omniauth-himari 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ab98117f1451b0b99efcfa2b448295700d9c3ea50bb1ff7fce9857c887fb1884
4
- data.tar.gz: 5a5f6efcdb3b9e325b266a962dd7aeae2a0986724cdd4b00cf3c9a18072a9892
3
+ metadata.gz: a70212c826202aee2e5c9d0f434f9db87fda6e60f4b52d790e191a092b569b56
4
+ data.tar.gz: 00eadabe52c3141d9726d6dcf33c4246cf5933f999017eddae60f9d888416ed6
5
5
  SHA512:
6
- metadata.gz: 0c3660a3595d98d24c535ccf7a9c518c71830163d2d344ff8d7077cca0c7f409dd1dda2c28e84cbcabeee229e371186d2e020dac7c7ee94b98ef763be340a008
7
- data.tar.gz: 48fdb5b0cd2ad8900fba76a848564e2bdb9cf80e952bbe3fe994bb5aaf63c57e8d54b22788f72f89c92cbfcf2aff19909a05beafbf67389220f6c5d334a529ed
6
+ metadata.gz: 42f2e88ef993741fd2efa65549693c2efdca2d9d19edc6942cede102a792448a01cb4f5182d3e373c538cd645bde32962ed2d7e5fcbfc2410090cb12ff22360b
7
+ data.tar.gz: 5e7b941fe46a0a0eef79674c92cd844663a5b0047bb4efe878ac5b64d31b18a8e8d1235ae5ce78a0e3edf2826c8b571ce718f7a003ce5ecdb9534c41ffa8b454
data/CHANGELOG.md CHANGED
@@ -1,3 +1,9 @@
1
+ ## [0.4.0] - 2026-06-06
2
+
3
+ ### Enhancements
4
+
5
+ - Validate the Authorization Server Issuer Identification `iss` parameter (RFC 9207) on the authorization response, defending against mix-up attacks; controlled by the new `verify_iss` option (default enabled)
6
+
1
7
  ## [0.3.0] - 2026-06-03
2
8
 
3
9
  ### Enhancements
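Review bot: the 0.4.0 entry should say what `verify_iss` does when the authorization response carries no `iss` parameter at all, because the `callback_phase` implementation in this release only rejects when `iss` is present and differs from `site`; a response without the parameter is accepted. Readers who know RFC 9207 §2.4 (clients reject a missing `iss` from a server known to support it) will otherwise assume the stricter behaviour. Suggest appending to the bullet: "the check applies only when the response includes `iss`; a response without it is accepted".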
data/README.md CHANGED
@@ -22,6 +22,7 @@ use OmniAuth::Builder do
22
22
 
23
23
  # verify_options: { ... } # JWT.decode verify options override
24
24
  # verify_at_hash: true, # Verify at_hash returned in ID token
25
+ # verify_iss: true, # Verify RFC 9207 iss parameter on the authorization response
25
26
 
26
27
  # use_userinfo: false # force use of userinfo endpoint for raw_info
27
28
  # jwks_url: '...' # JWKs url to override (default=/public/jwks)
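Review bot: the new `verify_iss` comment says what is checked but not what it is compared against; the implementation compares the response's `iss` with `site` using a plain string compare (which is what RFC 9207 requires), so `site` has to be configured as the exact issuer identifier and a trailing slash on one side is enough to fail every login with `:issuer_mismatch`. Suggest: `# verify_iss: true, # Verify RFC 9207 iss parameter on the authorization response equals site (exact string match)`.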
@@ -24,6 +24,7 @@ module OmniAuth
24
24
 
25
25
  option :verify_options, {}
26
26
  option :verify_at_hash, true
27
+ option :verify_iss, true
27
28
 
28
29
  option :use_userinfo, false
29
30
 
@@ -52,6 +53,19 @@ module OmniAuth
52
53
  super
53
54
  end
54
55
 
56
+ # RFC 9207: validate the authorization server's issuer identifier returned alongside the
57
+ # authorization response before exchanging the code, defending against mix-up attacks.
58
+ def callback_phase
59
+ if options.verify_iss
60
+ iss = request.params['iss']
61
+ if iss && iss != options.site
62
+ return fail!(:issuer_mismatch, VerificationError.new("iss mismatch: #{iss.inspect} != #{options.site.inspect}"))
63
+ end
64
+ end
65
+
66
+ super
67
+ end
68
+
55
69
  uid { raw_info['sub'] }
56
70
 
57
71
  credentials do
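Review bot: the guard `if iss && iss != options.site` fails open: a response with no `iss` parameter passes straight through to `super` and the code exchange, so only responses that announce a wrong issuer are ever rejected. RFC 9207 §2.4 has clients reject a response that lacks `iss` when the server is known to support the parameter, and this strategy is bound to a single configured `site`, so the strict form is cheap: treat `iss.nil?` as a failure as well (a distinct reason such as `:issuer_missing` keeps the two cases apart in logs), or put the strictness behind the existing `verify_iss` option and document the current fail-open behaviour if compatibility with older servers is the reason for it. Placing the check ahead of `super` is the right order, since the response is rejected before any token request is made.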
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Omniauth
4
4
  module Himari
5
- VERSION = "0.3.0"
5
+ VERSION = "0.4.0"
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-himari
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.0
4
+ version: 0.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sorah Fukumori