doorkeeper-openid_connect 1.7.4 → 1.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1c45a5eaa2846559e44cfc7d7526c18dafaca9bec5bad06eead06983819ad6c
-  data.tar.gz: 7705035b123d843861e8850854ce9a06d8b4dd4f21f478785aac050509f0e891
+  metadata.gz: '09f27d32ffb416432a70412926bdd053ef3c715615d503ea468fe00471e00dc0'
+  data.tar.gz: 36c769e0736aba2a90576b9837201b692205bbd4506db709b70e9cd544b7e15f
 SHA512:
-  metadata.gz: dec4fdd4c2be0301a8b812c710055fa610567902a023a84c83615edf3390e0ea135cc520de315f18091e165536d0e27553d8a83eddd7f9485f2a2fd926304197
-  data.tar.gz: 287118857266949e24cb44ca74cc3762277baffe08e010e687b9f5fa886f0d74b1dc328cdce88de887ec3794247a49ddc7abb5fc725c12780fa05c0e292b81e6
+  metadata.gz: 9d9a70bf130b96e1f1d51d28781c7d2bab443876c7d2a25f8fa3ab674b5bcc406342e7787f8681fa6ec81ea8223011f48600e2c9b257c774766c522a8e74c1b9
+  data.tar.gz: 063e9d61009275044b6b6ff98bfd068a7873d7986e407616c5363aedba127989f48da9ff1fe6489895d6ea62b3db5ed69185557b505d02391dc6f935c3dbbc7b

data/CHANGELOG.md

@@ -1,5 +1,41 @@
 ## Unreleased
 
+- [#] Add here
+
+## v1.8.1 (2022-02-09)
+
+- [#153] Fix ArgumentError caused by client credential validation introduced in Doorkeeper 5.5.1 (thanks to @CircumnavigatingFlatEarther)
+- [#161] Fix .well-known/openid-connect issuer (respond to block if provided) (thanks to @fkowal).
+- [#152] Expose oauth-authorization-server in routes (thanks to @mitar)
+
+## v1.8.0 (2021-05-11)
+
+No changes from v1.8.0-rc1.
+
+## v1.8.0-rc1 (2021-04-20)
+
+### Upgrading
+
+This gem now requires Doorkeeper 5.5 and Ruby 2.5.
+
+### Changes
+
+- [#138] Support form_post response mode (thanks to @linhdangduy)
+- [#144] Support block syntax for `issuer` configuration (thanks to @maxxsnake)
+- [#145] Register token flows with the strategy instead of the token class (thanks to @paukul)
+
+## v1.7.5 (2020-12-15)
+
+### Changes
+
+- [#126] Add discovery_url_options option for discovery endpoints URL generation (thanks to @phlegx)
+
+### Bugfixes
+
+- [#123] Remove reference to ApplicationRecord (thanks to @wheeyls)
+- [#124] Clone doorkeeper.grant_flows array before appending 'refresh_token' (thanks to @davidbasalla)
+- [#129] Avoid to use the config alias while supporting Doorkeeper 5.2 (thanks to @kymmt90)
+
 ## v1.7.4 (2020-07-06)
 
 - [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)

data/README.md

@@ -34,6 +34,7 @@ The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-
 - [Requesting Claims using Scope Values](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
 - [UserInfo Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
 - [Normal Claims](http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims)
+- [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
 
 In addition we also support most of [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html) for automatic configuration discovery.
 
@@ -103,6 +104,7 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
 
 - `issuer`
   - Identifier for the issuer of the response (i.e. your application URL). The value is a case sensitive URL using the `https` scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
+  - You can either pass a string value, or a block to generate the issuer dynamically based on the `resource_owner` and `application` or [request](app/controllers/doorkeeper/openid_connect/discovery_controller.rb#L123) passed to the block.
 - `subject`
   - Identifier for the resource owner (i.e. the authenticated user). A locally unique and never reassigned identifier within the issuer for the end-user, which is intended to be consumed by the client. The value is a case-sensitive string and must not exceed 255 ASCII characters in length.
   - The database ID of the user is an acceptable choice if you don't mind leaking that information.
@@ -161,6 +163,35 @@ The following settings are optional:
   - Used by implementations like https://github.com/IdentityModel/oidc-client-js.
   - The block is executed in the controller's scope, so you have access to your route helpers.
 
+- `discovery_url_options`
+  - The URL options for every available endpoint to use when generating the endpoint URL in the
+    discovery response. Available endpoints: `authorization`, `token`, `revocation`,
+    `introspection`, `userinfo`, `jwks`, `webfinger`.
+  - This option requires option keys with an available endpoint and
+    [URL options](https://api.rubyonrails.org/v6.0.3.3/classes/ActionDispatch/Routing/UrlFor.html#method-i-url_for)
+    as value.
+  - The default is to use the request host, just like all the other URLs in the discovery response.
+  - This is useful when you want endpoints to use a different URL than other requests.
+    For example, if your Doorkeeper server is behind a firewall with other servers, you might want
+    other servers to use an "internal" URL to communicate with Doorkeeper, but you want to present
+    an "external" URL to end-users for authentication requests. Note that this setting does not
+    actually change the URL that your Doorkeeper server responds on - that is outside the scope of
+    Doorkeeper.
+
+    ```ruby
+    # config/initializers/doorkeeper_openid_connect.rb
+    Doorkeeper::OpenidConnect.configure do
+    # ...
+      discovery_url_options do |request|
+        {
+          authorization: { host: 'host.example.com' },
+          jwks:          { protocol: request.ssl? ? :https : :http }
+        }
+      end
+    # ...
+    end
+    ```
+
 ### Scopes
 
 To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

@@ -24,21 +24,22 @@ module Doorkeeper
       def provider_response
         doorkeeper = ::Doorkeeper.configuration
         openid_connect = ::Doorkeeper::OpenidConnect.configuration
+
         {
-          issuer: openid_connect.issuer,
-          authorization_endpoint: oauth_authorization_url(protocol: protocol),
-          token_endpoint: oauth_token_url(protocol: protocol),
-          revocation_endpoint: oauth_revoke_url(protocol: protocol),
-          introspection_endpoint: oauth_introspect_url(protocol: protocol),
-          userinfo_endpoint: oauth_userinfo_url(protocol: protocol),
-          jwks_uri: oauth_discovery_keys_url(protocol: protocol),
+          issuer: issuer,
+          authorization_endpoint: oauth_authorization_url(authorization_url_options),
+          token_endpoint: oauth_token_url(token_url_options),
+          revocation_endpoint: oauth_revoke_url(revocation_url_options),
+          introspection_endpoint: oauth_introspect_url(introspection_url_options),
+          userinfo_endpoint: oauth_userinfo_url(userinfo_url_options),
+          jwks_uri: oauth_discovery_keys_url(jwks_url_options),
           end_session_endpoint: instance_exec(&openid_connect.end_session_endpoint),
 
           scopes_supported: doorkeeper.scopes,
 
           # TODO: support id_token response type
           response_types_supported: doorkeeper.authorization_response_types,
-          response_modes_supported: %w[query fragment],
+          response_modes_supported: response_modes_supported(doorkeeper),
           grant_types_supported: grant_types_supported(doorkeeper),
 
           # TODO: look into doorkeeper-jwt_assertion for these
@@ -71,18 +72,22 @@ module Doorkeeper
       end
 
       def grant_types_supported(doorkeeper)
-        grant_types_supported = doorkeeper.grant_flows
+        grant_types_supported = doorkeeper.grant_flows.dup
         grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
         grant_types_supported
       end
 
+      def response_modes_supported(doorkeeper)
+        doorkeeper.authorization_response_flows.flat_map(&:response_mode_matches).uniq
+      end
+
       def webfinger_response
         {
           subject: params.require(:resource),
           links: [
             {
               rel: WEBFINGER_RELATION,
-              href: root_url(protocol: protocol),
+              href: root_url(webfinger_url_options),
             }
           ]
         }
@@ -104,6 +109,30 @@ module Doorkeeper
       def protocol
         Doorkeeper::OpenidConnect.configuration.protocol.call
       end
+
+      def discovery_url_options
+        Doorkeeper::OpenidConnect.configuration.discovery_url_options.call(request)
+      end
+
+      def discovery_url_default_options
+        {
+          protocol: protocol
+        }
+      end
+
+      def issuer
+        if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
+          Doorkeeper::OpenidConnect.configuration.issuer.call(request).to_s
+        else
+          Doorkeeper::OpenidConnect.configuration.issuer
+        end
+      end
+
+      %i[authorization token revocation introspection userinfo jwks webfinger].each do |endpoint|
+        define_method :"#{endpoint}_url_options" do
+          discovery_url_default_options.merge(discovery_url_options[endpoint.to_sym] || {})
+        end
+      end
     end
   end
 end

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OpenidConnect
     class UserinfoController < ::Doorkeeper::ApplicationController
-      unless Doorkeeper.config.api_only
+      unless Doorkeeper.configuration.api_only
         skip_before_action :verify_authenticity_token
       end
       before_action -> { doorkeeper_authorize! :openid }

data/lib/doorkeeper/oauth/id_token_response.rb

@@ -17,19 +17,17 @@ module Doorkeeper
         true
       end
 
-      def redirect_uri
-        Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, redirect_uri_params)
-      end
-
-      private
-
-      def redirect_uri_params
+      def body
         {
           expires_in: auth.token.expires_in_seconds,
           state: pre_auth.state,
           id_token: id_token.as_jws_token
         }
       end
+
+      def redirect_uri
+        Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, body)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/id_token_token_response.rb

@@ -3,9 +3,7 @@
 module Doorkeeper
   module OAuth
     class IdTokenTokenResponse < IdTokenResponse
-      private
-
-      def redirect_uri_params
+      def body
         super.merge({
           access_token: auth.token.token,
           token_type: auth.token.token_type

data/lib/doorkeeper/openid_connect/config.rb

@@ -134,6 +134,10 @@ module Doorkeeper
       option :end_session_endpoint, default: lambda { |*_|
         nil
       }
+
+      option :discovery_url_options, default: lambda { |*_|
+        {}
+      }
     end
   end
 end

data/lib/doorkeeper/openid_connect/helpers/controller.rb

@@ -52,15 +52,16 @@ module Doorkeeper
                                redirect_uri: params[:redirect_uri],
                                response_on_fragment: pre_auth.response_on_fragment?,
                              )
-          end
+                           end
 
           response.headers.merge!(error_response.headers)
 
-          if error_response.redirectable?
-            render json: error_response.body, status: :found, location: error_response.redirect_uri
-          else
-            render json: error_response.body, status: error_response.status
-          end
+          # NOTE: Assign error_response to @authorize_response then use redirect_or_render method that are defined at
+          #   doorkeeper's authorizations_controller.
+          # - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L110
+          # - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L52
+          @authorize_response = error_response
+          redirect_or_render(@authorize_response)
         end
 
         def handle_oidc_prompt_param!(owner)

data/lib/doorkeeper/openid_connect/id_token.rb

@@ -40,7 +40,11 @@ module Doorkeeper
       private
 
       def issuer
-        Doorkeeper::OpenidConnect.configuration.issuer
+        if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
+          Doorkeeper::OpenidConnect.configuration.issuer.call(@resource_owner, @access_token.application).to_s
+        else
+          Doorkeeper::OpenidConnect.configuration.issuer
+        end
       end
 
       def subject

data/lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb

@@ -6,9 +6,16 @@ module Doorkeeper
       module PasswordAccessTokenRequest
         attr_reader :nonce
 
-        def initialize(server, client, resource_owner, parameters = {})
-          super
-          @nonce = parameters[:nonce]
+        if Gem.loaded_specs['doorkeeper'].version >= Gem::Version.create('5.5.1')
+          def initialize(server, client, credentials, resource_owner, parameters = {})
+            super
+            @nonce = parameters[:nonce]
+          end
+        else
+          def initialize(server, client, resource_owner, parameters = {})
+            super
+            @nonce = parameters[:nonce]
+          end
         end
 
         private

data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb

@@ -7,27 +7,20 @@ module Doorkeeper
         attr_reader :nonce
 
         def initialize(server, attrs = {}, resource_owner = nil)
-          if (Doorkeeper::VERSION::MAJOR >= 5 && Doorkeeper::VERSION::MINOR >= 4) ||
-             Doorkeeper::VERSION::MAJOR >= 6
-            super
-          else
-            super(server, attrs)
-          end
+          super
           @nonce = attrs[:nonce]
         end
 
-        # This method will be updated when doorkeeper move to version > 5.2.2
-        # TODO: delete this method and refactor response_on_fragment? method (below) when doorkeeper gem version constrains is > 5.2.2
-        def error_response
-          if error == :invalid_request
-            Doorkeeper::OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: response_on_fragment?)
-          else
-            Doorkeeper::OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
+        # NOTE: Auto get default response_mode of specified response_type if response_mode is not
+        #   yet present. We can delete this method after Doorkeeper's minimize version support it.
+        def response_on_fragment?
+          return response_mode == 'fragment' if response_mode.present?
+
+          grant_flow = server.authorization_response_flows.detect do |flow|
+            flow.matches_response_type?(response_type)
           end
-        end
 
-        def response_on_fragment?
-          Doorkeeper::OpenidConnect::ResponseMode.new(response_type).fragment?
+          grant_flow&.default_response_mode == 'fragment'
         end
       end
     end

data/lib/doorkeeper/openid_connect/orm/active_record/request.rb

@@ -2,7 +2,7 @@
 
 module Doorkeeper
   module OpenidConnect
-    class Request < ApplicationRecord
+    class Request < ::ActiveRecord::Base
       self.table_name = "#{table_name_prefix}oauth_openid_requests#{table_name_suffix}".to_sym
 
       validates :access_grant_id, :nonce, presence: true

data/lib/doorkeeper/openid_connect/rails/routes.rb

@@ -62,6 +62,7 @@ module Doorkeeper
         def discovery_well_known_routes
           routes.scope path: '.well-known' do
             routes.get :provider, path: 'openid-configuration'
+            routes.get :provider, path: 'oauth-authorization-server'
             routes.get :webfinger
           end
         end

data/lib/doorkeeper/openid_connect/version.rb

@@ -2,6 +2,6 @@
 
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.7.4'
+    VERSION = '1.8.1'
   end
 end

data/lib/doorkeeper/openid_connect.rb

@@ -16,13 +16,11 @@ require 'doorkeeper/openid_connect/claims_builder'
 require 'doorkeeper/openid_connect/claims/claim'
 require 'doorkeeper/openid_connect/claims/normal_claim'
 require 'doorkeeper/openid_connect/config'
-require 'doorkeeper/openid_connect/response_types_config'
 require 'doorkeeper/openid_connect/engine'
 require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
 require 'doorkeeper/openid_connect/id_token_token'
 require 'doorkeeper/openid_connect/user_info'
-require 'doorkeeper/openid_connect/response_mode'
 require 'doorkeeper/openid_connect/version'
 
 require 'doorkeeper/openid_connect/helpers/controller'
@@ -65,26 +63,22 @@ module Doorkeeper
       end
     end
 
-    if defined?(::Doorkeeper::GrantFlow)
-      Doorkeeper::GrantFlow.register(
-        :id_token,
-        response_type_matches: 'id_token',
-        response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
-      )
+    Doorkeeper::GrantFlow.register(
+      :id_token,
+      response_type_matches: 'id_token',
+      response_mode_matches: %w[fragment form_post],
+      response_type_strategy: Doorkeeper::Request::IdToken,
+    )
 
-      Doorkeeper::GrantFlow.register(
-        'id_token token',
-        response_type_matches: 'id_token token',
-        response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
-      )
+    Doorkeeper::GrantFlow.register(
+      'id_token token',
+      response_type_matches: 'id_token token',
+      response_mode_matches: %w[fragment form_post],
+      response_type_strategy: Doorkeeper::Request::IdTokenToken,
+    )
 
-      Doorkeeper::GrantFlow.register_alias(
-        'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
-      )
-    else
-      # TODO: drop this and corresponding file when we will set minimal
-      # required Doorkeeper version to 5.5.
-      Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
-    end
+    Doorkeeper::GrantFlow.register_alias(
+      'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
+    )
   end
 end

data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 Doorkeeper::OpenidConnect.configure do
-  issuer 'issuer string'
+  issuer do |resource_owner, application|
+    'issuer string'
+  end
 
   signing_key <<~KEY
     -----BEGIN RSA PRIVATE KEY-----

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.7.4
+  version: 1.8.1
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-06 00:00:00.000000000 Z
+date: 2022-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -17,20 +17,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.5'
+        version: '5.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.5'
+        version: '5.6'
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
@@ -157,8 +157,6 @@ files:
 - lib/doorkeeper/openid_connect/rails/routes.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapper.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapping.rb
-- lib/doorkeeper/openid_connect/response_mode.rb
-- lib/doorkeeper/openid_connect/response_types_config.rb
 - lib/doorkeeper/openid_connect/user_info.rb
 - lib/doorkeeper/openid_connect/version.rb
 - lib/doorkeeper/request/id_token.rb
@@ -179,14 +177,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: OpenID Connect extension for Doorkeeper.

data/lib/doorkeeper/openid_connect/response_mode.rb

@@ -1,30 +0,0 @@
-# frozen_string_literal: true
-
-module Doorkeeper
-  module OpenidConnect
-    class ResponseMode
-      attr_reader :type
-
-      def initialize(response_type)
-        @type = response_type
-      end
-
-      def fragment?
-        mode == 'fragment'
-      end
-
-      def query?
-        mode == 'query'
-      end
-
-      def mode
-        case type
-        when 'token', 'id_token', 'id_token token'
-          'fragment'
-        else
-          'query'
-        end
-      end
-    end
-  end
-end

data/lib/doorkeeper/openid_connect/response_types_config.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-module Doorkeeper
-  module OpenidConnect
-    module ResponseTypeConfig
-      private def calculate_authorization_response_types
-        types = super
-        if grant_flows.include? 'implicit_oidc'
-          types << 'token'
-          types << 'id_token'
-          types << 'id_token token'
-        end
-        types
-      end
-    end
-  end
-end