omniauth-auth0 1.4.2 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 08baf1e899468bd2eb4eeaa08ddc3cf3cc4282df
-  data.tar.gz: d7df08d4a6a624a68f48bb907b077d124e957877
+  metadata.gz: f42f79c741d55e309c3e99686af45d7f08ca5c92
+  data.tar.gz: 8b58d4f79437cb2fc1b2ee5f618ee30cef82bcea
 SHA512:
-  metadata.gz: 9f3c3b20a7edf3fca038b36ca50821af43f17826b106d083f7f317aef913438c11932c02b60c13a03ff468a8cb12418655aa548ca6959663b554bab406dbd80d
-  data.tar.gz: c9005d6fbf72f5fe14b7b20c5bb8ad2679f7fadd740251cc401bd3de7c95693ad8cb5dfdaab54154ebff3b12324e766129b1b44c6d274b929ce9104e3c1b2ab5
+  metadata.gz: 67e3c0c3fc88653047b8740dab4b89b06986b0ad943c09f67bfbec6bd4abba10c47f39e3a7cf287251a7d001804f756e0f1be80cc78874f0df1d540250310541
+  data.tar.gz: c284dd831da04571f6dedb6c9b0ab333fd40e474ea30bb433a3c6d28ee15dcddd6385c6f8c4ff0175da3b58073500973261231500e069b88fb2574db48c3723e

data/.gitignore

@@ -1,4 +1,9 @@
 .ruby-version
 coverage
 Gemfile.lock
-*.gem
+*.gem
+
+.#*
+.env
+log/
+tmp/

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--require spec_helper
+--format=progress

data/.rubocop.yml

@@ -0,0 +1,20 @@
+Metrics/BlockLength:
+  Exclude:
+    - 'Rakefile'
+    - '**/*.rake'
+    - 'spec/**/*.rb'
+    - 'spec/spec_helper.rb'
+Metrics/MethodLength:
+  Exclude:
+    - 'Rakefile'
+    - '**/*.rake'
+    - 'spec/**/*.rb'
+Metrics/AbcSize:
+  Exclude:
+    - 'Rakefile'
+    - '**/*.rake'
+    - 'spec/**/*.rb'
+    - 'spec/spec_helper.rb'
+AllCops:
+  Exclude:
+    - 'omniauth-auth0.gemspec'

data/.travis.yml

@@ -1,3 +1,6 @@
 language: ruby
 rvm:
-  - 2.1.0
+- 2.2.5
+branches:
+  only:
+    - master

data/CHANGELOG.md

@@ -1,5 +1,22 @@
 # Change Log
 
+## [v2.0.0](https://github.com/auth0/omniauth-auth0/tree/v2.0.0) (2017-01-25)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.1...v2.0.0)
+
+Updated library to handle OIDC conformant clients and OAuth2 features in Auth0.
+This affects how the `credentials` and `info` attributes are populated since the payload of /oauth/token and /userinfo are differnt when using OAuth2/OIDC features.
+
+The `credentials` hash will always have an `access_token` and might have a `refresh_token` (if it's allowed in your API settings in Auth0 dashboard and requested using `offline_access` scope) and an `id_token` (scope `openid` is needed for Auth0 to return it).
+
+The `info` object will use the [OmniAuth schema](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later) after calling /userinfo:
+
+- name: `name` attribute in userinfo response or `sub` if not available.
+- email: `email` attribute in userinfo response.
+- nickname: `nickname` attribute in userinfo response.
+- image: `picture` attribute in userinfo response.
+
+Also in `extra` will have in `raw_info` the full /userinfo response.
+
 ## [v1.4.1](https://github.com/auth0/omniauth-auth0/tree/v1.4.1) (2015-11-18)
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.0...v1.4.1)
 
@@ -21,4 +38,4 @@
 
 
 
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
+\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*

data/Gemfile

@@ -1,4 +1,26 @@
-source "http://rubygems.org"
+source 'http://rubygems.org'
 
