gitlab-omniauth-openid-connect 0.6.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13c881e6fc6d97b86a4608afaac9f44737d83650de5f00bb102deab1dc723c89
-  data.tar.gz: 3f116b19d3759309dfd6369671dffdddafe5362c3ecf9c4db16cc25c58b6c4ee
+  metadata.gz: 6e29bb982f22927953bd34344bd1f91fa458d5ca369db3cf734313b8eae6b5d9
+  data.tar.gz: aa557d380222987564378729c3c57864fb55140c897218dbf3c1ba3b46a9cc52
 SHA512:
-  metadata.gz: 80d59151cc0657817732e4d85bdee536fa328c40fc0a16b379172c88b62fc7bd25bfc156a7e10885c16277a0a83984f6e34e6223c47cc746cceaa9c264c7d20f
-  data.tar.gz: 251bbd0f19557183b39c72cc679579ce1550573786bfd41fa213f265e19158f27d491309a6199cdebf081c8ba72bffc6a11d9a25a68d0d7b7bfeac113880c061
+  metadata.gz: bfe9ba00c126a9547360bc691cc6eed4db0988226c1f418be3d578fa060bca009f85739bb636e7e3d6b33f9176105fcacfeaab969bf56b12d95f19639a685fa1
+  data.tar.gz: e1cb1b5b6a8194707a06ef43fe4b16be790f982dde57dc6cabe2e16e51df1904fc81034b7bc1d5d377297e4863ca719d176332460fe2d050bcd2b7285a2e78b7

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# v0.7.0 (07.16.2021)
+
+- [Add `jwt_secret` option to support Keycloak private key](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/10)
+
 # v0.6.0 (07.08.2021)
 
 - [Support verification of HS256-signed JWTs](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/8)

data/README.md

@@ -66,6 +66,7 @@ config.omniauth :openid_connect, {
 | post_logout_redirect_uri     | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                   | no       | empty                      | https://myapp.com/logout/callback                   |
 | uid_field                    | The field of the user info response to be used as a unique id                                                                                                 | no       | 'sub'                      | "sub", "preferred_username"                         |
 | client_options               | A hash of client options detailed in its own section                                                                                                          | yes      |                            |                                                     |
+| jwt_secret | no | client_options.secret | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. |
 
 ### Client Config Options
 

data/lib/omniauth/openid_connect/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module OpenIDConnect
-    VERSION = '0.6.0'
+    VERSION = '0.7.0'
   end
 end

data/lib/omniauth/strategies/openid_connect.rb

@@ -36,7 +36,8 @@ module OmniAuth
 
       option :issuer
       option :discovery, false
-      option :client_signing_alg
+      option :client_signing_alg # Deprecated since we detect what is used to sign the JWT
+      option :jwt_secret
       option :client_jwk_signing_key
       option :client_x509_signing_key
       option :scope, [:openid]
@@ -181,14 +182,20 @@ module OmniAuth
         @public_key ||= begin
           if options.discovery
             config.jwks
-          elsif key_or_secret
-            key_or_secret
+          elsif configured_public_key
+            configured_public_key
           elsif client_options.jwks_uri
             fetch_key
           end
         end
       end
 
+      # Some OpenID providers use the OAuth2 client secret as the shared secret, but
+      # Keycloak uses a separate key that's stored inside the database.
+      def secret
+        options.jwt_secret || client_options.secret
+      end
+
       private
 
       def fetch_key
@@ -253,7 +260,7 @@ module OmniAuth
           when :RS256, :RS384, :RS512
             public_key
           when :HS256, :HS384, :HS512
-            client_options.secret
+            secret
           end
 
         decoded.verify!(keyset)
@@ -327,17 +334,12 @@ module OmniAuth
         super
       end
 
-      def key_or_secret
-        @key_or_secret ||= begin
-          case options.client_signing_alg&.to_sym
-          when :HS256, :HS384, :HS512
-            client_options.secret
-          when :RS256, :RS384, :RS512
-            if options.client_jwk_signing_key
-              parse_jwk_key(options.client_jwk_signing_key)
-            elsif options.client_x509_signing_key
-              parse_x509_key(options.client_x509_signing_key)
-            end
+      def configured_public_key
+        @configured_public_key ||= begin
+          if options.client_jwk_signing_key
+            parse_jwk_key(options.client_jwk_signing_key)
+          elsif options.client_x509_signing_key
+            parse_x509_key(options.client_x509_signing_key)
           end
         end
       end

data/test/lib/omniauth/strategies/openid_connect_test.rb

@@ -297,6 +297,20 @@ module OmniAuth
         strategy.callback_phase
       end
 
+      def test_callback_phase_with_hs256_jwt_secret
+        state = SecureRandom.hex(16)
+        request.stubs(:params).returns('id_token' => jwt_with_hs256.to_s, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = issuer
+        strategy.options.jwt_secret = hmac_secret
+        strategy.options.response_type = 'id_token'
+
+        strategy.unstub(:user_info)
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
+
       def test_callback_phase_with_id_token_no_matching_key
         rsa_private = OpenSSL::PKey::RSA.generate(2048)
         other_rsa_private = OpenSSL::PKey::RSA.generate(2048)
@@ -692,10 +706,10 @@ module OmniAuth
         assert_equal OpenSSL::PKey::RSA, strategy.public_key.class
       end
 
-      def test_public_key_with_hmac
+      def test_secret_with_hmac
         strategy.options.client_options.secret = 'secret'
         strategy.options.client_signing_alg = :HS256
-        assert_equal strategy.options.client_options.secret, strategy.public_key
+        assert_equal strategy.options.client_options.secret, strategy.secret
       end
 
       def test_id_token_auth_hash

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-omniauth-openid-connect
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - John Bohn
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-08 00:00:00.000000000 Z
+date: 2021-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable