oauth2 1.4.9 → 2.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +83 -23
- data/CONTRIBUTING.md +18 -0
- data/README.md +163 -77
- data/SECURITY.md +20 -0
- data/lib/oauth2/access_token.rb +28 -19
- data/lib/oauth2/authenticator.rb +9 -4
- data/lib/oauth2/client.rb +76 -60
- data/lib/oauth2/error.rb +27 -18
- data/lib/oauth2/response.rb +61 -19
- data/lib/oauth2/snaky_hash.rb +8 -0
- data/lib/oauth2/strategy/assertion.rb +63 -38
- data/lib/oauth2/strategy/auth_code.rb +12 -1
- data/lib/oauth2/strategy/implicit.rb +7 -0
- data/lib/oauth2/version.rb +1 -59
- data/lib/oauth2.rb +19 -1
- metadata +96 -77
- data/lib/oauth2/mac_token.rb +0 -130
- data/spec/fixtures/README.md +0 -11
- data/spec/fixtures/RS256/jwtRS256.key +0 -51
- data/spec/fixtures/RS256/jwtRS256.key.pub +0 -14
- data/spec/helper.rb +0 -33
- data/spec/oauth2/access_token_spec.rb +0 -218
- data/spec/oauth2/authenticator_spec.rb +0 -86
- data/spec/oauth2/client_spec.rb +0 -556
- data/spec/oauth2/mac_token_spec.rb +0 -122
- data/spec/oauth2/response_spec.rb +0 -96
- data/spec/oauth2/strategy/assertion_spec.rb +0 -113
- data/spec/oauth2/strategy/auth_code_spec.rb +0 -108
- data/spec/oauth2/strategy/base_spec.rb +0 -7
- data/spec/oauth2/strategy/client_credentials_spec.rb +0 -71
- data/spec/oauth2/strategy/implicit_spec.rb +0 -28
- data/spec/oauth2/strategy/password_spec.rb +0 -58
- data/spec/oauth2/version_spec.rb +0 -23
data/README.md
CHANGED
@@ -1,8 +1,8 @@
|
|
1
1
|
<p align="center">
|
2
|
-
<a href="http://oauth.net/2/" target="_blank" rel="noopener
|
2
|
+
<a href="http://oauth.net/2/" target="_blank" rel="noopener">
|
3
3
|
<img src="https://github.com/oauth-xx/oauth2/raw/master/docs/images/logo/oauth2-logo-124px.png?raw=true" alt="OAuth 2.0 Logo by Chris Messina, CC BY-SA 3.0">
|
4
4
|
</a>
|
5
|
-
<a href="https://www.ruby-lang.org/" target="_blank" rel="noopener
|
5
|
+
<a href="https://www.ruby-lang.org/" target="_blank" rel="noopener">
|
6
6
|
<img width="124px" src="https://github.com/oauth-xx/oauth2/raw/master/docs/images/logo/ruby-logo-198px.svg?raw=true" alt="Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5">
|
7
7
|
</a>
|
8
8
|
</p>
|
@@ -15,29 +15,37 @@ OAuth 2.0 focuses on client developer simplicity while providing specific author
|
|
15
15
|
This is a RubyGem for implementing OAuth 2.0 clients and servers in Ruby applications.
|
16
16
|
See the sibling `oauth` gem for OAuth 1.0 implementations in Ruby.
|
17
17
|
|
18
|
-
⚠️ **_WARNING_**: You are viewing the `README` of the soon-to-be-deprecated `1-4-stable`
|
19
|
-
branch which for version 1.4.x releases. Version 2.0 is coming! ⚠️
|
20
|
-
|
21
18
|
---
|
22
19
|
|
23
20
|
* [OAuth 2.0 Spec][oauth2-spec]
|
24
|
-
* [
|
25
|
-
* Help us finish release [![2.0.0 release milestone][next-milestone-pct-img]][next-milestone-pct] by submitting or reviewing PRs and issues.
|
26
|
-
* Oauth2 gem is _always_ looking for additional maintainers. See [#307][maintainers-discussion].
|
21
|
+
* [oauth sibling gem][sibling-gem] for OAuth 1.0 implementations in Ruby.
|
27
22
|
|
28
23
|
[oauth2-spec]: https://oauth.net/2/
|
29
24
|
[sibling-gem]: https://github.com/oauth-xx/oauth-ruby
|
30
25
|
[next-milestone-pct]: https://github.com/oauth-xx/oauth2/milestone/1
|
31
26
|
[next-milestone-pct-img]: https://img.shields.io/github/milestones/progress-percent/oauth-xx/oauth2/1
|
32
|
-
[maintainers-discussion]: https://github.com/oauth-xx/oauth2/issues/307
|
33
27
|
|
34
28
|
## Release Documentation
|
35
29
|
|
30
|
+
### Version 2.0.x
|
31
|
+
|
32
|
+
<details>
|
33
|
+
<summary>2.0.x Readmes</summary>
|
34
|
+
|
35
|
+
| Version | Release Date | Readme |
|
36
|
+
|---------|--------------|----------------------------------------------------------|
|
37
|
+
| 2.0.1 | 2022-06-22 | https://github.com/oauth-xx/oauth2/blob/master/README.md |
|
38
|
+
| 2.0.0 | 2022-06-21 | https://github.com/oauth-xx/oauth2/blob/v2.0.0/README.md |
|
39
|
+
</details>
|
40
|
+
|
41
|
+
### Older Releases
|
42
|
+
|
36
43
|
<details>
|
37
44
|
<summary>1.4.x Readmes</summary>
|
38
45
|
|
39
46
|
| Version | Release Date | Readme |
|
40
47
|
|---------|--------------|----------------------------------------------------------|
|
48
|
+
| 1.4.9 | Feb 20, 2022 | https://github.com/oauth-xx/oauth2/blob/v1.4.9/README.md |
|
41
49
|
| 1.4.8 | Feb 18, 2022 | https://github.com/oauth-xx/oauth2/blob/v1.4.8/README.md |
|
42
50
|
| 1.4.7 | Mar 19, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.7/README.md |
|
43
51
|
| 1.4.6 | Mar 19, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.6/README.md |
|
@@ -69,6 +77,8 @@ branch which for version 1.4.x releases. Version 2.0 is coming! ⚠️
|
|
69
77
|
| < 1.0.0 | Find here | https://github.com/oauth-xx/oauth2/tags |
|
70
78
|
</details>
|
71
79
|
|
80
|
+
## Status
|
81
|
+
|
72
82
|
<!--
|
73
83
|
Numbering rows and badges in each row as a visual "database" lookup,
|
74
84
|
as the table is extremely dense, and it can be very difficult to find anything
|
@@ -91,17 +101,20 @@ badge #s:
|
|
91
101
|
🖐
|
92
102
|
🧮
|
93
103
|
📗
|
104
|
+
|
105
|
+
appended indicators:
|
106
|
+
♻️ - URL needs to be updated from SASS integration. Find / Replace is insufficient.
|
94
107
|
-->
|
95
108
|
|
96
|
-
| | Project | oauth2
|
97
|
-
|
98
|
-
| 1️⃣ | name, license, docs | [![RubyGems.org][⛳️name-img]][⛳️gem] [![License: MIT][🖇src-license-img]][🖇src-license] [![FOSSA][🏘fossa-img]][🏘fossa] [![RubyDoc.info][🚎yard-img]][🚎yard] [![InchCI][🖐inch-ci-img]][🚎yard]
|
99
|
-
| 2️⃣ | version & activity | [![Gem Version][⛳️version-img]][⛳️gem] [![Total Downloads][🖇DL-total-img]][⛳️gem] [![Download Rank][🏘DL-rank-img]][⛳️gem] [![Source Code][🚎src-home-img]][🚎src-home] [![Open PRs][🖐prs-
|
100
|
-
| 3️⃣ | maintanence & linting | [![Maintainability][⛳cclim-maint-img]][⛳cclim-maint] [![Helpers][🖇triage-help-img]][🖇triage-help] [![Depfu][🏘depfu-img]][🏘depfu] [![Contributors][🚎contributors-img]][🚎contributors] [![Style][🖐style-wf-img]][🖐style-wf] [![Kloc Roll][🧮kloc-img]][🧮kloc]
|
101
|
-
| 4️⃣ | testing | [![
|
102
|
-
| 5️⃣ | coverage & security | [![CodeClimate][⛳cclim-cov-img]][⛳cclim-cov] [![CodeCov][🖇codecov-img]][🖇codecov] [![Coveralls][🏘coveralls-img]][🏘coveralls] [![Security Policy][🚎sec-pol-img]][🚎sec-pol] [![CodeQL][🖐codeQL-img]][🖐codeQL]
|
103
|
-
| 6️⃣ | resources | [![Discussion][⛳gh-discussions-img]][⛳gh-discussions] [![Get help on Codementor][🖇codementor-img]][🖇codementor] [![Chat][🏘chat-img]][🏘chat] [![Blog][🚎blog-img]][🚎blog] [![Blog][🖐wiki-img]][🖐wiki]
|
104
|
-
| 7️⃣ | spread 💖 | [![Liberapay Patrons][⛳liberapay-img]][⛳liberapay] [![Sponsor Me][🖇sponsor-img]][🖇sponsor] [![Tweet @ Peter][🏘tweet-img]][🏘tweet] [🌏][aboutme] [👼][angelme] [💻][coderme] [🌹][politicme]
|
109
|
+
| | Project | bundle add oauth2 |
|
110
|
+
|:----|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
111
|
+
| 1️⃣ | name, license, docs | [![RubyGems.org][⛳️name-img]][⛳️gem] [![License: MIT][🖇src-license-img]][🖇src-license] [![FOSSA][🏘fossa-img]][🏘fossa] [![RubyDoc.info][🚎yard-img]][🚎yard] [![InchCI][🖐inch-ci-img]][🚎yard] |
|
112
|
+
