RubyGems - omniauth-keycloak - Versions diffs - 1.2.0 → 1.4.4 - Mend

omniauth-keycloak 1.2.0 → 1.4.4

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +103 -0
data/Gemfile.lock +68 -65
data/README.md +45 -2
data/lib/keycloak/version.rb +1 -1
data/lib/omniauth/strategies/keycloak-openid.rb +74 -23
data/omniauth-keycloak.gemspec +12 -11
data/spec/omniauth/strategies/keycloak_spec.rb +164 -27
metadata +36 -21

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f523d3b03c2258b9b49ca70dd94a02e9104de24a6148ee2d0018c9d3301ffe0
-  data.tar.gz: 820eaba1eb35fce32c80a82293ab58ba1c154e307b191cce0b6a37b5888412d0
+  metadata.gz: 79b854153d87dedf293c8d1e4d30994169a92633d69ef4848e1a1af0356a82c2
+  data.tar.gz: 54f9007dd675375cec26c5b2c5447bc85b5077fa378723c099243501794eedb9
 SHA512:
-  metadata.gz: de576c60d232f49150b0923ec1496c1e6ffdfafdb0fa3a85e3aa17d08952faacfd955a66d292dff352740965599720e645d3866b9d39f364d141bf686445a115
-  data.tar.gz: cdf8238793033678b6a348b11111d95ea5449b61d50a63fc1b109e302d4a2616fb0e979acbdef33e5709dd0c0eee6481c9225bba57f7dbaae4a9b42688478535
+  metadata.gz: 1b0f823afd6af3f57472078f79da245b14867cfff35b1e892c777d1cdfe779524e6e68877534fdc19fc8b372705b777bf350d649a91f6b0bd7b8e7fd020b97ca
+  data.tar.gz: 8f51a1218d726e2a3de85d01355297ade8fe6e6f705752c870e374bf18684bdbf5bb2e83294e3653bf7ecc0885ce52383eec81f6dc37734b05bdf910732ddb00

data/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,103 @@
+# Changelog
+## [v1.4.3](https://github.com/ccrockett/omniauth-keycloak/tree/v1.4.3) (2022-07-24)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.4.2...v1.4.3)
+**Fixed bugs:**
+- Error: uninitialized constant OmniAuth::Strategies::KeycloakOpenId::MultiJson after gem update [\#30](https://github.com/ccrockett/omniauth-keycloak/issues/30)
+## [v1.4.2](https://github.com/ccrockett/omniauth-keycloak/tree/v1.4.2) (2022-06-14)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.4.1...v1.4.2)
+**Closed issues:**
+- Adjust endpoints to updated Keycloak paths [\#29](https://github.com/ccrockett/omniauth-keycloak/issues/29)
+- Expose id\_token inside extra hash of auth hash [\#25](https://github.com/ccrockett/omniauth-keycloak/issues/25)
+**Merged pull requests:**
+- Set omniauth version to \>= 2.0 [\#28](https://github.com/ccrockett/omniauth-keycloak/pull/28) ([hobbypunk90](https://github.com/hobbypunk90))
+## [v1.4.1](https://github.com/ccrockett/omniauth-keycloak/tree/v1.4.1) (2022-05-25)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.4.0...v1.4.1)
+**Closed issues:**
+- Get Request is now Post Request [\#23](https://github.com/ccrockett/omniauth-keycloak/issues/23)
+- Is the "/auth/" part mandatory in Keycloak's configuration URL? [\#19](https://github.com/ccrockett/omniauth-keycloak/issues/19)
+- Add example instructions for Keycloak configuration [\#14](https://github.com/ccrockett/omniauth-keycloak/issues/14)
+**Merged pull requests:**
+- expose id\_token inside extra hash of auth hash [\#26](https://github.com/ccrockett/omniauth-keycloak/pull/26) ([rah-wtag](https://github.com/rah-wtag))
+- Bump bindata from 2.4.9 to 2.4.10 [\#22](https://github.com/ccrockett/omniauth-keycloak/pull/22) ([dependabot[bot]](https://github.com/apps/dependabot))
+## [v1.4.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.4.0) (2021-12-18)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.3.0...v1.4.0)
+**Closed issues:**
+- Are there any reason to specify one certificate key to decode JWT? [\#17](https://github.com/ccrockett/omniauth-keycloak/issues/17)
+- No route matches \[POST\] "/auth/keycloak\_openid" [\#15](https://github.com/ccrockett/omniauth-keycloak/issues/15)
+**Merged pull requests:**
+- Use JSON::JWK::Set instead of JSON::JWK [\#21](https://github.com/ccrockett/omniauth-keycloak/pull/21) ([hobbypunk90](https://github.com/hobbypunk90))
+- Allow pass a Proc to the setup option when you specify a strategy [\#18](https://github.com/ccrockett/omniauth-keycloak/pull/18) ([Cambero](https://github.com/Cambero))
+- Add information on how to use it to readme [\#16](https://github.com/ccrockett/omniauth-keycloak/pull/16) ([frenesim](https://github.com/frenesim))
+## [v1.3.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.3.0) (2021-05-17)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.2.1...v1.3.0)
+**Merged pull requests:**
+- Bump Omniauth dependencies to v2 [\#13](https://github.com/ccrockett/omniauth-keycloak/pull/13) ([offner](https://github.com/offner))
+## [v1.2.1](https://github.com/ccrockett/omniauth-keycloak/tree/v1.2.1) (2020-12-19)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.2.0...v1.2.1)
+**Closed issues:**
+- Dynamically load Client and Realm [\#11](https://github.com/ccrockett/omniauth-keycloak/issues/11)
+- cannot load such file -- /Library/Ruby/Gems/2.6.0/gems/omniauth-keycloak-1.2.0/lib/omniauth-keycloak.rb \(LoadError\) [\#8](https://github.com/ccrockett/omniauth-keycloak/issues/8)
+- Release json-jwt version restriction change [\#5](https://github.com/ccrockett/omniauth-keycloak/issues/5)
+**Merged pull requests:**
+- Raise errors on setup failure and logging with OmniAuth::Strategy::log method [\#10](https://github.com/ccrockett/omniauth-keycloak/pull/10) ([alexpetrov](https://github.com/alexpetrov))
+- Bump json from 2.1.0 to 2.3.1 [\#9](https://github.com/ccrockett/omniauth-keycloak/pull/9) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rack from 2.2.2 to 2.2.3 [\#7](https://github.com/ccrockett/omniauth-keycloak/pull/7) ([dependabot[bot]](https://github.com/apps/dependabot))
+## [v1.2.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.2.0) (2020-05-28)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.1.0...v1.2.0)
+**Merged pull requests:**
+- Bump activesupport from 6.0.1 to 6.0.3.1 [\#6](https://github.com/ccrockett/omniauth-keycloak/pull/6) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Update rake requirement from ~\> 10.0 to ~\> 13.0 [\#4](https://github.com/ccrockett/omniauth-keycloak/pull/4) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump rack from 2.0.7 to 2.0.8 [\#2](https://github.com/ccrockett/omniauth-keycloak/pull/2) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Adding Devise Documentation [\#1](https://github.com/ccrockett/omniauth-keycloak/pull/1) ([masonhensley](https://github.com/masonhensley))
+## [v1.1.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.1.0) (2018-12-16)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.0.1...v1.1.0)
+## [v1.0.1](https://github.com/ccrockett/omniauth-keycloak/tree/v1.0.1) (2018-12-16)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/v1.0.0...v1.0.1)
+## [v1.0.0](https://github.com/ccrockett/omniauth-keycloak/tree/v1.0.0) (2018-12-16)
+[Full Changelog](https://github.com/ccrockett/omniauth-keycloak/compare/7877c8a75f9e3f342b49bf808fa69965377d60b5...v1.0.0)
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

data/Gemfile.lock CHANGED Viewed

@@ -1,98 +1,101 @@
 PATH
   remote: .
   specs:
-    omniauth-keycloak (1.2.0)
-      json-jwt (~> 1.12)
-      omniauth (~> 1.9.0)
-      omniauth-oauth2 (~> 1.6.0)
+    omniauth-keycloak (1.4.2)
+      faraday
+      json-jwt (~> 1.13.0)
+      omniauth (>= 2.0)
+      omniauth-oauth2 (~> 1.7.1)
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.3.1)
+    activesupport (7.0.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
-    addressable (2.5.2)
-      public_suffix (>= 2.0.2, < 4.0)
-    aes_key_wrap (1.0.1)
-    bindata (2.4.7)
-    concurrent-ruby (1.1.6)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
-    diff-lcs (1.3)
-    docile (1.3.1)
-    faraday (1.0.1)
-      multipart-post (>= 1.2, < 3)
-    hashdiff (0.3.7)
-    hashie (4.1.0)
-    i18n (1.8.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    addressable (2.8.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    aes_key_wrap (1.1.0)
+    bindata (2.4.10)
+    concurrent-ruby (1.1.10)
+    crack (0.4.5)
+      rexml
+    diff-lcs (1.4.4)
+    docile (1.4.0)
+    faraday (2.3.0)
+      faraday-net_http (~> 2.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (2.0.3)
+    hashdiff (1.0.1)
+    hashie (5.0.0)
+    i18n (1.10.0)
       concurrent-ruby (~> 1.0)
-    json (2.1.0)
-    json-jwt (1.12.0)
+    json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
-    jwt (2.2.1)
-    minitest (5.14.1)
-    multi_json (1.14.1)
+    jwt (2.3.0)
+    minitest (5.15.0)
+    multi_json (1.15.0)
     multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    oauth2 (1.4.4)
-      faraday (>= 0.8, < 2.0)
+    oauth2 (1.4.9)
+      faraday (>= 0.17.3, < 3.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
+    omniauth (2.0.4)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
-    public_suffix (3.0.3)
-    rack (2.2.2)
+      rack-protection
+    omniauth-oauth2 (1.7.2)
+      oauth2 (~> 1.4)
+      omniauth (>= 1.9, < 3)
+    public_suffix (4.0.6)
+    rack (2.2.3)
+    rack-protection (2.2.0)
+      rack
     rake (13.0.1)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.1)
+    rexml (3.2.5)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
-    safe_yaml (1.0.4)
-    simplecov (0.16.1)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.3)
+    ruby2_keywords (0.0.5)
+    simplecov (0.21.2)
       docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
-    thread_safe (0.3.6)
-    tzinfo (1.2.7)
-      thread_safe (~> 0.1)
-    webmock (3.4.2)
-      addressable (>= 2.3.6)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.3)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    webmock (3.14.0)
+      addressable (>= 2.8.0)
       crack (>= 0.3.2)
-      hashdiff
-    zeitwerk (2.3.0)
+      hashdiff (>= 0.4.0, < 2.0.0)
 PLATFORMS
   ruby
 DEPENDENCIES
-  bundler (~> 1.16)
+  bundler (~> 2.2)
   omniauth-keycloak!
   rake (~> 13.0)
-  rspec (~> 3.0)
-  simplecov (~> 0.16.1)
-  webmock (~> 3.4.2)
+  rspec (~> 3.10)
+  simplecov (~> 0.21)
+  webmock (~> 3.14)
 BUNDLED WITH
-   2.1.4
+   2.2.31

data/README.md CHANGED Viewed

@@ -16,6 +16,15 @@ Or install it yourself as:
     $ gem install omniauth-keycloak
+## Use with Keycloak >= 17 (Quarkus distribution)
+In version 17 of Keycloak, `/auth` was removed from the default context path. (See Issue [#29](https://github.com/ccrockett/omniauth-keycloak/issues/29))
+In order to reduce breaking existing user's setup, this gem assumes `/auth` as the default context.
+__So if you want to use Keycloak 17 or greater then you must do one of the following:__
+1. Pass in `--http-relative-path '/auth'` option with the keycloak start command
+2. Pass in a empty string for you base_url client_option:
+  `client_options: {base_url: '', site: 'https://example.keycloak-url.com', realm: 'example-realm'}`
 ## Usage
 `OmniAuth::Strategies::Keycloak` is simply a Rack middleware. Read the OmniAuth docs for detailed instructions: https://github.com/intridea/omniauth.
@@ -25,10 +34,33 @@ Here's a quick example, adding the middleware to a Rails app in `config/initiali
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884',
-    client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm'}
+    client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm'},
+    name: 'keycloak'
+end
+```
+This will allow a POST request to `auth/keycloak` since the name is set to keycloak
+Or using a proc setup with a custom options:
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  SETUP_PROC = lambda do |env|
+    request = Rack::Request.new(env)
+    organization = Organization.find_by(host: request.host)
+    provider_config = organization.enabled_omniauth_providers[:keycloakopenid]
+    env["omniauth.strategy"].options[:client_id] = provider_config[:client_id]
+    env["omniauth.strategy"].options[:client_secret] = provider_config[:client_secret]
+    env["omniauth.strategy"].options[:client_options] = { site: provider_config[:site],  realm: provider_config[:realm] }
+  end
+  Rails.application.config.middleware.use OmniAuth::Builder do
+    provider :keycloak_openid, setup: SETUP_PROC
+  end
 end
 ```
 ## Devise Usage
 Adapted from [Devise OmniAuth Instructions](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview)
@@ -43,7 +75,7 @@ end
 # config/initializers/devise.rb
 config.omniauth :keycloak_openid, "Example-Client-Name", "example-secret-if-configured", client_options: { site: "https://example.keycloak-url.com", realm: "example-realm" }, :strategy_class => OmniAuth::Strategies::KeycloakOpenId
-# Below controller assumes callback route configuration following
+# Below controller assumes callback route configuration following
 # in config/routes.rb
 Devise.setup do |config|
   # ...
@@ -70,6 +102,17 @@ end
 ```
+## Configuration
+  * __Base Url other than /auth__
+  This gem tries to get the keycloak configuration from `"#{site}/auth/realms/#{realm}/.well-known/openid-configuration"`. If your keycloak server has been setup to use a different "root" url other than `/auth` then you need to pass in the `base_url` option when setting up the gem:
+    ```ruby
+    Rails.application.config.middleware.use OmniAuth::Builder do
+      provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884',
+        client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm', base_url: '/authorize'},
+        name: 'keycloak'
+    end
+    ```
 ## Contributing
 Bug reports and pull requests are welcome on GitHub at https://github.com/ccrockett/omniauth-keycloak. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.

data/lib/keycloak/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Omniauth
   module Keycloak
-    VERSION = "1.2.0"
+    VERSION = "1.4.4"
   end
 end

data/lib/omniauth/strategies/keycloak-openid.rb CHANGED Viewed

@@ -1,54 +1,104 @@
 require 'omniauth'
 require 'omniauth-oauth2'
 require 'json/jwt'
+require 'uri'
 module OmniAuth
     module Strategies
         class KeycloakOpenId < OmniAuth::Strategies::OAuth2
+            class Error < RuntimeError; end
+            class ConfigurationError < Error; end
+            class IntegrationError < Error; end
             attr_reader :authorize_url
             attr_reader :token_url
-            attr_reader :cert
+            attr_reader :certs
             def setup_phase
+                super
                 if @authorize_url.nil? || @token_url.nil?
+                    prevent_site_option_mistake
                     realm = options.client_options[:realm].nil? ? options.client_id : options.client_options[:realm]
                     site = options.client_options[:site]
-                    response = Faraday.get "#{options.client_options[:site]}/auth/realms/#{realm}/.well-known/openid-configuration"
+                    raise_on_failure = options.client_options.fetch(:raise_on_failure, false)
+                    config_url = URI.join(site, "#{auth_url_base}/realms/#{realm}/.well-known/openid-configuration")
+                    log :debug, "Going to get Keycloak configuration. URL: #{config_url}"
+                    response = Faraday.get config_url
                     if (response.status == 200)
-                        json = MultiJson.load(response.body)
+                        json = JSON.parse(response.body)
                         @certs_endpoint = json["jwks_uri"]
                         @userinfo_endpoint = json["userinfo_endpoint"]
-                        @authorize_url = json["authorization_endpoint"].gsub(site, "")
-                        @token_url = json["token_endpoint"].gsub(site, "")
+                        @authorize_url = URI(json["authorization_endpoint"]).path
+                        @token_url = URI(json["token_endpoint"]).path
+                        log_config(json)
                         options.client_options.merge!({
                             authorize_url: @authorize_url,
                             token_url: @token_url
-                        })
+                                                      })
+                        log :debug, "Going to get certificates. URL: #{@certs_endpoint}"
                         certs = Faraday.get @certs_endpoint
                         if (certs.status == 200)
-                            json = MultiJson.load(certs.body)
-                            @cert = json["keys"][0]
+                            json = JSON.parse(certs.body)
+                            @certs = json["keys"]
+                            log :debug, "Successfully got certificate. Certificate length: #{@certs.length}"
                         else
-                            #TODO: Throw Error
-                            puts "Couldn't get Cert"
-                        end
+                            message = "Coundn't get certificate. URL: #{@certs_endpoint}"
+                            log :error, message
+                            raise IntegrationError, message if raise_on_failure
+                        end
                     else
-                        #TODO: Throw Error
-                        puts response.status
+                        message = "Keycloak configuration request failed with status: #{response.status}. " \
+                                  "URL: #{config_url}"
+                        log :error, message
+                        raise IntegrationError, message if raise_on_failure
                     end
                 end
             end
+            def auth_url_base
+              return '/auth' unless options.client_options[:base_url]
+              base_url = options.client_options[:base_url]
+              return base_url if (base_url == '' || base_url[0] == '/')
+              raise ConfigurationError, "Keycloak base_url option should start with '/'. Current value: #{base_url}"
+            end
+            def prevent_site_option_mistake
+              site = options.client_options[:site]
+              return unless site =~ /\/auth$/
+              raise ConfigurationError, "Keycloak site parameter should not include /auth part, only domain. Current value: #{site}"
+            end
+            def log_config(config_json)
+              log_keycloak_config = options.client_options.fetch(:log_keycloak_config, false)
+              log :debug, "Successfully got Keycloak config"
+              log :debug, "Keycloak config: #{config_json}" if log_keycloak_config
+              log :debug, "Certs endpoint: #{@certs_endpoint}"
+              log :debug, "Userinfo endpoint: #{@userinfo_endpoint}"
+              log :debug, "Authorize url: #{@authorize_url}"
+              log :debug, "Token url: #{@token_url}"
+            end
             def build_access_token
                 verifier = request.params["code"]
-                client.auth_code.get_token(verifier,
+                client.auth_code.get_token(verifier,
                     {:redirect_uri => callback_url.gsub(/\?.+\Z/, "")}
-                    .merge(token_params.to_hash(:symbolize_keys => true)),
+                    .merge(token_params.to_hash(:symbolize_keys => true)),
                     deep_symbolize(options.auth_token_params))
             end
             uid{ raw_info['sub'] }
             info do
             {
                 :name => raw_info['name'],
@@ -57,21 +107,22 @@ module OmniAuth
                 :last_name => raw_info['family_name']
             }
             end
             extra do
             {
-                'raw_info' => raw_info
+                'raw_info' => raw_info,
+                'id_token' => access_token['id_token']
             }
             end
             def raw_info
                 id_token_string = access_token.token
-                jwk = JSON::JWK.new(@cert)
-                id_token = JSON::JWT.decode id_token_string, jwk
+                jwks = JSON::JWK::Set.new(@certs)
+                id_token = JSON::JWT.decode id_token_string, jwks
                 id_token
             end
             OmniAuth.config.add_camelization('keycloak_openid', 'KeycloakOpenId')
         end
     end
-end
+end

data/omniauth-keycloak.gemspec CHANGED Viewed

@@ -4,13 +4,13 @@ Gem::Specification.new do |spec|
   spec.version       = Omniauth::Keycloak::VERSION
   spec.authors       = ["Cameron Crockett"]
   spec.email         = ["cameron.crockett@ccrockett.com"]
   spec.description   = %q{Omniauth strategy for Keycloak}
   spec.summary       = spec.description
   spec.homepage      = "https://github.com/ccrockett/omniauth-keycloak"
   spec.license       = "MIT"
-  spec.required_rubygems_version = '>= 1.3.5'
-  spec.required_ruby_version = '>= 2.2'
+  spec.required_rubygems_version = '>= 3.1.2'
+  spec.required_ruby_version = '>= 2.6'
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -22,14 +22,15 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_dependency "omniauth", "~> 1.9.0"
-  spec.add_dependency "omniauth-oauth2", "~> 1.6.0"
-  spec.add_dependency "json-jwt", "~> 1.12"
-  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_dependency "omniauth", ">= 2.0"
+  spec.add_dependency "omniauth-oauth2", "~> 1.7.1"
+  spec.add_dependency "json-jwt", "~> 1.13.0"
+  spec.add_dependency "faraday"
+  spec.add_development_dependency "bundler", "~> 2.2"
   spec.add_development_dependency "rake", "~> 13.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency 'simplecov', '~> 0.16.1'
-  spec.add_development_dependency 'webmock', '~> 3.4.2'
+  spec.add_development_dependency "rspec", "~> 3.10"
+  spec.add_development_dependency 'simplecov', '~> 0.21'
+  spec.add_development_dependency 'webmock', '~> 3.14'
 end

