RubyGems - omniauth-microsoft_graph - Versions diffs - 2.0.0 → 2.0.1 - Mend

omniauth-microsoft_graph 2.0.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/.github/workflows/ruby.yml +4 -5
data/lib/omniauth/microsoft_graph/domain_verifier.rb +17 -4
data/lib/omniauth/microsoft_graph/version.rb +1 -1
data/omniauth-microsoft_graph.gemspec +1 -1
data/spec/omniauth/microsoft_graph/domain_verifier_spec.rb +44 -13
metadata +5 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 340d76dc549fc5e3710217599a247901f775a1ae26a4ea62eb3916928bc6afac
-  data.tar.gz: 6319931d11bb4ff224c573a2fc16633b771cbd407115c1cca644d0226c05baae
+  metadata.gz: d89d349bdaa2e7c2d75edf01ef55baa73fb647ec0ce79a6542ad946e84f6cfe4
+  data.tar.gz: 7d1f758e047e86b318f8d71007d3ba5735b771a1075726c49b8a2e95bc7cbdff
 SHA512:
-  metadata.gz: 8bc6c22cf81b3996abe32d83f0e13ca88a156e69f53465e2421fe93f96193499743d37ffe9147ded38b877964aec637314ffc178839d06c5b52330ef46010984
-  data.tar.gz: 62acd37d43f7b2e79171c328898a696c0f4c4d0583dfd817a0be54544e2b3adfd7239f9128a919b742b7131ba68ca74670059ece7e3c57424f834b6817173e70
+  metadata.gz: afdcf7236c17dc9a213c64a44b7dc8a81e6ee46bd34696ad3889ef9207066eb46b51a8efe5cf88612975356d8d126b24714f0f0bdf8a4e3fad216eeb26b34b8c
+  data.tar.gz: a6f547877dacd8c7dbfcd1f8299a2fc432de9b1712b2bf74f8ae50326c360b524a790f1b63a1f9803795b51c49ff88ac9e4d2f94572454482dc4972f39334a35

data/.github/workflows/ruby.yml CHANGED Viewed

@@ -8,24 +8,23 @@
 name: Ruby
 on:
-  push:
   pull_request:
 jobs:
   test:
-    runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['3.0']
+        os: [ubuntu-latest, macos-latest]
+        ruby-version: ['3.0', '3.1', '3.2', '3.3']
+    runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
     # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
     # change this to (see https://github.com/ruby/setup-ruby#versioning):
-    # uses: ruby/setup-ruby@v1
-      uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically

data/lib/omniauth/microsoft_graph/domain_verifier.rb CHANGED Viewed

@@ -9,6 +9,7 @@ module OmniAuth
     # https://www.descope.com/blog/post/noauth
     # https://clerk.com/docs/authentication/social-connections/microsoft#stay-secure-against-the-n-o-auth-vulnerability
     OIDC_CONFIG_URL = 'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration'
+    COMMON_JWKS_URL = 'https://login.microsoftonline.com/common/discovery/v2.0/keys'
     class DomainVerificationError < OmniAuth::Error; end
@@ -62,13 +63,25 @@ module OmniAuth
       def domain_verified_jwt_claim
         oidc_config = access_token.get(OIDC_CONFIG_URL).parsed
         algorithms = oidc_config['id_token_signing_alg_values_supported']
-        keys = JWT::JWK::Set.new(access_token.get(oidc_config['jwks_uri']).parsed)
-        decoded_token = JWT.decode(id_token, nil, true, algorithms: algorithms, jwks: keys)
+        jwks = get_jwks(oidc_config)
+        decoded_token = JWT.decode(id_token, nil, true, algorithms: algorithms, jwks: jwks)
+        xms_edov_valid?(decoded_token)
+      rescue JWT::VerificationError, ::OAuth2::Error
+        false
+      end
+      def xms_edov_valid?(decoded_token)
         # https://github.com/MicrosoftDocs/azure-docs/issues/111425#issuecomment-1761043378
         # Comments seemed to indicate the value is not consistent
         ['1', 1, 'true', true].include?(decoded_token.first['xms_edov'])
-      rescue JWT::VerificationError, ::OAuth2::Error
-        false
+      end
+      def get_jwks(oidc_config)
+        # Depending on the tenant, the JWKS endpoint might be different. We need to
+        # consider both the JWKS from the OIDC configuration and the common JWKS endpoint.
+        oidc_config_jwk_keys = access_token.get(oidc_config['jwks_uri']).parsed[:keys]
+        common_jwk_keys = access_token.get(COMMON_JWKS_URL).parsed[:keys]
+        JWT::JWK::Set.new(oidc_config_jwk_keys + common_jwk_keys)
       end
       def verification_error_message

data/lib/omniauth/microsoft_graph/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module MicrosoftGraph
-    VERSION = "2.0.0"
+    VERSION = "2.0.1"
   end
 end

data/omniauth-microsoft_graph.gemspec CHANGED Viewed

@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'jwt', '~> 2.0'
   spec.add_runtime_dependency 'omniauth', '~> 2.0'
   spec.add_runtime_dependency 'omniauth-oauth2', '~> 1.8.0'
-  spec.add_development_dependency "sinatra", '~> 0'
+  spec.add_development_dependency "sinatra", '~> 2.2'
   spec.add_development_dependency "rake", '~> 12.3.3', '>= 12.3.3'
   spec.add_development_dependency 'rspec', '~> 3.6'
   spec.add_development_dependency "mocha", '~> 0'

data/spec/omniauth/microsoft_graph/domain_verifier_spec.rb CHANGED Viewed

@@ -41,34 +41,65 @@ RSpec.describe OmniAuth::MicrosoftGraph::DomainVerifier do
     end
     context 'when the ID token indicates domain verification' do
-      # Sign a fake ID token with our own local key
-      let(:mock_key) do
-        optional_parameters = { kid: 'mock-kid', use: 'sig', alg: 'RS256' }
+      let(:mock_oidc_key) do
+        optional_parameters = { kid: 'mock_oidc_key', use: 'sig', alg: 'RS256' }
         JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
       end
-      let(:id_token) do
-        payload = { email: email, xms_edov: true }
-        JWT.encode(payload, mock_key.signing_key, mock_key[:alg], kid: mock_key[:kid])
+      let(:mock_common_key) do
+        optional_parameters = { kid: 'mock_common_key', use: 'sig', alg: 'RS256' }
+        JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
       end
-      # Mock the API responses to return the local key
+      # Mock the API responses to return the mock keys
       before do
         allow(access_token).to receive(:get)
           .with(OmniAuth::MicrosoftGraph::OIDC_CONFIG_URL)
           .and_return(
-            double('OAuth2::Response', parsed: {
-              'id_token_signing_alg_values_supported' => ['RS256'],
-              'jwks_uri' => 'https://example.com/jwks-keys'
-            })
+            double(
+              'OAuth2::Response',
+              parsed: {
+                'id_token_signing_alg_values_supported' => ['RS256'],
+                'jwks_uri' => 'https://example.com/jwks-keys',
+              }
+            )
           )
         allow(access_token).to receive(:get)
           .with('https://example.com/jwks-keys')
           .and_return(
-            double('OAuth2::Response', parsed: JWT::JWK::Set.new(mock_key).export)
+            double(
+              'OAuth2::Response',
+              parsed: JWT::JWK::Set.new(mock_oidc_key).export
+            )
+          )
+        allow(access_token).to receive(:get)
+          .with(OmniAuth::MicrosoftGraph::COMMON_JWKS_URL)
+          .and_return(
+            double(
+              'OAuth2::Response',
+              parsed: JWT::JWK::Set.new(mock_common_key).export,
+              body: JWT::JWK::Set.new(mock_common_key).export.to_json
+            )
           )
       end
-      it { is_expected.to be_truthy }
+      context 'when the kid exists in the oidc key' do
+        let(:id_token) do
+          payload = { email: email, xms_edov: true }
+          JWT.encode(payload, mock_oidc_key.signing_key, mock_oidc_key[:alg], kid: mock_oidc_key[:kid])
+        end
+        it { is_expected.to be_truthy }
+      end
+      context "when the kid exists in the common key" do
+        let(:id_token) do
+          payload = { email: email, xms_edov: true }
+          JWT.encode(payload, mock_common_key.signing_key, mock_common_key[:alg], kid: mock_common_key[:kid])
+        end
+        it { is_expected.to be_truthy }
+      end
     end
     context 'when all verification strategies fail' do

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-microsoft_graph
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Peter Philips
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-30 00:00:00.000000000 Z
+date: 2024-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -59,14 +59,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -160,7 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.22
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: omniauth provider for Microsoft Graph