omniauth_openid_connect 0.3.3 → 0.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/config/rubocop_linter_action.yml +59 -0
- data/.github/stale.yml +17 -0
- data/.github/workflows/rubocop.yml +22 -0
- data/.travis.yml +3 -0
- data/CHANGELOG.md +9 -0
- data/README.md +46 -1
- data/lib/omniauth/openid_connect/version.rb +1 -1
- data/lib/omniauth/strategies/openid_connect.rb +27 -20
- data/test/lib/omniauth/strategies/openid_connect_test.rb +14 -1
- metadata +6 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0ffa620976c79075bcc1be6d53c4e4cd6f44cecb4c387902c07d2eeb633289aa
|
|
4
|
+
data.tar.gz: 910ddf1c62c01806349f1079f20f2bb51b96cf95a74e98d584335a16dd7af6f6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a4268d78d21672332b24a63aea04b43a0f8c531c8a9e89f9187402406bbb4e5538b576cb60fcacecebf9b57e91c14b9f31136eee3aa7c6aeda7571130ad77b9b
|
|
7
|
+
data.tar.gz: 858664147722cb80f5adf5b632ccde44ebfd79e29f0058be65a6bfe4847494cacec5255b96e646b3a18e2533489dc9a09fe31995e3aec0eebe9facbcbb37f69a
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
# Description: The name of the check that will be created.
|
|
2
|
+
# Valid Options: A reasonably sized string.
|
|
3
|
+
# Default: 'Rubocop Action'
|
|
4
|
+
check_name: 'Rubocop Results'
|
|
5
|
+
|
|
6
|
+
# Description: Versions required to run your RuboCop checks.
|
|
7
|
+
# Valid options: RuboCop and any RuboCop extension, by default the latest gem version will be used. You can explicitly state that
|
|
8
|
+
# (not required) or use a version number, like '1.5.1'.
|
|
9
|
+
# Default:
|
|
10
|
+
# versions:
|
|
11
|
+
# - rubocop: 'latest'
|
|
12
|
+
versions:
|
|
13
|
+
- rubocop
|
|
14
|
+
- rubocop-minitest
|
|
15
|
+
- rubocop-performance: '1.5.1'
|
|
16
|
+
|
|
17
|
+
# Description: Rubocop configuration file path relative to the workspace.
|
|
18
|
+
# Valid options: A valid file path inside of the workspace.
|
|
19
|
+
# Default: nil
|
|
20
|
+
# Note: This does not need to be filled out for Rubocop to still find your config.
|
|
21
|
+
# Resource: https://rubocop.readthedocs.io/en/stable/configuration/
|
|
22
|
+
rubocop_config_path: '.rubocop.yml'
|
|
23
|
+
|
|
24
|
+
# Run all cops enabled by configuration except this list.
|
|
25
|
+
# Valid options: list of valid cop(s) and/or departments.
|
|
26
|
+
# Default: nil
|
|
27
|
+
# Resource: https://rubocop.readthedocs.io/en/stable/cops/
|
|
28
|
+
# rubocop_excluded_cops:
|
|
29
|
+
# - 'Style/FrozenStringLiteralComment'
|
|
30
|
+
|
|
31
|
+
# Minimum severity for exit with error code
|
|
32
|
+
# Valid options: 'refactor', 'convention', 'warning', 'error', or 'fatal'.
|
|
33
|
+
# Default: 'warning'
|
|
34
|
+
# Resource: https://rubocop.readthedocs.io/en/stable/configuration/#severity
|
|
35
|
+
# rubocop_fail_level: 'warning'
|
|
36
|
+
|
|
37
|
+
# Whether or not to use --force-exclusion when building the rubocop command. Use this if you are only linting modified
|
|
38
|
+
# files and typically excluded files have been changed. For example, if you exclude db/schema.rb in your rubocop.yml
|
|
39
|
+
# but a change gets made, then with the check_scope config set to 'modified' rubocop will lint db/schema.rb. If you set
|
|
40
|
+
# this to true, rubocop will ignore it.
|
|
41
|
+
# Valid options: true || false
|
|
42
|
+
# Default: false
|
|
43
|
+
|
|
44
|
+
# Instead of installing gems from rubygems, we can run `bundle install` on your project,
|
|
45
|
+
# you would need to do this if you are using something like 'rubocop-github' or if you don't
|
|
46
|
+
# want to list out dependencies with the `versions` key.
|
|
47
|
+
# Valid options: true || false
|
|
48
|
+
# Default: false
|
|
49
|
+
# bundle: false
|
|
50
|
+
|
|
51
|
+
# The scope of code that Rubocop should lint. Use this if you only want to lint changed files. If this is not set
|
|
52
|
+
# or not equal to 'modified', Rubocop is run against the entire codebase. Note that this will not work on the master branch.
|
|
53
|
+
# Valid options: 'modified'
|
|
54
|
+
# Default: nil
|
|
55
|
+
|
|
56
|
+
# The base branch against which changes will be compared, if check_scope config is set to 'modified'.
|
|
57
|
+
# This setting is not used if check_scope != 'modified'.
|
|
58
|
+
# Valid options: 'origin/another_branch'
|
|
59
|
+
# Default: 'origin/master'
|
data/.github/stale.yml
ADDED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
# Number of days of inactivity before an issue becomes stale
|
|
2
|
+
daysUntilStale: 60
|
|
3
|
+
# Number of days of inactivity before a stale issue is closed
|
|
4
|
+
daysUntilClose: 7
|
|
5
|
+
# Issues with these labels will never be considered stale
|
|
6
|
+
exemptLabels:
|
|
7
|
+
- pinned
|
|
8
|
+
- security
|
|
9
|
+
# Label to use when marking an issue as stale
|
|
10
|
+
staleLabel: wontfix
|
|
11
|
+
# Comment to post when marking an issue as stale. Set to `false` to disable
|
|
12
|
+
markComment: >
|
|
13
|
+
This issue has been automatically marked as stale because it has not had
|
|
14
|
+
recent activity. It will be closed if no further activity occurs. Thank you
|
|
15
|
+
for your contributions.
|
|
16
|
+
# Comment to post when closing a stale issue. Set to `false` to disable
|
|
17
|
+
closeComment: false
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
name: Rubocop check
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
pull_request:
|
|
5
|
+
branches:
|
|
6
|
+
- "*"
|
|
7
|
+
push:
|
|
8
|
+
branches:
|
|
9
|
+
- master
|
|
10
|
+
jobs:
|
|
11
|
+
build:
|
|
12
|
+
name: RuboCop Action
|
|
13
|
+
runs-on: ubuntu-latest
|
|
14
|
+
steps:
|
|
15
|
+
- name: Checkout Action
|
|
16
|
+
uses: actions/checkout@v1
|
|
17
|
+
- name: Rubocop Linter Action
|
|
18
|
+
uses: andrewmcodes/rubocop-linter-action@v3.2.0
|
|
19
|
+
with:
|
|
20
|
+
action_config_path: '.github/config/rubocop_linter_action.yml'
|
|
21
|
+
env:
|
|
22
|
+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,12 @@
|
|
|
1
|
+
# v0.3.4 (21.05.2020)
|
|
2
|
+
|
|
3
|
+
- Try to verify id_token when response_type is code [#44](https://github.com/m0n9oose/omniauth_openid_connect/pull/44)
|
|
4
|
+
- Provide more information on error [#49](https://github.com/m0n9oose/omniauth_openid_connect/pull/49)
|
|
5
|
+
- Update configuration documentation [#53](https://github.com/m0n9oose/omniauth_openid_connect/pull/53)
|
|
6
|
+
- Add documentation about the send_scope_to_token_endpoint config property [#52](https://github.com/m0n9oose/omniauth_openid_connect/pull/52)
|
|
7
|
+
- refactor: take uid_field from raw_attributes [#54](https://github.com/m0n9oose/omniauth_openid_connect/pull/54)
|
|
8
|
+
- chore(ci): add 2.7, ruby-head and jruby-head [#55](https://github.com/m0n9oose/omniauth_openid_connect/pull/55)
|
|
9
|
+
|
|
1
10
|
# v0.3.3 (09.11.2019)
|
|
2
11
|
|
|
3
12
|
- Pass `acr_values` to authorize url [#43](https://github.com/m0n9oose/omniauth_openid_connect/pull/43)
|
data/README.md
CHANGED
|
@@ -19,6 +19,10 @@ And then execute:
|
|
|
19
19
|
Or install it yourself as:
|
|
20
20
|
|
|
21
21
|
$ gem install omniauth_openid_connect
|
|
22
|
+
|
|
23
|
+
## Supported Ruby Versions
|
|
24
|
+
|
|
25
|
+
OmniAuth::OpenIDConnect is tested under 2.4, 2.5, 2.6, 2.7
|
|
22
26
|
|
|
23
27
|
## Usage
|
|
24
28
|
|
|
@@ -40,7 +44,44 @@ config.omniauth :openid_connect, {
|
|
|
40
44
|
}
|
|
41
45
|
```
|
|
42
46
|
|
|
43
|
-
|
|
47
|
+
### Options Overview
|
|
48
|
+
|
|
49
|
+
| Field | Description | Required | Default | Example/Options |
|
|
50
|
+
|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------|-----------------------------------------------------|
|
|
51
|
+
| name | Arbitrary string to identify connection and identify it from other openid_connect providers | no | String: openid_connect | :my_idp |
|
|
52
|
+
| issuer | Root url for the authorization server | yes | | https://myprovider.com |
|
|
53
|
+
| discovery | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no | false | one of: true, false |
|
|
54
|
+
| client_auth_method | Which authentication method to use to authenticate your app with the authorization server | no | Sym: basic | "basic", "jwks" |
|
|
55
|
+
| scope | Which OpenID scopes to include (:openid is always required) | no | Array<sym> [:openid] | [:openid, :profile, :email] |
|
|
56
|
+
| response_type | Which OAuth2 response type to use with the authorization request | no | String: code | one of: 'code', 'id_token' |
|
|
57
|
+
| state | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string. | no | Random 16 character string | Proc.new { SecureRandom.hex(32) } |
|
|
58
|
+
| response_mode | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) | no | nil | one of: :query, :fragment, :form_post, :web_message |
|
|
59
|
+
| display | An optional parameter to the authorization request to determine how the authorization and consent page | no | nil | one of: :page, :popup, :touch, :wap |
|
|
60
|
+
| prompt | An optional parameter to the authrization request to determine what pages the user will be shown | no | nil | one of: :none, :login, :consent, :select_account |
|
|
61
|
+
| send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint? | no | true | one of: true, false |
|
|
62
|
+
| post_logout_redirect_uri | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html) | no | empty | https://myapp.com/logout/callback |
|
|
63
|
+
| uid_field | The field of the user info response to be used as a unique id | no | 'sub' | "sub", "preferred_username" |
|
|
64
|
+
| client_options | A hash of client options detailed in its own section | yes | | |
|
|
65
|
+
|
|
66
|
+
### Client Config Options
|
|
67
|
+
|
|
68
|
+
These are the configuration options for the client_options hash of the configuration.
|
|
69
|
+
|
|
70
|
+
| Field | Description | Default | Replaced by discovery? |
|
|
71
|
+
|------------------------|-----------------------------------------------------------------|------------|------------------------|
|
|
72
|
+
| identifier | The OAuth2 client_id | | |
|
|
73
|
+
| secret | The OAuth2 client secret | | |
|
|
74
|
+
| redirect_uri | The OAuth2 authorization callback url in your app | | |
|
|
75
|
+
| scheme | The http scheme to use | https | |
|
|
76
|
+
| host | The host of the authorization server | nil | |
|
|
77
|
+
| port | The port for the authorization server | 443 | |
|
|
78
|
+
| authorization_endpoint | The authorize endpoint on the authorization server | /authorize | yes |
|
|
79
|
+
| token_endpoint | The token endpoint on the authorization server | /token | yes |
|
|
80
|
+
| userinfo_endpoint | The user info endpoint on the authorization server | /userinfo | yes |
|
|
81
|
+
| jwks_uri | The jwks_uri on the authorization server | /jwk | yes |
|
|
82
|
+
| end_session_endpoint | The url to call to log the user out at the authorization server | nil | yes |
|
|
83
|
+
|
|
84
|
+
### Additional Configuration Notes
|
|
44
85
|
* `name` is arbitrary, I recommend using the name of your provider. The name
|
|
45
86
|
configuration exists because you could be using multiple OpenID Connect
|
|
46
87
|
providers in a single app.
|
|
@@ -67,6 +108,10 @@ Configuration details:
|
|
|
67
108
|
that appears in the `user_info` details.
|
|
68
109
|
* The `issuer` property should exactly match the provider's issuer link.
|
|
69
110
|
* The `response_mode` option is optional and specifies how the result of the authorization request is formatted.
|
|
111
|
+
* Some OpenID Connect providers require the `scope` attribute in requests to the token endpoint, even if
|
|
112
|
+
this is not in the protocol specifications. In those cases, the `send_scope_to_token_endpoint`
|
|
113
|
+
property can be used to add the attribute to the token request. Initial value is `true`, which means that the
|
|
114
|
+
scope attribute is included by default.
|
|
70
115
|
|
|
71
116
|
For the full low down on OpenID Connect, please check out
|
|
72
117
|
[the spec](http://openid.net/specs/openid-connect-core-1_0.html).
|
|
@@ -54,13 +54,11 @@ module OmniAuth
|
|
|
54
54
|
option :send_scope_to_token_endpoint, true
|
|
55
55
|
option :client_auth_method
|
|
56
56
|
option :post_logout_redirect_uri
|
|
57
|
+
option :extra_authorize_params, {}
|
|
57
58
|
option :uid_field, 'sub'
|
|
58
59
|
|
|
59
60
|
def uid
|
|
60
|
-
user_info.
|
|
61
|
-
rescue NoMethodError
|
|
62
|
-
log :warn, "User sub:#{user_info.sub} missing info field: #{options.uid_field}"
|
|
63
|
-
user_info.sub
|
|
61
|
+
user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
|
|
64
62
|
end
|
|
65
63
|
|
|
66
64
|
info do
|
|
@@ -110,14 +108,14 @@ module OmniAuth
|
|
|
110
108
|
error_description = params['error_description'] || params['error_reason']
|
|
111
109
|
invalid_state = params['state'].to_s.empty? || params['state'] != stored_state
|
|
112
110
|
|
|
113
|
-
raise CallbackError
|
|
114
|
-
raise CallbackError,
|
|
111
|
+
raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
|
|
112
|
+
raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
|
|
115
113
|
|
|
116
114
|
return unless valid_response_type?
|
|
117
115
|
|
|
118
116
|
options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
|
|
119
117
|
|
|
120
|
-
verify_id_token!
|
|
118
|
+
verify_id_token!(params['id_token']) if configured_response_type == 'id_token'
|
|
121
119
|
discover!
|
|
122
120
|
client.redirect_uri = redirect_uri
|
|
123
121
|
|
|
@@ -126,8 +124,10 @@ module OmniAuth
|
|
|
126
124
|
client.authorization_code = authorization_code
|
|
127
125
|
access_token
|
|
128
126
|
super
|
|
129
|
-
rescue CallbackError
|
|
130
|
-
fail!(
|
|
127
|
+
rescue CallbackError => e
|
|
128
|
+
fail!(e.error, e)
|
|
129
|
+
rescue ::Rack::OAuth2::Client::Error => e
|
|
130
|
+
fail!(e.response[:error], e)
|
|
131
131
|
rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
|
|
132
132
|
fail!(:timeout, e)
|
|
133
133
|
rescue ::SocketError => e
|
|
@@ -170,6 +170,9 @@ module OmniAuth
|
|
|
170
170
|
hd: options.hd,
|
|
171
171
|
acr_values: options.acr_values,
|
|
172
172
|
}
|
|
173
|
+
|
|
174
|
+
opts.merge!(options.extra_authorize_params) unless options.extra_authorize_params.empty?
|
|
175
|
+
|
|
173
176
|
client.authorization_uri(opts.reject { |_k, v| v.nil? })
|
|
174
177
|
end
|
|
175
178
|
|
|
@@ -202,10 +205,16 @@ module OmniAuth
|
|
|
202
205
|
end
|
|
203
206
|
|
|
204
207
|
def access_token
|
|
205
|
-
@access_token
|
|
208
|
+
return @access_token if @access_token
|
|
209
|
+
|
|
210
|
+
@access_token = client.access_token!(
|
|
206
211
|
scope: (options.scope if options.send_scope_to_token_endpoint),
|
|
207
212
|
client_auth_method: options.client_auth_method
|
|
208
213
|
)
|
|
214
|
+
|
|
215
|
+
verify_id_token!(decode_id_token(@access_token.id_token)) if configured_response_type == 'code'
|
|
216
|
+
|
|
217
|
+
@access_token
|
|
209
218
|
end
|
|
210
219
|
|
|
211
220
|
def decode_id_token(id_token)
|
|
@@ -320,21 +329,19 @@ module OmniAuth
|
|
|
320
329
|
@configured_response_type ||= options.response_type.to_s
|
|
321
330
|
end
|
|
322
331
|
|
|
323
|
-
def verify_id_token!
