gitlab-omniauth-openid-connect 0.4.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ba1a1f85a4f4302aa277a818b0c6f1a19f0aa09bd10815a6cc339cbc8e19b630
+  data.tar.gz: 91ded3eb14016b4ee15823b34e8c2b6960e7bafbcb5812596722c469b101e91f
+SHA512:
+  metadata.gz: 7f89ac2119d55244bec0c7a5f1b155b082e2e8c8d9f66ff54dbda173e167872847898d53b0d6cf6eb5d670c3d262ebfe1a0632bc25cfaf5ef178b586cae62de8
+  data.tar.gz: e29da0221ea0895ce5951239ffc347669ceff53b8574a9e463ee00392c5aec032d61ea9544b0f4ee47395e440c3c2ddde0ed42ecfe54daa78e4cb204d1c8f2d9

data/.github/config/rubocop_linter_action.yml

@@ -0,0 +1,59 @@
+# Description: The name of the check that will be created.
+# Valid Options: A reasonably sized string.
+# Default: 'Rubocop Action'
+check_name: 'Rubocop Results'
+
+# Description: Versions required to run your RuboCop checks.
+# Valid options: RuboCop and any RuboCop extension, by default the latest gem version will be used. You can explicitly state that
+# (not required) or use a version number, like '1.5.1'.
+# Default:
+#   versions:
+#     - rubocop: 'latest'
+versions:
+  - rubocop
+  - rubocop-minitest
+  - rubocop-performance: '1.5.1'
+
+# Description: Rubocop configuration file path relative to the workspace.
+# Valid options: A valid file path inside of the workspace.
+# Default: nil
+# Note: This does not need to be filled out for Rubocop to still find your config.
+# Resource: https://rubocop.readthedocs.io/en/stable/configuration/
+rubocop_config_path: '.rubocop.yml'
+
+# Run all cops enabled by configuration except this list.
+# Valid options: list of valid cop(s) and/or departments.
+# Default: nil
+# Resource: https://rubocop.readthedocs.io/en/stable/cops/
+# rubocop_excluded_cops:
+#   - 'Style/FrozenStringLiteralComment'
+
+# Minimum severity for exit with error code
+# Valid options: 'refactor', 'convention', 'warning', 'error', or 'fatal'.
+# Default: 'warning'
+# Resource: https://rubocop.readthedocs.io/en/stable/configuration/#severity
+# rubocop_fail_level: 'warning'
+
+# Whether or not to use --force-exclusion when building the rubocop command. Use this if you are only linting modified
+# files and typically excluded files have been changed. For example, if you exclude db/schema.rb in your rubocop.yml
+# but a change gets made, then with the check_scope config set to 'modified' rubocop will lint db/schema.rb. If you set
+# this to true, rubocop will ignore it.
+# Valid options: true || false
+# Default: false
+
+# Instead of installing gems from rubygems, we can run `bundle install` on your project,
+# you would need to do this if you are using something like 'rubocop-github' or if you don't
+# want to list out dependencies with the `versions` key.
+# Valid options: true || false
+# Default: false
+# bundle: false
+
+# The scope of code that Rubocop should lint. Use this if you only want to lint changed files. If this is not set
+# or not equal to 'modified', Rubocop is run against the entire codebase. Note that this will not work on the master branch.
+# Valid options: 'modified'
+# Default: nil
+
+# The base branch against which changes will be compared, if check_scope config is set to 'modified'.
+# This setting is not used if check_scope != 'modified'.
+# Valid options: 'origin/another_branch'
+# Default: 'origin/master'

data/.github/stale.yml

@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

data/.github/workflows/rubocop.yml

@@ -0,0 +1,22 @@
+name: Rubocop check
+
+on:
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    name: RuboCop Action
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Action
+      uses: actions/checkout@v1
+    - name: Rubocop Linter Action
+      uses: andrewmcodes/rubocop-linter-action@v3.2.0
+      with:
+        action_config_path: '.github/config/rubocop_linter_action.yml'
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+*.rbc
+.bundle
+.config
+.idea
+.yardoc
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.ruby-version
+.ruby-gemset
+Gemfile.lock

data/.gitlab-ci.yml

@@ -0,0 +1,27 @@
+.test-template: &test
+  cache:
+    paths:
+      - vendor/ruby
+  before_script:
+    - gem install bundler --no-document
+    - bundle config set --local path 'vendor/ruby'
+    - bundle install -j $(nproc) --path vendor  # Install dependencies into ./vendor/ruby
+    - ruby -v                                   # Print out ruby version for debugging
+  script:
+    - bundle exec rake test
+
+rspec-2.5:
+  image: "ruby:2.5"
+  <<: *test
+
+rspec-2.6:
+  image: "ruby:2.6"
+  <<: *test
+
+rspec-2.7:
+  image: "ruby:2.7"
+  <<: *test
+
+rspec-3.0:
+  image: "ruby:3.0"
+  <<: *test

data/.rubocop.yml

@@ -0,0 +1,58 @@
+LineLength:
+  Description: 'Limit lines to 130 characters.'
+  Max: 130
+
+Layout/SpaceInsideStringInterpolation:
+  Enabled: false
+
+Layout/MultilineOperationIndentation:
+  EnforcedStyle: indented
+
+StringLiterals:
+  EnforcedStyle: single_quotes
+
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/SafeNavigation:
+  Enabled: false
+
+Style/EmptyMethod:
+  Description: 'Checks the formatting of empty method definitions.'
+  StyleGuide: '#no-single-line-methods'
+  Enabled: false
+
+HashSyntax:
+  Description: "Prefer Ruby 1.9 hash syntax { a: 1, b: 2 } over 1.8 syntax\n{ :a => 1, :b => 2 }"
+  EnforcedStyle: ruby19
+  Enabled: true
+
+RedundantBegin:
+  Enabled: true
+
+Documentation:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 50
+
+Metrics/CyclomaticComplexity:
+  Max: 50
+
+Metrics/PerceivedComplexity:
+  Max: 15
+
+Metrics/BlockLength:
+  Max: 40
+
+Metrics/MethodLength:
+  Max: 45
+
+AllCops:
+  Exclude:
+    - bin/**/*
+    - Rakefile
+    - config/**/*
+    - test/**/*

data/.travis.yml

@@ -0,0 +1,9 @@
+language: ruby
+rvm:
+  - 2.4
+  - 2.5
+  - 2.6
+  - 2.7
+  - 3.0
+  - jruby-head
+  - ruby-head

data/CHANGELOG.md

@@ -0,0 +1,53 @@
+# v0.4.0 (04.23.2021)
+
+- [Fetch key from JWKS URI if available](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/3)
+- [Fix handling of JWT without key ID](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/2)
+- [Add .gitlab-ci.yml and test with Ruby 3.0](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/1)
+
+# v0.3.5 (07.06.2020)
+
+- bugfix: Info from decoded id_token is not exposed into `request.env['omniauth.auth']` [#61](https://github.com/m0n9oose/omniauth_openid_connect/pull/61)
+- bugfix: NoMethodError (`undefined method 'count' for #<OpenIDConnect::ResponseObject::IdToken>`) [#60](https://github.com/m0n9oose/omniauth_openid_connect/pull/60)
+
+# v0.3.4 (21.05.2020)
+
+- Try to verify id_token when response_type is code [#44](https://github.com/m0n9oose/omniauth_openid_connect/pull/44)
+- Provide more information on error [#49](https://github.com/m0n9oose/omniauth_openid_connect/pull/49)
+- Update configuration documentation [#53](https://github.com/m0n9oose/omniauth_openid_connect/pull/53)
+- Add documentation about the send_scope_to_token_endpoint config property [#52](https://github.com/m0n9oose/omniauth_openid_connect/pull/52)
+- refactor: take uid_field from raw_attributes [#54](https://github.com/m0n9oose/omniauth_openid_connect/pull/54)
+- chore(ci): add 2.7, ruby-head and jruby-head [#55](https://github.com/m0n9oose/omniauth_openid_connect/pull/55)
+
+# v0.3.3 (09.11.2019)
+
+- Pass `acr_values` to authorize url [#43](https://github.com/m0n9oose/omniauth_openid_connect/pull/43)
+- Add raw info for id token [#42](https://github.com/m0n9oose/omniauth_openid_connect/pull/42)
+- Fixed `id_token` verification when `id_token` is not used [#41](https://github.com/m0n9oose/omniauth_openid_connect/pull/41)
+- Cast `response_type` to string when checking if it is set in params [#36](https://github.com/m0n9oose/omniauth_openid_connect/pull/36)
+- Support both symbol and string version of `response_type` option [#35](https://github.com/m0n9oose/omniauth_openid_connect/pull/35)
+- Fix gemspec homepage [#33](https://github.com/m0n9oose/omniauth_openid_connect/pull/33)
+- Add support for `response_type` `id_token` [#32](https://github.com/m0n9oose/omniauth_openid_connect/pull/32)
+
+# v0.3.2 (03.08.2019)
+
+- Use response_mode in `authorize_uri` if the option is defined [#30](https://github.com/m0n9oose/omniauth_openid_connect/pull/30)
+- Move verification of `id_token` to before accessing tokens [#28](https://github.com/m0n9oose/omniauth_openid_connect/pull/28)
+- Update omniauth dependency [#26](https://github.com/m0n9oose/omniauth_openid_connect/pull/26)
+
+# v0.3.1 (08.06.2019)
+
+- Set default OmniAuth name to openid_connect [#23](https://github.com/m0n9oose/omniauth_openid_connect/pull/23)
+
+# v0.3.0 (27.04.2019)
+
+- RP-Initiated Logout phase [#5](https://github.com/m0n9oose/omniauth_openid_connect/pull/5)
+- Allows `ui_locales`, `claims_locales` and `login_hint` as request params [#6](https://github.com/m0n9oose/omniauth_openid_connect/pull/6)
+- Make uid label configurable [#11](https://github.com/m0n9oose/omniauth_openid_connect/pull/11)
+- Allow rails applications to handle state mismatch [#14](https://github.com/m0n9oose/omniauth_openid_connect/pull/14)
+- Handle errors when fetching access_token at callback_phase [#17](https://github.com/m0n9oose/omniauth_openid_connect/pull/17)
+- Allow state method to receive env [#19](https://github.com/m0n9oose/omniauth_openid_connect/pull/19)
+
+# v0.2.4 (06.01.2019)
+
+- Prompt and login hint [#4](https://github.com/m0n9oose/omniauth_openid_connect/pull/4)
+- Bump openid_connect dependency [#9](https://github.com/m0n9oose/omniauth_openid_connect/pull/9)

data/Gemfile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gemspec

data/Guardfile

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard 'minitest' do
+  # with Minitest::Unit
+  watch(%r{^test/(.*)\/(.*)_test\.rb})
+  watch(%r{^lib/(.*)\.rb}) { |m| "test/lib/#{m[1]}_test.rb" }
+  watch(%r{^test/test_helper\.rb}) { 'test' }
+end
+
+guard :bundler do
+  watch('Gemfile')
+  watch(/^.+\.gemspec/)
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 John Bohn
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,130 @@
+# OmniAuth::OpenIDConnect
+
+This project was forked from
+[m0n9oose/omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect)
+since a number of important bug fixes have not been merged in the past year.
+
+Originally was [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect)
+
+I've forked this repository and launch as separate gem because maintaining of original was dropped.
+
+[![Build Status](https://travis-ci.org/m0n9oose/omniauth_openid_connect.png?branch=master)](https://travis-ci.org/m0n9oose/omniauth_openid_connect)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'gitlab-omniauth-openid-connect', require: 'omniauth_openid_connect'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install omniauth_openid_connect
+
+## Supported Ruby Versions
+
+OmniAuth::OpenIDConnect is tested under 2.4, 2.5, 2.6, 2.7
+
+## Usage
+
+Example configuration
+```ruby
+config.omniauth :openid_connect, {
+  name: :my_provider,
+  scope: [:openid, :email, :profile, :address],
+  response_type: :code,
+  uid_field: "preferred_username",
+  client_options: {
+    port: 443,
+    scheme: "https",
+    host: "myprovider.com",
+    identifier: ENV["OP_CLIENT_ID"],
+    secret: ENV["OP_SECRET_KEY"],
+    redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
+  },
+}
+```
+
+### Options Overview
+
+| Field                        | Description                                                                                                                                                   | Required | Default                    | Example/Options                                     |
+|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------|-----------------------------------------------------|
+| name                         | Arbitrary string to identify connection and identify it from other openid_connect providers                                                                                                                        | no       | String: openid_connect     | :my_idp                                             |
+| issuer                       | Root url for the authorization server                                                                                                                         | yes      |                            | https://myprovider.com                              |
+| discovery                    | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no       | false                      | one of: true, false                                 |
+| client_auth_method           | Which authentication method to use to authenticate your app with the authorization server                                                                     | no       | Sym: basic                 | "basic", "jwks"                                     |
+| scope                        | Which OpenID scopes to include (:openid is always required)                                                                                                   | no       | Array<sym> [:openid]       | [:openid, :profile, :email]                         |
+| response_type                | Which OAuth2 response type to use with the authorization request                                                                                              | no       | String: code               | one of: 'code', 'id_token'                          |
+| state                        | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string.                                        | no       | Random 16 character string | Proc.new { SecureRandom.hex(32) }                   |
+| response_mode                | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)                                                              | no       | nil                        | one of: :query, :fragment, :form_post, :web_message |
+| display                      | An optional parameter to the authorization request to determine how the authorization and consent page                                                        | no       | nil                        | one of: :page, :popup, :touch, :wap                 |
+| prompt                       | An optional parameter to the authrization request to determine what pages the user will be shown                                                              | no       | nil                        | one of: :none, :login, :consent, :select_account    |
+| send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint?                                                                                       | no       | true                       | one of: true, false                                 |
+| post_logout_redirect_uri     | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                   | no       | empty                      | https://myapp.com/logout/callback                   |
+| uid_field                    | The field of the user info response to be used as a unique id                                                                                                 | no       | 'sub'                      | "sub", "preferred_username"                         |
+| client_options               | A hash of client options detailed in its own section                                                                                                          | yes      |                            |                                                     |
+
+### Client Config Options
+
+These are the configuration options for the client_options hash of the configuration.
+
+| Field                  | Description                                                     | Default    | Replaced by discovery? |
+|------------------------|-----------------------------------------------------------------|------------|------------------------|
+| identifier             | The OAuth2 client_id                                            |            |                        |
+| secret                 | The OAuth2 client secret                                        |            |                        |
+| redirect_uri           | The OAuth2 authorization callback url in your app               |            |                        |
+| scheme                 | The http scheme to use                                          | https      |                        |
+| host                   | The host of the authorization server                            | nil        |                        |
+| port                   | The port for the authorization server                           | 443        |                        |
+| authorization_endpoint | The authorize endpoint on the authorization server              | /authorize | yes                    |
+| token_endpoint         | The token endpoint on the authorization server                  | /token     | yes                    |
+| userinfo_endpoint      | The user info endpoint on the authorization server              | /userinfo  | yes                    |
+| jwks_uri               | The jwks_uri on the authorization server                        | /jwk       | yes                    |
+| end_session_endpoint   | The url to call to log the user out at the authorization server | nil        | yes                    |
+
+### Additional Configuration Notes
+  * `name` is arbitrary, I recommend using the name of your provider. The name
+  configuration exists because you could be using multiple OpenID Connect
+  providers in a single app.
+
+  **NOTE**: if you use this gem with Devise you should use `:openid_connect` name,
+  or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'
+
+  * `response_type` tells the authorization server which grant type the application wants to use,
+  currently, only `:code` (Authorization Code grant) and `:id_token` (Implicit grant) are valid.
+  * If you want to pass `state` paramete by yourself. You can set Proc Object.
+  e.g. `state: Proc.new { SecureRandom.hex(32) }`
+  * `nonce` is optional. If don't want to pass "nonce" parameter to provider, You should specify
+  `false` to `send_nonce` option. (default true)
+  * Support for other client authentication methods. If don't specified
+  `:client_auth_method` option, automatically set `:basic`.
+  * Use "OpenID Connect Discovery", You should specify `true` to `discovery` option. (default false)
+  * In "OpenID Connect Discovery", generally provider should have Webfinger endpoint.
+  If provider does not have Webfinger endpoint, You can specify "Issuer" to option.
+  e.g. `issuer: "https://myprovider.com"`
+  It means to get configuration from "https://myprovider.com/.well-known/openid-configuration".
+  * The uid is by default using the `sub` value from the `user_info` response,
+  which in some applications is not the expected value. To avoid such limitations, the uid label can be
+  configured by providing the omniauth `uid_field` option to a different label (i.e. `preferred_username`)
+  that appears in the `user_info` details.
+  * The `issuer` property should exactly match the provider's issuer link.
+  * The `response_mode` option is optional and specifies how the result of the authorization request is formatted.
+  * Some OpenID Connect providers require the `scope` attribute in requests to the token endpoint, even if
+  this is not in the protocol specifications. In those cases, the `send_scope_to_token_endpoint`
+  property can be used to add the attribute to the token request. Initial value is `true`, which means that the
+  scope attribute is included by default.
+
+For the full low down on OpenID Connect, please check out
+[the spec](http://openid.net/specs/openid-connect-core-1_0.html).
+
+## Contributing
+
+1. Fork it ( http://github.com/m0n9oose/omniauth-openid-connect/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Cover your changes with tests and make sure they're green (`bundle install && bundle exec rake test`)
+4. Commit your changes (`git commit -am 'Add some feature'`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create new Pull Request