omniauth-yahoo-oauth2 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 784ac84ce174a7e01cc6ff2093f87258edaffa52
-  data.tar.gz: 6383b98740bbac0c5b93787bb869306c828710de
+SHA256:
+  metadata.gz: d5a2c23bd49d42781032387a982ba92dcf388a5946b3a75ab70e33b711959e36
+  data.tar.gz: 20b3e2e88fb855dd62a562b840a5259534da733e3a8728d683f85554db6b2cb9
 SHA512:
-  metadata.gz: 499b6375e10ac27c860f80ae59e77b21aefb0a0958e6936355207f8d85fa79637b4ab6abe3145d5020f57b80be08213ffece4369f24e3f0647500508877d0204
-  data.tar.gz: 1d635f2e19db108e51d11f0303da8f0852212064aa1e3cd31a4eb1ff0f6ed589313beac37c5f69c253bafcd3b226aaf5388bab1b02ea0fe147442b1886c1c1db
+  metadata.gz: 0f00d924baf2b6bda0c11c3d2bbd331d7afab7f82cc3fb953102adabbf5186f4ee3fab3c1f7a0cfcb87cde1a9300eea27a1f5f77b8f3e4ec7860b6ffb35941a6
+  data.tar.gz: e640145bfa89799591d54ec4d78414cbc066e3161c2c1ab662e6ab861ff5f1f3b737a469d2b5b646bd21376b3e06ccf8fa15c7adbbdac05c80a0792514c77f4f

data/README.md

@@ -1,56 +1,67 @@
 ## omniauth-yahoo-oauth2 ##
 
-An unofficial, hastily-written Oauth2 OmniAuth strategy for Yahoo. Uses the authorization flow described at https://developer.yahoo.com/oauth2/guide/flows_authcode/.
+An unofficial, hastily-written Oauth2 OmniAuth strategy for Yahoo. Uses the
+authorization flow described at
+https://developer.yahoo.com/oauth2/guide/flows_authcode/.
 
 Built using https://github.com/intridea/omniauth-oauth2.
 
 ## Setup ##
 `gem install omniauth-yahoo-oauth2`
 
-Create an app at https://developer.yahoo.com/apps to get a Yahoo client ID and secret.
+Create an app at https://developer.yahoo.com/apps to get a Yahoo client ID and
+secret.
 
 ## Usage ##
 ```ruby
 # In an initializer
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :yahoo_oauth2, yahoo_client_id, yahoo_secret,
-    name: 'yahoo'
+  provider :yahoo_oauth2, yahoo_client_id, yahoo_secret, name: 'yahoo'
 end
 ```
 
 See https://github.com/intridea/omniauth for Omniauth instructions.
 
 ## Notes ##
-OmniAuth doesn't currently have built-in support for Basic Authentication for retrieving OAuth tokens, so `YahooOauth2#build_access_token` handles this inline.
 
-Yahoo returns an access_token, a refresh_token, and an expiration time for the access_token. They are available in the authentication hash in the callback:
+OmniAuth doesn't currently have built-in support for Basic Authentication for
+retrieving OAuth2 tokens, so `YahooOauth2::Client` overrides
+`OAuth2::Client#get_token`.  Yahoo also requires `redirect_uri` to be set when
+refreshing the `access_token`, so `YahooOauth2::AccessToken` overrides
+`OAuth2::AccessToken#refresh!` to handle that.
+
+As with other OAuth2 providers, Yahoo returns an `access_token`, a
+`refresh_token`, and an expiration time for the `access_token`. They are
+available in the credentials hash in the callback:
+
+```ruby
+credentials = request.env.fetch('omniauth.auth').fetch(:credentials)
+tokens_hash = {
+  access_token:  credentials[:token],
+  refresh_token: credentials[:refresh_token],
+  expires_at:    credentials[:expires_at]
+}
+```
+
+They should be saved to your application's database.  You can use the
+`access_token` directly or use `YahooOauth2::AccessToken` for requests:
 
 ```ruby
-auth_info = request.env['omniauth.auth']
-access_token = auth_info[:credentials][:token]
-refresh_token = auth_info[:credentials][:refresh_token]
-expires_at = auth_info[:credentials][:expires_at]
+client = YahooOauth2::Client.new(YAHOO_CLIENT_ID, YAHOO_SECRET)
+token  = YahooOauth2::AccessToken.from_hash(client, tokens_hash)
+token.get(
+  "https://social.yahooapis.com/v1/user/#{uid}/profile?format=json"
+).parsed
 ```
 
