omniauth_openid_connect 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: acc382de3a9187fc1fc72053e311d7d82f579351
+  data.tar.gz: 38f48f09a1c3886b5a5e64da87614f76ce7d157b
+SHA512:
+  metadata.gz: 300022e2fbe8589c5e3d791e468263015260256e51a34f8da390c30b5ee46c5da22d5556cb4acc7d89f40bbad6b2aae6dbcc916b997ee6aeb8eebd1ad8dd77f2
+  data.tar.gz: dbc66b01bec8c313449b56f4248925989621eab47790ff541fb338719287014926f208a1b0cf2e22ce53e938c98b8ee622a25eafb7c955d4ce7332ddd4683429

data/.gitignore

@@ -0,0 +1,19 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.ruby-version
+.ruby-gemset
+Gemfile.lock

data/.travis.yml

@@ -0,0 +1,9 @@
+before_install:
+  - gem update bundler
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+  - 2.2.0
+  - 2.3.0
+  - rbx

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/Guardfile

@@ -0,0 +1,14 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard 'minitest' do
+  # with Minitest::Unit
+  watch(%r|^test/(.*)\/(.*)_test\.rb|)
+  watch(%r|^lib/(.*)\.rb|)     { |m| "test/lib/#{m[1]}_test.rb" }
+  watch(%r|^test/test_helper\.rb|)    { "test" }
+end
+
+guard :bundler do
+  watch('Gemfile')
+  watch(/^.+\.gemspec/)
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 John Bohn
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,71 @@
+# OmniAuth::OpenIDConnect
+
+OpenID Connect strategy for OmniAuth
+[![Gem Version](https://badge.fury.io/rb/omniauth-openid-connect.png)](http://badge.fury.io/rb/omniauth-openid-connect)
+[![Build Status](https://travis-ci.org/jjbohn/omniauth-openid-connect.png?branch=master)](https://travis-ci.org/jjbohn/omniauth-openid-connect)
+[![Coverage Status](https://coveralls.io/repos/jjbohn/omniauth-openid-connect/badge.png?branch=master)](https://coveralls.io/r/jjbohn/omniauth-openid-connect?branch=master)
+[![Code Climate](https://codeclimate.com/github/jjbohn/omniauth-openid-connect.png)](https://codeclimate.com/github/jjbohn/omniauth-openid-connect)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'omniauth-openid-connect'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install omniauth-openid-connect
+
+## Usage
+
+Example configuration
+```ruby
+config.omniauth :openid_connect, {
+  name: :my_provider,
+  scope: [:openid, :email, :profile, :address],
+  response_type: :code,
+  client_options: {
+    port: 443,
+    scheme: "https",
+    host: "myprovider.com",
+    identifier: ENV["OP_CLIENT_ID"],
+    secret: ENV["OP_SECRET_KEY"],
+    redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
+  },
+}
+```
+
+Configuration details:
+  * `name` is arbitrary, I recommend using the name of your provider. The name
+  configuration exists because you could be using multiple OpenID Connect
+  providers in a single app.
+  * Although `response_type` is an available option, currently, only `:code`
+  is valid. There are plans to bring in implicit flow and hybrid flow at some
+  point, but it hasn't come up yet for me. Those flows aren't best practive for
+  server side web apps anyway and are designed more for native/mobile apps.
+  * If you want to pass `state` paramete by yourself. You can set Proc Object.  
+  e.g. `state: Proc.new{ SecureRandom.hex(32) }`
+  * `nonce` is optional. If don't want to pass "nonce" parameter to provider, You should specify
+  `false` to `send_nonce` option. (default true)
+  * Support for other client authentication methods. If don't specified
+  `:client_auth_method` option, automatically set `:basic`.
+  * Use "OpenID Connect Discovery", You should specify `true` to `discovery` option. (default false)
+  * In "OpenID Connect Discovery", generally provider should have Webfinger endpoint.
+  If provider does not have Webfinger endpoint, You can specify "Issuer" to option.  
+  e.g. `issuer: "https://myprovider.com"`  
+  It means to get configuration from "https://myprovider.com/.well-known/openid-configuration".
+
+For the full low down on OpenID Connect, please check out
+[the spec](http://openid.net/specs/openid-connect-core-1_0.html).
+
+## Contributing
+
+1. Fork it ( http://github.com/jjbohn/omniauth-openid-connect/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+  t.test_files = FileList['test/lib/omniauth/**/*_test.rb']
+  t.verbose = true
+end
+
+task default: :test

data/lib/omniauth/openid_connect.rb

@@ -0,0 +1,3 @@
+require 'omniauth/openid_connect/errors'
+require 'omniauth/openid_connect/version'
+require 'omniauth/strategies/openid_connect'

data/lib/omniauth/openid_connect/errors.rb

@@ -0,0 +1,6 @@
+module OmniAuth
+  module OpenIDConnect
+    class Error < RuntimeError; end
+    class MissingCodeError < Error; end
+  end
+end

data/lib/omniauth/openid_connect/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module OpenIDConnect
+    VERSION = '0.1'
+  end
+end

data/lib/omniauth/strategies/openid_connect.rb

@@ -0,0 +1,253 @@
+require 'addressable/uri'
+require 'timeout'
+require 'net/http'
+require 'open-uri'
+require 'omniauth'
+require 'openid_connect'
+
+module OmniAuth
+  module Strategies
+    class OpenIDConnect
+      include OmniAuth::Strategy
+
+      option :client_options, {
+        identifier: nil,
+        secret: nil,
+        redirect_uri: nil,
+        scheme: 'https',
+        host: nil,
+        port: 443,
+        authorization_endpoint: '/authorize',
+        token_endpoint: '/token',
+        userinfo_endpoint: '/userinfo',
+        jwks_uri: '/jwk'
+      }
+      option :issuer
+      option :discovery, false
+      option :client_signing_alg
+      option :client_jwk_signing_key
+      option :client_x509_signing_key
+      option :scope, [:openid]
+      option :response_type, "code"
+      option :state
+      option :response_mode
+      option :display, nil #, [:page, :popup, :touch, :wap]
+      option :prompt, nil #, [:none, :login, :consent, :select_account]
+      option :hd, nil
+      option :max_age
+      option :ui_locales
+      option :id_token_hint
+      option :login_hint
+      option :acr_values
+      option :send_nonce, true
+      option :send_scope_to_token_endpoint, true
+      option :client_auth_method
+
+      uid { user_info.sub }
+
+      info do
+        {
+          name: user_info.name,
+          email: user_info.email,
+          nickname: user_info.preferred_username,
+          first_name: user_info.given_name,
+          last_name: user_info.family_name,
+          gender: user_info.gender,
+          image: user_info.picture,
+          phone: user_info.phone_number,
+          urls: { website: user_info.website }
+        }
+      end
+
+      extra do
+        { raw_info: user_info.raw_attributes }
+      end
+
+      credentials do
+        {
+          id_token: access_token.id_token,
+          token: access_token.access_token,
+          refresh_token: access_token.refresh_token,
+          expires_in: access_token.expires_in,
+          scope: access_token.scope
+        }
+      end
+
+      def client
+        @client ||= ::OpenIDConnect::Client.new(client_options)
+      end
+
+      def config
+        @config ||= ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
+      end
+
+      def request_phase
+        options.issuer = issuer if options.issuer.blank?
+        discover! if options.discovery
+        redirect authorize_uri
+      end
+
+      def callback_phase
+        error = request.params['error_reason'] || request.params['error']
+        if error
+          raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
+        elsif request.params['state'].to_s.empty? || request.params['state'] != stored_state
+          return Rack::Response.new(['401 Unauthorized'], 401).finish
+        elsif !request.params['code']
+          return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(request.params['error']))
+        else
+          options.issuer = issuer if options.issuer.blank?
+          discover! if options.discovery
+          client.redirect_uri = redirect_uri
+          client.authorization_code = authorization_code
+          access_token
+          super
+        end
+      rescue CallbackError => e
+        fail!(:invalid_credentials, e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
+
+      def authorization_code
+        request.params['code']
+      end
+
+      def authorize_uri
+        client.redirect_uri = redirect_uri
+        opts = {
+          response_type: options.response_type,
+          scope: options.scope,
+          state: new_state,
+          nonce: (new_nonce if options.send_nonce),
+          hd: options.hd,
+        }
+        client.authorization_uri(opts.reject { |k, v| v.nil? })
+      end
+
+      def public_key
+        return config.jwks if options.discovery
+        key_or_secret
+      end
+
+      private
+
+      def issuer
+        resource = "#{ client_options.scheme }://#{ client_options.host }"
+        resource = "#{ resource }:#{ client_options.port }" if client_options.port
+        ::OpenIDConnect::Discovery::Provider.discover!(resource).issuer
+      end
+
+      def discover!
+        client_options.authorization_endpoint = config.authorization_endpoint
+        client_options.token_endpoint = config.token_endpoint
+        client_options.userinfo_endpoint = config.userinfo_endpoint
+        client_options.jwks_uri = config.jwks_uri
+      end
+
+      def user_info
+        @user_info ||= access_token.userinfo!
+      end
+
+      def access_token
+        @access_token ||= begin
+          _access_token = client.access_token!(
+            scope: (options.scope if options.send_scope_to_token_endpoint),
+            client_auth_method: options.client_auth_method
+          )
+          _id_token = decode_id_token _access_token.id_token
+          _id_token.verify!(
+            issuer: options.issuer,
+            client_id: client_options.identifier,
+            nonce: stored_nonce
+          )
+          _access_token
+        end
+      end
+
+      def decode_id_token(id_token)
+        ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
+      end
+
+      def client_options
+        options.client_options
+      end
+
+      def new_state
+        state = options.state.call if options.state.respond_to? :call
+        session['omniauth.state'] = state || SecureRandom.hex(16)
+      end
+
+      def stored_state
+        session.delete('omniauth.state')
+      end
+
+      def new_nonce
+        session['omniauth.nonce'] = SecureRandom.hex(16)
+      end
+
+      def stored_nonce
+        session.delete('omniauth.nonce')
+      end
+
+      def session
+        return {} if @env.nil?
+        super
+      end
+
+      def key_or_secret
+        case options.client_signing_alg
+          when :HS256, :HS384, :HS512
+            return client_options.secret
+          when :RS256, :RS384, :RS512
+            if options.client_jwk_signing_key
+              return parse_jwk_key(options.client_jwk_signing_key)
+            elsif options.client_x509_signing_key
+              return parse_x509_key(options.client_x509_signing_key)
+            end
+          else
+        end
+      end
+
+      def parse_x509_key(key)
+        OpenSSL::X509::Certificate.new(key).public_key
+      end
+
+      def parse_jwk_key(key)
+        json = JSON.parse(key)
+        if json.has_key?('keys')
+          JSON::JWK::Set.new json['keys']
+        else
+          JSON::JWK.new json
+        end
+      end
+
+      def decode(str)
+        UrlSafeBase64.decode64(str).unpack('B*').first.to_i(2).to_s
+      end
+
+      def redirect_uri
+        return client_options.redirect_uri unless request.params['redirect_uri']
+        "#{ client_options.redirect_uri }?redirect_uri=#{ CGI.escape(request.params['redirect_uri']) }"
+      end
+
+      class CallbackError < StandardError
+        attr_accessor :error, :error_reason, :error_uri
+
+        def initialize(error, error_reason=nil, error_uri=nil)
+          self.error = error
+          self.error_reason = error_reason
+          self.error_uri = error_uri
+        end
+
+        def message
+          [error, error_reason, error_uri].compact.join(' | ')
+        end
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'openid_connect', 'OpenIDConnect'

data/lib/omniauth_openid_connect.rb

@@ -0,0 +1 @@
+require 'omniauth/openid_connect'

data/omniauth_openid_connect.gemspec

@@ -0,0 +1,35 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth/openid_connect/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'omniauth_openid_connect'
+  spec.version       = OmniAuth::OpenIDConnect::VERSION
+  spec.authors       = 'John Bohn'
+  spec.email         = 'jjbohn@gmail.com'
+  spec.summary       = 'OpenID Connect Strategy for OmniAuth'
+  spec.description   = 'OpenID Connect Strategy for OmniAuth'
+  spec.homepage      = 'https://github.com/jjbohn/omniauth-openid-connect'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r(^bin/)) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r(^(test|spec|features)/))
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'omniauth', '~> 1.3'
+  spec.add_dependency 'openid_connect', '~> 0.12.0'
+  spec.add_dependency 'addressable', '~> 2.5'
+  spec.add_development_dependency 'bundler', '~> 1.5'
+  spec.add_development_dependency 'minitest', '~> 5.1'
+  spec.add_development_dependency 'mocha', '~> 1.2'
+  spec.add_development_dependency 'guard', '~> 2.14'
+  spec.add_development_dependency 'guard-minitest', '~> 2.4'
+  spec.add_development_dependency 'guard-bundler', '~> 2.1'
+  spec.add_development_dependency 'rake', '~> 11.3'
+  spec.add_development_dependency 'simplecov', '~> 0.12'
+  spec.add_development_dependency 'pry', '~> 0.9'
+  spec.add_development_dependency 'coveralls', '~> 0.8'
+  spec.add_development_dependency 'faker', '~> 1.6'
+end

data/test/fixtures/id_token.txt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg

data/test/fixtures/jwks.json

@@ -0,0 +1,8 @@
+{"keys": [{
+    "kty": "RSA",
+    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+    "e": "AQAB",
+    "alg": "RS256",
+    "kid": "1e9gdk7"
+  }]
+}

data/test/fixtures/test.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAgwCCQC57Ob2JfXb+DANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDgwMTA4NTAxM1oXDTE1MDgw
+MTA4NTAxM1owVDELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMSEwHwYDVQQK
+ExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMTCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+7czSGHN2087T+oX2kBCY/
+XN6UOS/mdU2Gn//omZlyxsQXIqvgBLNWeCVt4QdlFUbgPLggfXUelECV/RUOCIIi
+F2Th4t3x1LviN2XkUiva0DZBnOycqEaJdkyreEuGL1CLVZgZjKmSzNqLl0Yci3D0
+zgVsXFZSadQebietm4CCmfJYREt9NJxXcrLxVDgat/Xm/KJBsohs3f+cbBT8EXer
+7+2oZjZoVUgw1hu0alaOvAfE4mxsVwjn3g2mjDqRJLbbuWqgDobjMHah+d4zwJvN
+ePK8E0hfaz/XBLsJ4e6bQA3M3bANEgSvsicup/qb/0th4gUdc/kj4aJGj0RP7oEC
+AwEAATANBgkqhkiG9w0BAQUFAAOCAQEADuVec/8u2qJiq6K2W/gSLGYCBZq64OrA
+s7L2+S82m9/3gAb62wGcDNZjIGFDQubXmO6RhHv7JUT5YZqv9/kRGTJcHDUrwwoN
+IE99CIPizp7VfnrZ6GsYeszSsw3m+mKTETm+6ELmaSDbYAsrCg4IpGwUF0L88ATv
+CJ8QzW4X7b9dYVc7UAYyCie2N65GXfesBbRlSwFLuVqIzZfMdNpNijTIUwUqGSME
+b8IjLYzvekP53CO4wEBRrAVIPNXgftorxIE30OLWua2Qw3y6Pn+Qp5fLe47025S7
+Lcec18/FbHG0Vbq0qO9cKQw80XyK31N6z556wr2GN2WyixkzVRddXA==
+-----END CERTIFICATE-----

data/test/lib/omniauth/strategies/openid_connect_test.rb

@@ -0,0 +1,352 @@
+require 'test_helper'
+
+module OmniAuth
+  module Strategies
+    class OpenIDConnectTest < StrategyTestCase
+      def test_client_options_defaults
+        assert_equal 'https', strategy.options.client_options.scheme
+        assert_equal 443, strategy.options.client_options.port
+        assert_equal '/authorize', strategy.options.client_options.authorization_endpoint
+        assert_equal '/token', strategy.options.client_options.token_endpoint
+      end
+
+      def test_request_phase
+        expected_redirect = /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}$/
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_options.host = 'example.com'
+        strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+        strategy.request_phase
+      end
+
+      def test_request_phase_with_discovery
+        expected_redirect = /^https:\/\/example\.com\/authorization\?client_id=1234&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}$/
+        strategy.options.client_options.host = 'example.com'
+        strategy.options.discovery = true
+
+        issuer = stub('OpenIDConnect::Discovery::Issuer')
+        issuer.stubs(:issuer).returns('https://example.com/')
+        ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
+
+        config = stub('OpenIDConnect::Discovery::Provder::Config')
+        config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
+        config.stubs(:token_endpoint).returns('https://example.com/token')
+        config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
+        config.stubs(:jwks_uri).returns('https://example.com/jwks')
+        ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+
+        strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+        strategy.request_phase
+
+        assert_equal strategy.options.issuer, 'https://example.com/'
+        assert_equal strategy.options.client_options.authorization_endpoint, 'https://example.com/authorization'
+        assert_equal strategy.options.client_options.token_endpoint, 'https://example.com/token'
+        assert_equal strategy.options.client_options.userinfo_endpoint, 'https://example.com/userinfo'
+        assert_equal strategy.options.client_options.jwks_uri, 'https://example.com/jwks'
+      end
+
+      def test_uid
+        assert_equal user_info.sub, strategy.uid
+      end
+
+      def test_callback_phase(session = {}, params = {})
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('code' => code, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_signing_alg = :RS256
+        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+
+        strategy.unstub(:user_info)
+        access_token = stub('OpenIDConnect::AccessToken')
+        access_token.stubs(:access_token)
+        access_token.stubs(:refresh_token)
+        access_token.stubs(:expires_in)
+        access_token.stubs(:scope)
+        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        client.expects(:access_token!).at_least_once.returns(access_token)
+        access_token.expects(:userinfo!).returns(user_info)
+
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_discovery
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        jwks = JSON::JWK::Set.new(JSON.parse(File.read('test/fixtures/jwks.json'))['keys'])
+
+        request.stubs(:params).returns('code' => code, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.client_options.host = 'example.com'
+        strategy.options.discovery = true
+
+        issuer = stub('OpenIDConnect::Discovery::Issuer')
+        issuer.stubs(:issuer).returns('https://example.com/')
+        ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
+
+        config = stub('OpenIDConnect::Discovery::Provder::Config')
+        config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
+        config.stubs(:token_endpoint).returns('https://example.com/token')
+        config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
+        config.stubs(:jwks_uri).returns('https://example.com/jwks')
+        config.stubs(:jwks).returns(jwks)
+
+        ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:verify!).with(issuer: 'https://example.com/', client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+
+        strategy.unstub(:user_info)
+        access_token = stub('OpenIDConnect::AccessToken')
+        access_token.stubs(:access_token)
+        access_token.stubs(:refresh_token)
+        access_token.stubs(:expires_in)
+        access_token.stubs(:scope)
+        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+        client.expects(:access_token!).at_least_once.returns(access_token)
+        access_token.expects(:userinfo!).returns(user_info)
+
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_error
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('error' => 'invalid_request')
+        request.stubs(:path_info).returns('')
+
+        strategy.call!({'rack.session' => {'omniauth.state' => state, 'omniauth.nonce' => nonce}})
+        strategy.expects(:fail!)
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_invalid_state
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('code' => code, 'state' => 'foobar')
+        request.stubs(:path_info).returns('')
+
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        result = strategy.callback_phase
+
+        assert result.kind_of?(Array)
+        assert result.first == 401, "Expecting unauthorized"
+      end
+
+      def test_callback_phase_with_timeout
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('code' => code, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = 'example.com'
+
+        strategy.stubs(:access_token).raises(::Timeout::Error.new('error'))
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.expects(:fail!)
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_etimeout
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('code' => code, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = 'example.com'
+
+        strategy.stubs(:access_token).raises(::Errno::ETIMEDOUT.new('error'))
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.expects(:fail!)
