omniauth-auth0 2.0.0 → 2.4.0

data/lib/omniauth/auth0/telemetry.rb

@@ -0,0 +1,36 @@
+require 'json'
+
+module OmniAuth
+  module Auth0
+    # Module to provide necessary telemetry for API requests.
+    module Telemetry
+
+      # Return a telemetry hash to be encoded and sent to Auth0.
+      # @return hash
+      def telemetry
+        telemetry = {
+          name: 'omniauth-auth0',
+          version: OmniAuth::Auth0::VERSION,
+          env: {
+            ruby: RUBY_VERSION
+          }
+        }
+        add_rails_version telemetry
+      end
+
+      # JSON-ify and base64 encode the current telemetry.
+      # @return string
+      def telemetry_encoded
+        Base64.urlsafe_encode64(JSON.dump(telemetry))
+      end
+
+      private
+
+      def add_rails_version(telemetry)
+        return telemetry unless Gem.loaded_specs['rails'].respond_to? :version
+        telemetry[:env][:rails] = Gem.loaded_specs['rails'].version.to_s
+        telemetry
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/auth0.rb

@@ -1,19 +1,28 @@
+# frozen_string_literal: true
+
 require 'base64'
 require 'uri'
+require 'securerandom'
 require 'omniauth-oauth2'
+require 'omniauth/auth0/jwt_validator'
+require 'omniauth/auth0/telemetry'
+require 'omniauth/auth0/errors'
 
 module OmniAuth
   module Strategies
     # Auth0 OmniAuth strategy
     class Auth0 < OmniAuth::Strategies::OAuth2
+      include OmniAuth::Auth0::Telemetry
+
       option :name, 'auth0'
 
-      args [
-        :client_id,
-        :client_secret,
-        :domain
+      args %i[
+        client_id
+        client_secret
+        domain
       ]
 
+      # Setup client URLs used during authentication
       def client
         options.client_options.site = domain_url
         options.client_options.authorize_url = '/authorize'
@@ -22,25 +31,48 @@ module OmniAuth
         super
       end
 
+      # Use the "sub" key of the userinfo returned
+      # as the uid (globally unique string identifier).
       uid { raw_info['sub'] }
 
+      # Build the API credentials hash with returned auth data.
       credentials do
-        hash = { 'token' => access_token.token }
-        hash['expires'] = true
+        credentials = {
+          'token' => access_token.token,
+          'expires' => true
+        }
+
         if access_token.params
-          hash['id_token'] = access_token.params['id_token']
-          hash['token_type'] = access_token.params['token_type']
-          hash['refresh_token'] = access_token.refresh_token
+          credentials.merge!(
+            'id_token' => access_token.params['id_token'],
+            'token_type' => access_token.params['token_type'],
+            'refresh_token' => access_token.refresh_token
+          )
+        end
+
+        # Retrieve and remove authorization params from the session
+        session_authorize_params = session['authorize_params'] || {}
+        session.delete('authorize_params')
+
+        auth_scope = session_authorize_params[:scope]
+        if auth_scope.respond_to?(:include?) && auth_scope.include?('openid')
+          # Make sure the ID token can be verified and decoded.
+          auth0_jwt = OmniAuth::Auth0::JWTValidator.new(options)
+          auth0_jwt.verify(credentials['id_token'], session_authorize_params)
         end
-        hash
+
+        credentials
       end
 
+      # Store all raw information for use in the session.
       extra do
         {
           raw_info: raw_info
         }
       end
 
+      # Build a hash of information about the user
+      # with keys taken from the Auth Hash Schema.
       info do
         {
           name: raw_info['name'] || raw_info['sub'],
@@ -50,56 +82,82 @@ module OmniAuth
         }
       end
 
+      # Define the parameters used for the /authorize endpoint
       def authorize_params
         params = super
-        params['auth0Client'] = client_info
+        parsed_query = Rack::Utils.parse_query(request.query_string)
+        %w[connection connection_scope prompt screen_hint].each do |key|
+          params[key] = parsed_query[key] if parsed_query.key?(key)
+        end
+
+        # Generate nonce
+        params[:nonce] = SecureRandom.hex
+        # Generate leeway if none exists
+        params[:leeway] = 60 unless params[:leeway]
+
+        # Store authorize params in the session for token verification
+        session['authorize_params'] = params
+
         params
       end
 
+      def build_access_token
+        options.token_params[:headers] = { 'Auth0-Client' => telemetry_encoded }
+        super
+      end
+
+      # Declarative override for the request phase of authentication
       def request_phase
         if no_client_id?
+          # Do we have a client_id for this Application?
           fail!(:missing_client_id)
         elsif no_client_secret?
+          # Do we have a client_secret for this Application?
           fail!(:missing_client_secret)
         elsif no_domain?
+          # Do we have a domain for this Application?
           fail!(:missing_domain)
         else
+          # All checks pass, run the Oauth2 request_phase method.
           super
         end
       end
 
+      def callback_phase
+        super
+      rescue OmniAuth::Auth0::TokenValidationError => e
+        fail!(:token_validation_error, e)
+      end
+
       private
 
+      # Parse the raw user info.
       def raw_info
         userinfo_url = options.client_options.userinfo_url
         @raw_info ||= access_token.get(userinfo_url).parsed
       end
 
+      # Check if the options include a client_id
       def no_client_id?
         ['', nil].include?(options.client_id)
       end
 
+      # Check if the options include a client_secret
       def no_client_secret?
         ['', nil].include?(options.client_secret)
       end
 
+      # Check if the options include a domain
       def no_domain?
         ['', nil].include?(options.domain)
       end
 
+      # Normalize a domain to a URL.
       def domain_url
         domain_url = URI(options.domain)
         domain_url = URI("https://#{domain_url}") if domain_url.scheme.nil?
         domain_url.to_s
       end
-
-      def client_info
-        client_info = JSON.dump(
-          name: 'omniauth-auth0',
-          version: OmniAuth::Auth0::VERSION
-        )
-        Base64.urlsafe_encode64(client_info)
-      end
     end
   end
 end

data/omniauth-auth0.gemspec

@@ -8,22 +8,20 @@ Gem::Specification.new do |s|
   s.authors     = ['Auth0']
   s.email       = ['info@auth0.com']
   s.homepage    = 'https://github.com/auth0/omniauth-auth0'
-  s.summary     = 'Omniauth OAuth2 strategy for the Auth0 platform.'
+  s.summary     = 'OmniAuth OAuth2 strategy for the Auth0 platform.'
   s.description = %q{Auth0 is an authentication broker that supports social identity providers as well as enterprise identity providers such as Active Directory, LDAP, Google Apps, Salesforce.
 
 OmniAuth is a library that standardizes multi-provider authentication for web applications. It was created to be powerful, flexible, and do as little as possible.
 
-omniauth-auth0 is the omniauth strategy for Auth0.
+omniauth-auth0 is the OmniAuth strategy for Auth0.
 }
 
-  s.rubyforge_project = 'omniauth-auth0'
-
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split('\n').map{ |f| File.basename(f) }
   s.require_paths = ['lib']
 
-  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.4'
+  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.5'
 
   s.add_development_dependency 'bundler', '~> 1.9'
   

data/spec/omniauth/auth0/jwt_validator_spec.rb

@@ -0,0 +1,501 @@
+require 'spec_helper'
+require 'json'
+require 'jwt'
+
+describe OmniAuth::Auth0::JWTValidator do
+  #
+  # Reused data
+  #
+
+  let(:client_id) { 'CLIENT_ID' }
+  let(:client_secret) { 'CLIENT_SECRET' }
+  let(:domain) { 'samples.auth0.com' }
+  let(:future_timecode) { 32_503_680_000 }
+  let(:past_timecode) { 303_912_000 }
+  let(:jwks_kid) { 'NkJCQzIyQzRBMEU4NjhGNUU4MzU4RkY0M0ZDQzkwOUQ0Q0VGNUMwQg' }
+
+  let(:rsa_private_key) do
+    OpenSSL::PKey::RSA.generate 2048
+  end
+
+  let(:rsa_token_jwks) do
+    {
+      keys: [
+        {
+          kid: jwks_kid,
+          x5c: [Base64.encode64(make_cert(rsa_private_key).to_der)]
+        }
+      ]
+    }.to_json
+  end
+
+  let(:jwks) do
+    current_dir = File.dirname(__FILE__)
+    jwks_file = File.read("#{current_dir}/../../resources/jwks.json")
+    JSON.parse(jwks_file, symbolize_names: true)
+  end
+
+  #
+  # Specs
+  #
+
+  describe 'JWT verifier default values' do
+    let(:jwt_validator) do
+      make_jwt_validator
+    end
+
+    it 'should have the correct issuer' do
+      expect(jwt_validator.issuer).to eq('https://samples.auth0.com/')
+    end
+  end
+
+  describe 'JWT verifier token_head' do
+    let(:jwt_validator) do
+      make_jwt_validator
+    end
+
+    it 'should parse the head of a valid JWT' do
+      expect(jwt_validator.token_head(make_hs256_token)[:alg]).to eq('HS256')
+    end
+
+    it 'should fail parsing the head of a blank JWT' do
+      expect(jwt_validator.token_head('')).to eq({})
+    end
+
+    it 'should fail parsing the head of an invalid JWT' do
+      expect(jwt_validator.token_head('.')).to eq({})
+    end
+
+    it 'should throw an exception for invalid JSON' do
+      expect do
+        jwt_validator.token_head('QXV0aDA=')
+      end.to raise_error(JSON::ParserError)
+    end
+  end
+
+  describe 'JWT verifier jwks_public_cert' do
+    let(:jwt_validator) do
+      make_jwt_validator
+    end
+
+    it 'should return a public_key' do
+      x5c = jwks[:keys].first[:x5c].first
+      public_cert = jwt_validator.jwks_public_cert(x5c)
+      expect(public_cert.instance_of?(OpenSSL::PKey::RSA)).to eq(true)
+    end
+
+    it 'should fail with an invalid x5c' do
+      expect do
+        jwt_validator.jwks_public_cert('QXV0aDA=')
+      end.to raise_error(OpenSSL::X509::CertificateError)
+    end
+  end
+
+  describe 'JWT verifier jwks_key' do
+    let(:jwt_validator) do
+      make_jwt_validator
+    end
+
+    before do
+      stub_jwks
+    end
+
+    it 'should return a key' do
+      expect(jwt_validator.jwks_key(:alg, jwks_kid)).to eq('RS256')
+    end
+
+    it 'should return an x5c key' do
+      expect(jwt_validator.jwks_key(:x5c, jwks_kid).length).to eq(1)
+    end
+
+    it 'should return nil if there is not key' do
+      expect(jwt_validator.jwks_key(:auth0, jwks_kid)).to eq(nil)
+    end
+
+    it 'should return nil if the key ID is invalid' do
+      expect(jwt_validator.jwks_key(:alg, "#{jwks_kid}_invalid")).to eq(nil)
+    end
+  end
+
+  describe 'JWT verifier custom issuer' do
+    context 'same as domain' do
+      let(:jwt_validator) do
+        make_jwt_validator(opt_issuer: domain)
+      end
+
+      it 'should have the correct issuer' do
+        expect(jwt_validator.issuer).to eq('https://samples.auth0.com/')
+      end
+
+      it 'should have the correct domain' do
+        expect(jwt_validator.issuer).to eq('https://samples.auth0.com/')
+      end
+    end
+
+    context 'different from domain' do
+      let(:jwt_validator) do
+        make_jwt_validator(opt_issuer: 'different.auth0.com')
+      end
+
+      it 'should have the correct issuer' do
+        expect(jwt_validator.issuer).to eq('https://different.auth0.com/')
+      end
+
+      it 'should have the correct domain' do
+        expect(jwt_validator.domain).to eq('https://samples.auth0.com/')
+      end
+    end
+  end
+
+  describe 'JWT verifier verify' do
+    let(:jwt_validator) do
+      make_jwt_validator
+    end
+
+    before do
+      stub_jwks
+      stub_dummy_jwks
+    end
+
+    it 'should fail with missing issuer' do
+      expect do
+        jwt_validator.verify(make_hs256_token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Issuer (iss) claim must be a string present in the ID token"
+      }))
+    end
+
+    it 'should fail with invalid issuer' do
+      payload = {
+        iss: 'https://auth0.com/'
+      }
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Issuer (iss) claim mismatch in the ID token, expected (https://samples.auth0.com/), found (https://auth0.com/)"
+      }))
+    end
+
+    it 'should fail when subject is missing' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: ''
+      }
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Subject (sub) claim must be a string present in the ID token"
+      }))
+    end
+
+    it 'should fail with missing audience' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub'
+      }
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Audience (aud) claim must be a string or array of strings present in the ID token"
+      }))
+    end
+
+    it 'should fail with invalid audience' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: 'Auth0'
+      }
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Audience (aud) claim mismatch in the ID token; expected #{client_id} but found Auth0"
+      }))
+    end
+
+    it 'should fail when missing expiration' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Expiration time (exp) claim must be a number present in the ID token"
+      }))
+    end
+
+    it 'should fail when past expiration' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: past_timecode
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Expiration time (exp) claim error in the ID token; current time (#{Time.now}) is after expiration time (#{Time.at(past_timecode + 60)})"
+      }))
+    end
+
+    it 'should fail when missing iat' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Issued At (iat) claim must be a number present in the ID token"
+      }))
+    end
+
+    it 'should fail when authorize params has nonce but nonce is missing in the token' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token, { nonce: 'noncey' })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Nonce (nonce) claim must be a string present in the ID token"
+      }))
+    end
+
+    it 'should fail when authorize params has nonce but token nonce does not match' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode,
+        nonce: 'mismatch'
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token, { nonce: 'noncey' })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Nonce (nonce) claim value mismatch in the ID token; expected (noncey), found (mismatch)"
+      }))
+    end
+    
+    it 'should fail when “aud” is an array of strings and azp claim is not present' do
+      aud = [
+        client_id,
+        "https://#{domain}/userinfo"
+      ]
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: aud,
+        exp: future_timecode,
+        iat: past_timecode
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values"
+      }))
+    end
+
+    it 'should fail when "azp" claim doesnt match the expected aud' do
+      aud = [
+        client_id,
+        "https://#{domain}/userinfo"
+      ]
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: aud,
+        exp: future_timecode,
+        iat: past_timecode,
+        azp: 'not_expected'
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Authorized Party (azp) claim mismatch in the ID token; expected (#{client_id}), found (not_expected)"
+      }))
+    end
+
+    it 'should fail when “max_age” sent on the authentication request and this claim is not present' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token, { max_age: 60 })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified"
+      }))
+    end
+
+    it 'should fail when “max_age” sent on the authentication request and this claim added the “max_age” value doesn’t represent a date in the future' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode,
+        auth_time: past_timecode
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token, { max_age: 60 })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (#{Time.now}) is after last auth time (#{Time.at(past_timecode + 60 + 60)})"
+      }))
+    end
+
+    it 'should verify a valid HS256 token with multiple audiences' do
+      audience = [
+        client_id,
+        "https://#{domain}/userinfo"
+      ]
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: audience,
+        exp: future_timecode,
+        iat: past_timecode,
+        azp: client_id
+      }
+      token = make_hs256_token(payload)
+      id_token = jwt_validator.verify(token)
+      expect(id_token['aud']).to eq(audience)
+    end
+
+    it 'should verify a standard HS256 token' do
+      sub = 'abc123'
+      payload = {
+        iss: "https://#{domain}/",
+        sub: sub,
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode
+      }
+      token = make_hs256_token(payload)
+      verified_token = jwt_validator.verify(token)
+      expect(verified_token['sub']).to eq(sub)
+    end
+
+    it 'should verify a standard RS256 token' do
+      domain = 'example.org'
+      sub = 'abc123'
+      payload = {
+        sub: sub,
+        exp: future_timecode,
+        iss: "https://#{domain}/",
+        iat: past_timecode,
+        aud: client_id,
+        kid: jwks_kid
+      }
+      token = make_rs256_token(payload)
+      verified_token = make_jwt_validator(opt_domain: domain).verify(token)
+      expect(verified_token['sub']).to eq(sub)
+    end
+  end
+
+  private
+
+  def make_jwt_validator(opt_domain: domain, opt_issuer: nil)
+    opts = OpenStruct.new(
+      domain: opt_domain,
+      client_id: client_id,
+      client_secret: client_secret
+    )
+    opts[:issuer] = opt_issuer unless opt_issuer.nil?
+
+    OmniAuth::Auth0::JWTValidator.new(opts)
+  end
+
+  def make_hs256_token(payload = nil)
+    payload = { sub: 'abc123' } if payload.nil?
+    JWT.encode payload, client_secret, 'HS256'
+  end
+
+  def make_rs256_token(payload = nil)
+    payload = { sub: 'abc123' } if payload.nil?
+    JWT.encode payload, rsa_private_key, 'RS256', kid: jwks_kid
+  end
+
+  def make_cert(private_key)
+    cert = OpenSSL::X509::Certificate.new
+    cert.issuer = OpenSSL::X509::Name.parse('/C=BE/O=Auth0/OU=Auth0/CN=Auth0')
+    cert.subject = cert.issuer
+    cert.not_before = Time.now
+    cert.not_after = Time.now + 365 * 24 * 60 * 60
+    cert.public_key = private_key.public_key
+    cert.serial = 0x0
+    cert.version = 2
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = cert
+    cert.extensions = [
+      ef.create_extension('basicConstraints', 'CA:TRUE', true),
+      ef.create_extension('subjectKeyIdentifier', 'hash')
+    ]
+    cert.add_extension ef.create_extension(
+      'authorityKeyIdentifier',
+      'keyid:always,issuer:always'
+    )
+
+    cert.sign private_key, OpenSSL::Digest::SHA1.new
+  end
+
+  def stub_jwks
+    stub_request(:get, 'https://samples.auth0.com/.well-known/jwks.json')
+      .to_return(
+        headers: { 'Content-Type' => 'application/json' },
+        body: jwks.to_json,
+        status: 200
+      )
+  end
+
+  def stub_bad_jwks
+    stub_request(:get, 'https://samples.auth0.com/.well-known/jwks-bad.json')
+      .to_return(
+        status: 404
+      )
+  end
+
+  def stub_dummy_jwks
+    stub_request(:get, 'https://example.org/.well-known/jwks.json')
+      .to_return(
+        headers: { 'Content-Type' => 'application/json' },
+        body: rsa_token_jwks,
+        status: 200
+      )
+  end
+end