omniauth_openid_federation 1.2.2 → 1.3.2

data/lib/omniauth_openid_federation/validators.rb

@@ -1,4 +1,8 @@
 # Input validation utilities for omniauth_openid_federation
+require_relative "constants"
+require_relative "configuration"
+require_relative "string_helpers"
+
 module OmniauthOpenidFederation
   module Validators
     # Validate that a private key is present and valid
@@ -10,7 +14,6 @@ module OmniauthOpenidFederation
         raise ConfigurationError, "Private key is required for signed request objects"
       end
 
-      # Try to parse if it's a string
       if private_key.is_a?(String)
         begin
           OpenSSL::PKey::RSA.new(private_key)
@@ -71,17 +74,16 @@ module OmniauthOpenidFederation
       true
     end
 
-    # Validate client options hash
+    # Validate client options hash (for configuration validation only)
+    # Note: This validates configuration structure, not security (config is trusted)
     #
     # @param client_options [Hash] The client options to validate
     # @raise [ConfigurationError] If required options are missing
     def self.validate_client_options!(client_options)
       client_options ||= {}
 
-      # Normalize hash keys to symbols
       normalized = normalize_hash(client_options)
 
-      # Validate required fields
       if StringHelpers.blank?(normalized[:identifier])
         raise ConfigurationError, "Client identifier is required"
       end
@@ -90,13 +92,17 @@ module OmniauthOpenidFederation
         raise ConfigurationError, "Redirect URI is required"
       end
 
-      # Validate redirect URI format
-      validate_uri!(normalized[:redirect_uri], required: true)
+      begin
+        parsed = URI.parse(normalized[:redirect_uri].to_s)
+        unless parsed.is_a?(URI::HTTP) || parsed.is_a?(URI::HTTPS)
+          raise ConfigurationError, "Redirect URI must be HTTP or HTTPS: #{normalized[:redirect_uri]}"
+        end
+      rescue URI::InvalidURIError => e
+        raise ConfigurationError, "Invalid redirect URI format: #{e.message}"
+      end
 
-      # Validate private key
       validate_private_key!(normalized[:private_key])
 
-      # Validate endpoints if provided
       %i[authorization_endpoint token_endpoint jwks_uri].each do |endpoint|
         if normalized.key?(endpoint) && !StringHelpers.blank?(normalized[endpoint])
           # Endpoints can be paths or full URLs
@@ -122,5 +128,285 @@ module OmniauthOpenidFederation
         result[key] = v
       end
     end
+
+    # Validate and sanitize user input from HTTP requests only (not config values)
+    # Prevents URI exploitation, ReDoS, string overflow, and control character attacks
+    # Default max_length uses Configuration.config.max_string_length (8KB default) - large enough for legitimate use, prevents DoS attacks
+    def self.sanitize_request_param(value, max_length: nil, allow_control_chars: false)
+      max_length ||= ::OmniauthOpenidFederation::Configuration.config.max_string_length
+      return nil if value.nil?
+
+      str = value.to_s.strip
+      return nil if str.length > max_length
+
+      unless allow_control_chars
+        str = str.gsub(/[^\x20-\x7E]/, "")
+      end
+
+      str.empty? ? nil : str
+    end
+
+    # Validate URI for user input only (not config values)
+    # Prevents URI gem exploitation and validates scheme/length
+    def self.validate_uri_safe!(uri_str, max_length: nil, allowed_schemes: ["http", "https"])
+      max_length ||= ::OmniauthOpenidFederation::Configuration.config.max_string_length
+      raise SecurityError, "URI cannot be nil" if uri_str.nil?
+
+      original_str = uri_str.to_s
+      sanitized = original_str.gsub(/[^\x20-\x7E]/, "")
+      raise SecurityError, "URI contains invalid characters (only printable ASCII allowed)" if sanitized != original_str
+
+      str = sanitized.strip
+      raise SecurityError, "URI cannot be empty" if str.empty?
+      raise SecurityError, "URI exceeds maximum length of #{max_length} characters" if str.length > max_length
+
+      begin
+        parsed = URI.parse(str)
+      rescue URI::InvalidURIError => e
+        raise SecurityError, "Invalid URI format: #{e.message}"
+      end
+
+      unless parsed.scheme && allowed_schemes.include?(parsed.scheme.downcase)
+        raise SecurityError, "URI scheme must be one of: #{allowed_schemes.join(", ")}"
+      end
+
+      unless parsed.is_a?(URI::HTTP) || parsed.is_a?(URI::HTTPS)
+        raise SecurityError, "URI must be HTTP or HTTPS"
+      end
+
+      raise SecurityError, "URI host cannot be empty" if StringHelpers.blank?(parsed.host)
+
+      parsed
+    end
+
+    # Validate and normalize acr_values parameter per OIDC Core 1.0 spec
+    # acr_values is a space-separated string of ACR values
+    # Security: Uses allowed characters approach - only allows printable ASCII characters
+    #
+    # @param acr_values [String, Array, nil] ACR values in any format
+    # @param max_length [Integer] Maximum total length (default: Configuration.config.max_string_length)
+    # @param skip_sanitization [Boolean] Skip sanitization if values are already sanitized (default: false)
+    # @return [String, nil] Normalized space-separated string or nil
+    def self.normalize_acr_values(acr_values, max_length: nil, skip_sanitization: false)
+      max_length ||= ::OmniauthOpenidFederation::Configuration.config.max_string_length
+      return nil if StringHelpers.blank?(acr_values)
+
+      case acr_values
+      when Array
+        values = acr_values.map(&:to_s).map(&:strip).reject { |v| StringHelpers.blank?(v) }
+      when String
+        trimmed = acr_values.strip
+        values = trimmed.split(" ").map(&:strip).reject { |v| StringHelpers.blank?(v) }
+      else
+        str = acr_values.to_s.strip
+        return nil if str.length > max_length
+        values = str.split(" ").map(&:strip).reject { |v| StringHelpers.blank?(v) }
+      end
+
+      unless skip_sanitization
+        values = values.map { |v| sanitize_request_param(v) }.compact
+      end
+
+      return nil if values.empty?
+
+      result = values.join(" ")
+      return nil if result.length > max_length
+
+      result
+    end
+
+    # Validate and sanitize client_id per OIDC Core 1.0 spec
+    # client_id is REQUIRED and must be a valid string
+    #
+    # @param client_id [String, nil] Client identifier
+    # @return [String] Sanitized client_id
+    # @raise [ConfigurationError] If client_id is invalid
+    def self.validate_client_id!(client_id)
+      if StringHelpers.blank?(client_id)
+        raise ConfigurationError, "client_id is REQUIRED per OIDC Core 1.0 spec"
+      end
+
+      str = client_id.to_s.strip
+      if str.empty?
+        raise ConfigurationError, "client_id cannot be empty after trimming"
+      end
+
+      sanitized = sanitize_request_param(str)
+      if StringHelpers.blank?(sanitized)
+        raise ConfigurationError, "client_id contains invalid characters"
+      end
+
+      sanitized
+    end
+
+    # Validate and sanitize redirect_uri per OIDC Core 1.0 spec
+    # redirect_uri is REQUIRED and must be a valid absolute URI
+    #
+    # @param redirect_uri [String, nil] Redirect URI
+    # @return [String] Validated redirect_uri
+    # @raise [ConfigurationError] If redirect_uri is invalid
+    def self.validate_redirect_uri!(redirect_uri)
+      if StringHelpers.blank?(redirect_uri)
+        raise ConfigurationError, "redirect_uri is REQUIRED per OIDC Core 1.0 spec"
+      end
+
+      str = redirect_uri.to_s.strip
+      if str.empty?
+        raise ConfigurationError, "redirect_uri cannot be empty after trimming"
+      end
+
+      validated = validate_uri_safe!(str, allowed_schemes: ["http", "https"])
+      validated.to_s
+    end
+
+    # Validate and sanitize scope per OIDC Core 1.0 spec
+    # scope is space-delimited, case-sensitive list of ASCII string values
+    # MUST include "openid" scope value
+    #
+    # @param scope [String, Array, nil] Scope value(s)
+    # @param require_openid [Boolean] Whether to require "openid" scope (default: true)
+    # @return [String] Normalized space-separated scope string
+    # @raise [ConfigurationError] If scope is invalid
+    def self.validate_scope!(scope, require_openid: true)
+      if StringHelpers.blank?(scope)
+        if require_openid
+          raise ConfigurationError, "scope is REQUIRED and MUST include 'openid' per OIDC Core 1.0 spec"
+        end
+        return nil
+      end
+
+      scopes = case scope
+      when Array
+        scope.map(&:to_s).map(&:strip).reject { |s| StringHelpers.blank?(s) }
+      when String
+        scope.strip.split(" ").map(&:strip).reject { |s| StringHelpers.blank?(s) }
+      else
+        scope.to_s.strip.split(" ").map(&:strip).reject { |s| StringHelpers.blank?(s) }
+      end
+
+      scopes = scopes.map { |s| sanitize_request_param(s) }.compact
+
+      if scopes.empty?
+        raise ConfigurationError, "scope cannot be empty after validation"
+      end
+
+      if require_openid && !scopes.include?("openid")
+        raise ConfigurationError, "scope MUST include 'openid' per OIDC Core 1.0 spec"
+      end
+
+      result = scopes.join(" ")
+      max_length = ::OmniauthOpenidFederation::Configuration.config.max_string_length
+      if result.length > max_length
+        raise ConfigurationError, "scope exceeds maximum length of #{max_length} characters"
+      end
+
+      result
+    end
+
+    # Validate and sanitize state parameter
+    # state is REQUIRED for CSRF protection
+    #
+    # @param state [String, nil] State value
+    # @return [String] Sanitized state value
+    # @raise [ConfigurationError] If state is invalid
+    def self.validate_state!(state)
+      if StringHelpers.blank?(state)
+        raise ConfigurationError, "state is REQUIRED for CSRF protection"
+      end
+
+      str = state.to_s.strip
+      if str.empty?
+        raise ConfigurationError, "state cannot be empty after trimming"
+      end
+
+      sanitized = sanitize_request_param(str)
+      if StringHelpers.blank?(sanitized)
+        raise ConfigurationError, "state contains invalid characters"
+      end
+
+      sanitized
+    end
+
+    # Validate and sanitize nonce parameter
+    # nonce is REQUIRED for Implicit and Hybrid flows, RECOMMENDED for Authorization Code flow
+    #
+    # @param nonce [String, nil] Nonce value
+    # @param required [Boolean] Whether nonce is required (default: false)
+    # @return [String, nil] Sanitized nonce value or nil
+    # @raise [ConfigurationError] If nonce is required but invalid
+    def self.validate_nonce(nonce, required: false)
+      return nil unless nonce
+
+      str = nonce.to_s.strip
+      if str.empty?
+        if required
+          raise ConfigurationError, "nonce is REQUIRED but is empty after trimming"
+        end
+        return nil
+      end
+
+      sanitized = sanitize_request_param(str)
+      if StringHelpers.blank?(sanitized)
+        if required
+          raise ConfigurationError, "nonce contains invalid characters"
+        end
+        return nil
+      end
+
+      sanitized
+    end
+
+    # Validate and sanitize response_type per OIDC Core 1.0 spec
+    # response_type is REQUIRED and must be a valid value
+    #
+    # @param response_type [String, nil] Response type
+    # @return [String] Validated response_type
+    # @raise [ConfigurationError] If response_type is invalid
+    def self.validate_response_type!(response_type)
+      if StringHelpers.blank?(response_type)
+        raise ConfigurationError, "response_type is REQUIRED per OIDC Core 1.0 spec"
+      end
+
+      str = response_type.to_s.strip
+      if str.empty?
+        raise ConfigurationError, "response_type cannot be empty after trimming"
+      end
+
+      sanitized = sanitize_request_param(str)
+      if StringHelpers.blank?(sanitized)
+        raise ConfigurationError, "response_type contains invalid characters"
+      end
+
+      valid_types = ["code", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"]
+      types = sanitized.split(" ").map(&:strip)
+      unless types.all? { |t| valid_types.include?(t) || t.match?(/^[a-z_]+$/) }
+        raise ConfigurationError, "response_type contains invalid value: #{sanitized}"
+      end
+
+      sanitized
+    end
+
+    # Validate entity identifier per OpenID Federation 1.0 spec
+    # Entity identifiers are URIs that identify entities in the federation
+    #
+    # @param entity_id [String, nil] Entity identifier
+    # @param max_length [Integer] Maximum length (default: Configuration.config.max_string_length)
+    # @return [String] Validated and trimmed entity identifier
+    # @raise [SecurityError] If entity identifier is invalid
+    def self.validate_entity_identifier!(entity_id, max_length: nil)
+      max_length ||= ::OmniauthOpenidFederation::Configuration.config.max_string_length
+      if StringHelpers.blank?(entity_id)
+        raise SecurityError, "Entity identifier cannot be nil or empty"
+      end
+
+      str = entity_id.to_s.strip
+      if str.empty?
+        raise SecurityError, "Entity identifier cannot be empty after trimming"
+      end
+
+      validate_uri_safe!(str, max_length: max_length, allowed_schemes: ["http", "https"])
+
+      str
+    end
   end
 end

