gitlab-omniauth-openid-connect 0.6.0 → 0.7.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 13c881e6fc6d97b86a4608afaac9f44737d83650de5f00bb102deab1dc723c89
4
- data.tar.gz: 3f116b19d3759309dfd6369671dffdddafe5362c3ecf9c4db16cc25c58b6c4ee
3
+ metadata.gz: 6e29bb982f22927953bd34344bd1f91fa458d5ca369db3cf734313b8eae6b5d9
4
+ data.tar.gz: aa557d380222987564378729c3c57864fb55140c897218dbf3c1ba3b46a9cc52
5
5
  SHA512:
6
- metadata.gz: 80d59151cc0657817732e4d85bdee536fa328c40fc0a16b379172c88b62fc7bd25bfc156a7e10885c16277a0a83984f6e34e6223c47cc746cceaa9c264c7d20f
7
- data.tar.gz: 251bbd0f19557183b39c72cc679579ce1550573786bfd41fa213f265e19158f27d491309a6199cdebf081c8ba72bffc6a11d9a25a68d0d7b7bfeac113880c061
6
+ metadata.gz: bfe9ba00c126a9547360bc691cc6eed4db0988226c1f418be3d578fa060bca009f85739bb636e7e3d6b33f9176105fcacfeaab969bf56b12d95f19639a685fa1
7
+ data.tar.gz: e1cb1b5b6a8194707a06ef43fe4b16be790f982dde57dc6cabe2e16e51df1904fc81034b7bc1d5d377297e4863ca719d176332460fe2d050bcd2b7285a2e78b7
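--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v0.7.0 (07.16.2021)
+
+- [Add `jwt_secret` option to support Keycloak private key](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/10)
+
 # v0.6.0 (07.08.2021)
 
 - [Support verification of HS256-signed JWTs](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/8)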
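--- a/data/README.md
+++ b/data/README.md
@@ -66,6 +66,7 @@ config.omniauth :openid_connect, {
 | post_logout_redirect_uri | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html) | no | empty | https://myapp.com/logout/callback |
 | uid_field | The field of the user info response to be used as a unique id | no | 'sub' | "sub", "preferred_username" |
 | client_options | A hash of client options detailed in its own section | yes | | |
+| jwt_secret | no | client_options.secret | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. |
 
 ### Client Config Options
 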
@@ -2,6 +2,6 @@
2
2
 
3
3
  module OmniAuth
4
4
  module OpenIDConnect
5
- VERSION = '0.6.0'
5
+ VERSION = '0.7.0'
6
6
  end
7
7
  end
@@ -36,7 +36,8 @@ module OmniAuth
36
36
 
37
37
  option :issuer
38
38
  option :discovery, false
39
- option :client_signing_alg
39
+ option :client_signing_alg # Deprecated since we detect what is used to sign the JWT
40
+ option :jwt_secret
40
41
  option :client_jwk_signing_key
41
42
  option :client_x509_signing_key
42
43
  option :scope, [:openid]
@@ -181,14 +182,20 @@ module OmniAuth
181
182
  @public_key ||= begin
182
183
  if options.discovery
183
184
  config.jwks
184
- elsif key_or_secret
185
- key_or_secret
185
+ elsif configured_public_key
186
+ configured_public_key
186
187
  elsif client_options.jwks_uri
187
188
  fetch_key
188
189
  end
189
190
  end
190
191
  end
191
192
 
193
+ # Some OpenID providers use the OAuth2 client secret as the shared secret, but
194
+ # Keycloak uses a separate key that's stored inside the database.
195
+ def secret
196
+ options.jwt_secret || client_options.secret
197
+ end
198
+
192
199
  private
193
200
 
194
201
  def fetch_key
@@ -253,7 +260,7 @@ module OmniAuth
253
260
  when :RS256, :RS384, :RS512
254
261
  public_key
255
262
  when :HS256, :HS384, :HS512
256
- client_options.secret
263
+ secret
257
264
  end
258
265
 
259
266
  decoded.verify!(keyset)
@@ -327,17 +334,12 @@ module OmniAuth
327
334
  super
328
335
  end
329
336
 
330
- def key_or_secret
331
- @key_or_secret ||= begin
332
- case options.client_signing_alg&.to_sym
333
- when :HS256, :HS384, :HS512
334
- client_options.secret
335
- when :RS256, :RS384, :RS512
336
- if options.client_jwk_signing_key
337
- parse_jwk_key(options.client_jwk_signing_key)
338
- elsif options.client_x509_signing_key
339
- parse_x509_key(options.client_x509_signing_key)
340
- end
337
+ def configured_public_key
338
+ @configured_public_key ||= begin
339
+ if options.client_jwk_signing_key
340
+ parse_jwk_key(options.client_jwk_signing_key)
341
+ elsif options.client_x509_signing_key
342
+ parse_x509_key(options.client_x509_signing_key)
341
343
  end
342
344
  end
343
345
  end
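Review bot: The new `secret` method returns `options.jwt_secret || client_options.secret` without rejecting a blank value, and because `''` is truthy in Ruby a `jwt_secret` that resolves to an empty string is handed straight to `decoded.verify!` through the `when :HS256, :HS384, :HS512` branch as the HMAC key instead of failing fast. Suggest `value = options.jwt_secret || client_options.secret`, then `raise ArgumentError, 'jwt_secret or client_options.secret is required for HMAC-signed tokens' if value.nil? || value.empty?` before returning `value` (routed to whatever failure path the callback phase already uses if callers expect a non-raising strategy). The deprecation of `client_signing_alg` is comment-only (`# Deprecated since we detect what is used to sign the JWT`) while the only code that read it is deleted in the `key_or_secret` → `configured_public_key` hunk, so the option is now silently ignored; emitting a warning when it is set and noting the change in README/CHANGELOG would stop operators from assuming it still constrains the accepted algorithm, which this release appears to take from the token itself. The `public_key` method whose body the `configured_public_key` hunk edits begins outside the hunk.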
@@ -297,6 +297,20 @@ module OmniAuth
297
297
  strategy.callback_phase
298
298
  end
299
299
 
300
+ def test_callback_phase_with_hs256_jwt_secret
301
+ state = SecureRandom.hex(16)
302
+ request.stubs(:params).returns('id_token' => jwt_with_hs256.to_s, 'state' => state)
303
+ request.stubs(:path_info).returns('')
304
+
305
+ strategy.options.issuer = issuer
306
+ strategy.options.jwt_secret = hmac_secret
307
+ strategy.options.response_type = 'id_token'
308
+
309
+ strategy.unstub(:user_info)
310
+ strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
311
+ strategy.callback_phase
312
+ end
313
+
300
314
  def test_callback_phase_with_id_token_no_matching_key
301
315
  rsa_private = OpenSSL::PKey::RSA.generate(2048)
302
316
  other_rsa_private = OpenSSL::PKey::RSA.generate(2048)
@@ -692,10 +706,10 @@ module OmniAuth
692
706
  assert_equal OpenSSL::PKey::RSA, strategy.public_key.class
693
707
  end
694
708
 
695
- def test_public_key_with_hmac
709
+ def test_secret_with_hmac
696
710
  strategy.options.client_options.secret = 'secret'
697
711
  strategy.options.client_signing_alg = :HS256
698
- assert_equal strategy.options.client_options.secret, strategy.public_key
712
+ assert_equal strategy.options.client_options.secret, strategy.secret
699
713
  end
700
714
 
701
715
  def test_id_token_auth_hash
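Review bot: `test_callback_phase_with_hs256_jwt_secret` contains no assertion, so it only shows that `callback_phase` does not raise when `jwt_secret` matches `hmac_secret`; the case that matters for security — an HS256 token signed with a different secret being rejected — is not covered, nor is the precedence of `jwt_secret` over `client_options.secret`. Add a companion test that sets `strategy.options.jwt_secret` to a value other than `hmac_secret` and asserts the strategy's failure path (for example a mocha expectation that `fail!` is invoked, since the file already uses `stubs`/`unstub`), and give this test an explicit success assertion rather than relying on the absence of an exception. In `test_secret_with_hmac` the line `strategy.options.client_signing_alg = :HS256` is dead now that the option is deprecated and unread; replacing it with `strategy.options.jwt_secret = 'other'` and adding `assert_equal 'other', strategy.secret` would exercise the new option and its precedence. Both test methods lie fully within their hunks.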
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gitlab-omniauth-openid-connect
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.0
4
+ version: 0.7.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - John Bohn
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2021-07-08 00:00:00.000000000 Z
12
+ date: 2021-07-16 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: addressable