omniauth-authentiq 0.2.4 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c323614903427d91eb0d56b75f1907c9209d5765
-  data.tar.gz: b0dad720d7799dcbe8772cd17ac38d8f36457d34
+  metadata.gz: b92dff3fe5645a8c22d26e3622920fb71668a534
+  data.tar.gz: b9f25da6236d3573fb99c7743a79632912707611
 SHA512:
-  metadata.gz: f2d7770e2302fb1b19d86d2e80f4869dba3bb0f8f32e52e54d6982d606ff24333b8cb3e7d16f2353cd2acb3ca59343396fde0366c2ac81771ff089a344660ef8
-  data.tar.gz: 9c2f2e24cfab3d7f50cccefec1791bbaceed59071e55750b04d19a177425f45b4385c2f269fa3493e61910f74c60506dc6426cee7799ed3ec6c9c8fe94350ac0
+  metadata.gz: 0d40049eeb8b95172ae2d8804afe3b9529913c1c4146aac457c8d3a5f1f4642744045fc4b85946681cf579b102593b5f77f4c1d48d01da9565863149e278ea18
+  data.tar.gz: d6fc8fdf6090da341bc0b70fdfbe455aab1c6245be9c15c4f985a970b02c6f2cb8ecbaf522b45346e56dfc380499080945bad7918a14c6a13e1bc1d551408f14

data/Gemfile

@@ -11,4 +11,5 @@ group :development, :test do
   gem 'guard-bundler'
   gem 'rb-fsevent'
   gem 'growl'
-end
+  gem 'simplecov'
+end

data/README.md

@@ -9,7 +9,7 @@ Application credentials (YOUR_CLIENT_ID and YOUR_CLIENT_SECRET below) can be obt
 Add this line to your application's Gemfile
 
 ```ruby
-gem 'omniauth-authentiq', '~> 0.2.3'
+gem 'omniauth-authentiq', '~> 0.3.0'
 ```
 
 Then bundle:
@@ -21,8 +21,7 @@ Then bundle:
 ```ruby
 use OmniAuth::Builder do
   provider :authentiq, ENV['AUTHENTIQ_KEY'], ENV['AUTHENTIQ_SECRET'],
-           scope: 'aq:name email~rs aq:push',
-           enable_remote_sign_out: false
+           scope: 'aq:name email~rs aq:push'
 end
 ```
 

data/lib/omniauth/authentiq/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Authentiq
-    VERSION = "0.2.4"
+    VERSION = "0.3.0"
   end
 end

data/lib/omniauth/strategies/authentiq.rb

@@ -1,22 +1,18 @@
 require 'omniauth-oauth2'
-
+require_relative 'helpers/helpers'
 module OmniAuth
   module Strategies
     class Authentiq < OmniAuth::Strategies::OAuth2
       autoload :BackChannelLogoutRequest, 'omniauth/strategies/oidc/back_channel_logout_request'
 
-      BASE_URL = 'https://connect.authentiq.io/'
-
       option :name, 'authentiq'
 
       option :client_options, {
-          :site => BASE_URL,
-          :authorize_url => '/authorize',
-          :token_url => '/token'
+          :site => 'https://connect.authentiq.io/',
+          :authorize_url => 'https://connect.authentiq.io/authorize',
+          :token_url => 'https://connect.authentiq.io/token'
       }
 
-      option :authorize_options, [:scope]
-
       # These are called after authentication has succeeded. If
       # possible, you should try to set the UID without making
       # additional calls (if the user id is returned with the
@@ -74,8 +70,17 @@ module OmniAuth
       end
 
       def decode_idtoken(idtoken)
-        @jwt_info = JWT.decode idtoken, nil, false
-        @jwt_info[0]
+        (JWT.decode idtoken, @options.client_secret, true, {
+            :algorithm => helpers.algorithm(@options),
+            :iss => @options.client_options.site,
+            :verify_iss => true,
+            :aud => @options.client_id,
+            :verify_aud => true,
+            :verify_iat => true,
+            :verify_jti => false,
+            :verify_sub => true,
+            :leeway => 60
+        })[0]
       end
 
       def should_sign_out?
@@ -91,6 +96,10 @@ module OmniAuth
       def backchannel_logout_request
         BackChannelLogoutRequest
       end
+
+      def helpers
+        Helpers
+      end
     end
   end
 end

data/lib/omniauth/strategies/helpers/helpers.rb

@@ -0,0 +1,10 @@
+class Helpers
+  def self.algorithm(options = {})
+    @options = options
+    if @options.algorithm != nil && (%w(HS256 RS256 ES256).include? @options.client_signed_response_alg)
+      @options.client_signed_response_alg
+    else
+      'HS256'
+    end
+  end
+end

data/lib/omniauth/strategies/oidc/back_channel_logout_request.rb

@@ -1,3 +1,5 @@
+require_relative '../helpers/helpers'
+
 module OmniAuth
   module Strategies
     class Authentiq
@@ -12,13 +14,19 @@ module OmniAuth
 
           begin
             result = sign_out_callback.call(*back_channel_logout_request)
-          rescue StandardError => err
-            result = back_channel_logout_response(400, [err.to_s])
+          rescue StandardError, ArgumentError, NotImplementedError => err
+            if err.class.equal?(ArgumentError)
+              result = back_channel_logout_response(400, [err.to_s])
+            elsif err.class.equal?(NotImplementedError)
+              result = back_channel_logout_response(501, [err.to_s])
+            else
+              result = back_channel_logout_response(400, [err.to_s])
+            end
           else
             if result
               result = back_channel_logout_response(200, ['Logout succeeded'])
             else
-              result = back_channel_logout_response(501, ['Authentiq session does not exist'])
+              result = back_channel_logout_response(404, ['Unknown session'])
             end
           ensure
             return unless result
@@ -38,8 +46,8 @@ module OmniAuth
         def decode_logout_token(logout_token)
           begin
             logout_jwt = JWT.decode logout_token, @options.client_secret, true, {
-                :algorithm => algorithm,
-                :iss => issuer,
+                :algorithm => helpers.algorithm(@options),
+                :iss => @options.client_options.site,
                 :verify_iss => true,
                 :aud => @options.client_id,
                 :verify_aud => true,
@@ -51,15 +59,13 @@ module OmniAuth
             if validate_events(logout_jwt[0]) && validate_nonce(logout_jwt[0]) && validate_sid(logout_jwt[0])
               @request.update_param('sid', logout_jwt[0]['sid'])
             else
-              raise 'Logout JWT validation failed. Missing session, events claim or nonce claim is present'
+              raise(ArgumentError, 'Logout JWT validation failed. Missing session, events claim or nonce claim is present')
             end
           end
         end
 
         def validate_events(logout_jwt)
-          logout_jwt.key?('events') &&
-              (logout_jwt['events'][0] == 'http://schemas.openid.net/event/backchannel-logout' ||
-                  logout_jwt['events'].key?('http://schemas.openid.net/event/backchannel-logout'))
+          logout_jwt.key?('events') && logout_jwt['events'].key?('http://schemas.openid.net/event/backchannel-logout')
         end
 
         def validate_nonce(logout_jwt)
@@ -71,10 +77,8 @@ module OmniAuth
             @options[:remote_sign_out_handler]
           else
             OmniAuth::logger.send(:warn, 'It look like remote logout is configured on your Authentiq client but \':remote_sign_out_handler\' is not implemented on devise or omniauth')
-            raise 'Remote sign out failed because the client\'s \':remote_sign_out_handler\' is not implemented on devise or omniauth'
+            raise(NotImplementedError, 'Remote sign out failed because the client\'s \':remote_sign_out_handler\' is not implemented on devise or omniauth')
           end
-
-
         end
 
         def validate_sid(logout_jwt)
@@ -91,16 +95,8 @@ module OmniAuth
           response
         end
 
-        def issuer
-          @options.issuer.nil? ? 'https://connect.authentiq.io/' : @options.issuer
-        end
-
-        def algorithm
-          if @options.algorithm != nil && (%w(HS256 RS256 ES256).include? @options.client_signed_response_alg)
-            @options.client_signed_response_alg
-          else
-            'HS256'
-          end
+        def helpers
+          Helpers
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-authentiq
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Alexandros Keramidas
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-02-10 00:00:00.000000000 Z
+date: 2017-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -48,6 +48,7 @@ files:
 - lib/omniauth/authentiq.rb
 - lib/omniauth/authentiq/version.rb
 - lib/omniauth/strategies/authentiq.rb
+- lib/omniauth/strategies/helpers/helpers.rb
 - lib/omniauth/strategies/oidc/back_channel_logout_request.rb
 - omniauth-authentiq.gemspec
 homepage: https://github.com/AuthentiqID/omniauth-authentiq