openid_connect 0.6.1 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 806c31b986d5df085e19f74d6b7140f3db2b70c5
-  data.tar.gz: ad199229fe09fc363fd985c047c038c874c1ef8f
+SHA256:
+  metadata.gz: 2f06997a441c5c602002a3b24896e9abd6036b376746124ad25743bf7b1b64e2
+  data.tar.gz: 6456f15afc0c4a58926887765caa3c388f12a55f4afa37f52d4483dc9c5139e3
 SHA512:
-  metadata.gz: 1a2abe2d41fc859cf818416f3f91a55f0c87644bf0254ddfa8438d905d8ac14f21abb6bdadd52744d3567c99680d95acc4e746bedb9dd48d634c3b3a7a7b70e1
-  data.tar.gz: 25e21e4e866c87d4a3732a62152f3ecff3c0f8c24b9ea992417d6c138039c464a44c90e8c68cfec46a131878615356de8f4939a1f6aa574a71c6394e31af7b79
+  metadata.gz: 3fb6ecdd315275864320503e3c6287c03be8a8239bfcc1abe7d652896d2d015d0289b838a691e6711f7c96385e207ab9fafb6628de203327808a8b5568125e25
+  data.tar.gz: 89496d0a2d23455b40099ac2c71137771b43230e40c2f40a2758a315d10b32c9803e012cc6358bc3564d38d968c8fd1e5e4e37031969c526f96c37412804c289

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: nov

data/.github/workflows/spec.yml

@@ -0,0 +1,31 @@
+name: Spec
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  spec:
+    strategy:
+      matrix:
+        os: ['ubuntu-20.04', 'ubuntu-22.04']
+        ruby-version: ['3.1', '3.2', '3.3']
+        include:
+        - os: 'ubuntu-20.04'
+          ruby-version: '3.0'
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run Specs
+      run: bundle exec rake spec

data/.gitignore

@@ -17,5 +17,6 @@ tmtags
 coverage*
 rdoc
 pkg
+Gemfile.lock
 
 ## PROJECT::SPECIFIC

data/CHANGELOG.md

@@ -0,0 +1,23 @@
+## [Unreleased]
+
+## [2.2.0] - 2022-10-11
+
+### Changed
+
+- automatic json response decoding by @nov in https://github.com/nov/openid_connect/pull/77
+
+## [2.1.0] - 2022-10-10
+
+### Changed
+
+- mTLS access token by @nov in https://github.com/nov/openid_connect/pull/76
+
+## [2.0.0] - 2022-10-09
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+- replace httpclient with faraday v2 by @nov in https://github.com/nov/openid_connect/pull/75

data/LICENSE

@@ -1,5 +1,7 @@
 Copyright (c) 2011 nov matake
 
+MIT License
+
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
 "Software"), to deal in the Software without restriction, including
@@ -17,4 +19,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -16,16 +16,23 @@ OpenID Connect Server & Client Library
 
 === Provider
 
-* Running on Heroku (http://connect-op.heroku.com)
+* Running on Heroku (https://connect-op.herokuapp.com)
 * Source on GitHub (https://github.com/nov/openid_connect_sample)
 
+* Simpler Version (https://github.com/nov/openid_connect_sample2)
+
 === Relying Party
 
-* Running on Heroku (https://connect-rp.heroku.com)
+* Running on Heroku (https://connect-rp.herokuapp.com)
 * Source on GitHub (https://github.com/nov/openid_connect_sample_rp)
 
+There is also OpenID Foudation Certified RP implementation using this gem below.
+
+* Running on Heroku (https://connect-rp-certified.herokuapp.com)
+* Source on GitHub (https://github.com/nov/connect-rp-certified)
+
 == Note on Patches/Pull Requests
- 
+
 * Fork the project.
 * Make your feature addition or bug fix.
 * Add tests for it. This is important so I don't break it in a

data/Rakefile

@@ -4,16 +4,16 @@ Bundler::GemHelper.install_tasks
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec)
 
-namespace :cover_me do
-  desc "Generates and opens code coverage report."
+namespace :coverage do
+  desc "Open coverage report"
   task :report do
-    require 'cover_me'
-    CoverMe.complete!
+    require 'simplecov'
+    `open "#{File.join SimpleCov.coverage_path, 'index.html'}"`
   end
 end
 
 task :spec do
-  Rake::Task['cover_me:report'].invoke
+  Rake::Task[:'coverage:report'].invoke unless ENV['TRAVIS_RUBY_VERSION']
 end
 
