omniauth-auth0 2.2.0 → 2.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 463fae0687e0473a0918c9c2086f3b47a60ae1448fffa3b1157ec933784c1a1c
-  data.tar.gz: d872be3b458dadf3752d58192059d6d350a90f7047de1e84b98137417880204d
+  metadata.gz: 6ad5a6389a6ed38fa4e1f63003ffac76c0450bfe06e21bda0fbd0d8c3044b1dc
+  data.tar.gz: 9c1638cc2f0681e8a258baeb4565a7bb9d3caef845f09b913374b258e51047dc
 SHA512:
-  metadata.gz: 13efc37572c71bdd5184dd9888e48f2479e5e5d52c16f454c01c88834fc2f5dffa3488b13b8b0dc9bbe423d9aa750038c12693f85e83f3375482af8857788585
-  data.tar.gz: 2240535e4f749e7ba47f587ca56ae9e1d5ee596e54391a969a5f282b852ab8f3a2970c99514014fada2d5a00b259144849e6e2db1ae559a8ab584753e4e7bce9
+  metadata.gz: 9008eb1eed6d50dd7f23943e5d1b8a5a2dc2364b2a249181cfd1a8768e347fb7b3611a4d4155fdbd58ee8938d4b0c4674f25ef665ffab5947632d83a88aa0a5f
+  data.tar.gz: 28523e968e72a6dd552fdf9615866ec46fc355e77cfd393005328be6033a875340e3badd6da8836f483a9bdee2cd371b061df5412f3caeb2c88ba1a619e1da67

data/.circleci/config.yml

@@ -2,7 +2,7 @@ version: 2.1
 jobs:
   run-tests:
     docker:
-      - image: circleci/ruby:2.4.6-jessie
+      - image: circleci/ruby:2.5.7-buster
     steps:
       - checkout
       - restore_cache:
@@ -10,40 +10,13 @@ jobs:
             - gems-v2-{{ checksum "Gemfile.lock" }}
             - gems-v2-
       - run: bundle check || bundle install
-      - persist_to_workspace:
-          root: .
-          paths:
-            - Gemfile
-            - Gemfile.lock
       - save_cache:
           key: gems-v2--{{ checksum "Gemfile.lock" }}
           paths:
             - vendor/bundle
       - run: bundle exec rake spec
-  snyk:
-    docker:
-      - image: snyk/snyk-cli:rubygems
-    steps:
-      - attach_workspace:
-          at: .
-      - run: snyk test
-      - run:
-          command: |
-            if [[ "${CIRCLE_BRANCH}" == "master" ]]
-            then
-            snyk monitor --org=auth0-sdks
-            fi
-          when: always
 
 workflows:
   tests:
     jobs:
       - run-tests
-  snyk:
-    jobs:
-      - run-tests
-      - snyk:
-          # Must define SNYK_TOKEN env
-          context: snyk-env 
-          requires: 
-            - run-tests

data/.github/CODEOWNERS

@@ -0,0 +1 @@
+*	@auth0/dx-sdks-approver

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -29,4 +29,4 @@ Please describe how this can be tested by reviewers. Be specific about anything
 * [ ] I have read the [Auth0 contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
 * [ ] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
 * [ ] All existing and new tests complete without errors
-* [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](CONTRIBUTING.md) have been run/followed
+* [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](https://github.com/auth0/omniauth-auth0/blob/master/CONTRIBUTING.md) have been run/followed

data/.github/stale.yml

@@ -0,0 +1,20 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 90
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+daysUntilClose: 7
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels: []
+
+# Set to true to ignore issues with an assignee (defaults to false)
+exemptAssignees: true
+
+# Label to use when marking as stale
+staleLabel: closed:stale
+
+# Comment to post when marking as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

data/.snyk

@@ -0,0 +1,9 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.13.5
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-RUBY-OMNIAUTH-174820:
+    - '*':
+        reason: Not affected.
+        expires: 2020-01-01T00:00:00.000Z
+patch: {}