| 2️⃣ | version & activity | [![Gem Version][⛳️version-img]][⛳️gem] [![Total Downloads][🖇DL-total-img]][⛳️gem] [![Download Rank][🏘DL-rank-img]][⛳️gem] [![Source Code][🚎src-home-img]][🚎src-home] [![Open PRs][🖐prs-o-img]][🖐prs-o] [![Closed PRs][🧮prs-c-img]][🧮prs-c] [![Next Version][📗next-img]][📗next] |
|
113
|
+
| 3️⃣ | maintanence & linting | [![Maintainability][⛳cclim-maint-img♻️]][⛳cclim-maint] [![Helpers][🖇triage-help-img]][🖇triage-help] [![Depfu][🏘depfu-img♻️]][🏘depfu♻️] [![Contributors][🚎contributors-img]][🚎contributors] [![Style][🖐style-wf-img]][🖐style-wf] [![Kloc Roll][🧮kloc-img]][🧮kloc] |
|
114
|
+
| 4️⃣ | testing | [![Open Issues][⛳iss-o-img]][⛳iss-o] [![Closed Issues][🖇iss-c-img]][🖇iss-c] [![Supported][🏘sup-wf-img]][🏘sup-wf] [![Heads][🚎heads-wf-img]][🚎heads-wf] [![Unofficial Support][🖐uns-wf-img]][🖐uns-wf] [![MacOS][🧮mac-wf-img]][🧮mac-wf] [![Windows][📗win-wf-img]][📗win-wf] |
|
115
|
+
| 5️⃣ | coverage & security | [![CodeClimate][⛳cclim-cov-img♻️]][⛳cclim-cov] [![CodeCov][🖇codecov-img♻️]][🖇codecov] [![Coveralls][🏘coveralls-img]][🏘coveralls] [![Security Policy][🚎sec-pol-img]][🚎sec-pol] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Code Coverage][🧮cov-wf-img]][🧮cov-wf] |
|
116
|
+
| 6️⃣ | resources | [![Discussion][⛳gh-discussions-img]][⛳gh-discussions] [![Get help on Codementor][🖇codementor-img]][🖇codementor] [![Chat][🏘chat-img]][🏘chat] [![Blog][🚎blog-img]][🚎blog] [![Blog][🖐wiki-img]][🖐wiki] |
|
117
|
+
| 7️⃣ | spread 💖 | [![Liberapay Patrons][⛳liberapay-img]][⛳liberapay] [![Sponsor Me][🖇sponsor-img]][🖇sponsor] [![Tweet @ Peter][🏘tweet-img]][🏘tweet] [🌏][aboutme] [👼][angelme] [💻][coderme] [🌹][politicme] |
|
105
118
|
|
106
119
|
<!--
|
107
120
|
The link tokens in the following sections should be kept ordered by the row and badge numbering scheme
|
@@ -124,18 +137,20 @@ The link tokens in the following sections should be kept ordered by the row and
|
|
124
137
|
[🏘DL-rank-img]: https://img.shields.io/gem/rt/oauth2.svg
|
125
138
|
[🚎src-home]: https://github.com/oauth-xx/oauth2
|
126
139
|
[🚎src-home-img]: https://img.shields.io/badge/source-github-brightgreen.svg?style=flat
|
127
|
-
[🖐prs-
|
128
|
-
[🖐prs-
|
129
|
-
[🧮prs-
|
130
|
-
[🧮prs-
|
140
|
+
[🖐prs-o]: https://github.com/oauth-xx/oauth2/pulls
|
141
|
+
[🖐prs-o-img]: https://img.shields.io/github/issues-pr/oauth-xx/oauth2
|
142
|
+
[🧮prs-c]: https://github.com/oauth-xx/oauth2/pulls?q=is%3Apr+is%3Aclosed
|
143
|
+
[🧮prs-c-img]: https://img.shields.io/github/issues-pr-closed/oauth-xx/oauth2
|
144
|
+
[📗next]: https://github.com/oauth-xx/oauth2/milestone/12
|
145
|
+
[📗next-img]: https://img.shields.io/github/milestones/progress/oauth-xx/oauth2/12?label=Next%20Version
|
131
146
|
|
132
147
|
<!-- 3️⃣ maintanence & linting -->
|
133
148
|
[⛳cclim-maint]: https://codeclimate.com/github/oauth-xx/oauth2/maintainability
|
134
|
-
[⛳cclim-maint-img]: https://api.codeclimate.com/v1/badges/688c612528ff90a46955/maintainability
|
149
|
+
[⛳cclim-maint-img♻️]: https://api.codeclimate.com/v1/badges/688c612528ff90a46955/maintainability
|
135
150
|
[🖇triage-help]: https://www.codetriage.com/oauth-xx/oauth2
|
136
151
|
[🖇triage-help-img]: https://www.codetriage.com/oauth-xx/oauth2/badges/users.svg
|
137
|
-
[🏘depfu]: https://depfu.com/github/oauth-xx/oauth2?project_id=4445
|
138
|
-
[🏘depfu-img]: https://badges.depfu.com/badges/6d34dc1ba682bbdf9ae2a97848241743/count.svg
|
152
|
+
[🏘depfu♻️]: https://depfu.com/github/oauth-xx/oauth2?project_id=4445
|
153
|
+
[🏘depfu-img♻️]: https://badges.depfu.com/badges/6d34dc1ba682bbdf9ae2a97848241743/count.svg
|
139
154
|
[🚎contributors]: https://github.com/oauth-xx/oauth2/graphs/contributors
|
140
155
|
[🚎contributors-img]: https://img.shields.io/github/contributors-anon/oauth-xx/oauth2
|
141
156
|
[🖐style-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/style.yml
|
@@ -144,28 +159,34 @@ The link tokens in the following sections should be kept ordered by the row and
|
|
144
159
|
[🧮kloc-img]: https://img.shields.io/tokei/lines/github.com/oauth-xx/oauth2
|
145
160
|
|
146
161
|
<!-- 4️⃣ testing -->
|
147
|
-
[
|
148
|
-
[
|
149
|
-
[🖇
|
150
|
-
[🖇
|
151
|
-
[🏘
|
152
|
-
[🏘
|
153
|
-
[🚎
|
154
|
-
[🚎
|
155
|
-
[🖐
|
156
|
-
[🖐
|
162
|
+
[⛳iss-o]: https://github.com/oauth-xx/oauth2/issues
|
163
|
+
[⛳iss-o-img]: https://img.shields.io/github/issues-raw/oauth-xx/oauth2
|
164
|
+
[🖇iss-c]: https://github.com/oauth-xx/oauth2/issues?q=is%3Aissue+is%3Aclosed
|
165
|
+
[🖇iss-c-img]: https://img.shields.io/github/issues-closed-raw/oauth-xx/oauth2
|
166
|
+
[🏘sup-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/supported.yml
|
167
|
+
[🏘sup-wf-img]: https://github.com/oauth-xx/oauth2/actions/workflows/supported.yml/badge.svg
|
168
|
+
[🚎heads-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/heads.yml
|
169
|
+
[🚎heads-wf-img]: https://github.com/oauth-xx/oauth2/actions/workflows/heads.yml/badge.svg
|
170
|
+
[🖐uns-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/unsupported.yml
|
171
|
+
[🖐uns-wf-img]: https://github.com/oauth-xx/oauth2/actions/workflows/unsupported.yml/badge.svg
|
172
|
+
[🧮mac-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/macos.yml
|
173
|
+
[🧮mac-wf-img]: https://github.com/oauth-xx/oauth2/actions/workflows/macos.yml/badge.svg
|
174
|
+
[📗win-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/windows.yml
|
175
|
+
[📗win-wf-img]: https://github.com/oauth-xx/oauth2/actions/workflows/windows.yml/badge.svg
|
157
176
|
|
158
177
|
<!-- 5️⃣ coverage & security -->
|
159
178
|
[⛳cclim-cov]: https://codeclimate.com/github/oauth-xx/oauth2/test_coverage
|
160
|
-
[⛳cclim-cov-img]: https://api.codeclimate.com/v1/badges/688c612528ff90a46955/test_coverage
|
161
|
-
[🖇codecov-img]: https://codecov.io/gh/oauth-xx/oauth2/branch/
|
179
|
+
[⛳cclim-cov-img♻️]: https://api.codeclimate.com/v1/badges/688c612528ff90a46955/test_coverage
|
180
|
+
[🖇codecov-img♻️]: https://codecov.io/gh/oauth-xx/oauth2/branch/master/graph/badge.svg?token=bNqSzNiuo2
|
162
181
|
[🖇codecov]: https://codecov.io/gh/oauth-xx/oauth2
|
163
|
-
[🏘coveralls]: https://coveralls.io/github/oauth-xx/oauth2?branch=
|
164
|
-
[🏘coveralls-img]: https://coveralls.io/repos/github/oauth-xx/oauth2/badge.svg?branch=
|
182
|
+
[🏘coveralls]: https://coveralls.io/github/oauth-xx/oauth2?branch=master
|
183
|
+
[🏘coveralls-img]: https://coveralls.io/repos/github/oauth-xx/oauth2/badge.svg?branch=master
|
165
184
|
[🚎sec-pol]: https://github.com/oauth-xx/oauth2/blob/master/SECURITY.md
|
166
185
|
[🚎sec-pol-img]: https://img.shields.io/badge/security-policy-brightgreen.svg?style=flat
|
167
186
|
[🖐codeQL]: https://github.com/oauth-xx/oauth2/security/code-scanning
|
168
187
|
[🖐codeQL-img]: https://github.com/oauth-xx/oauth2/actions/workflows/codeql-analysis.yml/badge.svg
|
188
|
+
[🧮cov-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/coverage.yml
|
189
|
+
[🧮cov-wf-img]: https://github.com/oauth-xx/oauth2/actions/workflows/coverage.yml/badge.svg
|
169
190
|
|
170
191
|
<!-- 6️⃣ resources -->
|
171
192
|
[⛳gh-discussions]: https://github.com/oauth-xx/oauth2/discussions
|
@@ -195,29 +216,51 @@ The link tokens in the following sections should be kept ordered by the row and
|
|
195
216
|
[coderme]:http://coderwall.com/pboling
|
196
217
|
[politicme]: https://nationalprogressiveparty.org
|
197
218
|
|
198
|
-
|
199
219
|
## Installation
|
200
220
|
|
201
|
-
|
202
|
-
gem install oauth2
|
203
|
-
```
|
221
|
+
Install the gem and add to the application's Gemfile by executing:
|
204
222
|
|
205
|
-
|
223
|
+
$ bundle add oauth2
|
206
224
|
|
207
|
-
|
208
|
-
|
209
|
-
|
210
|
-
|
211
|
-
|
212
|
-
|
213
|
-
|
225
|
+
If bundler is not being used to manage dependencies, install the gem by executing:
|
226
|
+
|
227
|
+
$ gem install oauth2
|
228
|
+
|
229
|
+
## OAuth2 for Enterprise
|
230
|
+
|
231
|
+
Available as part of the Tidelift Subscription.
|
232
|
+
|
233
|
+
The maintainers of OAuth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-oauth2?utm_source=rubygems-oauth2&utm_medium=referral&utm_campaign=enterprise)
|
214
234
|
|
235
|
+
## Security contact information
|
236
|
+
|
237
|
+
To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security).
|
238
|
+
Tidelift will coordinate the fix and disclosure.
|
239
|
+
|
240
|
+
For more see [SECURITY.md][🚎sec-pol].
|
241
|
+
|
242
|
+
## What is new for v2.0?
|
243
|
+
|
244
|
+
- Officially support Ruby versions >= 2.7
|
245
|
+
- Unofficially support Ruby versions >= 2.5
|
246
|
+
- Incidentally support Ruby versions >= 2.2
|
247
|
+
- Drop support for the expired MAC Draft (all versions)
|
248
|
+
- Support IETF rfc7523 JWT Bearer Tokens
|
249
|
+
- Support IETF rfc7231 Relative Location in Redirect
|
250
|
+
- Support IETF rfc6749 Don't set oauth params when nil
|
251
|
+
- Support [OIDC 1.0 Private Key JWT](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication); based on the OAuth JWT assertion specification [(RFC 7523)](https://tools.ietf.org/html/rfc7523)
|
252
|
+
- Support new formats, including from [jsonapi.org](http://jsonapi.org/format/): `application/vdn.api+json`, `application/vnd.collection+json`, `application/hal+json`, `application/problem+json`
|
253
|
+
- Adds new option to `OAuth2::Client#get_token`:
|
254
|
+
- `:access_token_class` (`AccessToken`); user specified class to use for all calls to `get_token`
|
255
|
+
- Adds new option to `OAuth2::AccessToken#initialize`:
|
256
|
+
- `:expires_latency` (`nil`); number of seconds by which AccessToken validity will be reduced to offset latency
|
257
|
+
- [... A lot more](https://github.com/oauth-xx/oauth2/blob/master/CHANGELOG.md#2.0.0)
|
215
258
|
|
216
259
|
## Compatibility
|
217
260
|
|
218
261
|
Targeted ruby compatibility is non-EOL versions of Ruby, currently 2.7, 3.0 and
|
219
262
|
3.1. Compatibility is further distinguished by supported and unsupported versions of Ruby.
|
220
|
-
Ruby is limited to
|
263
|
+
Ruby is limited to 2.2+ for 2.x releases. See `1-4-stable` branch for older rubies.
|
221
264
|
|
222
265
|
<details>
|
223
266
|
<summary>Ruby Engine Compatibility Policy</summary>
|
@@ -249,28 +292,57 @@ of a major release, support for that Ruby version may be dropped.
|
|
249
292
|
|
250
293
|
| | Ruby OAuth 2 Version | Maintenance Branch | Supported Officially | Supported Unofficially | Supported Incidentally |
|
251
294
|
|:----|----------------------|--------------------|-------------------------|------------------------|------------------------|
|
252
|
-
| 1️⃣ | 2.0.x
|
253
|
-
| 2️⃣ | 1.4.x | `1-4-stable` | 2.5, 2.6, 2.7, 3.0, 3.1 | 2.1, 2.2, 2.3, 2.4 |
|
295
|
+
| 1️⃣ | 2.0.x | `master` | 2.7, 3.0, 3.1 | 2.5, 2.6 | 2.2, 2.3, 2.4 |
|
296
|
+
| 2️⃣ | 1.4.x | `1-4-stable` | 2.5, 2.6, 2.7, 3.0, 3.1 | 2.1, 2.2, 2.3, 2.4 | 1.9, 2.0 |
|
254
297
|
| 3️⃣ | older | N/A | Best of luck to you! | Please upgrade! | |
|
255
298
|
|
256
|
-
NOTE:
|
299
|
+
NOTE: The 1.4 series will only receive critical bug and security updates.
|
257
300
|
See [SECURITY.md][🚎sec-pol]
|
258
301
|
|
259
302
|
## Usage Examples
|
260
303
|
|
304
|
+
### `authorize_url` and `token_url` are on site root (Just Works!)
|
305
|
+
|
261
306
|
```ruby
|
262
307
|
require 'oauth2'
|
263
|
-
client = OAuth2::Client.new('client_id', 'client_secret', :
|
308
|
+
client = OAuth2::Client.new('client_id', 'client_secret', site: 'https://example.org')
|
309
|
+
# => #<OAuth2::Client:0x00000001204c8288 @id="client_id", @secret="client_sec...
|
310
|
+
client.auth_code.authorize_url(redirect_uri: 'http://localhost:8080/oauth2/callback')
|
311
|
+
# => "https://example.org/oauth/authorize?client_id=client_id&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth2%2Fcallback&response_type=code"
|
264
312
|
|
265
|
-
client.auth_code.
|
266
|
-
|
267
|
-
|
268
|
-
token = client.auth_code.get_token('authorization_code_value', :redirect_uri => 'http://localhost:8080/oauth2/callback', :headers => {'Authorization' => 'Basic some_password'})
|
269
|
-
response = token.get('/api/resource', :params => {'query_foo' => 'bar'})
|
313
|
+
access = client.auth_code.get_token('authorization_code_value', redirect_uri: 'http://localhost:8080/oauth2/callback', headers: {'Authorization' => 'Basic some_password'})
|
314
|
+
response = access.get('/api/resource', params: {'query_foo' => 'bar'})
|
270
315
|
response.class.name
|
271
316
|
# => OAuth2::Response
|
272
317
|
```
|
273
318
|
|
319
|
+
### Relative `authorize_url` and `token_url` (Not on site root, Just Works!)
|
320
|
+
|
321
|
+
In above example, the default Authorization URL is `oauth/authorize` and default Access Token URL is `oauth/token`, and, as they are missing a leading `/`, both are relative.
|
322
|
+
|
323
|
+
```ruby
|
324
|
+
client = OAuth2::Client.new('client_id', 'client_secret', site: 'https://example.org/nested/directory/on/your/server')
|
325
|
+
# => #<OAuth2::Client:0x00000001204c8288 @id="client_id", @secret="client_sec...
|
326
|
+
client.auth_code.authorize_url(redirect_uri: 'http://localhost:8080/oauth2/callback')
|
327
|
+
# => "https://example.org/nested/directory/on/your/server/oauth/authorize?client_id=client_id&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth2%2Fcallback&response_type=code"
|
328
|
+
```
|
329
|
+
|
330
|
+
### Customize `authorize_url` and `token_url`
|
331
|
+
|
332
|
+
You can specify custom URLs for authorization and access token, and when using a leading `/` they will _not be relative_, as shown below:
|
333
|
+
|
334
|
+
```ruby
|
335
|
+
client = OAuth2::Client.new('client_id', 'client_secret',
|
336
|
+
site: 'https://example.org/nested/directory/on/your/server',
|
337
|
+
authorize_url: '/jaunty/authorize/',
|
338
|
+
token_url: '/stirrups/access_token')
|
339
|
+
# => #<OAuth2::Client:0x00000001204c8288 @id="client_id", @secret="client_sec...
|
340
|
+
client.auth_code.authorize_url(redirect_uri: 'http://localhost:8080/oauth2/callback')
|
341
|
+
# => "https://example.org/jaunty/authorize/?client_id=client_id&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth2%2Fcallback&response_type=code"
|
342
|
+
client.class.name
|
343
|
+
# => OAuth2::Client
|
344
|
+
```
|
345
|
+
|
274
346
|
<details>
|
275
347
|
<summary>Debugging</summary>
|
276
348
|
|
@@ -289,8 +361,8 @@ require 'oauth2'
|
|
289
361
|
client = OAuth2::Client.new(
|
290
362
|
'client_id',
|
291
363
|
'client_secret',
|
292
|
-
:
|
293
|
-
:
|
364
|
+
site: 'https://example.org',
|
365
|
+
logger: Logger.new('example.log', 'weekly')
|
294
366
|
)
|
295
367
|
```
|
296
368
|
</details>
|
@@ -331,28 +403,42 @@ Response instance will contain the `OAuth2::Error` instance.
|
|
331
403
|
|
332
404
|
Currently the Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials, and Assertion
|
333
405
|
authentication grant types have helper strategy classes that simplify client
|
334
|
-
use. They are available via the `#auth_code
|
406
|
+
use. They are available via the [`#auth_code`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/auth_code.rb), [`#implicit`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/implicit.rb), [`#password`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/password.rb), [`#client_credentials`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/client_credentials.rb), and [`#assertion`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/assertion.rb) methods respectively.
|
335
407
|
|
408
|
+
These aren't full examples, but demonstrative of the differences between usage for each strategy.
|
336
409
|
```ruby
|
337
|
-
auth_url = client.auth_code.authorize_url(:
|
338
|
-
|
410
|
+
auth_url = client.auth_code.authorize_url(redirect_uri: 'http://localhost:8080/oauth/callback')
|
411
|
+
access = client.auth_code.get_token('code_value', redirect_uri: 'http://localhost:8080/oauth/callback')
|
339
412
|
|
340
|
-
auth_url = client.implicit.authorize_url(:
|
413
|
+
auth_url = client.implicit.authorize_url(redirect_uri: 'http://localhost:8080/oauth/callback')
|
341
414
|
# get the token params in the callback and
|
342
|
-
|
343
|
-
|
344
|
-
|
345
|
-
|
346
|
-
|
347
|
-
|
348
|
-
|
415
|
+
access = OAuth2::AccessToken.from_kvform(client, query_string)
|
416
|
+
|
417
|
+
access = client.password.get_token('username', 'password')
|
418
|
+
|
419
|
+
access = client.client_credentials.get_token
|
420
|
+
|
421
|
+
# Client Assertion Strategy
|
422
|
+
# see: https://tools.ietf.org/html/rfc7523
|
423
|
+
claimset = {
|
424
|
+
:iss => "http://localhost:3001",
|
425
|
+
:aud => "http://localhost:8080/oauth2/token",
|
426
|
+
:sub => "me@example.com",
|
427
|
+
:exp => Time.now.utc.to_i + 3600
|
428
|
+
}
|
429
|
+
assertion_params = [claimset, 'HS256', 'secret_key']
|
430
|
+
access = client.assertion.get_token(assertion_params)
|
431
|
+
|
432
|
+
# The `access` (i.e. access token) is then used like so:
|
433
|
+
access.token # actual access_token string, if you need it somewhere
|
434
|
+
access.get("/api/stuff") # making api calls with access token
|
349
435
|
```
|
350
436
|
|
351
437
|
If you want to specify additional headers to be sent out with the
|
352
438
|
request, add a 'headers' hash under 'params':
|
353
439
|
|
354
440
|
```ruby
|
355
|
-
|
441
|
+
access = client.auth_code.get_token('code_value', redirect_uri: 'http://localhost:8080/oauth/callback', headers: {'Some' => 'Header'})
|
356
442
|
```
|
357
443
|
|
358
444
|
You can always use the `#request` method on the `OAuth2::Client` instance to make
|
@@ -373,7 +459,7 @@ dependency on this gem using the [Pessimistic Version Constraint][pvc] with two
|
|
373
459
|
For example:
|
374
460
|
|
375
461
|
```ruby
|
376
|
-
spec.add_dependency 'oauth2', '~>
|
462
|
+
spec.add_dependency 'oauth2', '~> 2.0'
|
377
463
|
```
|
378
464
|
|
379
465
|
[semver]: http://semver.org/
|
@@ -395,7 +481,7 @@ spec.add_dependency 'oauth2', '~> 1.4'
|
|
395
481
|
|
396
482
|
## Development
|
397
483
|
|
398
|
-
After checking out the repo, run `
|
484
|
+
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
399
485
|
|
400
486
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
401
487
|
|
data/SECURITY.md
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
# Security Policy
|
2
|
+
|
3
|
+
## Supported Versions
|
4
|
+
|
5
|
+
| Version | Supported |
|
6
|
+
|--------------|-----------|
|
7
|
+
| 2.0.<latest> | ✅ |
|
8
|
+
| 1.4.<latest> | ✅ |
|
9
|
+
| older | ⛔️ |
|
10
|
+
|
11
|
+
## Reporting a Vulnerability
|
12
|
+
|
13
|
+
To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security).
