omniauth-openid-connect 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3b7008499c533fd017b461f9d06c1c4edf013bdb
-  data.tar.gz: 931b2338aa8c6b3db58f064f7a3be258b796b8c9
+  metadata.gz: 6684f874a6e6cf6c99e102d128363c74aea21591
+  data.tar.gz: 4eaaf78f7d3831ec4556bd6a11bbf48228619248
 SHA512:
-  metadata.gz: 97d00ff91a14014f3eaaa7718b6ee17dc9f9cd6c6cd7ce7f4d89740150e5ca9fd94eff3345b8b862177e7c32ca85e13b314e54435e76c92fd76c7c60ad3d688c
-  data.tar.gz: 4bc327762fe0e2ad553fa195e5861ce3f71ee840a7684c8c5356c08782a69665d02f984e5fca2f4e5654c489a7552bebc232cd484ecdaf3d13019006f62170bc
+  metadata.gz: e5cb9fc2011ceccc3eaa9b724c08177bca44c1c6f90824b89e439ec403d8dc1d133cca57626785767424707ac0667c634029dbb4420dd36ae885276c25d4e413
+  data.tar.gz: d4cd21adc087562e0251137894288deda422c48eb5a1ecb2706d9702f8bb1c84ee476afdb8edfe52b3424e557febf55494a0d7178e319524081d56921b44c40e

data/.gitignore

@@ -3,7 +3,6 @@
 .bundle
 .config
 .yardoc
-Gemfile.lock
 InstalledFiles
 _yardoc
 coverage

data/.travis.yml

@@ -2,5 +2,5 @@ rvm:
   - 1.9.3
   - 2.0.0
   - 2.1.0
-  - jruby
+  - 2.2.0
   - rbx

data/README.md

@@ -47,6 +47,17 @@ Configuration details:
   is valid. There are plans to bring in implicit flow and hybrid flow at some
   point, but it hasn't come up yet for me. Those flows aren't best practive for
   server side web apps anyway and are designed more for native/mobile apps.
+  * If you want to pass `state` paramete by yourself. You can set Proc Object.  
+  e.g. `state: Proc.new{ SecureRandom.hex(32) }`
+  * `nonce` is optional. If don't want to pass "nonce" parameter to provider, You should specify
+  `false` to `send_nonce` option. (default true)
+  * Support for other client authentication methods. If don't specified
+  `:client_auth_method` option, automatically set `:basic`.
+  * Use "OpenID Connect Discovery", You should specify `true` to `discovery` option. (default false)
+  * In "OpenID Connect Discovery", generally provider should have Webfinger endpoint.
+  If provider does not have Webfinger endpoint, You can specify "Issuer" to option.  
+  e.g. `issuer: "myprovider.com"`  
+  It means to get configuration from "https://myprovider.com/.well-known/openid-configuration".
 
 For the full low down on OpenID Connect, please check out
 [the spec](http://openid.net/specs/openid-connect-core-1_0.html).

data/lib/omniauth/openid_connect.rb

@@ -1,2 +1,3 @@
+require "omniauth/openid_connect/errors"
 require "omniauth/openid_connect/version"
 require "omniauth/strategies/openid_connect"

data/lib/omniauth/openid_connect/errors.rb

@@ -0,0 +1,6 @@
+module OmniAuth
+  module OpenIDConnect
+    class Error < RuntimeError; end
+    class MissingCodeError < Error; end
+  end
+end

data/lib/omniauth/openid_connect/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module OpenIDConnect
-    VERSION = "0.1.0"
+    VERSION = "0.2.1"
   end
 end

data/lib/omniauth/strategies/openid_connect.rb

@@ -1,7 +1,9 @@
 require 'addressable/uri'
-require "net/http"
+require 'timeout'
+require 'net/http'
+require 'open-uri'
 require 'omniauth'
-require "openid_connect"
+require 'openid_connect'
 
