oauth2 1.4.8 → 1.4.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f9cd34855e4a7388c32053dbf97a38dafc04685818b1de1244a5782944ba742d
-  data.tar.gz: e763de5d77201cfb9661458882d4a52a87268804a7455207b72f997815abba74
+  metadata.gz: ecc51b3695e669f4853934aa43c64de29380877340685e35e44ccc1be8957226
+  data.tar.gz: aa8e0e388084a5374743b1fc7122fd85729f41876fdbe9d679a441813cb3e10c
 SHA512:
-  metadata.gz: 5b0ee6b53136ba7ef8cb6614eba4bd8af80dfc274dfc0cc857e07edfcfe8a3e6f6f59e38144581c4509c3a674e7f8a6ce7389e7f2f27dae02536b07e63815bb6
-  data.tar.gz: 0ad35386515cdca17ef71ad5a7e6c98851532ea6549de173b6131289147f0745f8ae992b5d0ff49fb300125873495c81eb81f4fd48b1d0898e88f94e57bb33f1
+  metadata.gz: 06c89fbcf461bc08dce02c484b7fef1284d31bed026c606bf966fe85ca351451063763e9c580e9f716bd7a811e0dd8d2f0b3572df5190724dcaf0c539fd9d4aa
+  data.tar.gz: cf59ec61aa6d7e7c595ff2b5ea73a24441364300ba846efb52508907568ed5aa62619b69dec6428bbfbd341540a4d802709b03703e431fc83ed1de9634d10523

data/CHANGELOG.md

@@ -3,6 +3,15 @@ All notable changes to this project will be documented in this file.
 
 ## unreleased
 
+## [1.4.9] - 2022-02-20
+
+- Fixes compatibility with Faraday v2 [572](https://github.com/oauth-xx/oauth2/issues/572)
+- Includes supported versions of Faraday in test matrix:
+  - Faraday ~> 2.2.0 with Ruby >= 2.6
+  - Faraday ~> 1.10 with Ruby >= 2.4
+  - Faraday ~> 0.17.3 with Ruby >= 1.9
+- Add Windows and MacOS to test matrix
+
 ## [1.4.8] - 2022-02-18
 
 - MFA is now required to push new gem versions (@pboling)

data/README.md

@@ -39,8 +39,8 @@ branch which for version 1.4.x releases. Version 2.0 is coming! ⚠️
 | Version | Release Date | Readme                                                   |
 |---------|--------------|----------------------------------------------------------|
 | 1.4.8   | Feb 18, 2022 | https://github.com/oauth-xx/oauth2/blob/v1.4.8/README.md |
-| 1.4.7   | Mar 18, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.7/README.md |
-| 1.4.6   | Mar 18, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.6/README.md |
+| 1.4.7   | Mar 19, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.7/README.md |
+| 1.4.6   | Mar 19, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.6/README.md |
 | 1.4.5   | Mar 18, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.5/README.md |
 | 1.4.4   | Feb 12, 2020 | https://github.com/oauth-xx/oauth2/blob/v1.4.4/README.md |
 | 1.4.3   | Jan 29, 2020 | https://github.com/oauth-xx/oauth2/blob/v1.4.3/README.md |

data/lib/oauth2/access_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OAuth2
   class AccessToken
     attr_reader :client, :token, :expires_in, :expires_at, :params
@@ -38,7 +40,7 @@ module OAuth2
     # @option opts [String] :header_format ('Bearer %s') the string format to use for the Authorization header
     # @option opts [String] :param_name ('access_token') the parameter name to use for transmission of the
     #    Access Token value in :body or :query transmission mode
-    def initialize(client, token, opts = {}) # rubocop:disable Metrics/AbcSize
+    def initialize(client, token, opts = {})
       @client = client
       @token = token.to_s
       opts = opts.dup
@@ -151,7 +153,7 @@ module OAuth2
 
   private
 
-    def configure_authentication!(opts) # rubocop:disable Metrics/AbcSize
+    def configure_authentication!(opts)
       case options[:mode]
       when :header
         opts[:headers] ||= {}

data/lib/oauth2/authenticator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'base64'
 
 module OAuth2
@@ -60,7 +62,7 @@ module OAuth2
       params.merge(:headers => headers)
     end
 
-    # @see https://tools.ietf.org/html/rfc2617#section-2
+    # @see https://datatracker.ietf.org/doc/html/rfc2617#section-2
     def basic_auth_header
       {'Authorization' => self.class.encode_basic_auth(id, secret)}
     end

data/lib/oauth2/client.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 require 'faraday'
 require 'logger'
 
