omniauth-auth0 2.2.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 463fae0687e0473a0918c9c2086f3b47a60ae1448fffa3b1157ec933784c1a1c
-  data.tar.gz: d872be3b458dadf3752d58192059d6d350a90f7047de1e84b98137417880204d
+  metadata.gz: 07f73634dc123aa4d6912e4d17e7c461948cf6b1fa2086003600434bfd99dcf9
+  data.tar.gz: 29e79d38181335c08618108b96e667d24c768185432e2d5e22312e716c333b48
 SHA512:
-  metadata.gz: 13efc37572c71bdd5184dd9888e48f2479e5e5d52c16f454c01c88834fc2f5dffa3488b13b8b0dc9bbe423d9aa750038c12693f85e83f3375482af8857788585
-  data.tar.gz: 2240535e4f749e7ba47f587ca56ae9e1d5ee596e54391a969a5f282b852ab8f3a2970c99514014fada2d5a00b259144849e6e2db1ae559a8ab584753e4e7bce9
+  metadata.gz: 0d1fa93a13a96f24a55ea4fa475561d7252cfd39a2975277ca93be8a91b07a58222dd16e522225f1e4bf0ff3ad5a7456bdac6e640e2e372f3a415ca6b4fafe7a
+  data.tar.gz: 6528f8a41f91bffb7a8c6285882a0f9179c51a3bc133824f896cbae7d36f7deafa2d70bf6f7b20bdb684c66831d043f91c3c9f938cc21d603da4d7788a4cca1d

data/.circleci/config.yml

@@ -15,35 +15,14 @@ jobs:
           paths:
             - Gemfile
             - Gemfile.lock
+            - .snyk
       - save_cache:
           key: gems-v2--{{ checksum "Gemfile.lock" }}
           paths:
             - vendor/bundle
       - run: bundle exec rake spec
-  snyk:
-    docker:
-      - image: snyk/snyk-cli:rubygems
-    steps:
-      - attach_workspace:
-          at: .
-      - run: snyk test
-      - run:
-          command: |
-            if [[ "${CIRCLE_BRANCH}" == "master" ]]
-            then
-            snyk monitor --org=auth0-sdks
-            fi
-          when: always
 
 workflows:
   tests:
     jobs:
       - run-tests
-  snyk:
-    jobs:
-      - run-tests
-      - snyk:
-          # Must define SNYK_TOKEN env
-          context: snyk-env 
-          requires: 
-            - run-tests

data/.github/CODEOWNERS

@@ -0,0 +1 @@
+*	@auth0/dx-sdks-approver

data/.github/stale.yml

@@ -0,0 +1,20 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 90
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+daysUntilClose: 7
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels: []
+
+# Set to true to ignore issues with an assignee (defaults to false)
+exemptAssignees: true
+
+# Label to use when marking as stale
+staleLabel: closed:stale
+
+# Comment to post when marking as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

data/.snyk

@@ -0,0 +1,9 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.13.5
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-RUBY-OMNIAUTH-174820:
+    - '*':
+        reason: Not affected.
+        expires: 2020-01-01T00:00:00.000Z
+patch: {}

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## [v2.3.0](https://github.com/auth0/omniauth-auth0/tree/v2.3.0) (2020-03-06)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.2.0)
+
+**Added**
+- Improved OIDC Compliance [\#74](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick))
+
 ## [v2.2.0](https://github.com/auth0/omniauth-auth0/tree/v2.2.0) (2018-04-18)
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.1.0...v2.2.0)
 

