omniauth-google-oauth2 0.6.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 81997c7fd03317eea408408d6f18159972b8f3dc
-  data.tar.gz: d16e88cdee0f4fd599d4b8d8c05ac40ebc761c07
+SHA256:
+  metadata.gz: '0532842d8362fc36a8797376dc54e09b1d11fa178d462114225eecbe87274785'
+  data.tar.gz: 63b1d0a5a3a6249b77b58cbfa4e696ae18748b59280cb73f36cb98f88abd98c1
 SHA512:
-  metadata.gz: eb2b1d82471d000a983728b92676e682d7006b0a3551bcb109cd9216a3114e6d78500bdd3d29ae71b55c95f4b7a2315f4d3930bf017edc7a2506641bb51cfc06
-  data.tar.gz: 27605544db858360570a109a922689ec100bd70ff4ea63318a67f2ba6bc5a91c1f464e9110088addba9c83fc62a6fcae13ce54f22f53abcaf5933d04cb1538ff
+  metadata.gz: 6d6f34a8629057f1f89d613155567d0bb50917648794e64527976ba7ca4c372ed8806fd57bbe5cec55d2d60545ef2e9bd038da80e1101b96642018f1d8226951
+  data.tar.gz: b00da9be3e3f97af0cdfe9a15be3d99126176a26bc21337febb893be88949da0573b4f6a843fbedac3dc982a4fda29ca532b63d3a1272fc8544468b3a42d32aa

data/.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+name: CI 
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.3', '2.4', '2.5', '2.6', '2.7', '3.0', '3.1']
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # 'bundle install' and cache
+    - name: Run specs 
+      run: |
+        bundle exec rake

data/.rubocop.yml

@@ -1,11 +1,9 @@
-ClassLength:
-  Enabled: false
-Layout/IndentHeredoc:
+Metrics/ClassLength:
   Enabled: false
 Metrics/AbcSize:
   Enabled: false
 Metrics/BlockLength:
-  ExcludedMethods: ['describe', 'context']
+  ExcludedMethods: ['describe', 'context', 'shared_examples']
 Metrics/CyclomaticComplexity:
   Enabled: false
 Metrics/LineLength:
@@ -20,4 +18,3 @@ Style/MutableConstant:
   Enabled: false
 Gemspec/RequiredRubyVersion:
   Enabled: false
-

data/.travis.yml

@@ -1,7 +1,9 @@
 language: ruby
+cache: bundler
 rvm:
-  - '2.1.10'
-  - '2.2.7'
-  - '2.3.4'
-  - '2.4.1'
-  - '2.5.0'
+  - '2.3.8'
+  - '2.4.10'
+  - '2.5.8'
+  - '2.6.6'
+  - '2.7.2'
+  - '3.0.0'

data/CHANGELOG.md

@@ -1,6 +1,135 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 1.1.1 - 2022-09-05
+
+### Added
+- Nothing.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Fixed JWT decoding issue. (Invalid segment encoding) [#431](https://github.com/zquestz/omniauth-google-oauth2/pull/431)
+
+## 1.1.0 - 2022-09-03
+
+### Added
+- `overridable_authorize_options` has been added to restrict overriding authorize_options by request params. [#423](https://github.com/zquestz/omniauth-google-oauth2/pull/423)
+- Support for oauth2 2.0.x. [#429](https://github.com/zquestz/omniauth-google-oauth2/pull/429)
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Nothing.
+
+## 1.0.1 - 2022-03-10
+
+### Added
+- Output granted scopes in credentials block of the auth hash.
+- Migrated to GitHub actions.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Overriding the `redirect_uri` via params or JSON request body.
+
+## 1.0.0 - 2021-03-14
+
+### Added
+- Support for Omniauth 2.x!
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Support for Omniauth 1.x.
+
+### Fixed
+- Nothing.
+
+## 0.8.2 - 2021-03-14
+
+### Added
+- Constrains the version to Omniauth 1.x.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Nothing.
+
+## 0.8.1 - 2020-12-12
+
+### Added
+- Support reading the access token from a json request body.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- No longer verify the iat claim for JWT.
+
+### Fixed
+- A few minor issues with .rubocop.yml.
+- Issues with image resizing code when the image came with size information from Google.
+
+## 0.8.0 - 2019-08-21
+
+### Added
+- Updated omniauth-oauth2 to v1.6.0 for security fixes.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Ruby 2.1 support.
+
+### Fixed
+- Nothing.
+
+## 0.7.0 - 2019-06-03
+
+### Added
+- Ensure `info[:email]` is always verified, and include `unverified_email`
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Nothing.
+
+## 0.6.1 - 2019-03-07
+
+### Added
+- Return `email` and `email_verified` keys in response.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Nothing.
+
 ## 0.6.0 - 2018-12-28
 
 ### Added
@@ -12,6 +141,7 @@ All notable changes to this project will be documented in this file.
 ### Removed
 - Support for JWT 1.x.
 - Support for `raw_friend_info` and `raw_image_info`.
+- Stop using Google+ API endpoints.
 
