oauth2 2.0.16 → 2.0.18

data/SECURITY.md

@@ -12,6 +12,8 @@ To report a security vulnerability, please use the
 [Tidelift security contact](https://tidelift.com/security).
 Tidelift will coordinate the fix and disclosure.
 
+More detailed explanation of the process is in [IRP.md][IRP]
+
 ## Additional Support
 
 If you are interested in support for versions older than the latest release,
@@ -19,3 +21,4 @@ please consider sponsoring the project / maintainer @ https://liberapay.com/pbol
 or find other sponsorship links in the [README].
 
 [README]: README.md
+[IRP]: IRP.md

data/THREAT_MODEL.md

@@ -0,0 +1,85 @@
+# Threat Model Outline for oauth2 Ruby Gem
+
+## 1. Overview
+This document outlines the threat model for the `oauth2` Ruby gem, which implements OAuth 2.0, 2.1, and OIDC Core protocols. The gem is used to facilitate secure authorization and authentication in Ruby applications.
+
+## 2. Assets to Protect
+- OAuth access tokens, refresh tokens, and ID tokens
+- User credentials (if handled)
+- Client secrets and application credentials
+- Sensitive user data accessed via OAuth
+- Private keys and certificates (for signing/verifying tokens)
+
+## 3. Potential Threat Actors
+- External attackers (internet-based)
+- Malicious OAuth clients or resource servers
+- Insiders (developers, maintainers)
+- Compromised dependencies
+
+## 4. Attack Surfaces
+- OAuth endpoints (authorization, token, revocation, introspection)
+- HTTP request/response handling
+- Token storage and management
+- Configuration files and environment variables
+- Dependency supply chain
+
+## 5. Threats and Mitigations
+
+### 5.1 Token Leakage
+- **Threat:** Tokens exposed via logs, URLs, or insecure storage
+- **Mitigations:**
+  - Avoid logging sensitive tokens
+  - Use secure storage mechanisms
+  - Never expose tokens in URLs
+
+### 5.2 Token Replay and Forgery
+- **Threat:** Attackers reuse or forge tokens
+- **Mitigations:**
+  - Validate token signatures and claims
+  - Use short-lived tokens and refresh tokens
+  - Implement token revocation
+
+### 5.3 Insecure Communication
+- **Threat:** Data intercepted via MITM attacks
+- **Mitigations:**
+  - Enforce HTTPS for all communications
+  - Validate SSL/TLS certificates
+
+### 5.4 Client Secret Exposure
+- **Threat:** Client secrets leaked in code or version control
+- **Mitigations:**
+  - Store secrets in environment variables or secure vaults
+  - Never commit secrets to source control
+
+### 5.5 Dependency Vulnerabilities
+- **Threat:** Vulnerabilities in third-party libraries
+- **Mitigations:**
+  - Regularly update dependencies
+  - Use tools like `bundler-audit` for vulnerability scanning
+
+### 5.6 Improper Input Validation
+- **Threat:** Injection attacks via untrusted input
+- **Mitigations:**
+  - Validate and sanitize all inputs
+  - Use parameterized queries and safe APIs
+
+### 5.7 Insufficient Logging and Monitoring
+- **Threat:** Attacks go undetected
+- **Mitigations:**
+  - Log security-relevant events (without sensitive data)
+  - Monitor for suspicious activity
+
+## 6. Assumptions
+- The gem is used in a secure environment with up-to-date Ruby and dependencies
+- End-users are responsible for secure configuration and deployment
+
+## 7. Out of Scope
+- Security of external OAuth providers
+- Application-level business logic
+
+## 8. References
+- [OAuth 2.0 Threat Model and Security Considerations (RFC 6819)](https://tools.ietf.org/html/rfc6819)
+- [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
+
+---
+This outline should be reviewed and updated regularly as the project evolves.

data/lib/oauth2/access_token.rb

@@ -132,10 +132,15 @@ You may need to set `snaky: false`. See inline documentation for more info.
     # @option opts [FixNum, String] :expires_in (nil) the number of seconds in which the AccessToken will expire
     # @option opts [FixNum, String] :expires_at (nil) the epoch time in seconds in which AccessToken will expire
     # @option opts [FixNum, String] :expires_latency (nil) the number of seconds by which AccessToken validity will be reduced to offset latency, @version 2.0+
-    # @option opts [Symbol or callable] :mode (:header) the transmission mode of the Access Token parameter value:
-    #    either one of :header, :body or :query, or a callable that accepts a request-verb parameter
+    # @option opts [Symbol, Hash, or callable] :mode (:header) the transmission mode of the Access Token parameter value:
+    #    either one of :header, :body or :query; or a Hash with verb symbols as keys mapping to one of these symbols
+    #    (e.g., `{get: :query, post: :header, delete: :header}`); or a callable that accepts a request-verb parameter
     #    and returns one of these three symbols.
     # @option opts [String] :header_format ('Bearer %s') the string format to use for the Authorization header
+    #
+    # @example Verb-dependent Hash mode
+    #   # Send token in query for GET, in header for POST/DELETE, in body for PUT/PATCH
+    #   OAuth2::AccessToken.new(client, token, mode: {get: :query, post: :header, delete: :header, put: :body, patch: :body})
     # @option opts [String] :param_name ('access_token') the parameter name to use for transmission of the
     #    Access Token value in :body or :query transmission mode
     # @option opts [String] :token_name (nil) the name of the response parameter that identifies the access token
@@ -372,7 +377,18 @@ You may need to set `snaky: false`. See inline documentation for more info.
   private
 
     def configure_authentication!(opts, verb)
-      mode = options[:mode].respond_to?(:call) ? options[:mode].call(verb) : options[:mode]
+      mode_opt = options[:mode]
+      mode =
+        if mode_opt.respond_to?(:call)
+          mode_opt.call(verb)
+        elsif mode_opt.is_a?(Hash)
+          key = verb.to_sym
+          # Try symbol key first, then string key; default to :header when missing
+          mode_opt[key] || mode_opt[key.to_s] || :header
+        else
+          mode_opt
+        end
+
       case mode
       when :header
         opts[:headers] ||= {}

data/lib/oauth2/strategy/assertion.rb

@@ -66,8 +66,8 @@ module OAuth2
       #   @see https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
       #
       # The object type of `:key` may depend on the value of `:algorithm`.  Sample arguments:
-      #   get_token(claim_set, {:algorithm => 'HS256', :key => 'secret_key'})
-      #   get_token(claim_set, {:algorithm => 'RS256', :key => OpenSSL::PKCS12.new(File.read('my_key.p12'), 'not_secret')})
+      #   `get_token(claim_set, {:algorithm => 'HS256', :key => 'secret_key'})`
+      #   `get_token(claim_set, {:algorithm => 'RS256', :key => OpenSSL::PKCS12.new(File.read('my_key.p12'), 'not_secret')})`
       #
       # @param [Hash] request_opts options that will be used to assemble the request
       # @option request_opts [String] :scope the url parameter `scope` that may be required by some endpoints

data/lib/oauth2/version.rb

@@ -2,6 +2,6 @@
 
 module OAuth2
   module Version
-    VERSION = "2.0.16"
+    VERSION = "2.0.18"
   end
 end

data/sig/oauth2/access_token.rbs

@@ -17,7 +17,7 @@ module OAuth2
     def patch: (String, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
     def delete: (String, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
     def headers: () -> Hash[String, String]
-    def configure_authentication!: (Hash[Symbol, untyped]) -> void
+    def configure_authentication!: (Hash[Symbol, untyped], Symbol) -> void
     def convert_expires_at: (untyped) -> (Time | Integer | nil)
 
     attr_accessor response: OAuth2::Response

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-  version: 2.0.16
+  version: 2.0.18
 platform: ruby
 authors:
 - Peter Boling
@@ -156,7 +156,7 @@ dependencies:
         version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.8
+        version: 1.1.9
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -166,7 +166,7 @@ dependencies:
         version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.8
+        version: 1.1.9
 - !ruby/object:Gem::Dependency
   name: addressable
   requirement: !ruby/object:Gem::Requirement
@@ -228,9 +228,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.1.9
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -238,9 +235,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.1.9
 - !ruby/object:Gem::Dependency
   name: bundler-audit
   requirement: !ruby/object:Gem::Requirement
@@ -310,33 +304,19 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: rspec-pending_for
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.17
+        version: 1.0.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.0'
+        version: '1.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.17
+        version: 1.0.6
 - !ruby/object:Gem::Dependency
   name: ruby-progressbar
   requirement: !ruby/object:Gem::Requirement
@@ -411,34 +391,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.25.1
-- !ruby/object:Gem::Dependency
-  name: vcr
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '4'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '4'
-- !ruby/object:Gem::Dependency
-  name: webmock
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3'
 description: "\U0001F510 A Ruby wrapper for the OAuth 2.0 Authorization Framework,
   including the OAuth 2.1 draft spec, and OpenID Connect (OIDC)"
 email:
@@ -452,24 +404,28 @@ extra_rdoc_files:
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - FUNDING.md
+- IRP.md
 - LICENSE.txt
 - OIDC.md
 - README.md
 - REEK
 - RUBOCOP.md
 - SECURITY.md
+- THREAT_MODEL.md
 files:
 - CHANGELOG.md
 - CITATION.cff
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - FUNDING.md
+- IRP.md
 - LICENSE.txt
 - OIDC.md
 - README.md
 - REEK
 - RUBOCOP.md
 - SECURITY.md
+- THREAT_MODEL.md
 - lib/oauth2.rb
 - lib/oauth2/access_token.rb
 - lib/oauth2/authenticator.rb
@@ -498,10 +454,10 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://oauth2.galtzo.com/
-  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.16
-  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.16/CHANGELOG.md
+  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.18
+  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.18/CHANGELOG.md
   bug_tracker_uri: https://github.com/ruby-oauth/oauth2/issues
-  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.16
+  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.18
   mailing_list_uri: https://groups.google.com/g/oauth-ruby
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://gitlab.com/ruby-oauth/oauth2/-/wiki
@@ -510,11 +466,11 @@ metadata:
   rubygems_mfa_required: 'true'
 post_install_message: |2
 
-  ---+++--- oauth2 v2.0.16 ---+++---
+  ---+++--- oauth2 v2.0.18 ---+++---
 
   (minor) ⚠️ BREAKING CHANGES ⚠️ when upgrading from < v2
   • Summary of breaking changes: https://gitlab.com/ruby-oauth/oauth2#what-is-new-for-v20
-  • Changes in this patch: https://gitlab.com/ruby-oauth/oauth2/-/blob/v2.0.16/CHANGELOG.md#2015-2025-09-08
+  • Changes in this patch: https://gitlab.com/ruby-oauth/oauth2/-/blob/v2.0.18/CHANGELOG.md#2015-2025-09-08
 
   News:
   1. New documentation website, including for OAuth 2.1 and OIDC: https://oauth2.galtzo.com