oauth2 1.4.9 → 2.0.0.rc1

data/lib/oauth2/strategy/assertion.rb

@@ -10,15 +10,22 @@ module OAuth2
     #
     # Sample usage:
     #   client = OAuth2::Client.new(client_id, client_secret,
-    #                               :site => 'http://localhost:8080')
+    #                               :site => 'http://localhost:8080',
+    #                               :auth_scheme => :request_body)
     #
-    #   params = {:hmac_secret => "some secret",
-    #             # or :private_key => "private key string",
-    #             :iss => "http://localhost:3001",
-    #             :prn => "me@here.com",
-    #             :exp => Time.now.utc.to_i + 3600}
+    #   claim_set = {
+    #     :iss => "http://localhost:3001",
+    #     :aud => "http://localhost:8080/oauth2/token"
+    #     :sub => "me@example.com",
+    #     :exp => Time.now.utc.to_i + 3600,
+    #   }
     #
-    #   access = client.assertion.get_token(params)
+    #   encoding = {
+    #     :algorithm => 'HS256',
+    #     :key => 'secret_key',
+    #   }
+    #
+    #   access = client.assertion.get_token(claim_set, encoding)
     #   access.token                 # actual access_token string
     #   access.get("/api/stuff")     # making api calls with access token in header
     #
@@ -32,45 +39,63 @@ module OAuth2
 
       # Retrieve an access token given the specified client.
       #
-      # @param [Hash] params assertion params
-      # pass either :hmac_secret or :private_key, but not both.
+      # @param [Hash] claims the hash representation of the claims that should be encoded as a JWT (JSON Web Token)
+      #
+      # For reading on JWT and claim keys:
+      #   @see https://github.com/jwt/ruby-jwt
+      #   @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
+      #   @see https://datatracker.ietf.org/doc/html/rfc7523#section-3
+      #   @see https://www.iana.org/assignments/jwt/jwt.xhtml
+      #
+      # There are many possible claim keys, and applications may ask for their own custom keys.
+      # Some typically required ones:
+      #   :iss (issuer)
+      #   :aud (audience)
+      #   :sub (subject) -- formerly :prn https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token-06#appendix-F
+      #   :exp, (expiration time) -- in seconds, e.g. Time.now.utc.to_i + 3600
+      #
+      # Note that this method does *not* validate presence of those four claim keys indicated as required by RFC 7523.
+      # There are endpoints that may not conform with this RFC, and this gem should still work for those use cases.
+      #
+      # @param [Hash] encoding_opts a hash containing instructions on how the JWT should be encoded
+      # @option algorithm [String] the algorithm with which you would like the JWT to be encoded
+      # @option key [Object] the key with which you would like to encode the JWT
       #
-      #   params :hmac_secret, secret string.
-      #   params :private_key, private key string.
+      # These two options are passed directly to `JWT.encode`.  For supported encoding arguments:
+      #   @see https://github.com/jwt/ruby-jwt#algorithms-and-usage
+      #   @see https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
       #
-      #   params :iss, issuer
-      #   params :aud, audience, optional
-      #   params :prn, principal, current user
-      #   params :exp, expired at, in seconds, like Time.now.utc.to_i + 3600
+      # The object type of `:key` may depend on the value of `:algorithm`.  Sample arguments:
+      #   get_token(claim_set, {:algorithm => 'HS256', :key => 'secret_key'})
+      #   get_token(claim_set, {:algorithm => 'RS256', :key => OpenSSL::PKCS12.new(File.read('my_key.p12'), 'not_secret')})
       #
-      # @param [Hash] opts options
-      def get_token(params = {}, opts = {})
-        hash = build_request(params)
-        @client.get_token(hash, opts.merge('refresh_token' => nil))
+      # @param [Hash] request_opts options that will be used to assemble the request
+      # @option request_opts [String] :scope the url parameter `scope` that may be required by some endpoints
+      #   @see https://datatracker.ietf.org/doc/html/rfc7521#section-4.1
+      #
+      # @param [Hash] response_opts this will be merged with the token response to create the AccessToken object
+      #   @see the access_token_opts argument to Client#get_token
+
+      def get_token(claims, encoding_opts, request_opts = {}, response_opts = {})
+        assertion = build_assertion(claims, encoding_opts)
+        params = build_request(assertion, request_opts)
+
+        @client.get_token(params, response_opts.merge('refresh_token' => nil))
       end
 
-      def build_request(params)
-        assertion = build_assertion(params)
+    private
+
+      def build_request(assertion, request_opts = {})
         {
-          :grant_type => 'assertion',
-          :assertion_type => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-          :assertion => assertion,
-          :scope => params[:scope],
-        }
+          grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          assertion: assertion,
+        }.merge(request_opts)
       end
 
-      def build_assertion(params)
-        claims = {
-          :iss => params[:iss],
-          :aud => params[:aud],
-          :prn => params[:prn],
-          :exp => params[:exp],
-        }
-        if params[:hmac_secret]
-          JWT.encode(claims, params[:hmac_secret], 'HS256')
-        elsif params[:private_key]
-          JWT.encode(claims, params[:private_key], 'RS256')
-        end
+      def build_assertion(claims, encoding_opts)
+        raise ArgumentError.new(message: 'Please provide an encoding_opts hash with :algorithm and :key') if !encoding_opts.is_a?(Hash) || (%i[algorithm key] - encoding_opts.keys).any?
+
+        JWT.encode(claims, encoding_opts[:key], encoding_opts[:algorithm])
       end
     end
   end

data/lib/oauth2/strategy/auth_code.rb

@@ -17,6 +17,7 @@ module OAuth2
       #
       # @param [Hash] params additional query parameters for the URL
       def authorize_url(params = {})
+        assert_valid_params(params)
         @client.authorize_url(authorize_params.merge(params))
       end
 
@@ -28,8 +29,18 @@ module OAuth2
       # @note that you must also provide a :redirect_uri with most OAuth 2.0 providers
       def get_token(code, params = {}, opts = {})
         params = {'grant_type' => 'authorization_code', 'code' => code}.merge(@client.redirection_params).merge(params)
+        params_dup = params.dup
+        params.each_key do |key|
+          params_dup[key.to_s] = params_dup.delete(key) if key.is_a?(Symbol)
+        end
 
-        @client.get_token(params, opts)
+        @client.get_token(params_dup, opts)
+      end
+
+    private
+
+      def assert_valid_params(params)
+        raise(ArgumentError, 'client_secret is not allowed in authorize URL query params') if params.key?(:client_secret) || params.key?('client_secret')
       end
     end
   end

data/lib/oauth2/strategy/implicit.rb

@@ -17,6 +17,7 @@ module OAuth2
       #
       # @param [Hash] params additional query parameters for the URL
       def authorize_url(params = {})
+        assert_valid_params(params)
         @client.authorize_url(authorize_params.merge(params))
       end
 
@@ -26,6 +27,12 @@ module OAuth2
       def get_token(*)
         raise(NotImplementedError, 'The token is accessed differently in this strategy')
       end
+
+    private
+
+      def assert_valid_params(params)
+        raise(ArgumentError, 'client_secret is not allowed in authorize URL query params') if params.key?(:client_secret) || params.key?('client_secret')
+      end
     end
   end
 end

data/lib/oauth2/version.rb

@@ -2,36 +2,43 @@
 
 module OAuth2
   module Version
-    VERSION = to_s
+    VERSION = '2.0.0.rc1'.freeze
 
   module_function
 
+    # The version number as a string
+    #
+    # @return [String]
+    def to_s
+      VERSION
+    end
+
     # The major version
     #
     # @return [Integer]
     def major
-      1
+      to_a[0].to_i
     end
 
     # The minor version
     #
     # @return [Integer]
     def minor
-      4
+      to_a[1].to_i
     end
 
     # The patch version
     #
     # @return [Integer]
     def patch
-      9
+      to_a[2].to_i
     end
 
     # The pre-release version, if any
     #
     # @return [String, NilClass]
     def pre
-      nil
+      to_a[3]
     end
 
     # The version number as a hash
@@ -39,10 +46,10 @@ module OAuth2
     # @return [Hash]
     def to_h
       {
-        :major => major,
-        :minor => minor,
-        :patch => patch,
-        :pre => pre,
+        major: major,
+        minor: minor,
+        patch: patch,
+        pre: pre,
       }
     end
 
@@ -50,16 +57,7 @@ module OAuth2
     #
     # @return [Array]
     def to_a
-      [major, minor, patch, pre].compact
-    end
-
-    # The version number as a string
-    #
-    # @return [String]
-    def to_s
-      v = [major, minor, patch].compact.join('.')
-      v += "-#{pre}" if pre
-      v
+      VERSION.split('.')
     end
   end
 end

data/lib/oauth2.rb

@@ -1,6 +1,16 @@
 # frozen_string_literal: true
 
+# includes modules from stdlib
+require 'cgi'
+require 'time'
+
+# third party gems
+require 'rash'
+
+# includes gem files
+require 'oauth2/version'
 require 'oauth2/error'
+require 'oauth2/snaky_hash'
 require 'oauth2/authenticator'
 require 'oauth2/client'
 require 'oauth2/strategy/base'
@@ -10,5 +20,8 @@ require 'oauth2/strategy/password'
 require 'oauth2/strategy/client_credentials'
 require 'oauth2/strategy/assertion'
 require 'oauth2/access_token'
-require 'oauth2/mac_token'
 require 'oauth2/response'
+
+# The namespace of this library
+module OAuth2
+end

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-  version: 1.4.9
+  version: 2.0.0.rc1
 platform: ruby
 authors:
 - Peter Boling
 - Michael Bleigh
 - Erik Michaels-Ober
-autorequire:
+autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-02-20 00:00:00.000000000 Z
+date: 2022-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -53,123 +53,143 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: multi_json
+  name: multi_xml
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0.5'
 - !ruby/object:Gem::Dependency
-  name: multi_xml
+  name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.5'
+        version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.5'
+        version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
-  name: rack
+  name: rash_alt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '0.4'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '0.4'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: backports
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '12'
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rspec-block_is_expected
   requirement: !ruby/object:Gem::Requirement
@@ -212,6 +232,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-lts
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '8.0'
 - !ruby/object:Gem::Dependency
   name: silent_stream
   requirement: !ruby/object:Gem::Requirement
@@ -236,15 +270,17 @@ extra_rdoc_files: []
 files:
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - LICENSE
 - README.md
+- SECURITY.md
 - lib/oauth2.rb
 - lib/oauth2/access_token.rb
 - lib/oauth2/authenticator.rb
 - lib/oauth2/client.rb
 - lib/oauth2/error.rb
-- lib/oauth2/mac_token.rb
 - lib/oauth2/response.rb
+- lib/oauth2/snaky_hash.rb
 - lib/oauth2/strategy/assertion.rb
 - lib/oauth2/strategy/auth_code.rb
 - lib/oauth2/strategy/base.rb
@@ -252,33 +288,18 @@ files:
 - lib/oauth2/strategy/implicit.rb
 - lib/oauth2/strategy/password.rb
 - lib/oauth2/version.rb
-- spec/fixtures/README.md
-- spec/fixtures/RS256/jwtRS256.key
-- spec/fixtures/RS256/jwtRS256.key.pub
-- spec/helper.rb
-- spec/oauth2/access_token_spec.rb
-- spec/oauth2/authenticator_spec.rb
-- spec/oauth2/client_spec.rb
-- spec/oauth2/mac_token_spec.rb
-- spec/oauth2/response_spec.rb
-- spec/oauth2/strategy/assertion_spec.rb
-- spec/oauth2/strategy/auth_code_spec.rb
-- spec/oauth2/strategy/base_spec.rb
-- spec/oauth2/strategy/client_credentials_spec.rb
-- spec/oauth2/strategy/implicit_spec.rb
-- spec/oauth2/strategy/password_spec.rb
-- spec/oauth2/version_spec.rb
 homepage: https://github.com/oauth-xx/oauth2
 licenses:
 - MIT
 metadata:
+  homepage_uri: https://github.com/oauth-xx/oauth2
+  source_code_uri: https://github.com/oauth-xx/oauth2/tree/v2.0.0.rc1
+  changelog_uri: https://github.com/oauth-xx/oauth2/blob/v2.0.0.rc1/CHANGELOG.md
   bug_tracker_uri: https://github.com/oauth-xx/oauth2/issues
-  changelog_uri: https://github.com/oauth-xx/oauth2/blob/v1.4.9/CHANGELOG.md
-  documentation_uri: https://www.rubydoc.info/gems/oauth2/1.4.9
-  source_code_uri: https://github.com/oauth-xx/oauth2/tree/v1.4.9
+  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.0.rc1
   wiki_uri: https://github.com/oauth-xx/oauth2/wiki
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -286,31 +307,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.9.0
+      version: 2.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: 1.3.5
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 3.3.15
+signing_key: 
 specification_version: 4
 summary: A Ruby wrapper for the OAuth 2.0 protocol.
-test_files:
-- spec/fixtures/README.md
-- spec/fixtures/RS256/jwtRS256.key
-- spec/fixtures/RS256/jwtRS256.key.pub
-- spec/helper.rb
-- spec/oauth2/access_token_spec.rb
-- spec/oauth2/authenticator_spec.rb
-- spec/oauth2/client_spec.rb
-- spec/oauth2/mac_token_spec.rb
-- spec/oauth2/response_spec.rb
-- spec/oauth2/strategy/assertion_spec.rb
-- spec/oauth2/strategy/auth_code_spec.rb
-- spec/oauth2/strategy/base_spec.rb
-- spec/oauth2/strategy/client_credentials_spec.rb
-- spec/oauth2/strategy/implicit_spec.rb
-- spec/oauth2/strategy/password_spec.rb
-- spec/oauth2/version_spec.rb
+test_files: []