RubyGems - omniauth_openid_connect - Versions diffs - 0.3.1 → 0.3.2 - Mend

omniauth_openid_connect 0.3.1 → 0.3.2

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/README.md +1 -0
data/lib/omniauth/openid_connect/version.rb +1 -1
data/lib/omniauth/strategies/openid_connect.rb +8 -8
data/omniauth_openid_connect.gemspec +1 -1
data/test/lib/omniauth/strategies/openid_connect_test.rb +32 -0
metadata +4 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a57713d348ab1dcc7869b8d10ed8b616958019a0c7003a0b5e43e00e85650b0a
-  data.tar.gz: e6ff5320c65348937e7fa2cf140aff27f89957415ded839debcd645e01031353
+  metadata.gz: 0024abec2d29c79f701d7de6af9e5addf2be2e3da443413d8e1eb90ab5a1edb0
+  data.tar.gz: 4d564cf7d4f5fcf4da6a961cdf39c7d8a1e943addb3e39a82953a2aaa2757db6
 SHA512:
-  metadata.gz: 5664e73c24e1521b4b29461eb3ee558dfb143d75322c83f2c3d3f3ee48cd24c8e99f1a348915de574abb1b907103de948cf0c16ebfebd11fa13a2e8206f13d78
-  data.tar.gz: 272a32b0b75f54ca1d861fe361c380d6ee2d9170b9862322f7e9b6edd12e7e2a9cfc37db95b2b549896f9ebc1d6e90272ec0a24cefc4ed195ccc90edff5476d5
+  metadata.gz: 5411ae4999e350a9127890ad4041c099bbefdc765a40f98db108018f9d09f4f402f93f28466c1b079412b875da00ba609906ed04da55addf2a7b486819b65887
+  data.tar.gz: 0a4b11ac66f14441d106c9d41a02f2464632592c7e746086675b8b3504570fcaf63cc9af55306dd447fa57cc502abb8fc6185beee6f09822693124221b8010aa

data/CHANGELOG.md CHANGED

@@ -1,3 +1,9 @@
+# v0.3.2 (03.08.2019)
+- Use response_mode in `authorize_uri` if the option is defined [#30](https://github.com/m0n9oose/omniauth_openid_connect/pull/30)
+- Move verification of `id_token` to before accessing tokens [#28](https://github.com/m0n9oose/omniauth_openid_connect/pull/28)
+- Update omniauth dependency [#26](https://github.com/m0n9oose/omniauth_openid_connect/pull/26)
 # v0.3.1 (08.06.2019)
 - Set default OmniAuth name to openid_connect [#23](https://github.com/m0n9oose/omniauth_openid_connect/pull/23)

data/README.md CHANGED

@@ -68,6 +68,7 @@ Configuration details:
   configured by providing the omniauth `uid_field` option to a different label (i.e. `preferred_username`)
   that appears in the `user_info` details.
   * The `issuer` property should exactly match the provider's issuer link.
+  * The `response_mode` option is optional and specifies how the result of the authorization request is formatted.
 For the full low down on OpenID Connect, please check out
 [the spec](http://openid.net/specs/openid-connect-core-1_0.html).

data/lib/omniauth/openid_connect/version.rb CHANGED

@@ -2,6 +2,6 @@
 module OmniAuth
   module OpenIDConnect
-    VERSION = '0.3.1'
+    VERSION = '0.3.2'
   end
 end

data/lib/omniauth/strategies/openid_connect.rb CHANGED

@@ -37,7 +37,7 @@ module OmniAuth
       option :scope, [:openid]
       option :response_type, 'code'
       option :state
-      option :response_mode
+      option :response_mode # [:query, :fragment, :form_post, :web_message]
       option :display, nil # [:page, :popup, :touch, :wap]
       option :prompt, nil # [:none, :login, :consent, :select_account]
       option :hd, nil
@@ -112,6 +112,12 @@ module OmniAuth
         return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(params['error'])) unless params['code']
         options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
+        decode_id_token(params['id_token'])
+          .verify! issuer: options.issuer,
+                   client_id: client_options.identifier,
+                   nonce: stored_nonce
         discover!
         client.redirect_uri = redirect_uri
         client.authorization_code = authorization_code
@@ -150,6 +156,7 @@ module OmniAuth
         client.redirect_uri = redirect_uri
         opts = {
           response_type: options.response_type,
+          response_mode: options.response_mode,
           scope: options.scope,
           state: new_state,
           login_hint: params['login_hint'],
@@ -197,13 +204,6 @@ module OmniAuth
           scope: (options.scope if options.send_scope_to_token_endpoint),
           client_auth_method: options.client_auth_method
         )
-        id_token = decode_id_token(@access_token.id_token)
-        id_token.verify!(
-          issuer: options.issuer,
-          client_id: client_options.identifier,
-          nonce: stored_nonce
-        )
-        @access_token
       end
       def decode_id_token(id_token)

data/omniauth_openid_connect.gemspec CHANGED

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
   spec.add_dependency 'addressable', '~> 2.5'
-  spec.add_dependency 'omniauth', '~> 1.3'
+  spec.add_dependency 'omniauth', '~> 1.9'
   spec.add_dependency 'openid_connect', '~> 1.1'
   spec.add_development_dependency 'coveralls', '~> 0.8'
   spec.add_development_dependency 'faker', '~> 1.6'

data/test/lib/omniauth/strategies/openid_connect_test.rb CHANGED

@@ -112,6 +112,17 @@ module OmniAuth
         assert_nil strategy.options.client_options.end_session_endpoint
       end
+      def test_request_phase_with_response_mode
+        expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=id_token&scope=openid&state=\w{32}$/
+        strategy.options.issuer = 'example.com'
+        strategy.options.response_mode = 'form_post'
+        strategy.options.response_type = 'id_token'
+        strategy.options.client_options.host = 'example.com'
+        strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+        strategy.request_phase
+      end
       def test_uid
         assert_equal user_info.sub, strategy.uid
@@ -136,6 +147,7 @@ module OmniAuth
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
         id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
         ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+        id_token.expects(:verify!)
         strategy.unstub(:user_info)
         access_token = stub('OpenIDConnect::AccessToken')
@@ -241,6 +253,11 @@ module OmniAuth
         strategy.stubs(:access_token).raises(::Timeout::Error.new('error'))
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
         strategy.expects(:fail!)
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:verify!).with(issuer: 'example.com', client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
         strategy.callback_phase
       end
@@ -256,6 +273,11 @@ module OmniAuth
         strategy.stubs(:access_token).raises(::Errno::ETIMEDOUT.new('error'))
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
         strategy.expects(:fail!)
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:verify!).with(issuer: 'example.com', client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
         strategy.callback_phase
       end
@@ -271,6 +293,11 @@ module OmniAuth
         strategy.stubs(:access_token).raises(::SocketError.new('error'))
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
         strategy.expects(:fail!)
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:verify!).with(issuer: 'example.com', client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
         strategy.callback_phase
       end
@@ -286,6 +313,11 @@ module OmniAuth
         strategy.stubs(:access_token).raises(::Rack::OAuth2::Client::Error.new('error', error: 'Unknown'))
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
         strategy.expects(:fail!)
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:verify!).with(issuer: 'example.com', client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
         strategy.callback_phase
       end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth_openid_connect
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.3.2
 platform: ruby
 authors:
 - John Bohn
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-06-08 00:00:00.000000000 Z
+date: 2019-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '1.9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '1.9'
 - !ruby/object:Gem::Dependency
   name: openid_connect
   requirement: !ruby/object:Gem::Requirement