omniauth_openid_connect 0.2.4 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9379f2ad95525430e02d022ece044a331e36d7a5ea093d48349829305f16b445
-  data.tar.gz: 98959c5836425cae327007dc76fefbc09db5693d71488282ec5b08f1199da306
+  metadata.gz: 8916e5d71adfaa8dd6c64c168746671ba026fec61798ee85a9393c03b36c5bbd
+  data.tar.gz: adfa760da9122452dc6cc486fb721ef1ce32a79910b8c16a32b6b153430b3e28
 SHA512:
-  metadata.gz: 18460b36bc8dfffb027e11baea3da125406cea9749877cf02640e60e7b98a4b813821988d6bcb7e4d41b7cb4a4d20207bf4bd4684d9ee6dd374f49618bda6556
-  data.tar.gz: 5b8f9509cdb60e5c2f0234732781dbae04379ab4ccab482b9bd374c4134d7502d9bc27bcfac57be641d4154025d97bde92e7ebd16c5588f8fde55b4f3a65133a
+  metadata.gz: 877b098cd0f6a167cd6486a91de34668a6a8c7329ab0fb0eddcbb5914e548895db64a5e9e2ecf20308a90685f3baf29327b0a1e163d007b76e992908b398ea96
+  data.tar.gz: 0ae557ebfc1319225171bba2fdae139a7c6a98338812bec2d3a5b50c58946f825511565c0a0d4c8d07a658a892ba2b652f78c12fd79a7fd1466c16925b85a3e5

data/.gitignore

@@ -2,6 +2,7 @@
 *.rbc
 .bundle
 .config
+.idea
 .yardoc
 InstalledFiles
 _yardoc

data/CHANGELOG.md

@@ -0,0 +1,13 @@
+# v0.3.0 (27.04.2019)
+
+- RP-Initiated Logout phase [#5](https://github.com/m0n9oose/omniauth_openid_connect/pull/5)
+- Allows `ui_locales`, `claims_locales` and `login_hint` as request params [#6](https://github.com/m0n9oose/omniauth_openid_connect/pull/6)
+- Make uid label configurable [#11](https://github.com/m0n9oose/omniauth_openid_connect/pull/11)
+- Allow rails applications to handle state mismatch [#14](https://github.com/m0n9oose/omniauth_openid_connect/pull/14)
+- Handle errors when fetching access_token at callback_phase [#17](https://github.com/m0n9oose/omniauth_openid_connect/pull/17)
+- Allow state method to receive env [#19](https://github.com/m0n9oose/omniauth_openid_connect/pull/19)
+
+# v0.2.4 (06.01.2019)
+
+- Prompt and login hint [#4](https://github.com/m0n9oose/omniauth_openid_connect/pull/4)
+- Bump openid_connect dependency [#9](https://github.com/m0n9oose/omniauth_openid_connect/pull/9)

data/README.md

@@ -28,6 +28,7 @@ config.omniauth :openid_connect, {
   name: :my_provider,
   scope: [:openid, :email, :profile, :address],
   response_type: :code,
+  uid_field: "preferred_username",
   client_options: {
     port: 443,
     scheme: "https",
@@ -43,12 +44,16 @@ Configuration details:
   * `name` is arbitrary, I recommend using the name of your provider. The name
   configuration exists because you could be using multiple OpenID Connect
   providers in a single app.
+
+  **NOTE**: if you use this gem with Devise you should use `:openid_connect` name,
+  or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'
+
   * Although `response_type` is an available option, currently, only `:code`
   is valid. There are plans to bring in implicit flow and hybrid flow at some
   point, but it hasn't come up yet for me. Those flows aren't best practive for
   server side web apps anyway and are designed more for native/mobile apps.
   * If you want to pass `state` paramete by yourself. You can set Proc Object.  
-  e.g. `state: Proc.new{ SecureRandom.hex(32) }`
+  e.g. `state: Proc.new { SecureRandom.hex(32) }`
   * `nonce` is optional. If don't want to pass "nonce" parameter to provider, You should specify
   `false` to `send_nonce` option. (default true)
   * Support for other client authentication methods. If don't specified
@@ -58,6 +63,11 @@ Configuration details:
   If provider does not have Webfinger endpoint, You can specify "Issuer" to option.  
   e.g. `issuer: "https://myprovider.com"`  
   It means to get configuration from "https://myprovider.com/.well-known/openid-configuration".
+  * The uid is by default using the `sub` value from the `user_info` response,
+  which in some applications is not the expected value. To avoid such limitations, the uid label can be
+  configured by providing the omniauth `uid_field` option to a different label (i.e. `preferred_username`)
+  that appears in the `user_info` details.
+  * The `issuer` property should exactly match the provider's issuer link.
 
 For the full low down on OpenID Connect, please check out
 [the spec](http://openid.net/specs/openid-connect-core-1_0.html).
@@ -66,6 +76,7 @@ For the full low down on OpenID Connect, please check out
 
 1. Fork it ( http://github.com/m0n9oose/omniauth-openid-connect/fork )
 2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+3. Cover your changes with tests and make sure they're green (`bundle install && bundle exec rake test`)
+4. Commit your changes (`git commit -am 'Add some feature'`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create new Pull Request

data/lib/omniauth/openid_connect/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module OpenIDConnect
-    VERSION = '0.2.4'
+    VERSION = '0.3.0'
   end
 end

data/lib/omniauth/strategies/openid_connect.rb

@@ -4,11 +4,15 @@ require 'net/http'
 require 'open-uri'
 require 'omniauth'
 require 'openid_connect'
+require 'forwardable'
 
 module OmniAuth
   module Strategies
     class OpenIDConnect
       include OmniAuth::Strategy
+      extend Forwardable
+
+      def_delegator :request, :params
 
       option :client_options, {
         identifier: nil,
@@ -20,7 +24,8 @@ module OmniAuth
         authorization_endpoint: '/authorize',
         token_endpoint: '/token',
         userinfo_endpoint: '/userinfo',
-        jwks_uri: '/jwk'
+        jwks_uri: '/jwk',
+        end_session_endpoint: nil
       }
       option :issuer
       option :discovery, false
@@ -37,13 +42,19 @@ module OmniAuth
       option :max_age
       option :ui_locales
       option :id_token_hint
-      option :login_hint
       option :acr_values
       option :send_nonce, true
       option :send_scope_to_token_endpoint, true
       option :client_auth_method
-
-      uid { user_info.sub }
+      option :post_logout_redirect_uri
+      option :uid_field, 'sub'
+
+      def uid
+        user_info.public_send(options.uid_field.to_s)
+      rescue NoMethodError
+        log :warn, "User sub:#{user_info.sub} missing info field: #{options.uid_field}"
+        user_info.sub
+      end
 
       info do
         {
@@ -82,28 +93,28 @@ module OmniAuth
       end
 
       def request_phase
-        options.issuer = issuer if options.issuer.blank?
-        discover! if options.discovery
+        options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
+        discover!
         redirect authorize_uri
       end
 
       def callback_phase
-        error = request.params['error_reason'] || request.params['error']
+        error = params['error_reason'] || params['error']
         if error
-          raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
-        elsif request.params['state'].to_s.empty? || request.params['state'] != stored_state
-          return Rack::Response.new(['401 Unauthorized'], 401).finish
-        elsif !request.params['code']
-          return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(request.params['error']))
+          raise CallbackError.new(params['error'], params['error_description'] || params['error_reason'], params['error_uri'])
+        elsif params['state'].to_s.empty? || params['state'] != stored_state
+          raise CallbackError, 'Invalid state parameter'
+        elsif !params['code']
+          return fail!(:missing_code, OmniAuth::OpenIDConnect::MissingCodeError.new(params['error']))
         else
-          options.issuer = issuer if options.issuer.blank?
-          discover! if options.discovery
+          options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
+          discover!
           client.redirect_uri = redirect_uri
           client.authorization_code = authorization_code
           access_token
           super
         end
-      rescue CallbackError => e
+      rescue CallbackError, ::Rack::OAuth2::Client::Error => e
         fail!(:invalid_credentials, e)
       rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
         fail!(:timeout, e)
@@ -111,8 +122,24 @@ module OmniAuth
         fail!(:failed_to_connect, e)
       end
 
+      def other_phase
+        if logout_path_pattern.match?(current_path)
+          options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
+          discover!
+          return redirect(end_session_uri) if end_session_uri
+        end
+        call_app!
+      end
+
       def authorization_code
-        request.params['code']
+        params['code']
+      end
+
+      def end_session_uri
+        return unless end_session_endpoint_is_valid?
+        end_session_uri = URI(client_options.end_session_endpoint)
+        end_session_uri.query = encoded_post_logout_redirect_uri
+        end_session_uri.to_s
       end
 
       def authorize_uri
@@ -121,7 +148,9 @@ module OmniAuth
           response_type: options.response_type,
           scope: options.scope,
           state: new_state,
-          login_hint: options.login_hint,
+          login_hint: params['login_hint'],
+          ui_locales: params['ui_locales'],
+          claims_locales: params['claims_locales'],
           prompt: options.prompt,
           nonce: (new_nonce if options.send_nonce),
           hd: options.hd,
@@ -143,10 +172,12 @@ module OmniAuth
       end
 
       def discover!
+        return unless options.discovery
         client_options.authorization_endpoint = config.authorization_endpoint
         client_options.token_endpoint = config.token_endpoint
         client_options.userinfo_endpoint = config.userinfo_endpoint
         client_options.jwks_uri = config.jwks_uri
+        client_options.end_session_endpoint = config.end_session_endpoint if config.respond_to?(:end_session_endpoint)
       end
 
       def user_info
@@ -178,7 +209,13 @@ module OmniAuth
       end
 
       def new_state
-        state = options.state.call if options.state.respond_to? :call
+        state = if options.state.respond_to?(:call)
+                  if options.state.arity == 1
+                    options.state.call(env)
+                  else
+                    options.state.call
+                  end
+                end
         session['omniauth.state'] = state || SecureRandom.hex(16)
       end
 
@@ -231,8 +268,24 @@ module OmniAuth
       end
 
       def redirect_uri
-        return client_options.redirect_uri unless request.params['redirect_uri']
-        "#{ client_options.redirect_uri }?redirect_uri=#{ CGI.escape(request.params['redirect_uri']) }"
+        return client_options.redirect_uri unless params['redirect_uri']
+        "#{ client_options.redirect_uri }?redirect_uri=#{ CGI.escape(params['redirect_uri']) }"
+      end
+
+      def encoded_post_logout_redirect_uri
+        return unless options.post_logout_redirect_uri
+        URI.encode_www_form(
+          post_logout_redirect_uri: options.post_logout_redirect_uri
+        )
+      end
+
+      def end_session_endpoint_is_valid?
+        client_options.end_session_endpoint &&
+          client_options.end_session_endpoint =~ URI::DEFAULT_PARSER.make_regexp
+      end
+
+      def logout_path_pattern
+        @logout_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/logout)}
       end
 
       class CallbackError < StandardError

data/omniauth_openid_connect.gemspec

@@ -21,7 +21,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'omniauth', '~> 1.3'
   spec.add_dependency 'openid_connect', '~> 1.1'
   spec.add_dependency 'addressable', '~> 2.5'
-  spec.add_development_dependency 'bundler', '~> 1.5'
   spec.add_development_dependency 'minitest', '~> 5.1'
   spec.add_development_dependency 'mocha', '~> 1.7'
   spec.add_development_dependency 'guard', '~> 2.14'

data/test/lib/omniauth/strategies/openid_connect_test.rb

@@ -18,6 +18,73 @@ module OmniAuth
         strategy.request_phase
       end
 
+      def test_logout_phase_with_discovery
+        expected_redirect = %r{^https:\/\/example\.com\/logout$}
+        strategy.options.client_options.host = 'example.com'
+        strategy.options.discovery = true
+
+        issuer = stub('OpenIDConnect::Discovery::Issuer')
+        issuer.stubs(:issuer).returns('https://example.com/')
+        ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
+
+        config = stub('OpenIDConnect::Discovery::Provder::Config')
+        config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
+        config.stubs(:token_endpoint).returns('https://example.com/token')
+        config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
+        config.stubs(:jwks_uri).returns('https://example.com/jwks')
+        config.stubs(:end_session_endpoint).returns('https://example.com/logout')
+        ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+
+        request.stubs(:path_info).returns('/auth/openidconnect/logout')
+
+        strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+        strategy.other_phase
+      end
+
+      def test_logout_phase_with_discovery_and_post_logout_redirect_uri
+        expected_redirect = 'https://example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fmysite.com'
+        strategy.options.client_options.host = 'example.com'
+        strategy.options.discovery = true
+        strategy.options.post_logout_redirect_uri = 'https://mysite.com'
+
+        issuer = stub('OpenIDConnect::Discovery::Issuer')
+        issuer.stubs(:issuer).returns('https://example.com/')
+        ::OpenIDConnect::Discovery::Provider.stubs(:discover!).returns(issuer)
+
+        config = stub('OpenIDConnect::Discovery::Provder::Config')
+        config.stubs(:authorization_endpoint).returns('https://example.com/authorization')
+        config.stubs(:token_endpoint).returns('https://example.com/token')
+        config.stubs(:userinfo_endpoint).returns('https://example.com/userinfo')
+        config.stubs(:jwks_uri).returns('https://example.com/jwks')
+        config.stubs(:end_session_endpoint).returns('https://example.com/logout')
+        ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+
+        request.stubs(:path_info).returns('/auth/openidconnect/logout')
+
+        strategy.expects(:redirect).with(expected_redirect)
+        strategy.other_phase
+      end
+
+      def test_logout_phase
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_options.host = 'example.com'
+
+        request.stubs(:path_info).returns('/auth/openidconnect/logout')
+
+        strategy.expects(:call_app!)
+        strategy.other_phase
+      end
+
+      def test_request_phase_with_params
+        expected_redirect = /^https:\/\/example\.com\/authorize\?claims_locales=es&client_id=1234&login_hint=john.doe%40example.com&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}&ui_locales=en$/
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_options.host = 'example.com'
+        request.stubs(:params).returns('login_hint' => 'john.doe@example.com', 'ui_locales' => 'en', 'claims_locales' => 'es')
+
+        strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+        strategy.request_phase
+      end
+
       def test_request_phase_with_discovery
         expected_redirect = /^https:\/\/example\.com\/authorization\?client_id=1234&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}$/
         strategy.options.client_options.host = 'example.com'
@@ -42,10 +109,17 @@ module OmniAuth
         assert_equal strategy.options.client_options.token_endpoint, 'https://example.com/token'
         assert_equal strategy.options.client_options.userinfo_endpoint, 'https://example.com/userinfo'
         assert_equal strategy.options.client_options.jwks_uri, 'https://example.com/jwks'
+        assert_nil strategy.options.client_options.end_session_endpoint
       end
 
       def test_uid
         assert_equal user_info.sub, strategy.uid
+
+        strategy.options.uid_field = 'preferred_username'
+        assert_equal user_info.preferred_username, strategy.uid
+
+        strategy.options.uid_field = 'something'
+        assert_equal user_info.sub, strategy.uid
       end
 
       def test_callback_phase(session = {}, params = {})
@@ -139,10 +213,20 @@ module OmniAuth
         request.stubs(:path_info).returns('')
 
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
-        result = strategy.callback_phase
+        strategy.expects(:fail!)
+        strategy.callback_phase
+      end
+
+      def test_callback_phase_without_code
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('state' => state)
+        request.stubs(:path_info).returns('')
 
-        assert result.kind_of?(Array)
-        assert result.first == 401, "Expecting unauthorized"
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+
+        strategy.expects(:fail!)
+        strategy.callback_phase
       end
 
       def test_callback_phase_with_timeout
@@ -190,6 +274,21 @@ module OmniAuth
         strategy.callback_phase
       end
 
+      def test_callback_phase_with_rack_oauth2_client_error
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('code' => code, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = 'example.com'
+
+        strategy.stubs(:access_token).raises(::Rack::OAuth2::Client::Error.new('error', error: 'Unknown'))
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.expects(:fail!)
+        strategy.callback_phase
+      end
+
       def test_info
         info = strategy.info
         assert_equal user_info.name, info[:name]
@@ -261,15 +360,15 @@ module OmniAuth
       end
 
       def test_state
-        strategy.options.state = lambda { 42 }
-        session = { "state" => 42 }
+        strategy.options.state = -> { 42 }
 
-        expected_redirect = /&state=/
+        expected_redirect = /&state=42/
         strategy.options.issuer = 'example.com'
         strategy.options.client_options.host = 'example.com'
         strategy.expects(:redirect).with(regexp_matches(expected_redirect))
         strategy.request_phase
 
+        session = { 'state' => 42 }
         # this should succeed as the correct state is passed with the request
         test_callback_phase(session, { 'state' => 42 })
 
@@ -277,12 +376,26 @@ module OmniAuth
         code = SecureRandom.hex(16)
         request.stubs(:params).returns('code' => code, 'state' => 43)
         request.stubs(:path_info).returns('')
+
         strategy.call!('rack.session' => session)
+        strategy.expects(:fail!)
+        strategy.callback_phase
+      end
 
-        result = strategy.callback_phase
+      def test_dynamic_state
+        # Stub request parameters
+        Strategy.send(:define_method, 'env', -> { { QUERY_STRING: { state: 'abc', client_id: '123' } } })
 
-        assert result.kind_of?(Array)
-        assert result.first == 401, 'Expecting unauthorized'
+        strategy.options.state = lambda { |env|
+          # Get params from request, e.g. CGI.parse(env['QUERY_STRING'])
+          env[:QUERY_STRING][:state] + env[:QUERY_STRING][:client_id]
+        }
+
+        expected_redirect = /&state=abc123/
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_options.host = 'example.com'
+        strategy.expects(:redirect).with(regexp_matches(expected_redirect))
+        strategy.request_phase
       end
 
       def test_option_client_auth_method

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth_openid_connect
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - John Bohn
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-06 00:00:00.000000000 Z
+date: 2019-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -53,20 +53,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.5'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -217,6 +203,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - Guardfile
 - LICENSE.txt
@@ -253,8 +240,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.2
 signing_key: 
 specification_version: 4
 summary: OpenID Connect Strategy for OmniAuth