RubyGems - doorkeeper-openid_connect - Versions diffs - 1.7.2 → 1.7.3 - Diffend - OSS supply chain security and management platform

doorkeeper-openid_connect 1.7.2 → 1.7.3

Files changed (17) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/README.md +5 -0
data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb +12 -9
data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb +3 -1
data/config/locales/en.yml +1 -0
data/lib/doorkeeper/openid_connect.rb +23 -0
data/lib/doorkeeper/openid_connect/config.rb +4 -0
data/lib/doorkeeper/openid_connect/errors.rb +0 -1
data/lib/doorkeeper/openid_connect/helpers/controller.rb +21 -5
data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb +1 -3
data/lib/doorkeeper/openid_connect/response_mode.rb +30 -0
data/lib/doorkeeper/openid_connect/response_types_config.rb +0 -2
data/lib/doorkeeper/openid_connect/version.rb +1 -1
data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb +12 -0
data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb +1 -1
metadata +4 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd500337bf3593b1f15ab64da67dd2da940797271fd1a169e47f2542371d6930
-  data.tar.gz: 4c3fdae9aca104f74f2bcf2e2805d09fe784e75326e3fa2382de8ba74133987a
+  metadata.gz: ab0de01b3be4241280fd4846f9c38b4c915685918a6401e464dce609fb588ace
+  data.tar.gz: 999e38663483020d9c84b525f38842e0d9a5811c72ddfd04bdb7c86e1e018b2a
 SHA512:
-  metadata.gz: 887f767a61bd22be260dfb2b3d37de2e3334b25ff53aacbf9b6b41aecb88a287ae308d9fd65950e7c850ab023569d08cb1c31cceda4182cb667c3b61a984406e
-  data.tar.gz: 670454a6c3e5dbe69dcb511e68acbb63b2b558410a3ae0268400918dd11e3ae4d320fb1bd7d876cade2b7313132c925befcd51ad0bd023bfb826f36ee9d127b9
+  metadata.gz: '09f0860be72310e44989febad8997e4fce1a82bf8d2986cfa3dfe56a0c9e55414d74f19a6dae35636aa5871c5778baad7b8776627835a30bd356bbb251fc4e32'
+  data.tar.gz: d6d42d010bd3e216dd1f1c84d60f86b4944f43a64d48db2cd613fddb189c7ac6ef079b713a86dd0b95a3551756b15a4868287c1af836fc0ada87efc6e1efc630

data/CHANGELOG.md CHANGED

@@ -1,5 +1,15 @@
 ## Unreleased
+## v1.7.3 (2020-07-06)
+- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
+- [#112] Add grant_types_supported to discovery response
+- [#114] Fix user_info endpoint when used in api mode
+- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
+- [#117] Fix migration template to use Rails migrations DSL for association.
+- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
+- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
 ## v1.7.2 (2020-05-20)
 ### Changes

data/README.md CHANGED

@@ -139,6 +139,10 @@ The following settings are optional, but recommended for better client compatibi
   - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
   - Required to support the `max_age` and `prompt=login` parameters.
   - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
+- `select_account_for_resource_owner`
+  - Defines how to trigger account selection to choose the current login user.
+  - Required to support the `prompt=select_account` parameter.
+  - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
 The following settings are optional:
@@ -155,6 +159,7 @@ The following settings are optional:
 - `end_session_endpoint`
   - The URL that the user is redirected to after ending the session on the client.
   - Used by implementations like https://github.com/IdentityModel/oidc-client-js.
+  - The block is executed in the controller's scope, so you have access to your route helpers.
 ### Scopes

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb CHANGED

@@ -38,16 +38,13 @@ module Doorkeeper
           # TODO: support id_token response type
           response_types_supported: doorkeeper.authorization_response_types,
-          response_modes_supported: ['query', 'fragment'],
+          response_modes_supported: %w[query fragment],
+          grant_types_supported: grant_types_supported(doorkeeper),
-          token_endpoint_auth_methods_supported: [
-            'client_secret_basic',
-            'client_secret_post',
-            # TODO: look into doorkeeper-jwt_assertion for these
-            # 'client_secret_jwt',
-            # 'private_key_jwt'
-          ],
+          # TODO: look into doorkeeper-jwt_assertion for these
+          #  'client_secret_jwt',
+          #  'private_key_jwt'
+          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
           subject_types_supported: openid_connect.subject_types_supported,
@@ -73,6 +70,12 @@ module Doorkeeper
         }.compact
       end
+      def grant_types_supported(doorkeeper)
+        grant_types_supported = doorkeeper.grant_flows
+        grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
+        grant_types_supported
+      end
       def webfinger_response
         {
           subject: params.require(:resource),

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb CHANGED

@@ -3,7 +3,9 @@
 module Doorkeeper
   module OpenidConnect
     class UserinfoController < ::Doorkeeper::ApplicationController
-      skip_before_action :verify_authenticity_token
+      unless Doorkeeper.config.api_only
+        skip_before_action :verify_authenticity_token
+      end
       before_action -> { doorkeeper_authorize! :openid }
       def show

data/config/locales/en.yml CHANGED

@@ -19,4 +19,5 @@ en:
           resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
           auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
           reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
+          select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
           subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'

data/lib/doorkeeper/openid_connect.rb CHANGED

@@ -22,6 +22,7 @@ require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
 require 'doorkeeper/openid_connect/id_token_token'
 require 'doorkeeper/openid_connect/user_info'
+require 'doorkeeper/openid_connect/response_mode'
 require 'doorkeeper/openid_connect/version'
 require 'doorkeeper/openid_connect/helpers/controller'
@@ -63,5 +64,27 @@ module Doorkeeper
         key.slice(:kty, :kid)
       end
     end
+    if defined?(::Doorkeeper::GrantFlow)
+      Doorkeeper::GrantFlow.register(
+        :id_token,
+        response_type_matches: 'id_token',
+        response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
+      )
+      Doorkeeper::GrantFlow.register(
+        'id_token token',
+        response_type_matches: 'id_token token',
+        response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
+      )
+      Doorkeeper::GrantFlow.register_alias(
+        'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
+      )
+    else
+      # TODO: drop this and corresponding file when we will set minimal
+      # required Doorkeeper version to 5.5.
+      Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
+    end
   end
 end

data/lib/doorkeeper/openid_connect/config.rb CHANGED

@@ -115,6 +115,10 @@ module Doorkeeper
         raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
       }
+      option :select_account_for_resource_owner, default: lambda { |*_|
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
+      }
       option :subject, default: lambda { |*_|
         raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
       }

data/lib/doorkeeper/openid_connect/errors.rb CHANGED

@@ -26,7 +26,6 @@ module Doorkeeper
       class LoginRequired < OpenidConnectError; end
       class ConsentRequired < OpenidConnectError; end
       class InteractionRequired < OpenidConnectError; end
-      class AccountSelectionRequired < OpenidConnectError; end
     end
   end
 end

data/lib/doorkeeper/openid_connect/helpers/controller.rb CHANGED

@@ -43,12 +43,14 @@ module Doorkeeper
                                name: exception.type,
                                state: params[:state],
                                redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
                              )
                            else
                              ::Doorkeeper::OAuth::ErrorResponse.new(
                                name: exception.type,
                                state: params[:state],
                                redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
                              )
           end
@@ -75,8 +77,7 @@ module Doorkeeper
             when 'consent'
               render :new
             when 'select_account'
-              # TODO: let the user implement this
-              raise Errors::AccountSelectionRequired
+              select_account_for_oidc_resource_owner(owner)
             else
               raise Errors::InvalidRequest
             end
@@ -97,16 +98,21 @@ module Doorkeeper
           end
         end
-        def reauthenticate_oidc_resource_owner(owner)
+        def return_without_oidc_prompt_param(prompt_value)
           return_to = URI.parse(request.path)
           return_to.query = request.query_parameters.tap do |params|
-            params['prompt'] = params['prompt'].to_s.sub(/\blogin\s*\b/, '').strip
+            params['prompt'] = params['prompt'].to_s.sub(/\b#{prompt_value}\s*\b/, '').strip
             params.delete('prompt') if params['prompt'].blank?
           end.to_query
+          return_to.to_s
+        end
+        def reauthenticate_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('login')
           instance_exec(
             owner,
-            return_to.to_s,
+            return_to,
             &Doorkeeper::OpenidConnect.configuration.reauthenticate_resource_owner
           )
@@ -116,6 +122,16 @@ module Doorkeeper
         def oidc_consent_required?
           !skip_authorization? && !matching_token?
         end
+        def select_account_for_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('select_account')
+          instance_exec(
+            owner,
+            return_to,
+            &Doorkeeper::OpenidConnect.configuration.select_account_for_resource_owner
+          )
+        end
       end
     end
   end

data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb CHANGED

@@ -26,10 +26,8 @@ module Doorkeeper
           end
         end
-        private
         def response_on_fragment?
-          response_type == 'token' || response_type == 'id_token' || response_type == 'id_token token'
+          Doorkeeper::OpenidConnect::ResponseMode.new(response_type).fragment?
         end
       end
     end

data/lib/doorkeeper/openid_connect/response_mode.rb ADDED

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OpenidConnect
+    class ResponseMode
+      attr_reader :type
+      def initialize(response_type)
+        @type = response_type
+      end
+      def fragment?
+        mode == 'fragment'
+      end
+      def query?
+        mode == 'query'
+      end
+      def mode
+        case type
+        when 'token', 'id_token', 'id_token token'
+          'fragment'
+        else
+          'query'
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect/response_types_config.rb CHANGED

@@ -14,6 +14,4 @@ module Doorkeeper
       end
     end
   end
-  Config.prepend OpenidConnect::ResponseTypeConfig
 end

data/lib/doorkeeper/openid_connect/version.rb CHANGED

@@ -2,6 +2,6 @@
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.7.2'
+    VERSION = '1.7.3'
   end
 end

data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb CHANGED

@@ -28,6 +28,18 @@ Doorkeeper::OpenidConnect.configure do
     # redirect_to new_user_session_url
   end
+  # Depending on your configuration, a DoubleRenderError could be raised
+  # if render/redirect_to is called at some point before this callback is executed.
+  # To avoid the DoubleRenderError, you could add these two lines at the beginning
+  #  of this callback: (Reference: https://github.com/rails/rails/issues/25106)
+  #   self.response_body = nil
+  #   @_response_body = nil
+  select_account_for_resource_owner do |resource_owner, return_to|
+    # Example implementation:
+    # store_location_for resource_owner, return_to
+    # redirect_to account_select_url
+  end
   subject do |resource_owner, application|
     # Example implementation:
     # resource_owner.id

data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb CHANGED

@@ -1,7 +1,7 @@
 class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_openid_requests do |t|
-      t.integer :access_grant_id, null: false
+      t.references :access_grant, null: false, index: true
       t.string :nonce, null: false
     end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.7.2
+  version: 1.7.3
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-20 00:00:00.000000000 Z
+date: 2020-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -157,6 +157,7 @@ files:
 - lib/doorkeeper/openid_connect/rails/routes.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapper.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapping.rb
+- lib/doorkeeper/openid_connect/response_mode.rb
 - lib/doorkeeper/openid_connect/response_types_config.rb
 - lib/doorkeeper/openid_connect/user_info.rb
 - lib/doorkeeper/openid_connect/version.rb
@@ -185,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: OpenID Connect extension for Doorkeeper.