omniauth_openid_federation 1.2.2 → 1.3.0

data/app/controllers/omniauth_openid_federation/federation_controller.rb

@@ -50,6 +50,19 @@ module OmniauthOpenidFederation
         return
       end
 
+      # Security: Validate entity identifier per OpenID Federation 1.0 spec
+      # Entity identifiers must be valid HTTP/HTTPS URIs
+      begin
+        # Validate and get trimmed value
+        subject_entity_id = OmniauthOpenidFederation::Validators.validate_entity_identifier!(subject_entity_id, max_length: 2048)
+      rescue SecurityError => e
+        render json: {error: "invalid_request", error_description: "Invalid subject entity ID: #{e.message}"}, status: :bad_request
+        return
+      rescue => e
+        render json: {error: "invalid_request", error_description: "Subject entity ID validation failed: #{e.message}"}, status: :bad_request
+        return
+      end
+
       # Validate that subject is not the issuer (invalid request per spec)
       config = OmniauthOpenidFederation::FederationEndpoint.configuration
       if subject_entity_id == config.issuer

data/examples/config/initializers/devise.rb.example

@@ -1,10 +1,23 @@
 # Example Devise configuration for OmniAuth OpenID Federation
 # Copy this to config/initializers/devise.rb and customize for your provider
+#
+# This example uses a configuration class pattern (OpenIdConnectConfig)
+# See examples/config/open_id_connect_config.rb.example for the config class
 
 require "omniauth_openid_federation"
 
 # Configure global settings (optional but recommended)
 OmniauthOpenidFederation.configure do |config|
+  if Rails.env.development?
+    config.http_options = { ssl: { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: (OpenSSL::X509::DEFAULT_CERT_FILE if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)) } }
+  end
+
+  config.cache_ttl = 24 * 60 * 60
+  config.rotate_on_errors = true
+  config.http_timeout = 10
+  config.max_retries = 3
+  config.verify_ssl = true
+
   # Security instrumentation - get notified about security events, MITM attacks, etc.
   # Example with Sentry:
   # config.instrumentation = ->(event, data) do
@@ -24,51 +37,12 @@ OmniauthOpenidFederation.configure do |config|
   # config.instrumentation = ->(event, data) do
   #   Rails.logger.warn("[Security] #{event}: #{data.inspect}")
   # end
-  
-  # Cache configuration (optional)
-  # config.cache_ttl = 3600  # Refresh provider keys every hour
-  # config.rotate_on_errors = true  # Auto-handle provider key rotation
-end
-
-# Provider configuration
-provider_issuer = ENV["OPENID_PROVIDER_ISSUER"] || "https://provider.example.com"
-client_id = ENV["OPENID_CLIENT_ID"] || "your-client-id"
-redirect_uri = "#{ENV["APP_URL"] || "https://your-app.com"}/users/auth/openid_federation/callback"
-
-# File paths
-private_key_path = Rails.root.join("config", "client-private-key.pem")
-entity_statement_path = Rails.root.join("config", "provider-entity-statement.jwt")
-
-# Load private key
-unless File.exist?(private_key_path)
-  raise "Private key not found at #{private_key_path}. Generate it first using the example in README."
-end
-private_key = OpenSSL::PKey::RSA.new(File.read(private_key_path))
-
-# Resolve endpoints from entity statement or manual configuration
-endpoints = if File.exist?(entity_statement_path)
-  # Use entity statement if available (recommended for OpenID Federation)
-  OmniauthOpenidFederation::EndpointResolver.resolve(
-    entity_statement_path: entity_statement_path.to_s,
-    config: {}
-  )
-else
-  # Fallback to manual configuration
-  {
-    authorization_endpoint: ENV["OPENID_AUTHORIZATION_ENDPOINT"] || "/oauth2/authorize",
-    token_endpoint: ENV["OPENID_TOKEN_ENDPOINT"] || "/oauth2/token",
-    userinfo_endpoint: ENV["OPENID_USERINFO_ENDPOINT"] || "/oauth2/userinfo",
-    jwks_uri: ENV["OPENID_JWKS_URI"] || "/.well-known/jwks.json",
-    audience: provider_issuer
-  }
 end
 
-# Validate endpoints
-OmniauthOpenidFederation::EndpointResolver.validate_and_build_audience(
-  endpoints,
-  issuer_uri: URI.parse(provider_issuer)
-)
+# Load configuration from config class
+open_id_config = OpenIdConnectConfig.new
 
+if open_id_config.enabled?
 Devise.setup do |config|
   # ... your other Devise configuration ...
 
@@ -107,25 +81,40 @@ Devise.setup do |config|
   end
 
   config.omniauth :openid_federation,
+      strategy_class: OmniAuth::Strategies::OpenIDFederation,
     name: :openid_federation,
     scope: [:openid],
     response_type: "code",
     discovery: true,
-    issuer: provider_issuer,
     client_auth_method: :jwt_bearer,
     client_signing_alg: :RS256,
-    audience: endpoints[:audience],
-    entity_statement_path: entity_statement_path.to_s,
+      entity_statement_path: open_id_config.entity_statement_absolute_path,
+      always_encrypt_request_object: true,
+      # Allow-list of custom parameter names to include in signed request object
+      # Parameters must be present in request.params and listed here to be included
+      request_object_params: [:ftn_spname], # Example: include ftn_spname if present
+      # Proc to modify params before adding to signed request object
+      # Useful for combining config values with form values, adding config-based params, etc.
+      prepare_request_object_params: proc do |params|
+        # Example: Combine config acr_values with form acr_values
+        form_acr_values = params["acr_values"]&.to_s&.strip
+        config_acr_values = open_id_config.acr_values.to_s.strip
+        
+        if config_acr_values.present? && form_acr_values.present?
+          params["acr_values"] = "#{config_acr_values} #{form_acr_values}".strip
+        elsif config_acr_values.present?
+          params["acr_values"] = config_acr_values
+        end
+        
+        # Example: Add custom parameter from config
+        params["ftn_spname"] = open_id_config.ftn_spname if open_id_config.ftn_spname.present?
+        
+        params
+      end,
     client_options: {
-      identifier: client_id,
-      redirect_uri: redirect_uri,
-      private_key: private_key,
-      scheme: URI.parse(provider_issuer).scheme,
-      host: URI.parse(provider_issuer).host,
-      authorization_endpoint: endpoints[:authorization_endpoint],
-      token_endpoint: endpoints[:token_endpoint],
-      userinfo_endpoint: endpoints[:userinfo_endpoint],
-      jwks_uri: endpoints[:jwks_uri]
+        identifier: open_id_config.client_id,
+        redirect_uri: open_id_config.redirect_uri,
+        private_key: open_id_config.private_key
     }
 end
-
+end

data/examples/config/initializers/federation_endpoint.rb.example

@@ -187,7 +187,7 @@ end
 # ============================================================================
 # Add to config/routes.rb:
 #
-#   OmniauthOpenidFederation::FederationEndpoint.mount_routes(self)
+#   mount OmniauthOpenidFederation::Engine => "/"
 #
 # This mounts all endpoints:
 #   - GET /.well-known/openid-federation (entity statement)
@@ -202,5 +202,5 @@ end
 #   get "/.well-known/signed-jwks.json", to: "omniauth_openid_federation/federation#signed_jwks"
 
 Rails.logger.info "[FederationEndpoint] Configured. Add the route in config/routes.rb:"
-Rails.logger.info "  OmniauthOpenidFederation::FederationEndpoint.mount_routes(self)"
+Rails.logger.info "  mount OmniauthOpenidFederation::Engine => \"/\""
 

data/examples/config/open_id_connect_config.rb.example

@@ -62,8 +62,6 @@ class OpenIdConnectConfig < ApplicationConfig
     :client_entity_statement_path,
     :client_entity_statement_url,
     :client_entity_identifier,
-    :ftn_spname,
-    :acr_values,
     :organization_name
 
   # Load private key from file or base64 encoded string
@@ -128,8 +126,8 @@ class OpenIdConnectConfig < ApplicationConfig
   # Entity statements MUST be available at /.well-known/openid-federation
   # URL is the source of truth per OpenID Federation spec
   def entity_statement_absolute_path
-    return nil if entity_statement_path.blank?
-    @entity_statement_absolute_path ||= Rails.root.join(entity_statement_path)
+    return Rails.root.join("config", ".federation-entity-statement.jwt").to_s if entity_statement_path.blank?
+    @entity_statement_absolute_path ||= Rails.root.join(entity_statement_path).to_s
   end
 
   # Get provider entity statement URL
@@ -143,7 +141,7 @@ class OpenIdConnectConfig < ApplicationConfig
   # Get client entity statement absolute path
   def client_entity_statement_absolute_path
     return nil if client_entity_statement_path.blank?
-    @client_entity_statement_absolute_path ||= Rails.root.join(client_entity_statement_path)
+    @client_entity_statement_absolute_path ||= Rails.root.join(client_entity_statement_path).to_s
   end
 
   # Get client entity statement path for strategy configuration
@@ -165,7 +163,6 @@ class OpenIdConnectConfig < ApplicationConfig
   # Uses standard path /.well-known/openid-federation (mounted by library)
   def client_entity_statement_url
     return values[:client_entity_statement_url] if values[:client_entity_statement_url].present?
-    # Default to standard federation endpoint if not explicitly configured
     app_url = ENV["APP_URL"] || "https://your-app.example.com"
     "#{app_url}/.well-known/openid-federation"
   end
@@ -174,16 +171,15 @@ end
 # Usage in initializer (config/initializers/omniauth_openid_federation.rb):
 #
 # open_id_config = OpenIdConnectConfig.new
-# if open_id_config.enabled? && open_id_config.private_key.present?
+# if open_id_config.enabled?
 #   app_url = ENV["APP_URL"] || "https://your-app.example.com"
 #
 #   OmniauthOpenidFederation::FederationEndpoint.auto_configure(
 #     issuer: app_url,
-#     # Production (RECOMMENDED): Use separate keys
-#     signing_key: open_id_config.signing_key,
-#     encryption_key: open_id_config.encryption_key,
-#     # Development/Testing (NOT RECOMMENDED FOR PRODUCTION): Single key
-#     # private_key: open_id_config.private_key,
+#     # RECOMMENDED: Use separate signing_key and encryption_key for production
+#     # signing_key: open_id_config.signing_key,
+#     # encryption_key: open_id_config.encryption_key,
+#     private_key: open_id_config.private_key, # DEV/TESTING ONLY - not recommended for production
 #     entity_statement_path: open_id_config.client_entity_statement_absolute_path,
 #     metadata: {
 #       openid_relying_party: {
@@ -202,9 +198,10 @@ end
 #         organization_name: open_id_config.organization_name
 #       }
 #     },
-#     expiration_seconds: (ENV["FEDERATION_EXPIRATION_SECONDS"] || 86400).to_i,
-#     jwks_cache_ttl: (ENV["FEDERATION_JWKS_CACHE_TTL"] || 3600).to_i,
-#     auto_provision_keys: true
+#     expiration_seconds: 86400,
+#     jwks_cache_ttl: 3600,
+#     auto_provision_keys: true,
+#     key_rotation_period: 90.days.to_i
 #   )
 # end
 

data/examples/config/routes.rb.example

@@ -1,12 +1,16 @@
 # Example routes.rb showing how to mount the federation endpoint
 Rails.application.routes.draw do
-  # Mount the federation endpoint (required for serving entity statements)
+  # Mount OpenID Federation engine early to ensure well-known routes are registered before catch-all routes
   # This enables the /.well-known/openid-federation endpoint
-  OmniauthOpenidFederation::FederationEndpoint.mount_routes(self)
-
-  # Or mount manually:
-  # get "/.well-known/openid-federation", to: "omniauth_openid_federation/federation#show", as: :openid_federation
+  if OpenIdConnectConfig.enabled?
+    mount OmniauthOpenidFederation::Engine => "/"
+  end
 
   # Your other routes...
+  devise_for :users, controllers: {
+    omniauth_callbacks: "users/omniauth_callbacks"
+  }
+
+  # ... rest of your routes ...
 end
 

data/lib/omniauth_openid_federation/configuration.rb

@@ -84,6 +84,13 @@ module OmniauthOpenidFederation
     #   config.instrumentation = nil
     attr_accessor :instrumentation
 
+    # Maximum string length for request parameters (default: 8192 / 8KB)
+    # Prevents DoS attacks while allowing legitimate use cases (e.g., encrypted JWT authorization codes)
+    # @return [Integer] Maximum string length in characters
+    # @example
+    #   config.max_string_length = 16384  # Increase to 16KB
+    attr_accessor :max_string_length
+
     def initialize
       @verify_ssl = true # Default to secure
       @cache_ttl = nil # Default: manual rotation (never expires)
@@ -96,6 +103,7 @@ module OmniauthOpenidFederation
       @root_path = nil
       @clock_skew_tolerance = 60 # Default: 60 seconds clock skew tolerance
       @instrumentation = nil # Default: no instrumentation
+      @max_string_length = 8192 # Default: 8KB - prevents DoS while allowing legitimate use cases
     end
 
     # Configure the gem

data/lib/omniauth_openid_federation/constants.rb

@@ -9,5 +9,10 @@ module OmniauthOpenidFederation
 
     # Maximum retry delay in seconds (prevents unbounded retry delays)
     MAX_RETRY_DELAY_SECONDS = 60
+
+    # Maximum string length for request parameters (8KB)
+    # Prevents DoS attacks while allowing legitimate use cases (e.g., encrypted JWT authorization codes)
+    # Use Configuration.config.max_string_length for runtime configuration instead of patching this constant
+    MAX_STRING_LENGTH = 8192
   end
 end

data/lib/omniauth_openid_federation/federation_endpoint.rb

@@ -64,8 +64,6 @@ module OmniauthOpenidFederation
   #   # In config/routes.rb (Rails)
   #   get "/.well-known/openid-federation", to: "omniauth_openid_federation/federation#show"
   #
-  #   # Or use the provided route helper
-  #   OmniauthOpenidFederation::FederationEndpoint.mount_routes
   class FederationEndpoint
     class << self
       # Configure the federation endpoint
@@ -558,26 +556,6 @@ module OmniauthOpenidFederation
       #   - GET /.well-known/jwks.json (standard JWKS)
       #   - GET /.well-known/signed-jwks.json (signed JWKS)
       #
-      # ALTERNATIVE: Use mount_routes helper (for backward compatibility or custom paths):
-      #   Rails.application.routes.draw do
-      #     OmniauthOpenidFederation::FederationEndpoint.mount_routes(self)
-      #   end
-      #
-      # @param router [ActionDispatch::Routing::Mapper] The routes mapper (pass `self` from routes.rb)
-      # @param entity_statement_path [String] Path for entity statement endpoint (default: "/.well-known/openid-federation")
-      # @param fetch_path [String] Path for fetch endpoint (default: "/.well-known/openid-federation/fetch")
-      # @param jwks_path [String] Path for standard JWKS endpoint (default: "/.well-known/jwks.json")
-      # @param signed_jwks_path [String] Path for signed JWKS endpoint (default: "/.well-known/signed-jwks.json")
-      # @param as [String, Symbol] Route name prefix (default: :openid_federation)
-      # @deprecated Use `mount OmniauthOpenidFederation::Engine => "/"` instead (Rails-idiomatic way)
-      def mount_routes(router, entity_statement_path: "/.well-known/openid-federation", fetch_path: "/.well-known/openid-federation/fetch", jwks_path: "/.well-known/jwks.json", signed_jwks_path: "/.well-known/signed-jwks.json", as: :openid_federation)
-        # Controller uses Rails-conventional naming (OmniauthOpenidFederation)
-        # which matches natural inflection from omniauth_openid_federation
-        router.get entity_statement_path, to: "omniauth_openid_federation/federation#show", as: as
-        router.get fetch_path, to: "omniauth_openid_federation/federation#fetch", as: :"#{as}_fetch"
-        router.get jwks_path, to: "omniauth_openid_federation/federation#jwks", as: :"#{as}_jwks"
-        router.get signed_jwks_path, to: "omniauth_openid_federation/federation#signed_jwks", as: :"#{as}_signed_jwks"
-      end
 
       # Generate fresh signing and encryption keys and write entity statement to file
       #

data/lib/omniauth_openid_federation/jwks/decode.rb

@@ -155,21 +155,6 @@ module OmniauthOpenidFederation
           )
         end
       end
-
-      # Decode JWT using jwt gem (legacy method name kept for backward compatibility)
-      #
-      # @param encoded_jwt [String] The JWT to decode
-      # @param jwks_uri [String] The JWKS URI for key lookup
-      # @param retried [Boolean] Internal flag for retry logic (default: false)
-      # @param entity_statement_keys [Hash, Array, nil] Entity statement keys for validation
-      # @return [Array<Hash>] Array with [payload, header]
-      # @raise [ValidationError] If JWT validation fails
-      # @raise [SignatureError] If signature verification fails
-      # @deprecated Use jwt() method instead. This method will be removed in a future version.
-      def self.json_jwt(encoded_jwt, jwks_uri, retried: false, entity_statement_keys: nil)
-        OmniauthOpenidFederation::Logger.warn("[Jwks::Decode] json_jwt is deprecated. Use jwt() method instead.")
-        jwt(encoded_jwt, jwks_uri, retried: retried, entity_statement_keys: entity_statement_keys)
-      end
     end
   end
 end

data/lib/omniauth_openid_federation/jws.rb

@@ -63,10 +63,6 @@ module OmniauthOpenidFederation
     STATE_BYTES = 16 # Number of hex bytes for state parameter
 
     attr_accessor :private_key, :state, :nonce
-    # Provider-specific extension parameters (outside JWT)
-    # Some providers may require additional parameters that are not part of the JWT
-    # @deprecated Use request_object_params option in strategy instead (adds params to the JWT request object)
-    attr_accessor :ftn_spname
 
     # Initialize JWT request object builder
     #
@@ -114,21 +110,27 @@ module OmniauthOpenidFederation
       key_source: :local,
       client_entity_statement: nil
     )
-      @client_id = client_id
-      @redirect_uri = redirect_uri
-      @scope = scope
-      @issuer = issuer
-      @audience = audience
-      @state = state || SecureRandom.hex(STATE_BYTES)
-      @nonce = nonce
-      @response_type = response_type
-      @response_mode = response_mode
-      @login_hint = login_hint
-      @ui_locales = ui_locales
-      @claims_locales = claims_locales
-      @prompt = prompt
-      @hd = hd
-      @acr_values = acr_values
+      # Security: User input parameters are validated and sanitized before reaching here
+      # Configuration parameters are trusted and only trimmed for consistency
+      # Store trimmed values to ensure consistency
+      @client_id = client_id.to_s.strip
+      @redirect_uri = redirect_uri.to_s.strip
+      @scope = scope.to_s.strip
+      @issuer = issuer&.to_s&.strip
+      @audience = audience&.to_s&.strip
+      @state = state&.to_s&.strip || SecureRandom.hex(STATE_BYTES)
+      @nonce = nonce&.to_s&.strip
+      @response_type = response_type.to_s.strip
+      @response_mode = response_mode&.to_s&.strip
+      # User input parameters (already sanitized)
+      @login_hint = login_hint&.to_s&.strip
+      @ui_locales = ui_locales&.to_s&.strip
+      @claims_locales = claims_locales&.to_s&.strip
+      # Configuration parameters (trusted, only trimmed)
+      @prompt = prompt&.to_s&.strip
+      @hd = hd&.to_s&.strip
+      # User input parameter (already sanitized)
+      @acr_values = acr_values&.to_s&.strip
       @extra_params = extra_params
       @jwks = jwks
       @entity_statement_path = entity_statement_path

data/lib/omniauth_openid_federation/rack_endpoint.rb

@@ -25,9 +25,11 @@
 require "rack"
 require "json"
 require "digest"
+require "uri"
 require_relative "cache_adapter"
 require_relative "federation_endpoint"
 require_relative "logger"
+require_relative "constants"
 
 module OmniauthOpenidFederation
   class RackEndpoint
@@ -117,6 +119,17 @@ module OmniauthOpenidFederation
         return error_response(400, {error: "invalid_request", error_description: "Missing required parameter: sub"}.to_json)
       end
 
+      # Security: Validate entity identifier per OpenID Federation 1.0 spec
+      # Entity identifiers must be valid HTTP/HTTPS URIs
+      begin
+        # Validate and get trimmed value
+        subject_entity_id = OmniauthOpenidFederation::Validators.validate_entity_identifier!(subject_entity_id)
+      rescue SecurityError => e
+        return error_response(400, {error: "invalid_request", error_description: "Invalid subject entity ID: #{e.message}"}.to_json)
+      rescue => e
+        return error_response(400, {error: "invalid_request", error_description: "Subject entity ID validation failed: #{e.message}"}.to_json)
+      end
+
       # Validate that subject is not the issuer (invalid request per spec)
       config = OmniauthOpenidFederation::FederationEndpoint.configuration
       if subject_entity_id == config.issuer