|
14
|
+
Tidelift will coordinate the fix and disclosure.
|
15
|
+
|
16
|
+
## OAuth2 for Enterprise
|
17
|
+
|
18
|
+
Available as part of the Tidelift Subscription.
|
19
|
+
|
20
|
+
The maintainers of oauth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-oauth2?utm_source=rubygems-oauth2&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
|
data/lib/oauth2/access_token.rb
CHANGED
@@ -1,33 +1,36 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
module OAuth2
|
4
|
-
class AccessToken
|
5
|
-
attr_reader :client, :token, :expires_in, :expires_at, :params
|
6
|
-
attr_accessor :options, :refresh_token
|
4
|
+
class AccessToken # rubocop:disable Metrics/ClassLength
|
5
|
+
attr_reader :client, :token, :expires_in, :expires_at, :expires_latency, :params
|
6
|
+
attr_accessor :options, :refresh_token, :response
|
7
7
|
|
8
|
-
# Should these methods be deprecated?
|
9
8
|
class << self
|
10
9
|
# Initializes an AccessToken from a Hash
|
11
10
|
#
|
12
|
-
# @param [Client] the OAuth2::Client instance
|
13
|
-
# @param [Hash] a hash of AccessToken property values
|
14
|
-
# @return [AccessToken] the
|
11
|
+
# @param client [Client] the OAuth2::Client instance
|
12
|
+
# @param hash [Hash] a hash of AccessToken property values
|
13
|
+
# @return [AccessToken] the initialized AccessToken
|
15
14
|
def from_hash(client, hash)
|
16
15
|
hash = hash.dup
|
17
|
-
new(client, hash.delete('access_token') || hash.delete(:access_token), hash)
|
16
|
+
new(client, hash.delete('access_token') || hash.delete(:access_token) || hash.delete('token') || hash.delete(:token), hash)
|
18
17
|
end
|
19
18
|
|
20
19
|
# Initializes an AccessToken from a key/value application/x-www-form-urlencoded string
|
21
20
|
#
|
22
21
|
# @param [Client] client the OAuth2::Client instance
|
23
22
|
# @param [String] kvform the application/x-www-form-urlencoded string
|
24
|
-
# @return [AccessToken] the
|
23
|
+
# @return [AccessToken] the initialized AccessToken
|
25
24
|
def from_kvform(client, kvform)
|
26
25
|
from_hash(client, Rack::Utils.parse_query(kvform))
|
27
26
|
end
|
27
|
+
|
28
|
+
def contains_token?(hash)
|
29
|
+
hash.key?('access_token') || hash.key?('id_token') || hash.key?('token')
|
30
|
+
end
|
28
31
|
end
|
29
32
|
|
30
|
-
#
|
33
|
+
# Initialize an AccessToken
|
31
34
|
#
|
32
35
|
# @param [Client] client the OAuth2::Client instance
|
33
36
|
# @param [String] token the Access Token value
|
@@ -35,6 +38,7 @@ module OAuth2
|
|
35
38
|
# @option opts [String] :refresh_token (nil) the refresh_token value
|
36
39
|
# @option opts [FixNum, String] :expires_in (nil) the number of seconds in which the AccessToken will expire
|
37
40
|
# @option opts [FixNum, String] :expires_at (nil) the epoch time in seconds in which AccessToken will expire
|
41
|
+
# @option opts [FixNum, String] :expires_latency (nil) the number of seconds by which AccessToken validity will be reduced to offset latency, @version 2.0+
|
38
42
|
# @option opts [Symbol] :mode (:header) the transmission mode of the Access Token parameter value
|
39
43
|
# one of :header, :body or :query
|
40
44
|
# @option opts [String] :header_format ('Bearer %s') the string format to use for the Authorization header
|
@@ -44,16 +48,18 @@ module OAuth2
|
|
44
48
|
@client = client
|
45
49
|
@token = token.to_s
|
46
50
|
opts = opts.dup
|
47
|
-
[
|
51
|
+
%i[refresh_token expires_in expires_at expires_latency].each do |arg|
|
48
52
|
instance_variable_set("@#{arg}", opts.delete(arg) || opts.delete(arg.to_s))
|
49
53
|
end
|
50
54
|
@expires_in ||= opts.delete('expires')
|
51
55
|
@expires_in &&= @expires_in.to_i
|
52
56
|
@expires_at &&= convert_expires_at(@expires_at)
|
57
|
+
@expires_latency &&= @expires_latency.to_i
|
53
58
|
@expires_at ||= Time.now.to_i + @expires_in if @expires_in
|
54
|
-
@
|
55
|
-
|
56
|
-
:
|
59
|
+
@expires_at -= @expires_latency if @expires_latency
|
60
|
+
@options = {mode: opts.delete(:mode) || :header,
|
61
|
+
header_format: opts.delete(:header_format) || 'Bearer %s',
|
62
|
+
param_name: opts.delete(:param_name) || 'access_token'}
|
57
63
|
@params = opts
|
58
64
|
end
|
59
65
|
|
@@ -75,29 +81,32 @@ module OAuth2
|
|
75
81
|
#
|
76
82
|
# @return [Boolean]
|
77
83
|
def expired?
|
78
|
-
expires? && (expires_at
|
84
|
+
expires? && (expires_at <= Time.now.to_i)
|
79
85
|
end
|
80
86
|
|
81
87
|
# Refreshes the current Access Token
|
82
88
|
#
|
83
89
|
# @return [AccessToken] a new AccessToken
|
84
90
|
# @note options should be carried over to the new AccessToken
|
85
|
-
def refresh
|
91
|
+
def refresh(params = {}, access_token_opts = {}, access_token_class: self.class)
|
86
92
|
raise('A refresh_token is not available') unless refresh_token
|
87
93
|
|
88
94
|
params[:grant_type] = 'refresh_token'
|
89
95
|
params[:refresh_token] = refresh_token
|
90
|
-
new_token = @client.get_token(params)
|
96
|
+
new_token = @client.get_token(params, access_token_opts, access_token_class: access_token_class)
|
91
97
|
new_token.options = options
|
92
98
|
new_token.refresh_token = refresh_token unless new_token.refresh_token
|
93
99
|
new_token
|
94
100
|
end
|
101
|
+
# A compatibility alias
|
102
|
+
# @note does not modify the receiver, so bang is not the default method
|
103
|
+
alias refresh! refresh
|
95
104
|
|
96
105
|
# Convert AccessToken to a hash which can be used to rebuild itself with AccessToken.from_hash
|
97
106
|
#
|
98
107
|
# @return [Hash] a hash of AccessToken property values
|
99
108
|
def to_hash
|
100
|
-
params.merge(:
|
109
|
+
params.merge(access_token: token, refresh_token: refresh_token, expires_at: expires_at)
|
101
110
|
end
|
102
111
|
|
103
112
|
# Make a request with the Access Token
|
@@ -166,7 +175,7 @@ module OAuth2
|
|
166
175
|
if opts[:body].is_a?(Hash)
|
167
176
|
opts[:body][options[:param_name]] = token
|
168
177
|
else
|
169
|
-
opts[:body]
|
178
|
+
opts[:body] += "&#{options[:param_name]}=#{token}"
|
170
179
|
end
|
171
180
|
# @todo support for multi-part (file uploads)
|
172
181
|
else
|
data/lib/oauth2/authenticator.rb
CHANGED
@@ -37,7 +37,7 @@ module OAuth2
|
|
37
37
|
end
|
38
38
|
|
39
39
|
def self.encode_basic_auth(user, password)
|
40
|
-
|
40
|
+
"Basic #{Base64.strict_encode64("#{user}:#{password}")}"
|
41
41
|
end
|
42
42
|
|
43
43
|
private
|
@@ -45,13 +45,18 @@ module OAuth2
|
|
45
45
|
# Adds client_id and client_secret request parameters if they are not
|
46
46
|
# already set.
|
47
47
|
def apply_params_auth(params)
|
48
|
-
|
48
|
+
result = {}
|
49
|
+
result['client_id'] = id unless id.nil?
|
50
|
+
result['client_secret'] = secret unless secret.nil?
|
51
|
+
result.merge(params)
|
49
52
|
end
|
50
53
|
|
51
54
|
# When using schemes that don't require the client_secret to be passed i.e TLS Client Auth,
|
52
55
|
# we don't want to send the secret
|
53
56
|
def apply_client_id(params)
|
54
|
-
|
57
|
+
result = {}
|
58
|
+
result['client_id'] = id unless id.nil?
|
59
|
+
result.merge(params)
|
55
60
|
end
|
56
61
|
|
57
62
|
# Adds an `Authorization` header with Basic Auth credentials if and only if
|
@@ -59,7 +64,7 @@ module OAuth2
|
|
59
64
|
def apply_basic_auth(params)
|
60
65
|
headers = params.fetch(:headers, {})
|
61
66
|
headers = basic_auth_header.merge(headers)
|
62
|
-
params.merge(:
|
67
|
+
params.merge(headers: headers)
|
63
68
|
end
|
64
69
|
|
65
70
|
# @see https://datatracker.ietf.org/doc/html/rfc2617#section-2
|