omniauth_openid_connect 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7b5060fd9a0536e2740b340c56459f76b628912dea1ad54da415c2453921e6e3
-  data.tar.gz: ada9bd68c69837538cd485ce0595525b2109feb0f79611a3ceb06fa1bf7eed96
+  metadata.gz: 34218d7218e2aca766623a1252b641baa20d81330cfd38c67a733f9221d76aad
+  data.tar.gz: 54f874832122f3cc1444280d8820d222a4dff7ef4c3580eb899d4da1efb38051
 SHA512:
-  metadata.gz: 24c424fb608e45beba966b6914accdfad6e5af277c9428c94d3aec4ab3f4c010bfa66117a42d6ad1f57de9ea6d6d3ff99eaa5a33bdcbc753d1b7db568f3e870b
-  data.tar.gz: f2ebfcd68b35425cc656ecaa58151b962d0bc96a4023f1bfcf312e363e2e0878c298bc90d7fc70104220b71cdbc77346b3f64c4653222b8df1110a12bb249dd0
+  metadata.gz: e4465213a06e82fd61d9997d0ec1b9f993620dead092add6ba2f07b34aa08dca53bcb63d92a256839c7310478c89ecff9359778e5721cf1cc6dcc300e5d780f8
+  data.tar.gz: 8fdbda1f579f271f6273a6380a7a9cf581b4b1239b589a1e2cb98799b8731056c3ec222c519e445d95387749ab62b58839e4005906938e0e1f76b9d396e76565

data/.github/workflows/main.yml

@@ -9,12 +9,12 @@ on:
     types: [opened, synchronize, reopened]
 
 jobs:
-  base:
+  test:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        ruby: ["2.5", "2.6", "2.7", "3.0"]
+        ruby: ["2.5", "2.6", "2.7", "3.0", "3.1"]
     name: Ruby ${{ matrix.ruby }}
 
     steps:
@@ -29,3 +29,35 @@ jobs:
 
       - name: Run tests
         run: bundle exec rake
+
+      - name: Coveralls Parallel
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.github_token }}
+          flag-name: ruby-${{ matrix.ruby }}
+          parallel: true
+
+  finish:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Coveralls Finished
+      uses: coverallsapp/github-action@master
+      with:
+        github-token: ${{ secrets.github_token }}
+        parallel-finished: true
+
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          ruby-version: "2.7"
+
+      - name: rubocop
+        run: bundle exec rubocop --parallel

data/.rubocop.yml

@@ -58,7 +58,4 @@ Metrics/MethodLength:
 
 AllCops:
   Exclude:
-    - bin/**/*
-    - Rakefile
-    - config/**/*
-    - test/**/*
+    - vendor/bundle/**/*

data/CHANGELOG.md

@@ -1,4 +1,12 @@
-# v0.4.0 (02.05.2021)
+# v0.5.0 (26.12.2022)
+
+- Support the "nonce" parameter forwarding without a session [#130](https://github.com/omniauth/omniauth_openid_connect/pull/130)
+- Fetch key from JWKS URI if available [#133](https://github.com/omniauth/omniauth_openid_connect/pull/133)
+- Make the state parameter verification optional [#122](https://github.com/omniauth/omniauth_openid_connect/pull/122)
+- Add email_verified claim in user info [#131](https://github.com/omniauth/omniauth_openid_connect/pull/131)
+- Add PKCE verification support [#128](https://github.com/omniauth/omniauth_openid_connect/pull/128)
+
+# v0.4.0 (06.02.2022)
 
 - Support dynamic parameters to the authorize URI [#90](https://github.com/omniauth/omniauth_openid_connect/pull/90)
 - Upgrade Faker and replace Travis with Github Actions [#102](https://github.com/omniauth/omniauth_openid_connect/pull/102)

data/Gemfile

@@ -2,3 +2,9 @@
 
 source 'https://rubygems.org'
 gemspec
+
+if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('3.1')
+  gem 'net-imap', require: false
+  gem 'net-pop', require: false
+  gem 'net-smtp', require: false
+end

data/README.md

@@ -1,12 +1,3 @@
-# Maintainers Wanted
-
-This project is looking for maintainers.
-
-Due to lack of using this gem in my projects I have no time to keep it alive.
-Feel free to open an issue if you interested.
-
-_This project is built and maintained 100% voluntarily._
-
 # OmniAuth::OpenIDConnect
 
 Originally was [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect)
@@ -14,6 +5,7 @@ Originally was [omniauth-openid-connect](https://github.com/jjbohn/omniauth-open
 I've forked this repository and launch as separate gem because maintaining of original was dropped.
 
 [![Build Status](https://github.com/omniauth/omniauth_openid_connect/actions/workflows/main.yml/badge.svg)](https://github.com/omniauth/omniauth_openid_connect/actions/workflows/main.yml)
+[![Coverage Status](https://coveralls.io/repos/github/omniauth/omniauth_openid_connect/badge.svg)](https://coveralls.io/github/omniauth/omniauth_openid_connect)
 
 ## Installation
 
@@ -31,7 +23,7 @@ Or install it yourself as:
 
 ## Supported Ruby Versions
 
-OmniAuth::OpenIDConnect is tested under 2.4, 2.5, 2.6, 2.7
+OmniAuth::OpenIDConnect is tested under 2.5, 2.6, 2.7, 3.0, 3.1
 
