RubyGems - omniauth-google-oauth2 - Versions diffs - 0.5.4 → 0.6.0 - Mend

omniauth-google-oauth2 0.5.4 → 0.6.0

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -0
data/README.md +31 -49
data/lib/omniauth/google_oauth2/version.rb +1 -1
data/lib/omniauth/strategies/google_oauth2.rb +21 -25
data/omniauth-google-oauth2.gemspec +1 -1
data/spec/omniauth/strategies/google_oauth2_spec.rb +48 -116
metadata +5 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2a7656373110c92e06996caa456eea2a5dd429b6
-  data.tar.gz: 54fa84ae8d29ab08e9387e79a7dde7796b4f5ddf
+  metadata.gz: 81997c7fd03317eea408408d6f18159972b8f3dc
+  data.tar.gz: d16e88cdee0f4fd599d4b8d8c05ac40ebc761c07
 SHA512:
-  metadata.gz: d8c0b4beb4561a205866bbb36ef4fe5b438d95e07cf8832f1e657e48f04657e98d99c28bf69ad3f53b564c47017435cc8d38a7c9eb48700a0b07a642a6012624
-  data.tar.gz: 7e3fd2adca8bb3227da30c0492c5738fdbeb7e50c8ccb8df2dac2379407ad5230092d26f4942e1654fdf680c2c961556ad111ab71d5fb788f48dcc1e24f3f324
+  metadata.gz: eb2b1d82471d000a983728b92676e682d7006b0a3551bcb109cd9216a3114e6d78500bdd3d29ae71b55c95f4b7a2315f4d3930bf017edc7a2506641bb51cfc06
+  data.tar.gz: 27605544db858360570a109a922689ec100bd70ff4ea63318a67f2ba6bc5a91c1f464e9110088addba9c83fc62a6fcae13ce54f22f53abcaf5933d04cb1538ff

data/CHANGELOG.md CHANGED

@@ -1,6 +1,21 @@
 # Changelog
 All notable changes to this project will be documented in this file.
+## 0.6.0 - 2018-12-28
+### Added
+- Support for JWT 2.x.
+### Deprecated
+- Nothing.
+### Removed
+- Support for JWT 1.x.
+- Support for `raw_friend_info` and `raw_image_info`.
+### Fixed
+- Nothing.
 ## 0.5.4 - 2018-12-07
 ### Added

data/README.md CHANGED

@@ -7,8 +7,6 @@ Strategy to authenticate with Google via OAuth2 in OmniAuth.
 Get your API key at: https://code.google.com/apis/console/  Note the Client ID and the Client Secret.
-**Note**: You must enable the "Contacts API" and "Google+ API" via the Google API console. Otherwise, you will receive an `OAuth2::Error`(`Error: "Invalid credentials"`) stating that access is not configured when you attempt to authenticate.
 For more details, read the Google docs: https://developers.google.com/accounts/docs/OAuth2
 ## Installation
@@ -25,8 +23,6 @@ Then `bundle install`.
 * Go to 'https://console.developers.google.com'
 * Select your project.
-* Click 'Enable and manage APIs'.
-* Make sure "Contacts API" and "Google+ API" are on.
 * Go to Credentials, then select the "OAuth consent screen" tab on top, and provide an 'EMAIL ADDRESS' and a 'PRODUCT NAME'
 * Wait 10 minutes for changes to take effect.
@@ -87,15 +83,13 @@ You can configure several options, which you pass in to the `provider` method vi
 * `openid_realm`: Set the OpenID realm value, to allow upgrading from OpenID based authentication to OAuth 2 based authentication. When this is set correctly an `openid_id` value will be set in `[:extra][:id_info]` in the authentication hash with the value of the user's OpenID ID URL.
-* `verify_iss`: Allows you to disable iss validation when decoding the JWT. This was added since Google now returns either `accounts.google.com` or `https://accounts.google.com`, and there is no way to predict what they will return, causing JWT validation failures.
 Here's an example of a possible configuration where the strategy name is changed, the user is asked for extra permissions, the user is always prompted to select his account when logging in and the user's profile picture is returned as a thumbnail:
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'],
     {
-      scope: 'userinfo.email, userinfo.profile, plus.me, http://gdata.youtube.com',
+      scope: 'userinfo.email, userinfo.profile, http://gdata.youtube.com',
       prompt: 'select_account',
       image_aspect_ratio: 'square',
       image_size: 50
@@ -141,8 +135,6 @@ Here's an example of an authentication hash available in the callback by accessi
       "exp" => 1496120719
     },
     "raw_info" => {
-      "kind" => "plus#personOpenIdConnect",
-      "gender" => "male",
       "sub" => "100000000000000000000",
       "name" => "John Smith",
       "given_name" => "John",
@@ -244,48 +236,38 @@ The omniauth-google-oauth2 gem supports this mode of operation out of the box.
 ```javascript
 // Basic hybrid auth example following the pattern at:
-// https://developers.google.com/api-client-library/javascript/features/authentication#Authexample
-jQuery(function() {
-  return $.ajax({
-    url: 'https://apis.google.com/js/client:plus.js?onload=gpAsyncInit',
-    dataType: 'script',
-    cache: true
-  });
-});
-window.gpAsyncInit = function() {
-  gapi.auth.authorize({
-    immediate: true,
-    response_type: 'code',
-    cookie_policy: 'single_host_origin',
-    client_id: 'YOUR_CLIENT_ID',
-    scope: 'email profile'
-  }, function(response) {
-    return;
-  });
-  $('.googleplus-login').click(function(e) {
-    e.preventDefault();
-    gapi.auth.authorize({
-      immediate: false,
-      response_type: 'code',
-      cookie_policy: 'single_host_origin',
-      client_id: 'YOUR_CLIENT_ID',
-      scope: 'email profile'
-    }, function(response) {
-      if (response && !response.error) {
-        // google authentication succeed, now post data to server.
-        jQuery.ajax({type: 'POST', url: '/auth/google_oauth2/callback', data: response,
-          success: function(data) {
-            // response from server
-          }
-        });
-      } else {
-        // google authentication failed
-      }
+// https://developers.google.com/identity/sign-in/web/reference
+<script src="https://apis.google.com/js/platform.js?onload=init" async defer></script>
+...
+function init() {
+  gapi.load('auth2', function() {
+    // Ready.
+    $('.google-login-button').click(function(e) {
+      e.preventDefault();
+      gapi.auth2.authorize({
+        client_id: 'YOUR_CLIENT_ID',
+        cookie_policy: 'single_host_origin',
+        scope: 'email profile',
+        response_type: 'code'
+      }, function(response) {
+        if (response && !response.error) {
+          // google authentication succeed, now post data to server.
+          jQuery.ajax({type: 'POST', url: '/auth/google_oauth2/callback', data: response,
+            success: function(data) {
+              // response from server
+            }
+          });
+        } else {
+          // google authentication failed
+        }
+      });
     });
   });
 };
 ```
 #### Note about mobile clients (iOS, Android)
@@ -309,7 +291,7 @@ OmniAuth.config.full_host = Rails.env.production? ? 'https://domain.com' : 'http
 ## License
-Copyright (c) 2017 by Josh Ellithorpe
+Copyright (c) 2018 by Josh Ellithorpe
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

data/lib/omniauth/google_oauth2/version.rb CHANGED

@@ -2,6 +2,6 @@
 module OmniAuth
   module GoogleOauth2
-    VERSION = '0.5.4'
+    VERSION = '0.6.0'
   end
 end

data/lib/omniauth/strategies/google_oauth2.rb CHANGED

@@ -8,9 +8,11 @@ module OmniAuth
   module Strategies
     # Main class for Google OAuth2 strategy.
     class GoogleOauth2 < OmniAuth::Strategies::OAuth2
+      ALLOWED_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'].freeze
       BASE_SCOPE_URL = 'https://www.googleapis.com/auth/'
       BASE_SCOPES = %w[profile email openid].freeze
       DEFAULT_SCOPE = 'email,profile'
+      USER_INFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo'
       option :name, 'google_oauth2'
       option :skip_friends, true
@@ -19,7 +21,6 @@ module OmniAuth
       option :jwt_leeway, 60
       option :authorize_options, %i[access_type hd login_hint prompt request_visible_actions scope state redirect_uri include_granted_scopes openid_realm device_id device_name]
       option :authorized_client_ids, []
-      option :verify_iss, true
       option :client_options,
              site: 'https://oauth2.googleapis.com',
@@ -59,35 +60,30 @@ module OmniAuth
         hash = {}
         hash[:id_token] = access_token['id_token']
         if !options[:skip_jwt] && !access_token['id_token'].nil?
-          hash[:id_info] = ::JWT.decode(
-            access_token['id_token'], nil, false, verify_iss: options.verify_iss,
-                                                  iss: 'accounts.google.com',
-                                                  verify_aud: true,
-                                                  aud: options.client_id,
-                                                  verify_sub: false,
-                                                  verify_expiration: true,
-                                                  verify_not_before: true,
-                                                  verify_iat: true,
-                                                  verify_jti: false,
-                                                  leeway: options[:jwt_leeway]
-          ).first
+          decoded = ::JWT.decode(access_token['id_token'], nil, false).first
+          # We have to manually verify the claims because the third parameter to
+          # JWT.decode is false since no verification key is provided.
+          ::JWT::Verify.verify_claims(decoded,
+                                      verify_iss: true,
+                                      iss: ALLOWED_ISSUERS,
+                                      verify_aud: true,
+                                      aud: options.client_id,
+                                      verify_sub: false,
+                                      verify_expiration: true,
+                                      verify_not_before: true,
+                                      verify_iat: true,
+                                      verify_jti: false,
+                                      leeway: options[:jwt_leeway])
+          hash[:id_info] = decoded
         end
         hash[:raw_info] = raw_info unless skip_info?
-        hash[:raw_friend_info] = raw_friend_info(raw_info['sub']) unless skip_info? || options[:skip_friends]
-        hash[:raw_image_info] = raw_image_info(raw_info['sub']) unless skip_info? || options[:skip_image_info]
         prune! hash
       end
       def raw_info
-        @raw_info ||= access_token.get('https://www.googleapis.com/plus/v1/people/me/openIdConnect').parsed
-      end
-      def raw_friend_info(id)
-        @raw_friend_info ||= access_token.get("https://www.googleapis.com/plus/v1/people/#{id}/people/visible").parsed
-      end
-      def raw_image_info(id)
-        @raw_image_info ||= access_token.get("https://www.googleapis.com/plus/v1/people/#{id}?fields=image").parsed
+        @raw_info ||= access_token.get(USER_INFO_URL).parsed
       end
       def custom_build_access_token
@@ -202,7 +198,7 @@ module OmniAuth
       def verify_hd(access_token)
         return true unless options.hd
-        @raw_info ||= access_token.get('https://www.googleapis.com/plus/v1/people/me/openIdConnect').parsed
+        @raw_info ||= access_token.get(USER_INFO_URL).parsed
         options.hd = options.hd.call if options.hd.is_a? Proc
         allowed_hosted_domains = Array(options.hd)

data/omniauth-google-oauth2.gemspec CHANGED

@@ -20,7 +20,7 @@ Gem::Specification.new do |gem|
   gem.required_ruby_version = '>= 2.1'
-  gem.add_runtime_dependency 'jwt', '>= 1.5'
+  gem.add_runtime_dependency 'jwt', '>= 2.0'
   gem.add_runtime_dependency 'omniauth', '>= 1.1.1'
   gem.add_runtime_dependency 'omniauth-oauth2', '>= 1.5'

data/spec/omniauth/strategies/google_oauth2_spec.rb CHANGED

@@ -304,9 +304,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       OAuth2::Client.new('abc', 'def') do |builder|
         builder.request :url_encoded
         builder.adapter :test do |stub|
-          stub.get('/plus/v1/people/me/openIdConnect') { [200, { 'content-type' => 'application/json' }, '{"sub": "12345"}'] }
-          stub.get('/plus/v1/people/12345/people/visible') { [200, { 'content-type' => 'application/json' }, '[{"foo":"bar"}]'] }
-          stub.get('/plus/v1/people/12345?fields=image') { [200, { 'content-type' => 'application/json' }, '{"image":"imageData"}'] }
+          stub.get('/oauth2/v3/userinfo') { [200, { 'content-type' => 'application/json' }, '{"sub": "12345"}'] }
         end
       end
     end
@@ -315,35 +313,60 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     before { allow(subject).to receive(:access_token).and_return(access_token) }
     describe 'id_token' do
-      context 'when the id_token is passed into the access token' do
-        token_info =
+      shared_examples 'id_token issued by valid issuer' do |issuer| # rubocop:disable Metrics/BlockLength
+        context 'when the id_token is passed into the access token' do
+          let(:token_info) do
+            {
+              'abc' => 'xyz',
+              'exp' => Time.now.to_i + 3600,
+              'nbf' => Time.now.to_i - 60,
+              'iat' => Time.now.to_i,
+              'aud' => 'appid',
+              'iss' => issuer
+            }
+          end
+          let(:id_token) { JWT.encode(token_info, 'secret') }
+          let(:access_token) { OAuth2::AccessToken.from_hash(client, 'id_token' => id_token) }
+          it 'should include id_token when set on the access_token' do
+            expect(subject.extra).to include(id_token: id_token)
+          end
+          it 'should include id_info when id_token is set on the access_token and skip_jwt is false' do
+            subject.options[:skip_jwt] = false
+            expect(subject.extra).to include(id_info: token_info)
+          end
+          it 'should not include id_info when id_token is set on the access_token and skip_jwt is true' do
+            subject.options[:skip_jwt] = true
+            expect(subject.extra).not_to have_key(:id_info)
+          end
+          it 'should include id_info when id_token is set on the access_token by default' do
+            expect(subject.extra).to include(id_info: token_info)
+          end
+        end
+      end
+      it_behaves_like 'id_token issued by valid issuer', 'accounts.google.com'
+      it_behaves_like 'id_token issued by valid issuer', 'https://accounts.google.com'
+      context 'when the id_token is issued by an invalid issuer' do
+        let(:token_info) do
           {
             'abc' => 'xyz',
             'exp' => Time.now.to_i + 3600,
             'nbf' => Time.now.to_i - 60,
             'iat' => Time.now.to_i,
             'aud' => 'appid',
-            'iss' => 'accounts.google.com'
+            'iss' => 'fake.google.com'
           }
-        id_token = JWT.encode(token_info, 'secret')
-        let(:access_token) { OAuth2::AccessToken.from_hash(client, 'id_token' => id_token) }
-        it 'should include id_token when set on the access_token' do
-          expect(subject.extra).to include(id_token: id_token)
-        end
-        it 'should include id_info when id_token is set on the access_token and skip_jwt is false' do
-          subject.options[:skip_jwt] = false
-          expect(subject.extra).to include(id_info: token_info)
-        end
-        it 'should not include id_info when id_token is set on the access_token and skip_jwt is true' do
-          subject.options[:skip_jwt] = true
-          expect(subject.extra).not_to have_key(:id_info)
         end
+        let(:id_token) { JWT.encode(token_info, 'secret') }
+        let(:access_token) { OAuth2::AccessToken.from_hash(client, 'id_token' => id_token) }
-        it 'should include id_info when id_token is set on the access_token by default' do
-          expect(subject.extra).to include(id_info: token_info)
+        it 'raises JWT::InvalidIssuerError' do
+          expect { subject.extra }.to raise_error(JWT::InvalidIssuerError)
         end
       end
@@ -375,66 +398,6 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         end
       end
     end
-    describe 'raw_friend_info' do
-      context 'when skip_info is true' do
-        before { subject.options[:skip_info] = true }
