omniauth-google-oauth2 0.2.2 → 0.2.3

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    Nzk0NDc2ZmZhYjJiOTI1OWI5NDY1NDcwZTNlNWE2NTI0OTk1OWQwNQ==
+    NTE1ZjFkZmYyYTNlM2I4MTI5NmM2MmZlMWFlYjZmNjQ2YjNhNDU1MA==
   data.tar.gz: !binary |-
-    NmMzNzgxNzg3NDAxYTE5NGI1ODc5MzA1MDY3YmI1MGNlZjc5ODlkYQ==
+    OTNiNzQ4MGVhMmFkODVhZGU3Yjk0ZTFjNmY1ZDlkNjM5ZTUwMTFkOA==
 !binary "U0hBNTEy":
   metadata.gz: !binary |-
-    NWEzNjllMDY0ODRkMTY1ZTljMGYwOGQzZWI4YjE3ZWUxMGY1YWUwMjQxMjVh
-    NDhjNTRlYzVlOWFiYWU2ZjZhYWQwMThlNzU0NmI1NzE0MTc1NGRlOTYwMjk2
-    NTY5ZWE0Mjk4MjNiZTNkN2NmYWQ5ZmJlOWRhYWE2YjUxZDA3YWY=
+    ZGI2YjNkMWU5MzRjNzcyYjIxZTE1NGJhMTFkNWNmZDZmMGU1NjczODAwZjUz
+    Y2U5YWE5ZjU3ZDY4NTc5YTVhMmUyZmNhOTk0M2VjZmY3MTc5YzI4MzRiOWEw
+    MDZmY2YwNTE2YmQ1MGRiNDg5ZTBlNzI3OWU5ZDBkNmQ1NjNjOWM=
   data.tar.gz: !binary |-
-    NTFhODFlZDlkZDVmMTY4NzJkMzc4YzJmZGMzZjc4NTA2ZGE0Y2NhMDY0MTEx
-    YTg5ZmU5NGZhOWFjNWIzOThiNjMxMzlkMzljMjFlZTFlNDVhYTY5NzZhY2Iz
-    YWU5YzA4MDFiOWY5NDEyNWUxMDQxZWEzNDAzOTYwM2RlMDkzMjM=
+    YTViOTc3NTgwMTJjYjg0NjhhZDJhYzRlM2E4MmMyZjA2NWQ4YWQ1NWRmODAy
+    YjZlYjQ3OTkxYjRjNTAxNWQwMTVkN2E5ZDhlZDI1ZTg4Y2ZkNTBjYmRiYTYx
+    MjU2N2Q5ZGQxNzVjZWViNDQ4YjM3ZjQ1OGZkMGY3YTk5N2RiNDk=

data/.gitignore

@@ -3,6 +3,9 @@
 .bundle
 .config
 .yardoc
+.ruby-gemset
+.ruby-version
+.rvmrc
 Gemfile.lock
 InstalledFiles
 _yardoc

data/.travis.yml

@@ -6,3 +6,10 @@ rvm:
   - "1.9.2"
   - "1.9.3"
   - "2.0.0"
+  - "2.1.0"
+  - "rbx"
+  - "jruby"
+matrix:
+  allow_failures:
+    - rvm: "rbx"
+    - rvm: "jruby"

data/README.md

@@ -2,7 +2,7 @@
 
 Strategy to authenticate with Google via OAuth2 in OmniAuth.
 
-Get your API key at: https://code.google.com/apis/console/
+Get your API key at: https://code.google.com/apis/console/  Note the Client ID and the Client Secret.
 
 For more details, read the Google docs: https://developers.google.com/accounts/docs/OAuth2
 
@@ -22,7 +22,7 @@ Here's an example for adding the middleware to a Rails app in `config/initialize
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :google_oauth2, ENV["GOOGLE_KEY"], ENV["GOOGLE_SECRET"]
+  provider :google_oauth2, ENV["GOOGLE_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"]
 end
 ```
 
@@ -30,6 +30,8 @@ You can now access the OmniAuth Google OAuth2 URL: `/auth/google_oauth2`
 
 For more examples please check out `examples/omni_auth.rb`
 
+NOTE: While developing your application, if you change the scope in the initializer you will need to restart your app server.
+
 ## Configuration
 
 You can configure several options, which you pass in to the `provider` method via a hash:
@@ -56,11 +58,15 @@ You can configure several options, which you pass in to the `provider` method vi
 
 * `access_type`: Defaults to `offline`, so a refresh token is sent to be used when the user is not present at the browser. Can be set to `online`. Note that if you need a refresh token, google requires you to also to specify the option `prompt: 'consent'`, which is not a default.
 
+* `login_hint`: When your app knows which user it is trying to authenticate, it can provide this parameter as a hint to the authentication server. Passing this hint suppresses the account chooser and either pre-fill the email box on the sign-in form, or select the proper session (if the user is using multiple sign-in), which can help you avoid problems that occur if your app logs in the wrong user account. The value can be either an email address or the sub string, which is equivalent to the user's Google+ ID.
+
+* `include_granted_scopes`: If this is provided with the value true, and the authorization request is granted, the authorization will include any previous authorizations granted to this user/application combination for other scopes. See Google's [Incremental Autorization](https://developers.google.com/accounts/docs/OAuth2WebServer#incrementalAuth) for additional details.
+
 Here's an example of a possible configuration where the strategy name is changed, the user is asked for extra permissions, the user is always prompted to select his account when logging in and the user's profile picture is returned as a thumbnail:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :google_oauth2, ENV["GOOGLE_KEY"], ENV["GOOGLE_SECRET"],
+  provider :google_oauth2, ENV["GOOGLE_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"],
     {
       :name => "google",
       :scope => "userinfo.email, userinfo.profile, plus.me, http://gdata.youtube.com",
@@ -150,6 +156,53 @@ end
 ```
 Detailed example at https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview#google-oauth2-example
 
+### One-time Code Flow (Hybrid Authentication)
+
+Google describes the One-time Code Flow [here](https://developers.google.com/+/web/signin/server-side-flow).  This hybrid authentication flow has significant functional and security advantages over a pure server-side or pure client-side flow.  The following steps occur in this flow:
+
+1. The client (web browser) authenticates the user directly via Google's JS API.  During this process assorted modals may be rendered by Google.
+2. On successful authentication, Google returns a one-time use code, which requires the Google client secret (which is only available server-side).
+3. Using a AJAX request, the code is POSTed to the Omniauth Google OAuth2 callback.
+4. The Omniauth Google OAuth2 gem will validate the code via a server-side request to Google.  If the code is valid, then Google will return an access token and, if this is the first time this user is authenticating against this application, a refresh token.  Both of these should be stored on the server.  The response to the AJAX request indicates the success or failure of this process.
+
+This flow is immune to replay attacks, and conveys no useful information to a man in the middle.
+
+The omniauth-google-oauth2 gem supports this mode of operation out of the box.  Implementors simply need to add the appropriate JavaScript to their web page, and they can take advantage of this flow.  An example JavaScript snippet follows.
+
+```javascript
+jQuery(function() {
+  return $.ajax({
+    url: 'https://apis.google.com/js/client:plus.js?onload=gpAsyncInit',
+    dataType: 'script',
+    cache: true
+  });
+});
+
+window.gpAsyncInit = function() {
+  $('.googleplus-login').click(function(e) {
+    e.preventDefault();
+    gapi.auth.authorize({
+      immediate: true,
+      response_type: 'code',
+      cookie_policy: 'single_host_origin',
+      client_id: '000000000000.apps.googleusercontent.com',
+      scope: 'email profile'
+    }, function(response) {
+      if (response && !response.error) {
+        // google authentication succeed, now post data to server and handle data securely
+        jQuery.ajax({type: 'POST', url: "/auth/google_oauth2/callback", dataType: 'json', data: response,
+          success: function(json) {
+            // response from server
+        });
+      } else {
+        // google authentication failed
+      }
+    });
+  });
+};
+```
+
+
 ## Build Status
 [![Build Status](https://travis-ci.org/zquestz/omniauth-google-oauth2.png)](https://travis-ci.org/zquestz/omniauth-google-oauth2)
 

data/examples/omni_auth.rb

@@ -4,9 +4,11 @@
 
 Rails.application.config.middleware.use OmniAuth::Builder do
   # Default usage, this will give you offline access and a refresh token
-  # using default scopes 'userinfo.email' and 'userinfo.profile'
+  # using default scopes 'email' and 'profile'
   #
-  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], {}
+  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], {
+    :scope => 'email,profile'
+  }
 
   # Manual setup for offline access with a refresh token.
   # The prompt must be set to 'consent'
@@ -17,10 +19,10 @@ Rails.application.config.middleware.use OmniAuth::Builder do
   # }
 
   # Custom scope supporting youtube. If you are customizing scopes, remember
-  # to include the default scopes 'userinfo.email' and 'userinfo.profile'
+  # to include the default scopes 'email' and 'profile'
   #
   # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], {
-  #   :scope => 'http://gdata.youtube.com,userinfo.email,userinfo.profile,plus.me'
+  #   :scope => 'http://gdata.youtube.com,email,profile,plus.me'
   # }
 
