omniauth_openid_connect 0.3.2 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0024abec2d29c79f701d7de6af9e5addf2be2e3da443413d8e1eb90ab5a1edb0
-  data.tar.gz: 4d564cf7d4f5fcf4da6a961cdf39c7d8a1e943addb3e39a82953a2aaa2757db6
+  metadata.gz: 7b5060fd9a0536e2740b340c56459f76b628912dea1ad54da415c2453921e6e3
+  data.tar.gz: ada9bd68c69837538cd485ce0595525b2109feb0f79611a3ceb06fa1bf7eed96
 SHA512:
-  metadata.gz: 5411ae4999e350a9127890ad4041c099bbefdc765a40f98db108018f9d09f4f402f93f28466c1b079412b875da00ba609906ed04da55addf2a7b486819b65887
-  data.tar.gz: 0a4b11ac66f14441d106c9d41a02f2464632592c7e746086675b8b3504570fcaf63cc9af55306dd447fa57cc502abb8fc6185beee6f09822693124221b8010aa
+  metadata.gz: 24c424fb608e45beba966b6914accdfad6e5af277c9428c94d3aec4ab3f4c010bfa66117a42d6ad1f57de9ea6d6d3ff99eaa5a33bdcbc753d1b7db568f3e870b
+  data.tar.gz: f2ebfcd68b35425cc656ecaa58151b962d0bc96a4023f1bfcf312e363e2e0878c298bc90d7fc70104220b71cdbc77346b3f64c4653222b8df1110a12bb249dd0

data/.github/config/rubocop_linter_action.yml

@@ -0,0 +1,59 @@
+# Description: The name of the check that will be created.
+# Valid Options: A reasonably sized string.
+# Default: 'Rubocop Action'
+check_name: 'Rubocop Results'
+
+# Description: Versions required to run your RuboCop checks.
+# Valid options: RuboCop and any RuboCop extension, by default the latest gem version will be used. You can explicitly state that
+# (not required) or use a version number, like '1.5.1'.
+# Default:
+#   versions:
+#     - rubocop: 'latest'
+versions:
+  - rubocop
+  - rubocop-minitest
+  - rubocop-performance: '1.5.1'
+
+# Description: Rubocop configuration file path relative to the workspace.
+# Valid options: A valid file path inside of the workspace.
+# Default: nil
+# Note: This does not need to be filled out for Rubocop to still find your config.
+# Resource: https://rubocop.readthedocs.io/en/stable/configuration/
+rubocop_config_path: '.rubocop.yml'
+
+# Run all cops enabled by configuration except this list.
+# Valid options: list of valid cop(s) and/or departments.
+# Default: nil
+# Resource: https://rubocop.readthedocs.io/en/stable/cops/
+# rubocop_excluded_cops:
+#   - 'Style/FrozenStringLiteralComment'
+
+# Minimum severity for exit with error code
+# Valid options: 'refactor', 'convention', 'warning', 'error', or 'fatal'.
+# Default: 'warning'
+# Resource: https://rubocop.readthedocs.io/en/stable/configuration/#severity
+# rubocop_fail_level: 'warning'
+
+# Whether or not to use --force-exclusion when building the rubocop command. Use this if you are only linting modified
+# files and typically excluded files have been changed. For example, if you exclude db/schema.rb in your rubocop.yml
+# but a change gets made, then with the check_scope config set to 'modified' rubocop will lint db/schema.rb. If you set
+# this to true, rubocop will ignore it.
+# Valid options: true || false
+# Default: false
+
+# Instead of installing gems from rubygems, we can run `bundle install` on your project,
+# you would need to do this if you are using something like 'rubocop-github' or if you don't
+# want to list out dependencies with the `versions` key.
+# Valid options: true || false
+# Default: false
+# bundle: false
+
+# The scope of code that Rubocop should lint. Use this if you only want to lint changed files. If this is not set
+# or not equal to 'modified', Rubocop is run against the entire codebase. Note that this will not work on the master branch.
+# Valid options: 'modified'
+# Default: nil
+
+# The base branch against which changes will be compared, if check_scope config is set to 'modified'.
+# This setting is not used if check_scope != 'modified'.
+# Valid options: 'origin/another_branch'
+# Default: 'origin/master'

data/.github/stale.yml

@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

data/.github/workflows/main.yml

@@ -0,0 +1,31 @@
+name: Main
+on:
+  push:
+    branches:
+      - main
+      - master
+
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  base:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.5", "2.6", "2.7", "3.0"]
+    name: Ruby ${{ matrix.ruby }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Run tests
+        run: bundle exec rake