 module OmniAuth
   module Strategies
@@ -17,19 +19,27 @@ module OmniAuth
         port: 443,
         authorization_endpoint: "/authorize",
         token_endpoint: "/token",
-        userinfo_endpoint: "/userinfo"
+        userinfo_endpoint: "/userinfo",
+        jwks_uri: '/jwk'
       }
+      option :issuer
+      option :discovery, false
+      option :client_signing_alg
+      option :client_jwk_signing_key
+      option :client_x509_signing_key
       option :scope, [:openid]
       option :response_type, "code"
       option :state
       option :response_mode
-      option :display, nil#, [:page, :popup, :touch, :wap]
-      option :prompt, nil#, [:none, :login, :consent, :select_account]
+      option :display, nil #, [:page, :popup, :touch, :wap]
+      option :prompt, nil #, [:none, :login, :consent, :select_account]
       option :max_age
       option :ui_locales
       option :id_token_hint
       option :login_hint
       option :acr_values
+      option :send_nonce, true
+      option :client_auth_method
 
       uid { user_info.sub }
 
@@ -40,6 +50,7 @@ module OmniAuth
           nickname: user_info.preferred_username,
           first_name: user_info.given_name,
           last_name: user_info.family_name,
+          gender: user_info.gender,
           image: user_info.picture,
           phone: user_info.phone_number,
           urls: { website: user_info.website }
@@ -47,62 +58,200 @@ module OmniAuth
       end
 
       extra do
-        { raw_info: user_info.as_json } # UserInfo#as_json actually returns a hash
+        {raw_info: user_info.raw_attributes}
       end
 
       credentials do
-        { token: access_token.access_token }
+        {
+            id_token: access_token.id_token,
+            token: access_token.access_token,
+            refresh_token: access_token.refresh_token,
+            expires_in: access_token.expires_in,
+            scope: access_token.scope
+        }
       end
 
       def client
         @client ||= ::OpenIDConnect::Client.new(client_options)
       end
 
+      def config
+        @config ||= ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
+      end
+
       def request_phase
+        options.issuer = issuer if options.issuer.blank?
+        discover! if options.discovery
         redirect authorize_uri
       end
 
       def callback_phase
-        client.redirect_uri = client_options.redirect_uri
-        client.authorization_code = authorization_code
-        access_token
-        super
+        error = request.params['error_reason'] || request.params['error']
+        if error
+          raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
+        elsif request.params['state'].to_s.empty? || request.params['state'] != stored_state
+          return Rack::Response.new(['401 Unauthorized'], 401).finish
+        elsif !request.params["code"]
+          return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(request.params["error"]))
+        else
+          options.issuer = issuer if options.issuer.blank?
+          discover! if options.discovery
+          client.redirect_uri = client_options.redirect_uri
+          client.authorization_code = authorization_code
+          access_token
+          super
+        end
+      rescue CallbackError => e
+        fail!(:invalid_credentials, e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
       end
 
+
       def authorization_code
         request.params["code"]
       end
 
+      def authorize_uri
+        client.redirect_uri = client_options.redirect_uri
+        opts = {
+            response_type: options.response_type,
+            scope: options.scope,
+            state: new_state,
+            nonce: (new_nonce if options.send_nonce),
+        }
+        client.authorization_uri(opts.reject{|k,v| v.nil?})
+      end
+
+      def public_key
+        if options.discovery
+          config.jwks
+        else
+          key_or_secret
+        end
+      end
+
       private
 
+      def issuer
+        resource = "#{client_options.scheme}://#{client_options.host}" + ((client_options.port) ? ":#{client_options.port.to_s}" : '')
+        ::OpenIDConnect::Discovery::Provider.discover!(resource).issuer
+      end
+
+      def discover!
+        client_options.authorization_endpoint = config.authorization_endpoint
+        client_options.token_endpoint = config.token_endpoint
+        client_options.userinfo_endpoint = config.userinfo_endpoint
+        client_options.jwks_uri = config.jwks_uri
+      end
+
       def user_info
         @user_info ||= access_token.userinfo!
       end
 
       def access_token
-        @access_token ||= client.access_token!
+        @access_token ||= lambda {
+          _access_token = client.access_token!(
+          scope: options.scope,
+          client_auth_method: options.client_auth_method
+          )
+          _id_token = decode_id_token _access_token.id_token
+          _id_token.verify!(
+              issuer: options.issuer,
+              client_id: client_options.identifier,
+              nonce: stored_nonce
+          )
+          _access_token
+        }.call()
       end
 
-      def authorize_uri
-        client.redirect_uri = client_options.redirect_uri
-        client.authorization_uri(
-          response_type: options.response_type,
-          scope: options.scope,
-          nonce: nonce,
-        )
+      def decode_id_token(id_token)
+        header = JSON.parse(UrlSafeBase64.decode64(id_token.split('.').first))
+        if header.has_key?('kid')
+          keys = public_key.inject({}) do |keys, jwk|
+            key = JSON::JWK.new(jwk)
+            keys.merge! jwk['kid'] => key.to_key.public_key
+          end
+          ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, keys[header[:kid]])
+        else
+          case public_key.class
+            when JSON::JWK::Set
+              jwk = JSON::JWK.new(public_key.first)
+              ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, jwk.to_key)
+            else
+              ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
+          end
+        end
       end
 
+
       def client_options
         options.client_options
       end
 
-      def nonce
-        session[:nonce] = SecureRandom.hex(16)
+      def new_state
+        state = options.state.call if options.state.respond_to? :call
+        session['omniauth.state'] = state || SecureRandom.hex(16)
+      end
+
+      def stored_state
+        session.delete('omniauth.state')
+      end
+
+      def new_nonce
+        session['omniauth.nonce'] = SecureRandom.hex(16)
+      end
+
+      def stored_nonce
+        session.delete('omniauth.nonce')
       end
 
       def session
         @env.nil? ? {} : super
       end
+
+      def key_or_secret
+        case options.client_signing_alg
+          when :HS256, :HS384, :HS512
+            return client_options.secret
+          when :RS256, :RS384, :RS512
+            if options.client_jwk_signing_key
+              return parse_jwk_key(options.client_jwk_signing_key)
+            elsif options.client_x509_signing_key
+              return parse_x509_key(options.client_x509_signing_key)
+            end
+          else
+        end
+      end
+
+      def parse_x509_key(key)
+        OpenSSL::X509::Certificate.new(key).public_key
+      end
+
+      def parse_jwk_key(key)
+        json = JSON.parse(key)
+        JSON::JWK::Set.new json['keys']
+      end
+
+      def decode(str)
+        UrlSafeBase64.decode64(str).unpack('B*').first.to_i(2).to_s
+      end
+
+      class CallbackError < StandardError
+        attr_accessor :error, :error_reason, :error_uri
+
+        def initialize(error, error_reason=nil, error_uri=nil)
+          self.error = error
+          self.error_reason = error_reason
+          self.error_uri = error_uri
+        end
+
+        def message
+          [error, error_reason, error_uri].compact.join(' | ')
+        end
+      end
     end
   end
 end

data/omniauth-openid-connect.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency 'omniauth', '~> 1.1'
-  spec.add_dependency 'openid_connect', '= 0.7.3'
+  spec.add_dependency 'openid_connect', '~> 0.9.2'
   spec.add_dependency 'addressable', '~> 2.3'
   spec.add_development_dependency "bundler", "~> 1.5"
   spec.add_development_dependency "minitest"

data/test/fixtures/id_token.txt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg

data/test/fixtures/jwks.json

@@ -0,0 +1,8 @@
+{"keys": [{
+    "kty": "RSA",
+    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+    "e": "AQAB",
+    "alg": "RS256",
+    "kid": "1e9gdk7"
+  }]
+}

data/test/fixtures/test.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAgwCCQC57Ob2JfXb+DANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDgwMTA4NTAxM1oXDTE1MDgw
+MTA4NTAxM1owVDELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMSEwHwYDVQQK
+ExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMTCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+7czSGHN2087T+oX2kBCY/
+XN6UOS/mdU2Gn//omZlyxsQXIqvgBLNWeCVt4QdlFUbgPLggfXUelECV/RUOCIIi
+F2Th4t3x1LviN2XkUiva0DZBnOycqEaJdkyreEuGL1CLVZgZjKmSzNqLl0Yci3D0
+zgVsXFZSadQebietm4CCmfJYREt9NJxXcrLxVDgat/Xm/KJBsohs3f+cbBT8EXer
+7+2oZjZoVUgw1hu0alaOvAfE4mxsVwjn3g2mjDqRJLbbuWqgDobjMHah+d4zwJvN
+ePK8E0hfaz/XBLsJ4e6bQA3M3bANEgSvsicup/qb/0th4gUdc/kj4aJGj0RP7oEC
+AwEAATANBgkqhkiG9w0BAQUFAAOCAQEADuVec/8u2qJiq6K2W/gSLGYCBZq64OrA
+s7L2+S82m9/3gAb62wGcDNZjIGFDQubXmO6RhHv7JUT5YZqv9/kRGTJcHDUrwwoN
+IE99CIPizp7VfnrZ6GsYeszSsw3m+mKTETm+6ELmaSDbYAsrCg4IpGwUF0L88ATv
+CJ8QzW4X7b9dYVc7UAYyCie2N65GXfesBbRlSwFLuVqIzZfMdNpNijTIUwUqGSME
+b8IjLYzvekP53CO4wEBRrAVIPNXgftorxIE30OLWua2Qw3y6Pn+Qp5fLe47025S7
+Lcec18/FbHG0Vbq0qO9cKQw80XyK31N6z556wr2GN2WyixkzVRddXA==
+-----END CERTIFICATE-----

data/test/lib/omniauth/strategies/openid_connect_test.rb

@@ -2,35 +2,189 @@ require_relative '../../../test_helper'
 
 class OmniAuth::Strategies::OpenIDConnectTest < StrategyTestCase
   def test_client_options_defaults
-    assert_equal "https", strategy.options.client_options.scheme
+    assert_equal 'https', strategy.options.client_options.scheme
     assert_equal 443, strategy.options.client_options.port
-    assert_equal "/authorize", strategy.options.client_options.authorization_endpoint
-    assert_equal "/token", strategy.options.client_options.token_endpoint
+    assert_equal '/authorize', strategy.options.client_options.authorization_endpoint
+    assert_equal '/token', strategy.options.client_options.token_endpoint
   end
 
   def test_request_phase
-    expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=[\w\d]{32}&response_type=code&scope=openid$/
-    strategy.options.client_options.host = "example.com"
+    expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=[\w\d]{32}&response_type=code&scope=openid&state=[\w\d]{32}$/
+    strategy.options.issuer = 'example.com'
+    strategy.options.client_options.host = 'example.com'
+    strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+    strategy.request_phase
+  end
+
+  def test_request_phase_with_discovery
+    expected_redirect = /^https:\/\/example\.com\/authorization\?client_id=1234&nonce=[\w\d]{32}&response_type=code&scope=openid&state=[\w\d]{32}$/
+    strategy.options.client_options.host = 'example.com'
+    strategy.options.discovery = true
+
+    issuer = stub('OpenIDConnect::Discovery::Issuer')
+    issuer.stubs(:issuer).returns('https://example.com/')
+    ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
+
+    config = stub('OpenIDConnect::Discovery::Provder::Config')
+    config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
+    config.stubs(:token_endpoint).returns('https://example.com/token')
+    config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
+    config.stubs(:jwks_uri).returns('https://example.com/jwks')
+    ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+
     strategy.expects(:redirect).with(regexp_matches(expected_redirect))
     strategy.request_phase
+
+    assert_equal strategy.options.issuer, 'https://example.com/'
+    assert_equal strategy.options.client_options.authorization_endpoint, 'https://example.com/authorization'
+    assert_equal strategy.options.client_options.token_endpoint, 'https://example.com/token'
+    assert_equal strategy.options.client_options.userinfo_endpoint, 'https://example.com/userinfo'
+    assert_equal strategy.options.client_options.jwks_uri, 'https://example.com/jwks'
   end
 
   def test_uid
     assert_equal user_info.sub, strategy.uid
   end
 
-  def test_callback_phase
+  def test_callback_phase(session = {}, params = {})
     code = SecureRandom.hex(16)
-    request.stubs(:params).returns({"code" => code})
-    request.stubs(:path_info).returns("")
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+
+    strategy.options.issuer = 'example.com'
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+
+    id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+    id_token.stubs(:verify!).with({:issuer => strategy.options.issuer, :client_id => @identifier, :nonce => nonce}).returns(true)
+    ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
 
     strategy.unstub(:user_info)
     access_token = stub('OpenIDConnect::AccessToken')
     access_token.stubs(:access_token)
-    client.expects(:access_token!).returns(access_token)
+    access_token.stubs(:refresh_token)
+    access_token.stubs(:expires_in)
+    access_token.stubs(:scope)
+    access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+    client.expects(:access_token!).at_least_once.returns(access_token)
+    access_token.expects(:userinfo!).returns(user_info)
+
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.callback_phase
+  end
+
+  def test_callback_phase_with_discovery
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    jwks = JSON::JWK::Set.new(JSON.parse(File.read('test/fixtures/jwks.json'))['keys'])
+
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+
+    strategy.options.client_options.host = 'example.com'
+    strategy.options.discovery = true
+
+    issuer = stub('OpenIDConnect::Discovery::Issuer')
+    issuer.stubs(:issuer).returns('https://example.com/')
+    ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
+
+    config = stub('OpenIDConnect::Discovery::Provder::Config')
+    config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
+    config.stubs(:token_endpoint).returns('https://example.com/token')
+    config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
+    config.stubs(:jwks_uri).returns('https://example.com/jwks')
+    config.stubs(:jwks).returns(jwks)
+
+    ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+
+    id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+    id_token.stubs(:verify!).with({:issuer => 'https://example.com/', :client_id => @identifier, :nonce => nonce}).returns(true)
+    ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+
+    strategy.unstub(:user_info)
+    access_token = stub('OpenIDConnect::AccessToken')
+    access_token.stubs(:access_token)
+    access_token.stubs(:refresh_token)
+    access_token.stubs(:expires_in)
+    access_token.stubs(:scope)
+    access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+    client.expects(:access_token!).at_least_once.returns(access_token)
     access_token.expects(:userinfo!).returns(user_info)
 
-    strategy.call!({"rack.session" => {}})
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.callback_phase
+  end
+
+  def test_callback_phase_with_error
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'error' => 'invalid_request'})
+    request.stubs(:path_info).returns('')
+
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.expects(:fail!)
+    strategy.callback_phase
+  end
+
+  def test_callback_phase_with_invalid_state
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => 'foobar'})
+    request.stubs(:path_info).returns('')
+
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    result = strategy.callback_phase
+
+    assert result.kind_of?(Array)
+    assert result.first == 401, "Expecting unauthorized"
+  end
+
+  def test_callback_phase_with_timeout
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+
+    strategy.options.issuer = 'example.com'
+
+    strategy.stubs(:access_token).raises(::Timeout::Error.new('error'))
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.expects(:fail!)
+    strategy.callback_phase
+  end
+
+  def test_callback_phase_with_etimeout
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+
+    strategy.options.issuer = 'example.com'
+
+    strategy.stubs(:access_token).raises(::Errno::ETIMEDOUT.new('error'))
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.expects(:fail!)
+    strategy.callback_phase
+  end
+
+  def test_callback_phase_with_socket_error
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+
+    strategy.options.issuer = 'example.com'
+
+    strategy.stubs(:access_token).raises(::SocketError.new('error'))
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.expects(:fail!)
     strategy.callback_phase
   end
 
@@ -41,6 +195,7 @@ class OmniAuth::Strategies::OpenIDConnectTest < StrategyTestCase
     assert_equal user_info.preferred_username, info[:nickname]
     assert_equal user_info.given_name, info[:first_name]
     assert_equal user_info.family_name, info[:last_name]
+    assert_equal user_info.gender, info[:gender]
     assert_equal user_info.picture, info[:image]
     assert_equal user_info.phone_number, info[:phone]
     assert_equal({ website: user_info.website }, info[:urls])
@@ -51,10 +206,129 @@ class OmniAuth::Strategies::OpenIDConnectTest < StrategyTestCase
   end
 
   def test_credentials
+    strategy.options.issuer = 'example.com'
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+
+    id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+    id_token.stubs(:verify!).returns(true)
+    ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+
     access_token = stub('OpenIDConnect::AccessToken')
     access_token.stubs(:access_token).returns(SecureRandom.hex(16))
+    access_token.stubs(:refresh_token).returns(SecureRandom.hex(16))
+    access_token.stubs(:expires_in).returns(Time.now)
+    access_token.stubs(:scope).returns('openidconnect')
+    access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+
     client.expects(:access_token!).returns(access_token)
+    access_token.expects(:refresh_token).returns(access_token.refresh_token)
+    access_token.expects(:expires_in).returns(access_token.expires_in)
+
+    assert_equal({ id_token: access_token.id_token,
+                   token: access_token.access_token,
+                   refresh_token: access_token.refresh_token,
+                   expires_in: access_token.expires_in,
+                   scope: access_token.scope
+                 }, strategy.credentials)
+  end
+
+  def test_option_send_nonce
+    strategy.options.client_options[:host] = "foobar.com"
+
+    assert(strategy.authorize_uri =~ /nonce=/, "URI must contain nonce")
+
+    strategy.options.send_nonce = false
+    assert(!(strategy.authorize_uri =~ /nonce=/), "URI must not contain nonce")
+  end
+
+  def test_failure_endpoint_redirect
+    OmniAuth.config.stubs(:failure_raise_out_environments).returns([])
+    strategy.stubs(:env).returns({})
+    request.stubs(:params).returns({"error" => "access denied"})
+
+    result = strategy.callback_phase
+
+    assert(result.is_a? Array)
+    assert(result[0] == 302, "Redirect")
+    assert(result[1]["Location"] =~ /\/auth\/failure/)
+  end
+
+  def test_state
+    strategy.options.state = lambda { 42 }
+    session = { "state" => 42 }
+
+    expected_redirect = /&state=/
+    strategy.options.issuer = 'example.com'
+    strategy.options.client_options.host = "example.com"
+    strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+    strategy.request_phase
+
+    # this should succeed as the correct state is passed with the request
+    test_callback_phase(session, { "state" => 42 })
+
+    # the following should fail because the wrong state is passed to the callback
+    code = SecureRandom.hex(16)
+    request.stubs(:params).returns({"code" => code, "state" => 43})
+    request.stubs(:path_info).returns("")
+    strategy.call!({"rack.session" => session})
+
+    result = strategy.callback_phase
+
+    assert result.kind_of?(Array)
+    assert result.first == 401, "Expecting unauthorized"
+  end
+
+  def test_option_client_auth_method
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+
+    opts = strategy.options.client_options
+    opts[:host] = "foobar.com"
+    strategy.options.issuer = "foobar.com"
+    strategy.options.client_auth_method = :not_basic
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+
+    json_response = {access_token: 'test_access_token',
+                     id_token: File.read('test/fixtures/id_token.txt'),
+                     token_type: 'Bearer',
+    }.to_json
+    success = Struct.new(:status, :body).new(200, json_response)
+
+    request.stubs(:path_info).returns('')
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+
+    id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+    id_token.stubs(:verify!).with({:issuer => strategy.options.issuer, :client_id => @identifier, :nonce => nonce}).returns(true)
+    ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+
+    HTTPClient.any_instance.stubs(:post).with(
+      "#{opts.scheme}://#{opts.host}:#{opts.port}#{opts.token_endpoint}",
+      {scope: 'openid', :grant_type => :client_credentials, :client_id => @identifier, :client_secret => @secret},
+      {}
+    ).returns(success)
+
+    assert(strategy.send :access_token)
+  end
+
+  def test_public_key_with_jwk
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_jwk_signing_key = File.read('./test/fixtures/jwks.json')
+
+    assert_equal JSON::JWK::Set, strategy.public_key.class
+  end
+
+  def test_public_key_with_x509
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_x509_signing_key = File.read('./test/fixtures/test.crt')
+    assert_equal OpenSSL::PKey::RSA, strategy.public_key.class
+  end
 
-    assert_equal({ token: access_token.access_token }, strategy.credentials)
+  def test_public_key_with_hmac
+    strategy.options.client_options.secret = 'secret'
+    strategy.options.client_signing_alg = :HS256
+    assert_equal strategy.options.client_options.secret, strategy.public_key
   end
 end

data/test/test_helper.rb

@@ -8,6 +8,7 @@ Coveralls.wear!
 require 'minitest/autorun'
 require 'mocha/mini_test'
 require 'faker'
+require 'active_support'
 require_relative '../lib/omniauth-openid-connect'
 
 OmniAuth.config.test_mode = true
@@ -29,7 +30,7 @@ class StrategyTestCase < MiniTest::Test
   end
 
   def user_info
-    @user_info ||= OpenIDConnect::ResponseObject::UserInfo::OpenID.new(
+    @user_info ||= OpenIDConnect::ResponseObject::UserInfo.new(
       sub: SecureRandom.hex(16),
       name: Faker::Name.name,
       email: Faker::Internet.email,
@@ -37,6 +38,7 @@ class StrategyTestCase < MiniTest::Test
       preferred_username: Faker::Internet.user_name,
       given_name: Faker::Name.first_name,
       family_name: Faker::Name.last_name,
+      gender: 'female',
       picture: Faker::Internet.url + ".png",
       phone_number: Faker::PhoneNumber.phone_number,
       website: Faker::Internet.url,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-openid-connect
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - John Bohn
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-15 00:00:00.000000000 Z
+date: 2015-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -28,16 +28,16 @@ dependencies:
   name: openid_connect
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 0.9.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 0.9.2
 - !ruby/object:Gem::Dependency
   name: addressable
   requirement: !ruby/object:Gem::Requirement
@@ -222,9 +222,13 @@ files:
 - Rakefile
 - lib/omniauth-openid-connect.rb
 - lib/omniauth/openid_connect.rb
+- lib/omniauth/openid_connect/errors.rb
 - lib/omniauth/openid_connect/version.rb
 - lib/omniauth/strategies/openid_connect.rb
 - omniauth-openid-connect.gemspec
+- test/fixtures/id_token.txt
+- test/fixtures/jwks.json
+- test/fixtures/test.crt
 - test/lib/omniauth/openid_connect/version_test.rb
 - test/lib/omniauth/strategies/openid_connect_test.rb
 - test/test_helper.rb
@@ -248,11 +252,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.0
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: OpenID Connect Strategy for OmniAuth
 test_files:
+- test/fixtures/id_token.txt
+- test/fixtures/jwks.json
+- test/fixtures/test.crt
 - test/lib/omniauth/openid_connect/version_test.rb
 - test/lib/omniauth/strategies/openid_connect_test.rb
 - test/test_helper.rb