omniauth-auth0 2.1.0 → 2.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 934d8fc4286b19102f56b0ac05dce7cc655c4d93dc7e4808bcec7e208542ddce
-  data.tar.gz: 9fc0b0a4060f90da65113c2123c69eb9d04566910afe942f7f9eb5bc0a172afa
+  metadata.gz: baf9ee46a227506a7f43d571bbf9b6afd3639f8bf83cb32cc8ef8a55af5041ab
+  data.tar.gz: a7529eca35711ab1217e9946c4c5872a4a8d5296773bc49425f63a2792bf40f0
 SHA512:
-  metadata.gz: 2bc7c98c7a6b411e2e1572a61e143ba949a02000ce153aa864ffd9c5211d7c36a32bbf6394c846e50c42d39836b2bee2d6ed4bd1d805f780d22e708a3597ca5c
-  data.tar.gz: 0c2ba38df3e347b84c61e97db2b2d78a6aa1a3eabb5de04b27fb9dd1f0a04f60c6eb8858d1171f90b06ca4417e166bd1f9ab8fa3e49512029f7624b5636123db
+  metadata.gz: b315bd912671314bcb0fd2f3bb19878ee1029fe3738c7887b732c3c346794011e23c26a39d0d77f9644846c302480469d00d1b307d6d72e6be61d9a6aa8b9e37
+  data.tar.gz: e29b464b82e4d4c3ef8870d06e1eee5f279afaf3330afa8a1167dbf4bfe0795ae4c966006c8bc6ebd993ac579ffe1cbd9cecb4aceb827a153af9e651020ea8cd

data/.circleci/config.yml

@@ -0,0 +1,22 @@
+version: 2.1
+jobs:
+  run-tests:
+    docker:
+      - image: circleci/ruby:2.5.7-buster
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+            - gems-v2-{{ checksum "Gemfile.lock" }}
+            - gems-v2-
+      - run: bundle check || bundle install
+      - save_cache:
+          key: gems-v2--{{ checksum "Gemfile.lock" }}
+          paths:
+            - vendor/bundle
+      - run: bundle exec rake spec
+
+workflows:
+  tests:
+    jobs:
+      - run-tests

data/.github/CODEOWNERS

@@ -0,0 +1 @@
+*	@auth0/dx-sdks-approver

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -29,4 +29,4 @@ Please describe how this can be tested by reviewers. Be specific about anything
 * [ ] I have read the [Auth0 contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
 * [ ] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
 * [ ] All existing and new tests complete without errors
-* [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](CONTRIBUTING.md) have been run/followed
+* [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](https://github.com/auth0/omniauth-auth0/blob/master/CONTRIBUTING.md) have been run/followed

data/.github/stale.yml

@@ -0,0 +1,20 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 90
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+daysUntilClose: 7
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels: []
+
+# Set to true to ignore issues with an assignee (defaults to false)
+exemptAssignees: true
+
+# Label to use when marking as stale
+staleLabel: closed:stale
+
+# Comment to post when marking as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

data/.gitignore

@@ -1,6 +1,5 @@
 .ruby-version
 coverage
-Gemfile.lock
 *.gem
 
 .#*
@@ -10,4 +9,4 @@ tmp/
 
 ## Environment normalization:
 /.bundle
-/vendor/bundle
+/vendor/bundle

data/.snyk

@@ -0,0 +1,9 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.13.5
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-RUBY-OMNIAUTH-174820:
+    - '*':
+        reason: Not affected.
+        expires: 2020-01-01T00:00:00.000Z
+patch: {}

data/CHANGELOG.md

@@ -1,5 +1,55 @@
 # Change Log
 
+## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1)
+
+**Fixed**
+- Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
+
+
+## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0)
+
+**Security**
+- Bump rack from 2.2.2 to 2.2.3 [\#107](https://github.com/auth0/omniauth-auth0/pull/107) ([dependabot](https://github.com/dependabot))
+- Update dependencies [\#100](https://github.com/auth0/omniauth-auth0/pull/100) ([Albalmaceda](https://github.com/Albalmaceda))
+
+**Added**
+- Add support for screen_hint=signup param [\#103](https://github.com/auth0/omniauth-auth0/pull/103) ([bbean86](https://github.com/bbean86))
+- Add support for `connection_scope` in params [\#99](https://github.com/auth0/omniauth-auth0/pull/99) ([felixclack](https://github.com/felixclack))
+
+
+## [v2.3.1](https://github.com/auth0/omniauth-auth0/tree/v2.3.1) (2020-03-27)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.3.1)
+
+**Fixed bugs:**
+
+- Fixes dependency issue [\#97](https://github.com/auth0/omniauth-auth0/pull/97) ([davidpatrick](https://github.com/davidpatrick))
+- Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" [\#96](https://github.com/auth0/omniauth-auth0/pull/96) ([stefanwork](https://github.com/stefanwork))
+
+## [v2.3.0](https://github.com/auth0/omniauth-auth0/tree/v2.3.0) (2020-03-06)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.2.0...v2.3.0)
+
+**Added**
+- Improved OIDC Compliance [\#92](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick))
+
+## [v2.2.0](https://github.com/auth0/omniauth-auth0/tree/v2.2.0) (2018-04-18)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.1.0...v2.2.0)
+
+**Closed issues**
+- It supports custom domain? [\#71](https://github.com/auth0/omniauth-auth0/issues/71)
+- Valid Login, No Details: email=nil image=nil name="github|38257089" nickname=nil [\#70](https://github.com/auth0/omniauth-auth0/issues/70)
+
+**Added**
+- Custom issuer [\#77](https://github.com/auth0/omniauth-auth0/pull/77) ([ryan-rosenfeld](https://github.com/ryan-rosenfeld))
+- Add telemetry to token endpoint [\#74](https://github.com/auth0/omniauth-auth0/pull/74) ([joshcanhelp](https://github.com/joshcanhelp))
+
+**Changed**
+- Remove telemetry from authorize URL [\#75](https://github.com/auth0/omniauth-auth0/pull/75) ([joshcanhelp](https://github.com/joshcanhelp))
+
 ## [v2.1.0](https://github.com/auth0/omniauth-auth0/tree/v2.1.0) (2018-10-30)
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.0.0...v2.1.0)
 

data/Gemfile

@@ -9,10 +9,10 @@ gem 'rake'
 group :development do
   gem 'dotenv'
   gem 'pry'
+  gem 'rubocop', require: false
   gem 'shotgun'
   gem 'sinatra'
   gem 'thin'
-  gem 'rubocop', require: false
 end
 
 group :test do
@@ -20,6 +20,7 @@ group :test do
   gem 'listen', '~> 3.1.5'
   gem 'rack-test'
   gem 'rspec', '~> 3.5'
+  gem 'codecov', require: false
   gem 'simplecov'
   gem 'webmock'
 end

data/Gemfile.lock

@@ -0,0 +1,167 @@
+PATH
+  remote: .
+  specs:
+    omniauth-auth0 (2.4.1)
+      omniauth-oauth2 (~> 1.5)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    ast (2.4.1)
+    codecov (0.2.11)
+      json
+      simplecov
+    coderay (1.1.3)
+    crack (0.4.4)
+    daemons (1.3.1)
+    diff-lcs (1.4.4)
+    docile (1.3.2)
+    dotenv (2.7.6)
+    eventmachine (1.2.7)
+    faraday (1.0.1)
+      multipart-post (>= 1.2, < 3)
+    ffi (1.13.1)
+    formatador (0.2.5)
+    gem-release (2.1.1)
+    guard (2.16.2)
+      formatador (>= 0.2.4)
+      listen (>= 2.7, < 4.0)
+      lumberjack (>= 1.0.12, < 2.0)
+      nenv (~> 0.1)
+      notiffany (~> 0.0)
+      pry (>= 0.9.12)
+      shellany (~> 0.0)
+      thor (>= 0.18.1)
+    guard-compat (1.2.1)
+    guard-rspec (4.7.3)
+      guard (~> 2.1)
+      guard-compat (~> 1.1)
+      rspec (>= 2.99.0, < 4.0)
+    hashdiff (1.0.1)
+    hashie (4.1.0)
+    json (2.3.1)
+    jwt (2.2.2)
+    listen (3.1.5)
+      rb-fsevent (~> 0.9, >= 0.9.4)
+      rb-inotify (~> 0.9, >= 0.9.7)
+      ruby_dep (~> 1.2)
+    lumberjack (1.2.8)
+    method_source (1.0.0)
+    multi_json (1.15.0)
+    multi_xml (0.6.0)
+    multipart-post (2.1.1)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
+    nenv (0.3.0)
+    notiffany (0.1.3)
+      nenv (~> 0.1)
+      shellany (~> 0.0)
+    oauth2 (1.4.4)
+      faraday (>= 0.8, < 2.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    omniauth (1.9.1)
+      hashie (>= 3.4.6)
+      rack (>= 1.6.2, < 3)
+    omniauth-oauth2 (1.7.0)
+      oauth2 (~> 1.4)
+      omniauth (~> 1.9)
+    parallel (1.19.2)
+    parser (2.7.2.0)
+      ast (~> 2.4.1)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    public_suffix (4.0.6)
+    rack (2.2.3)
+    rack-protection (2.1.0)
+      rack
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rainbow (3.0.0)
+    rake (13.0.1)
+    rb-fsevent (0.10.4)
+    rb-inotify (0.10.1)
+      ffi (~> 1.0)
+    regexp_parser (1.8.1)
+    rexml (3.2.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.3)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    rubocop (0.93.0)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.5)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8)
+      rexml
+      rubocop-ast (>= 0.6.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.7.1)
+      parser (>= 2.7.1.5)
+    ruby-progressbar (1.10.1)
+    ruby2_keywords (0.0.2)
+    ruby_dep (1.5.0)
+    shellany (0.0.1)
+    shotgun (0.9.2)
+      rack (>= 1.0)
+    simplecov (0.19.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.3)
+    sinatra (2.1.0)
+      mustermann (~> 1.0)
+      rack (~> 2.2)
+      rack-protection (= 2.1.0)
+      tilt (~> 2.0)
+    thin (1.7.2)
+      daemons (~> 1.0, >= 1.0.9)
+      eventmachine (~> 1.0, >= 1.0.4)
+      rack (>= 1, < 3)
+    thor (1.0.1)
+    tilt (2.0.10)
+    unicode-display_width (1.7.0)
+    webmock (3.9.1)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.9)
+  codecov
+  dotenv
+  gem-release
+  guard-rspec
+  jwt
+  listen (~> 3.1.5)
+  omniauth-auth0!
+  pry
+  rack-test
+  rake
+  rspec (~> 3.5)
+  rubocop
+  shotgun
+  simplecov
+  sinatra
+  thin
+  webmock
+
+BUNDLED WITH
+   1.17.3

data/README.md

@@ -1,10 +1,14 @@
 # OmniAuth Auth0
 
-An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy. 
+An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
 
-[![Build Status](https://travis-ci.org/auth0/omniauth-auth0.svg)](https://travis-ci.org/auth0/omniauth-auth0)
-[![Gem Version](https://badge.fury.io/rb/auth0.svg)](http://badge.fury.io/rb/auth0)
-[![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/ruby-auth0/blob/master/LICENSE)
+> :warning:  **Important security note:** This solution uses a 3rd party library with an unresolved [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284). Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution.
+
+[![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0)
+[![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
+[![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0)
+[![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/omniauth-auth0/blob/master/LICENSE)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_shield)
 
 ## Table of Contents
 
@@ -30,13 +34,19 @@ Add the following line to your `Gemfile`:
 gem 'omniauth-auth0'
 ```
 
+If you're using this strategy with Rails, also add the following for CSRF protection:
+
+```ruby
+gem 'omniauth-rails_csrf_protection'
+```
+
 Then install:
 
 ```bash
 $ bundle install
 ```
 
-See our [contributing guide](CONTRIBUTING.md) for information on local installation for development. 
+See our [contributing guide](CONTRIBUTING.md) for information on local installation for development.
 
 ## Getting Started
 
@@ -54,7 +64,7 @@ All of these tasks and more are covered in our [Ruby on Rails Quickstart](https:
 To send additional parameters during login, you can specify them when you register the provider:
 
 ```ruby
-provider 
+provider
   :auth0,
   ENV['AUTH0_CLIENT_ID'],
   ENV['AUTH0_CLIENT_SECRET'],
@@ -62,19 +72,13 @@ provider
   {
     authorize_params: {
       scope: 'openid read:users write:order',
-      audience: 'https://mydomain/api'
+      audience: 'https://mydomain/api',
+      max_age: 3600 # time in seconds authentication is valid
     }
   }
 ```
 
-... which will tell the strategy to send those parameters on every Auth request.
-
-Or you can do it for a specific authentication request by adding them to the query parameters of the redirect URL. Allowed parameters are `connection` and `prompt`:
-
-```ruby
-redirect_to '/auth/auth0?connection=google-oauth2'
-redirect_to '/auth/auth0?prompt=none'
-```
+... which will tell the strategy to send those parameters on every authentication request.
 
 ### Authentication hash
 
@@ -118,6 +122,17 @@ The Auth0 strategy will provide the standard OmniAuth hash attributes:
 }
 ```
 
+### Query Parameter Options
+
+In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this:
+
+- `connection`
+- `connection_scope`
+- `prompt`
+- `screen_hint` (only relevant to New Universal Login Experience)
+
+Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
+
 ## Contribution
 
 We appreciate feedback and contribution to this repo! Before you get started, please see the following:
@@ -128,10 +143,9 @@ We appreciate feedback and contribution to this repo! Before you get started, pl
 
 ## Support + Feedback
 
-
 - Use [Community](https://community.auth0.com/) for usage, questions, specific cases.
 - Use [Issues](https://github.com/auth0/omniauth-auth0/issues) here for code-level support and bug reports.
-- Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues. 
+- Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues.
 
 ## Vulnerability Reporting
 
@@ -153,3 +167,6 @@ Auth0 helps you to easily:
 ## License
 
 The OmniAuth Auth0 strategy is licensed under MIT - [LICENSE](LICENSE)
+
+
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_large)

data/codecov.yml

@@ -0,0 +1,22 @@
+coverage:
+  precision: 2
+  round: down
+  range: "60...100"
+  status:
+    project:
+      default:
+        enabled: true
+        target: auto
+        threshold: 5%
+        if_no_uploads: error
+    patch:
+      default:
+        enabled: true
+        target: 80%
+        threshold: 30%
+        if_no_uploads: error
+    changes:
+      default:
+        enabled: true
+        if_no_uploads: error
+comment: false