 ## Usage
 
@@ -55,24 +47,28 @@ config.omniauth :openid_connect, {
 
 ### Options Overview
 
-| Field                        | Description                                                                                                                                                   | Required | Default                    | Example/Options                                     |
-|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------|-----------------------------------------------------|
-| name                         | Arbitrary string to identify connection and identify it from other openid_connect providers                                                                                                                        | no       | String: openid_connect     | :my_idp                                             |
-| issuer                       | Root url for the authorization server                                                                                                                         | yes      |                            | https://myprovider.com                              |
-| discovery                    | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no       | false                      | one of: true, false                                 |
-| client_auth_method           | Which authentication method to use to authenticate your app with the authorization server                                                                     | no       | Sym: basic                 | "basic", "jwks"                                     |
-| scope                        | Which OpenID scopes to include (:openid is always required)                                                                                                   | no       | Array<sym> [:openid]       | [:openid, :profile, :email]                         |
-| response_type                | Which OAuth2 response type to use with the authorization request                                                                                              | no       | String: code               | one of: 'code', 'id_token'                          |
-| state                        | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string.                                        | no       | Random 16 character string | Proc.new { SecureRandom.hex(32) }                   |
-| response_mode                | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)                                                              | no       | nil                        | one of: :query, :fragment, :form_post, :web_message |
-| display                      | An optional parameter to the authorization request to determine how the authorization and consent page                                                        | no       | nil                        | one of: :page, :popup, :touch, :wap                 |
-| prompt                       | An optional parameter to the authrization request to determine what pages the user will be shown                                                              | no       | nil                        | one of: :none, :login, :consent, :select_account    |
-| send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint?                                                                                       | no       | true                       | one of: true, false                                 |
-| post_logout_redirect_uri     | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                   | no       | empty                      | https://myapp.com/logout/callback                   |
-| uid_field                    | The field of the user info response to be used as a unique id                                                                                                 | no       | 'sub'                      | "sub", "preferred_username"                         |
-| extra_authorize_params       | A hash of extra fixed parameters that will be merged to the authorization request                                                                             | no       | Hash                       | {"tenant" => "common"}                              |
-| allow_authorize_params       | A list of allowed dynamic parameters that will be merged to the authorization request                                                                         | no       | Array                      | [:screen_name]                                      |
-| client_options               | A hash of client options detailed in its own section                                                                                                          | yes      |                            |                                                     |
+| Field                        | Description                                                                                                                                                   | Required | Default                       | Example/Options                                     |
+|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------------|-----------------------------------------------------|
+| name                         | Arbitrary string to identify connection and identify it from other openid_connect providers                                                                   | no       | String: openid_connect        | :my_idp                                             |
+| issuer                       | Root url for the authorization server                                                                                                                         | yes      |                               | https://myprovider.com                              |
+| discovery                    | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no       | false                         | one of: true, false                                 |
+| client_auth_method           | Which authentication method to use to authenticate your app with the authorization server                                                                     | no       | Sym: basic                    | "basic", "jwks"                                     |
+| scope                        | Which OpenID scopes to include (:openid is always required)                                                                                                   | no       | Array<sym> [:openid]          | [:openid, :profile, :email]                         |
+| response_type                | Which OAuth2 response type to use with the authorization request                                                                                              | no       | String: code                  | one of: 'code', 'id_token'                          |
+| state                        | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string.                                        | no       | Random 16 character string    | Proc.new { SecureRandom.hex(32) }                   |
+| require_state                | Should state param be verified - this is recommended, not required by the OIDC specification                                                                  | no       | true                          | false                                               |
+| response_mode                | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)                                                              | no       | nil                           | one of: :query, :fragment, :form_post, :web_message |
+| display                      | An optional parameter to the authorization request to determine how the authorization and consent page                                                        | no       | nil                           | one of: :page, :popup, :touch, :wap                 |
+| prompt                       | An optional parameter to the authrization request to determine what pages the user will be shown                                                              | no       | nil                           | one of: :none, :login, :consent, :select_account    |
+| send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint?                                                                                       | no       | true                          | one of: true, false                                 |
+| post_logout_redirect_uri     | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                   | no       | empty                         | https://myapp.com/logout/callback                   |
+| uid_field                    | The field of the user info response to be used as a unique id                                                                                                 | no       | 'sub'                         | "sub", "preferred_username"                         |
+| extra_authorize_params       | A hash of extra fixed parameters that will be merged to the authorization request                                                                             | no       | Hash                          | {"tenant" => "common"}                              |
+| allow_authorize_params       | A list of allowed dynamic parameters that will be merged to the authorization request                                                                         | no       | Array                         | [:screen_name]                                      |
+| pkce                         | Enable [PKCE flow](https://oauth.net/2/pkce/)                                                                                                                 | no       | false                         | one of: true, false                                 |
+| pkce_verifier                | Specify a custom PKCE verifier code.                                                                                                                          | no       | A random 128-char string      | Proc.new { SecureRandom.hex(64) }                   |
+| pkce_options                 | Specify a custom implementation of the PKCE code challenge/method.                                                                                            | no       | SHA256(code_challenge) in hex | Proc to customise the code challenge generation     |
+| client_options               | A hash of client options detailed in its own section                                                                                                          | yes      |                               |                                                     |
 
 ### Client Config Options
 
@@ -102,7 +98,7 @@ These are the configuration options for the client_options hash of the configura
 
   * `response_type` tells the authorization server which grant type the application wants to use,
   currently, only `:code` (Authorization Code grant) and `:id_token` (Implicit grant) are valid.
-  * If you want to pass `state` paramete by yourself. You can set Proc Object.
+  * If you want to pass `state` parameter by yourself. You can set Proc Object.
   e.g. `state: Proc.new { SecureRandom.hex(32) }`
   * `nonce` is optional. If don't want to pass "nonce" parameter to provider, You should specify
   `false` to `send_nonce` option. (default true)
@@ -124,6 +120,11 @@ These are the configuration options for the client_options hash of the configura
   property can be used to add the attribute to the token request. Initial value is `true`, which means that the
   scope attribute is included by default.
 
+## Additional notes
+  * In some cases, you may want to go straight to the callback phase - e.g. when requested by a stateless client, like a mobile app.
+  In such example, the session is empty, so you have to forward certain parameters received from the client.
+  Currently supported ones are `code_verifier` and `nonce` - simply provide them as the `/callback` request parameters.
+
 For the full low down on OpenID Connect, please check out
 [the spec](http://openid.net/specs/openid-connect-core-1_0.html).
 

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'bundler/gem_tasks'
 require 'rake/testtask'
 

data/lib/omniauth/openid_connect/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module OpenIDConnect
-    VERSION = '0.4.0'
+    VERSION = '0.5.0'
   end
 end

data/lib/omniauth/strategies/openid_connect.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'addressable/uri'
 require 'timeout'
 require 'net/http'
 require 'open-uri'
@@ -10,7 +9,7 @@ require 'forwardable'
 
 module OmniAuth
   module Strategies
-    class OpenIDConnect
+    class OpenIDConnect # rubocop:disable Metrics/ClassLength
       include OmniAuth::Strategy
       extend Forwardable
 
@@ -41,6 +40,7 @@ module OmniAuth
       option :client_x509_signing_key
       option :scope, [:openid]
       option :response_type, 'code' # ['code', 'id_token']
+      option :require_state, true
       option :state
       option :response_mode # [:query, :fragment, :form_post, :web_message]
       option :display, nil # [:page, :popup, :touch, :wap]
@@ -57,6 +57,14 @@ module OmniAuth
       option :extra_authorize_params, {}
       option :allow_authorize_params, []
       option :uid_field, 'sub'
+      option :pkce, false
+      option :pkce_verifier, nil
+      option :pkce_options, {
+        code_challenge: proc { |verifier|
+          Base64.urlsafe_encode64(Digest::SHA2.digest(verifier), padding: false)
+        },
+        code_challenge_method: 'S256',
+      }
 
       def uid
         user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
@@ -66,6 +74,7 @@ module OmniAuth
         {
           name: user_info.name,
           email: user_info.email,
+          email_verified: user_info.email_verified,
           nickname: user_info.preferred_username,
           first_name: user_info.given_name,
           last_name: user_info.family_name,
@@ -107,7 +116,7 @@ module OmniAuth
       def callback_phase
         error = params['error_reason'] || params['error']
         error_description = params['error_description'] || params['error_reason']
-        invalid_state = params['state'].to_s.empty? || params['state'] != stored_state
+        invalid_state = (options.require_state && params['state'].to_s.empty?) || params['state'] != stored_state
 
         raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
         raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
@@ -178,17 +187,40 @@ module OmniAuth
           opts[key] = request.params[key.to_s] unless opts.key?(key)
         end
 
+        if options.pkce
+          verifier = options.pkce_verifier ? options.pkce_verifier.call : SecureRandom.hex(64)
+
+          opts.merge!(pkce_authorize_params(verifier))
+          session['omniauth.pkce.verifier'] = verifier
+        end
+
         client.authorization_uri(opts.reject { |_k, v| v.nil? })
       end
 
       def public_key
-        return config.jwks if options.discovery
+        @public_key ||= if options.discovery
+                          config.jwks
+                        elsif key_or_secret
+                          key_or_secret
+                        elsif client_options.jwks_uri
+                          fetch_key
+                        end
+      end
 
-        key_or_secret || config.jwks
+      def pkce_authorize_params(verifier)
+        # NOTE: see https://tools.ietf.org/html/rfc7636#appendix-A
+        {
+          code_challenge: options.pkce_options[:code_challenge].call(verifier),
+          code_challenge_method: options.pkce_options[:code_challenge_method],
+        }
       end
 
       private
 
+      def fetch_key
+        @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get_content(client_options.jwks_uri))
+      end
+
       def issuer
         resource = "#{ client_options.scheme }://#{ client_options.host }"
         resource = "#{ resource }:#{ client_options.port }" if client_options.port
@@ -220,11 +252,14 @@ module OmniAuth
       def access_token
         return @access_token if @access_token
 
-        @access_token = client.access_token!(
+        token_request_params = {
           scope: (options.scope if options.send_scope_to_token_endpoint),
-          client_auth_method: options.client_auth_method
-        )
+          client_auth_method: options.client_auth_method,
+        }
+
+        token_request_params[:code_verifier] = params['code_verifier'] || session.delete('omniauth.pkce.verifier') if options.pkce
 
+        @access_token = client.access_token!(token_request_params)
         verify_id_token!(@access_token.id_token) if configured_response_type == 'code'
 
         @access_token
@@ -274,16 +309,17 @@ module OmniAuth
       end
 
       def key_or_secret
-        case options.client_signing_alg
-        when :HS256, :HS384, :HS512
-          client_options.secret
-        when :RS256, :RS384, :RS512
-          if options.client_jwk_signing_key
-            parse_jwk_key(options.client_jwk_signing_key)
-          elsif options.client_x509_signing_key
-            parse_x509_key(options.client_x509_signing_key)
+        @key_or_secret ||=
+          case options.client_signing_alg&.to_sym
+          when :HS256, :HS384, :HS512
+            client_options.secret
+          when :RS256, :RS384, :RS512
+            if options.client_jwk_signing_key
+              parse_jwk_key(options.client_jwk_signing_key)
+            elsif options.client_x509_signing_key
+              parse_x509_key(options.client_x509_signing_key)
+            end
           end
-        end
       end
 
       def parse_x509_key(key)
@@ -353,7 +389,7 @@ module OmniAuth
 
         decode_id_token(id_token).verify!(issuer: options.issuer,
                                           client_id: client_options.identifier,
-                                          nonce: stored_nonce)
+                                          nonce: params['nonce'].presence || stored_nonce)
       end
 
       class CallbackError < StandardError

data/omniauth_openid_connect.gemspec

@@ -27,10 +27,8 @@ Gem::Specification.new do |spec|
     'rubygems_mfa_required' => 'true',
   }
 
-  spec.add_dependency 'addressable', '~> 2.5'
   spec.add_dependency 'omniauth', '>= 1.9', '< 3'
   spec.add_dependency 'openid_connect', '~> 1.1'
-  spec.add_development_dependency 'coveralls', '~> 0.8'
   spec.add_development_dependency 'faker', '~> 2.0'
   spec.add_development_dependency 'guard', '~> 2.14'
   spec.add_development_dependency 'guard-bundler', '~> 2.2'
@@ -39,5 +37,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'mocha', '~> 1.7'
   spec.add_development_dependency 'rake', '~> 12.0'
   spec.add_development_dependency 'rubocop', '~> 1.12'
-  spec.add_development_dependency 'simplecov', '~> 0.12'
+  spec.add_development_dependency 'simplecov', '~> 0.21'
+  spec.add_development_dependency 'simplecov-lcov', '~> 0.8'
 end

data/test/lib/omniauth/strategies/openid_connect_test.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 require_relative '../../../test_helper'
 
 module OmniAuth
   module Strategies
-    class OpenIDConnectTest < StrategyTestCase
+    class OpenIDConnectTest < StrategyTestCase # rubocop:disable Metrics/ClassLength
       def test_client_options_defaults
         assert_equal 'https', strategy.options.client_options.scheme
         assert_equal 443, strategy.options.client_options.port
@@ -11,7 +13,7 @@ module OmniAuth
       end
 
       def test_request_phase
-        expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}$/
+        expected_redirect = %r{^https://example\.com/authorize\?client_id=1234&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}$}
         strategy.options.issuer = 'example.com'
         strategy.options.client_options.host = 'example.com'
         strategy.expects(:redirect).with(regexp_matches(expected_redirect))
@@ -19,7 +21,7 @@ module OmniAuth
       end
 
       def test_logout_phase_with_discovery
-        expected_redirect = %r{^https:\/\/example\.com\/logout$}
+        expected_redirect = %r{^https://example\.com/logout$}
         strategy.options.client_options.host = 'example.com'
         strategy.options.discovery = true
 
@@ -78,7 +80,7 @@ module OmniAuth
       end
 
       def test_request_phase_with_params
-        expected_redirect = /^https:\/\/example\.com\/authorize\?claims_locales=es&client_id=1234&login_hint=john.doe%40example.com&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}&ui_locales=en$/
+        expected_redirect = %r{^https://example\.com/authorize\?claims_locales=es&client_id=1234&login_hint=john.doe%40example.com&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}&ui_locales=en$}
         strategy.options.issuer = 'example.com'
         strategy.options.client_options.host = 'example.com'
         request.stubs(:params).returns('login_hint' => 'john.doe@example.com', 'ui_locales' => 'en', 'claims_locales' => 'es')
@@ -88,7 +90,7 @@ module OmniAuth
       end
 
       def test_request_phase_with_discovery
-        expected_redirect = /^https:\/\/example\.com\/authorization\?client_id=1234&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}$/
+        expected_redirect = %r{^https://example\.com/authorization\?client_id=1234&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}$}
         strategy.options.client_options.host = 'example.com'
         strategy.options.discovery = true
 
@@ -115,7 +117,7 @@ module OmniAuth
       end
 
       def test_request_phase_with_response_mode
-        expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=id_token&scope=openid&state=\w{32}$/
+        expected_redirect = %r{^https://example\.com/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=id_token&scope=openid&state=\w{32}$}
         strategy.options.issuer = 'example.com'
         strategy.options.response_mode = 'form_post'
         strategy.options.response_type = 'id_token'
@@ -126,7 +128,7 @@ module OmniAuth
       end
 
       def test_request_phase_with_response_mode_symbol
-        expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=id_token&scope=openid&state=\w{32}$/
+        expected_redirect = %r{^https://example\.com/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=id_token&scope=openid&state=\w{32}$}
         strategy.options.issuer = 'example.com'
         strategy.options.response_mode = 'form_post'
         strategy.options.response_type = :id_token
@@ -139,25 +141,26 @@ module OmniAuth
       def test_option_acr_values
         strategy.options.client_options[:host] = 'foobar.com'
 
-        assert(!(strategy.authorize_uri =~ /acr_values=/), 'URI must not contain acr_values')
+        refute_match(/acr_values=/, strategy.authorize_uri, 'URI must not contain acr_values')
 
         strategy.options.acr_values = 'urn:some:acr:values:value'
-        assert(strategy.authorize_uri =~ /acr_values=/, 'URI must contain acr_values')
+        assert_match(/acr_values=/, strategy.authorize_uri, 'URI must contain acr_values')
       end
 
       def test_option_custom_attributes
         strategy.options.client_options[:host] = 'foobar.com'
-        strategy.options.extra_authorize_params = {resource: 'xyz'}
+        strategy.options.extra_authorize_params = { resource: 'xyz' }
 
         assert(strategy.authorize_uri =~ /resource=xyz/, 'URI must contain custom params')
       end
 
       def test_request_phase_with_allowed_params
         strategy.options.issuer = 'example.com'
-        strategy.options.allow_authorize_params = [:name, :logo, :resource]
-        strategy.options.extra_authorize_params = {resource: 'xyz'}
+        strategy.options.allow_authorize_params = %i[name logo resource]
+        strategy.options.extra_authorize_params = { resource: 'xyz' }
         strategy.options.client_options.host = 'example.com'
-        request.stubs(:params).returns('name' => 'example', 'logo' => 'example_logo', 'resource' => 'abc', 'not_allowed' => 'filter_me')
+        request.stubs(:params).returns('name' => 'example', 'logo' => 'example_logo', 'resource' => 'abc',
+                                       'not_allowed' => 'filter_me')
 
         assert(strategy.authorize_uri =~ /resource=xyz/, 'URI must contain fixed param resource')
         assert(strategy.authorize_uri =~ /name=example/, 'URI must contain dynamic param name')
@@ -175,16 +178,15 @@ module OmniAuth
         assert_equal user_info.sub, strategy.uid
       end
 
-      def test_callback_phase(session = {}, params = {})
+      def test_callback_phase(_session = {}, _params = {}) # rubocop:disable Metrics/AbcSize
         code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
         request.stubs(:path).returns('')
 
         strategy.options.issuer = 'example.com'
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_s
         strategy.options.response_type = 'code'
 
         strategy.unstub(:user_info)
@@ -193,7 +195,7 @@ module OmniAuth
         access_token.stubs(:refresh_token)
         access_token.stubs(:expires_in)
         access_token.stubs(:scope)
-        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        access_token.stubs(:id_token).returns(jwt.to_s)
         client.expects(:access_token!).at_least_once.returns(access_token)
         access_token.expects(:userinfo!).returns(user_info)
 
@@ -208,15 +210,13 @@ module OmniAuth
       end
 
       def test_callback_phase_with_id_token
-        code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
-        request.stubs(:params).returns('id_token' => code, 'state' => state)
+        request.stubs(:params).returns('id_token' => jwt.to_s, 'state' => state)
         request.stubs(:path).returns('')
 
         strategy.options.issuer = 'example.com'
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_json
         strategy.options.response_type = 'id_token'
 
         strategy.unstub(:user_info)
@@ -225,7 +225,7 @@ module OmniAuth
         access_token.stubs(:refresh_token)
         access_token.stubs(:expires_in)
         access_token.stubs(:scope)
-        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        access_token.stubs(:id_token).returns(jwt.to_s)
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
         id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
@@ -237,13 +237,85 @@ module OmniAuth
         strategy.callback_phase
       end
 
-      def test_callback_phase_with_discovery
+      def test_callback_phase_with_id_token_and_param_provided_nonce # rubocop:disable Metrics/AbcSize
         code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
         nonce = SecureRandom.hex(16)
-        jwks = JSON::JWK::Set.new(JSON.parse(File.read('test/fixtures/jwks.json'))['keys'])
+        request.stubs(:params).returns('code' => code, 'state' => state, 'nonce' => nonce)
+        request.stubs(:path).returns('')
 
-        request.stubs(:params).returns('code' => code, 'state' => state)
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_signing_alg = :RS256
+        strategy.options.client_jwk_signing_key = jwks.to_s
+        strategy.options.response_type = 'code'
+
+        strategy.unstub(:user_info)
+        access_token = stub('OpenIDConnect::AccessToken')
+        access_token.stubs(:access_token)
+        access_token.stubs(:refresh_token)
+        access_token.stubs(:expires_in)
+        access_token.stubs(:scope)
+        access_token.stubs(:id_token).returns(jwt.to_s)
+        client.expects(:access_token!).at_least_once.returns(access_token)
+        access_token.expects(:userinfo!).returns(user_info)
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
+        id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
+        id_token.expects(:verify!)
+
+        strategy.expects(:decode_id_token).twice.with(access_token.id_token).returns(id_token)
+        strategy.call!('rack.session' => { 'omniauth.state' => state })
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_discovery # rubocop:disable Metrics/AbcSize
+        state = SecureRandom.hex(16)
+
+        request.stubs(:params).returns('code' => jwt.to_s, 'state' => state)
+        request.stubs(:path).returns('')
+
+        strategy.options.client_options.host = 'example.com'
+        strategy.options.discovery = true
+
+        issuer = stub('OpenIDConnect::Discovery::Issuer')
+        issuer.stubs(:issuer).returns('https://example.com/')
+        ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
+
+        config = stub('OpenIDConnect::Discovery::Provder::Config')
+        config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
+        config.stubs(:token_endpoint).returns('https://example.com/token')
+        config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
+        config.stubs(:jwks_uri).returns('https://example.com/jwks')
+        config.stubs(:jwks).returns(JSON::JWK::Set.new(jwks['keys']))
+
+        ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
+        id_token.stubs(:verify!).with(issuer: 'https://example.com/', client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+
+        strategy.unstub(:user_info)
+        access_token = stub('OpenIDConnect::AccessToken')
+        access_token.stubs(:access_token)
+        access_token.stubs(:refresh_token)
+        access_token.stubs(:expires_in)
+        access_token.stubs(:scope)
+        access_token.stubs(:id_token).returns(jwt.to_s)
+        client.expects(:access_token!).at_least_once.returns(access_token)
+        access_token.expects(:userinfo!).returns(user_info)
+
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_no_state_without_state_verification # rubocop:disable Metrics/AbcSize
+        code = SecureRandom.hex(16)
+
+        strategy.options.require_state = false
+
+        request.stubs(:params).returns('code' => code)
         request.stubs(:path).returns('')
 
         strategy.options.client_options.host = 'example.com'
@@ -258,7 +330,7 @@ module OmniAuth
         config.stubs(:token_endpoint).returns('https://example.com/token')
         config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
         config.stubs(:jwks_uri).returns('https://example.com/jwks')
-        config.stubs(:jwks).returns(jwks)
+        config.stubs(:jwks).returns(JSON::JWK::Set.new(jwks['keys']))
 
         ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
 
@@ -273,21 +345,67 @@ module OmniAuth
         access_token.stubs(:refresh_token)
         access_token.stubs(:expires_in)
         access_token.stubs(:scope)
-        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        access_token.stubs(:id_token).returns(jwt.to_s)
         client.expects(:access_token!).at_least_once.returns(access_token)
         access_token.expects(:userinfo!).returns(user_info)
 
+        strategy.call!('rack.session' => { 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_invalid_state_without_state_verification
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+
+        strategy.options.require_state = false
+
+        request.stubs(:params).returns('code' => code, 'state' => 'foobar')
+        request.stubs(:path).returns('')
+
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.expects(:fail!)
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_jwks_uri
+        id_token = jwt.to_s
+        state = SecureRandom.hex(16)
+        request.stubs(:params).returns('id_token' => id_token, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_options.jwks_uri = 'https://jwks.example.com'
+        strategy.options.response_type = 'id_token'
+
+        HTTPClient
+          .any_instance.stubs(:get_content)
+          .with(strategy.options.client_options.jwks_uri)
+          .returns(jwks.to_json)
+
+        strategy.unstub(:user_info)
+        access_token = stub('OpenIDConnect::AccessToken')
+        access_token.stubs(:access_token)
+        access_token.stubs(:refresh_token)
+        access_token.stubs(:expires_in)
+        access_token.stubs(:scope)
+        access_token.stubs(:id_token).returns(id_token)
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
+        id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+        id_token.expects(:verify!)
+
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
         strategy.callback_phase
       end
 
       def test_callback_phase_with_error
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('error' => 'invalid_request')
         request.stubs(:path).returns('')
 
-        strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+        strategy.call!({ 'rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce } })
         strategy.expects(:fail!)
         strategy.callback_phase
       end
@@ -295,7 +413,6 @@ module OmniAuth
       def test_callback_phase_with_invalid_state
         code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => 'foobar')
         request.stubs(:path).returns('')
 
@@ -306,7 +423,6 @@ module OmniAuth
 
       def test_callback_phase_without_code
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('state' => state)
         request.stubs(:path).returns('')
 
@@ -318,7 +434,6 @@ module OmniAuth
 
       def test_callback_phase_without_id_token
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('state' => state)
         request.stubs(:path).returns('')
         strategy.options.response_type = 'id_token'
@@ -331,7 +446,6 @@ module OmniAuth
 
       def test_callback_phase_without_id_token_symbol
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('state' => state)
         request.stubs(:path).returns('')
         strategy.options.response_type = :id_token
@@ -345,7 +459,6 @@ module OmniAuth
       def test_callback_phase_with_timeout
         code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
         request.stubs(:path).returns('')
 
@@ -365,7 +478,6 @@ module OmniAuth
       def test_callback_phase_with_etimeout
         code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
         request.stubs(:path).returns('')
 
@@ -385,7 +497,6 @@ module OmniAuth
       def test_callback_phase_with_socket_error
         code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
         request.stubs(:path).returns('')
 
@@ -405,7 +516,6 @@ module OmniAuth
       def test_callback_phase_with_rack_oauth2_client_error
         code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => state)
         request.stubs(:path).returns('')
 
@@ -426,6 +536,7 @@ module OmniAuth
         info = strategy.info
         assert_equal user_info.name, info[:name]
         assert_equal user_info.email, info[:email]
+        assert_equal user_info.email_verified, info[:email_verified]
         assert_equal user_info.preferred_username, info[:nickname]
         assert_equal user_info.given_name, info[:first_name]
         assert_equal user_info.family_name, info[:last_name]
@@ -442,7 +553,7 @@ module OmniAuth
       def test_credentials
         strategy.options.issuer = 'example.com'
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_json
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
         id_token.stubs(:verify!).returns(true)
@@ -453,7 +564,7 @@ module OmniAuth
         access_token.stubs(:refresh_token).returns(SecureRandom.hex(16))
         access_token.stubs(:expires_in).returns(Time.now)
         access_token.stubs(:scope).returns('openidconnect')
-        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        access_token.stubs(:id_token).returns(jwt.to_s)
 
         client.expects(:access_token!).returns(access_token)
         access_token.expects(:refresh_token).returns(access_token.refresh_token)
@@ -465,7 +576,7 @@ module OmniAuth
             token: access_token.access_token,
             refresh_token: access_token.refresh_token,
             expires_in: access_token.expires_in,
-            scope: access_token.scope
+            scope: access_token.scope,
           },
           strategy.credentials
         )
@@ -473,11 +584,10 @@ module OmniAuth
 
       def test_option_send_nonce
         strategy.options.client_options[:host] = 'foobar.com'
-
-        assert(strategy.authorize_uri =~ /nonce=/, 'URI must contain nonce')
+        assert_match(/nonce/, strategy.authorize_uri, 'URI must contain nonce')
 
         strategy.options.send_nonce = false
-        assert(!(strategy.authorize_uri =~ /nonce=/), 'URI must not contain nonce')
+        refute_match(/nonce/, strategy.authorize_uri, 'URI must not contain nonce')
       end
 
       def test_failure_endpoint_redirect
@@ -487,9 +597,9 @@ module OmniAuth
 
         result = strategy.callback_phase
 
-        assert(result.is_a? Array)
+        assert(result.is_a?(Array))
         assert(result[0] == 302, 'Redirect')
-        assert(result[1]["Location"] =~ /\/auth\/failure/)
+        assert(result[1]['Location'] =~ %r{/auth/failure})
       end
 
       def test_state
@@ -518,7 +628,7 @@ module OmniAuth
       def test_dynamic_state
         # Stub request parameters
         request.stubs(:path).returns('')
-        strategy.call!('rack.session' => { }, QUERY_STRING: { state: 'abc', client_id: '123' } )
+        strategy.call!('rack.session' => {}, QUERY_STRING: { state: 'abc', client_id: '123' })
 
         strategy.options.state = lambda { |env|
           # Get params from request, e.g. CGI.parse(env['QUERY_STRING'])
@@ -534,18 +644,17 @@ module OmniAuth
 
       def test_option_client_auth_method
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
 
         opts = strategy.options.client_options
         opts[:host] = 'foobar.com'
         strategy.options.issuer = 'foobar.com'
         strategy.options.client_auth_method = :not_basic
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_json
 
         json_response = {
           access_token: 'test_access_token',
-          id_token: File.read('test/fixtures/id_token.txt'),
+          id_token: jwt.to_s,
           token_type: 'Bearer',
         }.to_json
         success = Struct.new(:status, :body).new(200, json_response)
@@ -563,21 +672,19 @@ module OmniAuth
           {}
         ).returns(success)
 
-        assert(strategy.send :access_token)
+        assert(strategy.send(:access_token))
       end
 
       def test_public_key_with_jwks
         strategy.options.client_signing_alg = :RS256
-        strategy.options.client_jwk_signing_key = File.read('./test/fixtures/jwks.json')
+        strategy.options.client_jwk_signing_key = jwks.to_json
 
         assert_equal JSON::JWK::Set, strategy.public_key.class
       end
 
       def test_public_key_with_jwk
         strategy.options.client_signing_alg = :RS256
-        jwks_str = File.read('./test/fixtures/jwks.json')
-        jwks = JSON.parse(jwks_str)
-        jwk = jwks['keys'].first
+        jwk = jwks[:keys].first
         strategy.options.client_jwk_signing_key = jwk.to_json
 
         assert_equal JSON::JWK, strategy.public_key.class
@@ -597,22 +704,12 @@ module OmniAuth
 
       def test_id_token_auth_hash
         state = SecureRandom.hex(16)
-        nonce = SecureRandom.hex(16)
         strategy.options.response_type = 'id_token'
         strategy.options.issuer = 'example.com'
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
         id_token.stubs(:verify!).returns(true)
-        id_token.stubs(:raw_attributes, :to_h).returns(
-          {
-            "iss": "http://server.example.com",
-            "sub": "248289761001",
-            "aud": "s6BhdRkqt3",
-            "nonce": "n-0S6_WzA2Mj",
-            "exp": 1311281970,
-            "iat": 1311280970,
-          }
-        )
+        id_token.stubs(:raw_attributes, :to_h).returns(payload)
 
         request.stubs(:params).returns('state' => state, 'nounce' => nonce, 'id_token' => id_token)
         request.stubs(:path).returns('')
@@ -630,6 +727,41 @@ module OmniAuth
         assert auth_hash.key?('extra')
         assert auth_hash['extra'].key?('raw_info')
       end
+
+      def test_option_pkce
+        strategy.options.client_options[:host] = 'example.com'
+
+        # test pkce disabled
+        strategy.options.pkce = false
+
+        assert((strategy.authorize_uri !~ /code_challenge=/), 'URI must not contain code challenge param')
+        assert((strategy.authorize_uri !~ /code_challenge_method=/), 'URI must not contain code challenge method param')
+
+        # test pkce enabled with default opts
+        strategy.options.pkce = true
+
+        assert(strategy.authorize_uri =~ /code_challenge=/, 'URI must contain code challenge param')
+        assert(strategy.authorize_uri =~ /code_challenge_method=/, 'URI must contain code challenge method param')
+
+        # test pkce with custom verifier code
+        strategy.options.pkce_verifier = proc { 'dummy_verifier' }
+        code_challenge_value = Base64.urlsafe_encode64(
+          Digest::SHA2.digest(strategy.options.pkce_verifier.call),
+          padding: false
+        )
+
+        assert(strategy.authorize_uri =~ /#{Regexp.quote(code_challenge_value)}/, 'URI must contain code challenge value')
+
+        # test pkce with custom options and plain text code
+        strategy.options.pkce_options =
+          {
+            code_challenge: proc { |verifier| verifier },
+            code_challenge_method: 'plain',
+          }
+
+        assert(strategy.authorize_uri =~ /#{Regexp.quote(strategy.options.pkce_verifier.call)}/,
+               'URI must contain code challenge value')
+      end
     end
   end
 end

data/test/strategy_test_case.rb

@@ -1,32 +1,64 @@
+# frozen_string_literal: true
+
 class StrategyTestCase < MiniTest::Test
   class DummyApp
     def call(env); end
   end
 
-  attr_accessor :identifier, :secret
+  attr_accessor :identifier, :secret, :issuer, :nonce
 
   def setup
     @identifier = '1234'
     @secret = '1234asdgat3'
+    @issuer = 'https://server.example.com'
+    @nonce = SecureRandom.hex(16)
   end
 
   def client
     strategy.client
   end
 
+  def payload
+    {
+      "iss": issuer,
+      "aud": identifier,
+      "sub": '248289761001',
+      "nonce": nonce,
+      "exp": Time.now.to_i + 1000,
+      "iat": Time.now.to_i,
+    }
+  end
+
+  def private_key
+    @private_key ||= OpenSSL::PKey::RSA.generate(512)
+  end
+
+  def jwt
+    @jwt ||= JSON::JWT.new(payload).sign(private_key, :RS256)
+  end
+
+  def jwks
+    @jwks ||= begin
+      key = JSON::JWK.new(private_key)
+      keyset = JSON::JWK::Set.new(key)
+      { keys: keyset }
+    end
+  end
+
   def user_info
     @user_info ||= OpenIDConnect::ResponseObject::UserInfo.new(
       sub: SecureRandom.hex(16),
       name: Faker::Name.name,
       email: Faker::Internet.email,
+      email_verified: Faker::Boolean.boolean,
       nickname: Faker::Name.first_name,
       preferred_username: Faker::Internet.user_name,
       given_name: Faker::Name.first_name,
       family_name: Faker::Name.last_name,
       gender: 'female',
-      picture: Faker::Internet.url + '.png',
+      picture: "#{Faker::Internet.url}.png",
       phone_number: Faker::PhoneNumber.phone_number,
-      website: Faker::Internet.url,
+      website: Faker::Internet.url
     )
   end
 

data/test/test_helper.rb

@@ -1,16 +1,26 @@
-lib = File.expand_path('../../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+# frozen_string_literal: true
 
 require 'simplecov'
-require 'coveralls'
 require 'minitest/autorun'
 require 'mocha/minitest'
 require 'faker'
 require 'active_support'
+
+SimpleCov.start do
+  if ENV['CI']
+    require 'simplecov-lcov'
+
+    SimpleCov::Formatter::LcovFormatter.config do |c|
+      c.report_with_single_file = true
+      c.single_report_path = 'coverage/lcov.info'
+    end
+
+    formatter SimpleCov::Formatter::LcovFormatter
+  end
+end
+
+lib = File.expand_path('../lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'omniauth_openid_connect'
 require_relative 'strategy_test_case'
-
-SimpleCov.command_name 'test'
-SimpleCov.start
-Coveralls.wear!
 OmniAuth.config.test_mode = true

metadata

@@ -1,30 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: omniauth_openid_connect
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - John Bohn
 - Ilya Shcherbinin
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-06 00:00:00.000000000 Z
+date: 2022-12-26 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: addressable
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.5'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.5'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -59,20 +45,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
-- !ruby/object:Gem::Dependency
-  name: coveralls
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.8'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.8'
 - !ruby/object:Gem::Dependency
   name: faker
   requirement: !ruby/object:Gem::Requirement
@@ -191,14 +163,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.12'
+        version: '0.21'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.21'
+- !ruby/object:Gem::Dependency
+  name: simplecov-lcov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.12'
+        version: '0.8'
 description: OpenID Connect Strategy for OmniAuth.
 email:
 - jjbohn@gmail.com
@@ -207,10 +193,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/config/rubocop_linter_action.yml"
 - ".github/stale.yml"
 - ".github/workflows/main.yml"
-- ".github/workflows/rubocop.yml"
 - ".gitignore"
 - ".rubocop.yml"
 - CHANGELOG.md
@@ -225,8 +209,6 @@ files:
 - lib/omniauth/strategies/openid_connect.rb
 - lib/omniauth_openid_connect.rb
 - omniauth_openid_connect.gemspec
-- test/fixtures/id_token.txt
-- test/fixtures/jwks.json
 - test/fixtures/test.crt
 - test/lib/omniauth/strategies/openid_connect_test.rb
 - test/strategy_test_case.rb
@@ -237,10 +219,10 @@ licenses:
 metadata:
   bug_tracker_uri: https://github.com/m0n9oose/omniauth_openid_connect/issues
   changelog_uri: https://github.com/m0n9oose/omniauth_openid_connect/releases
-  documentation_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.4.0#readme
-  source_code_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.4.0
+  documentation_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.5.0#readme
+  source_code_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.5.0
   rubygems_mfa_required: 'true'
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -255,13 +237,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.5
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: OpenID Connect Strategy for OmniAuth
 test_files:
-- test/fixtures/id_token.txt
-- test/fixtures/jwks.json
 - test/fixtures/test.crt
 - test/lib/omniauth/strategies/openid_connect_test.rb
 - test/strategy_test_case.rb

data/.github/config/rubocop_linter_action.yml

@@ -1,59 +0,0 @@
-# Description: The name of the check that will be created.
-# Valid Options: A reasonably sized string.
-# Default: 'Rubocop Action'
-check_name: 'Rubocop Results'
-
-# Description: Versions required to run your RuboCop checks.
-# Valid options: RuboCop and any RuboCop extension, by default the latest gem version will be used. You can explicitly state that
-# (not required) or use a version number, like '1.5.1'.
-# Default:
-#   versions:
-#     - rubocop: 'latest'
-versions:
-  - rubocop
-  - rubocop-minitest
-  - rubocop-performance: '1.5.1'
-
-# Description: Rubocop configuration file path relative to the workspace.
-# Valid options: A valid file path inside of the workspace.
-# Default: nil
-# Note: This does not need to be filled out for Rubocop to still find your config.
-# Resource: https://rubocop.readthedocs.io/en/stable/configuration/
-rubocop_config_path: '.rubocop.yml'
-
-# Run all cops enabled by configuration except this list.
-# Valid options: list of valid cop(s) and/or departments.
-# Default: nil
-# Resource: https://rubocop.readthedocs.io/en/stable/cops/
-# rubocop_excluded_cops:
-#   - 'Style/FrozenStringLiteralComment'
-
-# Minimum severity for exit with error code
-# Valid options: 'refactor', 'convention', 'warning', 'error', or 'fatal'.
-# Default: 'warning'
-# Resource: https://rubocop.readthedocs.io/en/stable/configuration/#severity
-# rubocop_fail_level: 'warning'
-
-# Whether or not to use --force-exclusion when building the rubocop command. Use this if you are only linting modified
-# files and typically excluded files have been changed. For example, if you exclude db/schema.rb in your rubocop.yml
-# but a change gets made, then with the check_scope config set to 'modified' rubocop will lint db/schema.rb. If you set
-# this to true, rubocop will ignore it.
-# Valid options: true || false
-# Default: false
-
-# Instead of installing gems from rubygems, we can run `bundle install` on your project,
-# you would need to do this if you are using something like 'rubocop-github' or if you don't
-# want to list out dependencies with the `versions` key.
-# Valid options: true || false
-# Default: false
-# bundle: false
-
-# The scope of code that Rubocop should lint. Use this if you only want to lint changed files. If this is not set
-# or not equal to 'modified', Rubocop is run against the entire codebase. Note that this will not work on the master branch.
-# Valid options: 'modified'
-# Default: nil
-
-# The base branch against which changes will be compared, if check_scope config is set to 'modified'.
-# This setting is not used if check_scope != 'modified'.
-# Valid options: 'origin/another_branch'
-# Default: 'origin/master'

data/.github/workflows/rubocop.yml

@@ -1,22 +0,0 @@
-name: Rubocop check
-
-on:
-  pull_request:
-    branches:
-      - "*"
-  push:
-    branches:
-      - master
-jobs:
-  build:
-    name: RuboCop Action
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Action
-      uses: actions/checkout@v1
-    - name: Rubocop Linter Action
-      uses: andrewmcodes/rubocop-linter-action@v3.2.0
-      with:
-        action_config_path: '.github/config/rubocop_linter_action.yml'
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

data/test/fixtures/id_token.txt

@@ -1 +0,0 @@
-eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg

data/test/fixtures/jwks.json

@@ -1,8 +0,0 @@
-{"keys": [{
-    "kty": "RSA",
-    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
-    "e": "AQAB",
-    "alg": "RS256",
-    "kid": "1e9gdk7"
-  }]
-}