omniauth-auth0 2.0.0 → 3.1.0

data/codecov.yml

@@ -0,0 +1,22 @@
+coverage:
+  precision: 2
+  round: down
+  range: "60...100"
+  status:
+    project:
+      default:
+        enabled: true
+        target: auto
+        threshold: 5%
+        if_no_uploads: error
+    patch:
+      default:
+        enabled: true
+        target: 80%
+        threshold: 30%
+        if_no_uploads: error
+    changes:
+      default:
+        enabled: true
+        if_no_uploads: error
+comment: false 

data/lib/omniauth/auth0/errors.rb

@@ -0,0 +1,11 @@
+module OmniAuth
+  module Auth0
+    class TokenValidationError < StandardError
+      attr_reader :error_reason
+      def initialize(msg)
+        @error_reason = msg
+        super(msg)
+      end
+    end
+  end
+end

data/lib/omniauth/auth0/jwt_validator.rb

@@ -0,0 +1,278 @@
+require 'base64'
+require 'uri'
+require 'json'
+require 'omniauth'
+require 'omniauth/auth0/errors'
+
+module OmniAuth
+  module Auth0
+    # JWT Validator class
+    class JWTValidator
+      attr_accessor :issuer, :domain
+
+      # Initializer
+      # @param options object
+      #   options.domain - Application domain.
+      #   options.issuer - Application issuer (optional).
+      #   options.client_id - Application Client ID.
+      #   options.client_secret - Application Client Secret.
+
+      def initialize(options, authorize_params = {})
+        @domain = uri_string(options.domain)
+
+        # Use custom issuer if provided, otherwise use domain
+        @issuer = @domain
+        @issuer = uri_string(options.issuer) if options.respond_to?(:issuer)
+
+        @client_id = options.client_id
+        @client_secret = options.client_secret
+      end
+
+      # Verify a token's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
+      # Deprecated: Please use `decode` instead
+      # @return array - The token's key and signing algorithm
+      def verify_signature(jwt)
+        head = token_head(jwt)
+        key, alg = extract_key(head)
+
+        # Call decode to verify the signature
+        JWT.decode(jwt, key, true, decode_opts(alg))
+        return key, alg
+      end
+
+      # Decodes a JWT and verifies it's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
+      # @param jwt string - JWT to verify.
+      # @return hash - The decoded token, if there were no exceptions.
+      # @see https://github.com/jwt/ruby-jwt
+      def decode(jwt)
+        head = token_head(jwt)
+        key, alg = extract_key(head)
+
+        # Call decode to verify the signature
+        JWT.decode(jwt, key, true, decode_opts(alg))
+      end
+
+      # Verify a JWT.
+      # @param jwt string - JWT to verify.
+      # @param authorize_params hash - Authorization params to verify on the JWT
+      # @return hash - The verified token payload, if there were no exceptions.
+      def verify(jwt, authorize_params = {})
+        if !jwt
+          raise OmniAuth::Auth0::TokenValidationError.new('ID token is required but missing')
+        end
+
+        parts = jwt.split('.')
+        if parts.length != 3
+          raise OmniAuth::Auth0::TokenValidationError.new('ID token could not be decoded')
+        end
+
+        id_token, header = decode(jwt)
+        verify_claims(id_token, authorize_params)
+
+        return id_token
+      end
+
+      # Get the decoded head segment from a JWT.
+      # @return hash - The parsed head of the JWT passed, empty hash if not.
+      def token_head(jwt)
+        jwt_parts = jwt.split('.')
+        return {} if blank?(jwt_parts) || blank?(jwt_parts[0])
+
+        json_parse(Base64.decode64(jwt_parts[0]))
+      end
+
+      # Get the JWKS from the issuer and return a public key.
+      # @param x5c string - X.509 certificate chain from a JWKS.
+      # @return key - The X.509 certificate public key.
+      def jwks_public_cert(x5c)
+        x5c = Base64.decode64(x5c)
+
+        # https://docs.ruby-lang.org/en/2.4.0/OpenSSL/X509/Certificate.html
+        OpenSSL::X509::Certificate.new(x5c).public_key
+      end
+
+      # Return a specific key from a JWKS object.
+      # @param key string - Key to find in the JWKS.
+      # @param kid string - Key ID to identify the right JWK.
+      # @return nil|string
+      def jwks_key(key, kid)
+        return nil if blank?(jwks[:keys])
+
+        matching_jwk = jwks[:keys].find { |jwk| jwk[:kid] == kid }
+        matching_jwk[key] if matching_jwk
+      end
+
+      private
+      # Get the JWT decode options. We disable the claim checks since we perform our claim validation logic
+      # Docs: https://github.com/jwt/ruby-jwt
+      # @return hash
+      def decode_opts(alg)
+        {
+          algorithm: alg,
+          verify_expiration: false,
+          verify_iat: false,
+          verify_iss: false,
+          verify_aud: false,
+          verify_jti: false,
+          verify_subj: false,
+          verify_not_before: false
+        }
+      end
+
+      def extract_key(head)
+        if head[:alg] == 'RS256'
+          key, alg = [rs256_decode_key(head[:kid]), head[:alg]]
+        elsif head[:alg] == 'HS256'
+          key, alg = [@client_secret, head[:alg]]
+        else
+          raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
+        end
+      end
+
+      def rs256_decode_key(kid)
+        jwks_x5c = jwks_key(:x5c, kid)
+
+        if jwks_x5c.nil?
+          raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}'")
+        end
+
+        jwks_public_cert(jwks_x5c.first)
+      end
+
+      # Get a JWKS from the domain
+      # @return void
+      def jwks
+        jwks_uri = URI(@domain + '.well-known/jwks.json')
+        @jwks ||= json_parse(Net::HTTP.get(jwks_uri))
+      end
+
+      # Rails Active Support blank method.
+      # @param obj object - Object to check for blankness.
+      # @return boolean
+      def blank?(obj)
+        obj.respond_to?(:empty?) ? obj.empty? : !obj
+      end
+
+      # Parse JSON with symbolized names.
+      # @param json string - JSON to parse.
+      # @return hash
+      def json_parse(json)
+        JSON.parse(json, symbolize_names: true)
+      end
+
+      # Parse a URI into the desired string format
+      # @param uri - the URI to parse
+      # @return string
+      def uri_string(uri)
+        temp_domain = URI(uri)
+        temp_domain = URI("https://#{uri}") unless temp_domain.scheme
+        temp_domain = temp_domain.to_s
+        temp_domain.end_with?('/') ? temp_domain : "#{temp_domain}/"
+      end
+
+      def verify_claims(id_token, authorize_params)
+        leeway = authorize_params[:leeway] || 60
+        max_age = authorize_params[:max_age]
+        nonce = authorize_params[:nonce]
+        organization = authorize_params[:organization]
+
+        verify_iss(id_token)
+        verify_sub(id_token)
+        verify_aud(id_token)
+        verify_expiration(id_token, leeway)
+        verify_iat(id_token)
+        verify_nonce(id_token, nonce)
+        verify_azp(id_token)
+        verify_auth_time(id_token, leeway, max_age)
+        verify_org(id_token, organization)
+      end
+
+      def verify_iss(id_token)
+        issuer = id_token['iss']
+        if !issuer
+          raise OmniAuth::Auth0::TokenValidationError.new("Issuer (iss) claim must be a string present in the ID token")
+        elsif @issuer != issuer
+          raise OmniAuth::Auth0::TokenValidationError.new("Issuer (iss) claim mismatch in the ID token, expected (#{@issuer}), found (#{id_token['iss']})")
+        end
+      end
+
+      def verify_sub(id_token)
+        subject = id_token['sub']
