omniauth_openid_connect 0.6.1 → 0.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 446a75e37d0a98638c32b054b7e4e1443b54c8d067025381ca340e2a80d5db05
4
- data.tar.gz: fe1895242ce7bd7d1910d9db085678cc5cadc9757b62a7660a232462105d21fe
3
+ metadata.gz: a88d5af43ae7fa7338b12da92488397a3d9ea250b9bdc7f285f5621f9571b609
4
+ data.tar.gz: baa1254704b191df4aebc92a78c0733585e43ae85a4f50506571e27854a2f561
5
5
  SHA512:
6
- metadata.gz: c102811330e2e73ea3a76940c4c275799ef01b8b4640a3e49203a9febec8ecdcb16d9f2a48d2df67deb402f65914842964b656e82c71e1676108db7d54577252
7
- data.tar.gz: 2c6e454846927acd7f2456b7b9653f356ac96d3a196b7299ca348c5bcb9f4853a802154da2548bfc86bc65ec3088abcabb16ea1ab37dc7cc0285cfae0c938a9c
6
+ metadata.gz: 7689fc4611d597687bf25f8ad7c3b54f8b9dd1955f4940bd126ebbcfb6bb1203d1774828cd6f6f9fcd922e82d0ddbe4de97025eeb4d883236323b78e57aacf1d
7
+ data.tar.gz: 42c6116449d17622dfc8b98d81ec315b1ee7b5c741e7f160884845413e3d2bc3aa99bf1cbf34d97c9066e0673670128b81ccea873b41e8ce559b4dbfe863e851
@@ -14,7 +14,7 @@ jobs:
14
14
  strategy:
15
15
  fail-fast: false
16
16
  matrix:
17
- ruby: ["2.5", "2.6", "2.7", "3.0", "3.1", "3.2"]
17
+ ruby: ["2.7", "3.0", "3.1", "3.2", "3.3"]
18
18
  name: Ruby ${{ matrix.ruby }}
19
19
 
20
20
  steps:
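Review bot: The matrix now includes Ruby 3.3, but the README change shipped in this same release ("Supported Ruby Versions") stops at 3.2, so the documented support set no longer matches what CI runs. One of the two should be aligned, e.g. `OmniAuth::OpenIDConnect is tested under 2.7, 3.0, 3.1, 3.2, 3.3` in the README. The workflow's file header is not shown on this page, so the enclosing job definition is outside the hunk.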
data/CHANGELOG.md CHANGED
@@ -1,12 +1,29 @@
1
- # v0.6.1 (22.02.2023)
1
+ # Unreleased
2
+
3
+ # v0.8.0 (2024-07-04)
4
+
5
+ - Add `send_state` parameter to disable sending of state (https://github.com/omniauth/omniauth_openid_connect/pull/182)
6
+
7
+ # v0.7.1 (2023-04-26)
8
+
9
+ - Fix handling of JWKS response (https://github.com/omniauth/omniauth_openid_connect/pull/157)
10
+
11
+ # v0.7.0 (2023-04-25)
12
+
13
+ - Update openid_connect to 2.2 (https://github.com/omniauth/omniauth_openid_connect/pull/153)
14
+ - Drop Ruby 2.5 and 2.6 CI support (https://github.com/omniauth/omniauth_openid_connect/pull/154)
15
+ - Improvements to README (https://github.com/omniauth/omniauth_openid_connect/pull/152, https://github.com/omniauth/omniauth_openid_connect/pull/151)
16
+ - Add option `logout_path` (https://github.com/omniauth/omniauth_openid_connect/pull/143)
17
+
18
+ # v0.6.1 (2023-02-22)
2
19
 
3
20
  - Fix uninitialized constant error (https://github.com/omniauth/omniauth_openid_connect/pull/147)
4
21
 
5
- # v0.6.0 (21.01.2023)
22
+ # v0.6.0 (2023-01-22)
6
23
 
7
24
  - Support verification of HS256-signed JWTs (https://github.com/omniauth/omniauth_openid_connect/pull/134)
8
25
 
9
- # v0.5.0 (26.12.2022)
26
+ # v0.5.0 (2022-12-26)
10
27
 
11
28
  - Support the "nonce" parameter forwarding without a session [#130](https://github.com/omniauth/omniauth_openid_connect/pull/130)
12
29
  - Fetch key from JWKS URI if available [#133](https://github.com/omniauth/omniauth_openid_connect/pull/133)
@@ -14,7 +31,7 @@
14
31
  - Add email_verified claim in user info [#131](https://github.com/omniauth/omniauth_openid_connect/pull/131)
15
32
  - Add PKCE verification support [#128](https://github.com/omniauth/omniauth_openid_connect/pull/128)
16
33
 
17
- # v0.4.0 (06.02.2022)
34
+ # v0.4.0 (2022-02-06)
18
35
 
19
36
  - Support dynamic parameters to the authorize URI [#90](https://github.com/omniauth/omniauth_openid_connect/pull/90)
20
37
  - Upgrade Faker and replace Travis with Github Actions [#102](https://github.com/omniauth/omniauth_openid_connect/pull/102)
@@ -22,12 +39,12 @@
22
39
  - Fall back to the discovered jwks when no key specified [#97](https://github.com/omniauth/omniauth_openid_connect/pull/97)
23
40
  - Allow updating to omniauth v2 [#88](https://github.com/omniauth/omniauth_openid_connect/pull/88)
24
41
 
25
- # v0.3.5 (07.06.2020)
42
+ # v0.3.5 (2020-06-07)
26
43
 
27
44
  - bugfix: Info from decoded id_token is not exposed into `request.env['omniauth.auth']` [#61](https://github.com/m0n9oose/omniauth_openid_connect/pull/61)
28
45
  - bugfix: NoMethodError (`undefined method 'count' for #<OpenIDConnect::ResponseObject::IdToken>`) [#60](https://github.com/m0n9oose/omniauth_openid_connect/pull/60)
29
46
 
30
- # v0.3.4 (21.05.2020)
47
+ # v0.3.4 (2020-05-21)
31
48
 
32
49
  - Try to verify id_token when response_type is code [#44](https://github.com/m0n9oose/omniauth_openid_connect/pull/44)
33
50
  - Provide more information on error [#49](https://github.com/m0n9oose/omniauth_openid_connect/pull/49)
@@ -36,7 +53,7 @@
36
53
  - refactor: take uid_field from raw_attributes [#54](https://github.com/m0n9oose/omniauth_openid_connect/pull/54)
37
54
  - chore(ci): add 2.7, ruby-head and jruby-head [#55](https://github.com/m0n9oose/omniauth_openid_connect/pull/55)
38
55
 
39
- # v0.3.3 (09.11.2019)
56
+ # v0.3.3 (2019-11-09)
40
57
 
41
58
  - Pass `acr_values` to authorize url [#43](https://github.com/m0n9oose/omniauth_openid_connect/pull/43)
42
59
  - Add raw info for id token [#42](https://github.com/m0n9oose/omniauth_openid_connect/pull/42)
@@ -46,17 +63,17 @@
46
63
  - Fix gemspec homepage [#33](https://github.com/m0n9oose/omniauth_openid_connect/pull/33)
47
64
  - Add support for `response_type` `id_token` [#32](https://github.com/m0n9oose/omniauth_openid_connect/pull/32)
48
65
 
49
- # v0.3.2 (03.08.2019)
66
+ # v0.3.2 (2019-08-03)
50
67
 
51
68
  - Use response_mode in `authorize_uri` if the option is defined [#30](https://github.com/m0n9oose/omniauth_openid_connect/pull/30)
52
69
  - Move verification of `id_token` to before accessing tokens [#28](https://github.com/m0n9oose/omniauth_openid_connect/pull/28)
53
70
  - Update omniauth dependency [#26](https://github.com/m0n9oose/omniauth_openid_connect/pull/26)
54
71
 
55
- # v0.3.1 (08.06.2019)
72
+ # v0.3.1 (2019-06-08)
56
73
 
57
74
  - Set default OmniAuth name to openid_connect [#23](https://github.com/m0n9oose/omniauth_openid_connect/pull/23)
58
75
 
59
- # v0.3.0 (27.04.2019)
76
+ # v0.3.0 (2019-04-07)
60
77
 
61
78
  - RP-Initiated Logout phase [#5](https://github.com/m0n9oose/omniauth_openid_connect/pull/5)
62
79
  - Allows `ui_locales`, `claims_locales` and `login_hint` as request params [#6](https://github.com/m0n9oose/omniauth_openid_connect/pull/6)
@@ -65,7 +82,7 @@
65
82
  - Handle errors when fetching access_token at callback_phase [#17](https://github.com/m0n9oose/omniauth_openid_connect/pull/17)
66
83
  - Allow state method to receive env [#19](https://github.com/m0n9oose/omniauth_openid_connect/pull/19)
67
84
 
68
- # v0.2.4 (06.01.2019)
85
+ # v0.2.4 (2019-01-06)
69
86
 
70
87
  - Prompt and login hint [#4](https://github.com/m0n9oose/omniauth_openid_connect/pull/4)
71
88
  - Bump openid_connect dependency [#9](https://github.com/m0n9oose/omniauth_openid_connect/pull/9)
data/README.md CHANGED
@@ -23,53 +23,79 @@ Or install it yourself as:
23
23
 
24
24
  ## Supported Ruby Versions
25
25
 
26
- OmniAuth::OpenIDConnect is tested under 2.5, 2.6, 2.7, 3.0, 3.1
26
+ OmniAuth::OpenIDConnect is tested under 2.7, 3.0, 3.1, 3.2
27
27
 
28
28
  ## Usage
29
29
 
30
30
  Example configuration
31
+
32
+ ```ruby
33
+ Rails.application.config.middleware.use OmniAuth::Builder do
34
+ provider :openid_connect, {
35
+ name: :my_provider,
36
+ scope: [:openid, :email, :profile, :address],
37
+ response_type: :code,
38
+ uid_field: "preferred_username",
39
+ client_options: {
40
+ port: 443,
41
+ scheme: "https",
42
+ host: "myprovider.com",
43
+ identifier: ENV["OP_CLIENT_ID"],
44
+ secret: ENV["OP_SECRET_KEY"],
45
+ redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
46
+ },
47
+ }
48
+ end
49
+ ```
50
+
51
+ ### with Devise
31
52
  ```ruby
32
- config.omniauth :openid_connect, {
33
- name: :my_provider,
34
- scope: [:openid, :email, :profile, :address],
35
- response_type: :code,
36
- uid_field: "preferred_username",
37
- client_options: {
38
- port: 443,
39
- scheme: "https",
40
- host: "myprovider.com",
41
- identifier: ENV["OP_CLIENT_ID"],
42
- secret: ENV["OP_SECRET_KEY"],
43
- redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
44
- },
45
- }
53
+ Devise.setup do |config|
54
+ config.omniauth :openid_connect, {
55
+ name: :my_provider,
56
+ scope: [:openid, :email, :profile, :address],
57
+ response_type: :code,
58
+ uid_field: "preferred_username",
59
+ client_options: {
60
+ port: 443,
61
+ scheme: "https",
62
+ host: "myprovider.com",
63
+ identifier: ENV["OP_CLIENT_ID"],
64
+ secret: ENV["OP_SECRET_KEY"],
65
+ redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
66
+ },
67
+ }
68
+ end
46
69
  ```
47
70
 
48
71
  ### Options Overview
49
72
 
50
- | Field | Description | Required | Default | Example/Options |
51
- |------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------------|-----------------------------------------------------|
52
- | name | Arbitrary string to identify connection and identify it from other openid_connect providers | no | String: openid_connect | :my_idp |
53
- | issuer | Root url for the authorization server | yes | | https://myprovider.com |
54
- | discovery | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no | false | one of: true, false |
55
- | client_auth_method | Which authentication method to use to authenticate your app with the authorization server | no | Sym: basic | "basic", "jwks" |
56
- | scope | Which OpenID scopes to include (:openid is always required) | no | Array<sym> [:openid] | [:openid, :profile, :email] |
57
- | response_type | Which OAuth2 response type to use with the authorization request | no | String: code | one of: 'code', 'id_token' |
58
- | state | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string. | no | Random 16 character string | Proc.new { SecureRandom.hex(32) } |
59
- | require_state | Should state param be verified - this is recommended, not required by the OIDC specification | no | true | false |
60
- | response_mode | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) | no | nil | one of: :query, :fragment, :form_post, :web_message |
61
- | display | An optional parameter to the authorization request to determine how the authorization and consent page | no | nil | one of: :page, :popup, :touch, :wap |
62
- | prompt | An optional parameter to the authrization request to determine what pages the user will be shown | no | nil | one of: :none, :login, :consent, :select_account |
63
- | send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint? | no | true | one of: true, false |
64
- | post_logout_redirect_uri | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html) | no | empty | https://myapp.com/logout/callback |
65
- | uid_field | The field of the user info response to be used as a unique id | no | 'sub' | "sub", "preferred_username" |
66
- | extra_authorize_params | A hash of extra fixed parameters that will be merged to the authorization request | no | Hash | {"tenant" => "common"} |
67
- | allow_authorize_params | A list of allowed dynamic parameters that will be merged to the authorization request | no | Array | [:screen_name] |
68
- | pkce | Enable [PKCE flow](https://oauth.net/2/pkce/) | no | false | one of: true, false |
69
- | pkce_verifier | Specify a custom PKCE verifier code. | no | A random 128-char string | Proc.new { SecureRandom.hex(64) } |
70
- | pkce_options | Specify a custom implementation of the PKCE code challenge/method. | no | SHA256(code_challenge) in hex | Proc to customise the code challenge generation |
71
- | client_options | A hash of client options detailed in its own section | yes | | |
72
- | jwt_secret_base64 | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. | no | client_options.secret | "bXlzZWNyZXQ=\n"
73
+ | Field | Description | Required | Default | Example/Options |
74
+ |------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------------|-----------------------------------------------------|
75
+ | name | Arbitrary string to identify connection and identify it from other openid_connect providers | no | String: openid_connect | :my_idp |
76
+ | issuer | Root url for the authorization server | yes | | https://myprovider.com |
77
+ | discovery | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no | false | one of: true, false |
78
+ | client_auth_method | Which authentication method to use to authenticate your app with the authorization server | no | Sym: basic | "basic", "jwks" |
79
+ | scope | Which OpenID scopes to include (:openid is always required) | no | Array<sym> [:openid] | [:openid, :profile, :email] |
80
+ | response_type | Which OAuth2 response type to use with the authorization request | no | String: code | one of: 'code', 'id_token' |
81
+ | state | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string. | no | Random 16 character string | Proc.new { SecureRandom.hex(32) } |
82
+ | require_state | Should the callback phase require that a state is present. If `send_state` is true, then the callback state must match the authorize state. This is recommended, not required by the OIDC specification. | no | true | false |
83
+ | send_state | Should the authorize phase send a `state` parameter - this is recommended, not required by the OIDC specification | no | true | false |
84
+ | response_mode | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) | no | nil | one of: :query, :fragment, :form_post, :web_message |
85
+ | display | An optional parameter to the authorization request to determine how the authorization and consent page | no | nil | one of: :page, :popup, :touch, :wap |
86
+ | prompt | An optional parameter to the authrization request to determine what pages the user will be shown | no | nil | one of: :none, :login, :consent, :select_account |
87
+ | send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint? | no | true | one of: true, false |
88
+ | post_logout_redirect_uri | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html) | no | empty | https://myapp.com/logout/callback |
89
+ | uid_field | The field of the user info response to be used as a unique id | no | 'sub' | "sub", "preferred_username" |
90
+ | extra_authorize_params | A hash of extra fixed parameters that will be merged to the authorization request | no | Hash | {"tenant" => "common"} |
91
+ | allow_authorize_params | A list of allowed dynamic parameters that will be merged to the authorization request | no | Array | [:screen_name] |
92
+ | pkce | Enable [PKCE flow](https://oauth.net/2/pkce/) | no | false | one of: true, false |
93
+ | pkce_verifier | Specify a custom PKCE verifier code. | no | A random 128-char string | Proc.new { SecureRandom.hex(64) } |
94
+ | pkce_options | Specify a custom implementation of the PKCE code challenge/method. | no | SHA256(code_challenge) in hex | Proc to customise the code challenge generation |
95
+ | client_options | A hash of client options detailed in its own section | yes | | |
96
+ | jwt_secret_base64 | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. | no | client_options.secret | "bXlzZWNyZXQ=\n" |
97
+ | logout_path | The log out is only triggered when the request path ends on this path | no | '/logout' | '/sign_out' |
98
+ | acr_values | Authentication Class Reference(ACR) values to be passed to the authorize_uri to enforce a specific level, see [RFC9470](https://www.rfc-editor.org/rfc/rfc9470.html) | no | nil | "c1 c2" |
73
99
 
74
100
  ### Client Config Options
75
101
 
@@ -131,7 +157,7 @@ For the full low down on OpenID Connect, please check out
131
157
 
132
158
  ## Contributing
133
159
 
134
- 1. Fork it ( http://github.com/m0n9oose/omniauth-openid-connect/fork )
160
+ 1. Fork it ( http://github.com/omniauth/omniauth_openid_connect/fork )
135
161
  2. Create your feature branch (`git checkout -b my-new-feature`)
136
162
  3. Cover your changes with tests and make sure they're green (`bundle install && bundle exec rake test`)
137
163
  4. Commit your changes (`git commit -am 'Add some feature'`)
@@ -2,6 +2,6 @@
2
2
 
3
3
  module OmniAuth
4
4
  module OpenIDConnect
5
- VERSION = '0.6.1'
5
+ VERSION = '0.8.0'
6
6
  end
7
7
  end
@@ -42,6 +42,7 @@ module OmniAuth
42
42
  option :client_x509_signing_key
43
43
  option :scope, [:openid]
44
44
  option :response_type, 'code' # ['code', 'id_token']
45
+ option :send_state, true
45
46
  option :require_state, true
46
47
  option :state
47
48
  option :response_mode # [:query, :fragment, :form_post, :web_message]
@@ -68,6 +69,8 @@ module OmniAuth
68
69
  code_challenge_method: 'S256',
69
70
  }
70
71
 
72
+ option :logout_path, '/logout'
73
+
71
74
  def uid
72
75
  user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
73
76
  end
@@ -118,7 +121,12 @@ module OmniAuth
118
121
  def callback_phase
119
122
  error = params['error_reason'] || params['error']
120
123
  error_description = params['error_description'] || params['error_reason']
121
- invalid_state = (options.require_state && params['state'].to_s.empty?) || params['state'] != stored_state
124
+ invalid_state =
125
+ if options.send_state
126
+ (options.require_state && params['state'].to_s.empty?) || params['state'] != stored_state
127
+ else
128
+ false
129
+ end
122
130
 
123
131
  raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
124
132
  raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
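Review bot: When `send_state` is false the new `invalid_state` branch hard-codes `false`, so `require_state` is silently ignored and the callback performs no state-based CSRF check at all, and nothing in the code says so. A comment on the `else` branch would make that trade-off explicit to operators: `# send_state: false skips state verification entirely (require_state has no effect); the nonce check is the only remaining replay defence`. Consider also emitting a warning at authorize time when `require_state` is true but `send_state` is false, since that combination is almost certainly a misconfiguration rather than intent. callback_phase continues outside the hunk.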
@@ -167,13 +175,12 @@ module OmniAuth
167
175
  end_session_uri.to_s
168
176
  end
169
177
 
170
- def authorize_uri
178
+ def authorize_uri # rubocop:disable Metrics/AbcSize
171
179
  client.redirect_uri = redirect_uri
172
180
  opts = {
173
181
  response_type: options.response_type,
174
182
  response_mode: options.response_mode,
175
183
  scope: options.scope,
176
- state: new_state,
177
184
  login_hint: params['login_hint'],
178
185
  ui_locales: params['ui_locales'],
179
186
  claims_locales: params['claims_locales'],
@@ -183,6 +190,7 @@ module OmniAuth
183
190
  acr_values: options.acr_values,
184
191
  }
185
192
 
193
+ opts[:state] = new_state if options.send_state
186
194
  opts.merge!(options.extra_authorize_params) unless options.extra_authorize_params.empty?
187
195
 
188
196
  options.allow_authorize_params.each do |key|
@@ -226,7 +234,7 @@ module OmniAuth
226
234
  private
227
235
 
228
236
  def fetch_key
229
- @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get_content(client_options.jwks_uri))
237
+ @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get(client_options.jwks_uri).body)
230
238
  end
231
239
 
232
240
  def base64_decoded_jwt_secret
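Review bot: Replacing `get_content` with `.get(...).body` drops the implicit non-2xx check that `get_content` used to give, so a 4xx/5xx or HTML error page from the JWKS URI is now handed straight to `parse_jwk_key` and fails later with an opaque parse or NoMethodError, or — if the new http_client JSON-decodes it, as the `Content-Type: application/json` test stub suggests — silently becomes a malformed key set. The memoised fetch should check the response status before parsing; I am assuming the openid_connect 2.x client returns a Faraday-style response with `success?`/`status` — confirm against the dependency. The error class and symbol below are a constructed suggestion; map to whatever the surrounding code already raises for fetch failures.
```ruby
def fetch_key
  @fetch_key ||= begin
    response = ::OpenIDConnect.http_client.get(client_options.jwks_uri)
    unless response.success?
      raise CallbackError, error: :jwks_fetch_failed, reason: "JWKS endpoint returned HTTP #{response.status}"
    end
    parse_jwk_key(response.body)
  end
end
```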
@@ -402,7 +410,7 @@ module OmniAuth
402
410
  end
403
411
 
404
412
  def parse_jwk_key(key)
405
- json = JSON.parse(key)
413
+ json = key.is_a?(String) ? JSON.parse(key) : key
406
414
  return JSON::JWK::Set.new(json['keys']) if json.key?('keys')
407
415
 
408
416
  JSON::JWK.new(json)
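Review bot: `key.is_a?(String) ? JSON.parse(key) : key` treats any non-String as already-decoded JSON, so a nil body or a JSON array/scalar from a misbehaving endpoint reaches `json.key?('keys')` and dies with NoMethodError instead of a descriptive error. Guard the shape before using it, e.g. `raise ArgumentError, 'JWKS response is not a JSON object' unless json.is_a?(Hash)` (or whichever error the callers of parse_jwk_key already map to a failed key lookup). A one-line comment such as `# body may arrive pre-decoded when the HTTP client parses application/json` would also explain why the String check exists.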
@@ -432,7 +440,7 @@ module OmniAuth
432
440
  end
433
441
 
434
442
  def logout_path_pattern
435
- @logout_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/logout)}
443
+ @logout_path_pattern ||= /\A#{Regexp.quote(request_path)}#{options.logout_path}/
436
444
  end
437
445
 
438
446
  def id_token_callback_phase
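Review bot: `options.logout_path` is interpolated into the regexp unescaped while `request_path` is `Regexp.quote`d, so a configured path containing metacharacters (`.`, `+`, `(`) is read as pattern syntax rather than literally, and the pattern still has no end anchor, so `/logout` also matches any path that merely starts with it (the old pattern had the same missing anchor). Since the README describes the logout as triggered when the request path "ends on this path", quote and anchor it: `@logout_path_pattern ||= /\A#{Regexp.quote(request_path)}#{Regexp.quote(options.logout_path)}\z/`. The old pattern also exposed `/logout` as capture group 1; if any caller read that group it is gone now — the caller is not visible in this hunk, so please check.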
@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
11
11
  spec.email = ['jjbohn@gmail.com', 'm0n9oose@gmail.com']
12
12
  spec.summary = 'OpenID Connect Strategy for OmniAuth'
13
13
  spec.description = 'OpenID Connect Strategy for OmniAuth.'
14
- spec.homepage = 'https://github.com/m0n9oose/omniauth_openid_connect'
14
+ spec.homepage = 'https://github.com/omniauth/omniauth_openid_connect'
15
15
  spec.license = 'MIT'
16
16
 
17
17
  spec.files = `git ls-files -z`.split("\x0")
@@ -20,23 +20,24 @@ Gem::Specification.new do |spec|
20
20
  spec.require_paths = ['lib']
21
21
 
22
22
  spec.metadata = {
23
- 'bug_tracker_uri' => 'https://github.com/m0n9oose/omniauth_openid_connect/issues',
24
- 'changelog_uri' => 'https://github.com/m0n9oose/omniauth_openid_connect/releases',
25
- 'documentation_uri' => "https://github.com/m0n9oose/omniauth_openid_connect/tree/v#{spec.version}#readme",
26
- 'source_code_uri' => "https://github.com/m0n9oose/omniauth_openid_connect/tree/v#{spec.version}",
23
+ 'bug_tracker_uri' => 'https://github.com/omniauth/omniauth_openid_connect/issues',
24
+ 'changelog_uri' => 'https://github.com/omniauth/omniauth_openid_connect/releases',
25
+ 'documentation_uri' => "https://github.com/omniauth/omniauth_openid_connect/tree/v#{spec.version}#readme",
26
+ 'source_code_uri' => "https://github.com/omniauth/omniauth_openid_connect/tree/v#{spec.version}",
27
27
  'rubygems_mfa_required' => 'true',
28
28
  }
29
29
 
30
30
  spec.add_dependency 'omniauth', '>= 1.9', '< 3'
31
- spec.add_dependency 'openid_connect', '~> 1.1'
31
+ spec.add_dependency 'openid_connect', '~> 2.2'
32
32
  spec.add_development_dependency 'faker', '~> 2.0'
33
33
  spec.add_development_dependency 'guard', '~> 2.14'
34
34
  spec.add_development_dependency 'guard-bundler', '~> 2.2'
35
35
  spec.add_development_dependency 'guard-minitest', '~> 2.4'
36
- spec.add_development_dependency 'minitest', '~> 5.1'
37
- spec.add_development_dependency 'mocha', '~> 1.7'
36
+ spec.add_development_dependency 'minitest', '~> 5.20'
37
+ spec.add_development_dependency 'mocha', '~> 2.1'
38
38
  spec.add_development_dependency 'rake', '~> 12.0'
39
39
  spec.add_development_dependency 'rubocop', '~> 1.12'
40
40
  spec.add_development_dependency 'simplecov', '~> 0.21'
41
41
  spec.add_development_dependency 'simplecov-lcov', '~> 0.8'
42
+ spec.add_development_dependency 'webmock', '~> 3.18'
42
43
  end
@@ -69,6 +69,17 @@ module OmniAuth
69
69
  strategy.other_phase
70
70
  end
71
71
 
72
+ def test_logout_phase_with_logout_path
73
+ strategy.options.issuer = 'example.com'
74
+ strategy.options.client_options.host = 'example.com'
75
+ strategy.options.logout_path = '/sign_out'
76
+
77
+ request.stubs(:path).returns('/auth/openid_connect/sign_out')
78
+
79
+ strategy.expects(:call_app!)
80
+ strategy.other_phase
81
+ end
82
+
72
83
  def test_logout_phase
73
84
  strategy.options.issuer = 'example.com'
74
85
  strategy.options.client_options.host = 'example.com'
@@ -442,6 +453,50 @@ module OmniAuth
442
453
  strategy.callback_phase
443
454
  end
444
455
 
456
+ def test_callback_phase_with_send_state_disabled # rubocop:disable Metrics/AbcSize
457
+ code = SecureRandom.hex(16)
458
+
459
+ strategy.options.client_options.host = 'example.com'
460
+ strategy.options.require_state = true
461
+ strategy.options.send_state = false
462
+ strategy.options.discovery = true
463
+ refute_match(/state/, strategy.authorize_uri, 'URI must not contain state')
464
+
465
+ request.stubs(:params).returns('code' => code)
466
+ request.stubs(:path).returns('')
467
+
468
+ issuer = stub('OpenIDConnect::Discovery::Issuer')
469
+ issuer.stubs(:issuer).returns('https://example.com/')
470
+ ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
471
+
472
+ config = stub('OpenIDConnect::Discovery::Provder::Config')
473
+ config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
474
+ config.stubs(:token_endpoint).returns('https://example.com/token')
475
+ config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
476
+ config.stubs(:jwks_uri).returns('https://example.com/jwks')
477
+ config.stubs(:jwks).returns(JSON::JWK::Set.new(jwks['keys']))
478
+
479
+ ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
480
+
481
+ id_token = stub('OpenIDConnect::ResponseObject::IdToken')
482
+ id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
483
+ id_token.stubs(:verify!).with(issuer: 'https://example.com/', client_id: @identifier, nonce: nonce).returns(true)
484
+ ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
485
+
486
+ strategy.unstub(:user_info)
487
+ access_token = stub('OpenIDConnect::AccessToken')
488
+ access_token.stubs(:access_token)
489
+ access_token.stubs(:refresh_token)
490
+ access_token.stubs(:expires_in)
491
+ access_token.stubs(:scope)
492
+ access_token.stubs(:id_token).returns(jwt.to_s)
493
+ client.expects(:access_token!).at_least_once.returns(access_token)
494
+ access_token.expects(:userinfo!).returns(user_info)
495
+
496
+ strategy.call!('rack.session' => { 'omniauth.nonce' => nonce })
497
+ strategy.callback_phase
498
+ end
499
+
445
500
  def test_callback_phase_with_no_state_without_state_verification # rubocop:disable Metrics/AbcSize
446
501
  code = SecureRandom.hex(16)
447
502
 
@@ -509,10 +564,10 @@ module OmniAuth
509
564
  strategy.options.client_options.jwks_uri = 'https://jwks.example.com'
510
565
  strategy.options.response_type = 'id_token'
511
566
 
512
- HTTPClient
513
- .any_instance.stubs(:get_content)
514
- .with(strategy.options.client_options.jwks_uri)
515
- .returns(jwks.to_json)
567
+ stub_request(:get, strategy.options.client_options.jwks_uri).to_return(
568
+ body: jwks.to_json,
569
+ headers: { 'Content-Type' => 'application/json' }
570
+ )
516
571
 
517
572
  strategy.unstub(:user_info)
518
573
  access_token = stub('OpenIDConnect::AccessToken')
@@ -788,8 +843,7 @@ module OmniAuth
788
843
  access_token: 'test_access_token',
789
844
  id_token: jwt.to_s,
790
845
  token_type: 'Bearer',
791
- }.to_json
792
- success = Struct.new(:status, :body).new(200, json_response)
846
+ }
793
847
 
794
848
  request.stubs(:path).returns('')
795
849
  strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
@@ -798,11 +852,13 @@ module OmniAuth
798
852
  id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
799
853
  ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
800
854
 
801
- HTTPClient.any_instance.stubs(:post).with(
802
- "#{ opts.scheme }://#{ opts.host }:#{ opts.port }#{ opts.token_endpoint }",
803
- { scope: 'openid', grant_type: :client_credentials, client_id: @identifier, client_secret: @secret },
804
- {}
805
- ).returns(success)
855
+ url = "#{ opts.scheme }://#{ opts.host }:#{ opts.port }#{ opts.token_endpoint }"
856
+ body = { scope: 'openid', grant_type: 'client_credentials', client_id: @identifier, client_secret: @secret }
857
+
858
+ stub_request(:post, url).with(body: body).to_return(
859
+ body: json_response.to_json,
860
+ headers: { 'Content-Type' => 'application/json' }
861
+ )
806
862
 
807
863
  assert(strategy.send(:access_token))
808
864
  end
@@ -1,6 +1,6 @@
1
1
  # frozen_string_literal: true
2
2
 
3
- class StrategyTestCase < MiniTest::Test
3
+ class StrategyTestCase < Minitest::Test
4
4
  class DummyApp
5
5
  def call(env); end
6
6
  end
data/test/test_helper.rb CHANGED
@@ -5,6 +5,7 @@ require 'minitest/autorun'
5
5
  require 'mocha/minitest'
6
6
  require 'faker'
7
7
  require 'active_support'
8
+ require 'webmock/minitest'
8
9
 
9
10
  SimpleCov.start do
10
11
  if ENV['CI']
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth_openid_connect
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.1
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - John Bohn
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2023-02-23 00:00:00.000000000 Z
12
+ date: 2024-07-04 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: omniauth
@@ -37,14 +37,14 @@ dependencies:
37
37
  requirements:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: '1.1'
40
+ version: '2.2'
41
41
  type: :runtime
42
42
  prerelease: false
43
43
  version_requirements: !ruby/object:Gem::Requirement
44
44
  requirements:
45
45
  - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: '1.1'
47
+ version: '2.2'
48
48
  - !ruby/object:Gem::Dependency
49
49
  name: faker
50
50
  requirement: !ruby/object:Gem::Requirement
@@ -107,28 +107,28 @@ dependencies:
107
107
  requirements:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
- version: '5.1'
110
+ version: '5.20'
111
111
  type: :development
112
112
  prerelease: false
113
113
  version_requirements: !ruby/object:Gem::Requirement
114
114
  requirements:
115
115
  - - "~>"
116
116
  - !ruby/object:Gem::Version
117
- version: '5.1'
117
+ version: '5.20'
118
118
  - !ruby/object:Gem::Dependency
119
119
  name: mocha
120
120
  requirement: !ruby/object:Gem::Requirement
121
121
  requirements:
122
122
  - - "~>"
123
123
  - !ruby/object:Gem::Version
124
- version: '1.7'
124
+ version: '2.1'
125
125
  type: :development
126
126
  prerelease: false
127
127
  version_requirements: !ruby/object:Gem::Requirement
128
128
  requirements:
129
129
  - - "~>"
130
130
  - !ruby/object:Gem::Version
131
- version: '1.7'
131
+ version: '2.1'
132
132
  - !ruby/object:Gem::Dependency
133
133
  name: rake
134
134
  requirement: !ruby/object:Gem::Requirement
@@ -185,6 +185,20 @@ dependencies:
185
185
  - - "~>"
186
186
  - !ruby/object:Gem::Version
187
187
  version: '0.8'
188
+ - !ruby/object:Gem::Dependency
189
+ name: webmock
190
+ requirement: !ruby/object:Gem::Requirement
191
+ requirements:
192
+ - - "~>"
193
+ - !ruby/object:Gem::Version
194
+ version: '3.18'
195
+ type: :development
196
+ prerelease: false
197
+ version_requirements: !ruby/object:Gem::Requirement
198
+ requirements:
199
+ - - "~>"
200
+ - !ruby/object:Gem::Version
201
+ version: '3.18'
188
202
  description: OpenID Connect Strategy for OmniAuth.
189
203
  email:
190
204
  - jjbohn@gmail.com
@@ -213,14 +227,14 @@ files:
213
227
  - test/lib/omniauth/strategies/openid_connect_test.rb
214
228
  - test/strategy_test_case.rb
215
229
  - test/test_helper.rb
216
- homepage: https://github.com/m0n9oose/omniauth_openid_connect
230
+ homepage: https://github.com/omniauth/omniauth_openid_connect
217
231
  licenses:
218
232
  - MIT
219
233
  metadata:
220
- bug_tracker_uri: https://github.com/m0n9oose/omniauth_openid_connect/issues
221
- changelog_uri: https://github.com/m0n9oose/omniauth_openid_connect/releases
222
- documentation_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.6.1#readme
223
- source_code_uri: https://github.com/m0n9oose/omniauth_openid_connect/tree/v0.6.1
234
+ bug_tracker_uri: https://github.com/omniauth/omniauth_openid_connect/issues
235
+ changelog_uri: https://github.com/omniauth/omniauth_openid_connect/releases
236
+ documentation_uri: https://github.com/omniauth/omniauth_openid_connect/tree/v0.8.0#readme
237
+ source_code_uri: https://github.com/omniauth/omniauth_openid_connect/tree/v0.8.0
224
238
  rubygems_mfa_required: 'true'
225
239
  post_install_message:
226
240
  rdoc_options: []
@@ -237,7 +251,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
237
251
  - !ruby/object:Gem::Version
238
252
  version: '0'
239
253
  requirements: []
240
- rubygems_version: 3.4.7
254
+ rubygems_version: 3.5.14
241
255
  signing_key:
242
256
  specification_version: 4
243
257
  summary: OpenID Connect Strategy for OmniAuth