omniauth_openid_federation 1.3.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +45 -1
- data/README.md +120 -14
- data/app/controllers/omniauth_openid_federation/federation_controller.rb +3 -3
- data/config/polyrun_coverage.yml +15 -0
- data/config/polyrun_spec_quality.yml +29 -0
- data/config/routes.rb +20 -10
- data/examples/README_INTEGRATION_TESTING.md +3 -0
- data/examples/integration_test_flow.rb +10 -8
- data/examples/jobs/federation_cache_refresh_job.rb.example +7 -7
- data/examples/jobs/federation_files_generation_job.rb.example +3 -2
- data/examples/mock_op_server.rb +4 -5
- data/examples/mock_rp_server.rb +3 -3
- data/examples/standalone_multiple_endpoints_example.rb +494 -0
- data/lib/omniauth_openid_federation/access_token.rb +91 -450
- data/lib/omniauth_openid_federation/cache.rb +16 -0
- data/lib/omniauth_openid_federation/cache_adapter.rb +6 -3
- data/lib/omniauth_openid_federation/constants.rb +3 -0
- data/lib/omniauth_openid_federation/entity_statement_reader.rb +39 -14
- data/lib/omniauth_openid_federation/federation/entity_statement.rb +0 -4
- data/lib/omniauth_openid_federation/federation/entity_statement_builder.rb +7 -14
- data/lib/omniauth_openid_federation/federation/entity_statement_helper.rb +40 -11
- data/lib/omniauth_openid_federation/federation/entity_statement_validator.rb +8 -91
- data/lib/omniauth_openid_federation/federation/signed_jwks.rb +0 -1
- data/lib/omniauth_openid_federation/federation/trust_chain_resolver.rb +54 -21
- data/lib/omniauth_openid_federation/federation_endpoint.rb +40 -172
- data/lib/omniauth_openid_federation/http_client.rb +145 -32
- data/lib/omniauth_openid_federation/http_errors.rb +14 -0
- data/lib/omniauth_openid_federation/id_token.rb +19 -0
- data/lib/omniauth_openid_federation/jwe.rb +26 -0
- data/lib/omniauth_openid_federation/jwks/decode.rb +0 -13
- data/lib/omniauth_openid_federation/jwks/fetch.rb +16 -39
- data/lib/omniauth_openid_federation/jwks/rotate.rb +45 -20
- data/lib/omniauth_openid_federation/jws.rb +3 -11
- data/lib/omniauth_openid_federation/jwt_response_decoder.rb +290 -0
- data/lib/omniauth_openid_federation/oidc_client.rb +101 -0
- data/lib/omniauth_openid_federation/rack.rb +2 -0
- data/lib/omniauth_openid_federation/rack_endpoint.rb +21 -9
- data/lib/omniauth_openid_federation/rate_limiter.rb +10 -12
- data/lib/omniauth_openid_federation/secure_compare.rb +15 -0
- data/lib/omniauth_openid_federation/strategy/authorization_request.rb +220 -0
- data/lib/omniauth_openid_federation/strategy/callback_handling.rb +135 -0
- data/lib/omniauth_openid_federation/strategy/client_construction.rb +101 -0
- data/lib/omniauth_openid_federation/strategy/client_entity_statement.rb +211 -0
- data/lib/omniauth_openid_federation/strategy/endpoint_resolution.rb +433 -0
- data/lib/omniauth_openid_federation/strategy/failure_handling.rb +75 -0
- data/lib/omniauth_openid_federation/strategy/id_token_decoding.rb +268 -0
- data/lib/omniauth_openid_federation/strategy/jwks_resolution.rb +268 -0
- data/lib/omniauth_openid_federation/strategy/provider_entity_statement.rb +134 -0
- data/lib/omniauth_openid_federation/strategy/userinfo_decoding.rb +61 -0
- data/lib/omniauth_openid_federation/strategy.rb +27 -1910
- data/lib/omniauth_openid_federation/tasks/authentication_flow_tester.rb +237 -0
- data/lib/omniauth_openid_federation/tasks/callback_processor.rb +235 -0
- data/lib/omniauth_openid_federation/tasks/client_keys_preparer.rb +96 -0
- data/lib/omniauth_openid_federation/tasks/local_endpoint_tester.rb +189 -0
- data/lib/omniauth_openid_federation/tasks/path_resolver.rb +20 -0
- data/lib/omniauth_openid_federation/tasks_helper.rb +28 -790
- data/lib/omniauth_openid_federation/time_helpers.rb +67 -0
- data/lib/omniauth_openid_federation/user_info.rb +15 -0
- data/lib/omniauth_openid_federation/utils.rb +14 -9
- data/lib/omniauth_openid_federation/validators.rb +55 -44
- data/lib/omniauth_openid_federation/version.rb +1 -1
- data/lib/omniauth_openid_federation.rb +10 -3
- data/lib/tasks/omniauth_openid_federation.rake +5 -5
- data/sig/omniauth_openid_federation.rbs +8 -1
- data/sig/strategy.rbs +6 -6
- metadata +252 -43
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
module OmniauthOpenidFederation
|
|
2
|
+
module Strategy
|
|
3
|
+
module UserinfoDecoding
|
|
4
|
+
private
|
|
5
|
+
|
|
6
|
+
def decode_userinfo(userinfo)
|
|
7
|
+
if userinfo.is_a?(String)
|
|
8
|
+
if encrypted_token?(userinfo)
|
|
9
|
+
client_options_hash = options.client_options || {}
|
|
10
|
+
normalized_options = OmniauthOpenidFederation::Validators.normalize_hash(client_options_hash)
|
|
11
|
+
|
|
12
|
+
decryption_key_source = options.decryption_key_source || options.key_source || :local
|
|
13
|
+
private_key = normalized_options[:private_key]
|
|
14
|
+
jwks = normalized_options[:jwks] || normalized_options["jwks"]
|
|
15
|
+
metadata = load_metadata_for_key_extraction
|
|
16
|
+
|
|
17
|
+
encryption_key = if decryption_key_source == :federation
|
|
18
|
+
OmniauthOpenidFederation::KeyExtractor.extract_encryption_key(
|
|
19
|
+
jwks: jwks,
|
|
20
|
+
metadata: metadata,
|
|
21
|
+
private_key: private_key
|
|
22
|
+
) || private_key
|
|
23
|
+
else
|
|
24
|
+
private_key
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
OmniauthOpenidFederation::Validators.validate_private_key!(encryption_key)
|
|
28
|
+
|
|
29
|
+
begin
|
|
30
|
+
userinfo_string = OmniauthOpenidFederation::Jwe.decrypt(userinfo, encryption_key)
|
|
31
|
+
OmniauthOpenidFederation::Logger.debug("[Strategy] Successfully decrypted userinfo using encryption key")
|
|
32
|
+
JSON.parse(userinfo_string)
|
|
33
|
+
rescue => e
|
|
34
|
+
error_msg = "Failed to decrypt userinfo: #{e.class} - #{e.message}"
|
|
35
|
+
OmniauthOpenidFederation::Logger.error("[Strategy] #{error_msg}")
|
|
36
|
+
OmniauthOpenidFederation::Instrumentation.notify_decryption_failed(
|
|
37
|
+
token_type: "userinfo",
|
|
38
|
+
error_message: e.message,
|
|
39
|
+
error_class: e.class.name
|
|
40
|
+
)
|
|
41
|
+
raise OmniauthOpenidFederation::DecryptionError, error_msg, e.backtrace
|
|
42
|
+
end
|
|
43
|
+
else
|
|
44
|
+
JSON.parse(userinfo)
|
|
45
|
+
end
|
|
46
|
+
elsif userinfo.is_a?(Hash)
|
|
47
|
+
userinfo
|
|
48
|
+
elsif userinfo.respond_to?(:raw_attributes)
|
|
49
|
+
userinfo.raw_attributes || {}
|
|
50
|
+
elsif userinfo.respond_to?(:as_json)
|
|
51
|
+
userinfo.as_json(skip_validation: true)
|
|
52
|
+
else
|
|
53
|
+
userinfo.instance_variables.each_with_object({}) do |var, hash|
|
|
54
|
+
key = var.to_s.delete_prefix("@").to_sym
|
|
55
|
+
hash[key] = userinfo.instance_variable_get(var)
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
end
|