data/.github/workflows/rubocop.yml

@@ -0,0 +1,22 @@
+name: Rubocop check
+
+on:
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    name: RuboCop Action
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Action
+      uses: actions/checkout@v1
+    - name: Rubocop Linter Action
+      uses: andrewmcodes/rubocop-linter-action@v3.2.0
+      with:
+        action_config_path: '.github/config/rubocop_linter_action.yml'
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

data/.rubocop.yml

@@ -1,3 +1,6 @@
+Gemspec/RequiredRubyVersion:
+  Enabled: false
+
 LineLength:
   Description: 'Limit lines to 130 characters.'
   Max: 130
@@ -36,7 +39,10 @@ Documentation:
   Enabled: false
 
 Metrics/AbcSize:
-  Max: 50
+  Max: 60
+
+Metrics/ClassLength:
+  Max: 300
 
 Metrics/CyclomaticComplexity:
   Max: 50

data/CHANGELOG.md

@@ -1,3 +1,35 @@
+# v0.4.0 (02.05.2021)
+
+- Support dynamic parameters to the authorize URI [#90](https://github.com/omniauth/omniauth_openid_connect/pull/90)
+- Upgrade Faker and replace Travis with Github Actions [#102](https://github.com/omniauth/omniauth_openid_connect/pull/102)
+- Make `omniauth_openid_connect` gem compatible with `omniauth v2.0` [#95](https://github.com/omniauth/omniauth_openid_connect/pull/95)
+- Fall back to the discovered jwks when no key specified [#97](https://github.com/omniauth/omniauth_openid_connect/pull/97)
+- Allow updating to omniauth v2 [#88](https://github.com/omniauth/omniauth_openid_connect/pull/88)
+
+# v0.3.5 (07.06.2020)
+
+- bugfix: Info from decoded id_token is not exposed into `request.env['omniauth.auth']` [#61](https://github.com/m0n9oose/omniauth_openid_connect/pull/61)
+- bugfix: NoMethodError (`undefined method 'count' for #<OpenIDConnect::ResponseObject::IdToken>`) [#60](https://github.com/m0n9oose/omniauth_openid_connect/pull/60)
+
+# v0.3.4 (21.05.2020)
+
+- Try to verify id_token when response_type is code [#44](https://github.com/m0n9oose/omniauth_openid_connect/pull/44)
+- Provide more information on error [#49](https://github.com/m0n9oose/omniauth_openid_connect/pull/49)
+- Update configuration documentation [#53](https://github.com/m0n9oose/omniauth_openid_connect/pull/53)
+- Add documentation about the send_scope_to_token_endpoint config property [#52](https://github.com/m0n9oose/omniauth_openid_connect/pull/52)
+- refactor: take uid_field from raw_attributes [#54](https://github.com/m0n9oose/omniauth_openid_connect/pull/54)
+- chore(ci): add 2.7, ruby-head and jruby-head [#55](https://github.com/m0n9oose/omniauth_openid_connect/pull/55)
+
+# v0.3.3 (09.11.2019)
+
+- Pass `acr_values` to authorize url [#43](https://github.com/m0n9oose/omniauth_openid_connect/pull/43)
+- Add raw info for id token [#42](https://github.com/m0n9oose/omniauth_openid_connect/pull/42)
+- Fixed `id_token` verification when `id_token` is not used [#41](https://github.com/m0n9oose/omniauth_openid_connect/pull/41)
+- Cast `response_type` to string when checking if it is set in params [#36](https://github.com/m0n9oose/omniauth_openid_connect/pull/36)
+- Support both symbol and string version of `response_type` option [#35](https://github.com/m0n9oose/omniauth_openid_connect/pull/35)
+- Fix gemspec homepage [#33](https://github.com/m0n9oose/omniauth_openid_connect/pull/33)
+- Add support for `response_type` `id_token` [#32](https://github.com/m0n9oose/omniauth_openid_connect/pull/32)
+
 # v0.3.2 (03.08.2019)
 
 - Use response_mode in `authorize_uri` if the option is defined [#30](https://github.com/m0n9oose/omniauth_openid_connect/pull/30)

data/Guardfile

@@ -5,7 +5,7 @@
 
 guard 'minitest' do
   # with Minitest::Unit
-  watch(%r{^test/(.*)\/(.*)_test\.rb})
+  watch(%r{^test/(.*)/(.*)_test\.rb})
   watch(%r{^lib/(.*)\.rb}) { |m| "test/lib/#{m[1]}_test.rb" }
   watch(%r{^test/test_helper\.rb}) { 'test' }
 end

data/README.md

@@ -1,10 +1,19 @@
+# Maintainers Wanted
+
+This project is looking for maintainers.
+
+Due to lack of using this gem in my projects I have no time to keep it alive.
+Feel free to open an issue if you interested.
+
+_This project is built and maintained 100% voluntarily._
+
 # OmniAuth::OpenIDConnect
 
 Originally was [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect)
 
 I've forked this repository and launch as separate gem because maintaining of original was dropped.
 
-[![Build Status](https://travis-ci.org/m0n9oose/omniauth_openid_connect.png?branch=master)](https://travis-ci.org/m0n9oose/omniauth_openid_connect)
+[![Build Status](https://github.com/omniauth/omniauth_openid_connect/actions/workflows/main.yml/badge.svg)](https://github.com/omniauth/omniauth_openid_connect/actions/workflows/main.yml)
 
 ## Installation
 
@@ -20,6 +29,10 @@ Or install it yourself as:
 
     $ gem install omniauth_openid_connect
 
+## Supported Ruby Versions
+
+OmniAuth::OpenIDConnect is tested under 2.4, 2.5, 2.6, 2.7
+
 ## Usage
 
 Example configuration
@@ -40,7 +53,46 @@ config.omniauth :openid_connect, {
 }
 ```
 
-Configuration details:
+### Options Overview
+
+| Field                        | Description                                                                                                                                                   | Required | Default                    | Example/Options                                     |
+|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------|-----------------------------------------------------|
+| name                         | Arbitrary string to identify connection and identify it from other openid_connect providers                                                                                                                        | no       | String: openid_connect     | :my_idp                                             |
+| issuer                       | Root url for the authorization server                                                                                                                         | yes      |                            | https://myprovider.com                              |
+| discovery                    | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no       | false                      | one of: true, false                                 |
+| client_auth_method           | Which authentication method to use to authenticate your app with the authorization server                                                                     | no       | Sym: basic                 | "basic", "jwks"                                     |
+| scope                        | Which OpenID scopes to include (:openid is always required)                                                                                                   | no       | Array<sym> [:openid]       | [:openid, :profile, :email]                         |
+| response_type                | Which OAuth2 response type to use with the authorization request                                                                                              | no       | String: code               | one of: 'code', 'id_token'                          |
+| state                        | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string.                                        | no       | Random 16 character string | Proc.new { SecureRandom.hex(32) }                   |
+| response_mode                | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)                                                              | no       | nil                        | one of: :query, :fragment, :form_post, :web_message |
+| display                      | An optional parameter to the authorization request to determine how the authorization and consent page                                                        | no       | nil                        | one of: :page, :popup, :touch, :wap                 |
+| prompt                       | An optional parameter to the authrization request to determine what pages the user will be shown                                                              | no       | nil                        | one of: :none, :login, :consent, :select_account    |
+| send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint?                                                                                       | no       | true                       | one of: true, false                                 |
+| post_logout_redirect_uri     | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                   | no       | empty                      | https://myapp.com/logout/callback                   |
+| uid_field                    | The field of the user info response to be used as a unique id                                                                                                 | no       | 'sub'                      | "sub", "preferred_username"                         |
+| extra_authorize_params       | A hash of extra fixed parameters that will be merged to the authorization request                                                                             | no       | Hash                       | {"tenant" => "common"}                              |
+| allow_authorize_params       | A list of allowed dynamic parameters that will be merged to the authorization request                                                                         | no       | Array                      | [:screen_name]                                      |
+| client_options               | A hash of client options detailed in its own section                                                                                                          | yes      |                            |                                                     |
+
+### Client Config Options
+
+These are the configuration options for the client_options hash of the configuration.
+
+| Field                  | Description                                                     | Default    | Replaced by discovery? |
+|------------------------|-----------------------------------------------------------------|------------|------------------------|
+| identifier             | The OAuth2 client_id                                            |            |                        |
+| secret                 | The OAuth2 client secret                                        |            |                        |
+| redirect_uri           | The OAuth2 authorization callback url in your app               |            |                        |
+| scheme                 | The http scheme to use                                          | https      |                        |
+| host                   | The host of the authorization server                            | nil        |                        |
+| port                   | The port for the authorization server                           | 443        |                        |
+| authorization_endpoint | The authorize endpoint on the authorization server              | /authorize | yes                    |
+| token_endpoint         | The token endpoint on the authorization server                  | /token     | yes                    |
+| userinfo_endpoint      | The user info endpoint on the authorization server              | /userinfo  | yes                    |
+| jwks_uri               | The jwks_uri on the authorization server                        | /jwk       | yes                    |
+| end_session_endpoint   | The url to call to log the user out at the authorization server | nil        | yes                    |
+
+### Additional Configuration Notes
   * `name` is arbitrary, I recommend using the name of your provider. The name
   configuration exists because you could be using multiple OpenID Connect
   providers in a single app.
@@ -48,11 +100,9 @@ Configuration details:
   **NOTE**: if you use this gem with Devise you should use `:openid_connect` name,
   or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'
 
-  * Although `response_type` is an available option, currently, only `:code`
-  is valid. There are plans to bring in implicit flow and hybrid flow at some
-  point, but it hasn't come up yet for me. Those flows aren't best practive for
-  server side web apps anyway and are designed more for native/mobile apps.
-  * If you want to pass `state` paramete by yourself. You can set Proc Object.  
+  * `response_type` tells the authorization server which grant type the application wants to use,
+  currently, only `:code` (Authorization Code grant) and `:id_token` (Implicit grant) are valid.
+  * If you want to pass `state` paramete by yourself. You can set Proc Object.
   e.g. `state: Proc.new { SecureRandom.hex(32) }`
   * `nonce` is optional. If don't want to pass "nonce" parameter to provider, You should specify
   `false` to `send_nonce` option. (default true)
@@ -60,8 +110,8 @@ Configuration details:
   `:client_auth_method` option, automatically set `:basic`.
   * Use "OpenID Connect Discovery", You should specify `true` to `discovery` option. (default false)
   * In "OpenID Connect Discovery", generally provider should have Webfinger endpoint.
-  If provider does not have Webfinger endpoint, You can specify "Issuer" to option.  
-  e.g. `issuer: "https://myprovider.com"`  
+  If provider does not have Webfinger endpoint, You can specify "Issuer" to option.
+  e.g. `issuer: "https://myprovider.com"`
   It means to get configuration from "https://myprovider.com/.well-known/openid-configuration".
   * The uid is by default using the `sub` value from the `user_info` response,
   which in some applications is not the expected value. To avoid such limitations, the uid label can be
@@ -69,6 +119,10 @@ Configuration details:
   that appears in the `user_info` details.
   * The `issuer` property should exactly match the provider's issuer link.
   * The `response_mode` option is optional and specifies how the result of the authorization request is formatted.
+  * Some OpenID Connect providers require the `scope` attribute in requests to the token endpoint, even if
+  this is not in the protocol specifications. In those cases, the `send_scope_to_token_endpoint`
+  property can be used to add the attribute to the token request. Initial value is `true`, which means that the
+  scope attribute is included by default.
 
 For the full low down on OpenID Connect, please check out
 [the spec](http://openid.net/specs/openid-connect-core-1_0.html).

data/lib/omniauth/openid_connect/errors.rb

@@ -3,6 +3,9 @@
 module OmniAuth
   module OpenIDConnect
     class Error < RuntimeError; end
+
     class MissingCodeError < Error; end
+
+    class MissingIdTokenError < Error; end
   end
 end

data/lib/omniauth/openid_connect/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module OpenIDConnect
-    VERSION = '0.3.2'
+    VERSION = '0.4.0'
   end
 end

data/lib/omniauth/strategies/openid_connect.rb

@@ -14,6 +14,11 @@ module OmniAuth
       include OmniAuth::Strategy
       extend Forwardable
 
+      RESPONSE_TYPE_EXCEPTIONS = {
+        'id_token' => { exception_class: OmniAuth::OpenIDConnect::MissingIdTokenError, key: :missing_id_token }.freeze,
+        'code' => { exception_class: OmniAuth::OpenIDConnect::MissingCodeError, key: :missing_code }.freeze,
+      }.freeze
+
       def_delegator :request, :params
 
       option :name, 'openid_connect'
@@ -35,7 +40,7 @@ module OmniAuth
       option :client_jwk_signing_key
       option :client_x509_signing_key
       option :scope, [:openid]
-      option :response_type, 'code'
+      option :response_type, 'code' # ['code', 'id_token']
       option :state
       option :response_mode # [:query, :fragment, :form_post, :web_message]
       option :display, nil # [:page, :popup, :touch, :wap]
@@ -49,13 +54,12 @@ module OmniAuth
       option :send_scope_to_token_endpoint, true
       option :client_auth_method
       option :post_logout_redirect_uri
+      option :extra_authorize_params, {}
+      option :allow_authorize_params, []
       option :uid_field, 'sub'
 
       def uid
-        user_info.public_send(options.uid_field.to_s)
-      rescue NoMethodError
-        log :warn, "User sub:#{user_info.sub} missing info field: #{options.uid_field}"
-        user_info.sub
+        user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
       end
 
       info do
@@ -105,26 +109,26 @@ module OmniAuth
         error_description = params['error_description'] || params['error_reason']
         invalid_state = params['state'].to_s.empty? || params['state'] != stored_state
 
-        raise CallbackError.new(params['error'], error_description, params['error_uri']) if error
-
-        raise CallbackError, 'Invalid state parameter' if invalid_state
+        raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
+        raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
 
-        return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(params['error'])) unless params['code']
+        return unless valid_response_type?
 
         options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
 
-        decode_id_token(params['id_token'])
-          .verify! issuer: options.issuer,
-                   client_id: client_options.identifier,
-                   nonce: stored_nonce
-
+        verify_id_token!(params['id_token']) if configured_response_type == 'id_token'
         discover!
         client.redirect_uri = redirect_uri
+
+        return id_token_callback_phase if configured_response_type == 'id_token'
+
         client.authorization_code = authorization_code
         access_token
         super
-      rescue CallbackError, ::Rack::OAuth2::Client::Error => e
-        fail!(:invalid_credentials, e)
+      rescue CallbackError => e
+        fail!(e.error, e)
+      rescue ::Rack::OAuth2::Client::Error => e
+        fail!(e.response[:error], e)
       rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
         fail!(:timeout, e)
       rescue ::SocketError => e
@@ -165,14 +169,22 @@ module OmniAuth
           prompt: options.prompt,
           nonce: (new_nonce if options.send_nonce),
           hd: options.hd,
+          acr_values: options.acr_values,
         }
+
+        opts.merge!(options.extra_authorize_params) unless options.extra_authorize_params.empty?
+
+        options.allow_authorize_params.each do |key|
+          opts[key] = request.params[key.to_s] unless opts.key?(key)
+        end
+
         client.authorization_uri(opts.reject { |_k, v| v.nil? })
       end
 
       def public_key
         return config.jwks if options.discovery
 
-        key_or_secret
+        key_or_secret || config.jwks
       end
 
       private
@@ -194,7 +206,15 @@ module OmniAuth
       end
 
       def user_info
-        @user_info ||= access_token.userinfo!
+        return @user_info if @user_info
+
+        if access_token.id_token
+          decoded = decode_id_token(access_token.id_token).raw_attributes
+
+          @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
+        else
+          @user_info = access_token.userinfo!
+        end
       end
 
       def access_token
@@ -204,6 +224,10 @@ module OmniAuth
           scope: (options.scope if options.send_scope_to_token_endpoint),
           client_auth_method: options.client_auth_method
         )
+
+        verify_id_token!(@access_token.id_token) if configured_response_type == 'code'
+
+        @access_token
       end
 
       def decode_id_token(id_token)
@@ -237,6 +261,12 @@ module OmniAuth
         session.delete('omniauth.nonce')
       end
 
+      def script_name
+        return '' if @env.nil?
+
+        super
+      end
+
       def session
         return {} if @env.nil?
 
@@ -294,13 +324,46 @@ module OmniAuth
         @logout_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/logout)}
       end
 
+      def id_token_callback_phase
+        user_data = decode_id_token(params['id_token']).raw_attributes
+        env['omniauth.auth'] = AuthHash.new(
+          provider: name,
+          uid: user_data['sub'],
+          info: { name: user_data['name'], email: user_data['email'] },
+          extra: { raw_info: user_data }
+        )
+        call_app!
+      end
+
+      def valid_response_type?
+        return true if params.key?(configured_response_type)
+
+        error_attrs = RESPONSE_TYPE_EXCEPTIONS[configured_response_type]
+        fail!(error_attrs[:key], error_attrs[:exception_class].new(params['error']))
+
+        false
