doorkeeper-openid_connect 1.1.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b40bbe1bf519ac049a06984fe9aa3e4c9dd8a51a
-  data.tar.gz: 4f5b3b1fb7a274a600566b7327f8d534039085b5
+  metadata.gz: 81502614dddbd89303cca3b8672ddb66b5fb040d
+  data.tar.gz: 26b9a1a0144782f9476c72818f74440f7b4ec2c9
 SHA512:
-  metadata.gz: 5bbae464b4b78cac862eb48d36d52e55ccc22185c35f80dfc0b0cc0b0284d3ab63a935ecdd1c4a2b9a0f438b3546d07d1f99e472688c146b51ca41d6e98ec1c7
-  data.tar.gz: 5c24fce98f8baf319452109d17694eaa8562da62de8d8d5a731e0b13df0d75f8742b71807cb4b5ef5e13f0198009787661426235cc102605c12c7ea633f93303
+  metadata.gz: af7899974ca8eccfc6225039c3495ef0772920445c90e8fa3fa65b1007a2cbf29599e0e69a45070339f157a2c91f56723c119c772006556db6a5d7ca9e877cf6
+  data.tar.gz: 73504df5e1495586943d6f172550225fd114fc9665bb5fcc8a7da47ffd6a4a00abd3bc13625af183be1510dec00883d70412b7f8a2d1225eeb49948252922b8f

data/.gitignore

@@ -4,3 +4,4 @@
 /spec/dummy/log/*.log
 /spec/dummy/tmp/
 /spec/examples.txt
+/pkg

data/.ruby-version

@@ -1 +1 @@
-2.3.1
+2.3.3

data/CHANGELOG.md

@@ -1,24 +1,48 @@
+### Unreleased
+
+#### Changes
+
+<a name="v1.1.1"></a>
+### v1.1.1 (2017-01-18)
+
+#### Upgrading
+
+- The configuration setting `jws_public_key` wasn't actually used, it's deprecated now and will be removed in the next major release
+
+#### Features
+
+- Claims now receive an optional second `scopes` argument which allow you to dynamically adjust claim values based on the requesting applications' scopes (by @nbibler)
+- The `prompt` parameter values `login` and `consent` are now supported
+- The configuration setting `protocol` was added (by @gigr)
+
+#### Bugfixes
+
+- Standard Claims are now mapped correctly to their default scopes (by @tylerhunt)
+- Blank `nonce` parameters are now ignored
+
+#### Changes
+
+- `nil` values and empty strings are now removed from the UserInfo and IdToken responses
+- Allow `json-jwt` dependency at ~> 1.6. (by @nbibler)
+- Configuration blocks no longer internally use `instance_eval` which previously gave undocumented and unexpected `self` access to the caller (by @nbibler)
+
 <a name="v1.1.0"></a>
 ### v1.1.0 (2016-11-30)
 
 This release is a general clean-up and adds support for some advanced OpenID Connect features.
-Make sure to check the updated [README.md](README.md), especially the [configuration](README.md#configuration) section.
+
+#### Upgrading
+
+- This version adds a table to store temporary nonces, use the generator `doorkeeper:openid_connect:migration` to create a migration
+- Implement the new configuration callbacks `auth_time_from_resource_owner` and `reauthenticate_resource_owner` to support advanced features
 
 #### Features
 
-* Respect scope grants in UserInfo response	 ([25f2170](/../../commit/25f2170))
-* Support max_age parameter	 ([aabe3aa](/../../commit/aabe3aa))
-* Add generator for initializer	 ([80399fd](/../../commit/80399fd))
-* Store and return nonces in IdToken responses	 ([d28ca8c](/../../commit/d28ca8c))
-* Support prompt=none parameter	 ([c775d8b](/../../commit/c775d8b))
-* Add supported claims to discovery response	 ([1d8f9ea](/../../commit/1d8f9ea))
-* Add webfinger and keys endpoints for discovery	 ([f70898b](/../../commit/f70898b))
-* Add discovery endpoint	 ([a16caa8](/../../commit/a16caa8))
-
-#### Bug Fixes
-
-* Work around response_body issue on Rails 5, fix specs	 ([bc4ac76](/../../commit/bc4ac76))
-* Return auth_time in ID token claims	 ([490f756](/../../commit/490f756))
-* Don't require nonce	 ([d2945da](/../../commit/d2945da))
-* Also support POST requests to userinfo	 ([87a6577](/../../commit/87a6577))
-* Add openid scope to Doorkeeper configuration	 ([8169c2d](/../../commit/8169c2d))
+- Add discovery endpoint	 ([a16caa8](/../../commit/a16caa8))
+- Add webfinger and keys endpoints for discovery	 ([f70898b](/../../commit/f70898b))
+- Add supported claims to discovery response	 ([1d8f9ea](/../../commit/1d8f9ea))
+- Support prompt=none parameter	 ([c775d8b](/../../commit/c775d8b))
+- Store and return nonces in IdToken responses	 ([d28ca8c](/../../commit/d28ca8c))
+- Add generator for initializer	 ([80399fd](/../../commit/80399fd))
+- Support max_age parameter	 ([aabe3aa](/../../commit/aabe3aa))
+- Respect scope grants in UserInfo response	 ([25f2170](/../../commit/25f2170))

data/README.md

@@ -5,7 +5,9 @@
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 
-This library implements [OpenID Connect](http://openid.net/connect/) for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
+This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
+
+OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect/).
 
 ## Table of Contents
 
@@ -16,6 +18,7 @@ This library implements [OpenID Connect](http://openid.net/connect/) for Rails a
   - [Claims](#claims)
   - [Routes](#routes)
   - [Nonces](#nonces)
+  - [Internationalization (I18n)](#internationalization-i18n)
 - [Development](#development)
 - [License](#license)
 - [Sponsors](#sponsors)
@@ -34,6 +37,8 @@ Take a look at the [DiscoveryController](app/controllers/doorkeeper/openid_conne
 
 ## Installation
 
+Make sure your application is already set up with [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper#installation).
+
 Add this line to your application's `Gemfile` and run `bundle install`:
 
 ```ruby
@@ -53,12 +58,16 @@ rails generate doorkeeper:openid_connect:migration
 rake db:migrate
 ```
 
+If you're upgrading from an earlier version, check [CHANGELOG.md](CHANGELOG.md) for upgrade instructions.
+
 ## Configuration
 
+Make sure you've [configured Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper#configuration) before continuing.
+
 Verify your settings in `config/initializers/doorkeeper.rb`:
 
 - `resource_owner_authenticator`
-  - Make sure this returns a falsey value if the current user can't be determined:
+  - This callback needs to returns a falsey value if the current user can't be determined:
 
     ```ruby
     resource_owner_authenticator do
@@ -78,10 +87,10 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
 - `subject`
   - Identifier for the resource owner (i.e. the authenticated user). A locally unique and never reassigned identifier within the issuer for the end-user, which is intended to be consumed by the client. The value is a case-sensitive string and must not exceed 255 ASCII characters in length.
   - The database ID of the user is an acceptable choice if you don't mind leaking that information.
-- `jws_private_key`, `jws_public_key`
-  - Private and public RSA key pair for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31).
-  - You can generate these with the `openssl` command, see e.g. [Generate a keypair using OpenSSL](https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL).
-  - You should not commit these keys to your repository, but use external files (in combination with `File.read`) and/or the [dotenv-rails](https://github.com/bkeepers/dotenv) gem (in combination with `ENV[...]`).
+- `jws_private_key`
+  - Private RSA key for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31).
+  - You can generate a private key with the `openssl` command, see e.g. [Generate a keypair using OpenSSL](https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL).
+  - You should not commit the key to your repository, but use an external file (in combination with `File.read`) and/or the [dotenv-rails](https://github.com/bkeepers/dotenv) gem (in combination with `ENV[...]`).
 - `resource_owner_from_access_token`
   - Defines how to translate the Doorkeeper access token to a resource owner model.
 
@@ -93,6 +102,7 @@ The following settings are optional, but recommended for better client compatibi
 - `reauthenticate_resource_owner`
   - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
   - Required to support the `max_age` and `prompt=login` parameters.
+  - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
 
 The following settings are optional:
 
@@ -100,6 +110,12 @@ The following settings are optional:
   - Expiration time after which the ID Token must not be accepted for processing by clients.
   - The default is 120 seconds
 
+- `protocol`
+  - The protocol to use when generating URIs for the discovery endpoints.
+  - The default is `https` for production, and `http` for all other environments
+  - Note that the OIC specification mandates HTTPS, so you shouldn't change this
+    for production environments unless you have a really good reason!
+
 ### Scopes
 
 To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.
@@ -122,6 +138,12 @@ Doorkeeper::OpenidConnect.configure do
     claim :full_name do |resource_owner|
       "#{resource_owner.first_name} #{resource_owner.last_name}"
     end
+
+    claim :preferred_username, scope: :openid do |resource_owner, application_scopes|
+      # Pass the resource_owner's preferred_username if the application has
+      # `profile` scope access. Otherwise, provide a more generic alternative.
+      application_scopes.exists?(:profile) ? resource_owner.preferred_username : "summer-sun-9449"
+    end
   end
 end
 ```
@@ -149,6 +171,8 @@ GET   /.well-known/openid-configuration
 GET   /.well-known/webfinger
 ```
 
+With the exception of the hard-coded `/.well-known` paths (see [RFC 5785](https://tools.ietf.org/html/rfc5785)) you can customize routes in the same way as with Doorkeeper, please refer to [this page on their wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes#version--05-1).
+
 ### Nonces
 
 To support clients who send nonces you have to tweak Doorkeeper's authorization view so the parameter is passed on.
@@ -182,6 +206,10 @@ Then tweak the template as follows:
    </div>
 ```
 
+### Internationalization (I18n)
+
+We use Rails locale files for error messages and scope descriptions, see [config/locales/en.yml](config/locales/en.yml). You can override these by adding them to your own translations in `config/locale`.
+
 ## Development
 
 Run `bundle install` to setup all development dependencies.

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

@@ -98,11 +98,7 @@ module Doorkeeper
       end
 
       def protocol
-        if ::Rails.env.production?
-          :https
-        else
-          :http
-        end
+        Doorkeeper::OpenidConnect.configuration.protocol.call
       end
     end
   end

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb

@@ -5,7 +5,7 @@ module Doorkeeper
       before_action -> { doorkeeper_authorize! :openid }
 
       def show
-        resource_owner = doorkeeper_token.instance_eval(&Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token)
+        resource_owner = Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token.call(doorkeeper_token)
         user_info = Doorkeeper::OpenidConnect::UserInfo.new(resource_owner, doorkeeper_token.scopes)
         render json: user_info, status: :ok
       end

data/config/locales/en.yml

@@ -2,9 +2,16 @@ en:
   doorkeeper:
     scopes:
       openid: 'Authenticate your account'
+      profile: 'View your profile information'
+      email: 'View your email address'
+      address: 'View your physical address'
+      phone: 'View your phone number'
     errors:
       messages:
         login_required: 'The authorization server requires end-user authentication'
+        consent_required: 'The authorization server requires end-user consent'
+        interaction_required: 'The authorization server requires end-user interaction'
+        account_selection_required: 'The authorization server requires end-user account selection'
     openid_connect:
       errors:
         messages:

data/doorkeeper-openid_connect.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ">= 2.1"
 
   spec.add_runtime_dependency 'doorkeeper', '~> 4.0'
-  spec.add_runtime_dependency 'json-jwt', '~> 1.6.5'
+  spec.add_runtime_dependency 'json-jwt', '~> 1.6'
 
   spec.add_development_dependency 'rspec-rails'
   spec.add_development_dependency 'factory_girl'

data/lib/doorkeeper/openid_connect/claims/claim.rb

@@ -7,18 +7,18 @@ module Doorkeeper
         # http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
         # http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
         STANDARD_CLAIMS = {
-          profile: %w[
+          profile: %i[
             name family_name given_name middle_name nickname preferred_username
             profile picture website gender birthdate zoneinfo locale updated_at
           ],
-          email: %w[ email email_verified ],
-          address: %w[ address ],
-          phone: %w[ phone_number phone_number_verified ],
+          email: %i[ email email_verified ],
+          address: %i[ address ],
+          phone: %i[ phone_number phone_number_verified ],
         }
 
         def initialize(options = {})
-          @name = options[:name]
-          @scope = options[:scope]
+          @name = options[:name].to_sym
+          @scope = options[:scope].to_sym if options[:scope]
 
           # use default scope for Standard Claims
           @scope ||= STANDARD_CLAIMS.find do |_scope, claims|

data/lib/doorkeeper/openid_connect/config.rb

@@ -1,22 +1,15 @@
 module Doorkeeper
   module OpenidConnect
-    class ConfigurationError < StandardError; end
-    class MissingConfiguration < StandardError
-      def initialize
-        super('Configuration for Doorkeeper OpenID Connect missing. Do you have doorkeeper_openid_connect initializer?')
-      end
-    end
-
     def self.configure(&block)
       if Doorkeeper.configuration.orm != :active_record
-        fail ConfigurationError, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
+        fail Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
       end
 
       @config = Config::Builder.new(&block).build
     end
 
     def self.configuration
-      @config || (fail MissingConfiguration)
+      @config || (fail Errors::MissingConfiguration)
     end
 
     class Config
@@ -29,6 +22,10 @@ module Doorkeeper
         def build
           @config
         end
+
+        def jws_public_key(*args)
+          puts "DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+        end
       end
 
       module Option
@@ -95,28 +92,31 @@ module Doorkeeper
       extend Option
 
       option :jws_private_key
-      option :jws_public_key
       option :issuer
 
       option :resource_owner_from_access_token, default: lambda { |*_|
-        fail ConfigurationError, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
+        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
       }
 
       option :auth_time_from_resource_owner, default: lambda { |*_|
-        fail ConfigurationError, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
+        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
       }
 
       option :reauthenticate_resource_owner, default: lambda { |*_|
-        fail ConfigurationError, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
+        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
       }
 
       option :subject, default: lambda { |*_|
-        fail ConfigurationError, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
+        fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
       }
 
       option :expiration, default: 120
 
       option :claims, builder_class: ClaimsBuilder
+
+      option :protocol, default: lambda { |*_|
+        ::Rails.env.production? ? :https : :http
+      }
     end
   end
 end

data/lib/doorkeeper/openid_connect/errors.rb

@@ -0,0 +1,30 @@
+module Doorkeeper
+  module OpenidConnect
+    module Errors
+      class OpenidConnectError < StandardError
+        def error_name
+          self.class.name.demodulize.underscore
+        end
+      end
+
+      # internal errors
+      class InvalidConfiguration < OpenidConnectError; end
+      class MissingConfiguration < OpenidConnectError
+        def initialize
+          super('Configuration for Doorkeeper OpenID Connect missing. Do you have doorkeeper_openid_connect initializer?')
+        end
+      end
+
+      # OAuth 2.0 errors
+      # https://tools.ietf.org/html/rfc6749#section-4.1.2.1
+      class InvalidRequest < OpenidConnectError; end
+
+      # OpenID Connect 1.0 errors
+      # http://openid.net/specs/openid-connect-core-1_0.html#AuthError
+      class LoginRequired < OpenidConnectError; end
+      class ConsentRequired < OpenidConnectError; end
+      class InteractionRequired < OpenidConnectError; end
+      class AccountSelectionRequired < OpenidConnectError; end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect/helpers/controller.rb

@@ -5,42 +5,80 @@ module Doorkeeper
         private
 
         def authenticate_resource_owner!
-          owner = super
-          if validate_prompt_param!(owner) && validate_max_age_param!(owner)
-            owner
-          end
-        end
-
-        def validate_prompt_param!(owner)
-          prompt_values ||= params[:prompt].to_s.split(/ +/)
-          return true unless prompt_values.include?('none') && !owner
+          super.tap do |owner|
+            next unless pre_auth.scopes.include? 'openid'
 
+            handle_prompt_param!(owner)
+            handle_max_age_param!(owner)
+          end
+        rescue Errors::OpenidConnectError => exception
           # clear the previous response body to avoid a DoubleRenderError
           self.response_body = nil
 
           # FIXME: workaround for Rails 5, see https://github.com/rails/rails/issues/25106
           @_response_body = nil
 
-          error = ::Doorkeeper::OAuth::ErrorResponse.new(name: :login_required)
+          error = ::Doorkeeper::OAuth::ErrorResponse.new(name: exception.error_name)
           response.headers.merge!(error.headers)
           render json: error.body, status: error.status
+        end
+
+        def handle_prompt_param!(owner)
+          prompt_values ||= params[:prompt].to_s.split(/ +/).uniq
 
-          false
+          prompt_values.each do |prompt|
+            case prompt
+            when 'none' then
+              raise Errors::InvalidRequest if (prompt_values - [ 'none' ]).any?
+              raise Errors::LoginRequired unless owner
+              raise Errors::ConsentRequired unless matching_tokens_for_resource_owner(owner).present?
+            when 'login' then
+              reauthenticate_resource_owner(owner) if owner
+            when 'consent' then
+              matching_tokens_for_resource_owner(owner).map(&:destroy)
+            when 'select_account' then
+              # TODO: let the user implement this
+              raise Errors::AccountSelectionRequired
+            else
+              raise Errors::InvalidRequest
+            end
+          end
         end
 
-        def validate_max_age_param!(owner)
+        def handle_max_age_param!(owner)
           max_age = params[:max_age].to_i
-          return true unless max_age > 0
+          return unless max_age > 0 && owner
 
           auth_time = instance_exec owner,
             &Doorkeeper::OpenidConnect.configuration.auth_time_from_resource_owner
 
           if !auth_time || (Time.zone.now - auth_time) > max_age
-            instance_exec owner,
-              &Doorkeeper::OpenidConnect.configuration.reauthenticate_resource_owner
-            false
-          else
-            true
+            reauthenticate_resource_owner(owner)
+          end
+        end
+
+        def reauthenticate_resource_owner(owner)
+          return_to = URI.parse(request.path)
+          return_to.query = request.query_parameters.tap do |params|
+            params['prompt'] = params['prompt'].to_s.sub(/\blogin\s*\b/, '').strip
+            params.delete('prompt') if params['prompt'].blank?
+          end.to_query
+
+          instance_exec owner, return_to.to_s,
+            &Doorkeeper::OpenidConnect.configuration.reauthenticate_resource_owner
+
+          raise Errors::LoginRequired unless performed?
+        end
+
+        def matching_tokens_for_resource_owner(owner)
+          # TODO: maybe use Doorkeeper::AccessToken.matching_token_for once
+          # https://github.com/doorkeeper-gem/doorkeeper/pull/907 is merged
+          Doorkeeper::AccessToken.where(
+            application_id: pre_auth.client.id,
+            resource_owner_id: owner.id,
+            revoked_at: nil,
+          ).select do |token|
+            Doorkeeper::AccessToken.scopes_match?(token.scopes, pre_auth.scopes, nil)
           end
         end
       end

data/lib/doorkeeper/openid_connect/id_token.rb

@@ -8,7 +8,7 @@ module Doorkeeper
       def initialize(access_token, nonce = nil)
         @access_token = access_token
         @nonce = nonce
-        @resource_owner = access_token.instance_eval(&Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token)
+        @resource_owner = Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token.call(access_token)
         @issued_at = Time.now
       end
 
@@ -25,7 +25,7 @@ module Doorkeeper
       end
 
       def as_json(*_)
-        claims.reject { |_, value| value.blank? }
+        claims.reject { |_, value| value.nil? || value == '' }
       end
 
       def as_jws_token
@@ -39,7 +39,7 @@ module Doorkeeper
       end
 
       def subject
-        @resource_owner.instance_eval(&Doorkeeper::OpenidConnect.configuration.subject).to_s
+        Doorkeeper::OpenidConnect.configuration.subject.call(@resource_owner).to_s
       end
 
       def audience
@@ -55,7 +55,7 @@ module Doorkeeper
       end
 
       def auth_time
-        @resource_owner.instance_eval(&Doorkeeper::OpenidConnect.configuration.auth_time_from_resource_owner).try(:to_i)
+        Doorkeeper::OpenidConnect.configuration.auth_time_from_resource_owner.call(@resource_owner).try(:to_i)
       end
     end
   end

data/lib/doorkeeper/openid_connect/oauth/authorization/code.rb

@@ -5,7 +5,7 @@ module Doorkeeper
         module Code
           def issue_token
             super.tap do |access_grant|
-              if pre_auth.nonce
+              if pre_auth.nonce.present?
                 ::Doorkeeper::OpenidConnect::Request.create!(
                   access_grant: access_grant,
                   nonce: pre_auth.nonce

data/lib/doorkeeper/openid_connect/user_info.rb

@@ -13,7 +13,7 @@ module Doorkeeper
       end
 
       def as_json(*_)
-        claims
+        claims.reject { |_, value| value.nil? || value == '' }
       end
 
       private
@@ -27,13 +27,13 @@ module Doorkeeper
       def resource_owner_claims
         Doorkeeper::OpenidConnect.configuration.claims.to_h.map do |name, claim|
           if @scopes.exists? claim.scope
-            [name, @resource_owner.instance_eval(&claim.generator)]
+            [name, claim.generator.call(@resource_owner, @scopes)]
           end
         end.compact.to_h
       end
 
       def subject
-        @resource_owner.instance_eval(&Doorkeeper::OpenidConnect.configuration.subject).to_s
+        Doorkeeper::OpenidConnect.configuration.subject.call(@resource_owner).to_s
       end
     end
   end

data/lib/doorkeeper/openid_connect/version.rb

@@ -1,5 +1,5 @@
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.1.0'.freeze
+    VERSION = '1.1.1'.freeze
   end
 end

data/lib/doorkeeper/openid_connect.rb

@@ -7,6 +7,7 @@ require 'doorkeeper/openid_connect/claims/claim'
 require 'doorkeeper/openid_connect/claims/normal_claim'
 require 'doorkeeper/openid_connect/config'
 require 'doorkeeper/openid_connect/engine'
+require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
 require 'doorkeeper/openid_connect/user_info'
 require 'doorkeeper/openid_connect/version'

data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb

@@ -5,12 +5,6 @@ Doorkeeper::OpenidConnect.configure do
 -----BEGIN RSA PRIVATE KEY-----
 ....
 -----END RSA PRIVATE KEY-----
-EOL
-
-  jws_public_key <<-EOL
------BEGIN RSA PUBLIC KEY-----
-....
------END RSA PUBLIC KEY-----
 EOL
 
   resource_owner_from_access_token do |access_token|
@@ -23,9 +17,9 @@ EOL
     # resource_owner.current_sign_in_at
   end
 
-  reauthenticate_resource_owner do |resource_owner|
+  reauthenticate_resource_owner do |resource_owner, return_to|
     # Example implementation:
-    # store_location_for resource_owner, request.fullpath
+    # store_location_for resource_owner, return_to
     # sign_out resource_owner
     # redirect_to new_user_session_url
   end
@@ -35,6 +29,12 @@ EOL
     # resource_owner.key
   end
 
+  # Protocol to use when generating URIs for the discovery endpoint,
+  # for example if you also use HTTPS in development
+  # protocol do
+  #   :https
+  # end
+
   # Expiration time on or after which the ID Token MUST NOT be accepted for processing. (default 120 seconds).
   # expiration 600
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-01 00:00:00.000000000 Z
+date: 2017-01-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.5
+        version: '1.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.5
+        version: '1.6'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
@@ -140,6 +140,7 @@ files:
 - lib/doorkeeper/openid_connect/claims_builder.rb
 - lib/doorkeeper/openid_connect/config.rb
 - lib/doorkeeper/openid_connect/engine.rb
+- lib/doorkeeper/openid_connect/errors.rb
 - lib/doorkeeper/openid_connect/helpers/controller.rb
 - lib/doorkeeper/openid_connect/id_token.rb
 - lib/doorkeeper/openid_connect/oauth/authorization/code.rb
@@ -179,7 +180,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: OpenID Connect extension for Doorkeeper.