omniauth-entra-id 3.0.1 → 3.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8558b73bf91e883370f1545996ad524af244f85a42f2226d959f7ec5ff1aad7c
-  data.tar.gz: 20d399da5278f50bd30e286011d27f5b9bf0927137d45897ac5d3222dcdb9973
+  metadata.gz: f88d4d932a03e4edf7a69461140c83eab2a408c1c61798acc5e26bedfdf0519f
+  data.tar.gz: 78928ac033c9a312d47491c7414f0fee3962144d97bbae3150a519ff7226c6bb
 SHA512:
-  metadata.gz: aec624842a87a29eda78e9015fb3b82313ec17f8538b6d62ea8f9adf7b86d89df3f349d2880729a20c703c26a91b84a2feb69abf177080495117a00b3801f80b
-  data.tar.gz: 8e2528b185ad7577504a592cb09663e1891035c10ea65e856019374eafa03aa81c8e932bc1aedbbbdfbf1db17ede59c36cac76cb8f5088c0b47573cdeac13a1f
+  metadata.gz: f1333c75cc62116751fbb81277b8139597cc8cb776f17cfd6acae367b4d2d9f94ad8e00cafdac68ec26bd1ac8a2157333246da52b07e3145c3ca44d74d4a3865
+  data.tar.gz: f9b3ab664ca1275af9d6b8bfbe3714c47080d3c506a2188833bfa9adbc5ee32c77fed8e2f758ee22071c7d503e45c601913cbb9c19ef6e15f2ddf3b828369bbb

data/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Change Log
 
+## v3.1.1 (2025-09-12)
+
+* Validates the JWT `iss` (issuer) claim for `consumers` tenants properly, using the global GUID for that use case, resolving #51 (reported by @2called-chaos)
+
+## v3.1.0 (2025-06-17)
+
+* Provides a way to ignore TID when constructing a user UID, easing migration from v2.x, via the new `ignore_tid` option, resolving #42 (reported by @s-andringa)
+* Handles a missing (`nil`) TID, via #46 (thanks to @frenkel)
+* Ruby 3.4 "officially" supported through coverage in CI, via #47 (thanks to @hakeem0114)
+* Supports JWT gem v2.9.x or v3.x, via #48 (thanks to @djpremier)
+
 ## v3.0.1 (2024-11-21)
 
 * Fixes a minor error in [`UPGRADING.md`](UPGRADING.md) reported in #38, via #40 (thanks to @kennethgeerts)

data/README.md

@@ -104,19 +104,20 @@ To have your application authenticate with Entra via a client secret, specify `c
 
 If you're using the client assertion flow, you need to register your certificate in the Entra portal. For more information, please see [the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials).
 
-| Option | Use |
-| ------ | --- |
-| `client_id`        | **Mandatory.** Client ID for the 'application' (integration) configured on the Entra side. Found via the Entra UI. |
-| `client_secret`    | **Mandatory for client secret flow.** Client secret for the 'application' (integration) configured on the Entra side. Found via the Entra UI. Don't give this if using client assertion flow. |
-| `certificate_path` | **Mandatory for client assertion flow.** Don't give this if using a client secret instead of client assertion. This should be the filepath to a PKCS#12 file. |
-| `tenant_id`        | **Mandatory for client assertion flow.** Entra Tenant ID for multi-tenanted use. Default is `common`. Forms part of the Entra OAuth URL - `{base}/{tenant_id}/oauth2/v2.0/...` |
-| `base_url`         | Location of Entra login page, for specialised requirements; default is `OmniAuth::Strategies::EntraId::BASE_URL` (at the time of writing, this is `https://login.microsoftonline.com`). |
-| `tenant_name`      | For what is currently known by its old name of "Azure ActiveDirectory B2C" (and only active if `custom_policy` is also provided - see below), set the tenancy name to constructs the correct B2C endpoint of `{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/{custom_policy>}" and uses that for auth calls. This is a convenience feature; the `base_entra_url` option could also be manually built up in the same way. |
-| `custom_policy`    | Custom policy. Default is nil. Used in conjunction with `tenant_name`- see above. |
-| `authorize_params` | Additional parameters passed as URL query data in the initial OAuth redirection to Microsoft. See below for more. Empty Hash default. |
-| `domain_hint`      | If defined, sets (overwriting, if already present) `domain_hint` inside `authorize_params`. Default `nil` / none. |
-| `scope`            | If defined, sets (overwriting, if already present) `scope` inside `authorize_params`. Default is `OmniAuth::Strategies::EntraId::DEFAULT_SCOPE` (at the time of writing, this is `'openid profile email'`).  |
-| `adfs?` or `adfs`  | If set to `true`, modifies the URLs so they work with an on-premise AD FS server (Active Directory Federation Services). In order to use this you also need to set the `base_url` correctly and fill the `tenant_id` with `'adfs'`. Note that the option name variation without the question mark only works for directly-specified options; provider classes must always define an override method called `adfs?`. |
+| Option                        | Use |
+| ----------------------------- | --- |
+| `client_id`                   | **Mandatory.** Client ID for the 'application' (integration) configured on the Entra side. Found via the Entra UI. |
+| `client_secret`               | **Mandatory for client secret flow.** Client secret for the 'application' (integration) configured on the Entra side. Found via the Entra UI. Don't give this if using client assertion flow. |
+| `certificate_path`            | **Mandatory for client assertion flow.** Don't give this if using a client secret instead of client assertion. This should be the filepath to a PKCS#12 file. |
+| `tenant_id`                   | **Mandatory for client assertion flow.** Entra Tenant ID for multi-tenanted use. Default is `common`. Forms part of the Entra OAuth URL - `{base}/{tenant_id}/oauth2/v2.0/...` |
+| `base_url`                    | Location of Entra login page, for specialised requirements; default is `OmniAuth::Strategies::EntraId::BASE_URL` (at the time of writing, this is `https://login.microsoftonline.com`). |
+| `tenant_name`                 | For what is currently known by its old name of "Azure ActiveDirectory B2C" (and only active if `custom_policy` is also provided - see below), set the tenancy name to constructs the correct B2C endpoint of `{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/{custom_policy>}" and uses that for auth calls. This is a convenience feature; the `base_entra_url` option could also be manually built up in the same way. |
+| `custom_policy`               | Custom policy. Default is nil. Used in conjunction with `tenant_name`- see above. |
+| `authorize_params`            | Additional parameters passed as URL query data in the initial OAuth redirection to Microsoft. See below for more. Empty Hash default. |
+| `domain_hint`                 | If defined, sets (overwriting, if already present) `domain_hint` inside `authorize_params`. Default `nil` / none. |
+| `scope`                       | If defined, sets (overwriting, if already present) `scope` inside `authorize_params`. Default is `OmniAuth::Strategies::EntraId::DEFAULT_SCOPE` (at the time of writing, this is `'openid profile email'`). |
+| `ìgnore_tid?` or `ignore_tid` | If set to `true`, tenant ID (TID) is *not* included for a user's UID from Entra. Use if you are confident that an Entra OID will be globally unique and have existing OID-only UIDs in use. Default is `false`; both TID and OID are used to form a UID. Note that the option name variation without the question mark only works for directly-specified options; provider classes must always define an override method called `ignore_tid?`. |
+| `adfs?` or `adfs`             | If set to `true`, modifies the URLs so they work with an on-premise AD FS server (Active Directory Federation Services). In order to use this you also need to set the `base_url` correctly and fill the `tenant_id` with `'adfs'`. Note that the option name variation without the question mark only works for directly-specified options; provider classes must always define an override method called `adfs?`. |
 
 In addition, as a special case, if the request URL contains a query parameter `prompt`, then this will be written into `authorize_params` under that key, overwriting if present any other value there. Note that this comes from the current request URL at the time OAuth flow is commencing, _not_ via static options Hash data or via a custom provider class - but you _could_ just as easily set `scope` inside a custom `authorize_params` returned from a provider class, as shown in an example later; the request URL query mechanism is just another way of doing the same thing.
 

data/UPGRADING.md

@@ -73,9 +73,11 @@ This change is for UIDs and is the main reason for creating a V3 gem, whether or
 * The UID returned by OmniAuth for a user previously depended upon the `oid` (object ID) returned by Microsoft. As noted in #33 and fixed in #34, this _might not be unique_ and tenant ID (`tid`) is supposed to be considered too.
 * Out-of-box, Entra ID will do this. If you were an Azure ActiveDirectory V2 (old-name gem, version 2.x) user, then you will have been receiving different UIDs based only on the `oid` from Microsoft.
 * **The change of OID might break the connection between a previously-registered and logged in user and a new login** as usually, you need to store the OmniAuth UID somewhere alongside or within your User records when a user is "connected to" an external OAuth service such as Entra ID.
+* **However, there is a strong argument that TID is not needed** - see https://github.com/pond/omniauth-entra-id/issues/42 for a good argument to that end.
 
-You have two options, should the issue affect you (and it almost certainly will).
+You have three options, should the issue affect you (and it almost certainly will).
 
+* If you are confident that you still only need the OID, set the `ignore_tid` option to `true` alongside `client_id` and `client_secret` in your OmniAuth Entra ID initialiser or your custom provider class given to that initialiser, if you use one. See the top-level `README.md` for more.
 * If you can determine the tenant IDs for all users in your database, you can just migrate the UIDs. The new UID is just a simple concatenation of tenant ID and object ID, so treating the UID as a string, add the tenant ID as a prefix without any other changes in your migration and things should work fine thereafter.
 * Otherwise, you should lazy-migrate:
   - As usual, in your OAuth callback handler, `request.env['omniauth.auth'].uid` gives the UID - but now that's the "new" Entra gem's value which includes tenant ID.

data/lib/omniauth/entra_id/version.rb

@@ -1,8 +1,8 @@
 module OmniAuth
   module Entra
     module Id
-      VERSION = "3.0.1"
-      DATE    = "2024-11-21"
+      VERSION = "3.1.1"
+      DATE    = "2025-09-12"
     end
   end
 end

data/lib/omniauth/strategies/entra_id.rb

@@ -9,14 +9,18 @@ module OmniAuth
 
       option :name,            'entra_id'
       option :tenant_provider, nil
+      option :ignore_tid,      false
       option :jwt_leeway,      60
 
-      DEFAULT_SCOPE    = 'openid profile email'
-      COMMON_TENANT_ID = 'common'
-      AD_FS_TENANT_ID  = 'adfs'
+      DEFAULT_SCOPE           = 'openid profile email'
+      COMMON_TENANT_ID        = 'common'
+      AD_FS_TENANT_ID         = 'adfs'
+      ORGANIZATIONS_TENANT_ID = 'organizations'
+      CONSUMERS_TENANT_ID     = 'consumers'
+      CONSUMERS_TENANT_GUID   = '9188040d-6c67-4c5b-b112-36a304b66dad'
 
-      # The tenant_provider must return client_id, client_secret and,
-      # optionally, tenant_id and base_url.
+      # The tenant_provider argument is how the provider class is eventually
+      # passed to us, if one is used instead of an options Hash.
       #
       args [:tenant_provider]
 
@@ -58,6 +62,7 @@ module OmniAuth
         options.custom_policy                = provider.custom_policy    if provider.respond_to?(:custom_policy)
         options.authorize_params             = provider.authorize_params if provider.respond_to?(:authorize_params)
         options.authorize_params.domain_hint = provider.domain_hint      if provider.respond_to?(:domain_hint) && provider.domain_hint
+        options.ignore_tid                   = provider.ignore_tid?      if provider.respond_to?(:ignore_tid?) && provider.ignore_tid?
         options.authorize_params.prompt      = request.params['prompt']  if defined?(request) && request.params['prompt']
 
         options.authorize_params.scope = if defined?(request) && request.params['scope']
@@ -88,14 +93,32 @@ module OmniAuth
 
       uid do
         #
-        # https://learn.microsoft.com/en-us/entra/identity-platform/migrate-off-email-claim-authorization
+        # Note 1:
+        #
+        #   https://learn.microsoft.com/en-us/entra/identity-platform/migrate-off-email-claim-authorization
         #
         # OID alone might not be unique; TID must be included. An alternative
         # would be to use 'sub' but this is only unique in client/app
         # registration context. If a different app registration is used, the
-        # 'sub' values can be different too.
+        # 'sub' values can be different too...
+        #
+        # Note 2:
+        #
+        #   https://github.com/pond/omniauth-entra-id/issues/42
         #
-        raw_info['tid'] + raw_info['oid']
+        # ...but not everyone agrees on the necessity of a TID and if migrating
+        # from an earlier version of this gem where user data already includes
+        # OID-only identifiers, you might elect to avoid a difficult migration
+        # by opting out - set the "ignore_tid" option to 'true'.
+        #
+        # NB: If the TID is missing or blank the UID uses only the OID, just as
+        # if the "ignore_tid" option were set.
+        #
+        if options.ignore_tid? || raw_info['tid'].nil?
+          raw_info['oid']
+        else
+          raw_info['tid'] + raw_info['oid']
+        end
       end
 
       info do
@@ -140,6 +163,8 @@ module OmniAuth
           # for AD FS local instances, as we don't put a valid tenant ID in its
           # place, but "adfs" (see AD_FS_TENANT_ID) instead.
           #
+          # TODO: Unclear about approach to use for ORGANIZATIONS_TENANT_ID.
+          #
           do_not_verify = (
             options.tenant_id.nil? ||
             options.tenant_id == COMMON_TENANT_ID ||
@@ -148,22 +173,22 @@ module OmniAuth
 
           issuer = if do_not_verify
             nil
+          elsif options.tenant_id == CONSUMERS_TENANT_ID
+            "#{options.base_url || BASE_URL}/#{CONSUMERS_TENANT_GUID}/v2.0"
           else
             "#{options.base_url || BASE_URL}/#{options.tenant_id}/v2.0"
           end
 
           # https://learn.microsoft.com/en-us/entra/identity-platform/id-tokens#validate-tokens
           #
-          JWT::Verify.verify_claims(
-            id_token_data,
-            verify_iss:        !issuer.nil?,
-            iss:               issuer,
-            verify_aud:        true,
-            aud:               options.client_id,
-            verify_expiration: true,
-            verify_not_before: true,
-            leeway:            options[:jwt_leeway]
-          )
+          verify_params = {
+            aud: options.client_id,
+            exp: { leeway: options.jwt_leeway },
+            nbf: { leeway: options.jwt_leeway }
+          }
+          verify_params[:iss] = issuer unless issuer.nil?
+
+          ::JWT::Claims.verify_payload!(id_token_data, verify_params)
 
           auth_token_data = begin
             ::JWT.decode(access_token.token, nil, false).first

data/omniauth-entra-id.gemspec

@@ -14,7 +14,7 @@ Gem::Specification.new do |s|
   s.authors               = [ 'RIPA Global'        ]
   s.email                 = [ 'dev@ripaglobal.com' ]
   s.licenses              = [ 'MIT'               ]
-  s.homepage              = 'https://github.com/RIPAGlobal/omniauth-entra-id'
+  s.homepage              = 'https://github.com/pond/omniauth-entra-id'
 
   s.required_ruby_version = Gem::Requirement.new('>= 3.0.0')
   s.require_paths         = ['lib']
@@ -39,15 +39,16 @@ Gem::Specification.new do |s|
   }
 
   s.metadata = {
-    'homepage_uri'    => 'https://www.ripaglobal.com/',
-    'bug_tracker_uri' => 'https://github.com/RIPAGlobal/omniauth-entra-id/issues/',
-    'changelog_uri'   => 'https://github.com/RIPAGlobal/omniauth-entra-id/blob/master/CHANGELOG.md',
-    'source_code_uri' => 'https://github.com/RIPAGlobal/omniauth-entra-id'
+    'homepage_uri'    => s.homepage,
+    'bug_tracker_uri' => 'https://github.com/pond/omniauth-entra-id/issues/',
+    'changelog_uri'   => 'https://github.com/pond/omniauth-entra-id/blob/master/CHANGELOG.md',
+    'source_code_uri' => 'https://github.com/pond/omniauth-entra-id'
   }
 
-  s.add_runtime_dependency('omniauth-oauth2', '~> 1.8')
+  s.add_runtime_dependency 'jwt',             '>= 2.9.2'
+  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.8'
 
-  s.add_development_dependency('debug', '~>  1.9 ')
-  s.add_development_dependency('rake',  '~> 13.2 ')
-  s.add_development_dependency('rspec', '~>  3.13')
+  s.add_development_dependency 'debug', '~>  1.11'
+  s.add_development_dependency 'rake',  '~> 13.3'
+  s.add_development_dependency 'rspec', '~>  3.13'
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-entra-id
 version: !ruby/object:Gem::Version
-  version: 3.0.1
+  version: 3.1.1
 platform: ruby
 authors:
 - RIPA Global
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-11-21 00:00:00.000000000 Z
+date: 2025-09-12 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.2
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
@@ -30,28 +44,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.9'
+        version: '1.11'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.9'
+        version: '1.11'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.2'
+        version: '13.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.2'
+        version: '13.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +100,14 @@ files:
 - lib/omniauth/entra_id/version.rb
 - lib/omniauth/strategies/entra_id.rb
 - omniauth-entra-id.gemspec
-homepage: https://github.com/RIPAGlobal/omniauth-entra-id
+homepage: https://github.com/pond/omniauth-entra-id
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://www.ripaglobal.com/
-  bug_tracker_uri: https://github.com/RIPAGlobal/omniauth-entra-id/issues/
-  changelog_uri: https://github.com/RIPAGlobal/omniauth-entra-id/blob/master/CHANGELOG.md
-  source_code_uri: https://github.com/RIPAGlobal/omniauth-entra-id
+  homepage_uri: https://github.com/pond/omniauth-entra-id
+  bug_tracker_uri: https://github.com/pond/omniauth-entra-id/issues/
+  changelog_uri: https://github.com/pond/omniauth-entra-id/blob/master/CHANGELOG.md
+  source_code_uri: https://github.com/pond/omniauth-entra-id
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -109,7 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.21
+rubygems_version: 3.5.16
 signing_key:
 specification_version: 4
 summary: OAuth 2 authentication with the Entra ID API.