omniauth_openid_federation 1.0.0

data/lib/omniauth_openid_federation/cache_adapter.rb

@@ -0,0 +1,173 @@
+# Cache adapter interface for framework-agnostic caching
+# Provides a simple interface that can be implemented by any cache backend
+#
+# @example Using Rails cache (automatic)
+#   # Rails.cache is automatically detected and used if available
+#
+# @example Using a custom cache adapter
+#   class MyCacheAdapter
+#     def fetch(key, expires_in: nil)
+#       # Your cache implementation
+#       yield if block_given?
+#     end
+#
+#     def read(key)
+#       # Your cache read implementation
+#     end
+#
+#     def write(key, value, expires_in: nil)
+#       # Your cache write implementation
+#     end
+#
+#     def delete(key)
+#       # Your cache delete implementation
+#     end
+#   end
+#
+#   OmniauthOpenidFederation.configure do |config|
+#     config.cache_adapter = MyCacheAdapter.new
+#   end
+module OmniauthOpenidFederation
+  class CacheAdapter
+    class << self
+      attr_writer :adapter
+
+      # Get the configured cache adapter
+      # Automatically detects Rails.cache if available
+      #
+      # @return [Object, nil] Cache adapter instance or nil if no cache available
+      def adapter
+        @adapter ||= detect_adapter
+      end
+
+      # Reset the cache adapter (useful for testing)
+      # Forces re-detection of cache adapter on next access
+      #
+      # @return [void]
+      def reset!
+        @adapter = nil
+      end
+
+      # Check if caching is available
+      #
+      # @return [Boolean] true if cache adapter is available
+      def available?
+        !adapter.nil?
+      end
+
+      # Fetch a value from cache, or compute and cache it
+      #
+      # @param key [String] Cache key
+      # @param expires_in [Integer, nil] Expiration time in seconds (nil = no expiration)
+      # @yield Block to compute value if not cached
+      # @return [Object] Cached or computed value
+      def fetch(key, expires_in: nil, &block)
+        return yield unless available? && block_given?
+
+        adapter.fetch(key, expires_in: expires_in, &block)
+      end
+
+      # Read a value from cache
+      #
+      # @param key [String] Cache key
+      # @return [Object, nil] Cached value or nil
+      def read(key)
+        return nil unless available?
+        adapter.read(key)
+      end
+
+      # Write a value to cache
+      #
+      # @param key [String] Cache key
+      # @param value [Object] Value to cache
+      # @param expires_in [Integer, nil] Expiration time in seconds (nil = no expiration)
+      # @return [void]
+      def write(key, value, expires_in: nil)
+        return unless available?
+        adapter.write(key, value, expires_in: expires_in)
+      end
+
+      # Delete a value from cache
+      #
+      # @param key [String] Cache key
+      # @return [void]
+      def delete(key)
+        return unless available?
+        adapter.delete(key)
+      end
+
+      # Clear all cache (if supported)
+      #
+      # @return [void]
+      def clear
+        return unless available?
+        adapter.clear if adapter.respond_to?(:clear)
+      end
+
+      private
+
+      # Detect and return the appropriate cache adapter
+      #
+      # @return [Object, nil] Cache adapter instance or nil
+      def detect_adapter
+        # Use configured adapter from configuration if set
+        config = OmniauthOpenidFederation::Configuration.config
+        if config.cache_adapter
+          return config.cache_adapter
+        end
+
+        # Try Rails cache
+        if defined?(Rails) && Rails.respond_to?(:cache) && Rails.cache
+          return RailsCacheAdapter.new(Rails.cache)
+        end
+
+        # Try ActiveSupport::Cache if available (without Rails)
+        if defined?(ActiveSupport::Cache::Store)
+          # Try to use a memory store as fallback
+          begin
+            require "active_support/cache/memory_store"
+            return RailsCacheAdapter.new(ActiveSupport::Cache::MemoryStore.new)
+          rescue LoadError
+            # ActiveSupport::Cache::MemoryStore not available
+          end
+        end
+
+        nil
+      end
+    end
+
+    # Adapter for Rails/ActiveSupport cache stores
+    # Wraps Rails.cache or ActiveSupport::Cache::Store to provide consistent interface
+    class RailsCacheAdapter
+      def initialize(cache_store)
+        @cache_store = cache_store
+      end
+
+      def fetch(key, expires_in: nil, &block)
+        options = {}
+        options[:expires_in] = expires_in if expires_in
+        # Handle nil key gracefully
+        return block.call if key.nil? && block_given?
+        @cache_store.fetch(key, options, &block)
+      end
+
+      def read(key)
+        @cache_store.read(key)
+      end
+
+      def write(key, value, expires_in: nil)
+        options = {}
+        options[:expires_in] = expires_in if expires_in
+        @cache_store.write(key, value, options)
+      end
+
+      def delete(key)
+        @cache_store.delete(key)
+      end
+
+      def clear
+        @cache_store.clear if @cache_store.respond_to?(:clear)
+      end
+    end
+  end
+end

