doorkeeper-openid_connect 1.7.4 → 1.7.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1c45a5eaa2846559e44cfc7d7526c18dafaca9bec5bad06eead06983819ad6c
-  data.tar.gz: 7705035b123d843861e8850854ce9a06d8b4dd4f21f478785aac050509f0e891
+  metadata.gz: 8faf5bba278059c030aab079426353b543baa68bc374991f6ba243454cd09aac
+  data.tar.gz: 06f56eb8b593086cc03fee056efb4d82447fd40cdd341b354ed371fde47dec63
 SHA512:
-  metadata.gz: dec4fdd4c2be0301a8b812c710055fa610567902a023a84c83615edf3390e0ea135cc520de315f18091e165536d0e27553d8a83eddd7f9485f2a2fd926304197
-  data.tar.gz: 287118857266949e24cb44ca74cc3762277baffe08e010e687b9f5fa886f0d74b1dc328cdce88de887ec3794247a49ddc7abb5fc725c12780fa05c0e292b81e6
+  metadata.gz: d40202cdca7cddf5606674a4c08a4894ba9be7f8ec072520c73e81e1da48c87ba3e1c95573e0baa1ddcccaa20201eeb76d9af947e3f772223f2a4c658c730e92
+  data.tar.gz: a36e15a4cdc316a82a67cc842731149ec5522e27dc21569d2c33bdbe292afc5bc81d6c4f93679c0b7ada133dcfb5e43ae4250470709a58371664f83d983e38bb

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 ## Unreleased
 
+## v1.7.5 (2020-12-15)
+
+### Changes
+
+- [#126] Add discovery_url_options option for discovery endpoints URL generation (thanks to @phlegx)
+
+### Bugfixes
+
+- [#123] Remove reference to ApplicationRecord (thanks to @wheeyls)
+- [#124] Clone doorkeeper.grant_flows array before appending 'refresh_token' (thanks to @davidbasalla)
+- [#129] Avoid to use the config alias while supporting Doorkeeper 5.2 (thanks to @kymmt90)
+
 ## v1.7.4 (2020-07-06)
 
 - [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)

data/README.md

@@ -161,6 +161,35 @@ The following settings are optional:
   - Used by implementations like https://github.com/IdentityModel/oidc-client-js.
   - The block is executed in the controller's scope, so you have access to your route helpers.
 
+- `discovery_url_options`
+  - The URL options for every available endpoint to use when generating the endpoint URL in the
+    discovery response. Available endpoints: `authorization`, `token`, `revocation`,
+    `introspection`, `userinfo`, `jwks`, `webfinger`.
+  - This option requires option keys with an available endpoint and
+    [URL options](https://api.rubyonrails.org/v6.0.3.3/classes/ActionDispatch/Routing/UrlFor.html#method-i-url_for)
+    as value.
+  - The default is to use the request host, just like all the other URLs in the discovery response.
+  - This is useful when you want endpoints to use a different URL than other requests.
+    For example, if your Doorkeeper server is behind a firewall with other servers, you might want
+    other servers to use an "internal" URL to communicate with Doorkeeper, but you want to present
+    an "external" URL to end-users for authentication requests. Note that this setting does not
+    actually change the URL that your Doorkeeper server responds on - that is outside the scope of
+    Doorkeeper.
+
+    ```ruby
+    # config/initializers/doorkeeper_openid_connect.rb
+    Doorkeeper::OpenidConnect.configure do
+    # ...
+      discovery_url_options do |request|
+        {
+          authorization: { host: 'host.example.com' },
+          jwks:          { protocol: request.ssl? ? :https : :http }
+        }
+      end
+    # ...
+    end
+    ```
+
 ### Scopes
 
 To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

@@ -26,12 +26,12 @@ module Doorkeeper
         openid_connect = ::Doorkeeper::OpenidConnect.configuration
         {
           issuer: openid_connect.issuer,
-          authorization_endpoint: oauth_authorization_url(protocol: protocol),
-          token_endpoint: oauth_token_url(protocol: protocol),
-          revocation_endpoint: oauth_revoke_url(protocol: protocol),
-          introspection_endpoint: oauth_introspect_url(protocol: protocol),
-          userinfo_endpoint: oauth_userinfo_url(protocol: protocol),
-          jwks_uri: oauth_discovery_keys_url(protocol: protocol),
+          authorization_endpoint: oauth_authorization_url(authorization_url_options),
+          token_endpoint: oauth_token_url(token_url_options),
+          revocation_endpoint: oauth_revoke_url(revocation_url_options),
+          introspection_endpoint: oauth_introspect_url(introspection_url_options),
+          userinfo_endpoint: oauth_userinfo_url(userinfo_url_options),
+          jwks_uri: oauth_discovery_keys_url(jwks_url_options),
           end_session_endpoint: instance_exec(&openid_connect.end_session_endpoint),
 
           scopes_supported: doorkeeper.scopes,
@@ -71,7 +71,7 @@ module Doorkeeper
       end
 
       def grant_types_supported(doorkeeper)
-        grant_types_supported = doorkeeper.grant_flows
+        grant_types_supported = doorkeeper.grant_flows.dup
         grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
         grant_types_supported
       end
@@ -82,7 +82,7 @@ module Doorkeeper
           links: [
             {
               rel: WEBFINGER_RELATION,
-              href: root_url(protocol: protocol),
+              href: root_url(webfinger_url_options),
             }
           ]
         }
@@ -104,6 +104,22 @@ module Doorkeeper
       def protocol
         Doorkeeper::OpenidConnect.configuration.protocol.call
       end
+
+      def discovery_url_options
+        Doorkeeper::OpenidConnect.configuration.discovery_url_options.call(request)
+      end
+
+      def discovery_url_default_options
+        {
+          protocol: protocol
+        }
+      end
+
+      %i[authorization token revocation introspection userinfo jwks webfinger].each do |endpoint|
+        define_method :"#{endpoint}_url_options" do
+          discovery_url_default_options.merge(discovery_url_options[endpoint.to_sym] || {})
+        end
+      end
     end
   end
 end

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb

@@ -3,7 +3,7 @@
 module Doorkeeper
   module OpenidConnect
     class UserinfoController < ::Doorkeeper::ApplicationController
-      unless Doorkeeper.config.api_only
+      unless Doorkeeper.configuration.api_only
         skip_before_action :verify_authenticity_token
       end
       before_action -> { doorkeeper_authorize! :openid }

data/lib/doorkeeper/openid_connect/config.rb

@@ -134,6 +134,10 @@ module Doorkeeper
       option :end_session_endpoint, default: lambda { |*_|
         nil
       }
+
+      option :discovery_url_options, default: lambda { |*_|
+        {}
+      }
     end
   end
 end

data/lib/doorkeeper/openid_connect/orm/active_record/request.rb

@@ -2,7 +2,7 @@
 
 module Doorkeeper
   module OpenidConnect
-    class Request < ApplicationRecord
+    class Request < ::ActiveRecord::Base
       self.table_name = "#{table_name_prefix}oauth_openid_requests#{table_name_suffix}".to_sym
 
       validates :access_grant_id, :nonce, presence: true

data/lib/doorkeeper/openid_connect/version.rb

@@ -2,6 +2,6 @@
 
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.7.4'
+    VERSION = '1.7.5'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.7.4
+  version: 1.7.5
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-06 00:00:00.000000000 Z
+date: 2020-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -186,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: OpenID Connect extension for Doorkeeper.