omniauth_oidc 0.2.1 → 0.2.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +4 -1
  3. data/README.md +48 -7
  4. data/lib/omniauth/oidc/version.rb +1 -1
  5. data/lib/omniauth/strategies/oidc/verify.rb +3 -3
  6. data/lib/omniauth/strategies/oidc.rb +7 -5
  7. data/omniauth_oidc.gemspec +1 -1
  8. metadata +5 -5
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 801521d0f3ce8e7cdfa427b09c09689db790784bbacb90f9c1d46e8194db1bb6
4
- data.tar.gz: 5a5ddd24e583e982304fca72de602dc8b405b11c98c2d019fbc88fe7058ad48f
3
+ metadata.gz: 74463844a516326572c11a06efb05d658c8f62a14046ef8348f0940296c16433
4
+ data.tar.gz: 4756f11d552dc0d39085125210631161eaa6fa5ecf27b2388a0a90becec96abc
5
5
  SHA512:
6
- metadata.gz: 8480664bb2f337914f7eefc8aa012d58bc9b67fa66fb0e206d2aef09c0352f9228a4d9212e5a1a36a5689676b01dacc00d888dd5a186fbd6af5a69f69f519174
7
- data.tar.gz: 45645700fc002901880944adc41cf1d97ee9d108132c5416718198955b7620203e293938646e225d798e7fd86f028c9bd4f5108aa41f2e3ba822fe6489eef936
6
+ metadata.gz: 11a227e37b5878b9ac0e61ee4956acc36e905a17271d06bc33992d37aad3e5a6e33f777e6f9118f3b60ada81570b9a2b884876d6db08febfa917de59dd721b4b
7
+ data.tar.gz: 786fbde9d9929102212c954bee84769f5a8a4d92f36347ec3dfb299d785f94a9a26ffd0057395e96d385a12a6e720aacf42b3b6476cbe3622b5ed394563ff19a
data/CHANGELOG.md CHANGED
@@ -1,6 +1,9 @@
1
1
  ## [Released]
2
2
 
3
- ## [0.2.0] - 2024-07-21
3
+ ## [0.2.2] - 2024-08-04
4
+ - Update dependencies, update documentation, fix end_session_uri, update other_phase
5
+
6
+ ## [0.2.1] - 2024-07-21
4
7
  - Update dependencies
5
8
 
6
9
  ## [0.2.0] - 2024-07-06
data/README.md CHANGED
@@ -91,6 +91,7 @@ end
91
91
  ```
92
92
 
93
93
  Ensure to replace identifier, secret, configuration endpoint url and others with credentials received from your OIDC provider.
94
+ Please note that the gem does not accept `redirect_uri` as a configurable option. For details please see section Routes.
94
95
 
95
96
  ### Redirecting for Authentication
96
97
 
@@ -125,15 +126,20 @@ end
125
126
 
126
127
  ### Routes
127
128
 
128
- The gem uses dynamic routes when making requests to the OIDC provider endpoints. These routes follow the naming pattern
129
- of `https://your_app.com/auth/<simple_provider>/callback`, where `<simple_provider>` is the provider name defined
130
- within the configuration of the `omniauth.rb` initializer.
129
+ The gem uses dynamic routes when making requests to the OIDC provider endpoints, so called `redirect_uri` which is a
130
+ non-configurable value that follows the naming pattern of `https://your_app.com/auth/<simple_provider>/callback`,
131
+ where `<simple_provider>` is the provider name defined within the configuration of the `omniauth.rb` initializer.
132
+ This represents the `redirect_uri` that will be passed with the authorization request to your OIDC provider and that
133
+ has to be registered with your OIDC provider as permitted `redirect_uri`.
131
134
 
132
135
  Dynamic routes are used to process responses and perform intermediary steps by the middleware, e.g. request phase,
133
- token verification. While you can define and use same routes within your Rails app, you can modify your `routes.rb`
134
- to perform a dynamic redirect to a another controller method. In an example below, all OIDC responses are ultimately
135
- redirected to the `omniauth` method of the `callbacks_controller`, which is a universal method to handle authentication
136
- with various omniauth providers:
136
+ token verification. While you can define and use same routes within your Rails app, it is highly recommended to modify
137
+ your `routes.rb` to perform a dynamic redirect to a another controller method so this does not cause any conflicts with
138
+ the middleware or the authorization flow.
139
+
140
+ In an example below, `auth/:provider/callback` is generalized `redirect_uri` value that is passed in the authorization
141
+ flow, while all OIDC provider responses are ultimately redirected to the `omniauth` method of the `callbacks_controller`,
142
+ which could be a "Swiss army knife" method to handle authentication or user data from various omniauth providers:
137
143
 
138
144
  ```ruby
139
145
  # config/routes.rb
@@ -202,6 +208,41 @@ class CallbacksController < ApplicationController
202
208
  end
203
209
  ```
204
210
 
211
+ ### Ending Session
212
+
213
+ The gem provides two configuration options to allow ending a session simultaneously with your client application and the
214
+ OIDC provider.
215
+
216
+ To use this feature, you need to provide a `logout_path` in the options and an `end_session_endpoint` in the client
217
+ options. Here’s a sample setup:
218
+
219
+ ``` ruby
220
+ provider :oidc, {
221
+ name: :simple_provider,
222
+ client_options: {
223
+ identifier: ENV['SIMPLE_PROVIDER_CLIENT_ID'],
224
+ secret: ENV['SIMPLE_PROVIDER_SECRET'],
225
+ config_endpoint: 'https://simpleprovider.com/1234567890/.well-known/openid-configuration',
226
+ end_session_endpoint: 'https://simpleprovider.com/signout' # URL to end session with OIDC provider
227
+ },
228
+ logout_path: '/logout' # path in your application to end user session
229
+ }
230
+ ```
231
+
232
+ * `end_session_endpoint` is the URL to which your client app can redirect to log out the user from the OIDC provider's application. It can be dynamically fetched from the `config_endpoint` response if your OIDC provider specifies it there. Alternatively, you can explicitly provide it in the client options.
233
+
234
+ * `logout_path` is the URL in your application that can be called to terminate the current user's session.
235
+
236
+ Using these two configurations, you can ensure that when a user logs out from your application, they are also logged out
237
+ from the OIDC provider, providing a seamless logout across multiple services.
238
+
239
+ This works by calling `other_phase` on every request in your application, which checks if the requested URL matches the
240
+ defined `logout_path`. If it does, meaning that the current user has requested to log out from your application,
241
+ `other_phase` redirects to the `end_session_endpoin`t to terminate the user's session with the OIDC provider if such a
242
+ session exists. Then it returns back to your application and concludes the request to end the session.
243
+
244
+ For additional details please refer to the [OIDC specification](https://openid.net/specs/openid-connect-session-1_0-17.html#:~:text=%C2%A0TOC-,5.%C2%A0%20RP%2DInitiated%20Logout,-An%20RP%20can).
245
+
205
246
  ### Advanced Configuration
206
247
  You can customize the OIDC strategy further by adding additional configuration options:
207
248
 
data/lib/omniauth/oidc/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module OmniauthOidc
4
- VERSION = "0.2.1"
4
+ VERSION = "0.2.2"
5
5
  end
data/lib/omniauth/strategies/oidc/verify.rb CHANGED
@@ -62,7 +62,7 @@ module OmniAuth
62
62
  end
63
63
 
64
64
  decoded.verify!(keyset)
65
- ::Oidc::ResponseObject::IdToken.new(decoded)
65
+ ::OpenIDConnect::ResponseObject::IdToken.new(decoded)
66
66
  rescue JSON::JWK::Set::KidNotFound
67
67
  # Workaround for https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
68
68
  raise if decoded&.header&.key?("kid")
@@ -87,7 +87,7 @@ module OmniAuth
87
87
  end
88
88
 
89
89
  def decode!(id_token, key)
90
- ::Oidc::ResponseObject::IdToken.decode(id_token, key)
90
+ ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, key)
91
91
  end
92
92
 
93
93
  def decode_with_each_key!(id_token, keyset)
@@ -139,7 +139,7 @@ module OmniAuth
139
139
  if access_token.id_token
140
140
  decoded = decode_id_token(access_token.id_token).raw_attributes
141
141
 
142
- @user_info = ::Oidc::ResponseObject::UserInfo.new(
142
+ @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new(
143
143
  access_token.userinfo!.raw_attributes.merge(decoded)
144
144
  )
145
145
  else
data/lib/omniauth/strategies/oidc.rb CHANGED
@@ -5,7 +5,7 @@ require "timeout"
5
5
  require "net/http"
6
6
  require "open-uri"
7
7
  require "omniauth"
8
- require "oidc"
8
+ require "openid_connect"
9
9
  require "openid_config_parser"
10
10
  require "forwardable"
11
11
  require "httparty"
@@ -112,9 +112,9 @@ module OmniAuth
112
112
  }
113
113
  end
114
114
 
115
- # Initialize Oidc Client with options
115
+ # Initialize OpenIDConnect Client with options
116
116
  def client
117
- @client ||= ::Oidc::Client.new(client_options)
117
+ @client ||= ::OpenIDConnect::Client.new(client_options)
118
118
  end
119
119
 
120
120
  # Config is build from the json response from the OIDC config endpoint
@@ -127,8 +127,9 @@ module OmniAuth
127
127
  @config ||= OpenidConfigParser.fetch_openid_configuration(client_options.config_endpoint)
128
128
  end
129
129
 
130
+ # Detects if current request is for the logout url and makes a redirect to end session with OIDC provider
130
131
  def other_phase
131
- if logout_path_pattern.match?(current_path)
132
+ if logout_path_pattern.match?(request.url)
132
133
  options.issuer = issuer if options.issuer.to_s.empty?
133
134
 
134
135
  return redirect(end_session_uri) if end_session_uri
@@ -136,6 +137,7 @@ module OmniAuth
136
137
  call_app!
137
138
  end
138
139
 
140
+ # URL to end authenticated user's session with OIDC provider
139
141
  def end_session_uri
140
142
  return unless end_session_endpoint_is_valid?
141
143
 
@@ -205,7 +207,7 @@ module OmniAuth
205
207
  end
206
208
 
207
209
  def logout_path_pattern
208
- @logout_path_pattern ||= /\A#{Regexp.quote(request_path)}#{options.logout_path}/
210
+ @logout_path_pattern ||= /\A#{Regexp.quote(request.base_url)}#{options.logout_path}/
209
211
  end
210
212
 
211
213
  # Strips port and host from strings with OIDC endpoints
data/omniauth_oidc.gemspec CHANGED
@@ -33,9 +33,9 @@ Gem::Specification.new do |spec|
33
33
 
34
34
  # Uncomment to register a new dependency of your gem
35
35
  spec.add_dependency "httparty"
36
- spec.add_dependency "oidc"
37
36
  spec.add_dependency "omniauth"
38
37
  spec.add_dependency "openid_config_parser"
38
+ spec.add_dependency "openid_connect"
39
39
 
40
40
  # For more information and examples about making a new gem, check out our
41
41
  # guide at: https://bundler.io/guides/creating_gem.html
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth_oidc
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.1
4
+ version: 0.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Suleyman Musayev
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2024-07-21 00:00:00.000000000 Z
11
+ date: 2024-08-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: httparty
@@ -25,7 +25,7 @@ dependencies:
25
25
  - !ruby/object:Gem::Version
26
26
  version: '0'
27
27
  - !ruby/object:Gem::Dependency
28
- name: oidc
28
+ name: omniauth
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - ">="
@@ -39,7 +39,7 @@ dependencies:
39
39
  - !ruby/object:Gem::Version
40
40
  version: '0'
41
41
  - !ruby/object:Gem::Dependency
42
- name: omniauth
42
+ name: openid_config_parser
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
45
  - - ">="
@@ -53,7 +53,7 @@ dependencies:
53
53
  - !ruby/object:Gem::Version
54
54
  version: '0'
55
55
  - !ruby/object:Gem::Dependency
56
- name: openid_config_parser
56
+ name: openid_connect
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
59
  - - ">="