omniauth_oidc 0.2.7 → 1.0.1

data/lib/omniauth/strategies/oidc.rb

@@ -5,16 +5,19 @@ require "timeout"
 require "net/http"
 require "open-uri"
 require "omniauth"
-require "openid_connect"
-require "openid_config_parser"
 require "forwardable"
-require "httparty"
+require "jwt"
+require "ostruct"
+require "openssl"
 
-Dir[File.join(File.dirname(__FILE__), "oidc", "*.rb")].sort.each { |file| require_relative file }
+# Explicit requires instead of Dir glob for clarity and load order control
+require_relative "oidc/request"
+require_relative "oidc/callback"
+require_relative "oidc/verify"
 
 module OmniAuth
   module Strategies
-    # OIDC strategy for omniauth
+    # OIDC strategy for OmniAuth
     class Oidc
       include OmniAuth::Strategy
       include Request
@@ -28,6 +31,8 @@ module OmniAuth
         "code" => { exception_class: OmniauthOidc::MissingCodeError, key: :missing_code }.freeze
       }.freeze
 
+      REQUIRED_OPTIONS = %i[identifier secret config_endpoint].freeze
+
       def_delegator :request, :params
 
       option :name, :oidc                                   # to separate each oidc provider available in the app
@@ -79,6 +84,9 @@ module OmniAuth
 
       option :logout_path, "/logout"
 
+      # JWKS cache configuration
+      option :jwks_cache_ttl, 3600 # 1 hour default
+
       def uid
         user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
       end
@@ -104,27 +112,44 @@ module OmniAuth
 
       credentials do
         {
-          id_token: access_token.id_token,
-          token: access_token.access_token,
-          refresh_token: access_token.refresh_token,
-          expires_in: access_token.expires_in,
-          scope: access_token.scope
+          id_token: access_token&.id_token,
+          token: access_token&.access_token,
+          refresh_token: access_token&.refresh_token,
+          expires_in: access_token&.expires_in,
+          scope: access_token&.scope
         }
       end
 
-      # Initialize OpenIDConnect Client with options
+      # Initialize our custom OIDC Client with options
       def client
-        @client ||= ::OpenIDConnect::Client.new(client_options)
+        @client ||= begin
+          set_client_endpoints
+          OmniauthOidc::Client.new(
+            identifier: client_options.identifier,
+            secret: client_options.secret,
+            authorization_endpoint: client_options.authorization_endpoint,
+            token_endpoint: client_options.token_endpoint,
+            userinfo_endpoint: client_options.userinfo_endpoint,
+            redirect_uri: redirect_uri
+          )
+        end
+      end
+
+      def set_client_endpoints
+        client_options.authorization_endpoint ||= config.authorization_endpoint
+        client_options.token_endpoint ||= config.token_endpoint
+        client_options.userinfo_endpoint ||= config.userinfo_endpoint
+        client_options.jwks_uri ||= config.jwks_uri
+        client_options.end_session_endpoint ||= config.end_session_endpoint
       end
 
-      # Config is build from the json response from the OIDC config endpoint
+      # Config is built from the json response from the OIDC config endpoint
       def config
-        unless client_options.config_endpoint || params["config_endpoint"]
-          raise Error,
-                "Configuration endpoint is missing from options"
-        end
+        validate_configuration!
 
-        @config ||= OpenidConfigParser.fetch_openid_configuration(client_options.config_endpoint)
+        @config ||= OmniauthOidc::Logging.instrument("config.fetch", config_endpoint: client_options.config_endpoint) do
+          OmniauthOidc::ConfigFetcher.fetch(client_options.config_endpoint)
+        end
       end
 
       # Detects if current request is for the logout url and makes a redirect to end session with OIDC provider
@@ -148,6 +173,18 @@ module OmniAuth
 
       private
 
+      def validate_configuration!
+        missing = []
+        missing << :identifier if client_options.identifier.to_s.empty?
+        missing << :secret if client_options.secret.to_s.empty?
+        missing << :config_endpoint if client_options.config_endpoint.to_s.empty?
+
+        return if missing.empty?
+
+        raise OmniauthOidc::MissingConfigurationError,
+              "Missing required configuration: #{missing.join(", ")}"
+      end
+
       def issuer
         @issuer ||= config.issuer
       end
@@ -158,7 +195,8 @@ module OmniAuth
 
       # By default Returns all scopes supported by the OIDC provider
       def scope
-        options.scope || config.scopes_supported || [:open_id]
+        value = options.scope || config.scopes_supported || [:openid]
+        value.is_a?(Array) ? value.join(" ") : value
       end
 
       def authorization_code
@@ -169,12 +207,21 @@ module OmniAuth
         options.client_options
       end
 
+      # Session key helpers with provider namespacing
+      def session_key(suffix)
+        "omniauth.#{name}.#{suffix}"
+      end
+
       def stored_state
-        session.delete("omniauth.state")
+        session.delete(session_key("state"))
       end
 
       def new_nonce
-        session["omniauth.nonce"] = SecureRandom.hex(16)
+        session[session_key("nonce")] = SecureRandom.hex(16)
+      end
+
+      def stored_nonce
+        session.delete(session_key("nonce"))
       end
 
       def script_name
@@ -210,14 +257,6 @@ module OmniAuth
         @logout_path_pattern ||= /\A#{Regexp.quote(request.base_url)}#{options.logout_path}/
       end
 
-      # Strips port and host from strings with OIDC endpoints
-      def resolve_endpoint_from_host(host, endpoint)
-        start_index = endpoint.index(host) + host.length
-        endpoint = endpoint[start_index..]
-        endpoint = "/#{endpoint}" unless endpoint.start_with?("/")
-        endpoint
-      end
-
       # Override for the CallbackError class
       class CallbackError < StandardError
         attr_accessor :error, :error_reason, :error_uri
@@ -225,8 +264,8 @@ module OmniAuth
         def initialize(data)
           super
           self.error = data[:error]
-          self.error_reason = data[:reason]
-          self.error_uri = data[:uri]
+          self.error_reason = data[:error_reason] || data[:reason]
+          self.error_uri = data[:error_uri] || data[:uri]
         end
 
         def message

data/lib/omniauth_oidc.rb

@@ -2,4 +2,11 @@
 
 require_relative "omniauth/oidc/version"
 require_relative "omniauth/oidc/errors"
+require_relative "omniauth/oidc/logging"
+require_relative "omniauth/oidc/jwks_cache"
+require_relative "omniauth/oidc/http_client"
+require_relative "omniauth/oidc/response_objects"
+require_relative "omniauth/oidc/client"
+require_relative "omniauth/oidc/config_fetcher"
+require_relative "omniauth/oidc/jwk_handler"
 require_relative "omniauth/strategies/oidc"

data/omniauth_oidc.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |spec|
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = "https://github.com/msuliq/omniauth_oidc"
   spec.metadata["changelog_uri"] = "https://github.com/msuliq/omniauth_oidc/blob/main/CHANGELOG.md"
+  spec.metadata["rubygems_mfa_required"] = "true"
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -31,11 +32,12 @@ Gem::Specification.new do |spec|
   spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  # Uncomment to register a new dependency of your gem
-  spec.add_dependency "httparty"
-  spec.add_dependency "omniauth"
-  spec.add_dependency "openid_config_parser"
-  spec.add_dependency "openid_connect"
+  # Runtime dependencies
+  spec.add_dependency "jwt", ">= 2.7", "< 4.0"
+  spec.add_dependency "omniauth", "~> 2.1"
+
+  # Ruby 4.0+ compatibility - ostruct no longer in default gems
+  # Users on Ruby 4.0+ should add 'gem "ostruct"' to their Gemfile
 
   # For more information and examples about making a new gem, check out our
   # guide at: https://bundler.io/guides/creating_gem.html

data/sig/omniauth_oidc.rbs

@@ -1,4 +1,195 @@
 module OmniauthOidc
   VERSION: String
-  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+
+  # Errors
+  class Error < RuntimeError
+  end
+
+  class MissingCodeError < Error
+  end
+
+  class MissingIdTokenError < Error
+  end
+
+  class ConfigurationError < Error
+  end
+
+  class MissingConfigurationError < ConfigurationError
+  end
+
+  class TokenError < Error
+  end
+
+  class TokenVerificationError < TokenError
+  end
+
+  class TokenExpiredError < TokenError
+  end
+
+  class InvalidAlgorithmError < TokenError
+  end
+
+  class InvalidSignatureError < TokenError
+  end
+
+  class InvalidIssuerError < TokenError
+  end
+
+  class InvalidAudienceError < TokenError
+  end
+
+  class InvalidNonceError < TokenError
+  end
+
+  class JwksError < Error
+  end
+
+  class JwksFetchError < JwksError
+  end
+
+  class KeyNotFoundError < JwksError
+  end
+
+  # HTTP Client
+  class HttpClient
+    class HttpError < StandardError
+    end
+
+    MAX_REDIRECTS: Integer
+
+    def self.get: (String url, ?headers: Hash[String, String]) -> Hash[String, untyped]
+    def self.post: (String url, ?body: String?, ?headers: Hash[String, String]) -> Hash[String, untyped]
+  end
+
+  # OIDC Client
+  class Client
+    attr_accessor identifier: String?
+    attr_accessor secret: String?
+    attr_accessor authorization_endpoint: String?
+    attr_accessor token_endpoint: String?
+    attr_accessor userinfo_endpoint: String?
+    attr_accessor host: String?
+    attr_accessor redirect_uri: String?
+
+    def initialize: (?Hash[Symbol | String, untyped] options) -> void
+    def authorization_uri: (?Hash[Symbol, untyped] params) -> String
+    def access_token!: (?Hash[Symbol, untyped] params) -> ResponseObjects::AccessToken
+    def userinfo!: (String access_token) -> ResponseObjects::UserInfo
+  end
+
+  # JWK Handler
+  class JwkHandler
+    class KeyWithId
+      attr_accessor kid: String?
+      attr_accessor keypair: OpenSSL::PKey::PKey
+
+      def initialize: (?kid: String?, ?keypair: OpenSSL::PKey::PKey) -> void
+    end
+
+    def self.parse_jwks: (String | Hash[String, untyped] | nil jwks_data) -> Array[KeyWithId]?
+    def self.jwk_to_key: (Hash[String, untyped] jwk_data) -> KeyWithId?
+    def self.find_key: (Array[KeyWithId] keys, ?String? kid) -> OpenSSL::PKey::PKey?
+  end
+
+  # JWKS Cache
+  class JwksCache
+    DEFAULT_TTL: Integer
+
+    class CacheEntry
+      attr_accessor keys: untyped
+      attr_accessor fetched_at: Time
+
+      def initialize: (?keys: untyped, ?fetched_at: Time) -> void
+    end
+
+    def self.instance: () -> JwksCache
+    def self.clear!: () -> void
+    def self.invalidate: (String jwks_uri) -> void
+
+    attr_reader ttl: Integer
+
+    def initialize: (?ttl: Integer) -> void
+    def fetch: (String jwks_uri, ?force_refresh: bool) { () -> untyped } -> untyped
+    def valid?: (String jwks_uri) -> bool
+    def invalidate: (String jwks_uri) -> void
+    def clear!: () -> void
+    def ttl=: (Integer value) -> void
+  end
+
+  # Config Fetcher
+  class ConfigFetcher
+    class Config
+      def initialize: (?Hash[Symbol | String, untyped] attributes) -> void
+      def []: (String | Symbol key) -> untyped
+      def []=: (String | Symbol key, untyped value) -> untyped
+      def respond_to_missing?: (Symbol method_name, ?bool include_private) -> bool
+    end
+
+    def self.fetch: (String endpoint_url, ?max_retries: Integer) -> Config
+  end
+
+  # Response Objects
+  module ResponseObjects
+    class IdToken
+      attr_reader raw_attributes: Hash[String, untyped]
+
+      def initialize: (?Hash[String, untyped] attributes) -> void
+      def sub: () -> String?
+      def iss: () -> String?
+      def aud: () -> (String | Array[String])?
+      def exp: () -> Integer?
+      def iat: () -> Integer?
+      def nonce: () -> String?
+    end
+
+    class UserInfo
+      attr_reader raw_attributes: Hash[String, untyped]
+
+      def initialize: (?Hash[String, untyped] attributes) -> void
+      def sub: () -> String?
+      def name: () -> String?
+      def given_name: () -> String?
+      def family_name: () -> String?
+      def middle_name: () -> String?
+      def nickname: () -> String?
+      def preferred_username: () -> String?
+      def profile: () -> String?
+      def picture: () -> String?
+      def website: () -> String?
+      def email: () -> String?
+      def email_verified: () -> bool?
+      def gender: () -> String?
+      def birthdate: () -> String?
+      def zoneinfo: () -> String?
+      def locale: () -> String?
+      def phone_number: () -> String?
+      def phone_number_verified: () -> bool?
+      def address: () -> Hash[String, untyped]?
+      def updated_at: () -> Integer?
+    end
+
+    class AccessToken
+      attr_reader access_token: String?
+      attr_reader token_type: String?
+      attr_reader expires_in: Integer?
+      attr_reader refresh_token: String?
+      attr_reader scope: String?
+      attr_reader id_token: String?
+
+      def initialize: (?Hash[String | Symbol, untyped] attributes) -> void
+      def to_h: () -> Hash[String, untyped]
+    end
+  end
+
+  # Logging
+  module Logging
+    def self.logger: () -> Logger
+    def self.logger=: (Logger logger) -> void
+    def self.log_level=: (Integer level) -> void
+    def self.instrument: (String event_name, ?Hash[Symbol, untyped] payload) ?{ (Hash[Symbol, untyped]) -> untyped } -> untyped
+    def self.debug: (String message, ?Hash[Symbol, untyped] context) -> void
+    def self.info: (String message, ?Hash[Symbol, untyped] context) -> void
+    def self.warn: (String message, ?Hash[Symbol, untyped] context) -> void
+    def self.error: (String message, ?Hash[Symbol, untyped] context) -> void
+  end
 end

metadata

@@ -1,71 +1,49 @@
 --- !ruby/object:Gem::Specification
 name: omniauth_oidc
 version: !ruby/object:Gem::Version
-  version: 0.2.7
+  version: 1.0.1
 platform: ruby
 authors:
 - Suleyman Musayev
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-10-10 00:00:00.000000000 Z
+date: 2026-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: httparty
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: omniauth
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
+        version: '2.7'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: openid_config_parser
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
+        version: '2.7'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
-  name: openid_connect
+  name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.1'
 description: |-
   Omniauth strategy to authenticate and retrieve user data as a client using OpenID Connect (OIDC)
       suited for multiple OIDC providers.
@@ -81,7 +59,14 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- lib/omniauth/oidc/client.rb
+- lib/omniauth/oidc/config_fetcher.rb
 - lib/omniauth/oidc/errors.rb
+- lib/omniauth/oidc/http_client.rb
+- lib/omniauth/oidc/jwk_handler.rb
+- lib/omniauth/oidc/jwks_cache.rb
+- lib/omniauth/oidc/logging.rb
+- lib/omniauth/oidc/response_objects.rb
 - lib/omniauth/oidc/version.rb
 - lib/omniauth/strategies/oidc.rb
 - lib/omniauth/strategies/oidc/callback.rb
@@ -97,6 +82,7 @@ metadata:
   homepage_uri: https://github.com/msuliq/omniauth_oidc
   source_code_uri: https://github.com/msuliq/omniauth_oidc
   changelog_uri: https://github.com/msuliq/omniauth_oidc/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths: