omniauth-auth0 2.6.0 → 3.0.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f45e6ee50254603367c7de482ce5537b48c5faf1bc7a4f2797cf461f21b37198
4
- data.tar.gz: 88eb699d3cf59148df15728b42d517e010bebe29617f1f9e972dc9656e5a79a2
3
+ metadata.gz: 0520b864e8bb97a9d82fed1babc9caa7097e101a1189b1c42cf15b1180ceb4df
4
+ data.tar.gz: 87e8bd695538c9b3b1121a3a3fd1e308d5ea8426e5a9e16085958b0c494f7dc2
5
5
  SHA512:
6
- metadata.gz: 829fd68186ab4685d7628b6a7c3a0cce95b1008396e6b6588e72b30ff7b077c103109bafe8e3e480539a07d715550fed27b2d73f537e505498a8b434655a0776
7
- data.tar.gz: 8d03a181ad81f1b08618f542d1971d298a9751ca5d02e949bcf8f60bbf4d6ba2ce3463e6f5ce5a01945a82f24ce7e6f67881192f3e4214a2d05bb556ba6ef66e
6
+ metadata.gz: ae02867645d43d7cd0002adeeba78a9a2af3022553766e4c93f64f612bcae587a1cb04c7552734b76fdf9bbc8802c1ad8821f79b28c11b24d66e20514e6bd937
7
+ data.tar.gz: 1d507d8fada206d902fbfd4f527728fc36918b2fa169f3c0e806b233afd10bf8ea0739afc3f57068c70e704d8ac6060b4d11929057840f7380f03e113a7b9171
data/CHANGELOG.md CHANGED
@@ -1,5 +1,38 @@
1
1
  # Change Log
2
2
 
3
+ ## [v3.0.0](https://github.com/auth0/omniauth-auth0/tree/v3.0.0) (2021-04-14)
4
+ Version 3.0 introduces [Omniauth v2.0](https://github.com/omniauth/omniauth/releases/tag/v2.0.0) which addresses [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284). Omniauth now defaults to only allow `POST` as the allowed request_phase method. This was previously handled through the recommended [mitigation](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284) using the `omniauth-rails_csrf_protection v0.x.x` gem to provide CSRF protection.
5
+
6
+ ### Upgrading to omniauth-rails_csrf_protection v1.0.0
7
+ If you are using `omniauth-rails_csrf_protection` to provide CSRF protection, you will need to be upgrade to `1.x.x`.
8
+
9
+ ### BREAKING CHANGES
10
+ Now that OmniAuth now defaults to only `POST` as the allowed request_phase method, if you aren't already, you will need to convert any login links to use [form helpers](https://api.rubyonrails.org/classes/ActionView/Helpers/FormHelper.html#method-i-form_for) with the `POST` method.
11
+
12
+ ```html+ruby
13
+ # OLD -- GET request
14
+ <a href='/auth/auth0'>Login</a>
15
+
16
+ # NEW Example #1 -- POST request
17
+ <%= link_to 'Login', 'auth/auth0', method: :post %>
18
+
19
+ # NEW Example #2 -- POST request
20
+ <%= button_to 'Login', 'auth/auth0', method: :post %>
21
+
22
+ # NEW Example #3 -- POST request
23
+ <%= form_tag('/auth/auth0', method: :post) do %>
24
+ <button type='submit'></button>
25
+ <% end %>
26
+ ```
27
+
28
+ ### Allowing GET Requests
29
+ In the scenario you absolutely must use GET requests as an allowed request method for authentication, you can override the protection provided with the following config override:
30
+
31
+ ```ruby
32
+ # Allowing GET requests will expose you to CVE-2015-9284
33
+ OmniAuth.config.allowed_request_methods = [:get, :post]
34
+ ```
35
+
3
36
  ## [v2.6.0](https://github.com/auth0/omniauth-auth0/tree/v2.6.0) (2021-04-01)
4
37
 
5
38
  [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.5.0...v2.6.0)
data/README.md CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
4
4
 
5
- > :warning: **Important security note:** This solution uses a 3rd party library with an unresolved [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284). Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution.
5
+ > :warning: **Important security note for v2:** This solution uses a 3rd party library that had a [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284) in v2. Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution in v2. **[Upgrading to v3](https://github.com/auth0/omniauth-auth0/pull/128) of this library resolves the issue.**
6
6
 
7
7
  [![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0)
8
8
  [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
@@ -138,9 +138,9 @@ Simply pass these query parameters to your OmniAuth redirect endpoint to enable
138
138
 
139
139
  ## Examples
140
140
 
141
- ### Auth0 Organizations (Closed Beta)
141
+ ### Auth0 Organizations
142
142
 
143
- Organizations is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
143
+ [Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
144
144
 
145
145
  Using Organizations, you can:
146
146
 
@@ -174,7 +174,7 @@ provider
174
174
  :auth0,
175
175
  ENV['AUTH0_CLIENT_ID'],
176
176
  ENV['AUTH0_CLIENT_SECRET'],
177
- ENV['AUTH0_DOMAIN'],
177
+ ENV['AUTH0_DOMAIN']
178
178
  {
179
179
  authorize_params: {
180
180
  scope: 'openid read:users',
@@ -184,6 +184,33 @@ provider
184
184
  }
185
185
  ```
186
186
 
187
+ When passing `openid` to the scope and `organization` to the authorize params, you will receive an ID token on callback with the `org_id` claim. This claim is validated for you by the SDK.
188
+
189
+ #### Validating Organizations when using Organization Login Prompt
190
+
191
+ When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known.
192
+
193
+ Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
194
+
195
+ In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token.
196
+
197
+ Here is an example using it in your `callback` method
198
+
199
+ ```ruby
200
+ def callback
201
+ claims = request.env['omniauth.auth']['extra']['raw_info']
202
+
203
+ if claims["org"] && claims["org"] !== expected_org
204
+ redirect_to '/unauthorized', status: 401
205
+ else
206
+ session[:userinfo] = claims
207
+ redirect_to '/dashboard'
208
+ end
209
+ end
210
+ ```
211
+
212
+ For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.
213
+
187
214
  #### Accepting user invitations
188
215
 
189
216
  Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard.
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module Auth0
3
- VERSION = '2.6.0'.freeze
3
+ VERSION = '3.0.0'.freeze
4
4
  end
5
5
  end
@@ -21,8 +21,8 @@ omniauth-auth0 is the OmniAuth strategy for Auth0.
21
21
  s.executables = `git ls-files -- bin/*`.split('\n').map{ |f| File.basename(f) }
22
22
  s.require_paths = ['lib']
23
23
 
24
- s.add_runtime_dependency 'omniauth', '~> 1.9'
25
- s.add_runtime_dependency 'omniauth-oauth2', '~> 1.5'
24
+ s.add_runtime_dependency 'omniauth', '~> 2.0'
25
+ s.add_runtime_dependency 'omniauth-oauth2', '~> 1.7'
26
26
 
27
27
  s.add_development_dependency 'bundler'
28
28
 
@@ -3,6 +3,8 @@
3
3
  require 'spec_helper'
4
4
  require 'jwt'
5
5
 
6
+ OmniAuth.config.allowed_request_methods = [:get, :post]
7
+
6
8
  RSpec.shared_examples 'site has valid domain url' do |url|
7
9
  it { expect(subject.site).to eq(url) }
8
10
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-auth0
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.6.0
4
+ version: 3.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Auth0
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-04-01 00:00:00.000000000 Z
11
+ date: 2021-04-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: '1.9'
19
+ version: '2.0'
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: '1.9'
26
+ version: '2.0'
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: omniauth-oauth2
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: '1.5'
33
+ version: '1.7'
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: '1.5'
40
+ version: '1.7'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: bundler
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -118,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
118
118
  - !ruby/object:Gem::Version
119
119
  version: '0'
120
120
  requirements: []
121
- rubygems_version: 3.1.2
121
+ rubygems_version: 3.2.16
122
122
  signing_key:
123
123
  specification_version: 4
124
124
  summary: OmniAuth OAuth2 strategy for the Auth0 platform.