RubyGems - oidc_provider - Versions diffs - 0.3.9 → 0.4.0 - Mend

oidc_provider 0.3.9 → 0.4.0

Files changed (14) hide show

checksums.yaml +4 -4
data/README.md +10 -5
data/app/controllers/oidc_provider/application_controller.rb +21 -1
data/app/controllers/oidc_provider/authorizations_controller.rb +30 -13
data/app/models/oidc_provider/id_token.rb +16 -8
data/lib/oidc_provider/client.rb +4 -2
data/lib/oidc_provider/engine.rb +2 -0
data/lib/oidc_provider/token_endpoint.rb +25 -12
data/lib/oidc_provider/version.rb +1 -1
data/lib/oidc_provider.rb +2 -0
data/lib/tasks/oidc_provider.rake +33 -0
metadata +8 -9
data/app/controllers/oidc_provider/concerns/authentication.rb +0 -27
data/lib/tasks/openid/connect/provider_tasks.rake +0 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4da8e2299c7665d720c58eac0e36869b933d65295ce2e90ec5362431bdcb22aa
-  data.tar.gz: 5b6d2d403368ec78709ce3e9ccedd0cf0ffe267d778db03e0c673c4402b85ea6
+  metadata.gz: 29ccfbd4c57f22b63424ddbd7998bde94566c24e06721b43bfa5b07df0852ef6
+  data.tar.gz: fdeaa21ebbc146987ed9547988d4f7d59449a8dae6609477e72f1f78b47e7f91
 SHA512:
-  metadata.gz: a2d92c3d60315fe73a367de0447f0f9f7155f12062b90e9440560e6d5d5011c21914ea16ba085381b8a5fa8ca23f9b0570e936c63893d27090f88924d20b4e84
-  data.tar.gz: 3ede21e99bfc0cf3b48145ac28889a4ddef6ddeac15ac931030bcf67f18d6df16b055ccf9338751df687dad8c949f616fe5e184300a2e9e230baee14395e6537
+  metadata.gz: 82cd93fa057ecf8522d3ae4754360e202da2e102a9ee4b8ac8d52cbfa2df6da8a86532de765cf52ddea63080b182f9605c37c87db8097066ac019b6091e70812
+  data.tar.gz: 5a8cd740d69fb544665b7262ccb8124d4ce51791ca052495b12369b01a5d8b40d4eabf6d0efc2a0b469086a8123d52ad898821083838d6d80e862be475262409

data/README.md CHANGED Viewed

@@ -41,14 +41,19 @@ $ rails db:migrate
 ### Private Key
-You will need to generate a unique private key per application.
+This gem signs the generated [JWT (JSON Web Tokens)](https://jwt.io/) using a
+private key that should exist at the path `lib/oidc_provider_key.pem` in your
+Rails application.
+You can pass its passphrase using the `OIDC_PROVIDER_KEY_PASSPHRASE` environment
+variable.
+This gem provide a convenient way of generating one if you need it by running :
 ```bash
-$ ssh-keygen
+$ rails oidc_provider:generate_key
 ```
-Due to Docker Composes' lack of support for multiline `.env` variables, put a passphrase on it. Then add the key to your application at `lib/oidc_provider_key.pem` and add the passphrase as an environment variables in your application: `ENV["OIDC_PROVIDER_KEY_PASSPHRASE"]`.
 # Testing
 Visit: https://demo.c2id.com/oidc-client/
@@ -92,5 +97,5 @@ The gem is available as open source under the terms of the [MIT License](https:/
 ```
 gem build oidc_provider.gemspec
-gem push oidc_provider-0.3.2.gem
+gem push oidc_provider-0.3.10.gem
 ```

data/app/controllers/oidc_provider/application_controller.rb CHANGED Viewed

@@ -1,5 +1,25 @@
 module OIDCProvider
   class ApplicationController < ActionController::Base
-    include Concerns::Authentication
+    def oidc_current_account
+      send(OIDCProvider.current_account_method)
+    end
+    def current_token
+      @current_token ||= request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
+    end
+    def require_authentication
+      send(OIDCProvider.current_authentication_method)
+    end
+    def require_access_token
+      unless current_token
+        raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new
+      end
+    end
+    def unauthenticate!
+      send(OIDCProvider.current_unauthenticate_method)
+    end
   end
 end

data/app/controllers/oidc_provider/authorizations_controller.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module OIDCProvider
   class AuthorizationsController < ApplicationController
     include Concerns::ConnectEndpoint
@@ -5,16 +7,13 @@ module OIDCProvider
     before_action :require_oauth_request
     before_action :require_response_type_code
     before_action :require_client
+    before_action :reset_login_if_necessary
     before_action :require_authentication
     def create
-      puts "scopes: #{requested_scopes}"
-      authorization = Authorization.create(
-        client_id: @client.identifier,
-        nonce: oauth_request.nonce,
-        scopes: requested_scopes,
-        account: oidc_current_account
-      )
+      Rails.logger.info "scopes: #{requested_scopes}"
+      authorization = build_authorization_with(requested_scopes)
       oauth_response.code = authorization.code
       oauth_response.redirect_uri = @redirect_uri
@@ -27,21 +26,39 @@ module OIDCProvider
     private
+    def build_authorization_with(scopes)
+      Authorization.create(
+        client_id: @client.identifier,
+        nonce: oauth_request.nonce,
+        scopes: scopes,
+        account: oidc_current_account
+      )
+    end
     def require_client
       @client = ClientStore.new.find_by(identifier: oauth_request.client_id) or oauth_request.invalid_request! 'not a valid client'
-      @redirect_uri = oauth_request.verify_redirect_uri! [oauth_request.redirect_uri, @client.redirect_uri]
+      @redirect_uri = oauth_request.verify_redirect_uri! @client.redirect_uri
     end
     def requested_scopes
-      @requested_scopes ||= (["openid"] + OIDCProvider.supported_scopes.map(&:name)) & oauth_request.scope
+      @requested_scopes ||= (['openid'] + OIDCProvider.supported_scopes.map(&:name)) & oauth_request.scope
     end
     helper_method :requested_scopes
     def require_response_type_code
-      unless oauth_request.response_type == :code
-        oauth_request.unsupported_response_type!
+      return if oauth_request.response_type == :code
+      oauth_request.unsupported_response_type!
+    end
+    def reset_login_if_necessary
+      if params[:prompt] == "login"
+        # A `prompt=login` param means that we must prompt the user for sign in.
+        # So we will forcibly sign out the user here and then redirect them so they
+        # don't get redirected back to the url that contains `prompt=login`
+        unauthenticate!
+        redirect_to url_for(request.query_parameters.except(:prompt))
       end
     end
   end
-end
+end

data/app/models/oidc_provider/id_token.rb CHANGED Viewed

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
 module OIDCProvider
   class IdToken < ApplicationRecord
+    PASSPHRASE_ENV_VAR = 'OIDC_PROVIDER_KEY_PASSPHRASE'
     belongs_to :authorization
     attribute :expires_at, :datetime, default: -> { 1.hour.from_now }
@@ -24,8 +28,19 @@ module OIDCProvider
     private
     class << self
+      def config
+        {
+          issuer: OIDCProvider.issuer,
+          jwk_set: JSON::JWK::Set.new(public_jwk)
+        }
+      end
+      def oidc_provider_key_path
+        Rails.root.join("lib/oidc_provider_key.pem")
+      end
       def key_pair
-        @key_pair ||= OpenSSL::PKey::RSA.new(File.read(Rails.root.join("lib/oidc_provider_key.pem")), ENV["OIDC_PROVIDER_KEY_PASSPHRASE"])
+        @key_pair ||= OpenSSL::PKey::RSA.new(File.read(oidc_provider_key_path), ENV[PASSPHRASE_ENV_VAR])
       end
       def private_jwk
@@ -35,13 +50,6 @@ module OIDCProvider
       def public_jwk
         JSON::JWK.new key_pair.public_key
       end
-      def config
-        {
-          issuer: OIDCProvider.issuer,
-          jwk_set: JSON::JWK::Set.new(public_jwk)
-        }
-      end
     end
   end
 end

data/lib/oidc_provider/client.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module OIDCProvider
   class Client
     attr_accessor :identifier, :secret, :redirect_uri, :name
@@ -5,10 +7,10 @@ module OIDCProvider
     def initialize(options = {})
       @identifier = options[:identifier]
       @secret = options[:secret]
-      @redirect_uri = options[:redirect_uri]
+      @redirect_uri = Array(options[:redirect_uri])
       @name = options[:name]
     end
   end
 end
-require 'oidc_provider/client/builder'
+require 'oidc_provider/client/builder'

data/lib/oidc_provider/engine.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'rack/oauth2'
 module OIDCProvider

data/lib/oidc_provider/token_endpoint.rb CHANGED Viewed

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
 module OIDCProvider
   class TokenEndpoint
     attr_accessor :app
     delegate :call, to: :app
     def initialize
@@ -8,26 +11,36 @@ module OIDCProvider
         Rails.logger.info "Client ID: #{req.client_id}"
         Rails.logger.info "Client secret: #{req.client_secret}"
         Rails.logger.info "Redirect URI: #{req.redirect_uri}"
-        client = ClientStore.new.find_by(
-          identifier: req.client_id,
-          secret: req.client_secret,
-          redirect_uri: req.redirect_uri
-        ) || req.invalid_client!
-        Rails.logger.info "Found a client!"
+        client = find_valid_client_from(req) || req.invalid_client!
+        Rails.logger.info 'Found a client!'
         case req.grant_type
         when :authorization_code
-          Rails.logger.info "Grant type was an authorization code. Correct!"
+          Rails.logger.info 'Grant type was an authorization code. Correct!'
           authorization = Authorization.valid.where(client_id: client.identifier, code: req.code).first || req.invalid_grant!
-          Rails.logger.info "We found an authorization matching this code!"
+          Rails.logger.info 'We found an authorization matching this code!'
           res.access_token = authorization.access_token.to_bearer_token
-          res.id_token = authorization.id_token.to_jwt if authorization.scopes.include?("openid")
+          res.id_token = authorization.id_token.to_jwt if authorization.scopes.include?('openid')
         else
-          Rails.logger.info "Unsupported grant type"
+          Rails.logger.info "Unsupported grant type: #{req.grant_type.inspect}"
           req.unsupported_grant_type!
         end
       end
     end
+    private
+    def find_valid_client_from(req)
+      client = ClientStore.new.find_by(
+        identifier: req.client_id,
+        secret: req.client_secret
+      )
+      return nil unless client
+      client.redirect_uri.include?(req.redirect_uri) ? client : nil
+    end
   end
-end
+end

data/lib/oidc_provider/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module OIDCProvider
-  VERSION = '0.3.9'
+  VERSION = '0.4.0'
 end

data/lib/oidc_provider.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require "openid_connect"
 require "oidc_provider/engine"

data/lib/tasks/oidc_provider.rake ADDED Viewed

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+namespace :oidc_provider do
+  desc 'Generate the lib/oidc_provider_key.pem key file'
+  task generate_key: :environment do
+    key_filepath = OIDCProvider::IdToken.oidc_provider_key_path
+    File.exist?(key_filepath) && raise("ERROR: A key file already exists at #{key_filepath}.")
+    passphrase_env_var = OIDCProvider::IdToken::PASSPHRASE_ENV_VAR
+    pass_phrase = ENV.fetch(passphrase_env_var, '')
+    if pass_phrase == ''
+      puts "\033[33mWARNING: You haven't defined a passphrase to be used to " \
+           'generate the new key which is concidered as insecured. You can ' \
+           "do it by setting the #{passphrase_env_var} environment variable " \
+           "and re-run this task.\033[0m"
+      raise
+    end
+    key_file_content = OpenSSL::PKey::RSA.new(2048).export(
+      OpenSSL::Cipher.new('AES-128-CBC'),
+      pass_phrase
+    )
+    File.write(key_filepath, key_file_content)
+    FileUtils.chmod(0_600, key_filepath)
+    puts "SUCCESS: A new key file has been created at #{key_filepath}."
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oidc_provider
 version: !ruby/object:Gem::Version
-  version: 0.3.9
+  version: 0.4.0
 platform: ruby
 authors:
 - William Carey
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-30 00:00:00.000000000 Z
+date: 2023-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -50,7 +50,6 @@ files:
 - Rakefile
 - app/controllers/oidc_provider/application_controller.rb
 - app/controllers/oidc_provider/authorizations_controller.rb
-- app/controllers/oidc_provider/concerns/authentication.rb
 - app/controllers/oidc_provider/concerns/connect_endpoint.rb
 - app/controllers/oidc_provider/discovery_controller.rb
 - app/controllers/oidc_provider/sessions_controller.rb
@@ -74,12 +73,12 @@ files:
 - lib/oidc_provider/token_endpoint.rb
 - lib/oidc_provider/user_info_builder.rb
 - lib/oidc_provider/version.rb
-- lib/tasks/openid/connect/provider_tasks.rake
-homepage: http://brandnewbox.com
+- lib/tasks/oidc_provider.rake
+homepage: https://github.com/brandnewbox/oidc_provider
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -94,8 +93,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key:
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: Uses the openid_connect gem to turn a Rails app into an OpenID Connect provider.
 test_files: []

data/app/controllers/oidc_provider/concerns/authentication.rb DELETED Viewed

@@ -1,27 +0,0 @@
-module OIDCProvider
-  module Concerns
-    module Authentication
-      def oidc_current_account
-        send(OIDCProvider.current_account_method)
-      end
-      def current_token
-        @current_token ||= request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
-      end
-      def require_authentication
-        send(OIDCProvider.current_authentication_method)
-      end
-      def require_access_token
-        unless current_token
-          raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new
-        end
-      end
-      def unauthenticate!
-        send(OIDCProvider.current_unauthenticate_method)
-      end
-    end
-  end
-end

data/lib/tasks/openid/connect/provider_tasks.rake DELETED Viewed

@@ -1,4 +0,0 @@
-# desc "Explaining what the task does"
-# task :openid_connect_provider do
-#   # Task goes here
-# end