omniauth-auth0 2.3.0 → 2.5.0
- checksums.yaml +4 -4
- data/.circleci/config.yml +27 -11
- data/.github/CODEOWNERS +1 -1
- data/.github/ISSUE_TEMPLATE/config.yml +8 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +39 -0
- data/.github/ISSUE_TEMPLATE/report_a_bug.md +55 -0
- data/.github/PULL_REQUEST_TEMPLATE.md +1 -1
- data/.gitignore +2 -0
- data/CHANGELOG.md +53 -2
- data/Gemfile +1 -1
- data/README.md +21 -5
- data/lib/omniauth-auth0/version.rb +1 -1
- data/lib/omniauth/auth0/jwt_validator.rb +51 -13
- data/lib/omniauth/strategies/auth0.rb +19 -8
- data/omniauth-auth0.gemspec +2 -3
- data/spec/omniauth/auth0/jwt_validator_spec.rb +226 -34
- data/spec/omniauth/strategies/auth0_spec.rb +49 -17
- metadata +27 -12
- data/.github/ISSUE_TEMPLATE.md +0 -39
- data/Gemfile.lock +0 -168
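--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 530b0c2ecfb26938944778585c034f1281b46f0c7e920f40b9d58c72fb892c52
+data.tar.gz: 0ca3365ce632a95272eabb1b1db1ed7fcc6faacdbdc1acaa3fa9889329886cef
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f1ad9ad998942bd4b081c8873352bf54d0bc5900203baee151535324533b28954e7ab3e990ada83436189bd22a17b24d3a31d7552d45570fe356d00bfbb85fd6
+data.tar.gz: 60954e800d0a30ea948590cb89b90038185dfa7466bf301ef4e7b782a3b327265921cccf6ddbd4275789046a12c0e4d0956ce4a73ab35d1ea20e633432430e45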
data/.circleci/config.yml
CHANGED
@@ -1,23 +1,38 @@
|
|
1
1
|
version: 2.1
|
2
|
+
matrix_rubyversions: &matrix_rubyversions
|
3
|
+
matrix:
|
4
|
+
parameters:
|
5
|
+
rubyversion: ["2.5", "2.6", "2.7", "3.0"]
|
6
|
+
# Default version of ruby to use for lint and publishing
|
7
|
+
default_rubyversion: &default_rubyversion "2.7"
|
8
|
+
|
9
|
+
executors:
|
10
|
+
ruby:
|
11
|
+
parameters:
|
12
|
+
rubyversion:
|
13
|
+
type: string
|
14
|
+
default: *default_rubyversion
|
15
|
+
docker:
|
16
|
+
- image: circleci/ruby:<< parameters.rubyversion >>
|
17
|
+
|
2
18
|
jobs:
|
3
19
|
run-tests:
|
4
|
-
|
5
|
-
|
20
|
+
parameters:
|
21
|
+
rubyversion:
|
22
|
+
type: string
|
23
|
+
default: *default_rubyversion
|
24
|
+
executor:
|
25
|
+
name: ruby
|
26
|
+
rubyversion: "<< parameters.rubyversion >>"
|
6
27
|
steps:
|
7
28
|
- checkout
|
8
29
|
- restore_cache:
|
9
30
|
keys:
|
10
|
-
- gems-v2-{{ checksum "Gemfile
|
31
|
+
- gems-v2-{{ checksum "Gemfile" }}
|
11
32
|
- gems-v2-
|
12
33
|
- run: bundle check || bundle install
|
13
|
-
- persist_to_workspace:
|
14
|
-
root: .
|
15
|
-
paths:
|
16
|
-
- Gemfile
|
17
|
-
- Gemfile.lock
|
18
|
-
- .snyk
|
19
34
|
- save_cache:
|
20
|
-
key: gems-v2--{{ checksum "Gemfile
|
35
|
+
key: gems-v2--{{ checksum "Gemfile" }}
|
21
36
|
paths:
|
22
37
|
- vendor/bundle
|
23
38
|
- run: bundle exec rake spec
|
@@ -25,4 +40,5 @@ jobs:
|
|
25
40
|
workflows:
|
26
41
|
tests:
|
27
42
|
jobs:
|
28
|
-
- run-tests
|
43
|
+
- run-tests:
|
44
|
+
<<: *matrix_rubyversions
|
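--- a/data/.github/CODEOWNERS
+++ b/data/.github/CODEOWNERS
@@ -1 +1 @@
-* @auth0/dx-sdks-
+* @auth0/dx-sdks-engineer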
@@ -0,0 +1,8 @@
|
|
1
|
+
blank_issues_enabled: false
|
2
|
+
contact_links:
|
3
|
+
- name: Auth0 Community
|
4
|
+
url: https://community.auth0.com/c/sdks/5
|
5
|
+
about: Discuss this SDK in the Auth0 Community forums
|
6
|
+
- name: Library Documentation
|
7
|
+
url: https://github.com/auth0/omniauth-auth0#documentation
|
8
|
+
about: Read the library docs on Auth0.com
|
@@ -0,0 +1,39 @@
|
|
1
|
+
---
|
2
|
+
name: Feature request
|
3
|
+
about: Suggest an idea or a feature for this project
|
4
|
+
title: ''
|
5
|
+
labels: feature request
|
6
|
+
assignees: ''
|
7
|
+
---
|
8
|
+
|
9
|
+
<!--
|
10
|
+
**Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
|
11
|
+
|
12
|
+
Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
|
13
|
+
|
14
|
+
By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
|
15
|
+
-->
|
16
|
+
|
17
|
+
### Describe the problem you'd like to have solved
|
18
|
+
|
19
|
+
<!--
|
20
|
+
> A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
|
21
|
+
-->
|
22
|
+
|
23
|
+
### Describe the ideal solution
|
24
|
+
|
25
|
+
<!--
|
26
|
+
> A clear and concise description of what you want to happen.
|
27
|
+
-->
|
28
|
+
|
29
|
+
## Alternatives and current work-arounds
|
30
|
+
|
31
|
+
<!--
|
32
|
+
> A clear and concise description of any alternatives you've considered or any work-arounds that are currently in place.
|
33
|
+
-->
|
34
|
+
|
35
|
+
### Additional information, if any
|
36
|
+
|
37
|
+
<!--
|
38
|
+
> Add any other context or screenshots about the feature request here.
|
39
|
+
-->
|
@@ -0,0 +1,55 @@
|
|
1
|
+
---
|
2
|
+
name: Report a bug
|
3
|
+
about: Have you found a bug or issue? Create a bug report for this SDK
|
4
|
+
title: ''
|
5
|
+
labels: bug report
|
6
|
+
assignees: ''
|
7
|
+
---
|
8
|
+
|
9
|
+
<!--
|
10
|
+
**Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
|
11
|
+
|
12
|
+
Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
|
13
|
+
|
14
|
+
By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
|
15
|
+
-->
|
16
|
+
|
17
|
+
### Describe the problem
|
18
|
+
|
19
|
+
<!--
|
20
|
+
> Provide a clear and concise description of the issue
|
21
|
+
-->
|
22
|
+
|
23
|
+
### What was the expected behavior?
|
24
|
+
|
25
|
+
<!--
|
26
|
+
> Tell us about the behavior you expected to see
|
27
|
+
-->
|
28
|
+
|
29
|
+
### Reproduction
|
30
|
+
<!--
|
31
|
+
> Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
|
32
|
+
> **Note**: If clear, reproducable steps or the smallest sample app demonstrating misbehavior cannot be provided, we may not be able to follow up on this bug report.
|
33
|
+
|
34
|
+
> Where possible, please include:
|
35
|
+
>
|
36
|
+
> - The smallest possible sample app that reproduces the undesirable behavior
|
37
|
+
> - Log files (redact/remove sensitive information)
|
38
|
+
> - Application settings (redact/remove sensitive information)
|
39
|
+
> - Screenshots
|
40
|
+
-->
|
41
|
+
|
42
|
+
- Step 1..
|
43
|
+
- Step 2..
|
44
|
+
- ...
|
45
|
+
|
46
|
+
### Environment
|
47
|
+
|
48
|
+
<!--
|
49
|
+
> Please provide the following:
|
50
|
+
-->
|
51
|
+
|
52
|
+
- **Version of this library used:**
|
53
|
+
- **Which framework are you using, if applicable:**
|
54
|
+
- **Other modules/plugins/libraries that might be involved:**
|
55
|
+
- **Any other relevant information you think would be useful:**
|
@@ -29,4 +29,4 @@ Please describe how this can be tested by reviewers. Be specific about anything
|
|
29
29
|
* [ ] I have read the [Auth0 contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
|
30
30
|
* [ ] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
|
31
31
|
* [ ] All existing and new tests complete without errors
|
32
|
-
* [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](CONTRIBUTING.md) have been run/followed
|
32
|
+
* [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](https://github.com/auth0/omniauth-auth0/blob/master/CONTRIBUTING.md) have been run/followed
|
data/.gitignore
CHANGED
data/CHANGELOG.md
CHANGED
@@ -1,10 +1,61 @@
|
|
1
1
|
# Change Log
|
2
2
|
|
3
|
+
## [v2.5.0](https://github.com/auth0/omniauth-auth0/tree/v2.5.0) (2021-01-21)
|
4
|
+
|
5
|
+
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.2...v2.5.0)
|
6
|
+
|
7
|
+
**Added**
|
8
|
+
- Parsing claims from the id_token [\#120](https://github.com/auth0/omniauth-auth0/pull/120) ([davidpatrick](https://github.com/davidpatrick))
|
9
|
+
|
10
|
+
**Changed**
|
11
|
+
- Setup build matrix in CI [\#116](https://github.com/auth0/omniauth-auth0/pull/116) ([dmathieu](https://github.com/dmathieu))
|
12
|
+
|
13
|
+
**Fixed**
|
14
|
+
- Fixes params passed to authorize [\#119](https://github.com/auth0/omniauth-auth0/pull/119) ([davidpatrick](https://github.com/davidpatrick))
|
15
|
+
|
16
|
+
|
17
|
+
## [v2.4.2](https://github.com/auth0/omniauth-auth0/tree/v2.4.2) (2021-01-19)
|
18
|
+
|
19
|
+
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.1...v2.4.2)
|
20
|
+
|
21
|
+
**Fixed**
|
22
|
+
- Lock Omniauth to 1.9 in gemspec
|
23
|
+
|
24
|
+
## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08)
|
25
|
+
|
26
|
+
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1)
|
27
|
+
|
28
|
+
**Fixed**
|
29
|
+
- Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
|
30
|
+
|
31
|
+
|
32
|
+
## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22)
|
33
|
+
|
34
|
+
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0)
|
35
|
+
|
36
|
+
**Security**
|
37
|
+
- Bump rack from 2.2.2 to 2.2.3 [\#107](https://github.com/auth0/omniauth-auth0/pull/107) ([dependabot](https://github.com/dependabot))
|
38
|
+
- Update dependencies [\#100](https://github.com/auth0/omniauth-auth0/pull/100) ([Albalmaceda](https://github.com/Albalmaceda))
|
39
|
+
|
40
|
+
**Added**
|
41
|
+
- Add support for screen_hint=signup param [\#103](https://github.com/auth0/omniauth-auth0/pull/103) ([bbean86](https://github.com/bbean86))
|
42
|
+
- Add support for `connection_scope` in params [\#99](https://github.com/auth0/omniauth-auth0/pull/99) ([felixclack](https://github.com/felixclack))
|
43
|
+
|
44
|
+
|
45
|
+
## [v2.3.1](https://github.com/auth0/omniauth-auth0/tree/v2.3.1) (2020-03-27)
|
46
|
+
|
47
|
+
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.3.1)
|
48
|
+
|
49
|
+
**Fixed bugs:**
|
50
|
+
|
51
|
+
- Fixes dependency issue [\#97](https://github.com/auth0/omniauth-auth0/pull/97) ([davidpatrick](https://github.com/davidpatrick))
|
52
|
+
- Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" [\#96](https://github.com/auth0/omniauth-auth0/pull/96) ([stefanwork](https://github.com/stefanwork))
|
53
|
+
|
3
54
|
## [v2.3.0](https://github.com/auth0/omniauth-auth0/tree/v2.3.0) (2020-03-06)
|
4
|
-
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.
|
55
|
+
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.2.0...v2.3.0)
|
5
56
|
|
6
57
|
**Added**
|
7
|
-
- Improved OIDC Compliance [\#
|
58
|
+
- Improved OIDC Compliance [\#92](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick))
|
8
59
|
|
9
60
|
## [v2.2.0](https://github.com/auth0/omniauth-auth0/tree/v2.2.0) (2018-04-18)
|
10
61
|
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.1.0...v2.2.0)
|
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -1,13 +1,14 @@
|
|
1
1
|
# OmniAuth Auth0
|
2
2
|
|
3
|
-
An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
|
3
|
+
An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
|
4
4
|
|
5
|
-
**Important security note:**
|
5
|
+
> :warning: **Important security note:** This solution uses a 3rd party library with an unresolved [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284). Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution.
|
6
6
|
|
7
7
|
[![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0)
|
8
8
|
[![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
|
9
9
|
[![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0)
|
10
10
|
[![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/omniauth-auth0/blob/master/LICENSE)
|
11
|
+
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_shield)
|
11
12
|
|
12
13
|
## Table of Contents
|
13
14
|
|
@@ -24,6 +25,7 @@ An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating
|
|
24
25
|
|
25
26
|
- [Ruby on Rails Quickstart](https://auth0.com/docs/quickstart/webapp/rails)
|
26
27
|
- [Sample projects](https://github.com/auth0-samples/auth0-rubyonrails-sample)
|
28
|
+
- [API Reference](https://www.rubydoc.info/gems/omniauth-auth0)
|
27
29
|
|
28
30
|
## Installation
|
29
31
|
|
@@ -45,7 +47,7 @@ Then install:
|
|
45
47
|
$ bundle install
|
46
48
|
```
|
47
49
|
|
48
|
-
See our [contributing guide](CONTRIBUTING.md) for information on local installation for development.
|
50
|
+
See our [contributing guide](CONTRIBUTING.md) for information on local installation for development.
|
49
51
|
|
50
52
|
## Getting Started
|
51
53
|
|
@@ -63,7 +65,7 @@ All of these tasks and more are covered in our [Ruby on Rails Quickstart](https:
|
|
63
65
|
To send additional parameters during login, you can specify them when you register the provider:
|
64
66
|
|
65
67
|
```ruby
|
66
|
-
provider
|
68
|
+
provider
|
67
69
|
:auth0,
|
68
70
|
ENV['AUTH0_CLIENT_ID'],
|
69
71
|
ENV['AUTH0_CLIENT_SECRET'],
|
@@ -121,6 +123,17 @@ The Auth0 strategy will provide the standard OmniAuth hash attributes:
|
|
121
123
|
}
|
122
124
|
```
|
123
125
|
|
126
|
+
### Query Parameter Options
|
127
|
+
|
128
|
+
In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this:
|
129
|
+
|
130
|
+
- `connection`
|
131
|
+
- `connection_scope`
|
132
|
+
- `prompt`
|
133
|
+
- `screen_hint` (only relevant to New Universal Login Experience)
|
134
|
+
|
135
|
+
Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
|
136
|
+
|
124
137
|
## Contribution
|
125
138
|
|
126
139
|
We appreciate feedback and contribution to this repo! Before you get started, please see the following:
|
@@ -133,7 +146,7 @@ We appreciate feedback and contribution to this repo! Before you get started, pl
|
|
133
146
|
|
134
147
|
- Use [Community](https://community.auth0.com/) for usage, questions, specific cases.
|
135
148
|
- Use [Issues](https://github.com/auth0/omniauth-auth0/issues) here for code-level support and bug reports.
|
136
|
-
- Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues.
|
149
|
+
- Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues.
|
137
150
|
|
138
151
|
## Vulnerability Reporting
|
139
152
|
|
@@ -155,3 +168,6 @@ Auth0 helps you to easily:
|
|
155
168
|
## License
|
156
169
|
|
157
170
|
The OmniAuth Auth0 strategy is licensed under MIT - [LICENSE](LICENSE)
|
171
|
+
|
172
|
+
|
173
|
+
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_large)
|
@@ -2,6 +2,7 @@ require 'base64'
|
|
2
2
|
require 'uri'
|
3
3
|
require 'json'
|
4
4
|
require 'omniauth'
|
5
|
+
require 'omniauth/auth0/errors'
|
5
6
|
|
6
7
|
module OmniAuth
|
7
8
|
module Auth0
|
@@ -27,23 +28,34 @@ module OmniAuth
|
|
27
28
|
@client_secret = options.client_secret
|
28
29
|
end
|
29
30
|
|
31
|
+
# Verify a token's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
|
32
|
+
# Deprecated: Please use `decode` instead
|
33
|
+
# @return array - The token's key and signing algorithm
|
30
34
|
def verify_signature(jwt)
|
31
35
|
head = token_head(jwt)
|
36
|
+
key, alg = extract_key(head)
|
32
37
|
|
33
|
-
#
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
38
|
+
# Call decode to verify the signature
|
39
|
+
JWT.decode(jwt, key, true, decode_opts(alg))
|
40
|
+
return key, alg
|
41
|
+
end
|
42
|
+
|
43
|
+
# Decodes a JWT and verifies it's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
|
44
|
+
# @param jwt string - JWT to verify.
|
45
|
+
# @return hash - The decoded token, if there were no exceptions.
|
46
|
+
# @see https://github.com/jwt/ruby-jwt
|
47
|
+
def decode(jwt)
|
48
|
+
head = token_head(jwt)
|
49
|
+
key, alg = extract_key(head)
|
50
|
+
|
51
|
+
# Call decode to verify the signature
|
52
|
+
JWT.decode(jwt, key, true, decode_opts(alg))
|
41
53
|
end
|
42
54
|
|
43
55
|
# Verify a JWT.
|
44
56
|
# @param jwt string - JWT to verify.
|
45
57
|
# @param authorize_params hash - Authorization params to verify on the JWT
|
46
|
-
# @return hash - The verified token, if there were no exceptions.
|
58
|
+
# @return hash - The verified token payload, if there were no exceptions.
|
47
59
|
def verify(jwt, authorize_params = {})
|
48
60
|
if !jwt
|
49
61
|
raise OmniAuth::Auth0::TokenValidationError.new('ID token is required but missing')
|
@@ -54,8 +66,7 @@ module OmniAuth
|
|
54
66
|
raise OmniAuth::Auth0::TokenValidationError.new('ID token could not be decoded')
|
55
67
|
end
|
56
68
|
|
57
|
-
|
58
|
-
id_token, header = JWT.decode(jwt, key, false)
|
69
|
+
id_token, header = decode(jwt)
|
59
70
|
verify_claims(id_token, authorize_params)
|
60
71
|
|
61
72
|
return id_token
|
@@ -92,11 +103,37 @@ module OmniAuth
|
|
92
103
|
end
|
93
104
|
|
94
105
|
private
|
106
|
+
# Get the JWT decode options. We disable the claim checks since we perform our claim validation logic
|
107
|
+
# Docs: https://github.com/jwt/ruby-jwt
|
108
|
+
# @return hash
|
109
|
+
def decode_opts(alg)
|
110
|
+
{
|
111
|
+
algorithm: alg,
|
112
|
+
verify_expiration: false,
|
113
|
+
verify_iat: false,
|
114
|
+
verify_iss: false,
|
115
|
+
verify_aud: false,
|
116
|
+
verify_jti: false,
|
117
|
+
verify_subj: false,
|
118
|
+
verify_not_before: false
|
119
|
+
}
|
120
|
+
end
|
121
|
+
|
122
|
+
def extract_key(head)
|
123
|
+
if head[:alg] == 'RS256'
|
124
|
+
key, alg = [rs256_decode_key(head[:kid]), head[:alg]]
|
125
|
+
elsif head[:alg] == 'HS256'
|
126
|
+
key, alg = [@client_secret, head[:alg]]
|
127
|
+
else
|
128
|
+
raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
|
129
|
+
end
|
130
|
+
end
|
131
|
+
|
95
132
|
def rs256_decode_key(kid)
|
96
133
|
jwks_x5c = jwks_key(:x5c, kid)
|
97
134
|
|
98
135
|
if jwks_x5c.nil?
|
99
|
-
raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}'
|
136
|
+
raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}'")
|
100
137
|
end
|
101
138
|
|
102
139
|
jwks_public_cert(jwks_x5c.first)
|
@@ -129,7 +166,8 @@ module OmniAuth
|
|
129
166
|
def uri_string(uri)
|
130
167
|
temp_domain = URI(uri)
|
131
168
|
temp_domain = URI("https://#{uri}") unless temp_domain.scheme
|
132
|
-
|
169
|
+
temp_domain = temp_domain.to_s
|
170
|
+
temp_domain.end_with?('/') ? temp_domain : "#{temp_domain}/"
|
133
171
|
end
|
134
172
|
|
135
173
|
def verify_claims(id_token, authorize_params)
|
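Review bot: In extract_key (the `@@ -92,11 +103,37 @@` hunk) the HS256 branch hands `@client_secret` to JWT.decode as the HMAC key without checking that a secret was actually configured; if the strategy was set up without one (nil or an empty string), a token whose header names HS256 is verified against an absent key, and whether that is rejected then depends on the jwt gem's own key check rather than on this class. Rejecting it explicitly keeps the decision local: `raise OmniAuth::Auth0::TokenValidationError.new('HS256 tokens require a configured client secret') if @client_secret.nil? || @client_secret.empty?` as the first line of that branch. As a style point, the `key, alg = [...]` assignments in both branches create locals that are never read — the method returns the pair only because an assignment evaluates to its right-hand side — so `case head[:alg] when 'RS256' then [rs256_decode_key(head[:kid]), 'RS256'] when 'HS256' then [@client_secret, 'HS256'] else raise ... end` states the intent directly. Note also that decode_opts feeds the header-supplied `alg` back as `algorithm:`, so the gem's algorithm pin is satisfied by construction and the real allow-list is the RS256/HS256 branching here; a comment on decode_opts such as `# alg is safe to pass through only because extract_key has already restricted it to RS256/HS256 and chosen the matching key` would stop the next reader from taking the option for an independent defence.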