prompt_param!(owner)
             handle_oidc_max_age_param!(owner)
           end
-        rescue Errors::OpenidConnectError => exception
-          handle_oidc_error!(exception)
+        rescue Errors::OpenidConnectError => e
+          handle_oidc_error!(e)
         end
 
         def oidc_authorization_request?
           controller_path == Doorkeeper::Rails::Routes.mapping[:authorizations][:controllers] &&
             action_name == 'new' &&
             pre_auth.valid? &&
-            pre_auth.client &&
             pre_auth.scopes.include?('openid')
         end
 
@@ -31,17 +39,19 @@ module Doorkeeper
           @_response_body = nil
 
           error_response = if exception.type == :invalid_request
-            ::Doorkeeper::OAuth::InvalidRequestResponse.new(
-              name: exception.type,
-              state: params[:state],
-              redirect_uri: params[:redirect_uri],
-            )
-          else
-            ::Doorkeeper::OAuth::ErrorResponse.new(
-              name: exception.type,
-              state: params[:state],
-              redirect_uri: params[:redirect_uri],
-            )
+                             ::Doorkeeper::OAuth::InvalidRequestResponse.new(
+                               name: exception.type,
+                               state: params[:state],
+                               redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
+                             )
+                           else
+                             ::Doorkeeper::OAuth::ErrorResponse.new(
+                               name: exception.type,
+                               state: params[:state],
+                               redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
+                             )
           end
 
           response.headers.merge!(error_response.headers)
@@ -59,16 +69,15 @@ module Doorkeeper
           prompt_values.each do |prompt|
             case prompt
             when 'none'
-              raise Errors::InvalidRequest if (prompt_values - [ 'none' ]).any?
+              raise Errors::InvalidRequest if (prompt_values - ['none']).any?
               raise Errors::LoginRequired unless owner
-              raise Errors::ConsentRequired if oidc_consent_required?(owner)
+              raise Errors::ConsentRequired if oidc_consent_required?
             when 'login'
               reauthenticate_oidc_resource_owner(owner) if owner
             when 'consent'
               render :new
             when 'select_account'
-              # TODO: let the user implement this
-              raise Errors::AccountSelectionRequired
+              select_account_for_oidc_resource_owner(owner)
             else
               raise Errors::InvalidRequest
             end
@@ -89,36 +98,43 @@ module Doorkeeper
           end
         end
 
-        def reauthenticate_oidc_resource_owner(owner)
+        def return_without_oidc_prompt_param(prompt_value)
           return_to = URI.parse(request.path)
           return_to.query = request.query_parameters.tap do |params|
-            params['prompt'] = params['prompt'].to_s.sub(/\blogin\s*\b/, '').strip
+            params['prompt'] = params['prompt'].to_s.sub(/\b#{prompt_value}\s*\b/, '').strip
             params.delete('prompt') if params['prompt'].blank?
           end.to_query
+          return_to.to_s
+        end
+
+        def reauthenticate_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('login')
 
           instance_exec(
             owner,
-            return_to.to_s,
+            return_to,
             &Doorkeeper::OpenidConnect.configuration.reauthenticate_resource_owner
           )
 
           raise Errors::LoginRequired unless performed?
         end
 
-        def matching_tokens_for_oidc_resource_owner(owner)
-          Doorkeeper::AccessToken.authorized_tokens_for(pre_auth.client.id, owner.id).select do |token|
-            Doorkeeper::AccessToken.scopes_match?(token.scopes, pre_auth.scopes, pre_auth.client.scopes)
-          end
+        def oidc_consent_required?
+          !skip_authorization? && !matching_token?
         end
 
-        def oidc_consent_required?(owner)
-          return false if skip_authorization?
+        def select_account_for_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('select_account')
 
-          matching_tokens_for_oidc_resource_owner(owner).blank?
+          instance_exec(
+            owner,
+            return_to,
+            &Doorkeeper::OpenidConnect.configuration.select_account_for_resource_owner
+          )
         end
       end
     end
   end
 
-  Helpers::Controller.send :prepend, OpenidConnect::Helpers::Controller
+  Helpers::Controller.prepend OpenidConnect::Helpers::Controller
 end

data/lib/doorkeeper/openid_connect/id_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class IdToken
@@ -9,7 +11,7 @@ module Doorkeeper
         @access_token = access_token
         @nonce = nonce
         @resource_owner = Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token.call(access_token)
-        @issued_at = Time.now
+        @issued_at = Time.zone.now
       end
 
       def claims
@@ -46,7 +48,7 @@ module Doorkeeper
       end
 
       def audience
-        @access_token.application.uid
+        @access_token.application.try(:uid)
       end
 
       def expiration

data/lib/doorkeeper/openid_connect/id_token_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class IdTokenToken < IdToken

data/lib/doorkeeper/openid_connect/oauth/authorization/code.rb

@@ -1,22 +1,39 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
       module Authorization
         module Code
-          def issue_token
-            super.tap do |access_grant|
-              if pre_auth.nonce.present?
-                ::Doorkeeper::OpenidConnect::Request.create!(
-                  access_grant: access_grant,
-                  nonce: pre_auth.nonce
-                )
+          if Doorkeeper::OAuth::Authorization::Code.method_defined?(:issue_token!)
+            def issue_token!
+              super.tap do |access_grant|
+                create_openid_request(access_grant) if pre_auth.nonce.present?
+              end
+            end
+
+            alias issue_token issue_token!
+          else
+            # FIXME: drop this after dropping support of Doorkeeper < 5.4
+            def issue_token
+              super.tap do |access_grant|
+                create_openid_request(access_grant) if pre_auth.nonce.present?
               end
             end
           end
+
+          private
+
+          def create_openid_request(access_grant)
+            ::Doorkeeper::OpenidConnect::Request.create!(
+              access_grant: access_grant,
+              nonce: pre_auth.nonce
+            )
+          end
         end
       end
     end
   end
 
-  OAuth::Authorization::Code.send :prepend, OpenidConnect::OAuth::Authorization::Code
+  OAuth::Authorization::Code.prepend OpenidConnect::OAuth::Authorization::Code
 end

data/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
@@ -8,7 +10,7 @@ module Doorkeeper
           super
 
           nonce =
-            if openid_request = grant.openid_request
+            if (openid_request = grant.openid_request)
               openid_request.destroy!
               openid_request.nonce
             end
@@ -20,5 +22,5 @@ module Doorkeeper
     end
   end
 
-  OAuth::AuthorizationCodeRequest.send :prepend, OpenidConnect::OAuth::AuthorizationCodeRequest
+  OAuth::AuthorizationCodeRequest.prepend OpenidConnect::OAuth::AuthorizationCodeRequest
 end

data/lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
@@ -20,5 +22,5 @@ module Doorkeeper
     end
   end
 
-  OAuth::PasswordAccessTokenRequest.send :prepend, OpenidConnect::OAuth::PasswordAccessTokenRequest
+  OAuth::PasswordAccessTokenRequest.prepend OpenidConnect::OAuth::PasswordAccessTokenRequest
 end

data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb

@@ -1,16 +1,37 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
       module PreAuthorization
         attr_reader :nonce
 
-        def initialize(server, attrs = {})
-          super
+        def initialize(server, attrs = {}, resource_owner = nil)
+          if (Doorkeeper::VERSION::MAJOR >= 5 && Doorkeeper::VERSION::MINOR >= 4) ||
+             Doorkeeper::VERSION::MAJOR >= 6
+            super
+          else
+            super(server, attrs)
+          end
           @nonce = attrs[:nonce]
         end
+
+        # This method will be updated when doorkeeper move to version > 5.2.2
+        # TODO: delete this method and refactor response_on_fragment? method (below) when doorkeeper gem version constrains is > 5.2.2
+        def error_response
+          if error == :invalid_request
+            Doorkeeper::OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: response_on_fragment?)
+          else
+            Doorkeeper::OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
+          end
+        end
+
+        def response_on_fragment?
+          Doorkeeper::OpenidConnect::ResponseMode.new(response_type).fragment?
+        end
       end
     end
   end
 
-  OAuth::PreAuthorization.send :prepend, OpenidConnect::OAuth::PreAuthorization
+  OAuth::PreAuthorization.prepend OpenidConnect::OAuth::PreAuthorization
 end

data/lib/doorkeeper/openid_connect/oauth/token_response.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
@@ -19,5 +21,5 @@ module Doorkeeper
     end
   end
 
-  OAuth::TokenResponse.send :prepend, OpenidConnect::OAuth::TokenResponse
+  OAuth::TokenResponse.prepend OpenidConnect::OAuth::TokenResponse
 end

data/lib/doorkeeper/openid_connect/orm/active_record.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'active_support/lazy_load_hooks'
 
 module Doorkeeper

data/lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module AccessGrant
@@ -12,5 +14,5 @@ module Doorkeeper
     end
   end
 
-  AccessGrant.send :prepend, OpenidConnect::AccessGrant
+  AccessGrant.prepend OpenidConnect::AccessGrant
 end