   # Custom scope for users only using Google for account creation/auth and do not require a refresh token.
@@ -29,4 +31,11 @@ Rails.application.config.middleware.use OmniAuth::Builder do
   #   :access_type => 'online',
   #   :prompt => ''
   # }
+
+  # To include information about people in your circles you must include the 'plus.login' scope.
+  #
+  # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], {
+  #   :skip_friends => false,
+  #   :scope => "email,profile,plus.login"
+  # }
 end

data/lib/omniauth/google_oauth2/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module GoogleOauth2
-    VERSION = "0.2.2"
+    VERSION = "0.2.3"
   end
 end

data/lib/omniauth/strategies/google_oauth2.rb

@@ -4,13 +4,14 @@ module OmniAuth
   module Strategies
     class GoogleOauth2 < OmniAuth::Strategies::OAuth2
       BASE_SCOPE_URL = "https://www.googleapis.com/auth/"
-      DEFAULT_SCOPE = "userinfo.email,userinfo.profile"
+      BASE_SCOPES = %w[profile email openid]
+      DEFAULT_SCOPE = "email,profile"
 
       option :name, 'google_oauth2'
 
       option :skip_friends, true
 
-      option :authorize_options, [:access_type, :hd, :login_hint, :prompt, :request_visible_actions, :scope, :state, :redirect_uri]
+      option :authorize_options, [:access_type, :hd, :login_hint, :prompt, :request_visible_actions, :scope, :state, :redirect_uri, :include_granted_scopes]
 
       option :client_options, {
         :site          => 'https://accounts.google.com',
@@ -26,7 +27,7 @@ module OmniAuth
 
           raw_scope = params[:scope] || DEFAULT_SCOPE
           scope_list = raw_scope.split(" ").map {|item| item.split(",")}.flatten
-          scope_list.map! { |s| s =~ /^https?:\/\// ? s : "#{BASE_SCOPE_URL}#{s}" }
+          scope_list.map! { |s| s =~ /^https?:\/\// || BASE_SCOPES.include?(s) ? s : "#{BASE_SCOPE_URL}#{s}" }
           params[:scope] = scope_list.join(" ")
           params[:access_type] = 'offline' if params[:access_type].nil?
 
@@ -34,7 +35,7 @@ module OmniAuth
         end
       end
 
-      uid { raw_info['id'] || verified_email }
+      uid { raw_info['sub'] || verified_email }
 
       info do
         prune!({
@@ -42,9 +43,9 @@ module OmniAuth
           :email      => verified_email,
           :first_name => raw_info['given_name'],
           :last_name  => raw_info['family_name'],
-          :image      => image_url(options),
+          :image      => image_url,
           :urls => {
-            'Google' => raw_info['link']
+            'Google' => raw_info['profile']
           }
         })
       end
@@ -53,12 +54,12 @@ module OmniAuth
         hash = {}
         hash[:id_token] = access_token['id_token']
         hash[:raw_info] = raw_info unless skip_info?
-        hash[:raw_friend_info] = raw_friend_info(raw_info['id']) unless skip_info? || options[:skip_friends]
+        hash[:raw_friend_info] = raw_friend_info(raw_info['sub']) unless skip_info? || options[:skip_friends]
         prune! hash
       end
 
       def raw_info
-        @raw_info ||= access_token.get('https://www.googleapis.com/oauth2/v1/userinfo').parsed
+        @raw_info ||= access_token.get('https://www.googleapis.com/plus/v1/people/me/openIdConnect').parsed
       end
 
       def raw_friend_info(id)
@@ -66,7 +67,11 @@ module OmniAuth
       end
 
       def custom_build_access_token
-        if verify_token(request.params['id_token'], request.params['access_token'])
+        if request.xhr? && request.params['code']
+          verifier = request.params['code']
+          client.auth_code.get_token(verifier, { :redirect_uri => 'postmessage'}.merge(token_params.to_hash(:symbolize_keys => true)),
+                                     deep_symbolize(options.auth_token_params || {}))
+        elsif verify_token(request.params['id_token'], request.params['access_token'])
           ::OAuth2::AccessToken.from_hash(client, request.params.dup)
         else
           orig_build_access_token
@@ -85,13 +90,25 @@ module OmniAuth
       end
 
       def verified_email
-        raw_info['verified_email'] ? raw_info['email'] : nil
+        raw_info['email_verified'] ? raw_info['email'] : nil
       end
 
-      def image_url(options)
+      def image_url
         original_url = raw_info['picture']
-        return original_url if original_url.nil? || (!options[:image_size] && !options[:image_aspect_ratio])
+        params_index = original_url.index('/photo.jpg') if original_url
 
+        if params_index && image_size_opts_passed?
+          original_url.insert(params_index, image_params)
+        else
+          original_url
+        end
+      end
+
+      def image_size_opts_passed?
+        !!(options[:image_size] || options[:image_aspect_ratio])
+      end
+
+      def image_params
         image_params = []
         if options[:image_size].is_a?(Integer)
           image_params << "s#{options[:image_size]}"
@@ -101,8 +118,7 @@ module OmniAuth
         end
         image_params << 'c' if options[:image_aspect_ratio] == 'square'
 
-        params_index = original_url.index('/photo.jpg')
-        original_url.insert(params_index, ('/' + image_params.join('-')))
+        '/' + image_params.join('-')
       end
 
       def verify_token(id_token, access_token)

data/omniauth-contrib.gemspec

@@ -17,8 +17,8 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.version       = OmniAuth::GoogleOauth2::VERSION
 
-  gem.add_runtime_dependency 'omniauth-oauth2'
+  gem.add_runtime_dependency 'omniauth-oauth2', '~> 1.1'
 
-  gem.add_development_dependency 'rspec', '~> 2.6.0'
+  gem.add_development_dependency 'rspec', '>= 2.14.0'
   gem.add_development_dependency 'rake'
 end

data/spec/omniauth/strategies/google_oauth2_spec.rb

@@ -11,7 +11,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
 
   subject do
     OmniAuth::Strategies::GoogleOauth2.new(app, 'appid', 'secret', @options || {}).tap do |strategy|
-      strategy.stub(:request) {
+      allow(strategy).to receive(:request) {
         request
       }
     end
@@ -27,31 +27,31 @@ describe OmniAuth::Strategies::GoogleOauth2 do
 
   describe '#client_options' do
     it 'has correct site' do
-      subject.client.site.should eq('https://accounts.google.com')
+      expect(subject.client.site).to eq('https://accounts.google.com')
     end
 
     it 'has correct authorize_url' do
-      subject.client.options[:authorize_url].should eq('/o/oauth2/auth')
+      expect(subject.client.options[:authorize_url]).to eq('/o/oauth2/auth')
     end
 
     it 'has correct token_url' do
-      subject.client.options[:token_url].should eq('/o/oauth2/token')
+      expect(subject.client.options[:token_url]).to eq('/o/oauth2/token')
     end
 
     describe "overrides" do
       it 'should allow overriding the site' do
         @options = {:client_options => {'site' => 'https://example.com'}}
-        subject.client.site.should == 'https://example.com'
+        expect(subject.client.site).to eq('https://example.com')
       end
 
       it 'should allow overriding the authorize_url' do
         @options = {:client_options => {'authorize_url' => 'https://example.com'}}
-        subject.client.options[:authorize_url].should == 'https://example.com'
+        expect(subject.client.options[:authorize_url]).to eq('https://example.com')
       end
 
       it 'should allow overriding the token_url' do
         @options = {:client_options => {'token_url' => 'https://example.com'}}
-        subject.client.options[:token_url].should == 'https://example.com'
+        expect(subject.client.options[:token_url]).to eq('https://example.com')
       end
     end
   end
@@ -60,135 +60,146 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     [:access_type, :hd, :login_hint, :prompt, :scope, :state].each do |k|
       it "should support #{k}" do
         @options = {k => 'http://someval'}
-        subject.authorize_params[k.to_s].should eq('http://someval')
+        expect(subject.authorize_params[k.to_s]).to eq('http://someval')
       end
     end
 
     describe "redirect_uri" do
       it 'should default to nil' do
         @options = {}
-        subject.authorize_params['redirect_uri'].should eq(nil)
+        expect(subject.authorize_params['redirect_uri']).to eq(nil)
       end
 
       it 'should set the redirect_uri parameter if present' do
         @options = {:redirect_uri => 'https://example.com'}
-        subject.authorize_params['redirect_uri'].should eq('https://example.com')
+        expect(subject.authorize_params['redirect_uri']).to eq('https://example.com')
       end
     end
 
     describe 'access_type' do
       it 'should default to "offline"' do
         @options = {}
-        subject.authorize_params['access_type'].should eq('offline')
+        expect(subject.authorize_params['access_type']).to eq('offline')
       end
 
       it 'should set the access_type parameter if present' do
         @options = {:access_type => 'online'}
-        subject.authorize_params['access_type'].should eq('online')
+        expect(subject.authorize_params['access_type']).to eq('online')
       end
     end
 
     describe 'hd' do
       it "should default to nil" do
-        subject.authorize_params['hd'].should eq(nil)
+        expect(subject.authorize_params['hd']).to eq(nil)
       end
 
       it 'should set the hd (hosted domain) parameter if present' do
         @options = {:hd => 'example.com'}
-        subject.authorize_params['hd'].should eq('example.com')
+        expect(subject.authorize_params['hd']).to eq('example.com')
       end
     end
 
     describe 'login_hint' do
       it "should default to nil" do
-        subject.authorize_params['login_hint'].should eq(nil)
+        expect(subject.authorize_params['login_hint']).to eq(nil)
       end
 
       it 'should set the login_hint parameter if present' do
         @options = {:login_hint => 'john@example.com'}
-        subject.authorize_params['login_hint'].should eq('john@example.com')
+        expect(subject.authorize_params['login_hint']).to eq('john@example.com')
       end
     end
 
     describe 'prompt' do
       it "should default to nil" do
-        subject.authorize_params['prompt'].should eq(nil)
+        expect(subject.authorize_params['prompt']).to eq(nil)
       end
 
       it 'should set the prompt parameter if present' do
         @options = {:prompt => 'consent select_account'}
-        subject.authorize_params['prompt'].should eq('consent select_account')
+        expect(subject.authorize_params['prompt']).to eq('consent select_account')
       end
     end
 
     describe 'request_visible_actions' do
       it "should default to nil" do
-        subject.authorize_params['request_visible_actions'].should eq(nil)
+        expect(subject.authorize_params['request_visible_actions']).to eq(nil)
       end
 
       it 'should set the request_visible_actions parameter if present' do
         @options = {:request_visible_actions => 'something'}
-        subject.authorize_params['request_visible_actions'].should eq('something')
+        expect(subject.authorize_params['request_visible_actions']).to eq('something')
+      end
+    end
+
+    describe 'include_granted_scopes' do
+      it 'should default to nil' do
+        expect(subject.authorize_params['include_granted_scopes']).to eq(nil)
+      end
+
+      it 'should set the include_granted_scopes parameter if present' do
+        @options = {:include_granted_scopes => 'true'}
+        expect(subject.authorize_params['include_granted_scopes']).to eq('true')
       end
     end
 
     describe 'scope' do
       it 'should expand scope shortcuts' do
-        @options = {:scope => 'userinfo.email'}
-        subject.authorize_params['scope'].should eq('https://www.googleapis.com/auth/userinfo.email')
+        @options = {:scope => 'plus.me'}
+        expect(subject.authorize_params['scope']).to eq('https://www.googleapis.com/auth/plus.me')
       end
 
-      it 'should leave full scopes as is' do
-        @options = {:scope => 'https://www.googleapis.com/auth/userinfo.profile'}
-        subject.authorize_params['scope'].should eq('https://www.googleapis.com/auth/userinfo.profile')
+      it 'should leave base scopes as is' do
+        @options = {:scope => 'profile'}
+        expect(subject.authorize_params['scope']).to eq('profile')
       end
 
       it 'should join scopes' do
-        @options = {:scope => 'userinfo.profile,userinfo.email'}
-        subject.authorize_params['scope'].should eq('https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email')
+        @options = {:scope => 'profile,email'}
+        expect(subject.authorize_params['scope']).to eq('profile email')
       end
 
       it 'should deal with whitespace when joining scopes' do
-        @options = {:scope => 'userinfo.profile, userinfo.email'}
-        subject.authorize_params['scope'].should eq('https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email')
+        @options = {:scope => 'profile, email'}
+        expect(subject.authorize_params['scope']).to eq('profile email')
       end
 
-      it 'should set default scope to userinfo.email,userinfo.profile' do
-        subject.authorize_params['scope'].should eq('https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile')
+      it 'should set default scope to email,profile' do
+        expect(subject.authorize_params['scope']).to eq('email profile')
       end
 
       it 'should support space delimited scopes' do
-        @options = {:scope => 'userinfo.profile userinfo.email'}
-        subject.authorize_params['scope'].should eq('https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email')
+        @options = {:scope => 'profile email'}
+        expect(subject.authorize_params['scope']).to eq('profile email')
       end
 
       it "should support extremely badly formed scopes" do
-        @options = {:scope => 'userinfo.profile userinfo.email,foo,steve yeah http://example.com'}
-        subject.authorize_params['scope'].should eq('https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/foo https://www.googleapis.com/auth/steve https://www.googleapis.com/auth/yeah http://example.com')
+        @options = {:scope => 'profile email,foo,steve yeah http://example.com'}
+        expect(subject.authorize_params['scope']).to eq('profile email https://www.googleapis.com/auth/foo https://www.googleapis.com/auth/steve https://www.googleapis.com/auth/yeah http://example.com')
       end
     end
 
     describe 'state' do
       it 'should set the state parameter' do
         @options = {:state => 'some_state'}
-        subject.authorize_params['state'].should eq('some_state')
-        subject.session['omniauth.state'].should eq('some_state')
+        expect(subject.authorize_params['state']).to eq('some_state')
+        expect(subject.session['omniauth.state']).to eq('some_state')
       end
 
       it 'should set the omniauth.state dynamically' do
-        subject.stub(:request) { double('Request', {:params => {'state' => 'some_state'}, :env => {}}) }
-        subject.authorize_params['state'].should eq('some_state')
-        subject.session['omniauth.state'].should eq('some_state')
+        allow(subject).to receive(:request) { double('Request', {:params => {'state' => 'some_state'}, :env => {}}) }
+        expect(subject.authorize_params['state']).to eq('some_state')
+        expect(subject.session['omniauth.state']).to eq('some_state')
       end
     end
 
     describe "overrides" do
       it 'should include top-level options that are marked as :authorize_options' do
         @options = {:authorize_options => [:scope, :foo, :request_visible_actions], :scope => 'http://bar', :foo => 'baz', :hd => "wow", :request_visible_actions => "something"}
-        subject.authorize_params['scope'].should eq('http://bar')
-        subject.authorize_params['foo'].should eq('baz')
-        subject.authorize_params['hd'].should eq(nil)
-        subject.authorize_params['request_visible_actions'].should eq('something')
+        expect(subject.authorize_params['scope']).to eq('http://bar')
+        expect(subject.authorize_params['foo']).to eq('baz')
+        expect(subject.authorize_params['hd']).to eq(nil)
+        expect(subject.authorize_params['request_visible_actions']).to eq('something')
       end
 
       describe "request overrides" do
@@ -198,7 +209,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
 
             it "should set the #{k} authorize option dynamically in the request" do
               @options = {k => ''}
-              subject.authorize_params[k.to_s].should eq('http://example.com')
+              expect(subject.authorize_params[k.to_s]).to eq('http://example.com')
             end
           end
         end
@@ -208,7 +219,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
 
           it "should support request overrides from custom authorize_options" do
             @options = {:authorize_options => [:foo], :foo => ''}
-            subject.authorize_params['foo'].should eq('something')
+            expect(subject.authorize_params['foo']).to eq('something')
           end
         end
       end
@@ -218,34 +229,34 @@ describe OmniAuth::Strategies::GoogleOauth2 do
   describe '#authorize_params' do
     it 'should include any authorize params passed in the :authorize_params option' do
       @options = {:authorize_params => {:request_visible_actions => 'something', :foo => 'bar', :baz => 'zip'}, :hd => 'wow', :bad => 'not_included'}
-      subject.authorize_params['request_visible_actions'].should eq('something')
-      subject.authorize_params['foo'].should eq('bar')
-      subject.authorize_params['baz'].should eq('zip')
-      subject.authorize_params['hd'].should eq('wow')
-      subject.authorize_params['bad'].should eq(nil)
+      expect(subject.authorize_params['request_visible_actions']).to eq('something')
+      expect(subject.authorize_params['foo']).to eq('bar')
+      expect(subject.authorize_params['baz']).to eq('zip')
+      expect(subject.authorize_params['hd']).to eq('wow')
+      expect(subject.authorize_params['bad']).to eq(nil)
     end
   end
 
   describe '#token_params' do
     it 'should include any token params passed in the :token_params option' do
       @options = {:token_params => {:foo => 'bar', :baz => 'zip'}}
-      subject.token_params['foo'].should eq('bar')
-      subject.token_params['baz'].should eq('zip')
+      expect(subject.token_params['foo']).to eq('bar')
+      expect(subject.token_params['baz']).to eq('zip')
     end
   end
 
   describe "#token_options" do
     it 'should include top-level options that are marked as :token_options' do
       @options = {:token_options => [:scope, :foo], :scope => 'bar', :foo => 'baz', :bad => 'not_included'}
-      subject.token_params['scope'].should eq('bar')
-      subject.token_params['foo'].should eq('baz')
-      subject.token_params['bad'].should eq(nil)
+      expect(subject.token_params['scope']).to eq('bar')
+      expect(subject.token_params['foo']).to eq('baz')
+      expect(subject.token_params['bad']).to eq(nil)
     end
   end
 
   describe '#callback_path' do
     it 'has the correct callback path' do
-      subject.callback_path.should eq('/auth/google_oauth2/callback')
+      expect(subject.callback_path).to eq('/auth/google_oauth2/callback')
     end
   end
 
@@ -254,7 +265,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       OAuth2::Client.new('abc', 'def') do |builder|
         builder.request :url_encoded
         builder.adapter :test do |stub|
-          stub.get('/oauth2/v1/userinfo') {|env| [200, {'content-type' => 'application/json'}, '{"id": "12345"}']}
+          stub.get('/plus/v1/people/me/openIdConnect') {|env| [200, {'content-type' => 'application/json'}, '{"sub": "12345"}']}
           stub.get('/plus/v1/people/12345/people/visible') {|env| [200, {'content-type' => 'application/json'}, '[{"foo":"bar"}]']}
         end
       end
@@ -268,13 +279,13 @@ describe OmniAuth::Strategies::GoogleOauth2 do
        let(:access_token) { OAuth2::AccessToken.from_hash(client, {'id_token' => 'xyz'}) }
 
         it 'should include id_token when set on the access_token' do
-          subject.extra.should include(:id_token => 'xyz')
+          expect(subject.extra).to include(:id_token => 'xyz')
         end
       end
 
       context 'when the id_token is missing' do
         it 'should not include id_token' do
-          subject.extra.should_not have_key(:id_token)
+          expect(subject.extra).not_to have_key(:id_token)
         end
       end
     end
@@ -284,7 +295,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         before { subject.options[:skip_info] = true }
 
         it 'should not include raw_info' do
-          subject.extra.should_not have_key(:raw_info)
+          expect(subject.extra).not_to have_key(:raw_info)
         end
       end
 
@@ -292,7 +303,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         before { subject.options[:skip_info] = false }
 
         it 'should include raw_info' do
-          subject.extra[:raw_info].should eq('id' => '12345')
+          expect(subject.extra[:raw_info]).to eq('sub' => '12345')
         end
       end
     end
@@ -302,7 +313,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         before { subject.options[:skip_info] = true }
 
         it 'should not include raw_friend_info' do
-          subject.extra.should_not have_key(:raw_friend_info)
+          expect(subject.extra).not_to have_key(:raw_friend_info)
         end
       end
 
@@ -313,7 +324,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
           before { subject.options[:skip_friends] = true }
 
           it 'should not include raw_friend_info' do
-            subject.extra.should_not have_key(:raw_friend_info)
+            expect(subject.extra).not_to have_key(:raw_friend_info)
           end
         end
 
@@ -321,7 +332,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
           before { subject.options[:skip_friends] = false }
 
           it 'should not include raw_friend_info' do
-            subject.extra[:raw_friend_info].should eq([{'foo' => 'bar'}])
+            expect(subject.extra[:raw_friend_info]).to eq([{'foo' => 'bar'}])
           end
         end
       end
@@ -330,75 +341,98 @@ describe OmniAuth::Strategies::GoogleOauth2 do
 
   describe 'populate auth hash urls' do
     it 'should populate url map in auth hash if link present in raw_info' do
-      subject.stub(:raw_info) { {'name' => 'Foo', 'link' => 'https://plus.google.com/123456'} }
-      subject.info[:urls]['Google'].should eq('https://plus.google.com/123456')
+      allow(subject).to receive(:raw_info) { {'name' => 'Foo', 'profile' => 'https://plus.google.com/123456'} }
+      expect(subject.info[:urls]['Google']).to eq('https://plus.google.com/123456')
     end
 
     it 'should not populate url map in auth hash if no link present in raw_info' do
-      subject.stub(:raw_info) { {'name' => 'Foo'} }
-      subject.info.should_not have_key(:urls)
+      allow(subject).to receive(:raw_info) { {'name' => 'Foo'} }
+      expect(subject.info).not_to have_key(:urls)
     end
   end
 
   describe 'image options' do
     it "should have no image if a picture isn't present" do
       @options = {:image_aspect_ratio => 'square'}
-      subject.stub(:raw_info) { {'name' => 'User Without Pic'} }
-      subject.info[:image].should be_nil
+      allow(subject).to receive(:raw_info) { {'name' => 'User Without Pic'} }
+      expect(subject.info[:image]).to be_nil
     end
 
     describe "when a picture is returned from google" do
       it 'should return the image with size specified in the `image_size` option' do
         @options = {:image_size => 50}
-        subject.stub(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
-        subject.info[:image].should eq('https://lh3.googleusercontent.com/url/s50/photo.jpg')
+        allow(subject).to receive(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/s50/photo.jpg')
       end
 
       it 'should return the image with width and height specified in the `image_size` option' do
         @options = {:image_size => {:width => 50, :height => 40}}
-        subject.stub(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
-        subject.info[:image].should eq('https://lh3.googleusercontent.com/url/w50-h40/photo.jpg')
+        allow(subject).to receive(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40/photo.jpg')
       end
 
       it 'should return square image when `image_aspect_ratio` is specified' do
         @options = {:image_aspect_ratio => 'square'}
-        subject.stub(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
-        subject.info[:image].should eq('https://lh3.googleusercontent.com/url/c/photo.jpg')
+        allow(subject).to receive(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/c/photo.jpg')
       end
 
       it 'should return square sized image when `image_aspect_ratio` and `image_size` is set' do
         @options = {:image_aspect_ratio => 'square', :image_size => 50}
-        subject.stub(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
-        subject.info[:image].should eq('https://lh3.googleusercontent.com/url/s50-c/photo.jpg')
+        allow(subject).to receive(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/s50-c/photo.jpg')
       end
 
       it 'should return square sized image when `image_aspect_ratio` and `image_size` has height and width' do
         @options = {:image_aspect_ratio => 'square', :image_size => {:width => 50, :height => 40}}
-        subject.stub(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
-        subject.info[:image].should eq('https://lh3.googleusercontent.com/url/w50-h40-c/photo.jpg')
+        allow(subject).to receive(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40-c/photo.jpg')
+      end
+
+      it 'should return original image if image url does not end in `photo.jpg`' do
+        @options = {:image_size => 50}
+        subject.stub(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photograph.jpg'} }
+        subject.info[:image].should eq('https://lh3.googleusercontent.com/url/photograph.jpg')
       end
     end
 
     it 'should return original image if no options are provided' do
-      subject.stub(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
-      subject.info[:image].should eq('https://lh3.googleusercontent.com/url/photo.jpg')
+      allow(subject).to receive(:raw_info) { {'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg'} }
+      expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/photo.jpg')
     end
   end
 
   describe 'build_access_token' do
-    it 'should read access_token from hash' do
-      request.stub(:params).and_return('id_token' => 'valid_id_token', 'access_token' => 'valid_access_token')
-      subject.should_receive(:verify_token).with('valid_id_token', 'valid_access_token').and_return true
-      subject.should_receive(:client).and_return(:client)
+    it 'should use a hybrid authorization request_uri if this is an AJAX request with a code parameter' do
+      allow(request).to receive(:xhr?).and_return(true)
+      allow(request).to receive(:params).and_return('code' => 'valid_code')
+
+      client = double(:client)
+      auth_code = double(:auth_code)
+      allow(client).to receive(:auth_code).and_return(auth_code)
+      expect(subject).to receive(:client).and_return(client)
+      expect(auth_code).to receive(:get_token).with('valid_code', { :redirect_uri => 'postmessage'}, {})
+
+      expect(subject).not_to receive(:orig_build_access_token)
+      subject.build_access_token
+    end
+
+    it 'should read access_token from hash if this is not an AJAX request with a code parameter' do
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:params).and_return('id_token' => 'valid_id_token', 'access_token' => 'valid_access_token')
+      expect(subject).to receive(:verify_token).with('valid_id_token', 'valid_access_token').and_return true
+      expect(subject).to receive(:client).and_return(:client)
 
       token = subject.build_access_token
-      token.should be_instance_of(::OAuth2::AccessToken)
-      token.token.should eq('valid_access_token')
-      token.client.should eq(:client)
+      expect(token).to be_instance_of(::OAuth2::AccessToken)
+      expect(token.token).to eq('valid_access_token')
+      expect(token.client).to eq(:client)
     end
 
-    it 'should call super' do
-      subject.should_receive(:orig_build_access_token)
+    it 'should call super if this is not an AJAX request' do
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:params).and_return('code' => 'valid_code')
+      expect(subject).to receive(:orig_build_access_token)
       subject.build_access_token
     end
   end
@@ -413,7 +447,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
               :issued_to => '000000000000.apps.googleusercontent.com',
               :audience => '000000000000.apps.googleusercontent.com',
               :user_id => '000000000000000000000',
-              :scope => 'https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email',
+              :scope => 'profile email',
               :expires_in => 3514,
               :email => 'me@example.com',
               :verified_email => true,
@@ -429,11 +463,11 @@ describe OmniAuth::Strategies::GoogleOauth2 do
 
     it 'should verify token if access_token and id_token are valid and app_id equals' do
       subject.options.client_id = '000000000000.apps.googleusercontent.com'
-      subject.send(:verify_token, 'valid_id_token', 'valid_access_token').should == true
+      expect(subject.send(:verify_token, 'valid_id_token', 'valid_access_token')).to eq(true)
     end
 
     it 'should not verify token if access_token and id_token are valid but app_id is false' do
-      subject.send(:verify_token, 'valid_id_token', 'valid_access_token').should == false
+      expect(subject.send(:verify_token, 'valid_id_token', 'valid_access_token')).to eq(false)
     end
 
     it 'should raise error if access_token or id_token is invalid' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-google-oauth2
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - Josh Ellithorpe
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-31 00:00:00.000000000 Z
+date: 2014-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -29,30 +29,30 @@ dependencies:
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: 2.14.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: 2.14.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -75,9 +75,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
-- .ruby-gemset
-- .ruby-version
-- .rvmrc
 - .travis.yml
 - Gemfile
 - README.md

data/.ruby-gemset

@@ -1 +0,0 @@
-omniauth-google-oauth2

data/.ruby-version

@@ -1 +0,0 @@
-1.9.3-p484

data/.rvmrc

@@ -1 +0,0 @@
-rvm use 1.9.3@omniauth-google-oauth2 --create