data/CHANGELOG.md

@@ -1,5 +1,48 @@
 # Change Log
 
+## [v2.4.2](https://github.com/auth0/omniauth-auth0/tree/v2.4.2) (2021-01-19)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.1...v2.4.2)
+
+**Fixed**
+- Lock Omniauth to 1.9 in gemspec
+
+## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1)
+
+**Fixed**
+- Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
+
+
+## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0)
+
+**Security**
+- Bump rack from 2.2.2 to 2.2.3 [\#107](https://github.com/auth0/omniauth-auth0/pull/107) ([dependabot](https://github.com/dependabot))
+- Update dependencies [\#100](https://github.com/auth0/omniauth-auth0/pull/100) ([Albalmaceda](https://github.com/Albalmaceda))
+
+**Added**
+- Add support for screen_hint=signup param [\#103](https://github.com/auth0/omniauth-auth0/pull/103) ([bbean86](https://github.com/bbean86))
+- Add support for `connection_scope` in params [\#99](https://github.com/auth0/omniauth-auth0/pull/99) ([felixclack](https://github.com/felixclack))
+
+
+## [v2.3.1](https://github.com/auth0/omniauth-auth0/tree/v2.3.1) (2020-03-27)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.3.1)
+
+**Fixed bugs:**
+
+- Fixes dependency issue [\#97](https://github.com/auth0/omniauth-auth0/pull/97) ([davidpatrick](https://github.com/davidpatrick))
+- Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" [\#96](https://github.com/auth0/omniauth-auth0/pull/96) ([stefanwork](https://github.com/stefanwork))
+
+## [v2.3.0](https://github.com/auth0/omniauth-auth0/tree/v2.3.0) (2020-03-06)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.2.0...v2.3.0)
+
+**Added**
+- Improved OIDC Compliance [\#92](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick))
+
 ## [v2.2.0](https://github.com/auth0/omniauth-auth0/tree/v2.2.0) (2018-04-18)
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.1.0...v2.2.0)
 

data/Gemfile.lock

@@ -1,33 +1,35 @@
 PATH
   remote: .
   specs:
-    omniauth-auth0 (2.2.0)
+    omniauth-auth0 (2.4.2)
+      omniauth (~> 1.9)
       omniauth-oauth2 (~> 1.5)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
-    ast (2.4.0)
-    codecov (0.1.14)
-      json
-      simplecov
-      url
-    coderay (1.1.2)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    ast (2.4.1)
+    codecov (0.3.0)
+      simplecov (>= 0.15, < 0.22)
+    coderay (1.1.3)
+    crack (0.4.5)
+      rexml
     daemons (1.3.1)
-    diff-lcs (1.3)
-    docile (1.3.1)
-    dotenv (2.7.2)
+    diff-lcs (1.4.4)
+    docile (1.3.5)
+    dotenv (2.7.6)
     eventmachine (1.2.7)
-    faraday (0.15.4)
+    faraday (1.3.0)
+      faraday-net_http (~> 1.0)
       multipart-post (>= 1.2, < 3)
-    ffi (1.10.0)
+      ruby2_keywords
+    faraday-net_http (1.0.1)
+    ffi (1.14.2)
     formatador (0.2.5)
-    gem-release (2.0.1)
-    guard (2.15.0)
+    gem-release (2.2.0)
+    guard (2.16.2)
       formatador (>= 0.2.4)
       listen (>= 2.7, < 4.0)
       lumberjack (>= 1.0.12, < 2.0)
@@ -41,104 +43,107 @@ GEM
       guard (~> 2.1)
       guard-compat (~> 1.1)
       rspec (>= 2.99.0, < 4.0)
-    hashdiff (0.3.8)
-    hashie (3.6.0)
-    jaro_winkler (1.5.2)
-    json (2.2.0)
-    jwt (2.1.0)
+    hashdiff (1.0.1)
+    hashie (4.1.0)
+    jwt (2.2.2)
     listen (3.1.5)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
       ruby_dep (~> 1.2)
-    lumberjack (1.0.13)
-    method_source (0.9.2)
-    multi_json (1.13.1)
+    lumberjack (1.2.8)
+    method_source (1.0.0)
+    multi_json (1.15.0)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    mustermann (1.0.3)
+    multipart-post (2.1.1)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
     nenv (0.3.0)
-    notiffany (0.1.1)
+    notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
-    oauth2 (1.4.1)
-      faraday (>= 0.8, < 0.16.0)
+    oauth2 (1.4.4)
+      faraday (>= 0.8, < 2.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.0)
-      hashie (>= 3.4.6, < 3.7.0)
+    omniauth (1.9.1)
+      hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
-    parallel (1.17.0)
-    parser (2.6.2.1)
-      ast (~> 2.4.0)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    psych (3.1.0)
-    public_suffix (3.0.3)
-    rack (2.0.7)
-    rack-protection (2.0.5)
+    omniauth-oauth2 (1.7.1)
+      oauth2 (~> 1.4)
+      omniauth (>= 1.9, < 3)
+    parallel (1.20.1)
+    parser (3.0.0.0)
+      ast (~> 2.4.1)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    public_suffix (4.0.6)
+    rack (2.2.3)
+    rack-protection (2.1.0)
       rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rainbow (3.0.0)
-    rake (12.3.2)
-    rb-fsevent (0.10.3)
-    rb-inotify (0.10.0)
+    rake (13.0.3)
+    rb-fsevent (0.10.4)
+    rb-inotify (0.10.1)
       ffi (~> 1.0)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    regexp_parser (2.0.3)
+    rexml (3.2.4)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
-    rubocop (0.67.2)
-      jaro_winkler (~> 1.5.1)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.1)
+    rubocop (1.8.1)
       parallel (~> 1.10)
-      parser (>= 2.5, != 2.5.1.1)
-      psych (>= 3.1.0)
+      parser (>= 3.0.0.0)
       rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml
+      rubocop-ast (>= 1.2.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.6)
-    ruby-progressbar (1.10.0)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.4.0)
+      parser (>= 2.7.1.5)
+    ruby-progressbar (1.11.0)
+    ruby2_keywords (0.0.4)
     ruby_dep (1.5.0)
-    safe_yaml (1.0.5)
     shellany (0.0.1)
     shotgun (0.9.2)
       rack (>= 1.0)
-    simplecov (0.16.1)
+    simplecov (0.21.2)
       docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
-    sinatra (2.0.5)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.2)
+    sinatra (2.1.0)
       mustermann (~> 1.0)
-      rack (~> 2.0)
-      rack-protection (= 2.0.5)
+      rack (~> 2.2)
+      rack-protection (= 2.1.0)
       tilt (~> 2.0)
-    thin (1.7.2)
+    thin (1.8.0)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (0.20.3)
-    tilt (2.0.9)
-    unicode-display_width (1.5.0)
-    url (0.3.2)
-    webmock (3.5.1)
+    thor (1.0.1)
+    tilt (2.0.10)
+    unicode-display_width (2.0.0)
+    webmock (3.11.1)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
-      hashdiff
+      hashdiff (>= 0.4.0, < 2.0.0)
 
 PLATFORMS
   ruby

data/README.md

@@ -1,11 +1,14 @@
 # OmniAuth Auth0
 
-An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy. 
+An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
+
+> :warning:  **Important security note:** This solution uses a 3rd party library with an unresolved [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284). Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution.
 
 [![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0)
 [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
 [![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0)
 [![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/omniauth-auth0/blob/master/LICENSE)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_shield)
 
 ## Table of Contents
 
@@ -31,13 +34,19 @@ Add the following line to your `Gemfile`:
 gem 'omniauth-auth0'
 ```
 
+If you're using this strategy with Rails, also add the following for CSRF protection:
+
+```ruby
+gem 'omniauth-rails_csrf_protection'
+```
+
 Then install:
 
 ```bash
 $ bundle install
 ```
 
-See our [contributing guide](CONTRIBUTING.md) for information on local installation for development. 
+See our [contributing guide](CONTRIBUTING.md) for information on local installation for development.
 
 ## Getting Started
 
@@ -55,7 +64,7 @@ All of these tasks and more are covered in our [Ruby on Rails Quickstart](https:
 To send additional parameters during login, you can specify them when you register the provider:
 
 ```ruby
-provider 
+provider
   :auth0,
   ENV['AUTH0_CLIENT_ID'],
   ENV['AUTH0_CLIENT_SECRET'],
@@ -63,19 +72,13 @@ provider
   {
     authorize_params: {
       scope: 'openid read:users write:order',
-      audience: 'https://mydomain/api'
+      audience: 'https://mydomain/api',
+      max_age: 3600 # time in seconds authentication is valid
     }
   }
 ```
 
-... which will tell the strategy to send those parameters on every Auth request.
-
-Or you can do it for a specific authentication request by adding them to the query parameters of the redirect URL. Allowed parameters are `connection` and `prompt`:
-
-```ruby
-redirect_to '/auth/auth0?connection=google-oauth2'
-redirect_to '/auth/auth0?prompt=none'
-```
+... which will tell the strategy to send those parameters on every authentication request.
 
 ### Authentication hash
 
@@ -119,6 +122,17 @@ The Auth0 strategy will provide the standard OmniAuth hash attributes:
 }
 ```
 
+### Query Parameter Options
+
+In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this:
+
+- `connection`
+- `connection_scope`
+- `prompt`
+- `screen_hint` (only relevant to New Universal Login Experience)
+
+Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
+
 ## Contribution
 
 We appreciate feedback and contribution to this repo! Before you get started, please see the following:
@@ -129,10 +143,9 @@ We appreciate feedback and contribution to this repo! Before you get started, pl
 
 ## Support + Feedback
 
-
 - Use [Community](https://community.auth0.com/) for usage, questions, specific cases.
 - Use [Issues](https://github.com/auth0/omniauth-auth0/issues) here for code-level support and bug reports.
-- Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues. 
+- Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues.
 
 ## Vulnerability Reporting
 
@@ -154,3 +167,6 @@ Auth0 helps you to easily:
 ## License
 
 The OmniAuth Auth0 strategy is licensed under MIT - [LICENSE](LICENSE)
+
+
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_large)