RubyGems - omniauth-auth0 - Versions diffs - 3.1.0 → 3.1.1 - Mend

omniauth-auth0 3.1.0 → 3.1.1

Files changed (17) hide show

checksums.yaml +4 -4
data/.circleci/config.yml +3 -3
data/.devcontainer/devcontainer.json +1 -1
data/.github/ISSUE_TEMPLATE/Bug Report.yml +76 -0
data/.github/ISSUE_TEMPLATE/Feature Request.yml +53 -0
data/.github/ISSUE_TEMPLATE/config.yml +2 -2
data/CHANGELOG.md +15 -0
data/EXAMPLES.md +19 -5
data/Gemfile +3 -3
data/Gemfile.lock +45 -41
data/lib/omniauth/auth0/jwt_validator.rb +19 -3
data/lib/omniauth-auth0/version.rb +1 -1
data/spec/omniauth/auth0/jwt_validator_spec.rb +109 -31
data/spec/spec_helper.rb +1 -0
metadata +9 -14
data/.github/ISSUE_TEMPLATE/feature_request.md +0 -39
data/.github/ISSUE_TEMPLATE/report_a_bug.md +0 -55

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c56b51f9b1e20c19151c11b2ebed36d976795af342e1ddb6e2faf8adbd606dc
-  data.tar.gz: d464a395f1a95859ce5bcba3956955e489319f7efd5a263f7e1a904810ab58db
+  metadata.gz: e33cfd70eb2e126c6126dc8149d6d8789b28f40cbf6a2fea272d5b53017a7579
+  data.tar.gz: 381fac626d61d83e726a345c88e37985b43d77212007588ab6d631af1950bdf1
 SHA512:
-  metadata.gz: c24758a4b888a15d499d5a0ad612932f2e452a361fba86dc5af59c812be1c77e10a5735f267e0abfb45e382b381003592b74bbb3fdef8814e58345741a57a978
-  data.tar.gz: a8db445c711acd8b1716baef83f95fad39c7c011c7918a862aabb55b69cae02105df3beced2155298478dc580985a5791acbfa629459116244f924f85e470c57
+  metadata.gz: e0fee57eeffd9f8b97320ce6f89807009c212d046706358840e3d2230e976893a16d8c53d77b3ddad75f3a94c12af46fcc645681673ce52b2d5ca98581a0ec37
+  data.tar.gz: 6af264bce75557a00c3032a805b824d2a7b231abd4f0221d649db471a657ad3fad53e01055dec6cf8c2cab076bae6ec91faa81806dd2837ca464df2e0d60ca48

data/.circleci/config.yml CHANGED Viewed

@@ -1,14 +1,14 @@
 version: 2.1
 orbs:
-  ship: auth0/ship@0
+  ship: auth0/ship@dev:d1e3a7f
   codecov: codecov/codecov@3
 matrix_rubyversions: &matrix_rubyversions
   matrix:
     parameters:
-      rubyversion: ["2.7", "3.0", "3.1"]
+      rubyversion: ["3.0", "3.1", "3.2"]
 # Default version of ruby to use for lint and publishing
-default_rubyversion: &default_rubyversion "2.7"
+default_rubyversion: &default_rubyversion "3.2"
 executors:
   ruby:

data/.devcontainer/devcontainer.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "Ruby",
-	"image": "mcr.microsoft.com/devcontainers/ruby:3.1",
+	"image": "mcr.microsoft.com/devcontainers/ruby:3.2",
 	"features": {
 		"ghcr.io/devcontainers/features/node:1": {
 			"version": "lts"

data/.github/ISSUE_TEMPLATE/Bug Report.yml ADDED Viewed

@@ -0,0 +1,76 @@
+name: 🐞 Report a bug
+description: Have you found a bug or issue? Create a bug report for this library
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        **Please do not report security vulnerabilities here**. The [Responsible Disclosure Program](https://auth0.com/responsible-disclosure-policy) details the procedure for disclosing security issues.
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Checklist
+      options:
+        - label: The issue can be reproduced in the [Rails sample app](https://github.com/auth0-samples/auth0-rubyonrails-sample/tree/master/sample) (or N/A).
+          required: true
+        - label: I have looked into the [Readme](https://github.com/auth0/omniauth-auth0#readme) and the [Examples](https://github.com/auth0/omniauth-auth0/blob/master/EXAMPLES.md), and have not found a suitable solution or answer.
+          required: true
+        - label: I have looked into the [API documentation](https://www.rubydoc.info/gems/omniauth-auth0) and have not found a suitable solution or answer.
+          required: true
+        - label: I have searched the [issues](https://github.com/auth0/omniauth-auth0/issues) and have not found a suitable solution or answer.
+          required: true
+        - label: I have searched the [Auth0 Community](https://community.auth0.com) forums and have not found a suitable solution or answer.
+          required: true
+        - label: I agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
+          required: true
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: Provide a clear and concise description of the issue, including what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: Reproduction
+      description: Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
+      placeholder: |
+        1. Step 1...
+        2. Step 2...
+        3. ...
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: Other libraries that might be involved, or any other relevant information you think would be useful.
+    validations:
+      required: false
+  - type: input
+    id: environment-version
+    attributes:
+      label: omniauth-auth0 version
+    validations:
+      required: true
+  - type: input
+    id: environment-omniauth-version
+    attributes:
+      label: OmniAuth version
+    validations:
+      required: true
+  - type: input
+    id: environment-ruby-version
+    attributes:
+      label: Ruby version
+    validations:
+      required: true

data/.github/ISSUE_TEMPLATE/Feature Request.yml ADDED Viewed

@@ -0,0 +1,53 @@
+name: 🧩 Feature request
+description: Suggest an idea or a feature for this library
+labels: ["feature request"]
+body:
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Checklist
+      options:
+        - label: I have looked into the [Readme](https://github.com/auth0/omniauth-auth0#readme) and the [Examples](https://github.com/auth0/omniauth-auth0/blob/master/EXAMPLES.md), and have not found a suitable solution or answer.
+          required: true
+        - label: I have looked into the [API documentation](https://www.rubydoc.info/gems/omniauth-auth0) and have not found a suitable solution or answer.
+          required: true
+        - label: I have searched the [issues](https://github.com/auth0/omniauth-auth0/issues) and have not found a suitable solution or answer.
+          required: true
+        - label: I have searched the [Auth0 Community](https://community.auth0.com) forums and have not found a suitable solution or answer.
+          required: true
+        - label: I agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
+          required: true
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the problem you'd like to have solved
+      description: A clear and concise description of what the problem is.
+      placeholder: I'm always frustrated when...
+    validations:
+      required: true
+  - type: textarea
+    id: ideal-solution
+    attributes:
+      label: Describe the ideal solution
+      description: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives-and-workarounds
+    attributes:
+      label: Alternatives and current workarounds
+      description: A clear and concise description of any alternatives you've considered or any workarounds that are currently in place.
+    validations:
+      required: false
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: Add any other context or screenshots about the feature request here.
+    validations:
+      required: false

data/.github/ISSUE_TEMPLATE/config.yml CHANGED Viewed

@@ -1,8 +1,8 @@
 blank_issues_enabled: false
 contact_links:
   - name: Auth0 Community
-    url: https://community.auth0.com/c/sdks/5
+    url: https://community.auth0.com
     about: Discuss this SDK in the Auth0 Community forums
   - name: Library Documentation
     url: https://github.com/auth0/omniauth-auth0#documentation
-    about: Read the library docs on Auth0.com
+    about: Read the library docs

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,20 @@
 # Change Log
+## [v3.2.0](https://github.com/auth0/omniauth-auth0/tree/v3.2.0) (2023-07-14)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.1.0...v3.2.0)
+**Added**
+- [SDK-4410] Support Organization Name in JWT validation [\#184](https://github.com/auth0/omniauth-auth0/pull/184) ([stevehobbsdev](https://github.com/stevehobbsdev))
+**Fixed**
+- fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests [\#165](https://github.com/auth0/omniauth-auth0/pull/165) ([stevehobbsdev](https://github.com/stevehobbsdev))
+## [v3.1.1](https://github.com/auth0/omniauth-auth0/tree/v3.1.1) (2023-03-01)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.1.0...v3.1.1)
+**Fixed**
+- fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests [\#165](https://github.com/auth0/omniauth-auth0/pull/165) ([stevehobbsdev](https://github.com/stevehobbsdev))
 ## [v3.1.0](https://github.com/auth0/omniauth-auth0/tree/v3.1.0) (2022-11-04)
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.0.0...v3.1.0)

data/EXAMPLES.md CHANGED Viewed

@@ -79,6 +79,7 @@ In some scenarios, you may need to pass specific query parameters to `/authorize
 - `screen_hint` (only relevant to New Universal Login Experience)
 - `organization`
 - `invitation`
+- `ui_locales` (only relevant to New Universal Login Experience)
 Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
@@ -124,25 +125,38 @@ When passing `openid` to the scope and `organization` to the authorize params, y
 ### Validating Organizations when using Organization Login Prompt
-When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known.
+When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, `org_id` or `org_name` claims will be present on the ID and access tokens, and should be validated to ensure that the value received is expected or known.
 Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
-In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token.
+In particular, the `org_id` and `org_name` claims should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token. For `org_id`, this should be a **case-sensitive, exact match check**. For `org_name`, this should be a **case-insentive check**.
+The decision to validate the `org_id` or `org_name` claim is determined by the expected organization ID or name having an `org_` prefix.
 Here is an example using it in your `callback` method
 ```ruby
-  def callback
-    claims = request.env['omniauth.auth']['extra']['raw_info']
+def callback
+  claims = request.env['omniauth.auth']['extra']['raw_info']
+  validate_as_id = expected_org.start_with?('org_')
-    if claims["org"] && claims["org"] !== expected_org
+  if validate_as_id
+    if claims["org_id"] && claims["org_id"] !== expected_org
+      redirect_to '/unauthorized', status: 401
+    else
+      session[:userinfo] = claims
+      redirect_to '/dashboard'
+    end
+  else
+    if claims["org_name"] && claims["org_name"].downcase !== expected_org.downcase
       redirect_to '/unauthorized', status: 401
     else
       session[:userinfo] = claims
       redirect_to '/dashboard'
     end
   end
+end
 ```
 For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.

data/Gemfile CHANGED Viewed

@@ -10,15 +10,15 @@ group :development do
   gem 'dotenv', '~> 2'
   gem 'pry', '~> 0'
   gem 'rubocop', '~> 1', require: false
-  gem 'shotgun', '~> 0'
-  gem 'sinatra', '~> 2'
+  gem 'shotgun', '~> 0', '>= 0.9.2'
+  gem 'sinatra', '~> 3'
   gem 'thin', '~> 1'
 end
 group :test do
   gem 'guard-rspec', '~> 4', require: false
   gem 'listen', '~> 3'
-  gem 'rack-test', '~> 2'
+  gem 'rack-test', '~> 2', '>= 2.0.2'
   gem 'rspec', '~> 3'
   gem 'simplecov-cobertura', '~> 2'
   gem 'webmock', '~> 3'

data/Gemfile.lock CHANGED Viewed

@@ -1,14 +1,14 @@
 PATH
   remote: .
   specs:
-    omniauth-auth0 (3.1.0)
+    omniauth-auth0 (3.1.1)
       omniauth (~> 2)
       omniauth-oauth2 (~> 1)
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.1)
+    addressable (2.8.4)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
     coderay (1.1.3)
@@ -19,7 +19,7 @@ GEM
     docile (1.4.0)
     dotenv (2.8.1)
     eventmachine (1.2.7)
-    faraday (2.7.1)
+    faraday (2.7.10)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
@@ -43,15 +43,16 @@ GEM
     hashdiff (1.0.1)
     hashie (5.0.0)
     json (2.6.3)
-    jwt (2.5.0)
-    listen (3.7.1)
+    jwt (2.7.1)
+    language_server-protocol (3.17.0.3)
+    listen (3.8.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
     lumberjack (1.2.8)
     method_source (1.0.0)
     multi_json (1.15.0)
     multi_xml (0.6.0)
-    mustermann (2.0.2)
+    mustermann (3.0.0)
       ruby2_keywords (~> 0.0.1)
     nenv (0.3.0)
     notiffany (0.1.3)
@@ -64,63 +65,66 @@ GEM
       rack (>= 1.2, < 4)
       snaky_hash (~> 2.0)
       version_gem (~> 1.1)
-    omniauth (2.1.0)
+    omniauth (2.1.1)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
       rack-protection
     omniauth-oauth2 (1.8.0)
       oauth2 (>= 1.4, < 3)
       omniauth (~> 2.0)
-    parallel (1.22.1)
-    parser (3.1.3.0)
+    parallel (1.23.0)
+    parser (3.2.2.3)
       ast (~> 2.4.1)
-    pry (0.14.1)
+      racc
+    pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.0)
-    rack (2.2.4)
-    rack-protection (2.2.3)
+    public_suffix (5.0.3)
+    racc (1.7.1)
+    rack (2.2.7)
+    rack-protection (3.0.6)
       rack
-    rack-test (2.0.2)
+    rack-test (2.1.0)
       rack (>= 1.3)
     rainbow (3.1.1)
     rake (13.0.6)
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
-    regexp_parser (2.6.1)
+    regexp_parser (2.8.1)
     rexml (3.2.5)
     rspec (3.12.0)
       rspec-core (~> 3.12.0)
       rspec-expectations (~> 3.12.0)
       rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.0)
+    rspec-core (3.12.2)
       rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.0)
+    rspec-expectations (3.12.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.0)
+    rspec-mocks (3.12.6)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-support (3.12.0)
-    rubocop (1.39.0)
+    rspec-support (3.12.1)
+    rubocop (1.54.2)
       json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.1.2.1)
+      parser (>= 3.2.2.3)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.23.0, < 2.0)
+      rubocop-ast (>= 1.28.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.24.0)
-      parser (>= 3.1.1.0)
-    ruby-progressbar (1.11.0)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.29.0)
+      parser (>= 3.2.1.0)
+    ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     shellany (0.0.1)
     shotgun (0.9.2)
       rack (>= 1.0)
-    simplecov (0.21.2)
+    simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
@@ -129,31 +133,31 @@ GEM
       simplecov (~> 0.19)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
-    sinatra (2.2.3)
-      mustermann (~> 2.0)
-      rack (~> 2.2)
-      rack-protection (= 2.2.3)
+    sinatra (3.0.6)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.0.6)
       tilt (~> 2.0)
     snaky_hash (2.0.1)
       hashie
       version_gem (~> 1.1, >= 1.1.1)
-    thin (1.8.1)
+    thin (1.8.2)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (1.2.1)
-    tilt (2.0.11)
-    unicode-display_width (2.3.0)
-    version_gem (1.1.1)
+    thor (1.2.2)
+    tilt (2.2.0)
+    unicode-display_width (2.4.2)
+    version_gem (1.1.3)
     webmock (3.18.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
 PLATFORMS
+  aarch64-linux
   arm64-darwin-21
-  x86_64-darwin-20
-  x86_64-darwin-21
+  x86_64-darwin-22
   x86_64-linux
 DEPENDENCIES
@@ -166,13 +170,13 @@ DEPENDENCIES
   multi_json (~> 1)
   omniauth-auth0!
   pry (~> 0)
-  rack-test (~> 2)
+  rack-test (~> 2, >= 2.0.2)
   rake (~> 13)
   rspec (~> 3)
   rubocop (~> 1)
-  shotgun (~> 0)
+  shotgun (~> 0, >= 0.9.2)
   simplecov-cobertura (~> 2)
-  sinatra (~> 2)
+  sinatra (~> 3)
   thin (~> 1)
   webmock (~> 3)

data/lib/omniauth/auth0/jwt_validator.rb CHANGED Viewed

@@ -7,6 +7,7 @@ require 'omniauth/auth0/errors'
 module OmniAuth
   module Auth0
     # JWT Validator class
+    # rubocop:disable Metrics/
     class JWTValidator
       attr_accessor :issuer, :domain
@@ -264,12 +265,27 @@ module OmniAuth
       end
       def verify_org(id_token, organization)
-        if organization
+        return unless organization
+        validate_as_id = organization.start_with? 'org_'
+        if validate_as_id
           org_id = id_token['org_id']
           if !org_id || !org_id.is_a?(String)
-            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim must be a string present in the ID token")
+            raise OmniAuth::Auth0::TokenValidationError,
+                  'Organization Id (org_id) claim must be a string present in the ID token'
           elsif org_id != organization
-            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'")
+            raise OmniAuth::Auth0::TokenValidationError,
+                  "Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'"
+          end
+        else
+          org_name = id_token['org_name']
+          if !org_name || !org_name.is_a?(String)
+            raise OmniAuth::Auth0::TokenValidationError,
+                  'Organization Name (org_name) claim must be a string present in the ID token'
+          elsif org_name != organization.downcase
+            raise OmniAuth::Auth0::TokenValidationError,
+                  "Organization Name (org_name) claim value mismatch in the ID token; expected '#{organization}', found '#{org_name}'"
           end
         end
       end

data/lib/omniauth-auth0/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module Auth0
-    VERSION = '3.1.0'.freeze
+    VERSION = '3.1.1'.freeze
   end
 end

data/spec/omniauth/auth0/jwt_validator_spec.rb CHANGED Viewed

@@ -476,41 +476,119 @@ describe OmniAuth::Auth0::JWTValidator do
       expect(id_token['auth_time']).to eq(auth_time)
     end
-    it 'should fail when authorize params has organization but org_id is missing in the token' do
-      payload = {
-        iss: "https://#{domain}/",
-        sub: 'sub',
-        aud: client_id,
-        exp: future_timecode,
-        iat: past_timecode
-      }
+    context 'Organization claim validation' do
+      it 'should fail when authorize params has organization but org_id is missing in the token' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode
+        }
-      token = make_hs256_token(payload)
-      expect do
-        jwt_validator.verify(token, { organization: 'Test Org' })
-      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
-        message: "Organization Id (org_id) claim must be a string present in the ID token"
-      }))
-    end
+        token = make_hs256_token(payload)
+        expect do
+          jwt_validator.verify(token, { organization: 'org_123' })
+        end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+          message: "Organization Id (org_id) claim must be a string present in the ID token"
+        }))
+      end
-    it 'should fail when authorize params has organization but token org_id does not match' do
-      payload = {
-        iss: "https://#{domain}/",
-        sub: 'sub',
-        aud: client_id,
-        exp: future_timecode,
-        iat: past_timecode,
-        org_id: 'Wrong Org'
-      }
+      it 'should fail when authorize params has organization but org_name is missing in the token' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode
+        }
-      token = make_hs256_token(payload)
-      expect do
-        jwt_validator.verify(token, { organization: 'Test Org' })
-      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
-        message: "Organization Id (org_id) claim value mismatch in the ID token; expected 'Test Org', found 'Wrong Org'"
-      }))
-    end
+        token = make_hs256_token(payload)
+        expect do
+          jwt_validator.verify(token, { organization: 'my-organization' })
+        end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and(having_attributes({
+          message: 'Organization Name (org_name) claim must be a string present in the ID token'
+        })))
+      end
+      it 'should fail when authorize params has organization but token org_id does not match' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_id: 'org_5678'
+        }
+        token = make_hs256_token(payload)
+        expect do
+          jwt_validator.verify(token, { organization: 'org_1234' })
+        end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and(having_attributes({
+          message: "Organization Id (org_id) claim value mismatch in the ID token; expected 'org_1234', found 'org_5678'"
+        })))
+      end
+      it 'should fail when authorize params has organization but token org_name does not match' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_name: 'another-organization'
+        }
+        token = make_hs256_token(payload)
+        expect do
+          jwt_validator.verify(token, { organization: 'my-organization' })
+        end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and(having_attributes({
+          message: "Organization Name (org_name) claim value mismatch in the ID token; expected 'my-organization', found 'another-organization'"
+        })))
+      end
+      it 'should not fail when correctly given an organization ID' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_id: 'org_1234'
+        }
+        token = make_hs256_token(payload)
+        jwt_validator.verify(token, { organization: 'org_1234' })
+      end
+      it 'should not fail when correctly given an organization name' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_name: 'my-organization'
+        }
+        token = make_hs256_token(payload)
+        jwt_validator.verify(token, { organization: 'my-organization' })
+      end
+      it 'should not fail when given an organization name in a different casing' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_name: 'my-organization'
+        }
+        token = make_hs256_token(payload)
+        jwt_validator.verify(token, { organization: 'MY-ORGANIZATION' })
+      end
+    end
     it 'should fail for RS256 token when kid is incorrect' do
       domain = 'example.org'
       sub = 'abc123'

data/spec/spec_helper.rb CHANGED Viewed

@@ -43,6 +43,7 @@ RSpec.configure do |config|
         enable :sessions
         set :show_exceptions, false
         set :session_secret, '9771aff2c634257053c62ba072c54754bd2cc92739b37e81c3eda505da48c2ec'
+        set :session_store, Rack::Session::Cookie
       end
       use OmniAuth::Builder do

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-auth0
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.1.1
 platform: ruby
 authors:
 - Auth0
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-08 00:00:00.000000000 Z
+date: 2023-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -68,9 +68,9 @@ files:
 - ".devcontainer/devcontainer.json"
 - ".gemrelease"
 - ".github/CODEOWNERS"
+- ".github/ISSUE_TEMPLATE/Bug Report.yml"
+- ".github/ISSUE_TEMPLATE/Feature Request.yml"
 - ".github/ISSUE_TEMPLATE/config.yml"
-- ".github/ISSUE_TEMPLATE/feature_request.md"
-- ".github/ISSUE_TEMPLATE/report_a_bug.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
 - ".github/stale.yml"
 - ".github/workflows/semgrep.yml"
@@ -109,7 +109,7 @@ homepage: https://github.com/auth0/omniauth-auth0
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -124,13 +124,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
-signing_key:
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: OmniAuth OAuth2 strategy for the Auth0 platform.
-test_files:
-- spec/omniauth/auth0/jwt_validator_spec.rb
-- spec/omniauth/auth0/telemetry_spec.rb
-- spec/omniauth/strategies/auth0_spec.rb
-- spec/resources/jwks.json
-- spec/spec_helper.rb
+test_files: []

data/.github/ISSUE_TEMPLATE/feature_request.md DELETED Viewed

@@ -1,39 +0,0 @@
----
-name: Feature request
-about: Suggest an idea or a feature for this project
-title: ''
-labels: feature request
-assignees: ''
----
-<!--
-**Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
-Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
-By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
--->
-### Describe the problem you'd like to have solved
-<!--
-> A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
--->
-### Describe the ideal solution
-<!--
-> A clear and concise description of what you want to happen.
--->
-## Alternatives and current work-arounds
-<!--
-> A clear and concise description of any alternatives you've considered or any work-arounds that are currently in place.
--->
-### Additional information, if any
-<!--
-> Add any other context or screenshots about the feature request here.
--->

data/.github/ISSUE_TEMPLATE/report_a_bug.md DELETED Viewed

@@ -1,55 +0,0 @@
----
-name: Report a bug
-about: Have you found a bug or issue? Create a bug report for this SDK
-title: ''
-labels: bug report
-assignees: ''
----
-<!--
-**Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
-Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
-By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
--->
-### Describe the problem
-<!--
-> Provide a clear and concise description of the issue
--->
-### What was the expected behavior?
-<!--
-> Tell us about the behavior you expected to see
--->
-### Reproduction
-<!--
-> Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
-> **Note**: If clear, reproducable steps or the smallest sample app demonstrating misbehavior cannot be provided, we may not be able to follow up on this bug report.
-> Where possible, please include:
->
-> - The smallest possible sample app that reproduces the undesirable behavior
-> - Log files (redact/remove sensitive information)
-> - Application settings (redact/remove sensitive information)
-> - Screenshots
--->
-- Step 1..
-- Step 2..
-- ...
-### Environment
-<!--
-> Please provide the following:
--->
-- **Version of this library used:**
-- **Which framework are you using, if applicable:**
-- **Other modules/plugins/libraries that might be involved:**
-- **Any other relevant information you think would be useful:**