openid_connect 0.6.1 → 2.3.0
- checksums.yaml +5 -5
- data/.github/FUNDING.yml +3 -0
- data/.github/workflows/spec.yml +31 -0
- data/.gitignore +1 -0
- data/CHANGELOG.md +23 -0
- data/LICENSE +3 -1
- data/README.rdoc +10 -3
- data/Rakefile +6 -6
- data/TODOs +12 -0
- data/VERSION +1 -1
- data/lib/openid_connect/access_token/mtls.rb +9 -0
- data/lib/openid_connect/access_token.rb +14 -6
- data/lib/openid_connect/client/registrar.rb +69 -130
- data/lib/openid_connect/client.rb +7 -12
- data/lib/openid_connect/discovery/provider/config/resource.rb +5 -3
- data/lib/openid_connect/discovery/provider/config/response.rb +73 -78
- data/lib/openid_connect/discovery/provider/config.rb +5 -2
- data/lib/openid_connect/discovery/provider.rb +6 -2
- data/lib/openid_connect/discovery.rb +0 -2
- data/lib/openid_connect/jwtnizable.rb +6 -4
- data/lib/openid_connect/request_object/claimable.rb +4 -6
- data/lib/openid_connect/request_object.rb +6 -13
- data/lib/openid_connect/response_object/id_token.rb +38 -37
- data/lib/openid_connect/response_object/user_info/address.rb +10 -0
- data/lib/openid_connect/response_object/user_info.rb +64 -2
- data/lib/openid_connect.rb +26 -11
- data/lib/rack/oauth2/server/authorize/extension/code_and_id_token.rb +5 -1
- data/lib/rack/oauth2/server/authorize/extension/code_and_id_token_and_token.rb +1 -1
- data/lib/rack/oauth2/server/authorize/extension/id_token.rb +1 -1
- data/lib/rack/oauth2/server/authorize/extension/id_token_and_token.rb +1 -1
- data/lib/rack/oauth2/server/authorize/request_with_connect_params.rb +17 -14
- data/lib/rack/oauth2/server/id_token_response.rb +11 -13
- data/openid_connect.gemspec +19 -13
- data/spec/helpers/crypto_spec_helper.rb +2 -2
- data/spec/helpers/webmock_helper.rb +14 -9
- data/spec/mock_response/access_token/without_token_type.json +3 -0
- data/spec/mock_response/discovery/config.json +3 -3
- data/spec/mock_response/discovery/config_with_custom_port.json +13 -0
- data/spec/mock_response/discovery/config_with_invalid_issuer.json +13 -0
- data/spec/mock_response/discovery/config_with_path.json +13 -0
- data/spec/mock_response/discovery/config_without_issuer.json +12 -0
- data/spec/mock_response/errors/unknown.json +3 -1
- data/spec/mock_response/public_keys/{jwk.json → jwks.json} +1 -1
- data/spec/mock_response/public_keys/jwks_with_private_key.json +8 -0
- data/spec/mock_response/public_keys/private_key.pem +27 -0
- data/spec/openid_connect/access_token_spec.rb +11 -20
- data/spec/openid_connect/client/registrar_spec.rb +93 -208
- data/spec/openid_connect/client_spec.rb +79 -22
- data/spec/openid_connect/connect_object_spec.rb +1 -1
- data/spec/openid_connect/discovery/provider/config/response_spec.rb +76 -284
- data/spec/openid_connect/discovery/provider/config_spec.rb +64 -27
- data/spec/openid_connect/discovery/provider_spec.rb +2 -2
- data/spec/openid_connect/request_object_spec.rb +4 -4
- data/spec/openid_connect/response_object/id_token_spec.rb +94 -52
- data/spec/openid_connect/response_object/user_info/{open_id/address_spec.rb → address_spec.rb} +3 -3
- data/spec/openid_connect/response_object/{user_info/open_id_spec.rb → user_info_spec.rb} +13 -12
- data/spec/openid_connect_spec.rb +19 -19
- data/spec/rack/oauth2/server/authorize/extension/code_and_id_token_and_token_spec.rb +11 -0
- data/spec/rack/oauth2/server/authorize/extension/code_and_id_token_spec.rb +11 -0
- data/spec/rack/oauth2/server/authorize/extension/id_token_and_token_spec.rb +11 -0
- data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb +1 -1
- data/spec/rack/oauth2/server/authorize/request_with_connect_params_spec.rb +45 -0
- data/spec/spec_helper.rb +12 -1
- metadata +155 -90
- data/.travis.yml +0 -3
- data/Gemfile.lock +0 -102
- data/lib/openid_connect/debugger/request_filter.rb +0 -28
- data/lib/openid_connect/debugger.rb +0 -3
- data/lib/openid_connect/response_object/user_info/open_id/address.rb +0 -12
- data/lib/openid_connect/response_object/user_info/open_id.rb +0 -64
- data/lib/rack/oauth2/server/resource/error_with_connect_ext.rb +0 -14
- data/spec/mock_response/public_keys/x509.pem +0 -21
- data/spec/openid_connect/debugger/request_filter_spec.rb +0 -33
- data/spec/rack/oauth2/server/resource/error_with_connect_ext_spec.rb +0 -12
- /data/spec/mock_response/{user_info → userinfo}/openid.json +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 2f06997a441c5c602002a3b24896e9abd6036b376746124ad25743bf7b1b64e2
|
4
|
+
data.tar.gz: 6456f15afc0c4a58926887765caa3c388f12a55f4afa37f52d4483dc9c5139e3
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3fb6ecdd315275864320503e3c6287c03be8a8239bfcc1abe7d652896d2d015d0289b838a691e6711f7c96385e207ab9fafb6628de203327808a8b5568125e25
|
7
|
+
data.tar.gz: 89496d0a2d23455b40099ac2c71137771b43230e40c2f40a2758a315d10b32c9803e012cc6358bc3564d38d968c8fd1e5e4e37031969c526f96c37412804c289
|
data/.github/FUNDING.yml
ADDED
@@ -0,0 +1,31 @@
|
|
1
|
+
name: Spec
|
2
|
+
|
3
|
+
on:
|
4
|
+
push:
|
5
|
+
branches:
|
6
|
+
- main
|
7
|
+
pull_request:
|
8
|
+
|
9
|
+
permissions:
|
10
|
+
contents: read
|
11
|
+
|
12
|
+
jobs:
|
13
|
+
spec:
|
14
|
+
strategy:
|
15
|
+
matrix:
|
16
|
+
os: ['ubuntu-20.04', 'ubuntu-22.04']
|
17
|
+
ruby-version: ['3.1', '3.2', '3.3']
|
18
|
+
include:
|
19
|
+
- os: 'ubuntu-20.04'
|
20
|
+
ruby-version: '3.0'
|
21
|
+
runs-on: ${{ matrix.os }}
|
22
|
+
|
23
|
+
steps:
|
24
|
+
- uses: actions/checkout@v3
|
25
|
+
- name: Set up Ruby
|
26
|
+
uses: ruby/setup-ruby@v1
|
27
|
+
with:
|
28
|
+
ruby-version: ${{ matrix.ruby-version }}
|
29
|
+
bundler-cache: true
|
30
|
+
- name: Run Specs
|
31
|
+
run: bundle exec rake spec
|
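Review bot: Both actions are referenced by floating tags (`actions/checkout@v3`, `ruby/setup-ruby@v1`) rather than a commit SHA, so a retagged or compromised release would run inside this job with its token; pin them, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, and let Dependabot bump the comment. `permissions: contents: read` already scopes the token, which is the right baseline. With `Gemfile.lock` removed in this same release (see the diffstat), `bundler-cache: true` resolves gems afresh whenever any dependency publishes, so CI is not reproducible across runs — acceptable for a library, but worth a comment. The section header above reads `.github/FUNDING.yml` while the 31-line body is the `Spec` workflow that the diffstat attributes to `spec.yml`; this looks like a rendering mix-up rather than a workflow problem.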
data/.gitignore
CHANGED
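--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,23 @@
+## [Unreleased]
+
+## [2.2.0] - 2022-10-11
+
+### Changed
+
+- automatic json response decoding by @nov in https://github.com/nov/openid_connect/pull/77
+
+## [2.1.0] - 2022-10-10
+
+### Changed
+
+- mTLS access token by @nov in https://github.com/nov/openid_connect/pull/76
+
+## [2.0.0] - 2022-10-09
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+- replace httpclient with faraday v2 by @nov in https://github.com/nov/openid_connect/pull/75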
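--- a/data/LICENSE
+++ b/data/LICENSE
@@ -1,5 +1,7 @@
 Copyright (c) 2011 nov matake
 
+MIT License
+
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
 "Software"), to deal in the Software without restriction, including
@@ -17,4 +19,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.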
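--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -16,16 +16,23 @@ OpenID Connect Server & Client Library
 
 === Provider
 
-* Running on Heroku (
+* Running on Heroku (https://connect-op.herokuapp.com)
 * Source on GitHub (https://github.com/nov/openid_connect_sample)
 
+* Simpler Version (https://github.com/nov/openid_connect_sample2)
+
 === Relying Party
 
-* Running on Heroku (https://connect-rp.
+* Running on Heroku (https://connect-rp.herokuapp.com)
 * Source on GitHub (https://github.com/nov/openid_connect_sample_rp)
 
+There is also OpenID Foudation Certified RP implementation using this gem below.
+
+* Running on Heroku (https://connect-rp-certified.herokuapp.com)
+* Source on GitHub (https://github.com/nov/connect-rp-certified)
+
 == Note on Patches/Pull Requests
-
+
 * Fork the project.
 * Make your feature addition or bug fix.
 * Add tests for it. This is important so I don't break it in a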
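--- a/data/Rakefile
+++ b/data/Rakefile
@@ -4,16 +4,16 @@ Bundler::GemHelper.install_tasks
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec)
 
-namespace :
-desc "
+namespace :coverage do
+desc "Open coverage report"
 task :report do
-require '
-
+require 'simplecov'
+`open "#{File.join SimpleCov.coverage_path, 'index.html'}"`
 end
 end
 
 task :spec do
-Rake::Task['
+Rake::Task[:'coverage:report'].invoke unless ENV['TRAVIS_RUBY_VERSION']
 end
 
-task default
+task :default => :spec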
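Review bot: The `spec` task invokes `coverage:report` `unless ENV['TRAVIS_RUBY_VERSION']`, but `.travis.yml` is deleted in this release and the new workflow runs `bundle exec rake spec` on GitHub Actions, where that variable is never set, so every CI run will shell out to `open` on the coverage HTML and fail on a runner without that binary. Guard on the generic flag instead: `Rake::Task[:'coverage:report'].invoke unless ENV['CI']` (GitHub Actions sets `CI=true`). The backtick call only interpolates `SimpleCov.coverage_path`, so there is no injection concern, but a one-line comment such as `# opens the HTML report locally; skipped on CI` would make the intent clear.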
data/TODOs
ADDED
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
|
1
|
+
2.3.0
|
@@ -0,0 +1,9 @@
|
|
1
|
+
module OpenIDConnect
|
2
|
+
class AccessToken::MTLS < AccessToken
|
3
|
+
def initialize(attributes = {})
|
4
|
+
super
|
5
|
+
http_client.ssl.client_key = attributes[:private_key] || client.private_key
|
6
|
+
http_client.ssl.client_cert = attributes[:certificate] || client.certificate
|
7
|
+
end
|
8
|
+
end
|
9
|
+
end
|
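Review bot: When neither `attributes[:private_key]` nor `client.private_key` (and likewise the certificate) is set, `http_client.ssl.client_key`/`client_cert` are assigned `nil` and the request goes out over plain TLS with the same bearer token, so an mTLS-bound token (RFC 8705 certificate-bound access tokens) is silently presented without the proof of possession the resource server expects — unless the underlying connection already carries a key and certificate from elsewhere, which is outside this hunk. Fail fast after the two assignments: `raise ArgumentError, 'mTLS access token requires both a client key and certificate' unless http_client.ssl.client_key && http_client.ssl.client_cert`. A class-level comment noting that the key and certificate default to the client's registered ones (`client.private_key`, `client.certificate` come from outside this file) would help readers.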
@@ -8,13 +8,19 @@ module OpenIDConnect
|
|
8
8
|
@token_type = :bearer
|
9
9
|
end
|
10
10
|
|
11
|
-
def userinfo!(
|
11
|
+
def userinfo!(params = {})
|
12
12
|
hash = resource_request do
|
13
|
-
get client.userinfo_uri,
|
13
|
+
get client.userinfo_uri, params
|
14
14
|
end
|
15
|
-
ResponseObject::UserInfo
|
15
|
+
ResponseObject::UserInfo.new hash
|
16
|
+
end
|
17
|
+
|
18
|
+
def to_mtls(attributes = {})
|
19
|
+
(required_attributes + optional_attributes).each do |key|
|
20
|
+
attributes[key] = self.send(key)
|
21
|
+
end
|
22
|
+
MTLS.new attributes
|
16
23
|
end
|
17
|
-
alias_method :user_info!, :userinfo!
|
18
24
|
|
19
25
|
private
|
20
26
|
|
@@ -22,7 +28,7 @@ module OpenIDConnect
|
|
22
28
|
res = yield
|
23
29
|
case res.status
|
24
30
|
when 200
|
25
|
-
|
31
|
+
res.body.with_indifferent_access
|
26
32
|
when 400
|
27
33
|
raise BadRequest.new('API Access Faild', res)
|
28
34
|
when 401
|
@@ -34,4 +40,6 @@ module OpenIDConnect
|
|
34
40
|
end
|
35
41
|
end
|
36
42
|
end
|
37
|
-
end
|
43
|
+
end
|
44
|
+
|
45
|
+
require 'openid_connect/access_token/mtls'
|
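Review bot: `res.body.with_indifferent_access` in `resource_request` assumes the body has already been decoded to a Hash (the changelog's automatic JSON decoding), but a UserInfo endpoint that returns a signed or encrypted JWT (`application/jwt`, which is exactly what a client registered with `userinfo_signed_response_alg` asks for) leaves `res.body` a String and this line raises `NoMethodError` instead of a meaningful error. Add a guard before it, e.g. `raise Exception.new('Unexpected UserInfo response body') unless res.body.is_a?(Hash)` — `OpenIDConnect::Exception`'s constructor is outside this hunk, so adjust the arguments to match. Separately, `to_mtls` writes into the caller-supplied `attributes` hash (`attributes[key] = ...`); building on a copy, `attrs = attributes.dup`, avoids surprising the caller. `resource_request` begins outside the hunk.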
@@ -5,106 +5,73 @@ module OpenIDConnect
|
|
5
5
|
|
6
6
|
class RegistrationFailed < HttpError; end
|
7
7
|
|
8
|
+
cattr_accessor :plural_uri_attributes, :metadata_attributes
|
9
|
+
singular_uri_attributes = [
|
10
|
+
:logo_uri,
|
11
|
+
:client_uri,
|
12
|
+
:policy_uri,
|
13
|
+
:tos_uri,
|
14
|
+
:jwks_uri,
|
15
|
+
:sector_identifier_uri,
|
16
|
+
:initiate_login_uri
|
17
|
+
]
|
8
18
|
singular_attributes = [
|
9
|
-
:operation,
|
10
|
-
:client_id,
|
11
|
-
:client_secret,
|
12
|
-
:access_token,
|
13
19
|
:application_type,
|
14
20
|
:client_name,
|
15
|
-
:
|
16
|
-
:token_endpoint_auth_method,
|
17
|
-
:policy_url,
|
18
|
-
:tos_url,
|
19
|
-
:jwk_url,
|
20
|
-
:jwk_encryption_url,
|
21
|
-
:x509_url,
|
22
|
-
:x509_encryption_url,
|
23
|
-
:sector_identifier_url,
|
21
|
+
:jwks,
|
24
22
|
:subject_type,
|
25
|
-
:request_object_signing_alg,
|
26
|
-
:userinfo_signed_response_alg,
|
27
|
-
:userinfo_encrypted_response_alg,
|
28
|
-
:userinfo_encrypted_response_enc,
|
29
23
|
:id_token_signed_response_alg,
|
30
24
|
:id_token_encrypted_response_alg,
|
31
25
|
:id_token_encrypted_response_enc,
|
26
|
+
:userinfo_signed_response_alg,
|
27
|
+
:userinfo_encrypted_response_alg,
|
28
|
+
:userinfo_encrypted_response_enc,
|
29
|
+
:request_object_signing_alg,
|
30
|
+
:request_object_encryption_alg,
|
31
|
+
:request_object_encryption_enc,
|
32
|
+
:token_endpoint_auth_method,
|
33
|
+
:token_endpoint_auth_signing_alg,
|
32
34
|
:default_max_age,
|
33
|
-
:require_auth_time
|
34
|
-
|
35
|
-
|
36
|
-
:
|
35
|
+
:require_auth_time
|
36
|
+
] + singular_uri_attributes
|
37
|
+
self.plural_uri_attributes = [
|
38
|
+
:redirect_uris,
|
39
|
+
:request_uris
|
37
40
|
]
|
38
|
-
|
41
|
+
plural_attributes = [
|
42
|
+
:response_types,
|
43
|
+
:grant_types,
|
39
44
|
:contacts,
|
45
|
+
:default_acr_values,
|
46
|
+
] + plural_uri_attributes
|
47
|
+
self.metadata_attributes = singular_attributes + plural_attributes
|
48
|
+
required_metadata_attributes = [
|
40
49
|
:redirect_uris
|
41
50
|
]
|
42
51
|
attr_required :endpoint
|
43
|
-
attr_optional
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
else
|
52
|
-
value
|
53
|
-
end
|
54
|
-
end
|
55
|
-
alias_method_chain _attr_, :split
|
56
|
-
end
|
57
|
-
|
58
|
-
validates :operation, presence: true
|
59
|
-
validates :client_id, presence: {if: ->(c) { ['client_update', 'rotate_secret'].include?(c.operation.to_s) }}
|
60
|
-
validates :sector_identifier_url, presence: {if: :sector_identifier_required?}
|
61
|
-
|
62
|
-
validates :operation, inclusion: {in: ['client_register', 'rotate_secret', 'client_update']}
|
63
|
-
validates :application_type, inclusion: {in: ['native', 'web']}, allow_nil: true
|
64
|
-
validates :subject_type, inclusion: {in: ['pairwise', 'public']}, allow_nil: true
|
65
|
-
validates :token_endpoint_auth_method, inclusion: {
|
66
|
-
in: ['client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt']
|
67
|
-
}, allow_nil: true
|
68
|
-
|
69
|
-
validates(
|
70
|
-
:logo_url,
|
71
|
-
:policy_url,
|
72
|
-
:tos_url,
|
73
|
-
:jwk_url,
|
74
|
-
:jwk_encryption_url,
|
75
|
-
:x509_url,
|
76
|
-
:x509_encryption_url,
|
77
|
-
:sector_identifier_url,
|
78
|
-
:initiate_login_uri,
|
79
|
-
:post_logout_redirect_url,
|
80
|
-
url: true,
|
81
|
-
allow_nil: true
|
82
|
-
)
|
83
|
-
|
52
|
+
attr_optional :initial_access_token
|
53
|
+
attr_required(*required_metadata_attributes)
|
54
|
+
attr_optional(*(metadata_attributes - required_metadata_attributes))
|
55
|
+
|
56
|
+
validates(*required_attributes, presence: true)
|
57
|
+
validates :sector_identifier_uri, presence: {if: :sector_identifier_required?}
|
58
|
+
validates(*singular_uri_attributes, url: true, allow_nil: true)
|
59
|
+
validate :validate_plural_uri_attributes
|
84
60
|
validate :validate_contacts
|
85
|
-
validate :validate_redirect_uris
|
86
|
-
validate :validate_key_urls
|
87
|
-
validate :validate_signature_algorithms
|
88
|
-
validate :validate_encription_algorithms
|
89
61
|
|
90
62
|
def initialize(endpoint, attributes = {})
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
else
|
96
|
-
attributes[_attr_].try(:to_s)
|
97
|
-
end
|
98
|
-
self.send "#{_attr_}=", value
|
63
|
+
self.endpoint = endpoint
|
64
|
+
self.initial_access_token = attributes[:initial_access_token]
|
65
|
+
self.class.metadata_attributes.each do |_attr_|
|
66
|
+
self.send "#{_attr_}=", attributes[_attr_]
|
99
67
|
end
|
100
|
-
attr_missing!
|
101
68
|
end
|
102
69
|
|
103
70
|
def sector_identifier
|
104
|
-
if valid_uri?(
|
105
|
-
URI.parse(
|
71
|
+
if valid_uri?(sector_identifier_uri)
|
72
|
+
URI.parse(sector_identifier_uri).host
|
106
73
|
else
|
107
|
-
hosts =
|
74
|
+
hosts = redirect_uris.collect do |redirect_uri|
|
108
75
|
if valid_uri?(redirect_uri, nil)
|
109
76
|
URI.parse(redirect_uri).host
|
110
77
|
else
|
@@ -121,32 +88,21 @@ module OpenIDConnect
|
|
121
88
|
|
122
89
|
def as_json(options = {})
|
123
90
|
validate!
|
124
|
-
|
125
|
-
value = self.send
|
126
|
-
hash.merge! _attr_ =>
|
127
|
-
|
128
|
-
value.collect(&:to_s).join(' ')
|
129
|
-
else
|
130
|
-
value
|
131
|
-
end
|
132
|
-
end.delete_if do |key, value|
|
133
|
-
value.nil?
|
91
|
+
self.class.metadata_attributes.inject({}) do |hash, _attr_|
|
92
|
+
value = self.send _attr_
|
93
|
+
hash.merge! _attr_ => value unless value.nil?
|
94
|
+
hash
|
134
95
|
end
|
135
96
|
end
|
136
97
|
|
137
98
|
def register!
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
def rotate_secret!
|
143
|
-
self.operation = 'rotate_secret'
|
144
|
-
post!
|
99
|
+
handle_response do
|
100
|
+
http_client.post endpoint, to_json, 'Content-Type' => 'application/json'
|
101
|
+
end
|
145
102
|
end
|
146
103
|
|
147
|
-
def
|
148
|
-
|
149
|
-
post!
|
104
|
+
def read
|
105
|
+
# TODO: Do we want this feature even if we don't have rotate secret nor update metadata support?
|
150
106
|
end
|
151
107
|
|
152
108
|
def validate!
|
@@ -156,14 +112,13 @@ module OpenIDConnect
|
|
156
112
|
private
|
157
113
|
|
158
114
|
def sector_identifier_required?
|
159
|
-
subject_type == 'pairwise' &&
|
115
|
+
subject_type.to_s == 'pairwise' &&
|
160
116
|
sector_identifier.blank?
|
161
117
|
end
|
162
118
|
|
163
119
|
def valid_uri?(uri, schemes = ['http', 'https'])
|
164
120
|
# NOTE: specify nil for schemes to allow any schemes
|
165
|
-
URI::regexp(schemes).match(uri).present?
|
166
|
-
URI.parse(uri).fragment.blank?
|
121
|
+
URI::regexp(schemes).match(uri).present?
|
167
122
|
end
|
168
123
|
|
169
124
|
def validate_contacts
|
@@ -180,42 +135,26 @@ module OpenIDConnect
|
|
180
135
|
end
|
181
136
|
end
|
182
137
|
|
183
|
-
def
|
184
|
-
|
185
|
-
|
186
|
-
|
138
|
+
def validate_plural_uri_attributes
|
139
|
+
self.class.plural_uri_attributes.each do |_attr_|
|
140
|
+
if (uris = self.send(_attr_))
|
141
|
+
include_invalid = uris.any? do |uri|
|
142
|
+
!valid_uri?(uri, nil)
|
143
|
+
end
|
144
|
+
errors.add _attr_, 'includes invalid URL' if include_invalid
|
187
145
|
end
|
188
|
-
errors.add :redirect_uris, 'includes invalid URL' if include_invalid
|
189
|
-
end
|
190
|
-
end
|
191
|
-
|
192
|
-
def validate_key_urls
|
193
|
-
# TODO
|
194
|
-
end
|
195
|
-
|
196
|
-
def validate_signature_algorithms
|
197
|
-
# TODO
|
198
|
-
end
|
199
|
-
|
200
|
-
def validate_encription_algorithms
|
201
|
-
# TODO
|
202
|
-
end
|
203
|
-
|
204
|
-
def post!
|
205
|
-
handle_response do
|
206
|
-
http_client.post endpoint, as_json
|
207
146
|
end
|
208
147
|
end
|
209
148
|
|
210
149
|
def http_client
|
211
|
-
case
|
150
|
+
case initial_access_token
|
212
151
|
when nil
|
213
152
|
OpenIDConnect.http_client
|
214
153
|
when Rack::OAuth2::AccessToken::Bearer
|
215
|
-
|
154
|
+
initial_access_token
|
216
155
|
else
|
217
156
|
Rack::OAuth2::AccessToken::Bearer.new(
|
218
|
-
access_token:
|
157
|
+
access_token: initial_access_token
|
219
158
|
)
|
220
159
|
end
|
221
160
|
end
|
@@ -231,7 +170,7 @@ module OpenIDConnect
|
|
231
170
|
end
|
232
171
|
|
233
172
|
def handle_success_response(response)
|
234
|
-
credentials =
|
173
|
+
credentials = response.body.with_indifferent_access
|
235
174
|
Client.new(
|
236
175
|
identifier: credentials[:client_id],
|
237
176
|
secret: credentials[:client_secret],
|
@@ -244,4 +183,4 @@ module OpenIDConnect
|
|
244
183
|
end
|
245
184
|
end
|
246
185
|
end
|
247
|
-
end
|
186
|
+
end
|
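Review bot: `valid_uri?` now returns only `URI::regexp(schemes).match(uri).present?`; that regexp is unanchored, so a value like `javascript:alert(1) https://example.com` is accepted for `logo_uri` or `client_uri`, and the former `URI.parse(uri).fragment.blank?` check is gone, so `redirect_uris` containing a fragment (forbidden by RFC 6749 §3.1.2 and a known token-leak vector) now validate. Parse the value instead of substring-matching it and reject fragments, keeping the `nil`-means-any-scheme contract that `validate_plural_uri_attributes` relies on. `sector_identifier_uri` is also checked with the default `['http', 'https']`, whereas OpenID Connect Dynamic Client Registration requires it to use https; pass `['https']` there if that restriction is intended.

```ruby
def valid_uri?(uri, schemes = ['http', 'https'])
  # NOTE: specify nil for schemes to allow any schemes
  parsed = URI.parse(uri.to_s)
  return false if parsed.scheme.blank? || parsed.fragment.present?
  schemes.nil? || schemes.include?(parsed.scheme)
rescue URI::InvalidURIError
  false
end
```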
@@ -1,48 +1,43 @@
|
|
1
1
|
module OpenIDConnect
|
2
2
|
class Client < Rack::OAuth2::Client
|
3
3
|
attr_optional :userinfo_endpoint, :expires_in
|
4
|
-
alias_method :user_info_endpoint, :userinfo_endpoint
|
5
|
-
alias_method :user_info_endpoint=, :userinfo_endpoint=
|
6
4
|
|
7
5
|
def initialize(attributes = {})
|
8
|
-
attributes[:userinfo_endpoint] ||= attributes[:user_info_endpoint]
|
9
6
|
super attributes
|
10
|
-
self.userinfo_endpoint ||= '/
|
7
|
+
self.userinfo_endpoint ||= '/userinfo'
|
11
8
|
end
|
12
9
|
|
13
10
|
def authorization_uri(params = {})
|
14
|
-
params[:response_type] ||= :token
|
15
11
|
params[:scope] = setup_required_scope params[:scope]
|
12
|
+
params[:prompt] = Array(params[:prompt]).join(' ')
|
16
13
|
super
|
17
14
|
end
|
18
15
|
|
19
16
|
def userinfo_uri
|
20
17
|
absolute_uri_for userinfo_endpoint
|
21
18
|
end
|
22
|
-
alias_method :user_info_uri, :userinfo_uri
|
23
19
|
|
24
20
|
private
|
25
21
|
|
26
22
|
def setup_required_scope(scopes)
|
27
|
-
_scopes_ = Array(scopes).
|
23
|
+
_scopes_ = Array(scopes).join(' ').split(' ')
|
28
24
|
_scopes_ << 'openid' unless _scopes_.include?('openid')
|
29
25
|
_scopes_
|
30
26
|
end
|
31
27
|
|
32
28
|
def handle_success_response(response)
|
33
|
-
token_hash =
|
34
|
-
|
29
|
+
token_hash = response.body.with_indifferent_access
|
30
|
+
token_type = (@forced_token_type || token_hash[:token_type]).try(:downcase)
|
31
|
+
case token_type
|
35
32
|
when 'bearer'
|
36
33
|
AccessToken.new token_hash.merge(client: self)
|
37
34
|
else
|
38
35
|
raise Exception.new("Unexpected Token Type: #{token_type}")
|
39
36
|
end
|
40
|
-
rescue JSON::ParserError
|
41
|
-
raise Exception.new("Unknown Token Type")
|
42
37
|
end
|
43
38
|
end
|
44
39
|
end
|
45
40
|
|
46
41
|
Dir[File.dirname(__FILE__) + '/client/*.rb'].each do |file|
|
47
42
|
require file
|
48
|
-
end
|
43
|
+
end
|
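Review bot: `handle_success_response` drops the old `rescue JSON::ParserError` and calls `response.body.with_indifferent_access` directly, so a token endpoint that answers with anything other than decoded JSON (a String body) now fails with `NoMethodError` rather than a gem-level exception; keep the failure explicit with `raise Exception.new('Unexpected token response body') unless response.body.is_a?(Hash)` before the `token_type` line. `@forced_token_type` is read here but assigned outside this hunk, so a one-line comment on its purpose (overriding providers that omit `token_type`) would help. In `authorization_uri`, `params[:prompt] = Array(params[:prompt]).join(' ')` runs even when no prompt was given, producing an empty `prompt=` in every URL unless `Rack::OAuth2::Client#authorization_uri` (outside this hunk) strips blank values; making it `... if params[:prompt]` avoids depending on that.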
@@ -1,3 +1,5 @@
|
|
1
|
+
require "openssl"
|
2
|
+
|
1
3
|
module OpenIDConnect
|
2
4
|
module Discovery
|
3
5
|
module Provider
|
@@ -23,12 +25,12 @@ module OpenIDConnect
|
|
23
25
|
private
|
24
26
|
|
25
27
|
def to_response_object(hash)
|
26
|
-
Response.new
|
28
|
+
Response.new(hash)
|
27
29
|
end
|
28
30
|
|
29
31
|
def cache_key
|
30
|
-
|
31
|
-
"swd:resource:opneid-conf:#{
|
32
|
+
sha256 = OpenSSL::Digest::SHA256.hexdigest host
|
33
|
+
"swd:resource:opneid-conf:#{sha256}"
|
32
34
|
end
|
33
35
|
end
|
34
36
|
end
|
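Review bot: `cache_key` digests only `host`, so two issuers that share a hostname but differ in path or port — the multi-tenant layout this release adds fixtures for (`config_with_path.json`, `config_with_custom_port.json`) — map to the same `swd:resource:opneid-conf:` entry, and one tenant's cached provider configuration (including its `jwks_uri` and endpoints) can be served for another. How `host` is populated is outside this hunk, so confirm whether it already carries port and path; if not, digest the full discovery URL instead of the host. The prefix typo `opneid-conf` is long-standing and changing it invalidates existing cache entries, so leave it unless a cache reset is acceptable. `require "openssl"` uses double quotes where the rest of the gem uses single quotes (style).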