data/spec/omniauth/strategies/keycloak_spec.rb CHANGED Viewed

@@ -1,41 +1,45 @@
 require 'spec_helper'
 RSpec.describe OmniAuth::Strategies::KeycloakOpenId do
-  body = '{"issuer": "http://localhost:8080/auth/realms/example-realm",
-  "authorization_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/auth",
-  "token_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token",
-  "token_introspection_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token/introspect",
-  "userinfo_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/userinfo",
-  "end_session_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/logout",
-  "jwks_uri": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs",
-  "check_session_iframe": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/login-status-iframe.html",
-  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
-  "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
-  "subject_types_supported": ["public", "pairwise"],
-  "id_token_signing_alg_values_supported": ["RS256"],
-  "userinfo_signing_alg_values_supported": ["RS256"],
-  "request_object_signing_alg_values_supported": ["none", "RS256"],
-  "response_modes_supported": ["query", "fragment", "form_post"],
-  "registration_endpoint": "http://localhost:8080/auth/realms/example-realm/clients-registrations/openid-connect",
-  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
-  "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
-  "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
-  "claim_types_supported": ["normal"],
-  "claims_parameter_supported": false,
-  "scopes_supported": ["openid", "offline_access"],
-  "request_parameter_supported": true,
-  "request_uri_parameter_supported": true}'
+  let(:body) {
+    {
+      "issuer": "http://localhost:8080/auth/realms/example-realm",
+      "authorization_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/auth",
+      "token_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token",
+      "token_introspection_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/token/introspect",
+      "userinfo_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/userinfo",
+      "end_session_endpoint": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/logout",
+      "jwks_uri": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs",
+      "check_session_iframe": "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/login-status-iframe.html",
+      "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
+      "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
+      "subject_types_supported": ["public", "pairwise"],
+      "id_token_signing_alg_values_supported": ["RS256"],
+      "userinfo_signing_alg_values_supported": ["RS256"],
+      "request_object_signing_alg_values_supported": ["none", "RS256"],
+      "response_modes_supported": ["query", "fragment", "form_post"],
+      "registration_endpoint": "http://localhost:8080/auth/realms/example-realm/clients-registrations/openid-connect",
+      "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
+      "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
+      "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
+      "claim_types_supported": ["normal"],
+      "claims_parameter_supported": false,
+      "scopes_supported": ["openid", "offline_access"],
+      "request_parameter_supported": true,
+      "request_uri_parameter_supported": true
+    }
+  }
   context 'client options' do
     subject do
       stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
-        .to_return(status: 200, body: body, headers: {})
+        .to_return(status: 200, body: JSON.generate(body), headers: {})
       stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
         .to_return(status: 404, body: "", headers: {})
       OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
-        client_options: {site: 'http://localhost:8080', realm: 'example-realm'})
+        client_options: {site: 'http://localhost:8080/', realm: 'example-realm'})
     end
     it 'should have the correct keycloak token url' do
       subject.setup_phase
       expect(subject.token_url).to eq('/auth/realms/example-realm/protocol/openid-connect/token')
@@ -46,4 +50,137 @@ RSpec.describe OmniAuth::Strategies::KeycloakOpenId do
       expect(subject.authorize_url).to eq('/auth/realms/example-realm/protocol/openid-connect/auth')
     end
   end
+  describe 'client base_url option set' do
+    context 'to blank string' do
+      let(:new_body_endpoints) {
+        {
+          "authorization_endpoint": "http://localhost:8080/realms/example-realm/protocol/openid-connect/auth",
+          "token_endpoint": "http://localhost:8080/realms/example-realm/protocol/openid-connect/token",
+          "jwks_uri": "http://localhost:8080/realms/example-realm/protocol/openid-connect/certs"
+        }
+      }
+      subject do
+        stub_request(:get, "http://localhost:8080/realms/example-realm/.well-known/openid-configuration")
+          .to_return(status: 200, body: JSON.generate(body.merge(new_body_endpoints)), headers: {})
+        stub_request(:get, "http://localhost:8080/realms/example-realm/protocol/openid-connect/certs")
+          .to_return(status: 404, body: "", headers: {})
+        OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+          client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: ''})
+      end
+      it 'should have the correct keycloak token url' do
+        subject.setup_phase
+        expect(subject.token_url).to eq('/realms/example-realm/protocol/openid-connect/token')
+      end
+      it 'should have the correct keycloak authorization url' do
+        subject.setup_phase
+        expect(subject.authorize_url).to eq('/realms/example-realm/protocol/openid-connect/auth')
+      end
+    end
+    context 'to invalid string' do
+      subject do
+        stub_request(:get, "http://localhost:8080/realms/example-realm/.well-known/openid-configuration")
+          .to_return(status: 200, body: JSON.generate(body), headers: {})
+        stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
+          .to_return(status: 404, body: "", headers: {})
+        OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+          client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: 'test'})
+      end
+      it 'raises Configuration Error' do
+        expect{ subject.setup_phase }
+          .to raise_error(OmniAuth::Strategies::KeycloakOpenId::ConfigurationError)
+      end
+    end
+    context 'to /authorize' do
+      let(:new_body_endpoints) {
+        {
+          "authorization_endpoint": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/auth",
+          "token_endpoint": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/token",
+          "jwks_uri": "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/certs"
+        }
+      }
+      subject do
+        stub_request(:get, "http://localhost:8080/authorize/realms/example-realm/.well-known/openid-configuration")
+          .to_return(status: 200, body: JSON.generate(body.merge(new_body_endpoints)), headers: {})
+        stub_request(:get, "http://localhost:8080/authorize/realms/example-realm/protocol/openid-connect/certs")
+          .to_return(status: 404, body: "", headers: {})
+        OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+          client_options: {site: 'http://localhost:8080/', realm: 'example-realm', base_url: '/authorize'})
+      end
+      it 'should have the correct keycloak token url' do
+        subject.setup_phase
+        expect(subject.token_url).to eq('/authorize/realms/example-realm/protocol/openid-connect/token')
+      end
+      it 'should have the correct keycloak authorization url' do
+        subject.setup_phase
+        expect(subject.authorize_url).to eq('/authorize/realms/example-realm/protocol/openid-connect/auth')
+      end
+    end
+  end
+  context 'client setup with a proc' do
+    subject do
+      OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', setup: proc { throw :setup_proc_was_called })
+    end
+    it 'should call the proc' do
+      expect { subject.setup_phase }.to throw_symbol :setup_proc_was_called
+    end
+  end
+  describe 'errors processing' do
+    context 'when site contains /auth part' do
+      subject do
+        OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+                                                 client_options: {site: 'http://localhost:8080/auth', realm: 'example-realm', raise_on_failure: true})
+      end
+      it 'raises Configuration Error' do
+        expect{ subject.setup_phase }
+          .to raise_error(OmniAuth::Strategies::KeycloakOpenId::ConfigurationError)
+      end
+    end
+    context 'when raise_on_failure option is true' do
+      context 'when openid configuration endpoint returns error response' do
+        subject do
+          stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
+            .to_return(status: 404, body: "", headers: {})
+          OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+                                                   client_options: {site: 'http://localhost:8080', realm: 'example-realm', raise_on_failure: true})
+        end
+        it 'raises Integration Error' do
+          expect{ subject.setup_phase }
+            .to raise_error(OmniAuth::Strategies::KeycloakOpenId::IntegrationError)
+        end
+      end
+      context 'when certificates endpoint returns error response' do
+        subject do
+          stub_request(:get, "http://localhost:8080/auth/realms/example-realm/.well-known/openid-configuration")
+            .to_return(status: 200, body: JSON.generate(body), headers: {})
+          stub_request(:get, "http://localhost:8080/auth/realms/example-realm/protocol/openid-connect/certs")
+            .to_return(status: 404, body: "", headers: {})
+          OmniAuth::Strategies::KeycloakOpenId.new('keycloak-openid', 'Example-Client', 'b53c572b-9f3b-4e79-bf8b-f03c799ba6ec',
+                                                   client_options: {site: 'http://localhost:8080', realm: 'example-realm', raise_on_failure: true})
+        end
+        it 'raises Integration Error' do
+          expect{ subject.setup_phase }
+            .to raise_error(OmniAuth::Strategies::KeycloakOpenId::IntegrationError)
+        end
+      end
+    end
+  end
 end

metadata CHANGED Viewed

@@ -1,71 +1,85 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-keycloak
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.4.4
 platform: ruby
 authors:
 - Cameron Crockett
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-05-28 00:00:00.000000000 Z
+date: 2022-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: 1.7.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: 1.13.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: 1.13.0
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -86,42 +100,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.10'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.1
+        version: '0.21'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.1
+        version: '0.21'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.2
+        version: '3.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.2
+        version: '3.14'
 description: Omniauth strategy for Keycloak
 email:
 - cameron.crockett@ccrockett.com
@@ -133,6 +147,7 @@ files:
 - ".rspec"
 - ".travis.yml"
 - ".vscode/settings.json"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
@@ -159,14 +174,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.5
+      version: 3.1.2
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Omniauth strategy for Keycloak