omniauth-google-id-token 1.0.1 → 1.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c02ed8f51100b53f1a10ffd42db64294c227301291cd80560b03bed96e1c6e23
|
|
4
|
+
data.tar.gz: e79e6c4ce22a9f3b7a7eb7ab83df37f337208e2e76675c37b23089a90c81e1fe
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2f429d86224146727b18ea4b462c81eadfefe070e971e92c099572030a8bacd4d73be63d296b8730e9628e6b075709a3cea6ea3c093fb31abf4b3721b8ab94ee
|
|
7
|
+
data.tar.gz: 43672c465cf5ed00ac25ca7f94e3fc0d555d22dca99a97af5a19b043fd89863d5e4ac63d0189a300df38a7e94ce6c1bd764556ab0da89b2a10babf43feac8fdf
|
data/Gemfile
CHANGED
|
@@ -11,15 +11,13 @@ module OmniAuth
|
|
|
11
11
|
OmniAuth::Strategy.included(subclass)
|
|
12
12
|
end
|
|
13
13
|
|
|
14
|
-
BASE_SCOPES = %w[profile email openid].freeze
|
|
15
14
|
RESPONSE_TYPES = %w[token id_token].freeze
|
|
16
15
|
|
|
17
16
|
option :name, 'google_id_token'
|
|
18
|
-
option :uid_claim, 'sub'
|
|
19
17
|
option :client_id, nil # Required for request_phase e.g. redirect to auth page
|
|
20
|
-
option :
|
|
21
|
-
option :azp_claim, nil
|
|
18
|
+
option :uid_claim, 'sub'
|
|
22
19
|
option :required_claims, %w[email]
|
|
20
|
+
option :scope, %w[profile email openid].freeze
|
|
23
21
|
option :info_map, { 'name' => 'name', 'email' => 'email' }
|
|
24
22
|
|
|
25
23
|
def request_phase
|
|
@@ -30,7 +28,7 @@ module OmniAuth
|
|
|
30
28
|
|
|
31
29
|
def authorize_params # rubocop:disable Metrics/AbcSize
|
|
32
30
|
params = {}
|
|
33
|
-
params[:scope] =
|
|
31
|
+
params[:scope] = options.scope.join(' ')
|
|
34
32
|
params[:access_type] = 'offline'
|
|
35
33
|
params[:include_granted_scopes] = true
|
|
36
34
|
params[:state] = SecureRandom.hex(24)
|
|
@@ -41,10 +39,10 @@ module OmniAuth
|
|
|
41
39
|
params
|
|
42
40
|
end
|
|
43
41
|
|
|
44
|
-
def decoded # rubocop:disable Metrics/
|
|
42
|
+
def decoded # rubocop:disable Metrics/MethodLength
|
|
45
43
|
unless @decoded
|
|
46
44
|
begin
|
|
47
|
-
@decoded = validator.verify_oidc(request.params['id_token'], aud: options.
|
|
45
|
+
@decoded = validator.verify_oidc(request.params['id_token'], aud: options.client_id)
|
|
48
46
|
rescue StandardError => e
|
|
49
47
|
raise ClaimInvalid, e.message
|
|
50
48
|
end
|
|
@@ -79,7 +77,7 @@ module OmniAuth
|
|
|
79
77
|
private
|
|
80
78
|
|
|
81
79
|
def validator
|
|
82
|
-
::Google::Auth::IDTokens
|
|
80
|
+
::Google::Auth::IDTokens
|
|
83
81
|
end
|
|
84
82
|
|
|
85
83
|
def uid_lookup
|
|
@@ -11,7 +11,7 @@ describe OmniAuth::Strategies::GoogleIdToken do # rubocop:disable Metrics/BlockL
|
|
|
11
11
|
let(:payload) do
|
|
12
12
|
{ 'iss' => 'https://accounts.google.com',
|
|
13
13
|
'nbf' => 161_803_398_874,
|
|
14
|
-
'aud' => '
|
|
14
|
+
'aud' => 'test_client_id',
|
|
15
15
|
'sub' => '3141592653589793238',
|
|
16
16
|
'hd' => 'gmail.com',
|
|
17
17
|
'email' => 'bob@example.com',
|
|
@@ -25,16 +25,16 @@ describe OmniAuth::Strategies::GoogleIdToken do # rubocop:disable Metrics/BlockL
|
|
|
25
25
|
'exp' => 1_596_477_600,
|
|
26
26
|
'jti' => 'abc161803398874def' }
|
|
27
27
|
end
|
|
28
|
-
let(:
|
|
28
|
+
let(:client_id) { payload[:aud] }
|
|
29
29
|
let(:azp_claim) { payload[:azp] }
|
|
30
30
|
|
|
31
|
-
let(:client_id) { 'test_client_id' }
|
|
32
31
|
let(:args) do
|
|
33
32
|
[
|
|
34
33
|
{
|
|
35
34
|
aud_claim: payload[:aud],
|
|
36
35
|
azp_claim: payload[:azp],
|
|
37
|
-
client_id: client_id
|
|
36
|
+
client_id: client_id,
|
|
37
|
+
provider_ignores_state: true
|
|
38
38
|
}
|
|
39
39
|
]
|
|
40
40
|
end
|
|
@@ -59,6 +59,9 @@ describe OmniAuth::Strategies::GoogleIdToken do # rubocop:disable Metrics/BlockL
|
|
|
59
59
|
end
|
|
60
60
|
|
|
61
61
|
describe 'request phase' do
|
|
62
|
+
before do
|
|
63
|
+
OmniAuth::AuthenticityTokenProtection.default_options(key: 'csrf.token', authenticity_param: '_csrf')
|
|
64
|
+
end
|
|
62
65
|
it 'should redirect to the configured login url' do
|
|
63
66
|
post api_url
|
|
64
67
|
expect(last_response.status).to eq(302)
|
|
@@ -70,8 +73,8 @@ describe OmniAuth::Strategies::GoogleIdToken do # rubocop:disable Metrics/BlockL
|
|
|
70
73
|
|
|
71
74
|
context 'callback phase' do
|
|
72
75
|
it 'should decode the response' do
|
|
73
|
-
allow(::Google::Auth::IDTokens
|
|
74
|
-
.with(id_token, aud:
|
|
76
|
+
allow(::Google::Auth::IDTokens).to receive(:verify_oidc)
|
|
77
|
+
.with(id_token, aud: client_id)
|
|
75
78
|
.and_return(payload)
|
|
76
79
|
|
|
77
80
|
post "#{api_url}/callback", id_token: id_token
|
|
@@ -80,8 +83,8 @@ describe OmniAuth::Strategies::GoogleIdToken do # rubocop:disable Metrics/BlockL
|
|
|
80
83
|
|
|
81
84
|
it 'should not work without required fields' do
|
|
82
85
|
payload.delete('email')
|
|
83
|
-
allow(::Google::Auth::IDTokens
|
|
84
|
-
.with(id_token, aud:
|
|
86
|
+
allow(::Google::Auth::IDTokens).to receive(:verify_oidc)
|
|
87
|
+
.with(id_token, aud: client_id)
|
|
85
88
|
.and_return(payload)
|
|
86
89
|
|
|
87
90
|
post "#{api_url}/callback", id_token: id_token
|
|
@@ -89,8 +92,8 @@ describe OmniAuth::Strategies::GoogleIdToken do # rubocop:disable Metrics/BlockL
|
|
|
89
92
|
end
|
|
90
93
|
|
|
91
94
|
it 'should assign the uid' do
|
|
92
|
-
allow(::Google::Auth::IDTokens
|
|
93
|
-
.with(id_token, aud:
|
|
95
|
+
allow(::Google::Auth::IDTokens).to receive(:verify_oidc)
|
|
96
|
+
.with(id_token, aud: client_id)
|
|
94
97
|
.and_return(payload)
|
|
95
98
|
post "#{api_url}/callback", id_token: id_token
|
|
96
99
|
expect(response_json['uid']).to eq('3141592653589793238')
|