data/lib/omniauth_openid_federation/configuration.rb

@@ -0,0 +1,135 @@
+# Configuration for omniauth_openid_federation
+# Provides centralized configuration management
+module OmniauthOpenidFederation
+  class Configuration
+    # SSL verification setting
+    # @return [Boolean] true to verify SSL certificates, false to skip verification
+    attr_accessor :verify_ssl
+
+    # Cache TTL for JWKS in seconds
+    # @return [Integer, nil] Cache TTL in seconds, or nil for manual rotation (never expires)
+    #   - nil: Cache forever, manual rotation only (default)
+    #   - positive integer: Cache expires after this many seconds
+    attr_accessor :cache_ttl
+
+    # Rotate JWKS cache on key-related errors
+    # @return [Boolean] true to automatically rotate cache on key-related errors, false to require manual rotation
+    #   - false: Manual rotation only (default)
+    #   - true: Automatically rotate cache when key-related errors occur (401, 403, 404, signature failures)
+    attr_accessor :rotate_on_errors
+
+    # HTTP request timeout in seconds
+    # @return [Integer] Timeout in seconds
+    attr_accessor :http_timeout
+
+    # Maximum number of retries for HTTP requests
+    # @return [Integer] Maximum retry count
+    attr_accessor :max_retries
+
+    # Retry delay in seconds (will be multiplied by retry attempt)
+    # @return [Integer] Base retry delay in seconds
+    attr_accessor :retry_delay
+
+    # HTTP options for HTTP::Options.new
+    # Can be a Hash or a Proc that returns a Hash
+    # @return [Hash, Proc, nil] HTTP options hash or proc that returns hash
+    # @example
+    #   config.http_options = { ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
+    #   # Or with a proc for dynamic configuration:
+    #   config.http_options = -> { { ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE } } }
+    attr_accessor :http_options
+
+    # Custom cache adapter (optional)
+    # If not set, automatically detects Rails.cache or ActiveSupport::Cache
+    # @return [Object, nil] Cache adapter instance or nil
+    # @example
+    #   class MyCacheAdapter
+    #     def fetch(key, expires_in: nil, &block)
+    #       # Your implementation
+    #     end
+    #   end
+    #   config.cache_adapter = MyCacheAdapter.new
+    attr_accessor :cache_adapter
+
+    # Root path for file operations (optional)
+    # Used for resolving relative file paths when Rails.root is not available
+    # @return [String, nil] Root path or nil
+    # @example
+    #   config.root_path = "/path/to/app"
+    attr_accessor :root_path
+
+    # Clock skew tolerance in seconds for entity statement time validation
+    # Per OpenID Federation 1.0 Section 3.2.1, time validation MUST allow for clock skew
+    # @return [Integer] Clock skew tolerance in seconds (default: 60)
+    # @example
+    #   config.clock_skew_tolerance = 120  # Allow 2 minutes of clock skew
+    attr_accessor :clock_skew_tolerance
+
+    # Custom instrumentation callback for security events
+    # Can be a Proc, object with #call or #notify method, or logger-like object
+    # @return [Proc, Object, nil] Instrumentation callback or nil to disable
+    # @example Configure with Sentry
+    #   config.instrumentation = ->(event, data) do
+    #     Sentry.capture_message("OpenID Federation: #{event}", level: :warning, extra: data)
+    #   end
+    # @example Configure with Honeybadger
+    #   config.instrumentation = ->(event, data) do
+    #     Honeybadger.notify("OpenID Federation: #{event}", context: data)
+    #   end
+    # @example Configure with custom logger
+    #   config.instrumentation = ->(event, data) do
+    #     Rails.logger.warn("[Security] #{event}: #{data.inspect}")
+    #   end
+    # @example Disable instrumentation
+    #   config.instrumentation = nil
+    attr_accessor :instrumentation
+
+    def initialize
+      @verify_ssl = true # Default to secure
+      @cache_ttl = nil # Default: manual rotation (never expires)
+      @rotate_on_errors = false # Default: manual rotation only
+      @http_timeout = 10
+      @max_retries = 3
+      @retry_delay = 1
+      @http_options = nil
+      @cache_adapter = nil
+      @root_path = nil
+      @clock_skew_tolerance = 60 # Default: 60 seconds clock skew tolerance
+      @instrumentation = nil # Default: no instrumentation
+    end
+
+    # Configure the gem
+    #
+    # @yield [config] Yields the configuration object
+    # @example
+    #   OmniauthOpenidFederation.configure do |config|
+    #     config.verify_ssl = false # Only for development
+    #     config.cache_ttl = 3600  # Cache expires after 1 hour
+    #     config.rotate_on_errors = true  # Rotate on key-related errors
+    #   end
+    def self.configure
+      yield(config) if block_given?
+      config
+    end
+
+    # Get the global configuration instance (thread-safe)
+    #
+    # @return [Configuration] The configuration instance
+    def self.config
+      @config_mutex ||= Mutex.new
+      @config_mutex.synchronize do
+        @config ||= new
+      end
+    end
+
+    # Reset configuration (useful for testing)
+    #
+    # @return [void]
+    def self.reset!
+      @config_mutex ||= Mutex.new
+      @config_mutex.synchronize do
+        @config = nil
+      end
+    end
+  end
+end

