doorkeeper-openid_connect 1.7.2 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd500337bf3593b1f15ab64da67dd2da940797271fd1a169e47f2542371d6930
-  data.tar.gz: 4c3fdae9aca104f74f2bcf2e2805d09fe784e75326e3fa2382de8ba74133987a
+  metadata.gz: 13bf3ad72ee7edeeb5158fcf2c63193b6c8b2982070ccfbdce9a2e1854771da1
+  data.tar.gz: aa425930d99cef5997fbab6d02c3d6c18e2149f1ccd288afcfbc5e1d5b4f7a18
 SHA512:
-  metadata.gz: 887f767a61bd22be260dfb2b3d37de2e3334b25ff53aacbf9b6b41aecb88a287ae308d9fd65950e7c850ab023569d08cb1c31cceda4182cb667c3b61a984406e
-  data.tar.gz: 670454a6c3e5dbe69dcb511e68acbb63b2b558410a3ae0268400918dd11e3ae4d320fb1bd7d876cade2b7313132c925befcd51ad0bd023bfb826f36ee9d127b9
+  metadata.gz: bab714902ba2fb3085687a08bd3fbe7c4d28d704ef94efa2aaf41863e7bf8554b3d1db7fcabe3d651280f91015aa835fd9e269a9b4bd5225e9357cfaa51f5de6
+  data.tar.gz: 5ecaabb2d7382974e4bc295a758f63bf3fa4e4f834b9e148671cbfa2de7aeb41452a4d8efbc49f6c7e7adaccc8f40c356b5710bf0fd9d9eca736d6b1c5268ab2

data/CHANGELOG.md

@@ -1,5 +1,46 @@
 ## Unreleased
 
+## v1.8.0 (2021-05-11)
+
+No changes from v1.8.0-rc1.
+
+## v1.8.0-rc1 (2021-04-20)
+
+### Upgrading
+
+This gem now requires Doorkeeper 5.5 and Ruby 2.5.
+
+### Changes
+
+- [#138] Support form_post response mode (thanks to @linhdangduy)
+- [#144] Support block syntax for `issuer` configuration (thanks to @maxxsnake)
+- [#145] Register token flows with the strategy instead of the token class (thanks to @paukul)
+
+## v1.7.5 (2020-12-15)
+
+### Changes
+
+- [#126] Add discovery_url_options option for discovery endpoints URL generation (thanks to @phlegx)
+
+### Bugfixes
+
+- [#123] Remove reference to ApplicationRecord (thanks to @wheeyls)
+- [#124] Clone doorkeeper.grant_flows array before appending 'refresh_token' (thanks to @davidbasalla)
+- [#129] Avoid to use the config alias while supporting Doorkeeper 5.2 (thanks to @kymmt90)
+
+## v1.7.4 (2020-07-06)
+
+- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
+
+## v1.7.3 (2020-07-06)
+
+- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
+- [#112] Add grant_types_supported to discovery response
+- [#114] Fix user_info endpoint when used in api mode
+- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
+- [#117] Fix migration template to use Rails migrations DSL for association.
+- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
+
 ## v1.7.2 (2020-05-20)
 
 ### Changes

data/README.md

@@ -34,6 +34,7 @@ The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-
 - [Requesting Claims using Scope Values](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
 - [UserInfo Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
 - [Normal Claims](http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims)
+- [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
 
 In addition we also support most of [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html) for automatic configuration discovery.
 
@@ -103,6 +104,7 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
 
 - `issuer`
   - Identifier for the issuer of the response (i.e. your application URL). The value is a case sensitive URL using the `https` scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
+  - You can either pass a string value, or a block to generate the issuer dynamically based on the `resource_owner` and `application` passed to the block.
 - `subject`
   - Identifier for the resource owner (i.e. the authenticated user). A locally unique and never reassigned identifier within the issuer for the end-user, which is intended to be consumed by the client. The value is a case-sensitive string and must not exceed 255 ASCII characters in length.
   - The database ID of the user is an acceptable choice if you don't mind leaking that information.
@@ -139,6 +141,10 @@ The following settings are optional, but recommended for better client compatibi
   - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
   - Required to support the `max_age` and `prompt=login` parameters.
   - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
+- `select_account_for_resource_owner`
+  - Defines how to trigger account selection to choose the current login user.
+  - Required to support the `prompt=select_account` parameter.
+  - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
 
 The following settings are optional:
 
@@ -155,6 +161,36 @@ The following settings are optional:
 - `end_session_endpoint`
   - The URL that the user is redirected to after ending the session on the client.
   - Used by implementations like https://github.com/IdentityModel/oidc-client-js.
+  - The block is executed in the controller's scope, so you have access to your route helpers.
+
+- `discovery_url_options`
+  - The URL options for every available endpoint to use when generating the endpoint URL in the
+    discovery response. Available endpoints: `authorization`, `token`, `revocation`,
+    `introspection`, `userinfo`, `jwks`, `webfinger`.
+  - This option requires option keys with an available endpoint and
+    [URL options](https://api.rubyonrails.org/v6.0.3.3/classes/ActionDispatch/Routing/UrlFor.html#method-i-url_for)
+    as value.
+  - The default is to use the request host, just like all the other URLs in the discovery response.
+  - This is useful when you want endpoints to use a different URL than other requests.
+    For example, if your Doorkeeper server is behind a firewall with other servers, you might want
+    other servers to use an "internal" URL to communicate with Doorkeeper, but you want to present
+    an "external" URL to end-users for authentication requests. Note that this setting does not
+    actually change the URL that your Doorkeeper server responds on - that is outside the scope of
+    Doorkeeper.
+
+    ```ruby
+    # config/initializers/doorkeeper_openid_connect.rb
+    Doorkeeper::OpenidConnect.configure do
+    # ...
+      discovery_url_options do |request|
+        {
+          authorization: { host: 'host.example.com' },
+          jwks:          { protocol: request.ssl? ? :https : :http }
+        }
+      end
+    # ...
+    end
+    ```
 
 ### Scopes
 

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

@@ -26,28 +26,25 @@ module Doorkeeper
         openid_connect = ::Doorkeeper::OpenidConnect.configuration
         {
           issuer: openid_connect.issuer,
-          authorization_endpoint: oauth_authorization_url(protocol: protocol),
-          token_endpoint: oauth_token_url(protocol: protocol),
-          revocation_endpoint: oauth_revoke_url(protocol: protocol),
-          introspection_endpoint: oauth_introspect_url(protocol: protocol),
-          userinfo_endpoint: oauth_userinfo_url(protocol: protocol),
-          jwks_uri: oauth_discovery_keys_url(protocol: protocol),
-          end_session_endpoint: openid_connect.end_session_endpoint.call,
+          authorization_endpoint: oauth_authorization_url(authorization_url_options),
+          token_endpoint: oauth_token_url(token_url_options),
+          revocation_endpoint: oauth_revoke_url(revocation_url_options),
+          introspection_endpoint: oauth_introspect_url(introspection_url_options),
+          userinfo_endpoint: oauth_userinfo_url(userinfo_url_options),
+          jwks_uri: oauth_discovery_keys_url(jwks_url_options),
+          end_session_endpoint: instance_exec(&openid_connect.end_session_endpoint),
 
           scopes_supported: doorkeeper.scopes,
 
           # TODO: support id_token response type
           response_types_supported: doorkeeper.authorization_response_types,
-          response_modes_supported: ['query', 'fragment'],
+          response_modes_supported: response_modes_supported(doorkeeper),
+          grant_types_supported: grant_types_supported(doorkeeper),
 
-          token_endpoint_auth_methods_supported: [
-            'client_secret_basic',
-            'client_secret_post',
-
-            # TODO: look into doorkeeper-jwt_assertion for these
-            # 'client_secret_jwt',
-            # 'private_key_jwt'
-          ],
+          # TODO: look into doorkeeper-jwt_assertion for these
+          #  'client_secret_jwt',
+          #  'private_key_jwt'
+          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
 
           subject_types_supported: openid_connect.subject_types_supported,
 
@@ -73,13 +70,23 @@ module Doorkeeper
         }.compact
       end
 
+      def grant_types_supported(doorkeeper)
+        grant_types_supported = doorkeeper.grant_flows.dup
+        grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
+        grant_types_supported
+      end
+
+      def response_modes_supported(doorkeeper)
+        doorkeeper.authorization_response_flows.flat_map(&:response_mode_matches).uniq
+      end
+
       def webfinger_response
         {
           subject: params.require(:resource),
           links: [
             {
               rel: WEBFINGER_RELATION,
-              href: root_url(protocol: protocol),
+              href: root_url(webfinger_url_options),
             }
           ]
         }
@@ -101,6 +108,22 @@ module Doorkeeper
       def protocol
         Doorkeeper::OpenidConnect.configuration.protocol.call
       end
+
+      def discovery_url_options
+        Doorkeeper::OpenidConnect.configuration.discovery_url_options.call(request)
+      end
+
+      def discovery_url_default_options
+        {
+          protocol: protocol
+        }
+      end
+
+      %i[authorization token revocation introspection userinfo jwks webfinger].each do |endpoint|
+        define_method :"#{endpoint}_url_options" do
+          discovery_url_default_options.merge(discovery_url_options[endpoint.to_sym] || {})
+        end
+      end
     end
   end
 end

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb

@@ -3,7 +3,9 @@
 module Doorkeeper
   module OpenidConnect
     class UserinfoController < ::Doorkeeper::ApplicationController
-      skip_before_action :verify_authenticity_token
+      unless Doorkeeper.configuration.api_only
+        skip_before_action :verify_authenticity_token
+      end
       before_action -> { doorkeeper_authorize! :openid }
 
       def show

data/config/locales/en.yml

@@ -19,4 +19,5 @@ en:
           resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
           auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
           reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
+          select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
           subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'

data/lib/doorkeeper/oauth/id_token_response.rb

@@ -17,19 +17,17 @@ module Doorkeeper
         true
       end
 
-      def redirect_uri
-        Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, redirect_uri_params)
-      end
-
-      private
-
-      def redirect_uri_params
+      def body
         {
           expires_in: auth.token.expires_in_seconds,
           state: pre_auth.state,
           id_token: id_token.as_jws_token
         }
       end
+
+      def redirect_uri
+        Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, body)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/id_token_token_response.rb

@@ -3,9 +3,7 @@
 module Doorkeeper
   module OAuth
     class IdTokenTokenResponse < IdTokenResponse
-      private
-
-      def redirect_uri_params
+      def body
         super.merge({
           access_token: auth.token.token,
           token_type: auth.token.token_type

data/lib/doorkeeper/openid_connect.rb

@@ -16,7 +16,6 @@ require 'doorkeeper/openid_connect/claims_builder'
 require 'doorkeeper/openid_connect/claims/claim'
 require 'doorkeeper/openid_connect/claims/normal_claim'
 require 'doorkeeper/openid_connect/config'
-require 'doorkeeper/openid_connect/response_types_config'
 require 'doorkeeper/openid_connect/engine'
 require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
@@ -63,5 +62,23 @@ module Doorkeeper
         key.slice(:kty, :kid)
       end
     end
+
+    Doorkeeper::GrantFlow.register(
+      :id_token,
+      response_type_matches: 'id_token',
+      response_mode_matches: %w[fragment form_post],
+      response_type_strategy: Doorkeeper::Request::IdToken,
+    )
+
+    Doorkeeper::GrantFlow.register(
+      'id_token token',
+      response_type_matches: 'id_token token',
+      response_mode_matches: %w[fragment form_post],
+      response_type_strategy: Doorkeeper::Request::IdTokenToken,
+    )
+
+    Doorkeeper::GrantFlow.register_alias(
+      'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
+    )
   end
 end

data/lib/doorkeeper/openid_connect/config.rb

@@ -115,6 +115,10 @@ module Doorkeeper
         raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
       }
 
+      option :select_account_for_resource_owner, default: lambda { |*_|
+        raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
+      }
+
       option :subject, default: lambda { |*_|
         raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
       }
@@ -130,6 +134,10 @@ module Doorkeeper
       option :end_session_endpoint, default: lambda { |*_|
         nil
       }
+
+      option :discovery_url_options, default: lambda { |*_|
+        {}
+      }
     end
   end
 end

data/lib/doorkeeper/openid_connect/errors.rb

@@ -26,7 +26,6 @@ module Doorkeeper
       class LoginRequired < OpenidConnectError; end
       class ConsentRequired < OpenidConnectError; end
       class InteractionRequired < OpenidConnectError; end
-      class AccountSelectionRequired < OpenidConnectError; end
     end
   end
 end

data/lib/doorkeeper/openid_connect/helpers/controller.rb

@@ -43,22 +43,25 @@ module Doorkeeper
                                name: exception.type,
                                state: params[:state],
                                redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
                              )
                            else
                              ::Doorkeeper::OAuth::ErrorResponse.new(
                                name: exception.type,
                                state: params[:state],
                                redirect_uri: params[:redirect_uri],
+                               response_on_fragment: pre_auth.response_on_fragment?,
                              )
-          end
+                           end
 
           response.headers.merge!(error_response.headers)
 
-          if error_response.redirectable?
-            render json: error_response.body, status: :found, location: error_response.redirect_uri
-          else
-            render json: error_response.body, status: error_response.status
-          end
+          # NOTE: Assign error_response to @authorize_response then use redirect_or_render method that are defined at
+          #   doorkeeper's authorizations_controller.
+          # - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L110
+          # - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L52
+          @authorize_response = error_response
+          redirect_or_render(@authorize_response)
         end
 
         def handle_oidc_prompt_param!(owner)
@@ -75,8 +78,7 @@ module Doorkeeper
             when 'consent'
               render :new
             when 'select_account'
-              # TODO: let the user implement this
-              raise Errors::AccountSelectionRequired
+              select_account_for_oidc_resource_owner(owner)
             else
               raise Errors::InvalidRequest
             end
@@ -97,16 +99,21 @@ module Doorkeeper
           end
         end
 
-        def reauthenticate_oidc_resource_owner(owner)
+        def return_without_oidc_prompt_param(prompt_value)
           return_to = URI.parse(request.path)
           return_to.query = request.query_parameters.tap do |params|
-            params['prompt'] = params['prompt'].to_s.sub(/\blogin\s*\b/, '').strip
+            params['prompt'] = params['prompt'].to_s.sub(/\b#{prompt_value}\s*\b/, '').strip
             params.delete('prompt') if params['prompt'].blank?
           end.to_query
+          return_to.to_s
+        end
+
+        def reauthenticate_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('login')
 
           instance_exec(
             owner,
-            return_to.to_s,
+            return_to,
             &Doorkeeper::OpenidConnect.configuration.reauthenticate_resource_owner
           )
 
@@ -116,6 +123,16 @@ module Doorkeeper
         def oidc_consent_required?
           !skip_authorization? && !matching_token?
         end
+
+        def select_account_for_oidc_resource_owner(owner)
+          return_to = return_without_oidc_prompt_param('select_account')
+
+          instance_exec(
+            owner,
+            return_to,
+            &Doorkeeper::OpenidConnect.configuration.select_account_for_resource_owner
+          )
+        end
       end
     end
   end

data/lib/doorkeeper/openid_connect/id_token.rb

@@ -40,7 +40,11 @@ module Doorkeeper
       private
 
       def issuer
-        Doorkeeper::OpenidConnect.configuration.issuer
+        if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
+          Doorkeeper::OpenidConnect.configuration.issuer.call(@resource_owner, @access_token.application).to_s
+        else
+          Doorkeeper::OpenidConnect.configuration.issuer
+        end
       end
 
       def subject

data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb

@@ -7,29 +7,20 @@ module Doorkeeper
         attr_reader :nonce
 
         def initialize(server, attrs = {}, resource_owner = nil)
-          if (Doorkeeper::VERSION::MAJOR >= 5 && Doorkeeper::VERSION::MINOR >= 4) ||
-             Doorkeeper::VERSION::MAJOR >= 6
-            super
-          else
-            super(server, attrs)
-          end
+          super
           @nonce = attrs[:nonce]
         end
 
-        # This method will be updated when doorkeeper move to version > 5.2.2
-        # TODO: delete this method and refactor response_on_fragment? method (below) when doorkeeper gem version constrains is > 5.2.2
-        def error_response
-          if error == :invalid_request
-            Doorkeeper::OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: response_on_fragment?)
-          else
-            Doorkeeper::OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
-          end
-        end
+        # NOTE: Auto get default response_mode of specified response_type if response_mode is not
+        #   yet present. We can delete this method after Doorkeeper's minimize version support it.
+        def response_on_fragment?
+          return response_mode == 'fragment' if response_mode.present?
 
-        private
+          grant_flow = server.authorization_response_flows.detect do |flow|
+            flow.matches_response_type?(response_type)
+          end
 
-        def response_on_fragment?
-          response_type == 'token' || response_type == 'id_token' || response_type == 'id_token token'
+          grant_flow&.default_response_mode == 'fragment'
         end
       end
     end

data/lib/doorkeeper/openid_connect/orm/active_record/request.rb

@@ -2,7 +2,7 @@
 
 module Doorkeeper
   module OpenidConnect
-    class Request < ApplicationRecord
+    class Request < ::ActiveRecord::Base
       self.table_name = "#{table_name_prefix}oauth_openid_requests#{table_name_suffix}".to_sym
 
       validates :access_grant_id, :nonce, presence: true

data/lib/doorkeeper/openid_connect/version.rb

@@ -2,6 +2,6 @@
 
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.7.2'
+    VERSION = '1.8.0'
   end
 end

data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 Doorkeeper::OpenidConnect.configure do
-  issuer 'issuer string'
+  issuer do |resource_owner, application|
+    'issuer string'
+  end
 
   signing_key <<~KEY
     -----BEGIN RSA PRIVATE KEY-----
@@ -28,6 +30,18 @@ Doorkeeper::OpenidConnect.configure do
     # redirect_to new_user_session_url
   end
 
+  # Depending on your configuration, a DoubleRenderError could be raised
+  # if render/redirect_to is called at some point before this callback is executed.
+  # To avoid the DoubleRenderError, you could add these two lines at the beginning
+  #  of this callback: (Reference: https://github.com/rails/rails/issues/25106)
+  #   self.response_body = nil
+  #   @_response_body = nil
+  select_account_for_resource_owner do |resource_owner, return_to|
+    # Example implementation:
+    # store_location_for resource_owner, return_to
+    # redirect_to account_select_url
+  end
+
   subject do |resource_owner, application|
     # Example implementation:
     # resource_owner.id

data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb

@@ -1,7 +1,7 @@
 class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_openid_requests do |t|
-      t.integer :access_grant_id, null: false
+      t.references :access_grant, null: false, index: true
       t.string :nonce, null: false
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.7.2
+  version: 1.8.0
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-20 00:00:00.000000000 Z
+date: 2021-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -17,20 +17,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.5'
+        version: '5.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.5'
+        version: '5.6'
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
@@ -157,7 +157,6 @@ files:
 - lib/doorkeeper/openid_connect/rails/routes.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapper.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapping.rb
-- lib/doorkeeper/openid_connect/response_types_config.rb
 - lib/doorkeeper/openid_connect/user_info.rb
 - lib/doorkeeper/openid_connect/version.rb
 - lib/doorkeeper/request/id_token.rb
@@ -178,14 +177,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: OpenID Connect extension for Doorkeeper.

data/lib/doorkeeper/openid_connect/response_types_config.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module Doorkeeper
-  module OpenidConnect
-    module ResponseTypeConfig
-      private def calculate_authorization_response_types
-        types = super
-        if grant_flows.include? 'implicit_oidc'
-          types << 'token'
-          types << 'id_token'
-          types << 'id_token token'
-        end
-        types
-      end
-    end
-  end
-
-  Config.prepend OpenidConnect::ResponseTypeConfig
-end