-        it 'should not include raw_friend_info' do
-          expect(subject.extra).not_to have_key(:raw_friend_info)
-        end
-      end
-      context 'when skip_info is false' do
-        before { subject.options[:skip_info] = false }
-        context 'when skip_friends is true' do
-          before { subject.options[:skip_friends] = true }
-          it 'should not include raw_friend_info' do
-            expect(subject.extra).not_to have_key(:raw_friend_info)
-          end
-        end
-        context 'when skip_friends is false' do
-          before { subject.options[:skip_friends] = false }
-          it 'should not include raw_friend_info' do
-            expect(subject.extra[:raw_friend_info]).to eq([{ 'foo' => 'bar' }])
-          end
-        end
-      end
-    end
-    describe 'raw_image_info' do
-      context 'when skip_info is true' do
-        before { subject.options[:skip_info] = true }
-        it 'should not include raw_image_info' do
-          expect(subject.extra).not_to have_key(:raw_image_info)
-        end
-      end
-      context 'when skip_info is false' do
-        before { subject.options[:skip_info] = false }
-        context 'when skip_image_info is true' do
-          before { subject.options[:skip_image_info] = true }
-          it 'should not include raw_image_info' do
-            expect(subject.extra).not_to have_key(:raw_image_info)
-          end
-        end
-        context 'when skip_image_info is false' do
-          before { subject.options[:skip_image_info] = false }
-          it 'should include raw_image_info' do
-            expect(subject.extra[:raw_image_info]).to eq('image' => 'imageData')
-          end
-        end
-      end
-    end
   end
   describe 'populate auth hash urls' do
@@ -599,37 +562,6 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     end
   end
-  describe 'verify_iss option' do
-    before(:each) do
-      subject.options.client_options[:connection_build] = proc do |builder|
-        builder.request :url_encoded
-        builder.adapter :test do |stub|
-          stub.get('/oauth2/v3/tokeninfo?access_token=invalid_iss_token') do
-            [200, { 'Content-Type' => 'application/json; charset=UTF-8' },
-             JSON.dump(
-               aud: '000000000000.apps.googleusercontent.com',
-               sub: '123456789',
-               email_verified: 'true',
-               email: 'example@example.com',
-               access_type: 'offline',
-               scope: 'profile email',
-               expires_in: 436,
-               iss: 'foobar.com'
-             )]
-          end
-        end
-      end
-      subject.options.authorized_client_ids = ['000000000000.apps.googleusercontent.com']
-      subject.options.client_id = '000000000000.apps.googleusercontent.com'
-      subject.options[:verify_iss] = false
-    end
-    it 'should verify token if the iss does not match options.expected_iss' do
-      result = subject.send(:verify_token, 'invalid_iss_token')
-      expect(result).to eq(true)
-    end
-  end
   describe 'verify_token' do
     before(:each) do
       subject.options.client_options[:connection_build] = proc do |builder|
@@ -679,7 +611,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       OAuth2::Client.new('abc', 'def') do |builder|
         builder.request :url_encoded
         builder.adapter :test do |stub|
-          stub.get('/plus/v1/people/me/openIdConnect') do
+          stub.get('/oauth2/v3/userinfo') do
             [200, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(
               hd: 'example.com'
             )]
@@ -694,7 +626,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         OAuth2::Client.new('abc', 'def') do |builder|
           builder.request :url_encoded
           builder.adapter :test do |stub|
-            stub.get('/plus/v1/people/me/openIdConnect') do
+            stub.get('/oauth2/v3/userinfo') do
               [200, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump({})]
             end
           end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-google-oauth2
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.6.0
 platform: ruby
 authors:
 - Josh Ellithorpe
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-12-07 00:00:00.000000000 Z
+date: 2018-12-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -17,14 +17,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -141,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 2.6.11
 signing_key:
 specification_version: 4
 summary: A Google OAuth2 strategy for OmniAuth 1.x