omniauth-auth0 2.4.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 33f4a34bf39a6fb628e07ed669624f1917d07353ed6f1b90d1a7e49f159c34f0
-  data.tar.gz: 75b2362d94d4dfaa802a5a858c2b6c9c01dbd594393670c69280f21b96732ff2
+  metadata.gz: 0520b864e8bb97a9d82fed1babc9caa7097e101a1189b1c42cf15b1180ceb4df
+  data.tar.gz: 87e8bd695538c9b3b1121a3a3fd1e308d5ea8426e5a9e16085958b0c494f7dc2
 SHA512:
-  metadata.gz: bd3d007acf54fdf777fd9793eb24a0512504969436bc88420f51c21647fb4099815bb099e980e1d27bcbb3e187efb3a767bdb9b59b9f08b549ebf9e011072bc9
-  data.tar.gz: 36c5a4202d76c35d52dfdf1168895a03a66cad08400150444642f1dae4c9a285b0c856ffcbed3d49763c14a9c2201dc8ab96e3dffa9c50aad3c8c201e2784f59
+  metadata.gz: ae02867645d43d7cd0002adeeba78a9a2af3022553766e4c93f64f612bcae587a1cb04c7552734b76fdf9bbc8802c1ad8821f79b28c11b24d66e20514e6bd937
+  data.tar.gz: 1d507d8fada206d902fbfd4f527728fc36918b2fa169f3c0e806b233afd10bf8ea0739afc3f57068c70e704d8ac6060b4d11929057840f7380f03e113a7b9171

data/.circleci/config.yml

@@ -1,17 +1,38 @@
 version: 2.1
+matrix_rubyversions: &matrix_rubyversions
+  matrix:
+    parameters:
+      rubyversion: ["2.5", "2.6", "2.7", "3.0"]
+# Default version of ruby to use for lint and publishing
+default_rubyversion: &default_rubyversion "2.7"
+
+executors:
+  ruby:
+    parameters:
+      rubyversion:
+        type: string
+        default: *default_rubyversion
+    docker:
+      - image: circleci/ruby:<< parameters.rubyversion >>
+
 jobs:
   run-tests:
-    docker:
-      - image: circleci/ruby:2.5.7-buster
+    parameters:
+      rubyversion:
+        type: string
+        default: *default_rubyversion
+    executor:
+      name: ruby
+      rubyversion: "<< parameters.rubyversion >>"
     steps:
       - checkout
       - restore_cache:
           keys:
-            - gems-v2-{{ checksum "Gemfile.lock" }}
+            - gems-v2-{{ checksum "Gemfile" }}
             - gems-v2-
       - run: bundle check || bundle install
       - save_cache:
-          key: gems-v2--{{ checksum "Gemfile.lock" }}
+          key: gems-v2--{{ checksum "Gemfile" }}
           paths:
             - vendor/bundle
       - run: bundle exec rake spec
@@ -19,4 +40,5 @@ jobs:
 workflows:
   tests:
     jobs:
-      - run-tests
+      - run-tests:
+          <<: *matrix_rubyversions

data/.github/CODEOWNERS

@@ -1 +1 @@
-*	@auth0/dx-sdks-approver
+*	@auth0/dx-sdks-engineer

data/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Auth0 Community
+    url: https://community.auth0.com/c/sdks/5
+    about: Discuss this SDK in the Auth0 Community forums
+  - name: Library Documentation
+    url: https://github.com/auth0/omniauth-auth0#documentation
+    about: Read the library docs on Auth0.com

data/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,39 @@
+---
+name: Feature request
+about: Suggest an idea or a feature for this project
+title: ''
+labels: feature request
+assignees: ''
+---
+
+<!--
+**Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
+
+Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
+
+By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
+-->
+
+### Describe the problem you'd like to have solved
+
+<!--
+> A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+-->
+
+### Describe the ideal solution
+
+<!--
+> A clear and concise description of what you want to happen.
+-->
+
+## Alternatives and current work-arounds
+
+<!--
+> A clear and concise description of any alternatives you've considered or any work-arounds that are currently in place.
+-->
+
+### Additional information, if any
+
+<!--
+> Add any other context or screenshots about the feature request here.
+-->

data/.github/ISSUE_TEMPLATE/report_a_bug.md

@@ -0,0 +1,55 @@
+---
+name: Report a bug
+about: Have you found a bug or issue? Create a bug report for this SDK
+title: ''
+labels: bug report
+assignees: ''
+---
+
+<!--
+**Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
+
+Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
+
+By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
+-->
+
+### Describe the problem
+
+<!--
+> Provide a clear and concise description of the issue
+-->
+
+### What was the expected behavior?
+
+<!--
+> Tell us about the behavior you expected to see
+-->
+
+### Reproduction
+<!--
+> Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
+> **Note**: If clear, reproducable steps or the smallest sample app demonstrating misbehavior cannot be provided, we may not be able to follow up on this bug report.
+
+> Where possible, please include:
+>
+> - The smallest possible sample app that reproduces the undesirable behavior
+> - Log files (redact/remove sensitive information)
+> - Application settings (redact/remove sensitive information)
+> - Screenshots
+-->
+
+- Step 1..
+- Step 2..
+- ...
+
+### Environment
+
+<!--
+> Please provide the following:
+-->
+
+- **Version of this library used:**
+- **Which framework are you using, if applicable:**
+- **Other modules/plugins/libraries that might be involved:**
+- **Any other relevant information you think would be useful:**

data/.gitignore

@@ -10,3 +10,5 @@ tmp/
 ## Environment normalization:
 /.bundle
 /vendor/bundle
+
+Gemfile.lock

data/CHANGELOG.md

@@ -1,5 +1,75 @@
 # Change Log
 
+## [v3.0.0](https://github.com/auth0/omniauth-auth0/tree/v3.0.0) (2021-04-14)
+Version 3.0 introduces [Omniauth v2.0](https://github.com/omniauth/omniauth/releases/tag/v2.0.0) which addresses [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284). Omniauth now defaults to only allow `POST` as the allowed request_phase method. This was previously handled through the recommended [mitigation](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284) using the `omniauth-rails_csrf_protection v0.x.x` gem to provide CSRF protection.
+
+### Upgrading to omniauth-rails_csrf_protection v1.0.0
+If you are using `omniauth-rails_csrf_protection` to provide CSRF protection, you will need to be upgrade to `1.x.x`.
+
+### BREAKING CHANGES
+Now that OmniAuth now defaults to only `POST` as the allowed request_phase method, if you aren't already, you will need to convert any login links to use [form helpers](https://api.rubyonrails.org/classes/ActionView/Helpers/FormHelper.html#method-i-form_for) with the `POST` method.
+
+```html+ruby
+# OLD -- GET request
+<a href='/auth/auth0'>Login</a>
+
+# NEW Example #1 -- POST request
+<%= link_to 'Login', 'auth/auth0', method: :post %>
+
+# NEW Example #2 -- POST request
+<%= button_to 'Login', 'auth/auth0', method: :post %>
+
+# NEW Example #3 -- POST request
+<%= form_tag('/auth/auth0', method: :post) do %>
+  <button type='submit'></button>
+<% end %>
+```
+
+### Allowing GET Requests
+In the scenario you absolutely must use GET requests as an allowed request method for authentication, you can override the protection provided with the following config override:
+
+```ruby
+# Allowing GET requests will expose you to CVE-2015-9284 
+OmniAuth.config.allowed_request_methods = [:get, :post]
+```
+
+## [v2.6.0](https://github.com/auth0/omniauth-auth0/tree/v2.6.0) (2021-04-01)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.5.0...v2.6.0)
+
+**Added**
+- Org Support [SDK-2395]  [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick))
+- Add login_hint to permitted params  [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz))
+
+## [v2.5.0](https://github.com/auth0/omniauth-auth0/tree/v2.5.0) (2021-01-21)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.2...v2.5.0)
+
+**Added**
+- Parsing claims from the id_token [\#120](https://github.com/auth0/omniauth-auth0/pull/120) ([davidpatrick](https://github.com/davidpatrick))
+
+**Changed**
+- Setup build matrix in CI [\#116](https://github.com/auth0/omniauth-auth0/pull/116) ([dmathieu](https://github.com/dmathieu))
+
+**Fixed**
+- Fixes params passed to authorize [\#119](https://github.com/auth0/omniauth-auth0/pull/119) ([davidpatrick](https://github.com/davidpatrick))
+
+
+## [v2.4.2](https://github.com/auth0/omniauth-auth0/tree/v2.4.2) (2021-01-19)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.1...v2.4.2)
+
+**Fixed**
+- Lock Omniauth to 1.9 in gemspec
+
+## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1)
+
+**Fixed**
+- Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
+
+
 ## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22)
 
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0)

data/Gemfile

@@ -17,7 +17,7 @@ end
 
 group :test do
   gem 'guard-rspec', require: false
-  gem 'listen', '~> 3.1.5'
+  gem 'listen', '~> 3'
   gem 'rack-test'
   gem 'rspec', '~> 3.5'
   gem 'codecov', require: false

data/README.md

@@ -2,7 +2,7 @@
 
 An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
 
-> :warning:  **Important security note:** This solution uses a 3rd party library with an unresolved [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284). Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution.
+> :warning:  **Important security note for v2:** This solution uses a 3rd party library that had a [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284) in v2. Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution in v2.  **[Upgrading to v3](https://github.com/auth0/omniauth-auth0/pull/128) of this library resolves the issue.**
 
 [![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0)
 [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
@@ -25,6 +25,7 @@ An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating
 
 - [Ruby on Rails Quickstart](https://auth0.com/docs/quickstart/webapp/rails)
 - [Sample projects](https://github.com/auth0-samples/auth0-rubyonrails-sample)
+- [API Reference](https://www.rubydoc.info/gems/omniauth-auth0)
 
 ## Installation
 
@@ -130,9 +131,105 @@ In some scenarios, you may need to pass specific query parameters to `/authorize
 - `connection_scope`
 - `prompt`
 - `screen_hint` (only relevant to New Universal Login Experience)
+- `organization`
+- `invitation`
 
 Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
 
+## Examples
+
+### Auth0 Organizations
+
+[Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
+
+Using Organizations, you can:
+
+- Represent teams, business customers, partner companies, or any logical grouping of users that should have different ways of accessing your applications, as organizations.
+- Manage their membership in a variety of ways, including user invitation.
+- Configure branded, federated login flows for each organization.
+- Implement role-based access control, such that users can have different roles when authenticating in the context of different organizations.
+- Build administration capabilities into your products, using Organizations APIs, so that those businesses can manage their own organizations.
+
+Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.
+
+#### Logging in with an Organization
+
+Logging in with an Organization is as easy as passing the parameters to the authorize endpoint.  You can do this with 
+
+```ruby
+<%= 
+    button_to 'Login', 'auth/auth0',
+    method: :post,
+    params: {
+      # Found in your Auth0 dashboard, under Organization settings:
+      organization: '{AUTH0_ORGANIZATION}'
+    }
+%>
+```
+
+Alternatively you can configure the organization when you register the provider:
+
+```ruby
+provider
+  :auth0,
+  ENV['AUTH0_CLIENT_ID'],
+  ENV['AUTH0_CLIENT_SECRET'],
+  ENV['AUTH0_DOMAIN']
+  {
+    authorize_params: {
+      scope: 'openid read:users',
+      audience: 'https://{AUTH0_DOMAIN}/api',
+      organization: '{AUTH0_ORGANIZATION}'
+    }
+  }
+```
+
+When passing `openid` to the scope and `organization` to the authorize params, you will receive an ID token on callback with the `org_id` claim.  This claim is validated for you by the SDK.
+
+#### Validating Organizations when using Organization Login Prompt
+
+When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known.
+
+Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
+
+In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token.
+
+Here is an example using it in your `callback` method
+
+```ruby
+  def callback
+    claims = request.env['omniauth.auth']['extra']['raw_info']
+
+    if claims["org"] && claims["org"] !== expected_org
+      redirect_to '/unauthorized', status: 401
+    else
+      session[:userinfo] = claims
+      redirect_to '/dashboard'
+    end
+  end
+```
+
+For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.
+
+#### Accepting user invitations
+
+Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard.
+
+When the user arrives at your application using an invite link, you can expect three query parameters to be provided: `invitation`, `organization`, and `organization_name`. These will always be delivered using a GET request.
+
+You can then supply those parametrs to a `button_to` or `link_to` helper
+
+```ruby
+<%= 
+    button_to 'Login', 'auth/auth0',
+    method: :post,
+    params: {
+      organization: '{YOUR_ORGANIZATION_ID}',
+      invitation: '{INVITE_CODE}'
+    }
+%>
+```
+
 ## Contribution
 
 We appreciate feedback and contribution to this repo! Before you get started, please see the following:
@@ -169,4 +266,4 @@ Auth0 helps you to easily:
 The OmniAuth Auth0 strategy is licensed under MIT - [LICENSE](LICENSE)
 
 
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_large)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_large)

data/lib/omniauth-auth0/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Auth0
-    VERSION = '2.4.0'.freeze
+    VERSION = '3.0.0'.freeze
   end
 end

data/lib/omniauth/auth0/jwt_validator.rb

@@ -28,23 +28,34 @@ module OmniAuth
         @client_secret = options.client_secret
       end
 
+      # Verify a token's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
+      # Deprecated: Please use `decode` instead
+      # @return array - The token's key and signing algorithm
       def verify_signature(jwt)
         head = token_head(jwt)
+        key, alg = extract_key(head)
 
-        # Make sure the algorithm is supported and get the decode key.
-        if head[:alg] == 'RS256'
-          [rs256_decode_key(head[:kid]), head[:alg]]
-        elsif head[:alg] == 'HS256'
-          [@client_secret, head[:alg]]
-        else
-          raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
-        end
+        # Call decode to verify the signature
+        JWT.decode(jwt, key, true, decode_opts(alg))
+        return key, alg
+      end
+
+      # Decodes a JWT and verifies it's signature. Only tokens signed with the RS256 or HS256 signatures are supported.
+      # @param jwt string - JWT to verify.
+      # @return hash - The decoded token, if there were no exceptions.
+      # @see https://github.com/jwt/ruby-jwt
+      def decode(jwt)
+        head = token_head(jwt)
+        key, alg = extract_key(head)
+
+        # Call decode to verify the signature
+        JWT.decode(jwt, key, true, decode_opts(alg))
       end
 
       # Verify a JWT.
       # @param jwt string - JWT to verify.
       # @param authorize_params hash - Authorization params to verify on the JWT
-      # @return hash - The verified token, if there were no exceptions.
+      # @return hash - The verified token payload, if there were no exceptions.
       def verify(jwt, authorize_params = {})
         if !jwt
           raise OmniAuth::Auth0::TokenValidationError.new('ID token is required but missing')
@@ -55,8 +66,7 @@ module OmniAuth
           raise OmniAuth::Auth0::TokenValidationError.new('ID token could not be decoded')
         end
 
-        key, alg = verify_signature(jwt)
-        id_token, header = JWT.decode(jwt, key, false)
+        id_token, header = decode(jwt)
         verify_claims(id_token, authorize_params)
 
         return id_token
@@ -93,11 +103,37 @@ module OmniAuth
       end
 
       private
+      # Get the JWT decode options. We disable the claim checks since we perform our claim validation logic
+      # Docs: https://github.com/jwt/ruby-jwt
+      # @return hash
+      def decode_opts(alg)
+        {
+          algorithm: alg,
+          verify_expiration: false,
+          verify_iat: false,
+          verify_iss: false,
+          verify_aud: false,
+          verify_jti: false,
+          verify_subj: false,
+          verify_not_before: false
+        }
+      end
+
+      def extract_key(head)
+        if head[:alg] == 'RS256'
+          key, alg = [rs256_decode_key(head[:kid]), head[:alg]]
+        elsif head[:alg] == 'HS256'
+          key, alg = [@client_secret, head[:alg]]
+        else
+          raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
+        end
+      end
+
       def rs256_decode_key(kid)
         jwks_x5c = jwks_key(:x5c, kid)
 
         if jwks_x5c.nil?
-          raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}''")
+          raise OmniAuth::Auth0::TokenValidationError.new("Could not find a public key for Key ID (kid) '#{kid}'")
         end
 
         jwks_public_cert(jwks_x5c.first)
@@ -130,13 +166,15 @@ module OmniAuth
       def uri_string(uri)
         temp_domain = URI(uri)
         temp_domain = URI("https://#{uri}") unless temp_domain.scheme
-        "#{temp_domain}/"
+        temp_domain = temp_domain.to_s
+        temp_domain.end_with?('/') ? temp_domain : "#{temp_domain}/"
       end
 
       def verify_claims(id_token, authorize_params)
         leeway = authorize_params[:leeway] || 60
         max_age = authorize_params[:max_age]
         nonce = authorize_params[:nonce]
+        organization = authorize_params[:organization]
 
         verify_iss(id_token)
         verify_sub(id_token)
@@ -146,6 +184,7 @@ module OmniAuth
         verify_nonce(id_token, nonce)
         verify_azp(id_token)
         verify_auth_time(id_token, leeway, max_age)
+        verify_org(id_token, organization)
       end
 
       def verify_iss(id_token)
@@ -223,6 +262,17 @@ module OmniAuth
           end
         end
       end
+
+      def verify_org(id_token, organization)
+        if organization
+          org_id = id_token['org_id']
+          if !org_id || !org_id.is_a?(String)
+            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim must be a string present in the ID token")
+          elsif org_id != organization
+            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'")
+          end
+        end
+      end
     end
   end
 end