openid_connect 0.6.1 → 2.3.0

data/lib/openid_connect/discovery/provider/config/response.rb

@@ -2,116 +2,111 @@ module OpenIDConnect
   module Discovery
     module Provider
       class Config
-        class Response < SWD::Resource
-          include AttrOptional
+        class Response
+          include ActiveModel::Validations, AttrRequired, AttrOptional
 
+          cattr_accessor :metadata_attributes
           attr_reader :raw
-          attr_optional(
-            :version,
-            :issuer,
-            :authorization_endpoint,
-            :token_endpoint,
-            :userinfo_endpoint,
-            :refresh_session_endpoint,
-            :check_session_endpoint,
-            :end_session_endpoint,
-            :jwk_url,
-            :jwk_encryption_url,
-            :x509_url,
-            :x509_encryption_url,
-            :registration_endpoint,
-            :scopes_supported,
+          attr_accessor :expected_issuer
+          uri_attributes = {
+            required: [
+              :issuer,
+              :authorization_endpoint,
+              :jwks_uri
+            ],
+            optional: [
+              :token_endpoint,
+              :userinfo_endpoint,
+              :registration_endpoint,
+              :end_session_endpoint,
+              :service_documentation,
+              :check_session_iframe,
+              :op_policy_uri,
+              :op_tos_uri
+            ]
+          }
+          attr_required(*(uri_attributes[:required] + [
             :response_types_supported,
-            :acr_values_supported,
             :subject_types_supported,
-            :claims_supported,
+            :id_token_signing_alg_values_supported
+          ]))
+          attr_optional(*(uri_attributes[:optional] + [
+            :scopes_supported,
+            :response_modes_supported,
+            :grant_types_supported,
+            :acr_values_supported,
+            :id_token_encryption_alg_values_supported,
+            :id_token_encryption_enc_values_supported,
             :userinfo_signing_alg_values_supported,
             :userinfo_encryption_alg_values_supported,
             :userinfo_encryption_enc_values_supported,
-            :id_token_signing_alg_values_supported,
-            :id_token_encryption_alg_values_supported,
-            :id_token_encryption_enc_values_supported,
             :request_object_signing_alg_values_supported,
             :request_object_encryption_alg_values_supported,
             :request_object_encryption_enc_values_supported,
             :token_endpoint_auth_methods_supported,
-            :token_endpoint_auth_signing_alg_values_supported
-          )
-          [
-            :userinfo_endpoint,
-            :userinfo_signing_alg_values_supported,
-            :userinfo_encryption_alg_values_supported,
-            :userinfo_encryption_enc_values_supported
-          ].each do |userinfo_attribute|
-            user_info_attribute = userinfo_attribute.to_s.sub('userinfo', 'user_info').to_sym
-            alias_method user_info_attribute, userinfo_attribute
-            alias_method :"#{user_info_attribute}=", userinfo_attribute
-          end
+            :token_endpoint_auth_signing_alg_values_supported,
+            :display_values_supported,
+            :claim_types_supported,
+            :claims_supported,
+            :claims_locales_supported,
+            :ui_locales_supported,
+            :claims_parameter_supported,
+            :request_parameter_supported,
+            :request_uri_parameter_supported,
+            :require_request_uri_registration
+          ]))
+
+          validates(*required_attributes, presence: true)
+          validates(*uri_attributes.values.flatten, url: true, allow_nil: true)
+          validates :issuer, with: :validate_issuer_matching
 
           def initialize(hash)
-            optional_attributes.each do |key|
+            (required_attributes + optional_attributes).each do |key|
               self.send "#{key}=", hash[key]
             end
-            self.userinfo_endpoint ||= hash[:user_info_endpoint]
-            self.userinfo_signing_alg_values_supported ||= hash[:user_info_signing_alg_values_supported]
-            self.userinfo_encryption_alg_values_supported ||= hash[:user_info_encryption_alg_values_supported]
-            self.userinfo_encryption_enc_values_supported ||= hash[:user_info_encryption_enc_values_supported]
-            self.version ||= '3.0'
             @raw = hash
           end
 
           def as_json(options = {})
-            hash = optional_attributes.inject({}) do |hash, _attr_|
-              hash.merge(
-                _attr_ => self.send(_attr_)
-              )
-            end
-            hash.delete_if do |key, value|
-              value.nil?
+            validate!
+            (required_attributes + optional_attributes).inject({}) do |hash, _attr_|
+              value = self.send _attr_
+              hash.merge! _attr_ => value unless value.nil?
+              hash
             end
           end
 
-          def signing_key
-            x509_public_key || jwk_public_key
+          def validate!
+            valid? or raise ValidationFailed.new(self)
           end
 
-          def encryption_key
-            if x509_encryption_url
-              x509_public_key :for_encryption
-            elsif jwk_encryption_url
-              jwk_public_key :for_encryption
-            else
-              signing_key
-            end
+          def jwks
+            @jwks ||= OpenIDConnect.http_client.get(jwks_uri).body.with_indifferent_access
+            JSON::JWK::Set.new @jwks[:keys]
           end
 
