omniauth_oidc 0.2.0 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 219bb4ddd444b494db9e5c1ac72f93e66ef442d3c3243609e62485b186c5c9ff
-  data.tar.gz: b28c370148e1a6b3245c4f02defa7dde129354d66885807bcf0dd4d262a2a78d
+  metadata.gz: 74463844a516326572c11a06efb05d658c8f62a14046ef8348f0940296c16433
+  data.tar.gz: 4756f11d552dc0d39085125210631161eaa6fa5ecf27b2388a0a90becec96abc
 SHA512:
-  metadata.gz: 8536b7161da3774d5246bb465de5c24d3cb87fd2b164763df1fb01df11e85c87538f314c5a3ada969ae9e43cfa4b0ccbb22c161034ff0b3da70b91d3b93832be
-  data.tar.gz: 183943792aa52d5fdccb05b77dcd66d65c5d4c1500936e153733692429c51457fb4da61b28b666c0ceebb04e9a925c04a8d17af4ed6033ce8d96b2da2b6dd512
+  metadata.gz: 11a227e37b5878b9ac0e61ee4956acc36e905a17271d06bc33992d37aad3e5a6e33f777e6f9118f3b60ada81570b9a2b884876d6db08febfa917de59dd721b4b
+  data.tar.gz: 786fbde9d9929102212c954bee84769f5a8a4d92f36347ec3dfb299d785f94a9a26ffd0057395e96d385a12a6e720aacf42b3b6476cbe3622b5ed394563ff19a

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 ## [Released]
 
+## [0.2.2] - 2024-08-04
+- Update dependencies, update documentation, fix end_session_uri, update other_phase
+
+## [0.2.1] - 2024-07-21
+- Update dependencies
+
 ## [0.2.0] - 2024-07-06
 - Add option to fetch user info or skip it
 

data/README.md

@@ -91,6 +91,7 @@ end
 ```
 
 Ensure to replace identifier, secret, configuration endpoint url and others with credentials received from your OIDC provider.
+Please note that the gem does not accept `redirect_uri` as a configurable option. For details please see section Routes.
 
 ### Redirecting for Authentication
 
@@ -125,15 +126,20 @@ end
 
 ### Routes
 
-The gem uses dynamic routes when making requests to the OIDC provider endpoints. These routes follow the naming pattern
-of `https://your_app.com/auth/<simple_provider>/callback`, where `<simple_provider>` is the provider name defined
-within the configuration of the `omniauth.rb` initializer.
+The gem uses dynamic routes when making requests to the OIDC provider endpoints, so called `redirect_uri` which is a
+non-configurable value that follows the naming pattern of `https://your_app.com/auth/<simple_provider>/callback`, 
+where `<simple_provider>` is the provider name defined within the configuration of the `omniauth.rb` initializer.
+This represents the `redirect_uri` that will be passed with the authorization request to your OIDC provider and that
+has to be registered with your OIDC provider as permitted `redirect_uri`.
 
 Dynamic routes are used to process responses and perform intermediary steps by the middleware, e.g. request phase,
-token verification. While you can define and use same routes within your Rails app, you can modify your `routes.rb`
-to perform a dynamic redirect to a another controller method. In an example below, all OIDC responses are ultimately
-redirected to the `omniauth` method of the `callbacks_controller`, which is a universal method to handle authentication
-with various omniauth providers:
+token verification. While you can define and use same routes within your Rails app, it is highly recommended to modify 
+your `routes.rb` to perform a dynamic redirect to a another controller method so this does not cause any conflicts with
+the middleware or the authorization flow.
+
+In an example below, `auth/:provider/callback` is generalized `redirect_uri` value that is passed in the authorization
+flow, while all OIDC provider responses are ultimately redirected to the `omniauth` method of the `callbacks_controller`,
+which could be a "Swiss army knife" method to handle authentication or user data from various omniauth providers:
 
 ```ruby
 # config/routes.rb
@@ -202,6 +208,41 @@ class CallbacksController < ApplicationController
 end
 ```
 
+### Ending Session
+
+The gem provides two configuration options to allow ending a session simultaneously with your client application and the
+OIDC provider.
+
+To use this feature, you need to provide a `logout_path` in the options and an `end_session_endpoint` in the client 
+options. Here’s a sample setup:
+
+``` ruby
+  provider :oidc, {
+    name: :simple_provider,
+    client_options: {
+      identifier: ENV['SIMPLE_PROVIDER_CLIENT_ID'],
+      secret: ENV['SIMPLE_PROVIDER_SECRET'],
+      config_endpoint: 'https://simpleprovider.com/1234567890/.well-known/openid-configuration',
+      end_session_endpoint: 'https://simpleprovider.com/signout' # URL to end session with OIDC provider
+    },
+    logout_path: '/logout' # path in your application to end user session
+  }
+```
+
+* `end_session_endpoint` is the URL to which your client app can redirect to log out the user from the OIDC provider's application. It can be dynamically fetched from the `config_endpoint` response if your OIDC provider specifies it there. Alternatively, you can explicitly provide it in the client options.
+
+* `logout_path` is the URL in your application that can be called to terminate the current user's session.
+
+Using these two configurations, you can ensure that when a user logs out from your application, they are also logged out
+from the OIDC provider, providing a seamless logout across multiple services.
+
+This works by calling `other_phase` on every request in your application, which checks if the requested URL matches the 
+defined `logout_path`. If it does, meaning that the current user has requested to log out from your application, 
+`other_phase` redirects to the `end_session_endpoin`t to terminate the user's session with the OIDC provider if such a 
+session exists. Then it returns back to your application and concludes the request to end the session.
+
+For additional details please refer to the [OIDC specification](https://openid.net/specs/openid-connect-session-1_0-17.html#:~:text=%C2%A0TOC-,5.%C2%A0%20RP%2DInitiated%20Logout,-An%20RP%20can).
+
 ### Advanced Configuration
 You can customize the OIDC strategy further by adding additional configuration options:
 

data/lib/omniauth/oidc/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OmniauthOidc
-  VERSION = "0.2.0"
+  VERSION = "0.2.2"
 end

data/lib/omniauth/strategies/oidc/verify.rb

@@ -30,7 +30,7 @@ module OmniAuth
         private
 
         def fetch_key
-          @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get(config.jwks_uri).body)
+          @fetch_key ||= parse_jwk_key(::Oidc.http_client.get(config.jwks_uri).body)
         end
 
         def base64_decoded_jwt_secret
@@ -47,7 +47,6 @@ module OmniAuth
                                             nonce: params["nonce"].presence || stored_nonce)
         end
 
-        # Workaround for https://github.com/nov/openid_connect/issues/61
         def decode_id_token(id_token)
           decoded = JSON::JWT.decode(id_token, :skip_verification)
           algorithm = decoded.algorithm.to_sym

data/lib/omniauth/strategies/oidc.rb

@@ -127,8 +127,9 @@ module OmniAuth
         @config ||= OpenidConfigParser.fetch_openid_configuration(client_options.config_endpoint)
       end
 
+      # Detects if current request is for the logout url and makes a redirect to end session with OIDC provider
       def other_phase
-        if logout_path_pattern.match?(current_path)
+        if logout_path_pattern.match?(request.url)
           options.issuer = issuer if options.issuer.to_s.empty?
 
           return redirect(end_session_uri) if end_session_uri
@@ -136,6 +137,7 @@ module OmniAuth
         call_app!
       end
 
+      # URL to end authenticated user's session with OIDC provider
       def end_session_uri
         return unless end_session_endpoint_is_valid?
 
@@ -205,7 +207,7 @@ module OmniAuth
       end
 
       def logout_path_pattern
-        @logout_path_pattern ||= /\A#{Regexp.quote(request_path)}#{options.logout_path}/
+        @logout_path_pattern ||= /\A#{Regexp.quote(request.base_url)}#{options.logout_path}/
       end
 
       # Strips port and host from strings with OIDC endpoints

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth_oidc
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.2
 platform: ruby
 authors:
 - Suleyman Musayev
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-07-06 00:00:00.000000000 Z
+date: 2024-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: httparty