omniauth_openid_connect 0.6.1 → 0.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 446a75e37d0a98638c32b054b7e4e1443b54c8d067025381ca340e2a80d5db05
4
- data.tar.gz: fe1895242ce7bd7d1910d9db085678cc5cadc9757b62a7660a232462105d21fe
3
+ metadata.gz: a88d5af43ae7fa7338b12da92488397a3d9ea250b9bdc7f285f5621f9571b609
4
+ data.tar.gz: baa1254704b191df4aebc92a78c0733585e43ae85a4f50506571e27854a2f561
5
5
  SHA512:
6
- metadata.gz: c102811330e2e73ea3a76940c4c275799ef01b8b4640a3e49203a9febec8ecdcb16d9f2a48d2df67deb402f65914842964b656e82c71e1676108db7d54577252
7
- data.tar.gz: 2c6e454846927acd7f2456b7b9653f356ac96d3a196b7299ca348c5bcb9f4853a802154da2548bfc86bc65ec3088abcabb16ea1ab37dc7cc0285cfae0c938a9c
6
+ metadata.gz: 7689fc4611d597687bf25f8ad7c3b54f8b9dd1955f4940bd126ebbcfb6bb1203d1774828cd6f6f9fcd922e82d0ddbe4de97025eeb4d883236323b78e57aacf1d
7
+ data.tar.gz: 42c6116449d17622dfc8b98d81ec315b1ee7b5c741e7f160884845413e3d2bc3aa99bf1cbf34d97c9066e0673670128b81ccea873b41e8ce559b4dbfe863e851
@@ -14,7 +14,7 @@ jobs:
14
14
  strategy:
15
15
  fail-fast: false
16
16
  matrix:
17
- ruby: ["2.5", "2.6", "2.7", "3.0", "3.1", "3.2"]
17
+ ruby: ["2.7", "3.0", "3.1", "3.2", "3.3"]
18
18
  name: Ruby ${{ matrix.ruby }}
19
19
 
20
20
  steps:
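Review bot: the matrix now tests Ruby 3.3, but the README "Supported Ruby Versions" line changed in this same release lists only 2.7, 3.0, 3.1 and 3.2; update that line so the documented and tested versions agree.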
data/CHANGELOG.md CHANGED
@@ -1,12 +1,29 @@
1
- # v0.6.1 (22.02.2023)
1
+ # Unreleased
2
+
3
+ # v0.8.0 (2024-07-04)
4
+
5
+ - Add `send_state` parameter to disable sending of state (https://github.com/omniauth/omniauth_openid_connect/pull/182)
6
+
7
+ # v0.7.1 (2023-04-26)
8
+
9
+ - Fix handling of JWKS response (https://github.com/omniauth/omniauth_openid_connect/pull/157)
10
+
11
+ # v0.7.0 (2023-04-25)
12
+
13
+ - Update openid_connect to 2.2 (https://github.com/omniauth/omniauth_openid_connect/pull/153)
14
+ - Drop Ruby 2.5 and 2.6 CI support (https://github.com/omniauth/omniauth_openid_connect/pull/154)
15
+ - Improvements to README (https://github.com/omniauth/omniauth_openid_connect/pull/152, https://github.com/omniauth/omniauth_openid_connect/pull/151)
16
+ - Add option `logout_path` (https://github.com/omniauth/omniauth_openid_connect/pull/143)
17
+
18
+ # v0.6.1 (2023-02-22)
2
19
 
3
20
  - Fix uninitialized constant error (https://github.com/omniauth/omniauth_openid_connect/pull/147)
4
21
 
5
- # v0.6.0 (21.01.2023)
22
+ # v0.6.0 (2023-01-22)
6
23
 
7
24
  - Support verification of HS256-signed JWTs (https://github.com/omniauth/omniauth_openid_connect/pull/134)
8
25
 
9
- # v0.5.0 (26.12.2022)
26
+ # v0.5.0 (2022-12-26)
10
27
 
11
28
  - Support the "nonce" parameter forwarding without a session [#130](https://github.com/omniauth/omniauth_openid_connect/pull/130)
12
29
  - Fetch key from JWKS URI if available [#133](https://github.com/omniauth/omniauth_openid_connect/pull/133)
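Review bot: the v0.6.0 heading changes from 21.01.2023 to 2023-01-22, so this hunk is not a pure conversion to ISO dates; confirm which day is correct, since the release list is what users rely on when pinning versions.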
@@ -14,7 +31,7 @@
14
31
  - Add email_verified claim in user info [#131](https://github.com/omniauth/omniauth_openid_connect/pull/131)
15
32
  - Add PKCE verification support [#128](https://github.com/omniauth/omniauth_openid_connect/pull/128)
16
33
 
17
- # v0.4.0 (06.02.2022)
34
+ # v0.4.0 (2022-02-06)
18
35
 
19
36
  - Support dynamic parameters to the authorize URI [#90](https://github.com/omniauth/omniauth_openid_connect/pull/90)
20
37
  - Upgrade Faker and replace Travis with Github Actions [#102](https://github.com/omniauth/omniauth_openid_connect/pull/102)
@@ -22,12 +39,12 @@
22
39
  - Fall back to the discovered jwks when no key specified [#97](https://github.com/omniauth/omniauth_openid_connect/pull/97)
23
40
  - Allow updating to omniauth v2 [#88](https://github.com/omniauth/omniauth_openid_connect/pull/88)
24
41
 
25
- # v0.3.5 (07.06.2020)
42
+ # v0.3.5 (2020-06-07)
26
43
 
27
44
  - bugfix: Info from decoded id_token is not exposed into `request.env['omniauth.auth']` [#61](https://github.com/m0n9oose/omniauth_openid_connect/pull/61)
28
45
  - bugfix: NoMethodError (`undefined method 'count' for #<OpenIDConnect::ResponseObject::IdToken>`) [#60](https://github.com/m0n9oose/omniauth_openid_connect/pull/60)
29
46
 
30
- # v0.3.4 (21.05.2020)
47
+ # v0.3.4 (2020-05-21)
31
48
 
32
49
  - Try to verify id_token when response_type is code [#44](https://github.com/m0n9oose/omniauth_openid_connect/pull/44)
33
50
  - Provide more information on error [#49](https://github.com/m0n9oose/omniauth_openid_connect/pull/49)
@@ -36,7 +53,7 @@
36
53
  - refactor: take uid_field from raw_attributes [#54](https://github.com/m0n9oose/omniauth_openid_connect/pull/54)
37
54
  - chore(ci): add 2.7, ruby-head and jruby-head [#55](https://github.com/m0n9oose/omniauth_openid_connect/pull/55)
38
55
 
39
- # v0.3.3 (09.11.2019)
56
+ # v0.3.3 (2019-11-09)
40
57
 
41
58
  - Pass `acr_values` to authorize url [#43](https://github.com/m0n9oose/omniauth_openid_connect/pull/43)
42
59
  - Add raw info for id token [#42](https://github.com/m0n9oose/omniauth_openid_connect/pull/42)
@@ -46,17 +63,17 @@
46
63
  - Fix gemspec homepage [#33](https://github.com/m0n9oose/omniauth_openid_connect/pull/33)
47
64
  - Add support for `response_type` `id_token` [#32](https://github.com/m0n9oose/omniauth_openid_connect/pull/32)
48
65
 
49
- # v0.3.2 (03.08.2019)
66
+ # v0.3.2 (2019-08-03)
50
67
 
51
68
  - Use response_mode in `authorize_uri` if the option is defined [#30](https://github.com/m0n9oose/omniauth_openid_connect/pull/30)
52
69
  - Move verification of `id_token` to before accessing tokens [#28](https://github.com/m0n9oose/omniauth_openid_connect/pull/28)
53
70
  - Update omniauth dependency [#26](https://github.com/m0n9oose/omniauth_openid_connect/pull/26)
54
71
 
55
- # v0.3.1 (08.06.2019)
72
+ # v0.3.1 (2019-06-08)
56
73
 
57
74
  - Set default OmniAuth name to openid_connect [#23](https://github.com/m0n9oose/omniauth_openid_connect/pull/23)
58
75
 
59
- # v0.3.0 (27.04.2019)
76
+ # v0.3.0 (2019-04-07)
60
77
 
61
78
  - RP-Initiated Logout phase [#5](https://github.com/m0n9oose/omniauth_openid_connect/pull/5)
62
79
  - Allows `ui_locales`, `claims_locales` and `login_hint` as request params [#6](https://github.com/m0n9oose/omniauth_openid_connect/pull/6)
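Review bot: v0.3.0 was dated 27.04.2019 and becomes 2019-04-07, which loses the original day; the ISO form of the old date is 2019-04-27.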
@@ -65,7 +82,7 @@
65
82
  - Handle errors when fetching access_token at callback_phase [#17](https://github.com/m0n9oose/omniauth_openid_connect/pull/17)
66
83
  - Allow state method to receive env [#19](https://github.com/m0n9oose/omniauth_openid_connect/pull/19)
67
84
 
68
- # v0.2.4 (06.01.2019)
85
+ # v0.2.4 (2019-01-06)
69
86
 
70
87
  - Prompt and login hint [#4](https://github.com/m0n9oose/omniauth_openid_connect/pull/4)
71
88
  - Bump openid_connect dependency [#9](https://github.com/m0n9oose/omniauth_openid_connect/pull/9)
data/README.md CHANGED
@@ -23,53 +23,79 @@ Or install it yourself as:
23
23
 
24
24
  ## Supported Ruby Versions
25
25
 
26
- OmniAuth::OpenIDConnect is tested under 2.5, 2.6, 2.7, 3.0, 3.1
26
+ OmniAuth::OpenIDConnect is tested under 2.7, 3.0, 3.1, 3.2
27
27
 
28
28
  ## Usage
29
29
 
30
30
  Example configuration
31
+
32
+ ```ruby
33
+ Rails.application.config.middleware.use OmniAuth::Builder do
34
+ provider :openid_connect, {
35
+ name: :my_provider,
36
+ scope: [:openid, :email, :profile, :address],
37
+ response_type: :code,
38
+ uid_field: "preferred_username",
39
+ client_options: {
40
+ port: 443,
41
+ scheme: "https",
42
+ host: "myprovider.com",
43
+ identifier: ENV["OP_CLIENT_ID"],
44
+ secret: ENV["OP_SECRET_KEY"],
45
+ redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
46
+ },
47
+ }
48
+ end
49
+ ```
50
+
51
+ ### with Devise
31
52
  ```ruby
32
- config.omniauth :openid_connect, {
33
- name: :my_provider,
34
- scope: [:openid, :email, :profile, :address],
35
- response_type: :code,
36
- uid_field: "preferred_username",
37
- client_options: {
38
- port: 443,
39
- scheme: "https",
40
- host: "myprovider.com",
41
- identifier: ENV["OP_CLIENT_ID"],
42
- secret: ENV["OP_SECRET_KEY"],
43
- redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
44
- },
45
- }
53
+ Devise.setup do |config|
54
+ config.omniauth :openid_connect, {
55
+ name: :my_provider,
56
+ scope: [:openid, :email, :profile, :address],
57
+ response_type: :code,
58
+ uid_field: "preferred_username",
59
+ client_options: {
60
+ port: 443,
61
+ scheme: "https",
62
+ host: "myprovider.com",
63
+ identifier: ENV["OP_CLIENT_ID"],
64
+ secret: ENV["OP_SECRET_KEY"],
65
+ redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
66
+ },
67
+ }
68
+ end
46
69
  ```
47
70
 
48
71
  ### Options Overview
49
72
 
50
- | Field | Description | Required | Default | Example/Options |
51
- |------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------------|-----------------------------------------------------|
52
- | name | Arbitrary string to identify connection and identify it from other openid_connect providers | no | String: openid_connect | :my_idp |
53
- | issuer | Root url for the authorization server | yes | | https://myprovider.com |
54
- | discovery | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no | false | one of: true, false |
55
- | client_auth_method | Which authentication method to use to authenticate your app with the authorization server | no | Sym: basic | "basic", "jwks" |
56
- | scope | Which OpenID scopes to include (:openid is always required) | no | Array<sym> [:openid] | [:openid, :profile, :email] |
57
- | response_type | Which OAuth2 response type to use with the authorization request | no | String: code | one of: 'code', 'id_token' |
58
- | state | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string. | no | Random 16 character string | Proc.new { SecureRandom.hex(32) } |
59
- | require_state | Should state param be verified - this is recommended, not required by the OIDC specification | no | true | false |
60
- | response_mode | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) | no | nil | one of: :query, :fragment, :form_post, :web_message |
61
- | display | An optional parameter to the authorization request to determine how the authorization and consent page | no | nil | one of: :page, :popup, :touch, :wap |
62
- | prompt | An optional parameter to the authrization request to determine what pages the user will be shown | no | nil | one of: :none, :login, :consent, :select_account |
63
- | send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint? | no | true | one of: true, false |
64
- | post_logout_redirect_uri | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html) | no | empty | https://myapp.com/logout/callback |
65
- | uid_field | The field of the user info response to be used as a unique id | no | 'sub' | "sub", "preferred_username" |
66
- | extra_authorize_params | A hash of extra fixed parameters that will be merged to the authorization request | no | Hash | {"tenant" => "common"} |
67
- | allow_authorize_params | A list of allowed dynamic parameters that will be merged to the authorization request | no | Array | [:screen_name] |
68
- | pkce | Enable [PKCE flow](https://oauth.net/2/pkce/) | no | false | one of: true, false |
69
- | pkce_verifier | Specify a custom PKCE verifier code. | no | A random 128-char string | Proc.new { SecureRandom.hex(64) } |
70
- | pkce_options | Specify a custom implementation of the PKCE code challenge/method. | no | SHA256(code_challenge) in hex | Proc to customise the code challenge generation |
71
- | client_options | A hash of client options detailed in its own section | yes | | |
72
- | jwt_secret_base64 | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. | no | client_options.secret | "bXlzZWNyZXQ=\n"
73
+ | Field | Description | Required | Default | Example/Options |
74
+ |------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------------|-----------------------------------------------------|
75
+ | name | Arbitrary string to identify connection and identify it from other openid_connect providers | no | String: openid_connect | :my_idp |
76
+ | issuer | Root url for the authorization server | yes | | https://myprovider.com |
77
+ | discovery | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no | false | one of: true, false |
78
+ | client_auth_method | Which authentication method to use to authenticate your app with the authorization server | no | Sym: basic | "basic", "jwks" |
79
+ | scope | Which OpenID scopes to include (:openid is always required) | no | Array<sym> [:openid] | [:openid, :profile, :email] |
80
+ | response_type | Which OAuth2 response type to use with the authorization request | no | String: code | one of: 'code', 'id_token' |
81
+ | state | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string. | no | Random 16 character string | Proc.new { SecureRandom.hex(32) } |
82
+ | require_state | Should the callback phase require that a state is present. If `send_state` is true, then the callback state must match the authorize state. This is recommended, not required by the OIDC specification. | no | true | false |
83
+ | send_state | Should the authorize phase send a `state` parameter - this is recommended, not required by the OIDC specification | no | true | false |
84
+ | response_mode | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) | no | nil | one of: :query, :fragment, :form_post, :web_message |
85
+ | display | An optional parameter to the authorization request to determine how the authorization and consent page | no | nil | one of: :page, :popup, :touch, :wap |
86
+ | prompt | An optional parameter to the authrization request to determine what pages the user will be shown | no | nil | one of: :none, :login, :consent, :select_account |
87
+ | send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint? | no | true | one of: true, false |
88
+ | post_logout_redirect_uri | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html) | no | empty | https://myapp.com/logout/callback |
89
+ | uid_field | The field of the user info response to be used as a unique id | no | 'sub' | "sub", "preferred_username" |
90
+ | extra_authorize_params | A hash of extra fixed parameters that will be merged to the authorization request | no | Hash | {"tenant" => "common"} |
91
+ | allow_authorize_params | A list of allowed dynamic parameters that will be merged to the authorization request | no | Array | [:screen_name] |
92
+ | pkce | Enable [PKCE flow](https://oauth.net/2/pkce/) | no | false | one of: true, false |
93
+ | pkce_verifier | Specify a custom PKCE verifier code. | no | A random 128-char string | Proc.new { SecureRandom.hex(64) } |
94
+ | pkce_options | Specify a custom implementation of the PKCE code challenge/method. | no | SHA256(code_challenge) in hex | Proc to customise the code challenge generation |
95
+ | client_options | A hash of client options detailed in its own section | yes | | |
96
+ | jwt_secret_base64 | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. | no | client_options.secret | "bXlzZWNyZXQ=\n" |
97
+ | logout_path | The log out is only triggered when the request path ends on this path | no | '/logout' | '/sign_out' |
98
+ | acr_values | Authentication Class Reference(ACR) values to be passed to the authorize_uri to enforce a specific level, see [RFC9470](https://www.rfc-editor.org/rfc/rfc9470.html) | no | nil | "c1 c2" |
73
99
 
74
100
  ### Client Config Options
75
101
 
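Review bot: the new `send_state` row should state the consequence of setting it to false: the callback phase then performs no state check at all, so `require_state` has no effect and the CSRF binding between the authorize request and the callback is lost; say so in the row (or in a short note under the table) rather than only "this is recommended". Two smaller points in the same hunk: the `acr_values` row expands ACR as "Authentication Class Reference", whereas the OIDC term is Authentication Context Class Reference, and the "Supported Ruby Versions" line lists 2.7 to 3.2 while the CI matrix in this release adds 3.3.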
@@ -131,7 +157,7 @@ For the full low down on OpenID Connect, please check out
131
157
 
132
158
  ## Contributing
133
159
 
134
- 1. Fork it ( http://github.com/m0n9oose/omniauth-openid-connect/fork )
160
+ 1. Fork it ( http://github.com/omniauth/omniauth_openid_connect/fork )
135
161
  2. Create your feature branch (`git checkout -b my-new-feature`)
136
162
  3. Cover your changes with tests and make sure they're green (`bundle install && bundle exec rake test`)
137
163
  4. Commit your changes (`git commit -am 'Add some feature'`)
@@ -2,6 +2,6 @@
2
2
 
3
3
  module OmniAuth
4
4
  module OpenIDConnect
5
- VERSION = '0.6.1'
5
+ VERSION = '0.8.0'
6
6
  end
7
7
  end
@@ -42,6 +42,7 @@ module OmniAuth
42
42
  option :client_x509_signing_key
43
43
  option :scope, [:openid]
44
44
  option :response_type, 'code' # ['code', 'id_token']
45
+ option :send_state, true
45
46
  option :require_state, true
46
47
  option :state
47
48
  option :response_mode # [:query, :fragment, :form_post, :web_message]
@@ -68,6 +69,8 @@ module OmniAuth
68
69
  code_challenge_method: 'S256',
69
70
  }
70
71
 
72
+ option :logout_path, '/logout'
73
+
71
74
  def uid
72
75
  user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
73
76
  end
@@ -118,7 +121,12 @@ module OmniAuth
118
121
  def callback_phase
119
122
  error = params['error_reason'] || params['error']
120
123
  error_description = params['error_description'] || params['error_reason']
121
- invalid_state = (options.require_state && params['state'].to_s.empty?) || params['state'] != stored_state
124
+ invalid_state =
125
+ if options.send_state
126
+ (options.require_state && params['state'].to_s.empty?) || params['state'] != stored_state
127
+ else
128
+ false
129
+ end
122
130
 
123
131
  raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
124
132
  raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
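Review bot: with `send_state` false, `invalid_state` is hard-coded to false, so `require_state = true` silently does nothing and a `state` value that does arrive on the callback is neither compared with `stored_state` nor rejected. Consider raising a configuration error (or at least logging a warning) once, when the strategy is initialised, if `require_state` is true while `send_state` is false, so the combination cannot be misread as still enforcing the check.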
@@ -167,13 +175,12 @@ module OmniAuth
167
175
  end_session_uri.to_s
168
176
  end
169
177
 
170
- def authorize_uri
178
+ def authorize_uri # rubocop:disable Metrics/AbcSize
171
179
  client.redirect_uri = redirect_uri
172
180
  opts = {
173
181
  response_type: options.response_type,
174
182
  response_mode: options.response_mode,
175
183
  scope: options.scope,
176
- state: new_state,
177
184
  login_hint: params['login_hint'],
178
185
  ui_locales: params['ui_locales'],
179
186
  claims_locales: params['claims_locales'],
@@ -183,6 +190,7 @@ module OmniAuth
183
190
  acr_values: options.acr_values,
184
191
  }
185
192
 
193
+ opts[:state] = new_state if options.send_state
186
194
  opts.merge!(options.extra_authorize_params) unless options.extra_authorize_params.empty?
187
195
 
188
196
  options.allow_authorize_params.each do |key|
@@ -226,7 +234,7 @@ module OmniAuth
226
234
  private
227
235
 
228
236
  def fetch_key
229
- @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get_content(client_options.jwks_uri))
237
+ @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get(client_options.jwks_uri).body)
230
238
  end
231
239
 
232
240
  def base64_decoded_jwt_secret
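Review bot: the response status is never checked, so a 4xx/5xx from `jwks_uri` (typically an HTML error page) is handed straight to `parse_jwk_key` and surfaces as a JSON parse error or NoMethodError instead of a clear failure. If `http_client` is a Faraday connection, as the `.get(...).body` call suggests, check `response.success?` (or `response.status`) and raise with the status before reading `body`.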
@@ -402,7 +410,7 @@ module OmniAuth
402
410
  end
403
411
 
404
412
  def parse_jwk_key(key)
405
- json = JSON.parse(key)
413
+ json = key.is_a?(String) ? JSON.parse(key) : key
406
414
  return JSON::JWK::Set.new(json['keys']) if json.key?('keys')
407
415
 
408
416
  JSON::JWK.new(json)
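Review bot: after this change a nil or non-Hash `key` (an empty response body, for example) reaches `json.key?('keys')` and fails with NoMethodError; guard for nil and for a non-Hash result and raise a descriptive error. Also, if the HTTP layer ever returns a Hash with symbol keys, `json.key?('keys')` misses the `keys` member and the whole document is passed to `JSON::JWK.new`; normalising with `json.transform_keys(&:to_s)` keeps the check robust either way.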
@@ -432,7 +440,7 @@ module OmniAuth
432
440
  end
433
441
 
434
442
  def logout_path_pattern
435
- @logout_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/logout)}
443
+ @logout_path_pattern ||= /\A#{Regexp.quote(request_path)}#{options.logout_path}/
436
444
  end
437
445
 
438
446
  def id_token_callback_phase
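Review bot: `options.logout_path` is interpolated into the regex unescaped and the pattern is not anchored at the end, so a value containing regex metacharacters (`.` or `?`) is interpreted rather than matched literally, and the default `/logout` also matches `/logoutXYZ`. The previous version quoted the prefix with `Regexp.quote`; do the same for the new option and add `\z`, matching the README row that says the logout is triggered only when the path ends on this value, e.g. `/\A#{Regexp.quote(request_path)}#{Regexp.quote(options.logout_path)}\z/`. The old `(/logout)` capture group is gone as well; check that no caller read the match group.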
@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
11
11
  spec.email = ['jjbohn@gmail.com', 'm0n9oose@gmail.com']
12
12
  spec.summary = 'OpenID Connect Strategy for OmniAuth'
13
13
  spec.description = 'OpenID Connect Strategy for OmniAuth.'
14
- spec.homepage = 'https://github.com/m0n9oose/omniauth_openid_connect'
14
+ spec.homepage = 'https://github.com/omniauth/omniauth_openid_connect'
15
15
  spec.license = 'MIT'
16
16
 
17
17
  spec.files = `git ls-files -z`.split("\x0")
@@ -20,23 +20,24 @@ Gem::Specification.new do |spec|
20
20
  spec.require_paths = ['lib']
21
21
 
22
22
  spec.metadata = {
23
- 'bug_tracker_uri' => 'https://github.com/m0n9oose/omniauth_openid_connect/issues',
24
- 'changelog_uri' => 'https://github.com/m0n9oose/omniauth_openid_connect/releases',
25
- 'documentation_uri' => "https://github.com/m0n9oose/omniauth_openid_connect/tree/v#{spec.version}#readme",
26
- 'source_code_uri' => "https://github.com/m0n9oose/omniauth_openid_connect/tree/v#{spec.version}",
23
+ 'bug_tracker_uri' => 'https://github.com/omniauth/omniauth_openid_connect/issues',
24
+ 'changelog_uri' => 'https://github.com/omniauth/omniauth_openid_connect/releases',
25
+ 'documentation_uri' => "https://github.com/omniauth/omniauth_openid_connect/tree/v#{spec.version}#readme",
26
+ 'source_code_uri' => "https://github.com/omniauth/omniauth_openid_connect/tree/v#{spec.version}",
27
27
  'rubygems_mfa_required' => 'true',
28
28
  }
29
29
 
30
30
  spec.add_dependency 'omniauth', '>= 1.9', '< 3'
31
- spec.add_dependency 'openid_connect', '~> 1.1'
31
+ spec.add_dependency 'openid_connect', '~> 2.2'
32
32
  spec.add_development_dependency 'faker', '~> 2.0'
33
33
  spec.add_development_dependency 'guard', '~> 2.14'
34
34
  spec.add_development_dependency 'guard-bundler', '~> 2.2'
35
35
  spec.add_development_dependency 'guard-minitest', '~> 2.4'
36
- spec.add_development_dependency 'minitest', '~> 5.1'
37
- spec.add_development_dependency 'mocha', '~> 1.7'
36
+ spec.add_development_dependency 'minitest', '~> 5.20'
37
+ spec.add_development_dependency 'mocha', '~> 2.1'
38
38
  spec.add_development_dependency 'rake', '~> 12.0'
39
39
  spec.add_development_dependency 'rubocop', '~> 1.12'
40
40
  spec.add_development_dependency 'simplecov', '~> 0.21'
41
41
  spec.add_development_dependency 'simplecov-lcov', '~> 0.8'
42
+ spec.add_development_dependency 'webmock', '~> 3.18'
42
43
  end
@@ -69,6 +69,17 @@ module OmniAuth
69
69
  strategy.other_phase
70
70
  end
71
71
 
72
+ def test_logout_phase_with_logout_path
73
+ strategy.options.issuer = 'example.com'
74
+ strategy.options.client_options.host = 'example.com'
75
+ strategy.options.logout_path = '/sign_out'
76
+
77
+ request.stubs(:path).returns('/auth/openid_connect/sign_out')
78
+
79
+ strategy.expects(:call_app!)
80
+ strategy.other_phase
81
+ end
82
+
72
83
  def test_logout_phase
73
84
  strategy.options.issuer = 'example.com'
74
85
  strategy.options.client_options.host = 'example.com'
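Review bot: this covers only the positive case; add a case where `logout_path` is `/sign_out` but the request path is the default `/logout` (or a path that merely has `/sign_out` as a prefix) and assert the logout branch is not taken, since `logout_path_pattern` is not end-anchored.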
@@ -442,6 +453,50 @@ module OmniAuth
442
453
  strategy.callback_phase
443
454
  end
444
455
 
456
+ def test_callback_phase_with_send_state_disabled # rubocop:disable Metrics/AbcSize
457
+ code = SecureRandom.hex(16)
458
+
459
+ strategy.options.client_options.host = 'example.com'
460
+ strategy.options.require_state = true
461
+ strategy.options.send_state = false
462
+ strategy.options.discovery = true
463
+ refute_match(/state/, strategy.authorize_uri, 'URI must not contain state')
464
+
465
+ request.stubs(:params).returns('code' => code)
466
+ request.stubs(:path).returns('')
467
+
468
+ issuer = stub('OpenIDConnect::Discovery::Issuer')
469
+ issuer.stubs(:issuer).returns('https://example.com/')
470
+ ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
471
+
472
+ config = stub('OpenIDConnect::Discovery::Provder::Config')
473
+ config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
474
+ config.stubs(:token_endpoint).returns('https://example.com/token')
475
+ config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
476
+ config.stubs(:jwks_uri).returns('https://example.com/jwks')
477
+ config.stubs(:jwks).returns(JSON::JWK::Set.new(jwks['keys']))
478
+
479
+ ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
480
+
481
+ id_token = stub('OpenIDConnect::ResponseObject::IdToken')
482
+ id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
483
+ id_token.stubs(:verify!).with(issuer: 'https://example.com/', client_id: @identifier, nonce: nonce).returns(true)
484
+ ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
485
+
486
+ strategy.unstub(:user_info)
487
+ access_token = stub('OpenIDConnect::AccessToken')
488
+ access_token.stubs(:access_token)
489
+ access_token.stubs(:refresh_token)
490
+ access_token.stubs(:expires_in)
491
+ access_token.stubs(:scope)
492
+ access_token.stubs(:id_token).returns(jwt.to_s)
493
+ client.expects(:access_token!).at_least_once.returns(access_token)
494
+ access_token.expects(:userinfo!).returns(user_info)
495
+
496
+ strategy.call!('rack.session' => { 'omniauth.nonce' => nonce })
497
+ strategy.callback_phase
498
+ end
499
+
445
500
  def test_callback_phase_with_no_state_without_state_verification # rubocop:disable Metrics/AbcSize
446
501
  code = SecureRandom.hex(16)
447
502
 
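Review bot: the Mocha stub label 'OpenIDConnect::Discovery::Provder::Config' has a typo; harmless, but it is copied into failure messages. More usefully, the test shows the authorize URI omits `state` and the callback passes without one, but there is no case where a `state` parameter does arrive on the callback while `send_state` is false; adding one pins down whether such a value is meant to be ignored or rejected.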
@@ -509,10 +564,10 @@ module OmniAuth
509
564
  strategy.options.client_options.jwks_uri = 'https://jwks.example.com'
510
565
  strategy.options.response_type = 'id_token'
511
566
 
512
- HTTPClient
513
- .any_instance.stubs(:get_content)
514
- .with(strategy.options.client_options.jwks_uri)
515
- .returns(jwks.to_json)
567
+ stub_request(:get, strategy.options.client_options.jwks_uri).to_return(
568
+ body: jwks.to_json,
569
+ headers: { 'Content-Type' => 'application/json' }
570
+ )
516
571
 
517
572
  strategy.unstub(:user_info)
518
573
  access_token = stub('OpenIDConnect::AccessToken')
@@ -788,8 +843,7 @@ module OmniAuth
788
843
  access_token: 'test_access_token',
789
844
  id_token: jwt.to_s,
790
845
  token_type: 'Bearer',
791
- }.to_json
792
- success = Struct.new(:status, :body).new(200, json_response)
846
+ }
793
847
 
794
848
  request.stubs(:path).returns('')
795
849
  strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
@@ -798,11 +852,13 @@ module OmniAuth
798
852
  id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
799
853
  ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
800
854
 
801
- HTTPClient.any_instance.stubs(:post).with(
802
- "#{ opts.scheme }://#{ opts.host }:#{ opts.port }#{ opts.token_endpoint }",
803
- { scope: 'openid', grant_type: :client_credentials, client_id: @identifier, client_secret: @secret },
804
- {}
805
- ).returns(success)
855
+ url = "#{ opts.scheme }://#{ opts.host }:#{ opts.port }#{ opts.token_endpoint }"
856
+ body = { scope: 'openid', grant_type: 'client_credentials', client_id: @identifier, client_secret: @secret }
857
+
858
+ stub_request(:post, url).with(body: body).to_return(
859
+ body: json_response.to_json,
860
+ headers: { 'Content-Type' => 'application/json' }
861
+ )
806
862
 
807
863
  assert(strategy.send(:access_token))
808
864
  end
@@ -1,6 +1,6 @@
1
1
  # frozen_string_literal: true
2
2
 
3
- class StrategyTestCase < MiniTest::Test
3
+ class StrategyTestCase < Minitest::Test
4
4
  class DummyApp
5
5
  def call(env); end
6
6
  end
data/test/test_helper.rb CHANGED
@@ -5,6 +5,7 @@ require 'minitest/autorun'
5
5
  require 'mocha/minitest'
6
6
  require 'faker'
7
7
  require 'active_support'
8
+ require 'webmock/minitest'
8
9
 
9
10
  SimpleCov.start do
10
11
  if ENV['CI']
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth_openid_connect
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.1
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - John Bohn
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2023-02-23 00:00:00.000000000 Z
12
+ date: 2024-07-04 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: omniauth
@@ -37,14 +37,14 @@ dependencies:
37
37
  requirements:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: '1.1'
40
+ version: '2.2'
41
41
  type: :runtime
42
42
  prerelease: false
43
43
  version_requirements: !ruby/object:Gem::Requirement
44
44
  requirements:
45
45
  - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: '1.1'
47
+ version: '2.2'
48
48
  - !ruby/object:Gem::Dependency
49
49
  name: faker
50
50
  requirement: !ruby/object:Gem::Requirement
@@ -107,28 +107,28 @@ dependencies:
107
107
  requirements:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
- version: '5.1'
110
+ version: '5.20'
111
111
  type: :development
112
112
  prerelease: false
113
113
  version_requirements: !ruby/object:Gem::Requirement
114
114
  requirements:
115
115
  - - "~>"
116
116
  - !ruby/object:Gem::Version
117
- version: '5.1'
117
+ version: '5.20'
118
118
  - !ruby/object:Gem::Dependency
119
119
  name: mocha
120
120
  requirement: !ruby/object:Gem::Requirement
121
121
  requirements:
122
122
  - - "~>"
123
123
  - !ruby/object:Gem::Version
124
- version: '1.7'
124
+ version: '2.1'
125
125
  type: :development
126
126
  prerelease: false
127
127
  version_requirements: !ruby/object:Gem::Requirement
128
128
  requirements:
129
129
  - - "~>"
130
130
  - !ruby/object:Gem::Version
131
- version: '1.7'
131
+ version: '2.1'
132
132
  - !ruby/object:Gem::Dependency
133
133
  name: rake
134
134
  requirement: !ruby/object:Gem::Requirement
@@ -185,6 +185,20 @@ dependencies:
185
185
  - - "~>"
186
186
  - !ruby/object:Gem::Version
187
187
  version: '0.8'
188
+ - !ruby/object:Gem::Dependency
189
+ name: webmock
190
+ requirement: !ruby/object:Gem::Requirement
191
+ requirements:
192
+ - - "~>"
193
+ - !ruby/object:Gem::Version
194
+ version: '3.18'
195
+ type: :development
196
+ prerelease: false
197
+ version_requirements: !ruby/object:Gem::Requirement
198
+ requirements:
199
+ - - "~>"
200
+ - !ruby/object:Gem::Version
201
+ version: '3.18'
188
202
  description: OpenID Connect Strategy for OmniAuth.
189
203
  email:
190
204
  - jjbohn@gmail.com
@@ -213,14 +227,14 @@ files:
213
227
  - test/lib/omniauth/strategies/openid_connect_test.rb
214
228
  - test/strategy_test_case.rb
215
229
  - test/test_helper.rb
216
- homepage: https://github.com/m0n9oose/omniauth_openid_connect
230
+ homepage: https://github.com/omniauth/omniauth_openid_connect
217
231
  licenses:
218
232
  - MIT
219
233
  metadata:
220
- bug_tracker_uri: https://github.com/m0n9oose/omniauth_openid_connect/issues
221
- changelog_uri: https://github.com/m0n9oose/omniauth_openid_connect/releases
222
- documentation_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.6.1#readme
223
- source_code_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.6.1
234
+ bug_tracker_uri: https://github.com/omniauth/omniauth_openid_connect/issues
235
+ changelog_uri: https://github.com/omniauth/omniauth_openid_connect/releases
236
+ documentation_uri: https://github.com/omniauth/omniauth_openid_connect/tree/v0.8.0#readme
237
+ source_code_uri: https://github.com/omniauth/omniauth_openid_connect/tree/v0.8.0
224
238
  rubygems_mfa_required: 'true'
225
239
  post_install_message:
226
240
  rdoc_options: []
@@ -237,7 +251,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
237
251
  - !ruby/object:Gem::Version
238
252
  version: '0'
239
253
  requirements: []
240
- rubygems_version: 3.4.7
254
+ rubygems_version: 3.5.14
241
255
  signing_key:
242
256
  specification_version: 4
243
257
  summary: OpenID Connect Strategy for OmniAuth