omniauth-auth0 2.5.0 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 530b0c2ecfb26938944778585c034f1281b46f0c7e920f40b9d58c72fb892c52
-  data.tar.gz: 0ca3365ce632a95272eabb1b1db1ed7fcc6faacdbdc1acaa3fa9889329886cef
+  metadata.gz: f45e6ee50254603367c7de482ce5537b48c5faf1bc7a4f2797cf461f21b37198
+  data.tar.gz: 88eb699d3cf59148df15728b42d517e010bebe29617f1f9e972dc9656e5a79a2
 SHA512:
-  metadata.gz: f1ad9ad998942bd4b081c8873352bf54d0bc5900203baee151535324533b28954e7ab3e990ada83436189bd22a17b24d3a31d7552d45570fe356d00bfbb85fd6
-  data.tar.gz: 60954e800d0a30ea948590cb89b90038185dfa7466bf301ef4e7b782a3b327265921cccf6ddbd4275789046a12c0e4d0956ce4a73ab35d1ea20e633432430e45
+  metadata.gz: 829fd68186ab4685d7628b6a7c3a0cce95b1008396e6b6588e72b30ff7b077c103109bafe8e3e480539a07d715550fed27b2d73f537e505498a8b434655a0776
+  data.tar.gz: 8d03a181ad81f1b08618f542d1971d298a9751ca5d02e949bcf8f60bbf4d6ba2ce3463e6f5ce5a01945a82f24ce7e6f67881192f3e4214a2d05bb556ba6ef66e

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## [v2.6.0](https://github.com/auth0/omniauth-auth0/tree/v2.6.0) (2021-04-01)
+
+[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.5.0...v2.6.0)
+
+**Added**
+- Org Support [SDK-2395]  [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick))
+- Add login_hint to permitted params  [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz))
+
 ## [v2.5.0](https://github.com/auth0/omniauth-auth0/tree/v2.5.0) (2021-01-21)
 
 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.2...v2.5.0)

data/README.md

@@ -131,9 +131,78 @@ In some scenarios, you may need to pass specific query parameters to `/authorize
 - `connection_scope`
 - `prompt`
 - `screen_hint` (only relevant to New Universal Login Experience)
+- `organization`
+- `invitation`
 
 Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
 
+## Examples
+
+### Auth0 Organizations (Closed Beta)
+
+Organizations is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
+
+Using Organizations, you can:
+
+- Represent teams, business customers, partner companies, or any logical grouping of users that should have different ways of accessing your applications, as organizations.
+- Manage their membership in a variety of ways, including user invitation.
+- Configure branded, federated login flows for each organization.
+- Implement role-based access control, such that users can have different roles when authenticating in the context of different organizations.
+- Build administration capabilities into your products, using Organizations APIs, so that those businesses can manage their own organizations.
+
+Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.
+
+#### Logging in with an Organization
+
+Logging in with an Organization is as easy as passing the parameters to the authorize endpoint.  You can do this with 
+
+```ruby
+<%= 
+    button_to 'Login', 'auth/auth0',
+    method: :post,
+    params: {
+      # Found in your Auth0 dashboard, under Organization settings:
+      organization: '{AUTH0_ORGANIZATION}'
+    }
+%>
+```
+
+Alternatively you can configure the organization when you register the provider:
+
+```ruby
+provider
+  :auth0,
+  ENV['AUTH0_CLIENT_ID'],
+  ENV['AUTH0_CLIENT_SECRET'],
+  ENV['AUTH0_DOMAIN'],
+  {
+    authorize_params: {
+      scope: 'openid read:users',
+      audience: 'https://{AUTH0_DOMAIN}/api',
+      organization: '{AUTH0_ORGANIZATION}'
+    }
+  }
+```
+
+#### Accepting user invitations
+
+Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard.
+
+When the user arrives at your application using an invite link, you can expect three query parameters to be provided: `invitation`, `organization`, and `organization_name`. These will always be delivered using a GET request.
+
+You can then supply those parametrs to a `button_to` or `link_to` helper
+
+```ruby
+<%= 
+    button_to 'Login', 'auth/auth0',
+    method: :post,
+    params: {
+      organization: '{YOUR_ORGANIZATION_ID}',
+      invitation: '{INVITE_CODE}'
+    }
+%>
+```
+
 ## Contribution
 
 We appreciate feedback and contribution to this repo! Before you get started, please see the following:

data/lib/omniauth-auth0/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Auth0
-    VERSION = '2.5.0'.freeze
+    VERSION = '2.6.0'.freeze
   end
 end

data/lib/omniauth/auth0/jwt_validator.rb

@@ -174,6 +174,7 @@ module OmniAuth
         leeway = authorize_params[:leeway] || 60
         max_age = authorize_params[:max_age]
         nonce = authorize_params[:nonce]
+        organization = authorize_params[:organization]
 
         verify_iss(id_token)
         verify_sub(id_token)
@@ -183,6 +184,7 @@ module OmniAuth
         verify_nonce(id_token, nonce)
         verify_azp(id_token)
         verify_auth_time(id_token, leeway, max_age)
+        verify_org(id_token, organization)
       end
 
       def verify_iss(id_token)
@@ -260,6 +262,17 @@ module OmniAuth
           end
         end
       end
+
+      def verify_org(id_token, organization)
+        if organization
+          org_id = id_token['org_id']
+          if !org_id || !org_id.is_a?(String)
+            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim must be a string present in the ID token")
+          elsif org_id != organization
+            raise OmniAuth::Auth0::TokenValidationError.new("Organization Id (org_id) claim value mismatch in the ID token; expected '#{organization}', found '#{org_id}'")
+          end
+        end
+      end
     end
   end
 end

data/lib/omniauth/strategies/auth0.rb

@@ -84,7 +84,7 @@ module OmniAuth
       # Define the parameters used for the /authorize endpoint
       def authorize_params
         params = super
-        %w[connection connection_scope prompt screen_hint].each do |key|
+        %w[connection connection_scope prompt screen_hint login_hint organization invitation].each do |key|
           params[key] = request.params[key] if request.params.key?(key)
         end
 

data/spec/omniauth/auth0/jwt_validator_spec.rb

@@ -476,6 +476,41 @@ describe OmniAuth::Auth0::JWTValidator do
       expect(id_token['auth_time']).to eq(auth_time)
     end
 
+    it 'should fail when authorize params has organization but org_id is missing in the token', focus: true do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token, { organization: 'Test Org' })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Organization Id (org_id) claim must be a string present in the ID token"
+      }))
+    end
+
+    it 'should fail when authorize params has organization but token org_id does not match', focus: true do
+      payload = {
+        iss: "https://#{domain}/",
+        sub: 'sub',
+        aud: client_id,
+        exp: future_timecode,
+        iat: past_timecode,
+        org_id: 'Wrong Org'
+      }
+
+      token = make_hs256_token(payload)
+      expect do
+        jwt_validator.verify(token, { organization: 'Test Org' })
+      end.to raise_error(an_instance_of(OmniAuth::Auth0::TokenValidationError).and having_attributes({
+        message: "Organization Id (org_id) claim value mismatch in the ID token; expected 'Test Org', found 'Wrong Org'"
+      }))
+    end
+
     it 'should fail for RS256 token when kid is incorrect' do
       domain = 'example.org'
       sub = 'abc123'

data/spec/omniauth/strategies/auth0_spec.rb

@@ -91,6 +91,9 @@ describe OmniAuth::Strategies::Auth0 do
       expect(redirect_url).not_to have_query('connection_scope')
       expect(redirect_url).not_to have_query('prompt')
       expect(redirect_url).not_to have_query('screen_hint')
+      expect(redirect_url).not_to have_query('login_hint')
+      expect(redirect_url).not_to have_query('organization')
+      expect(redirect_url).not_to have_query('invitation')
     end
 
     it 'redirects to hosted login page' do
@@ -107,6 +110,9 @@ describe OmniAuth::Strategies::Auth0 do
       expect(redirect_url).not_to have_query('connection_scope')
       expect(redirect_url).not_to have_query('prompt')
       expect(redirect_url).not_to have_query('screen_hint')
+      expect(redirect_url).not_to have_query('login_hint')
+      expect(redirect_url).not_to have_query('organization')
+      expect(redirect_url).not_to have_query('invitation')
     end
 
     it 'redirects to the hosted login page with connection_scope' do
@@ -130,6 +136,9 @@ describe OmniAuth::Strategies::Auth0 do
       expect(redirect_url).to have_query('prompt', 'login')
       expect(redirect_url).not_to have_query('auth0Client')
       expect(redirect_url).not_to have_query('connection')
+      expect(redirect_url).not_to have_query('login_hint')
+      expect(redirect_url).not_to have_query('organization')
+      expect(redirect_url).not_to have_query('invitation')
     end
 
     it 'redirects to hosted login page with screen_hint=signup' do
@@ -144,6 +153,47 @@ describe OmniAuth::Strategies::Auth0 do
       expect(redirect_url).to have_query('screen_hint', 'signup')
       expect(redirect_url).not_to have_query('auth0Client')
       expect(redirect_url).not_to have_query('connection')
+      expect(redirect_url).not_to have_query('login_hint')
+      expect(redirect_url).not_to have_query('organization')
+      expect(redirect_url).not_to have_query('invitation')
+    end
+
+    it 'redirects to hosted login page with organization=TestOrg and invitation=TestInvite' do
+      get 'auth/auth0?organization=TestOrg&invitation=TestInvite'
+      expect(last_response.status).to eq(302)
+      redirect_url = last_response.headers['Location']
+      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+      expect(redirect_url).to have_query('response_type', 'code')
+      expect(redirect_url).to have_query('state')
+      expect(redirect_url).to have_query('client_id')
+      expect(redirect_url).to have_query('redirect_uri')
+      expect(redirect_url).to have_query('organization', 'TestOrg')
+      expect(redirect_url).to have_query('invitation', 'TestInvite')
+      expect(redirect_url).not_to have_query('auth0Client')
+      expect(redirect_url).not_to have_query('connection')
+      expect(redirect_url).not_to have_query('connection_scope')
+      expect(redirect_url).not_to have_query('prompt')
+      expect(redirect_url).not_to have_query('screen_hint')
+      expect(redirect_url).not_to have_query('login_hint')
+    end
+
+    it 'redirects to hosted login page with login_hint=example@mail.com' do
+      get 'auth/auth0?login_hint=example@mail.com'
+      expect(last_response.status).to eq(302)
+      redirect_url = last_response.headers['Location']
+      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+      expect(redirect_url).to have_query('response_type', 'code')
+      expect(redirect_url).to have_query('state')
+      expect(redirect_url).to have_query('client_id')
+      expect(redirect_url).to have_query('redirect_uri')
+      expect(redirect_url).to have_query('login_hint', 'example@mail.com')
+      expect(redirect_url).not_to have_query('auth0Client')
+      expect(redirect_url).not_to have_query('connection')
+      expect(redirect_url).not_to have_query('connection_scope')
+      expect(redirect_url).not_to have_query('prompt')
+      expect(redirect_url).not_to have_query('screen_hint')
+      expect(redirect_url).not_to have_query('organization')
+      expect(redirect_url).not_to have_query('invitation')
     end
 
     describe 'callback' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-auth0
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.6.0
 platform: ruby
 authors:
 - Auth0
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-21 00:00:00.000000000 Z
+date: 2021-04-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -118,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.9
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: OmniAuth OAuth2 strategy for the Auth0 platform.