-# Specify your gem's dependencies in omniauth-auth0.gemspec
-gemspec
+gemspec
+
+gem 'gem-release'
+gem 'rake'
+
+group :development do
+  gem 'dotenv'
+  gem 'pry'
+  gem 'shotgun'
+  gem 'sinatra'
+  gem 'thin'
+end
+
+group :test do
+  gem 'guard-rspec', require: false
+  gem 'listen', '~> 3.1.5'
+  gem 'rack-test'
+  gem 'rspec', '~> 3.5'
+  gem 'rubocop', '>= 0.30', platforms: [
+    :ruby_19, :ruby_20, :ruby_21, :ruby_22
+  ]
+  gem 'simplecov'
+  gem 'webmock'
+end

data/Guardfile

@@ -0,0 +1,5 @@
+guard :rspec, cmd: 'bundle exec rspec' do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { 'spec' }
+end

data/README.md

@@ -14,7 +14,7 @@ gem 'omniauth-auth0'
 
 Then `bundle install`.
 
-## Basic Usage
+## Usage
 
 ### Rails
 
@@ -24,10 +24,10 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
-If you want to force an identity provider you can simply redirect to the Omniauth path like this:
+Then to redirect to your tenant's hosted login page:
 
 ```ruby
-redirect_to '/auth/auth0?connection=CONNECTION_NAME'
+redirect_to '/auth/auth0'
 ```
 
 ### Sinatra
@@ -38,20 +38,50 @@ use OmniAuth::Builder do
 end
 ```
 
-> Optional you can set the `:provider_ignores_state` passing a fourth parameter. By default it is true.
+Then to redirect to your tenant's hosted login page:
 
-If you want to force to force an identity provider you can simply redirect to Omniauth path like this:
+```ruby
+redirect to('/auth/auth0')
+```
+
+> You can customize your hosted login page in your [Auth0 Dashboard](https://manage.auth0.com/#/login_page)
+
+### Auth parameters
+
+To send additional parameters during login you can specify them when you register the provider
 
 ```ruby
-redirect to('/auth/auth0?connection=CONNECTION_NAME')
+provider 
+  :auth0,
+  ENV['AUTH0_CLIENT_ID'],
+  ENV['AUTH0_CLIENT_SECRET'],
+  ENV['AUTH0_DOMAIN'],
+  {
+    authorize_params: {
+      scope: 'openid read:users write:order',
+      audience: 'https://mydomain/api'
+    }
+  }
 ```
 
-### Login widget
+that will tell it to send those parameters on every Auth request.
 
-Integrate the widget in one of your pages as described [here](http://auth0.com/docs/lock) or use links as described in the same link.
+Or you can do it for a specific Auth request by adding them in the query parameter of the redirect url:
+
+```ruby
+redirect_to '/auth/auth0?connection=google-oauth2'
+```
 
 ### Auth Hash
 
+Auth0 strategy will have the standard OmniAuth hash attributes:
+
+- provider: the name of the strategy, in this case `auth0`
+- uid: the user identifier
+- info: the result of the call to /userinfo using OmniAuth standard attributes
+- credentials: Auth0 tokens, at least will have an access_token but can eventually have refresh_token and/or id_token
+- extra: Additional info obtained from calling /userinfo in the attribute `raw_info`
+
 ```ruby
 	{
 	  :provider => 'auth0',
@@ -60,14 +90,13 @@ Integrate the widget in one of your pages as described [here](http://auth0.com/d
 	    :name => 'John Foo',
 	    :email => 'johnfoo@example.org',
 	    :nickname => 'john',
-	    :first_name => 'John',
-	    :last_name => 'Foo',
-	    :location => 'en',
 	    :image => 'https://example.org/john.jpg'
 	  },
 	  :credentials => {
 	    :token => 'XdDadllcas2134rdfdsI',
-	    :expires => 'false',
+	    :expires_at => 1485373937,
+        :expires => true,
+        :refresh_token => 'aKNajdjfj123nBasd',
 	    :id_token => 'eyJhbGciOiJIUzI1NiIsImN0eSI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBGb28ifQ.lxAiy1rqve8ZHQEQVehUlP1sommPHVJDhgPgFPnDosg',
 	    :token_type => 'bearer',
 	  },
@@ -76,22 +105,9 @@ Integrate the widget in one of your pages as described [here](http://auth0.com/d
 	      :email => 'johnfoo@example.org',
 	      :email_verified => 'true',
 	      :name => 'John Foo',
-	      :given_name => 'John',
-	      :family_name => 'Foo',
 	      :picture => 'https://example.org/john.jpg',
-	      :gender => 'male',
-	      :locale => 'en',
-	      :clientID => 'nUBkskdaYdsaxK2n9',
 	      :user_id => 'google-oauth2|this-is-the-google-id',
 	      :nickname => 'john',
-	      :identities => [{
-	        :access_token => 'this-is-the-google-access-token',
-	        :provider => 'google-oauth2',
-	        :expires_in => '3599',
-	        :user_id => 'this-is-the-google-id',
-	        :connection => 'google-oauth2',
-	        :isSocial => 'true',
-	      }],
 	      :created_at: '2014-07-15T17:19:50.387Z'
 	    }
 	  }
@@ -120,7 +136,7 @@ If you have found a bug or if you have a feature request, please report them at
 
 ## Author
 
-[Auth0](auth0.com)
+[Auth0](https://auth0.com)
 
 ## License
 

data/Rakefile

@@ -1,10 +1,30 @@
 #!/usr/bin/env rake
-require "bundler/gem_tasks"
+require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 
-desc "Run specs"
+desc 'Run specs'
 RSpec::Core::RakeTask.new
 
+begin
+  require 'rubocop/rake_task'
+  RuboCop::RakeTask.new
+rescue LoadError
+  task :rubocop do
+    $stderr.puts 'Rubocop is disabled'
+  end
+end
+
+namespace :sinatra do
+  task :start do
+    system 'bundle exec shotgun' \
+           ' --server=thin --port=3000' \
+           ' examples/sinatra/config.ru'
+  end
+end
+
 desc 'Run specs'
-task :default => :spec
-task :test => :spec
+task default: [:spec, :rubocop]
+task test: :spec
+task :guard do
+  system 'bundle exec guard'
+end

data/examples/sinatra/app.rb

@@ -0,0 +1,14 @@
+require 'sinatra'
+require 'omniauth-auth0'
+require 'dotenv/load'
+
+use OmniAuth::Builder do
+  provider :auth0, ENV['CLIENT_ID'], ENV['CLIENT_SECRET'], ENV['DOMAIN']
+end
+
+enable :sessions
+set :session_secret, ENV['SESSION_SECRET']
+
+get '/' do
+  'Auth0 OmniAuth Example for Sinatra'
+end

data/examples/sinatra/config.ru

@@ -0,0 +1,3 @@
+require File.expand_path('app', File.dirname(__FILE__))
+
+run Sinatra::Application

data/lib/omniauth-auth0.rb

@@ -1,2 +1,2 @@
-require "omniauth-auth0/version"
-require "omniauth/strategies/auth0"
+require 'omniauth-auth0/version' # rubocop:disable Style/FileName
+require 'omniauth/strategies/auth0'

data/lib/omniauth-auth0/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Auth0
-    VERSION = "1.4.2"
+    VERSION = '2.0.0'.freeze
   end
 end

data/lib/omniauth/strategies/auth0.rb

@@ -1,94 +1,104 @@
-require "base64"
-require "omniauth-oauth2"
+require 'base64'
+require 'uri'
+require 'omniauth-oauth2'
 
 module OmniAuth
   module Strategies
+    # Auth0 OmniAuth strategy
     class Auth0 < OmniAuth::Strategies::OAuth2
-      PASSTHROUGHS = %w[
-        connection
-        redirect_uri
-      ]
-
-      option :name, "auth0"
-      option :namespace, nil
-      option :provider_ignores_state, true
-      option :connection
+      option :name, 'auth0'
 
-      option :client_options, {
-        authorize_url: "/authorize",
-        token_url: "/oauth/token",
-        userinfo_url: "/userinfo"
-      }
-
-      args [:client_id, :client_secret, :namespace, :provider_ignores_state, :connection]
+      args [
+        :client_id,
+        :client_secret,
+        :domain
+      ]
 
-      def initialize(app, *args, &block)
+      def client
+        options.client_options.site = domain_url
+        options.client_options.authorize_url = '/authorize'
+        options.client_options.token_url = '/oauth/token'
+        options.client_options.userinfo_url = '/userinfo'
         super
-
-        if options[:namespace]
-          @options.provider_ignores_state = args[3] unless args[3].nil?
-          @options.connection = args[4] unless args[4].nil?
-
-          @options.client_options.site =
-            "https://#{options[:namespace]}"
-          @options.client_options.authorize_url =
-            "https://#{options[:namespace]}/authorize?#{self.class.client_info_querystring}"
-          @options.client_options.token_url =
-            "https://#{options[:namespace]}/oauth/token?#{self.class.client_info_querystring}"
-          @options.client_options.userinfo_url =
-            "https://#{options[:namespace]}/userinfo"
-        elsif !options[:setup]
-          fail(ArgumentError.new("Received wrong number of arguments. #{args.inspect}"))
-        end
       end
 
-      def authorize_params
-        super.tap do |param|
-          PASSTHROUGHS.each do |p|
-            param[p.to_sym] = request.params[p] if request.params[p]
-          end
-          if @options.connection
-            param[:connection] = @options.connection
-          end
-        end
-      end
+      uid { raw_info['sub'] }
 
       credentials do
-        hash = {'token' => access_token.token}
-        hash.merge!('expires' => true)
+        hash = { 'token' => access_token.token }
+        hash['expires'] = true
         if access_token.params
-          hash.merge!('id_token' => access_token.params['id_token'])
-          hash.merge!('token_type' => access_token.params['token_type'])
-          hash.merge!('refresh_token' => access_token.refresh_token) if access_token.refresh_token
+          hash['id_token'] = access_token.params['id_token']
+          hash['token_type'] = access_token.params['token_type']
+          hash['refresh_token'] = access_token.refresh_token
         end
         hash
       end
 
-      uid { raw_info["user_id"] }
-
       extra do
-        { :raw_info => raw_info }
+        {
+          raw_info: raw_info
+        }
       end
 
       info do
         {
-          :name => raw_info["name"],
-          :email => raw_info["email"],
-          :nickname => raw_info["nickname"],
-          :first_name => raw_info["given_name"],
-          :last_name => raw_info["family_name"],
-          :location => raw_info["locale"],
-          :image => raw_info["picture"]
+          name: raw_info['name'] || raw_info['sub'],
+          nickname: raw_info['nickname'],
+          email: raw_info['email'],
+          image: raw_info['picture']
         }
       end
 
+      def authorize_params
+        params = super
+        params['auth0Client'] = client_info
+        params
+      end
+
+      def request_phase
+        if no_client_id?
+          fail!(:missing_client_id)
+        elsif no_client_secret?
+          fail!(:missing_client_secret)
+        elsif no_domain?
+          fail!(:missing_domain)
+        else
+          super
+        end
+      end
+
+      private
+
       def raw_info
-        @raw_info ||= access_token.get(options.client_options.userinfo_url).parsed
+        userinfo_url = options.client_options.userinfo_url
+        @raw_info ||= access_token.get(userinfo_url).parsed
+      end
+
+      def no_client_id?
+        ['', nil].include?(options.client_id)
+      end
+
+      def no_client_secret?
+        ['', nil].include?(options.client_secret)
+      end
+
+      def no_domain?
+        ['', nil].include?(options.domain)
+      end
+
+      def domain_url
+        domain_url = URI(options.domain)
+        domain_url = URI("https://#{domain_url}") if domain_url.scheme.nil?
+        domain_url.to_s
       end
 
-      def self.client_info_querystring
-        client_info = JSON.dump({name: 'omniauth-auth0', version: OmniAuth::Auth0::VERSION})
-        "auth0Client=" + Base64.urlsafe_encode64(client_info)
+      def client_info
+        client_info = JSON.dump(
+          name: 'omniauth-auth0',
+          version: OmniAuth::Auth0::VERSION
+        )
+        Base64.urlsafe_encode64(client_info)
       end
     end
   end