openid_connect 0.6.1 → 0.7.0

data/lib/openid_connect/request_object.rb

@@ -3,14 +3,8 @@ module OpenIDConnect
     include JWTnizable
 
     attr_optional :client_id, :response_type, :redirect_uri, :scope, :state, :nonce, :display, :prompt, :userinfo, :id_token
-    alias_method :user_info, :userinfo
     validate :require_at_least_one_attributes
 
-    def initialize(attributes = {})
-      attributes[:userinfo] ||= attributes[:user_info]
-      super attributes
-    end
-
     def id_token=(attributes = {})
       @id_token = IdToken.new(attributes) if attributes.present?
     end
@@ -18,7 +12,6 @@ module OpenIDConnect
     def userinfo=(attributes = {})
       @userinfo = UserInfo.new(attributes) if attributes.present?
     end
-    alias_method :user_info=, :userinfo=
 
     def as_json_with_mixed_keys(options = {})
       hash = as_json_without_mixed_keys options
@@ -41,4 +34,4 @@ end
 
 require 'openid_connect/request_object/claimable'
 require 'openid_connect/request_object/id_token'
-require 'openid_connect/request_object/user_info'
+require 'openid_connect/request_object/userinfo'

data/lib/openid_connect/response_object/id_token.rb

@@ -81,7 +81,7 @@ module OpenIDConnect
         end
 
         def self_issued_subject(jwk)
-          subject_base_string = case jwk[:alg].to_s
+          subject_base_string = case jwk[:kty].to_s
           when 'RSA'
             [jwk[:n], jwk[:e]].join
           when 'EC'

data/lib/openid_connect/response_object/userinfo.rb

@@ -0,0 +1,3 @@
+Dir[File.dirname(__FILE__) + '/userinfo/*.rb'].each do |file|
+  require file
+end

data/lib/openid_connect/response_object/{user_info → userinfo}/open_id.rb

@@ -20,24 +20,25 @@ module OpenIDConnect
           :zoneinfo,
           :locale,
           :phone_number,
+          :phone_number_verified,
           :address,
           :updated_time
         )
         alias_method :subject, :sub
         alias_method :subject=, :sub=
 
-        validates :email_verified, inclusion: {in: [true, false]},                             allow_nil: true
-        validates :gender,         inclusion: {in: ['male', 'female']},                        allow_nil: true
-        validates :zoneinfo,       inclusion: {in: TZInfo::TimezoneProxy.all.collect(&:name)}, allow_nil: true
-        validates :profile, :picture, :website, url: true, allow_nil: true
-        validates :email, email: true, allow_nil: true
+        validates :email_verified, :phone_number_verified, allow_nil: true, inclusion: {in: [true, false]}
+        validates :gender,                                 allow_nil: true, inclusion: {in: ['male', 'female']}
+        validates :zoneinfo,                               allow_nil: true, inclusion: {in: TZInfo::TimezoneProxy.all.collect(&:name)}
+        validates :profile, :picture, :website,            allow_nil: true, url: true
+        validates :email,                                  allow_nil: true, email: true
         validate :validate_address
         validate :require_at_least_one_attributes
         # TODO: validate locale
 
         def initialize(attributes = {})
           super
-          (all_attributes - [:email_verified, :address]).each do |key|
+          (all_attributes - [:email_verified, :phone_number_verified, :address]).each do |key|
             self.send "#{key}=", self.send(key).try(:to_s)
           end
         end

data/openid_connect.gemspec

@@ -13,10 +13,10 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "json", ">= 1.4.3"
   s.add_runtime_dependency "tzinfo"
   s.add_runtime_dependency "attr_required", ">= 0.0.5"
-  s.add_runtime_dependency "activemodel", ">= 3"
+  s.add_runtime_dependency "activemodel", "< 4"
   s.add_runtime_dependency "validate_url"
   s.add_runtime_dependency "validate_email"
-  s.add_runtime_dependency "json-jwt", ">= 0.3.3"
+  s.add_runtime_dependency "json-jwt", ">= 0.5.5"
   s.add_runtime_dependency "swd", ">= 0.1.2"
   s.add_runtime_dependency "webfinger", ">= 0.0.2"
   s.add_runtime_dependency "rack-oauth2", ">= 1.0.0"

data/spec/helpers/webmock_helper.rb

@@ -7,10 +7,11 @@ module WebMockHelper
     ).to_return(
       response_for(response_file, options)
     )
-    yield
+    result = yield
     a_request(method, endpoint).with(
       request_for(method, options)
     ).should have_been_made.once
+    result
   end
 
   private

data/spec/mock_response/discovery/config.json

@@ -3,11 +3,12 @@
     "issuer": "https://connect-op.heroku.com",
     "authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
     "token_endpoint": "https://connect-op.heroku.com/access_tokens",
-    "userinfo_endpoint": "https://connect-op.heroku.com/user_info",
+    "userinfo_endpoint": "https://connect-op.heroku.com/userinfo",
     "registration_endpoint": "https://connect-op.heroku.com/connect/client",
     "scopes_supported": ["openid", "profile", "email", "address"],
     "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
     "subject_types_supported": ["public", "pairwise"],
     "claims_supported": ["sub", "iss", "name", "email"],
-    "x509_url": "https://connect-op.heroku.com/cert.pem"
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
 }

data/spec/mock_response/public_keys/{jwk.json → jwks.json}

@@ -1,6 +1,6 @@
 {
   "keys": [{
-    "alg": "RSA",
+    "kty": "RSA",
     "e": "AQAB",
     "n": "u4liYNFzgsRr1ERdUY7CY6r4nefi3RzIhK5fdPgdZSMEEflACWAuJu21_TcDpbZ1-6Kbq7zShFsVTAnBkWdO7EP1Rsn11fZpi9m_zEq_uRY-4RpNwp3S9xSdoQ4F3-js1EMaDQ6km0-c0gvr_TyhFqDj_6w_Bb0vFptfGXwfKewPPnhsi7GJ62ihZ32PzxOvEIYcaoXr9xaeudYD3BzWSDmjKGA7PMaEuBhScdUAoibCmsKB-yAGsz2amHnUhcl4B_EBs6wk65Y7ge0ZQJUOGPdUQL49VuALKmr7cMhHKh5KuQmPAi_20K2uZL_EFDaObDWZrclx98s0DmfTRKINtw"
   }]

data/spec/openid_connect/access_token_spec.rb

@@ -92,18 +92,19 @@ describe OpenIDConnect::AccessToken do
     end
   end
 
-  describe '#user_info!' do
-    it 'should return OpenIDConnect::ResponseObject::UserInfo::OpenID' do
-      mock_json :get, client.user_info_uri, 'user_info/openid', :HTTP_AUTHORIZATION => 'Bearer access_token', params: {
+  describe '#userinfo!' do
+    it do
+      userinfo = mock_json :get, client.userinfo_uri, 'userinfo/openid', :HTTP_AUTHORIZATION => 'Bearer access_token', params: {
         schema: 'openid'
       } do
-        access_token.user_info!.should be_a OpenIDConnect::ResponseObject::UserInfo::OpenID
+        access_token.userinfo!
       end
+      userinfo.should be_instance_of OpenIDConnect::ResponseObject::UserInfo::OpenID
     end
 
     describe 'error handling' do
-      let(:endpoint) { client.user_info_uri }
-      let(:request) { access_token.user_info! }
+      let(:endpoint) { client.userinfo_uri }
+      let(:request) { access_token.userinfo! }
       it_behaves_like :access_token_error_handling
     end
   end

data/spec/openid_connect/client/registrar_spec.rb

@@ -5,140 +5,93 @@ describe OpenIDConnect::Client::Registrar do
   let(:attributes) { minimum_attributes }
   let(:minimum_attributes) do
     {
-      operation: :client_register
+      redirect_uris: ['https://client.example.com/callback']
     }
   end
   let(:instance) { OpenIDConnect::Client::Registrar.new(endpoint, attributes) }
   let(:endpoint) { 'https://server.example.com/clients' }
 