-task default: :spec
+task :default => :spec

data/TODOs

@@ -0,0 +1,12 @@
+## Discovery
+
+* WebFinger User Input Normalization
+
+## Dynamic Client Registration
+
+* Update Registration Response Format
+* Client Metadata "Read" Call Support
+
+## Message
+
+* Update UserInfo OpenID Schema

data/VERSION

@@ -1 +1 @@
-0.6.1
+2.3.0

data/lib/openid_connect/access_token/mtls.rb

@@ -0,0 +1,9 @@
+module OpenIDConnect
+  class AccessToken::MTLS < AccessToken
+    def initialize(attributes = {})
+      super
+      http_client.ssl.client_key  = attributes[:private_key] || client.private_key
+      http_client.ssl.client_cert = attributes[:certificate] || client.certificate
+    end
+  end
+end

data/lib/openid_connect/access_token.rb

@@ -8,13 +8,19 @@ module OpenIDConnect
       @token_type = :bearer
     end
 
-    def userinfo!(schema = :openid)
+    def userinfo!(params = {})
       hash = resource_request do
-        get client.userinfo_uri, schema: schema
+        get client.userinfo_uri, params
       end
-      ResponseObject::UserInfo::OpenID.new hash
+      ResponseObject::UserInfo.new hash
+    end
+
+    def to_mtls(attributes = {})
+      (required_attributes + optional_attributes).each do |key|
+        attributes[key] = self.send(key)
+      end
+      MTLS.new attributes
     end
-    alias_method :user_info!, :userinfo!
 
     private
 
@@ -22,7 +28,7 @@ module OpenIDConnect
       res = yield
       case res.status
       when 200
-        JSON.parse res.body, symbolize_names: true
+        res.body.with_indifferent_access
       when 400
         raise BadRequest.new('API Access Faild', res)
       when 401
@@ -34,4 +40,6 @@ module OpenIDConnect
       end
     end
   end
-end
+end
+
+require 'openid_connect/access_token/mtls'

data/lib/openid_connect/client/registrar.rb

@@ -5,106 +5,73 @@ module OpenIDConnect
 
       class RegistrationFailed < HttpError; end
 
+      cattr_accessor :plural_uri_attributes, :metadata_attributes
+      singular_uri_attributes = [
+        :logo_uri,
+        :client_uri,
+        :policy_uri,
+        :tos_uri,
+        :jwks_uri,
+        :sector_identifier_uri,
+        :initiate_login_uri
+      ]
       singular_attributes = [
-        :operation,
-        :client_id,
-        :client_secret,
-        :access_token,
         :application_type,
         :client_name,
-        :logo_url,
-        :token_endpoint_auth_method,
-        :policy_url,
-        :tos_url,
-        :jwk_url,
-        :jwk_encryption_url,
-        :x509_url,
-        :x509_encryption_url,
-        :sector_identifier_url,
+        :jwks,
         :subject_type,
-        :request_object_signing_alg,
-        :userinfo_signed_response_alg,
-        :userinfo_encrypted_response_alg,
-        :userinfo_encrypted_response_enc,
         :id_token_signed_response_alg,
         :id_token_encrypted_response_alg,
         :id_token_encrypted_response_enc,
+        :userinfo_signed_response_alg,
+        :userinfo_encrypted_response_alg,
+        :userinfo_encrypted_response_enc,
+        :request_object_signing_alg,
+        :request_object_encryption_alg,
+        :request_object_encryption_enc,
+        :token_endpoint_auth_method,
+        :token_endpoint_auth_signing_alg,
         :default_max_age,
-        :require_auth_time,
-        :default_acr,
-        :initiate_login_uri,
-        :post_logout_redirect_url
+        :require_auth_time
+      ] + singular_uri_attributes
+      self.plural_uri_attributes = [
+        :redirect_uris,
+        :request_uris
       ]
-      plurar_attributes = [
+      plural_attributes = [
+        :response_types,
+        :grant_types,
         :contacts,
+        :default_acr_values,
+      ] + plural_uri_attributes
+      self.metadata_attributes = singular_attributes + plural_attributes
+      required_metadata_attributes = [
         :redirect_uris
       ]
       attr_required :endpoint
-      attr_optional *(singular_attributes + plurar_attributes)
-
-      plurar_attributes.each do |_attr_|
-        define_method "#{_attr_}_with_split" do
-          value = self.send("#{_attr_}_without_split")
-          case value
-          when String
-            value.split(' ')
-          else
-            value
-          end
-        end
-        alias_method_chain _attr_, :split
-      end
-
-      validates :operation,             presence: true
-      validates :client_id,             presence: {if: ->(c) { ['client_update', 'rotate_secret'].include?(c.operation.to_s) }}
-      validates :sector_identifier_url, presence: {if: :sector_identifier_required?}
-
-      validates :operation,        inclusion: {in: ['client_register', 'rotate_secret', 'client_update']}
-      validates :application_type, inclusion: {in: ['native', 'web']},      allow_nil: true
-      validates :subject_type,     inclusion: {in: ['pairwise', 'public']}, allow_nil: true
-      validates :token_endpoint_auth_method, inclusion: {
-        in: ['client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt']
-      }, allow_nil: true
-
-      validates(
-        :logo_url,
-        :policy_url,
-        :tos_url,
-        :jwk_url,
-        :jwk_encryption_url,
-        :x509_url,
-        :x509_encryption_url,
-        :sector_identifier_url,
-        :initiate_login_uri,
-        :post_logout_redirect_url,
-        url: true,
-        allow_nil: true
-      )
-
+      attr_optional :initial_access_token
+      attr_required(*required_metadata_attributes)
+      attr_optional(*(metadata_attributes - required_metadata_attributes))
+
+      validates(*required_attributes,   presence: true)
+      validates :sector_identifier_uri, presence: {if: :sector_identifier_required?}
+      validates(*singular_uri_attributes, url: true, allow_nil: true)
+      validate :validate_plural_uri_attributes
       validate :validate_contacts
-      validate :validate_redirect_uris
-      validate :validate_key_urls
-      validate :validate_signature_algorithms
-      validate :validate_encription_algorithms
 
       def initialize(endpoint, attributes = {})
-        @endpoint = endpoint
-        optional_attributes.each do |_attr_|
-          value = if _attr_ == :access_token
-            attributes[_attr_]
-          else
-            attributes[_attr_].try(:to_s)
-          end
-          self.send "#{_attr_}=", value
+        self.endpoint = endpoint
+        self.initial_access_token = attributes[:initial_access_token]
+        self.class.metadata_attributes.each do |_attr_|
+          self.send "#{_attr_}=", attributes[_attr_]
         end
-        attr_missing!
       end
 
       def sector_identifier
-        if valid_uri?(sector_identifier_url)
-          URI.parse(sector_identifier_url).host
+        if valid_uri?(sector_identifier_uri)
+          URI.parse(sector_identifier_uri).host
         else
-          hosts = Array(redirect_uris).collect do |redirect_uri|
+          hosts = redirect_uris.collect do |redirect_uri|
             if valid_uri?(redirect_uri, nil)
               URI.parse(redirect_uri).host
             else
@@ -121,32 +88,21 @@ module OpenIDConnect
 
       def as_json(options = {})
         validate!
-        (optional_attributes - [:access_token]).inject({}) do |hash, _attr_|
-          value = self.send(_attr_)
-          hash.merge! _attr_ => case value
-          when Array
-            value.collect(&:to_s).join(' ')
-          else
-            value
-          end
-        end.delete_if do |key, value|
-          value.nil?
+        self.class.metadata_attributes.inject({}) do |hash, _attr_|
+          value = self.send _attr_
+          hash.merge! _attr_ => value unless value.nil?
+          hash
         end
       end
 
       def register!
-        self.operation = 'client_register'
-        post!
-      end
-
-      def rotate_secret!
-        self.operation = 'rotate_secret'
-        post!
+        handle_response do
+          http_client.post endpoint, to_json, 'Content-Type' => 'application/json'
+        end
       end
 
-      def update!
-        self.operation = 'client_update'
-        post!
+      def read
+        # TODO: Do we want this feature even if we don't have rotate secret nor update metadata support?
       end
 
       def validate!
@@ -156,14 +112,13 @@ module OpenIDConnect
       private
 
       def sector_identifier_required?
-        subject_type == 'pairwise' &&
+        subject_type.to_s == 'pairwise' &&
         sector_identifier.blank?
       end
 
       def valid_uri?(uri, schemes = ['http', 'https'])
         # NOTE: specify nil for schemes to allow any schemes
-        URI::regexp(schemes).match(uri).present? &&
-        URI.parse(uri).fragment.blank?
+        URI::regexp(schemes).match(uri).present?
       end
 
       def validate_contacts
@@ -180,42 +135,26 @@ module OpenIDConnect
         end
       end
 
-      def validate_redirect_uris
-        if redirect_uris
-          include_invalid = redirect_uris.any? do |redirect_uri|
-            !valid_uri?(redirect_uri, nil)
+      def validate_plural_uri_attributes
+        self.class.plural_uri_attributes.each do |_attr_|
+          if (uris = self.send(_attr_))
+            include_invalid = uris.any? do |uri|
+              !valid_uri?(uri, nil)
+            end
+            errors.add _attr_, 'includes invalid URL' if include_invalid
           end
-          errors.add :redirect_uris, 'includes invalid URL' if include_invalid
-        end
-      end
-
-      def validate_key_urls
-        # TODO
-      end
-
-      def validate_signature_algorithms
-        # TODO
-      end
-
-      def validate_encription_algorithms
-        # TODO
-      end
-
-      def post!
-        handle_response do
-          http_client.post endpoint, as_json
         end
       end
 
       def http_client
-        case access_token
+        case initial_access_token
         when nil
           OpenIDConnect.http_client
         when Rack::OAuth2::AccessToken::Bearer
-          access_token
+          initial_access_token
         else
           Rack::OAuth2::AccessToken::Bearer.new(
-            access_token: access_token
+            access_token: initial_access_token
           )
         end
       end
@@ -231,7 +170,7 @@ module OpenIDConnect
       end
 
       def handle_success_response(response)
-        credentials = JSON.parse response.body, symbolize_names: true
+        credentials = response.body.with_indifferent_access
         Client.new(
           identifier: credentials[:client_id],
           secret:     credentials[:client_secret],
@@ -244,4 +183,4 @@ module OpenIDConnect
       end
     end
   end
-end
+end

data/lib/openid_connect/client.rb

@@ -1,48 +1,43 @@
 module OpenIDConnect
   class Client < Rack::OAuth2::Client
     attr_optional :userinfo_endpoint, :expires_in
-    alias_method :user_info_endpoint, :userinfo_endpoint
-    alias_method :user_info_endpoint=, :userinfo_endpoint=
 
     def initialize(attributes = {})
-      attributes[:userinfo_endpoint] ||= attributes[:user_info_endpoint]
       super attributes
-      self.userinfo_endpoint ||= '/user_info'
+      self.userinfo_endpoint ||= '/userinfo'
     end
 
     def authorization_uri(params = {})
-      params[:response_type] ||= :token
       params[:scope] = setup_required_scope params[:scope]
+      params[:prompt] = Array(params[:prompt]).join(' ')
       super
     end
 
     def userinfo_uri
       absolute_uri_for userinfo_endpoint
     end
-    alias_method :user_info_uri, :userinfo_uri
 
     private
 
     def setup_required_scope(scopes)
-      _scopes_ = Array(scopes).collect(&:to_s).join(' ').split(' ')
+      _scopes_ = Array(scopes).join(' ').split(' ')
       _scopes_ << 'openid' unless _scopes_.include?('openid')
       _scopes_
     end
 
     def handle_success_response(response)
-      token_hash = JSON.parse response.body, symbolize_names: true
-      case token_type = token_hash[:token_type].try(:downcase)
+      token_hash = response.body.with_indifferent_access
+      token_type = (@forced_token_type || token_hash[:token_type]).try(:downcase)
+      case token_type
       when 'bearer'
         AccessToken.new token_hash.merge(client: self)
       else
         raise Exception.new("Unexpected Token Type: #{token_type}")
       end
-    rescue JSON::ParserError
-      raise Exception.new("Unknown Token Type")
     end
   end
 end
 
 Dir[File.dirname(__FILE__) + '/client/*.rb'].each do |file|
   require file
-end
+end

data/lib/openid_connect/discovery/provider/config/resource.rb

@@ -1,3 +1,5 @@
+require "openssl"
+
 module OpenIDConnect
   module Discovery
     module Provider
@@ -23,12 +25,12 @@ module OpenIDConnect
           private
 
           def to_response_object(hash)
-            Response.new hash
+            Response.new(hash)
           end
 
           def cache_key
-            md5 = Digest::MD5.hexdigest host
-            "swd:resource:opneid-conf:#{md5}"
+            sha256 = OpenSSL::Digest::SHA256.hexdigest host
+            "swd:resource:opneid-conf:#{sha256}"
           end
         end
       end