RubyGems - gitlab-omniauth-openid-connect - Versions diffs - 0.7.0 → 0.8.0 - Mend

gitlab-omniauth-openid-connect 0.7.0 → 0.8.0

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/README.md +2 -1
data/lib/omniauth/openid_connect/version.rb +1 -1
data/lib/omniauth/strategies/openid_connect.rb +9 -1
data/test/lib/omniauth/strategies/openid_connect_test.rb +14 -0
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e29bb982f22927953bd34344bd1f91fa458d5ca369db3cf734313b8eae6b5d9
-  data.tar.gz: aa557d380222987564378729c3c57864fb55140c897218dbf3c1ba3b46a9cc52
+  metadata.gz: 62584a1fdd8af0168b5b81d04cce7f90284f9b8fcc97a59d6c4de38fc55e9ce7
+  data.tar.gz: d17b803694124786490472be60eccc9f717843c3a3b93e0fa4b449d8868b6a14
 SHA512:
-  metadata.gz: bfe9ba00c126a9547360bc691cc6eed4db0988226c1f418be3d578fa060bca009f85739bb636e7e3d6b33f9176105fcacfeaab969bf56b12d95f19639a685fa1
-  data.tar.gz: e1cb1b5b6a8194707a06ef43fe4b16be790f982dde57dc6cabe2e16e51df1904fc81034b7bc1d5d377297e4863ca719d176332460fe2d050bcd2b7285a2e78b7
+  metadata.gz: 77e2a464db549e4bdc30a7ba1d37a6e160688274819af19e8caa0f10ad606d837c40f49c0f887570881d92687dc5c7db1b705e6ed4afa347d97d578365ec5d41
+  data.tar.gz: 66f5ebc52581daf1c45b2be51e5ec50096a40f979e7d8684b281c84e8fe13edf05e71e7b25d623d75049fed5b8bb1339d509560278014b680cab7247398b9019

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+# v0.8.0 (07.16.2021)
+- [Add `jwt_secret_base64` option to support binary secrets](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/12)
 # v0.7.0 (07.16.2021)
 - [Add `jwt_secret` option to support Keycloak private key](https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/merge_requests/10)

data/README.md CHANGED Viewed

@@ -66,7 +66,8 @@ config.omniauth :openid_connect, {
 | post_logout_redirect_uri     | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                   | no       | empty                      | https://myapp.com/logout/callback                   |
 | uid_field                    | The field of the user info response to be used as a unique id                                                                                                 | no       | 'sub'                      | "sub", "preferred_username"                         |
 | client_options               | A hash of client options detailed in its own section                                                                                                          | yes      |                            |                                                     |
-| jwt_secret | no | client_options.secret | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. |
+| jwt_secret | no | client_options.secret | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. For secrets in binary, use `jwt_secret_base64`. |
+| jwt_secret_base64 | no | client_options.secret | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. |
 ### Client Config Options

data/lib/omniauth/openid_connect/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module OmniAuth
   module OpenIDConnect
-    VERSION = '0.7.0'
+    VERSION = '0.8.0'
   end
 end

data/lib/omniauth/strategies/openid_connect.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require 'addressable/uri'
+require 'base64'
 require 'timeout'
 require 'net/http'
 require 'open-uri'
@@ -38,6 +39,7 @@ module OmniAuth
       option :discovery, false
       option :client_signing_alg # Deprecated since we detect what is used to sign the JWT
       option :jwt_secret
+      option :jwt_secret_base64
       option :client_jwk_signing_key
       option :client_x509_signing_key
       option :scope, [:openid]
@@ -193,11 +195,17 @@ module OmniAuth
       # Some OpenID providers use the OAuth2 client secret as the shared secret, but
       # Keycloak uses a separate key that's stored inside the database.
       def secret
-        options.jwt_secret || client_options.secret
+        options.jwt_secret || base64_decoded_jwt_secret || client_options.secret
       end
       private
+      def base64_decoded_jwt_secret
+        return unless options.jwt_secret_base64
+        Base64.decode64(options.jwt_secret_base64)
+      end
       def fetch_key
         @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get_content(client_options.jwks_uri))
       end

data/test/lib/omniauth/strategies/openid_connect_test.rb CHANGED Viewed

@@ -311,6 +311,20 @@ module OmniAuth
         strategy.callback_phase
       end
+      def test_callback_phase_with_hs256_base64_jwt_secret
+        state = SecureRandom.hex(16)
+        request.stubs(:params).returns('id_token' => jwt_with_hs256.to_s, 'state' => state)
+        request.stubs(:path_info).returns('')
+        strategy.options.issuer = issuer
+        strategy.options.jwt_secret_base64 = Base64.encode64(hmac_secret)
+        strategy.options.response_type = 'id_token'
+        strategy.unstub(:user_info)
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
       def test_callback_phase_with_id_token_no_matching_key
         rsa_private = OpenSSL::PKey::RSA.generate(2048)
         other_rsa_private = OpenSSL::PKey::RSA.generate(2048)

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-omniauth-openid-connect
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - John Bohn