omniauth-google-oauth2 0.5.0 → 0.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/README.md +3 -1
- data/examples/config.ru +2 -1
- data/lib/omniauth/google_oauth2/version.rb +1 -1
- data/lib/omniauth/strategies/google_oauth2.rb +5 -5
- data/spec/omniauth/strategies/google_oauth2_spec.rb +36 -5
- metadata +2 -2
    
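--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 
-  data.tar.gz: 
+  metadata.gz: e8856da55d4dd3541aa24210676726e43c9f7afb
+  data.tar.gz: 8d34f80f64977b8eef82858f8521c31d4cb4b000
 SHA512:
-  metadata.gz: 
-  data.tar.gz: 
+  metadata.gz: 30137b2edafdad7c71b22f9a0f6b4f7f2897719348326facad7ad2e8a6c5ab3f22f9040cfd2a06cba42995496fcc2f644946ea467b1e0e9d76139a42b39113b6
+  data.tar.gz: 153076648f4c1eac3971a2bf67c67c75b43ddff1bca0e6c9ca1c86885fb31cdc01cdf306507f2b527931051c6b1cb8029bf93b0b928c4723d84e8de91c7b554e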
    
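--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,21 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 0.5.1 - 2017-07-19
+
+### Added
+- JWT iss verification can be enabled/disabled with the `verify_iss` flag.
+- Authorize options now includes `device_id` and `device_name` for private ip ranges.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Updated `authorize_url` and `token_url` to new endpoints.
+
 ## 0.5.0 - 2017-05-29
 
 ### Added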
    
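--- a/data/README.md
+++ b/data/README.md
@@ -87,6 +87,8 @@ You can configure several options, which you pass in to the `provider` method vi
 
 * `openid_realm`: Set the OpenID realm value, to allow upgrading from OpenID based authentication to OAuth 2 based authentication. When this is set correctly an `openid_id` value will be set in `[:extra][:id_info]` in the authentication hash with the value of the user's OpenID ID URL.
 
+* `verify_iss`: Allows you to disable iss validation when decoding the JWT. This was added since Google now returns either `accounts.google.com` or `https://accounts.google.com`, and there is no way to predict what they will return, causing JWT validation failures.
+
 Here's an example of a possible configuration where the strategy name is changed, the user is asked for extra permissions, the user is always prompted to select his account when logging in and the user's profile picture is returned as a thumbnail:
 
 ```ruby
@@ -191,7 +193,7 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
         flash[:notice] = I18n.t 'devise.omniauth_callbacks.success', kind: 'Google'
         sign_in_and_redirect @user, event: :authentication
       else
-        session['devise.google_data'] = request.env['omniauth.auth'].except(:extra) #Removing extra as it can overflow some session stores
+        session['devise.google_data'] = request.env['omniauth.auth'].except(:extra) # Removing extra as it can overflow some session stores
         redirect_to new_user_registration_url, alert: @user.errors.full_messages.join("\n")
       end
     end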
    
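--- a/data/examples/config.ru
+++ b/data/examples/config.ru
@@ -114,7 +114,8 @@ use Rack::Session::Cookie, secret: ENV['RACK_COOKIE_SECRET']
 use OmniAuth::Builder do
   # For additional provider examples please look at 'omni_auth.rb'
   # The key provider_ignores_state is only for AJAX flows. It is not recommended for normal logins.
-
+  # Also, verify_iss is disabled because google now returns an unpredictable value for iss.
+  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], verify_iss: false, access_type: 'offline', prompt: 'consent', provider_ignores_state: true, scope: 'email,profile,calendar'
 end
 
 run App.new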
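Review bot: The new comment on line 117 explains why `verify_iss: false` is set but not what the example gives up: with that flag off, the issuer claim of the ID token is not checked at all, and this is the sample configuration readers will copy. The README change in this same release says Google returns one of exactly two values (`accounts.google.com` or `https://accounts.google.com`), so the comment should name them and state the trade-off rather than calling the value unpredictable. Suggested wording: `# verify_iss is disabled because Google returns iss as either 'accounts.google.com' or 'https://accounts.google.com'; note this skips issuer validation of the ID token entirely.`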
| @@ -18,13 +18,13 @@ module OmniAuth | |
| 18 18 | 
             
                  option :skip_image_info, true
         | 
| 19 19 | 
             
                  option :skip_jwt, false
         | 
| 20 20 | 
             
                  option :jwt_leeway, 60
         | 
| 21 | 
            -
                  option :authorize_options, %i[access_type hd login_hint prompt request_visible_actions scope state redirect_uri include_granted_scopes openid_realm]
         | 
| 21 | 
            +
                  option :authorize_options, %i[access_type hd login_hint prompt request_visible_actions scope state redirect_uri include_granted_scopes openid_realm device_id device_name]
         | 
| 22 22 | 
             
                  option :authorized_client_ids, []
         | 
| 23 | 
            +
                  option :verify_iss, true
         | 
| 23 24 |  | 
| 24 25 | 
             
                  option :client_options,
         | 
| 25 | 
            -
                          | 
| 26 | 
            -
                          | 
| 27 | 
            -
                         token_url: '/o/oauth2/token'
         | 
| 26 | 
            +
                         authorize_url: 'https://accounts.google.com/o/oauth2/v2/auth',
         | 
| 27 | 
            +
                         token_url: 'https://www.googleapis.com/oauth2/v4/token'
         | 
| 28 28 |  | 
| 29 29 | 
             
                  def authorize_params
         | 
| 30 30 | 
             
                    super.tap do |params|
         | 
| @@ -60,7 +60,7 @@ module OmniAuth | |
| 60 60 | 
             
                    hash[:id_token] = access_token['id_token']
         | 
| 61 61 | 
             
                    if !options[:skip_jwt] && !access_token['id_token'].nil?
         | 
| 62 62 | 
             
                      hash[:id_info] = JWT.decode(
         | 
| 63 | 
            -
                        access_token['id_token'], nil, false, verify_iss:  | 
| 63 | 
            +
                        access_token['id_token'], nil, false, verify_iss: options.verify_iss,
         | 
| 64 64 | 
             
                                                              iss: 'accounts.google.com',
         | 
| 65 65 | 
             
                                                              verify_aud: true,
         | 
| 66 66 | 
             
                                                              aud: options.client_id,
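Review bot: The new `verify_iss: options.verify_iss` on line 63 still pins `iss: 'accounts.google.com'` on line 64, so with the default `verify_iss: true` an ID token issued as `https://accounts.google.com` (the second form the README in this release says Google now returns) still fails to decode, and the only remedy the change offers is switching issuer verification off. Accepting both known issuer values keeps the check on: if the JWT gem version pinned by this gem accepts an array for `iss` (later ruby-jwt releases do; confirm for the version in use), change line 64 to `iss: %w[accounts.google.com https://accounts.google.com],` — otherwise decode with `verify_iss: false` and compare `hash[:id_info]['iss']` against that list before trusting the claims. The `option :verify_iss, true` default added in the `@@ -18` hunk above only works as advertised once both values are accepted. The enclosing `extra` block starts and ends outside this hunk.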
         | 
| @@ -28,16 +28,16 @@ describe OmniAuth::Strategies::GoogleOauth2 do | |
| 28 28 | 
             
              end
         | 
| 29 29 |  | 
| 30 30 | 
             
              describe '#client_options' do
         | 
| 31 | 
            -
                it ' | 
| 32 | 
            -
                  expect(subject.client.site).to eq( | 
| 31 | 
            +
                it 'does not have site' do
         | 
| 32 | 
            +
                  expect(subject.client.site).to eq(nil)
         | 
| 33 33 | 
             
                end
         | 
| 34 34 |  | 
| 35 35 | 
             
                it 'has correct authorize_url' do
         | 
| 36 | 
            -
                  expect(subject.client.options[:authorize_url]).to eq('/o/oauth2/auth')
         | 
| 36 | 
            +
                  expect(subject.client.options[:authorize_url]).to eq('https://accounts.google.com/o/oauth2/v2/auth')
         | 
| 37 37 | 
             
                end
         | 
| 38 38 |  | 
| 39 39 | 
             
                it 'has correct token_url' do
         | 
| 40 | 
            -
                  expect(subject.client.options[:token_url]).to eq('/ | 
| 40 | 
            +
                  expect(subject.client.options[:token_url]).to eq('https://www.googleapis.com/oauth2/v4/token')
         | 
| 41 41 | 
             
                end
         | 
| 42 42 |  | 
| 43 43 | 
             
                describe 'overrides' do
         | 
| @@ -78,7 +78,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do | |
| 78 78 | 
             
              end
         | 
| 79 79 |  | 
| 80 80 | 
             
              describe '#authorize_options' do
         | 
| 81 | 
            -
                %i[access_type hd login_hint prompt scope state].each do |k|
         | 
| 81 | 
            +
                %i[access_type hd login_hint prompt scope state device_id device_name].each do |k|
         | 
| 82 82 | 
             
                  it "should support #{k}" do
         | 
| 83 83 | 
             
                    @options = { k => 'http://someval' }
         | 
| 84 84 | 
             
                    expect(subject.authorize_params[k.to_s]).to eq('http://someval')
         | 
| @@ -593,6 +593,37 @@ describe OmniAuth::Strategies::GoogleOauth2 do | |
| 593 593 | 
             
                end
         | 
| 594 594 | 
             
              end
         | 
| 595 595 |  | 
| 596 | 
            +
              describe 'verify_iss option' do
         | 
| 597 | 
            +
                before(:each) do
         | 
| 598 | 
            +
                  subject.options.client_options[:connection_build] = proc do |builder|
         | 
| 599 | 
            +
                    builder.request :url_encoded
         | 
| 600 | 
            +
                    builder.adapter :test do |stub|
         | 
| 601 | 
            +
                      stub.get('/oauth2/v3/tokeninfo?access_token=invalid_iss_token') do
         | 
| 602 | 
            +
                        [200, { 'Content-Type' => 'application/json; charset=UTF-8' },
         | 
| 603 | 
            +
                         MultiJson.encode(
         | 
| 604 | 
            +
                           aud: '000000000000.apps.googleusercontent.com',
         | 
| 605 | 
            +
                           sub: '123456789',
         | 
| 606 | 
            +
                           email_verified: 'true',
         | 
| 607 | 
            +
                           email: 'example@example.com',
         | 
| 608 | 
            +
                           access_type: 'offline',
         | 
| 609 | 
            +
                           scope: 'profile email',
         | 
| 610 | 
            +
                           expires_in: 436,
         | 
| 611 | 
            +
                           iss: 'foobar.com'
         | 
| 612 | 
            +
                         )]
         | 
| 613 | 
            +
                      end
         | 
| 614 | 
            +
                    end
         | 
| 615 | 
            +
                  end
         | 
| 616 | 
            +
                  subject.options.authorized_client_ids = ['000000000000.apps.googleusercontent.com']
         | 
| 617 | 
            +
                  subject.options.client_id = '000000000000.apps.googleusercontent.com'
         | 
| 618 | 
            +
                  subject.options[:verify_iss] = false
         | 
| 619 | 
            +
                end
         | 
| 620 | 
            +
             | 
| 621 | 
            +
                it 'should verify token if the iss does not match options.expected_iss' do
         | 
| 622 | 
            +
                  result = subject.send(:verify_token, 'invalid_iss_token')
         | 
| 623 | 
            +
                  expect(result).to eq(true)
         | 
| 624 | 
            +
                end
         | 
| 625 | 
            +
              end
         | 
| 626 | 
            +
             | 
| 596 627 | 
             
              describe 'verify_token' do
         | 
| 597 628 | 
             
                before(:each) do
         | 
| 598 629 | 
             
                  subject.options.client_options[:connection_build] = proc do |builder|
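Review bot: The new 'verify_iss option' example on lines 621-623 only exercises the permissive setting: the `before` block sets `subject.options[:verify_iss] = false` and the example asserts `verify_token` returns true for a tokeninfo response whose `iss` is `foobar.com`, so nothing here shows an unexpected issuer ever being rejected. A companion example that leaves `verify_iss` at its default and expects the same token to be refused would pin the security-relevant half, and would also reveal whether `verify_token` consults `verify_iss` at all, which this hunk does not show. The example description also refers to `options.expected_iss`, a name that appears nowhere else in this change; `it 'should not verify iss when verify_iss is false' do` would describe what is actually asserted. The top-level `describe` block continues outside the hunk.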
         | 
    
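--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-google-oauth2
 version: !ruby/object:Gem::Version
-  version: 0.5.
+  version: 0.5.1
 platform: ruby
 authors:
 - Josh Ellithorpe
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-07-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth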