omniauth-auth0 2.3.0 → 2.5.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 07f73634dc123aa4d6912e4d17e7c461948cf6b1fa2086003600434bfd99dcf9
4
- data.tar.gz: 29e79d38181335c08618108b96e667d24c768185432e2d5e22312e716c333b48
3
+ metadata.gz: 530b0c2ecfb26938944778585c034f1281b46f0c7e920f40b9d58c72fb892c52
4
+ data.tar.gz: 0ca3365ce632a95272eabb1b1db1ed7fcc6faacdbdc1acaa3fa9889329886cef
5
5
  SHA512:
6
- metadata.gz: 0d1fa93a13a96f24a55ea4fa475561d7252cfd39a2975277ca93be8a91b07a58222dd16e522225f1e4bf0ff3ad5a7456bdac6e640e2e372f3a415ca6b4fafe7a
7
- data.tar.gz: 6528f8a41f91bffb7a8c6285882a0f9179c51a3bc133824f896cbae7d36f7deafa2d70bf6f7b20bdb684c66831d043f91c3c9f938cc21d603da4d7788a4cca1d
6
+ metadata.gz: f1ad9ad998942bd4b081c8873352bf54d0bc5900203baee151535324533b28954e7ab3e990ada83436189bd22a17b24d3a31d7552d45570fe356d00bfbb85fd6
7
+ data.tar.gz: 60954e800d0a30ea948590cb89b90038185dfa7466bf301ef4e7b782a3b327265921cccf6ddbd4275789046a12c0e4d0956ce4a73ab35d1ea20e633432430e45
@@ -1,23 +1,38 @@
1
1
  version: 2.1
2
+ matrix_rubyversions: &matrix_rubyversions
3
+ matrix:
4
+ parameters:
5
+ rubyversion: ["2.5", "2.6", "2.7", "3.0"]
6
+ # Default version of ruby to use for lint and publishing
7
+ default_rubyversion: &default_rubyversion "2.7"
8
+
9
+ executors:
10
+ ruby:
11
+ parameters:
12
+ rubyversion:
13
+ type: string
14
+ default: *default_rubyversion
15
+ docker:
16
+ - image: circleci/ruby:<< parameters.rubyversion >>
17
+
2
18
  jobs:
3
19
  run-tests:
4
- docker:
5
- - image: circleci/ruby:2.4.6-jessie
20
+ parameters:
21
+ rubyversion:
22
+ type: string
23
+ default: *default_rubyversion
24
+ executor:
25
+ name: ruby
26
+ rubyversion: "<< parameters.rubyversion >>"
6
27
  steps:
7
28
  - checkout
8
29
  - restore_cache:
9
30
  keys:
10
- - gems-v2-{{ checksum "Gemfile.lock" }}
31
+ - gems-v2-{{ checksum "Gemfile" }}
11
32
  - gems-v2-
12
33
  - run: bundle check || bundle install
13
- - persist_to_workspace:
14
- root: .
15
- paths:
16
- - Gemfile
17
- - Gemfile.lock
18
- - .snyk
19
34
  - save_cache:
20
- key: gems-v2--{{ checksum "Gemfile.lock" }}
35
+ key: gems-v2--{{ checksum "Gemfile" }}
21
36
  paths:
22
37
  - vendor/bundle
23
38
  - run: bundle exec rake spec
@@ -25,4 +40,5 @@ jobs:
25
40
  workflows:
26
41
  tests:
27
42
  jobs:
28
- - run-tests
43
+ - run-tests:
44
+ <<: *matrix_rubyversions
@@ -1 +1 @@
1
- * @auth0/dx-sdks-approver
1
+ * @auth0/dx-sdks-engineer
@@ -0,0 +1,8 @@
1
+ blank_issues_enabled: false
2
+ contact_links:
3
+ - name: Auth0 Community
4
+ url: https://community.auth0.com/c/sdks/5
5
+ about: Discuss this SDK in the Auth0 Community forums
6
+ - name: Library Documentation
7
+ url: https://github.com/auth0/omniauth-auth0#documentation
8
+ about: Read the library docs on Auth0.com
@@ -0,0 +1,39 @@
1
+ ---
2
+ name: Feature request
3
+ about: Suggest an idea or a feature for this project
4
+ title: ''
5
+ labels: feature request
6
+ assignees: ''
7
+ ---
8
+
9
+ <!--
10
+ **Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
11
+
12
+ Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
13
+
14
+ By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
15
+ -->
16
+
17
+ ### Describe the problem you'd like to have solved
18
+
19
+ <!--
20
+ > A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
21
+ -->
22
+
23
+ ### Describe the ideal solution
24
+
25
+ <!--
26
+ > A clear and concise description of what you want to happen.
27
+ -->
28
+
29
+ ## Alternatives and current work-arounds
30
+
31
+ <!--
32
+ > A clear and concise description of any alternatives you've considered or any work-arounds that are currently in place.
33
+ -->
34
+
35
+ ### Additional information, if any
36
+
37
+ <!--
38
+ > Add any other context or screenshots about the feature request here.
39
+ -->
@@ -0,0 +1,55 @@
1
+ ---
2
+ name: Report a bug
3
+ about: Have you found a bug or issue? Create a bug report for this SDK
4
+ title: ''
5
+ labels: bug report
6
+ assignees: ''
7
+ ---
8
+
9
+ <!--
10
+ **Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
11
+
12
+ Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
13
+
14
+ By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
15
+ -->
16
+
17
+ ### Describe the problem
18
+
19
+ <!--
20
+ > Provide a clear and concise description of the issue
21
+ -->
22
+
23
+ ### What was the expected behavior?
24
+
25
+ <!--
26
+ > Tell us about the behavior you expected to see
27
+ -->
28
+
29
+ ### Reproduction
30
+ <!--
31
+ > Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
32
+ > **Note**: If clear, reproducable steps or the smallest sample app demonstrating misbehavior cannot be provided, we may not be able to follow up on this bug report.
33
+
34
+ > Where possible, please include:
35
+ >
36
+ > - The smallest possible sample app that reproduces the undesirable behavior
37
+ > - Log files (redact/remove sensitive information)
38
+ > - Application settings (redact/remove sensitive information)
39
+ > - Screenshots
40
+ -->
41
+
42
+ - Step 1..
43
+ - Step 2..
44
+ - ...
45
+
46
+ ### Environment
47
+
48
+ <!--
49
+ > Please provide the following:
50
+ -->
51
+
52
+ - **Version of this library used:**
53
+ - **Which framework are you using, if applicable:**
54
+ - **Other modules/plugins/libraries that might be involved:**
55
+ - **Any other relevant information you think would be useful:**
@@ -29,4 +29,4 @@ Please describe how this can be tested by reviewers. Be specific about anything
29
29
  * [ ] I have read the [Auth0 contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
30
30
  * [ ] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
31
31
  * [ ] All existing and new tests complete without errors
32
- * [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](CONTRIBUTING.md) have been run/followed
32
+ * [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](https://github.com/auth0/omniauth-auth0/blob/master/CONTRIBUTING.md) have been run/followed
data/.gitignore CHANGED
@@ -10,3 +10,5 @@ tmp/
10
10
  ## Environment normalization:
11
11
  /.bundle
12
12
  /vendor/bundle
13
+
14
+ Gemfile.lock
@@ -1,10 +1,61 @@
1
1
  # Change Log
2
2
 
3
+ ## [v2.5.0](https://github.com/auth0/omniauth-auth0/tree/v2.5.0) (2021-01-21)
4
+
5
+ [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.2...v2.5.0)
6
+
7
+ **Added**
8
+ - Parsing claims from the id_token [\#120](https://github.com/auth0/omniauth-auth0/pull/120) ([davidpatrick](https://github.com/davidpatrick))
9
+
10
+ **Changed**
11
+ - Setup build matrix in CI [\#116](https://github.com/auth0/omniauth-auth0/pull/116) ([dmathieu](https://github.com/dmathieu))
12
+
13
+ **Fixed**
14
+ - Fixes params passed to authorize [\#119](https://github.com/auth0/omniauth-auth0/pull/119) ([davidpatrick](https://github.com/davidpatrick))
15
+
16
+
17
+ ## [v2.4.2](https://github.com/auth0/omniauth-auth0/tree/v2.4.2) (2021-01-19)
18
+
19
+ [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.1...v2.4.2)
20
+
21
+ **Fixed**
22
+ - Lock Omniauth to 1.9 in gemspec
23
+
24
+ ## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08)
25
+
26
+ [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1)
27
+
28
+ **Fixed**
29
+ - Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
30
+
31
+
32
+ ## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22)
33
+
34
+ [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0)
35
+
36
+ **Security**
37
+ - Bump rack from 2.2.2 to 2.2.3 [\#107](https://github.com/auth0/omniauth-auth0/pull/107) ([dependabot](https://github.com/dependabot))
38
+ - Update dependencies [\#100](https://github.com/auth0/omniauth-auth0/pull/100) ([Albalmaceda](https://github.com/Albalmaceda))
39
+
40
+ **Added**
41
+ - Add support for screen_hint=signup param [\#103](https://github.com/auth0/omniauth-auth0/pull/103) ([bbean86](https://github.com/bbean86))
42
+ - Add support for `connection_scope` in params [\#99](https://github.com/auth0/omniauth-auth0/pull/99) ([felixclack](https://github.com/felixclack))
43
+
44
+
45
+ ## [v2.3.1](https://github.com/auth0/omniauth-auth0/tree/v2.3.1) (2020-03-27)
46
+
47
+ [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.3.1)
48
+
49
+ **Fixed bugs:**
50
+
51
+ - Fixes dependency issue [\#97](https://github.com/auth0/omniauth-auth0/pull/97) ([davidpatrick](https://github.com/davidpatrick))
52
+ - Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" [\#96](https://github.com/auth0/omniauth-auth0/pull/96) ([stefanwork](https://github.com/stefanwork))
53
+
3
54
  ## [v2.3.0](https://github.com/auth0/omniauth-auth0/tree/v2.3.0) (2020-03-06)
4
- [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.2.0)
55
+ [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.2.0...v2.3.0)
5
56
 
6
57
  **Added**
7
- - Improved OIDC Compliance [\#74](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick))
58
+ - Improved OIDC Compliance [\#92](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick))
8
59
 
9
60
  ## [v2.2.0](https://github.com/auth0/omniauth-auth0/tree/v2.2.0) (2018-04-18)
10
61
  [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.1.0...v2.2.0)
data/Gemfile CHANGED
@@ -17,7 +17,7 @@ end
17
17
 
18
18
  group :test do
19
19
  gem 'guard-rspec', require: false
20
- gem 'listen', '~> 3.1.5'
20
+ gem 'listen', '~> 3'
21
21
  gem 'rack-test'
22
22
  gem 'rspec', '~> 3.5'
23
23
  gem 'codecov', require: false
data/README.md CHANGED
@@ -1,13 +1,14 @@
1
1
  # OmniAuth Auth0
2
2
 
3
- An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
3
+ An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
4
4
 
5
- **Important security note:** The parent library for this strategy currently has an unresolved security issue. Please see the discussion, including mitigations for Rails and non-Rails applications, [here](https://github.com/auth0/omniauth-auth0/issues/82).
5
+ > :warning: **Important security note:** This solution uses a 3rd party library with an unresolved [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284). Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution.
6
6
 
7
7
  [![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0)
8
8
  [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
9
9
  [![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0)
10
10
  [![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/omniauth-auth0/blob/master/LICENSE)
11
+ [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_shield)
11
12
 
12
13
  ## Table of Contents
13
14
 
@@ -24,6 +25,7 @@ An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating
24
25
 
25
26
  - [Ruby on Rails Quickstart](https://auth0.com/docs/quickstart/webapp/rails)
26
27
  - [Sample projects](https://github.com/auth0-samples/auth0-rubyonrails-sample)
28
+ - [API Reference](https://www.rubydoc.info/gems/omniauth-auth0)
27
29
 
28
30
  ## Installation
29
31
 
@@ -45,7 +47,7 @@ Then install:
45
47
  $ bundle install
46
48
  ```
47
49
 
48
- See our [contributing guide](CONTRIBUTING.md) for information on local installation for development.
50
+ See our [contributing guide](CONTRIBUTING.md) for information on local installation for development.
49
51
 
50
52
  ## Getting Started
51
53
 
@@ -63,7 +65,7 @@ All of these tasks and more are covered in our [Ruby on Rails Quickstart](https:
63
65
  To send additional parameters during login, you can specify them when you register the provider:
64
66
 
65
67
  ```ruby
66
- provider
68
+ provider
67
69
  :auth0,
68
70
  ENV['AUTH0_CLIENT_ID'],
69
71
  ENV['AUTH0_CLIENT_SECRET'],
@@ -121,6 +123,17 @@ The Auth0 strategy will provide the standard OmniAuth hash attributes:
121
123
  }
122
124
  ```
123
125
 
126
+ ### Query Parameter Options
127
+
128
+ In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this:
129
+
130
+ - `connection`
131
+ - `connection_scope`
132
+ - `prompt`
133
+ - `screen_hint` (only relevant to New Universal Login Experience)
134
+
135
+ Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
136
+
124
137
  ## Contribution
125
138
 
126
139
  We appreciate feedback and contribution to this repo! Before you get started, please see the following:
@@ -133,7 +146,7 @@ We appreciate feedback and contribution to this repo! Before you get started, pl
133
146
 
134
147
  - Use [Community](https://community.auth0.com/) for usage, questions, specific cases.
135
148
  - Use [Issues](https://github.com/auth0/omniauth-auth0/issues) here for code-level support and bug reports.
136
- - Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues.
149
+ - Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues.
137
150
 
138
151
  ## Vulnerability Reporting
139
152
 
@@ -155,3 +168,6 @@ Auth0 helps you to easily:
155
168
  ## License
156
169
 
157
170
  The OmniAuth Auth0 strategy is licensed under MIT - [LICENSE](LICENSE)
171
+
172
+
173
+ [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_large)
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module Auth0
3
- VERSION = '2.3.0'.freeze
3
+ VERSION = '2.5.0'.freeze
4
4
  end
5
5
  end
@@ -2,6 +2,7 @@ require 'base64'
2
2
  require 'uri'
3
3
  require 'json'
4
4
  require 'omniauth'
5
+ require 'omniauth/auth0/errors'
5
6
 
6
7
  module OmniAuth
7
8
  module Auth0
@@ -27,23 +28,34 @@ module OmniAuth
27
28
  @client_secret = options.client_secret
28
29
  end
29
30
 
31
+ # Verify a token's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
32
+ # Deprecated: Please use `decode` instead
33
+ # @return array - The token's key and signing algorithm
30
34
  def verify_signature(jwt)
31
35
  head = token_head(jwt)
36
+ key, alg = extract_key(head)
32
37
 
33
- # Make sure the algorithm is supported and get the decode key.
34
- if head[:alg] == 'RS256'
35
- [rs256_decode_key(head[:kid]), head[:alg]]
36
- elsif head[:alg] == 'HS256'
37
- [@client_secret, head[:alg]]
38
- else
39
- raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
40
- end
38
+ # Call decode to verify the signature
39
+ JWT.decode(jwt, key, true, decode_opts(alg))
40
+ return key, alg
41
+ end
42
+
43
+ # Decodes a JWT and verifies it's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
44
+ # @param jwt string - JWT to verify.
45
+ # @return hash - The decoded token, if there were no exceptions.
46
+ # @see https://github.com/jwt/ruby-jwt
47
+ def decode(jwt)
48
+ head = token_head(jwt)
49
+ key, alg = extract_key(head)
50
+
51
+ # Call decode to verify the signature
52
+ JWT.decode(jwt, key, true, decode_opts(alg))
41
53
  end
42
54
 
43
55
  # Verify a JWT.
44
56
  # @param jwt string - JWT to verify.
45
57
  # @param authorize_params hash - Authorization params to verify on the JWT
46
- # @return hash - The verified token, if there were no exceptions.
58
+ # @return hash - The verified token payload, if there were no exceptions.
47
59
  def verify(jwt, authorize_params = {})
48
60
  if !jwt
49
61
  raise OmniAuth::Auth0::TokenValidationError.new('ID token is required but missing')
@@ -54,8 +66,7 @@ module OmniAuth
54
66
  raise OmniAuth::Auth0::TokenValidationError.new('ID token could not be decoded')
55
67
  end
56
68
 
57
- key, alg = verify_signature(jwt)
58
- id_token, header = JWT.decode(jwt, key, false)
69
+ id_token, header = decode(jwt)
59
70
  verify_claims(id_token, authorize_params)
60
71
 
61
72
  return id_token
@@ -92,11 +103,37 @@ module OmniAuth
92
103
  end
93
104
 
94
105
  private
106
+ # Get the JWT decode options. We disable the claim checks since we perform our claim validation logic
107
+ # Docs: https://github.com/jwt/ruby-jwt
108
+ # @return hash
109
+ def decode_opts(alg)
110
+ {
111
+ algorithm: alg,
112
+ verify_expiration: false,
113
+ verify_iat: false,
114
+ verify_iss: false,
115
+ verify_aud: false,
116
+ verify_jti: false,
117
+ verify_subj: false,
118
+ verify_not_before: false
119
+ }
120
+ end
121
+
122
+ def extract_key(head)
123
+ if head[:alg] == 'RS256'
124
+ key, alg = [rs256_decode_key(head[:kid]), head[:alg]]
125
+ elsif head[:alg] == 'HS256'
126
+ key, alg = [@client_secret, head[:alg]]
127
+ else
128
+ raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
129
+ end
130
+ end
131
+
95
132
  def rs256_decode_key(kid)
96
133
  jwks_x5c = jwks_key(:x5c, kid)
97
134
 
98
135
  if jwks_x5c.nil?
99
- raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}''")
136
+ raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}'")
100
137
  end
101
138
 
102
139
  jwks_public_cert(jwks_x5c.first)
@@ -129,7 +166,8 @@ module OmniAuth
129
166
  def uri_string(uri)
130
167
  temp_domain = URI(uri)
131
168
  temp_domain = URI("https://#{uri}") unless temp_domain.scheme
132
- "#{temp_domain}/"
169
+ temp_domain = temp_domain.to_s
170
+ temp_domain.end_with?('/') ? temp_domain : "#{temp_domain}/"
133
171
  end
134
172
 
135
173
  def verify_claims(id_token, authorize_params)