omniauth_openid_connect 0.3.1 → 0.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0024abec2d29c79f701d7de6af9e5addf2be2e3da443413d8e1eb90ab5a1edb0
|
|
4
|
+
data.tar.gz: 4d564cf7d4f5fcf4da6a961cdf39c7d8a1e943addb3e39a82953a2aaa2757db6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5411ae4999e350a9127890ad4041c099bbefdc765a40f98db108018f9d09f4f402f93f28466c1b079412b875da00ba609906ed04da55addf2a7b486819b65887
|
|
7
|
+
data.tar.gz: 0a4b11ac66f14441d106c9d41a02f2464632592c7e746086675b8b3504570fcaf63cc9af55306dd447fa57cc502abb8fc6185beee6f09822693124221b8010aa
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
# v0.3.2 (03.08.2019)
|
|
2
|
+
|
|
3
|
+
- Use response_mode in `authorize_uri` if the option is defined [#30](https://github.com/m0n9oose/omniauth_openid_connect/pull/30)
|
|
4
|
+
- Move verification of `id_token` to before accessing tokens [#28](https://github.com/m0n9oose/omniauth_openid_connect/pull/28)
|
|
5
|
+
- Update omniauth dependency [#26](https://github.com/m0n9oose/omniauth_openid_connect/pull/26)
|
|
6
|
+
|
|
1
7
|
# v0.3.1 (08.06.2019)
|
|
2
8
|
|
|
3
9
|
- Set default OmniAuth name to openid_connect [#23](https://github.com/m0n9oose/omniauth_openid_connect/pull/23)
|
data/README.md
CHANGED
|
@@ -68,6 +68,7 @@ Configuration details:
|
|
|
68
68
|
configured by providing the omniauth `uid_field` option to a different label (i.e. `preferred_username`)
|
|
69
69
|
that appears in the `user_info` details.
|
|
70
70
|
* The `issuer` property should exactly match the provider's issuer link.
|
|
71
|
+
* The `response_mode` option is optional and specifies how the result of the authorization request is formatted.
|
|
71
72
|
|
|
72
73
|
For the full low down on OpenID Connect, please check out
|
|
73
74
|
[the spec](http://openid.net/specs/openid-connect-core-1_0.html).
|
|
@@ -37,7 +37,7 @@ module OmniAuth
|
|
|
37
37
|
option :scope, [:openid]
|
|
38
38
|
option :response_type, 'code'
|
|
39
39
|
option :state
|
|
40
|
-
option :response_mode
|
|
40
|
+
option :response_mode # [:query, :fragment, :form_post, :web_message]
|
|
41
41
|
option :display, nil # [:page, :popup, :touch, :wap]
|
|
42
42
|
option :prompt, nil # [:none, :login, :consent, :select_account]
|
|
43
43
|
option :hd, nil
|
|
@@ -112,6 +112,12 @@ module OmniAuth
|
|
|
112
112
|
return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(params['error'])) unless params['code']
|
|
113
113
|
|
|
114
114
|
options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
|
|
115
|
+
|
|
116
|
+
decode_id_token(params['id_token'])
|
|
117
|
+
.verify! issuer: options.issuer,
|
|
118
|
+
client_id: client_options.identifier,
|
|
119
|
+
nonce: stored_nonce
|
|
120
|
+
|
|
115
121
|
discover!
|
|
116
122
|
client.redirect_uri = redirect_uri
|
|
117
123
|
client.authorization_code = authorization_code
|
|
@@ -150,6 +156,7 @@ module OmniAuth
|
|
|
150
156
|
client.redirect_uri = redirect_uri
|
|
151
157
|
opts = {
|
|
152
158
|
response_type: options.response_type,
|
|
159
|
+
response_mode: options.response_mode,
|
|
153
160
|
scope: options.scope,
|
|
154
161
|
state: new_state,
|
|
155
162
|
login_hint: params['login_hint'],
|
|
@@ -197,13 +204,6 @@ module OmniAuth
|
|
|
197
204
|
scope: (options.scope if options.send_scope_to_token_endpoint),
|
|
198
205
|
client_auth_method: options.client_auth_method
|
|
199
206
|
)
|
|
200
|
-
id_token = decode_id_token(@access_token.id_token)
|
|
201
|
-
id_token.verify!(
|
|
202
|
-
issuer: options.issuer,
|
|
203
|
-
client_id: client_options.identifier,
|
|
204
|
-
nonce: stored_nonce
|
|
205
|
-
)
|
|
206
|
-
@access_token
|
|
207
207
|
end
|
|
208
208
|
|
|
209
209
|
def decode_id_token(id_token)
|
|
@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
|
|
|
20
20
|
spec.require_paths = ['lib']
|
|
21
21
|
|
|
22
22
|
spec.add_dependency 'addressable', '~> 2.5'
|
|
23
|
-
spec.add_dependency 'omniauth', '~> 1.
|
|
23
|
+
spec.add_dependency 'omniauth', '~> 1.9'
|
|
24
24
|
spec.add_dependency 'openid_connect', '~> 1.1'
|
|
25
25
|
spec.add_development_dependency 'coveralls', '~> 0.8'
|
|
26
26
|
spec.add_development_dependency 'faker', '~> 1.6'
|
|
@@ -112,6 +112,17 @@ module OmniAuth
|
|
|
112
112
|
assert_nil strategy.options.client_options.end_session_endpoint
|
|
113
113
|
end
|
|
114
114
|
|
|
115
|
+
def test_request_phase_with_response_mode
|
|
116
|
+
expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=id_token&scope=openid&state=\w{32}$/
|
|
117
|
+
strategy.options.issuer = 'example.com'
|
|
118
|
+
strategy.options.response_mode = 'form_post'
|
|
119
|
+
strategy.options.response_type = 'id_token'
|
|
120
|
+
strategy.options.client_options.host = 'example.com'
|
|
121
|
+
|
|
122
|
+
strategy.expects(:redirect).with(regexp_matches(expected_redirect))
|
|
123
|
+
strategy.request_phase
|
|
124
|
+
end
|
|
125
|
+
|
|
115
126
|
def test_uid
|
|
116
127
|
assert_equal user_info.sub, strategy.uid
|
|
117
128
|
|
|
@@ -136,6 +147,7 @@ module OmniAuth
|
|
|
136
147
|
id_token = stub('OpenIDConnect::ResponseObject::IdToken')
|
|
137
148
|
id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
|
|
138
149
|
::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
|
|
150
|
+
id_token.expects(:verify!)
|
|
139
151
|
|
|
140
152
|
strategy.unstub(:user_info)
|
|
141
153
|
access_token = stub('OpenIDConnect::AccessToken')
|
|
@@ -241,6 +253,11 @@ module OmniAuth
|
|
|
241
253
|
strategy.stubs(:access_token).raises(::Timeout::Error.new('error'))
|
|
242
254
|
strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
|
|
243
255
|
strategy.expects(:fail!)
|
|
256
|
+
|
|
257
|
+
id_token = stub('OpenIDConnect::ResponseObject::IdToken')
|
|
258
|
+
id_token.stubs(:verify!).with(issuer: 'example.com', client_id: @identifier, nonce: nonce).returns(true)
|
|
259
|
+
::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
|
|
260
|
+
|
|
244
261
|
strategy.callback_phase
|
|
245
262
|
end
|
|
246
263
|
|
|
@@ -256,6 +273,11 @@ module OmniAuth
|
|
|
256
273
|
strategy.stubs(:access_token).raises(::Errno::ETIMEDOUT.new('error'))
|
|
257
274
|
strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
|
|
258
275
|
strategy.expects(:fail!)
|
|
276
|
+
|
|
277
|
+
id_token = stub('OpenIDConnect::ResponseObject::IdToken')
|
|
278
|
+
id_token.stubs(:verify!).with(issuer: 'example.com', client_id: @identifier, nonce: nonce).returns(true)
|
|
279
|
+
::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
|
|
280
|
+
|
|
259
281
|
strategy.callback_phase
|
|
260
282
|
end
|
|
261
283
|
|
|
@@ -271,6 +293,11 @@ module OmniAuth
|
|
|
271
293
|
strategy.stubs(:access_token).raises(::SocketError.new('error'))
|
|
272
294
|
strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
|
|
273
295
|
strategy.expects(:fail!)
|
|
296
|
+
|
|
297
|
+
id_token = stub('OpenIDConnect::ResponseObject::IdToken')
|
|
298
|
+
id_token.stubs(:verify!).with(issuer: 'example.com', client_id: @identifier, nonce: nonce).returns(true)
|
|
299
|
+
::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
|
|
300
|
+
|
|
274
301
|
strategy.callback_phase
|
|
275
302
|
end
|
|
276
303
|
|
|
@@ -286,6 +313,11 @@ module OmniAuth
|
|
|
286
313
|
strategy.stubs(:access_token).raises(::Rack::OAuth2::Client::Error.new('error', error: 'Unknown'))
|
|
287
314
|
strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
|
|
288
315
|
strategy.expects(:fail!)
|
|
316
|
+
|
|
317
|
+
id_token = stub('OpenIDConnect::ResponseObject::IdToken')
|
|
318
|
+
id_token.stubs(:verify!).with(issuer: 'example.com', client_id: @identifier, nonce: nonce).returns(true)
|
|
319
|
+
::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
|
|
320
|
+
|
|
289
321
|
strategy.callback_phase
|
|
290
322
|
end
|
|
291
323
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth_openid_connect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- John Bohn
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2019-
|
|
12
|
+
date: 2019-08-03 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: addressable
|
|
@@ -31,14 +31,14 @@ dependencies:
|
|
|
31
31
|
requirements:
|
|
32
32
|
- - "~>"
|
|
33
33
|
- !ruby/object:Gem::Version
|
|
34
|
-
version: '1.
|
|
34
|
+
version: '1.9'
|
|
35
35
|
type: :runtime
|
|
36
36
|
prerelease: false
|
|
37
37
|
version_requirements: !ruby/object:Gem::Requirement
|
|
38
38
|
requirements:
|
|
39
39
|
- - "~>"
|
|
40
40
|
- !ruby/object:Gem::Version
|
|
41
|
-
version: '1.
|
|
41
|
+
version: '1.9'
|
|
42
42
|
- !ruby/object:Gem::Dependency
|
|
43
43
|
name: openid_connect
|
|
44
44
|
requirement: !ruby/object:Gem::Requirement
|