doorkeeper-openid_connect 1.7.1 → 1.8.0.pre.rc1

data/lib/doorkeeper/openid_connect/config.rb

@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     def self.configure(&block)
       if Doorkeeper.configuration.orm != :active_record
-        fail Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
+        raise Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
       end
 
       @config = Config::Builder.new(&block).build
     end
 
     def self.configuration
-      @config || (fail Errors::MissingConfiguration)
+      @config || (raise Errors::MissingConfiguration)
     end
 
     class Config
@@ -23,12 +25,12 @@ module Doorkeeper
           @config
         end
 
-        def jws_public_key(*args)
-          puts "DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+        def jws_public_key(*_args)
+          puts 'DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
         end
 
         def jws_private_key(*args)
-          puts "DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+          puts 'DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
           signing_key(*args)
         end
       end
@@ -71,7 +73,7 @@ module Doorkeeper
               value = if attribute_builder
                         attribute_builder.new(&block).build
                       else
-                        block ? block : args.first
+                        block || args.first
                       end
 
               @config.instance_variable_set(:"@#{attribute}", value)
@@ -102,19 +104,23 @@ module Doorkeeper
       option :subject_types_supported, default: [:public]
 
       option :resource_owner_from_access_token, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
       }
 
       option :auth_time_from_resource_owner, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
       }
 
       option :reauthenticate_resource_owner, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
+      }
+
+      option :select_account_for_resource_owner, default: lambda { |*_|
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
       }
 
       option :subject, default: lambda { |*_|
-        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
       }
 
       option :expiration, default: 120
@@ -124,6 +130,14 @@ module Doorkeeper
       option :protocol, default: lambda { |*_|
         ::Rails.env.production? ? :https : :http
       }
+
+      option :end_session_endpoint, default: lambda { |*_|
+        nil
+      }
+
+      option :discovery_url_options, default: lambda { |*_|
+        {}
+      }
     end
   end
 end

data/lib/doorkeeper/openid_connect/engine.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class Engine < ::Rails::Engine

data/lib/doorkeeper/openid_connect/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Errors
@@ -24,7 +26,6 @@ module Doorkeeper
       class LoginRequired < OpenidConnectError; end
       class ConsentRequired < OpenidConnectError; end
       class InteractionRequired < OpenidConnectError; end
-      class AccountSelectionRequired < OpenidConnectError; end
     end
   end
 end

data/lib/doorkeeper/openid_connect/helpers/controller.rb

@@ -1,9 +1,18 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module Helpers
       module Controller
         private
 
+        # FIXME: remove after Doorkeeper will merge it
+        def current_resource_owner
+          return @current_resource_owner if defined?(@current_resource_owner)
+
+          super
+        end
+
         def authenticate_resource_owner!
           super.tap do |owner|
             next unless oidc_authorization_request?
@@ -11,8 +20,8 @@ module Doorkeeper
             handle_oidc_prompt_param!(owner)
             handle_oidc_max_age_param!(owner)
           end
-        rescue Errors::OpenidConnectError => exception
-          handle_oidc_error!(exception)
+        rescue Errors::OpenidConnectError => e
+          handle_oidc_error!(e)
         end
 
         def oidc_authorization_request?
@@ -30,26 +39,29 @@ module Doorkeeper
           @_response_body = nil
 
           error_response = if exception.type == :invalid_request
-            ::Doorkeeper::OAuth::InvalidRequestResponse.new(
-              name: exception.type,
-              state: params[:state],
-              redirect_uri: params[:redirect_uri],
-            )
-          else
-            ::Doorkeeper::OAuth::ErrorResponse.new(
-              name: exception.type,
-              state: params[:state],
-              redirect_uri: params[:redirect_uri],
-            )
-          end
+                             ::Doorkeeper::OAuth::InvalidRequestResponse.new(
+                               name: exception.type,
+                               state: params[:state],
+                               redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
+                             )
+                           else
+                             ::Doorkeeper::OAuth::ErrorResponse.new(
+                               name: exception.type,
+                               state: params[:state],
+                               redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
+                             )
+                           end
 
           response.headers.merge!(error_response.headers)
 
-          if error_response.redirectable?
-            render json: error_response.body, status: :found, location: error_response.redirect_uri
-          else
-            render json: error_response.body, status: error_response.status
-          end
+          # NOTE: Assign error_response to @authorize_response then use redirect_or_render method that are defined at
+          #   doorkeeper's authorizations_controller.
+          # - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L110
+          # - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L52
+          @authorize_response = error_response
+          redirect_or_render(@authorize_response)
         end
 
         def handle_oidc_prompt_param!(owner)
@@ -58,7 +70,7 @@ module Doorkeeper
           prompt_values.each do |prompt|
             case prompt
             when 'none'
-              raise Errors::InvalidRequest if (prompt_values - [ 'none' ]).any?
+              raise Errors::InvalidRequest if (prompt_values - ['none']).any?
               raise Errors::LoginRequired unless owner
               raise Errors::ConsentRequired if oidc_consent_required?
             when 'login'
@@ -66,8 +78,7 @@ module Doorkeeper
             when 'consent'
               render :new
             when 'select_account'
-              # TODO: let the user implement this
-              raise Errors::AccountSelectionRequired
+              select_account_for_oidc_resource_owner(owner)
             else
               raise Errors::InvalidRequest
             end
@@ -88,16 +99,21 @@ module Doorkeeper
           end
         end
 
-        def reauthenticate_oidc_resource_owner(owner)
+        def return_without_oidc_prompt_param(prompt_value)
           return_to = URI.parse(request.path)
           return_to.query = request.query_parameters.tap do |params|
-            params['prompt'] = params['prompt'].to_s.sub(/\blogin\s*\b/, '').strip
+            params['prompt'] = params['prompt'].to_s.sub(/\b#{prompt_value}\s*\b/, '').strip
             params.delete('prompt') if params['prompt'].blank?
           end.to_query
+          return_to.to_s
+        end
+
+        def reauthenticate_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('login')
 
           instance_exec(
             owner,
-            return_to.to_s,
+            return_to,
             &Doorkeeper::OpenidConnect.configuration.reauthenticate_resource_owner
           )
 
@@ -107,9 +123,19 @@ module Doorkeeper
         def oidc_consent_required?
           !skip_authorization? && !matching_token?
         end
+
+        def select_account_for_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('select_account')
+
+          instance_exec(
+            owner,
+            return_to,
+            &Doorkeeper::OpenidConnect.configuration.select_account_for_resource_owner
+          )
+        end
       end
     end
   end
 
-  Helpers::Controller.send :prepend, OpenidConnect::Helpers::Controller
+  Helpers::Controller.prepend OpenidConnect::Helpers::Controller
 end

data/lib/doorkeeper/openid_connect/id_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class IdToken
@@ -9,7 +11,7 @@ module Doorkeeper
         @access_token = access_token
         @nonce = nonce
         @resource_owner = Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token.call(access_token)
-        @issued_at = Time.now
+        @issued_at = Time.zone.now
       end
 
       def claims
@@ -38,7 +40,11 @@ module Doorkeeper
       private
 
       def issuer
-        Doorkeeper::OpenidConnect.configuration.issuer
+        if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
+          Doorkeeper::OpenidConnect.configuration.issuer.call(@resource_owner, @access_token.application).to_s
+        else
+          Doorkeeper::OpenidConnect.configuration.issuer
+        end
       end
 
       def subject

data/lib/doorkeeper/openid_connect/id_token_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     class IdTokenToken < IdToken

data/lib/doorkeeper/openid_connect/oauth/authorization/code.rb

@@ -1,22 +1,39 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
       module Authorization
         module Code
-          def issue_token
-            super.tap do |access_grant|
-              if pre_auth.nonce.present?
-                ::Doorkeeper::OpenidConnect::Request.create!(
-                  access_grant: access_grant,
-                  nonce: pre_auth.nonce
-                )
+          if Doorkeeper::OAuth::Authorization::Code.method_defined?(:issue_token!)
+            def issue_token!
+              super.tap do |access_grant|
+                create_openid_request(access_grant) if pre_auth.nonce.present?
+              end
+            end
+
+            alias issue_token issue_token!
+          else
+            # FIXME: drop this after dropping support of Doorkeeper < 5.4
+            def issue_token
+              super.tap do |access_grant|
+                create_openid_request(access_grant) if pre_auth.nonce.present?
               end
             end
           end
+
+          private
+
+          def create_openid_request(access_grant)
+            ::Doorkeeper::OpenidConnect::Request.create!(
+              access_grant: access_grant,
+              nonce: pre_auth.nonce
+            )
+          end
         end
       end
     end
   end
 
-  OAuth::Authorization::Code.send :prepend, OpenidConnect::OAuth::Authorization::Code
+  OAuth::Authorization::Code.prepend OpenidConnect::OAuth::Authorization::Code
 end

data/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
@@ -8,7 +10,7 @@ module Doorkeeper
           super
 
           nonce =
-            if openid_request = grant.openid_request
+            if (openid_request = grant.openid_request)
               openid_request.destroy!
               openid_request.nonce
             end
@@ -20,5 +22,5 @@ module Doorkeeper
     end
   end
 
-  OAuth::AuthorizationCodeRequest.send :prepend, OpenidConnect::OAuth::AuthorizationCodeRequest
+  OAuth::AuthorizationCodeRequest.prepend OpenidConnect::OAuth::AuthorizationCodeRequest
 end

data/lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
@@ -20,5 +22,5 @@ module Doorkeeper
     end
   end
 
-  OAuth::PasswordAccessTokenRequest.send :prepend, OpenidConnect::OAuth::PasswordAccessTokenRequest
+  OAuth::PasswordAccessTokenRequest.prepend OpenidConnect::OAuth::PasswordAccessTokenRequest
 end

data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb

@@ -1,32 +1,30 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
       module PreAuthorization
         attr_reader :nonce
 
-        def initialize(server, attrs = {})
+        def initialize(server, attrs = {}, resource_owner = nil)
           super
           @nonce = attrs[:nonce]
         end
 
-        # This method will be updated when doorkeeper move to version > 5.2.2
-        # TODO: delete this method and refactor response_on_fragment? method (below) when doorkeeper gem version constrains is > 5.2.2
-        def error_response
-          if error == :invalid_request
-            Doorkeeper::OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: response_on_fragment?)
-          else
-            Doorkeeper::OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
-          end
-        end
+        # NOTE: Auto get default response_mode of specified response_type if response_mode is not
+        #   yet present. We can delete this method after Doorkeeper's minimize version support it.
+        def response_on_fragment?
+          return response_mode == 'fragment' if response_mode.present?
 
-        private
+          grant_flow = server.authorization_response_flows.detect do |flow|
+            flow.matches_response_type?(response_type)
+          end
 
-        def response_on_fragment?
-          response_type == "token" || response_type == "id_token" || response_type == "id_token token"
+          grant_flow&.default_response_mode == 'fragment'
         end
       end
     end
   end
 
-  OAuth::PreAuthorization.send :prepend, OpenidConnect::OAuth::PreAuthorization
+  OAuth::PreAuthorization.prepend OpenidConnect::OAuth::PreAuthorization
 end

data/lib/doorkeeper/openid_connect/oauth/token_response.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module OAuth
@@ -19,5 +21,5 @@ module Doorkeeper
     end
   end
 
-  OAuth::TokenResponse.send :prepend, OpenidConnect::OAuth::TokenResponse
+  OAuth::TokenResponse.prepend OpenidConnect::OAuth::TokenResponse
 end

data/lib/doorkeeper/openid_connect/orm/active_record.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'active_support/lazy_load_hooks'
 
 module Doorkeeper

data/lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Doorkeeper
   module OpenidConnect
     module AccessGrant
@@ -12,5 +14,5 @@ module Doorkeeper
     end
   end
 
-  AccessGrant.send :prepend, OpenidConnect::AccessGrant
+  AccessGrant.prepend OpenidConnect::AccessGrant
 end