omniauth-google2 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 63427f9dc5e660bfe619a6bd03f8bdb8855dba46af54e2e7be226295505d262e
+  data.tar.gz: 339499439c68c4ea05ff007bde1b8721656f242257fb4c341156b2e3b4d725d9
+SHA512:
+  metadata.gz: a57c2acf7b6207936fa2c209ce152e2789c1265aded76521b6c13681344859fea96b7e714282af807f542de2edcb80957e4fce6b926efab666cbe949b050595d
+  data.tar.gz: 7eade7ca6129243f8c05d5bdbd25f0a574e3ebd5337e2d564c087ff2b30f44281984fce7e4cd875a1a859a7db0083cc970f5d15c35b81c22ae3b8d73a4bc6410

data/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Claudio Poli
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,151 @@
+# OmniAuth Google2 Strategy
+
+[![Test](https://github.com/icoretech/omniauth-google2/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/icoretech/omniauth-google2/actions/workflows/test.yml?query=branch%3Amain)
+[![Gem Version](https://img.shields.io/gem/v/omniauth-google2.svg)](https://rubygems.org/gems/omniauth-google2)
+
+`omniauth-google2` provides a Google OAuth2/OpenID Connect strategy for OmniAuth.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-google2'
+```
+
+Then run:
+
+```bash
+bundle install
+```
+
+## Usage
+
+Configure OmniAuth in your Rack/Rails app:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :google2,
+           ENV.fetch('GOOGLE_CLIENT_ID'),
+           ENV.fetch('GOOGLE_CLIENT_SECRET')
+end
+```
+
+Compatibility alias is available, so you can keep existing callback paths using `google_oauth2`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :google_oauth2,
+           ENV.fetch('GOOGLE_CLIENT_ID'),
+           ENV.fetch('GOOGLE_CLIENT_SECRET')
+end
+```
+
+Google OAuth app setup: [Google Cloud Console](https://console.cloud.google.com/apis/credentials)
+
+## Options
+
+Supported request options include:
+- `scope` (default: `openid email profile`)
+- `access_type` (default: `offline`)
+- `include_granted_scopes`
+- `prompt`
+- `login_hint`
+- `hd`
+- `redirect_uri`
+- `nonce`
+
+Scopes are normalized so short names like `email profile` are converted to Google OAuth scope URLs when required.
+
+## Auth Hash
+
+Example payload from `request.env['omniauth.auth']` (realistic shape, anonymized):
+
+```json
+{
+  "uid": "111111111111111111111",
+  "info": {
+    "name": "sample-user",
+    "email": "sample@gmail.com",
+    "unverified_email": "sample@gmail.com",
+    "email_verified": true,
+    "first_name": "sample-user",
+    "image": "https://lh3.googleusercontent.com/a/example-avatar=s96-c"
+  },
+  "credentials": {
+    "token": "ya29.a0AfH6SM...",
+    "refresh_token": "1//0gAbCdEf123456",
+    "expires_at": 1772691847,
+    "expires": true,
+    "scope": "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email openid"
+  },
+  "extra": {
+    "raw_info": {
+      "sub": "111111111111111111111",
+      "name": "sample-user",
+      "given_name": "sample-user",
+      "picture": "https://lh3.googleusercontent.com/a/example-avatar=s96-c",
+      "email": "sample@gmail.com",
+      "email_verified": true
+    },
+    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6I...redacted...",
+    "id_info": {
+      "iss": "https://accounts.google.com",
+      "aud": "1012003270838.apps.googleusercontent.com",
+      "sub": "111111111111111111111",
+      "email": "sample@gmail.com",
+      "email_verified": true,
+      "name": "sample-user",
+      "picture": "https://lh3.googleusercontent.com/a/example-avatar=s96-c",
+      "given_name": "sample-user",
+      "iat": 1772689518,
+      "exp": 1772693118
+    }
+  }
+}
+```
+
+## Development
+
+```bash
+bundle install
+bundle exec rake
+```
+
+Run Rails integration tests with an explicit Rails version:
+
+```bash
+RAILS_VERSION='~> 8.1.0' bundle install
+RAILS_VERSION='~> 8.1.0' bundle exec rake test_rails_integration
+```
+
+## Compatibility
+
+- Ruby: `>= 3.2` (tested on `3.2`, `3.3`, `3.4`, `4.0`)
+- `omniauth-oauth2`: `>= 1.8`, `< 1.9`
+- Rails integration lanes: `~> 7.1.0`, `~> 7.2.0`, `~> 8.0.0`, `~> 8.1.0`
+
+## Endpoints
+
+This gem uses Google OpenID Connect discovery endpoints:
+- `https://accounts.google.com/o/oauth2/v2/auth`
+- `https://oauth2.googleapis.com/token`
+- `https://openidconnect.googleapis.com/v1/userinfo`
+
+## Smoke Variants
+
+After a baseline smoke succeeds, run these extra request-phase variants:
+- `?prompt=consent select_account`
+- `?login_hint=user@example.com`
+- `?hd=example.com`
+- `?include_granted_scopes=true`
+
+These verify option pass-through and help catch provider-side UX or consent regressions.
+
+## Release
+
+Tag releases as `vX.Y.Z`; GitHub Actions publishes the gem to RubyGems.
+
+## License
+
+MIT

data/lib/omniauth/google2/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Google2
+    VERSION = '1.0.0'
+  end
+end

data/lib/omniauth/google2.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'omniauth/google2/version'
+require 'omniauth/strategies/google2'

data/lib/omniauth/strategies/google2.rb

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'omniauth-oauth2'
+
+module OmniAuth
+  module Strategies
+    # OmniAuth strategy for Google OAuth2/OpenID Connect.
+    class Google2 < OmniAuth::Strategies::OAuth2
+      BASE_SCOPE_URL = 'https://www.googleapis.com/auth/'
+      BASE_SCOPES = %w[openid email profile].freeze
+      DEFAULT_SCOPE = 'openid email profile'
+      USER_INFO_URL = 'https://openidconnect.googleapis.com/v1/userinfo'
+
+      option :name, 'google2'
+      option :authorize_options,
+             %i[scope state access_type include_granted_scopes prompt login_hint hd redirect_uri nonce]
+      option :scope, DEFAULT_SCOPE
+      option :skip_jwt, false
+
+      option :client_options,
+             site: 'https://openidconnect.googleapis.com',
+             authorize_url: 'https://accounts.google.com/o/oauth2/v2/auth',
+             token_url: 'https://oauth2.googleapis.com/token',
+             connection_opts: {
+               headers: {
+                 user_agent: 'icoretech-omniauth-google2 gem',
+                 accept: 'application/json',
+                 content_type: 'application/json'
+               }
+             }
+
+      uid { raw_info['sub'] || raw_info['id'].to_s }
+
+      info do
+        {
+          name: raw_info['name'],
+          email: raw_info['email_verified'] ? raw_info['email'] : nil,
+          unverified_email: raw_info['email'],
+          email_verified: raw_info['email_verified'],
+          first_name: raw_info['given_name'],
+          last_name: raw_info['family_name'],
+          image: raw_info['picture'],
+          urls: raw_info['profile'] ? { google: raw_info['profile'] } : nil
+        }.compact
+      end
+
+      credentials do
+        {
+          'token' => access_token.token,
+          'refresh_token' => access_token.refresh_token,
+          'expires_at' => access_token.expires_at,
+          'expires' => access_token.expires?,
+          'scope' => token_scope
+        }.compact
+      end
+
+      extra do
+        data = { 'raw_info' => raw_info }
+        id_token = access_token['id_token']
+        return data if blank?(id_token)
+
+        data['id_token'] = id_token
+        decoded = decode_id_token(id_token)
+        data['id_info'] = decoded if decoded
+        data
+      end
+
+      def authorize_params
+        super.tap do |params|
+          apply_request_authorize_overrides(params)
+          params[:scope] = normalize_scope(params[:scope] || options[:scope])
+          params[:access_type] ||= 'offline'
+          params[:include_granted_scopes] = normalize_include_granted_scopes(params[:include_granted_scopes])
+          persist_authorize_state(params)
+        end
+      end
+
+      def raw_info
+        @raw_info ||= access_token.get(USER_INFO_URL).parsed
+      end
+
+      # Ensure token exchange uses a stable callback URI that matches provider config.
+      def callback_url
+        options[:callback_url] || options[:redirect_uri] || super
+      end
+
+      # Prevent authorization response params from being appended to redirect_uri.
+      def query_string
+        return '' if request.params['code']
+
+        super
+      end
+
+      private
+
+      def normalize_scope(raw_scope)
+        raw_scope.to_s.split(/[\s,]+/).reject(&:empty?).map do |scope|
+          scope.start_with?('https://') || BASE_SCOPES.include?(scope) ? scope : "#{BASE_SCOPE_URL}#{scope}"
+        end.join(' ')
+      end
+
+      def apply_request_authorize_overrides(params)
+        options[:authorize_options].each do |key|
+          request_value = request.params[key.to_s]
+          params[key] = request_value unless blank?(request_value)
+        end
+      end
+
+      def normalize_include_granted_scopes(value)
+        value == true ? 'true' : value
+      end
+
+      def persist_authorize_state(params)
+        session['omniauth.state'] = params[:state] if params[:state]
+      end
+
+      def token_scope
+        access_token.params['scope'] || access_token['scope']
+      end
+
+      def decode_id_token(token)
+        return nil if options[:skip_jwt]
+
+        payload, = JWT.decode(token, nil, false)
+        payload
+      rescue JWT::DecodeError
+        nil
+      end
+
+      def blank?(value)
+        value.nil? || (value.respond_to?(:empty?) && value.empty?)
+      end
+    end
+
+    # Backward-compatible strategy name for existing `google_oauth2` callback paths.
+    class GoogleOauth2 < Google2
+      option :name, 'google_oauth2'
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'google2', 'Google2'
+OmniAuth.config.add_camelization 'google_oauth2', 'GoogleOauth2'

data/lib/omniauth-google2.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'omniauth/google2'

data/omniauth-google2.gemspec

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth/google2/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'omniauth-google2'
+  spec.version = OmniAuth::Google2::VERSION
+  spec.authors = ['Claudio Poli']
+  spec.email = ['masterkain@gmail.com']
+
+  spec.summary = 'OmniAuth strategy for Google OAuth2/OpenID Connect authentication.'
+  spec.description =
+    'OAuth2/OpenID Connect strategy for OmniAuth that authenticates users with Google and exposes profile metadata.'
+  spec.homepage = 'https://github.com/icoretech/omniauth-google2'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 3.2'
+
+  spec.metadata['source_code_uri'] = 'https://github.com/icoretech/omniauth-google2'
+  spec.metadata['bug_tracker_uri'] = 'https://github.com/icoretech/omniauth-google2/issues'
+  spec.metadata['changelog_uri'] = 'https://github.com/icoretech/omniauth-google2/releases'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.files = Dir[
+    'lib/**/*.rb',
+    'README*',
+    'LICENSE*',
+    '*.gemspec'
+  ]
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'cgi', '>= 0.3.6'
+  spec.add_dependency 'jwt', '>= 2.9.2'
+  spec.add_dependency 'omniauth-oauth2', '>= 1.8', '< 1.9'
+end

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-google2
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Claudio Poli
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cgi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.2
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+description: OAuth2/OpenID Connect strategy for OmniAuth that authenticates users
+  with Google and exposes profile metadata.
+email:
+- masterkain@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/omniauth-google2.rb
+- lib/omniauth/google2.rb
+- lib/omniauth/google2/version.rb
+- lib/omniauth/strategies/google2.rb
+- omniauth-google2.gemspec
+homepage: https://github.com/icoretech/omniauth-google2
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/icoretech/omniauth-google2
+  bug_tracker_uri: https://github.com/icoretech/omniauth-google2/issues
+  changelog_uri: https://github.com/icoretech/omniauth-google2/releases
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: OmniAuth strategy for Google OAuth2/OpenID Connect authentication.
+test_files: []