data/lib/omniauth_openid_federation/version.rb

@@ -1,3 +1,3 @@
 module OmniauthOpenidFederation
-  VERSION = "1.2.2".freeze
+  VERSION = "1.3.2".freeze
 end

data/lib/omniauth_openid_federation.rb

@@ -28,6 +28,7 @@ end
 
 require_relative "omniauth_openid_federation/version"
 require_relative "omniauth_openid_federation/string_helpers"
+require_relative "omniauth_openid_federation/time_helpers"
 require_relative "omniauth_openid_federation/logger"
 require_relative "omniauth_openid_federation/configuration"
 require_relative "omniauth_openid_federation/errors"

data/lib/tasks/omniauth_openid_federation.rake

@@ -1,5 +1,6 @@
 # Rake tasks for OmniAuth OpenID Federation
 # Thin wrappers around TasksHelper for CLI interface
+require_relative "../omniauth_openid_federation/time_helpers"
 
 namespace :openid_federation do
   desc "Fetch entity statement from OpenID Federation provider"
@@ -262,8 +263,8 @@ namespace :openid_federation do
       end
       puts "   Issuer: #{metadata[:issuer]}"
       puts "   Subject: #{metadata[:sub]}"
-      puts "   Expires: #{Time.at(metadata[:exp])}" if metadata[:exp]
-      puts "   Issued At: #{Time.at(metadata[:iat])}" if metadata[:iat]
+      puts "   Expires: #{OmniauthOpenidFederation::TimeHelpers.at(metadata[:exp])}" if metadata[:exp]
+      puts "   Issued At: #{OmniauthOpenidFederation::TimeHelpers.at(metadata[:iat])}" if metadata[:iat]
       puts
 
