gitlab-omniauth-openid-connect 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cee603f7fbf49710ecee6e6953ca205feb9620c25dc9d865d7b44dda22a7b0dc
-  data.tar.gz: 18ecc1ef7a21e86a2e2554d10d3a95dc2c9dcd26cf0a66509f931a62ce0b4e7d
+  metadata.gz: 13c881e6fc6d97b86a4608afaac9f44737d83650de5f00bb102deab1dc723c89
+  data.tar.gz: 3f116b19d3759309dfd6369671dffdddafe5362c3ecf9c4db16cc25c58b6c4ee
 SHA512:
-  metadata.gz: 2959c9ee30ca4e8c84b57f578d142744fea140c94c60daafcefb83c6aabfb707610f47c9f1ae2186033bf98d992e799614c24760393a63ce03473a1fb4301e77
-  data.tar.gz: 1fd6fb3c3d009d011ca4fd595756ea6d46d34d7ad8a0fc93d4921684f0e4cec92b1e20a4ecc1d49beaa28eff6731e02df616e2f7f99e3ec4419273a179aeb139
+  metadata.gz: 80d59151cc0657817732e4d85bdee536fa328c40fc0a16b379172c88b62fc7bd25bfc156a7e10885c16277a0a83984f6e34e6223c47cc746cceaa9c264c7d20f
+  data.tar.gz: 251bbd0f19557183b39c72cc679579ce1550573786bfd41fa213f265e19158f27d491309a6199cdebf081c8ba72bffc6a11d9a25a68d0d7b7bfeac113880c061

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# v0.6.0 (07.08.2021)
+
+- [Support verification of HS256-signed JWTs](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/8)
+
 # v0.5.0 (05.07.2021)
 
 - [Add email_verified field to info dict](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/7)

data/lib/omniauth/openid_connect/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module OpenIDConnect
-    VERSION = '0.5.0'
+    VERSION = '0.6.0'
   end
 end

data/lib/omniauth/strategies/openid_connect.rb

@@ -236,31 +236,55 @@ module OmniAuth
         @access_token
       end
 
+      # Unlike ::OpenIDConnect::ResponseObject::IdToken.decode, this
+      # method splits the decoding and verification of JWT into two
+      # steps. First, we decode the JWT without verifying it to
+      # determine the algorithm used to sign. Then, we verify it using
+      # the appropriate public key (e.g. if algorithm is RS256) or
+      # shared secret (e.g. if algorithm is HS256).  This works around a
+      # limitation in the openid_connect gem:
+      # https://github.com/nov/openid_connect/issues/61
       def decode_id_token(id_token)
-        decode!(id_token, public_key)
+        decoded = JSON::JWT.decode(id_token, :skip_verification)
+        algorithm = decoded.algorithm.to_sym
+
+        keyset =
+          case algorithm
+          when :RS256, :RS384, :RS512
+            public_key
+          when :HS256, :HS384, :HS512
+            client_options.secret
+          end
+
+        decoded.verify!(keyset)
+        ::OpenIDConnect::ResponseObject::IdToken.new(decoded)
       rescue JSON::JWK::Set::KidNotFound
-        # Either the JWT doesn't have kid specified or the set of keys doesn't
-        # have a matching key. Since we can't tell the first case from the second,
-        # try each key individually to see if one works.
+        # If the JWT has a key ID (kid), then we know that the set of
+        # keys supplied doesn't contain the one we want, and we're
+        # done. However, if there is no kid, then we try each key
+        # individually to see if one works:
         # https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
-        decoded = decode_with_each_key!(id_token)
+        raise if decoded&.header&.key?('kid')
+
+        decoded = decode_with_each_key!(id_token, keyset)
 
         raise unless decoded
 
         decoded
+
       end
 
       def decode!(id_token, key)
         ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, key)
       end
 
-      def decode_with_each_key!(id_token)
-        return unless public_key.is_a?(JSON::JWK::Set)
+      def decode_with_each_key!(id_token, keyset)
+        return unless keyset.is_a?(JSON::JWK::Set)
 
-        public_key.each do |key|
+        keyset.each do |key|
           begin
             decoded = decode!(id_token, key)
-          rescue JSON::JWS::VerificationFailed
+          rescue JSON::JWS::VerificationFailed, JSON::JWS::UnexpectedAlgorithm, JSON::JWS::UnknownAlgorithm
             next
           end
 
@@ -304,7 +328,7 @@ module OmniAuth
       end
 
       def key_or_secret
-        @key_or_secret ||=
+        @key_or_secret ||= begin
           case options.client_signing_alg&.to_sym
           when :HS256, :HS384, :HS512
             client_options.secret
@@ -315,6 +339,7 @@ module OmniAuth
               parse_x509_key(options.client_x509_signing_key)
             end
           end
+        end
       end
 
       def parse_x509_key(key)

data/test/lib/omniauth/strategies/openid_connect_test.rb

@@ -168,7 +168,7 @@ module OmniAuth
 
         strategy.options.issuer = 'example.com'
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_s
         strategy.options.response_type = 'code'
 
         strategy.unstub(:user_info)
@@ -177,7 +177,7 @@ module OmniAuth
         access_token.stubs(:refresh_token)
         access_token.stubs(:expires_in)
         access_token.stubs(:scope)
-        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        access_token.stubs(:id_token).returns(jwt.to_s)
         client.expects(:access_token!).at_least_once.returns(access_token)
         access_token.expects(:userinfo!).returns(user_info)
 
@@ -192,14 +192,13 @@ module OmniAuth
       end
 
       def test_callback_phase_with_id_token
-        code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
-        request.stubs(:params).returns('id_token' => code, 'state' => state)
+        request.stubs(:params).returns('id_token' => jwt.to_s, 'state' => state)
         request.stubs(:path_info).returns('')
 
         strategy.options.issuer = 'example.com'
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_json
         strategy.options.response_type = 'id_token'
 
         strategy.unstub(:user_info)
@@ -208,7 +207,7 @@ module OmniAuth
         access_token.stubs(:refresh_token)
         access_token.stubs(:expires_in)
         access_token.stubs(:scope)
-        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        access_token.stubs(:id_token).returns(jwt.to_s)
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
         id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
@@ -221,14 +220,32 @@ module OmniAuth
       end
 
       def test_callback_phase_with_id_token_no_kid
-        rsa_private = OpenSSL::PKey::RSA.generate(2048)
         other_rsa_private = OpenSSL::PKey::RSA.generate(2048)
 
-        key = JSON::JWK.new(rsa_private)
+        key = JSON::JWK.new(private_key)
         other_key = JSON::JWK.new(other_rsa_private)
-        token = JSON::JWT.new(payload).sign(rsa_private, :RS256).to_s
         state = SecureRandom.hex(16)
-        request.stubs(:params).returns('id_token' => token, 'state' => state)
+        request.stubs(:params).returns('id_token' => jwt.to_s, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = issuer
+        strategy.options.client_signing_alg = :RS256
+        strategy.options.client_jwk_signing_key = { 'keys' => [other_key, key] }.to_json
+        strategy.options.response_type = 'id_token'
+
+        strategy.unstub(:user_info)
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_id_token_with_kid
+        other_rsa_private = OpenSSL::PKey::RSA.generate(2048)
+
+        key = JSON::JWK.new(private_key)
+        other_key = JSON::JWK.new(other_rsa_private)
+        state = SecureRandom.hex(16)
+        jwt_with_kid = JSON::JWT.new(payload).sign(key, :RS256)
+        request.stubs(:params).returns('id_token' => jwt_with_kid.to_s, 'state' => state)
         request.stubs(:path_info).returns('')
 
         strategy.options.issuer = issuer
@@ -241,6 +258,45 @@ module OmniAuth
         strategy.callback_phase
       end
 
+      def test_callback_phase_with_id_token_with_kid_and_no_matching_kid
+        other_rsa_private = OpenSSL::PKey::RSA.generate(2048)
+
+        key = JSON::JWK.new(private_key)
+        other_key = JSON::JWK.new(other_rsa_private)
+        state = SecureRandom.hex(16)
+        jwt_with_kid = JSON::JWT.new(payload).sign(key, :RS256)
+        request.stubs(:params).returns('id_token' => jwt_with_kid.to_s, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = issuer
+        strategy.options.client_signing_alg = :RS256
+        # We use private_key here instead of the wrapped key, which contains a kid
+        strategy.options.client_jwk_signing_key = { 'keys' => [other_key, private_key] }.to_json
+        strategy.options.response_type = 'id_token'
+
+        strategy.unstub(:user_info)
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+
+        assert_raises JSON::JWK::Set::KidNotFound do
+          strategy.callback_phase
+        end
+      end
+
+      def test_callback_phase_with_id_token_with_hs256
+        state = SecureRandom.hex(16)
+        request.stubs(:params).returns('id_token' => jwt_with_hs256.to_s, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = issuer
+        strategy.options.client_options.secret = hmac_secret
+        strategy.options.client_signing_alg = :HS256
+        strategy.options.response_type = 'id_token'
+
+        strategy.unstub(:user_info)
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
+
       def test_callback_phase_with_id_token_no_matching_key
         rsa_private = OpenSSL::PKey::RSA.generate(2048)
         other_rsa_private = OpenSSL::PKey::RSA.generate(2048)
@@ -266,11 +322,9 @@ module OmniAuth
       end
 
       def test_callback_phase_with_discovery
-        code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
-        jwks = JSON::JWK::Set.new(JSON.parse(File.read('test/fixtures/jwks.json'))['keys'])
 
-        request.stubs(:params).returns('code' => code, 'state' => state)
+        request.stubs(:params).returns('code' => jwt.to_s, 'state' => state)
         request.stubs(:path_info).returns('')
 
         strategy.options.client_options.host = 'example.com'
@@ -285,7 +339,7 @@ module OmniAuth
         config.stubs(:token_endpoint).returns('https://example.com/token')
         config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
         config.stubs(:jwks_uri).returns('https://example.com/jwks')
-        config.stubs(:jwks).returns(jwks)
+        config.stubs(:jwks).returns(JSON::JWK::Set.new(jwks['keys']))
 
         ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
 
@@ -300,7 +354,7 @@ module OmniAuth
         access_token.stubs(:refresh_token)
         access_token.stubs(:expires_in)
         access_token.stubs(:scope)
-        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        access_token.stubs(:id_token).returns(jwt.to_s)
         client.expects(:access_token!).at_least_once.returns(access_token)
         access_token.expects(:userinfo!).returns(user_info)
 
@@ -309,9 +363,9 @@ module OmniAuth
       end
 
       def test_callback_phase_with_jwks_uri
-        code = SecureRandom.hex(16)
+        id_token = jwt.to_s
         state = SecureRandom.hex(16)
-        request.stubs(:params).returns('id_token' => code, 'state' => state)
+        request.stubs(:params).returns('id_token' => id_token, 'state' => state)
         request.stubs(:path_info).returns('')
 
         strategy.options.issuer = 'example.com'
@@ -321,7 +375,7 @@ module OmniAuth
         HTTPClient
           .any_instance.stubs(:get_content)
           .with(strategy.options.client_options.jwks_uri)
-          .returns(File.read('test/fixtures/jwks.json'))
+          .returns(jwks.to_json)
 
         strategy.unstub(:user_info)
         access_token = stub('OpenIDConnect::AccessToken')
@@ -329,7 +383,7 @@ module OmniAuth
         access_token.stubs(:refresh_token)
         access_token.stubs(:expires_in)
         access_token.stubs(:scope)
-        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        access_token.stubs(:id_token).returns(id_token)
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
         id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
@@ -494,7 +548,7 @@ module OmniAuth
       def test_credentials
         strategy.options.issuer = 'example.com'
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_json
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
         id_token.stubs(:verify!).returns(true)
@@ -505,7 +559,7 @@ module OmniAuth
         access_token.stubs(:refresh_token).returns(SecureRandom.hex(16))
         access_token.stubs(:expires_in).returns(Time.now)
         access_token.stubs(:scope).returns('openidconnect')
-        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        access_token.stubs(:id_token).returns(jwt.to_s)
 
         client.expects(:access_token!).returns(access_token)
         access_token.expects(:refresh_token).returns(access_token.refresh_token)
@@ -592,11 +646,11 @@ module OmniAuth
         strategy.options.issuer = 'foobar.com'
         strategy.options.client_auth_method = :not_basic
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_json
 
         json_response = {
           access_token: 'test_access_token',
-          id_token: File.read('test/fixtures/id_token.txt'),
+          id_token: jwt.to_s,
           token_type: 'Bearer',
         }.to_json
         success = Struct.new(:status, :body).new(200, json_response)
@@ -619,16 +673,14 @@ module OmniAuth
 
       def test_public_key_with_jwks
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('./test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_json
 
         assert_equal JSON::JWK::Set, strategy.public_key.class
       end
 
       def test_public_key_with_jwk
         strategy.options.client_signing_alg = :RS256
-        jwks_str = File.read('./test/fixtures/jwks.json')
-        jwks = JSON.parse(jwks_str)
-        jwk = jwks['keys'].first
+        jwk = jwks[:keys].first
         strategy.options.client_jwk_signing_key = jwk.to_json
 
         assert_equal JSON::JWK, strategy.public_key.class
@@ -653,16 +705,7 @@ module OmniAuth
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
         id_token.stubs(:verify!).returns(true)
-        id_token.stubs(:raw_attributes, :to_h).returns(
-          {
-            "iss": "http://server.example.com",
-            "sub": "248289761001",
-            "aud": "s6BhdRkqt3",
-            "nonce": "n-0S6_WzA2Mj",
-            "exp": 1311281970,
-            "iat": 1311280970,
-          }
-        )
+        id_token.stubs(:raw_attributes, :to_h).returns(payload)
 
         request.stubs(:params).returns('state' => state, 'nounce' => nonce, 'id_token' => id_token)
         request.stubs(:path_info).returns('')

data/test/strategy_test_case.rb

@@ -27,6 +27,30 @@ class StrategyTestCase < MiniTest::Test
     }
   end
 
+  def private_key
+    @private_key ||= OpenSSL::PKey::RSA.generate(512)
+  end
+
+  def jwt
+    @jwt ||= JSON::JWT.new(payload).sign(private_key, :RS256)
+  end
+
+  def hmac_secret
+    @hmac_secret ||= SecureRandom.hex(16)
+  end
+
+  def jwt_with_hs256
+    @jwt_with_hs256 ||= JSON::JWT.new(payload).sign(hmac_secret, :HS256)
+  end
+
+  def jwks
+    @jwks ||= begin
+      key = JSON::JWK.new(private_key)
+      keyset = JSON::JWK::Set.new(key)
+      { keys: keyset }
+    end
+  end
+
   def user_info
     @user_info ||= OpenIDConnect::ResponseObject::UserInfo.new(
       sub: SecureRandom.hex(16),

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-omniauth-openid-connect
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - John Bohn
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-07 00:00:00.000000000 Z
+date: 2021-07-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -220,7 +220,6 @@ files:
 - lib/omniauth/openid_connect/version.rb
 - lib/omniauth/strategies/openid_connect.rb
 - lib/omniauth_openid_connect.rb
-- test/fixtures/id_token.txt
 - test/fixtures/jwks.json
 - test/fixtures/test.crt
 - test/lib/omniauth/strategies/openid_connect_test.rb
@@ -250,7 +249,6 @@ signing_key:
 specification_version: 4
 summary: OpenID Connect Strategy for OmniAuth
 test_files:
-- test/fixtures/id_token.txt
 - test/fixtures/jwks.json
 - test/fixtures/test.crt
 - test/lib/omniauth/strategies/openid_connect_test.rb

data/test/fixtures/id_token.txt

@@ -1 +0,0 @@
-eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg