omniauth_oidc 0.2.7 → 1.0.1

data/lib/omniauth/strategies/oidc/callback.rb

@@ -3,120 +3,147 @@
 module OmniAuth
   module Strategies
     class Oidc
-      # Callback phase
-      module Callback
-        def callback_phase # rubocop:disable Metrics
-          error = params["error_reason"] || params["error"]
-          error_description = params["error_description"] || params["error_reason"]
-          invalid_state = (options.require_state && params["state"].to_s.empty?) || params["state"] != stored_state
+      # Callback phase - handles OIDC provider response
+      module Callback # rubocop:disable Metrics/ModuleLength
+        def callback_phase
+          OmniauthOidc::Logging.instrument("callback_phase.start", provider: name) do
+            handle_callback_errors do
+              validate_callback_params!
 
-          raise CallbackError, error: params["error"], reason: error_description, uri: params["error_uri"] if error
-          raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
+              options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
 
-          return unless valid_response_type?
+              verify_id_token!(params["id_token"]) if configured_response_type == "id_token"
 
-          options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
+              client.redirect_uri = redirect_uri
 
-          verify_id_token!(params["id_token"]) if configured_response_type == "id_token"
+              if configured_response_type == "id_token"
+                handle_id_token_response
+              else
+                handle_code_response
+              end
 
-          client.redirect_uri = redirect_uri
-
-          return id_token_callback_phase if configured_response_type == "id_token"
+              super
+            end
+          end
+        end
 
-          client.authorization_code = authorization_code
+        private
 
-          access_token
+        def handle_callback_errors
+          yield
         rescue CallbackError => e
+          OmniauthOidc::Logging.error("Callback error", error: e.error, reason: e.error_reason)
           fail!(e.error, e)
-        rescue ::Rack::OAuth2::Client::Error => e
-          fail!(e.response[:error], e)
+        rescue OmniauthOidc::TokenError => e
+          OmniauthOidc::Logging.error("Token error", error: e.class.name, message: e.message)
+          fail!(:token_error, e)
+        rescue OmniauthOidc::HttpClient::HttpError => e
+          OmniauthOidc::Logging.error("HTTP error", message: e.message)
+          fail!(:http_error, e)
         rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+          OmniauthOidc::Logging.error("Timeout error", message: e.message)
           fail!(:timeout, e)
         rescue ::SocketError => e
+          OmniauthOidc::Logging.error("Connection error", message: e.message)
           fail!(:failed_to_connect, e)
         end
 
-        private
-
-        def access_token
-          return @access_token if @access_token
-
-          token_request_params = {
-            scope: (scope if options.send_scope_to_token_endpoint),
-            client_auth_method: options.client_auth_method
-          }
+        def validate_callback_params! # rubocop:disable Naming/PredicateMethod
+          error = params["error_reason"] || params["error"]
+          error_description = params["error_description"] || params["error_reason"]
+          invalid_state = (options.require_state && params["state"].to_s.empty?) || params["state"] != stored_state
 
-          if options.pkce
-            token_request_params[:code_verifier] =
-              params["code_verifier"] || session.delete("omniauth.pkce.verifier")
+          if error
+            raise CallbackError, error: params["error"], error_reason: error_description,
+                                 error_uri: params["error_uri"]
           end
+          raise CallbackError, error: :csrf_detected, error_reason: "Invalid 'state' parameter" if invalid_state
 
-          set_client_options_for_callback_phase
+          valid_response_type?
+        end
+
+        def handle_code_response
+          # Get access token via token exchange
+          @access_token = fetch_access_token
 
-          @access_token = client.access_token!(token_request_params)
+          # Verify the ID token from the token response
+          verify_id_token!(@access_token.id_token) if @access_token.id_token
 
-          verify_id_token!(@access_token.id_token) if configured_response_type == "code"
+          # Fetch and set user info
+          @user_info = fetch_user_info
+        end
 
-          options.fetch_user_info ? user_info_from_access_token : define_access_token
+        def handle_id_token_response
+          # For id_token response type, extract user data directly from the token
+          decoded_token = decode_id_token(params["id_token"])
+          @user_info = OmniauthOidc::ResponseObjects::UserInfo.new(decoded_token.raw_attributes)
+
+          # Create a minimal access token structure for credentials
+          @access_token = OmniauthOidc::ResponseObjects::AccessToken.new(
+            id_token: params["id_token"],
+            access_token: nil,
+            refresh_token: nil,
+            expires_in: nil,
+            scope: nil
+          )
         end
 
-        def id_token_callback_phase
-          user_data = decode_id_token(params["id_token"]).raw_attributes
+        def fetch_access_token
+          OmniauthOidc::Logging.instrument("token.exchange", provider: name) do
+            token_request_params = {
+              code: authorization_code,
+              redirect_uri: redirect_uri
+            }
+
+            if options.pkce
+              token_request_params[:code_verifier] =
+                params["code_verifier"] || session.delete(session_key("pkce.verifier"))
+            end
 
-          define_user_info(user_data)
+            set_client_options_for_callback_phase
+
+            client.access_token!(token_request_params)
+          end
         end
 
-        def valid_response_type?
-          return true if params.key?(configured_response_type)
+        def fetch_user_info
+          return minimal_user_info_from_token unless options.fetch_user_info
 
-          error_attrs = RESPONSE_TYPE_EXCEPTIONS[configured_response_type]
-          fail!(error_attrs[:key], error_attrs[:exception_class].new(params["error"]))
+          OmniauthOidc::Logging.instrument("userinfo.fetch", provider: name) do
+            # Use our custom client to fetch userinfo
+            userinfo_data = client.userinfo!(@access_token.access_token).raw_attributes
 
-          false
+            # Merge with ID token claims if available
+            if @access_token.id_token
+              id_token_claims = decode_id_token(@access_token.id_token).raw_attributes
+              userinfo_data = id_token_claims.merge(userinfo_data)
+            end
+
+            OmniauthOidc::ResponseObjects::UserInfo.new(userinfo_data)
+          end
+        rescue StandardError => e
+          OmniauthOidc::Logging.warn("Failed to fetch userinfo, falling back to ID token", error: e.message)
+          minimal_user_info_from_token
         end
 
-        def user_info_from_access_token
-          user_data = HTTParty.get(
-            config.userinfo_endpoint, {
-              headers: {
-                "Authorization" => "Bearer #{@access_token}",
-                "Content-Type" => "application/json"
-              }
-            }
-          )
+        def minimal_user_info_from_token
+          return empty_user_info unless @access_token&.id_token
 
-          define_user_info(user_data.parsed_response)
+          decoded = decode_id_token(@access_token.id_token)
+          OmniauthOidc::ResponseObjects::UserInfo.new(decoded.raw_attributes)
         end
 
-        def define_user_info(user_data)
-          env["omniauth.auth"] = AuthHash.new(
-            provider: name,
-            uid: user_data["sub"],
-            info: { name: user_data["name"], email: user_data["email"] },
-            extra: { raw_info: user_data },
-            credentials: {
-              id_token: @access_token.id_token,
-              token: @access_token.access_token,
-              refresh_token: @access_token.refresh_token,
-              expires_in: @access_token.expires_in,
-              scope: @access_token.scope
-            }
-          )
-          call_app!
+        def empty_user_info
+          OmniauthOidc::ResponseObjects::UserInfo.new({})
         end
 
-        def define_access_token
-          env["omniauth.auth"] = AuthHash.new(
-            provider: name,
-            credentials: {
-              id_token: @access_token.id_token,
-              token: @access_token.access_token,
-              refresh_token: @access_token.refresh_token,
-              expires_in: @access_token.expires_in,
-              scope: @access_token.scope
-            }
-          )
-          call_app!
+        def valid_response_type?
+          return true if params.key?(configured_response_type)
+
+          error_attrs = RESPONSE_TYPE_EXCEPTIONS[configured_response_type]
+          fail!(error_attrs[:key], error_attrs[:exception_class].new(params["error"]))
+
+          false
         end
 
         def configured_response_type
@@ -127,9 +154,19 @@ module OmniAuth
         def set_client_options_for_callback_phase
           client.host = host
           client.redirect_uri = redirect_uri
-          client.authorization_endpoint = resolve_endpoint_from_host(host, config.authorization_endpoint)
-          client.token_endpoint = resolve_endpoint_from_host(host, config.token_endpoint)
-          client.userinfo_endpoint = resolve_endpoint_from_host(host, config.userinfo_endpoint)
+          client.authorization_endpoint = config.authorization_endpoint
+          client.token_endpoint = config.token_endpoint
+          client.userinfo_endpoint = config.userinfo_endpoint
+        end
+
+        # Accessor for OmniAuth DSL blocks
+        def user_info
+          @user_info
+        end
+
+        # Accessor for OmniAuth DSL blocks
+        def access_token
+          @access_token
         end
       end
     end

data/lib/omniauth/strategies/oidc/request.rb

@@ -6,15 +6,16 @@ module OmniAuth
       # Code request phase
       module Request
         def request_phase
-          @identifier = client_options.identifier
-          @secret = secret
+          OmniauthOidc::Logging.instrument("request_phase.start", provider: name) do
+            @identifier = client_options.identifier
+            @secret = secret
 
-          set_client_options_for_request_phase
-          redirect authorize_uri
+            set_client_options_for_request_phase
+            redirect authorize_uri
+          end
         end
 
         def authorize_uri # rubocop:disable Metrics/AbcSize
-          client.redirect_uri = redirect_uri
           opts = request_options
 
           opts.merge!(options.extra_authorize_params) unless options.extra_authorize_params.empty?
@@ -27,10 +28,14 @@ module OmniAuth
             verifier = options.pkce_verifier ? options.pkce_verifier.call : SecureRandom.hex(64)
 
             opts.merge!(pkce_authorize_params(verifier))
-            session["omniauth.pkce.verifier"] = verifier
+            session[session_key("pkce.verifier")] = verifier
           end
 
-          client.authorization_uri(opts.reject { |_k, v| v.nil? })
+          # Add redirect_uri and extra_params to opts
+          opts[:redirect_uri] = redirect_uri
+          opts[:extra_params] = opts.compact
+
+          client.authorization_uri(opts)
         end
 
         private
@@ -59,21 +64,20 @@ module OmniAuth
                       options.state.call
                     end
                   end
-          session["omniauth.state"] = state || SecureRandom.hex(16)
+          session[session_key("state")] = state || SecureRandom.hex(16)
         end
 
         # Parse response from OIDC endpoint and set client options for request phase
-        def set_client_options_for_request_phase # rubocop:disable Metrics/AbcSize
+        def set_client_options_for_request_phase
           client_options.host = host
-          client_options.authorization_endpoint = resolve_endpoint_from_host(host, config.authorization_endpoint)
-          client_options.token_endpoint = resolve_endpoint_from_host(host, config.token_endpoint)
-          client_options.userinfo_endpoint = resolve_endpoint_from_host(host, config.userinfo_endpoint)
-          client_options.jwks_uri = resolve_endpoint_from_host(host, config.jwks_uri)
+          client_options.authorization_endpoint = config.authorization_endpoint
+          client_options.token_endpoint = config.token_endpoint
+          client_options.userinfo_endpoint = config.userinfo_endpoint
+          client_options.jwks_uri = config.jwks_uri
 
-          return unless config.respond_to?(:end_session_endpoint)
+          return unless config.respond_to?(:end_session_endpoint) && config.end_session_endpoint
 
-          client_options.end_session_endpoint = resolve_endpoint_from_host(host,
-                                                                           config.end_session_endpoint)
+          client_options.end_session_endpoint = config.end_session_endpoint
         end
       end
     end

data/lib/omniauth/strategies/oidc/verify.rb

@@ -27,10 +27,27 @@ module OmniAuth
                           end
         end
 
+        # Force refresh JWKS cache and retry verification
+        def public_key_with_refresh
+          OmniauthOidc::Logging.info("Force refreshing JWKS cache")
+          OmniauthOidc::JwksCache.invalidate(config.jwks_uri)
+          @public_key = nil
+          @fetch_key = nil
+          public_key
+        end
+
         private
 
         def fetch_key
-          @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get(config.jwks_uri).body)
+          @fetch_key ||= OmniauthOidc::JwksCache.instance.fetch(config.jwks_uri) do
+            OmniauthOidc::Logging.instrument("jwks.fetch", jwks_uri: config.jwks_uri) do
+              response = OmniauthOidc::HttpClient.get(config.jwks_uri)
+              OmniauthOidc::JwkHandler.parse_jwks(response)
+            end
+          end
+        rescue StandardError => e
+          OmniauthOidc::Logging.error("Failed to fetch JWKS", error: e.message, jwks_uri: config.jwks_uri)
+          raise OmniauthOidc::JwksFetchError, "Failed to fetch JWKS from #{config.jwks_uri}: #{e.message}"
         end
 
         def base64_decoded_jwt_secret
@@ -42,72 +59,121 @@ module OmniAuth
         def verify_id_token!(id_token)
           return unless id_token
 
-          decode_id_token(id_token).verify!(issuer: config.issuer,
-                                            client_id: client_options.identifier,
-                                            nonce: params["nonce"].presence || stored_nonce)
+          OmniauthOidc::Logging.instrument("id_token.verify", provider: name) do
+            decoded = decode_id_token(id_token)
+            verify_claims!(decoded)
+            decoded
+          end
         end
 
-        def decode_id_token(id_token)
-          decoded = JSON::JWT.decode(id_token, :skip_verification)
-          algorithm = decoded.algorithm.to_sym
+        def verify_claims!(decoded_token) # rubocop:disable Metrics/MethodLength
+          claims = decoded_token.raw_attributes
 
-          validate_client_algorithm!(algorithm)
+          # Verify issuer
+          if config.issuer && claims["iss"] != config.issuer
+            raise OmniauthOidc::InvalidIssuerError,
+                  "Issuer mismatch. Expected: #{config.issuer}, Got: #{claims["iss"]}"
+          end
 
-          keyset =
-            case algorithm
-            when :HS256, :HS384, :HS512
-              secret
-            else
-              public_key
-            end
+          # Verify audience
+          audience = claims["aud"]
+          expected_aud = client_options.identifier
+          unless audience_matches?(audience, expected_aud)
+            raise OmniauthOidc::InvalidAudienceError,
+                  "Audience mismatch. Expected: #{expected_aud}, Got: #{audience}"
+          end
+
+          # Verify nonce if present
+          expected_nonce = params["nonce"].presence || stored_nonce
+          if expected_nonce && claims["nonce"] != expected_nonce
+            raise OmniauthOidc::InvalidNonceError,
+                  "Nonce mismatch. Expected: #{expected_nonce}, Got: #{claims["nonce"]}"
+          end
 
-          decoded.verify!(keyset)
-          ::OpenIDConnect::ResponseObject::IdToken.new(decoded)
-        rescue JSON::JWK::Set::KidNotFound
-          # Workaround for https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
-          raise if decoded&.header&.key?("kid")
+          # Verify expiration
+          if claims["exp"] && Time.at(claims["exp"].to_i) < Time.now
+            raise OmniauthOidc::TokenExpiredError,
+                  "Token expired at #{Time.at(claims["exp"].to_i)}"
+          end
 
-          decoded = decode_with_each_key!(id_token, keyset)
+          decoded_token
+        end
 
-          raise unless decoded
+        def audience_matches?(audience, expected)
+          return audience == expected if audience.is_a?(String)
+          return audience.include?(expected) if audience.is_a?(Array)
 
-          decoded
+          false
         end
 
-        # Check for jwt to match defined client_signing_alg
-        def validate_client_algorithm!(algorithm)
-          client_signing_alg = options.client_signing_alg&.to_sym
+        def decode_id_token(id_token)
+          # First decode without verification to get the algorithm and kid
+          _unverified_payload, unverified_header = JWT.decode(id_token, nil, false)
+          algorithm = unverified_header["alg"]
+          kid = unverified_header["kid"]
 
-          return unless client_signing_alg
-          return if algorithm == client_signing_alg
+          validate_client_algorithm!(algorithm.to_sym)
 
-          reason = "Received JWT is signed with #{algorithm}, but client_singing_alg is \
-            configured for #{client_signing_alg}"
-          raise CallbackError, error: :invalid_jwt_algorithm, reason: reason, uri: params["error_uri"]
-        end
+          # Get the appropriate key/secret for verification
+          key = keyset_for_algorithm(algorithm.to_sym, kid)
 
-        def decode!(id_token, key)
-          ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, key)
+          # Decode and verify
+          verify_signature!(id_token, key, algorithm)
+        rescue JWT::DecodeError => e
+          raise OmniauthOidc::TokenVerificationError, "Invalid JWT format: #{e.message}"
         end
 
-        def decode_with_each_key!(id_token, keyset)
-          return unless keyset.is_a?(JSON::JWK::Set)
-
-          keyset.each do |key|
-            begin
-              decoded = decode!(id_token, key)
-            rescue JSON::JWS::VerificationFailed, JSON::JWS::UnexpectedAlgorithm, JSON::JWK::UnknownAlgorithm
-              next
+        def keyset_for_algorithm(algorithm, kid = nil)
+          case algorithm
+          when :HS256, :HS384, :HS512
+            secret
+          else
+            keys = public_key
+            if keys.is_a?(Array)
+              OmniauthOidc::JwkHandler.find_key(keys, kid)
+            else
+              keys
             end
-
-            return decoded if decoded
           end
+        end
 
-          nil
+        def verify_signature!(id_token, key, algorithm)
+          # Use jwt gem to decode and verify
+          payload, _header = JWT.decode(
+            id_token,
+            key,
+            true, # verify signature
+            {
+              algorithm: algorithm,
+              verify_expiration: false # We verify this manually in verify_claims!
+            }
+          )
+
+          # Create our custom IdToken object
+          OmniauthOidc::ResponseObjects::IdToken.new(payload.merge("algorithm" => algorithm))
+        rescue JWT::VerificationError => e
+          # Try refreshing JWKS cache and retry once
+          if key.is_a?(Array) && !@signature_retry_attempted
+            @signature_retry_attempted = true
+            OmniauthOidc::Logging.warn("Signature verification failed, refreshing JWKS and retrying")
+            refreshed_key = public_key_with_refresh
+            return verify_signature!(id_token, refreshed_key, algorithm)
+          end
+          raise OmniauthOidc::InvalidSignatureError, "JWT signature verification failed: #{e.message}"
+        rescue JWT::IncorrectAlgorithm => e
+          raise OmniauthOidc::InvalidAlgorithmError, "Unexpected JWT algorithm: #{e.message}"
         end
 
-        def stored_nonce
-          session.delete("omniauth.nonce")
+        # Check for jwt to match defined client_signing_alg
+        def validate_client_algorithm!(algorithm)
+          client_signing_alg = options.client_signing_alg&.to_sym
+
+          return unless client_signing_alg
+          return if algorithm == client_signing_alg
+
+          reason = "Received JWT is signed with #{algorithm}, but client_signing_alg is " \
+                   "configured for #{client_signing_alg}"
+          raise OmniauthOidc::InvalidAlgorithmError, reason
         end
 
         def configured_public_key
@@ -120,31 +186,15 @@ module OmniAuth
 
         def parse_x509_key(key)
           OpenSSL::X509::Certificate.new(key).public_key
+        rescue OpenSSL::X509::CertificateError => e
+          raise OmniauthOidc::TokenVerificationError, "Invalid X.509 certificate: #{e.message}"
         end
 
         def parse_jwk_key(key)
           json = key.is_a?(String) ? JSON.parse(key) : key
-          return JSON::JWK::Set.new(json["keys"]) if json.key?("keys")
-
-          JSON::JWK.new(json)
-        end
-
-        def decode(str)
-          UrlSafeBase64.decode64(str).unpack1("B*").to_i(2).to_s
-        end
-
-        def user_info
-          return @user_info if @user_info
-
-          if access_token.id_token
-            decoded = decode_id_token(access_token.id_token).raw_attributes
-
-            @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new(
-              access_token.userinfo!.raw_attributes.merge(decoded)
-            )
-          else
-            @user_info = access_token.userinfo!
-          end
+          OmniauthOidc::JwkHandler.parse_jwks(json)
+        rescue JSON::ParserError => e
+          raise OmniauthOidc::TokenVerificationError, "Invalid JWK format: #{e.message}"
         end
       end
     end