omniauth-auth0 2.3.1 → 2.6.0

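--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 735b9218b77206e4e3c8d2a3e0aa983fa4b5fc41591a593ea681d5bcaa8c12d6
-data.tar.gz: d66683b025e4dbe28c3986e5f271b71087145d1f3b9f8c425b89bc139a77750f
+metadata.gz: f45e6ee50254603367c7de482ce5537b48c5faf1bc7a4f2797cf461f21b37198
+data.tar.gz: 88eb699d3cf59148df15728b42d517e010bebe29617f1f9e972dc9656e5a79a2
 SHA512:
-metadata.gz: '02885a905400e376c738b6fd01892e372902f8394b10d5c1436d6105127e28055827c4ca2b09f3d31df0d163dd01ea8f5dd8d53fdf2f8fc1201ba116cdcb6b9f'
-data.tar.gz: e7b50a03c9ed21e981d89a4fa36f220da3bac9e963999fc56762ada02b19873e3452d6084198595924fa4e2be8480bfac6150e56d4536c5cf93b53369ded3253
+metadata.gz: 829fd68186ab4685d7628b6a7c3a0cce95b1008396e6b6588e72b30ff7b077c103109bafe8e3e480539a07d715550fed27b2d73f537e505498a8b434655a0776
+data.tar.gz: 8d03a181ad81f1b08618f542d1971d298a9751ca5d02e949bcf8f60bbf4d6ba2ce3463e6f5ce5a01945a82f24ce7e6f67881192f3e4214a2d05bb556ba6ef66e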
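--- a/data/.circleci/config.yml
+++ b/data/.circleci/config.yml
@@ -1,23 +1,38 @@
 version: 2.1
+matrix_rubyversions: &matrix_rubyversions
+matrix:
+parameters:
+rubyversion: ["2.5", "2.6", "2.7", "3.0"]
+# Default version of ruby to use for lint and publishing
+default_rubyversion: &default_rubyversion "2.7"
+
+executors:
+ruby:
+parameters:
+rubyversion:
+type: string
+default: *default_rubyversion
+docker:
+- image: circleci/ruby:<< parameters.rubyversion >>
+
 jobs:
 run-tests:
-docker:
-- image: circleci/ruby:2.4.6-jessie
+parameters:
+rubyversion:
+type: string
+default: *default_rubyversion
+executor:
+name: ruby
+rubyversion: "<< parameters.rubyversion >>"
 steps:
 - checkout
 - restore_cache:
 keys:
-- gems-v2-{{ checksum "Gemfile.lock" }}
+- gems-v2-{{ checksum "Gemfile" }}
 - gems-v2-
 - run: bundle check || bundle install
-- persist_to_workspace:
-root: .
-paths:
-- Gemfile
-- Gemfile.lock
-- .snyk
 - save_cache:
-key: gems-v2--{{ checksum "Gemfile.lock" }}
+key: gems-v2--{{ checksum "Gemfile" }}
 paths:
 - vendor/bundle
 - run: bundle exec rake spec
@@ -25,4 +40,5 @@ jobs:
 workflows:
 tests:
 jobs:
-- run-tests
+- run-tests:
+<<: *matrix_rubyversions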
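Review bot: The gem cache key is shared across every Ruby version in the new matrix: `restore_cache` and `save_cache` (new lines 31 and 35) key only on `checksum "Gemfile"`, while `run-tests` now runs once per `rubyversion` (new lines 20-26 and 43-44), so a `vendor/bundle` saved by the 2.5 job can be restored by the 3.0 job and native extensions built against one Ruby ABI end up loaded under another. Put the parameter into both keys, `- gems-v2-<< parameters.rubyversion >>-{{ checksum "Gemfile" }}` and `key: gems-v2-<< parameters.rubyversion >>-{{ checksum "Gemfile" }}`, and do the same for the fallback prefix on new line 32, which would otherwise still match another version's entry. Keying on `Gemfile` instead of the now-ignored `Gemfile.lock` also means the cache no longer changes when a resolved dependency version does; `bundle check || bundle install` papers over that, but bumping the `gems-v2` prefix at the same time would avoid restoring the stale shared entries that already exist.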
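--- a/data/.github/CODEOWNERS
+++ b/data/.github/CODEOWNERS
@@ -1 +1 @@
-* @auth0/dx-sdks-approver
+* @auth0/dx-sdks-engineer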
@@ -0,0 +1,8 @@
1
+ blank_issues_enabled: false
2
+ contact_links:
3
+ - name: Auth0 Community
4
+ url: https://community.auth0.com/c/sdks/5
5
+ about: Discuss this SDK in the Auth0 Community forums
6
+ - name: Library Documentation
7
+ url: https://github.com/auth0/omniauth-auth0#documentation
8
+ about: Read the library docs on Auth0.com
@@ -0,0 +1,39 @@
1
+ ---
2
+ name: Feature request
3
+ about: Suggest an idea or a feature for this project
4
+ title: ''
5
+ labels: feature request
6
+ assignees: ''
7
+ ---
8
+
9
+ <!--
10
+ **Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
11
+
12
+ Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
13
+
14
+ By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
15
+ -->
16
+
17
+ ### Describe the problem you'd like to have solved
18
+
19
+ <!--
20
+ > A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
21
+ -->
22
+
23
+ ### Describe the ideal solution
24
+
25
+ <!--
26
+ > A clear and concise description of what you want to happen.
27
+ -->
28
+
29
+ ## Alternatives and current work-arounds
30
+
31
+ <!--
32
+ > A clear and concise description of any alternatives you've considered or any work-arounds that are currently in place.
33
+ -->
34
+
35
+ ### Additional information, if any
36
+
37
+ <!--
38
+ > Add any other context or screenshots about the feature request here.
39
+ -->
@@ -0,0 +1,55 @@
1
+ ---
2
+ name: Report a bug
3
+ about: Have you found a bug or issue? Create a bug report for this SDK
4
+ title: ''
5
+ labels: bug report
6
+ assignees: ''
7
+ ---
8
+
9
+ <!--
10
+ **Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
11
+
12
+ Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
13
+
14
+ By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
15
+ -->
16
+
17
+ ### Describe the problem
18
+
19
+ <!--
20
+ > Provide a clear and concise description of the issue
21
+ -->
22
+
23
+ ### What was the expected behavior?
24
+
25
+ <!--
26
+ > Tell us about the behavior you expected to see
27
+ -->
28
+
29
+ ### Reproduction
30
+ <!--
31
+ > Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
32
+ > **Note**: If clear, reproducable steps or the smallest sample app demonstrating misbehavior cannot be provided, we may not be able to follow up on this bug report.
33
+
34
+ > Where possible, please include:
35
+ >
36
+ > - The smallest possible sample app that reproduces the undesirable behavior
37
+ > - Log files (redact/remove sensitive information)
38
+ > - Application settings (redact/remove sensitive information)
39
+ > - Screenshots
40
+ -->
41
+
42
+ - Step 1..
43
+ - Step 2..
44
+ - ...
45
+
46
+ ### Environment
47
+
48
+ <!--
49
+ > Please provide the following:
50
+ -->
51
+
52
+ - **Version of this library used:**
53
+ - **Which framework are you using, if applicable:**
54
+ - **Other modules/plugins/libraries that might be involved:**
55
+ - **Any other relevant information you think would be useful:**
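--- a/data/.gitignore
+++ b/data/.gitignore
@@ -10,3 +10,5 @@ tmp/
 ## Environment normalization:
 /.bundle
 /vendor/bundle
+
+Gemfile.lock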
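--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,55 @@
 # Change Log
 
+## [v2.6.0](https://github.com/auth0/omniauth-auth0/tree/v2.6.0) (2021-04-01)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.5.0...v2.6.0)
+
+**Added**
+- Org Support [SDK-2395] [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick))
+- Add login_hint to permitted params [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz))
+
+## [v2.5.0](https://github.com/auth0/omniauth-auth0/tree/v2.5.0) (2021-01-21)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.2...v2.5.0)
+
+**Added**
+- Parsing claims from the id_token [\#120](https://github.com/auth0/omniauth-auth0/pull/120) ([davidpatrick](https://github.com/davidpatrick))
+
+**Changed**
+- Setup build matrix in CI [\#116](https://github.com/auth0/omniauth-auth0/pull/116) ([dmathieu](https://github.com/dmathieu))
+
+**Fixed**
+- Fixes params passed to authorize [\#119](https://github.com/auth0/omniauth-auth0/pull/119) ([davidpatrick](https://github.com/davidpatrick))
+
+
+## [v2.4.2](https://github.com/auth0/omniauth-auth0/tree/v2.4.2) (2021-01-19)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.1...v2.4.2)
+
+**Fixed**
+- Lock Omniauth to 1.9 in gemspec
+
+## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1)
+
+**Fixed**
+- Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
+
+
+## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0)
+
+**Security**
+- Bump rack from 2.2.2 to 2.2.3 [\#107](https://github.com/auth0/omniauth-auth0/pull/107) ([dependabot](https://github.com/dependabot))
+- Update dependencies [\#100](https://github.com/auth0/omniauth-auth0/pull/100) ([Albalmaceda](https://github.com/Albalmaceda))
+
+**Added**
+- Add support for screen_hint=signup param [\#103](https://github.com/auth0/omniauth-auth0/pull/103) ([bbean86](https://github.com/bbean86))
+- Add support for `connection_scope` in params [\#99](https://github.com/auth0/omniauth-auth0/pull/99) ([felixclack](https://github.com/felixclack))
+
+
 ## [v2.3.1](https://github.com/auth0/omniauth-auth0/tree/v2.3.1) (2020-03-27)
 
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.3.1)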
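--- a/data/Gemfile
+++ b/data/Gemfile
@@ -17,7 +17,7 @@ end
 
 group :test do
 gem 'guard-rspec', require: false
-gem 'listen', '~> 3.1.5'
+gem 'listen', '~> 3'
 gem 'rack-test'
 gem 'rspec', '~> 3.5'
 gem 'codecov', require: false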
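--- a/data/README.md
+++ b/data/README.md
@@ -1,13 +1,14 @@
 # OmniAuth Auth0
 
-An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
+An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
 
-**Important security note:** The parent library for this strategy currently has an unresolved security issue. Please see the discussion, including mitigations for Rails and non-Rails applications, [here](https://github.com/auth0/omniauth-auth0/issues/82).
+> :warning: **Important security note:** This solution uses a 3rd party library with an unresolved [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284). Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution.
 
 [![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0)
 [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
 [![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0)
 [![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/omniauth-auth0/blob/master/LICENSE)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_shield)
 
 ## Table of Contents
 
@@ -24,6 +25,7 @@ An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating
 
 - [Ruby on Rails Quickstart](https://auth0.com/docs/quickstart/webapp/rails)
 - [Sample projects](https://github.com/auth0-samples/auth0-rubyonrails-sample)
+- [API Reference](https://www.rubydoc.info/gems/omniauth-auth0)
 
 ## Installation
 
@@ -45,7 +47,7 @@ Then install:
 $ bundle install
 ```
 
-See our [contributing guide](CONTRIBUTING.md) for information on local installation for development.
+See our [contributing guide](CONTRIBUTING.md) for information on local installation for development.
 
 ## Getting Started
 
@@ -63,7 +65,7 @@ All of these tasks and more are covered in our [Ruby on Rails Quickstart](https:
 To send additional parameters during login, you can specify them when you register the provider:
 
 ```ruby
-provider
+provider
 :auth0,
 ENV['AUTH0_CLIENT_ID'],
 ENV['AUTH0_CLIENT_SECRET'],
@@ -121,6 +123,86 @@ The Auth0 strategy will provide the standard OmniAuth hash attributes:
 }
 ```
 
+### Query Parameter Options
+
+In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this:
+
+- `connection`
+- `connection_scope`
+- `prompt`
+- `screen_hint` (only relevant to New Universal Login Experience)
+- `organization`
+- `invitation`
+
+Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
+
+## Examples
+
+### Auth0 Organizations (Closed Beta)
+
+Organizations is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
+
+Using Organizations, you can:
+
+- Represent teams, business customers, partner companies, or any logical grouping of users that should have different ways of accessing your applications, as organizations.
+- Manage their membership in a variety of ways, including user invitation.
+- Configure branded, federated login flows for each organization.
+- Implement role-based access control, such that users can have different roles when authenticating in the context of different organizations.
+- Build administration capabilities into your products, using Organizations APIs, so that those businesses can manage their own organizations.
+
+Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.
+
+#### Logging in with an Organization
+
+Logging in with an Organization is as easy as passing the parameters to the authorize endpoint. You can do this with
+
+```ruby
+<%=
+button_to 'Login', 'auth/auth0',
+method: :post,
+params: {
+# Found in your Auth0 dashboard, under Organization settings:
+organization: '{AUTH0_ORGANIZATION}'
+}
+%>
+```
+
+Alternatively you can configure the organization when you register the provider:
+
+```ruby
+provider
+:auth0,
+ENV['AUTH0_CLIENT_ID'],
+ENV['AUTH0_CLIENT_SECRET'],
+ENV['AUTH0_DOMAIN'],
+{
+authorize_params: {
+scope: 'openid read:users',
+audience: 'https://{AUTH0_DOMAIN}/api',
+organization: '{AUTH0_ORGANIZATION}'
+}
+}
+```
+
+#### Accepting user invitations
+
+Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard.
+
+When the user arrives at your application using an invite link, you can expect three query parameters to be provided: `invitation`, `organization`, and `organization_name`. These will always be delivered using a GET request.
+
+You can then supply those parametrs to a `button_to` or `link_to` helper
+
+```ruby
+<%=
+button_to 'Login', 'auth/auth0',
+method: :post,
+params: {
+organization: '{YOUR_ORGANIZATION_ID}',
+invitation: '{INVITE_CODE}'
+}
+%>
+```
+
 ## Contribution
 
 We appreciate feedback and contribution to this repo! Before you get started, please see the following:
@@ -133,7 +215,7 @@ We appreciate feedback and contribution to this repo! Before you get started, pl
 
 - Use [Community](https://community.auth0.com/) for usage, questions, specific cases.
 - Use [Issues](https://github.com/auth0/omniauth-auth0/issues) here for code-level support and bug reports.
-- Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues.
+- Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues.
 
 ## Vulnerability Reporting
 
@@ -155,3 +237,6 @@ Auth0 helps you to easily:
 ## License
 
 The OmniAuth Auth0 strategy is licensed under MIT - [LICENSE](LICENSE)
+
+
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_large)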
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module Auth0
3
- VERSION = '2.3.1'.freeze
3
+ VERSION = '2.6.0'.freeze
4
4
  end
5
5
  end
@@ -28,23 +28,34 @@ module OmniAuth
28
28
  @client_secret = options.client_secret
29
29
  end
30
30
 
31
+ # Verify a token's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
32
+ # Deprecated: Please use `decode` instead
33
+ # @return array - The token's key and signing algorithm
31
34
  def verify_signature(jwt)
32
35
  head = token_head(jwt)
36
+ key, alg = extract_key(head)
33
37
 
34
- # Make sure the algorithm is supported and get the decode key.
35
- if head[:alg] == 'RS256'
36
- [rs256_decode_key(head[:kid]), head[:alg]]
37
- elsif head[:alg] == 'HS256'
38
- [@client_secret, head[:alg]]
39
- else
40
- raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
41
- end
38
+ # Call decode to verify the signature
39
+ JWT.decode(jwt, key, true, decode_opts(alg))
40
+ return key, alg
41
+ end
42
+
43
+ # Decodes a JWT and verifies it's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
44
+ # @param jwt string - JWT to verify.
45
+ # @return hash - The decoded token, if there were no exceptions.
46
+ # @see https://github.com/jwt/ruby-jwt
47
+ def decode(jwt)
48
+ head = token_head(jwt)
49
+ key, alg = extract_key(head)
50
+
51
+ # Call decode to verify the signature
52
+ JWT.decode(jwt, key, true, decode_opts(alg))
42
53
  end
43
54
 
44
55
  # Verify a JWT.
45
56
  # @param jwt string - JWT to verify.
46
57
  # @param authorize_params hash - Authorization params to verify on the JWT
47
- # @return hash - The verified token, if there were no exceptions.
58
+ # @return hash - The verified token payload, if there were no exceptions.
48
59
  def verify(jwt, authorize_params = {})
49
60
  if !jwt
50
61
  raise OmniAuth::Auth0::TokenValidationError.new('ID token is required but missing')
@@ -55,8 +66,7 @@ module OmniAuth
55
66
  raise OmniAuth::Auth0::TokenValidationError.new('ID token could not be decoded')
56
67
  end
57
68
 
58
- key, alg = verify_signature(jwt)
59
- id_token, header = JWT.decode(jwt, key, false)
69
+ id_token, header = decode(jwt)
60
70
  verify_claims(id_token, authorize_params)
61
71
 
62
72
  return id_token
@@ -93,11 +103,37 @@ module OmniAuth
93
103
  end
94
104
 
95
105
  private
106
+ # Get the JWT decode options. We disable the claim checks since we perform our claim validation logic
107
+ # Docs: https://github.com/jwt/ruby-jwt
108
+ # @return hash
109
+ def decode_opts(alg)
110
+ {
111
+ algorithm: alg,
112
+ verify_expiration: false,
113
+ verify_iat: false,
114
+ verify_iss: false,
115
+ verify_aud: false,
116
+ verify_jti: false,
117
+ verify_subj: false,
118
+ verify_not_before: false
119
+ }
120
+ end
121
+
122
+ def extract_key(head)
123
+ if head[:alg] == 'RS256'
124
+ key, alg = [rs256_decode_key(head[:kid]), head[:alg]]
125
+ elsif head[:alg] == 'HS256'
126
+ key, alg = [@client_secret, head[:alg]]
127
+ else
128
+ raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
129
+ end
130
+ end
131
+
96
132
  def rs256_decode_key(kid)
97
133
  jwks_x5c = jwks_key(:x5c, kid)
98
134
 
99
135
  if jwks_x5c.nil?
100
- raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}''")
136
+ raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}'")
101
137
  end
102
138
 
103
139
  jwks_public_cert(jwks_x5c.first)
@@ -130,13 +166,15 @@ module OmniAuth
130
166
  def uri_string(uri)
131
167
  temp_domain = URI(uri)
132
168
  temp_domain = URI("https://#{uri}") unless temp_domain.scheme
133
- "#{temp_domain}/"
169
+ temp_domain = temp_domain.to_s
170
+ temp_domain.end_with?('/') ? temp_domain : "#{temp_domain}/"
134
171
  end
135
172
 
136
173
  def verify_claims(id_token, authorize_params)
137
174
  leeway = authorize_params[:leeway] || 60
138
175
  max_age = authorize_params[:max_age]
139
176
  nonce = authorize_params[:nonce]
177
+ organization = authorize_params[:organization]
140
178
 
141
179
  verify_iss(id_token)
142
180
  verify_sub(id_token)
@@ -146,6 +184,7 @@ module OmniAuth
146
184
  verify_nonce(id_token, nonce)
147
185
  verify_azp(id_token)
148
186
  verify_auth_time(id_token, leeway, max_age)
187
+ verify_org(id_token, organization)
149
188
  end
150
189
 
151
190
  def verify_iss(id_token)
@@ -223,6 +262,17 @@ module OmniAuth
223
262
  end
224
263
  end
225
264
  end
265
+
266
+ def verify_org(id_token, organization)
267
+ if organization
268
+ org_id = id_token['org_id']
269
+ if !org_id || !org_id.is_a?(String)
270
+ raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim must be a string present in the ID token")
271
+ elsif org_id != organization
272
+ raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'")
273
+ end
274
+ end
275
+ end
226
276
  end
227
277
  end
228
278
  end
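Review bot: The docstring on the new public `decode` method (new lines 43-47) should say that the signature is the only thing it checks: `decode_opts` (new lines 106-120) switches off every claim verification in ruby-jwt, so a caller that reaches for `decode` instead of `verify` receives a payload whose expiration, issuer, audience and nonce were never validated, and nothing in the current wording warns against using it that way. I would add, after the `@see` line, `# NOTE: only the signature is verified here; claim validation (exp, iss, aud, nonce, ...) is performed by #verify, which is the method to call for an ID token` (and `it's signature` should read `its signature`). A smaller point of style in `extract_key` (new lines 122-130): the `key, alg =` assignments on lines 124 and 126 are dead, since the method's value is the `if` expression itself; returning `[rs256_decode_key(head[:kid]), head[:alg]]` and `[@client_secret, head[:alg]]` directly, as the old `verify_signature` body did, reads more clearly. The remainder of `verify_claims` lies outside these hunks, so I cannot confirm from here which of the disabled claim checks it re-implements beyond the `verify_*` calls visible on new lines 179-187.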