RubyGems - omniauth-keycloak - Versions diffs - 1.2.0 → 1.4.4 - Mend

omniauth-keycloak 1.2.0 → 1.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +103 -0
data/Gemfile.lock +68 -65
data/README.md +45 -2
data/lib/keycloak/version.rb +1 -1
data/lib/omniauth/strategies/keycloak-openid.rb +74 -23
data/omniauth-keycloak.gemspec +12 -11
data/spec/omniauth/strategies/keycloak_spec.rb +164 -27
metadata +36 -21

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f523d3b03c2258b9b49ca70dd94a02e9104de24a6148ee2d0018c9d3301ffe0
-  data.tar.gz: 820eaba1eb35fce32c80a82293ab58ba1c154e307b191cce0b6a37b5888412d0
+  metadata.gz: 79b854153d87dedf293c8d1e4d30994169a92633d69ef4848e1a1af0356a82c2
+  data.tar.gz: 54f9007dd675375cec26c5b2c5447bc85b5077fa378723c099243501794eedb9
 SHA512:
-  metadata.gz: de576c60d232f49150b0923ec1496c1e6ffdfafdb0fa3a85e3aa17d08952faacfd955a66d292dff352740965599720e645d3866b9d39f364d141bf686445a115
-  data.tar.gz: cdf8238793033678b6a348b11111d95ea5449b61d50a63fc1b109e302d4a2616fb0e979acbdef33e5709dd0c0eee6481c9225bba57f7dbaae4a9b42688478535
+  metadata.gz: 1b0f823afd6af3f57472078f79da245b14867cfff35b1e892c777d1cdfe779524e6e68877534fdc19fc8b372705b777bf350d649a91f6b0bd7b8e7fd020b97ca
+  data.tar.gz: 8f51a1218d726e2a3de85d01355297ade8fe6e6f705752c870e374bf18684bdbf5bb2e83294e3653bf7ecc0885ce52383eec81f6dc37734b05bdf910732ddb00

data/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,103 @@
+# Changelog
+## [v1.4.3](https://github.com/ccrockett/omniauth-keycloak/tree/v1.4.3) (2022-07-24)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.4.2...v1.4.3)
+**Fixed bugs:**
+- Error: uninitialized constant OmniAuth::Strategies::KeycloakOpenId::MultiJson after gem update [\#30](https://github.com/ccrockett/omniauth-keycloak/issues/30)
+## [v1.4.2](https://github.com/ccrockett/omniauth-keycloak/tree/v1.4.2) (2022-06-14)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.4.1...v1.4.2)
+**Closed issues:**
+- Adjust endpoints to updated Keycloak paths [\#29](https://github.com/ccrockett/omniauth-keycloak/issues/29)
+- Expose id\_token inside extra hash of auth hash [\#25](https://github.com/ccrockett/omniauth-keycloak/issues/25)
+**Merged pull requests:**
+- Set omniauth version to \>= 2.0 [\#28](https://github.com/ccrockett/omniauth-keycloak/pull/28) ([hobbypunk90](https://github.com/hobbypunk90))
+## [v1.4.1](https://github.com/ccrockett/omniauth-keycloak/tree/v1.4.1) (2022-05-25)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.4.0...v1.4.1)
+**Closed issues:**
+- Get Request is now Post Request [\#23](https://github.com/ccrockett/omniauth-keycloak/issues/23)
+- Is the "/auth/" part mandatory in Keycloak's configuration URL? [\#19](https://github.com/ccrockett/omniauth-keycloak/issues/19)
+- Add example instructions for Keycloak configuration [\#14](https://github.com/ccrockett/omniauth-keycloak/issues/14)
+**Merged pull requests:**
+- expose id\_token inside extra hash of auth hash [\#26](https://github.com/ccrockett/omniauth-keycloak/pull/26) ([rah-wtag](https://github.com/rah-wtag))
+- Bump bindata from 2.4.9 to 2.4.10 [\#22](https://github.com/ccrockett/omniauth-keycloak/pull/22) ([dependabot[bot]](https://github.com/apps/dependabot))
+## [v1.4.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.4.0) (2021-12-18)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.3.0...v1.4.0)
+**Closed issues:**
+- Are there any reason to specify one certificate key to decode JWT? [\#17](https://github.com/ccrockett/omniauth-keycloak/issues/17)
+- No route matches \[POST\] "/auth/keycloak\_openid" [\#15](https://github.com/ccrockett/omniauth-keycloak/issues/15)
+**Merged pull requests:**
+- Use JSON::JWK::Set instead of JSON::JWK [\#21](https://github.com/ccrockett/omniauth-keycloak/pull/21) ([hobbypunk90](https://github.com/hobbypunk90))
+- Allow pass a Proc to the setup option when you specify a strategy [\#18](https://github.com/ccrockett/omniauth-keycloak/pull/18) ([Cambero](https://github.com/Cambero))
+- Add information on how to use it to readme [\#16](https://github.com/ccrockett/omniauth-keycloak/pull/16) ([frenesim](https://github.com/frenesim))
+## [v1.3.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.3.0) (2021-05-17)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.2.1...v1.3.0)
+**Merged pull requests:**
+- Bump Omniauth dependencies to v2 [\#13](https://github.com/ccrockett/omniauth-keycloak/pull/13) ([offner](https://github.com/offner))
+## [v1.2.1](https://github.com/ccrockett/omniauth-keycloak/tree/v1.2.1) (2020-12-19)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.2.0...v1.2.1)
+**Closed issues:**
+- Dynamically load Client and Realm [\#11](https://github.com/ccrockett/omniauth-keycloak/issues/11)
+- cannot load such file -- /Library/Ruby/Gems/2.6.0/gems/omniauth-keycloak-1.2.0/lib/omniauth-keycloak.rb \(LoadError\) [\#8](https://github.com/ccrockett/omniauth-keycloak/issues/8)
+- Release json-jwt version restriction change [\#5](https://github.com/ccrockett/omniauth-keycloak/issues/5)
+**Merged pull requests:**
+- Raise errors on setup failure and logging with OmniAuth::Strategy::log method [\#10](https://github.com/ccrockett/omniauth-keycloak/pull/10) ([alexpetrov](https://github.com/alexpetrov))
+- Bump json from 2.1.0 to 2.3.1 [\#9](https://github.com/ccrockett/omniauth-keycloak/pull/9) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rack from 2.2.2 to 2.2.3 [\#7](https://github.com/ccrockett/omniauth-keycloak/pull/7) ([dependabot[bot]](https://github.com/apps/dependabot))
+## [v1.2.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.2.0) (2020-05-28)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.1.0...v1.2.0)
+**Merged pull requests:**
+- Bump activesupport from 6.0.1 to 6.0.3.1 [\#6](https://github.com/ccrockett/omniauth-keycloak/pull/6) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Update rake requirement from ~\> 10.0 to ~\> 13.0 [\#4](https://github.com/ccrockett/omniauth-keycloak/pull/4) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rack from 2.0.7 to 2.0.8 [\#2](https://github.com/ccrockett/omniauth-keycloak/pull/2) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Adding Devise Documentation [\#1](https://github.com/ccrockett/omniauth-keycloak/pull/1) ([masonhensley](https://github.com/masonhensley))
+## [v1.1.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.1.0) (2018-12-16)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.0.1...v1.1.0)
+## [v1.0.1](https://github.com/ccrockett/omniauth-keycloak/tree/v1.0.1) (2018-12-16)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.0.0...v1.0.1)
+## [v1.0.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.0.0) (2018-12-16)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/7877c8a75f9e3f342b49bf808fa69965377d60b5...v1.0.0)
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

