omniauth-auth0 3.1.0 → 3.2.0

data/.github/workflows/ruby-release.yml

@@ -0,0 +1,72 @@
+name: Create Release
+
+on:
+  workflow_call:
+    inputs:
+      ruby-version:
+        required: true
+        type: string
+    secrets:
+      github-token:
+        required: true
+      rubygems-token:
+        required: true
+
+jobs:
+  release:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+    runs-on: ubuntu-latest
+    environment: release
+
+    steps:
+      # Checkout the code
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      # Get the version from the branch name
+      - id: get_version
+        uses: ./.github/actions/get-version
+
+      # Get the prerelease flag from the branch name
+      - id: get_prerelease
+        uses: ./.github/actions/get-prerelease
+        with:
+          version: ${{ steps.get_version.outputs.version }}
+
+      # Get the release notes
+      # This will expose the release notes as env.RELEASE_NOTES
+      - id: get_release_notes
+        uses: ./.github/actions/get-release-notes
+        with:
+          token: ${{ secrets.github-token }}
+          version: ${{ steps.get_version.outputs.version }}
+          repo_owner: ${{ github.repository_owner }}
+          repo_name: ${{ github.event.repository.name }}
+
+      # Check if the tag already exists
+      - id: tag_exists
+        uses: ./.github/actions/tag-exists
+        with:
+          tag: ${{ steps.get_version.outputs.version }}
+          token: ${{ secrets.github-token }}
+
+      # If the tag already exists, exit with an error
+      - if: steps.tag_exists.outputs.exists == 'true'
+        run: exit 1
+
+      # Publish the release to our package manager
+      - uses: ./.github/actions/rubygems-publish
+        with:
+          ruby-version: ${{ inputs.ruby-version }}
+          rubygems-token: ${{ secrets.rubygems-token }}
+
+      # Create a release for the tag
+      - uses: ./.github/actions/release-create
+        with:
+          token: ${{ secrets.github-token }}
+          name: ${{ steps.get_version.outputs.version }}
+          body: ${{ steps.get_release_notes.outputs.release-notes }}
+          tag: ${{ steps.get_version.outputs.version }}
+          commit: ${{ github.sha }}
+          prerelease: ${{ steps.get_prerelease.outputs.prerelease }}

data/.github/workflows/snyk.yml

@@ -0,0 +1,40 @@
+name: Snyk
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: "30 0 1,15 * *"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  check:
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - run: npm install -g snyk
+
+      - run: snyk test
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

data/.github/workflows/test.yml

@@ -0,0 +1,69 @@
+name: Build and Test
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+  push:
+    branches:
+      - master
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+env:
+  CACHE_KEY: "${{ github.ref }}-${{ github.run_id }}-${{ github.run_attempt }}"
+
+jobs:
+  configure:
+    name: Configure Build Matrix
+    runs-on: ubuntu-latest
+
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - id: set-matrix
+        run: echo "matrix=$(jq -c . < ./.github/workflows/matrix.json)" >> $GITHUB_OUTPUT
+
+  unit:
+    needs: configure
+
+    name: Run Unit Tests
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix: ${{ fromJson(needs.configure.outputs.matrix) }}
+
+    env:
+      DOMAIN: example.auth0.dev
+      CLIENT_ID: example-client
+      CLIENT_SECRET: example-secret
+      MASTER_JWT: example-jwt
+      BUNDLE_PATH: vendor/bundle
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Configure Ruby
+        uses: ./.github/actions/setup
+        with:
+          ruby: ${{ matrix.ruby }}
+
+      - name: Run tests
+        run: bundle exec rake spec
+
+      - name: Upload coverage
+        if: matrix.ruby == '3.2'
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4

data/.shiprc

@@ -1,6 +1,7 @@
 {
   "files": {
-    "lib/omniauth-auth0/version.rb": []
+    "lib/omniauth-auth0/version.rb": [],
+    ".version": []
   },
   "prebump": "bundle install && bundle exec rake test",
   "postbump": "bundle update"

data/.version

@@ -0,0 +1 @@
+v3.2.0

data/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Change Log
 
+## [v3.2.0](https://github.com/auth0/omniauth-auth0/tree/v3.2.0) (2026-05-27)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.1.1...v3.2.0)
+
+**Added**
+- Add support for client assertion signing key authentication [\#203](https://github.com/auth0/omniauth-auth0/pull/203) ([kaczowkad](https://github.com/kaczowkad))
+
+**Dependency Bumps**
+- Bump faraday from 2.7.10 to 2.14.1 [\#215](https://github.com/auth0/omniauth-auth0/pull/215) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rack from 2.2.7 to 2.2.23 [\#217](https://github.com/auth0/omniauth-auth0/pull/217) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rexml from 3.2.5 to 3.3.9 [\#206](https://github.com/auth0/omniauth-auth0/pull/206) ([arpit-jn](https://github.com/arpit-jn))
+
+## [v3.1.1](https://github.com/auth0/omniauth-auth0/tree/v3.1.1) (2023-03-01)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.1.0...v3.1.1)
+
+**Added**
+- [SDK-4410] Support Organization Name in JWT validation [\#184](https://github.com/auth0/omniauth-auth0/pull/184) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+**Fixed**
+- fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests [\#165](https://github.com/auth0/omniauth-auth0/pull/165) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
 ## [v3.1.0](https://github.com/auth0/omniauth-auth0/tree/v3.1.0) (2022-11-04)
 
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.0.0...v3.1.0)

data/EXAMPLES.md

@@ -79,6 +79,7 @@ In some scenarios, you may need to pass specific query parameters to `/authorize
 - `screen_hint` (only relevant to New Universal Login Experience)
 - `organization`
 - `invitation`
+- `ui_locales` (only relevant to New Universal Login Experience)
 
 Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
 
@@ -124,25 +125,38 @@ When passing `openid` to the scope and `organization` to the authorize params, y
 
 ### Validating Organizations when using Organization Login Prompt
 
-When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known.
+When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, `org_id` or `org_name` claims will be present on the ID and access tokens, and should be validated to ensure that the value received is expected or known.
 
 Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
 
-In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token.
+In particular, the `org_id` and `org_name` claims should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token. For `org_id`, this should be a **case-sensitive, exact match check**. For `org_name`, this should be a **case-insentive check**.
+
+The decision to validate the `org_id` or `org_name` claim is determined by the expected organization ID or name having an `org_` prefix.
 
 Here is an example using it in your `callback` method
 
 ```ruby
-  def callback
-    claims = request.env['omniauth.auth']['extra']['raw_info']
+def callback
+  claims = request.env['omniauth.auth']['extra']['raw_info']
+
+  validate_as_id = expected_org.start_with?('org_')
 
-    if claims["org"] && claims["org"] !== expected_org
+  if validate_as_id
+    if claims["org_id"] && claims["org_id"] !== expected_org
+      redirect_to '/unauthorized', status: 401
+    else
+      session[:userinfo] = claims
+      redirect_to '/dashboard'
+    end
+  else
+    if claims["org_name"] && claims["org_name"].downcase !== expected_org.downcase
       redirect_to '/unauthorized', status: 401
     else
       session[:userinfo] = claims
       redirect_to '/dashboard'
     end
   end
+end
 ```
 
 For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.

data/Gemfile

@@ -2,7 +2,6 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'gem-release', '~> 2'
 gem 'jwt', '~> 2'
 gem 'rake', '~> 13'
 
@@ -10,17 +9,17 @@ group :development do
   gem 'dotenv', '~> 2'
   gem 'pry', '~> 0'
   gem 'rubocop', '~> 1', require: false
-  gem 'shotgun', '~> 0'
-  gem 'sinatra', '~> 2'
+  gem 'shotgun', '~> 0', '>= 0.9.2'
+  gem 'sinatra', '~> 3'
   gem 'thin', '~> 1'
 end
 
 group :test do
   gem 'guard-rspec', '~> 4', require: false
   gem 'listen', '~> 3'
-  gem 'rack-test', '~> 2'
+  gem 'rack-test', '~> 2', '>= 2.0.2'
   gem 'rspec', '~> 3'
-  gem 'simplecov-cobertura', '~> 2'
+  gem 'simplecov-cobertura', '~> 3.0'
   gem 'webmock', '~> 3'
   gem 'multi_json', '~> 1'
 end

data/Gemfile.lock

@@ -1,34 +1,46 @@
 PATH
   remote: .
   specs:
-    omniauth-auth0 (3.1.0)
+    omniauth-auth0 (3.2.0)
+      jwt (~> 2)
       omniauth (~> 2)
       omniauth-oauth2 (~> 1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
-    ast (2.4.2)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
+    ast (2.4.3)
+    auth-sanitizer (0.1.4)
+      version_gem (~> 1.1, >= 1.1.9)
+    base64 (0.3.0)
+    bigdecimal (4.1.2)
     coderay (1.1.3)
-    crack (0.4.5)
+    crack (1.0.1)
+      bigdecimal
       rexml
     daemons (1.4.1)
-    diff-lcs (1.5.0)
-    docile (1.4.0)
+    diff-lcs (1.6.2)
+    docile (1.4.1)
     dotenv (2.8.1)
     eventmachine (1.2.7)
-    faraday (2.7.1)
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
-    ffi (1.15.5)
-    formatador (1.1.0)
-    gem-release (2.2.2)
-    guard (2.18.0)
+    faraday (2.14.2)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.3)
+      net-http (~> 0.5)
+    ffi (1.17.4-aarch64-linux-gnu)
+    ffi (1.17.4-arm64-darwin)
+    ffi (1.17.4-x86_64-darwin)
+    ffi (1.17.4-x86_64-linux-gnu)
+    formatador (1.2.3)
+      reline
+    guard (2.20.1)
       formatador (>= 0.2.4)
       listen (>= 2.7, < 4.0)
+      logger (~> 1.6)
       lumberjack (>= 1.0.12, < 2.0)
       nenv (~> 0.1)
       notiffany (~> 0.0)
@@ -40,139 +52,164 @@ GEM
       guard (~> 2.1)
       guard-compat (~> 1.1)
       rspec (>= 2.99.0, < 4.0)
-    hashdiff (1.0.1)
-    hashie (5.0.0)
-    json (2.6.3)
-    jwt (2.5.0)
-    listen (3.7.1)
+    hashdiff (1.2.1)
+    hashie (5.1.0)
+      logger
+    io-console (0.8.2)
+    json (2.19.7)
+    jwt (2.10.3)
+      base64
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    listen (3.10.0)
+      logger
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    lumberjack (1.2.8)
-    method_source (1.0.0)
-    multi_json (1.15.0)
-    multi_xml (0.6.0)
-    mustermann (2.0.2)
-      ruby2_keywords (~> 0.0.1)
+    logger (1.7.0)
+    lumberjack (1.4.2)
+    method_source (1.1.0)
+    multi_json (1.21.1)
+    multi_xml (0.9.1)
+      bigdecimal (>= 3.1, < 5)
+    mustermann (3.1.1)
     nenv (0.3.0)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
     notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
-    oauth2 (2.0.9)
-      faraday (>= 0.17.3, < 3.0)
-      jwt (>= 1.0, < 3.0)
+    oauth2 (2.0.20)
+      auth-sanitizer (~> 0.1, >= 0.1.3)
+      faraday (>= 0.17.3, < 4.0)
+      jwt (>= 1.0, < 4.0)
+      logger (~> 1.2)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 4)
-      snaky_hash (~> 2.0)
-      version_gem (~> 1.1)
-    omniauth (2.1.0)
+      snaky_hash (~> 2.0, >= 2.0.4)
+      version_gem (~> 1.1, >= 1.1.9)
+    omniauth (2.1.4)
       hashie (>= 3.4.6)
+      logger
       rack (>= 2.2.3)
       rack-protection
-    omniauth-oauth2 (1.8.0)
-      oauth2 (>= 1.4, < 3)
+    omniauth-oauth2 (1.9.0)
+      oauth2 (>= 2.0.2, < 3)
       omniauth (~> 2.0)
-    parallel (1.22.1)
-    parser (3.1.3.0)
+    parallel (1.28.0)
+    parser (3.3.11.1)
       ast (~> 2.4.1)
-    pry (0.14.1)
+      racc
+    prism (1.9.0)
+    pry (0.16.0)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.0)
-    rack (2.2.4)
-    rack-protection (2.2.3)
-      rack
-    rack-test (2.0.2)
+      reline (>= 0.6.0)
+    public_suffix (7.0.5)
+    racc (1.8.1)
+    rack (2.2.23)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
+      rack (~> 2.2, >= 2.2.4)
+    rack-test (2.2.0)
       rack (>= 1.3)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.4.2)
     rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
       ffi (~> 1.0)
-    regexp_parser (2.6.1)
-    rexml (3.2.5)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.0)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.0)
+    regexp_parser (2.12.0)
+    reline (0.6.3)
+      io-console (~> 0.5)
+    rexml (3.4.4)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-support (3.12.0)
-    rubocop (1.39.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.7)
+    rubocop (1.86.2)
       json (~> 2.3)
-      parallel (~> 1.10)
-      parser (>= 3.1.2.1)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (>= 1.10)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.23.0, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.24.0)
-      parser (>= 3.1.1.0)
-    ruby-progressbar (1.11.0)
-    ruby2_keywords (0.0.5)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    ruby-progressbar (1.13.0)
     shellany (0.0.1)
     shotgun (0.9.2)
       rack (>= 1.0)
-    simplecov (0.21.2)
+    simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
-    simplecov-cobertura (2.1.0)
+    simplecov-cobertura (3.1.0)
       rexml
       simplecov (~> 0.19)
-    simplecov-html (0.12.3)
+    simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
-    sinatra (2.2.3)
-      mustermann (~> 2.0)
-      rack (~> 2.2)
-      rack-protection (= 2.2.3)
+    sinatra (3.2.0)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.2.0)
       tilt (~> 2.0)
-    snaky_hash (2.0.1)
-      hashie
-      version_gem (~> 1.1, >= 1.1.1)
-    thin (1.8.1)
+    snaky_hash (2.0.4)
+      hashie (>= 0.1.0, < 6)
+      version_gem (>= 1.1.8, < 3)
+    thin (1.8.2)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (1.2.1)
-    tilt (2.0.11)
-    unicode-display_width (2.3.0)
-    version_gem (1.1.1)
-    webmock (3.18.1)
+    thor (1.5.0)
+    tilt (2.7.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    uri (1.1.1)
+    version_gem (1.1.9)
+    webmock (3.26.2)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
 
 PLATFORMS
+  aarch64-linux
   arm64-darwin-21
-  x86_64-darwin-20
-  x86_64-darwin-21
+  arm64-darwin-22
+  arm64-darwin-23
+  arm64-darwin-25
+  x86_64-darwin-22
   x86_64-linux
 
 DEPENDENCIES
   bundler
   dotenv (~> 2)
-  gem-release (~> 2)
   guard-rspec (~> 4)
   jwt (~> 2)
   listen (~> 3)
   multi_json (~> 1)
   omniauth-auth0!
   pry (~> 0)
-  rack-test (~> 2)
+  rack-test (~> 2, >= 2.0.2)
   rake (~> 13)
   rspec (~> 3)
   rubocop (~> 1)
-  shotgun (~> 0)
-  simplecov-cobertura (~> 2)
-  sinatra (~> 2)
+  shotgun (~> 0, >= 0.9.2)
+  simplecov-cobertura (~> 3.0)
+  sinatra (~> 3)
   thin (~> 1)
   webmock (~> 3)