 ### Fixed
 - Nothing.

data/README.md

@@ -1,5 +1,4 @@
 [![Gem Version](https://badge.fury.io/rb/omniauth-google-oauth2.svg)](https://badge.fury.io/rb/omniauth-google-oauth2)
-[![Build Status](https://travis-ci.org/zquestz/omniauth-google-oauth2.svg)](https://travis-ci.org/zquestz/omniauth-google-oauth2)
 
 # OmniAuth Google OAuth2 Strategy
 
@@ -34,6 +33,7 @@ Here's an example for adding the middleware to a Rails app in `config/initialize
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET']
 end
+OmniAuth.config.allowed_request_methods = %i[get]
 ```
 
 You can now access the OmniAuth Google OAuth2 URL: `/auth/google_oauth2`
@@ -54,10 +54,10 @@ You can configure several options, which you pass in to the `provider` method vi
 
 * `prompt`: A space-delimited list of string values that determines whether the user is re-prompted for authentication and/or consent. Possible values are:
   * `none`: No authentication or consent pages will be displayed; it will return an error if the user is not already authenticated and has not pre-configured consent for the requested scopes. This can be used as a method to check for existing authentication and/or consent.
-  * `consent`: The user will always be prompted for consent, even if he has previously allowed access a given set of scopes.
+  * `consent`: The user will always be prompted for consent, even if they have previously allowed access a given set of scopes.
   * `select_account`: The user will always be prompted to select a user account. This allows a user who has multiple current account sessions to select one amongst them.
 
-  If no value is specified, the user only sees the authentication page if he is not logged in and only sees the consent page the first time he authorizes a given set of scopes.
+  If no value is specified, the user only sees the authentication page if they are not logged in and only sees the consent page the first time they authorize a given set of scopes.
 
 * `image_aspect_ratio`: The shape of the user's profile picture. Possible values are:
   * `original`: Picture maintains its original aspect ratio.
@@ -73,7 +73,7 @@ You can configure several options, which you pass in to the `provider` method vi
 
 * `hd`: (Optional) Limit sign-in to a particular Google Apps hosted domain. This can be simply string `'domain.com'` or an array `%w(domain.com domain.co)`. More information at: https://developers.google.com/accounts/docs/OpenIDConnect#hd-param
 
-* `jwt_leeway`: Number of seconds passed to the JWT library as leeway. Defaults to 60 seconds.
+* `jwt_leeway`: Number of seconds passed to the JWT library as leeway. Defaults to 60 seconds. Note this only works if you use jwt 2.1, as the leeway option was removed in later versions.
 
 * `skip_jwt`: Skip JWT processing. This is for users who are seeing JWT decoding errors with the `iat` field. Always try adjusting the leeway before disabling JWT processing.
 
@@ -81,15 +81,19 @@ You can configure several options, which you pass in to the `provider` method vi
 
 * `include_granted_scopes`: If this is provided with the value true, and the authorization request is granted, the authorization will include any previous authorizations granted to this user/application combination for other scopes. See Google's [Incremental Authorization](https://developers.google.com/accounts/docs/OAuth2WebServer#incrementalAuth) for additional details.
 
-* `openid_realm`: Set the OpenID realm value, to allow upgrading from OpenID based authentication to OAuth 2 based authentication. When this is set correctly an `openid_id` value will be set in `[:extra][:id_info]` in the authentication hash with the value of the user's OpenID ID URL.
+* `openid_realm`: Set the OpenID realm value, to allow upgrading from OpenID based authentication to OAuth 2 based authentication. When this is set correctly an `openid_id` value will be set in `['extra']['id_info']` in the authentication hash with the value of the user's OpenID ID URL.
 
-Here's an example of a possible configuration where the strategy name is changed, the user is asked for extra permissions, the user is always prompted to select his account when logging in and the user's profile picture is returned as a thumbnail:
+* `provider_ignores_state`: You will need to set this to `true` when using the `One-time Code Flow` below. In this flow there is no server side redirect that would set the state.
+
+* `overridable_authorize_options`: By default, all `authorize_options` can be overridden with request parameters. You can restrict the behavior by using this option.
+
+Here's an example of a possible configuration where the strategy name is changed, the user is asked for extra permissions, the user is always prompted to select their account when logging in and the user's profile picture is returned as a thumbnail:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'],
     {
-      scope: 'userinfo.email, userinfo.profile, http://gdata.youtube.com',
+      scope: 'email, profile, http://gdata.youtube.com',
       prompt: 'select_account',
       image_aspect_ratio: 'square',
       image_size: 50
@@ -176,6 +180,8 @@ devise :omniauthable, omniauth_providers: [:google_oauth2]
 Then make sure your callbacks controller is setup.
 
 ```ruby
+# app/controllers/users/omniauth_callbacks_controller.rb:
+
 class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   def google_oauth2
       # You need to implement the method below in your model (e.g. app/models/user.rb)
@@ -185,7 +191,7 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
         flash[:notice] = I18n.t 'devise.omniauth_callbacks.success', kind: 'Google'
         sign_in_and_redirect @user, event: :authentication
       else
-        session['devise.google_data'] = request.env['omniauth.auth'].except(:extra) # Removing extra as it can overflow some session stores
+        session['devise.google_data'] = request.env['omniauth.auth'].except('extra') # Removing extra as it can overflow some session stores
         redirect_to new_user_registration_url, alert: @user.errors.full_messages.join("\n")
       end
   end
@@ -213,6 +219,10 @@ end
 For your views you can login using:
 
 ```erb
+<%# omniauth-google-oauth2 1.0.x uses OmniAuth 2 and requires using HTTP Post to initiate authentication: %>
+<%= link_to "Sign in with Google", user_google_oauth2_omniauth_authorize_path, method: :post %>
+
+<%# omniauth-google-oauth2 prior 1.0.0: %>
 <%= link_to "Sign in with Google", user_google_oauth2_omniauth_authorize_path %>
 
 <%# Devise prior 4.1.0: %>
@@ -223,7 +233,7 @@ An overview is available at https://github.com/plataformatec/devise/wiki/OmniAut
 
 ### One-time Code Flow (Hybrid Authentication)
 
-Google describes the One-time Code Flow [here](https://developers.google.com/+/web/signin/server-side-flow).  This hybrid authentication flow has significant functional and security advantages over a pure server-side or pure client-side flow.  The following steps occur in this flow:
+Google describes the One-time Code Flow [here](https://developers.google.com/identity/sign-in/web/server-side-flow).  This hybrid authentication flow has significant functional and security advantages over a pure server-side or pure client-side flow.  The following steps occur in this flow:
 
 1. The client (web browser) authenticates the user directly via Google's JS API.  During this process assorted modals may be rendered by Google.
 2. On successful authentication, Google returns a one-time use code, which requires the Google client secret (which is only available server-side).
@@ -232,7 +242,7 @@ Google describes the One-time Code Flow [here](https://developers.google.com/+/w
 
 This flow is immune to replay attacks, and conveys no useful information to a man in the middle.
 
-The omniauth-google-oauth2 gem supports this mode of operation out of the box.  Implementors simply need to add the appropriate JavaScript to their web page, and they can take advantage of this flow.  An example JavaScript snippet follows.
+The omniauth-google-oauth2 gem supports this mode of operation when `provider_ignores_state` is set to `true`.  Implementors simply need to add the appropriate JavaScript to their web page, and they can take advantage of this flow.  An example JavaScript snippet follows.
 
 ```javascript
 // Basic hybrid auth example following the pattern at:
@@ -247,7 +257,7 @@ function init() {
     // Ready.
     $('.google-login-button').click(function(e) {
       e.preventDefault();
-      
+
       gapi.auth2.authorize({
         client_id: 'YOUR_CLIENT_ID',
         cookie_policy: 'single_host_origin',
@@ -260,7 +270,7 @@ function init() {
             success: function(data) {
               // response from server
             }
-          });        
+          });
         } else {
           // google authentication failed
         }
@@ -280,6 +290,66 @@ In that case, ensure to send an additional parameter `redirect_uri=` (empty stri
 
 If you're making POST requests to `/auth/google_oauth2/callback` from another domain, then you need to make sure `'X-Requested-With': 'XMLHttpRequest'` header is included with your request, otherwise your server might respond with `OAuth2::Error, : Invalid Value` error.
 
+#### Getting around the `redirect_uri_mismatch` error (See [Issue #365](https://github.com/zquestz/omniauth-google-oauth2/issues/365))
+
+If you are struggling with a persistent `redirect_uri_mismatch`, you can instead pass the `access_token` from [`getAuthResponse`](https://developers.google.com/identity/sign-in/web/reference#googleusergetauthresponseincludeauthorizationdata) directly to the `auth/google_oauth2/callback` endpoint, like so:
+
+```javascript
+// Initialize the GoogleAuth object
+let googleAuth;
+gapi.load('client:auth2', async () => {
+  await gapi.client.init({ scope: '...', client_id: '...' });
+  googleAuth = gapi.auth2.getAuthInstance();
+});
+
+// Call this when the Google Sign In button is clicked
+async function signInGoogle() {
+  const googleUser = await googleAuth.signIn(); // wait for the user to authorize through the modal
+  const { access_token } = googleUser.getAuthResponse();
+
+  const data = new FormData();
+  data.append('access_token', access_token);
+
+  const response = await api.post('/auth/google_oauth2/callback', data)
+  console.log(response);
+}
+```
+
+#### Using Axios
+If you're making a GET resquests from another domain using `access_token`.
+```
+axios
+  .get(
+    'url(path to your callback}',
+    { params: { access_token: 'token' } },
+    headers....
+    )
+```
+
+If you're making a POST resquests from another domain using `access_token`.
+```
+axios
+  .post(
+    'url(path to your callback}',
+    { access_token: 'token' },
+    headers....
+    )
+
+--OR--
+
+axios
+  .post(
+    'url(path to your callback}',
+    null,
+      {
+        params: {
+          access_token: 'token'
+        },
+        headers....
+      }
+    )
+```
+
 ## Fixing Protocol Mismatch for `redirect_uri` in Rails
 
 Just set the `full_host` in OmniAuth based on the Rails.env.

data/examples/Gemfile

@@ -2,6 +2,7 @@
 
 source 'https://rubygems.org'
 
-gem 'omniauth-google-oauth2', '~> 0.5'
+gem 'omniauth-google-oauth2', '~> 1.1.1'
 gem 'rubocop'
 gem 'sinatra', '~> 1.4'
+gem 'webrick'

data/examples/config.ru

@@ -19,6 +19,19 @@ OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
 
 # Main example app for omniauth-google-oauth2
 class App < Sinatra::Base
+  configure do
+    set :sessions, true
+    set :inline_templates, true
+  end
+
+  use Rack::Session::Cookie, secret: ENV['RACK_COOKIE_SECRET']
+
+  use OmniAuth::Builder do
+    # For additional provider examples please look at 'omni_auth.rb'
+    # The key provider_ignores_state is only for AJAX flows. It is not recommended for normal logins.
+    provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'offline', prompt: 'consent', provider_ignores_state: true, scope: 'email,profile,calendar'
+  end
+
   get '/' do
     <<-HTML
     <!DOCTYPE html>
@@ -73,7 +86,12 @@ class App < Sinatra::Base
       </head>
       <body>
       <ul>
-        <li><a href='/auth/google_oauth2'>Sign in with Google</a></li>
+        <li>
+          <form method='post' action='/auth/google_oauth2'>
+            <input type="hidden" name="authenticity_token" value="#{request.env['rack.session']['csrf']}">
+            <button type='submit'>Login with Google</button>
+          </form>
+        </li>
         <li><a href='#' class="googleplus-login">Sign in with Google via AJAX</a></li>
       </ul>
       </body>
@@ -109,12 +127,4 @@ class App < Sinatra::Base
   end
 end
 
-use Rack::Session::Cookie, secret: ENV['RACK_COOKIE_SECRET']
-
-use OmniAuth::Builder do
-  # For additional provider examples please look at 'omni_auth.rb'
-  # The key provider_ignores_state is only for AJAX flows. It is not recommended for normal logins.
-  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'offline', prompt: 'consent', provider_ignores_state: true, scope: 'email,profile,calendar'
-end
-
 run App.new

data/examples/omni_auth.rb

@@ -10,6 +10,10 @@ Rails.application.config.middleware.use OmniAuth::Builder do
   #
   provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], scope: 'email,profile'
 
+  # Custom redirect_uri
+  #
+  # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], scope: 'email,profile', redirect_uri: 'https://localhost:3000/redirect'
+
   # Manual setup for offline access with a refresh token.
   #
   # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'offline'

data/lib/omniauth/google_oauth2/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module GoogleOauth2
-    VERSION = '0.6.0'
+    VERSION = '1.1.1'
   end
 end

data/lib/omniauth/strategies/google_oauth2.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'jwt'
+require 'oauth2'
 require 'omniauth/strategies/oauth2'
 require 'uri'
 
@@ -13,13 +14,16 @@ module OmniAuth
       BASE_SCOPES = %w[profile email openid].freeze
       DEFAULT_SCOPE = 'email,profile'
       USER_INFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo'
+      IMAGE_SIZE_REGEXP = /(s\d+(-c)?)|(w\d+-h\d+(-c)?)|(w\d+(-c)?)|(h\d+(-c)?)|c/
+      AUTHORIZE_OPTIONS = %i[access_type hd login_hint prompt request_visible_actions scope state redirect_uri include_granted_scopes openid_realm device_id device_name]
 
       option :name, 'google_oauth2'
       option :skip_friends, true
       option :skip_image_info, true
       option :skip_jwt, false
       option :jwt_leeway, 60
-      option :authorize_options, %i[access_type hd login_hint prompt request_visible_actions scope state redirect_uri include_granted_scopes openid_realm device_id device_name]
+      option :authorize_options, AUTHORIZE_OPTIONS
+      option :overridable_authorize_options, AUTHORIZE_OPTIONS
       option :authorized_client_ids, []
 
       option :client_options,
@@ -29,7 +33,7 @@ module OmniAuth
 
       def authorize_params
         super.tap do |params|
-          options[:authorize_options].each do |k|
+          (options[:authorize_options] & options[:overridable_authorize_options]).each do |k|
             params[k] = request.params[k.to_s] unless [nil, ''].include?(request.params[k.to_s])
           end
 
@@ -47,6 +51,8 @@ module OmniAuth
         prune!(
           name: raw_info['name'],
           email: verified_email,
+          unverified_email: raw_info['email'],
+          email_verified: raw_info['email_verified'],
           first_name: raw_info['given_name'],
           last_name: raw_info['family_name'],
           image: image_url,
@@ -56,11 +62,17 @@ module OmniAuth
         )
       end
 
+      credentials do
+        # Tokens and expiration will be used from OAuth2 strategy credentials block
+        prune!({ 'scope' => token_info(access_token.token)['scope'] })
+      end
+
       extra do
         hash = {}
-        hash[:id_token] = access_token['id_token']
-        if !options[:skip_jwt] && !access_token['id_token'].nil?
-          decoded = ::JWT.decode(access_token['id_token'], nil, false).first
+        token = nil_or_empty?(access_token['id_token']) ? access_token.token : access_token['id_token']
+        hash[:id_token] = token
+        if !options[:skip_jwt] && !nil_or_empty?(token)
+          decoded = ::JWT.decode(token, nil, false).first
 
           # We have to manually verify the claims because the third parameter to
           # JWT.decode is false since no verification key is provided.
@@ -72,7 +84,7 @@ module OmniAuth
                                       verify_sub: false,
                                       verify_expiration: true,
                                       verify_not_before: true,
-                                      verify_iat: true,
+                                      verify_iat: false,
                                       verify_jti: false,
                                       leeway: options[:jwt_leeway])
 
@@ -92,31 +104,55 @@ module OmniAuth
         verify_hd(access_token)
         access_token
       end
+
       alias build_access_token custom_build_access_token
 
       private
 
+      def nil_or_empty?(obj)
+        obj.is_a?(String) ? obj.empty? : obj.nil?
+      end
+
       def callback_url
-        options[:redirect_uri] || (full_host + script_name + callback_path)
+        options[:redirect_uri] || (full_host + callback_path)
       end
 
       def get_access_token(request)
-        if request.xhr? && request.params['code']
-          verifier = request.params['code']
-          redirect_uri = request.params['redirect_uri'] || 'postmessage'
-          client.auth_code.get_token(verifier, get_token_options(redirect_uri), deep_symbolize(options.auth_token_params || {}))
-        elsif request.params['code'] && request.params['redirect_uri']
-          verifier = request.params['code']
-          redirect_uri = request.params['redirect_uri']
-          client.auth_code.get_token(verifier, get_token_options(redirect_uri), deep_symbolize(options.auth_token_params || {}))
-        elsif verify_token(request.params['access_token'])
+        verifier = request.params['code']
+        redirect_uri = request.params['redirect_uri']
+        access_token = request.params['access_token']
+        if verifier && request.xhr?
+          client_get_token(verifier, redirect_uri || 'postmessage')
+        elsif verifier
+          client_get_token(verifier, redirect_uri || callback_url)
+        elsif access_token && verify_token(access_token)
           ::OAuth2::AccessToken.from_hash(client, request.params.dup)
-        else
-          verifier = request.params['code']
-          client.auth_code.get_token(verifier, get_token_options(callback_url), deep_symbolize(options.auth_token_params))
+        elsif request.content_type =~ /json/i
+          begin
+            body = JSON.parse(request.body.read)
+            request.body.rewind # rewind request body for downstream middlewares
+            verifier = body && body['code']
+            access_token = body && body['access_token']
+            redirect_uri ||= body && body['redirect_uri']
+            if verifier
+              client_get_token(verifier, redirect_uri || 'postmessage')
+            elsif verify_token(access_token)
+              ::OAuth2::AccessToken.from_hash(client, body.dup)
+            end
+          rescue JSON::ParserError => e
+            warn "[omniauth google-oauth2] JSON parse error=#{e}"
+          end
         end
       end
 
+      def client_get_token(verifier, redirect_uri)
+        client.auth_code.get_token(verifier, get_token_options(redirect_uri), get_token_params)
+      end
+
+      def get_token_params
+        deep_symbolize(options.auth_token_params || {})
+      end
+
       def get_scope(params)
         raw_scope = params[:scope] || DEFAULT_SCOPE
         scope_list = raw_scope.split(' ').map { |item| item.split(',') }.flatten
@@ -124,7 +160,11 @@ module OmniAuth
         scope_list.join(' ')
       end
 
-      def get_token_options(redirect_uri)
+      def verified_email
+        raw_info['email_verified'] ? raw_info['email'] : nil
+      end
+
+      def get_token_options(redirect_uri = '')
         { redirect_uri: redirect_uri }.merge(token_params.to_hash(symbolize_keys: true))
       end
 
@@ -135,10 +175,6 @@ module OmniAuth
         end
       end
 
-      def verified_email
-        raw_info['email_verified'] ? raw_info['email'] : nil
-      end
-
       def image_url
         return nil unless raw_info['picture']
 
@@ -149,6 +185,10 @@ module OmniAuth
         if path_index && image_size_opts_passed?
           u.path.insert(path_index, image_params)
           u.path = u.path.gsub('//', '/')
+
+          # Check if the image is already sized!
+          split_path = u.path.split('/')
+          u.path = u.path.sub("/#{split_path[-3]}", '') if split_path[-3] =~ IMAGE_SIZE_REGEXP
         end
 
         u.query = strip_unnecessary_query_parameters(u.query)
@@ -187,12 +227,21 @@ module OmniAuth
         URI.encode_www_form(stripped_params)
       end
 
+      def token_info(access_token)
+        return nil unless access_token
+
+        @token_info ||= Hash.new do |h, k|
+          h[k] = client.request(:get, 'https://www.googleapis.com/oauth2/v3/tokeninfo', params: { access_token: access_token }).parsed
+        end
+
+        @token_info[access_token]
+      end
+
       def verify_token(access_token)
         return false unless access_token
 
-        raw_response = client.request(:get, 'https://www.googleapis.com/oauth2/v3/tokeninfo',
-                                      params: { access_token: access_token }).parsed
-        raw_response['aud'] == options.client_id || options.authorized_client_ids.include?(raw_response['aud'])
+        token_info = token_info(access_token)
+        token_info['aud'] == options.client_id || options.authorized_client_ids.include?(token_info['aud'])
       end
 
       def verify_hd(access_token)

data/omniauth-google-oauth2.gemspec

@@ -18,11 +18,12 @@ Gem::Specification.new do |gem|
   gem.files         = `git ls-files`.split("\n")
   gem.require_paths = ['lib']
 
-  gem.required_ruby_version = '>= 2.1'
+  gem.required_ruby_version = '>= 2.2'
 
   gem.add_runtime_dependency 'jwt', '>= 2.0'
-  gem.add_runtime_dependency 'omniauth', '>= 1.1.1'
-  gem.add_runtime_dependency 'omniauth-oauth2', '>= 1.5'
+  gem.add_runtime_dependency 'oauth2', '~> 2.0.6'
+  gem.add_runtime_dependency 'omniauth', '~> 2.0'
+  gem.add_runtime_dependency 'omniauth-oauth2', '~> 1.8.0'
 
   gem.add_development_dependency 'rake', '~> 12.0'
   gem.add_development_dependency 'rspec', '~> 3.6'

data/spec/omniauth/strategies/google_oauth2_spec.rb

@@ -3,6 +3,7 @@
 require 'spec_helper'
 require 'json'
 require 'omniauth-google-oauth2'
+require 'stringio'
 
 describe OmniAuth::Strategies::GoogleOauth2 do
   let(:request) { double('Request', params: {}, cookies: {}, env: {}) }
@@ -177,8 +178,8 @@ describe OmniAuth::Strategies::GoogleOauth2 do
 
     describe 'scope' do
       it 'should expand scope shortcuts' do
-        @options = { scope: 'plus.me' }
-        expect(subject.authorize_params['scope']).to eq('https://www.googleapis.com/auth/plus.me')
+        @options = { scope: 'calendar' }
+        expect(subject.authorize_params['scope']).to eq('https://www.googleapis.com/auth/calendar')
       end
 
       it 'should leave base scopes as is' do
@@ -241,9 +242,18 @@ describe OmniAuth::Strategies::GoogleOauth2 do
           context "authorize option #{k}" do
             let(:request) { double('Request', params: { k.to_s => 'http://example.com' }, cookies: {}, env: {}) }
 
-            it "should set the #{k} authorize option dynamically in the request" do
-              @options = { k: '' }
-              expect(subject.authorize_params[k.to_s]).to eq('http://example.com')
+            context 'when overridable_authorize_options is default' do
+              it "should set the #{k} authorize option dynamically in the request" do
+                @options = { k: '' }
+                expect(subject.authorize_params[k.to_s]).to eq('http://example.com')
+              end
+            end
+
+            context 'when overridable_authorize_options is empty' do
+              it "should not set the #{k} authorize option dynamically in the request" do
+                @options = { k: '', overridable_authorize_options: [] }
+                expect(subject.authorize_params[k.to_s]).not_to eq('http://example.com')
+              end
             end
           end
         end
@@ -251,9 +261,18 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         describe 'custom authorize_options' do
           let(:request) { double('Request', params: { 'foo' => 'something' }, cookies: {}, env: {}) }
 
-          it 'should support request overrides from custom authorize_options' do
-            @options = { authorize_options: [:foo], foo: '' }
-            expect(subject.authorize_params['foo']).to eq('something')
+          context 'when overridable_authorize_options is default' do
+            it 'should not support request overrides from custom authorize_options' do
+              @options = { authorize_options: [:foo], foo: '' }
+              expect(subject.authorize_params['foo']).not_to eq('something')
+            end
+          end
+
+          context 'when overridable_authorize_options is customized' do
+            it 'should support request overrides from custom authorize_options' do
+              @options = { authorize_options: [:foo], overridable_authorize_options: [:foo], foo: '' }
+              expect(subject.authorize_params['foo']).to eq('something')
+            end
           end
         end
       end
@@ -288,14 +307,92 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     end
   end
 
-  describe '#callback_path' do
+  describe '#callback_url' do
+    let(:base_url) { 'https://example.com' }
+
     it 'has the correct default callback path' do
-      expect(subject.callback_path).to eq('/auth/google_oauth2/callback')
+      allow(subject).to receive(:full_host) { base_url }
+      allow(subject).to receive(:script_name) { '' }
+      expect(subject.send(:callback_url)).to eq(base_url + '/auth/google_oauth2/callback')
+    end
+
+    it 'should set the callback path with script_name if present' do
+      allow(subject).to receive(:full_host) { base_url }
+      allow(subject).to receive(:script_name) { '/v1' }
+      expect(subject.send(:callback_url)).to eq(base_url + '/v1/auth/google_oauth2/callback')
     end
 
     it 'should set the callback_path parameter if present' do
       @options = { callback_path: '/auth/foo/callback' }
-      expect(subject.callback_path).to eq('/auth/foo/callback')
+      allow(subject).to receive(:full_host) { base_url }
+      allow(subject).to receive(:script_name) { '' }
+      expect(subject.send(:callback_url)).to eq(base_url + '/auth/foo/callback')
+    end
+  end
+
+  describe '#info' do
+    let(:client) do
+      OAuth2::Client.new('abc', 'def') do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/oauth2/v3/userinfo') { [200, { 'content-type' => 'application/json' }, response_hash.to_json] }
+        end
+      end
+    end
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, { 'access_token' => 'a' }) }
+    before { allow(subject).to receive(:access_token).and_return(access_token) }
+
+    context 'with verified email' do
+      let(:response_hash) do
+        { email: 'something@domain.invalid', email_verified: true }
+      end
+
+      it 'should return equal email and unverified_email' do
+        expect(subject.info[:email]).to eq('something@domain.invalid')
+        expect(subject.info[:unverified_email]).to eq('something@domain.invalid')
+      end
+    end
+
+    context 'with unverified email' do
+      let(:response_hash) do
+        { email: 'something@domain.invalid', email_verified: false }
+      end
+
+      it 'should return nil email, and correct unverified email' do
+        expect(subject.info[:email]).to eq(nil)
+        expect(subject.info[:unverified_email]).to eq('something@domain.invalid')
+      end
+    end
+  end
+
+  describe '#credentials' do
+    let(:client) { OAuth2::Client.new('abc', 'def') }
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, access_token: 'valid_access_token', expires_at: 123_456_789, refresh_token: 'valid_refresh_token') }
+    before(:each) do
+      allow(subject).to receive(:access_token).and_return(access_token)
+      subject.options.client_options[:connection_build] = proc do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/oauth2/v3/tokeninfo?access_token=valid_access_token') do
+            [200, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(
+              aud: '000000000000.apps.googleusercontent.com',
+              sub: '123456789',
+              scope: 'profile email'
+            )]
+          end
+        end
+      end
+    end
+
+    it 'should return access token and (optionally) refresh token' do
+      expect(subject.credentials.to_h).to \
+        match(hash_including(
+                'token' => 'valid_access_token',
+                'refresh_token' => 'valid_refresh_token',
+                'scope' => 'profile email',
+                'expires_at' => 123_456_789,
+                'expires' => true
+              ))
     end
   end
 
@@ -308,12 +405,10 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         end
       end
     end
-    let(:access_token) { OAuth2::AccessToken.from_hash(client, {}) }
-
     before { allow(subject).to receive(:access_token).and_return(access_token) }
 
     describe 'id_token' do
-      shared_examples 'id_token issued by valid issuer' do |issuer| # rubocop:disable Metrics/BlockLength
+      shared_examples 'id_token issued by valid issuer' do |issuer|
         context 'when the id_token is passed into the access token' do
           let(:token_info) do
             {
@@ -370,7 +465,10 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         end
       end
 
-      context 'when the id_token is missing' do
+      context 'when the access token is empty or nil' do
+        let(:access_token) { OAuth2::AccessToken.new(client, nil, { 'refresh_token' => 'foo' }) }
+        before { allow(subject.extra).to receive(:access_token).and_return(access_token) }
+
         it 'should not include id_token' do
           expect(subject.extra).not_to have_key(:id_token)
         end
@@ -382,6 +480,19 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     end
 
     describe 'raw_info' do
+      let(:token_info) do
+        {
+          'abc' => 'xyz',
+          'exp' => Time.now.to_i + 3600,
+          'nbf' => Time.now.to_i - 60,
+          'iat' => Time.now.to_i,
+          'aud' => 'appid',
+          'iss' => 'accounts.google.com'
+        }
+      end
+      let(:id_token) { JWT.encode(token_info, 'secret') }
+      let(:access_token) { OAuth2::AccessToken.from_hash(client, 'id_token' => id_token) }
+
       context 'when skip_info is true' do
         before { subject.options[:skip_info] = true }
 
@@ -426,6 +537,12 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/s50/photo.jpg')
       end
 
+      it 'should return the image with size specified in the `image_size` option when sizing is in the picture' do
+        @options = { image_size: 50 }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh4.googleusercontent.com/url/s96-c/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh4.googleusercontent.com/url/s50/photo.jpg')
+      end
+
       it 'should handle a picture with too many slashes correctly' do
         @options = { image_size: 50 }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url//photo.jpg' } }
@@ -456,24 +573,48 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40/photo.jpg')
       end
 
+      it 'should return the image with width and height specified in the `image_size` option when sizing is in the picture' do
+        @options = { image_size: { width: 50, height: 40 } }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/w100-h80-c/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40/photo.jpg')
+      end
+
       it 'should return square image when `image_aspect_ratio` is specified' do
         @options = { image_aspect_ratio: 'square' }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg' } }
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/c/photo.jpg')
       end
 
+      it 'should return square image when `image_aspect_ratio` is specified and sizing is in the picture' do
+        @options = { image_aspect_ratio: 'square' }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/c/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/c/photo.jpg')
+      end
+
       it 'should return square sized image when `image_aspect_ratio` and `image_size` is set' do
         @options = { image_aspect_ratio: 'square', image_size: 50 }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg' } }
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/s50-c/photo.jpg')
       end
 
+      it 'should return square sized image when `image_aspect_ratio` and `image_size` is set and sizing is in the picture' do
+        @options = { image_aspect_ratio: 'square', image_size: 50 }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/s90/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/s50-c/photo.jpg')
+      end
+
       it 'should return square sized image when `image_aspect_ratio` and `image_size` has height and width' do
         @options = { image_aspect_ratio: 'square', image_size: { width: 50, height: 40 } }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg' } }
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40-c/photo.jpg')
       end
 
+      it 'should return square sized image when `image_aspect_ratio` and `image_size` has height and width and sizing is in the picture' do
+        @options = { image_aspect_ratio: 'square', image_size: { width: 50, height: 40 } }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/w100-h80/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40-c/photo.jpg')
+      end
+
       it 'should return original image if image url does not end in `photo.jpg`' do
         @options = { image_size: 50 }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/photograph.jpg' } }
@@ -536,20 +677,82 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     end
 
     it 'should read access_token from hash if this is not an AJAX request with a code parameter' do
+      client = OAuth2::Client.new('abc', 'def') do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/oauth2/v3/userinfo') { [200, { 'content-type' => 'application/json' }, '{"sub": "12345"}'] }
+        end
+      end
+
       allow(request).to receive(:xhr?).and_return(false)
       allow(request).to receive(:params).and_return('access_token' => 'valid_access_token')
       expect(subject).to receive(:verify_token).with('valid_access_token').and_return true
-      expect(subject).to receive(:client).and_return(:client)
+      expect(subject).to receive(:client).and_return(client)
+
+      token = subject.build_access_token
+      expect(token).to be_instance_of(::OAuth2::AccessToken)
+      expect(token.token).to eq('valid_access_token')
+      expect(token.client).to eq(client)
+    end
+
+    it 'reads the code from a json request body' do
+      body = StringIO.new(%({"code":"json_access_token"}))
+      client = double(:client)
+      auth_code = double(:auth_code)
+
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:content_type).and_return('application/json')
+      allow(request).to receive(:body).and_return(body)
+      allow(client).to receive(:auth_code).and_return(auth_code)
+      expect(subject).to receive(:client).and_return(client)
+
+      expect(auth_code).to receive(:get_token).with('json_access_token', { redirect_uri: 'postmessage' }, {})
+
+      subject.build_access_token
+    end
+
+    it 'reads the redirect uri from a json request body' do
+      body = StringIO.new(%({"code":"json_access_token", "redirect_uri":"sample"}))
+      client = double(:client)
+      auth_code = double(:auth_code)
+
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:content_type).and_return('application/json')
+      allow(request).to receive(:body).and_return(body)
+      allow(client).to receive(:auth_code).and_return(auth_code)
+      expect(subject).to receive(:client).and_return(client)
+
+      expect(auth_code).to receive(:get_token).with('json_access_token', { redirect_uri: 'sample' }, {})
+
+      subject.build_access_token
+    end
+
+    it 'reads the access token from a json request body' do
+      body = StringIO.new(%({"access_token":"valid_access_token"}))
+      client = OAuth2::Client.new('abc', 'def') do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/oauth2/v3/userinfo') { [200, { 'content-type' => 'application/json' }, '{"sub": "12345"}'] }
+        end
+      end
+
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:content_type).and_return('application/json')
+      allow(request).to receive(:body).and_return(body)
+      expect(subject).to receive(:client).and_return(client)
+
+      expect(subject).to receive(:verify_token).with('valid_access_token').and_return true
 
       token = subject.build_access_token
       expect(token).to be_instance_of(::OAuth2::AccessToken)
       expect(token.token).to eq('valid_access_token')
-      expect(token.client).to eq(:client)
+      expect(token.client).to eq(client)
     end
 
     it 'should use callback_url without query_string if this is not an AJAX request' do
       allow(request).to receive(:xhr?).and_return(false)
       allow(request).to receive(:params).and_return('code' => 'valid_code')
+      allow(request).to receive(:content_type).and_return('application/x-www-form-urlencoded')
 
       client = double(:client)
       auth_code = double(:auth_code)
@@ -619,7 +822,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         end
       end
     end
-    let(:access_token) { OAuth2::AccessToken.from_hash(client, {}) }
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, { 'access_token' => 'foo' }) }
 
     context 'when domain is nil' do
       let(:client) do

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-google-oauth2
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Josh Ellithorpe
 - Yury Korolev
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-12-29 00:00:00.000000000 Z
+date: 2022-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -25,34 +25,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.6
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.1
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.1
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: 1.8.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: 1.8.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -103,6 +117,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rubocop.yml"
 - ".travis.yml"
@@ -125,7 +140,7 @@ homepage: https://github.com/zquestz/omniauth-google-oauth2
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -133,16 +148,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.11
-signing_key: 
+rubygems_version: 3.0.9
+signing_key:
 specification_version: 4
 summary: A Google OAuth2 strategy for OmniAuth 1.x
 test_files: []