RubyGems - omniauth-openid-connector - Versions diffs - 1.1.2 - Mend

omniauth-openid-connector 1.1.2

Files changed (21) hide show

checksums.yaml +7 -0
data/.gitignore +17 -0
data/.travis.yml +10 -0
data/Gemfile +2 -0
data/Guardfile +14 -0
data/LICENSE.txt +22 -0
data/README.md +71 -0
data/Rakefile +10 -0
data/lib/omniauth-openid-connect.rb +1 -0
data/lib/omniauth/openid_connect.rb +3 -0
data/lib/omniauth/openid_connect/errors.rb +6 -0
data/lib/omniauth/openid_connect/version.rb +5 -0
data/lib/omniauth/strategies/openid_connect.rb +251 -0
data/omniauth-openid-connector.gemspec +35 -0
data/test/fixtures/id_token.txt +1 -0
data/test/fixtures/jwks.json +8 -0
data/test/fixtures/test.crt +19 -0
data/test/lib/omniauth/openid_connect/version_test.rb +7 -0
data/test/lib/omniauth/strategies/openid_connect_test.rb +344 -0
data/test/test_helper.rb +66 -0
metadata +266 -0

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 67ab07bdc7de6392ea111c03ce898b0d4f9309de
+  data.tar.gz: 0351d132a18e0259a8bb4632766878cc794dde03
+SHA512:
+  metadata.gz: 8d2e5d1d3ea9aa808f32280471f019bebeef2d85c9a631aadbbf6571c5a034b8f6f661ee340d5993b6f8b6448ceb40e172417d2530070883583da6f429664234
+  data.tar.gz: 77e63ee5d19773c83c888f911b39b1a0eb2c299465c66edbad4810f3c1f9c03258c9d750b24e52755c39d25235732b777b821920ac02f9d9122e2d52d391fec6

data/.gitignore ADDED

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.ruby-version

data/.travis.yml ADDED

@@ -0,0 +1,10 @@
+before_install:
+  - gem update bundler
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+  - 2.2.0
+  - 2.3.0
+  - 2.3.3
+  - rbx

data/Gemfile ADDED

	@@ -0,0 +1,2 @@
1	+ source 'https://rubygems.org'
2	+ gemspec

data/Guardfile ADDED

@@ -0,0 +1,14 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+guard 'minitest' do
+  # with Minitest::Unit
+  watch(%r|^test/(.*)\/(.*)_test\.rb|)
+  watch(%r|^lib/(.*)\.rb|)     { |m| "test/lib/#{m[1]}_test.rb" }
+  watch(%r|^test/test_helper\.rb|)    { "test" }
+end
+guard :bundler do
+  watch('Gemfile')
+  watch(/^.+\.gemspec/)
+end

data/LICENSE.txt ADDED

@@ -0,0 +1,22 @@
+Copyright (c) 2014 John Bohn
+MIT License
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md ADDED

@@ -0,0 +1,71 @@
+# OmniAuth::OpenIDConnect
+OpenID Connect strategy for OmniAuth
+[![Gem Version](https://badge.fury.io/rb/omniauth-openid-connector.png)](http://badge.fury.io/rb/omniauth-openid-connector)
+[![Build Status](https://travis-ci.org/jjbohn/omniauth-openid-connector.png?branch=master)](https://travis-ci.org/doberg/omniauth-openid-connector)
+[![Coverage Status](https://coveralls.io/repos/doberg/omniauth-openid-connector/badge.png?branch=master)](https://coveralls.io/r/doberg/omniauth-openid-connector?branch=master)
+[![Code Climate](https://codeclimate.com/github/doberg/omniauth-openid-connector.png)](https://codeclimate.com/github/doberg/omniauth-openid-connector)
+## Installation
+Add this line to your application's Gemfile:
+    gem 'omniauth-openid-connector'
+And then execute:
+    $ bundle
+Or install it yourself as:
+    $ gem install omniauth-openid-connector
+## Usage
+Example configuration
+```ruby
+config.omniauth :openid_connect, {
+  name: :my_provider,
+  scope: [:openid, :email, :profile, :address],
+  response_type: :code,
+  client_options: {
+    port: 443,
+    scheme: "https",
+    host: "myprovider.com",
+    identifier: ENV["OP_CLIENT_ID"],
+    secret: ENV["OP_SECRET_KEY"],
+    redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
+  },
+}
+```
+Configuration details:
+  * `name` is arbitrary, I recommend using the name of your provider. The name
+  configuration exists because you could be using multiple OpenID Connect
+  providers in a single app.
+  * Although `response_type` is an available option, currently, only `:code`
+  is valid. There are plans to bring in implicit flow and hybrid flow at some
+  point, but it hasn't come up yet for me. Those flows aren't best practive for
+  server side web apps anyway and are designed more for native/mobile apps.
+  * If you want to pass `state` paramete by yourself. You can set Proc Object.
+  e.g. `state: Proc.new{ SecureRandom.hex(32) }`
+  * `nonce` is optional. If don't want to pass "nonce" parameter to provider, You should specify
+  `false` to `send_nonce` option. (default true)
+  * Support for other client authentication methods. If don't specified
+  `:client_auth_method` option, automatically set `:basic`.
+  * Use "OpenID Connect Discovery", You should specify `true` to `discovery` option. (default false)
+  * In "OpenID Connect Discovery", generally provider should have Webfinger endpoint.
+  If provider does not have Webfinger endpoint, You can specify "Issuer" to option.
+  e.g. `issuer: "https://myprovider.com"`
+  It means to get configuration from "https://myprovider.com/.well-known/openid-configuration".
+For the full low down on OpenID Connect, please check out
+[the spec](http://openid.net/specs/openid-connect-core-1_0.html).
+## Contributing
+1. Fork it ( http://github.com/jjbohn/omniauth-openid-connector/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile ADDED

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+Rake::TestTask.new do |t|
+  t.libs << 'lib/omniauth-openid-connect'
+  t.test_files = FileList['test/lib/omniauth/**/*_test.rb']
+  t.verbose = true
+end
+task default: :test

data/lib/omniauth-openid-connect.rb ADDED

	@@ -0,0 +1 @@
1	+ require "omniauth/openid_connect"

data/lib/omniauth/openid_connect.rb ADDED

@@ -0,0 +1,3 @@
+require "omniauth/openid_connect/errors"
+require "omniauth/openid_connect/version"
+require "omniauth/strategies/openid_connect"

data/lib/omniauth/openid_connect/errors.rb ADDED

@@ -0,0 +1,6 @@
+module OmniAuth
+  module OpenIDConnect
+    class Error < RuntimeError; end
+    class MissingCodeError < Error; end
+  end
+end

data/lib/omniauth/openid_connect/version.rb ADDED

@@ -0,0 +1,5 @@
+module OmniAuth
+  module OpenIDConnect
+    VERSION = "1.1.2"
+  end
+end

data/lib/omniauth/strategies/openid_connect.rb ADDED

@@ -0,0 +1,251 @@
+require 'addressable/uri'
+require 'timeout'
+require 'net/http'
+require 'open-uri'
+require 'omniauth'
+require 'openid_connect'
+module OmniAuth
+  module Strategies
+    class OpenIDConnect
+      include OmniAuth::Strategy
+      option :client_options, {
+        identifier: nil,
+        secret: nil,
+        redirect_uri: nil,
+        scheme: "https",
+        host: nil,
+        port: 443,
+        authorization_endpoint: "/authorize",
+        token_endpoint: "/token",
+        userinfo_endpoint: "/userinfo",
+        jwks_uri: '/jwk'
+      }
+      option :issuer
+      option :discovery, false
+      option :client_signing_alg
+      option :client_jwk_signing_key
+      option :client_x509_signing_key
+      option :scope, [:openid]
+      option :response_type, "code"
+      option :state
+      option :response_mode
+      option :display, nil #, [:page, :popup, :touch, :wap]
+      option :prompt, nil #, [:none, :login, :consent, :select_account]
+      option :hd, nil
+      option :max_age
+      option :ui_locales
+      option :id_token_hint
+      option :login_hint
+      option :acr_values
+      option :send_nonce, true
+      option :send_scope_to_token_endpoint, true
+      option :client_auth_method
+      uid { user_info.sub }
+      info do
+        {
+          name: user_info.name,
+          email: user_info.email,
+          nickname: user_info.preferred_username,
+          first_name: user_info.given_name,
+          last_name: user_info.family_name,
+          gender: user_info.gender,
+          image: user_info.picture,
+          phone: user_info.phone_number,
+          urls: { website: user_info.website }
+        }
+      end
+      extra do
+        {raw_info: user_info.raw_attributes}
+      end
+      credentials do
+        {
+            id_token: access_token.id_token,
+            token: access_token.access_token,
+            refresh_token: access_token.refresh_token,
+            expires_in: access_token.expires_in,
+            scope: access_token.scope
+        }
+      end
+      def client
+        @client ||= ::OpenIDConnect::Client.new(client_options)
+      end
+      def config
+        @config ||= ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
+      end
+      def request_phase
+        options.issuer = issuer if options.issuer.blank?
+        discover! if options.discovery
+        redirect authorize_uri
+      end
+      def callback_phase
+        error = request.params['error_reason'] || request.params['error']
+        if error
+          raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
+        elsif request.params['state'].to_s.empty? || request.params['state'] != stored_state
+          return Rack::Response.new(['401 Unauthorized'], 401).finish
+        elsif !request.params["code"]
+          return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(request.params["error"]))
+        else
+          options.issuer = issuer if options.issuer.blank?
+          discover! if options.discovery
+          client.redirect_uri = client_options.redirect_uri
+          client.authorization_code = authorization_code
+          access_token
+          super
+        end
+      rescue CallbackError => e
+        fail!(:invalid_credentials, e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
+      def authorization_code
+        request.params["code"]
+      end
+      def authorize_uri
+        client.redirect_uri = client_options.redirect_uri
+        opts = {
+            response_type: options.response_type,
+            scope: options.scope,
+            state: new_state,
+            nonce: (new_nonce if options.send_nonce),
+            hd: options.hd,
+        }
+        client.authorization_uri(opts.reject{|k,v| v.nil?})
+      end
+      def public_key
+        if options.discovery
+          config.jwks
+        else
+          key_or_secret
+        end
+      end
+      private
+      def issuer
+        resource = "#{client_options.scheme}://#{client_options.host}" + ((client_options.port) ? ":#{client_options.port.to_s}" : '')
+        ::OpenIDConnect::Discovery::Provider.discover!(resource).issuer
+      end
+      def discover!
+        client_options.authorization_endpoint = config.authorization_endpoint
+        client_options.token_endpoint = config.token_endpoint
+        client_options.userinfo_endpoint = config.userinfo_endpoint
+        client_options.jwks_uri = config.jwks_uri
+      end
+      def user_info
+        @user_info ||= access_token.userinfo!
+      end
+      def access_token
+        @access_token ||= lambda {
+          _access_token = client.access_token!(
+          scope: (options.scope if options.send_scope_to_token_endpoint),
+          client_auth_method: options.client_auth_method
+          )
+          _id_token = decode_id_token _access_token.id_token
+          _id_token.verify!(
+              issuer: options.issuer,
+              client_id: client_options.identifier,
+              nonce: stored_nonce
+          )
+          _access_token
+        }.call()
+      end
+      def decode_id_token(id_token)
+        ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
+      end
+      def client_options
+        options.client_options
+      end
+      def new_state
+        state = options.state.call if options.state.respond_to? :call
+        session['omniauth.state'] = state || SecureRandom.hex(16)
+      end
+      def stored_state
+        session.delete('omniauth.state')
+      end
+      def new_nonce
+        session['omniauth.nonce'] = SecureRandom.hex(16)
+      end
+      def stored_nonce
+        session.delete('omniauth.nonce')
+      end
+      def session
+        @env.nil? ? {} : super
+      end
+      def key_or_secret
+        case options.client_signing_alg
+          when :HS256, :HS384, :HS512
+            return client_options.secret
+          when :RS256, :RS384, :RS512
+            if options.client_jwk_signing_key
+              return parse_jwk_key(options.client_jwk_signing_key)
+            elsif options.client_x509_signing_key
+              return parse_x509_key(options.client_x509_signing_key)
+            end
+          else
+        end
+      end
+      def parse_x509_key(key)
+        OpenSSL::X509::Certificate.new(key).public_key
+      end
+      def parse_jwk_key(key)
+        json = JSON.parse(key)
+        if json.has_key?('keys')
+          JSON::JWK::Set.new json['keys']
+        else
+          JSON::JWK.new json
+        end
+      end
+      def decode(str)
+        UrlSafeBase64.decode64(str).unpack('B*').first.to_i(2).to_s
+      end
+      class CallbackError < StandardError
+        attr_accessor :error, :error_reason, :error_uri
+        def initialize(error, error_reason=nil, error_uri=nil)
+          self.error = error
+          self.error_reason = error_reason
+          self.error_uri = error_uri
+        end
+        def message
+          [error, error_reason, error_uri].compact.join(' | ')
+        end
+      end
+    end
+  end
+end
+OmniAuth.config.add_camelization 'openid_connect', 'OpenIDConnect'

data/omniauth-openid-connector.gemspec ADDED

@@ -0,0 +1,35 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth/openid_connect/version'
+Gem::Specification.new do |spec|
+  spec.name          = "omniauth-openid-connector"
+  spec.version       = OmniAuth::OpenIDConnect::VERSION
+  spec.authors       = ["Danial Oberg"]
+  spec.email         = ["doberg@verisys.com"]
+  spec.summary       = %q{OpenID Connect Strategy for OmniAuth}
+  spec.description   = %q{OpenID Connect Strategy for OmniAuth}
+  spec.homepage      = "https://github.com/doberg/omniauth-openid-connector"
+  spec.license       = "MIT"
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.add_dependency 'omniauth', '~> 1.6.1'
+  spec.add_dependency 'openid_connect', '~> 1.1.2'
+  spec.add_dependency 'addressable', '~> 2.4'
+  spec.add_development_dependency "bundler", "~> 1.15.1"
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "mocha"
+  spec.add_development_dependency "guard"
+  spec.add_development_dependency "guard-minitest"
+  spec.add_development_dependency "guard-bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "simplecov"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "coveralls"
+  spec.add_development_dependency "faker"
+end

data/test/fixtures/id_token.txt ADDED

@@ -0,0 +1 @@

+ eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg

data/test/fixtures/jwks.json ADDED

@@ -0,0 +1,8 @@
+{"keys": [{
+    "kty": "RSA",
+    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+    "e": "AQAB",
+    "alg": "RS256",
+    "kid": "1e9gdk7"
+  }]
+}

data/test/fixtures/test.crt ADDED

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAgwCCQC57Ob2JfXb+DANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDgwMTA4NTAxM1oXDTE1MDgw
+MTA4NTAxM1owVDELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMSEwHwYDVQQK
+ExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMTCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+7czSGHN2087T+oX2kBCY/
+XN6UOS/mdU2Gn//omZlyxsQXIqvgBLNWeCVt4QdlFUbgPLggfXUelECV/RUOCIIi
+F2Th4t3x1LviN2XkUiva0DZBnOycqEaJdkyreEuGL1CLVZgZjKmSzNqLl0Yci3D0
+zgVsXFZSadQebietm4CCmfJYREt9NJxXcrLxVDgat/Xm/KJBsohs3f+cbBT8EXer
+7+2oZjZoVUgw1hu0alaOvAfE4mxsVwjn3g2mjDqRJLbbuWqgDobjMHah+d4zwJvN
+ePK8E0hfaz/XBLsJ4e6bQA3M3bANEgSvsicup/qb/0th4gUdc/kj4aJGj0RP7oEC
+AwEAATANBgkqhkiG9w0BAQUFAAOCAQEADuVec/8u2qJiq6K2W/gSLGYCBZq64OrA
+s7L2+S82m9/3gAb62wGcDNZjIGFDQubXmO6RhHv7JUT5YZqv9/kRGTJcHDUrwwoN
+IE99CIPizp7VfnrZ6GsYeszSsw3m+mKTETm+6ELmaSDbYAsrCg4IpGwUF0L88ATv
+CJ8QzW4X7b9dYVc7UAYyCie2N65GXfesBbRlSwFLuVqIzZfMdNpNijTIUwUqGSME
+b8IjLYzvekP53CO4wEBRrAVIPNXgftorxIE30OLWua2Qw3y6Pn+Qp5fLe47025S7
+Lcec18/FbHG0Vbq0qO9cKQw80XyK31N6z556wr2GN2WyixkzVRddXA==
+-----END CERTIFICATE-----

data/test/lib/omniauth/openid_connect/version_test.rb ADDED

@@ -0,0 +1,7 @@
+require_relative '../../../test_helper'
+class OmniAuth::OpenIDConnect::VersionTest < MiniTest::Test
+  def test_version_defined
+    refute_nil OmniAuth::OpenIDConnect::VERSION
+  end
+end

data/test/lib/omniauth/strategies/openid_connect_test.rb ADDED

@@ -0,0 +1,344 @@
+require_relative '../../../test_helper'
+class OmniAuth::Strategies::OpenIDConnectTest < StrategyTestCase
+  def test_client_options_defaults
+    assert_equal 'https', strategy.options.client_options.scheme
+    assert_equal 443, strategy.options.client_options.port
+    assert_equal '/authorize', strategy.options.client_options.authorization_endpoint
+    assert_equal '/token', strategy.options.client_options.token_endpoint
+  end
+  def test_request_phase
+    expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=[\w\d]{32}&response_type=code&scope=openid&state=[\w\d]{32}$/
+    strategy.options.issuer = 'example.com'
+    strategy.options.client_options.host = 'example.com'
+    strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+    strategy.request_phase
+  end
+  def test_request_phase_with_discovery
+    expected_redirect = /^https:\/\/example\.com\/authorization\?client_id=1234&nonce=[\w\d]{32}&response_type=code&scope=openid&state=[\w\d]{32}$/
+    strategy.options.client_options.host = 'example.com'
+    strategy.options.discovery = true
+    issuer = stub('OpenIDConnect::Discovery::Issuer')
+    issuer.stubs(:issuer).returns('https://example.com/')
+    ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
+    config = stub('OpenIDConnect::Discovery::Provder::Config')
+    config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
+    config.stubs(:token_endpoint).returns('https://example.com/token')
+    config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
+    config.stubs(:jwks_uri).returns('https://example.com/jwks')
+    ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+    strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+    strategy.request_phase
+    assert_equal strategy.options.issuer, 'https://example.com/'
+    assert_equal strategy.options.client_options.authorization_endpoint, 'https://example.com/authorization'
+    assert_equal strategy.options.client_options.token_endpoint, 'https://example.com/token'
+    assert_equal strategy.options.client_options.userinfo_endpoint, 'https://example.com/userinfo'
+    assert_equal strategy.options.client_options.jwks_uri, 'https://example.com/jwks'
+  end
+  def test_uid
+    assert_equal user_info.sub, strategy.uid
+  end
+  def test_callback_phase(session = {}, params = {})
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+    strategy.options.issuer = 'example.com'
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+    id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+    id_token.stubs(:verify!).with({:issuer => strategy.options.issuer, :client_id => @identifier, :nonce => nonce}).returns(true)
+    ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+    strategy.unstub(:user_info)
+    access_token = stub('OpenIDConnect::AccessToken')
+    access_token.stubs(:access_token)
+    access_token.stubs(:refresh_token)
+    access_token.stubs(:expires_in)
+    access_token.stubs(:scope)
+    access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+    client.expects(:access_token!).at_least_once.returns(access_token)
+    access_token.expects(:userinfo!).returns(user_info)
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.callback_phase
+  end
+  def test_callback_phase_with_discovery
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    jwks = JSON::JWK::Set.new(JSON.parse(File.read('test/fixtures/jwks.json'))['keys'])
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+    strategy.options.client_options.host = 'example.com'
+    strategy.options.discovery = true
+    issuer = stub('OpenIDConnect::Discovery::Issuer')
+    issuer.stubs(:issuer).returns('https://example.com/')
+    ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
+    config = stub('OpenIDConnect::Discovery::Provder::Config')
+    config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
+    config.stubs(:token_endpoint).returns('https://example.com/token')
+    config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
+    config.stubs(:jwks_uri).returns('https://example.com/jwks')
+    config.stubs(:jwks).returns(jwks)
+    ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+    id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+    id_token.stubs(:verify!).with({:issuer => 'https://example.com/', :client_id => @identifier, :nonce => nonce}).returns(true)
+    ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+    strategy.unstub(:user_info)
+    access_token = stub('OpenIDConnect::AccessToken')
+    access_token.stubs(:access_token)
+    access_token.stubs(:refresh_token)
+    access_token.stubs(:expires_in)
+    access_token.stubs(:scope)
+    access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+    client.expects(:access_token!).at_least_once.returns(access_token)
+    access_token.expects(:userinfo!).returns(user_info)
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.callback_phase
+  end
+  def test_callback_phase_with_error
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'error' => 'invalid_request'})
+    request.stubs(:path_info).returns('')
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.expects(:fail!)
+    strategy.callback_phase
+  end
+  def test_callback_phase_with_invalid_state
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => 'foobar'})
+    request.stubs(:path_info).returns('')
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    result = strategy.callback_phase
+    assert result.kind_of?(Array)
+    assert result.first == 401, "Expecting unauthorized"
+  end
+  def test_callback_phase_with_timeout
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+    strategy.options.issuer = 'example.com'
+    strategy.stubs(:access_token).raises(::Timeout::Error.new('error'))
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.expects(:fail!)
+    strategy.callback_phase
+  end
+  def test_callback_phase_with_etimeout
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+    strategy.options.issuer = 'example.com'
+    strategy.stubs(:access_token).raises(::Errno::ETIMEDOUT.new('error'))
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.expects(:fail!)
+    strategy.callback_phase
+  end
+  def test_callback_phase_with_socket_error
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    request.stubs(:params).returns({'code' => code,'state' => state})
+    request.stubs(:path_info).returns('')
+    strategy.options.issuer = 'example.com'
+    strategy.stubs(:access_token).raises(::SocketError.new('error'))
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    strategy.expects(:fail!)
+    strategy.callback_phase
+  end
+  def test_info
+    info = strategy.info
+    assert_equal user_info.name, info[:name]
+    assert_equal user_info.email, info[:email]
+    assert_equal user_info.preferred_username, info[:nickname]
+    assert_equal user_info.given_name, info[:first_name]
+    assert_equal user_info.family_name, info[:last_name]
+    assert_equal user_info.gender, info[:gender]
+    assert_equal user_info.picture, info[:image]
+    assert_equal user_info.phone_number, info[:phone]
+    assert_equal({ website: user_info.website }, info[:urls])
+  end
+  def test_extra
+    assert_equal({ raw_info: user_info.as_json }, strategy.extra)
+  end
+  def test_credentials
+    strategy.options.issuer = 'example.com'
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+    id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+    id_token.stubs(:verify!).returns(true)
+    ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+    access_token = stub('OpenIDConnect::AccessToken')
+    access_token.stubs(:access_token).returns(SecureRandom.hex(16))
+    access_token.stubs(:refresh_token).returns(SecureRandom.hex(16))
+    access_token.stubs(:expires_in).returns(Time.now)
+    access_token.stubs(:scope).returns('openidconnect')
+    access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+    client.expects(:access_token!).returns(access_token)
+    access_token.expects(:refresh_token).returns(access_token.refresh_token)
+    access_token.expects(:expires_in).returns(access_token.expires_in)
+    assert_equal({ id_token: access_token.id_token,
+                   token: access_token.access_token,
+                   refresh_token: access_token.refresh_token,
+                   expires_in: access_token.expires_in,
+                   scope: access_token.scope
+                 }, strategy.credentials)
+  end
+  def test_option_send_nonce
+    strategy.options.client_options[:host] = "foobar.com"
+    assert(strategy.authorize_uri =~ /nonce=/, "URI must contain nonce")
+    strategy.options.send_nonce = false
+    assert(!(strategy.authorize_uri =~ /nonce=/), "URI must not contain nonce")
+  end
+  def test_failure_endpoint_redirect
+    OmniAuth.config.stubs(:failure_raise_out_environments).returns([])
+    strategy.stubs(:env).returns({})
+    request.stubs(:params).returns({"error" => "access denied"})
+    result = strategy.callback_phase
+    assert(result.is_a? Array)
+    assert(result[0] == 302, "Redirect")
+    assert(result[1]["Location"] =~ /\/auth\/failure/)
+  end
+  def test_state
+    strategy.options.state = lambda { 42 }
+    session = { "state" => 42 }
+    expected_redirect = /&state=/
+    strategy.options.issuer = 'example.com'
+    strategy.options.client_options.host = "example.com"
+    strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+    strategy.request_phase
+    # this should succeed as the correct state is passed with the request
+    test_callback_phase(session, { "state" => 42 })
+    # the following should fail because the wrong state is passed to the callback
+    code = SecureRandom.hex(16)
+    request.stubs(:params).returns({"code" => code, "state" => 43})
+    request.stubs(:path_info).returns("")
+    strategy.call!({"rack.session" => session})
+    result = strategy.callback_phase
+    assert result.kind_of?(Array)
+    assert result.first == 401, "Expecting unauthorized"
+  end
+  def test_option_client_auth_method
+    code = SecureRandom.hex(16)
+    state = SecureRandom.hex(16)
+    nonce = SecureRandom.hex(16)
+    opts = strategy.options.client_options
+    opts[:host] = "foobar.com"
+    strategy.options.issuer = "foobar.com"
+    strategy.options.client_auth_method = :not_basic
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+    json_response = {access_token: 'test_access_token',
+                     id_token: File.read('test/fixtures/id_token.txt'),
+                     token_type: 'Bearer',
+    }.to_json
+    success = Struct.new(:status, :body).new(200, json_response)
+    request.stubs(:path_info).returns('')
+    strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+    id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+    id_token.stubs(:verify!).with({:issuer => strategy.options.issuer, :client_id => @identifier, :nonce => nonce}).returns(true)
+    ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+    HTTPClient.any_instance.stubs(:post).with(
+      "#{opts.scheme}://#{opts.host}:#{opts.port}#{opts.token_endpoint}",
+      {scope: 'openid', :grant_type => :client_credentials, :client_id => @identifier, :client_secret => @secret},
+      {}
+    ).returns(success)
+    assert(strategy.send :access_token)
+  end
+  def test_public_key_with_jwks
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_jwk_signing_key = File.read('./test/fixtures/jwks.json')
+    assert_equal JSON::JWK::Set, strategy.public_key.class
+  end
+  def test_public_key_with_jwk
+    strategy.options.client_signing_alg = :RS256
+    jwks_str = File.read('./test/fixtures/jwks.json')
+    jwks = JSON.parse(jwks_str)
+    jwk = jwks['keys'].first
+    strategy.options.client_jwk_signing_key = jwk.to_json
+    assert_equal JSON::JWK, strategy.public_key.class
+  end
+  def test_public_key_with_x509
+    strategy.options.client_signing_alg = :RS256
+    strategy.options.client_x509_signing_key = File.read('./test/fixtures/test.crt')
+    assert_equal OpenSSL::PKey::RSA, strategy.public_key.class
+  end
+  def test_public_key_with_hmac
+    strategy.options.client_options.secret = 'secret'
+    strategy.options.client_signing_alg = :HS256
+    assert_equal strategy.options.client_options.secret, strategy.public_key
+  end
+end

data/test/test_helper.rb ADDED

@@ -0,0 +1,66 @@
+require 'simplecov'
+SimpleCov.command_name 'test'
+SimpleCov.start
+require 'coveralls'
+Coveralls.wear!
+require 'minitest/autorun'
+require 'mocha/mini_test'
+require 'faker'
+require 'active_support'
+require_relative '../lib/omniauth-openid-connect'
+OmniAuth.config.test_mode = true
+class StrategyTestCase < MiniTest::Test
+  class DummyApp
+    def call(env); end
+  end
+  attr_accessor :identifier, :secret
+  def setup
+    @identifier = "1234"
+    @secret = "1234asdgat3"
+  end
+  def client
+    strategy.client
+  end
+  def user_info
+    @user_info ||= OpenIDConnect::ResponseObject::UserInfo.new(
+      sub: SecureRandom.hex(16),
+      name: Faker::Name.name,
+      email: Faker::Internet.email,
+      nickname: Faker::Name.first_name,
+      preferred_username: Faker::Internet.user_name,
+      given_name: Faker::Name.first_name,
+      family_name: Faker::Name.last_name,
+      gender: 'female',
+      picture: Faker::Internet.url + ".png",
+      phone_number: Faker::PhoneNumber.phone_number,
+      website: Faker::Internet.url,
+    )
+  end
+  def request
+    @request ||= stub('Request').tap do |request|
+      request.stubs(:params).returns({})
+      request.stubs(:cookies).returns({})
+      request.stubs(:env).returns({})
+      request.stubs(:scheme).returns({})
+      request.stubs(:ssl?).returns(false)
+    end
+  end
+  def strategy
+    @strategy ||= OmniAuth::Strategies::OpenIDConnect.new(DummyApp.new).tap do |strategy|
+      strategy.options.client_options.identifier = @identifier
+      strategy.options.client_options.secret = @secret
+      strategy.stubs(:request).returns(request)
+      strategy.stubs(:user_info).returns(user_info)
+    end
+  end
+end

metadata ADDED

@@ -0,0 +1,266 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-openid-connector
+version: !ruby/object:Gem::Version
+  version: 1.1.2
+platform: ruby
+authors:
+- Danial Oberg
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2017-07-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.6.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.6.1
+- !ruby/object:Gem::Dependency
+  name: openid_connect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.2
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.15.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.15.1
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: faker
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: OpenID Connect Strategy for OmniAuth
+email:
+- doberg@verisys.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth-openid-connect.rb
+- lib/omniauth/openid_connect.rb
+- lib/omniauth/openid_connect/errors.rb
+- lib/omniauth/openid_connect/version.rb
+- lib/omniauth/strategies/openid_connect.rb
+- omniauth-openid-connector.gemspec
+- test/fixtures/id_token.txt
+- test/fixtures/jwks.json
+- test/fixtures/test.crt
+- test/lib/omniauth/openid_connect/version_test.rb
+- test/lib/omniauth/strategies/openid_connect_test.rb
+- test/test_helper.rb
+homepage: https://github.com/doberg/omniauth-openid-connector
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.5.1
+signing_key:
+specification_version: 4
+summary: OpenID Connect Strategy for OmniAuth
+test_files:
+- test/fixtures/id_token.txt
+- test/fixtures/jwks.json
+- test/fixtures/test.crt
+- test/lib/omniauth/openid_connect/version_test.rb
+- test/lib/omniauth/strategies/openid_connect_test.rb
+- test/test_helper.rb
+has_rdoc: