doorkeeper-openid_connect 1.1.2 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: eb8f0c135989160ec85abaf36372b7c2c26555dc
-  data.tar.gz: 6e90f7e3ec846f681ca07812dff8598b487d3823
+  metadata.gz: 219908f8f6caf6cde4e1eeec48f764e6492afa08
+  data.tar.gz: ab569c90cf0681143d2c470dcebdb906644f082f
 SHA512:
-  metadata.gz: 151b1bb6832b6d9b9f9a0ef6bd7ff4d964fbd242b65c085050e5a000a5230697bfc028be27158aa618060ca2cc557cc7865279fcf0657a87dd214f3f6e7fdc63
-  data.tar.gz: 0eb9415cb8a01c978d494cefd82fc495bf76230b77e849a979270ce899049bed45c8ee0b7e1e130e41f1fcf2e84814c61a3c8914d48e5ec35ee0591d034a5f64
+  metadata.gz: 47affadec9efd1dd9b81b858b0e1e267a5fdbb5b930331caaa7e237a7312030f4d6ef78264069c6b1f0b21b25a7ca175583db3ca4a9bab48c49c5a5c2bd86837
+  data.tar.gz: 353324e6e880db3ae6af6987a2873173160ed350f41c8f26e38bcb4b6d53a2bac93f4fe2e5a01dd347fc6ab71081a6d6a419c342d90c9aabfcd0f7f683d5aacc

data/.travis.yml

@@ -17,8 +17,9 @@ env:
 
 rvm:
   - 2.1
-  - 2.2.5
-  - 2.3.1
+  - 2.2.7
+  - 2.3.4
+  - 2.4.1
 
 matrix:
   exclude:

data/CHANGELOG.md

@@ -1,6 +1,17 @@
-### Unreleased
+<a name="v1.2.0"></a>
+### v1.2.0 (2017-08-31)
 
-#### Changes
+### Upgrading
+
+- The configuration setting `jws_private_key` was renamed to `signing_key`, you can still use the old name until it's removed in the next major release
+
+### Features
+
+- Support for pairwise subject identifiers (by @travisofthenorth)
+- Support for EC and HMAC signing algorithms (by @110y)
+- Claims now receive an optional third `access_token` argument which allow you to dynamically adjust claim values based on the client's token (by @gigr)
+
+### Bugfixes
 
 <a name="v1.1.2"></a>
 ### v1.1.2 (2017-01-18)

data/CONTRIBUTING.md

@@ -9,7 +9,7 @@ Our first line of defense is the [Travis CI](https://travis-ci.org/doorkeeper-ge
 Create a feature branch:
 
 ```sh
-git checkout -B feat/contributing
+git checkout -B feature/contributing
 ```
 
 ## Creating Good Commits
@@ -47,7 +47,7 @@ We use commit messages as per [Conventional Changelog](https://github.com/conven
 
 Allowed types:
 
-* **feat**: A new feature
+* **feature**: A new feature
 * **fix**: A bug fix
 * **docs**: Documentation only changes
 * **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, newline, line endings, etc)
@@ -59,7 +59,7 @@ Allowed types:
 You can add additional details after a new line to describe the change in detail or automatically close an issue on GitHub.
 
 ```none
-feat: create initial CONTRIBUTING.md
+feature: create initial CONTRIBUTING.md
 
 This closes #73
 ```

data/README.md

@@ -7,7 +7,7 @@
 
 This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
 
-OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect/).
+OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).
 
 ## Table of Contents
 
@@ -87,10 +87,27 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
 - `subject`
   - Identifier for the resource owner (i.e. the authenticated user). A locally unique and never reassigned identifier within the issuer for the end-user, which is intended to be consumed by the client. The value is a case-sensitive string and must not exceed 255 ASCII characters in length.
   - The database ID of the user is an acceptable choice if you don't mind leaking that information.
+  - If you want to provide a different subject identifier to each client, use [pairwise subject identifier](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) with configurations like below.
+
+    ```ruby
+    # config/initializers/doorkeeper_openid_connect.rb 
+    Doorkeeper::OpenidConnect.configure do
+    # ...
+      subject_types_supported [:pairwise]
+
+      subject do |resource_owner, application|
+        Digest::SHA256.hexdigest("#{resource_owner.id}#{URI.parse(application.redirect_uri).host}#{'your_secret_salt'}")
+      end
+    # ...
+    end
+    ```
+
 - `jws_private_key`
-  - Private RSA key for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31).
-  - You can generate a private key with the `openssl` command, see e.g. [Generate a keypair using OpenSSL](https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL).
+  - Private key for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31).
+  - You can generate a private key with the `openssl` command, see e.g. [Generate an RSA keypair using OpenSSL](https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL).
   - You should not commit the key to your repository, but use an external file (in combination with `File.read`) and/or the [dotenv-rails](https://github.com/bkeepers/dotenv) gem (in combination with `ENV[...]`).
+- `signing_algorithm`
+  - The encryption type of the private key which defaults to `:rs256`. The list of supported algorithms can be found [here](https://github.com/nov/json-jwt/wiki/JWE#supported-algorithms)
 - `resource_owner_from_access_token`
   - Defines how to translate the Doorkeeper access token to a resource owner model.
 
@@ -139,7 +156,7 @@ Doorkeeper::OpenidConnect.configure do
       "#{resource_owner.first_name} #{resource_owner.last_name}"
     end
 
-    claim :preferred_username, scope: :openid do |resource_owner, application_scopes|
+    claim :preferred_username, scope: :openid do |resource_owner, application_scopes, access_token|
       # Pass the resource_owner's preferred_username if the application has
       # `profile` scope access. Otherwise, provide a more generic alternative.
       application_scopes.exists?(:profile) ? resource_owner.preferred_username : "summer-sun-9449"

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

@@ -44,14 +44,10 @@ module Doorkeeper
             #'private_key_jwt'
           ],
 
-          # TODO: make this configurable
-          subject_types_supported: [
-            'public',
-          ],
+          subject_types_supported: openid_connect.subject_types_supported,
 
-          # TODO: make this configurable
           id_token_signing_alg_values_supported: [
-            'RS256',
+            ::Doorkeeper::OpenidConnect.signing_algorithm
           ],
 
           claim_types_supported: [
@@ -85,13 +81,13 @@ module Doorkeeper
       end
 
       def keys_response
-        signing_key = Doorkeeper::OpenidConnect.signing_key
+        signing_key = Doorkeeper::OpenidConnect.signing_key_normalized
 
         {
           keys: [
-            signing_key.slice(:kty, :kid, :e, :n).merge(
+            signing_key.merge(
               use: 'sig',
-              alg: Doorkeeper::OpenidConnect::SIGNING_ALGORITHM
+              alg: Doorkeeper::OpenidConnect.signing_algorithm
             )
           ]
         }

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb

@@ -5,9 +5,7 @@ module Doorkeeper
       before_action -> { doorkeeper_authorize! :openid }
 
       def show
-        resource_owner = Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token.call(doorkeeper_token)
-        user_info = Doorkeeper::OpenidConnect::UserInfo.new(resource_owner, doorkeeper_token.scopes)
-        render json: user_info, status: :ok
+        render json: Doorkeeper::OpenidConnect::UserInfo.new(doorkeeper_token), status: :ok
       end
     end
   end

data/lib/doorkeeper/openid_connect/config.rb

@@ -26,6 +26,11 @@ module Doorkeeper
         def jws_public_key(*args)
           puts "DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
         end
+
+        def jws_private_key(*args)
+          puts "DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+          signing_key(*args)
+        end
       end
 
       module Option
@@ -91,8 +96,10 @@ module Doorkeeper
 
       extend Option
 
-      option :jws_private_key
       option :issuer
+      option :signing_key
+      option :signing_algorithm, default: :rs256
+      option :subject_types_supported, default: [:public]
 
       option :resource_owner_from_access_token, default: lambda { |*_|
         fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')

data/lib/doorkeeper/openid_connect/id_token.rb

@@ -29,7 +29,10 @@ module Doorkeeper
       end
 
       def as_jws_token
-        JSON::JWT.new(as_json).sign(Doorkeeper::OpenidConnect.signing_key).to_s
+        JSON::JWT.new(as_json).sign(
+          Doorkeeper::OpenidConnect.signing_key,
+          Doorkeeper::OpenidConnect.signing_algorithm
+        ).to_s
       end
 
       private
@@ -39,7 +42,7 @@ module Doorkeeper
       end
 
       def subject
-        Doorkeeper::OpenidConnect.configuration.subject.call(@resource_owner).to_s
+        Doorkeeper::OpenidConnect.configuration.subject.call(@resource_owner, @access_token.application).to_s
       end
 
       def audience

data/lib/doorkeeper/openid_connect/user_info.rb

@@ -3,9 +3,8 @@ module Doorkeeper
     class UserInfo
       include ActiveModel::Validations
 
-      def initialize(resource_owner, scopes)
-        @resource_owner = resource_owner
-        @scopes = scopes
+      def initialize(access_token)
+        @access_token = access_token
       end
 
       def claims
@@ -26,14 +25,26 @@ module Doorkeeper
 
       def resource_owner_claims
         Doorkeeper::OpenidConnect.configuration.claims.to_h.map do |name, claim|
-          if @scopes.exists? claim.scope
-            [name, claim.generator.call(@resource_owner, @scopes)]
+          if scopes.exists? claim.scope
+            [name, claim.generator.call(resource_owner, scopes, @access_token)]
           end
         end.compact.to_h
       end
 
       def subject
-        Doorkeeper::OpenidConnect.configuration.subject.call(@resource_owner).to_s
+        Doorkeeper::OpenidConnect.configuration.subject.call(resource_owner, application).to_s
+      end
+
+      def resource_owner
+        @resource_owner ||= Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token.call(@access_token)
+      end
+
+      def application
+        @application ||= @access_token.application
+      end
+
+      def scopes
+        @scopes ||= @access_token.scopes
       end
     end
   end

data/lib/doorkeeper/openid_connect/version.rb

@@ -1,5 +1,5 @@
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.1.2'.freeze
+    VERSION = '1.2.0'.freeze
   end
 end

data/lib/doorkeeper/openid_connect.rb

@@ -26,11 +26,30 @@ require 'doorkeeper/openid_connect/rails/routes'
 
 module Doorkeeper
   module OpenidConnect
-    # TODO: make this configurable
-    SIGNING_ALGORITHM = 'RS256'.freeze
+    def self.signing_algorithm
+      configuration.signing_algorithm.to_s.upcase.to_sym
+    end
 
     def self.signing_key
-      JSON::JWK.new(OpenSSL::PKey.read(configuration.jws_private_key))
+      key =
+        if [:HS256, :HS384, :HS512].include?(signing_algorithm)
+          configuration.signing_key
+        else
+          OpenSSL::PKey.read(configuration.signing_key)
+        end
+      JSON::JWK.new(key)
+    end
+
+    def self.signing_key_normalized
+      key = signing_key
+      case key[:kty].to_sym
+      when :RSA
+        key.slice(:kty, :kid, :e, :n)
+      when :EC
+        key.slice(:kty, :kid, :x, :y)
+      when :oct
+        key.slice(:kty, :kid)
+      end
     end
   end
 end

data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb

@@ -1,12 +1,14 @@
 Doorkeeper::OpenidConnect.configure do
   issuer 'issuer string'
 
-  jws_private_key <<-EOL
+  signing_key <<-EOL
 -----BEGIN RSA PRIVATE KEY-----
 ....
 -----END RSA PRIVATE KEY-----
 EOL
 
+  subject_types_supported [:public]
+
   resource_owner_from_access_token do |access_token|
     # Example implementation:
     # User.find_by(id: access_token.resource_owner_id)
@@ -24,9 +26,12 @@ EOL
     # redirect_to new_user_session_url
   end
 
-  subject do |resource_owner|
+  subject do |resource_owner, application|
     # Example implementation:
-    # resource_owner.key
+    # resource_owner.id
+
+    # or if you need pairwise subject identifier, implement like below:
+    # Digest::SHA256.hexdigest("#{resource_owner.id}#{URI.parse(application.redirect_uri).host}#{'your_secret_salt'}")
   end
 
   # Protocol to use when generating URIs for the discovery endpoint,

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.2.0
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-18 00:00:00.000000000 Z
+date: 2017-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -180,7 +180,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.10
 signing_key: 
 specification_version: 4
 summary: OpenID Connect extension for Doorkeeper.