omniauth-vk_id 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 007616d03457b1cbb4082de6ed0b5dbd27cd50084d7e2c080757f2986f2cf29c
+  data.tar.gz: 3e741ea42c3c08f8a6d68bb0498e357a3118a3291c54f3a7f5b075c5fd135036
+SHA512:
+  metadata.gz: 9a8093a61d8978a2152864580ee5e17c5a4d2541744cac3821d73fc23f9434cc8db291cdcb274c7cea928f18221d1f58c965e501fe05a8542a637a345b499bd2
+  data.tar.gz: 7ce08576bd1dd60f448fda5fbca680182b12b16fa914965797a7f2ed19a70bdbfe6569dd16f668ad7ef9106cea881ea260b6acb1f37167ab4b840f0fe599a249

data/CHANGELOG.md

@@ -0,0 +1,21 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-04-10
+
+### Added
+- Initial release.
+- OmniAuth 1.9-compatible strategy for VK ID (`id.vk.ru`).
+- OAuth 2.1 Authorization Code flow with PKCE (S256).
+- Support for both VK ID callback formats: `payload` JSON and flat query params.
+- Token exchange without `client_secret` (PKCE replaces it).
+- User info fetched from `https://id.vk.ru/oauth2/user_info`.
+- Standard OmniAuth auth hash with `uid`, `info`, `credentials`, `extra.raw_info`.
+- RSpec test suite covering PKCE helpers, request phase, CSRF protection, and
+  both callback formats.
+
+[0.1.0]: https://github.com/C0nstantin/omniauth-vk_id/releases/tag/v0.1.0

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Konstantin Karataev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,126 @@
+# omniauth-vk_id
+
+OmniAuth 1.9-compatible strategy for **VK ID** (`id.vk.ru`) — the new ВКонтакте authorization protocol based on OAuth 2.1 + PKCE.
+
+This is **not** compatible with the legacy `omniauth-vkontakte` gem (which uses the classic `oauth.vk.com` endpoint). VK now registers all new applications via `id.vk.com`, which requires the new protocol.
+
+## Features
+
+- Authorization Code flow with PKCE (S256)
+- Accepts the VK ID callback both as `payload` JSON and as flat query params
+- Token exchange without `client_secret` (PKCE replaces it)
+- Fetches user info from `https://id.vk.ru/oauth2/user_info`
+- Returns a standard OmniAuth auth hash with `uid`, `info.name`, `info.email`, `info.image`, `info.phone`, `credentials`, `extra.raw_info`
+
+## Requirements
+
+- Ruby >= 3.0
+- `omniauth ~> 1.9`
+- `omniauth-oauth2 ~> 1.7`
+
+## Installation
+
+In your `Gemfile`:
+
+```ruby
+gem 'omniauth-vk_id', '~> 0.1'
+```
+
+Then `bundle install`.
+
+> **Important — `full_host` behind a reverse proxy.**
+> VK ID signs the flow against the exact `redirect_uri`, which OmniAuth builds
+> from the incoming request's host/scheme. If your Rails app sits behind a
+> proxy (nginx, Cloudflare, Heroku router, …) and receives HTTP internally,
+> pin the public host explicitly, otherwise token exchange will fail with an
+> `invalid redirect_uri`:
+>
+> ```ruby
+> # config/initializers/omniauth.rb
+> OmniAuth.config.full_host = ENV.fetch('APP_HOST', 'https://your-domain.example')
+> ```
+
+## Usage
+
+### Rails + Devise
+
+```ruby
+# config/initializers/devise.rb
+Devise.setup do |config|
+  config.omniauth :vk_id,
+                  ENV['OMNIAUTH_VK_ID_APP_ID'],
+                  ENV['OMNIAUTH_VK_ID_SECRET'],
+                  scope: 'email phone' # default: 'email phone'. Drop 'phone' if not needed.
+end
+```
+
+### Options
+
+| Option         | Default          | Description                                          |
+|----------------|------------------|------------------------------------------------------|
+| `scope`        | `'email phone'`  | Space-separated VK ID scopes to request.             |
+| `lang_id`      | *(unset)*        | Optional VK ID language override (see VK ID docs).   |
+| `scheme`       | *(unset)*        | Optional UI scheme (`light`/`dark`/`auto`).          |
+| `callback_path`| `/auth/vk_id/callback` | Override if you mount OmniAuth under another path. |
+
+Routes (`/users/auth/vk_id` and `/users/auth/vk_id/callback`) are generated automatically by Devise.
+
+Add a callback handler in `app/controllers/users/omniauth_callbacks_controller.rb`:
+
+```ruby
+class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  def vk_id
+    handle_callback
+  end
+end
+```
+
+### VK ID app setup
+
+1. Register at https://id.vk.com → Мои приложения → Создать
+2. Copy the numeric **App ID** and **Защищённый ключ** (Secret key)
+3. In **Доверенный Redirect URI** add:
+   - `https://your-domain.example/users/auth/vk_id/callback`
+4. Export env vars:
+   ```
+   OMNIAUTH_VK_ID_APP_ID=12345
+   OMNIAUTH_VK_ID_SECRET=yoursecret
+   ```
+
+## Auth hash
+
+```ruby
+{
+  provider: 'vk_id',
+  uid:      '1234567890',
+  info: {
+    name:       'Иван Иванов',
+    email:      'user@example.com',
+    first_name: 'Иван',
+    last_name:  'Иванов',
+    image:      'https://sun9-xxx.userapi.com/...',
+    phone:      '+7...'
+  },
+  credentials: {
+    token:         '...',
+    refresh_token: '...',
+    expires_at:    1711234567,
+    expires:       true
+  },
+  extra: {
+    raw_info: { ... },
+    id_token: '...'
+  }
+}
+```
+
+## Testing
+
+```
+bundle install
+bundle exec rspec
+```
+
+## License
+
+MIT

data/lib/omniauth/strategies/vk_id.rb

@@ -0,0 +1,178 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'digest'
+require 'json'
+require 'securerandom'
+require 'omniauth-oauth2'
+
+module OmniAuth
+  module Strategies
+    # OmniAuth strategy for VK ID (https://id.vk.ru) — the new ВКонтакте auth
+    # protocol based on OAuth 2.1 + PKCE. Not compatible with the legacy
+    # omniauth-vkontakte gem which uses the classic oauth.vk.com endpoint.
+    #
+    # Official docs:
+    # https://id.vk.com/about/business/go/docs/ru/vkid/latest/vk-id/connection/start-integration/auth-without-sdk/auth-without-sdk-web
+    class VkId < OmniAuth::Strategies::OAuth2
+      AUTHORIZE_URL = 'https://id.vk.ru/authorize'
+      TOKEN_URL     = 'https://id.vk.ru/oauth2/auth'
+      USER_INFO_URL = 'https://id.vk.ru/oauth2/user_info'
+
+      SESSION_CODE_VERIFIER_KEY = 'omniauth.vk_id.code_verifier'
+      # Use the standard OmniAuth OAuth2 state session key so the parent
+      # class can verify it during super in callback_phase.
+      SESSION_STATE_KEY         = 'omniauth.state'
+      SESSION_DEVICE_ID_KEY     = 'omniauth.vk_id.device_id'
+
+      option :name, 'vk_id'
+
+      option :client_options, {
+        site:          'https://id.vk.ru',
+        authorize_url: AUTHORIZE_URL,
+        token_url:     TOKEN_URL,
+        user_info_url: USER_INFO_URL
+      }
+
+      option :authorize_options, %i[scope lang_id scheme]
+      option :scope, 'email phone'
+      option :pkce, true
+
+      uid { raw_info['user_id'].to_s }
+
+      info do
+        {
+          name:       [raw_info['first_name'], raw_info['last_name']].compact.join(' ').strip,
+          email:      raw_info['email'],
+          first_name: raw_info['first_name'],
+          last_name:  raw_info['last_name'],
+          image:      raw_info['avatar'],
+          phone:      raw_info['phone']
+        }
+      end
+
+      extra do
+        {
+          'raw_info' => raw_info,
+          'id_token' => access_token.params['id_token']
+        }
+      end
+
+      credentials do
+        hash = { 'token' => access_token.token }
+        hash['refresh_token'] = access_token.refresh_token if access_token.refresh_token
+        if access_token.expires?
+          hash['expires_at'] = access_token.expires_at
+          hash['expires']    = true
+        else
+          hash['expires'] = false
+        end
+        hash
+      end
+
+      # ----- Request phase -----
+
+      def request_phase
+        verifier  = generate_code_verifier
+        challenge = code_challenge_for(verifier)
+        state     = SecureRandom.hex(24)
+        device_id = SecureRandom.hex(16)
+
+        session[SESSION_CODE_VERIFIER_KEY] = verifier
+        session[SESSION_STATE_KEY]         = state
+        session[SESSION_DEVICE_ID_KEY]     = device_id
+
+        params = {
+          response_type:         'code',
+          client_id:             options.client_id,
+          scope:                 options.scope,
+          redirect_uri:          callback_url,
+          state:                 state,
+          code_challenge:        challenge,
+          code_challenge_method: 'S256'
+        }
+        params[:lang_id] = options.lang_id if options.respond_to?(:lang_id) && options.lang_id
+        params[:scheme]  = options.scheme  if options.respond_to?(:scheme)  && options.scheme
+
+        redirect "#{options.client_options.authorize_url}?#{URI.encode_www_form(params)}"
+      end
+
+      # ----- Callback phase -----
+
+      def callback_phase
+        extract_payload_params!
+        super
+      rescue JSON::ParserError => e
+        fail!(:invalid_payload, e)
+      end
+
+      # ----- Token exchange -----
+
+      def build_access_token
+        verifier  = session.delete(SESSION_CODE_VERIFIER_KEY)
+        device_id = request.params['device_id'] || session.delete(SESSION_DEVICE_ID_KEY)
+
+        body = {
+          grant_type:    'authorization_code',
+          code:          request.params['code'],
+          code_verifier: verifier,
+          client_id:     options.client_id,
+          device_id:     device_id,
+          redirect_uri:  callback_url,
+          state:         request.params['state']
+        }
+
+        response = client.request(
+          :post,
+          options.client_options.token_url,
+          body:    body,
+          headers: { 'Content-Type' => 'application/x-www-form-urlencoded' }
+        )
+
+        ::OAuth2::AccessToken.from_hash(client, response.parsed)
+      end
+
+      # ----- User info -----
+
+      def raw_info
+        @raw_info ||= begin
+          response = client.request(
+            :post,
+            options.client_options.user_info_url,
+            body:    {
+              client_id:    options.client_id,
+              access_token: access_token.token
+            },
+            headers: { 'Content-Type' => 'application/x-www-form-urlencoded' }
+          )
+          parsed = response.parsed || {}
+          parsed.is_a?(Hash) ? (parsed['user'] || {}) : {}
+        end
+      end
+
+      # ----- Helpers -----
+
+      def generate_code_verifier
+        SecureRandom.urlsafe_base64(64).gsub(/[^A-Za-z0-9\-._~]/, '')[0, 128]
+      end
+
+      def code_challenge_for(verifier)
+        Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
+      end
+
+      private
+
+      def extract_payload_params!
+        payload = request.params['payload']
+        return if payload.nil? || payload.empty?
+
+        data = JSON.parse(payload)
+        request.params['code']       ||= data['code']
+        request.params['state']      ||= data['state']
+        request.params['device_id']  ||= data['device_id']
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'vk_id', 'VkId'

data/lib/omniauth/vk_id/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module VkId
+    VERSION = '0.1.0'
+  end
+end

data/lib/omniauth-vk_id.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'omniauth/vk_id/version'
+require 'omniauth/strategies/vk_id'

data/omniauth-vk_id.gemspec

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth/vk_id/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'omniauth-vk_id'
+  spec.version       = OmniAuth::VkId::VERSION
+  spec.authors       = ['Konstantin Karataev']
+  spec.email         = ['karataev@users.noreply.github.com']
+  spec.summary       = 'OmniAuth strategy for VK ID (id.vk.ru) with PKCE'
+  spec.description   = 'Server-side OmniAuth 1.9 strategy implementing the ' \
+                       'VK ID OAuth 2.1 authorization code flow with PKCE. ' \
+                       'Works with VK apps registered via id.vk.com (not the ' \
+                       'legacy dev.vk.com classic OAuth).'
+  spec.license       = 'MIT'
+  spec.homepage      = 'https://github.com/C0nstantin/omniauth-vk_id'
+
+  spec.metadata = {
+    'homepage_uri'          => spec.homepage,
+    'source_code_uri'       => "#{spec.homepage}/tree/main",
+    'bug_tracker_uri'       => "#{spec.homepage}/issues",
+    'changelog_uri'         => "#{spec.homepage}/blob/main/CHANGELOG.md",
+    'documentation_uri'     => "#{spec.homepage}#readme",
+    'rubygems_mfa_required' => 'true'
+  }
+
+  spec.required_ruby_version = '>= 3.0'
+
+  spec.files = Dir['lib/**/*.rb'] + %w[README.md CHANGELOG.md LICENSE omniauth-vk_id.gemspec]
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'omniauth', '~> 1.9'
+  spec.add_runtime_dependency 'omniauth-oauth2', '~> 1.7'
+
+  spec.add_development_dependency 'rack-test', '~> 2.1'
+  spec.add_development_dependency 'rake',      '~> 13.0'
+  spec.add_development_dependency 'rspec',     '~> 3.12'
+  spec.add_development_dependency 'webmock',   '~> 3.18'
+end

metadata

@@ -0,0 +1,139 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-vk_id
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Konstantin Karataev
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.18'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.18'
+description: Server-side OmniAuth 1.9 strategy implementing the VK ID OAuth 2.1 authorization
+  code flow with PKCE. Works with VK apps registered via id.vk.com (not the legacy
+  dev.vk.com classic OAuth).
+email:
+- karataev@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- lib/omniauth-vk_id.rb
+- lib/omniauth/strategies/vk_id.rb
+- lib/omniauth/vk_id/version.rb
+- omniauth-vk_id.gemspec
+homepage: https://github.com/C0nstantin/omniauth-vk_id
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/C0nstantin/omniauth-vk_id
+  source_code_uri: https://github.com/C0nstantin/omniauth-vk_id/tree/main
+  bug_tracker_uri: https://github.com/C0nstantin/omniauth-vk_id/issues
+  changelog_uri: https://github.com/C0nstantin/omniauth-vk_id/blob/main/CHANGELOG.md
+  documentation_uri: https://github.com/C0nstantin/omniauth-vk_id#readme
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.3
+specification_version: 4
+summary: OmniAuth strategy for VK ID (id.vk.ru) with PKCE
+test_files: []