omniauth-yahoojp 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16ae4d397a52eca91f5a45f36770e3ec1162bda6f607a1c2bbd5142ee9799b9c
-  data.tar.gz: 7989bc85f42e4ae4e6b2420e5d3a6c94355a87db5ba0997b1a1a8a62249ae088
+  metadata.gz: cef0fc73e6ad6338ec0f4a4180774ab663b9a0846ad2e7658f9a4c3fd395b454
+  data.tar.gz: 37e8e9ef4282fc449ea7d489ef4a43ea4ab0d231c7ddda5a6163b932c899d7ac
 SHA512:
-  metadata.gz: c6f857f7d5604801d3aff235992b49d925a889e6ca6458400ceb746abe617594a8fa5ab229312f332f34df6fae83d3af508b33f39fd5d3c93bf4a611884395d9
-  data.tar.gz: 8c2a1ca936c8c89adbd4655d01021e14a7e669965be3015fd028df1bcb0c82164a66b90f116056c9d21963f6d5b22ae0ca3329ea9e13001336149f921f344be0
+  metadata.gz: cf6a1d9162d5855cd7ed66074b9f5d275312024602fb956a9e367e522aeaf36d3637c73856c3cd94b3dcc5f0d53ea01697aec948370689b766d0b6f6890a29c3
+  data.tar.gz: 84aa02e550b3fd6bbc286912be6181b484b2d7d1db6ab6ff8792a9819575b08b0c77e406b56045fdac3073cb4900500eb07a7ab91641de909ffb1881d8953043

data/README.md

@@ -65,9 +65,16 @@ Controls how user profile information is retrieved.
 When the `openid` scope is requested, the strategy automatically captures the `id_token` returned by Yahoo! JAPAN's token endpoint.
 
 - `credentials.id_token` — The raw JWT string as returned from the token endpoint.
-- `extra.id_token_claims` — The decoded claims hash from the `id_token`.
+- `extra.id_token_claims` — The decoded and verified claims hash from the `id_token`.
 
-The `id_token` signature verification is skipped because the token is received directly from Yahoo! JAPAN's token endpoint over TLS in the Authorization Code Flow, which guarantees its authenticity.
+The `id_token` is verified as follows:
+
+1. **RS256 signature verification** — The token signature is verified using the public key fetched from Yahoo! JAPAN's [JWKS endpoint](https://auth.login.yahoo.co.jp/yconnect/v2/jwks), matched by the `kid` header claim.
+2. **Issuer (`iss`) validation** — Must be `https://auth.login.yahoo.co.jp/yconnect/v2`.
+3. **Audience (`aud`) validation** — Must include your application's client ID.
+4. **Expiration (`exp`) validation** — The token must not be expired (with a 30-second leeway for clock skew).
+
+If any verification step fails, an `OmniAuth::Strategies::YahooJp::IdTokenValidationError` is raised, which is handled by OmniAuth's standard error flow.
 
 ### API Version
 

data/lib/omniauth/strategies/yahoojp.rb

@@ -5,6 +5,10 @@ require 'json/jwt'
 module OmniAuth
   module Strategies
     class YahooJp < OmniAuth::Strategies::OAuth2
+      class IdTokenValidationError < StandardError; end
+
+      JWKS_URI = 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks'.freeze
+      ISSUER   = 'https://auth.login.yahoo.co.jp/yconnect/v2'.freeze
 
       option :name, 'yahoojp'
       option :client_options, {
@@ -75,9 +79,7 @@ module OmniAuth
 
       def id_token_claims
         return nil unless id_token
-        # Signature verification is skipped because the id_token was received
-        # directly from Yahoo's token endpoint over TLS (Authorization Code Flow).
-        @id_token_claims ||= JSON::JWT.decode(id_token, :skip_verification)
+        @id_token_claims ||= verify_id_token!
       end
 
       def prune!(hash)
@@ -102,6 +104,28 @@ module OmniAuth
         full_host + script_name + callback_path
       end
 
+      private
+
+      def verify_id_token!
+        header = JSON::JWT.decode(id_token, :skip_verification).header
+        jwk = JSON::JWK::Set::Fetcher.fetch(JWKS_URI, kid: header['kid'])
+        claims = JSON::JWT.decode(id_token, jwk, [:RS256])
+        validate_id_token_claims!(claims)
+        claims
+      end
+
+      def validate_id_token_claims!(claims)
+        unless claims['iss'] == ISSUER
+          raise IdTokenValidationError, "Invalid issuer: #{claims['iss']}"
+        end
+        unless Array(claims['aud']).include?(client.id)
+          raise IdTokenValidationError, "Invalid audience: #{claims['aud']}"
+        end
+        if claims['exp'].nil? || Time.now.to_i > claims['exp'].to_i + 30
+          raise IdTokenValidationError, 'id_token has expired'
+        end
+      end
+
     end
   end
 end

data/lib/omniauth-yahoojp/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module YahooJp
-    VERSION = "1.0.0"
+    VERSION = "1.0.1"
   end
 end

data/spec/omniauth/strategies/yahoojp_spec.rb

@@ -26,9 +26,34 @@ RSpec.describe OmniAuth::Strategies::YahooJp do
     end
   end
 
