nov-doorkeeper-openid_connect 1.10.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 0f00bcea0c3989cfb705845e15aa74cc87ca6727af7ee7e7c51886fd591245a4
+  data.tar.gz: bd0dae8c7d5b8a24723397627a41ea23ef68c2c2730c12b7ce399affd19a03a7
+SHA512:
+  metadata.gz: f37aae11219f954fc6b53d081f92edb2d8d207cf1492dccd02158b77efecf0ed1285544c837c8a701498b0e3759aa2d2468901ff0676f87b2b1fff9945a39a63
+  data.tar.gz: a090fe8d79d4c423bd40ee72f17c73b1e4cef08243e68aab77efc3bac7130d8a5568d549892cc324fbef5513a433715b0f85b6b1e97aefe96add5895e486d5e0

data/CHANGELOG.md

@@ -0,0 +1,380 @@
+## Unreleased
+
+- Please add here
+
+## v1.10.2 (2026-06-22)
+
+- [#315] Drop support for EOL Ruby 3.1 (EOL 2025-03-25) and require Ruby `>= 3.2`. `i18n 1.15.0` uses the `Fiber[]` storage API which only exists on Ruby 3.2+, so the Ruby 3.1 CI row no longer loads; the matrix now tests Ruby 3.2 as the minimum
+- [#316] Set `fail-fast: false` in CI matrix so a single failing job no longer cancels the rest
+- [#303] execute account selection even without owner, and `select_account_for_resource_owner` can now receive `nil` as the first argument.
+- [#304] allow handle auth_time per grant
+- [#305] Document the `auth_time_from_access_token` config option in the README (per-grant `auth_time`), clarifying that it only affects the ID Token `auth_time` claim and not `max_age` enforcement
+- [#307] Fix `bundle exec rake server` for the test application
+- [#313] Move Configuration documentation from README to Wiki
+- [#312] Raise `Errors::MissingRequiredClaim` instead of silently dropping a blank REQUIRED ID Token claim (`iss`/`sub`/`aud`/`exp`/`iat`) in `IdToken#as_json`, which previously could emit a non-conformant ID Token (OIDC Core 1.0 §2). OPTIONAL claims such as `nonce`/`auth_time` are still omitted when blank
+- [#311] Include the REQUIRED `client_secret_expires_at` member (value `0`, never expires) in the Dynamic Client Registration response whenever a `client_secret` is issued (RFC 7591 §3.2.1 / OpenID Connect Dynamic Client Registration 1.0 §3.2)
+- [#309] Add a browser dashboard to the test application (`spec/dummy`) for exercising the OpenID Connect endpoints by hand — replacing the rails console + curl workflow with forms for Setup, Discovery, Authorization (code / implicit / PKCE / nonce / prompt / `max_age`), token exchange, UserInfo, introspection and revocation
+- [#308] Fix `NameError: uninitialized constant Auth::ApplicationRecord` on boot when using a namespaced custom access grant model (e.g. `Auth::OAuthAccessGrant < ApplicationRecord`). Since v1.10.0 ([#241]) the `openid_request` association was wired inside an `ActiveSupport.on_load(:active_record)` block, which fires while `ActiveRecord::Base` is first loaded and constantizes the grant model too early. The association is now added from Doorkeeper's `AccessGrant` mixin `included` callback — at the model's own load time, without constantizing — mirroring the fix doorkeeper made in [#1830](https://github.com/doorkeeper-gem/doorkeeper/pull/1830) ([#306](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/306))
+
+## v1.10.1 (2026-06-03)
+
+- [#294] Drop stale `Metrics/ClassLength` and `Metrics/BlockLength` overrides from `.rubocop_todo.yml`
+- [#293] Drop `Naming/VariableNumber` from `.rubocop_todo.yml` and normalise test variable names
+- [#291] Document multi-namespace mount pattern for multiple resource owner models ([#192](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/192))
+- [#292] Drop formatting cops from `.rubocop_todo.yml` and align trailing-comma style with upstream doorkeeper
+- [#296] Fix the `prompt` parameter being rejected with `invalid_request` when it contains leading or duplicate spaces (e.g. `prompt=%20none`) — blank entries in the space-delimited value are now ignored
+- [#299] Raise `InvalidConfiguration` when the `issuer` config resolves to a blank value instead of silently advertising an empty `issuer` in the discovery document. Since v1.10.0 an arity-2 `issuer` block receives `(resource_owner, application)` — both `nil` in the discovery context — so a block relying on the old v1.9.0 request argument could return `nil` and produce a discovery `issuer` that mismatched the ID token `iss` ([#298](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/298))
+
+## v1.10.0 (2026-06-01)
+
+>[!IMPORTANT]
+>
+>- **Breaking (arity-2 issuer blocks):** `resolve_issuer` now dispatches arity-2 blocks with `(resource_owner, application)` in all contexts, including discovery. In v1.9.0 `DiscoveryController` passed `request` as the first argument; existing arity-2 blocks that relied on this receive `(nil, nil)` in v1.10.0 and should migrate to arity-3 — see [#298](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/298) for details and migration examples
+
+- [#241] Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see [Doorkeeper PR](https://github.com/doorkeeper-gem/doorkeeper/pull/1804))
+- [#242] Fix `NoMethodError` for openid_request in testing environments.
+- [#246] Fix `at_hash` to use correct hash algorithm based on `signing_algorithm`
+- [#250] Return configured `issuer` instead of `root_url` in WebFinger response (thanks to @sato11 for the original work in #172)
+- [#248] Fix `max_age` always triggering reauthentication when `auth_time_from_resource_owner` returns Integer
+- [#254] **Breaking:** Omit `expires_in` from the `response_type=id_token` response (OIDC Core §3.2.2.5 — `expires_in` represents the Access Token lifetime; it is still returned for `response_type=id_token token`)
+- [#252] Treat `auth_time_from_resource_owner` as optional in `IdToken` — omit `auth_time` claim when unconfigured instead of raising `InvalidConfiguration`
+- [#256] Accept non-callable values (symbol / string) for the `protocol` config option, matching the pattern used by `issuer` / `signing_algorithm` / `signing_key` / `expiration`
+- [#258] Skip `IdToken` construction on password grants without the `openid` scope
+- [#259] Skip `IdToken` construction on authorization code grants without the `openid` scope
+- [#261] Fix obsolete RuboCop configuration (`require:` → `plugins:`, `RSpec/FilePath` split, remove `Capybara/FeatureMethods`)
+- [#263] **Security/Breaking:** Determine dynamically registered client's `confidential` flag from `token_endpoint_auth_method` per RFC 7591 — previously every dynamically registered client was created as public (`confidential: false`), which let callers authenticate with only `client_id` (`by_uid_and_secret(uid, nil)` bypass). Default is now `client_secret_basic` (confidential); `none` produces a public client; unsupported values (e.g. `private_key_jwt`) are rejected with `invalid_client_metadata`. Also derive `token_endpoint_auth_methods_supported` in the response from `Doorkeeper.configuration.client_credentials_methods` instead of a hardcoded list, matching #236
+- [#264] Apply safe RuboCop autocorrections and fix resulting artifacts
+- [#265] Add Dynamic Client Registration section to README
+- [#266] Validate `application_type`, `response_types`, and `grant_types` parameters in dynamic client registration per RFC 7591 — reject unsupported values with `invalid_client_metadata` and echo the requested values back in the registration response, instead of silently ignoring them and returning the server's global configuration
+- [#267] Add `authorize_dynamic_client_registration` config option to gate the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a callable, the block is evaluated in the controller scope (with access to `request`, `params`, `request.headers`, etc.) and falsy return values reject the request with `401 invalid_token`. Default is `nil` so the endpoint remains open for backward compatibility; consumers should configure this to validate an Initial Access Token (or any other authorization scheme) before allowing client registration
+- [#268] Update Dynamic Client Registration README for validated metadata parameters
+- [#269] Document `authorize_dynamic_client_registration` in README
+- [#270] Document the unified issuer block signature in README
+- [#278] Test against Ruby 4.0.
+- [#271] **Security:** Add `auth_time_from_session` config for per-session `max_age` enforcement. The legacy `auth_time_from_resource_owner` cannot distinguish between concurrent sessions and is now deprecated for `max_age` use (see [#150](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/150))
+- [#272] Document `auth_time_from_session` in README (follow-up to [#271](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/271))
+- [#273] **Security/Hardening:** Merge framework-controlled registered claims last — `iss`/`sub`/`aud`/`exp`/`iat`/`nonce`/`auth_time` for the ID Token and `sub` for UserInfo — so a custom claim block can no longer override security-critical values. No legitimate configuration relied on this; custom claims that intentionally shadowed a registered claim name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).
+- [#276] Get RuboCop to zero offenses: fix `Lint/MissingSuper` in `IdTokenResponse`, replace `puts` with `warn` for deprecation notices, and modernise spec style
+- [#277] Fix README inaccuracies (`signing_algorithm` description and link, `discovery_url_options` endpoint list, `oauth-authorization-server` route) and use constant-time comparison in the DCR authorization example to prevent timing attacks on the Initial Access Token
+- [#279] Return `account_selection_required` when a `prompt=select_account` handler does not generate a response, per [OIDC Core 1.0 §3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthError) — previously the authorization silently continued without account selection. Adds the missing `Errors::AccountSelectionRequired` class, mirroring the existing `login_required` backstop for `reauthenticate_resource_owner`
+- [#275] Return `login_required` for `max_age` reauthentication when `prompt=none`, instead of triggering the interactive `reauthenticate_resource_owner` flow (OIDC Core §3.1.2.1)
+- [#284] Document `acr` / `amr` claims in README — show how to expose Authentication Context Class Reference and Authentication Methods References via the `claim` DSL, with callouts for the `response:` and `scope:` defaults that silently bite
+- [#288] Document `offline_access` scope recipe in README — show how to wire `use_refresh_token` with scope-based filtering for OIDC offline access
+- [#281] Fix `NoMethodError` / `DoubleRenderError` when `resource_owner_authenticator` redirects with a truthy non-model value (e.g. `current_user || redirect_to(login_url)`). Normalize the leaked value to `nil` when `performed?` and add missing `if owner` guard on `select_account`.
+- [#285] Document custom `jwks_uri` path pattern in README — show how to advertise a non-default path in the discovery document using Rails' `direct` URL helper
+- [#283] Support multiple signing keys in the JWKS response — `signing_key` now also accepts an array (and callables returning an array). The first entry is the active key used to sign new ID tokens; the remaining entries are published in the JWKS so clients can still validate tokens signed with a retired key during a rotation window. Single-value and callable forms continue to work unchanged
+- [#286] Allow claims to be assigned to multiple scopes via `scope: [:profile, :all_data]` — the claim is returned whenever the access token grants any of the listed scopes. **Note:** the previously implicit `Claim#scope=` writer (from `attr_accessor :scope`) is no longer provided; rebuild the claim instead of mutating it
+- [#287] Add `apply_prompt_to_non_oidc_requests` option to honor the `prompt` parameter on plain OAuth requests that do not include the `openid` scope
+- [#282] Allow `prompt=none` reauthorization with a narrower subset of previously-granted scopes (issue #63). Per RFC 6749 §1.5, narrower-or-equal scopes do not require fresh user consent; previously these requests returned `consent_required`.
+- [#290] Freeze `Claim#scopes` and `Claim#response` arrays at construction so callers can't accidentally mutate the claim's internal state from outside
+- [#297] Fix the generated initializer's `issuer` example referencing an undefined `request` local (the block parameter is `_request`), which raised `NameError` when copied verbatim
+
+## v1.9.0 (2026-03-16)
+
+- [#229] Allow to application manage signing key and algorithm
+- [#230] Add dynamic client registration
+- [#233] fix: handle `DoubleRenderError` in library instead of requiring consumer workaround
+- [#232] Implements customizable OpenID request class
+- [#236] Derive `token_endpoint_auth_methods_supported` from Doorkeeper's client_credentials config
+- [#225] Allow configuration of id_token expiration using a block.
+- [#237] Fix dynamic client registration returning hashed secret when `hash_application_secrets` is enabled
+- [#226] Respect Doorkeeper's configured `pkce_code_challenge_methods`
+
+## v1.8.11 (2025-02-10)
+
+- [#219] Test against Ruby 3.4.
+- [#216] Test against Rails 7.1, 7.2, 8.0.
+- [#222] Support max_age=0
+- [#221] Avoid raising invalid_request error on prompt=create
+- [#220] Define priority on possible prompt values to statically & successfully process multiple prompt values
+- [#224] Define priority between max_age & prompt
+
+## v1.8.10 (2024-11-29)
+
+- [#215] Drop support for Ruby 2.7, 3.0 and Rails 6.
+- [#209] Configuration per IdToken expiration (thanks to @martinezcoder)
+
+## v1.8.9 (2024-05-07)
+
+- Support Doorkeeper 5.7
+
+## v1.8.8 (2024-02-26)
+
+- [#201] Add back typ=JWT to header
+
+## v1.8.7 (2023-05-18)
+
+- [#198] Fully qualify `JWT::JWK::Thumbprint` constant with :: (thanks to @stanhu)
+
+## v1.8.6 (2023-05-12)
+
+- [#194] Default to RFC 7638 kid fingerprint generation (thanks to @stanhu).
+
+## v1.8.5 (2023-02-02)
+
+- [#186] Simplify gem configuration reusing Doorkeeper configuration option DSL (thanks to @nbulaj).
+- [#182] Drop support for Ruby 2.6 and Rails 5 (thanks to @sato11).
+- [#188] Fix dookeeper-jwt compatibility (thanks to @zavan).
+
+## v1.8.4 (2023-02-01)
+
+Note that v1.8.4 changed the default kid fingerprint generation from RFC 7638 to a format
+based on the SHA256 digest of the key element. To restore the previous behavior, upgrade to v1.8.6.
+
+- [#177] Replace `json-jwt` with `ruby-jwt` to align with doorkeeper-jwt (thanks to @kristof-mattei).
+- [#185] Don't call active_record_options for Doorkeeper >= 5.6.3 (thanks to @zavan).
+- [#183] Stop render consent screen when user is not logged-in (thanks to @nov).
+
+## v1.8.3 (2022-12-02)
+
+- [#180] Add PKCE support to OpenID discovery endpoint (thanks to @stanhu).
+
+## v1.8.2 (2022-07-13)
+
+- [#168] Allow to use custom doorkeeper access grant model (thanks @nov).
+- [#170] Controllers inherit `Doorkeeper::AppliactionMetalController` (thanks @sato11).
+- [#171] Correctly override `AuthorizationsController` params (thanks to @nbulaj).
+
+## v1.8.1 (2022-02-09)
+
+- [#153] Fix ArgumentError caused by client credential validation introduced in Doorkeeper 5.5.1 (thanks to @CircumnavigatingFlatEarther)
+- [#161] Fix .well-known/openid-connect issuer (respond to block if provided) (thanks to @fkowal).
+- [#152] Expose oauth-authorization-server in routes (thanks to @mitar)
+
+## v1.8.0 (2021-05-11)
+
+No changes from v1.8.0-rc1.
+
+## v1.8.0-rc1 (2021-04-20)
+
+### Upgrading
+
+This gem now requires Doorkeeper 5.5 and Ruby 2.5.
+
+### Changes
+
+- [#138] Support form_post response mode (thanks to @linhdangduy)
+- [#144] Support block syntax for `issuer` configuration (thanks to @maxxsnake)
+- [#145] Register token flows with the strategy instead of the token class (thanks to @paukul)
+
+## v1.7.5 (2020-12-15)
+
+### Changes
+
+- [#126] Add discovery_url_options option for discovery endpoints URL generation (thanks to @phlegx)
+
+### Bugfixes
+
+- [#123] Remove reference to ApplicationRecord (thanks to @wheeyls)
+- [#124] Clone doorkeeper.grant_flows array before appending 'refresh_token' (thanks to @davidbasalla)
+- [#129] Avoid to use the config alias while supporting Doorkeeper 5.2 (thanks to @kymmt90)
+
+## v1.7.4 (2020-07-06)
+
+- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
+
+## v1.7.3 (2020-07-06)
+
+- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
+- [#112] Add grant_types_supported to discovery response
+- [#114] Fix user_info endpoint when used in api mode
+- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
+- [#117] Fix migration template to use Rails migrations DSL for association.
+- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
+
+## v1.7.2 (2020-05-20)
+
+### Changes
+
+- [#108] Add support for Doorkeeper 5.4
+- [#103] Add support for end_session_endpoint
+- [#109] Test against Ruby 2.7 & Rails 6.x
+
+## v1.7.1 (2020-02-07)
+
+### Upgrading
+
+This version adds `on_delete: :cascade` to the migration template for the `oauth_openid_requests` table, in order to fix #82.
+
+For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with `on_delete: :cascade` included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
+
+```ruby
+class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
+  def up
+    remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+    add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
+  end
+
+  def down
+    remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+    add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
+  end
+end
+```
+
+### Bugfixes
+
+- [#96] Bump `json-jwt` because of CVE-2019-18848 (thanks to @leleabhinav)
+- [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
+- [#98] Cascade deletes from `oauth_openid_requests` to `oauth_access_grants` (thanks to @manojmj92)
+- [#99] Fix `audience` claim when application is not set on access token (thanks to @ionut998)
+
+## v1.7.0 (2019-11-04)
+
+### Changes
+
+- [#85] This gem now requires Doorkeeper 5.2, Rails 5, and Ruby 2.4
+
+## v1.6.3 (2019-09-24)
+
+### Changes
+
+- [#81] Allow silent authentication without user consent (thanks to @jarosan)
+- Don't support Doorkeeper >= 5.2 due to breaking changes
+
+## v1.6.2 (2019-08-09)
+
+### Bugfixes
+
+- [#80] Check for client presence in controller, fixes a 500 error when `client_id` is missing (thanks to @cincospenguinos @urnf @isabellechalhoub)
+
+## v1.6.1 (2019-06-07)
+
+### Bugfixes
+
+- [#75] Fix return value for `after_successful_response` (thanks to @daveed)
+
+### Changes
+
+- [#72] Add `revocation_endpoint` and `introspection_endpoint` to discovery response (thanks to @scarfacedeb)
+
+## v1.6.0 (2019-03-06)
+
+### Changes
+
+- [#70] This gem now requires Doorkeeper 5.0, and actually has done so since v1.5.4 (thanks to @michaelglass)
+
+## v1.5.5 (2019-03-03)
+
+- [#69] Return `crv` parameter for EC keys (thanks to @marco-nicola)
+
+## v1.5.4 (2019-02-15)
+
+### Bugfixes
+
+- [#66] Fix an open redirect vulnerability ([CVE-2019-9837](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9837), thanks to @meagar)
+- [#67] Don't delete existing tokens with `prompt=consent` (thanks to @nov)
+
+### Changes
+
+- [#62] Support customization of redirect params in `id_token` and `id_token token` responses (thanks to @meagar)
+
+## v1.5.3 (2019-01-19)
+
+### Bugfixes
+
+- [#60] Don't break native authorization in Doorkeeper 5.x
+
+### Changes
+
+- [#58] Use versioned migrations for Rails 5.x (thanks to @tvongaza)
+
+## v1.5.2 (2018-09-04)
+
+### Changes
+
+- [#56] The previous release was a bit premature, this fixes some compatibility issues with Doorkeeper 5.x
+
+## v1.5.1 (2018-09-04)
+
+### Changes
+
+- [#55] This gem is now compatible with Doorkeeper 5.x
+
+## v1.5.0 (2018-06-27)
+
+### Features
+
+- [#52] Custom claims can now also be returned directly in the ID token, see the updated README for usage instructions
+
+## v1.4.0 (2018-05-31)
+
+### Upgrading
+
+- Support for Ruby versions older than 2.3 was dropped
+
+### Features
+
+- Redirect errors per Section 3.1.2.6 of OpenID Connect 1.0 (by @ryands)
+- Set `id_token` when it's nil in token response (it's used in `refresh_token` requests) (by @Miouge1)
+
+## v1.3.0 (2018-03-05)
+
+### Features
+
+- Support for Implicit Flow (`response_type=id_token` and `response_type=id_token token`),
+  see the updated README for usage instructions (by @nashby, @nhance and @stevenvegt)
+
+## v1.2.0 (2017-08-31)
+
+### Upgrading
+
+- The configuration setting `jws_private_key` was renamed to `signing_key`, you can still use the old name until it's removed in the next major release
+
+### Features
+
+- Support for pairwise subject identifiers (by @travisofthenorth)
+- Support for EC and HMAC signing algorithms (by @110y)
+- Claims now receive an optional third `access_token` argument which allow you to dynamically adjust claim values based on the client's token (by @gigr)
+
+### Bugfixes
+
+## v1.1.2 (2017-01-18)
+
+### Bugfixes
+
+- Fixes the `undefined local variable or method 'pre_auth'` error
+
+## v1.1.1 (2017-01-18)
+
+#### Upgrading
+
+- The configuration setting `jws_public_key` wasn't actually used, it's deprecated now and will be removed in the next major release
+- The undocumented shorthand `to_proc` syntax for defining claims (`claim :user, &:name`) is not supported anymore
+
+#### Features
+
+- Claims now receive an optional second `scopes` argument which allow you to dynamically adjust claim values based on the requesting applications' scopes (by @nbibler)
+- The `prompt` parameter values `login` and `consent` are now supported
+- The configuration setting `protocol` was added (by @gigr)
+
+#### Bugfixes
+
+- Standard Claims are now mapped correctly to their default scopes (by @tylerhunt)
+- Blank `nonce` parameters are now ignored
+
+#### Changes
+
+- `nil` values and empty strings are now removed from the UserInfo and IdToken responses
+- Allow `json-jwt` dependency at ~> 1.6. (by @nbibler)
+- Configuration blocks no longer internally use `instance_eval` which previously gave undocumented and unexpected `self` access to the caller (by @nbibler)
+
+## v1.1.0 (2016-11-30)
+
+This release is a general clean-up and adds support for some advanced OpenID Connect features.
+
+#### Upgrading
+
+- This version adds a table to store temporary nonces, use the generator `doorkeeper:openid_connect:migration` to create a migration
+- Implement the new configuration callbacks `auth_time_from_resource_owner` and `reauthenticate_resource_owner` to support advanced features
+
+#### Features
+
+- Add discovery endpoint	 ([a16caa8](/../../commit/a16caa8))
+- Add webfinger and keys endpoints for discovery	 ([f70898b](/../../commit/f70898b))
+- Add supported claims to discovery response	 ([1d8f9ea](/../../commit/1d8f9ea))
+- Support prompt=none parameter	 ([c775d8b](/../../commit/c775d8b))
+- Store and return nonces in IdToken responses	 ([d28ca8c](/../../commit/d28ca8c))
+- Add generator for initializer	 ([80399fd](/../../commit/80399fd))
+- Support max_age parameter	 ([aabe3aa](/../../commit/aabe3aa))
+- Respect scope grants in UserInfo response	 ([25f2170](/../../commit/25f2170))

data/LICENSE.txt

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2014 PlayOn! Sports
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,117 @@
+# Doorkeeper::OpenidConnect
+
+[![CI](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/actions/workflows/ci.yml/badge.svg)](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/actions/workflows/ci.yml)
+[![Maintainability](https://qlty.sh/gh/doorkeeper-gem/projects/doorkeeper-openid_connect/maintainability.svg)](https://qlty.sh/gh/doorkeeper-gem/projects/doorkeeper-openid_connect)
+[![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
+
+This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
+
+OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).
+
+## Table of Contents
+
+- [Status](#status)
+  - [Known Issues](#known-issues)
+  - [Example Applications](#example-applications)
+- [Installation](#installation)
+- [Configuration](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/Configuration)
+- [Development](#development)
+- [License](#license)
+- [Sponsors](#sponsors)
+
+## Status
+
+The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html) are currently supported:
+- [Authentication using the Authorization Code Flow](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
+- [Authentication using the Implicit Flow](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth)
+- [Requesting Claims using Scope Values](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
+- [UserInfo Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
+- [Normal Claims](http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims)
+- [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
+- [OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591)
+
+In addition, we also support most of [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html) for automatic configuration discovery.
+
+Take a look at the [DiscoveryController](app/controllers/doorkeeper/openid_connect/discovery_controller.rb) for more details on supported features.
+
+### Known Issues
+
+- Doorkeeper's API mode (`Doorkeeper.configuration.api_only`) is not properly supported yet
+
+### Example Applications
+
+- [GitLab](https://gitlab.com/gitlab-org/gitlab-ce) ([original MR](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8018))
+- [Testing app for this gem](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/tree/master/spec/dummy)
+
+## Installation
+
+Make sure your application is already set up with [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper#installation).
+
+Add this line to your application's `Gemfile` and run `bundle install`:
+
+```ruby
+gem 'doorkeeper-openid_connect'
+```
+
+Run the installation generator to update routes and create the initializer:
+
+```sh
+rails generate doorkeeper:openid_connect:install
+```
+
+Generate a migration for Active Record (other ORMs are currently not supported):
+
+```sh
+rails generate doorkeeper:openid_connect:migration
+rake db:migrate
+```
+
+If you're upgrading from an earlier version, check [Migration from old versions](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/Migration%E2%80%90from%E2%80%90old%E2%80%90versions)
+wiki and [CHANGELOG.md](CHANGELOG.md) for upgrade instructions.
+
+## Configuration
+
+See the [wiki](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/Configuration) for detailed configuration instructions, including:
+
+- [Scopes](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/Scopes)
+- [Claims](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/Claims)
+- [Routes](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/Routes)
+- [Nonces](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/Nonces)
+- [Internationalization (I18n)](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/I18n)
+- [Dynamic Client Registration](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/Dynamic-Client-Registration)
+
+## Development
+
+Run `bundle install` to setup all development dependencies.
+
+To run all specs:
+
+```sh
+bundle exec rake spec
+```
+
+To generate and run migrations in the test application:
+
+```sh
+bundle exec rake migrate
+```
+
+To run the local engine server:
+
+```sh
+bundle exec rake server
+```
+
+By default, the latest Rails version is used. To use a specific version run:
+
+```
+rails=7.2 bundle update
+```
+
+## License
+
+Doorkeeper::OpenidConnect is released under the [MIT License](http://www.opensource.org/licenses/MIT).
+
+## Sponsors
+
+Initial development of this project was sponsored by [PlayOn! Sports](https://github.com/playon).

data/app/controllers/concerns/doorkeeper/openid_connect/authorizations_extension.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module OpenidConnect
+    module AuthorizationsExtension
+      private
+
+      def pre_auth_param_fields
+        super.append(:nonce)
+      end
+    end
+  end
+end