omniauth-entra-id 3.0.0 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 12d51e6e7781fc58e98afb3631c673ffe033f6b606ddb549df20e8baaae1c5af
-  data.tar.gz: 8b507bae0a8bbf2e72601e3e3be9c9d0513977528988ee04f9f70b5a8ce1672d
+  metadata.gz: 8558b73bf91e883370f1545996ad524af244f85a42f2226d959f7ec5ff1aad7c
+  data.tar.gz: 20d399da5278f50bd30e286011d27f5b9bf0927137d45897ac5d3222dcdb9973
 SHA512:
-  metadata.gz: 3595a1f659a7429216de6f00a39949b4a70655e4505bf6d126e9ea158569b977f0a7af8ebddb3df7791f89e85ad1ca35b53d926fc8bc6727d5477a06b20fc18a
-  data.tar.gz: c090da890e3c2c2edd5a4f36e922f5eadae2caf498c5cd9ba398eaba6c62c2ef055ff4cf4da487dc353cf79438abd8004c2c6cb09e9fe8024184c51b2e77642d
+  metadata.gz: aec624842a87a29eda78e9015fb3b82313ec17f8538b6d62ea8f9adf7b86d89df3f349d2880729a20c703c26a91b84a2feb69abf177080495117a00b3801f80b
+  data.tar.gz: 8e2528b185ad7577504a592cb09663e1891035c10ea65e856019374eafa03aa81c8e932bc1aedbbbdfbf1db17ede59c36cac76cb8f5088c0b47573cdeac13a1f

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Change Log
 
+## v3.0.1 (2024-11-21)
+
+* Fixes a minor error in [`UPGRADING.md`](UPGRADING.md) reported in #38, via #40 (thanks to @kennethgeerts)
+* Fixes incorrect attempt to verify JWT token issuer when the AD FS tenant `adfs` is specified, via #39 (thanks to @washu)
+
 ## v3.0.0 (2024-10-22)
 
 * To upgrade from the Azure ActiveDirectory V2 gem, please see [`UPGRADING.md`](UPGRADING.md)

data/README.md

@@ -116,7 +116,7 @@ If you're using the client assertion flow, you need to register your certificate
 | `authorize_params` | Additional parameters passed as URL query data in the initial OAuth redirection to Microsoft. See below for more. Empty Hash default. |
 | `domain_hint`      | If defined, sets (overwriting, if already present) `domain_hint` inside `authorize_params`. Default `nil` / none. |
 | `scope`            | If defined, sets (overwriting, if already present) `scope` inside `authorize_params`. Default is `OmniAuth::Strategies::EntraId::DEFAULT_SCOPE` (at the time of writing, this is `'openid profile email'`).  |
-| `adfs`             | If defined, modifies the URLs so they work with an on premise ADFS server. In order to use this you also need to set the `base_url` correctly and fill the `tenant_id` with `'adfs'`. |
+| `adfs?` or `adfs`  | If set to `true`, modifies the URLs so they work with an on-premise AD FS server (Active Directory Federation Services). In order to use this you also need to set the `base_url` correctly and fill the `tenant_id` with `'adfs'`. Note that the option name variation without the question mark only works for directly-specified options; provider classes must always define an override method called `adfs?`. |
 
 In addition, as a special case, if the request URL contains a query parameter `prompt`, then this will be written into `authorize_params` under that key, overwriting if present any other value there. Note that this comes from the current request URL at the time OAuth flow is commencing, _not_ via static options Hash data or via a custom provider class - but you _could_ just as easily set `scope` inside a custom `authorize_params` returned from a provider class, as shown in an example later; the request URL query mechanism is just another way of doing the same thing.
 

data/UPGRADING.md

@@ -45,7 +45,7 @@ https://example.com/v1/auth/azure_activedirectory_v2/callback
 ...is now:
 
 ```
-https://example.com/v1/auth/entra/callback
+https://example.com/v1/auth/entra_id/callback
 ```
 
 ### URL generation
@@ -65,8 +65,8 @@ omniauth_authorize_url('resource_name_eg_user', 'entra_id', scope: '...')
 
 
 ## Updates due to other breaking changes
-
-### Critical breaking change for all gem users
+### Change affecting all gem users
+#### UIDs will change
 
 This change is for UIDs and is the main reason for creating a V3 gem, whether or not it included the Entra name change.
 
@@ -85,13 +85,68 @@ You have two options, should the issue affect you (and it almost certainly will)
   - For better security add something like an indexed boolean column indicating whether or not the user has been thus migrated and only perform old OID lookups on users which have not yet been migrated.
   - If the user can't be found by either means, then they've not been connected to your system yet. Your existing handling path for such a condition applies.
 
-### Applications that handle multiple OAuth providers
+#### Applications that handle multiple OAuth providers
 
 If your user records contain users that have 'connected' to more than one kind of OAuth provider, then as well as the third party's UID being stored for future logins, you'll most likely have stored the OmniAuth provider name too so that the UID can be looked up in a provider's context (there's no guarantee, of course, that UIDs are unique *between providers* since they're entirely independent entities with their own strategies for allocating unique IDs).
 
 In that case, you will need to migrate records from the old `azure_activedirectory_v2` name to `entra_id`. **Zero-downtime deployment of this change would be very hard since your codebase would need to update from the Azure ActiveDirectory V2 gem to the Entra ID gem with the migration running simultaneously**, so if you need to do such a migration, then you probably should plan for a small maintenance window. At the scheduled time, go into maintenance mode, migrate, deploy, and restore normal service. Even without this, though, the 'worst that can happen' (in theory!) would be temporary user login failures. Either the Entra gem will be causing you to look for a user with an `entra_id` provider but the migration to set this hasn't run yet, or the other way round, with the old gem looking for the old provider name but it's already updated.
 
-### Breaking changes that depend on whether or not you use a certain feature
+#### Example migration code
+
+Suppose you support multiple providers and your User table stores their chosen provider in a column `auth_provider`, with their UID in `auth_uid`. An (irreversible) database migration might do this:
+
+```ruby
+def up
+  add_column :users, :migrated_to_entra, :boolean
+
+  User
+    .where(auth_provider: 'azure_activedirectory_v2')
+    .update_all(
+      auth_provider:     'entra_id',
+      migrated_to_entra: false
+    )
+end
+
+def down
+  raise ActiveRecord::IrreversibleMigration
+end
+```
+
+This means the `migrated_to_entra` column is only ever `false` for existing users that were linked using the V2 gem. Everything else will be at `NULL`. Now you lazy-move those users to the new UID format in the code you use to look up a user in your OmniAuth OAuth 2 callback handler, e.g. via a method such as this:
+
+```ruby
+# Here, "raw_info" comes from e.g.:
+#
+#   request.env['omniauth.auth'].extra&.dig('raw_info') || {}
+#
+def find_user_for_omniauth(auth_provider:, auth_uid:, raw_info:)
+  found_user = User.find_by(
+    auth_provider: auth_provider,
+    auth_uid:      auth_uid
+  )
+
+  if found_user.nil? && auth_provider == 'entra_id'
+    found = User.find_by(
+      auth_provider:     'entra_id',
+      auth_uid:          raw_info['oid'],
+      migrated_to_entra: false
+    )
+
+    if found
+      found.update_columns(
+        auth_uid:          auth_uid,
+        migrated_to_entra: true
+      )
+    end
+  end
+
+  return found_user
+end
+```
+
+Once there are no rows with a `migrated_to_entra` value of `false` for _active_ users, you will be able to drop the column and remove the lazy migration code.
+
+### Other changes that might affect you
 
 * If you refer to `OmniAuth::Strategies::AzureActivedirectoryV2` at all, then this becomes `OmniAuth::Strategies::EntraId` (note lower case "d").
 * `base_azure_url` option renamed to just `base_url` with corresponding rename of `OmniAuth::Strategies::AzureActivedirectoryV2::BASE_AZURE_URL` to `OmniAuth::Strategies::EntraId::BASE_URL`.

data/lib/omniauth/entra_id/version.rb

@@ -1,8 +1,8 @@
 module OmniAuth
   module Entra
     module Id
-      VERSION = "3.0.0"
-      DATE    = "2024-10-22"
+      VERSION = "3.0.1"
+      DATE    = "2024-11-21"
     end
   end
 end

data/lib/omniauth/strategies/entra_id.rb

@@ -13,6 +13,7 @@ module OmniAuth
 
       DEFAULT_SCOPE    = 'openid profile email'
       COMMON_TENANT_ID = 'common'
+      AD_FS_TENANT_ID  = 'adfs'
 
       # The tenant_provider must return client_id, client_secret and,
       # optionally, tenant_id and base_url.
@@ -135,9 +136,17 @@ module OmniAuth
 
           # For multi-tenant apps (the 'common' tenant_id) it doesn't make any
           # sense to verify the token issuer, because the value of 'iss' in the
-          # token depends on the 'tid' in the token itself.
+          # token depends on the 'tid' in the token itself. We should also skip
+          # for AD FS local instances, as we don't put a valid tenant ID in its
+          # place, but "adfs" (see AD_FS_TENANT_ID) instead.
           #
-          issuer = if options.tenant_id.nil? || options.tenant_id == COMMON_TENANT_ID
+          do_not_verify = (
+            options.tenant_id.nil? ||
+            options.tenant_id == COMMON_TENANT_ID ||
+            options.tenant_id == AD_FS_TENANT_ID
+          )
+
+          issuer = if do_not_verify
             nil
           else
             "#{options.base_url || BASE_URL}/#{options.tenant_id}/v2.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-entra-id
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.0.1
 platform: ruby
 authors:
 - RIPA Global
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-10-22 00:00:00.000000000 Z
+date: 2024-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2