   context 'when endpoint given' do
-    context 'when attributes given' do
-      context 'when operation=client_register' do
-        let(:attributes) do
-          minimum_attributes
-        end
-        it { should be_valid }
-      end
-
-      context 'when operation=client_update' do
-        context 'when client_id given' do
-          let(:attributes) do
-            {
-              operation: :client_update,
-              client_id: 'client.example.com'
-            }
-          end
-          it { should be_valid }
-        end
-
-        context 'otherwise' do
-          let(:attributes) do
-            {
-              operation: :client_update
-            }
-          end
-          it { should_not be_valid }
-        end
-      end
-
-      context 'otherwise' do
-        let(:attributes) do
-          {
-            operation: :invalid_operation
-          }
-        end
-        it { should_not be_valid }
+    context 'when required attributes given' do
+      let(:attributes) do
+        minimum_attributes
       end
+      it { should be_valid }
     end
 
     context 'otherwise' do
       let(:instance) { OpenIDConnect::Client::Registrar.new(endpoint) }
-      it do
-        expect do
-          instance
-        end.not_to raise_error
-      end
       it { should_not be_valid }
     end
   end
 
   context 'otherwise' do
-    let(:instance) { OpenIDConnect::Client::Registrar.new(endpoint) }
     let(:endpoint) { '' }
-
-    it do
-      expect do
-        instance
-      end.to raise_error AttrRequired::AttrMissing
-    end
+    it { should_not be_valid }
   end
 
   describe '#sector_identifier' do
-    context 'when sector_identifier_url given' do
+    context 'when sector_identifier_uri given' do
       let(:attributes) do
         minimum_attributes.merge(
-          sector_identifier_url: 'https://client.example.com/sector_identifier.json'
+          sector_identifier_uri: 'https://client2.example.com/sector_identifier.json'
         )
       end
-      its(:sector_identifier) { should == 'client.example.com' }
-
-      context 'when sector_identifier_url is invalid URI' do
-        let(:attributes) do
-          minimum_attributes.merge(
-            sector_identifier_url: ':invalid'
-          )
-        end
-        its(:sector_identifier) { should be_nil }
-      end
+      its(:sector_identifier) { should == 'client2.example.com' }
 
-      context 'when redirect_uris given' do
+      context 'when sector_identifier_uri is invalid URI' do
         let(:attributes) do
           minimum_attributes.merge(
-            sector_identifier_url: 'https://client.example.com/sector_identifier.json',
-            redirect_uris: 'https://client2.example.com/callback'
+            sector_identifier_uri: 'invalid'
           )
         end
-        its(:sector_identifier) { should == 'client.example.com' }
+        it { should_not be_valid }
       end
     end
 
     context 'otherwise' do
-      context 'when redirect_uris given' do
-        context 'when single host' do
-          let(:attributes) do
-            minimum_attributes.merge(
-              redirect_uris: [
-                'https://client.example.com/callback/op1',
-                'https://client.example.com/callback/op2'
-              ].join(' ')
-            )
-          end
-          its(:sector_identifier) { should == 'client.example.com' }
+      let(:attributes) do
+        minimum_attributes.merge(
+          redirect_uris: redirect_uris
+        )
+      end
+
+      context 'when redirect_uris includes only one host' do
+        let(:redirect_uris) do
+          [
+            'https://client.example.com/callback/op1',
+            'https://client.example.com/callback/op2'
+          ]
         end
+        its(:sector_identifier) { should == 'client.example.com' }
+      end
 
-        context 'when multi host' do
-          let(:attributes) do
-            minimum_attributes.merge(
-              redirect_uris: [
-                'https://client1.example.com/callback',
-                'https://client2.example.com/callback'
-              ].join(' ')
-            )
-          end
-          its(:sector_identifier) { should be_nil }
+      context 'when redirect_uris includes multiple hosts' do
+        let(:redirect_uris) do
+          [
+            'https://client1.example.com/callback',
+            'https://client2.example.com/callback'
+          ]
         end
+        its(:sector_identifier) { should be_nil }
 
-        context 'when invalid URI' do
+        context 'when subject_type=pairwise' do
           let(:attributes) do
             minimum_attributes.merge(
-              redirect_uris: ':invalid'
+              redirect_uris: redirect_uris,
+              subject_type: :pairwise
             )
           end
-          its(:sector_identifier) { should be_nil }
+          it { should_not be_valid }
         end
       end
 
-      context 'otherwise' do
+      context 'when redirect_uris includes invalid URL' do
+        let(:redirect_uris) do
+          [
+            'invalid'
+          ]
+        end
         its(:sector_identifier) { should be_nil }
       end
     end
@@ -146,7 +99,7 @@ describe OpenIDConnect::Client::Registrar do
 
   describe '#redirect_uris' do
     let(:base_url) { 'http://client.example.com/callback' }
-    let(:attributes) { minimum_attributes.merge(redirect_uris: redirect_uri) }
+    let(:attributes) { minimum_attributes.merge(redirect_uris: [redirect_uri]) }
 
     context 'when query included' do
       let(:redirect_uri) { [base_url, '?foo=bar'].join }
@@ -156,41 +109,41 @@ describe OpenIDConnect::Client::Registrar do
 
     context 'when fragment included' do
       let(:redirect_uri) { [base_url, '#foo=bar'].join }
-      it { should_not be_valid }
+      it { should be_valid }
     end
   end
 
   describe '#contacts' do
     context 'when contacts given' do
+      let(:attributes) do
+        minimum_attributes.merge(
+          contacts: contacts
+        )
+      end
+
       context 'when invalid email included' do
-        let(:attributes) do
-          minimum_attributes.merge(
-            contacts: [
-              ':invalid',
-              'nov@matake.jp'
-            ].join(' ')
-          )
+        let(:contacts) do
+          [
+            'invalid',
+            'nov@matake.jp'
+          ]
         end
         it { should_not be_valid }
       end
 
       context 'when localhost address included' do
-        let(:attributes) do
-          minimum_attributes.merge(
-            contacts: [
-              'nov@localhost',
-              'nov@matake.jp'
-            ].join(' ')
-          )
+        let(:contacts) do
+          [
+            'nov@localhost',
+            'nov@matake.jp'
+          ]
         end
         it { should_not be_valid }
       end
 
       context 'otherwise' do
-        let(:attributes) do
-          minimum_attributes.merge(
-            contacts: 'nov@matake.jp'
-          )
+        let(:contacts) do
+          ['nov@matake.jp']
         end
         it { should be_valid }
       end
@@ -199,27 +152,16 @@ describe OpenIDConnect::Client::Registrar do
 
   describe '#as_json' do
     context 'when valid' do
-      let(:attributes) do
-        minimum_attributes.merge(
-          redirect_uris: [
-            'https://client1.example.com/callback',
-            'https://client2.example.com/callback'
-          ].join(' ')
-        )
-      end
       its(:as_json) do
-        should == {
-          operation: 'client_register',
-          redirect_uris: 'https://client1.example.com/callback https://client2.example.com/callback'
-        }
+        should == minimum_attributes
       end
     end
 
     context 'otherwise' do
       let(:attributes) do
-        {
-          operation: :client_update
-        }
+        minimum_attributes.merge(
+          sector_identifier_uri: 'invalid'
+        )
       end
       it do
         expect do
@@ -230,27 +172,19 @@ describe OpenIDConnect::Client::Registrar do
   end
 
   describe '#register!' do
-    let(:attributes) do
-      {}
-    end
-
     it 'should return OpenIDConnect::Client' do
-      mock_json :post, endpoint, 'client/registered', params: {
-        operation: 'client_register'
-      } do
-        client = instance.register!
-        client.should be_instance_of OpenIDConnect::Client
-        client.identifier.should == 'client.example.com'
-        client.secret.should == 'client_secret'
-        client.expires_in.should == 3600
+      client = mock_json :post, endpoint, 'client/registered', params: minimum_attributes do
+        instance.register!
       end
+      client.should be_instance_of OpenIDConnect::Client
+      client.identifier.should == 'client.example.com'
+      client.secret.should == 'client_secret'
+      client.expires_in.should == 3600
     end
 
     context 'when failed' do
       it 'should raise OpenIDConnect::Client::Registrar::RegistrationFailed' do
-        mock_json :post, endpoint, 'errors/unknown', params: {
-          operation: 'client_register'
-        }, status: 400 do
+        mock_json :post, endpoint, 'errors/unknown', params: minimum_attributes, status: 400 do
           expect do
             instance.register!
           end.to raise_error OpenIDConnect::Client::Registrar::RegistrationFailed
@@ -259,66 +193,6 @@ describe OpenIDConnect::Client::Registrar do
     end
   end
 
-  describe '#update!' do
-    let(:attributes) do
-      {
-        client_id: 'client.example.com',
-        client_secret: 'client_secret'
-      }
-    end
-
-    it 'should return OpenIDConnect::Client' do
-      mock_json :post, endpoint, 'client/updated', params: {
-        operation: 'client_update',
-        client_id: 'client.example.com',
-        client_secret: 'client_secret',
-        client_name: 'New Name'
-      } do
-        instance.client_name = 'New Name'
-        client = instance.update!
-        client.should be_instance_of OpenIDConnect::Client
-        client.identifier.should == 'client.example.com'
-      end
-    end
-
-    context 'when failed' do
-      it 'should raise OpenIDConnect::Client::Registrar::RegistrationFailed' do
-        mock_json :post, endpoint, 'errors/unknown', params: {
-          operation: 'client_update',
-          client_id: 'client.example.com',
-          client_secret: 'client_secret'
-        }, status: 400 do
-          expect do
-            instance.update!
-          end.to raise_error OpenIDConnect::Client::Registrar::RegistrationFailed
-        end
-      end
-    end
-  end
-
-  describe '#rotate_secret!' do
-    let(:attributes) do
-      {
-        client_id: 'client.example.com',
-        client_secret: 'client_secret'
-      }
-    end
-
-    it 'should return OpenIDConnect::Client' do
-      mock_json :post, endpoint, 'client/rotated', params: {
-        operation: 'rotate_secret',
-        client_id: 'client.example.com',
-        client_secret: 'client_secret'
-      } do
-        client = instance.rotate_secret!
-        client.should be_instance_of OpenIDConnect::Client
-        client.identifier.should == 'client.example.com'
-        client.secret.should == 'new_client_secret'
-        client.expires_in.should == 3600
-      end
-    end
-  end
-
   describe '#validate!' do
     context 'when valid' do
       it do
@@ -330,10 +204,11 @@ describe OpenIDConnect::Client::Registrar do
 
     context 'otherwise' do
       let(:attributes) do
-        {
-          operation: :client_update
-        }
+        minimum_attributes.merge(
+          sector_identifier_uri: 'invalid'
+        )
       end
+
       it do
         expect do
           instance.validate!
@@ -345,15 +220,15 @@ describe OpenIDConnect::Client::Registrar do
   describe 'http_client' do
     subject { instance.send(:http_client) }
 
-    context 'when access_token given' do
+    context 'when initial_access_token given' do
       let(:attributes) do
         minimum_attributes.merge(
-          access_token: access_token
+          initial_access_token: initial_access_token
         )
       end
 
       context 'when Rack::OAuth2::AccessToken::Bearer given' do
-        let(:access_token) do
+        let(:initial_access_token) do
           Rack::OAuth2::AccessToken::Bearer.new(access_token: 'access_token')
         end
         it { should be_instance_of Rack::OAuth2::AccessToken::Bearer }
@@ -361,7 +236,7 @@ describe OpenIDConnect::Client::Registrar do
       end
 
       context 'otherwise' do
-        let(:access_token) { 'access_token' }
+        let(:initial_access_token) { 'access_token' }
         it { should be_instance_of Rack::OAuth2::AccessToken::Bearer }
         its(:access_token) { should == 'access_token' }
       end