openid_connect 0.1.2 → 0.1.3

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    openid_connect (0.1.1)
+    openid_connect (0.1.2)
       activemodel (>= 3)
       attr_required (>= 0.0.5)
       json (>= 1.4.3)
@@ -38,7 +38,6 @@ GEM
     jruby-openssl (0.7.6.1)
       bouncy-castle-java (>= 1.5.0146.1)
     json (1.6.5)
-    json (1.6.5-java)
     json-jwt (0.0.7)
       activesupport (>= 2.3)
       i18n

data/VERSION

@@ -1 +1 @@
-0.1.2
+0.1.3

data/lib/openid_connect/response_object/id_token.rb

@@ -18,9 +18,12 @@ module OpenIDConnect
         @exp = @exp.to_i
       end
 
-      def verify!(client_id)
-        exp.to_i >= Time.now.to_i && aud == client_id or
-        raise InvalidToken.new('Invalid audience or expired')
+      def verify!(expected = {})
+        exp.to_i >= Time.now.to_i &&
+        iss == expected[:issuer] &&
+        aud == expected[:client_id] &&
+        nonce == expected[:nonce] or
+        raise InvalidToken.new('Invalid ID Token')
       end
 
       def to_jwt(key, algorithm = :RS256)
@@ -33,7 +36,7 @@ module OpenIDConnect
 
       class << self
         def decode(jwt_string, key_or_client)
-          attributes = case key_or_client
+          case key_or_client
           when Client
             OpenIDConnect::AccessToken.new(
               :client => key_or_client,

data/lib/openid_connect.rb

@@ -8,6 +8,7 @@ require 'validate_email'
 require 'attr_required'
 require 'attr_optional'
 require 'rack/oauth2'
+require 'rack/oauth2/server/authorize/request_with_connect_params'
 require 'rack/oauth2/server/id_token_response'
 
 module OpenIDConnect

data/lib/rack/oauth2/server/authorize/request_with_connect_params.rb

@@ -0,0 +1,25 @@
+class Rack::OAuth2::Server::Authorize
+  module RequestWithConnectParams
+    # NOTE: nonce is REQUIRED, but define optional attributes not to break rack-oauth2 for now
+    CONNECT_EXT_PARAMS = [:nonce, :display, :prompt, :request, :request_uri]
+
+    def self.included(klass)
+      klass.send :attr_optional, *CONNECT_EXT_PARAMS
+      klass.class_eval do
+        def initialize_with_connect_params(env)
+          initialize_without_connect_params env
+          CONNECT_EXT_PARAMS.each do |attribute|
+            self.send :"#{attribute}=", params[attribute.to_s]
+          end
+          invalid_request!('Nonce Required') if openid_connect_request? && nonce.blank?
+        end
+        alias_method_chain :initialize, :connect_params
+
+        def openid_connect_request?
+          scope.include?('openid')
+        end
+      end
+    end
+  end
+  Request.send :include, RequestWithConnectParams
+end

data/spec/openid_connect/response_object/id_token_spec.rb

@@ -22,20 +22,95 @@ describe OpenIDConnect::ResponseObject::IdToken do
   end
 
   describe '#verify!' do
-    context 'when valid client_id is given' do
-      it { id_token.verify!('client_id').should be_true }
+    context 'when both issuer, client_id and nonce are valid' do
+      it do
+        id_token.verify!(
+          :issuer => attributes[:iss],
+          :client_id => attributes[:aud],
+          :nonce => attributes[:nonce]
+        ).should be_true
+      end
 
       context 'when expired' do
         let(:ext) { 10.minutes.ago }
         it do
-          expect { id_token.verify! 'client_id' }.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+          expect do
+            id_token.verify!(
+              :issuer => attributes[:iss],
+              :client_id => attributes[:aud],
+              :nonce => attributes[:nonce]
+            )
+          end.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
         end
       end
     end
 
-    context 'otherwise' do
+    context 'when issuer is invalid' do
+      it do
+        expect do
+          id_token.verify!(
+            :issuer => 'invalid_issuer',
+            :client_id => attributes[:aud],
+            :nonce => attributes[:nonce]
+          )
+        end.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+      end
+    end
+
+    context 'when issuer is missing' do
+      it do
+        expect do
+          id_token.verify!(
+            :client_id => attributes[:aud],
+            :nonce => attributes[:nonce]
+          )
+        end.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+      end
+    end
+
+    context 'when client_id is invalid' do
+      it do
+        expect do
+          id_token.verify!(
+            :issuer => attributes[:iss],
+            :client_id => 'invalid_client',
+            :nonce => attributes[:nonce]
+          )
+        end.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+      end
+    end
+
+    context 'when client_id is missing' do
+      it do
+        expect do
+          id_token.verify!(
+            :issuer => attributes[:iss],
+            :nonce => attributes[:nonce]
+          )
+        end.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+      end
+    end
+
+    context 'when nonce is invalid' do
+      it do
+        expect do
+          id_token.verify!(
+            :issuer => attributes[:iss],
+            :client_id => attributes[:aud],
+            :nonce => 'invalid_nonce'
+          )
+        end.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+      end
+    end
+
+    context 'when nonce is missing' do
       it do
-        expect { id_token.verify! 'invalid_client' }.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+        expect do
+          id_token.verify!(
+            :issuer => attributes[:iss],
+            :client_id => attributes[:aud]
+          )
+        end.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openid_connect
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-02-16 00:00:00.000000000Z
+date: 2012-02-17 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
-  requirement: &70274059071100 !ruby/object:Gem::Requirement
+  requirement: &70146497161760 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 1.4.3
   type: :runtime
   prerelease: false
-  version_requirements: *70274059071100
+  version_requirements: *70146497161760
 - !ruby/object:Gem::Dependency
   name: tzinfo
-  requirement: &70274059070360 !ruby/object:Gem::Requirement
+  requirement: &70146497161120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70274059070360
+  version_requirements: *70146497161120
 - !ruby/object:Gem::Dependency
   name: attr_required
-  requirement: &70274059069640 !ruby/object:Gem::Requirement
+  requirement: &70146497159480 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: 0.0.5
   type: :runtime
   prerelease: false
-  version_requirements: *70274059069640
+  version_requirements: *70146497159480
 - !ruby/object:Gem::Dependency
   name: activemodel
-  requirement: &70274059068540 !ruby/object:Gem::Requirement
+  requirement: &70146497158360 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
         version: '3'
   type: :runtime
   prerelease: false
-  version_requirements: *70274059068540
+  version_requirements: *70146497158360
 - !ruby/object:Gem::Dependency
   name: validate_url
-  requirement: &70274059066340 !ruby/object:Gem::Requirement
+  requirement: &70146497148360 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70274059066340
+  version_requirements: *70146497148360
 - !ruby/object:Gem::Dependency
   name: validate_email
-  requirement: &70274059055940 !ruby/object:Gem::Requirement
+  requirement: &70146497147620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70274059055940
+  version_requirements: *70146497147620
 - !ruby/object:Gem::Dependency
   name: json-jwt
-  requirement: &70274059054840 !ruby/object:Gem::Requirement
+  requirement: &70146497146960 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,10 +87,10 @@ dependencies:
         version: 0.0.3
   type: :runtime
   prerelease: false
-  version_requirements: *70274059054840
+  version_requirements: *70146497146960
 - !ruby/object:Gem::Dependency
   name: swd
-  requirement: &70274059053220 !ruby/object:Gem::Requirement
+  requirement: &70146497146440 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -98,10 +98,10 @@ dependencies:
         version: 0.1.2
   type: :runtime
   prerelease: false
-  version_requirements: *70274059053220
+  version_requirements: *70146497146440
 - !ruby/object:Gem::Dependency
   name: rack-oauth2
-  requirement: &70274059051760 !ruby/object:Gem::Requirement
+  requirement: &70146497145960 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -109,10 +109,10 @@ dependencies:
         version: 0.14.2
   type: :runtime
   prerelease: false
-  version_requirements: *70274059051760
+  version_requirements: *70146497145960
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &70274059050680 !ruby/object:Gem::Requirement
+  requirement: &70146497145480 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -120,10 +120,10 @@ dependencies:
         version: '0.8'
   type: :development
   prerelease: false
-  version_requirements: *70274059050680
+  version_requirements: *70146497145480
 - !ruby/object:Gem::Dependency
   name: cover_me
-  requirement: &70274059050080 !ruby/object:Gem::Requirement
+  requirement: &70146497144840 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -131,10 +131,10 @@ dependencies:
         version: 1.2.0
   type: :development
   prerelease: false
-  version_requirements: *70274059050080
+  version_requirements: *70146497144840
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70274059049320 !ruby/object:Gem::Requirement
+  requirement: &70146497144140 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -142,10 +142,10 @@ dependencies:
         version: '2'
   type: :development
   prerelease: false
-  version_requirements: *70274059049320
+  version_requirements: *70146497144140
 - !ruby/object:Gem::Dependency
   name: webmock
-  requirement: &70274059048160 !ruby/object:Gem::Requirement
+  requirement: &70146497143120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -153,7 +153,7 @@ dependencies:
         version: 1.6.2
   type: :development
   prerelease: false
-  version_requirements: *70274059048160
+  version_requirements: *70146497143120
 description: OpenID Connect Server & Client Library
 email:
 - nov@matake.jp
@@ -194,6 +194,7 @@ files:
 - lib/rack/oauth2/server/authorize/extension/code_and_id_token.rb
 - lib/rack/oauth2/server/authorize/extension/id_token.rb
 - lib/rack/oauth2/server/authorize/extension/id_token_and_token.rb
+- lib/rack/oauth2/server/authorize/request_with_connect_params.rb
 - lib/rack/oauth2/server/id_token_response.rb
 - openid_connect.gemspec
 - spec/helpers/webmock_helper.rb