himari 0.4.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/himari/access_token.rb +5 -0
- data/lib/himari/client_registration.rb +3 -2
- data/lib/himari/services/oidc_authorization_endpoint.rb +2 -0
- data/lib/himari/services/oidc_token_endpoint.rb +12 -4
- data/lib/himari/services/oidc_userinfo_endpoint.rb +1 -1
- data/lib/himari/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5b8557a7f7d75db91d61c20e931bfa9d05d832541b4fb9fdc05055491568e4ec
|
|
4
|
+
data.tar.gz: c50b5396fa19b2c03b2b4115d495f3f96a688016a4c8d3fb9b1833ef10de13b7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: eac9157e67de6f6c2538b36f7d6a55e62f1d3a7e3837e72a23d0b6d407a40a2004f7a7fee8c71b036c709daf6be970a75ae45118c116bbd4ab1a085eb23af137
|
|
7
|
+
data.tar.gz: b40f7ed7a033f312871a191398ba1d74f376c89d634666b4b076a05666a66309d8886d0bd3d441144d1fea781847e6f020fa9ec39a079ac1ef3f48f9f332efba
|
data/lib/himari/access_token.rb
CHANGED
|
@@ -2,19 +2,20 @@ require 'digest/sha2'
|
|
|
2
2
|
|
|
3
3
|
module Himari
|
|
4
4
|
class ClientRegistration
|
|
5
|
-
def initialize(name:, id:, secret: nil, secret_hash: nil, redirect_uris:, preferred_key_group: nil)
|
|
5
|
+
def initialize(name:, id:, secret: nil, secret_hash: nil, redirect_uris:, preferred_key_group: nil, require_pkce: false)
|
|
6
6
|
@name = name
|
|
7
7
|
@id = id
|
|
8
8
|
@secret = secret
|
|
9
9
|
@secret_hash = secret_hash
|
|
10
10
|
@redirect_uris = redirect_uris
|
|
11
11
|
@preferred_key_group = preferred_key_group
|
|
12
|
+
@require_pkce = require_pkce
|
|
12
13
|
|
|
13
14
|
raise ArgumentError, "name starts with '_' is reserved" if @name&.start_with?('_')
|
|
14
15
|
raise ArgumentError, "either secret or secret_hash must be present" if !@secret && !@secret_hash
|
|
15
16
|
end
|
|
16
17
|
|
|
17
|
-
attr_reader :name, :id, :redirect_uris, :preferred_key_group
|
|
18
|
+
attr_reader :name, :id, :redirect_uris, :preferred_key_group, :require_pkce
|
|
18
19
|
|
|
19
20
|
def secret_hash
|
|
20
21
|
@secret_hash ||= Digest::SHA384.hexdigest(secret)
|
|
@@ -58,6 +58,8 @@ module Himari
|
|
|
58
58
|
@authz.code_challenge = req.code_challenge
|
|
59
59
|
@authz.code_challenge_method = req.code_challenge_method || 'plain'
|
|
60
60
|
next req.bad_request!(:invalid_request, 'Invalid PKCE parameters') unless @authz.pkce_valid_request?
|
|
61
|
+
elsif @client.require_pkce
|
|
62
|
+
next req.bad_request!(:invalid_request, 'PKCE is mandatory')
|
|
61
63
|
end
|
|
62
64
|
|
|
63
65
|
@storage.put_authorization(@authz)
|
|
@@ -57,11 +57,19 @@ module Himari
|
|
|
57
57
|
@logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, expired grant', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
|
|
58
58
|
next req.invalid_grant!
|
|
59
59
|
end
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
60
|
+
|
|
61
|
+
if authz.pkce?
|
|
62
|
+
if req.verify_code_verifier!(authz.code_challenge, authz.code_challenge_method)
|
|
63
|
+
# do nothing
|
|
64
|
+
else
|
|
65
|
+
# :nocov:
|
|
66
|
+
@logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, invalid pkce', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
|
|
67
|
+
next req.invalid_grant!
|
|
68
|
+
# :nocov:
|
|
69
|
+
end
|
|
70
|
+
elsif client.require_pkce
|
|
71
|
+
@logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, pkce is mandatory', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
|
|
63
72
|
next req.invalid_grant!
|
|
64
|
-
# :nocov:
|
|
65
73
|
end
|
|
66
74
|
|
|
67
75
|
token = AccessToken.from_authz(authz)
|
|
@@ -45,7 +45,7 @@ module Himari
|
|
|
45
45
|
[
|
|
46
46
|
200,
|
|
47
47
|
{'Content-Type' => 'application/json; charset=utf-8'},
|
|
48
|
-
[JSON.pretty_generate(token.
|
|
48
|
+
[JSON.pretty_generate(token.userinfo), "\n"],
|
|
49
49
|
]
|
|
50
50
|
rescue InvalidToken, Himari::TokenString::SecretIncorrect, Himari::TokenString::InvalidFormat, Himari::TokenString::TokenExpired => e
|
|
51
51
|
@logger&.warn(Himari::LogLine.new('OidcUserinfoEndpoint: invalid_token', req: @env['himari.request_as_log'], err: e.class.inspect, token: token&.as_log))
|
data/lib/himari/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: himari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sorah Fukumori
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-05-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sinatra
|
|
@@ -166,7 +166,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
166
166
|
- !ruby/object:Gem::Version
|
|
167
167
|
version: '0'
|
|
168
168
|
requirements: []
|
|
169
|
-
rubygems_version: 3.
|
|
169
|
+
rubygems_version: 3.4.6
|
|
170
170
|
signing_key:
|
|
171
171
|
specification_version: 4
|
|
172
172
|
summary: Small OIDC IdP for small teams - Omniauth to OIDC
|