omniauth-auth0 3.1.0 → 3.1.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7c56b51f9b1e20c19151c11b2ebed36d976795af342e1ddb6e2faf8adbd606dc
4
- data.tar.gz: d464a395f1a95859ce5bcba3956955e489319f7efd5a263f7e1a904810ab58db
3
+ metadata.gz: e33cfd70eb2e126c6126dc8149d6d8789b28f40cbf6a2fea272d5b53017a7579
4
+ data.tar.gz: 381fac626d61d83e726a345c88e37985b43d77212007588ab6d631af1950bdf1
5
5
  SHA512:
6
- metadata.gz: c24758a4b888a15d499d5a0ad612932f2e452a361fba86dc5af59c812be1c77e10a5735f267e0abfb45e382b381003592b74bbb3fdef8814e58345741a57a978
7
- data.tar.gz: a8db445c711acd8b1716baef83f95fad39c7c011c7918a862aabb55b69cae02105df3beced2155298478dc580985a5791acbfa629459116244f924f85e470c57
6
+ metadata.gz: e0fee57eeffd9f8b97320ce6f89807009c212d046706358840e3d2230e976893a16d8c53d77b3ddad75f3a94c12af46fcc645681673ce52b2d5ca98581a0ec37
7
+ data.tar.gz: 6af264bce75557a00c3032a805b824d2a7b231abd4f0221d649db471a657ad3fad53e01055dec6cf8c2cab076bae6ec91faa81806dd2837ca464df2e0d60ca48
data/.circleci/config.yml CHANGED
@@ -1,14 +1,14 @@
1
1
  version: 2.1
2
2
  orbs:
3
- ship: auth0/ship@0
3
+ ship: auth0/ship@dev:d1e3a7f
4
4
  codecov: codecov/codecov@3
5
5
 
6
6
  matrix_rubyversions: &matrix_rubyversions
7
7
  matrix:
8
8
  parameters:
9
- rubyversion: ["2.7", "3.0", "3.1"]
9
+ rubyversion: ["3.0", "3.1", "3.2"]
10
10
  # Default version of ruby to use for lint and publishing
11
- default_rubyversion: &default_rubyversion "2.7"
11
+ default_rubyversion: &default_rubyversion "3.2"
12
12
 
13
13
  executors:
14
14
  ruby:
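Review bot: `ship: auth0/ship@dev:d1e3a7f` pins the release orb to a dev-tagged build instead of a published version. CircleCI dev orb tags are mutable and expire, so the publishing job will resolve to whatever that tag happens to point at (or stop resolving at all) rather than to a fixed, reviewed revision of the orb. Restore a published version (`ship: auth0/ship@0` as before, or an exact `auth0/ship@x.y.z`) before this is merged, or record why the dev build is required for this release.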
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "Ruby",
3
- "image": "mcr.microsoft.com/devcontainers/ruby:3.1",
3
+ "image": "mcr.microsoft.com/devcontainers/ruby:3.2",
4
4
  "features": {
5
5
  "ghcr.io/devcontainers/features/node:1": {
6
6
  "version": "lts"
@@ -0,0 +1,76 @@
1
+ name: 🐞 Report a bug
2
+ description: Have you found a bug or issue? Create a bug report for this library
3
+ labels: ["bug"]
4
+
5
+ body:
6
+ - type: markdown
7
+ attributes:
8
+ value: |
9
+ **Please do not report security vulnerabilities here**. The [Responsible Disclosure Program](https://auth0.com/responsible-disclosure-policy) details the procedure for disclosing security issues.
10
+
11
+ - type: checkboxes
12
+ id: checklist
13
+ attributes:
14
+ label: Checklist
15
+ options:
16
+ - label: The issue can be reproduced in the [Rails sample app](https://github.com/auth0-samples/auth0-rubyonrails-sample/tree/master/sample) (or N/A).
17
+ required: true
18
+ - label: I have looked into the [Readme](https://github.com/auth0/omniauth-auth0#readme) and the [Examples](https://github.com/auth0/omniauth-auth0/blob/master/EXAMPLES.md), and have not found a suitable solution or answer.
19
+ required: true
20
+ - label: I have looked into the [API documentation](https://www.rubydoc.info/gems/omniauth-auth0) and have not found a suitable solution or answer.
21
+ required: true
22
+ - label: I have searched the [issues](https://github.com/auth0/omniauth-auth0/issues) and have not found a suitable solution or answer.
23
+ required: true
24
+ - label: I have searched the [Auth0 Community](https://community.auth0.com) forums and have not found a suitable solution or answer.
25
+ required: true
26
+ - label: I agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
27
+ required: true
28
+
29
+ - type: textarea
30
+ id: description
31
+ attributes:
32
+ label: Description
33
+ description: Provide a clear and concise description of the issue, including what you expected to happen.
34
+ validations:
35
+ required: true
36
+
37
+ - type: textarea
38
+ id: reproduction
39
+ attributes:
40
+ label: Reproduction
41
+ description: Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
42
+ placeholder: |
43
+ 1. Step 1...
44
+ 2. Step 2...
45
+ 3. ...
46
+ validations:
47
+ required: true
48
+
49
+ - type: textarea
50
+ id: additional-context
51
+ attributes:
52
+ label: Additional context
53
+ description: Other libraries that might be involved, or any other relevant information you think would be useful.
54
+ validations:
55
+ required: false
56
+
57
+ - type: input
58
+ id: environment-version
59
+ attributes:
60
+ label: omniauth-auth0 version
61
+ validations:
62
+ required: true
63
+
64
+ - type: input
65
+ id: environment-omniauth-version
66
+ attributes:
67
+ label: OmniAuth version
68
+ validations:
69
+ required: true
70
+
71
+ - type: input
72
+ id: environment-ruby-version
73
+ attributes:
74
+ label: Ruby version
75
+ validations:
76
+ required: true
@@ -0,0 +1,53 @@
1
+ name: 🧩 Feature request
2
+ description: Suggest an idea or a feature for this library
3
+ labels: ["feature request"]
4
+
5
+ body:
6
+ - type: checkboxes
7
+ id: checklist
8
+ attributes:
9
+ label: Checklist
10
+ options:
11
+ - label: I have looked into the [Readme](https://github.com/auth0/omniauth-auth0#readme) and the [Examples](https://github.com/auth0/omniauth-auth0/blob/master/EXAMPLES.md), and have not found a suitable solution or answer.
12
+ required: true
13
+ - label: I have looked into the [API documentation](https://www.rubydoc.info/gems/omniauth-auth0) and have not found a suitable solution or answer.
14
+ required: true
15
+ - label: I have searched the [issues](https://github.com/auth0/omniauth-auth0/issues) and have not found a suitable solution or answer.
16
+ required: true
17
+ - label: I have searched the [Auth0 Community](https://community.auth0.com) forums and have not found a suitable solution or answer.
18
+ required: true
19
+ - label: I agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
20
+ required: true
21
+
22
+ - type: textarea
23
+ id: description
24
+ attributes:
25
+ label: Describe the problem you'd like to have solved
26
+ description: A clear and concise description of what the problem is.
27
+ placeholder: I'm always frustrated when...
28
+ validations:
29
+ required: true
30
+
31
+ - type: textarea
32
+ id: ideal-solution
33
+ attributes:
34
+ label: Describe the ideal solution
35
+ description: A clear and concise description of what you want to happen.
36
+ validations:
37
+ required: true
38
+
39
+ - type: textarea
40
+ id: alternatives-and-workarounds
41
+ attributes:
42
+ label: Alternatives and current workarounds
43
+ description: A clear and concise description of any alternatives you've considered or any workarounds that are currently in place.
44
+ validations:
45
+ required: false
46
+
47
+ - type: textarea
48
+ id: additional-context
49
+ attributes:
50
+ label: Additional context
51
+ description: Add any other context or screenshots about the feature request here.
52
+ validations:
53
+ required: false
@@ -1,8 +1,8 @@
1
1
  blank_issues_enabled: false
2
2
  contact_links:
3
3
  - name: Auth0 Community
4
- url: https://community.auth0.com/c/sdks/5
4
+ url: https://community.auth0.com
5
5
  about: Discuss this SDK in the Auth0 Community forums
6
6
  - name: Library Documentation
7
7
  url: https://github.com/auth0/omniauth-auth0#documentation
8
- about: Read the library docs on Auth0.com
8
+ about: Read the library docs
data/CHANGELOG.md CHANGED
@@ -1,5 +1,20 @@
1
1
  # Change Log
2
2
 
3
+ ## [v3.2.0](https://github.com/auth0/omniauth-auth0/tree/v3.2.0) (2023-07-14)
4
+ [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.1.0...v3.2.0)
5
+
6
+ **Added**
7
+ - [SDK-4410] Support Organization Name in JWT validation [\#184](https://github.com/auth0/omniauth-auth0/pull/184) ([stevehobbsdev](https://github.com/stevehobbsdev))
8
+
9
+ **Fixed**
10
+ - fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests [\#165](https://github.com/auth0/omniauth-auth0/pull/165) ([stevehobbsdev](https://github.com/stevehobbsdev))
11
+
12
+ ## [v3.1.1](https://github.com/auth0/omniauth-auth0/tree/v3.1.1) (2023-03-01)
13
+ [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.1.0...v3.1.1)
14
+
15
+ **Fixed**
16
+ - fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests [\#165](https://github.com/auth0/omniauth-auth0/pull/165) ([stevehobbsdev](https://github.com/stevehobbsdev))
17
+
3
18
  ## [v3.1.0](https://github.com/auth0/omniauth-auth0/tree/v3.1.0) (2022-11-04)
4
19
 
5
20
  [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.0.0...v3.1.0)
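Review bot: the changelog does not line up with what the diff ships. The `VERSION` constant and the gem `metadata` move to 3.1.1, yet the v3.1.1 entry (dated 2023-03-01) lists only the Sinatra 3 test fix, while the `org_name` validation that this same diff adds to `JWTValidator#verify_org` is recorded under a v3.2.0 entry dated 2023-07-14, and the gem date in `metadata` is 2023-07-25. Either this is the 3.2.0 release and `VERSION` should say so (a new validation behaviour listed under **Added** is a feature, not a patch-level change), or the v3.2.0 block should not be in a 3.1.1 release. The PR #165 line is also duplicated under both entries.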
data/EXAMPLES.md CHANGED
@@ -79,6 +79,7 @@ In some scenarios, you may need to pass specific query parameters to `/authorize
79
79
  - `screen_hint` (only relevant to New Universal Login Experience)
80
80
  - `organization`
81
81
  - `invitation`
82
+ - `ui_locales` (only relevant to New Universal Login Experience)
82
83
 
83
84
  Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
84
85
 
@@ -124,25 +125,38 @@ When passing `openid` to the scope and `organization` to the authorize params, y
124
125
 
125
126
  ### Validating Organizations when using Organization Login Prompt
126
127
 
127
- When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known.
128
+ When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, `org_id` or `org_name` claims will be present on the ID and access tokens, and should be validated to ensure that the value received is expected or known.
128
129
 
129
130
  Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
130
131
 
131
- In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token.
132
+ In particular, the `org_id` and `org_name` claims should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token. For `org_id`, this should be a **case-sensitive, exact match check**. For `org_name`, this should be a **case-insentive check**.
133
+
134
+ The decision to validate the `org_id` or `org_name` claim is determined by the expected organization ID or name having an `org_` prefix.
132
135
 
133
136
  Here is an example using it in your `callback` method
134
137
 
135
138
  ```ruby
136
- def callback
137
- claims = request.env['omniauth.auth']['extra']['raw_info']
139
+ def callback
140
+ claims = request.env['omniauth.auth']['extra']['raw_info']
141
+
142
+ validate_as_id = expected_org.start_with?('org_')
138
143
 
139
- if claims["org"] && claims["org"] !== expected_org
144
+ if validate_as_id
145
+ if claims["org_id"] && claims["org_id"] !== expected_org
146
+ redirect_to '/unauthorized', status: 401
147
+ else
148
+ session[:userinfo] = claims
149
+ redirect_to '/dashboard'
150
+ end
151
+ else
152
+ if claims["org_name"] && claims["org_name"].downcase !== expected_org.downcase
140
153
  redirect_to '/unauthorized', status: 401
141
154
  else
142
155
  session[:userinfo] = claims
143
156
  redirect_to '/dashboard'
144
157
  end
145
158
  end
159
+ end
146
160
  ```
147
161
 
148
162
  For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.
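Review bot: the `callback` example admits a token whose organization claim is missing: `if claims["org_id"] && claims["org_id"] !== expected_org` only redirects to `/unauthorized` when the claim is present and wrong, so a token with no `org_id` (and, in the other branch, no `org_name`) falls into the `else` branch and reaches `/dashboard`, which contradicts the text above saying the claim should be validated. Reject the missing case too, e.g. `if claims["org_id"] != expected_org` (nil never equals the expected value), which is what `verify_org` in the library does. Two smaller points: `!==` is not a Ruby operator, so the snippet does not parse as written (use `!=`), and "case-insentive" in the paragraph above should read "case-insensitive".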
data/Gemfile CHANGED
@@ -10,15 +10,15 @@ group :development do
10
10
  gem 'dotenv', '~> 2'
11
11
  gem 'pry', '~> 0'
12
12
  gem 'rubocop', '~> 1', require: false
13
- gem 'shotgun', '~> 0'
14
- gem 'sinatra', '~> 2'
13
+ gem 'shotgun', '~> 0', '>= 0.9.2'
14
+ gem 'sinatra', '~> 3'
15
15
  gem 'thin', '~> 1'
16
16
  end
17
17
 
18
18
  group :test do
19
19
  gem 'guard-rspec', '~> 4', require: false
20
20
  gem 'listen', '~> 3'
21
- gem 'rack-test', '~> 2'
21
+ gem 'rack-test', '~> 2', '>= 2.0.2'
22
22
  gem 'rspec', '~> 3'
23
23
  gem 'simplecov-cobertura', '~> 2'
24
24
  gem 'webmock', '~> 3'
data/Gemfile.lock CHANGED
@@ -1,14 +1,14 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- omniauth-auth0 (3.1.0)
4
+ omniauth-auth0 (3.1.1)
5
5
  omniauth (~> 2)
6
6
  omniauth-oauth2 (~> 1)
7
7
 
8
8
  GEM
9
9
  remote: https://rubygems.org/
10
10
  specs:
11
- addressable (2.8.1)
11
+ addressable (2.8.4)
12
12
  public_suffix (>= 2.0.2, < 6.0)
13
13
  ast (2.4.2)
14
14
  coderay (1.1.3)
@@ -19,7 +19,7 @@ GEM
19
19
  docile (1.4.0)
20
20
  dotenv (2.8.1)
21
21
  eventmachine (1.2.7)
22
- faraday (2.7.1)
22
+ faraday (2.7.10)
23
23
  faraday-net_http (>= 2.0, < 3.1)
24
24
  ruby2_keywords (>= 0.0.4)
25
25
  faraday-net_http (3.0.2)
@@ -43,15 +43,16 @@ GEM
43
43
  hashdiff (1.0.1)
44
44
  hashie (5.0.0)
45
45
  json (2.6.3)
46
- jwt (2.5.0)
47
- listen (3.7.1)
46
+ jwt (2.7.1)
47
+ language_server-protocol (3.17.0.3)
48
+ listen (3.8.0)
48
49
  rb-fsevent (~> 0.10, >= 0.10.3)
49
50
  rb-inotify (~> 0.9, >= 0.9.10)
50
51
  lumberjack (1.2.8)
51
52
  method_source (1.0.0)
52
53
  multi_json (1.15.0)
53
54
  multi_xml (0.6.0)
54
- mustermann (2.0.2)
55
+ mustermann (3.0.0)
55
56
  ruby2_keywords (~> 0.0.1)
56
57
  nenv (0.3.0)
57
58
  notiffany (0.1.3)
@@ -64,63 +65,66 @@ GEM
64
65
  rack (>= 1.2, < 4)
65
66
  snaky_hash (~> 2.0)
66
67
  version_gem (~> 1.1)
67
- omniauth (2.1.0)
68
+ omniauth (2.1.1)
68
69
  hashie (>= 3.4.6)
69
70
  rack (>= 2.2.3)
70
71
  rack-protection
71
72
  omniauth-oauth2 (1.8.0)
72
73
  oauth2 (>= 1.4, < 3)
73
74
  omniauth (~> 2.0)
74
- parallel (1.22.1)
75
- parser (3.1.3.0)
75
+ parallel (1.23.0)
76
+ parser (3.2.2.3)
76
77
  ast (~> 2.4.1)
77
- pry (0.14.1)
78
+ racc
79
+ pry (0.14.2)
78
80
  coderay (~> 1.1)
79
81
  method_source (~> 1.0)
80
- public_suffix (5.0.0)
81
- rack (2.2.4)
82
- rack-protection (2.2.3)
82
+ public_suffix (5.0.3)
83
+ racc (1.7.1)
84
+ rack (2.2.7)
85
+ rack-protection (3.0.6)
83
86
  rack
84
- rack-test (2.0.2)
87
+ rack-test (2.1.0)
85
88
  rack (>= 1.3)
86
89
  rainbow (3.1.1)
87
90
  rake (13.0.6)
88
91
  rb-fsevent (0.11.2)
89
92
  rb-inotify (0.10.1)
90
93
  ffi (~> 1.0)
91
- regexp_parser (2.6.1)
94
+ regexp_parser (2.8.1)
92
95
  rexml (3.2.5)
93
96
  rspec (3.12.0)
94
97
  rspec-core (~> 3.12.0)
95
98
  rspec-expectations (~> 3.12.0)
96
99
  rspec-mocks (~> 3.12.0)
97
- rspec-core (3.12.0)
100
+ rspec-core (3.12.2)
98
101
  rspec-support (~> 3.12.0)
99
- rspec-expectations (3.12.0)
102
+ rspec-expectations (3.12.3)
100
103
  diff-lcs (>= 1.2.0, < 2.0)
101
104
  rspec-support (~> 3.12.0)
102
- rspec-mocks (3.12.0)
105
+ rspec-mocks (3.12.6)
103
106
  diff-lcs (>= 1.2.0, < 2.0)
104
107
  rspec-support (~> 3.12.0)
105
- rspec-support (3.12.0)
106
- rubocop (1.39.0)
108
+ rspec-support (3.12.1)
109
+ rubocop (1.54.2)
107
110
  json (~> 2.3)
111
+ language_server-protocol (>= 3.17.0)
108
112
  parallel (~> 1.10)
109
- parser (>= 3.1.2.1)
113
+ parser (>= 3.2.2.3)
110
114
  rainbow (>= 2.2.2, < 4.0)
111
115
  regexp_parser (>= 1.8, < 3.0)
112
116
  rexml (>= 3.2.5, < 4.0)
113
- rubocop-ast (>= 1.23.0, < 2.0)
117
+ rubocop-ast (>= 1.28.0, < 2.0)
114
118
  ruby-progressbar (~> 1.7)
115
- unicode-display_width (>= 1.4.0, < 3.0)
116
- rubocop-ast (1.24.0)
117
- parser (>= 3.1.1.0)
118
- ruby-progressbar (1.11.0)
119
+ unicode-display_width (>= 2.4.0, < 3.0)
120
+ rubocop-ast (1.29.0)
121
+ parser (>= 3.2.1.0)
122
+ ruby-progressbar (1.13.0)
119
123
  ruby2_keywords (0.0.5)
120
124
  shellany (0.0.1)
121
125
  shotgun (0.9.2)
122
126
  rack (>= 1.0)
123
- simplecov (0.21.2)
127
+ simplecov (0.22.0)
124
128
  docile (~> 1.1)
125
129
  simplecov-html (~> 0.11)
126
130
  simplecov_json_formatter (~> 0.1)
@@ -129,31 +133,31 @@ GEM
129
133
  simplecov (~> 0.19)
130
134
  simplecov-html (0.12.3)
131
135
  simplecov_json_formatter (0.1.4)
132
- sinatra (2.2.3)
133
- mustermann (~> 2.0)
134
- rack (~> 2.2)
135
- rack-protection (= 2.2.3)
136
+ sinatra (3.0.6)
137
+ mustermann (~> 3.0)
138
+ rack (~> 2.2, >= 2.2.4)
139
+ rack-protection (= 3.0.6)
136
140
  tilt (~> 2.0)
137
141
  snaky_hash (2.0.1)
138
142
  hashie
139
143
  version_gem (~> 1.1, >= 1.1.1)
140
- thin (1.8.1)
144
+ thin (1.8.2)
141
145
  daemons (~> 1.0, >= 1.0.9)
142
146
  eventmachine (~> 1.0, >= 1.0.4)
143
147
  rack (>= 1, < 3)
144
- thor (1.2.1)
145
- tilt (2.0.11)
146
- unicode-display_width (2.3.0)
147
- version_gem (1.1.1)
148
+ thor (1.2.2)
149
+ tilt (2.2.0)
150
+ unicode-display_width (2.4.2)
151
+ version_gem (1.1.3)
148
152
  webmock (3.18.1)
149
153
  addressable (>= 2.8.0)
150
154
  crack (>= 0.3.2)
151
155
  hashdiff (>= 0.4.0, < 2.0.0)
152
156
 
153
157
  PLATFORMS
158
+ aarch64-linux
154
159
  arm64-darwin-21
155
- x86_64-darwin-20
156
- x86_64-darwin-21
160
+ x86_64-darwin-22
157
161
  x86_64-linux
158
162
 
159
163
  DEPENDENCIES
@@ -166,13 +170,13 @@ DEPENDENCIES
166
170
  multi_json (~> 1)
167
171
  omniauth-auth0!
168
172
  pry (~> 0)
169
- rack-test (~> 2)
173
+ rack-test (~> 2, >= 2.0.2)
170
174
  rake (~> 13)
171
175
  rspec (~> 3)
172
176
  rubocop (~> 1)
173
- shotgun (~> 0)
177
+ shotgun (~> 0, >= 0.9.2)
174
178
  simplecov-cobertura (~> 2)
175
- sinatra (~> 2)
179
+ sinatra (~> 3)
176
180
  thin (~> 1)
177
181
  webmock (~> 3)
178
182
 
@@ -7,6 +7,7 @@ require 'omniauth/auth0/errors'
7
7
  module OmniAuth
8
8
  module Auth0
9
9
  # JWT Validator class
10
+ # rubocop:disable Metrics/
10
11
  class JWTValidator
11
12
  attr_accessor :issuer, :domain
12
13
 
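Review bot: `# rubocop:disable Metrics/` is malformed. With the trailing slash it is neither a cop name nor the bare `Metrics` department, so RuboCop does not recognise it and the directive has no effect beyond a warning; and there is no matching `# rubocop:enable`, so even written correctly it would silence the whole department for the rest of the file. Name the cops the longer `verify_org` actually trips (for example `Metrics/MethodLength` or `Metrics/AbcSize`) and re-enable them after the class.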
@@ -264,12 +265,27 @@ module OmniAuth
264
265
  end
265
266
 
266
267
  def verify_org(id_token, organization)
267
- if organization
268
+ return unless organization
269
+
270
+ validate_as_id = organization.start_with? 'org_'
271
+
272
+ if validate_as_id
268
273
  org_id = id_token['org_id']
269
274
  if !org_id || !org_id.is_a?(String)
270
- raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim must be a string present in the ID token")
275
+ raise OmniAuth::Auth0::TokenValidationError,
276
+ 'Organization Id (org_id) claim must be a string present in the ID token'
271
277
  elsif org_id != organization
272
- raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'")
278
+ raise OmniAuth::Auth0::TokenValidationError,
279
+ "Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'"
280
+ end
281
+ else
282
+ org_name = id_token['org_name']
283
+ if !org_name || !org_name.is_a?(String)
284
+ raise OmniAuth::Auth0::TokenValidationError,
285
+ 'Organization Name (org_name) claim must be a string present in the ID token'
286
+ elsif org_name != organization.downcase
287
+ raise OmniAuth::Auth0::TokenValidationError,
288
+ "Organization Name (org_name) claim value mismatch in the ID token; expected '#{organization}', found '#{org_name}'"
273
289
  end
274
290
  end
275
291
  end
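Review bot: the `org_name` comparison is only half case-insensitive. `elsif org_name != organization.downcase` lower-cases the value the application passed in but not the claim read from the token, so a claim containing any upper-case character is rejected even when it names the expected organization, while EXAMPLES.md in this same diff describes the check as case-insensitive and downcases both sides. Either compare `org_name.downcase != organization.downcase` or document that the check depends on Auth0 always issuing `org_name` in lower case. The mismatch message also reports `expected '#{organization}'` although the value actually compared is `organization.downcase`.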
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module Auth0
3
- VERSION = '3.1.0'.freeze
3
+ VERSION = '3.1.1'.freeze
4
4
  end
5
5
  end
@@ -476,41 +476,119 @@ describe OmniAuth::Auth0::JWTValidator do
476
476
  expect(id_token['auth_time']).to eq(auth_time)
477
477
  end
478
478
 
479
- it 'should fail when authorize params has organization but org_id is missing in the token' do
480
- payload = {
481
- iss: "https://#{domain}/",
482
- sub: 'sub',
483
- aud: client_id,
484
- exp: future_timecode,
485
- iat: past_timecode
486
- }
479
+ context 'Organization claim validation' do
480
+ it 'should fail when authorize params has organization but org_id is missing in the token' do
481
+ payload = {
482
+ iss: "https://#{domain}/",
483
+ sub: 'sub',
484
+ aud: client_id,
485
+ exp: future_timecode,
486
+ iat: past_timecode
487
+ }
487
488
 
488
- token = make_hs256_token(payload)
489
- expect do
490
- jwt_validator.verify(token, { organization: 'Test Org' })
491
- end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
492
- message: "Organization Id (org_id) claim must be a string present in the ID token"
493
- }))
494
- end
489
+ token = make_hs256_token(payload)
490
+ expect do
491
+ jwt_validator.verify(token, { organization: 'org_123' })
492
+ end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
493
+ message: "Organization Id (org_id) claim must be a string present in the ID token"
494
+ }))
495
+ end
495
496
 
496
- it 'should fail when authorize params has organization but token org_id does not match' do
497
- payload = {
498
- iss: "https://#{domain}/",
499
- sub: 'sub',
500
- aud: client_id,
501
- exp: future_timecode,
502
- iat: past_timecode,
503
- org_id: 'Wrong Org'
504
- }
497
+ it 'should fail when authorize params has organization but org_name is missing in the token' do
498
+ payload = {
499
+ iss: "https://#{domain}/",
500
+ sub: 'sub',
501
+ aud: client_id,
502
+ exp: future_timecode,
503
+ iat: past_timecode
504
+ }
505
505
 
506
- token = make_hs256_token(payload)
507
- expect do
508
- jwt_validator.verify(token, { organization: 'Test Org' })
509
- end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
510
- message: "Organization Id (org_id) claim value mismatch in the ID token; expected 'Test Org', found 'Wrong Org'"
511
- }))
512
- end
506
+ token = make_hs256_token(payload)
507
+ expect do
508
+ jwt_validator.verify(token, { organization: 'my-organization' })
509
+ end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and(having_attributes({
510
+ message: 'Organization Name (org_name) claim must be a string present in the ID token'
511
+ })))
512
+ end
513
513
 
514
+ it 'should fail when authorize params has organization but token org_id does not match' do
515
+ payload = {
516
+ iss: "https://#{domain}/",
517
+ sub: 'sub',
518
+ aud: client_id,
519
+ exp: future_timecode,
520
+ iat: past_timecode,
521
+ org_id: 'org_5678'
522
+ }
523
+
524
+ token = make_hs256_token(payload)
525
+ expect do
526
+ jwt_validator.verify(token, { organization: 'org_1234' })
527
+ end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and(having_attributes({
528
+ message: "Organization Id (org_id) claim value mismatch in the ID token; expected 'org_1234', found 'org_5678'"
529
+ })))
530
+ end
531
+
532
+ it 'should fail when authorize params has organization but token org_name does not match' do
533
+ payload = {
534
+ iss: "https://#{domain}/",
535
+ sub: 'sub',
536
+ aud: client_id,
537
+ exp: future_timecode,
538
+ iat: past_timecode,
539
+ org_name: 'another-organization'
540
+ }
541
+
542
+ token = make_hs256_token(payload)
543
+ expect do
544
+ jwt_validator.verify(token, { organization: 'my-organization' })
545
+ end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and(having_attributes({
546
+ message: "Organization Name (org_name) claim value mismatch in the ID token; expected 'my-organization', found 'another-organization'"
547
+ })))
548
+ end
549
+
550
+ it 'should not fail when correctly given an organization ID' do
551
+ payload = {
552
+ iss: "https://#{domain}/",
553
+ sub: 'sub',
554
+ aud: client_id,
555
+ exp: future_timecode,
556
+ iat: past_timecode,
557
+ org_id: 'org_1234'
558
+ }
559
+
560
+ token = make_hs256_token(payload)
561
+ jwt_validator.verify(token, { organization: 'org_1234' })
562
+ end
563
+
564
+ it 'should not fail when correctly given an organization name' do
565
+ payload = {
566
+ iss: "https://#{domain}/",
567
+ sub: 'sub',
568
+ aud: client_id,
569
+ exp: future_timecode,
570
+ iat: past_timecode,
571
+ org_name: 'my-organization'
572
+ }
573
+
574
+ token = make_hs256_token(payload)
575
+ jwt_validator.verify(token, { organization: 'my-organization' })
576
+ end
577
+
578
+ it 'should not fail when given an organization name in a different casing' do
579
+ payload = {
580
+ iss: "https://#{domain}/",
581
+ sub: 'sub',
582
+ aud: client_id,
583
+ exp: future_timecode,
584
+ iat: past_timecode,
585
+ org_name: 'my-organization'
586
+ }
587
+
588
+ token = make_hs256_token(payload)
589
+ jwt_validator.verify(token, { organization: 'MY-ORGANIZATION' })
590
+ end
591
+ end
514
592
  it 'should fail for RS256 token when kid is incorrect' do
515
593
  domain = 'example.org'
516
594
  sub = 'abc123'
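Review bot: the "different casing" spec only varies the expected value (`organization: 'MY-ORGANIZATION'` against a lower-case `org_name` claim); there is no case where the token claim itself is in mixed or upper case, so the suite passes even though `verify_org` compares the raw claim against `organization.downcase`. Add the mirror case (claim `'My-Organization'`, expected `'my-organization'`) and decide explicitly whether it should pass. There is also no spec where `organization` is given and the claim is present but not a String, which is the path the `is_a?(String)` guard exists for.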
data/spec/spec_helper.rb CHANGED
@@ -43,6 +43,7 @@ RSpec.configure do |config|
43
43
  enable :sessions
44
44
  set :show_exceptions, false
45
45
  set :session_secret, '9771aff2c634257053c62ba072c54754bd2cc92739b37e81c3eda505da48c2ec'
46
+ set :session_store, Rack::Session::Cookie
46
47
  end
47
48
 
48
49
  use OmniAuth::Builder do
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-auth0
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.0
4
+ version: 3.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Auth0
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-12-08 00:00:00.000000000 Z
11
+ date: 2023-07-25 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth
@@ -68,9 +68,9 @@ files:
68
68
  - ".devcontainer/devcontainer.json"
69
69
  - ".gemrelease"
70
70
  - ".github/CODEOWNERS"
71
+ - ".github/ISSUE_TEMPLATE/Bug Report.yml"
72
+ - ".github/ISSUE_TEMPLATE/Feature Request.yml"
71
73
  - ".github/ISSUE_TEMPLATE/config.yml"
72
- - ".github/ISSUE_TEMPLATE/feature_request.md"
73
- - ".github/ISSUE_TEMPLATE/report_a_bug.md"
74
74
  - ".github/PULL_REQUEST_TEMPLATE.md"
75
75
  - ".github/stale.yml"
76
76
  - ".github/workflows/semgrep.yml"
@@ -109,7 +109,7 @@ homepage: https://github.com/auth0/omniauth-auth0
109
109
  licenses:
110
110
  - MIT
111
111
  metadata: {}
112
- post_install_message:
112
+ post_install_message:
113
113
  rdoc_options: []
114
114
  require_paths:
115
115
  - lib
@@ -124,13 +124,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
124
124
  - !ruby/object:Gem::Version
125
125
  version: '0'
126
126
  requirements: []
127
- rubygems_version: 3.2.22
128
- signing_key:
127
+ rubygems_version: 3.4.10
128
+ signing_key:
129
129
  specification_version: 4
130
130
  summary: OmniAuth OAuth2 strategy for the Auth0 platform.
131
- test_files:
132
- - spec/omniauth/auth0/jwt_validator_spec.rb
133
- - spec/omniauth/auth0/telemetry_spec.rb
134
- - spec/omniauth/strategies/auth0_spec.rb
135
- - spec/resources/jwks.json
136
- - spec/spec_helper.rb
131
+ test_files: []
@@ -1,39 +0,0 @@
1
- ---
2
- name: Feature request
3
- about: Suggest an idea or a feature for this project
4
- title: ''
5
- labels: feature request
6
- assignees: ''
7
- ---
8
-
9
- <!--
10
- **Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
11
-
12
- Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
13
-
14
- By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
15
- -->
16
-
17
- ### Describe the problem you'd like to have solved
18
-
19
- <!--
20
- > A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
21
- -->
22
-
23
- ### Describe the ideal solution
24
-
25
- <!--
26
- > A clear and concise description of what you want to happen.
27
- -->
28
-
29
- ## Alternatives and current work-arounds
30
-
31
- <!--
32
- > A clear and concise description of any alternatives you've considered or any work-arounds that are currently in place.
33
- -->
34
-
35
- ### Additional information, if any
36
-
37
- <!--
38
- > Add any other context or screenshots about the feature request here.
39
- -->
@@ -1,55 +0,0 @@
1
- ---
2
- name: Report a bug
3
- about: Have you found a bug or issue? Create a bug report for this SDK
4
- title: ''
5
- labels: bug report
6
- assignees: ''
7
- ---
8
-
9
- <!--
10
- **Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
11
-
12
- Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
13
-
14
- By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
15
- -->
16
-
17
- ### Describe the problem
18
-
19
- <!--
20
- > Provide a clear and concise description of the issue
21
- -->
22
-
23
- ### What was the expected behavior?
24
-
25
- <!--
26
- > Tell us about the behavior you expected to see
27
- -->
28
-
29
- ### Reproduction
30
- <!--
31
- > Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
32
- > **Note**: If clear, reproducable steps or the smallest sample app demonstrating misbehavior cannot be provided, we may not be able to follow up on this bug report.
33
-
34
- > Where possible, please include:
35
- >
36
- > - The smallest possible sample app that reproduces the undesirable behavior
37
- > - Log files (redact/remove sensitive information)
38
- > - Application settings (redact/remove sensitive information)
39
- > - Screenshots
40
- -->
41
-
42
- - Step 1..
43
- - Step 2..
44
- - ...
45
-
46
- ### Environment
47
-
48
- <!--
49
- > Please provide the following:
50
- -->
51
-
52
- - **Version of this library used:**
53
- - **Which framework are you using, if applicable:**
54
- - **Other modules/plugins/libraries that might be involved:**
55
- - **Any other relevant information you think would be useful:**