omniauth-auth0 3.1.0 → 3.2.0

data/README.md

@@ -5,6 +5,7 @@
 [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
 [![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0)
 [![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/omniauth-auth0/blob/master/LICENSE)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/auth0/omniauth-auth0)
 
 <div>
 📚 <a href="#documentation">Documentation</a> - 🚀 <a href="#getting-started">Getting started</a> - 💻 <a href="https://www.rubydoc.info/gems/omniauth-auth0">API reference</a> - 💬 <a href="#feedback">Feedback</a>
@@ -53,6 +54,8 @@ Adding the SDK to your Rails app requires a few steps:
 
 Create the file `./config/auth0.yml` within your application directory with the following content:
 
+### For client secret authentication
+
 ```yml
 development:
   auth0_domain: <YOUR_DOMAIN>
@@ -60,10 +63,25 @@ development:
   auth0_client_secret: <YOUR AUTH0 CLIENT SECRET>
 ```
 
+#### For client assertion signing key authentication
+
+```yml
+development:
+  auth0_domain: <YOUR_DOMAIN>
+  auth0_client_id: <YOUR_CLIENT_ID>
+  auth0_client_assertion_signing_key: <YOUR AUTH0 CLIENT ASSERTION SIGNING PRIVATE KEY>
+  auth0_client_assertion_signing_algorithm: <YOUR AUTH0 CLIENT ASSERTION SIGNING ALGORITHM>
+```
+**Note**: you must upload the corresponding public key to your Auth0 tenant, so that Auth0 is able to verify the JWT signature.
+
+client_assertion_signing_algorithm is optional and defaults to RS256.
+
 ### Create the initializer
 
 Create a new Ruby file in `./config/initializers/auth0.rb` to configure the OmniAuth middleware:
 
+### For client secret authentication
+
 ```ruby
 AUTH0_CONFIG = Rails.application.config_for(:auth0)
 
@@ -81,6 +99,29 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+#### For client assertion signing key authentication
+
+```ruby
+AUTH0_CONFIG = Rails.application.config_for(:auth0)
+
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider(
+    :auth0,
+    AUTH0_CONFIG['auth0_client_id'],
+    nil,
+    AUTH0_CONFIG['auth0_domain'],
+    callback_path: '/auth/auth0/callback',
+    authorize_params: {
+      scope: 'openid profile'
+    },
+    client_assertion_signing_key: OpenSSL::PKey::RSA.new(AUTH0_CONFIG[:auth0_client_assertion_signing_key]),
+    client_assertion_signing_algorithm: AUTH0_CONFIG[:auth0_client_assertion_signing_algorithm]
+  )
+end
+```
+
+**Note**: The client_assertion_signing_key must be provided as a PKey object.
+
 ### Create the callback controller
 
 Create a new controller `./app/controllers/auth0_controller.rb` to handle the callback from Auth0.
@@ -165,4 +206,4 @@ Please do not report security vulnerabilities on the public GitHub issue tracker
 </p>
 <p align="center">
   This project is licensed under the MIT license. See the <a href="https://github.com/auth0/omniauth-auth0/blob/master/LICENSE"> LICENSE</a> file for more info.
-</p>
+</p>

data/lib/omniauth/auth0/jwt_token.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'securerandom'
+
+module OmniAuth
+  module Auth0
+    # JWTToken class to generate a JWT token for client assertion
+    # as per the OAuth 2.0 Client Credentials Grant specification.
+    class JWTToken
+      attr_reader :client_id, :domain_url, :client_assertion_signing_key, :client_assertion_signing_algorithm
+
+      def initialize(client_id, domain_url, client_assertion_signing_key, client_assertion_signing_algorithm = nil)
+        @client_id = client_id
+        @domain_url = domain_url
+        @client_assertion_signing_key = client_assertion_signing_key
+        @client_assertion_signing_algorithm = client_assertion_signing_algorithm || 'RS256'
+      end
+
+      def jwt_token
+        JWT.encode(jwt_payload, client_assertion_signing_key, client_assertion_signing_algorithm)
+      end
+
+      private
+
+      def jwt_payload
+        {
+          iss: client_id,
+          sub: client_id,
+          aud: File.join(domain_url, '/oauth/token'),
+          iat: Time.now.utc.to_i,
+          exp: Time.now.utc.to_i + 60,
+          jti: SecureRandom.uuid
+        }
+      end
+    end
+  end
+end

data/lib/omniauth/auth0/jwt_validator.rb

@@ -7,6 +7,7 @@ require 'omniauth/auth0/errors'
 module OmniAuth
   module Auth0
     # JWT Validator class
+    # rubocop:disable Metrics/
     class JWTValidator
       attr_accessor :issuer, :domain
 
@@ -264,12 +265,27 @@ module OmniAuth
       end
 
       def verify_org(id_token, organization)
-        if organization
+        return unless organization
+
+        validate_as_id = organization.start_with? 'org_'
+
+        if validate_as_id
           org_id = id_token['org_id']
           if !org_id || !org_id.is_a?(String)
-            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim must be a string present in the ID token")
+            raise OmniAuth::Auth0::TokenValidationError,
+                  'Organization Id (org_id) claim must be a string present in the ID token'
           elsif org_id != organization
-            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'")
+            raise OmniAuth::Auth0::TokenValidationError,
+                  "Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'"
+          end
+        else
+          org_name = id_token['org_name']
+          if !org_name || !org_name.is_a?(String)
+            raise OmniAuth::Auth0::TokenValidationError,
+                  'Organization Name (org_name) claim must be a string present in the ID token'
+          elsif org_name != organization.downcase
+            raise OmniAuth::Auth0::TokenValidationError,
+                  "Organization Name (org_name) claim value mismatch in the ID token; expected '#{organization}', found '#{org_name}'"
           end
         end
       end

data/lib/omniauth/strategies/auth0.rb

@@ -4,6 +4,7 @@ require 'base64'
 require 'uri'
 require 'securerandom'
 require 'omniauth-oauth2'
+require 'omniauth/auth0/jwt_token'
 require 'omniauth/auth0/jwt_validator'
 require 'omniauth/auth0/telemetry'
 require 'omniauth/auth0/errors'
@@ -13,6 +14,8 @@ module OmniAuth
     # Auth0 OmniAuth strategy
     class Auth0 < OmniAuth::Strategies::OAuth2
       include OmniAuth::Auth0::Telemetry
+      AUTHORIZATION_CODE_GRANT_TYPE = 'authorization_code'
+      CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
 
       option :name, 'auth0'
 
@@ -28,6 +31,8 @@ module OmniAuth
         options.client_options.authorize_url = '/authorize'
         options.client_options.token_url = '/oauth/token'
         options.client_options.userinfo_url = '/userinfo'
+        setup_client_options_auth_scheme
+
         super
       end
 
@@ -100,25 +105,20 @@ module OmniAuth
       end
 
       def build_access_token
+        options.token_params.merge!(client_assertion_signing_key_token_params) if client_assertion_signing_key_auth?
         options.token_params[:headers] = { 'Auth0-Client' => telemetry_encoded }
         super
       end
 
       # Declarative override for the request phase of authentication
       def request_phase
-        if no_client_id?
-          # Do we have a client_id for this Application?
-          fail!(:missing_client_id)
-        elsif no_client_secret?
-          # Do we have a client_secret for this Application?
-          fail!(:missing_client_secret)
-        elsif no_domain?
-          # Do we have a domain for this Application?
-          fail!(:missing_domain)
-        else
-          # All checks pass, run the Oauth2 request_phase method.
-          super
-        end
+        return fail!(:missing_client_id) if no_client_id?
+        return fail!(:missing_client_secret) if no_client_secret?
+        return fail!(:missing_domain) if no_domain?
+        return fail!(:missing_client_assertion_signing_key) if no_client_assertion_signing_key?
+
+        # All checks pass, run the Oauth2 request_phase method.
+        super
       end
 
       def callback_phase
@@ -128,10 +128,32 @@ module OmniAuth
       end
 
       private
+
+      def client_assertion_signing_key_auth?
+        options['client_assertion_signing_key']
+      end
+
+      def client_assertion_signing_key_token_params
+        {
+          grant_type: AUTHORIZATION_CODE_GRANT_TYPE,
+          client_id: options.client_id,
+          client_assertion_type: CLIENT_ASSERTION_TYPE,
+          client_assertion: jwt_token
+        }
+      end
+
       def jwt_validator
         @jwt_validator ||= OmniAuth::Auth0::JWTValidator.new(options)
       end
 
+      def jwt_token
+        OmniAuth::Auth0::JWTToken.new(options.client_id,
+                                      domain_url,
+                                      options.client_assertion_signing_key,
+                                      options.client_assertion_signing_algorithm)
+                                 .jwt_token
+      end
+
       # Parse the raw user info.
       def raw_info
         return @raw_info if @raw_info
@@ -154,7 +176,7 @@ module OmniAuth
 
       # Check if the options include a client_secret
       def no_client_secret?
-        ['', nil].include?(options.client_secret)
+        ['', nil].include?(options.client_secret) && !options.key?('client_assertion_signing_key')
       end
 
       # Check if the options include a domain
@@ -162,12 +184,24 @@ module OmniAuth
         ['', nil].include?(options.domain)
       end
 
+      # Check if the options include a client_assertion_signing_key
+      def no_client_assertion_signing_key?
+        options.key?('client_assertion_signing_key') && ['', nil].include?(options.client_assertion_signing_key)
+      end
+
       # Normalize a domain to a URL.
       def domain_url
         domain_url = URI(options.domain)
         domain_url = URI("https://#{domain_url}") if domain_url.scheme.nil?
         domain_url.to_s
       end
+
+      # Setup the auth_scheme for the client options if using client assertion signing key
+      def setup_client_options_auth_scheme
+        return unless client_assertion_signing_key_auth?
+
+        options.client_options.auth_scheme = :request_body
+      end
     end
   end
 end

data/lib/omniauth-auth0/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Auth0
-    VERSION = '3.1.0'.freeze
+    VERSION = '3.2.0'.freeze
   end
 end

data/omniauth-auth0.gemspec

@@ -21,6 +21,7 @@ omniauth-auth0 is the OmniAuth strategy for Auth0.
   s.executables   = `git ls-files -- bin/*`.split('\n').map{ |f| File.basename(f) }
   s.require_paths = ['lib']
 
+  s.add_runtime_dependency 'jwt', '~> 2'
   s.add_runtime_dependency 'omniauth', '~> 2'
   s.add_runtime_dependency 'omniauth-oauth2', '~> 1'
 

data/spec/omniauth/auth0/jwt_token_spec.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'json'
+require 'jwt'
+
+describe OmniAuth::Auth0::JWTToken do
+  let(:client_id) { 'CLIENT_ID' }
+  let(:domain_url) { 'https://samples.auth0.com' }
+  let(:client_assertion_signing_key) { OpenSSL::PKey::RSA.generate(2048) }
+
+  describe '#jwt_token' do
+    it 'generates a valid JWT token' do
+      uuid = '12345678-1234-5678-1234-567812345678'
+      allow(SecureRandom).to receive(:uuid).and_return(uuid)
+
+      jwt_token = described_class.new(client_id,
+                                      domain_url,
+                                      client_assertion_signing_key,
+                                      'RS256')
+                                 .jwt_token
+      decoded_token = JWT.decode(jwt_token, client_assertion_signing_key, true, { algorithm: 'RS256' })
+
+      expect(decoded_token[0]['iss']).to eq(client_id)
+      expect(decoded_token[0]['sub']).to eq(client_id)
+      expect(decoded_token[0]['aud']).to eq("#{domain_url}/oauth/token")
+      expect(decoded_token[0]['iat']).to be_within(5).of(Time.now.utc.to_i)
+      expect(decoded_token[0]['exp']).to eq(decoded_token[0]['iat'] + 60)
+      expect(decoded_token[0]['jti']).to eq(uuid)
+    end
+
+    it 'defaults to RS256 algorithm if not specified' do
+      uuid = '12345678-1234-5678-1234-567812345678'
+      allow(SecureRandom).to receive(:uuid).and_return(uuid)
+
+      jwt_token = described_class.new(client_id, domain_url, client_assertion_signing_key).jwt_token
+      decoded_token = JWT.decode(jwt_token, client_assertion_signing_key, true, { algorithm: 'RS256' })
+
+      expect(decoded_token[0]['iss']).to eq(client_id)
+      expect(decoded_token[0]['sub']).to eq(client_id)
+      expect(decoded_token[0]['aud']).to eq("#{domain_url}/oauth/token")
+      expect(decoded_token[0]['iat']).to be_within(5).of(Time.now.utc.to_i)
+      expect(decoded_token[0]['exp']).to eq(decoded_token[0]['iat'] + 60)
+      expect(decoded_token[0]['jti']).to eq(uuid)
+    end
+
+    context 'when using ES256 algorithm' do
+      let(:client_assertion_signing_key) { OpenSSL::PKey::EC.generate('prime256v1') }
+
+      it 'generates a valid JWT token' do
+        uuid = '12345678-1234-5678-1234-567812345678'
+        allow(SecureRandom).to receive(:uuid).and_return(uuid)
+        jwt_token = described_class.new(client_id,
+                                        domain_url,
+                                        client_assertion_signing_key,
+                                        'ES256')
+                                   .jwt_token
+        decoded_token = JWT.decode(jwt_token, client_assertion_signing_key, true, { algorithm: 'ES256' })
+
+        expect(decoded_token[0]['iss']).to eq(client_id)
+        expect(decoded_token[0]['sub']).to eq(client_id)
+        expect(decoded_token[0]['aud']).to eq("#{domain_url}/oauth/token")
+        expect(decoded_token[0]['iat']).to be_within(5).of(Time.now.utc.to_i)
+        expect(decoded_token[0]['exp']).to eq(decoded_token[0]['iat'] + 60)
+        expect(decoded_token[0]['jti']).to eq(uuid)
+      end
+
+      it 'accepts client_assertion_signing_key_token_params as a string' do
+        uuid = '12345678-1234-5678-1234-567812345678'
+        allow(SecureRandom).to receive(:uuid).and_return(uuid)
+        jwt_token = described_class.new(client_id,
+                                        domain_url,
+                                        client_assertion_signing_key,
+                                        'ES256')
+                                   .jwt_token
+        decoded_token = JWT.decode(jwt_token, client_assertion_signing_key, true, { algorithm: 'ES256' })
+
+        expect(decoded_token[0]['iss']).to eq(client_id)
+        expect(decoded_token[0]['sub']).to eq(client_id)
+        expect(decoded_token[0]['aud']).to eq("#{domain_url}/oauth/token")
+        expect(decoded_token[0]['iat']).to be_within(5).of(Time.now.utc.to_i)
+        expect(decoded_token[0]['exp']).to eq(decoded_token[0]['iat'] + 60)
+        expect(decoded_token[0]['jti']).to eq(uuid)
+      end
+    end
+  end
+end

data/spec/omniauth/auth0/jwt_validator_spec.rb

@@ -476,41 +476,119 @@ describe OmniAuth::Auth0::JWTValidator do
       expect(id_token['auth_time']).to eq(auth_time)
     end
 
-    it 'should fail when authorize params has organization but org_id is missing in the token' do
-      payload = {
-        iss: "https://#{domain}/",
-        sub: 'sub',
-        aud: client_id,
-        exp: future_timecode,
-        iat: past_timecode
-      }
+    context 'Organization claim validation' do
+      it 'should fail when authorize params has organization but org_id is missing in the token' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode
+        }
 
-      token = make_hs256_token(payload)
-      expect do
-        jwt_validator.verify(token, { organization: 'Test Org' })
-      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
-        message: "Organization Id (org_id) claim must be a string present in the ID token"
-      }))
-    end
+        token = make_hs256_token(payload)
+        expect do
+          jwt_validator.verify(token, { organization: 'org_123' })
+        end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+          message: "Organization Id (org_id) claim must be a string present in the ID token"
+        }))
+      end
 
-    it 'should fail when authorize params has organization but token org_id does not match' do
-      payload = {
-        iss: "https://#{domain}/",
-        sub: 'sub',
-        aud: client_id,
-        exp: future_timecode,
-        iat: past_timecode,
-        org_id: 'Wrong Org'
-      }
+      it 'should fail when authorize params has organization but org_name is missing in the token' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode
+        }
 
-      token = make_hs256_token(payload)
-      expect do
-        jwt_validator.verify(token, { organization: 'Test Org' })
-      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
-        message: "Organization Id (org_id) claim value mismatch in the ID token; expected 'Test Org', found 'Wrong Org'"
-      }))
-    end
+        token = make_hs256_token(payload)
+        expect do
+          jwt_validator.verify(token, { organization: 'my-organization' })
+        end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and(having_attributes({
+          message: 'Organization Name (org_name) claim must be a string present in the ID token'
+        })))
+      end
 
+      it 'should fail when authorize params has organization but token org_id does not match' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_id: 'org_5678'
+        }
+
+        token = make_hs256_token(payload)
+        expect do
+          jwt_validator.verify(token, { organization: 'org_1234' })
+        end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and(having_attributes({
+          message: "Organization Id (org_id) claim value mismatch in the ID token; expected 'org_1234', found 'org_5678'"
+        })))
+      end
+
+      it 'should fail when authorize params has organization but token org_name does not match' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_name: 'another-organization'
+        }
+
+        token = make_hs256_token(payload)
+        expect do
+          jwt_validator.verify(token, { organization: 'my-organization' })
+        end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and(having_attributes({
+          message: "Organization Name (org_name) claim value mismatch in the ID token; expected 'my-organization', found 'another-organization'"
+        })))
+      end
+
+      it 'should not fail when correctly given an organization ID' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_id: 'org_1234'
+        }
+
+        token = make_hs256_token(payload)
+        jwt_validator.verify(token, { organization: 'org_1234' })
+      end
+
+      it 'should not fail when correctly given an organization name' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_name: 'my-organization'
+        }
+
+        token = make_hs256_token(payload)
+        jwt_validator.verify(token, { organization: 'my-organization' })
+      end
+
+      it 'should not fail when given an organization name in a different casing' do
+        payload = {
+          iss: "https://#{domain}/",
+          sub: 'sub',
+          aud: client_id,
+          exp: future_timecode,
+          iat: past_timecode,
+          org_name: 'my-organization'
+        }
+
+        token = make_hs256_token(payload)
+        jwt_validator.verify(token, { organization: 'MY-ORGANIZATION' })
+      end
+    end
     it 'should fail for RS256 token when kid is incorrect' do
       domain = 'example.org'
       sub = 'abc123'