-You can use the refresh_token to generate new access tokens:
+And to refresh the access token once it has expired:
 
 ```ruby
-require 'oauth2'
-require 'base64'
-
-oauth_client = OAuth2::Client.new(YAHOO_CLIENT_ID, YAHOO_SECRET, {
-  site: 'https://api.login.yahoo.com',
-  authorize_url: '/oauth2/request_auth',
-  token_url: '/oauth2/get_token',
-})
-
-auth = "Basic #{Base64.strict_encode64("#{YAHOO_CLIENT_ID}:#{YAHOO_SECRET}")}"
-
-new_token = oauth_client.get_token({
-  redirect_uri: YOUR_CALLBACK_URL,
-  refresh_token: YOUR_REFRESH_TOKEN,
-  grant_type: 'refresh_token',
-  headers: { 'Authorization' => auth } })
+old_token = YahooOauth2::AccessToken.from_hash(client, tokens_hash)
+if old_token.expired?
+  new_token = old_token.refresh!
+  new_token.to_hash # => update your database with this
+end
 ```
 
 ## TODO ##

data/lib/omniauth-yahoo-oauth2.rb

@@ -1 +1 @@
-require File.join('omniauth', 'yahoo_oauth2')
+require 'omniauth/yahoo_oauth2'

data/lib/omniauth/strategies/yahoo_oauth2.rb

@@ -1,49 +1,153 @@
+# frozen_string_literal: true
+
+require "jwt"
 require 'omniauth/strategies/oauth2'
-require 'base64'
 
 module OmniAuth
   module Strategies
     class YahooOauth2 < OmniAuth::Strategies::OAuth2
-      option :name, 'yahoo_oauth2'
-      
+
+      OPEN_ID_CONNECT_SCOPES = "openid,profile,email"
+
+      ALLOWED_ISSUERS = %w[
+        https://api.login.yahoo.com
+        api.login.yahoo.com
+        login.yahoo.com
+      ].freeze
+
+      option :name, 'yahoo'
+
+      option :userinfo_url, "/openid/v1/userinfo"
+
       option :client_options, {
-        site: 'https://api.login.yahoo.com',
-        authorize_url: '/oauth2/request_auth',
-        token_url: '/oauth2/get_token',
+        site:              "https://api.login.yahoo.com",
+        authorize_url:     "/oauth2/request_auth",
+        token_url:         "/oauth2/get_token",
       }
 
-      uid { access_token.params['xoauth_yahoo_guid'] }
+      option :skip_jwt, false
+      option :jwt_leeway, 300
+
+      option :authorize_params, {
+        response_type: 'code',
+      }
+
+      option :authorize_options, %i[
+        language
+        login_hint
+        max_age
+        prompt
+        redirect_uri
+        scope
+        state
+      ]
+
+      uid { raw_info['sub'] }
 
       info do
-        {
-          name: raw_info['profile']['nickname'],
-          nickname: raw_info['profile']['nickname'],
-          gender: raw_info['profile']['gender'],
-          language: raw_info['profile']['lang'],
-          location: raw_info['profile']['location'],
+        prune!({
+          name:       raw_info["name"],
+          email:      verified_email,
+          unverified_email: raw_info['email'],
+          email_verified:   raw_info["email_verified"],
+          first_name: raw_info["given_name"],
+          last_name:  raw_info["family_name"],
+          nickname:   raw_info["nickname"],
+          gender:     raw_info["gender"],
+          locale:     raw_info['locale'],
+          image:      raw_info['picture'],
+          phone:      raw_info["phone_number"],
+          phone_verified: raw_info["phone_number_verified"],
           urls: {
-            image: raw_info['profile']['image']['imageUrl'],
-            profile: raw_info['profile']['profileUrl']
-          }
-        }
-      end
-
-      def build_access_token
-        verifier = request.params['code']
-        
-        auth = "Basic #{Base64.strict_encode64("#{options.client_id}:#{options.client_secret}")}"
-        
-        token = client.get_token(
-          { redirect_uri: callback_url, code: verifier, grant_type: 'authorization_code', headers: { 'Authorization' => auth } }.
-          merge(token_params.to_hash(symbolize_keys: true)), deep_symbolize(options.auth_token_params))
-        
-        token
-      end
-      
+            profile: raw_info['profile'],
+            website: raw_info['website'],
+          },
+        })
+      end
+
+      # n.b. renamed raw_info to userinfo. Userinfo is part of the OIDc standard.
+      extra do
+        hash = {}
+        hash[:userinfo] = raw_info unless skip_info?
+        hash[:id_token] = access_token["id_token"]
+        hash[:id_info]  = decode_info_token
+        prune! hash
+      end
+
       def raw_info
-        raw_info_url = "https://social.yahooapis.com/v1/user/#{uid}/profile?format=json"
-        @raw_info ||= access_token.get(raw_info_url).parsed
+        @raw_info ||= access_token.get(userinfo_url).parsed
+      end
+
+      private
+
+      # This follows the example in omniauth-google-oauth2.
+      #
+      # Probably better to set the redirect_uri as a client option when creating
+      # the client, because OAuth2::Client knows how to handle it, but that
+      # requires updating OmniAuth::Strategies::OAuth2.
+      def callback_url
+        options[:redirect_uri] || (full_host + script_name + callback_path)
+      end
+
+      def userinfo_url
+        options.client_options.site + options.userinfo_url
+      end
+
+      # This is copied from the omniauth-google-oauth2 gem
+      def verified_email
+        raw_info['email_verified'] ? raw_info['email'] : nil
+      end
+
+      # This is copied from the omniauth-google-oauth2 gem
+      def prune!(hash)
+        hash.delete_if do |_, v|
+          prune!(v) if v.is_a?(Hash)
+          v.nil? || (v.respond_to?(:empty?) && v.empty?)
+        end
       end
+
+      # super saves SecureRandom state to session and merges authorize_options
+      #
+      # This follows the example in omniauth-google-oauth2 and
+      # merges any request param with the same name as an authorize_option.
+      # It then saves state to the session (in case it was overwritten).
+      #
+      # Probably the better way to handle this is to build it into "options_for"
+      # and have another option (e.g. authorize_request_params).
+      def authorize_params
+        super.tap do |params|
+          options[:authorize_options].each do |k|
+            unless [nil, ''].include?(request.params[k.to_s])
+              params[k] = request.params[k.to_s]
+            end
+            session['omniauth.state'] = params[:state] if params[:state]
+          end
+        end
+      end
+
+      # This is copied from the omniauth-google-oauth2 gem
+      def decode_info_token
+        unless options[:skip_jwt] || access_token['id_token'].nil?
+          decoded = ::JWT.decode(access_token['id_token'], nil, false).first
+
+          # We have to manually verify the claims because the third parameter to
+          # JWT.decode is false since no verification key is provided.
+          ::JWT::Verify.verify_claims(decoded,
+                                      verify_iss: true,
+                                      iss: ALLOWED_ISSUERS,
+                                      verify_aud: true,
+                                      aud: options.client_id,
+                                      verify_sub: false,
+                                      verify_expiration: true,
+                                      verify_not_before: true,
+                                      verify_iat: true,
+                                      verify_jti: false,
+                                      leeway: options[:jwt_leeway])
+
+          decoded
+        end
+      end
+
     end
   end
 end

data/lib/omniauth/yahoo_oauth2.rb

@@ -1 +1 @@
-require File.join('omniauth', 'strategies', 'yahoo_oauth2')
+require 'omniauth/strategies/yahoo_oauth2'

data/lib/omniauth/yahoo_oauth2/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module YahooOauth2
-    VERSION = '1.1.0'
+    VERSION = '1.2.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-yahoo-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Amir Manji
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-06 00:00:00.000000000 Z
+date: 2020-05-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -86,8 +86,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: A Yahoo OAuth2 strategy for OmniAuth.