omniauth_openid_federation 1.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/CHANGELOG.md +44 -0
- data/LICENSE.md +22 -0
- data/README.md +922 -0
- data/SECURITY.md +28 -0
- data/app/controllers/omniauth_openid_federation/federation_controller.rb +160 -0
- data/config/routes.rb +17 -0
- data/examples/README_INTEGRATION_TESTING.md +399 -0
- data/examples/README_MOCK_OP.md +243 -0
- data/examples/app/controllers/users/omniauth_callbacks_controller.rb.example +37 -0
- data/examples/app/jobs/jwks_rotation_job.rb.example +60 -0
- data/examples/app/models/user.rb.example +39 -0
- data/examples/config/initializers/devise.rb.example +131 -0
- data/examples/config/initializers/federation_endpoint.rb.example +206 -0
- data/examples/config/mock_op.yml.example +83 -0
- data/examples/config/open_id_connect_config.rb.example +210 -0
- data/examples/config/routes.rb.example +12 -0
- data/examples/db/migrate/add_omniauth_to_users.rb.example +16 -0
- data/examples/integration_test_flow.rb +1334 -0
- data/examples/jobs/README.md +194 -0
- data/examples/jobs/federation_cache_refresh_job.rb.example +78 -0
- data/examples/jobs/federation_files_generation_job.rb.example +87 -0
- data/examples/mock_op_server.rb +775 -0
- data/examples/mock_rp_server.rb +435 -0
- data/lib/omniauth_openid_federation/access_token.rb +504 -0
- data/lib/omniauth_openid_federation/cache.rb +39 -0
- data/lib/omniauth_openid_federation/cache_adapter.rb +173 -0
- data/lib/omniauth_openid_federation/configuration.rb +135 -0
- data/lib/omniauth_openid_federation/constants.rb +13 -0
- data/lib/omniauth_openid_federation/endpoint_resolver.rb +168 -0
- data/lib/omniauth_openid_federation/engine.rb +17 -0
- data/lib/omniauth_openid_federation/entity_statement_reader.rb +129 -0
- data/lib/omniauth_openid_federation/errors.rb +52 -0
- data/lib/omniauth_openid_federation/federation/entity_statement.rb +331 -0
- data/lib/omniauth_openid_federation/federation/entity_statement_builder.rb +188 -0
- data/lib/omniauth_openid_federation/federation/entity_statement_fetcher.rb +142 -0
- data/lib/omniauth_openid_federation/federation/entity_statement_helper.rb +87 -0
- data/lib/omniauth_openid_federation/federation/entity_statement_parser.rb +198 -0
- data/lib/omniauth_openid_federation/federation/entity_statement_validator.rb +502 -0
- data/lib/omniauth_openid_federation/federation/metadata_policy_merger.rb +276 -0
- data/lib/omniauth_openid_federation/federation/signed_jwks.rb +210 -0
- data/lib/omniauth_openid_federation/federation/trust_chain_resolver.rb +225 -0
- data/lib/omniauth_openid_federation/federation_endpoint.rb +949 -0
- data/lib/omniauth_openid_federation/http_client.rb +70 -0
- data/lib/omniauth_openid_federation/instrumentation.rb +399 -0
- data/lib/omniauth_openid_federation/jwks/cache.rb +76 -0
- data/lib/omniauth_openid_federation/jwks/decode.rb +175 -0
- data/lib/omniauth_openid_federation/jwks/fetch.rb +153 -0
- data/lib/omniauth_openid_federation/jwks/normalizer.rb +49 -0
- data/lib/omniauth_openid_federation/jwks/rotate.rb +97 -0
- data/lib/omniauth_openid_federation/jwks/selector.rb +101 -0
- data/lib/omniauth_openid_federation/jws.rb +410 -0
- data/lib/omniauth_openid_federation/key_extractor.rb +173 -0
- data/lib/omniauth_openid_federation/logger.rb +99 -0
- data/lib/omniauth_openid_federation/rack_endpoint.rb +187 -0
- data/lib/omniauth_openid_federation/railtie.rb +15 -0
- data/lib/omniauth_openid_federation/rate_limiter.rb +55 -0
- data/lib/omniauth_openid_federation/strategy.rb +2114 -0
- data/lib/omniauth_openid_federation/string_helpers.rb +30 -0
- data/lib/omniauth_openid_federation/tasks_helper.rb +428 -0
- data/lib/omniauth_openid_federation/utils.rb +168 -0
- data/lib/omniauth_openid_federation/validators.rb +126 -0
- data/lib/omniauth_openid_federation/version.rb +3 -0
- data/lib/omniauth_openid_federation.rb +99 -0
- data/lib/tasks/omniauth_openid_federation.rake +376 -0
- data/sig/federation.rbs +218 -0
- data/sig/jwks.rbs +63 -0
- data/sig/omniauth_openid_federation.rbs +254 -0
- data/sig/strategy.rbs +60 -0
- metadata +361 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 9e8f49a0fa8dcdb16ab2eedc416b58ab370af6588d002ae78a2a1aa1a0a6ade1
|
|
4
|
+
data.tar.gz: ce433267ab3093c00c267a8d57de12766f931ccc0eb3a2713bbe13413465af30
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 25d0cb7725bfbbde1b836813ae64c0321231ba5c205c5972f5f162a37a1f81edf18f138158895e12131e2d02b10425d17dc1d823e89a2a3c652d1e0a76d30e18
|
|
7
|
+
data.tar.gz: 250ad8244fe94cb65ed702debf8dd1e121bfbfc8d386be4b4b901ef8ea372ab762ac02ea88e89f1967f4c5516083a26161abb8264c8475ba1a772926379c5587
|
data/CHANGELOG.md
ADDED
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# CHANGELOG
|
|
2
|
+
|
|
3
|
+
## 1.2.2 (2025-11-27)
|
|
4
|
+
|
|
5
|
+
- Fix gemfile to include app and config directories
|
|
6
|
+
|
|
7
|
+
## 1.2.1 (2025-11-27)
|
|
8
|
+
|
|
9
|
+
- Clean up Railtie loading patches to fully rely on Zeitwerk and autoloading
|
|
10
|
+
|
|
11
|
+
## 1.2.0 (2025-11-27)
|
|
12
|
+
|
|
13
|
+
- Created `OmniauthOpenidFederation::Engine` class inheriting from `Rails::Engine`
|
|
14
|
+
- Engine provides controllers via standard Rails autoloading mechanisms
|
|
15
|
+
- Routes are now defined in Engine's `config/routes.rb` file
|
|
16
|
+
- Routes must now be mounted using `mount OmniauthOpenidFederation::Engine => "/"` in `config/routes.rb`
|
|
17
|
+
- `FederationEndpoint.mount_routes` is still available for backward compatibility
|
|
18
|
+
|
|
19
|
+
## 1.1.0 (2025-11-26)
|
|
20
|
+
|
|
21
|
+
- Enhanced instrumentation: All blocking exceptions automatically reported through instrumentation system, including OmniAuth middleware errors (like AuthenticityTokenProtection)
|
|
22
|
+
- CSRF protection instrumentation: New authenticity_error event type for reporting OmniAuth CSRF protection failures
|
|
23
|
+
- Comprehensive error reporting: Override fail! method in strategy to catch and instrument all authentication failures
|
|
24
|
+
- CSRF protection documentation: Added comprehensive Step 7 in README explaining CSRF protection configuration for both request and callback phases
|
|
25
|
+
- CSRF configuration examples: Added complete examples in examples/config/initializers/devise.rb.example and examples/app/controllers/users/omniauth_callbacks_controller.rb.example
|
|
26
|
+
- Deprecation warnings: Added runtime deprecation warnings for json_jwt method and ftn_spname option to guide users to recommended alternatives
|
|
27
|
+
- Code cleanup: Removed deprecated load_signing_key method (unused, returned nil)
|
|
28
|
+
- Updated deprecation notices: Fixed deprecation notices to reference correct replacement methods (request_object_params instead of non-existent provider_extension_params)
|
|
29
|
+
- Renamed option: `allow_authorize_params` → `request_object_params` for clarity (uses RFC 9101 terminology, clearly indicates params go into JWT request object)
|
|
30
|
+
|
|
31
|
+
## 1.0.0 (2025-11-26)
|
|
32
|
+
|
|
33
|
+
- Initial public release, production-ready
|
|
34
|
+
- Full OpenID Federation 1.0 support with automatic entity statement validation and trust chain resolution
|
|
35
|
+
- Secure authentication with automatic signing of authorization requests
|
|
36
|
+
- ID token encryption and decryption support for enhanced security
|
|
37
|
+
- Secure client authentication without shared secrets
|
|
38
|
+
- Automatic provider key rotation handling for seamless key updates
|
|
39
|
+
- Built-in security features: rate limiting, path traversal protection, and error sanitization
|
|
40
|
+
- Production-ready with thread-safe configuration and intelligent retry logic
|
|
41
|
+
- Works with any OpenID Federation provider, supporting provider-specific extensions
|
|
42
|
+
- Framework-agnostic: compatible with Rails, Sinatra, Rack, and other Rack-compatible frameworks
|
|
43
|
+
- Comprehensive management tools for entity statements and key management
|
|
44
|
+
- Enhanced developer experience with type signatures for better IDE support
|
data/LICENSE.md
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2025 Andrei Makarov
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
22
|
+
|