doorkeeper-openid_connect 1.7.2 → 1.8.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +41 -0
- data/README.md +36 -0
- data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb +40 -17
- data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb +3 -1
- data/config/locales/en.yml +1 -0
- data/lib/doorkeeper/oauth/id_token_response.rb +5 -7
- data/lib/doorkeeper/oauth/id_token_token_response.rb +1 -3
- data/lib/doorkeeper/openid_connect.rb +18 -1
- data/lib/doorkeeper/openid_connect/config.rb +8 -0
- data/lib/doorkeeper/openid_connect/errors.rb +0 -1
- data/lib/doorkeeper/openid_connect/helpers/controller.rb +28 -11
- data/lib/doorkeeper/openid_connect/id_token.rb +5 -1
- data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb +9 -18
- data/lib/doorkeeper/openid_connect/orm/active_record/request.rb +1 -1
- data/lib/doorkeeper/openid_connect/version.rb +1 -1
- data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb +15 -1
- data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb +1 -1
- metadata +8 -9
- data/lib/doorkeeper/openid_connect/response_types_config.rb +0 -19
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 13bf3ad72ee7edeeb5158fcf2c63193b6c8b2982070ccfbdce9a2e1854771da1
|
4
|
+
data.tar.gz: aa425930d99cef5997fbab6d02c3d6c18e2149f1ccd288afcfbc5e1d5b4f7a18
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bab714902ba2fb3085687a08bd3fbe7c4d28d704ef94efa2aaf41863e7bf8554b3d1db7fcabe3d651280f91015aa835fd9e269a9b4bd5225e9357cfaa51f5de6
|
7
|
+
data.tar.gz: 5ecaabb2d7382974e4bc295a758f63bf3fa4e4f834b9e148671cbfa2de7aeb41452a4d8efbc49f6c7e7adaccc8f40c356b5710bf0fd9d9eca736d6b1c5268ab2
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,46 @@
|
|
1
1
|
## Unreleased
|
2
2
|
|
3
|
+
## v1.8.0 (2021-05-11)
|
4
|
+
|
5
|
+
No changes from v1.8.0-rc1.
|
6
|
+
|
7
|
+
## v1.8.0-rc1 (2021-04-20)
|
8
|
+
|
9
|
+
### Upgrading
|
10
|
+
|
11
|
+
This gem now requires Doorkeeper 5.5 and Ruby 2.5.
|
12
|
+
|
13
|
+
### Changes
|
14
|
+
|
15
|
+
- [#138] Support form_post response mode (thanks to @linhdangduy)
|
16
|
+
- [#144] Support block syntax for `issuer` configuration (thanks to @maxxsnake)
|
17
|
+
- [#145] Register token flows with the strategy instead of the token class (thanks to @paukul)
|
18
|
+
|
19
|
+
## v1.7.5 (2020-12-15)
|
20
|
+
|
21
|
+
### Changes
|
22
|
+
|
23
|
+
- [#126] Add discovery_url_options option for discovery endpoints URL generation (thanks to @phlegx)
|
24
|
+
|
25
|
+
### Bugfixes
|
26
|
+
|
27
|
+
- [#123] Remove reference to ApplicationRecord (thanks to @wheeyls)
|
28
|
+
- [#124] Clone doorkeeper.grant_flows array before appending 'refresh_token' (thanks to @davidbasalla)
|
29
|
+
- [#129] Avoid to use the config alias while supporting Doorkeeper 5.2 (thanks to @kymmt90)
|
30
|
+
|
31
|
+
## v1.7.4 (2020-07-06)
|
32
|
+
|
33
|
+
- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
|
34
|
+
|
35
|
+
## v1.7.3 (2020-07-06)
|
36
|
+
|
37
|
+
- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
|
38
|
+
- [#112] Add grant_types_supported to discovery response
|
39
|
+
- [#114] Fix user_info endpoint when used in api mode
|
40
|
+
- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
|
41
|
+
- [#117] Fix migration template to use Rails migrations DSL for association.
|
42
|
+
- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
|
43
|
+
|
3
44
|
## v1.7.2 (2020-05-20)
|
4
45
|
|
5
46
|
### Changes
|
data/README.md
CHANGED
@@ -34,6 +34,7 @@ The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-
|
|
34
34
|
- [Requesting Claims using Scope Values](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
|
35
35
|
- [UserInfo Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
|
36
36
|
- [Normal Claims](http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims)
|
37
|
+
- [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
|
37
38
|
|
38
39
|
In addition we also support most of [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html) for automatic configuration discovery.
|
39
40
|
|
@@ -103,6 +104,7 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
|
|
103
104
|
|
104
105
|
- `issuer`
|
105
106
|
- Identifier for the issuer of the response (i.e. your application URL). The value is a case sensitive URL using the `https` scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
|
107
|
+
- You can either pass a string value, or a block to generate the issuer dynamically based on the `resource_owner` and `application` passed to the block.
|
106
108
|
- `subject`
|
107
109
|
- Identifier for the resource owner (i.e. the authenticated user). A locally unique and never reassigned identifier within the issuer for the end-user, which is intended to be consumed by the client. The value is a case-sensitive string and must not exceed 255 ASCII characters in length.
|
108
110
|
- The database ID of the user is an acceptable choice if you don't mind leaking that information.
|
@@ -139,6 +141,10 @@ The following settings are optional, but recommended for better client compatibi
|
|
139
141
|
- Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
|
140
142
|
- Required to support the `max_age` and `prompt=login` parameters.
|
141
143
|
- The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
|
144
|
+
- `select_account_for_resource_owner`
|
145
|
+
- Defines how to trigger account selection to choose the current login user.
|
146
|
+
- Required to support the `prompt=select_account` parameter.
|
147
|
+
- The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
|
142
148
|
|
143
149
|
The following settings are optional:
|
144
150
|
|
@@ -155,6 +161,36 @@ The following settings are optional:
|
|
155
161
|
- `end_session_endpoint`
|
156
162
|
- The URL that the user is redirected to after ending the session on the client.
|
157
163
|
- Used by implementations like https://github.com/IdentityModel/oidc-client-js.
|
164
|
+
- The block is executed in the controller's scope, so you have access to your route helpers.
|
165
|
+
|
166
|
+
- `discovery_url_options`
|
167
|
+
- The URL options for every available endpoint to use when generating the endpoint URL in the
|
168
|
+
discovery response. Available endpoints: `authorization`, `token`, `revocation`,
|
169
|
+
`introspection`, `userinfo`, `jwks`, `webfinger`.
|
170
|
+
- This option requires option keys with an available endpoint and
|
171
|
+
[URL options](https://api.rubyonrails.org/v6.0.3.3/classes/ActionDispatch/Routing/UrlFor.html#method-i-url_for)
|
172
|
+
as value.
|
173
|
+
- The default is to use the request host, just like all the other URLs in the discovery response.
|
174
|
+
- This is useful when you want endpoints to use a different URL than other requests.
|
175
|
+
For example, if your Doorkeeper server is behind a firewall with other servers, you might want
|
176
|
+
other servers to use an "internal" URL to communicate with Doorkeeper, but you want to present
|
177
|
+
an "external" URL to end-users for authentication requests. Note that this setting does not
|
178
|
+
actually change the URL that your Doorkeeper server responds on - that is outside the scope of
|
179
|
+
Doorkeeper.
|
180
|
+
|
181
|
+
```ruby
|
182
|
+
# config/initializers/doorkeeper_openid_connect.rb
|
183
|
+
Doorkeeper::OpenidConnect.configure do
|
184
|
+
# ...
|
185
|
+
discovery_url_options do |request|
|
186
|
+
{
|
187
|
+
authorization: { host: 'host.example.com' },
|
188
|
+
jwks: { protocol: request.ssl? ? :https : :http }
|
189
|
+
}
|
190
|
+
end
|
191
|
+
# ...
|
192
|
+
end
|
193
|
+
```
|
158
194
|
|
159
195
|
### Scopes
|
160
196
|
|
@@ -26,28 +26,25 @@ module Doorkeeper
|
|
26
26
|
openid_connect = ::Doorkeeper::OpenidConnect.configuration
|
27
27
|
{
|
28
28
|
issuer: openid_connect.issuer,
|
29
|
-
authorization_endpoint: oauth_authorization_url(
|
30
|
-
token_endpoint: oauth_token_url(
|
31
|
-
revocation_endpoint: oauth_revoke_url(
|
32
|
-
introspection_endpoint: oauth_introspect_url(
|
33
|
-
userinfo_endpoint: oauth_userinfo_url(
|
34
|
-
jwks_uri: oauth_discovery_keys_url(
|
35
|
-
end_session_endpoint: openid_connect.end_session_endpoint
|
29
|
+
authorization_endpoint: oauth_authorization_url(authorization_url_options),
|
30
|
+
token_endpoint: oauth_token_url(token_url_options),
|
31
|
+
revocation_endpoint: oauth_revoke_url(revocation_url_options),
|
32
|
+
introspection_endpoint: oauth_introspect_url(introspection_url_options),
|
33
|
+
userinfo_endpoint: oauth_userinfo_url(userinfo_url_options),
|
34
|
+
jwks_uri: oauth_discovery_keys_url(jwks_url_options),
|
35
|
+
end_session_endpoint: instance_exec(&openid_connect.end_session_endpoint),
|
36
36
|
|
37
37
|
scopes_supported: doorkeeper.scopes,
|
38
38
|
|
39
39
|
# TODO: support id_token response type
|
40
40
|
response_types_supported: doorkeeper.authorization_response_types,
|
41
|
-
response_modes_supported:
|
41
|
+
response_modes_supported: response_modes_supported(doorkeeper),
|
42
|
+
grant_types_supported: grant_types_supported(doorkeeper),
|
42
43
|
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
# TODO: look into doorkeeper-jwt_assertion for these
|
48
|
-
# 'client_secret_jwt',
|
49
|
-
# 'private_key_jwt'
|
50
|
-
],
|
44
|
+
# TODO: look into doorkeeper-jwt_assertion for these
|
45
|
+
# 'client_secret_jwt',
|
46
|
+
# 'private_key_jwt'
|
47
|
+
token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
|
51
48
|
|
52
49
|
subject_types_supported: openid_connect.subject_types_supported,
|
53
50
|
|
@@ -73,13 +70,23 @@ module Doorkeeper
|
|
73
70
|
}.compact
|
74
71
|
end
|
75
72
|
|
73
|
+
def grant_types_supported(doorkeeper)
|
74
|
+
grant_types_supported = doorkeeper.grant_flows.dup
|
75
|
+
grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
|
76
|
+
grant_types_supported
|
77
|
+
end
|
78
|
+
|
79
|
+
def response_modes_supported(doorkeeper)
|
80
|
+
doorkeeper.authorization_response_flows.flat_map(&:response_mode_matches).uniq
|
81
|
+
end
|
82
|
+
|
76
83
|
def webfinger_response
|
77
84
|
{
|
78
85
|
subject: params.require(:resource),
|
79
86
|
links: [
|
80
87
|
{
|
81
88
|
rel: WEBFINGER_RELATION,
|
82
|
-
href: root_url(
|
89
|
+
href: root_url(webfinger_url_options),
|
83
90
|
}
|
84
91
|
]
|
85
92
|
}
|
@@ -101,6 +108,22 @@ module Doorkeeper
|
|
101
108
|
def protocol
|
102
109
|
Doorkeeper::OpenidConnect.configuration.protocol.call
|
103
110
|
end
|
111
|
+
|
112
|
+
def discovery_url_options
|
113
|
+
Doorkeeper::OpenidConnect.configuration.discovery_url_options.call(request)
|
114
|
+
end
|
115
|
+
|
116
|
+
def discovery_url_default_options
|
117
|
+
{
|
118
|
+
protocol: protocol
|
119
|
+
}
|
120
|
+
end
|
121
|
+
|
122
|
+
%i[authorization token revocation introspection userinfo jwks webfinger].each do |endpoint|
|
123
|
+
define_method :"#{endpoint}_url_options" do
|
124
|
+
discovery_url_default_options.merge(discovery_url_options[endpoint.to_sym] || {})
|
125
|
+
end
|
126
|
+
end
|
104
127
|
end
|
105
128
|
end
|
106
129
|
end
|
@@ -3,7 +3,9 @@
|
|
3
3
|
module Doorkeeper
|
4
4
|
module OpenidConnect
|
5
5
|
class UserinfoController < ::Doorkeeper::ApplicationController
|
6
|
-
|
6
|
+
unless Doorkeeper.configuration.api_only
|
7
|
+
skip_before_action :verify_authenticity_token
|
8
|
+
end
|
7
9
|
before_action -> { doorkeeper_authorize! :openid }
|
8
10
|
|
9
11
|
def show
|
data/config/locales/en.yml
CHANGED
@@ -19,4 +19,5 @@ en:
|
|
19
19
|
resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
|
20
20
|
auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
|
21
21
|
reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
|
22
|
+
select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
|
22
23
|
subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'
|
@@ -17,19 +17,17 @@ module Doorkeeper
|
|
17
17
|
true
|
18
18
|
end
|
19
19
|
|
20
|
-
def
|
21
|
-
Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, redirect_uri_params)
|
22
|
-
end
|
23
|
-
|
24
|
-
private
|
25
|
-
|
26
|
-
def redirect_uri_params
|
20
|
+
def body
|
27
21
|
{
|
28
22
|
expires_in: auth.token.expires_in_seconds,
|
29
23
|
state: pre_auth.state,
|
30
24
|
id_token: id_token.as_jws_token
|
31
25
|
}
|
32
26
|
end
|
27
|
+
|
28
|
+
def redirect_uri
|
29
|
+
Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, body)
|
30
|
+
end
|
33
31
|
end
|
34
32
|
end
|
35
33
|
end
|
@@ -16,7 +16,6 @@ require 'doorkeeper/openid_connect/claims_builder'
|
|
16
16
|
require 'doorkeeper/openid_connect/claims/claim'
|
17
17
|
require 'doorkeeper/openid_connect/claims/normal_claim'
|
18
18
|
require 'doorkeeper/openid_connect/config'
|
19
|
-
require 'doorkeeper/openid_connect/response_types_config'
|
20
19
|
require 'doorkeeper/openid_connect/engine'
|
21
20
|
require 'doorkeeper/openid_connect/errors'
|
22
21
|
require 'doorkeeper/openid_connect/id_token'
|
@@ -63,5 +62,23 @@ module Doorkeeper
|
|
63
62
|
key.slice(:kty, :kid)
|
64
63
|
end
|
65
64
|
end
|
65
|
+
|
66
|
+
Doorkeeper::GrantFlow.register(
|
67
|
+
:id_token,
|
68
|
+
response_type_matches: 'id_token',
|
69
|
+
response_mode_matches: %w[fragment form_post],
|
70
|
+
response_type_strategy: Doorkeeper::Request::IdToken,
|
71
|
+
)
|
72
|
+
|
73
|
+
Doorkeeper::GrantFlow.register(
|
74
|
+
'id_token token',
|
75
|
+
response_type_matches: 'id_token token',
|
76
|
+
response_mode_matches: %w[fragment form_post],
|
77
|
+
response_type_strategy: Doorkeeper::Request::IdTokenToken,
|
78
|
+
)
|
79
|
+
|
80
|
+
Doorkeeper::GrantFlow.register_alias(
|
81
|
+
'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
|
82
|
+
)
|
66
83
|
end
|
67
84
|
end
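Review bot: The two `Doorkeeper::GrantFlow.register` calls in the second hunk allow only `fragment` and `form_post` for the `id_token` and `id_token token` response types; that is the right restriction, since the OAuth 2.0 Multiple Response Type encoding rules forbid returning an ID token in the query string, but nothing in the code says it is deliberate. A comment on each `response_mode_matches` line, `# 'query' is intentionally absent: an id_token must never be returned in the query string`, would stop a future contributor from adding it. The first registration names its flow with the Symbol `:id_token` while the second uses the String `'id_token token'`; one form would read more consistently, assuming the registry treats both alike.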
|
@@ -115,6 +115,10 @@ module Doorkeeper
|
|
115
115
|
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
|
116
116
|
}
|
117
117
|
|
118
|
+
option :select_account_for_resource_owner, default: lambda { |*_|
|
119
|
+
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
|
120
|
+
}
|
121
|
+
|
118
122
|
option :subject, default: lambda { |*_|
|
119
123
|
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
|
120
124
|
}
|
@@ -130,6 +134,10 @@ module Doorkeeper
|
|
130
134
|
option :end_session_endpoint, default: lambda { |*_|
|
131
135
|
nil
|
132
136
|
}
|
137
|
+
|
138
|
+
option :discovery_url_options, default: lambda { |*_|
|
139
|
+
{}
|
140
|
+
}
|
133
141
|
end
|
134
142
|
end
|
135
143
|
end
|
@@ -43,22 +43,25 @@ module Doorkeeper
|
|
43
43
|
name: exception.type,
|
44
44
|
state: params[:state],
|
45
45
|
redirect_uri: params[:redirect_uri],
|
46
|
+
response_on_fragment: pre_auth.response_on_fragment?,
|
46
47
|
)
|
47
48
|
else
|
48
49
|
::Doorkeeper::OAuth::ErrorResponse.new(
|
49
50
|
name: exception.type,
|
50
51
|
state: params[:state],
|
51
52
|
redirect_uri: params[:redirect_uri],
|
53
|
+
response_on_fragment: pre_auth.response_on_fragment?,
|
52
54
|
)
|
53
|
-
|
55
|
+
end
|
54
56
|
|
55
57
|
response.headers.merge!(error_response.headers)
|
56
58
|
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
59
|
+
# NOTE: Assign error_response to @authorize_response then use redirect_or_render method that are defined at
|
60
|
+
# doorkeeper's authorizations_controller.
|
61
|
+
# - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L110
|
62
|
+
# - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L52
|
63
|
+
@authorize_response = error_response
|
64
|
+
redirect_or_render(@authorize_response)
|
62
65
|
end
|
63
66
|
|
64
67
|
def handle_oidc_prompt_param!(owner)
|
@@ -75,8 +78,7 @@ module Doorkeeper
|
|
75
78
|
when 'consent'
|
76
79
|
render :new
|
77
80
|
when 'select_account'
|
78
|
-
|
79
|
-
raise Errors::AccountSelectionRequired
|
81
|
+
select_account_for_oidc_resource_owner(owner)
|
80
82
|
else
|
81
83
|
raise Errors::InvalidRequest
|
82
84
|
end
|
@@ -97,16 +99,21 @@ module Doorkeeper
|
|
97
99
|
end
|
98
100
|
end
|
99
101
|
|
100
|
-
def
|
102
|
+
def return_without_oidc_prompt_param(prompt_value)
|
101
103
|
return_to = URI.parse(request.path)
|
102
104
|
return_to.query = request.query_parameters.tap do |params|
|
103
|
-
params['prompt'] = params['prompt'].to_s.sub(/\
|
105
|
+
params['prompt'] = params['prompt'].to_s.sub(/\b#{prompt_value}\s*\b/, '').strip
|
104
106
|
params.delete('prompt') if params['prompt'].blank?
|
105
107
|
end.to_query
|
108
|
+
return_to.to_s
|
109
|
+
end
|
110
|
+
|
111
|
+
def reauthenticate_oidc_resource_owner(owner)
|
112
|
+
return_to = return_without_oidc_prompt_param('login')
|
106
113
|
|
107
114
|
instance_exec(
|
108
115
|
owner,
|
109
|
-
return_to
|
116
|
+
return_to,
|
110
117
|
&Doorkeeper::OpenidConnect.configuration.reauthenticate_resource_owner
|
111
118
|
)
|
112
119
|
|
@@ -116,6 +123,16 @@ module Doorkeeper
|
|
116
123
|
def oidc_consent_required?
|
117
124
|
!skip_authorization? && !matching_token?
|
118
125
|
end
|
126
|
+
|
127
|
+
def select_account_for_oidc_resource_owner(owner)
|
128
|
+
return_to = return_without_oidc_prompt_param('select_account')
|
129
|
+
|
130
|
+
instance_exec(
|
131
|
+
owner,
|
132
|
+
return_to,
|
133
|
+
&Doorkeeper::OpenidConnect.configuration.select_account_for_resource_owner
|
134
|
+
)
|
135
|
+
end
|
119
136
|
end
|
120
137
|
end
|
121
138
|
end
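Review bot: `return_without_oidc_prompt_param` interpolates `prompt_value` straight into a Regexp in the third hunk (`/\b#{prompt_value}\s*\b/`); the two callers in this section pass the literals `'login'` and `'select_account'`, so nothing is exploitable today, but a future caller passing a value with metacharacters would silently change what gets stripped. `Regexp.escape(prompt_value)` inside the interpolation costs nothing and removes that foot-gun. The `return_to` it builds is `request.path` plus the remaining query parameters rather than an absolute URL, and that path-only form is what keeps the configured `redirect_to` callbacks clear of open-redirect concerns — worth stating in a comment above the method, since the callbacks are application code.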
|
@@ -40,7 +40,11 @@ module Doorkeeper
|
|
40
40
|
private
|
41
41
|
|
42
42
|
def issuer
|
43
|
-
Doorkeeper::OpenidConnect.configuration.issuer
|
43
|
+
if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
|
44
|
+
Doorkeeper::OpenidConnect.configuration.issuer.call(@resource_owner, @access_token.application).to_s
|
45
|
+
else
|
46
|
+
Doorkeeper::OpenidConnect.configuration.issuer
|
47
|
+
end
|
44
48
|
end
|
45
49
|
|
46
50
|
def subject
|
@@ -7,29 +7,20 @@ module Doorkeeper
|
|
7
7
|
attr_reader :nonce
|
8
8
|
|
9
9
|
def initialize(server, attrs = {}, resource_owner = nil)
|
10
|
-
|
11
|
-
Doorkeeper::VERSION::MAJOR >= 6
|
12
|
-
super
|
13
|
-
else
|
14
|
-
super(server, attrs)
|
15
|
-
end
|
10
|
+
super
|
16
11
|
@nonce = attrs[:nonce]
|
17
12
|
end
|
18
13
|
|
19
|
-
#
|
20
|
-
#
|
21
|
-
def
|
22
|
-
|
23
|
-
Doorkeeper::OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: response_on_fragment?)
|
24
|
-
else
|
25
|
-
Doorkeeper::OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
|
26
|
-
end
|
27
|
-
end
|
14
|
+
# NOTE: Auto get default response_mode of specified response_type if response_mode is not
|
15
|
+
# yet present. We can delete this method after Doorkeeper's minimize version support it.
|
16
|
+
def response_on_fragment?
|
17
|
+
return response_mode == 'fragment' if response_mode.present?
|
28
18
|
|
29
|
-
|
19
|
+
grant_flow = server.authorization_response_flows.detect do |flow|
|
20
|
+
flow.matches_response_type?(response_type)
|
21
|
+
end
|
30
22
|
|
31
|
-
|
32
|
-
response_type == 'token' || response_type == 'id_token' || response_type == 'id_token token'
|
23
|
+
grant_flow&.default_response_mode == 'fragment'
|
33
24
|
end
|
34
25
|
end
|
35
26
|
end
|
@@ -1,7 +1,9 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
Doorkeeper::OpenidConnect.configure do
|
4
|
-
issuer
|
4
|
+
issuer do |resource_owner, application|
|
5
|
+
'issuer string'
|
6
|
+
end
|
5
7
|
|
6
8
|
signing_key <<~KEY
|
7
9
|
-----BEGIN RSA PRIVATE KEY-----
|
@@ -28,6 +30,18 @@ Doorkeeper::OpenidConnect.configure do
|
|
28
30
|
# redirect_to new_user_session_url
|
29
31
|
end
|
30
32
|
|
33
|
+
# Depending on your configuration, a DoubleRenderError could be raised
|
34
|
+
# if render/redirect_to is called at some point before this callback is executed.
|
35
|
+
# To avoid the DoubleRenderError, you could add these two lines at the beginning
|
36
|
+
# of this callback: (Reference: https://github.com/rails/rails/issues/25106)
|
37
|
+
# self.response_body = nil
|
38
|
+
# @_response_body = nil
|
39
|
+
select_account_for_resource_owner do |resource_owner, return_to|
|
40
|
+
# Example implementation:
|
41
|
+
# store_location_for resource_owner, return_to
|
42
|
+
# redirect_to account_select_url
|
43
|
+
end
|
44
|
+
|
31
45
|
subject do |resource_owner, application|
|
32
46
|
# Example implementation:
|
33
47
|
# resource_owner.id
|
@@ -1,7 +1,7 @@
|
|
1
1
|
class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration<%= migration_version %>
|
2
2
|
def change
|
3
3
|
create_table :oauth_openid_requests do |t|
|
4
|
-
t.
|
4
|
+
t.references :access_grant, null: false, index: true
|
5
5
|
t.string :nonce, null: false
|
6
6
|
end
|
7
7
|
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: doorkeeper-openid_connect
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.8.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Sam Dengler
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2021-05-11 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: doorkeeper
|
@@ -17,20 +17,20 @@ dependencies:
|
|
17
17
|
requirements:
|
18
18
|
- - ">="
|
19
19
|
- !ruby/object:Gem::Version
|
20
|
-
version: '5.
|
20
|
+
version: '5.5'
|
21
21
|
- - "<"
|
22
22
|
- !ruby/object:Gem::Version
|
23
|
-
version: '5.
|
23
|
+
version: '5.6'
|
24
24
|
type: :runtime
|
25
25
|
prerelease: false
|
26
26
|
version_requirements: !ruby/object:Gem::Requirement
|
27
27
|
requirements:
|
28
28
|
- - ">="
|
29
29
|
- !ruby/object:Gem::Version
|
30
|
-
version: '5.
|
30
|
+
version: '5.5'
|
31
31
|
- - "<"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: '5.
|
33
|
+
version: '5.6'
|
34
34
|
- !ruby/object:Gem::Dependency
|
35
35
|
name: json-jwt
|
36
36
|
requirement: !ruby/object:Gem::Requirement
|
@@ -157,7 +157,6 @@ files:
|
|
157
157
|
- lib/doorkeeper/openid_connect/rails/routes.rb
|
158
158
|
- lib/doorkeeper/openid_connect/rails/routes/mapper.rb
|
159
159
|
- lib/doorkeeper/openid_connect/rails/routes/mapping.rb
|
160
|
-
- lib/doorkeeper/openid_connect/response_types_config.rb
|
161
160
|
- lib/doorkeeper/openid_connect/user_info.rb
|
162
161
|
- lib/doorkeeper/openid_connect/version.rb
|
163
162
|
- lib/doorkeeper/request/id_token.rb
|
@@ -178,14 +177,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
178
177
|
requirements:
|
179
178
|
- - ">="
|
180
179
|
- !ruby/object:Gem::Version
|
181
|
-
version: '2.
|
180
|
+
version: '2.5'
|
182
181
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
183
182
|
requirements:
|
184
183
|
- - ">="
|
185
184
|
- !ruby/object:Gem::Version
|
186
185
|
version: '0'
|
187
186
|
requirements: []
|
188
|
-
rubygems_version: 3.
|
187
|
+
rubygems_version: 3.1.4
|
189
188
|
signing_key:
|
190
189
|
specification_version: 4
|
191
190
|
summary: OpenID Connect extension for Doorkeeper.
|
@@ -1,19 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
module Doorkeeper
|
4
|
-
module OpenidConnect
|
5
|
-
module ResponseTypeConfig
|
6
|
-
private def calculate_authorization_response_types
|
7
|
-
types = super
|
8
|
-
if grant_flows.include? 'implicit_oidc'
|
9
|
-
types << 'token'
|
10
|
-
types << 'id_token'
|
11
|
-
types << 'id_token token'
|
12
|
-
end
|
13
|
-
types
|
14
|
-
end
|
15
|
-
end
|
16
|
-
end
|
17
|
-
|
18
|
-
Config.prepend OpenidConnect::ResponseTypeConfig
|
19
|
-
end
|