omniauth-microsoft_graph 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 340d76dc549fc5e3710217599a247901f775a1ae26a4ea62eb3916928bc6afac
-  data.tar.gz: 6319931d11bb4ff224c573a2fc16633b771cbd407115c1cca644d0226c05baae
+  metadata.gz: 52fd8e2974f69cc1724772712dcc133fb7ac39b5043348702d8da1cc1e6cd96f
+  data.tar.gz: 504e046b7ca25c06306a7526403e1ae9d86f568cfd83983b07b270ca984a7726
 SHA512:
-  metadata.gz: 8bc6c22cf81b3996abe32d83f0e13ca88a156e69f53465e2421fe93f96193499743d37ffe9147ded38b877964aec637314ffc178839d06c5b52330ef46010984
-  data.tar.gz: 62acd37d43f7b2e79171c328898a696c0f4c4d0583dfd817a0be54544e2b3adfd7239f9128a919b742b7131ba68ca74670059ece7e3c57424f834b6817173e70
+  metadata.gz: 359a084ad05f7d14463bc7a458dacec43d6563c3fc5a37db931dc08bf91dc652db782e1525567c8d2f921a811687e2295844b3b3d5322f4a5a436e3a020aca87
+  data.tar.gz: 05d76aefd01bc242ba5763fa6041156960f46835e2ddbd69e807b53a9404be558fe79a349addfcfb2c1a50b5e7e40b4b2cb5ff385439e8754e129115a123d691

data/.github/workflows/ruby.yml

@@ -8,24 +8,23 @@
 name: Ruby
 
 on:
-  push:
   pull_request:
 
 jobs:
   test:
 
-    runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['3.0']
+        os: [ubuntu-latest, macos-latest]
+        ruby-version: ['3.0', '3.1', '3.2', '3.3']
+    runs-on: ${{ matrix.os }}
 
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
     # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
     # change this to (see https://github.com/ruby/setup-ruby#versioning):
-    # uses: ruby/setup-ruby@v1
-      uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically

data/lib/omniauth/microsoft_graph/domain_verifier.rb

@@ -9,6 +9,7 @@ module OmniAuth
     # https://www.descope.com/blog/post/noauth
     # https://clerk.com/docs/authentication/social-connections/microsoft#stay-secure-against-the-n-o-auth-vulnerability
     OIDC_CONFIG_URL = 'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration'
+    COMMON_JWKS_URL = 'https://login.microsoftonline.com/common/discovery/v2.0/keys'
 
     class DomainVerificationError < OmniAuth::Error; end
 
@@ -62,13 +63,25 @@ module OmniAuth
       def domain_verified_jwt_claim
         oidc_config = access_token.get(OIDC_CONFIG_URL).parsed
         algorithms = oidc_config['id_token_signing_alg_values_supported']
-        keys = JWT::JWK::Set.new(access_token.get(oidc_config['jwks_uri']).parsed)
-        decoded_token = JWT.decode(id_token, nil, true, algorithms: algorithms, jwks: keys)
+        jwks = get_jwks(oidc_config)
+        decoded_token = JWT.decode(id_token, nil, true, algorithms: algorithms, jwks: jwks)
+        xms_edov_valid?(decoded_token)
+      rescue JWT::VerificationError, ::OAuth2::Error
+        false
+      end
+
+      def xms_edov_valid?(decoded_token)
         # https://github.com/MicrosoftDocs/azure-docs/issues/111425#issuecomment-1761043378
         # Comments seemed to indicate the value is not consistent
         ['1', 1, 'true', true].include?(decoded_token.first['xms_edov'])
-      rescue JWT::VerificationError, ::OAuth2::Error
-        false
+      end
+
+      def get_jwks(oidc_config)
+        # Depending on the tenant, the JWKS endpoint might be different. We need to
+        # consider both the JWKS from the OIDC configuration and the common JWKS endpoint.
+        oidc_config_jwk_keys = access_token.get(oidc_config['jwks_uri']).parsed[:keys]
+        common_jwk_keys = access_token.get(COMMON_JWKS_URL).parsed[:keys]
+        JWT::JWK::Set.new(oidc_config_jwk_keys + common_jwk_keys)
       end
 
       def verification_error_message

data/lib/omniauth/microsoft_graph/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module MicrosoftGraph
-    VERSION = "2.0.0"
+    VERSION = "2.1.0"
   end
 end

data/lib/omniauth/strategies/microsoft_graph.rb

@@ -6,6 +6,8 @@ module OmniAuth
       BASE_SCOPE_URL = 'https://graph.microsoft.com/'
       BASE_SCOPES = %w[offline_access openid email profile].freeze
       DEFAULT_SCOPE = 'offline_access openid email profile User.Read'.freeze
+      YAMMER_PROFILE_URL = 'https://www.yammer.com/api/v1/users/current.json'
+      MICROSOFT_GRAPH_PROFILE_URL = 'https://graph.microsoft.com/v1.0/me'
 
       option :name, :microsoft_graph
 
@@ -64,7 +66,7 @@ module OmniAuth
       end
 
       def raw_info
-        @raw_info ||= access_token.get('https://graph.microsoft.com/v1.0/me').parsed
+        @raw_info ||= access_token.get(profile_endpoint).parsed
       end
 
       def callback_url
@@ -73,11 +75,27 @@ module OmniAuth
 
       def custom_build_access_token
         access_token = get_access_token(request)
+        # Get the profile(microsoft graph / yammer) endpoint choice based on returned bearer token
+        @profile_endpoint = determine_profile_endpoint(request)
         access_token
       end
 
       alias build_access_token custom_build_access_token
 
+      def profile_endpoint
+        @profile_endpoint ||= MICROSOFT_GRAPH_PROFILE_URL
+      end
+
+      def determine_profile_endpoint(request)
+        scope = request&.env&.dig('omniauth.params', 'scope')
+
+        if scope&.include?('yammer')
+          YAMMER_PROFILE_URL
+        else
+          MICROSOFT_GRAPH_PROFILE_URL
+        end
+      end
+
       private
 
       def get_access_token(request)

data/omniauth-microsoft_graph.gemspec

@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'jwt', '~> 2.0'
   spec.add_runtime_dependency 'omniauth', '~> 2.0'
   spec.add_runtime_dependency 'omniauth-oauth2', '~> 1.8.0'
-  spec.add_development_dependency "sinatra", '~> 0'
+  spec.add_development_dependency "sinatra", '~> 2.2'
   spec.add_development_dependency "rake", '~> 12.3.3', '>= 12.3.3'
   spec.add_development_dependency 'rspec', '~> 3.6'
   spec.add_development_dependency "mocha", '~> 0'

data/spec/omniauth/microsoft_graph/domain_verifier_spec.rb

@@ -41,34 +41,65 @@ RSpec.describe OmniAuth::MicrosoftGraph::DomainVerifier do
     end
 
     context 'when the ID token indicates domain verification' do
-      # Sign a fake ID token with our own local key
-      let(:mock_key) do
-        optional_parameters = { kid: 'mock-kid', use: 'sig', alg: 'RS256' }
+      let(:mock_oidc_key) do
+        optional_parameters = { kid: 'mock_oidc_key', use: 'sig', alg: 'RS256' }
         JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
       end
-      let(:id_token) do
-        payload = { email: email, xms_edov: true }
-        JWT.encode(payload, mock_key.signing_key, mock_key[:alg], kid: mock_key[:kid])
+
+      let(:mock_common_key) do
+        optional_parameters = { kid: 'mock_common_key', use: 'sig', alg: 'RS256' }
+        JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
       end
 
-      # Mock the API responses to return the local key
+      # Mock the API responses to return the mock keys
       before do
         allow(access_token).to receive(:get)
           .with(OmniAuth::MicrosoftGraph::OIDC_CONFIG_URL)
           .and_return(
-            double('OAuth2::Response', parsed: {
-              'id_token_signing_alg_values_supported' => ['RS256'],
-              'jwks_uri' => 'https://example.com/jwks-keys'
-            })
+            double(
+              'OAuth2::Response',
+              parsed: {
+                'id_token_signing_alg_values_supported' => ['RS256'],
+                'jwks_uri' => 'https://example.com/jwks-keys',
+              }
+            )
           )
         allow(access_token).to receive(:get)
           .with('https://example.com/jwks-keys')
           .and_return(
-            double('OAuth2::Response', parsed: JWT::JWK::Set.new(mock_key).export)
+            double(
+              'OAuth2::Response',
+              parsed: JWT::JWK::Set.new(mock_oidc_key).export
+            )
+          )
+        allow(access_token).to receive(:get)
+          .with(OmniAuth::MicrosoftGraph::COMMON_JWKS_URL)
+          .and_return(
+            double(
+              'OAuth2::Response',
+              parsed: JWT::JWK::Set.new(mock_common_key).export,
+              body: JWT::JWK::Set.new(mock_common_key).export.to_json
+            )
           )
       end
 
-      it { is_expected.to be_truthy }
+      context 'when the kid exists in the oidc key' do
+        let(:id_token) do
+          payload = { email: email, xms_edov: true }
+          JWT.encode(payload, mock_oidc_key.signing_key, mock_oidc_key[:alg], kid: mock_oidc_key[:kid])
+        end
+
+        it { is_expected.to be_truthy }
+      end
+
+      context "when the kid exists in the common key" do
+        let(:id_token) do
+          payload = { email: email, xms_edov: true }
+          JWT.encode(payload, mock_common_key.signing_key, mock_common_key[:alg], kid: mock_common_key[:kid])
+        end
+
+        it { is_expected.to be_truthy }
+      end
     end
 
     context 'when all verification strategies fail' do

data/spec/omniauth/strategies/microsoft_graph_oauth2_spec.rb

@@ -457,4 +457,82 @@ describe OmniAuth::Strategies::MicrosoftGraph do
       end.to raise_error(OAuth2::Error)
     end
   end
+
+  describe 'Yammer profile endpoint support' do
+    describe '#profile_endpoint' do
+      context 'when no profile endpoint is determined' do
+        it 'defaults to Microsoft Graph profile URL' do
+          expect(subject.profile_endpoint).to eq('https://graph.microsoft.com/v1.0/me')
+        end
+      end
+
+      context 'when profile endpoint is already set' do
+        before { subject.instance_variable_set(:@profile_endpoint, 'https://custom.endpoint.com') }
+
+        it 'returns the previously set endpoint' do
+          expect(subject.profile_endpoint).to eq('https://custom.endpoint.com')
+        end
+      end
+    end
+
+    describe '#determine_profile_endpoint' do
+      let(:request) { double('Request', env: request_env) }
+
+      context 'when scope includes Yammer access_as_user scope' do
+        let(:request_env) { { 'omniauth.params' => { 'scope' => 'https://api.yammer.com/access_as_user' } } }
+
+        it 'returns Yammer profile URL' do
+          expect(subject.determine_profile_endpoint(request)).to eq('https://www.yammer.com/api/v1/users/current.json')
+        end
+      end
+
+      context 'when scope includes Yammer user_impersonation scope' do
+        let(:request_env) { { 'omniauth.params' => { 'scope' => 'openid profile https://api.yammer.com/user_impersonation' } } }
+
+        it 'returns Yammer profile URL' do
+          expect(subject.determine_profile_endpoint(request)).to eq('https://www.yammer.com/api/v1/users/current.json')
+        end
+      end
+
+      context 'when scope includes Yammer scope among other scopes' do
+        let(:request_env) { { 'omniauth.params' => { 'scope' => 'offline_access openid email profile https://api.yammer.com/access_as_user User.Read' } } }
+
+        it 'returns Yammer profile URL' do
+          expect(subject.determine_profile_endpoint(request)).to eq('https://www.yammer.com/api/v1/users/current.json')
+        end
+      end
+
+      context 'when scope includes multiple Yammer scopes' do
+        let(:request_env) { { 'omniauth.params' => { 'scope' => 'openid profile https://api.yammer.com/access_as_user https://api.yammer.com/user_impersonation' } } }
+
+        it 'returns Yammer profile URL' do
+          expect(subject.determine_profile_endpoint(request)).to eq('https://www.yammer.com/api/v1/users/current.json')
+        end
+      end
+
+      context 'when scope does not include any Yammer scopes' do
+        let(:request_env) { { 'omniauth.params' => { 'scope' => 'openid profile User.Read' } } }
+
+        it 'returns Microsoft Graph profile URL' do
+          expect(subject.determine_profile_endpoint(request)).to eq('https://graph.microsoft.com/v1.0/me')
+        end
+      end
+
+      context 'when scope is nil' do
+        let(:request_env) { { 'omniauth.params' => { 'scope' => nil } } }
+
+        it 'returns Microsoft Graph profile URL' do
+          expect(subject.determine_profile_endpoint(request)).to eq('https://graph.microsoft.com/v1.0/me')
+        end
+      end
+
+      context 'when omniauth.params is nil' do
+        let(:request_env) { { 'omniauth.params' => nil } }
+
+        it 'returns Microsoft Graph profile URL' do
+          expect(subject.determine_profile_endpoint(request)).to eq('https://graph.microsoft.com/v1.0/me')
+        end
+      end
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-microsoft_graph
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Peter Philips
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-30 00:00:00.000000000 Z
+date: 2025-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -59,14 +59,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -160,7 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.22
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: omniauth provider for Microsoft Graph