gitlab-omniauth-openid-connect 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +4 -0
  3. data/README.md +2 -1
  4. data/lib/omniauth/openid_connect/version.rb +1 -1
  5. data/lib/omniauth/strategies/openid_connect.rb +9 -1
  6. data/test/lib/omniauth/strategies/openid_connect_test.rb +14 -0
  7. metadata +1 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6e29bb982f22927953bd34344bd1f91fa458d5ca369db3cf734313b8eae6b5d9
4
- data.tar.gz: aa557d380222987564378729c3c57864fb55140c897218dbf3c1ba3b46a9cc52
3
+ metadata.gz: 62584a1fdd8af0168b5b81d04cce7f90284f9b8fcc97a59d6c4de38fc55e9ce7
4
+ data.tar.gz: d17b803694124786490472be60eccc9f717843c3a3b93e0fa4b449d8868b6a14
5
5
  SHA512:
6
- metadata.gz: bfe9ba00c126a9547360bc691cc6eed4db0988226c1f418be3d578fa060bca009f85739bb636e7e3d6b33f9176105fcacfeaab969bf56b12d95f19639a685fa1
7
- data.tar.gz: e1cb1b5b6a8194707a06ef43fe4b16be790f982dde57dc6cabe2e16e51df1904fc81034b7bc1d5d377297e4863ca719d176332460fe2d050bcd2b7285a2e78b7
6
+ metadata.gz: 77e2a464db549e4bdc30a7ba1d37a6e160688274819af19e8caa0f10ad606d837c40f49c0f887570881d92687dc5c7db1b705e6ed4afa347d97d578365ec5d41
7
+ data.tar.gz: 66f5ebc52581daf1c45b2be51e5ec50096a40f979e7d8684b281c84e8fe13edf05e71e7b25d623d75049fed5b8bb1339d509560278014b680cab7247398b9019
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ # v0.8.0 (07.16.2021)
2
+
3
+ - [Add `jwt_secret_base64` option to support binary secrets](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/12)
4
+
1
5
  # v0.7.0 (07.16.2021)
2
6
 
3
7
  - [Add `jwt_secret` option to support Keycloak private key](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/10)
data/README.md CHANGED
@@ -66,7 +66,8 @@ config.omniauth :openid_connect, {
66
66
  | post_logout_redirect_uri | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html) | no | empty | https://myapp.com/logout/callback |
67
67
  | uid_field | The field of the user info response to be used as a unique id | no | 'sub' | "sub", "preferred_username" |
68
68
  | client_options | A hash of client options detailed in its own section | yes | | |
69
- | jwt_secret | no | client_options.secret | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. |
69
+ | jwt_secret | no | client_options.secret | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. For secrets in binary, use `jwt_secret_base64`. |
70
+ | jwt_secret_base64 | no | client_options.secret | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. |
70
71
 
71
72
  ### Client Config Options
72
73
 
data/lib/omniauth/openid_connect/version.rb CHANGED
@@ -2,6 +2,6 @@
2
2
 
3
3
  module OmniAuth
4
4
  module OpenIDConnect
5
- VERSION = '0.7.0'
5
+ VERSION = '0.8.0'
6
6
  end
7
7
  end
data/lib/omniauth/strategies/openid_connect.rb CHANGED
@@ -1,6 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'addressable/uri'
4
+ require 'base64'
4
5
  require 'timeout'
5
6
  require 'net/http'
6
7
  require 'open-uri'
@@ -38,6 +39,7 @@ module OmniAuth
38
39
  option :discovery, false
39
40
  option :client_signing_alg # Deprecated since we detect what is used to sign the JWT
40
41
  option :jwt_secret
42
+ option :jwt_secret_base64
41
43
  option :client_jwk_signing_key
42
44
  option :client_x509_signing_key
43
45
  option :scope, [:openid]
@@ -193,11 +195,17 @@ module OmniAuth
193
195
  # Some OpenID providers use the OAuth2 client secret as the shared secret, but
194
196
  # Keycloak uses a separate key that's stored inside the database.
195
197
  def secret
196
- options.jwt_secret || client_options.secret
198
+ options.jwt_secret || base64_decoded_jwt_secret || client_options.secret
197
199
  end
198
200
 
199
201
  private
200
202
 
203
+ def base64_decoded_jwt_secret
204
+ return unless options.jwt_secret_base64
205
+
206
+ Base64.decode64(options.jwt_secret_base64)
207
+ end
208
+
201
209
  def fetch_key
202
210
  @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get_content(client_options.jwks_uri))
203
211
  end
data/test/lib/omniauth/strategies/openid_connect_test.rb CHANGED
@@ -311,6 +311,20 @@ module OmniAuth
311
311
  strategy.callback_phase
312
312
  end
313
313
 
314
+ def test_callback_phase_with_hs256_base64_jwt_secret
315
+ state = SecureRandom.hex(16)
316
+ request.stubs(:params).returns('id_token' => jwt_with_hs256.to_s, 'state' => state)
317
+ request.stubs(:path_info).returns('')
318
+
319
+ strategy.options.issuer = issuer
320
+ strategy.options.jwt_secret_base64 = Base64.encode64(hmac_secret)
321
+ strategy.options.response_type = 'id_token'
322
+
323
+ strategy.unstub(:user_info)
324
+ strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
325
+ strategy.callback_phase
326
+ end
327
+
314
328
  def test_callback_phase_with_id_token_no_matching_key
315
329
  rsa_private = OpenSSL::PKey::RSA.generate(2048)
316
330
  other_rsa_private = OpenSSL::PKey::RSA.generate(2048)
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gitlab-omniauth-openid-connect
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.7.0
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - John Bohn