RubyGems - doorkeeper-openid_connect - Versions diffs - 1.7.2 → 1.7.3 - Mend

doorkeeper-openid_connect 1.7.2 → 1.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/README.md +5 -0
data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb +12 -9
data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb +3 -1
data/config/locales/en.yml +1 -0
data/lib/doorkeeper/openid_connect.rb +23 -0
data/lib/doorkeeper/openid_connect/config.rb +4 -0
data/lib/doorkeeper/openid_connect/errors.rb +0 -1
data/lib/doorkeeper/openid_connect/helpers/controller.rb +21 -5
data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb +1 -3
data/lib/doorkeeper/openid_connect/response_mode.rb +30 -0
data/lib/doorkeeper/openid_connect/response_types_config.rb +0 -2
data/lib/doorkeeper/openid_connect/version.rb +1 -1
data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb +12 -0
data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb +1 -1
metadata +4 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd500337bf3593b1f15ab64da67dd2da940797271fd1a169e47f2542371d6930
-  data.tar.gz: 4c3fdae9aca104f74f2bcf2e2805d09fe784e75326e3fa2382de8ba74133987a
+  metadata.gz: ab0de01b3be4241280fd4846f9c38b4c915685918a6401e464dce609fb588ace
+  data.tar.gz: 999e38663483020d9c84b525f38842e0d9a5811c72ddfd04bdb7c86e1e018b2a
 SHA512:
-  metadata.gz: 887f767a61bd22be260dfb2b3d37de2e3334b25ff53aacbf9b6b41aecb88a287ae308d9fd65950e7c850ab023569d08cb1c31cceda4182cb667c3b61a984406e
-  data.tar.gz: 670454a6c3e5dbe69dcb511e68acbb63b2b558410a3ae0268400918dd11e3ae4d320fb1bd7d876cade2b7313132c925befcd51ad0bd023bfb826f36ee9d127b9
+  metadata.gz: '09f0860be72310e44989febad8997e4fce1a82bf8d2986cfa3dfe56a0c9e55414d74f19a6dae35636aa5871c5778baad7b8776627835a30bd356bbb251fc4e32'
+  data.tar.gz: d6d42d010bd3e216dd1f1c84d60f86b4944f43a64d48db2cd613fddb189c7ac6ef079b713a86dd0b95a3551756b15a4868287c1af836fc0ada87efc6e1efc630

data/CHANGELOG.md CHANGED

@@ -1,5 +1,15 @@
 ## Unreleased
+## v1.7.3 (2020-07-06)
+- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
+- [#112] Add grant_types_supported to discovery response
+- [#114] Fix user_info endpoint when used in api mode
+- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
+- [#117] Fix migration template to use Rails migrations DSL for association.
+- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
+- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
 ## v1.7.2 (2020-05-20)
 ### Changes

data/README.md CHANGED

@@ -139,6 +139,10 @@ The following settings are optional, but recommended for better client compatibi
   - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
   - Required to support the `max_age` and `prompt=login` parameters.
   - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
+- `select_account_for_resource_owner`
+  - Defines how to trigger account selection to choose the current login user.
+  - Required to support the `prompt=select_account` parameter.
+  - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
 The following settings are optional:
@@ -155,6 +159,7 @@ The following settings are optional:
 - `end_session_endpoint`
   - The URL that the user is redirected to after ending the session on the client.
   - Used by implementations like https://github.com/IdentityModel/oidc-client-js.
+  - The block is executed in the controller's scope, so you have access to your route helpers.
 ### Scopes

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb CHANGED

@@ -38,16 +38,13 @@ module Doorkeeper
           # TODO: support id_token response type
           response_types_supported: doorkeeper.authorization_response_types,
-          response_modes_supported: ['query', 'fragment'],
+          response_modes_supported: %w[query fragment],
+          grant_types_supported: grant_types_supported(doorkeeper),
-          token_endpoint_auth_methods_supported: [
-            'client_secret_basic',
-            'client_secret_post',
-            # TODO: look into doorkeeper-jwt_assertion for these
-            # 'client_secret_jwt',
-            # 'private_key_jwt'
-          ],
+          # TODO: look into doorkeeper-jwt_assertion for these
+          #  'client_secret_jwt',
+          #  'private_key_jwt'
+          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
           subject_types_supported: openid_connect.subject_types_supported,
@@ -73,6 +70,12 @@ module Doorkeeper
         }.compact
       end
+      def grant_types_supported(doorkeeper)
+        grant_types_supported = doorkeeper.grant_flows
+        grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
+        grant_types_supported
+      end
       def webfinger_response
         {
           subject: params.require(:resource),

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb CHANGED

@@ -3,7 +3,9 @@
 module Doorkeeper
   module OpenidConnect
     class UserinfoController < ::Doorkeeper::ApplicationController
-      skip_before_action :verify_authenticity_token
+      unless Doorkeeper.config.api_only
+        skip_before_action :verify_authenticity_token
+      end
       before_action -> { doorkeeper_authorize! :openid }
       def show

data/config/locales/en.yml CHANGED

@@ -19,4 +19,5 @@ en:
           resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
           auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
           reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
+          select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
           subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'

data/lib/doorkeeper/openid_connect.rb CHANGED

@@ -22,6 +22,7 @@ require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
 require 'doorkeeper/openid_connect/id_token_token'
 require 'doorkeeper/openid_connect/user_info'
+require 'doorkeeper/openid_connect/response_mode'
 require 'doorkeeper/openid_connect/version'
 require 'doorkeeper/openid_connect/helpers/controller'
@@ -63,5 +64,27 @@ module Doorkeeper
         key.slice(:kty, :kid)
       end
     end
+    if defined?(::Doorkeeper::GrantFlow)
+      Doorkeeper::GrantFlow.register(
+        :id_token,
+        response_type_matches: 'id_token',
+        response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
+      )
+      Doorkeeper::GrantFlow.register(
+        'id_token token',
+        response_type_matches: 'id_token token',
+        response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
+      )
+      Doorkeeper::GrantFlow.register_alias(
+        'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
+      )
+    else
+      # TODO: drop this and corresponding file when we will set minimal
+      # required Doorkeeper version to 5.5.
+      Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
+    end
   end
 end

data/lib/doorkeeper/openid_connect/config.rb CHANGED

@@ -115,6 +115,10 @@ module Doorkeeper
         raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
       }
+      option :select_account_for_resource_owner, default: lambda { |*_|
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
+      }
       option :subject, default: lambda { |*_|
         raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
       }

data/lib/doorkeeper/openid_connect/errors.rb CHANGED

@@ -26,7 +26,6 @@ module Doorkeeper
       class LoginRequired < OpenidConnectError; end
       class ConsentRequired < OpenidConnectError; end
       class InteractionRequired < OpenidConnectError; end
-      class AccountSelectionRequired < OpenidConnectError; end
     end
   end
 end

data/lib/doorkeeper/openid_connect/helpers/controller.rb CHANGED

@@ -43,12 +43,14 @@ module Doorkeeper
                                name: exception.type,
                                state: params[:state],
                                redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
                              )
                            else
                              ::Doorkeeper::OAuth::ErrorResponse.new(
                                name: exception.type,
                                state: params[:state],
                                redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
                              )
           end
@@ -75,8 +77,7 @@ module Doorkeeper
             when 'consent'
               render :new
             when 'select_account'
-              # TODO: let the user implement this
-              raise Errors::AccountSelectionRequired
+              select_account_for_oidc_resource_owner(owner)
             else
               raise Errors::InvalidRequest
             end
@@ -97,16 +98,21 @@ module Doorkeeper
           end
         end
-        def reauthenticate_oidc_resource_owner(owner)
+        def return_without_oidc_prompt_param(prompt_value)
           return_to = URI.parse(request.path)
           return_to.query = request.query_parameters.tap do |params|
-            params['prompt'] = params['prompt'].to_s.sub(/\blogin\s*\b/, '').strip
+            params['prompt'] = params['prompt'].to_s.sub(/\b#{prompt_value}\s*\b/, '').strip
             params.delete('prompt') if params['prompt'].blank?
           end.to_query
+          return_to.to_s
+        end
+        def reauthenticate_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('login')
           instance_exec(
             owner,
-            return_to.to_s,
+            return_to,
             &Doorkeeper::OpenidConnect.configuration.reauthenticate_resource_owner
           )
@@ -116,6 +122,16 @@ module Doorkeeper
         def oidc_consent_required?
           !skip_authorization? && !matching_token?
         end
+        def select_account_for_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('select_account')
+          instance_exec(
+            owner,
+            return_to,
+            &Doorkeeper::OpenidConnect.configuration.select_account_for_resource_owner
+          )
+        end
       end
     end
   end

data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb CHANGED

@@ -26,10 +26,8 @@ module Doorkeeper
           end
         end
-        private
         def response_on_fragment?
-          response_type == 'token' || response_type == 'id_token' || response_type == 'id_token token'
+          Doorkeeper::OpenidConnect::ResponseMode.new(response_type).fragment?
         end
       end
     end

data/lib/doorkeeper/openid_connect/response_mode.rb ADDED

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OpenidConnect
+    class ResponseMode
+      attr_reader :type
+      def initialize(response_type)
+        @type = response_type
+      end
+      def fragment?
+        mode == 'fragment'
+      end
+      def query?
+        mode == 'query'
+      end
+      def mode
+        case type
+        when 'token', 'id_token', 'id_token token'
+          'fragment'
+        else
+          'query'
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect/response_types_config.rb CHANGED

@@ -14,6 +14,4 @@ module Doorkeeper
       end
     end
   end
-  Config.prepend OpenidConnect::ResponseTypeConfig
 end

data/lib/doorkeeper/openid_connect/version.rb CHANGED

@@ -2,6 +2,6 @@
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.7.2'
+    VERSION = '1.7.3'
   end
 end

data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb CHANGED

@@ -28,6 +28,18 @@ Doorkeeper::OpenidConnect.configure do
     # redirect_to new_user_session_url
   end
+  # Depending on your configuration, a DoubleRenderError could be raised
+  # if render/redirect_to is called at some point before this callback is executed.
+  # To avoid the DoubleRenderError, you could add these two lines at the beginning
+  #  of this callback: (Reference: https://github.com/rails/rails/issues/25106)
+  #   self.response_body = nil
+  #   @_response_body = nil
+  select_account_for_resource_owner do |resource_owner, return_to|
+    # Example implementation:
+    # store_location_for resource_owner, return_to
+    # redirect_to account_select_url
+  end
   subject do |resource_owner, application|
     # Example implementation:
     # resource_owner.id

data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb CHANGED

@@ -1,7 +1,7 @@
 class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_openid_requests do |t|
-      t.integer :access_grant_id, null: false
+      t.references :access_grant, null: false, index: true
       t.string :nonce, null: false
     end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.7.2
+  version: 1.7.3
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-20 00:00:00.000000000 Z
+date: 2020-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -157,6 +157,7 @@ files:
 - lib/doorkeeper/openid_connect/rails/routes.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapper.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapping.rb
+- lib/doorkeeper/openid_connect/response_mode.rb
 - lib/doorkeeper/openid_connect/response_types_config.rb
 - lib/doorkeeper/openid_connect/user_info.rb
 - lib/doorkeeper/openid_connect/version.rb
@@ -185,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: OpenID Connect extension for Doorkeeper.