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_with_socket_error
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('code' => code, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = 'example.com'
+
+        strategy.stubs(:access_token).raises(::SocketError.new('error'))
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.expects(:fail!)
+        strategy.callback_phase
+      end
+
+      def test_info
+        info = strategy.info
+        assert_equal user_info.name, info[:name]
+        assert_equal user_info.email, info[:email]
+        assert_equal user_info.preferred_username, info[:nickname]
+        assert_equal user_info.given_name, info[:first_name]
+        assert_equal user_info.family_name, info[:last_name]
+        assert_equal user_info.gender, info[:gender]
+        assert_equal user_info.picture, info[:image]
+        assert_equal user_info.phone_number, info[:phone]
+        assert_equal({ website: user_info.website }, info[:urls])
+      end
+
+      def test_extra
+        assert_equal({ raw_info: user_info.as_json }, strategy.extra)
+      end
+
+      def test_credentials
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_signing_alg = :RS256
+        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:verify!).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+
+        access_token = stub('OpenIDConnect::AccessToken')
+        access_token.stubs(:access_token).returns(SecureRandom.hex(16))
+        access_token.stubs(:refresh_token).returns(SecureRandom.hex(16))
+        access_token.stubs(:expires_in).returns(Time.now)
+        access_token.stubs(:scope).returns('openidconnect')
+        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+
+        client.expects(:access_token!).returns(access_token)
+        access_token.expects(:refresh_token).returns(access_token.refresh_token)
+        access_token.expects(:expires_in).returns(access_token.expires_in)
+
+        assert_equal(
+          {
+            id_token: access_token.id_token,
+            token: access_token.access_token,
+            refresh_token: access_token.refresh_token,
+            expires_in: access_token.expires_in,
+            scope: access_token.scope
+          },
+          strategy.credentials
+        )
+      end
+
+      def test_option_send_nonce
+        strategy.options.client_options[:host] = 'foobar.com'
+
+        assert(strategy.authorize_uri =~ /nonce=/, 'URI must contain nonce')
+
+        strategy.options.send_nonce = false
+        assert(!(strategy.authorize_uri =~ /nonce=/), 'URI must not contain nonce')
+      end
+
+      def test_failure_endpoint_redirect
+        OmniAuth.config.stubs(:failure_raise_out_environments).returns([])
+        strategy.stubs(:env).returns({})
+        request.stubs(:params).returns('error' => 'access denied')
+
+        result = strategy.callback_phase
+
+        assert(result.is_a? Array)
+        assert(result[0] == 302, 'Redirect')
+        assert(result[1]["Location"] =~ /\/auth\/failure/)
+      end
+
+      def test_state
+        strategy.options.state = lambda { 42 }
+        session = { "state" => 42 }
+
+        expected_redirect = /&state=/
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_options.host = 'example.com'
+        strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+        strategy.request_phase
+
+        # this should succeed as the correct state is passed with the request
+        test_callback_phase(session, { 'state' => 42 })
+
+        # the following should fail because the wrong state is passed to the callback
+        code = SecureRandom.hex(16)
+        request.stubs(:params).returns('code' => code, 'state' => 43)
+        request.stubs(:path_info).returns('')
+        strategy.call!('rack.session' => session)
+
+        result = strategy.callback_phase
+
+        assert result.kind_of?(Array)
+        assert result.first == 401, 'Expecting unauthorized'
+      end
+
+      def test_option_client_auth_method
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+
+        opts = strategy.options.client_options
+        opts[:host] = 'foobar.com'
+        strategy.options.issuer = 'foobar.com'
+        strategy.options.client_auth_method = :not_basic
+        strategy.options.client_signing_alg = :RS256
+        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+
+        json_response = {
+          access_token: 'test_access_token',
+          id_token: File.read('test/fixtures/id_token.txt'),
+          token_type: 'Bearer',
+        }.to_json
+        success = Struct.new(:status, :body).new(200, json_response)
+
+        request.stubs(:path_info).returns('')
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+
+        HTTPClient.any_instance.stubs(:post).with(
+          "#{ opts.scheme }://#{ opts.host }:#{ opts.port }#{ opts.token_endpoint }",
+          { scope: 'openid', grant_type: :client_credentials, client_id: @identifier, client_secret: @secret },
+          {}
+        ).returns(success)
+
+        assert(strategy.send :access_token)
+      end
+
+      def test_public_key_with_jwks
+        strategy.options.client_signing_alg = :RS256
+        strategy.options.client_jwk_signing_key = File.read('./test/fixtures/jwks.json')
+
+        assert_equal JSON::JWK::Set, strategy.public_key.class
+      end
+
+      def test_public_key_with_jwk
+        strategy.options.client_signing_alg = :RS256
+        jwks_str = File.read('./test/fixtures/jwks.json')
+        jwks = JSON.parse(jwks_str)
+        jwk = jwks['keys'].first
+        strategy.options.client_jwk_signing_key = jwk.to_json
+
+        assert_equal JSON::JWK, strategy.public_key.class
+      end
+
+      def test_public_key_with_x509
+        strategy.options.client_signing_alg = :RS256
+        strategy.options.client_x509_signing_key = File.read('./test/fixtures/test.crt')
+        assert_equal OpenSSL::PKey::RSA, strategy.public_key.class
+      end
+
+      def test_public_key_with_hmac
+        strategy.options.client_options.secret = 'secret'
+        strategy.options.client_signing_alg = :HS256
+        assert_equal strategy.options.client_options.secret, strategy.public_key
+      end
+    end
+  end
+end

data/test/strategy_test_case.rb

@@ -0,0 +1,51 @@
+class StrategyTestCase < MiniTest::Test
+  class DummyApp
+    def call(env); end
+  end
+
+  attr_accessor :identifier, :secret
+
+  def setup
+    @identifier = '1234'
+    @secret = '1234asdgat3'
+  end
+
+  def client
+    strategy.client
+  end
+
+  def user_info
+    @user_info ||= OpenIDConnect::ResponseObject::UserInfo.new(
+      sub: SecureRandom.hex(16),
+      name: Faker::Name.name,
+      email: Faker::Internet.email,
+      nickname: Faker::Name.first_name,
+      preferred_username: Faker::Internet.user_name,
+      given_name: Faker::Name.first_name,
+      family_name: Faker::Name.last_name,
+      gender: 'female',
+      picture: Faker::Internet.url + '.png',
+      phone_number: Faker::PhoneNumber.phone_number,
+      website: Faker::Internet.url,
+    )
+  end
+
+  def request
+    @request ||= stub('Request').tap do |request|
+      request.stubs(:params).returns({})
+      request.stubs(:cookies).returns({})
+      request.stubs(:env).returns({})
+      request.stubs(:scheme).returns({})
+      request.stubs(:ssl?).returns(false)
+    end
+  end
+
+  def strategy
+    @strategy ||= OmniAuth::Strategies::OpenIDConnect.new(DummyApp.new).tap do |strategy|
+      strategy.options.client_options.identifier = @identifier
+      strategy.options.client_options.secret = @secret
+      strategy.stubs(:request).returns(request)
+      strategy.stubs(:user_info).returns(user_info)
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,13 @@
+require 'simplecov'
+require 'coveralls'
+require 'minitest/autorun'
+require 'mocha/mini_test'
+require 'faker'
+require 'active_support'
+require 'omniauth_openid_connect'
+require_relative 'strategy_test_case'
+
+SimpleCov.command_name 'test'
+SimpleCov.start
+Coveralls.wear!
+OmniAuth.config.test_mode = true

metadata

@@ -0,0 +1,264 @@
+--- !ruby/object:Gem::Specification
+name: omniauth_openid_connect
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- John Bohn
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-12-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: openid_connect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.0
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.1'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.14'
+- !ruby/object:Gem::Dependency
+  name: guard-minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+- !ruby/object:Gem::Dependency
+  name: guard-bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.3'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: faker
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+description: OpenID Connect Strategy for OmniAuth
+email: jjbohn@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth/openid_connect.rb
+- lib/omniauth/openid_connect/errors.rb
+- lib/omniauth/openid_connect/version.rb
+- lib/omniauth/strategies/openid_connect.rb
+- lib/omniauth_openid_connect.rb
+- omniauth_openid_connect.gemspec
+- test/fixtures/id_token.txt
+- test/fixtures/jwks.json
+- test/fixtures/test.crt
+- test/lib/omniauth/strategies/openid_connect_test.rb
+- test/strategy_test_case.rb
+- test/test_helper.rb
+homepage: https://github.com/jjbohn/omniauth-openid-connect
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: OpenID Connect Strategy for OmniAuth
+test_files:
+- test/fixtures/id_token.txt
+- test/fixtures/jwks.json
+- test/fixtures/test.crt
+- test/lib/omniauth/strategies/openid_connect_test.rb
+- test/strategy_test_case.rb
+- test/test_helper.rb