omniauth_openid_federation 1.3.2 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +32 -1
- data/README.md +119 -13
- data/app/controllers/omniauth_openid_federation/federation_controller.rb +2 -2
- data/config/polyrun_coverage.yml +15 -0
- data/config/polyrun_spec_quality.yml +29 -0
- data/examples/README_INTEGRATION_TESTING.md +3 -0
- data/examples/integration_test_flow.rb +10 -8
- data/examples/jobs/federation_cache_refresh_job.rb.example +7 -7
- data/examples/jobs/federation_files_generation_job.rb.example +3 -2
- data/examples/mock_op_server.rb +4 -5
- data/examples/mock_rp_server.rb +3 -3
- data/examples/standalone_multiple_endpoints_example.rb +494 -0
- data/lib/omniauth_openid_federation/access_token.rb +91 -450
- data/lib/omniauth_openid_federation/cache.rb +16 -0
- data/lib/omniauth_openid_federation/cache_adapter.rb +6 -3
- data/lib/omniauth_openid_federation/constants.rb +3 -0
- data/lib/omniauth_openid_federation/federation/entity_statement.rb +0 -4
- data/lib/omniauth_openid_federation/federation/entity_statement_validator.rb +2 -4
- data/lib/omniauth_openid_federation/federation/signed_jwks.rb +0 -1
- data/lib/omniauth_openid_federation/federation/trust_chain_resolver.rb +51 -6
- data/lib/omniauth_openid_federation/federation_endpoint.rb +1 -1
- data/lib/omniauth_openid_federation/http_client.rb +145 -32
- data/lib/omniauth_openid_federation/http_errors.rb +14 -0
- data/lib/omniauth_openid_federation/id_token.rb +19 -0
- data/lib/omniauth_openid_federation/jwe.rb +26 -0
- data/lib/omniauth_openid_federation/jwks/decode.rb +0 -13
- data/lib/omniauth_openid_federation/jwks/fetch.rb +16 -39
- data/lib/omniauth_openid_federation/jws.rb +2 -11
- data/lib/omniauth_openid_federation/jwt_response_decoder.rb +290 -0
- data/lib/omniauth_openid_federation/oidc_client.rb +101 -0
- data/lib/omniauth_openid_federation/rack.rb +2 -0
- data/lib/omniauth_openid_federation/rack_endpoint.rb +2 -2
- data/lib/omniauth_openid_federation/rate_limiter.rb +10 -12
- data/lib/omniauth_openid_federation/secure_compare.rb +15 -0
- data/lib/omniauth_openid_federation/strategy/authorization_request.rb +220 -0
- data/lib/omniauth_openid_federation/strategy/callback_handling.rb +135 -0
- data/lib/omniauth_openid_federation/strategy/client_construction.rb +101 -0
- data/lib/omniauth_openid_federation/strategy/client_entity_statement.rb +211 -0
- data/lib/omniauth_openid_federation/strategy/endpoint_resolution.rb +433 -0
- data/lib/omniauth_openid_federation/strategy/failure_handling.rb +75 -0
- data/lib/omniauth_openid_federation/strategy/id_token_decoding.rb +268 -0
- data/lib/omniauth_openid_federation/strategy/jwks_resolution.rb +268 -0
- data/lib/omniauth_openid_federation/strategy/provider_entity_statement.rb +134 -0
- data/lib/omniauth_openid_federation/strategy/userinfo_decoding.rb +61 -0
- data/lib/omniauth_openid_federation/strategy.rb +27 -1910
- data/lib/omniauth_openid_federation/tasks/authentication_flow_tester.rb +237 -0
- data/lib/omniauth_openid_federation/tasks/callback_processor.rb +235 -0
- data/lib/omniauth_openid_federation/tasks/client_keys_preparer.rb +96 -0
- data/lib/omniauth_openid_federation/tasks/local_endpoint_tester.rb +189 -0
- data/lib/omniauth_openid_federation/tasks/path_resolver.rb +20 -0
- data/lib/omniauth_openid_federation/tasks_helper.rb +28 -808
- data/lib/omniauth_openid_federation/time_helpers.rb +7 -0
- data/lib/omniauth_openid_federation/user_info.rb +15 -0
- data/lib/omniauth_openid_federation/utils.rb +10 -2
- data/lib/omniauth_openid_federation/validators.rb +43 -8
- data/lib/omniauth_openid_federation/version.rb +1 -1
- data/lib/omniauth_openid_federation.rb +9 -3
- data/lib/tasks/omniauth_openid_federation.rake +1 -2
- data/sig/omniauth_openid_federation.rbs +2 -1
- data/sig/strategy.rbs +6 -6
- metadata +181 -71
|
@@ -56,5 +56,12 @@ module OmniauthOpenidFederation
|
|
|
56
56
|
false
|
|
57
57
|
end
|
|
58
58
|
end
|
|
59
|
+
|
|
60
|
+
# Seconds to add to {TimeHelpers.now} for JWT request object expiration.
|
|
61
|
+
#
|
|
62
|
+
# @return [Integer]
|
|
63
|
+
def self.request_object_expiration_offset
|
|
64
|
+
Constants::REQUEST_OBJECT_EXPIRATION_SECONDS
|
|
65
|
+
end
|
|
59
66
|
end
|
|
60
67
|
end
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
module OmniauthOpenidFederation
|
|
2
|
+
class UserInfo
|
|
3
|
+
attr_reader :raw_attributes
|
|
4
|
+
|
|
5
|
+
def initialize(raw_attributes)
|
|
6
|
+
@raw_attributes = raw_attributes.each_with_object({}) do |(key, value), claims|
|
|
7
|
+
claims[key.to_sym] = value
|
|
8
|
+
end
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def as_json(_options = {})
|
|
12
|
+
raw_attributes.transform_keys(&:to_s)
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
end
|
|
@@ -7,11 +7,19 @@ module OmniauthOpenidFederation
|
|
|
7
7
|
#
|
|
8
8
|
# @param hash [Hash, Object] The hash to convert
|
|
9
9
|
# @return [Hash, HashWithIndifferentAccess] Converted hash
|
|
10
|
-
def self.to_indifferent_hash(
|
|
10
|
+
def self.to_indifferent_hash(value)
|
|
11
|
+
hash = if value.is_a?(Hash)
|
|
12
|
+
value
|
|
13
|
+
elsif value.respond_to?(:to_h)
|
|
14
|
+
value.to_h
|
|
15
|
+
else
|
|
16
|
+
{}
|
|
17
|
+
end
|
|
18
|
+
|
|
11
19
|
if defined?(ActiveSupport::HashWithIndifferentAccess)
|
|
12
20
|
ActiveSupport::HashWithIndifferentAccess.new(hash)
|
|
13
21
|
else
|
|
14
|
-
hash
|
|
22
|
+
hash
|
|
15
23
|
end
|
|
16
24
|
end
|
|
17
25
|
|
|
@@ -9,19 +9,54 @@ module OmniauthOpenidFederation
|
|
|
9
9
|
#
|
|
10
10
|
# @param private_key [OpenSSL::PKey::RSA, String, nil] The private key to validate
|
|
11
11
|
# @raise [ConfigurationError] If private key is missing or invalid
|
|
12
|
-
def self.validate_private_key!(private_key)
|
|
12
|
+
def self.validate_private_key!(private_key, min_bits: Constants::MIN_RSA_KEY_BITS)
|
|
13
13
|
if private_key.nil?
|
|
14
14
|
raise ConfigurationError, "Private key is required for signed request objects"
|
|
15
15
|
end
|
|
16
16
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
17
|
+
normalized_key =
|
|
18
|
+
if private_key.is_a?(String)
|
|
19
|
+
begin
|
|
20
|
+
OpenSSL::PKey::RSA.new(private_key)
|
|
21
|
+
rescue => error
|
|
22
|
+
raise ConfigurationError, "Invalid private key format: #{error.message}"
|
|
23
|
+
end
|
|
24
|
+
elsif private_key.is_a?(OpenSSL::PKey::RSA)
|
|
25
|
+
private_key
|
|
26
|
+
else
|
|
27
|
+
raise ConfigurationError, "Private key must be an OpenSSL::PKey::RSA instance or PEM string"
|
|
22
28
|
end
|
|
23
|
-
|
|
24
|
-
|
|
29
|
+
|
|
30
|
+
if min_bits.to_i.positive? && normalized_key.n.num_bits < min_bits.to_i
|
|
31
|
+
raise ConfigurationError,
|
|
32
|
+
"RSA private key must be at least #{min_bits} bits (got #{normalized_key.n.num_bits} bits)"
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
true
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def self.validate_required_request_object_claims!(claims, required_names)
|
|
39
|
+
required = Array(required_names).map(&:to_s).uniq
|
|
40
|
+
return true if required.empty?
|
|
41
|
+
|
|
42
|
+
normalized_claims = (claims || {}).each_with_object({}) do |(key, value), hash|
|
|
43
|
+
hash[key.to_s] = value
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
missing = required.reject { |name| StringHelpers.present?(normalized_claims[name]) }
|
|
47
|
+
return true if missing.empty?
|
|
48
|
+
|
|
49
|
+
raise ConfigurationError, "Missing required request object claims: #{missing.join(", ")}"
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def self.validate_allowed_acr_value!(acr_value, allowed_acr_values)
|
|
53
|
+
allowed = Array(allowed_acr_values).map(&:to_s).map(&:strip).reject { |value| StringHelpers.blank?(value) }
|
|
54
|
+
return true if allowed.empty?
|
|
55
|
+
|
|
56
|
+
token_acr = acr_value.to_s.strip
|
|
57
|
+
if StringHelpers.blank?(token_acr) || !allowed.include?(token_acr)
|
|
58
|
+
raise ValidationError,
|
|
59
|
+
"ID token acr mismatch: expected one of [#{allowed.join(", ")}], got '#{acr_value}'"
|
|
25
60
|
end
|
|
26
61
|
|
|
27
62
|
true
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# OmniAuth OpenID Federation
|
|
2
2
|
#
|
|
3
|
-
# Custom OmniAuth strategy for OpenID Federation providers
|
|
4
|
-
#
|
|
3
|
+
# Custom OmniAuth strategy for OpenID Federation providers supporting signed request objects,
|
|
4
|
+
# ID token encryption, and OpenID Federation.
|
|
5
5
|
#
|
|
6
6
|
# @see https://openid.net/specs/openid-federation-1_0.html
|
|
7
7
|
module OmniauthOpenidFederation
|
|
@@ -39,7 +39,13 @@ require_relative "omniauth_openid_federation/constants"
|
|
|
39
39
|
require_relative "omniauth_openid_federation/cache"
|
|
40
40
|
require_relative "omniauth_openid_federation/cache_adapter"
|
|
41
41
|
require_relative "omniauth_openid_federation/utils"
|
|
42
|
+
require_relative "omniauth_openid_federation/jwe"
|
|
42
43
|
require_relative "omniauth_openid_federation/jws"
|
|
44
|
+
require_relative "omniauth_openid_federation/http_errors"
|
|
45
|
+
require_relative "omniauth_openid_federation/id_token"
|
|
46
|
+
require_relative "omniauth_openid_federation/user_info"
|
|
47
|
+
require_relative "omniauth_openid_federation/secure_compare"
|
|
48
|
+
require_relative "omniauth_openid_federation/oidc_client"
|
|
43
49
|
require_relative "omniauth_openid_federation/jwks/normalizer"
|
|
44
50
|
require_relative "omniauth_openid_federation/jwks/fetch"
|
|
45
51
|
require_relative "omniauth_openid_federation/jwks/decode"
|
|
@@ -56,12 +62,12 @@ require_relative "omniauth_openid_federation/federation/trust_chain_resolver"
|
|
|
56
62
|
require_relative "omniauth_openid_federation/federation/metadata_policy_merger"
|
|
57
63
|
require_relative "omniauth_openid_federation/federation/signed_jwks"
|
|
58
64
|
require_relative "omniauth_openid_federation/federation_endpoint"
|
|
59
|
-
require_relative "omniauth_openid_federation/rack_endpoint"
|
|
60
65
|
require_relative "omniauth_openid_federation/entity_statement_reader"
|
|
61
66
|
require_relative "omniauth_openid_federation/tasks_helper"
|
|
62
67
|
require_relative "omniauth_openid_federation/endpoint_resolver"
|
|
63
68
|
require_relative "omniauth_openid_federation/strategy"
|
|
64
69
|
require_relative "omniauth_openid_federation/access_token"
|
|
70
|
+
require_relative "omniauth_openid_federation/jwt_response_decoder"
|
|
65
71
|
|
|
66
72
|
module OmniauthOpenidFederation
|
|
67
73
|
# Rotate JWKS cache for a provider
|
|
@@ -457,8 +457,7 @@ namespace :openid_federation do
|
|
|
457
457
|
begin
|
|
458
458
|
well_known_url = "#{base_url}/.well-known/openid-federation"
|
|
459
459
|
puts "📥 Attempting to fetch entity statement from: #{well_known_url}"
|
|
460
|
-
|
|
461
|
-
response = HTTP.timeout(connect: 5, read: 5).get(well_known_url)
|
|
460
|
+
response = OmniauthOpenidFederation::HttpClient.get(well_known_url, timeout: 5, max_retries: 0)
|
|
462
461
|
if response.status.success?
|
|
463
462
|
entity_statement_path = "/tmp/entity_statement_#{Time.now.to_i}.json"
|
|
464
463
|
File.write(entity_statement_path, response.body.to_s)
|
|
@@ -71,7 +71,8 @@ module OmniauthOpenidFederation
|
|
|
71
71
|
end
|
|
72
72
|
|
|
73
73
|
class HttpClient
|
|
74
|
-
def self.get: (String uri, ?
|
|
74
|
+
def self.get: (String uri, ?Hash[Symbol, untyped] options) -> untyped
|
|
75
|
+
def self.post: (String uri, ?Hash[Symbol, untyped] options) -> untyped
|
|
75
76
|
end
|
|
76
77
|
|
|
77
78
|
class Logger
|
data/sig/strategy.rbs
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
module OmniAuth
|
|
2
2
|
module Strategies
|
|
3
3
|
class OpenIDFederation < OmniAuth::Strategies::OAuth2
|
|
4
|
-
def client: () ->
|
|
5
|
-
def oidc_client: () ->
|
|
4
|
+
def client: () -> OmniauthOpenidFederation::OidcClient
|
|
5
|
+
def oidc_client: () -> OmniauthOpenidFederation::OidcClient
|
|
6
6
|
def request_phase: () -> untyped
|
|
7
7
|
def callback_phase: () -> untyped
|
|
8
8
|
def auth_hash: () -> OmniAuth::AuthHash
|
|
@@ -10,7 +10,7 @@ module OmniAuth
|
|
|
10
10
|
def raw_info: () -> Hash[String, untyped]
|
|
11
11
|
def client_jwk_signing_key: () -> untyped
|
|
12
12
|
def options: () -> untyped
|
|
13
|
-
def exchange_authorization_code: (String authorization_code) ->
|
|
13
|
+
def exchange_authorization_code: (String authorization_code) -> OmniauthOpenidFederation::AccessToken
|
|
14
14
|
def new_state: () -> String
|
|
15
15
|
def new_nonce: () -> String
|
|
16
16
|
def resolve_endpoints_from_metadata: (Hash[Symbol, untyped] client_options_hash) -> Hash[Symbol, String?]
|
|
@@ -21,7 +21,7 @@ module OmniAuth
|
|
|
21
21
|
def resolve_jwks_uri: (Hash[Symbol, untyped] normalized_options) -> String?
|
|
22
22
|
def build_base_url: (Hash[Symbol, untyped] client_options_hash) -> String
|
|
23
23
|
def build_endpoint: (String base_url, String path) -> String
|
|
24
|
-
def decode_id_token: (String id_token) ->
|
|
24
|
+
def decode_id_token: (String id_token) -> OmniauthOpenidFederation::IdToken
|
|
25
25
|
def encrypted_token?: (String token) -> bool
|
|
26
26
|
def decode_userinfo: (untyped userinfo) -> Hash[String, untyped]
|
|
27
27
|
def load_provider_entity_statement: () -> Hash[Symbol, untyped]?
|
|
@@ -45,9 +45,10 @@ module OmniAuth
|
|
|
45
45
|
end
|
|
46
46
|
end
|
|
47
47
|
|
|
48
|
-
module
|
|
48
|
+
module OmniauthOpenidFederation
|
|
49
49
|
class AccessToken
|
|
50
50
|
def resource_request: () { () -> untyped } -> untyped
|
|
51
|
+
def userinfo!: () -> untyped
|
|
51
52
|
def get_strategy_options: () -> Hash[Symbol, untyped]
|
|
52
53
|
def extract_encryption_key_for_decryption: () -> untyped
|
|
53
54
|
def fetch_signed_jwks: (Hash[Symbol, untyped] strategy_options) -> Hash[String, untyped]?
|
|
@@ -55,4 +56,3 @@ module OpenIDConnect
|
|
|
55
56
|
def resolve_jwks_uri_from_entity_statement: (Hash[Symbol, untyped] strategy_options) -> String?
|
|
56
57
|
end
|
|
57
58
|
end
|
|
58
|
-
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth_openid_federation
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andrei Makarov
|
|
@@ -24,33 +24,33 @@ dependencies:
|
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
25
|
version: '1.8'
|
|
26
26
|
- !ruby/object:Gem::Dependency
|
|
27
|
-
name:
|
|
27
|
+
name: oauth2
|
|
28
28
|
requirement: !ruby/object:Gem::Requirement
|
|
29
29
|
requirements:
|
|
30
30
|
- - "~>"
|
|
31
31
|
- !ruby/object:Gem::Version
|
|
32
|
-
version: '2.
|
|
32
|
+
version: '2.0'
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
35
|
version_requirements: !ruby/object:Gem::Requirement
|
|
36
36
|
requirements:
|
|
37
37
|
- - "~>"
|
|
38
38
|
- !ruby/object:Gem::Version
|
|
39
|
-
version: '2.
|
|
39
|
+
version: '2.0'
|
|
40
40
|
- !ruby/object:Gem::Dependency
|
|
41
41
|
name: jwt
|
|
42
42
|
requirement: !ruby/object:Gem::Requirement
|
|
43
43
|
requirements:
|
|
44
44
|
- - "~>"
|
|
45
45
|
- !ruby/object:Gem::Version
|
|
46
|
-
version: '3.
|
|
46
|
+
version: '3.2'
|
|
47
47
|
type: :runtime
|
|
48
48
|
prerelease: false
|
|
49
49
|
version_requirements: !ruby/object:Gem::Requirement
|
|
50
50
|
requirements:
|
|
51
51
|
- - "~>"
|
|
52
52
|
- !ruby/object:Gem::Version
|
|
53
|
-
version: '3.
|
|
53
|
+
version: '3.2'
|
|
54
54
|
- !ruby/object:Gem::Dependency
|
|
55
55
|
name: jwe
|
|
56
56
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -71,34 +71,14 @@ dependencies:
|
|
|
71
71
|
requirements:
|
|
72
72
|
- - "~>"
|
|
73
73
|
- !ruby/object:Gem::Version
|
|
74
|
-
version: '
|
|
74
|
+
version: '6.0'
|
|
75
75
|
type: :runtime
|
|
76
76
|
prerelease: false
|
|
77
77
|
version_requirements: !ruby/object:Gem::Requirement
|
|
78
78
|
requirements:
|
|
79
79
|
- - "~>"
|
|
80
80
|
- !ruby/object:Gem::Version
|
|
81
|
-
version: '
|
|
82
|
-
- !ruby/object:Gem::Dependency
|
|
83
|
-
name: rack
|
|
84
|
-
requirement: !ruby/object:Gem::Requirement
|
|
85
|
-
requirements:
|
|
86
|
-
- - ">="
|
|
87
|
-
- !ruby/object:Gem::Version
|
|
88
|
-
version: '2.0'
|
|
89
|
-
- - "<"
|
|
90
|
-
- !ruby/object:Gem::Version
|
|
91
|
-
version: '4'
|
|
92
|
-
type: :runtime
|
|
93
|
-
prerelease: false
|
|
94
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
95
|
-
requirements:
|
|
96
|
-
- - ">="
|
|
97
|
-
- !ruby/object:Gem::Version
|
|
98
|
-
version: '2.0'
|
|
99
|
-
- - "<"
|
|
100
|
-
- !ruby/object:Gem::Version
|
|
101
|
-
version: '4'
|
|
81
|
+
version: '6.0'
|
|
102
82
|
- !ruby/object:Gem::Dependency
|
|
103
83
|
name: rspec
|
|
104
84
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -114,75 +94,53 @@ dependencies:
|
|
|
114
94
|
- !ruby/object:Gem::Version
|
|
115
95
|
version: '3.13'
|
|
116
96
|
- !ruby/object:Gem::Dependency
|
|
117
|
-
name:
|
|
97
|
+
name: polyrun
|
|
118
98
|
requirement: !ruby/object:Gem::Requirement
|
|
119
99
|
requirements:
|
|
120
|
-
- - "
|
|
100
|
+
- - ">="
|
|
121
101
|
- !ruby/object:Gem::Version
|
|
122
|
-
version:
|
|
102
|
+
version: 2.1.2
|
|
123
103
|
type: :development
|
|
124
104
|
prerelease: false
|
|
125
105
|
version_requirements: !ruby/object:Gem::Requirement
|
|
126
106
|
requirements:
|
|
127
|
-
- - "
|
|
107
|
+
- - ">="
|
|
128
108
|
- !ruby/object:Gem::Version
|
|
129
|
-
version:
|
|
109
|
+
version: 2.1.2
|
|
130
110
|
- !ruby/object:Gem::Dependency
|
|
131
|
-
name:
|
|
111
|
+
name: webmock
|
|
132
112
|
requirement: !ruby/object:Gem::Requirement
|
|
133
113
|
requirements:
|
|
134
114
|
- - "~>"
|
|
135
115
|
- !ruby/object:Gem::Version
|
|
136
|
-
version: '
|
|
137
|
-
|
|
138
|
-
prerelease: false
|
|
139
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
140
|
-
requirements:
|
|
141
|
-
- - "~>"
|
|
142
|
-
- !ruby/object:Gem::Version
|
|
143
|
-
version: '13.3'
|
|
144
|
-
- !ruby/object:Gem::Dependency
|
|
145
|
-
name: simplecov
|
|
146
|
-
requirement: !ruby/object:Gem::Requirement
|
|
147
|
-
requirements:
|
|
148
|
-
- - "~>"
|
|
116
|
+
version: '3.26'
|
|
117
|
+
- - ">="
|
|
149
118
|
- !ruby/object:Gem::Version
|
|
150
|
-
version:
|
|
119
|
+
version: 3.26.2
|
|
151
120
|
type: :development
|
|
152
121
|
prerelease: false
|
|
153
122
|
version_requirements: !ruby/object:Gem::Requirement
|
|
154
123
|
requirements:
|
|
155
124
|
- - "~>"
|
|
156
125
|
- !ruby/object:Gem::Version
|
|
157
|
-
version: '
|
|
158
|
-
-
|
|
159
|
-
name: rspec_junit_formatter
|
|
160
|
-
requirement: !ruby/object:Gem::Requirement
|
|
161
|
-
requirements:
|
|
162
|
-
- - "~>"
|
|
163
|
-
- !ruby/object:Gem::Version
|
|
164
|
-
version: '0.6'
|
|
165
|
-
type: :development
|
|
166
|
-
prerelease: false
|
|
167
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
168
|
-
requirements:
|
|
169
|
-
- - "~>"
|
|
126
|
+
version: '3.26'
|
|
127
|
+
- - ">="
|
|
170
128
|
- !ruby/object:Gem::Version
|
|
171
|
-
version:
|
|
129
|
+
version: 3.26.2
|
|
172
130
|
- !ruby/object:Gem::Dependency
|
|
173
|
-
name:
|
|
131
|
+
name: rake
|
|
174
132
|
requirement: !ruby/object:Gem::Requirement
|
|
175
133
|
requirements:
|
|
176
134
|
- - "~>"
|
|
177
135
|
- !ruby/object:Gem::Version
|
|
178
|
-
version: '3
|
|
136
|
+
version: '13.3'
|
|
179
137
|
type: :development
|
|
180
138
|
prerelease: false
|
|
181
139
|
version_requirements: !ruby/object:Gem::Requirement
|
|
182
140
|
requirements:
|
|
183
141
|
- - "~>"
|
|
184
142
|
- !ruby/object:Gem::Version
|
|
185
|
-
version: '3
|
|
143
|
+
version: '13.3'
|
|
186
144
|
- !ruby/object:Gem::Dependency
|
|
187
145
|
name: standard
|
|
188
146
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -323,6 +281,20 @@ dependencies:
|
|
|
323
281
|
- - "~>"
|
|
324
282
|
- !ruby/object:Gem::Version
|
|
325
283
|
version: '1.1'
|
|
284
|
+
- !ruby/object:Gem::Dependency
|
|
285
|
+
name: mutex_m
|
|
286
|
+
requirement: !ruby/object:Gem::Requirement
|
|
287
|
+
requirements:
|
|
288
|
+
- - ">="
|
|
289
|
+
- !ruby/object:Gem::Version
|
|
290
|
+
version: '0'
|
|
291
|
+
type: :development
|
|
292
|
+
prerelease: false
|
|
293
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
294
|
+
requirements:
|
|
295
|
+
- - ">="
|
|
296
|
+
- !ruby/object:Gem::Version
|
|
297
|
+
version: '0'
|
|
326
298
|
- !ruby/object:Gem::Dependency
|
|
327
299
|
name: rbs
|
|
328
300
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -351,10 +323,122 @@ dependencies:
|
|
|
351
323
|
- - "~>"
|
|
352
324
|
- !ruby/object:Gem::Version
|
|
353
325
|
version: '1.9'
|
|
354
|
-
|
|
355
|
-
|
|
356
|
-
|
|
357
|
-
|
|
326
|
+
- !ruby/object:Gem::Dependency
|
|
327
|
+
name: rodauth
|
|
328
|
+
requirement: !ruby/object:Gem::Requirement
|
|
329
|
+
requirements:
|
|
330
|
+
- - "~>"
|
|
331
|
+
- !ruby/object:Gem::Version
|
|
332
|
+
version: '2.0'
|
|
333
|
+
type: :development
|
|
334
|
+
prerelease: false
|
|
335
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
336
|
+
requirements:
|
|
337
|
+
- - "~>"
|
|
338
|
+
- !ruby/object:Gem::Version
|
|
339
|
+
version: '2.0'
|
|
340
|
+
- !ruby/object:Gem::Dependency
|
|
341
|
+
name: rodauth-omniauth
|
|
342
|
+
requirement: !ruby/object:Gem::Requirement
|
|
343
|
+
requirements:
|
|
344
|
+
- - "~>"
|
|
345
|
+
- !ruby/object:Gem::Version
|
|
346
|
+
version: '0.6'
|
|
347
|
+
type: :development
|
|
348
|
+
prerelease: false
|
|
349
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
350
|
+
requirements:
|
|
351
|
+
- - "~>"
|
|
352
|
+
- !ruby/object:Gem::Version
|
|
353
|
+
version: '0.6'
|
|
354
|
+
- !ruby/object:Gem::Dependency
|
|
355
|
+
name: sequel
|
|
356
|
+
requirement: !ruby/object:Gem::Requirement
|
|
357
|
+
requirements:
|
|
358
|
+
- - "~>"
|
|
359
|
+
- !ruby/object:Gem::Version
|
|
360
|
+
version: '5.0'
|
|
361
|
+
type: :development
|
|
362
|
+
prerelease: false
|
|
363
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
364
|
+
requirements:
|
|
365
|
+
- - "~>"
|
|
366
|
+
- !ruby/object:Gem::Version
|
|
367
|
+
version: '5.0'
|
|
368
|
+
- !ruby/object:Gem::Dependency
|
|
369
|
+
name: sqlite3
|
|
370
|
+
requirement: !ruby/object:Gem::Requirement
|
|
371
|
+
requirements:
|
|
372
|
+
- - "~>"
|
|
373
|
+
- !ruby/object:Gem::Version
|
|
374
|
+
version: '2.0'
|
|
375
|
+
type: :development
|
|
376
|
+
prerelease: false
|
|
377
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
378
|
+
requirements:
|
|
379
|
+
- - "~>"
|
|
380
|
+
- !ruby/object:Gem::Version
|
|
381
|
+
version: '2.0'
|
|
382
|
+
- !ruby/object:Gem::Dependency
|
|
383
|
+
name: rack-test
|
|
384
|
+
requirement: !ruby/object:Gem::Requirement
|
|
385
|
+
requirements:
|
|
386
|
+
- - "~>"
|
|
387
|
+
- !ruby/object:Gem::Version
|
|
388
|
+
version: '2.0'
|
|
389
|
+
type: :development
|
|
390
|
+
prerelease: false
|
|
391
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
392
|
+
requirements:
|
|
393
|
+
- - "~>"
|
|
394
|
+
- !ruby/object:Gem::Version
|
|
395
|
+
version: '2.0'
|
|
396
|
+
- !ruby/object:Gem::Dependency
|
|
397
|
+
name: tilt
|
|
398
|
+
requirement: !ruby/object:Gem::Requirement
|
|
399
|
+
requirements:
|
|
400
|
+
- - "~>"
|
|
401
|
+
- !ruby/object:Gem::Version
|
|
402
|
+
version: '2.0'
|
|
403
|
+
type: :development
|
|
404
|
+
prerelease: false
|
|
405
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
406
|
+
requirements:
|
|
407
|
+
- - "~>"
|
|
408
|
+
- !ruby/object:Gem::Version
|
|
409
|
+
version: '2.0'
|
|
410
|
+
- !ruby/object:Gem::Dependency
|
|
411
|
+
name: bcrypt
|
|
412
|
+
requirement: !ruby/object:Gem::Requirement
|
|
413
|
+
requirements:
|
|
414
|
+
- - "~>"
|
|
415
|
+
- !ruby/object:Gem::Version
|
|
416
|
+
version: '3.1'
|
|
417
|
+
type: :development
|
|
418
|
+
prerelease: false
|
|
419
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
420
|
+
requirements:
|
|
421
|
+
- - "~>"
|
|
422
|
+
- !ruby/object:Gem::Version
|
|
423
|
+
version: '3.1'
|
|
424
|
+
- !ruby/object:Gem::Dependency
|
|
425
|
+
name: bundler-audit
|
|
426
|
+
requirement: !ruby/object:Gem::Requirement
|
|
427
|
+
requirements:
|
|
428
|
+
- - "~>"
|
|
429
|
+
- !ruby/object:Gem::Version
|
|
430
|
+
version: '0.9'
|
|
431
|
+
type: :development
|
|
432
|
+
prerelease: false
|
|
433
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
434
|
+
requirements:
|
|
435
|
+
- - "~>"
|
|
436
|
+
- !ruby/object:Gem::Version
|
|
437
|
+
version: '0.9'
|
|
438
|
+
description: Custom OmniAuth strategy for OpenID Federation providers supporting signed
|
|
439
|
+
request objects (RFC 9101), ID token encryption/decryption, client assertion (private_key_jwt),
|
|
440
|
+
and OpenID Federation entity statements. Framework-agnostic and works with Rails,
|
|
441
|
+
Sinatra, Rack, and other Rack-compatible frameworks.
|
|
358
442
|
email:
|
|
359
443
|
- contact@kiskolabs.com
|
|
360
444
|
executables: []
|
|
@@ -366,6 +450,8 @@ files:
|
|
|
366
450
|
- README.md
|
|
367
451
|
- SECURITY.md
|
|
368
452
|
- app/controllers/omniauth_openid_federation/federation_controller.rb
|
|
453
|
+
- config/polyrun_coverage.yml
|
|
454
|
+
- config/polyrun_spec_quality.yml
|
|
369
455
|
- config/routes.rb
|
|
370
456
|
- examples/README_INTEGRATION_TESTING.md
|
|
371
457
|
- examples/README_MOCK_OP.md
|
|
@@ -384,6 +470,7 @@ files:
|
|
|
384
470
|
- examples/jobs/federation_files_generation_job.rb.example
|
|
385
471
|
- examples/mock_op_server.rb
|
|
386
472
|
- examples/mock_rp_server.rb
|
|
473
|
+
- examples/standalone_multiple_endpoints_example.rb
|
|
387
474
|
- lib/omniauth_openid_federation.rb
|
|
388
475
|
- lib/omniauth_openid_federation/access_token.rb
|
|
389
476
|
- lib/omniauth_openid_federation/cache.rb
|
|
@@ -405,7 +492,10 @@ files:
|
|
|
405
492
|
- lib/omniauth_openid_federation/federation/trust_chain_resolver.rb
|
|
406
493
|
- lib/omniauth_openid_federation/federation_endpoint.rb
|
|
407
494
|
- lib/omniauth_openid_federation/http_client.rb
|
|
495
|
+
- lib/omniauth_openid_federation/http_errors.rb
|
|
496
|
+
- lib/omniauth_openid_federation/id_token.rb
|
|
408
497
|
- lib/omniauth_openid_federation/instrumentation.rb
|
|
498
|
+
- lib/omniauth_openid_federation/jwe.rb
|
|
409
499
|
- lib/omniauth_openid_federation/jwks/cache.rb
|
|
410
500
|
- lib/omniauth_openid_federation/jwks/decode.rb
|
|
411
501
|
- lib/omniauth_openid_federation/jwks/fetch.rb
|
|
@@ -413,15 +503,35 @@ files:
|
|
|
413
503
|
- lib/omniauth_openid_federation/jwks/rotate.rb
|
|
414
504
|
- lib/omniauth_openid_federation/jwks/selector.rb
|
|
415
505
|
- lib/omniauth_openid_federation/jws.rb
|
|
506
|
+
- lib/omniauth_openid_federation/jwt_response_decoder.rb
|
|
416
507
|
- lib/omniauth_openid_federation/key_extractor.rb
|
|
417
508
|
- lib/omniauth_openid_federation/logger.rb
|
|
509
|
+
- lib/omniauth_openid_federation/oidc_client.rb
|
|
510
|
+
- lib/omniauth_openid_federation/rack.rb
|
|
418
511
|
- lib/omniauth_openid_federation/rack_endpoint.rb
|
|
419
512
|
- lib/omniauth_openid_federation/railtie.rb
|
|
420
513
|
- lib/omniauth_openid_federation/rate_limiter.rb
|
|
514
|
+
- lib/omniauth_openid_federation/secure_compare.rb
|
|
421
515
|
- lib/omniauth_openid_federation/strategy.rb
|
|
516
|
+
- lib/omniauth_openid_federation/strategy/authorization_request.rb
|
|
517
|
+
- lib/omniauth_openid_federation/strategy/callback_handling.rb
|
|
518
|
+
- lib/omniauth_openid_federation/strategy/client_construction.rb
|
|
519
|
+
- lib/omniauth_openid_federation/strategy/client_entity_statement.rb
|
|
520
|
+
- lib/omniauth_openid_federation/strategy/endpoint_resolution.rb
|
|
521
|
+
- lib/omniauth_openid_federation/strategy/failure_handling.rb
|
|
522
|
+
- lib/omniauth_openid_federation/strategy/id_token_decoding.rb
|
|
523
|
+
- lib/omniauth_openid_federation/strategy/jwks_resolution.rb
|
|
524
|
+
- lib/omniauth_openid_federation/strategy/provider_entity_statement.rb
|
|
525
|
+
- lib/omniauth_openid_federation/strategy/userinfo_decoding.rb
|
|
422
526
|
- lib/omniauth_openid_federation/string_helpers.rb
|
|
527
|
+
- lib/omniauth_openid_federation/tasks/authentication_flow_tester.rb
|
|
528
|
+
- lib/omniauth_openid_federation/tasks/callback_processor.rb
|
|
529
|
+
- lib/omniauth_openid_federation/tasks/client_keys_preparer.rb
|
|
530
|
+
- lib/omniauth_openid_federation/tasks/local_endpoint_tester.rb
|
|
531
|
+
- lib/omniauth_openid_federation/tasks/path_resolver.rb
|
|
423
532
|
- lib/omniauth_openid_federation/tasks_helper.rb
|
|
424
533
|
- lib/omniauth_openid_federation/time_helpers.rb
|
|
534
|
+
- lib/omniauth_openid_federation/user_info.rb
|
|
425
535
|
- lib/omniauth_openid_federation/utils.rb
|
|
426
536
|
- lib/omniauth_openid_federation/validators.rb
|
|
427
537
|
- lib/omniauth_openid_federation/version.rb
|
|
@@ -446,14 +556,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
446
556
|
requirements:
|
|
447
557
|
- - ">="
|
|
448
558
|
- !ruby/object:Gem::Version
|
|
449
|
-
version: '3.
|
|
559
|
+
version: '3.2'
|
|
450
560
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
451
561
|
requirements:
|
|
452
562
|
- - ">="
|
|
453
563
|
- !ruby/object:Gem::Version
|
|
454
564
|
version: 3.3.0
|
|
455
565
|
requirements: []
|
|
456
|
-
rubygems_version:
|
|
566
|
+
rubygems_version: 4.0.3
|
|
457
567
|
specification_version: 4
|
|
458
568
|
summary: OmniAuth strategy for OpenID Federation providers with signed request objects
|
|
459
569
|
and ID token encryption.
|