data/Gemfile.lock

@@ -1,16 +1,16 @@
 PATH
   remote: .
   specs:
-    omniauth-auth0 (2.2.0)
+    omniauth-auth0 (2.3.0)
       omniauth-oauth2 (~> 1.5)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
     ast (2.4.0)
-    codecov (0.1.14)
+    codecov (0.1.16)
       json
       simplecov
       url
@@ -19,15 +19,15 @@ GEM
       safe_yaml (~> 1.0.0)
     daemons (1.3.1)
     diff-lcs (1.3)
-    docile (1.3.1)
-    dotenv (2.7.2)
+    docile (1.3.2)
+    dotenv (2.7.5)
     eventmachine (1.2.7)
-    faraday (0.15.4)
+    faraday (1.0.0)
       multipart-post (>= 1.2, < 3)
-    ffi (1.10.0)
+    ffi (1.12.2)
     formatador (0.2.5)
-    gem-release (2.0.1)
-    guard (2.15.0)
+    gem-release (2.1.1)
+    guard (2.16.1)
       formatador (>= 0.2.4)
       listen (>= 2.7, < 4.0)
       lumberjack (>= 1.0.12, < 2.0)
@@ -41,104 +41,105 @@ GEM
       guard (~> 2.1)
       guard-compat (~> 1.1)
       rspec (>= 2.99.0, < 4.0)
-    hashdiff (0.3.8)
-    hashie (3.6.0)
-    jaro_winkler (1.5.2)
-    json (2.2.0)
-    jwt (2.1.0)
+    hashdiff (1.0.1)
+    hashie (4.1.0)
+    jaro_winkler (1.5.4)
+    json (2.3.0)
+    jwt (2.2.1)
     listen (3.1.5)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
       ruby_dep (~> 1.2)
-    lumberjack (1.0.13)
+    lumberjack (1.2.4)
     method_source (0.9.2)
-    multi_json (1.13.1)
+    multi_json (1.14.1)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    mustermann (1.0.3)
+    multipart-post (2.1.1)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
     nenv (0.3.0)
-    notiffany (0.1.1)
+    notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
-    oauth2 (1.4.1)
-      faraday (>= 0.8, < 0.16.0)
+    oauth2 (1.4.4)
+      faraday (>= 0.8, < 2.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.0)
-      hashie (>= 3.4.6, < 3.7.0)
+    omniauth (1.9.1)
+      hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.9)
-    parallel (1.17.0)
-    parser (2.6.2.1)
+    parallel (1.19.1)
+    parser (2.7.0.4)
       ast (~> 2.4.0)
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    psych (3.1.0)
-    public_suffix (3.0.3)
-    rack (2.0.7)
-    rack-protection (2.0.5)
+    public_suffix (4.0.3)
+    rack (2.2.2)
+    rack-protection (2.0.8.1)
       rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rainbow (3.0.0)
-    rake (12.3.2)
+    rake (13.0.1)
     rb-fsevent (0.10.3)
-    rb-inotify (0.10.0)
+    rb-inotify (0.10.1)
       ffi (~> 1.0)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    rexml (3.2.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
+    rspec-expectations (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
-    rubocop (0.67.2)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.2)
+    rubocop (0.80.1)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
-      parser (>= 2.5, != 2.5.1.1)
-      psych (>= 3.1.0)
+      parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
+      rexml
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.6)
-    ruby-progressbar (1.10.0)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    ruby-progressbar (1.10.1)
+    ruby2_keywords (0.0.2)
     ruby_dep (1.5.0)
     safe_yaml (1.0.5)
     shellany (0.0.1)
     shotgun (0.9.2)
       rack (>= 1.0)
-    simplecov (0.16.1)
+    simplecov (0.18.5)
       docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
-    sinatra (2.0.5)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.2)
+    sinatra (2.0.8.1)
       mustermann (~> 1.0)
       rack (~> 2.0)
-      rack-protection (= 2.0.5)
+      rack-protection (= 2.0.8.1)
       tilt (~> 2.0)
     thin (1.7.2)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (0.20.3)
-    tilt (2.0.9)
-    unicode-display_width (1.5.0)
+    thor (1.0.1)
+    tilt (2.0.10)
+    unicode-display_width (1.6.1)
     url (0.3.2)
-    webmock (3.5.1)
+    webmock (3.8.2)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
-      hashdiff
+      hashdiff (>= 0.4.0, < 2.0.0)
 
 PLATFORMS
   ruby

data/README.md

@@ -2,6 +2,8 @@
 
 An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy. 
 
+**Important security note:** The parent library for this strategy currently has an unresolved security issue. Please see the discussion, including mitigations for Rails and non-Rails applications, [here](https://github.com/auth0/omniauth-auth0/issues/82).
+
 [![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0)
 [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
 [![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0)
@@ -31,6 +33,12 @@ Add the following line to your `Gemfile`:
 gem 'omniauth-auth0'
 ```
 
+If you're using this strategy with Rails, also add the following for CSRF protection:
+
+```ruby
+gem 'omniauth-rails_csrf_protection'
+```
+
 Then install:
 
 ```bash
@@ -63,19 +71,13 @@ provider
   {
     authorize_params: {
       scope: 'openid read:users write:order',
-      audience: 'https://mydomain/api'
+      audience: 'https://mydomain/api',
+      max_age: 3600 # time in seconds authentication is valid
     }
   }
 ```
 
-... which will tell the strategy to send those parameters on every Auth request.
-
-Or you can do it for a specific authentication request by adding them to the query parameters of the redirect URL. Allowed parameters are `connection` and `prompt`:
-
-```ruby
-redirect_to '/auth/auth0?connection=google-oauth2'
-redirect_to '/auth/auth0?prompt=none'
-```
+... which will tell the strategy to send those parameters on every authentication request.
 
 ### Authentication hash
 
@@ -129,7 +131,6 @@ We appreciate feedback and contribution to this repo! Before you get started, pl
 
 ## Support + Feedback
 
-
 - Use [Community](https://community.auth0.com/) for usage, questions, specific cases.
 - Use [Issues](https://github.com/auth0/omniauth-auth0/issues) here for code-level support and bug reports.
 - Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues. 

data/lib/omniauth-auth0/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Auth0
-    VERSION = '2.2.0'.freeze
+    VERSION = '2.3.0'.freeze
   end
 end

data/lib/omniauth/auth0/errors.rb

@@ -0,0 +1,11 @@
+module OmniAuth
+  module Auth0
+    class TokenValidationError < StandardError
+      attr_reader :error_reason
+      def initialize(msg)
+        @error_reason = msg
+        super(msg)
+      end
+    end
+  end
+end

data/lib/omniauth/auth0/jwt_validator.rb

@@ -15,7 +15,8 @@ module OmniAuth
       #   options.issuer - Application issuer (optional).
       #   options.client_id - Application Client ID.
       #   options.client_secret - Application Client Secret.
-      def initialize(options)
+
+      def initialize(options, authorize_params = {})
         @domain = uri_string(options.domain)
 
         # Use custom issuer if provided, otherwise use domain
@@ -26,23 +27,38 @@ module OmniAuth
         @client_secret = options.client_secret
       end
 
-      # Decode a JWT.
-      # @param jwt string - JWT to decode.
-      # @return hash - The decoded token, if there were no exceptions.
-      # @see https://github.com/jwt/ruby-jwt
-      def decode(jwt)
+      def verify_signature(jwt)
         head = token_head(jwt)
 
         # Make sure the algorithm is supported and get the decode key.
-        decode_key = @client_secret
         if head[:alg] == 'RS256'
-          decode_key = rs256_decode_key(head[:kid])
-        elsif head[:alg] != 'HS256'
-          raise JWT::VerificationError, :id_token_alg_unsupported
+          [rs256_decode_key(head[:kid]), head[:alg]]
+        elsif head[:alg] == 'HS256'
+          [@client_secret, head[:alg]]
+        else
+          raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
+        end
+      end
+
+      # Verify a JWT.
+      # @param jwt string - JWT to verify.
+      # @param authorize_params hash - Authorization params to verify on the JWT
+      # @return hash - The verified token, if there were no exceptions.
+      def verify(jwt, authorize_params = {})
+        if !jwt
+          raise OmniAuth::Auth0::TokenValidationError.new('ID token is required but missing')
+        end
+
+        parts = jwt.split('.')
+        if parts.length != 3
+          raise OmniAuth::Auth0::TokenValidationError.new('ID token could not be decoded')
         end
 
-        # Docs: https://github.com/jwt/ruby-jwt#algorithms-and-usage
-        JWT.decode(jwt, decode_key, true, decode_opts(head[:alg]))
+        key, alg = verify_signature(jwt)
+        id_token, header = JWT.decode(jwt, key, false)
+        verify_claims(id_token, authorize_params)
+
+        return id_token
       end
 
       # Get the decoded head segment from a JWT.
@@ -76,26 +92,12 @@ module OmniAuth
       end
 
       private
-
-      # Get the JWT decode options
-      # Docs: https://github.com/jwt/ruby-jwt#add-custom-header-fields
-      # @return hash
-      def decode_opts(alg)
-        {
-          algorithm: alg,
-          leeway: 30,
-          verify_expiration: true,
-          verify_iss: true,
-          iss: @issuer,
-          verify_aud: true,
-          aud: @client_id,
-          verify_not_before: true
-        }
-      end
-
       def rs256_decode_key(kid)
         jwks_x5c = jwks_key(:x5c, kid)
-        raise JWT::VerificationError, :jwks_missing_x5c if jwks_x5c.nil?
+
+        if jwks_x5c.nil?
+          raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}''")
+        end
 
         jwks_public_cert(jwks_x5c.first)
       end
@@ -129,6 +131,97 @@ module OmniAuth
         temp_domain = URI("https://#{uri}") unless temp_domain.scheme
         "#{temp_domain}/"
       end
+
+      def verify_claims(id_token, authorize_params)
+        leeway = authorize_params[:leeway] || 60
+        max_age = authorize_params[:max_age]
+        nonce = authorize_params[:nonce]
+
+        verify_iss(id_token)
+        verify_sub(id_token)
+        verify_aud(id_token)
+        verify_expiration(id_token, leeway)
+        verify_iat(id_token)
+        verify_nonce(id_token, nonce)
+        verify_azp(id_token)
+        verify_auth_time(id_token, leeway, max_age)
+      end
+
+      def verify_iss(id_token)
+        issuer = id_token['iss']
+        if !issuer
+          raise OmniAuth::Auth0::TokenValidationError.new("Issuer (iss) claim must be a string present in the ID token")
+        elsif @issuer != issuer
+          raise OmniAuth::Auth0::TokenValidationError.new("Issuer (iss) claim mismatch in the ID token, expected (#{@issuer}), found (#{id_token['iss']})")
+        end
+      end
+
+      def verify_sub(id_token)
+        subject = id_token['sub']
+        if !subject || !subject.is_a?(String) || subject.empty?
+          raise OmniAuth::Auth0::TokenValidationError.new('Subject (sub) claim must be a string present in the ID token')
+        end
+      end
+
+      def verify_aud(id_token)
+        audience = id_token['aud']
+        if !audience || !(audience.is_a?(String) || audience.is_a?(Array))
+          raise OmniAuth::Auth0::TokenValidationError.new("Audience (aud) claim must be a string or array of strings present in the ID token")
+        elsif audience.is_a?(Array) && !audience.include?(@client_id)
+          raise OmniAuth::Auth0::TokenValidationError.new("Audience (aud) claim mismatch in the ID token; expected #{@client_id} but was not one of #{audience.join(', ')}")
+        elsif audience.is_a?(String) && audience != @client_id
+          raise OmniAuth::Auth0::TokenValidationError.new("Audience (aud) claim mismatch in the ID token; expected #{@client_id} but found #{audience}")
+        end
+      end
+
+      def verify_expiration(id_token, leeway)
+        expiration = id_token['exp']
+        if !expiration || !expiration.is_a?(Integer)
+          raise OmniAuth::Auth0::TokenValidationError.new("Expiration time (exp) claim must be a number present in the ID token")
+        elsif expiration <= Time.now.to_i - leeway
+          raise OmniAuth::Auth0::TokenValidationError.new("Expiration time (exp) claim error in the ID token; current time (#{Time.now}) is after expiration time (#{Time.at(expiration + leeway)})")
+        end
+      end
+
+      def verify_iat(id_token)
+        if !id_token['iat']
+          raise OmniAuth::Auth0::TokenValidationError.new("Issued At (iat) claim must be a number present in the ID token")
+        end
+      end
+
+      def verify_nonce(id_token, nonce)
+        if nonce
+          received_nonce = id_token['nonce']
+          if !received_nonce
+            raise OmniAuth::Auth0::TokenValidationError.new("Nonce (nonce) claim must be a string present in the ID token")
+          elsif nonce != received_nonce
+            raise OmniAuth::Auth0::TokenValidationError.new("Nonce (nonce) claim value mismatch in the ID token; expected (#{nonce}), found (#{received_nonce})")
+          end
+        end
+      end
+
+      def verify_azp(id_token)
+        audience = id_token['aud']
+        if audience.is_a?(Array) && audience.length > 1
+          azp = id_token['azp']
+          if !azp || !azp.is_a?(String)
+            raise OmniAuth::Auth0::TokenValidationError.new("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values")
+          elsif azp != @client_id
+            raise OmniAuth::Auth0::TokenValidationError.new("Authorized Party (azp) claim mismatch in the ID token; expected (#{@client_id}), found (#{azp})")
+          end
+        end
+      end
+
+      def verify_auth_time(id_token, leeway, max_age)
+        if max_age
+          auth_time = id_token['auth_time']
+          if !auth_time || !auth_time.is_a?(Integer)
+            raise OmniAuth::Auth0::TokenValidationError.new("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified")
+          elsif Time.now.to_i >  auth_time + max_age + leeway;
+            raise OmniAuth::Auth0::TokenValidationError.new("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (#{Time.now}) is after last auth time (#{Time.at(auth_time + max_age + leeway)})")
+          end
+        end
+      end
     end
   end
 end

data/lib/omniauth/strategies/auth0.rb

@@ -2,6 +2,7 @@
 
 require 'base64'
 require 'uri'
+require 'securerandom'
 require 'omniauth-oauth2'
 require 'omniauth/auth0/jwt_validator'
 require 'omniauth/auth0/telemetry'
@@ -48,10 +49,16 @@ module OmniAuth
           )
         end
 
-        # Make sure the ID token can be verified and decoded.
-        auth0_jwt = OmniAuth::Auth0::JWTValidator.new(options)
-        jwt_decoded = auth0_jwt.decode(credentials['id_token'])
-        fail!(:invalid_id_token) unless jwt_decoded.length
+        # Retrieve and remove authorization params from the session
+        session_authorize_params = session['authorize_params'] || {}
+        session.delete('authorize_params')
+
+        auth_scope = session_authorize_params[:scope]
+        if auth_scope.respond_to?(:include?) && auth_scope.include?('openid')
+          # Make sure the ID token can be verified and decoded.
+          auth0_jwt = OmniAuth::Auth0::JWTValidator.new(options)
+          auth0_jwt.verify(credentials['id_token'], session_authorize_params)
+        end
 
         credentials
       end
@@ -78,8 +85,18 @@ module OmniAuth
       def authorize_params
         params = super
         parsed_query = Rack::Utils.parse_query(request.query_string)
-        params['connection'] = parsed_query['connection']
-        params['prompt'] = parsed_query['prompt']
+        %w[connection prompt].each do |key|
+          params[key] = parsed_query[key] if parsed_query.key?(key)
+        end
+
+        # Generate nonce
+        params[:nonce] = SecureRandom.hex
+        # Generate leeway if none exists
+        params[:leeway] = 60 unless params[:leeway]
+        
+        # Store authorize params in the session for token verification
+        session['authorize_params'] = params
+
         params
       end
 
@@ -105,6 +122,12 @@ module OmniAuth
         end
       end
 
+      def callback_phase
+        super
+      rescue OmniAuth::Auth0::TokenValidationError => e
+        fail!(:token_validation_error, e)
+      end
+
       private
 
       # Parse the raw user info.

data/spec/omniauth/auth0/jwt_validator_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 require 'json'
 require 'jwt'
+require 'omniauth/auth0/errors'
 
 describe OmniAuth::Auth0::JWTValidator do
   #
@@ -147,7 +148,7 @@ describe OmniAuth::Auth0::JWTValidator do
     end
   end
 
-  describe 'JWT verifier decode' do
+  describe 'JWT verifier verify' do
     let(:jwt_validator) do
       make_jwt_validator
     end
@@ -157,91 +158,259 @@ describe OmniAuth::Auth0::JWTValidator do
       stub_dummy_jwks
     end
 
-    it 'should fail with passed expiration' do
+    it 'should fail with missing issuer' do
+      expect do
+        jwt_validator.verify(make_hs256_token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Issuer (iss) claim must be a string present in the ID token"
+      }))
+    end
+
+    it 'should fail with invalid issuer' do
+      payload = {
+        iss: 'https://auth0.com/'
+      }
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Issuer (iss) claim mismatch in the ID token, expected (https://samples.auth0.com/), found (https://auth0.com/)"
+      }))
+    end
+
+    it 'should fail when subject is missing' do
       payload = {
+        iss: "https://#{domain}/",
+        sub: ''
+      }
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Subject (sub) claim must be a string present in the ID token"
+      }))
+    end
+
+    it 'should fail with missing audience' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub'
+      }
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Audience (aud) claim must be a string or array of strings present in the ID token"
+      }))
+    end
+
+    it 'should fail with invalid audience' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: 'Auth0'
+      }
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Audience (aud) claim mismatch in the ID token; expected #{client_id} but found Auth0"
+      }))
+    end
+
+    it 'should fail when missing expiration' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Expiration time (exp) claim must be a number present in the ID token"
+      }))
+    end
+
+    it 'should fail when past expiration' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
         exp: past_timecode
       }
+
       token = make_hs256_token(payload)
       expect do
-        jwt_validator.decode(token)
-      end.to raise_error(JWT::ExpiredSignature)
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Expiration time (exp) claim error in the ID token; current time (#{Time.now}) is after expiration time (#{Time.at(past_timecode + 60)})"
+      }))
     end
 
-    it 'should fail with missing issuer' do
+    it 'should fail when missing iat' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode
+      }
+
+      token = make_hs256_token(payload)
       expect do
-        jwt_validator.decode(make_hs256_token)
-      end.to raise_error(JWT::InvalidIssuerError)
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Issued At (iat) claim must be a number present in the ID token"
+      }))
     end
 
-    it 'should fail with invalid issuer' do
+    it 'should fail when authorize params has nonce but nonce is missing in the token' do
       payload = {
-        iss: 'https://auth0.com/'
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode
       }
+
       token = make_hs256_token(payload)
       expect do
-        jwt_validator.decode(token)
-      end.to raise_error(JWT::InvalidIssuerError)
+        jwt_validator.verify(token, { nonce: 'noncey' })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Nonce (nonce) claim must be a string present in the ID token"
+      }))
     end
 
-    it 'should fail with a future not before' do
+    it 'should fail when authorize params has nonce but token nonce does not match' do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode,
+        nonce: 'mismatch'
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token, { nonce: 'noncey' })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Nonce (nonce) claim value mismatch in the ID token; expected (noncey), found (mismatch)"
+      }))
+    end
+    
+    it 'should fail when “aud” is an array of strings and azp claim is not present' do
+      aud = [
+        client_id,
+        "https://#{domain}/userinfo"
+      ]
       payload = {
-        nbf: future_timecode,
-        iss: "https://#{domain}/"
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: aud,
+        exp: future_timecode,
+        iat: past_timecode
       }
+
       token = make_hs256_token(payload)
       expect do
-        jwt_validator.decode(token)
-      end.to raise_error(JWT::ImmatureSignature)
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values"
+      }))
     end
 
-    it 'should fail with missing audience' do
+    it 'should fail when "azp" claim doesnt match the expected aud' do
+      aud = [
+        client_id,
+        "https://#{domain}/userinfo"
+      ]
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: aud,
+        exp: future_timecode,
+        iat: past_timecode,
+        azp: 'not_expected'
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token)
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Authorized Party (azp) claim mismatch in the ID token; expected (#{client_id}), found (not_expected)"
+      }))
+    end
+
+    it 'should fail when “max_age” sent on the authentication request and this claim is not present' do
       payload = {
-        iss: "https://#{domain}/"
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode
       }
+
       token = make_hs256_token(payload)
       expect do
-        jwt_validator.decode(token)
-      end.to raise_error(JWT::InvalidAudError)
+        jwt_validator.verify(token, { max_age: 60 })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified"
+      }))
     end
 
-    it 'should fail with invalid audience' do
+    it 'should fail when “max_age” sent on the authentication request and this claim added the “max_age” value doesn’t represent a date in the future' do
       payload = {
         iss: "https://#{domain}/",
-        aud: 'Auth0'
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode,
+        auth_time: past_timecode
       }
+
       token = make_hs256_token(payload)
       expect do
-        jwt_validator.decode(token)
-      end.to raise_error(JWT::InvalidAudError)
+        jwt_validator.verify(token, { max_age: 60 })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (#{Time.now}) is after last auth time (#{Time.at(past_timecode + 60 + 60)})"
+      }))
     end
 
-    it 'should decode a valid HS256 token with multiple audiences' do
+    it 'should verify a valid HS256 token with multiple audiences' do
+      audience = [
+        client_id,
+        "https://#{domain}/userinfo"
+      ]
       payload = {
         iss: "https://#{domain}/",
-        aud: [
-          client_id,
-          "https://#{domain}/userinfo"
-        ]
+        sub: 'sub',
+        aud: audience,
+        exp: future_timecode,
+        iat: past_timecode,
+        azp: client_id
       }
       token = make_hs256_token(payload)
-      expect(jwt_validator.decode(token).length).to eq(2)
+      id_token = jwt_validator.verify(token)
+      expect(id_token['aud']).to eq(audience)
     end
 
-    it 'should decode a standard HS256 token' do
+    it 'should verify a standard HS256 token' do
       sub = 'abc123'
       payload = {
+        iss: "https://#{domain}/",
         sub: sub,
+        aud: client_id,
         exp: future_timecode,
-        iss: "https://#{domain}/",
-        iat: past_timecode,
-        aud: client_id
+        iat: past_timecode
       }
       token = make_hs256_token(payload)
-      decoded_token = jwt_validator.decode(token)
-      expect(decoded_token.first['sub']).to eq(sub)
+      verified_token = jwt_validator.verify(token)
+      expect(verified_token['sub']).to eq(sub)
     end
 
-    it 'should decode a standard RS256 token' do
+    it 'should verify a standard RS256 token' do
       domain = 'example.org'
       sub = 'abc123'
       payload = {
@@ -253,8 +422,8 @@ describe OmniAuth::Auth0::JWTValidator do
         kid: jwks_kid
       }
       token = make_rs256_token(payload)
-      decoded_token = make_jwt_validator(opt_domain: domain).decode(token)
-      expect(decoded_token.first['sub']).to eq(sub)
+      verified_token = make_jwt_validator(opt_domain: domain).verify(token)
+      expect(verified_token['sub']).to eq(sub)
     end
   end
 

data/spec/omniauth/strategies/auth0_spec.rb

@@ -82,6 +82,8 @@ describe OmniAuth::Strategies::Auth0 do
       expect(redirect_url).to have_query('client_id')
       expect(redirect_url).to have_query('redirect_uri')
       expect(redirect_url).not_to have_query('auth0Client')
+      expect(redirect_url).not_to have_query('connection')
+      expect(redirect_url).not_to have_query('prompt')
     end
 
     it 'redirects to hosted login page' do
@@ -95,6 +97,21 @@ describe OmniAuth::Strategies::Auth0 do
       expect(redirect_url).to have_query('redirect_uri')
       expect(redirect_url).to have_query('connection', 'abcd')
       expect(redirect_url).not_to have_query('auth0Client')
+      expect(redirect_url).not_to have_query('prompt')
+    end
+
+    it 'redirects to hosted login page with prompt=login' do
+      get 'auth/auth0?prompt=login'
+      expect(last_response.status).to eq(302)
+      redirect_url = last_response.headers['Location']
+      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+      expect(redirect_url).to have_query('response_type', 'code')
+      expect(redirect_url).to have_query('state')
+      expect(redirect_url).to have_query('client_id')
+      expect(redirect_url).to have_query('redirect_uri')
+      expect(redirect_url).to have_query('prompt', 'login')
+      expect(redirect_url).not_to have_query('auth0Client')
+      expect(redirect_url).not_to have_query('connection')
     end
 
     describe 'callback' do
@@ -300,7 +317,7 @@ RSpec::Matchers.define :have_query do |key, value|
     uri = redirect_uri(actual)
     query = query(uri)
     if value.nil?
-      query[key].length == 1
+      query.key?(key)
     else
       query[key] == [value]
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-auth0
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Auth0
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-18 00:00:00.000000000 Z
+date: 2020-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -52,11 +52,14 @@ extra_rdoc_files: []
 files:
 - ".circleci/config.yml"
 - ".gemrelease"
+- ".github/CODEOWNERS"
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
+- ".github/stale.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
+- ".snyk"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
@@ -71,6 +74,7 @@ files:
 - examples/sinatra/config.ru
 - lib/omniauth-auth0.rb
 - lib/omniauth-auth0/version.rb
+- lib/omniauth/auth0/errors.rb
 - lib/omniauth/auth0/jwt_validator.rb
 - lib/omniauth/auth0/telemetry.rb
 - lib/omniauth/strategies/auth0.rb
@@ -99,7 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: OmniAuth OAuth2 strategy for the Auth0 platform.