+  describe 'constants' do
+    it 'has correct JWKS_URI' do
+      expect(described_class::JWKS_URI).to eq('https://auth.login.yahoo.co.jp/yconnect/v2/jwks')
+    end
+
+    it 'has correct ISSUER' do
+      expect(described_class::ISSUER).to eq('https://auth.login.yahoo.co.jp/yconnect/v2')
+    end
+  end
+
   context 'with access_token' do
-    let(:jwt_payload) { { 'sub' => 'test123', 'name' => 'Test User', 'email' => 'test@example.com' } }
-    let(:jwt_string) { JSON::JWT.new(jwt_payload).to_s }
+    let(:rsa_key) { OpenSSL::PKey::RSA.generate(2048) }
+    let(:kid) { 'test-kid-1' }
+    let(:jwt_payload) do
+      {
+        'sub' => 'test123',
+        'name' => 'Test User',
+        'email' => 'test@example.com',
+        'iss' => 'https://auth.login.yahoo.co.jp/yconnect/v2',
+        'aud' => 'client_id',
+        'exp' => Time.now.to_i + 3600
+      }
+    end
+    let(:jwt_string) do
+      jwt = JSON::JWT.new(jwt_payload)
+      jwt.kid = kid
+      jwt.sign(rsa_key, :RS256).to_s
+    end
     let(:access_token) do
       instance_double(
         OAuth2::AccessToken,
@@ -43,6 +68,13 @@ RSpec.describe OmniAuth::Strategies::YahooJp do
 
     before do
       allow(strategy).to receive(:access_token).and_return(access_token)
+      jwk = JSON::JWK.new(rsa_key, kid: kid)
+      stub_request(:get, 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks')
+        .to_return(
+          status: 200,
+          body: { keys: [jwk] }.to_json,
+          headers: { 'Content-Type' => 'application/json' }
+        )
     end
 
     describe '#id_token' do
@@ -62,7 +94,7 @@ RSpec.describe OmniAuth::Strategies::YahooJp do
     end
 
     describe '#id_token_claims' do
-      it 'decodes the JWT without verification' do
+      it 'decodes and verifies the JWT' do
         claims = strategy.id_token_claims
         expect(claims['sub']).to eq('test123')
         expect(claims['name']).to eq('Test User')
@@ -80,10 +112,159 @@ RSpec.describe OmniAuth::Strategies::YahooJp do
         expect(strategy.id_token_claims).to be_nil
       end
 
+      it 'returns nil without fetching JWKS when id_token is nil' do
+        allow(access_token).to receive(:params).and_return({})
+        strategy.id_token_claims
+        expect(WebMock).not_to have_requested(:get, 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks')
+      end
+
       it 'raises on malformed id_token' do
         allow(access_token).to receive(:params).and_return({ 'id_token' => 'not-a-jwt' })
         expect { strategy.id_token_claims }.to raise_error(JSON::JWT::InvalidFormat)
       end
+
+      context 'with invalid signature' do
+        let(:wrong_key) { OpenSSL::PKey::RSA.generate(2048) }
+        let(:bad_jwt_string) do
+          jwt = JSON::JWT.new(jwt_payload)
+          jwt.kid = kid
+          jwt.sign(wrong_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => bad_jwt_string })
+        end
+
+        it 'raises an error' do
+          expect { strategy.id_token_claims }.to raise_error(JSON::JWS::VerificationFailed)
+        end
+      end
+
+      context 'with invalid issuer' do
+        let(:jwt_payload_bad_iss) { jwt_payload.merge('iss' => 'https://evil.example.com') }
+        let(:bad_iss_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_bad_iss)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => bad_iss_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /Invalid issuer/
+          )
+        end
+      end
+
+      context 'with issuer missing /yconnect/v2 suffix' do
+        let(:jwt_payload_wrong_iss) { jwt_payload.merge('iss' => 'https://auth.login.yahoo.co.jp') }
+        let(:wrong_iss_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_wrong_iss)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => wrong_iss_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /Invalid issuer/
+          )
+        end
+      end
+
+      context 'with invalid audience' do
+        let(:jwt_payload_bad_aud) { jwt_payload.merge('aud' => 'wrong_client_id') }
+        let(:bad_aud_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_bad_aud)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => bad_aud_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /Invalid audience/
+          )
+        end
+      end
+
+      context 'with audience as array including client_id' do
+        let(:jwt_payload_array_aud) { jwt_payload.merge('aud' => ['other_client', 'client_id']) }
+        let(:array_aud_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_array_aud)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => array_aud_jwt })
+        end
+
+        it 'accepts the token' do
+          expect { strategy.id_token_claims }.not_to raise_error
+        end
+      end
+
+      context 'with expired token' do
+        let(:jwt_payload_expired) { jwt_payload.merge('exp' => Time.now.to_i - 60) }
+        let(:expired_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_expired)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => expired_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /expired/
+          )
+        end
+      end
+
+      context 'with token within 30-second leeway' do
+        let(:jwt_payload_just_expired) { jwt_payload.merge('exp' => Time.now.to_i - 10) }
+        let(:leeway_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_just_expired)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => leeway_jwt })
+        end
+
+        it 'accepts the token' do
+          expect { strategy.id_token_claims }.not_to raise_error
+        end
+      end
+
+      context 'with kid not found in JWKS' do
+        let(:jwt_with_unknown_kid) do
+          jwt = JSON::JWT.new(jwt_payload)
+          jwt.kid = 'unknown-kid'
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => jwt_with_unknown_kid })
+        end
+
+        it 'raises an error' do
+          expect { strategy.id_token_claims }.to raise_error(StandardError)
+        end
+      end
     end
 
     describe '#raw_info' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-yahoojp
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - mikanmarusan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2026-03-08 00:00:00.000000000 Z
+date: 2026-03-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth