omniauth-auth0 2.6.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f45e6ee50254603367c7de482ce5537b48c5faf1bc7a4f2797cf461f21b37198
-  data.tar.gz: 88eb699d3cf59148df15728b42d517e010bebe29617f1f9e972dc9656e5a79a2
+  metadata.gz: 7c56b51f9b1e20c19151c11b2ebed36d976795af342e1ddb6e2faf8adbd606dc
+  data.tar.gz: d464a395f1a95859ce5bcba3956955e489319f7efd5a263f7e1a904810ab58db
 SHA512:
-  metadata.gz: 829fd68186ab4685d7628b6a7c3a0cce95b1008396e6b6588e72b30ff7b077c103109bafe8e3e480539a07d715550fed27b2d73f537e505498a8b434655a0776
-  data.tar.gz: 8d03a181ad81f1b08618f542d1971d298a9751ca5d02e949bcf8f60bbf4d6ba2ce3463e6f5ce5a01945a82f24ce7e6f67881192f3e4214a2d05bb556ba6ef66e
+  metadata.gz: c24758a4b888a15d499d5a0ad612932f2e452a361fba86dc5af59c812be1c77e10a5735f267e0abfb45e382b381003592b74bbb3fdef8814e58345741a57a978
+  data.tar.gz: a8db445c711acd8b1716baef83f95fad39c7c011c7918a862aabb55b69cae02105df3beced2155298478dc580985a5791acbfa629459116244f924f85e470c57

data/.circleci/config.yml

@@ -1,8 +1,12 @@
 version: 2.1
+orbs:
+  ship: auth0/ship@0
+  codecov: codecov/codecov@3
+
 matrix_rubyversions: &matrix_rubyversions
   matrix:
     parameters:
-      rubyversion: ["2.5", "2.6", "2.7", "3.0"]
+      rubyversion: ["2.7", "3.0", "3.1"]
 # Default version of ruby to use for lint and publishing
 default_rubyversion: &default_rubyversion "2.7"
 
@@ -13,7 +17,7 @@ executors:
         type: string
         default: *default_rubyversion
     docker:
-      - image: circleci/ruby:<< parameters.rubyversion >>
+      - image: cimg/ruby:<< parameters.rubyversion >>
 
 jobs:
   run-tests:
@@ -30,15 +34,30 @@ jobs:
           keys:
             - gems-v2-{{ checksum "Gemfile" }}
             - gems-v2-
-      - run: bundle check || bundle install
+      - run: |
+          echo 'export BUNDLER_VERSION=$(cat Gemfile.lock | tail -1 | tr -d " ")' >> $BASH_ENV
+          source $BASH_ENV
+          gem install bundler
+          bundle check || bundle install
       - save_cache:
           key: gems-v2--{{ checksum "Gemfile" }}
           paths:
             - vendor/bundle
       - run: bundle exec rake spec
+      - codecov/upload
 
 workflows:
   tests:
     jobs:
       - run-tests:
           <<: *matrix_rubyversions
+      - ship/ruby-publish:
+          context:
+            - publish-rubygems
+            - publish-gh
+          filters:
+            branches:
+              only:
+                - master
+          requires:
+            - run-tests

data/.devcontainer/devcontainer.json

@@ -0,0 +1,18 @@
+{
+	"name": "Ruby",
+	"image": "mcr.microsoft.com/devcontainers/ruby:3.1",
+	"features": {
+		"ghcr.io/devcontainers/features/node:1": {
+			"version": "lts"
+		}
+	},
+	
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "ruby --version",
+
+	// Set `remoteUser` to `root` to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
+	"remoteUser": "vscode"
+}

data/.github/workflows/semgrep.yml

@@ -0,0 +1,24 @@
+name: Semgrep
+
+on:
+  pull_request: {}
+
+  push:
+    branches: ["master", "main"]
+
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - uses: actions/checkout@v3
+
+      - run: semgrep ci
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

data/.gitignore

@@ -10,5 +10,3 @@ tmp/
 ## Environment normalization:
 /.bundle
 /vendor/bundle
-
-Gemfile.lock

data/.semgrepignore

@@ -0,0 +1,4 @@
+examples/
+spec/
+CHANGELOG.md
+README.md

data/.shiprc

@@ -0,0 +1,7 @@
+{
+  "files": {
+    "lib/omniauth-auth0/version.rb": []
+  },
+  "prebump": "bundle install && bundle exec rake test",
+  "postbump": "bundle update"
+}

data/CHANGELOG.md

@@ -1,32 +1,96 @@
 # Change Log
 
+## [v3.1.0](https://github.com/auth0/omniauth-auth0/tree/v3.1.0) (2022-11-04)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.0.0...v3.1.0)
+
+**Added**
+
+- Add ui_locales to permitted params [\#135](https://github.com/auth0/omniauth-auth0/pull/135) ([martijn](https://github.com/martijn))
+
+**Changed**
+
+- Store plain Hash in session['authorize_params'] [\#150](https://github.com/auth0/omniauth-auth0/pull/150) ([santry](https://github.com/santry))
+- Redesign readme to match new style [\#148](https://github.com/auth0/omniauth-auth0/pull/148) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+**Fixed**
+
+- Fix authentication hash link in code sample [\#153](https://github.com/auth0/omniauth-auth0/pull/153) ([ewanharris](https://github.com/ewanharris))
+
+**Security**
+
+- [Snyk] Fix for 1 vulnerabilities [\#149](https://github.com/auth0/omniauth-auth0/pull/149) ([snyk-bot](https://github.com/snyk-bot))
+- Bump addressable from 2.7.0 to 2.8.0 [\#133](https://github.com/auth0/omniauth-auth0/pull/133) ([dependabot[bot]](https://github.com/apps/dependabot))
+- [Snyk] Security upgrade webmock from 3.12.2 to 3.12.2 [\#134](https://github.com/auth0/omniauth-auth0/pull/134) ([snyk-bot](https://github.com/snyk-bot))
+
+## [v3.0.0](https://github.com/auth0/omniauth-auth0/tree/v3.0.0) (2021-04-14)
+
+Version 3.0 introduces [Omniauth v2.0](https://github.com/omniauth/omniauth/releases/tag/v2.0.0) which addresses [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284). Omniauth now defaults to only allow `POST` as the allowed request_phase method. This was previously handled through the recommended [mitigation](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284) using the `omniauth-rails_csrf_protection v0.x.x` gem to provide CSRF protection.
+
+### Upgrading to omniauth-rails_csrf_protection v1.0.0
+
+If you are using `omniauth-rails_csrf_protection` to provide CSRF protection, you will need to be upgrade to `1.x.x`.
+
+### BREAKING CHANGES
+
+Now that OmniAuth now defaults to only `POST` as the allowed request_phase method, if you aren't already, you will need to convert any login links to use [form helpers](https://api.rubyonrails.org/classes/ActionView/Helpers/FormHelper.html#method-i-form_for) with the `POST` method.
+
+```html+ruby
+# OLD -- GET request
+<a href='/auth/auth0'>Login</a>
+
+# NEW Example #1 -- POST request
+<%= link_to 'Login', 'auth/auth0', method: :post %>
+
+# NEW Example #2 -- POST request
+<%= button_to 'Login', 'auth/auth0', method: :post %>
+
+# NEW Example #3 -- POST request
+<%= form_tag('/auth/auth0', method: :post) do %>
+  <button type='submit'></button>
+<% end %>
+```
+
+### Allowing GET Requests
+
+In the scenario you absolutely must use GET requests as an allowed request method for authentication, you can override the protection provided with the following config override:
+
+```ruby
+# Allowing GET requests will expose you to CVE-2015-9284
+OmniAuth.config.allowed_request_methods = [:get, :post]
+```
+
 ## [v2.6.0](https://github.com/auth0/omniauth-auth0/tree/v2.6.0) (2021-04-01)
 
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.5.0...v2.6.0)
 
 **Added**
-- Org Support [SDK-2395]  [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick))
-- Add login_hint to permitted params  [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz))
+
+- Org Support [SDK-2395] [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick))
+- Add login_hint to permitted params [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz))
 
 ## [v2.5.0](https://github.com/auth0/omniauth-auth0/tree/v2.5.0) (2021-01-21)
 
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.2...v2.5.0)
 
 **Added**
+
 - Parsing claims from the id_token [\#120](https://github.com/auth0/omniauth-auth0/pull/120) ([davidpatrick](https://github.com/davidpatrick))
 
 **Changed**
+
 - Setup build matrix in CI [\#116](https://github.com/auth0/omniauth-auth0/pull/116) ([dmathieu](https://github.com/dmathieu))
 
 **Fixed**
-- Fixes params passed to authorize [\#119](https://github.com/auth0/omniauth-auth0/pull/119) ([davidpatrick](https://github.com/davidpatrick))
 
+- Fixes params passed to authorize [\#119](https://github.com/auth0/omniauth-auth0/pull/119) ([davidpatrick](https://github.com/davidpatrick))
 
 ## [v2.4.2](https://github.com/auth0/omniauth-auth0/tree/v2.4.2) (2021-01-19)
 
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.1...v2.4.2)
 
 **Fixed**
+
 - Lock Omniauth to 1.9 in gemspec
 
 ## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08)
@@ -34,22 +98,23 @@
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1)
 
 **Fixed**
-- Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
 
+- Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
 
 ## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22)
 
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0)
 
 **Security**
+
 - Bump rack from 2.2.2 to 2.2.3 [\#107](https://github.com/auth0/omniauth-auth0/pull/107) ([dependabot](https://github.com/dependabot))
 - Update dependencies [\#100](https://github.com/auth0/omniauth-auth0/pull/100) ([Albalmaceda](https://github.com/Albalmaceda))
 
 **Added**
+
 - Add support for screen_hint=signup param [\#103](https://github.com/auth0/omniauth-auth0/pull/103) ([bbean86](https://github.com/bbean86))
 - Add support for `connection_scope` in params [\#99](https://github.com/auth0/omniauth-auth0/pull/99) ([felixclack](https://github.com/felixclack))
 
-
 ## [v2.3.1](https://github.com/auth0/omniauth-auth0/tree/v2.3.1) (2020-03-27)
 
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.3.1)
@@ -60,29 +125,37 @@
 - Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" [\#96](https://github.com/auth0/omniauth-auth0/pull/96) ([stefanwork](https://github.com/stefanwork))
 
 ## [v2.3.0](https://github.com/auth0/omniauth-auth0/tree/v2.3.0) (2020-03-06)
+
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.2.0...v2.3.0)
 
 **Added**
+
 - Improved OIDC Compliance [\#92](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick))
 
 ## [v2.2.0](https://github.com/auth0/omniauth-auth0/tree/v2.2.0) (2018-04-18)
+
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.1.0...v2.2.0)
 
 **Closed issues**
+
 - It supports custom domain? [\#71](https://github.com/auth0/omniauth-auth0/issues/71)
 - Valid Login, No Details: email=nil image=nil name="github|38257089" nickname=nil [\#70](https://github.com/auth0/omniauth-auth0/issues/70)
 
 **Added**
+
 - Custom issuer [\#77](https://github.com/auth0/omniauth-auth0/pull/77) ([ryan-rosenfeld](https://github.com/ryan-rosenfeld))
 - Add telemetry to token endpoint [\#74](https://github.com/auth0/omniauth-auth0/pull/74) ([joshcanhelp](https://github.com/joshcanhelp))
 
 **Changed**
+
 - Remove telemetry from authorize URL [\#75](https://github.com/auth0/omniauth-auth0/pull/75) ([joshcanhelp](https://github.com/joshcanhelp))
 
 ## [v2.1.0](https://github.com/auth0/omniauth-auth0/tree/v2.1.0) (2018-10-30)
+
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.0.0...v2.1.0)
 
 **Closed issues**
+
 - URL should be spelled uppercase outside of code [\#64](https://github.com/auth0/omniauth-auth0/issues/64)
 - Add prompt=none authorization param handler [\#58](https://github.com/auth0/omniauth-auth0/issues/58)
 - Could not find a valid mapping for path "/auth/oauth2/callback" [\#56](https://github.com/auth0/omniauth-auth0/issues/56)
@@ -91,18 +164,22 @@
 - /auth/:provider route not registered? [\#47](https://github.com/auth0/omniauth-auth0/issues/47)
 
 **Added**
+
 - Add ID token validation [\#62](https://github.com/auth0/omniauth-auth0/pull/62) ([joshcanhelp](https://github.com/joshcanhelp))
 - Silent authentication [\#59](https://github.com/auth0/omniauth-auth0/pull/59) ([batalla3692](https://github.com/batalla3692))
 - Pass connection parameter to auth0 [\#54](https://github.com/auth0/omniauth-auth0/pull/54) ([tomgi](https://github.com/tomgi))
 
 **Changed**
+
 - Update to omniauth-oauth2 [\#55](https://github.com/auth0/omniauth-auth0/pull/55) ([chills42](https://github.com/chills42))
 
 **Fixed**
+
 - Fix Rubocop errors [\#66](https://github.com/auth0/omniauth-auth0/pull/66) ([joshcanhelp](https://github.com/joshcanhelp))
 - Fix minute bug in README.md [\#63](https://github.com/auth0/omniauth-auth0/pull/63) ([rahuldess](https://github.com/rahuldess))
 
 ## [v2.0.0](https://github.com/auth0/omniauth-auth0/tree/v2.0.0) (2017-01-25)
+
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.1...v2.0.0)
 
 Updated library to handle OIDC conformant clients and OAuth2 features in Auth0.
@@ -120,31 +197,36 @@ The `info` object will use the [OmniAuth schema](https://github.com/omniauth/omn
 Also in `extra` will have in `raw_info` the full /userinfo response.
 
 **Fixed**
+
 - Use image attribute of omniauth instead of picture [\#45](https://github.com/auth0/omniauth-auth0/pull/45) ([hzalaz](https://github.com/hzalaz))
-- Rework strategy to handle OAuth and OIDC  [\#44](https://github.com/auth0/omniauth-auth0/pull/44) ([hzalaz](https://github.com/hzalaz))
+- Rework strategy to handle OAuth and OIDC [\#44](https://github.com/auth0/omniauth-auth0/pull/44) ([hzalaz](https://github.com/hzalaz))
 - lock v10 update, dependencies update [\#41](https://github.com/auth0/omniauth-auth0/pull/41) ([Amialc](https://github.com/Amialc))
 
 ## [v1.4.2](https://github.com/auth0/omniauth-auth0/tree/v1.4.2) (2016-06-13)
+
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.1...v1.4.2)
 
 **Added**
+
 - Link to OmniAuth site [\#36](https://github.com/auth0/omniauth-auth0/pull/36) ([jghaines](https://github.com/jghaines))
 - add ssl fix to RoR example [\#31](https://github.com/auth0/omniauth-auth0/pull/31) ([Amialc](https://github.com/Amialc))
 - Update LICENSE [\#17](https://github.com/auth0/omniauth-auth0/pull/17) ([aguerere](https://github.com/aguerere))
 
 **Changed**
+
 - Update lock to version 9 [\#34](https://github.com/auth0/omniauth-auth0/pull/34) ([Annyv2](https://github.com/Annyv2))
 - Update Gemfile [\#22](https://github.com/auth0/omniauth-auth0/pull/22) ([Annyv2](https://github.com/Annyv2))
 - Update lock [\#15](https://github.com/auth0/omniauth-auth0/pull/15) ([Annyv2](https://github.com/Annyv2))
 
 **Fixed**
+
 - Fix setup [\#38](https://github.com/auth0/omniauth-auth0/pull/38) ([deepak](https://github.com/deepak))
 - Added missing instruction [\#30](https://github.com/auth0/omniauth-auth0/pull/30) ([Annyv2](https://github.com/Annyv2))
 - Fixes undefined Auth0Lock issue [\#28](https://github.com/auth0/omniauth-auth0/pull/28) ([Annyv2](https://github.com/Annyv2))
 - Update Readme [\#27](https://github.com/auth0/omniauth-auth0/pull/27) ([Annyv2](https://github.com/Annyv2))
 
-
 ## [v1.4.1](https://github.com/auth0/omniauth-auth0/tree/v1.4.1) (2015-11-18)
+
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.0...v1.4.1)
 
 **Merged pull requests:**
@@ -155,6 +237,7 @@ Also in `extra` will have in `raw_info` the full /userinfo response.
 - Add nested module in version.rb [\#9](https://github.com/auth0/omniauth-auth0/pull/9) ([l4u](https://github.com/l4u))
 
 ## [v1.4.0](https://github.com/auth0/omniauth-auth0/tree/v1.4.0) (2015-06-01)
+
 **Merged pull requests:**
 
 - Client headers [\#8](https://github.com/auth0/omniauth-auth0/pull/8) ([benschwarz](https://github.com/benschwarz))
@@ -163,6 +246,4 @@ Also in `extra` will have in `raw_info` the full /userinfo response.
 - Update README.md [\#3](https://github.com/auth0/omniauth-auth0/pull/3) ([pose](https://github.com/pose))
 - Fix Markdown typo [\#2](https://github.com/auth0/omniauth-auth0/pull/2) ([dentarg](https://github.com/dentarg))
 
-
-
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
+\* _This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)_

data/EXAMPLES.md

@@ -0,0 +1,167 @@
+* [Example of the resulting authentication hash](#example-of-the-resulting-authentication-hash)
+* [Send additional authentication parameters](#send-additional-authentication-parameters)
+* [Query Parameter Options](#query-parameter-options)
+* [Auth0 Organizations](#auth0-organizations)
+  - [Logging in with an Organization](#logging-in-with-an-organization)
+  - [Validating Organizations when using Organization Login Prompt](#validating-organizations-when-using-organization-login-prompt)
+  - [Accepting user invitations](#accepting-user-invitations)
+
+### Example of the resulting authentication hash
+
+The Auth0 strategy will provide the standard OmniAuth hash attributes:
+
+- `:provider` - the name of the strategy, in this case `auth0`
+- `:uid` - the user identifier
+- `:info` - the result of the call to `/userinfo` using OmniAuth standard attributes
+- `:credentials` - tokens requested and data
+- `:extra` - Additional info obtained from calling `/userinfo` in the `:raw_info` property
+
+```ruby
+{
+  :provider => 'auth0',
+  :uid => 'auth0|USER_ID',
+  :info => {
+    :name => 'John Foo',
+    :email => 'johnfoo@example.org',
+    :nickname => 'john',
+    :image => 'https://example.org/john.jpg'
+  },
+  :credentials => {
+    :token => 'ACCESS_TOKEN',
+    :expires_at => 1485373937,
+    :expires => true,
+    :refresh_token => 'REFRESH_TOKEN',
+    :id_token => 'JWT_ID_TOKEN',
+    :token_type => 'bearer',
+  },
+  :extra => {
+    :raw_info => {
+      :email => 'johnfoo@example.org',
+      :email_verified => 'true',
+      :name => 'John Foo',
+      :picture => 'https://example.org/john.jpg',
+      :user_id => 'auth0|USER_ID',
+      :nickname => 'john',
+      :created_at => '2014-07-15T17:19:50.387Z'
+    }
+  }
+}
+```
+
+## Send additional authentication parameters
+
+To send additional parameters during login, you can specify them when you register the provider:
+
+```ruby
+provider
+  :auth0,
+  ENV['AUTH0_CLIENT_ID'],
+  ENV['AUTH0_CLIENT_SECRET'],
+  ENV['AUTH0_DOMAIN'],
+  {
+    authorize_params: {
+      scope: 'openid read:users write:order',
+      audience: 'https://mydomain/api',
+      max_age: 3600 # time in seconds authentication is valid
+    }
+  }
+```
+
+This will tell the strategy to send those parameters on every authentication request.
+
+## Query Parameter Options
+
+In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this:
+
+- `connection`
+- `connection_scope`
+- `prompt`
+- `screen_hint` (only relevant to New Universal Login Experience)
+- `organization`
+- `invitation`
+
+Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
+
+## Auth0 Organizations
+
+[Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
+
+Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.
+
+### Logging in with an Organization
+
+Logging in with an Organization is as easy as passing the parameters to the authorize endpoint. You can do this with
+
+```ruby
+<%=
+    button_to 'Login', 'auth/auth0',
+    method: :post,
+    params: {
+      # Found in your Auth0 dashboard, under Organization settings:
+      organization: '{AUTH0_ORGANIZATION}'
+    }
+%>
+```
+
+Alternatively you can configure the organization when you register the provider:
+
+```ruby
+provider
+  :auth0,
+  ENV['AUTH0_CLIENT_ID'],
+  ENV['AUTH0_CLIENT_SECRET'],
+  ENV['AUTH0_DOMAIN']
+  {
+    authorize_params: {
+      scope: 'openid read:users',
+      audience: 'https://{AUTH0_DOMAIN}/api',
+      organization: '{AUTH0_ORGANIZATION}'
+    }
+  }
+```
+
+When passing `openid` to the scope and `organization` to the authorize params, you will receive an ID token on callback with the `org_id` claim. This claim is validated for you by the SDK.
+
+### Validating Organizations when using Organization Login Prompt
+
+When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known.
+
+Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
+
+In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token.
+
+Here is an example using it in your `callback` method
+
+```ruby
+  def callback
+    claims = request.env['omniauth.auth']['extra']['raw_info']
+
+    if claims["org"] && claims["org"] !== expected_org
+      redirect_to '/unauthorized', status: 401
+    else
+      session[:userinfo] = claims
+      redirect_to '/dashboard'
+    end
+  end
+```
+
+For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.
+
+### Accepting user invitations
+
+Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard.
+
+When the user arrives at your application using an invite link, you can expect three query parameters to be provided: `invitation`, `organization`, and `organization_name`. These will always be delivered using a GET request.
+
+You can then supply those parametrs to a `button_to` or `link_to` helper
+
+```ruby
+<%=
+    button_to 'Login', 'auth/auth0',
+    method: :post,
+    params: {
+      organization: '{YOUR_ORGANIZATION_ID}',
+      invitation: '{INVITE_CODE}'
+    }
+%>
+```

data/Gemfile

@@ -2,25 +2,25 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'gem-release'
-gem 'jwt'
-gem 'rake'
+gem 'gem-release', '~> 2'
+gem 'jwt', '~> 2'
+gem 'rake', '~> 13'
 
 group :development do
-  gem 'dotenv'
-  gem 'pry'
-  gem 'rubocop', require: false
-  gem 'shotgun'
-  gem 'sinatra'
-  gem 'thin'
+  gem 'dotenv', '~> 2'
+  gem 'pry', '~> 0'
+  gem 'rubocop', '~> 1', require: false
+  gem 'shotgun', '~> 0'
+  gem 'sinatra', '~> 2'
+  gem 'thin', '~> 1'
 end
 
 group :test do
-  gem 'guard-rspec', require: false
+  gem 'guard-rspec', '~> 4', require: false
   gem 'listen', '~> 3'
-  gem 'rack-test'
-  gem 'rspec', '~> 3.5'
-  gem 'codecov', require: false
-  gem 'simplecov'
-  gem 'webmock'
+  gem 'rack-test', '~> 2'
+  gem 'rspec', '~> 3'
+  gem 'simplecov-cobertura', '~> 2'
+  gem 'webmock', '~> 3'
+  gem 'multi_json', '~> 1'
 end