+      end
+
+      def configured_response_type
+        @configured_response_type ||= options.response_type.to_s
+      end
+
+      def verify_id_token!(id_token)
+        return unless id_token
+
+        decode_id_token(id_token).verify!(issuer: options.issuer,
+                                          client_id: client_options.identifier,
+                                          nonce: stored_nonce)
+      end
+
       class CallbackError < StandardError
         attr_accessor :error, :error_reason, :error_uri
 
-        def initialize(error, error_reason = nil, error_uri = nil)
-          self.error = error
-          self.error_reason = error_reason
-          self.error_uri = error_uri
+        def initialize(data)
+          super
+          self.error = data[:error]
+          self.error_reason = data[:reason]
+          self.error_uri = data[:uri]
         end
 
         def message

data/omniauth_openid_connect.gemspec

@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
   spec.email         = ['jjbohn@gmail.com', 'm0n9oose@gmail.com']
   spec.summary       = 'OpenID Connect Strategy for OmniAuth'
   spec.description   = 'OpenID Connect Strategy for OmniAuth.'
-  spec.homepage      = 'https://github.com/jjbohn/omniauth-openid-connect'
+  spec.homepage      = 'https://github.com/m0n9oose/omniauth_openid_connect'
   spec.license       = 'MIT'
 
   spec.files         = `git ls-files -z`.split("\x0")
@@ -19,17 +19,25 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/m0n9oose/omniauth_openid_connect/issues',
+    'changelog_uri' => 'https://github.com/m0n9oose/omniauth_openid_connect/releases',
+    'documentation_uri' => "https://github.com/m0n9oose/omniauth_openid_connect/tree/v#{spec.version}#readme",
+    'source_code_uri' => "https://github.com/m0n9oose/omniauth_openid_connect/tree/v#{spec.version}",
+    'rubygems_mfa_required' => 'true',
+  }
+
   spec.add_dependency 'addressable', '~> 2.5'
-  spec.add_dependency 'omniauth', '~> 1.9'
+  spec.add_dependency 'omniauth', '>= 1.9', '< 3'
   spec.add_dependency 'openid_connect', '~> 1.1'
   spec.add_development_dependency 'coveralls', '~> 0.8'
-  spec.add_development_dependency 'faker', '~> 1.6'
+  spec.add_development_dependency 'faker', '~> 2.0'
   spec.add_development_dependency 'guard', '~> 2.14'
   spec.add_development_dependency 'guard-bundler', '~> 2.2'
   spec.add_development_dependency 'guard-minitest', '~> 2.4'
   spec.add_development_dependency 'minitest', '~> 5.1'
   spec.add_development_dependency 'mocha', '~> 1.7'
   spec.add_development_dependency 'rake', '~> 12.0'
-  spec.add_development_dependency 'rubocop', '~> 0.63'
+  spec.add_development_dependency 'rubocop', '~> 1.12'
   spec.add_development_dependency 'simplecov', '~> 0.12'
 end

data/test/lib/omniauth/strategies/openid_connect_test.rb

@@ -36,6 +36,7 @@ module OmniAuth
         ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
 
         request.stubs(:path_info).returns('/auth/openid_connect/logout')
+        request.stubs(:path).returns('/auth/openid_connect/logout')
 
         strategy.expects(:redirect).with(regexp_matches(expected_redirect))
         strategy.other_phase
@@ -60,6 +61,7 @@ module OmniAuth
         ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
 
         request.stubs(:path_info).returns('/auth/openid_connect/logout')
+        request.stubs(:path).returns('/auth/openid_connect/logout')
 
         strategy.expects(:redirect).with(expected_redirect)
         strategy.other_phase
@@ -69,7 +71,7 @@ module OmniAuth
         strategy.options.issuer = 'example.com'
         strategy.options.client_options.host = 'example.com'
 
-        request.stubs(:path_info).returns('/auth/openid_connect/logout')
+        request.stubs(:path).returns('/auth/openid_connect/logout')
 
         strategy.expects(:call_app!)
         strategy.other_phase
@@ -123,6 +125,46 @@ module OmniAuth
         strategy.request_phase
       end
 
+      def test_request_phase_with_response_mode_symbol
+        expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=id_token&scope=openid&state=\w{32}$/
+        strategy.options.issuer = 'example.com'
+        strategy.options.response_mode = 'form_post'
+        strategy.options.response_type = :id_token
+        strategy.options.client_options.host = 'example.com'
+
+        strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+        strategy.request_phase
+      end
+
+      def test_option_acr_values
+        strategy.options.client_options[:host] = 'foobar.com'
+
+        assert(!(strategy.authorize_uri =~ /acr_values=/), 'URI must not contain acr_values')
+
+        strategy.options.acr_values = 'urn:some:acr:values:value'
+        assert(strategy.authorize_uri =~ /acr_values=/, 'URI must contain acr_values')
+      end
+
+      def test_option_custom_attributes
+        strategy.options.client_options[:host] = 'foobar.com'
+        strategy.options.extra_authorize_params = {resource: 'xyz'}
+
+        assert(strategy.authorize_uri =~ /resource=xyz/, 'URI must contain custom params')
+      end
+
+      def test_request_phase_with_allowed_params
+        strategy.options.issuer = 'example.com'
+        strategy.options.allow_authorize_params = [:name, :logo, :resource]
+        strategy.options.extra_authorize_params = {resource: 'xyz'}
+        strategy.options.client_options.host = 'example.com'
+        request.stubs(:params).returns('name' => 'example', 'logo' => 'example_logo', 'resource' => 'abc', 'not_allowed' => 'filter_me')
+
+        assert(strategy.authorize_uri =~ /resource=xyz/, 'URI must contain fixed param resource')
+        assert(strategy.authorize_uri =~ /name=example/, 'URI must contain dynamic param name')
+        assert(strategy.authorize_uri =~ /logo=example_logo/, 'URI must contain dynamic param logo')
+        refute(strategy.authorize_uri =~ /not_allowed=filter_me/, 'URI must filter not allowed param')
+      end
+
       def test_uid
         assert_equal user_info.sub, strategy.uid
 
@@ -138,17 +180,45 @@ module OmniAuth
         state = SecureRandom.hex(16)
         nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.options.issuer = 'example.com'
         strategy.options.client_signing_alg = :RS256
         strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.response_type = 'code'
+
+        strategy.unstub(:user_info)
+        access_token = stub('OpenIDConnect::AccessToken')
+        access_token.stubs(:access_token)
+        access_token.stubs(:refresh_token)
+        access_token.stubs(:expires_in)
+        access_token.stubs(:scope)
+        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        client.expects(:access_token!).at_least_once.returns(access_token)
+        access_token.expects(:userinfo!).returns(user_info)
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
         id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
-        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
         id_token.expects(:verify!)
 
+        strategy.expects(:decode_id_token).twice.with(access_token.id_token).returns(id_token)
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_id_token
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('id_token' => code, 'state' => state)
+        request.stubs(:path).returns('')
+
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_signing_alg = :RS256
+        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.response_type = 'id_token'
+
         strategy.unstub(:user_info)
         access_token = stub('OpenIDConnect::AccessToken')
         access_token.stubs(:access_token)
@@ -156,8 +226,12 @@ module OmniAuth
         access_token.stubs(:expires_in)
         access_token.stubs(:scope)
         access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
-        client.expects(:access_token!).at_least_once.returns(access_token)
-        access_token.expects(:userinfo!).returns(user_info)
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
+        id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+        id_token.expects(:verify!)
 
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
         strategy.callback_phase
@@ -170,7 +244,7 @@ module OmniAuth
         jwks = JSON::JWK::Set.new(JSON.parse(File.read('test/fixtures/jwks.json'))['keys'])
 
         request.stubs(:params).returns('code' => code, 'state' => state)
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.options.client_options.host = 'example.com'
         strategy.options.discovery = true
@@ -189,6 +263,7 @@ module OmniAuth
         ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
         id_token.stubs(:verify!).with(issuer: 'https://example.com/', client_id: @identifier, nonce: nonce).returns(true)
         ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
 
@@ -210,7 +285,7 @@ module OmniAuth
         state = SecureRandom.hex(16)
         nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('error' => 'invalid_request')
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
         strategy.expects(:fail!)
@@ -222,7 +297,7 @@ module OmniAuth
         state = SecureRandom.hex(16)
         nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => 'foobar')
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
         strategy.expects(:fail!)
@@ -233,11 +308,37 @@ module OmniAuth
         state = SecureRandom.hex(16)
         nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('state' => state)
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
 
-        strategy.expects(:fail!)
+        strategy.expects(:fail!).with(:missing_code, is_a(OmniAuth::OpenIDConnect::MissingCodeError))
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_without_id_token
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('state' => state)
+        request.stubs(:path).returns('')
+        strategy.options.response_type = 'id_token'
+
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+
+        strategy.expects(:fail!).with(:missing_id_token, is_a(OmniAuth::OpenIDConnect::MissingIdTokenError))
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_without_id_token_symbol
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('state' => state)
+        request.stubs(:path).returns('')
+        strategy.options.response_type = :id_token
+
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+
+        strategy.expects(:fail!).with(:missing_id_token, is_a(OmniAuth::OpenIDConnect::MissingIdTokenError))
         strategy.callback_phase
       end
 
@@ -246,7 +347,7 @@ module OmniAuth
         state = SecureRandom.hex(16)
         nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.options.issuer = 'example.com'
 
@@ -266,7 +367,7 @@ module OmniAuth
         state = SecureRandom.hex(16)
         nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.options.issuer = 'example.com'
 
@@ -286,7 +387,7 @@ module OmniAuth
         state = SecureRandom.hex(16)
         nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.options.issuer = 'example.com'
 
@@ -306,7 +407,7 @@ module OmniAuth
         state = SecureRandom.hex(16)
         nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.options.issuer = 'example.com'
 
@@ -407,7 +508,7 @@ module OmniAuth
         # the following should fail because the wrong state is passed to the callback
         code = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => 43)
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
 
         strategy.call!('rack.session' => session)
         strategy.expects(:fail!)
@@ -416,7 +517,8 @@ module OmniAuth
 
       def test_dynamic_state
         # Stub request parameters
-        Strategy.send(:define_method, 'env', -> { { QUERY_STRING: { state: 'abc', client_id: '123' } } })
+        request.stubs(:path).returns('')
+        strategy.call!('rack.session' => { }, QUERY_STRING: { state: 'abc', client_id: '123' } )
 
         strategy.options.state = lambda { |env|
           # Get params from request, e.g. CGI.parse(env['QUERY_STRING'])
@@ -448,7 +550,7 @@ module OmniAuth
         }.to_json
         success = Struct.new(:status, :body).new(200, json_response)
 
-        request.stubs(:path_info).returns('')
+        request.stubs(:path).returns('')
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
@@ -492,6 +594,42 @@ module OmniAuth
         strategy.options.client_signing_alg = :HS256
         assert_equal strategy.options.client_options.secret, strategy.public_key
       end
+
+      def test_id_token_auth_hash
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        strategy.options.response_type = 'id_token'
+        strategy.options.issuer = 'example.com'
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:verify!).returns(true)
+        id_token.stubs(:raw_attributes, :to_h).returns(
+          {
+            "iss": "http://server.example.com",
+            "sub": "248289761001",
+            "aud": "s6BhdRkqt3",
+            "nonce": "n-0S6_WzA2Mj",
+            "exp": 1311281970,
+            "iat": 1311280970,
+          }
+        )
+
+        request.stubs(:params).returns('state' => state, 'nounce' => nonce, 'id_token' => id_token)
+        request.stubs(:path).returns('')
+
+        strategy.stubs(:decode_id_token).returns(id_token)
+        strategy.stubs(:stored_state).returns(state)
+
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+
+        auth_hash = strategy.send(:env)['omniauth.auth']
+        assert auth_hash.key?('provider')
+        assert auth_hash.key?('uid')
+        assert auth_hash.key?('info')
+        assert auth_hash.key?('extra')
+        assert auth_hash['extra'].key?('raw_info')
+      end
     end
   end
 end

data/test/strategy_test_case.rb

@@ -37,6 +37,7 @@ class StrategyTestCase < MiniTest::Test
       request.stubs(:env).returns({})
       request.stubs(:scheme).returns({})
       request.stubs(:ssl?).returns(false)
+      request.stubs(:path).returns('')
     end
   end
 
@@ -46,6 +47,7 @@ class StrategyTestCase < MiniTest::Test
       strategy.options.client_options.secret = @secret
       strategy.stubs(:request).returns(request)
       strategy.stubs(:user_info).returns(user_info)
+      strategy.stubs(:script_name).returns('')
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth_openid_connect
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.4.0
 platform: ruby
 authors:
 - John Bohn
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-03 00:00:00.000000000 Z
+date: 2022-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -29,16 +29,22 @@ dependencies:
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: openid_connect
   requirement: !ruby/object:Gem::Requirement
@@ -73,14 +79,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: guard
   requirement: !ruby/object:Gem::Requirement
@@ -171,14 +177,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.63'
+        version: '1.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.63'
+        version: '1.12'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -201,9 +207,12 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/config/rubocop_linter_action.yml"
+- ".github/stale.yml"
+- ".github/workflows/main.yml"
+- ".github/workflows/rubocop.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - Guardfile
@@ -222,10 +231,15 @@ files:
 - test/lib/omniauth/strategies/openid_connect_test.rb
 - test/strategy_test_case.rb
 - test/test_helper.rb
-homepage: https://github.com/jjbohn/omniauth-openid-connect
+homepage: https://github.com/m0n9oose/omniauth_openid_connect
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/m0n9oose/omniauth_openid_connect/issues
+  changelog_uri: https://github.com/m0n9oose/omniauth_openid_connect/releases
+  documentation_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.4.0#readme
+  source_code_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.4.0
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -241,7 +255,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.3.5
 signing_key: 
 specification_version: 4
 summary: OpenID Connect Strategy for OmniAuth

data/.travis.yml

@@ -1,5 +0,0 @@
-language: ruby
-rvm:
-  - 2.4
-  - 2.5
-  - 2.6