+        if !subject || !subject.is_a?(String) || subject.empty?
+          raise OmniAuth::Auth0::TokenValidationError.new('Subject (sub) claim must be a string present in the ID token')
+        end
+      end
+
+      def verify_aud(id_token)
+        audience = id_token['aud']
+        if !audience || !(audience.is_a?(String) || audience.is_a?(Array))
+          raise OmniAuth::Auth0::TokenValidationError.new("Audience (aud) claim must be a string or array of strings present in the ID token")
+        elsif audience.is_a?(Array) && !audience.include?(@client_id)
+          raise OmniAuth::Auth0::TokenValidationError.new("Audience (aud) claim mismatch in the ID token; expected #{@client_id} but was not one of #{audience.join(', ')}")
+        elsif audience.is_a?(String) && audience != @client_id
+          raise OmniAuth::Auth0::TokenValidationError.new("Audience (aud) claim mismatch in the ID token; expected #{@client_id} but found #{audience}")
+        end
+      end
+
+      def verify_expiration(id_token, leeway)
+        expiration = id_token['exp']
+        if !expiration || !expiration.is_a?(Integer)
+          raise OmniAuth::Auth0::TokenValidationError.new("Expiration time (exp) claim must be a number present in the ID token")
+        elsif expiration <= Time.now.to_i - leeway
+          raise OmniAuth::Auth0::TokenValidationError.new("Expiration time (exp) claim error in the ID token; current time (#{Time.now}) is after expiration time (#{Time.at(expiration + leeway)})")
+        end
+      end
+
+      def verify_iat(id_token)
+        if !id_token['iat']
+          raise OmniAuth::Auth0::TokenValidationError.new("Issued At (iat) claim must be a number present in the ID token")
+        end
+      end
+
+      def verify_nonce(id_token, nonce)
+        if nonce
+          received_nonce = id_token['nonce']
+          if !received_nonce
+            raise OmniAuth::Auth0::TokenValidationError.new("Nonce (nonce) claim must be a string present in the ID token")
+          elsif nonce != received_nonce
+            raise OmniAuth::Auth0::TokenValidationError.new("Nonce (nonce) claim value mismatch in the ID token; expected (#{nonce}), found (#{received_nonce})")
+          end
+        end
+      end
+
+      def verify_azp(id_token)
+        audience = id_token['aud']
+        if audience.is_a?(Array) && audience.length > 1
+          azp = id_token['azp']
+          if !azp || !azp.is_a?(String)
+            raise OmniAuth::Auth0::TokenValidationError.new("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values")
+          elsif azp != @client_id
+            raise OmniAuth::Auth0::TokenValidationError.new("Authorized Party (azp) claim mismatch in the ID token; expected (#{@client_id}), found (#{azp})")
+          end
+        end
+      end
+
+      def verify_auth_time(id_token, leeway, max_age)
+        if max_age
+          auth_time = id_token['auth_time']
+          if !auth_time || !auth_time.is_a?(Integer)
+            raise OmniAuth::Auth0::TokenValidationError.new("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified")
+          elsif Time.now.to_i >  auth_time + max_age + leeway;
+            raise OmniAuth::Auth0::TokenValidationError.new("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (#{Time.now}) is after last auth time (#{Time.at(auth_time + max_age + leeway)})")
+          end
+        end
+      end
+
+      def verify_org(id_token, organization)
+        if organization
+          org_id = id_token['org_id']
+          if !org_id || !org_id.is_a?(String)
+            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim must be a string present in the ID token")
+          elsif org_id != organization
+            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/auth0/telemetry.rb

@@ -0,0 +1,36 @@
+require 'json'
+
+module OmniAuth
+  module Auth0
+    # Module to provide necessary telemetry for API requests.
+    module Telemetry
+
+      # Return a telemetry hash to be encoded and sent to Auth0.
+      # @return hash
+      def telemetry
+        telemetry = {
+          name: 'omniauth-auth0',
+          version: OmniAuth::Auth0::VERSION,
+          env: {
+            ruby: RUBY_VERSION
+          }
+        }
+        add_rails_version telemetry
+      end
+
+      # JSON-ify and base64 encode the current telemetry.
+      # @return string
+      def telemetry_encoded
+        Base64.urlsafe_encode64(JSON.dump(telemetry))
+      end
+
+      private
+
+      def add_rails_version(telemetry)
+        return telemetry unless Gem.loaded_specs['rails'].respond_to? :version
+        telemetry[:env][:rails] = Gem.loaded_specs['rails'].version.to_s
+        telemetry
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/auth0.rb

@@ -1,19 +1,28 @@
+# frozen_string_literal: true
+
 require 'base64'
 require 'uri'
+require 'securerandom'
 require 'omniauth-oauth2'
+require 'omniauth/auth0/jwt_validator'
+require 'omniauth/auth0/telemetry'
+require 'omniauth/auth0/errors'
 
 module OmniAuth
   module Strategies
     # Auth0 OmniAuth strategy
     class Auth0 < OmniAuth::Strategies::OAuth2
+      include OmniAuth::Auth0::Telemetry
+
       option :name, 'auth0'
 
-      args [
-        :client_id,
-        :client_secret,
-        :domain
+      args %i[
+        client_id
+        client_secret
+        domain
       ]
 
+      # Setup client URLs used during authentication
       def client
         options.client_options.site = domain_url
         options.client_options.authorize_url = '/authorize'
@@ -22,25 +31,47 @@ module OmniAuth
         super
       end
 
+      # Use the "sub" key of the userinfo returned
+      # as the uid (globally unique string identifier).
       uid { raw_info['sub'] }
 
+      # Build the API credentials hash with returned auth data.
       credentials do
-        hash = { 'token' => access_token.token }
-        hash['expires'] = true
+        credentials = {
+          'token' => access_token.token,
+          'expires' => true
+        }
+
         if access_token.params
-          hash['id_token'] = access_token.params['id_token']
-          hash['token_type'] = access_token.params['token_type']
-          hash['refresh_token'] = access_token.refresh_token
+          credentials.merge!(
+            'id_token' => access_token.params['id_token'],
+            'token_type' => access_token.params['token_type'],
+            'refresh_token' => access_token.refresh_token
+          )
+        end
+
+        # Retrieve and remove authorization params from the session
+        session_authorize_params = session['authorize_params'] || {}
+        session.delete('authorize_params')
+
+        auth_scope = session_authorize_params[:scope]
+        if auth_scope.respond_to?(:include?) && auth_scope.include?('openid')
+          # Make sure the ID token can be verified and decoded.
+          jwt_validator.verify(credentials['id_token'], session_authorize_params)
         end
-        hash
+
+        credentials
       end
 
+      # Store all raw information for use in the session.
       extra do
         {
           raw_info: raw_info
         }
       end
 
+      # Build a hash of information about the user
+      # with keys taken from the Auth Hash Schema.
       info do
         {
           name: raw_info['name'] || raw_info['sub'],
@@ -50,56 +81,93 @@ module OmniAuth
         }
       end
 
+      # Define the parameters used for the /authorize endpoint
       def authorize_params
         params = super
-        params['auth0Client'] = client_info
+        %w[connection connection_scope prompt screen_hint login_hint organization invitation ui_locales].each do |key|
+          params[key] = request.params[key] if request.params.key?(key)
+        end
+
+        # Generate nonce
+        params[:nonce] = SecureRandom.hex
+        # Generate leeway if none exists
+        params[:leeway] = 60 unless params[:leeway]
+
+        # Store authorize params in the session for token verification
+        session['authorize_params'] = params.to_hash
+
         params
       end
 
+      def build_access_token
+        options.token_params[:headers] = { 'Auth0-Client' => telemetry_encoded }
+        super
+      end
+
+      # Declarative override for the request phase of authentication
       def request_phase
         if no_client_id?
+          # Do we have a client_id for this Application?
           fail!(:missing_client_id)
         elsif no_client_secret?
+          # Do we have a client_secret for this Application?
           fail!(:missing_client_secret)
         elsif no_domain?
+          # Do we have a domain for this Application?
           fail!(:missing_domain)
         else
+          # All checks pass, run the Oauth2 request_phase method.
           super
         end
       end
 
+      def callback_phase
+        super
+      rescue OmniAuth::Auth0::TokenValidationError => e
+        fail!(:token_validation_error, e)
+      end
+
       private
+      def jwt_validator
+        @jwt_validator ||= OmniAuth::Auth0::JWTValidator.new(options)
+      end
 
+      # Parse the raw user info.
       def raw_info
-        userinfo_url = options.client_options.userinfo_url
-        @raw_info ||= access_token.get(userinfo_url).parsed
+        return @raw_info if @raw_info
+
+        if access_token["id_token"]
+          claims, header = jwt_validator.decode(access_token["id_token"])
+          @raw_info = claims
+        else
+          userinfo_url = options.client_options.userinfo_url
+          @raw_info = access_token.get(userinfo_url).parsed
+        end
+
+        return @raw_info
       end
 
+      # Check if the options include a client_id
       def no_client_id?
         ['', nil].include?(options.client_id)
       end
 
+      # Check if the options include a client_secret
       def no_client_secret?
         ['', nil].include?(options.client_secret)
       end
 
+      # Check if the options include a domain
       def no_domain?
         ['', nil].include?(options.domain)
       end
 
+      # Normalize a domain to a URL.
       def domain_url
         domain_url = URI(options.domain)
         domain_url = URI("https://#{domain_url}") if domain_url.scheme.nil?
         domain_url.to_s
       end
-
-      def client_info
-        client_info = JSON.dump(
-          name: 'omniauth-auth0',
-          version: OmniAuth::Auth0::VERSION
-        )
-        Base64.urlsafe_encode64(client_info)
-      end
     end
   end
 end

data/lib/omniauth-auth0/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Auth0
-    VERSION = '2.0.0'.freeze
+    VERSION = '3.1.0'.freeze
   end
 end

data/lib/omniauth-auth0.rb

@@ -1,2 +1,2 @@
-require 'omniauth-auth0/version' # rubocop:disable Style/FileName
+require 'omniauth-auth0/version'
 require 'omniauth/strategies/auth0'

data/omniauth-auth0.gemspec

@@ -8,24 +8,23 @@ Gem::Specification.new do |s|
   s.authors     = ['Auth0']
   s.email       = ['info@auth0.com']
   s.homepage    = 'https://github.com/auth0/omniauth-auth0'
-  s.summary     = 'Omniauth OAuth2 strategy for the Auth0 platform.'
+  s.summary     = 'OmniAuth OAuth2 strategy for the Auth0 platform.'
   s.description = %q{Auth0 is an authentication broker that supports social identity providers as well as enterprise identity providers such as Active Directory, LDAP, Google Apps, Salesforce.
 
 OmniAuth is a library that standardizes multi-provider authentication for web applications. It was created to be powerful, flexible, and do as little as possible.
 
-omniauth-auth0 is the omniauth strategy for Auth0.
+omniauth-auth0 is the OmniAuth strategy for Auth0.
 }
 
-  s.rubyforge_project = 'omniauth-auth0'
-
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split('\n').map{ |f| File.basename(f) }
   s.require_paths = ['lib']
 
-  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.4'
+  s.add_runtime_dependency 'omniauth', '~> 2'
+  s.add_runtime_dependency 'omniauth-oauth2', '~> 1'
+
+  s.add_development_dependency 'bundler'
 
-  s.add_development_dependency 'bundler', '~> 1.9'
-  
   s.license = 'MIT'
 end

data/opslevel.yml

@@ -0,0 +1,6 @@
+---
+version: 1
+repository:
+  owner: dx_sdks
+  tier:
+  tags: