omniauth_openid_federation 1.3.2 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (62) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +32 -1
  3. data/README.md +119 -13
  4. data/app/controllers/omniauth_openid_federation/federation_controller.rb +2 -2
  5. data/config/polyrun_coverage.yml +15 -0
  6. data/config/polyrun_spec_quality.yml +29 -0
  7. data/examples/README_INTEGRATION_TESTING.md +3 -0
  8. data/examples/integration_test_flow.rb +10 -8
  9. data/examples/jobs/federation_cache_refresh_job.rb.example +7 -7
  10. data/examples/jobs/federation_files_generation_job.rb.example +3 -2
  11. data/examples/mock_op_server.rb +4 -5
  12. data/examples/mock_rp_server.rb +3 -3
  13. data/examples/standalone_multiple_endpoints_example.rb +494 -0
  14. data/lib/omniauth_openid_federation/access_token.rb +91 -450
  15. data/lib/omniauth_openid_federation/cache.rb +16 -0
  16. data/lib/omniauth_openid_federation/cache_adapter.rb +6 -3
  17. data/lib/omniauth_openid_federation/constants.rb +3 -0
  18. data/lib/omniauth_openid_federation/federation/entity_statement.rb +0 -4
  19. data/lib/omniauth_openid_federation/federation/entity_statement_validator.rb +2 -4
  20. data/lib/omniauth_openid_federation/federation/signed_jwks.rb +0 -1
  21. data/lib/omniauth_openid_federation/federation/trust_chain_resolver.rb +51 -6
  22. data/lib/omniauth_openid_federation/federation_endpoint.rb +1 -1
  23. data/lib/omniauth_openid_federation/http_client.rb +145 -32
  24. data/lib/omniauth_openid_federation/http_errors.rb +14 -0
  25. data/lib/omniauth_openid_federation/id_token.rb +19 -0
  26. data/lib/omniauth_openid_federation/jwe.rb +26 -0
  27. data/lib/omniauth_openid_federation/jwks/decode.rb +0 -13
  28. data/lib/omniauth_openid_federation/jwks/fetch.rb +16 -39
  29. data/lib/omniauth_openid_federation/jws.rb +2 -11
  30. data/lib/omniauth_openid_federation/jwt_response_decoder.rb +290 -0
  31. data/lib/omniauth_openid_federation/oidc_client.rb +101 -0
  32. data/lib/omniauth_openid_federation/rack.rb +2 -0
  33. data/lib/omniauth_openid_federation/rack_endpoint.rb +2 -2
  34. data/lib/omniauth_openid_federation/rate_limiter.rb +10 -12
  35. data/lib/omniauth_openid_federation/secure_compare.rb +15 -0
  36. data/lib/omniauth_openid_federation/strategy/authorization_request.rb +220 -0
  37. data/lib/omniauth_openid_federation/strategy/callback_handling.rb +135 -0
  38. data/lib/omniauth_openid_federation/strategy/client_construction.rb +101 -0
  39. data/lib/omniauth_openid_federation/strategy/client_entity_statement.rb +211 -0
  40. data/lib/omniauth_openid_federation/strategy/endpoint_resolution.rb +433 -0
  41. data/lib/omniauth_openid_federation/strategy/failure_handling.rb +75 -0
  42. data/lib/omniauth_openid_federation/strategy/id_token_decoding.rb +268 -0
  43. data/lib/omniauth_openid_federation/strategy/jwks_resolution.rb +268 -0
  44. data/lib/omniauth_openid_federation/strategy/provider_entity_statement.rb +134 -0
  45. data/lib/omniauth_openid_federation/strategy/userinfo_decoding.rb +61 -0
  46. data/lib/omniauth_openid_federation/strategy.rb +27 -1910
  47. data/lib/omniauth_openid_federation/tasks/authentication_flow_tester.rb +237 -0
  48. data/lib/omniauth_openid_federation/tasks/callback_processor.rb +235 -0
  49. data/lib/omniauth_openid_federation/tasks/client_keys_preparer.rb +96 -0
  50. data/lib/omniauth_openid_federation/tasks/local_endpoint_tester.rb +189 -0
  51. data/lib/omniauth_openid_federation/tasks/path_resolver.rb +20 -0
  52. data/lib/omniauth_openid_federation/tasks_helper.rb +28 -808
  53. data/lib/omniauth_openid_federation/time_helpers.rb +7 -0
  54. data/lib/omniauth_openid_federation/user_info.rb +15 -0
  55. data/lib/omniauth_openid_federation/utils.rb +10 -2
  56. data/lib/omniauth_openid_federation/validators.rb +43 -8
  57. data/lib/omniauth_openid_federation/version.rb +1 -1
  58. data/lib/omniauth_openid_federation.rb +9 -3
  59. data/lib/tasks/omniauth_openid_federation.rake +1 -2
  60. data/sig/omniauth_openid_federation.rbs +2 -1
  61. data/sig/strategy.rbs +6 -6
  62. metadata +181 -71
@@ -56,5 +56,12 @@ module OmniauthOpenidFederation
56
56
  false
57
57
  end
58
58
  end
59
+
60
+ # Seconds to add to {TimeHelpers.now} for JWT request object expiration.
61
+ #
62
+ # @return [Integer]
63
+ def self.request_object_expiration_offset
64
+ Constants::REQUEST_OBJECT_EXPIRATION_SECONDS
65
+ end
59
66
  end
60
67
  end
@@ -0,0 +1,15 @@
1
+ module OmniauthOpenidFederation
2
+ class UserInfo
3
+ attr_reader :raw_attributes
4
+
5
+ def initialize(raw_attributes)
6
+ @raw_attributes = raw_attributes.each_with_object({}) do |(key, value), claims|
7
+ claims[key.to_sym] = value
8
+ end
9
+ end
10
+
11
+ def as_json(_options = {})
12
+ raw_attributes.transform_keys(&:to_s)
13
+ end
14
+ end
15
+ end
@@ -7,11 +7,19 @@ module OmniauthOpenidFederation
7
7
  #
8
8
  # @param hash [Hash, Object] The hash to convert
9
9
  # @return [Hash, HashWithIndifferentAccess] Converted hash
10
- def self.to_indifferent_hash(hash)
10
+ def self.to_indifferent_hash(value)
11
+ hash = if value.is_a?(Hash)
12
+ value
13
+ elsif value.respond_to?(:to_h)
14
+ value.to_h
15
+ else
16
+ {}
17
+ end
18
+
11
19
  if defined?(ActiveSupport::HashWithIndifferentAccess)
12
20
  ActiveSupport::HashWithIndifferentAccess.new(hash)
13
21
  else
14
- hash.is_a?(Hash) ? hash : hash.to_h
22
+ hash
15
23
  end
16
24
  end
17
25
 
@@ -9,19 +9,54 @@ module OmniauthOpenidFederation
9
9
  #
10
10
  # @param private_key [OpenSSL::PKey::RSA, String, nil] The private key to validate
11
11
  # @raise [ConfigurationError] If private key is missing or invalid
12
- def self.validate_private_key!(private_key)
12
+ def self.validate_private_key!(private_key, min_bits: Constants::MIN_RSA_KEY_BITS)
13
13
  if private_key.nil?
14
14
  raise ConfigurationError, "Private key is required for signed request objects"
15
15
  end
16
16
 
17
- if private_key.is_a?(String)
18
- begin
19
- OpenSSL::PKey::RSA.new(private_key)
20
- rescue => e
21
- raise ConfigurationError, "Invalid private key format: #{e.message}"
17
+ normalized_key =
18
+ if private_key.is_a?(String)
19
+ begin
20
+ OpenSSL::PKey::RSA.new(private_key)
21
+ rescue => error
22
+ raise ConfigurationError, "Invalid private key format: #{error.message}"
23
+ end
24
+ elsif private_key.is_a?(OpenSSL::PKey::RSA)
25
+ private_key
26
+ else
27
+ raise ConfigurationError, "Private key must be an OpenSSL::PKey::RSA instance or PEM string"
22
28
  end
23
- elsif !private_key.is_a?(OpenSSL::PKey::RSA)
24
- raise ConfigurationError, "Private key must be an OpenSSL::PKey::RSA instance or PEM string"
29
+
30
+ if min_bits.to_i.positive? && normalized_key.n.num_bits < min_bits.to_i
31
+ raise ConfigurationError,
32
+ "RSA private key must be at least #{min_bits} bits (got #{normalized_key.n.num_bits} bits)"
33
+ end
34
+
35
+ true
36
+ end
37
+
38
+ def self.validate_required_request_object_claims!(claims, required_names)
39
+ required = Array(required_names).map(&:to_s).uniq
40
+ return true if required.empty?
41
+
42
+ normalized_claims = (claims || {}).each_with_object({}) do |(key, value), hash|
43
+ hash[key.to_s] = value
44
+ end
45
+
46
+ missing = required.reject { |name| StringHelpers.present?(normalized_claims[name]) }
47
+ return true if missing.empty?
48
+
49
+ raise ConfigurationError, "Missing required request object claims: #{missing.join(", ")}"
50
+ end
51
+
52
+ def self.validate_allowed_acr_value!(acr_value, allowed_acr_values)
53
+ allowed = Array(allowed_acr_values).map(&:to_s).map(&:strip).reject { |value| StringHelpers.blank?(value) }
54
+ return true if allowed.empty?
55
+
56
+ token_acr = acr_value.to_s.strip
57
+ if StringHelpers.blank?(token_acr) || !allowed.include?(token_acr)
58
+ raise ValidationError,
59
+ "ID token acr mismatch: expected one of [#{allowed.join(", ")}], got '#{acr_value}'"
25
60
  end
26
61
 
27
62
  true
@@ -1,3 +1,3 @@
1
1
  module OmniauthOpenidFederation
2
- VERSION = "1.3.2".freeze
2
+ VERSION = "2.0.0".freeze
3
3
  end
@@ -1,7 +1,7 @@
1
1
  # OmniAuth OpenID Federation
2
2
  #
3
- # Custom OmniAuth strategy for OpenID Federation providers using openid_connect gem
4
- # supporting signed request objects, ID token encryption, and OpenID Federation.
3
+ # Custom OmniAuth strategy for OpenID Federation providers supporting signed request objects,
4
+ # ID token encryption, and OpenID Federation.
5
5
  #
6
6
  # @see https://openid.net/specs/openid-federation-1_0.html
7
7
  module OmniauthOpenidFederation
@@ -39,7 +39,13 @@ require_relative "omniauth_openid_federation/constants"
39
39
  require_relative "omniauth_openid_federation/cache"
40
40
  require_relative "omniauth_openid_federation/cache_adapter"
41
41
  require_relative "omniauth_openid_federation/utils"
42
+ require_relative "omniauth_openid_federation/jwe"
42
43
  require_relative "omniauth_openid_federation/jws"
44
+ require_relative "omniauth_openid_federation/http_errors"
45
+ require_relative "omniauth_openid_federation/id_token"
46
+ require_relative "omniauth_openid_federation/user_info"
47
+ require_relative "omniauth_openid_federation/secure_compare"
48
+ require_relative "omniauth_openid_federation/oidc_client"
43
49
  require_relative "omniauth_openid_federation/jwks/normalizer"
44
50
  require_relative "omniauth_openid_federation/jwks/fetch"
45
51
  require_relative "omniauth_openid_federation/jwks/decode"
@@ -56,12 +62,12 @@ require_relative "omniauth_openid_federation/federation/trust_chain_resolver"
56
62
  require_relative "omniauth_openid_federation/federation/metadata_policy_merger"
57
63
  require_relative "omniauth_openid_federation/federation/signed_jwks"
58
64
  require_relative "omniauth_openid_federation/federation_endpoint"
59
- require_relative "omniauth_openid_federation/rack_endpoint"
60
65
  require_relative "omniauth_openid_federation/entity_statement_reader"
61
66
  require_relative "omniauth_openid_federation/tasks_helper"
62
67
  require_relative "omniauth_openid_federation/endpoint_resolver"
63
68
  require_relative "omniauth_openid_federation/strategy"
64
69
  require_relative "omniauth_openid_federation/access_token"
70
+ require_relative "omniauth_openid_federation/jwt_response_decoder"
65
71
 
66
72
  module OmniauthOpenidFederation
67
73
  # Rotate JWKS cache for a provider
@@ -457,8 +457,7 @@ namespace :openid_federation do
457
457
  begin
458
458
  well_known_url = "#{base_url}/.well-known/openid-federation"
459
459
  puts "📥 Attempting to fetch entity statement from: #{well_known_url}"
460
- require "http"
461
- response = HTTP.timeout(connect: 5, read: 5).get(well_known_url)
460
+ response = OmniauthOpenidFederation::HttpClient.get(well_known_url, timeout: 5, max_retries: 0)
462
461
  if response.status.success?
463
462
  entity_statement_path = "/tmp/entity_statement_#{Time.now.to_i}.json"
464
463
  File.write(entity_statement_path, response.body.to_s)
@@ -71,7 +71,8 @@ module OmniauthOpenidFederation
71
71
  end
72
72
 
73
73
  class HttpClient
74
- def self.get: (String uri, ?timeout: Integer, ?max_retries: Integer, ?retry_delay: Integer) -> untyped
74
+ def self.get: (String uri, ?Hash[Symbol, untyped] options) -> untyped
75
+ def self.post: (String uri, ?Hash[Symbol, untyped] options) -> untyped
75
76
  end
76
77
 
77
78
  class Logger
data/sig/strategy.rbs CHANGED
@@ -1,8 +1,8 @@
1
1
  module OmniAuth
2
2
  module Strategies
3
3
  class OpenIDFederation < OmniAuth::Strategies::OAuth2
4
- def client: () -> untyped
5
- def oidc_client: () -> untyped
4
+ def client: () -> OmniauthOpenidFederation::OidcClient
5
+ def oidc_client: () -> OmniauthOpenidFederation::OidcClient
6
6
  def request_phase: () -> untyped
7
7
  def callback_phase: () -> untyped
8
8
  def auth_hash: () -> OmniAuth::AuthHash
@@ -10,7 +10,7 @@ module OmniAuth
10
10
  def raw_info: () -> Hash[String, untyped]
11
11
  def client_jwk_signing_key: () -> untyped
12
12
  def options: () -> untyped
13
- def exchange_authorization_code: (String authorization_code) -> untyped
13
+ def exchange_authorization_code: (String authorization_code) -> OmniauthOpenidFederation::AccessToken
14
14
  def new_state: () -> String
15
15
  def new_nonce: () -> String
16
16
  def resolve_endpoints_from_metadata: (Hash[Symbol, untyped] client_options_hash) -> Hash[Symbol, String?]
@@ -21,7 +21,7 @@ module OmniAuth
21
21
  def resolve_jwks_uri: (Hash[Symbol, untyped] normalized_options) -> String?
22
22
  def build_base_url: (Hash[Symbol, untyped] client_options_hash) -> String
23
23
  def build_endpoint: (String base_url, String path) -> String
24
- def decode_id_token: (String id_token) -> Hash[String, untyped]
24
+ def decode_id_token: (String id_token) -> OmniauthOpenidFederation::IdToken
25
25
  def encrypted_token?: (String token) -> bool
26
26
  def decode_userinfo: (untyped userinfo) -> Hash[String, untyped]
27
27
  def load_provider_entity_statement: () -> Hash[Symbol, untyped]?
@@ -45,9 +45,10 @@ module OmniAuth
45
45
  end
46
46
  end
47
47
 
48
- module OpenIDConnect
48
+ module OmniauthOpenidFederation
49
49
  class AccessToken
50
50
  def resource_request: () { () -> untyped } -> untyped
51
+ def userinfo!: () -> untyped
51
52
  def get_strategy_options: () -> Hash[Symbol, untyped]
52
53
  def extract_encryption_key_for_decryption: () -> untyped
53
54
  def fetch_signed_jwks: (Hash[Symbol, untyped] strategy_options) -> Hash[String, untyped]?
@@ -55,4 +56,3 @@ module OpenIDConnect
55
56
  def resolve_jwks_uri_from_entity_statement: (Hash[Symbol, untyped] strategy_options) -> String?
56
57
  end
57
58
  end
58
-
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth_openid_federation
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.2
4
+ version: 2.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andrei Makarov
@@ -24,33 +24,33 @@ dependencies:
24
24
  - !ruby/object:Gem::Version
25
25
  version: '1.8'
26
26
  - !ruby/object:Gem::Dependency
27
- name: openid_connect
27
+ name: oauth2
28
28
  requirement: !ruby/object:Gem::Requirement
29
29
  requirements:
30
30
  - - "~>"
31
31
  - !ruby/object:Gem::Version
32
- version: '2.3'
32
+ version: '2.0'
33
33
  type: :runtime
34
34
  prerelease: false
35
35
  version_requirements: !ruby/object:Gem::Requirement
36
36
  requirements:
37
37
  - - "~>"
38
38
  - !ruby/object:Gem::Version
39
- version: '2.3'
39
+ version: '2.0'
40
40
  - !ruby/object:Gem::Dependency
41
41
  name: jwt
42
42
  requirement: !ruby/object:Gem::Requirement
43
43
  requirements:
44
44
  - - "~>"
45
45
  - !ruby/object:Gem::Version
46
- version: '3.1'
46
+ version: '3.2'
47
47
  type: :runtime
48
48
  prerelease: false
49
49
  version_requirements: !ruby/object:Gem::Requirement
50
50
  requirements:
51
51
  - - "~>"
52
52
  - !ruby/object:Gem::Version
53
- version: '3.1'
53
+ version: '3.2'
54
54
  - !ruby/object:Gem::Dependency
55
55
  name: jwe
56
56
  requirement: !ruby/object:Gem::Requirement
@@ -71,34 +71,14 @@ dependencies:
71
71
  requirements:
72
72
  - - "~>"
73
73
  - !ruby/object:Gem::Version
74
- version: '5.3'
74
+ version: '6.0'
75
75
  type: :runtime
76
76
  prerelease: false
77
77
  version_requirements: !ruby/object:Gem::Requirement
78
78
  requirements:
79
79
  - - "~>"
80
80
  - !ruby/object:Gem::Version
81
- version: '5.3'
82
- - !ruby/object:Gem::Dependency
83
- name: rack
84
- requirement: !ruby/object:Gem::Requirement
85
- requirements:
86
- - - ">="
87
- - !ruby/object:Gem::Version
88
- version: '2.0'
89
- - - "<"
90
- - !ruby/object:Gem::Version
91
- version: '4'
92
- type: :runtime
93
- prerelease: false
94
- version_requirements: !ruby/object:Gem::Requirement
95
- requirements:
96
- - - ">="
97
- - !ruby/object:Gem::Version
98
- version: '2.0'
99
- - - "<"
100
- - !ruby/object:Gem::Version
101
- version: '4'
81
+ version: '6.0'
102
82
  - !ruby/object:Gem::Dependency
103
83
  name: rspec
104
84
  requirement: !ruby/object:Gem::Requirement
@@ -114,75 +94,53 @@ dependencies:
114
94
  - !ruby/object:Gem::Version
115
95
  version: '3.13'
116
96
  - !ruby/object:Gem::Dependency
117
- name: webmock
97
+ name: polyrun
118
98
  requirement: !ruby/object:Gem::Requirement
119
99
  requirements:
120
- - - "~>"
100
+ - - ">="
121
101
  - !ruby/object:Gem::Version
122
- version: '3.26'
102
+ version: 2.1.2
123
103
  type: :development
124
104
  prerelease: false
125
105
  version_requirements: !ruby/object:Gem::Requirement
126
106
  requirements:
127
- - - "~>"
107
+ - - ">="
128
108
  - !ruby/object:Gem::Version
129
- version: '3.26'
109
+ version: 2.1.2
130
110
  - !ruby/object:Gem::Dependency
131
- name: rake
111
+ name: webmock
132
112
  requirement: !ruby/object:Gem::Requirement
133
113
  requirements:
134
114
  - - "~>"
135
115
  - !ruby/object:Gem::Version
136
- version: '13.3'
137
- type: :development
138
- prerelease: false
139
- version_requirements: !ruby/object:Gem::Requirement
140
- requirements:
141
- - - "~>"
142
- - !ruby/object:Gem::Version
143
- version: '13.3'
144
- - !ruby/object:Gem::Dependency
145
- name: simplecov
146
- requirement: !ruby/object:Gem::Requirement
147
- requirements:
148
- - - "~>"
116
+ version: '3.26'
117
+ - - ">="
149
118
  - !ruby/object:Gem::Version
150
- version: '0.22'
119
+ version: 3.26.2
151
120
  type: :development
152
121
  prerelease: false
153
122
  version_requirements: !ruby/object:Gem::Requirement
154
123
  requirements:
155
124
  - - "~>"
156
125
  - !ruby/object:Gem::Version
157
- version: '0.22'
158
- - !ruby/object:Gem::Dependency
159
- name: rspec_junit_formatter
160
- requirement: !ruby/object:Gem::Requirement
161
- requirements:
162
- - - "~>"
163
- - !ruby/object:Gem::Version
164
- version: '0.6'
165
- type: :development
166
- prerelease: false
167
- version_requirements: !ruby/object:Gem::Requirement
168
- requirements:
169
- - - "~>"
126
+ version: '3.26'
127
+ - - ">="
170
128
  - !ruby/object:Gem::Version
171
- version: '0.6'
129
+ version: 3.26.2
172
130
  - !ruby/object:Gem::Dependency
173
- name: simplecov-cobertura
131
+ name: rake
174
132
  requirement: !ruby/object:Gem::Requirement
175
133
  requirements:
176
134
  - - "~>"
177
135
  - !ruby/object:Gem::Version
178
- version: '3.1'
136
+ version: '13.3'
179
137
  type: :development
180
138
  prerelease: false
181
139
  version_requirements: !ruby/object:Gem::Requirement
182
140
  requirements:
183
141
  - - "~>"
184
142
  - !ruby/object:Gem::Version
185
- version: '3.1'
143
+ version: '13.3'
186
144
  - !ruby/object:Gem::Dependency
187
145
  name: standard
188
146
  requirement: !ruby/object:Gem::Requirement
@@ -323,6 +281,20 @@ dependencies:
323
281
  - - "~>"
324
282
  - !ruby/object:Gem::Version
325
283
  version: '1.1'
284
+ - !ruby/object:Gem::Dependency
285
+ name: mutex_m
286
+ requirement: !ruby/object:Gem::Requirement
287
+ requirements:
288
+ - - ">="
289
+ - !ruby/object:Gem::Version
290
+ version: '0'
291
+ type: :development
292
+ prerelease: false
293
+ version_requirements: !ruby/object:Gem::Requirement
294
+ requirements:
295
+ - - ">="
296
+ - !ruby/object:Gem::Version
297
+ version: '0'
326
298
  - !ruby/object:Gem::Dependency
327
299
  name: rbs
328
300
  requirement: !ruby/object:Gem::Requirement
@@ -351,10 +323,122 @@ dependencies:
351
323
  - - "~>"
352
324
  - !ruby/object:Gem::Version
353
325
  version: '1.9'
354
- description: Custom OmniAuth strategy for OpenID Federation providers using openid_connect
355
- gem, supporting signed request objects (RFC 9101), ID token encryption/decryption,
356
- client assertion (private_key_jwt), and OpenID Federation entity statements. Framework-agnostic
357
- and works with Rails, Sinatra, Rack, and other Rack-compatible frameworks.
326
+ - !ruby/object:Gem::Dependency
327
+ name: rodauth
328
+ requirement: !ruby/object:Gem::Requirement
329
+ requirements:
330
+ - - "~>"
331
+ - !ruby/object:Gem::Version
332
+ version: '2.0'
333
+ type: :development
334
+ prerelease: false
335
+ version_requirements: !ruby/object:Gem::Requirement
336
+ requirements:
337
+ - - "~>"
338
+ - !ruby/object:Gem::Version
339
+ version: '2.0'
340
+ - !ruby/object:Gem::Dependency
341
+ name: rodauth-omniauth
342
+ requirement: !ruby/object:Gem::Requirement
343
+ requirements:
344
+ - - "~>"
345
+ - !ruby/object:Gem::Version
346
+ version: '0.6'
347
+ type: :development
348
+ prerelease: false
349
+ version_requirements: !ruby/object:Gem::Requirement
350
+ requirements:
351
+ - - "~>"
352
+ - !ruby/object:Gem::Version
353
+ version: '0.6'
354
+ - !ruby/object:Gem::Dependency
355
+ name: sequel
356
+ requirement: !ruby/object:Gem::Requirement
357
+ requirements:
358
+ - - "~>"
359
+ - !ruby/object:Gem::Version
360
+ version: '5.0'
361
+ type: :development
362
+ prerelease: false
363
+ version_requirements: !ruby/object:Gem::Requirement
364
+ requirements:
365
+ - - "~>"
366
+ - !ruby/object:Gem::Version
367
+ version: '5.0'
368
+ - !ruby/object:Gem::Dependency
369
+ name: sqlite3
370
+ requirement: !ruby/object:Gem::Requirement
371
+ requirements:
372
+ - - "~>"
373
+ - !ruby/object:Gem::Version
374
+ version: '2.0'
375
+ type: :development
376
+ prerelease: false
377
+ version_requirements: !ruby/object:Gem::Requirement
378
+ requirements:
379
+ - - "~>"
380
+ - !ruby/object:Gem::Version
381
+ version: '2.0'
382
+ - !ruby/object:Gem::Dependency
383
+ name: rack-test
384
+ requirement: !ruby/object:Gem::Requirement
385
+ requirements:
386
+ - - "~>"
387
+ - !ruby/object:Gem::Version
388
+ version: '2.0'
389
+ type: :development
390
+ prerelease: false
391
+ version_requirements: !ruby/object:Gem::Requirement
392
+ requirements:
393
+ - - "~>"
394
+ - !ruby/object:Gem::Version
395
+ version: '2.0'
396
+ - !ruby/object:Gem::Dependency
397
+ name: tilt
398
+ requirement: !ruby/object:Gem::Requirement
399
+ requirements:
400
+ - - "~>"
401
+ - !ruby/object:Gem::Version
402
+ version: '2.0'
403
+ type: :development
404
+ prerelease: false
405
+ version_requirements: !ruby/object:Gem::Requirement
406
+ requirements:
407
+ - - "~>"
408
+ - !ruby/object:Gem::Version
409
+ version: '2.0'
410
+ - !ruby/object:Gem::Dependency
411
+ name: bcrypt
412
+ requirement: !ruby/object:Gem::Requirement
413
+ requirements:
414
+ - - "~>"
415
+ - !ruby/object:Gem::Version
416
+ version: '3.1'
417
+ type: :development
418
+ prerelease: false
419
+ version_requirements: !ruby/object:Gem::Requirement
420
+ requirements:
421
+ - - "~>"
422
+ - !ruby/object:Gem::Version
423
+ version: '3.1'
424
+ - !ruby/object:Gem::Dependency
425
+ name: bundler-audit
426
+ requirement: !ruby/object:Gem::Requirement
427
+ requirements:
428
+ - - "~>"
429
+ - !ruby/object:Gem::Version
430
+ version: '0.9'
431
+ type: :development
432
+ prerelease: false
433
+ version_requirements: !ruby/object:Gem::Requirement
434
+ requirements:
435
+ - - "~>"
436
+ - !ruby/object:Gem::Version
437
+ version: '0.9'
438
+ description: Custom OmniAuth strategy for OpenID Federation providers supporting signed
439
+ request objects (RFC 9101), ID token encryption/decryption, client assertion (private_key_jwt),
440
+ and OpenID Federation entity statements. Framework-agnostic and works with Rails,
441
+ Sinatra, Rack, and other Rack-compatible frameworks.
358
442
  email:
359
443
  - contact@kiskolabs.com
360
444
  executables: []
@@ -366,6 +450,8 @@ files:
366
450
  - README.md
367
451
  - SECURITY.md
368
452
  - app/controllers/omniauth_openid_federation/federation_controller.rb
453
+ - config/polyrun_coverage.yml
454
+ - config/polyrun_spec_quality.yml
369
455
  - config/routes.rb
370
456
  - examples/README_INTEGRATION_TESTING.md
371
457
  - examples/README_MOCK_OP.md
@@ -384,6 +470,7 @@ files:
384
470
  - examples/jobs/federation_files_generation_job.rb.example
385
471
  - examples/mock_op_server.rb
386
472
  - examples/mock_rp_server.rb
473
+ - examples/standalone_multiple_endpoints_example.rb
387
474
  - lib/omniauth_openid_federation.rb
388
475
  - lib/omniauth_openid_federation/access_token.rb
389
476
  - lib/omniauth_openid_federation/cache.rb
@@ -405,7 +492,10 @@ files:
405
492
  - lib/omniauth_openid_federation/federation/trust_chain_resolver.rb
406
493
  - lib/omniauth_openid_federation/federation_endpoint.rb
407
494
  - lib/omniauth_openid_federation/http_client.rb
495
+ - lib/omniauth_openid_federation/http_errors.rb
496
+ - lib/omniauth_openid_federation/id_token.rb
408
497
  - lib/omniauth_openid_federation/instrumentation.rb
498
+ - lib/omniauth_openid_federation/jwe.rb
409
499
  - lib/omniauth_openid_federation/jwks/cache.rb
410
500
  - lib/omniauth_openid_federation/jwks/decode.rb
411
501
  - lib/omniauth_openid_federation/jwks/fetch.rb
@@ -413,15 +503,35 @@ files:
413
503
  - lib/omniauth_openid_federation/jwks/rotate.rb
414
504
  - lib/omniauth_openid_federation/jwks/selector.rb
415
505
  - lib/omniauth_openid_federation/jws.rb
506
+ - lib/omniauth_openid_federation/jwt_response_decoder.rb
416
507
  - lib/omniauth_openid_federation/key_extractor.rb
417
508
  - lib/omniauth_openid_federation/logger.rb
509
+ - lib/omniauth_openid_federation/oidc_client.rb
510
+ - lib/omniauth_openid_federation/rack.rb
418
511
  - lib/omniauth_openid_federation/rack_endpoint.rb
419
512
  - lib/omniauth_openid_federation/railtie.rb
420
513
  - lib/omniauth_openid_federation/rate_limiter.rb
514
+ - lib/omniauth_openid_federation/secure_compare.rb
421
515
  - lib/omniauth_openid_federation/strategy.rb
516
+ - lib/omniauth_openid_federation/strategy/authorization_request.rb
517
+ - lib/omniauth_openid_federation/strategy/callback_handling.rb
518
+ - lib/omniauth_openid_federation/strategy/client_construction.rb
519
+ - lib/omniauth_openid_federation/strategy/client_entity_statement.rb
520
+ - lib/omniauth_openid_federation/strategy/endpoint_resolution.rb
521
+ - lib/omniauth_openid_federation/strategy/failure_handling.rb
522
+ - lib/omniauth_openid_federation/strategy/id_token_decoding.rb
523
+ - lib/omniauth_openid_federation/strategy/jwks_resolution.rb
524
+ - lib/omniauth_openid_federation/strategy/provider_entity_statement.rb
525
+ - lib/omniauth_openid_federation/strategy/userinfo_decoding.rb
422
526
  - lib/omniauth_openid_federation/string_helpers.rb
527
+ - lib/omniauth_openid_federation/tasks/authentication_flow_tester.rb
528
+ - lib/omniauth_openid_federation/tasks/callback_processor.rb
529
+ - lib/omniauth_openid_federation/tasks/client_keys_preparer.rb
530
+ - lib/omniauth_openid_federation/tasks/local_endpoint_tester.rb
531
+ - lib/omniauth_openid_federation/tasks/path_resolver.rb
423
532
  - lib/omniauth_openid_federation/tasks_helper.rb
424
533
  - lib/omniauth_openid_federation/time_helpers.rb
534
+ - lib/omniauth_openid_federation/user_info.rb
425
535
  - lib/omniauth_openid_federation/utils.rb
426
536
  - lib/omniauth_openid_federation/validators.rb
427
537
  - lib/omniauth_openid_federation/version.rb
@@ -446,14 +556,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
446
556
  requirements:
447
557
  - - ">="
448
558
  - !ruby/object:Gem::Version
449
- version: '3.0'
559
+ version: '3.2'
450
560
  required_rubygems_version: !ruby/object:Gem::Requirement
451
561
  requirements:
452
562
  - - ">="
453
563
  - !ruby/object:Gem::Version
454
564
  version: 3.3.0
455
565
  requirements: []
456
- rubygems_version: 3.6.9
566
+ rubygems_version: 4.0.3
457
567
  specification_version: 4
458
568
  summary: OmniAuth strategy for OpenID Federation providers with signed request objects
459
569
  and ID token encryption.