data/Gemfile.lock CHANGED Viewed

@@ -1,98 +1,101 @@
 PATH
   remote: .
   specs:
-    omniauth-keycloak (1.2.0)
-      json-jwt (~> 1.12)
-      omniauth (~> 1.9.0)
-      omniauth-oauth2 (~> 1.6.0)
+    omniauth-keycloak (1.4.2)
+      faraday
+      json-jwt (~> 1.13.0)
+      omniauth (>= 2.0)
+      omniauth-oauth2 (~> 1.7.1)
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.3.1)
+    activesupport (7.0.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
-    addressable (2.5.2)
-      public_suffix (>= 2.0.2, < 4.0)
-    aes_key_wrap (1.0.1)
-    bindata (2.4.7)
-    concurrent-ruby (1.1.6)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
-    diff-lcs (1.3)
-    docile (1.3.1)
-    faraday (1.0.1)
-      multipart-post (>= 1.2, < 3)
-    hashdiff (0.3.7)
-    hashie (4.1.0)
-    i18n (1.8.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    addressable (2.8.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    aes_key_wrap (1.1.0)
+    bindata (2.4.10)
+    concurrent-ruby (1.1.10)
+    crack (0.4.5)
+      rexml
+    diff-lcs (1.4.4)
+    docile (1.4.0)
+    faraday (2.3.0)
+      faraday-net_http (~> 2.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (2.0.3)
+    hashdiff (1.0.1)
+    hashie (5.0.0)
+    i18n (1.10.0)
       concurrent-ruby (~> 1.0)
-    json (2.1.0)
-    json-jwt (1.12.0)
+    json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
-    jwt (2.2.1)
-    minitest (5.14.1)
-    multi_json (1.14.1)
+    jwt (2.3.0)
+    minitest (5.15.0)
+    multi_json (1.15.0)
     multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    oauth2 (1.4.4)
-      faraday (>= 0.8, < 2.0)
+    oauth2 (1.4.9)
+      faraday (>= 0.17.3, < 3.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
+    omniauth (2.0.4)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
-    public_suffix (3.0.3)
-    rack (2.2.2)
+      rack-protection
+    omniauth-oauth2 (1.7.2)
+      oauth2 (~> 1.4)
+      omniauth (>= 1.9, < 3)
+    public_suffix (4.0.6)
+    rack (2.2.3)
+    rack-protection (2.2.0)
+      rack
     rake (13.0.1)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.1)
+    rexml (3.2.5)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
-    safe_yaml (1.0.4)
-    simplecov (0.16.1)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.3)
+    ruby2_keywords (0.0.5)
+    simplecov (0.21.2)
       docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
-    thread_safe (0.3.6)
-    tzinfo (1.2.7)
-      thread_safe (~> 0.1)
-    webmock (3.4.2)
-      addressable (>= 2.3.6)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.3)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    webmock (3.14.0)
+      addressable (>= 2.8.0)
       crack (>= 0.3.2)
-      hashdiff
-    zeitwerk (2.3.0)
+      hashdiff (>= 0.4.0, < 2.0.0)
 PLATFORMS
   ruby
 DEPENDENCIES
-  bundler (~> 1.16)
+  bundler (~> 2.2)
   omniauth-keycloak!
   rake (~> 13.0)
-  rspec (~> 3.0)
-  simplecov (~> 0.16.1)
-  webmock (~> 3.4.2)
+  rspec (~> 3.10)
+  simplecov (~> 0.21)
+  webmock (~> 3.14)
 BUNDLED WITH
-   2.1.4
+   2.2.31

data/README.md CHANGED Viewed

@@ -16,6 +16,15 @@ Or install it yourself as:
     $ gem install omniauth-keycloak
+## Use with Keycloak >= 17 (Quarkus distribution)
+In version 17 of Keycloak, `/auth` was removed from the default context path. (See Issue [#29](https://github.com/ccrockett/omniauth-keycloak/issues/29))
+In order to reduce breaking existing user's setup, this gem assumes `/auth` as the default context.
+__So if you want to use Keycloak 17 or greater then you must do one of the following:__
+1. Pass in `--http-relative-path '/auth'` option with the keycloak start command
+2. Pass in a empty string for you base_url client_option:
+  `client_options: {base_url: '', site: 'https://example.keycloak-url.com', realm: 'example-realm'}`
 ## Usage
 `OmniAuth::Strategies::Keycloak` is simply a Rack middleware. Read the OmniAuth docs for detailed instructions: https://github.com/intridea/omniauth.
@@ -25,10 +34,33 @@ Here's a quick example, adding the middleware to a Rails app in `config/initiali
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884',
-    client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm'}
+    client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm'},
+    name: 'keycloak'
+end
+```
+This will allow a POST request to `auth/keycloak` since the name is set to keycloak
+Or using a proc setup with a custom options:
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  SETUP_PROC = lambda do |env|
+    request = Rack::Request.new(env)
+    organization = Organization.find_by(host: request.host)
+    provider_config = organization.enabled_omniauth_providers[:keycloakopenid]
+    env["omniauth.strategy"].options[:client_id] = provider_config[:client_id]
+    env["omniauth.strategy"].options[:client_secret] = provider_config[:client_secret]
+    env["omniauth.strategy"].options[:client_options] = { site: provider_config[:site],  realm: provider_config[:realm] }
+  end
+  Rails.application.config.middleware.use OmniAuth::Builder do
+    provider :keycloak_openid, setup: SETUP_PROC
+  end
 end
 ```
 ## Devise Usage
 Adapted from [Devise OmniAuth Instructions](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview)
@@ -43,7 +75,7 @@ end
 # config/initializers/devise.rb
 config.omniauth :keycloak_openid, "Example-Client-Name", "example-secret-if-configured", client_options: { site: "https://example.keycloak-url.com", realm: "example-realm" }, :strategy_class => OmniAuth::Strategies::KeycloakOpenId
-# Below controller assumes callback route configuration following
+# Below controller assumes callback route configuration following
 # in config/routes.rb
 Devise.setup do |config|
   # ...
@@ -70,6 +102,17 @@ end
 ```
+## Configuration
+  * __Base Url other than /auth__
+  This gem tries to get the keycloak configuration from `"#{site}/auth/realms/#{realm}/.well-known/openid-configuration"`. If your keycloak server has been setup to use a different "root" url other than `/auth` then you need to pass in the `base_url` option when setting up the gem:
+    ```ruby
+    Rails.application.config.middleware.use OmniAuth::Builder do
+      provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884',
+        client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm', base_url: '/authorize'},
+        name: 'keycloak'
+    end
+    ```
 ## Contributing
 Bug reports and pull requests are welcome on GitHub at https://github.com/ccrockett/omniauth-keycloak. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.

data/lib/keycloak/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Omniauth
   module Keycloak
-    VERSION = "1.2.0"
+    VERSION = "1.4.4"
   end
 end

data/lib/omniauth/strategies/keycloak-openid.rb CHANGED Viewed

@@ -1,54 +1,104 @@
 require 'omniauth'
 require 'omniauth-oauth2'
 require 'json/jwt'
+require 'uri'
 module OmniAuth
     module Strategies
         class KeycloakOpenId < OmniAuth::Strategies::OAuth2
+            class Error < RuntimeError; end
+            class ConfigurationError < Error; end
+            class IntegrationError < Error; end
             attr_reader :authorize_url
             attr_reader :token_url
-            attr_reader :cert
+            attr_reader :certs
             def setup_phase
+                super
                 if @authorize_url.nil? || @token_url.nil?
+                    prevent_site_option_mistake
                     realm = options.client_options[:realm].nil? ? options.client_id : options.client_options[:realm]
                     site = options.client_options[:site]
-                    response = Faraday.get "#{options.client_options[:site]}/auth/realms/#{realm}/.well-known/openid-configuration"
+                    raise_on_failure = options.client_options.fetch(:raise_on_failure, false)
+                    config_url = URI.join(site, "#{auth_url_base}/realms/#{realm}/.well-known/openid-configuration")
+                    log :debug, "Going to get Keycloak configuration. URL: #{config_url}"
+                    response = Faraday.get config_url
                     if (response.status == 200)
-                        json = MultiJson.load(response.body)
+                        json = JSON.parse(response.body)
                         @certs_endpoint = json["jwks_uri"]
                         @userinfo_endpoint = json["userinfo_endpoint"]
-                        @authorize_url = json["authorization_endpoint"].gsub(site, "")
-                        @token_url = json["token_endpoint"].gsub(site, "")
+                        @authorize_url = URI(json["authorization_endpoint"]).path
+                        @token_url = URI(json["token_endpoint"]).path
+                        log_config(json)
                         options.client_options.merge!({
                             authorize_url: @authorize_url,
                             token_url: @token_url
-                        })
+                                                      })
+                        log :debug, "Going to get certificates. URL: #{@certs_endpoint}"
                         certs = Faraday.get @certs_endpoint
                         if (certs.status == 200)
-                            json = MultiJson.load(certs.body)
-                            @cert = json["keys"][0]
+                            json = JSON.parse(certs.body)
+                            @certs = json["keys"]
+                            log :debug, "Successfully got certificate. Certificate length: #{@certs.length}"
                         else
-                            #TODO: Throw Error
-                            puts "Couldn't get Cert"
-                        end
+                            message = "Coundn't get certificate. URL: #{@certs_endpoint}"
+                            log :error, message
+                            raise IntegrationError, message if raise_on_failure
+                        end
                     else
-                        #TODO: Throw Error
-                        puts response.status
+                        message = "Keycloak configuration request failed with status: #{response.status}. " \
+                                  "URL: #{config_url}"
+                        log :error, message
+                        raise IntegrationError, message if raise_on_failure
                     end
                 end
             end
+            def auth_url_base
+              return '/auth' unless options.client_options[:base_url]
+              base_url = options.client_options[:base_url]
+              return base_url if (base_url == '' || base_url[0] == '/')
+              raise ConfigurationError, "Keycloak base_url option should start with '/'. Current value: #{base_url}"
+            end
+            def prevent_site_option_mistake
+              site = options.client_options[:site]
+              return unless site =~ /\/auth$/
+              raise ConfigurationError, "Keycloak site parameter should not include /auth part, only domain. Current value: #{site}"
+            end
+            def log_config(config_json)
+              log_keycloak_config = options.client_options.fetch(:log_keycloak_config, false)
+              log :debug, "Successfully got Keycloak config"
+              log :debug, "Keycloak config: #{config_json}" if log_keycloak_config
+              log :debug, "Certs endpoint: #{@certs_endpoint}"
+              log :debug, "Userinfo endpoint: #{@userinfo_endpoint}"
+              log :debug, "Authorize url: #{@authorize_url}"
+              log :debug, "Token url: #{@token_url}"
+            end
             def build_access_token
                 verifier = request.params["code"]
-                client.auth_code.get_token(verifier,
+                client.auth_code.get_token(verifier,
                     {:redirect_uri => callback_url.gsub(/\?.+\Z/, "")}
-                    .merge(token_params.to_hash(:symbolize_keys => true)),
+                    .merge(token_params.to_hash(:symbolize_keys => true)),
                     deep_symbolize(options.auth_token_params))
             end
             uid{ raw_info['sub'] }
             info do
             {
                 :name => raw_info['name'],
@@ -57,21 +107,22 @@ module OmniAuth
                 :last_name => raw_info['family_name']
             }
             end
             extra do
             {
-                'raw_info' => raw_info
+                'raw_info' => raw_info,
+                'id_token' => access_token['id_token']
             }
             end
             def raw_info
                 id_token_string = access_token.token
-                jwk = JSON::JWK.new(@cert)
-                id_token = JSON::JWT.decode id_token_string, jwk
+                jwks = JSON::JWK::Set.new(@certs)
+                id_token = JSON::JWT.decode id_token_string, jwks
                 id_token
             end
             OmniAuth.config.add_camelization('keycloak_openid', 'KeycloakOpenId')
         end
     end
-end
+end

data/omniauth-keycloak.gemspec CHANGED Viewed

@@ -4,13 +4,13 @@ Gem::Specification.new do |spec|
   spec.version       = Omniauth::Keycloak::VERSION
   spec.authors       = ["Cameron Crockett"]
   spec.email         = ["cameron.crockett@ccrockett.com"]
   spec.description   = %q{Omniauth strategy for Keycloak}
   spec.summary       = spec.description
   spec.homepage      = "https://github.com/ccrockett/omniauth-keycloak"
   spec.license       = "MIT"
-  spec.required_rubygems_version = '>= 1.3.5'
-  spec.required_ruby_version = '>= 2.2'
+  spec.required_rubygems_version = '>= 3.1.2'
+  spec.required_ruby_version = '>= 2.6'
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -22,14 +22,15 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_dependency "omniauth", "~> 1.9.0"
-  spec.add_dependency "omniauth-oauth2", "~> 1.6.0"
-  spec.add_dependency "json-jwt", "~> 1.12"
-  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_dependency "omniauth", ">= 2.0"
+  spec.add_dependency "omniauth-oauth2", "~> 1.7.1"
+  spec.add_dependency "json-jwt", "~> 1.13.0"
+  spec.add_dependency "faraday"
+  spec.add_development_dependency "bundler", "~> 2.2"
   spec.add_development_dependency "rake", "~> 13.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency 'simplecov', '~> 0.16.1'
-  spec.add_development_dependency 'webmock', '~> 3.4.2'
+  spec.add_development_dependency "rspec", "~> 3.10"
+  spec.add_development_dependency 'simplecov', '~> 0.21'
+  spec.add_development_dependency 'webmock', '~> 3.14'
 end

data/spec/omniauth/strategies/keycloak_spec.rb CHANGED Viewed

@@ -1,41 +1,45 @@
 require 'spec_helper'
 RSpec.describe OmniAuth::Strategies::KeycloakOpenId do
-  body = '{"issuer": "http://localhost:8080/auth/realms/example-realm",
-  "authorization_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/auth",
-  "token_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token",
-  "token_introspection_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token/introspect",
-  "userinfo_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/userinfo",
-  "end_session_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/logout",
-  "jwks_uri": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs",
-  "check_session_iframe": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/login-status-iframe.html",
-  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
-  "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
-  "subject_types_supported": ["public", "pairwise"],
-  "id_token_signing_alg_values_supported": ["RS256"],
-  "userinfo_signing_alg_values_supported": ["RS256"],
-  "request_object_signing_alg_values_supported": ["none", "RS256"],
-  "response_modes_supported": ["query", "fragment", "form_post"],
-  "registration_endpoint": "http://localhost:8080/auth/realms/example-realm/clients-registrations/openid-connect",
-  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
-  "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
-  "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
-  "claim_types_supported": ["normal"],
-  "claims_parameter_supported": false,
-  "scopes_supported": ["openid", "offline_access"],
-  "request_parameter_supported": true,
-  "request_uri_parameter_supported": true}'
+  let(:body) {
+    {
+      "issuer": "http://localhost:8080/auth/realms/example-realm",
+      "authorization_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/auth",
+      "token_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token",
+      "token_introspection_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token/introspect",
+      "userinfo_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/userinfo",
+      "end_session_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/logout",
+      "jwks_uri": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs",
+      "check_session_iframe": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/login-status-iframe.html",
+      "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
+      "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
+      "subject_types_supported": ["public", "pairwise"],
+      "id_token_signing_alg_values_supported": ["RS256"],
+      "userinfo_signing_alg_values_supported": ["RS256"],
+      "request_object_signing_alg_values_supported": ["none", "RS256"],
+      "response_modes_supported": ["query", "fragment", "form_post"],
+      "registration_endpoint": "http://localhost:8080/auth/realms/example-realm/clients-registrations/openid-connect",
+      "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
+      "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
+      "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
+      "claim_types_supported": ["normal"],
+      "claims_parameter_supported": false,
+      "scopes_supported": ["openid", "offline_access"],
+      "request_parameter_supported": true,
+      "request_uri_parameter_supported": true
+    }
+  }
   context 'client options' do
     subject do
       stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
-        .to_return(status: 200, body: body, headers: {})
+        .to_return(status: 200, body: JSON.generate(body), headers: {})
       stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
         .to_return(status: 404, body: "", headers: {})
       OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
-        client_options: {site: 'http://localhost:8080', realm: 'example-realm'})
+        client_options: {site: 'http://localhost:8080/', realm: 'example-realm'})
     end
     it 'should have the correct keycloak token url' do
       subject.setup_phase
       expect(subject.token_url).to eq('/auth/realms/example-realm/protocol/openid-connect/token')
@@ -46,4 +50,137 @@ RSpec.describe OmniAuth::Strategies::KeycloakOpenId do
       expect(subject.authorize_url).to eq('/auth/realms/example-realm/protocol/openid-connect/auth')
     end
   end
+  describe 'client base_url option set' do
+    context 'to blank string' do
+      let(:new_body_endpoints) {
+        {
+          "authorization_endpoint": "http://localhost:8080/realms/example-realm/protocol/openid-connect/auth",
+          "token_endpoint": "http://localhost:8080/realms/example-realm/protocol/openid-connect/token",
+          "jwks_uri": "http://localhost:8080/realms/example-realm/protocol/openid-connect/certs"
+        }
+      }
+      subject do
+        stub_request(:get, "http://localhost:8080/realms/example-realm/.well-known/openid-configuration")
+          .to_return(status: 200, body: JSON.generate(body.merge(new_body_endpoints)), headers: {})
+        stub_request(:get, "http://localhost:8080/realms/example-realm/protocol/openid-connect/certs")
+          .to_return(status: 404, body: "", headers: {})
+        OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+          client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: ''})
+      end
+      it 'should have the correct keycloak token url' do
+        subject.setup_phase
+        expect(subject.token_url).to eq('/realms/example-realm/protocol/openid-connect/token')
+      end
+      it 'should have the correct keycloak authorization url' do
+        subject.setup_phase
+        expect(subject.authorize_url).to eq('/realms/example-realm/protocol/openid-connect/auth')
+      end
+    end
+    context 'to invalid string' do
+      subject do
+        stub_request(:get, "http://localhost:8080/realms/example-realm/.well-known/openid-configuration")
+          .to_return(status: 200, body: JSON.generate(body), headers: {})
+        stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
+          .to_return(status: 404, body: "", headers: {})
+        OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+          client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: 'test'})
+      end
+      it 'raises Configuration Error' do
+        expect{ subject.setup_phase }
+          .to raise_error(OmniAuth::Strategies::KeycloakOpenId::ConfigurationError)
+      end
+    end
+    context 'to /authorize' do
+      let(:new_body_endpoints) {
+        {
+          "authorization_endpoint": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/auth",
+          "token_endpoint": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/token",
+          "jwks_uri": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/certs"
+        }
+      }
+      subject do
+        stub_request(:get, "http://localhost:8080/authorize/realms/example-realm/.well-known/openid-configuration")
+          .to_return(status: 200, body: JSON.generate(body.merge(new_body_endpoints)), headers: {})
+        stub_request(:get, "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/certs")
+          .to_return(status: 404, body: "", headers: {})
+        OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+          client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: '/authorize'})
+      end
+      it 'should have the correct keycloak token url' do
+        subject.setup_phase
+        expect(subject.token_url).to eq('/authorize/realms/example-realm/protocol/openid-connect/token')
+      end
+      it 'should have the correct keycloak authorization url' do
+        subject.setup_phase
+        expect(subject.authorize_url).to eq('/authorize/realms/example-realm/protocol/openid-connect/auth')
+      end
+    end
+  end
+  context 'client setup with a proc' do
+    subject do
+      OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', setup: proc { throw :setup_proc_was_called })
+    end
+    it 'should call the proc' do
+      expect { subject.setup_phase }.to throw_symbol :setup_proc_was_called
+    end
+  end
+  describe 'errors processing' do
+    context 'when site contains /auth part' do
+      subject do
+        OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+                                                 client_options: {site: 'http://localhost:8080/auth', realm: 'example-realm', raise_on_failure: true})
+      end
+      it 'raises Configuration Error' do
+        expect{ subject.setup_phase }
+          .to raise_error(OmniAuth::Strategies::KeycloakOpenId::ConfigurationError)
+      end
+    end
+    context 'when raise_on_failure option is true' do
+      context 'when openid configuration endpoint returns error response' do
+        subject do
+          stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
+            .to_return(status: 404, body: "", headers: {})
+          OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+                                                   client_options: {site: 'http://localhost:8080', realm: 'example-realm', raise_on_failure: true})
+        end
+        it 'raises Integration Error' do
+          expect{ subject.setup_phase }
+            .to raise_error(OmniAuth::Strategies::KeycloakOpenId::IntegrationError)
+        end
+      end
+      context 'when certificates endpoint returns error response' do
+        subject do
+          stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
+            .to_return(status: 200, body: JSON.generate(body), headers: {})
+          stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
+            .to_return(status: 404, body: "", headers: {})
+          OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+                                                   client_options: {site: 'http://localhost:8080', realm: 'example-realm', raise_on_failure: true})
+        end
+        it 'raises Integration Error' do
+          expect{ subject.setup_phase }
+            .to raise_error(OmniAuth::Strategies::KeycloakOpenId::IntegrationError)
+        end
+      end
+    end
+  end
 end

metadata CHANGED Viewed

@@ -1,71 +1,85 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-keycloak
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.4.4
 platform: ruby
 authors:
 - Cameron Crockett
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-05-28 00:00:00.000000000 Z
+date: 2022-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: 1.7.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: 1.13.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: 1.13.0
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -86,42 +100,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.10'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.1
+        version: '0.21'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.1
+        version: '0.21'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.2
+        version: '3.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.2
+        version: '3.14'
 description: Omniauth strategy for Keycloak
 email:
 - cameron.crockett@ccrockett.com
@@ -133,6 +147,7 @@ files:
 - ".rspec"
 - ".travis.yml"
 - ".vscode/settings.json"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
@@ -159,14 +174,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.5
+      version: 3.1.2
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Omniauth strategy for Keycloak