data/lib/omniauth_openid_federation/constants.rb

@@ -0,0 +1,13 @@
+# Constants for omniauth_openid_federation
+module OmniauthOpenidFederation
+  module Constants
+    # HTTP status codes that indicate key-related errors (possible key rotation)
+    KEY_ROTATION_HTTP_CODES = [401, 403, 404].freeze
+
+    # Request object expiration time in seconds (10 minutes)
+    REQUEST_OBJECT_EXPIRATION_SECONDS = 600
+
+    # Maximum retry delay in seconds (prevents unbounded retry delays)
+    MAX_RETRY_DELAY_SECONDS = 60
+  end
+end

data/lib/omniauth_openid_federation/endpoint_resolver.rb

@@ -0,0 +1,168 @@
+require "uri"
+require "json"
+require_relative "string_helpers"
+require_relative "logger"
+require_relative "errors"
+require_relative "utils"
+require_relative "federation/entity_statement"
+
+# Endpoint resolver for OpenID Federation
+# Resolves OAuth 2.0 endpoints from entity statement metadata or configuration
+module OmniauthOpenidFederation
+  # Endpoint resolver for OpenID Federation
+  #
+  # Resolves OAuth 2.0 endpoints from entity statement metadata or configuration.
+  #
+  # @example Resolve endpoints from entity statement
+  #   endpoints = EndpointResolver.resolve(
+  #     entity_statement_path: "config/provider-entity-statement.jwt",
+  #     config: {}
+  #   )
+  class EndpointResolver
+    class << self
+      # Resolve endpoints from entity statement or configuration
+      #
+      # Priority: config -> entity statement -> nil
+      #
+      # @param entity_statement_path [String, nil] Path to entity statement file
+      # @param config [Hash] Configuration hash with endpoint keys
+      # @return [Hash] Hash with :authorization_endpoint, :token_endpoint, :userinfo_endpoint, :jwks_uri, :entity_statement_endpoint, :audience
+      def resolve(entity_statement_path: nil, config: {})
+        # Try to get endpoints from entity statement if available
+        entity_metadata = load_entity_statement_metadata(entity_statement_path)
+
+        # Extract endpoints with priority: config -> entity statement -> nil
+        # For entity statement, prefer full URLs if available, otherwise extract path
+        # Entity statement metadata may contain full URLs (preferred) or paths
+        entity_provider_metadata = entity_metadata&.dig(:metadata, :openid_provider) || {}
+
+        # Get endpoint from entity statement (may be full URL or path)
+        entity_auth_endpoint = entity_provider_metadata["authorization_endpoint"] || entity_provider_metadata[:authorization_endpoint]
+        entity_token_endpoint = entity_provider_metadata["token_endpoint"] || entity_provider_metadata[:token_endpoint]
+        entity_userinfo_endpoint = entity_provider_metadata["userinfo_endpoint"] || entity_provider_metadata[:userinfo_endpoint]
+        entity_jwks_uri = entity_provider_metadata["jwks_uri"] || entity_provider_metadata[:jwks_uri]
+
+        # Use config if provided, otherwise use entity statement value (full URL or path)
+        authorization_endpoint = config[:authorization_endpoint] || entity_auth_endpoint
+        token_endpoint = config[:token_endpoint] || entity_token_endpoint
+        userinfo_endpoint = config[:userinfo_endpoint] || entity_userinfo_endpoint
+        jwks_uri = config[:jwks_uri] || entity_jwks_uri
+
+        # Entity statement endpoint (defaults to /.well-known/openid-federation if not specified)
+        entity_statement_endpoint = config[:entity_statement_endpoint] ||
+          extract_path_from_url(entity_metadata&.dig(:metadata, :openid_federation, "federation_entity_endpoint")) ||
+          extract_path_from_url(entity_metadata&.dig(:metadata, :openid_federation, :federation_entity_endpoint)) ||
+          "/.well-known/openid-federation"
+
+        # Determine audience
+        # For OpenID Federation, audience should be the provider issuer (not token endpoint)
+        audience = config[:audience]
+        unless audience
+          # Try provider issuer from entity statement first (preferred for OpenID Federation)
+          provider_issuer = entity_metadata&.dig(:metadata, :openid_provider, "issuer") ||
+            entity_metadata&.dig(:metadata, :openid_provider, :issuer)
+          if StringHelpers.present?(provider_issuer)
+            audience = provider_issuer
+          else
+            # Fallback to token endpoint URL if provider issuer not available
+            token_endpoint_url = entity_metadata&.dig(:metadata, :openid_provider, "token_endpoint") ||
+              entity_metadata&.dig(:metadata, :openid_provider, :token_endpoint)
+            audience = token_endpoint_url if StringHelpers.present?(token_endpoint_url)
+          end
+        end
+
+        {
+          authorization_endpoint: authorization_endpoint,
+          token_endpoint: token_endpoint,
+          userinfo_endpoint: userinfo_endpoint,
+          jwks_uri: jwks_uri,
+          entity_statement_endpoint: entity_statement_endpoint,
+          audience: audience
+        }
+      end
+
+      # Build full entity statement URL from issuer and endpoint path
+      #
+      # @param issuer_uri [String, URI] Issuer URI (e.g., "https://provider.example.com")
+      # @param entity_statement_endpoint [String, nil] Entity statement endpoint path (e.g., "/.well-known/openid-federation")
+      # @return [String] Full entity statement URL
+      def build_entity_statement_url(issuer_uri, entity_statement_endpoint: nil)
+        Utils.build_entity_statement_url(issuer_uri, entity_statement_endpoint: entity_statement_endpoint)
+      end
+
+      # Build full endpoint URL from issuer and endpoint path
+      #
+      # @param issuer_uri [String, URI] Issuer URI (e.g., "https://provider.example.com")
+      # @param endpoint_path [String] Endpoint path (e.g., "/oauth2/authorize")
+      # @return [String] Full endpoint URL
+      def build_endpoint_url(issuer_uri, endpoint_path)
+        Utils.build_endpoint_url(issuer_uri, endpoint_path)
+      end
+
+      # Validate that required endpoints are present
+      # @param endpoints [Hash] Endpoints hash from resolve
+      # @param issuer_uri [URI] Issuer URI for building audience if needed
+      # @return [Hash] Validated endpoints with audience built if needed
+      # @raise [ConfigurationError] If required endpoints are missing
+      def validate_and_build_audience(endpoints, issuer_uri: nil)
+        if StringHelpers.blank?(endpoints[:authorization_endpoint])
+          raise ConfigurationError, "Authorization endpoint not configured. Provide authorization_endpoint in config or entity statement"
+        end
+        if StringHelpers.blank?(endpoints[:token_endpoint])
+          raise ConfigurationError, "Token endpoint not configured. Provide token_endpoint in config or entity statement"
+        end
+        if StringHelpers.blank?(endpoints[:jwks_uri])
+          raise ConfigurationError, "JWKS URI not configured. Provide jwks_uri in config or entity statement"
+        end
+
+        # Build audience from issuer + token_endpoint if not provided
+        # Note: For OpenID Federation, audience should ideally be provider issuer,
+        # but if not available, we build from issuer + token_endpoint path
+        unless StringHelpers.present?(endpoints[:audience])
+          if issuer_uri
+            # For some providers, audience may be issuer + path prefix
+            # But we'll use token_endpoint as fallback since we don't have provider issuer here
+            audience_uri = issuer_uri.dup
+            audience_uri.path = endpoints[:token_endpoint]
+            endpoints[:audience] = audience_uri.to_s
+          end
+        end
+
+        endpoints
+      end
+
+      private
+
+      def load_entity_statement_metadata(entity_statement_path)
+        return nil unless entity_statement_path && File.exist?(entity_statement_path)
+
+        begin
+          entity_statement = OmniauthOpenidFederation::Federation::EntityStatement.new(File.read(entity_statement_path))
+          entity_statement.parse
+        rescue => e
+          OmniauthOpenidFederation::Logger.warn("[EndpointResolver] Failed to parse entity statement: #{e.message}")
+          nil
+        end
+      end
+
+      def extract_path_from_url(url)
+        return nil if StringHelpers.blank?(url)
+        return url.to_s if url.to_s.start_with?("http://", "https://") # Return full URL as-is
+
+        begin
+          uri = URI.parse(url.to_s)
+          # If it's a full URL, return the path; if it's already a path, return as-is
+          if uri.host
+            StringHelpers.present?(uri.path) ? uri.path : nil
+          else
+            # No host means it's already a path
+            url.to_s.start_with?("/") ? url.to_s : "/#{url}"
+          end
+        rescue URI::InvalidURIError
+          # If it's already a path (starts with /), return as-is
+          url.to_s.start_with?("/") ? url.to_s : nil
+        end
+      end
+    end
+  end
+end

data/lib/omniauth_openid_federation/entity_statement_reader.rb

@@ -0,0 +1,122 @@
+require "jwt"
+require "digest"
+require "base64"
+require_relative "key_extractor"
+require_relative "utils"
+require_relative "configuration"
+require_relative "logger"
+
+# Entity Statement Reader for OpenID Federation 1.0
+# @see https://openid.net/specs/openid-federation-1_0.html OpenID Federation 1.0 Specification
+# @see https://openid.net/specs/openid-federation-1_0.html#section-3 Section 3: Entity Statement
+#
+# Entity statements are self-signed JWTs that contain provider metadata and JWKS.
+# This class provides utilities for:
+# - Extracting JWKS from entity statements for validating signed JWKS
+# - Parsing provider metadata from entity statements
+# - Validating entity statement fingerprints (SHA-256 hash)
+#
+# Entity statements are typically fetched from /.well-known/openid-federation endpoint
+# and stored locally for use in validating signed JWKS and extracting provider configuration.
+module OmniauthOpenidFederation
+  class EntityStatementReader
+    # Standard JWT has 3 parts: header.payload.signature
+    JWT_PARTS_COUNT = 3
+
+    class << self
+      # Fetch JWKS keys from entity statement
+      #
+      # @param entity_statement_path [String, nil] Path to entity statement file
+      # @return [Array<Hash>] Array of JWK hash objects
+      def fetch_keys(entity_statement_path: nil)
+        entity_statement = load_entity_statement(entity_statement_path)
+        return [] if entity_statement.nil? || entity_statement.empty?
+
+        # Decode self-signed entity statement
+        # Entity statements are self-signed, so we validate using their own JWKS
+        # First, decode without validation to get the JWKS
+        jwt_parts = entity_statement.split(".")
+        return [] if jwt_parts.length != JWT_PARTS_COUNT
+
+        # Decode payload (second part)
+        payload = JSON.parse(Base64.urlsafe_decode64(jwt_parts[1]))
+
+        # Extract JWKS from entity statement claims
+        payload.fetch("jwks", {}).fetch("keys", [])
+
+        # Return JWK hashes directly (no need to convert to objects)
+      end
+
+      # Parse provider metadata from entity statement
+      #
+      # @param entity_statement_path [String, nil] Path to entity statement file
+      # @return [Hash, nil] Hash with provider metadata or nil if not found
+      def parse_metadata(entity_statement_path: nil)
+        entity_statement = load_entity_statement(entity_statement_path)
+        return nil if entity_statement.nil? || entity_statement.empty?
+
+        # Decode JWT payload
+        jwt_parts = entity_statement.split(".")
+        return nil if jwt_parts.length != JWT_PARTS_COUNT
+
+        claims = JSON.parse(Base64.urlsafe_decode64(jwt_parts[1]))
+
+        # Extract provider metadata
+        metadata = claims.fetch("metadata", {})
+        provider_metadata = metadata.fetch("openid_provider", {})
+
+        {
+          issuer: provider_metadata["issuer"],
+          authorization_endpoint: provider_metadata["authorization_endpoint"],
+          token_endpoint: provider_metadata["token_endpoint"],
+          userinfo_endpoint: provider_metadata["userinfo_endpoint"],
+          jwks_uri: provider_metadata["jwks_uri"],
+          signed_jwks_uri: provider_metadata["signed_jwks_uri"],
+          entity_issuer: claims["iss"],
+          entity_jwks: claims.fetch("jwks", {})
+        }
+      end
+
+      # Validate entity statement fingerprint
+      #
+      # @param entity_statement_content [String] The entity statement content
+      # @param expected_fingerprint [String] The expected SHA-256 fingerprint
+      # @return [Boolean] true if fingerprints match
+      def validate_fingerprint(entity_statement_content, expected_fingerprint)
+        calculated = Digest::SHA256.hexdigest(entity_statement_content).downcase
+        expected = expected_fingerprint.downcase
+        calculated == expected
+      end
+
+      private
+
+      def load_entity_statement(entity_statement_path)
+        return nil if entity_statement_path.nil? || entity_statement_path.to_s.empty?
+
+        # Determine allowed directories for file path validation
+        config = OmniauthOpenidFederation::Configuration.config
+        allowed_dirs = if defined?(Rails) && Rails.root
+          [Rails.root.join("config").to_s]
+        elsif config.root_path
+          [File.join(config.root_path, "config")]
+        end
+
+        begin
+          # Validate file path to prevent path traversal attacks
+          validated_path = Utils.validate_file_path!(
+            entity_statement_path,
+            allowed_dirs: allowed_dirs
+          )
+
+          return nil unless File.exist?(validated_path)
+
+          File.read(validated_path)
+        rescue SecurityError => e
+          # Log security error but return nil to maintain backward compatibility
+          Logger.warn("[EntityStatementReader] Security error: #{e.message}")
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/omniauth_openid_federation/errors.rb

@@ -0,0 +1,52 @@
+# Exception hierarchy for omniauth_openid_federation
+# Provides structured error handling with specific exception types
+module OmniauthOpenidFederation
+  # Base error class for all omniauth_openid_federation errors
+  class Error < StandardError; end
+
+  # Configuration errors (missing required options, invalid values, etc.)
+  class ConfigurationError < Error; end
+
+  # Security-related errors (signature failures, decryption errors, etc.)
+  class SecurityError < Error; end
+
+  # Network errors (HTTP failures, timeouts, etc.)
+  class NetworkError < Error; end
+
+  # Validation errors (invalid tokens, malformed data, etc.)
+  class ValidationError < Error; end
+
+  # Decryption errors (ID token decryption failures)
+  class DecryptionError < SecurityError; end
+
+  # Encryption errors (request object encryption failures)
+  class EncryptionError < SecurityError; end
+
+  # Signature errors (JWT signature verification failures)
+  class SignatureError < SecurityError; end
+
+  # Fetch errors (failed to fetch entity statements, JWKS, etc.)
+  class FetchError < NetworkError; end
+
+  # Key-related errors (indicates possible key rotation)
+  # Used for cache rotation logic when key-related HTTP errors occur
+  class KeyRelatedError < FetchError
+    def key_related_error?
+      true
+    end
+  end
+
+  # Key-related validation errors (signature failures, decode errors)
+  class KeyRelatedValidationError < ValidationError
+    def key_related_error?
+      true
+    end
+  end
+
+  # Compatibility aliases for federation classes
+  module Federation
+    # Alias for backward compatibility with tests
+    FetchError = OmniauthOpenidFederation::FetchError
+    ValidationError = OmniauthOpenidFederation::ValidationError
+  end
+end