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
327
|
-
client_id: client_options.identifier,
|
|
328
|
-
nonce: stored_nonce)
|
|
332
|
+
def verify_id_token!(id_token)
|
|
333
|
+
decode_id_token(id_token).verify!(issuer: options.issuer,
|
|
334
|
+
client_id: client_options.identifier,
|
|
335
|
+
nonce: stored_nonce)
|
|
329
336
|
end
|
|
330
337
|
|
|
331
338
|
class CallbackError < StandardError
|
|
332
339
|
attr_accessor :error, :error_reason, :error_uri
|
|
333
340
|
|
|
334
|
-
def initialize(
|
|
335
|
-
self.error = error
|
|
336
|
-
self.error_reason =
|
|
337
|
-
self.error_uri =
|
|
341
|
+
def initialize(data)
|
|
342
|
+
self.error = data[:error]
|
|
343
|
+
self.error_reason = data[:reason]
|
|
344
|
+
self.error_uri = data[:uri]
|
|
338
345
|
end
|
|
339
346
|
|
|
340
347
|
def message
|
|
@@ -143,6 +143,13 @@ module OmniAuth
|
|
|
143
143
|
assert(strategy.authorize_uri =~ /acr_values=/, 'URI must contain acr_values')
|
|
144
144
|
end
|
|
145
145
|
|
|
146
|
+
def test_option_custom_attributes
|
|
147
|
+
strategy.options.client_options[:host] = 'foobar.com'
|
|
148
|
+
strategy.options.extra_authorize_params = {resource: 'xyz'}
|
|
149
|
+
|
|
150
|
+
assert(strategy.authorize_uri =~ /resource=xyz/, 'URI must contain custom params')
|
|
151
|
+
end
|
|
152
|
+
|
|
146
153
|
def test_uid
|
|
147
154
|
assert_equal user_info.sub, strategy.uid
|
|
148
155
|
|
|
@@ -163,7 +170,7 @@ module OmniAuth
|
|
|
163
170
|
strategy.options.issuer = 'example.com'
|
|
164
171
|
strategy.options.client_signing_alg = :RS256
|
|
165
172
|
strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
|
|
166
|
-
strategy.options.response_type =
|
|
173
|
+
strategy.options.response_type = 'code'
|
|
167
174
|
|
|
168
175
|
strategy.unstub(:user_info)
|
|
169
176
|
access_token = stub('OpenIDConnect::AccessToken')
|
|
@@ -175,6 +182,12 @@ module OmniAuth
|
|
|
175
182
|
client.expects(:access_token!).at_least_once.returns(access_token)
|
|
176
183
|
access_token.expects(:userinfo!).returns(user_info)
|
|
177
184
|
|
|
185
|
+
id_token = stub('OpenIDConnect::ResponseObject::IdToken')
|
|
186
|
+
id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
|
|
187
|
+
id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
|
|
188
|
+
::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
|
|
189
|
+
id_token.expects(:verify!)
|
|
190
|
+
|
|
178
191
|
strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
|
|
179
192
|
strategy.callback_phase
|
|
180
193
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth_openid_connect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- John Bohn
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2020-05-21 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: addressable
|
|
@@ -201,6 +201,9 @@ executables: []
|
|
|
201
201
|
extensions: []
|
|
202
202
|
extra_rdoc_files: []
|
|
203
203
|
files:
|
|
204
|
+
- ".github/config/rubocop_linter_action.yml"
|
|
205
|
+
- ".github/stale.yml"
|
|
206
|
+
- ".github/workflows/rubocop.yml"
|
|
204
207
|
- ".gitignore"
|
|
205
208
|
- ".rubocop.yml"
|
|
206
209
|
- ".travis.yml"
|
|
@@ -241,7 +244,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
241
244
|
- !ruby/object:Gem::Version
|
|
242
245
|
version: '0'
|
|
243
246
|
requirements: []
|
|
244
|
-
rubygems_version: 3.0.
|
|
247
|
+
rubygems_version: 3.0.6
|
|
245
248
|
signing_key:
|
|
246
249
|
specification_version: 4
|
|
247
250
|
summary: OpenID Connect Strategy for OmniAuth
|