       # Key status information
@@ -373,4 +374,302 @@ namespace :openid_federation do
       exit 1
     end
   end
+
+  desc "Test full OpenID Federation authentication flow with a real provider"
+  task :test_authentication_flow, [:login_page_url, :base_url, :provider_acr] => :environment do |_t, args|
+    require "omniauth_openid_federation"
+    require "cgi"
+    require "base64"
+    require "openssl"
+    require "uri"
+    require "time"
+
+    login_page_url = args[:login_page_url] || ENV["LOGIN_PAGE_URL"]
+    base_url = args[:base_url] || ENV["BASE_URL"] || (login_page_url ? URI.parse(login_page_url).tap { |u|
+      u.path = ""
+      u.query = nil
+      u.fragment = nil
+    }.to_s : "http://localhost:3000")
+    provider_acr = args[:provider_acr] || ENV["PROVIDER_ACR"]
+
+    # Required configuration from environment
+    client_id = ENV["CLIENT_ID"]
+    redirect_uri = ENV["REDIRECT_URI"] || "#{base_url}/users/auth/openid_federation/callback"
+    private_key_pem = ENV["PRIVATE_KEY"] || (ENV["PRIVATE_KEY_BASE64"] ? Base64.decode64(ENV["PRIVATE_KEY_BASE64"]) : nil)
+    private_key_path = ENV["PRIVATE_KEY_PATH"]
+
+    # Entity statement configuration
+    entity_statement_url = ENV["ENTITY_STATEMENT_URL"]
+    entity_statement_path = ENV["ENTITY_STATEMENT_PATH"]
+    client_entity_statement_url = ENV["CLIENT_ENTITY_STATEMENT_URL"]
+    client_entity_statement_path = ENV["CLIENT_ENTITY_STATEMENT_PATH"]
+
+    puts "=" * 80
+    puts "OpenID Federation Authentication Flow Test"
+    puts "=" * 80
+    puts
+    puts "Login Page URL: #{login_page_url || "Not provided"}"
+    puts "Base URL: #{base_url}"
+    puts "Provider ACR: #{provider_acr || "Not specified (will use default)"}"
+    puts
+
+    # Validate required parameters
+    unless login_page_url
+      puts "❌ LOGIN_PAGE_URL is required"
+      puts "   Set it as an environment variable or pass as first argument:"
+      puts "   rake openid_federation:test_authentication_flow[https://example.com/login]"
+      exit 1
+    end
+
+    # Load private key
+    private_key = nil
+    if private_key_pem
+      begin
+        private_key = OpenSSL::PKey::RSA.new(private_key_pem)
+      rescue => e
+        puts "❌ Failed to parse private key from PRIVATE_KEY or PRIVATE_KEY_BASE64: #{e.message}"
+        exit 1
+      end
+    elsif private_key_path
+      begin
+        private_key = OpenSSL::PKey::RSA.new(File.read(private_key_path))
+      rescue => e
+        puts "❌ Failed to load private key from #{private_key_path}: #{e.message}"
+        exit 1
+      end
+    end
+
+    unless private_key
+      puts "❌ Private key is required"
+      puts "   Set one of: PRIVATE_KEY, PRIVATE_KEY_BASE64, or PRIVATE_KEY_PATH"
+      exit 1
+    end
+
+    unless client_id
+      puts "❌ CLIENT_ID is required"
+      puts "   Set it as an environment variable: CLIENT_ID=your_client_id"
+      exit 1
+    end
+
+    # Try to resolve entity statement if not provided
+    unless entity_statement_url || entity_statement_path
+      # Try to fetch from well-known endpoint
+      begin
+        well_known_url = "#{base_url}/.well-known/openid-federation"
+        puts "📥 Attempting to fetch entity statement from: #{well_known_url}"
+        require "http"
+        response = HTTP.timeout(connect: 5, read: 5).get(well_known_url)
+        if response.status.success?
+          entity_statement_path = "/tmp/entity_statement_#{Time.now.to_i}.json"
+          File.write(entity_statement_path, response.body.to_s)
+          puts "   ✅ Entity statement cached to: #{entity_statement_path}"
+        end
+      rescue => e
+        puts "   ⚠️  Could not fetch entity statement: #{e.message}"
+        puts "   Set ENTITY_STATEMENT_URL or ENTITY_STATEMENT_PATH manually"
+      end
+    end
+
+    # Display configuration status
+    puts "📋 Configuration Status:"
+    puts "   ✅ Client ID: #{client_id}"
+    puts "   ✅ Redirect URI: #{redirect_uri}"
+    puts "   ✅ Private Key: Loaded"
+    if entity_statement_url
+      puts "   ✅ Provider Entity Statement URL: #{entity_statement_url}"
+    elsif entity_statement_path
+      puts "   ✅ Provider Entity Statement Path: #{entity_statement_path}"
+    else
+      puts "   ⚠️  Provider Entity Statement: Not configured"
+    end
+    if client_entity_statement_url
+      puts "   ✅ Client Entity Statement URL: #{client_entity_statement_url}"
+    elsif client_entity_statement_path
+      puts "   ✅ Client Entity Statement Path: #{client_entity_statement_path}"
+    end
+    puts
+
+    begin
+      # Step 1: Request authorization URL
+      puts "=" * 80
+      puts "📋 Step 1: Requesting Authorization URL"
+      puts "-" * 80
+      puts
+
+      result = OmniauthOpenidFederation::TasksHelper.test_authentication_flow(
+        login_page_url: login_page_url,
+        base_url: base_url,
+        provider_acr: provider_acr
+      )
+
+      if result[:errors].any?
+        puts "❌ Errors occurred:"
+        result[:errors].each { |error| puts "   - #{error}" }
+        exit 1
+      end
+
+      puts "✅ CSRF token extracted: #{result[:csrf_token][0..20]}..." if result[:csrf_token]
+      puts "✅ Cookies received: #{result[:cookies].length} cookie(s)"
+      puts
+      puts "✅ Authorization URL received"
+      puts
+      puts "🔗 Authorization URL:"
+      puts result[:authorization_url]
+      puts
+      puts "📋 Instructions:"
+      result[:instructions].each { |instruction| puts "   #{instruction}" }
+      puts
+
+      # Step 2: Get callback URL from user
+      puts "=" * 80
+      puts "📥 Step 2: Waiting for Callback URL"
+      puts "-" * 80
+      puts
+      print "Paste the callback URL here (or press Enter to skip to manual code entry): "
+      callback_url = $stdin.gets.chomp
+
+      if callback_url.empty?
+        puts
+        print "Enter authorization code manually: "
+        auth_code = $stdin.gets.chomp
+
+        if auth_code.empty?
+          puts "❌ No authorization code provided"
+          exit 1
+        end
+
+        # Build callback URL with code
+        callback_url = "#{base_url}/users/auth/openid_federation/callback?code=#{CGI.escape(auth_code)}"
+      end
+
+      # Step 3: Process callback and validate
+      puts
+      puts "=" * 80
+      puts "🔄 Step 3: Processing Callback and Validating"
+      puts "-" * 80
+      puts
+
+      callback_result = OmniauthOpenidFederation::TasksHelper.process_callback_and_validate(
+        callback_url: callback_url,
+        base_url: base_url,
+        entity_statement_url: entity_statement_url,
+        entity_statement_path: entity_statement_path,
+        client_id: client_id,
+        redirect_uri: redirect_uri,
+        private_key: private_key,
+        provider_acr: provider_acr,
+        client_entity_statement_url: client_entity_statement_url,
+        client_entity_statement_path: client_entity_statement_path
+      )
+
+      if callback_result[:errors].any?
+        puts "❌ Errors occurred:"
+        callback_result[:errors].each { |error| puts "   - #{error}" }
+        exit 1
+      end
+
+      puts "✅ Authorization code extracted"
+      puts "✅ Strategy initialized"
+      puts "✅ Tokens received"
+      puts
+      puts "📋 Token Information:"
+      callback_result[:token_info].each do |key, value|
+        if value
+          label = key.to_s.split("_").map(&:capitalize).join(" ")
+          puts "   #{label}: #{value}"
+        end
+      end
+      puts
+
+      # Step 4: ID Token validation
+      puts "=" * 80
+      puts "🔐 Step 4: ID Token Validation"
+      puts "-" * 80
+      puts
+
+      if callback_result[:id_token_valid]
+        puts "✅ ID token decrypted and validated"
+        puts
+        puts "📋 ID Token Claims:"
+        callback_result[:id_token_claims].each do |key, value|
+          if value
+            if [:exp, :iat, :auth_time].include?(key)
+              time_value = begin
+                OmniauthOpenidFederation::TimeHelpers.at(value)
+              rescue
+                value
+              end
+              puts "   #{key}: #{value} (#{time_value})"
+            else
+              puts "   #{key}: #{value}"
+            end
+          end
+        end
+        puts
+        puts "✅ All required claims present"
+      else
+        puts "❌ ID token validation failed"
+      end
+      puts
+
+      # Step 5: OpenID Federation Compliance
+      puts "=" * 80
+      puts "✅ Step 5: OpenID Federation Compliance Check"
+      puts "-" * 80
+      puts
+
+      callback_result[:compliance_checks].each do |check_name, check_data|
+        status_icon = check_data[:verified] ? "✅" : "❌"
+        puts "#{status_icon} #{check_name}"
+        puts "   Status: #{check_data[:status]}"
+        puts "   Description: #{check_data[:description]}"
+        puts
+      end
+
+      all_verified = callback_result[:all_compliance_verified]
+
+      if all_verified
+        puts "✅ All OpenID Federation requirements verified"
+      else
+        puts "⚠️  Some requirements not verified"
+      end
+      puts
+
+      # Step 6: Summary
+      puts "=" * 80
+      puts "📊 Test Summary"
+      puts "=" * 80
+      puts
+      puts "Provider ACR: #{provider_acr || "Default"}"
+      if callback_result[:id_token_claims][:sub]
+        puts "Subject (sub): #{callback_result[:id_token_claims][:sub]}"
+      end
+      if callback_result[:id_token_claims][:iss]
+        puts "Issuer (iss): #{callback_result[:id_token_claims][:iss]}"
+      end
+      if callback_result[:id_token_claims][:aud]
+        puts "Audience (aud): #{callback_result[:id_token_claims][:aud]}"
+      end
+      if callback_result[:id_token_claims][:acr]
+        puts "Authentication Context (acr): #{callback_result[:id_token_claims][:acr]}"
+      end
+      puts
+      puts "OpenID Federation Compliance: #{all_verified ? "✅ PASS" : "❌ FAIL"}"
+      puts
+      puts "=" * 80
+
+      if all_verified
+        puts "✅ All tests passed! Implementation is compliant."
+        exit 0
+      else
+        puts "⚠️  Some checks failed. Review the output above."
+        exit 1
+      end
+    rescue => e
+      puts "❌ Test failed: #{e.message}"
+      puts "   #{e.class}"
+      puts "   #{e.backtrace.first(10).join("\n   ")}"
+      exit 1
+    end
+  end
 end

data/sig/federation.rbs

@@ -152,14 +152,6 @@ module OmniauthOpenidFederation
     def self.generate_signed_jwks: () -> String
     def self.current_jwks: () -> Hash[String, untyped]
     def self.rack_app: () -> RackEndpoint
-    def self.mount_routes: (
-      untyped router,
-      ?entity_statement_path: String,
-      ?fetch_path: String,
-      ?jwks_path: String,
-      ?signed_jwks_path: String,
-      ?as: Symbol
-    ) -> void
 
     def self.generate_fresh_keys: (
       entity_statement_path: String,