 module OAuth2
+  ConnectionError = Class.new(Faraday::ConnectionFailed)
   # The OAuth2::Client class
   class Client # rubocop:disable Metrics/ClassLength
     RESERVED_PARAM_KEYS = %w[headers parse].freeze
@@ -16,17 +19,18 @@ module OAuth2
     #
     # @param [String] client_id the client_id value
     # @param [String] client_secret the client_secret value
-    # @param [Hash] opts the options to create the client with
-    # @option opts [String] :site the OAuth2 provider site host
-    # @option opts [String] :redirect_uri the absolute URI to the Redirection Endpoint for use in authorization grants and token exchange
-    # @option opts [String] :authorize_url ('/oauth/authorize') absolute or relative URL path to the Authorization endpoint
-    # @option opts [String] :token_url ('/oauth/token') absolute or relative URL path to the Token endpoint
-    # @option opts [Symbol] :token_method (:post) HTTP method to use to request token (:get or :post)
-    # @option opts [Symbol] :auth_scheme (:basic_auth) HTTP method to use to authorize request (:basic_auth or :request_body)
-    # @option opts [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday with
-    # @option opts [FixNum] :max_redirects (5) maximum number of redirects to follow
-    # @option opts [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error on responses with 400+ status codes
-    # @option opts [Proc] :extract_access_token  proc that extracts the access token from the response
+    # @param [Hash] options the options to create the client with
+    # @option options [String] :site the OAuth2 provider site host
+    # @option options [String] :redirect_uri the absolute URI to the Redirection Endpoint for use in authorization grants and token exchange
+    # @option options [String] :authorize_url ('oauth/authorize') absolute or relative URL path to the Authorization endpoint
+    # @option options [String] :token_url ('oauth/token') absolute or relative URL path to the Token endpoint
+    # @option options [Symbol] :token_method (:post) HTTP method to use to request token (:get or :post)
+    # @option options [Symbol] :auth_scheme (:basic_auth) HTTP method to use to authorize request (:basic_auth or :request_body)
+    # @option options [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday with
+    # @option options [FixNum] :max_redirects (5) maximum number of redirects to follow
+    # @option options [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error on responses with 400+ status codes
+    # @option options [Logger] :logger (::Logger.new($stdout)) which logger to use when OAUTH_DEBUG is enabled
+    # @option options [Proc] (DEPRECATED) :extract_access_token  proc that extracts the access token from the response
     # @yield [builder] The Faraday connection builder
     def initialize(client_id, client_secret, options = {}, &block)
       opts = options.dup
@@ -34,24 +38,22 @@ module OAuth2
       @secret = client_secret
       @site = opts.delete(:site)
       ssl = opts.delete(:ssl)
-
-      @options = {
-        :authorize_url => '/oauth/authorize',
-        :token_url => '/oauth/token',
-        :token_method => :post,
-        :auth_scheme => :request_body,
-        :connection_opts => {},
-        :connection_build => block,
-        :max_redirects => 5,
-        :raise_errors => true,
-        :extract_access_token => DEFAULT_EXTRACT_ACCESS_TOKEN,
-      }.merge(opts)
+      @options = {:authorize_url => 'oauth/authorize',
+                  :token_url => 'oauth/token',
+                  :token_method => :post,
+                  :auth_scheme => :request_body,
+                  :connection_opts => {},
+                  :connection_build => block,
+                  :max_redirects => 5,
+                  :raise_errors => true,
+                  :extract_access_token => DEFAULT_EXTRACT_ACCESS_TOKEN, # DEPRECATED
+                  :logger => ::Logger.new($stdout)}.merge(opts)
       @options[:connection_opts][:ssl] = ssl if ssl
     end
 
     # Set the site host
     #
-    # @param [String] the OAuth2 provider site host
+    # @param value [String] the OAuth2 provider site host
     def site=(value)
       @connection = nil
       @site = value
@@ -61,8 +63,12 @@ module OAuth2
     def connection
       @connection ||=
         Faraday.new(site, options[:connection_opts]) do |builder|
+          oauth_debug_logging(builder)
           if options[:connection_build]
             options[:connection_build].call(builder)
+          else
+            builder.request :url_encoded             # form-encode POST params
+            builder.adapter Faraday.default_adapter  # make requests with Net::HTTP
           end
         end
     end
@@ -94,15 +100,18 @@ module OAuth2
     #   code response for this request.  Will default to client option
     # @option opts [Symbol] :parse @see Response::initialize
     # @yield [req] The Faraday request
-    def request(verb, url, opts = {}) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
-      connection.response :logger, ::Logger.new($stdout) if ENV['OAUTH_DEBUG'] == 'true'
-
+    def request(verb, url, opts = {}) # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize
       url = connection.build_url(url).to_s
 
-      response = connection.run_request(verb, url, opts[:body], opts[:headers]) do |req|
-        req.params.update(opts[:params]) if opts[:params]
-        yield(req) if block_given?
+      begin
+        response = connection.run_request(verb, url, opts[:body], opts[:headers]) do |req|
+          req.params.update(opts[:params]) if opts[:params]
+          yield(req) if block_given?
+        end
+      rescue Faraday::ConnectionFailed => e
+        raise ConnectionError, e
       end
+
       response = Response.new(response, :parse => opts[:parse])
 
       case response.status
@@ -115,7 +124,13 @@ module OAuth2
           verb = :get
           opts.delete(:body)
         end
-        request(verb, response.headers['location'], opts)
+        location = response.headers['location']
+        if location
+          request(verb, location, opts)
+        else
+          error = Error.new(response)
+          raise(error, "Got #{response.status} status code, but no Location header was present")
+        end
       when 200..299, 300..399
         # on non-redirecting 3xx statuses, just return the response
         response
@@ -133,11 +148,11 @@ module OAuth2
 
     # Initializes an AccessToken by making a request to the token endpoint
     #
-    # @param [Hash] params a Hash of params for the token endpoint
-    # @param [Hash] access token options, to pass to the AccessToken object
-    # @param [Class] class of access token for easier subclassing OAuth2::AccessToken
+    # @param params [Hash] a Hash of params for the token endpoint
+    # @param access_token_opts [Hash] access token options, to pass to the AccessToken object
+    # @param access_token_class [Class] class of access token for easier subclassing OAuth2::AccessToken
     # @return [AccessToken] the initialized AccessToken
-    def get_token(params, access_token_opts = {}, extract_access_token = options[:extract_access_token]) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+    def get_token(params, access_token_opts = {}, extract_access_token = options[:extract_access_token]) # # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity Metrics/AbcSize, Metrics/MethodLength
       params = params.map do |key, value|
         if RESERVED_PARAM_KEYS.include?(key)
           [key.to_sym, value]
@@ -147,7 +162,7 @@ module OAuth2
       end
       params = Hash[params]
 
-      params = Authenticator.new(id, secret, options[:auth_scheme]).apply(params)
+      params = authenticator.apply(params)
       opts = {:raise_errors => options[:raise_errors], :parse => params.delete(:parse)}
       headers = params.delete(:headers) || {}
       if options[:token_method] == :post
@@ -157,8 +172,9 @@ module OAuth2
         opts[:params] = params
         opts[:headers] = {}
       end
-      opts[:headers].merge!(headers)
-      response = request(options[:token_method], token_url, opts)
+      opts[:headers] = opts[:headers].merge(headers)
+      http_method = options[:token_method]
+      response = request(http_method, token_url, opts)
 
       access_token = begin
         build_access_token(response, access_token_opts, extract_access_token)
@@ -166,37 +182,45 @@ module OAuth2
         nil
       end
 
-      if options[:raise_errors] && !access_token
+      response_contains_token = access_token || (
+                                  response.parsed.is_a?(Hash) &&
+                                  (response.parsed['access_token'] || response.parsed['id_token'])
+                                )
+
+      if options[:raise_errors] && !response_contains_token
         error = Error.new(response)
         raise(error)
+      elsif !response_contains_token
+        return nil
       end
+
       access_token
     end
 
     # The Authorization Code strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.1
     def auth_code
       @auth_code ||= OAuth2::Strategy::AuthCode.new(self)
     end
 
     # The Implicit strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.2
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-26#section-4.2
     def implicit
       @implicit ||= OAuth2::Strategy::Implicit.new(self)
     end
 
     # The Resource Owner Password Credentials strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.3
     def password
       @password ||= OAuth2::Strategy::Password.new(self)
     end
 
     # The Client Credentials strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.4
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.4
     def client_credentials
       @client_credentials ||= OAuth2::Strategy::ClientCredentials.new(self)
     end
@@ -216,10 +240,10 @@ module OAuth2
     #
     # @api semipublic
     #
-    # @see https://tools.ietf.org/html/rfc6749#section-4.1
-    # @see https://tools.ietf.org/html/rfc6749#section-4.1.3
-    # @see https://tools.ietf.org/html/rfc6749#section-4.2.1
-    # @see https://tools.ietf.org/html/rfc6749#section-10.6
+    # @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1
+    # @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
+    # @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.1
+    # @see https://datatracker.ietf.org/doc/html/rfc6749#section-10.6
     # @return [Hash] the params to add to a request or URL
     def redirection_params
       if options[:redirect_uri]
@@ -236,19 +260,33 @@ module OAuth2
 
   private
 
+    # Returns the authenticator object
+    #
+    # @return [Authenticator] the initialized Authenticator
+    def authenticator
+      Authenticator.new(id, secret, options[:auth_scheme])
+    end
+
+    # Builds the access token from the response of the HTTP call
+    #
+    # @return [AccessToken] the initialized AccessToken
     def build_access_token(response, access_token_opts, extract_access_token)
       parsed_response = response.parsed.dup
       return unless parsed_response.is_a?(Hash)
 
       hash = parsed_response.merge(access_token_opts)
 
-      # Provide backwards compatibility for old AcessToken.form_hash pattern
-      # Should be deprecated in 2.x
+      # Provide backwards compatibility for old AccessToken.form_hash pattern
+      # Will be deprecated in 2.x
       if extract_access_token.is_a?(Class) && extract_access_token.respond_to?(:from_hash)
         extract_access_token.from_hash(self, hash)
       else
         extract_access_token.call(self, hash)
       end
     end
+
+    def oauth_debug_logging(builder)
+      builder.response :logger, options[:logger], :bodies => true if ENV['OAUTH_DEBUG'] == 'true'
+    end
   end
 end

data/lib/oauth2/error.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OAuth2
   class Error < StandardError
     attr_reader :response, :code, :description

data/lib/oauth2/mac_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'base64'
 require 'digest'
 require 'openssl'

data/lib/oauth2/response.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'multi_json'
 require 'multi_xml'
 require 'rack'

data/lib/oauth2/strategy/assertion.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 require 'jwt'
 
 module OAuth2
   module Strategy
     # The Client Assertion Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.3
+    # @see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-10#section-4.1.3
     #
     # Sample usage:
     #   client = OAuth2::Client.new(client_id, client_secret,

data/lib/oauth2/strategy/auth_code.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     # The Authorization Code Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.1
     class AuthCode < Base
       # The required query parameters for the authorize URL
       #

data/lib/oauth2/strategy/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     class Base

data/lib/oauth2/strategy/client_credentials.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     # The Client Credentials Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.4
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.4
     class ClientCredentials < Base
       # Not used for this strategy
       #

data/lib/oauth2/strategy/implicit.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     # The Implicit Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.2
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-26#section-4.2
     class Implicit < Base
       # The required query parameters for the authorize URL
       #

data/lib/oauth2/strategy/password.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     # The Resource Owner Password Credentials Authorization Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.3
     class Password < Base
       # Not used for this strategy
       #

data/lib/oauth2/version.rb

@@ -24,7 +24,7 @@ module OAuth2
     #
     # @return [Integer]
     def patch
-      8
+      9
     end
 
     # The pre-release version, if any

data/lib/oauth2.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'oauth2/error'
 require 'oauth2/authenticator'
 require 'oauth2/client'

data/spec/fixtures/README.md

@@ -0,0 +1,11 @@
+# RS256
+
+## How keys were made
+
+```shell
+# No passphrase
+# Generates the public and private keys:
+ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
+# Converts the key to PEM format
+openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
+```

data/spec/fixtures/RS256/jwtRS256.key

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKwIBAAKCAgEA5hdXV/4YSymY1T9VNvK2bWRfulwIty1RnAPNINQmfh3aRRkV
++PNrbC2Crji9G0AHmQwgW1bZ3kgkkpIm6RVn44fHvBvuXkZ9ABgXw0d2cLIHmwOF
+xSKmWAm/EW//GszUTLLLsMZUe2udtFJW0jxXB2GRY0WVYuo6Oo58RCeP719lw3Ag
+s0YF9/IobxKkGd4BautUPw6ZszAa3o+j0zR74x7ouPxybZAOuPsMxqanyeYJeH4o
+sJjLMYV9qem9uG2sj7GENJ8UszcpmGbqxBhexPEB7mgDeONIF0XJF23zdOf8ANE5
+mAU2h2v7M6moAfkdUzJ+j48+VT2omHAzAL5yNcmrl2xiWdyoxOw1Y1UmfEmJYV5V
+gGYyZ12JZRKY+szPT+vR+MDuYxbquF40O7kvkFNBfL1yCpzfSQCLnEs4rX8qRzZX
+ciLeyq4Ht5FLuRFgxjA//XI8LAmp0u7gk+Q7FUH1UgW3kmJDTG0XaxQxYTBSIO7m
+cmyjDyBgKVuQmt5E1ycFeteOVdPD/CG/fPYhthvc4UytEFwsMdNy3iD6/wuUH68t
+AKam28UZaOb0qK+00cQQD8fulY9rKtSL10LvJFWUOa/SJyLvk9vUmfvFn182il1n
+X6GpyxyMmE/FCnH4CT/DjrSZf08mOO8eL5ofYHMK/oiXr1eODqx+pOwClNsCAwEA
+AQKCAgEAy34vMFI4WBk04rx9d/hWoQ7Znu8QgjihaZLvEy6t0HJEfUH/bcqS4fyq
+C72Aeh452gCgiUeZrf4t4jdCFHhrBg8q9dHaEiTTHocwVPPZ6zd4hH8sCrpnVYth
+IWHkw2YOCLtEbFYrl3AI7Na5lHvrGEsREzQSN4Yh83Has0guAy1iyeNb+FFgq/XO
+DtX0ri/rHw1717zo8FIGIXn2EK/lNWw7tIcICKAUdUMK/JGd6XD6RUeGYxDu/CAs
+kF55/Sd6Kyd7XjKnUwzhS7kRvlYzUog4BgqVr4+LTZHZlFAYtfcJqAtinXFW1ZQJ
+eZp9TSlt5wvMZNjx7t92QUNRyEGmrQAU+8COHnT0/drFf0MCiyHSUN0E7/5fswhc
+uMSU9XiJA9G0wYvJl4zIuOuIYWZWhIqvjYSkvdlP70t9XO2gk/ZcCWsMW8i+xbwC
+w1+MMjsKsNedXxI99TIPPHcCNMxqlt1E1kHH3SAwCuEH/ez7PRMyEQQ0EyAk22x/
+piYIWXkX5835cLbLRIYafXgOiugWZjCwIqfRIcIpscmcijZwCF2DyevveYdx3krR
+FGA2PFydFyxCNG7XwvKb9kHb7WBERUPV/H3eCqu2SZ/RvF+I94LUYP4bu6CmFdO9
+wCJcGJoL1P7tVhS9lA5Oj0QWczrjnejCoI9XMMduWk032rR1VYECggEBAPZDnTBY
+H2uiVmGdMfWTAmX86kiHVpkL03OG6rgvDMsMOYKnik9Lb3gNeUIuPeAWFNrXCoD1
+qp0loxPhKSojNOOM8Yiz/GwQ/QI9dzgtxs7E7rFFyTuJcY48Do8uOFyUHbAbeOBF
+b9UL/uBfWZGVV1YY753xyqYlCpxTVQGms1jsbVFdZE1iVpOwAkFVuoLYaHLut4zB
+01ORyBSoWan173P+IQH6F1uNXE2Kk/FIMDN6bgP1pXkdkrTx4WjAmRnP/Sc4r38/
+F1xN+gxnWGPUKDVRPYBpVzDR036w65ODgg2FROK2vIxlStiAC/rc0JLsvaWfb1Rn
+dsWdJJ1V6mZ6a5sCggEBAO8wC1jcIoiBz3xoA8E5BSt8qLJ7ZuSFaaidvWX2/xj6
+lSWJxCGQfhR7P6ozvH6UDo1WbJT6nNyXPkiDkAzcmAdsYVjULW3K2LI9oPajaJxY
+L7KJpylgh9JhMvbMz3VVjTgYRt+kjX+3uFMZNx1YfiBP+S6xx5sjK9CKDz3H99kC
+q9bX95YFqZ7yFE3aBCR6CENo2tXpMN96CLQGpwa0bwt3xNzC4MhZMXbGR3DdBYbD
+tS9lJfQvAVUYxbSE/2FBgjpO6ArMyU2ZUEDFx9J6IhfhVbQV4VeITMyRNo0XwBiQ
+/+XpLXgHkw7LiNMIoc7d+M7yLA1Vz7+r8XxWHHZCL8ECggEBAPK8VrYORno7e1Wg
+MlxS2WxZzTxMWmlkpLoc5END7SI/HHjSV5wtSORWs40uM0MrwMasa+gNPmzDamjv
+6Tllln4ssO8EKe0DGcAZgefYBzxMFNKbbOzIXyvJurga4Ocv/8tUaOL2znJ67nGO
+yqSbRYjR724JpKv7mufXo9SK0gD2mhI3MeSs55WPScnIjJzoXpva/QU7D+gxq7vg
+7PCAP9RfS329W0Sco7yyuXx8oTY8mTBB8ybcpXzBZmNwY/hzcJ42W5XbRFVxbuTH
+APL1beSP/UUTkCPIzuTz0mCGoaxeDjZB1Lu2I/4eyLAu80+/FneoHX5etU23xR1o
+UDFOvb0CggEBALTTc6CoPAtLaBs7X6tSelAYHEli9bTKD8kEB83wX4b42ozYjEh7
+vnWpf8Yi+twO/rlnnws6NCCoztNvcxXmJ6FlFGtdbULV2eFWqjwL6ehY2yZ03sVv
+Tv+DsE3ZJPYlyW+hGuO0uazWrilUpNAwuJmhHFdq2+azPkqYNVGVvhB37oWsHGd0
+vHmHtkXtDris8VZVDSwu8V3iGnZPmTJ+cn0O/OuRAPM2SyjqWdQ/pA/wIShFpd3n
+M3CsG7uP2KokJloCkXaov39E6uEtJRZAc0nudyaAbC4Kw1Tca4tba0SnSm78S/20
+bD8BLN2uZvXH5nQ9rYQfXcIgMZ64UygsfYECggEBAIw0fQaIVmafa0Hz3ipD4PJI
+5QNkh2t9hvOCSKm1xYTNATl0q/VIkZoy1WoxY6SSchcObLxQKbJ9ORi4XNr+IJK5
+3C1Qz/3iv/S3/ktgmqGhQiqybkkHZcbqTXB2wxrx+aaLS7PEfYiuYCrPbX93160k
+MVns8PjvYU8KCNMbL2e+AiKEt1KkKAZIpNQdeeJOEhV9wuLYFosd400aYssuSOVW
+IkJhGI0lT/7FDJaw0LV98DhQtauANPSUQKN5iw6vciwtsaF1kXMfGlMXj58ntiMq
+NizQPR6/Ar1ewLPMh1exDoAfLnCIMk8nbSraW+cebLAZctPugUpfpu3j2LM98aE=
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/RS256/jwtRS256.key.pub

@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5hdXV/4YSymY1T9VNvK2
+bWRfulwIty1RnAPNINQmfh3aRRkV+PNrbC2Crji9G0AHmQwgW1bZ3kgkkpIm6RVn
+44fHvBvuXkZ9ABgXw0d2cLIHmwOFxSKmWAm/EW//GszUTLLLsMZUe2udtFJW0jxX
+B2GRY0WVYuo6Oo58RCeP719lw3Ags0YF9/IobxKkGd4BautUPw6ZszAa3o+j0zR7
+4x7ouPxybZAOuPsMxqanyeYJeH4osJjLMYV9qem9uG2sj7GENJ8UszcpmGbqxBhe
+xPEB7mgDeONIF0XJF23zdOf8ANE5mAU2h2v7M6moAfkdUzJ+j48+VT2omHAzAL5y
+Ncmrl2xiWdyoxOw1Y1UmfEmJYV5VgGYyZ12JZRKY+szPT+vR+MDuYxbquF40O7kv
+kFNBfL1yCpzfSQCLnEs4rX8qRzZXciLeyq4Ht5FLuRFgxjA//XI8LAmp0u7gk+Q7
+FUH1UgW3kmJDTG0XaxQxYTBSIO7mcmyjDyBgKVuQmt5E1ycFeteOVdPD/CG/fPYh
+thvc4UytEFwsMdNy3iD6/wuUH68tAKam28UZaOb0qK+00cQQD8fulY9rKtSL10Lv
+JFWUOa/SJyLvk9vUmfvFn182il1nX6GpyxyMmE/FCnH4CT/DjrSZf08mOO8eL5of
+YHMK/oiXr1eODqx+pOwClNsCAwEAAQ==
+-----END PUBLIC KEY-----

data/spec/helper.rb

@@ -1,12 +1,15 @@
+# frozen_string_literal: true
+
 DEBUG = ENV['DEBUG'] == 'true'
+RUN_COVERAGE = ENV['CI_CODECOV'] || ENV['CI'].nil?
 
 ruby_version = Gem::Version.new(RUBY_VERSION)
 minimum_version = ->(version) { ruby_version >= Gem::Version.new(version) && RUBY_ENGINE == 'ruby' }
-coverage = minimum_version.call('2.7')
-debug = minimum_version.call('2.5')
+coverage = minimum_version.call('2.7') && RUN_COVERAGE
+debug = minimum_version.call('2.5') && DEBUG
 
 require 'simplecov' if coverage
-require 'byebug' if DEBUG && debug
+require 'byebug' if debug
 
 require 'oauth2'
 require 'addressable/uri'

data/spec/oauth2/access_token_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 describe OAuth2::AccessToken do
   subject { described_class.new(client, token) }
 
@@ -30,7 +32,7 @@ describe OAuth2::AccessToken do
       expect(target.params['foo']).to eq('bar')
     end
 
-    def assert_initialized_token(target) # rubocop:disable Metrics/AbcSize
+    def assert_initialized_token(target)
       expect(target.token).to eq(token)
       expect(target).to be_expires
       expect(target.params.keys).to include('foo')

data/spec/oauth2/authenticator_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 describe OAuth2::Authenticator do
   subject do
     described_class.new(client_id, client_secret, mode)

data/spec/oauth2/client_spec.rb

@@ -1,11 +1,11 @@
 # coding: utf-8
+# frozen_string_literal: true
 
-require 'helper'
 require 'nkf'
 
 describe OAuth2::Client do
   subject do
-    described_class.new('abc', 'def', :site => 'https://api.example.com') do |builder|
+    described_class.new('abc', 'def', {:site => 'https://api.example.com'}.merge(options)) do |builder|
       builder.adapter :test do |stub|
         stub.get('/success')             { |env| [200, {'Content-Type' => 'text/awesome'}, 'yay'] }
         stub.get('/reflect')             { |env| [200, {}, env[:body]] }
@@ -13,6 +13,7 @@ describe OAuth2::Client do
         stub.get('/unauthorized')        { |env| [401, {'Content-Type' => 'application/json'}, MultiJson.encode(:error => error_value, :error_description => error_description_value)] }
         stub.get('/conflict')            { |env| [409, {'Content-Type' => 'text/plain'}, 'not authorized'] }
         stub.get('/redirect')            { |env| [302, {'Content-Type' => 'text/plain', 'location' => '/success'}, ''] }
+        stub.get('/redirect_no_loc')     { |_env| [302, {'Content-Type' => 'text/plain'}, ''] }
         stub.post('/redirect')           { |env| [303, {'Content-Type' => 'text/plain', 'location' => '/reflect'}, ''] }
         stub.get('/error')               { |env| [500, {'Content-Type' => 'text/plain'}, 'unknown error'] }
         stub.get('/empty_get')           { |env| [204, {}, nil] }
@@ -24,6 +25,7 @@ describe OAuth2::Client do
 
   let!(:error_value) { 'invalid_token' }
   let!(:error_description_value) { 'bad bad token' }
+  let(:options) { {} }
 
   describe '#initialize' do
     it 'assigns id and secret' do
@@ -44,10 +46,10 @@ describe OAuth2::Client do
     end
 
     it 'is able to pass a block to configure the connection' do
-      connection = double('connection')
       builder = double('builder')
+
       allow(Faraday).to receive(:new).and_yield(builder)
-      allow(Faraday::Connection).to receive(:new).and_return(connection)
+      allow(builder).to receive(:response)
 
       expect(builder).to receive(:adapter).with(:test)
 
@@ -70,7 +72,7 @@ describe OAuth2::Client do
     it 'allows override of raise_errors option' do
       client = described_class.new('abc', 'def', :site => 'https://api.example.com', :raise_errors => true) do |builder|
         builder.adapter :test do |stub|
-          stub.get('/notfound') { |env| [404, {}, nil] }
+          stub.get('/notfound') { |_env| [404, {}, nil] }
         end
       end
       expect(client.options[:raise_errors]).to be true
@@ -109,6 +111,30 @@ describe OAuth2::Client do
         subject.options[:"#{url_type}_url"] = 'https://api.foo.com/oauth/custom'
         expect(subject.send("#{url_type}_url")).to eq('https://api.foo.com/oauth/custom')
       end
+
+      context 'when a URL with path is used in the site' do
+        let(:options) do
+          {:site => 'https://example.com/blog'}
+        end
+
+        it 'generates an authorization URL relative to the site' do
+          expect(subject.send("#{url_type}_url")).to eq("https://example.com/blog/oauth/#{url_type}")
+        end
+      end
+
+      context 'when a URL with path is used in the site and urls overridden' do
+        let(:options) do
+          {
+            :site => 'https://example.com/blog',
+            :authorize_url => "oauth/#{url_type}/lampoon",
+            :token_url => "oauth/#{url_type}/lampoon",
+          }
+        end
+
+        it 'generates an authorization URL relative to the site' do
+          expect(subject.send("#{url_type}_url")).to eq("https://example.com/blog/oauth/#{url_type}/lampoon")
+        end
+      end
     end
   end
 

data/spec/oauth2/mac_token_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 describe OAuth2::MACToken do
   subject { described_class.new(client, token, 'abc123') }
 

data/spec/oauth2/response_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 describe OAuth2::Response do
   describe '#initialize' do
     let(:status) { 200 }
@@ -75,6 +77,10 @@ describe OAuth2::Response do
   end
 
   context 'with xml parser registration' do
+    before do
+      MultiXml.parser = :rexml
+    end
+
     it 'tries to load multi_xml and use it' do
       expect(described_class.send(:class_variable_get, :@@parsers)[:xml]).not_to be_nil
     end

data/spec/oauth2/strategy/assertion_spec.rb

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
 describe OAuth2::Strategy::Assertion do
-  subject { client.assertion }
+  let(:client_assertion) { client.assertion }
 
   let(:client) do
     cli = OAuth2::Client.new('abc', 'def', :site => 'http://api.example.com')
@@ -28,31 +32,81 @@ describe OAuth2::Strategy::Assertion do
 
   describe '#authorize_url' do
     it 'raises NotImplementedError' do
-      expect { subject.authorize_url }.to raise_error(NotImplementedError)
+      expect { client_assertion.authorize_url }.to raise_error(NotImplementedError)
     end
   end
 
   %w[json formencoded].each do |mode|
-    describe "#get_token (#{mode})" do
-      before do
-        @mode = mode
-        @access = subject.get_token(params)
-      end
+    before { @mode = mode }
 
-      it 'returns AccessToken with same Client' do
-        expect(@access.client).to eq(client)
-      end
+    shared_examples_for "get_token #{mode}" do
+      describe "#get_token (#{mode})" do
+        subject(:get_token) { client_assertion.get_token(params) }
+
+        it 'returns AccessToken with same Client' do
+          expect(get_token.client).to eq(client)
+        end
 
-      it 'returns AccessToken with #token' do
-        expect(@access.token).to eq('salmon')
+        it 'returns AccessToken with #token' do
+          expect(get_token.token).to eq('salmon')
+        end
+
+        it 'returns AccessToken with #expires_in' do
+          expect(get_token.expires_in).to eq(600)
+        end
+
+        it 'returns AccessToken with #expires_at' do
+          expect(get_token.expires_at).not_to be_nil
+        end
       end
+    end
+
+    it_behaves_like "get_token #{mode}"
+    describe "#build_assertion (#{mode})" do
+      context 'with hmac_secret' do
+        subject(:build_assertion) { client_assertion.build_assertion(params) }
+
+        let(:hmac_secret) { '1883be842495c3b58f68ca71fbf1397fbb9ed2fdf8990f8404a25d0a1b995943' }
+        let(:params) do
+          {
+            :iss => 2345,
+            :aud => 'too',
+            :prn => 'much',
+            :exp => 123_456_789,
+            :hmac_secret => hmac_secret,
+          }
+        end
+        let(:jwt) { 'eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOjIzNDUsImF1ZCI6InRvbyIsInBybiI6Im11Y2giLCJleHAiOjEyMzQ1Njc4OX0.GnZjgcdc5WSWKNW0p9S4GuhpBs3LJCEqjPm6turLG-c' }
+
+        it 'returns JWT' do
+          expect(build_assertion).to eq(jwt)
+        end
 
-      it 'returns AccessToken with #expires_in' do
-        expect(@access.expires_in).to eq(600)
+        it_behaves_like "get_token #{mode}"
       end
 
-      it 'returns AccessToken with #expires_at' do
-        expect(@access.expires_at).not_to be_nil
+      context 'with private_key' do
+        subject(:build_assertion) { client_assertion.build_assertion(params) }
+
+        let(:private_key_file) { 'spec/fixtures/RS256/jwtRS256.key' }
+        let(:password) { '' }
+        let(:private_key) { OpenSSL::PKey::RSA.new(File.read(private_key_file), password) }
+        let(:params) do
+          {
+            :iss => 2345,
+            :aud => 'too',
+            :prn => 'much',
+            :exp => 123_456_789,
+            :private_key => private_key,
+          }
+        end
+        let(:jwt) { 'eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOjIzNDUsImF1ZCI6InRvbyIsInBybiI6Im11Y2giLCJleHAiOjEyMzQ1Njc4OX0.vJ32OiPVMdJrlNkPw02Y9u6beiFY0Mfndhg_CkEDLtOYn8dscQIEpWoR4GzH8tiQVOQ1fOkqxE95tNIKOTjnIoskmYnfzhzIl9fnfQ_lsEuLC-nq45KhPzSM2wYgF2ZEIjDq51daK70bRPzTBr1Id45cTY-jJSito0lbKXj2nPa_Gs-_vyEU2MSxjiMaIxxccfY4Ow5zN3AUMTKp6LjrpDKFxag3fJ1nrb6iDATa504gyJHVLift3ovhAwYidkA81WnmEtISWBY904CKIcZD9Cx3ifS5bc3JaLAteIBKAAyD8o7D60vOKutsjCMHUCKL357BQ36bW7fmaEtW367Ri-xgOsCY0_HeWp991vrJ-DxhFPeuF-8hn_9KggBzKbA2eKEOOY4iDKSFwjWQUFOcRdvHw9RgbGt0IjY3wdo8CaJVlhynh54YlaLgOFhTBPeMgZdqQUHOztljaK9zubeVkrDGNnGuSuq0KR82KArb1x2z7XyZpxiV5ZatP9SNyhn-YIWk7UeQYXaS0UfsBX7L5T1y_FZj84r7Vl42lj1DfdR5DyGvHfZyHotTnejdIrDuQfDL_bGe24eHsilzuEFaajYmu10hxflZ6Apm-lekRRV47tbxTF1zI5we14XsTeklrTXqgDkSw6gyOoNUJm-cQkJpfdvBgUHYGInC1ttz7NU' }
+
+        it 'returns JWT' do
+          expect(build_assertion).to eq(jwt)
+        end
+
+        it_behaves_like "get_token #{mode}"
       end
     end
   end

data/spec/oauth2/strategy/auth_code_spec.rb

@@ -1,4 +1,5 @@
 # encoding: utf-8
+# frozen_string_literal: true
 
 describe OAuth2::Strategy::AuthCode do
   subject { client.auth_code }

data/spec/oauth2/strategy/base_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 describe OAuth2::Strategy::Base do
   it 'initializes with a Client' do
     expect { described_class.new(OAuth2::Client.new('abc', 'def')) }.not_to raise_error

data/spec/oauth2/strategy/client_credentials_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 describe OAuth2::Strategy::ClientCredentials do
   subject { client.client_credentials }
 

data/spec/oauth2/strategy/implicit_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 describe OAuth2::Strategy::Implicit do
   subject { client.implicit }
 

data/spec/oauth2/strategy/password_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 describe OAuth2::Strategy::Password do
   subject { client.password }
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-  version: 1.4.8
+  version: 1.4.9
 platform: ruby
 authors:
 - Peter Boling
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-02-18 00:00:00.000000000 Z
+date: 2022-02-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -18,7 +18,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 0.17.3
     - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
@@ -28,7 +28,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 0.17.3
     - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
@@ -114,20 +114,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.3'
-- !ruby/object:Gem::Dependency
-  name: backports
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.11'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.11'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -157,25 +143,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '12.3'
 - !ruby/object:Gem::Dependency
-  name: rdoc
+  name: rexml
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '5.0'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '7'
+        version: '3.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '5.0'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '7'
+        version: '3.2'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -246,20 +226,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: wwtd
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 description: A Ruby wrapper for the OAuth 2.0 protocol built with a similar style
   to the original OAuth spec.
 email:
@@ -286,6 +252,9 @@ files:
 - lib/oauth2/strategy/implicit.rb
 - lib/oauth2/strategy/password.rb
 - lib/oauth2/version.rb
+- spec/fixtures/README.md
+- spec/fixtures/RS256/jwtRS256.key
+- spec/fixtures/RS256/jwtRS256.key.pub
 - spec/helper.rb
 - spec/oauth2/access_token_spec.rb
 - spec/oauth2/authenticator_spec.rb
@@ -304,9 +273,9 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/oauth-xx/oauth2/issues
-  changelog_uri: https://github.com/oauth-xx/oauth2/blob/v1.4.8/CHANGELOG.md
-  documentation_uri: https://www.rubydoc.info/gems/oauth2/1.4.8
-  source_code_uri: https://github.com/oauth-xx/oauth2/tree/v1.4.8
+  changelog_uri: https://github.com/oauth-xx/oauth2/blob/v1.4.9/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/oauth2/1.4.9
+  source_code_uri: https://github.com/oauth-xx/oauth2/tree/v1.4.9
   wiki_uri: https://github.com/oauth-xx/oauth2/wiki
   rubygems_mfa_required: 'true'
 post_install_message:
@@ -329,6 +298,9 @@ signing_key:
 specification_version: 4
 summary: A Ruby wrapper for the OAuth 2.0 protocol.
 test_files:
+- spec/fixtures/README.md
+- spec/fixtures/RS256/jwtRS256.key
+- spec/fixtures/RS256/jwtRS256.key.pub
 - spec/helper.rb
 - spec/oauth2/access_token_spec.rb
 - spec/oauth2/authenticator_spec.rb