RubyGems - gitlab-omniauth-openid-connect - Versions diffs - 0.6.0 → 0.7.0 - Mend

gitlab-omniauth-openid-connect 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/README.md +1 -0
data/lib/omniauth/openid_connect/version.rb +1 -1
data/lib/omniauth/strategies/openid_connect.rb +17 -15
data/test/lib/omniauth/strategies/openid_connect_test.rb +16 -2
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13c881e6fc6d97b86a4608afaac9f44737d83650de5f00bb102deab1dc723c89
-  data.tar.gz: 3f116b19d3759309dfd6369671dffdddafe5362c3ecf9c4db16cc25c58b6c4ee
+  metadata.gz: 6e29bb982f22927953bd34344bd1f91fa458d5ca369db3cf734313b8eae6b5d9
+  data.tar.gz: aa557d380222987564378729c3c57864fb55140c897218dbf3c1ba3b46a9cc52
 SHA512:
-  metadata.gz: 80d59151cc0657817732e4d85bdee536fa328c40fc0a16b379172c88b62fc7bd25bfc156a7e10885c16277a0a83984f6e34e6223c47cc746cceaa9c264c7d20f
-  data.tar.gz: 251bbd0f19557183b39c72cc679579ce1550573786bfd41fa213f265e19158f27d491309a6199cdebf081c8ba72bffc6a11d9a25a68d0d7b7bfeac113880c061
+  metadata.gz: bfe9ba00c126a9547360bc691cc6eed4db0988226c1f418be3d578fa060bca009f85739bb636e7e3d6b33f9176105fcacfeaab969bf56b12d95f19639a685fa1
+  data.tar.gz: e1cb1b5b6a8194707a06ef43fe4b16be790f982dde57dc6cabe2e16e51df1904fc81034b7bc1d5d377297e4863ca719d176332460fe2d050bcd2b7285a2e78b7

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+# v0.7.0 (07.16.2021)
+- [Add `jwt_secret` option to support Keycloak private key](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/10)
 # v0.6.0 (07.08.2021)
 - [Support verification of HS256-signed JWTs](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/8)

data/README.md CHANGED Viewed

@@ -66,6 +66,7 @@ config.omniauth :openid_connect, {
 | post_logout_redirect_uri     | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                   | no       | empty                      | https://myapp.com/logout/callback                   |
 | uid_field                    | The field of the user info response to be used as a unique id                                                                                                 | no       | 'sub'                      | "sub", "preferred_username"                         |
 | client_options               | A hash of client options detailed in its own section                                                                                                          | yes      |                            |                                                     |
+| jwt_secret | no | client_options.secret | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. |
 ### Client Config Options

data/lib/omniauth/openid_connect/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module OmniAuth
   module OpenIDConnect
-    VERSION = '0.6.0'
+    VERSION = '0.7.0'
   end
 end

data/lib/omniauth/strategies/openid_connect.rb CHANGED Viewed

@@ -36,7 +36,8 @@ module OmniAuth
       option :issuer
       option :discovery, false
-      option :client_signing_alg
+      option :client_signing_alg # Deprecated since we detect what is used to sign the JWT
+      option :jwt_secret
       option :client_jwk_signing_key
       option :client_x509_signing_key
       option :scope, [:openid]
@@ -181,14 +182,20 @@ module OmniAuth
         @public_key ||= begin
           if options.discovery
             config.jwks
-          elsif key_or_secret
-            key_or_secret
+          elsif configured_public_key
+            configured_public_key
           elsif client_options.jwks_uri
             fetch_key
           end
         end
       end
+      # Some OpenID providers use the OAuth2 client secret as the shared secret, but
+      # Keycloak uses a separate key that's stored inside the database.
+      def secret
+        options.jwt_secret || client_options.secret
+      end
       private
       def fetch_key
@@ -253,7 +260,7 @@ module OmniAuth
           when :RS256, :RS384, :RS512
             public_key
           when :HS256, :HS384, :HS512
-            client_options.secret
+            secret
           end
         decoded.verify!(keyset)
@@ -327,17 +334,12 @@ module OmniAuth
         super
       end
-      def key_or_secret
-        @key_or_secret ||= begin
-          case options.client_signing_alg&.to_sym
-          when :HS256, :HS384, :HS512
-            client_options.secret
-          when :RS256, :RS384, :RS512
-            if options.client_jwk_signing_key
-              parse_jwk_key(options.client_jwk_signing_key)
-            elsif options.client_x509_signing_key
-              parse_x509_key(options.client_x509_signing_key)
-            end
+      def configured_public_key
+        @configured_public_key ||= begin
+          if options.client_jwk_signing_key
+            parse_jwk_key(options.client_jwk_signing_key)
+          elsif options.client_x509_signing_key
+            parse_x509_key(options.client_x509_signing_key)
           end
         end
       end

data/test/lib/omniauth/strategies/openid_connect_test.rb CHANGED Viewed

@@ -297,6 +297,20 @@ module OmniAuth
         strategy.callback_phase
       end
+      def test_callback_phase_with_hs256_jwt_secret
+        state = SecureRandom.hex(16)
+        request.stubs(:params).returns('id_token' => jwt_with_hs256.to_s, 'state' => state)
+        request.stubs(:path_info).returns('')
+        strategy.options.issuer = issuer
+        strategy.options.jwt_secret = hmac_secret
+        strategy.options.response_type = 'id_token'
+        strategy.unstub(:user_info)
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
       def test_callback_phase_with_id_token_no_matching_key
         rsa_private = OpenSSL::PKey::RSA.generate(2048)
         other_rsa_private = OpenSSL::PKey::RSA.generate(2048)
@@ -692,10 +706,10 @@ module OmniAuth
         assert_equal OpenSSL::PKey::RSA, strategy.public_key.class
       end
-      def test_public_key_with_hmac
+      def test_secret_with_hmac
         strategy.options.client_options.secret = 'secret'
         strategy.options.client_signing_alg = :HS256
-        assert_equal strategy.options.client_options.secret, strategy.public_key
+        assert_equal strategy.options.client_options.secret, strategy.secret
       end
       def test_id_token_auth_hash

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-omniauth-openid-connect
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - John Bohn
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-07-08 00:00:00.000000000 Z
+date: 2021-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable