omniauth-auth0 3.1.1 → 3.2.0

data/.shiprc

@@ -1,6 +1,7 @@
 {
   "files": {
-    "lib/omniauth-auth0/version.rb": []
+    "lib/omniauth-auth0/version.rb": [],
+    ".version": []
   },
   "prebump": "bundle install && bundle exec rake test",
   "postbump": "bundle update"

data/.version

@@ -0,0 +1 @@
+v3.2.0

data/CHANGELOG.md

@@ -1,17 +1,22 @@
 # Change Log
 
-## [v3.2.0](https://github.com/auth0/omniauth-auth0/tree/v3.2.0) (2023-07-14)
-[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.1.0...v3.2.0)
+## [v3.2.0](https://github.com/auth0/omniauth-auth0/tree/v3.2.0) (2026-05-27)
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.1.1...v3.2.0)
 
 **Added**
-- [SDK-4410] Support Organization Name in JWT validation [\#184](https://github.com/auth0/omniauth-auth0/pull/184) ([stevehobbsdev](https://github.com/stevehobbsdev))
+- Add support for client assertion signing key authentication [\#203](https://github.com/auth0/omniauth-auth0/pull/203) ([kaczowkad](https://github.com/kaczowkad))
 
-**Fixed**
-- fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests [\#165](https://github.com/auth0/omniauth-auth0/pull/165) ([stevehobbsdev](https://github.com/stevehobbsdev))
+**Dependency Bumps**
+- Bump faraday from 2.7.10 to 2.14.1 [\#215](https://github.com/auth0/omniauth-auth0/pull/215) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rack from 2.2.7 to 2.2.23 [\#217](https://github.com/auth0/omniauth-auth0/pull/217) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rexml from 3.2.5 to 3.3.9 [\#206](https://github.com/auth0/omniauth-auth0/pull/206) ([arpit-jn](https://github.com/arpit-jn))
 
 ## [v3.1.1](https://github.com/auth0/omniauth-auth0/tree/v3.1.1) (2023-03-01)
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.1.0...v3.1.1)
 
+**Added**
+- [SDK-4410] Support Organization Name in JWT validation [\#184](https://github.com/auth0/omniauth-auth0/pull/184) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
 **Fixed**
 - fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests [\#165](https://github.com/auth0/omniauth-auth0/pull/165) ([stevehobbsdev](https://github.com/stevehobbsdev))
 

data/Gemfile

@@ -2,7 +2,6 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'gem-release', '~> 2'
 gem 'jwt', '~> 2'
 gem 'rake', '~> 13'
 
@@ -20,7 +19,7 @@ group :test do
   gem 'listen', '~> 3'
   gem 'rack-test', '~> 2', '>= 2.0.2'
   gem 'rspec', '~> 3'
-  gem 'simplecov-cobertura', '~> 2'
+  gem 'simplecov-cobertura', '~> 3.0'
   gem 'webmock', '~> 3'
   gem 'multi_json', '~> 1'
 end

data/Gemfile.lock

@@ -1,34 +1,46 @@
 PATH
   remote: .
   specs:
-    omniauth-auth0 (3.1.1)
+    omniauth-auth0 (3.2.0)
+      jwt (~> 2)
       omniauth (~> 2)
       omniauth-oauth2 (~> 1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.4)
-      public_suffix (>= 2.0.2, < 6.0)
-    ast (2.4.2)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
+    ast (2.4.3)
+    auth-sanitizer (0.1.4)
+      version_gem (~> 1.1, >= 1.1.9)
+    base64 (0.3.0)
+    bigdecimal (4.1.2)
     coderay (1.1.3)
-    crack (0.4.5)
+    crack (1.0.1)
+      bigdecimal
       rexml
     daemons (1.4.1)
-    diff-lcs (1.5.0)
-    docile (1.4.0)
+    diff-lcs (1.6.2)
+    docile (1.4.1)
     dotenv (2.8.1)
     eventmachine (1.2.7)
-    faraday (2.7.10)
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
-    ffi (1.15.5)
-    formatador (1.1.0)
-    gem-release (2.2.2)
-    guard (2.18.0)
+    faraday (2.14.2)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.3)
+      net-http (~> 0.5)
+    ffi (1.17.4-aarch64-linux-gnu)
+    ffi (1.17.4-arm64-darwin)
+    ffi (1.17.4-x86_64-darwin)
+    ffi (1.17.4-x86_64-linux-gnu)
+    formatador (1.2.3)
+      reline
+    guard (2.20.1)
       formatador (>= 0.2.4)
       listen (>= 2.7, < 4.0)
+      logger (~> 1.6)
       lumberjack (>= 1.0.12, < 2.0)
       nenv (~> 0.1)
       notiffany (~> 0.0)
@@ -40,87 +52,103 @@ GEM
       guard (~> 2.1)
       guard-compat (~> 1.1)
       rspec (>= 2.99.0, < 4.0)
-    hashdiff (1.0.1)
-    hashie (5.0.0)
-    json (2.6.3)
-    jwt (2.7.1)
-    language_server-protocol (3.17.0.3)
-    listen (3.8.0)
+    hashdiff (1.2.1)
+    hashie (5.1.0)
+      logger
+    io-console (0.8.2)
+    json (2.19.7)
+    jwt (2.10.3)
+      base64
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    listen (3.10.0)
+      logger
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    lumberjack (1.2.8)
-    method_source (1.0.0)
-    multi_json (1.15.0)
-    multi_xml (0.6.0)
-    mustermann (3.0.0)
-      ruby2_keywords (~> 0.0.1)
+    logger (1.7.0)
+    lumberjack (1.4.2)
+    method_source (1.1.0)
+    multi_json (1.21.1)
+    multi_xml (0.9.1)
+      bigdecimal (>= 3.1, < 5)
+    mustermann (3.1.1)
     nenv (0.3.0)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
     notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
-    oauth2 (2.0.9)
-      faraday (>= 0.17.3, < 3.0)
-      jwt (>= 1.0, < 3.0)
+    oauth2 (2.0.20)
+      auth-sanitizer (~> 0.1, >= 0.1.3)
+      faraday (>= 0.17.3, < 4.0)
+      jwt (>= 1.0, < 4.0)
+      logger (~> 1.2)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 4)
-      snaky_hash (~> 2.0)
-      version_gem (~> 1.1)
-    omniauth (2.1.1)
+      snaky_hash (~> 2.0, >= 2.0.4)
+      version_gem (~> 1.1, >= 1.1.9)
+    omniauth (2.1.4)
       hashie (>= 3.4.6)
+      logger
       rack (>= 2.2.3)
       rack-protection
-    omniauth-oauth2 (1.8.0)
-      oauth2 (>= 1.4, < 3)
+    omniauth-oauth2 (1.9.0)
+      oauth2 (>= 2.0.2, < 3)
       omniauth (~> 2.0)
-    parallel (1.23.0)
-    parser (3.2.2.3)
+    parallel (1.28.0)
+    parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
-    pry (0.14.2)
+    prism (1.9.0)
+    pry (0.16.0)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.3)
-    racc (1.7.1)
-    rack (2.2.7)
-    rack-protection (3.0.6)
-      rack
-    rack-test (2.1.0)
+      reline (>= 0.6.0)
+    public_suffix (7.0.5)
+    racc (1.8.1)
+    rack (2.2.23)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
+      rack (~> 2.2, >= 2.2.4)
+    rack-test (2.2.0)
       rack (>= 1.3)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.4.2)
     rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
       ffi (~> 1.0)
-    regexp_parser (2.8.1)
-    rexml (3.2.5)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.2)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.3)
+    regexp_parser (2.12.0)
+    reline (0.6.3)
+      io-console (~> 0.5)
+    rexml (3.4.4)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.6)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-support (3.12.1)
-    rubocop (1.54.2)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.7)
+    rubocop (1.86.2)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
-      parallel (~> 1.10)
-      parser (>= 3.2.2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (>= 1.10)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.0, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.29.0)
-      parser (>= 3.2.1.0)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
     ruby-progressbar (1.13.0)
-    ruby2_keywords (0.0.5)
     shellany (0.0.1)
     shotgun (0.9.2)
       rack (>= 1.0)
@@ -128,28 +156,31 @@ GEM
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
-    simplecov-cobertura (2.1.0)
+    simplecov-cobertura (3.1.0)
       rexml
       simplecov (~> 0.19)
-    simplecov-html (0.12.3)
+    simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
-    sinatra (3.0.6)
+    sinatra (3.2.0)
       mustermann (~> 3.0)
       rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.6)
+      rack-protection (= 3.2.0)
       tilt (~> 2.0)
-    snaky_hash (2.0.1)
-      hashie
-      version_gem (~> 1.1, >= 1.1.1)
+    snaky_hash (2.0.4)
+      hashie (>= 0.1.0, < 6)
+      version_gem (>= 1.1.8, < 3)
     thin (1.8.2)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (1.2.2)
-    tilt (2.2.0)
-    unicode-display_width (2.4.2)
-    version_gem (1.1.3)
-    webmock (3.18.1)
+    thor (1.5.0)
+    tilt (2.7.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    uri (1.1.1)
+    version_gem (1.1.9)
+    webmock (3.26.2)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -157,13 +188,15 @@ GEM
 PLATFORMS
   aarch64-linux
   arm64-darwin-21
+  arm64-darwin-22
+  arm64-darwin-23
+  arm64-darwin-25
   x86_64-darwin-22
   x86_64-linux
 
 DEPENDENCIES
   bundler
   dotenv (~> 2)
-  gem-release (~> 2)
   guard-rspec (~> 4)
   jwt (~> 2)
   listen (~> 3)
@@ -175,7 +208,7 @@ DEPENDENCIES
   rspec (~> 3)
   rubocop (~> 1)
   shotgun (~> 0, >= 0.9.2)
-  simplecov-cobertura (~> 2)
+  simplecov-cobertura (~> 3.0)
   sinatra (~> 3)
   thin (~> 1)
   webmock (~> 3)

data/README.md

@@ -5,6 +5,7 @@
 [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
 [![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0)
 [![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/omniauth-auth0/blob/master/LICENSE)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/auth0/omniauth-auth0)
 
 <div>
 📚 <a href="#documentation">Documentation</a> - 🚀 <a href="#getting-started">Getting started</a> - 💻 <a href="https://www.rubydoc.info/gems/omniauth-auth0">API reference</a> - 💬 <a href="#feedback">Feedback</a>
@@ -53,6 +54,8 @@ Adding the SDK to your Rails app requires a few steps:
 
 Create the file `./config/auth0.yml` within your application directory with the following content:
 
+### For client secret authentication
+
 ```yml
 development:
   auth0_domain: <YOUR_DOMAIN>
@@ -60,10 +63,25 @@ development:
   auth0_client_secret: <YOUR AUTH0 CLIENT SECRET>
 ```
 
+#### For client assertion signing key authentication
+
+```yml
+development:
+  auth0_domain: <YOUR_DOMAIN>
+  auth0_client_id: <YOUR_CLIENT_ID>
+  auth0_client_assertion_signing_key: <YOUR AUTH0 CLIENT ASSERTION SIGNING PRIVATE KEY>
+  auth0_client_assertion_signing_algorithm: <YOUR AUTH0 CLIENT ASSERTION SIGNING ALGORITHM>
+```
+**Note**: you must upload the corresponding public key to your Auth0 tenant, so that Auth0 is able to verify the JWT signature.
+
+client_assertion_signing_algorithm is optional and defaults to RS256.
+
 ### Create the initializer
 
 Create a new Ruby file in `./config/initializers/auth0.rb` to configure the OmniAuth middleware:
 
+### For client secret authentication
+
 ```ruby
 AUTH0_CONFIG = Rails.application.config_for(:auth0)
 
@@ -81,6 +99,29 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+#### For client assertion signing key authentication
+
+```ruby
+AUTH0_CONFIG = Rails.application.config_for(:auth0)
+
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider(
+    :auth0,
+    AUTH0_CONFIG['auth0_client_id'],
+    nil,
+    AUTH0_CONFIG['auth0_domain'],
+    callback_path: '/auth/auth0/callback',
+    authorize_params: {
+      scope: 'openid profile'
+    },
+    client_assertion_signing_key: OpenSSL::PKey::RSA.new(AUTH0_CONFIG[:auth0_client_assertion_signing_key]),
+    client_assertion_signing_algorithm: AUTH0_CONFIG[:auth0_client_assertion_signing_algorithm]
+  )
+end
+```
+
+**Note**: The client_assertion_signing_key must be provided as a PKey object.
+
 ### Create the callback controller
 
 Create a new controller `./app/controllers/auth0_controller.rb` to handle the callback from Auth0.
@@ -165,4 +206,4 @@ Please do not report security vulnerabilities on the public GitHub issue tracker
 </p>
 <p align="center">
   This project is licensed under the MIT license. See the <a href="https://github.com/auth0/omniauth-auth0/blob/master/LICENSE"> LICENSE</a> file for more info.
-</p>
+</p>

data/lib/omniauth/auth0/jwt_token.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'securerandom'
+
+module OmniAuth
+  module Auth0
+    # JWTToken class to generate a JWT token for client assertion
+    # as per the OAuth 2.0 Client Credentials Grant specification.
+    class JWTToken
+      attr_reader :client_id, :domain_url, :client_assertion_signing_key, :client_assertion_signing_algorithm
+
+      def initialize(client_id, domain_url, client_assertion_signing_key, client_assertion_signing_algorithm = nil)
+        @client_id = client_id
+        @domain_url = domain_url
+        @client_assertion_signing_key = client_assertion_signing_key
+        @client_assertion_signing_algorithm = client_assertion_signing_algorithm || 'RS256'
+      end
+
+      def jwt_token
+        JWT.encode(jwt_payload, client_assertion_signing_key, client_assertion_signing_algorithm)
+      end
+
+      private
+
+      def jwt_payload
+        {
+          iss: client_id,
+          sub: client_id,
+          aud: File.join(domain_url, '/oauth/token'),
+          iat: Time.now.utc.to_i,
+          exp: Time.now.utc.to_i + 60,
+          jti: SecureRandom.uuid
+        }
+      end
+    end
+  end
+end

data/lib/omniauth/auth0/jwt_validator.rb

@@ -272,10 +272,10 @@ module OmniAuth
         if validate_as_id
           org_id = id_token['org_id']
           if !org_id || !org_id.is_a?(String)
-            raise OmniAuth::Auth0::TokenValidationError, 
+            raise OmniAuth::Auth0::TokenValidationError,
                   'Organization Id (org_id) claim must be a string present in the ID token'
           elsif org_id != organization
-            raise OmniAuth::Auth0::TokenValidationError, 
+            raise OmniAuth::Auth0::TokenValidationError,
                   "Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'"
           end
         else

data/lib/omniauth/strategies/auth0.rb

@@ -4,6 +4,7 @@ require 'base64'
 require 'uri'
 require 'securerandom'
 require 'omniauth-oauth2'
+require 'omniauth/auth0/jwt_token'
 require 'omniauth/auth0/jwt_validator'
 require 'omniauth/auth0/telemetry'
 require 'omniauth/auth0/errors'
@@ -13,6 +14,8 @@ module OmniAuth
     # Auth0 OmniAuth strategy
     class Auth0 < OmniAuth::Strategies::OAuth2
       include OmniAuth::Auth0::Telemetry
+      AUTHORIZATION_CODE_GRANT_TYPE = 'authorization_code'
+      CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
 
       option :name, 'auth0'
 
@@ -28,6 +31,8 @@ module OmniAuth
         options.client_options.authorize_url = '/authorize'
         options.client_options.token_url = '/oauth/token'
         options.client_options.userinfo_url = '/userinfo'
+        setup_client_options_auth_scheme
+
         super
       end
 
@@ -100,25 +105,20 @@ module OmniAuth
       end
 
       def build_access_token
+        options.token_params.merge!(client_assertion_signing_key_token_params) if client_assertion_signing_key_auth?
         options.token_params[:headers] = { 'Auth0-Client' => telemetry_encoded }
         super
       end
 
       # Declarative override for the request phase of authentication
       def request_phase
-        if no_client_id?
-          # Do we have a client_id for this Application?
-          fail!(:missing_client_id)
-        elsif no_client_secret?
-          # Do we have a client_secret for this Application?
-          fail!(:missing_client_secret)
-        elsif no_domain?
-          # Do we have a domain for this Application?
-          fail!(:missing_domain)
-        else
-          # All checks pass, run the Oauth2 request_phase method.
-          super
-        end
+        return fail!(:missing_client_id) if no_client_id?
+        return fail!(:missing_client_secret) if no_client_secret?
+        return fail!(:missing_domain) if no_domain?
+        return fail!(:missing_client_assertion_signing_key) if no_client_assertion_signing_key?
+
+        # All checks pass, run the Oauth2 request_phase method.
+        super
       end
 
       def callback_phase
@@ -128,10 +128,32 @@ module OmniAuth
       end
 
       private
+
+      def client_assertion_signing_key_auth?
+        options['client_assertion_signing_key']
+      end
+
+      def client_assertion_signing_key_token_params
+        {
+          grant_type: AUTHORIZATION_CODE_GRANT_TYPE,
+          client_id: options.client_id,
+          client_assertion_type: CLIENT_ASSERTION_TYPE,
+          client_assertion: jwt_token
+        }
+      end
+
       def jwt_validator
         @jwt_validator ||= OmniAuth::Auth0::JWTValidator.new(options)
       end
 
+      def jwt_token
+        OmniAuth::Auth0::JWTToken.new(options.client_id,
+                                      domain_url,
+                                      options.client_assertion_signing_key,
+                                      options.client_assertion_signing_algorithm)
+                                 .jwt_token
+      end
+
       # Parse the raw user info.
       def raw_info
         return @raw_info if @raw_info
@@ -154,7 +176,7 @@ module OmniAuth
 
       # Check if the options include a client_secret
       def no_client_secret?
-        ['', nil].include?(options.client_secret)
+        ['', nil].include?(options.client_secret) && !options.key?('client_assertion_signing_key')
       end
 
       # Check if the options include a domain
@@ -162,12 +184,24 @@ module OmniAuth
         ['', nil].include?(options.domain)
       end
 
+      # Check if the options include a client_assertion_signing_key
+      def no_client_assertion_signing_key?
+        options.key?('client_assertion_signing_key') && ['', nil].include?(options.client_assertion_signing_key)
+      end
+
       # Normalize a domain to a URL.
       def domain_url
         domain_url = URI(options.domain)
         domain_url = URI("https://#{domain_url}") if domain_url.scheme.nil?
         domain_url.to_s
       end
+
+      # Setup the auth_scheme for the client options if using client assertion signing key
+      def setup_client_options_auth_scheme
+        return unless client_assertion_signing_key_auth?
+
+        options.client_options.auth_scheme = :request_body
+      end
     end
   end
 end

data/lib/omniauth-auth0/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Auth0
-    VERSION = '3.1.1'.freeze
+    VERSION = '3.2.0'.freeze
   end
 end

data/omniauth-auth0.gemspec

@@ -21,6 +21,7 @@ omniauth-auth0 is the OmniAuth strategy for Auth0.
   s.executables   = `git ls-files -- bin/*`.split('\n').map{ |f| File.basename(f) }
   s.require_paths = ['lib']
 
+  s.add_runtime_dependency 'jwt', '~> 2'
   s.add_runtime_dependency 'omniauth', '~> 2'
   s.add_runtime_dependency 'omniauth-oauth2', '~> 1'