doorkeeper-openid_connect 1.7.2 → 1.7.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/README.md +5 -0
- data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb +12 -9
- data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb +3 -1
- data/config/locales/en.yml +1 -0
- data/lib/doorkeeper/openid_connect.rb +23 -0
- data/lib/doorkeeper/openid_connect/config.rb +4 -0
- data/lib/doorkeeper/openid_connect/errors.rb +0 -1
- data/lib/doorkeeper/openid_connect/helpers/controller.rb +21 -5
- data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb +1 -3
- data/lib/doorkeeper/openid_connect/response_mode.rb +30 -0
- data/lib/doorkeeper/openid_connect/response_types_config.rb +0 -2
- data/lib/doorkeeper/openid_connect/version.rb +1 -1
- data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb +12 -0
- data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb +1 -1
- metadata +4 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ab0de01b3be4241280fd4846f9c38b4c915685918a6401e464dce609fb588ace
|
4
|
+
data.tar.gz: 999e38663483020d9c84b525f38842e0d9a5811c72ddfd04bdb7c86e1e018b2a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: '09f0860be72310e44989febad8997e4fce1a82bf8d2986cfa3dfe56a0c9e55414d74f19a6dae35636aa5871c5778baad7b8776627835a30bd356bbb251fc4e32'
|
7
|
+
data.tar.gz: d6d42d010bd3e216dd1f1c84d60f86b4944f43a64d48db2cd613fddb189c7ac6ef079b713a86dd0b95a3551756b15a4868287c1af836fc0ada87efc6e1efc630
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,15 @@
|
|
1
1
|
## Unreleased
|
2
2
|
|
3
|
+
## v1.7.3 (2020-07-06)
|
4
|
+
|
5
|
+
- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
|
6
|
+
- [#112] Add grant_types_supported to discovery response
|
7
|
+
- [#114] Fix user_info endpoint when used in api mode
|
8
|
+
- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
|
9
|
+
- [#117] Fix migration template to use Rails migrations DSL for association.
|
10
|
+
- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
|
11
|
+
- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
|
12
|
+
|
3
13
|
## v1.7.2 (2020-05-20)
|
4
14
|
|
5
15
|
### Changes
|
data/README.md
CHANGED
@@ -139,6 +139,10 @@ The following settings are optional, but recommended for better client compatibi
|
|
139
139
|
- Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
|
140
140
|
- Required to support the `max_age` and `prompt=login` parameters.
|
141
141
|
- The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
|
142
|
+
- `select_account_for_resource_owner`
|
143
|
+
- Defines how to trigger account selection to choose the current login user.
|
144
|
+
- Required to support the `prompt=select_account` parameter.
|
145
|
+
- The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
|
142
146
|
|
143
147
|
The following settings are optional:
|
144
148
|
|
@@ -155,6 +159,7 @@ The following settings are optional:
|
|
155
159
|
- `end_session_endpoint`
|
156
160
|
- The URL that the user is redirected to after ending the session on the client.
|
157
161
|
- Used by implementations like https://github.com/IdentityModel/oidc-client-js.
|
162
|
+
- The block is executed in the controller's scope, so you have access to your route helpers.
|
158
163
|
|
159
164
|
### Scopes
|
160
165
|
|
@@ -38,16 +38,13 @@ module Doorkeeper
|
|
38
38
|
|
39
39
|
# TODO: support id_token response type
|
40
40
|
response_types_supported: doorkeeper.authorization_response_types,
|
41
|
-
response_modes_supported: [
|
41
|
+
response_modes_supported: %w[query fragment],
|
42
|
+
grant_types_supported: grant_types_supported(doorkeeper),
|
42
43
|
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
# TODO: look into doorkeeper-jwt_assertion for these
|
48
|
-
# 'client_secret_jwt',
|
49
|
-
# 'private_key_jwt'
|
50
|
-
],
|
44
|
+
# TODO: look into doorkeeper-jwt_assertion for these
|
45
|
+
# 'client_secret_jwt',
|
46
|
+
# 'private_key_jwt'
|
47
|
+
token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
|
51
48
|
|
52
49
|
subject_types_supported: openid_connect.subject_types_supported,
|
53
50
|
|
@@ -73,6 +70,12 @@ module Doorkeeper
|
|
73
70
|
}.compact
|
74
71
|
end
|
75
72
|
|
73
|
+
def grant_types_supported(doorkeeper)
|
74
|
+
grant_types_supported = doorkeeper.grant_flows
|
75
|
+
grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
|
76
|
+
grant_types_supported
|
77
|
+
end
|
78
|
+
|
76
79
|
def webfinger_response
|
77
80
|
{
|
78
81
|
subject: params.require(:resource),
|
@@ -3,7 +3,9 @@
|
|
3
3
|
module Doorkeeper
|
4
4
|
module OpenidConnect
|
5
5
|
class UserinfoController < ::Doorkeeper::ApplicationController
|
6
|
-
|
6
|
+
unless Doorkeeper.config.api_only
|
7
|
+
skip_before_action :verify_authenticity_token
|
8
|
+
end
|
7
9
|
before_action -> { doorkeeper_authorize! :openid }
|
8
10
|
|
9
11
|
def show
|
data/config/locales/en.yml
CHANGED
@@ -19,4 +19,5 @@ en:
|
|
19
19
|
resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
|
20
20
|
auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
|
21
21
|
reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
|
22
|
+
select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
|
22
23
|
subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'
|
@@ -22,6 +22,7 @@ require 'doorkeeper/openid_connect/errors'
|
|
22
22
|
require 'doorkeeper/openid_connect/id_token'
|
23
23
|
require 'doorkeeper/openid_connect/id_token_token'
|
24
24
|
require 'doorkeeper/openid_connect/user_info'
|
25
|
+
require 'doorkeeper/openid_connect/response_mode'
|
25
26
|
require 'doorkeeper/openid_connect/version'
|
26
27
|
|
27
28
|
require 'doorkeeper/openid_connect/helpers/controller'
|
@@ -63,5 +64,27 @@ module Doorkeeper
|
|
63
64
|
key.slice(:kty, :kid)
|
64
65
|
end
|
65
66
|
end
|
67
|
+
|
68
|
+
if defined?(::Doorkeeper::GrantFlow)
|
69
|
+
Doorkeeper::GrantFlow.register(
|
70
|
+
:id_token,
|
71
|
+
response_type_matches: 'id_token',
|
72
|
+
response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
|
73
|
+
)
|
74
|
+
|
75
|
+
Doorkeeper::GrantFlow.register(
|
76
|
+
'id_token token',
|
77
|
+
response_type_matches: 'id_token token',
|
78
|
+
response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
|
79
|
+
)
|
80
|
+
|
81
|
+
Doorkeeper::GrantFlow.register_alias(
|
82
|
+
'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
|
83
|
+
)
|
84
|
+
else
|
85
|
+
# TODO: drop this and corresponding file when we will set minimal
|
86
|
+
# required Doorkeeper version to 5.5.
|
87
|
+
Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
|
88
|
+
end
|
66
89
|
end
|
67
90
|
end
|
@@ -115,6 +115,10 @@ module Doorkeeper
|
|
115
115
|
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
|
116
116
|
}
|
117
117
|
|
118
|
+
option :select_account_for_resource_owner, default: lambda { |*_|
|
119
|
+
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
|
120
|
+
}
|
121
|
+
|
118
122
|
option :subject, default: lambda { |*_|
|
119
123
|
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
|
120
124
|
}
|
@@ -43,12 +43,14 @@ module Doorkeeper
|
|
43
43
|
name: exception.type,
|
44
44
|
state: params[:state],
|
45
45
|
redirect_uri: params[:redirect_uri],
|
46
|
+
response_on_fragment: pre_auth.response_on_fragment?,
|
46
47
|
)
|
47
48
|
else
|
48
49
|
::Doorkeeper::OAuth::ErrorResponse.new(
|
49
50
|
name: exception.type,
|
50
51
|
state: params[:state],
|
51
52
|
redirect_uri: params[:redirect_uri],
|
53
|
+
response_on_fragment: pre_auth.response_on_fragment?,
|
52
54
|
)
|
53
55
|
end
|
54
56
|
|
@@ -75,8 +77,7 @@ module Doorkeeper
|
|
75
77
|
when 'consent'
|
76
78
|
render :new
|
77
79
|
when 'select_account'
|
78
|
-
|
79
|
-
raise Errors::AccountSelectionRequired
|
80
|
+
select_account_for_oidc_resource_owner(owner)
|
80
81
|
else
|
81
82
|
raise Errors::InvalidRequest
|
82
83
|
end
|
@@ -97,16 +98,21 @@ module Doorkeeper
|
|
97
98
|
end
|
98
99
|
end
|
99
100
|
|
100
|
-
def
|
101
|
+
def return_without_oidc_prompt_param(prompt_value)
|
101
102
|
return_to = URI.parse(request.path)
|
102
103
|
return_to.query = request.query_parameters.tap do |params|
|
103
|
-
params['prompt'] = params['prompt'].to_s.sub(/\
|
104
|
+
params['prompt'] = params['prompt'].to_s.sub(/\b#{prompt_value}\s*\b/, '').strip
|
104
105
|
params.delete('prompt') if params['prompt'].blank?
|
105
106
|
end.to_query
|
107
|
+
return_to.to_s
|
108
|
+
end
|
109
|
+
|
110
|
+
def reauthenticate_oidc_resource_owner(owner)
|
111
|
+
return_to = return_without_oidc_prompt_param('login')
|
106
112
|
|
107
113
|
instance_exec(
|
108
114
|
owner,
|
109
|
-
return_to
|
115
|
+
return_to,
|
110
116
|
&Doorkeeper::OpenidConnect.configuration.reauthenticate_resource_owner
|
111
117
|
)
|
112
118
|
|
@@ -116,6 +122,16 @@ module Doorkeeper
|
|
116
122
|
def oidc_consent_required?
|
117
123
|
!skip_authorization? && !matching_token?
|
118
124
|
end
|
125
|
+
|
126
|
+
def select_account_for_oidc_resource_owner(owner)
|
127
|
+
return_to = return_without_oidc_prompt_param('select_account')
|
128
|
+
|
129
|
+
instance_exec(
|
130
|
+
owner,
|
131
|
+
return_to,
|
132
|
+
&Doorkeeper::OpenidConnect.configuration.select_account_for_resource_owner
|
133
|
+
)
|
134
|
+
end
|
119
135
|
end
|
120
136
|
end
|
121
137
|
end
|
@@ -26,10 +26,8 @@ module Doorkeeper
|
|
26
26
|
end
|
27
27
|
end
|
28
28
|
|
29
|
-
private
|
30
|
-
|
31
29
|
def response_on_fragment?
|
32
|
-
response_type
|
30
|
+
Doorkeeper::OpenidConnect::ResponseMode.new(response_type).fragment?
|
33
31
|
end
|
34
32
|
end
|
35
33
|
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Doorkeeper
|
4
|
+
module OpenidConnect
|
5
|
+
class ResponseMode
|
6
|
+
attr_reader :type
|
7
|
+
|
8
|
+
def initialize(response_type)
|
9
|
+
@type = response_type
|
10
|
+
end
|
11
|
+
|
12
|
+
def fragment?
|
13
|
+
mode == 'fragment'
|
14
|
+
end
|
15
|
+
|
16
|
+
def query?
|
17
|
+
mode == 'query'
|
18
|
+
end
|
19
|
+
|
20
|
+
def mode
|
21
|
+
case type
|
22
|
+
when 'token', 'id_token', 'id_token token'
|
23
|
+
'fragment'
|
24
|
+
else
|
25
|
+
'query'
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -28,6 +28,18 @@ Doorkeeper::OpenidConnect.configure do
|
|
28
28
|
# redirect_to new_user_session_url
|
29
29
|
end
|
30
30
|
|
31
|
+
# Depending on your configuration, a DoubleRenderError could be raised
|
32
|
+
# if render/redirect_to is called at some point before this callback is executed.
|
33
|
+
# To avoid the DoubleRenderError, you could add these two lines at the beginning
|
34
|
+
# of this callback: (Reference: https://github.com/rails/rails/issues/25106)
|
35
|
+
# self.response_body = nil
|
36
|
+
# @_response_body = nil
|
37
|
+
select_account_for_resource_owner do |resource_owner, return_to|
|
38
|
+
# Example implementation:
|
39
|
+
# store_location_for resource_owner, return_to
|
40
|
+
# redirect_to account_select_url
|
41
|
+
end
|
42
|
+
|
31
43
|
subject do |resource_owner, application|
|
32
44
|
# Example implementation:
|
33
45
|
# resource_owner.id
|
@@ -1,7 +1,7 @@
|
|
1
1
|
class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration<%= migration_version %>
|
2
2
|
def change
|
3
3
|
create_table :oauth_openid_requests do |t|
|
4
|
-
t.
|
4
|
+
t.references :access_grant, null: false, index: true
|
5
5
|
t.string :nonce, null: false
|
6
6
|
end
|
7
7
|
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: doorkeeper-openid_connect
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.7.
|
4
|
+
version: 1.7.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Sam Dengler
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2020-
|
12
|
+
date: 2020-07-06 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: doorkeeper
|
@@ -157,6 +157,7 @@ files:
|
|
157
157
|
- lib/doorkeeper/openid_connect/rails/routes.rb
|
158
158
|
- lib/doorkeeper/openid_connect/rails/routes/mapper.rb
|
159
159
|
- lib/doorkeeper/openid_connect/rails/routes/mapping.rb
|
160
|
+
- lib/doorkeeper/openid_connect/response_mode.rb
|
160
161
|
- lib/doorkeeper/openid_connect/response_types_config.rb
|
161
162
|
- lib/doorkeeper/openid_connect/user_info.rb
|
162
163
|
- lib/doorkeeper/openid_connect/version.rb
|
@@ -185,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
185
186
|
- !ruby/object:Gem::Version
|
186
187
|
version: '0'
|
187
188
|
requirements: []
|
188
|
-
rubygems_version: 3.0.
|
189
|
+
rubygems_version: 3.0.3
|
189
190
|
signing_key:
|
190
191
|
specification_version: 4
|
191
192
|
summary: OpenID Connect extension for Doorkeeper.
|