-          private
+          def jwk(kid)
+            @jwks ||= {}
+            @jwks[kid] ||= JSON::JWK::Set::Fetcher.fetch(jwks_uri, kid: kid)
+          end
 
-          def x509_public_key(for_encryption = false)
-            endpoint = if for_encryption
-              x509_encryption_url || x509_url
-            else
-              x509_url
-            end
-            if endpoint
-              cert = OpenSSL::X509::Certificate.new OpenIDConnect.http_client.get_content(endpoint)
-              cert.public_key
-            end
+          def public_keys
+            @public_keys ||= jwks.collect(&:to_key)
           end
 
-          def jwk_public_key(for_encryption = false)
-            endpoint = if for_encryption
-              jwk_encryption_url || jwk_url
-            else
-              jwk_url
-            end
-            if endpoint
-              jwk_set = JSON.parse OpenIDConnect.http_client.get_content(endpoint), symbolize_names: true
-              JSON::JWK.decode jwk_set[:keys].first
+          private
+
+          def validate_issuer_matching
+            if expected_issuer.present? && issuer != expected_issuer
+              if OpenIDConnect.validate_discovery_issuer
+                errors.add :issuer, 'mismatch'
+              else
+                OpenIDConnect.logger.warn 'ignoring issuer mismach.'
+              end
             end
           end
         end
       end
     end
   end
-end
+end

data/lib/openid_connect/discovery/provider/config.rb

@@ -4,8 +4,11 @@ module OpenIDConnect
       class Config
         def self.discover!(identifier, cache_options = {})
           uri = URI.parse(identifier)
-          Resource.new(uri).discover!(cache_options)
-        rescue SWD::Exception => e
+          Resource.new(uri).discover!(cache_options).tap do |response|
+            response.expected_issuer = identifier
+            response.validate!
+          end
+        rescue SWD::Exception, ValidationFailed => e
           raise DiscoveryFailed.new(e.message)
         end
       end

data/lib/openid_connect/discovery/provider.rb

@@ -2,6 +2,8 @@ module OpenIDConnect
   module Discovery
     module Provider
       module Issuer
+        REL_VALUE = 'http://openid.net/specs/connect/1.0/issuer'
+
         def issuer
           self.link_for(REL_VALUE)[:href]
         end
@@ -9,14 +11,16 @@ module OpenIDConnect
 
       def self.discover!(identifier)
         resource = case identifier
-        when /^acct:/, /@/, /^https?:\/\//
+        when /^acct:/, /https?:\/\//
           identifier
+        when /@/
+          "acct:#{identifier}"
         else
           "https://#{identifier}"
         end
         response = WebFinger.discover!(
           resource,
-          rel: REL_VALUE
+          rel: Issuer::REL_VALUE
         )
         response.extend Issuer
         response

data/lib/openid_connect/discovery.rb

@@ -1,7 +1,5 @@
 module OpenIDConnect
   module Discovery
-    REL_VALUE = 'http://openid.net/specs/connect/1.0/issuer'
-
     class InvalidIdentifier < Exception; end
     class DiscoveryFailed < Exception; end
   end

data/lib/openid_connect/jwtnizable.rb

@@ -1,12 +1,14 @@
 module OpenIDConnect
   module JWTnizable
     def to_jwt(key, algorithm = :RS256, &block)
+      as_jwt(key, algorithm, &block).to_s
+    end
+
+    def as_jwt(key, algorithm = :RS256, &block)
       token = JSON::JWT.new as_json
       yield token if block_given?
-      if algorithm != :none
-        token = token.sign key, algorithm
-      end
-      token.to_s
+      token = token.sign key, algorithm if algorithm != :none
+      token
     end
   end
 end

data/lib/openid_connect/request_object/claimable.rb

@@ -3,12 +3,10 @@ module OpenIDConnect
     module Claimable
       def self.included(klass)
         klass.send :attr_optional, :claims
-        klass.send :alias_method_chain, :initialize, :claims
-        klass.send :alias_method_chain, :as_json, :keep_blank
       end
 
-      def initialize_with_claims(attributes = {})
-        initialize_without_claims attributes
+      def initialize(attributes = {})
+        super
         if claims.present?
           _claims_ = {}
           claims.each do |key, value|
@@ -29,9 +27,9 @@ module OpenIDConnect
         end
       end
 
-      def as_json_with_keep_blank(options = {})
+      def as_json(options = {})
         keys = claims.try(:keys)
-        hash = as_json_without_keep_blank options
+        hash = super
         Array(keys).each do |key|
           hash[:claims][key] ||= nil
         end

data/lib/openid_connect/request_object.rb

@@ -3,28 +3,21 @@ module OpenIDConnect
     include JWTnizable
 
     attr_optional :client_id, :response_type, :redirect_uri, :scope, :state, :nonce, :display, :prompt, :userinfo, :id_token
-    alias_method :user_info, :userinfo
     validate :require_at_least_one_attributes
 
-    def initialize(attributes = {})
-      attributes[:userinfo] ||= attributes[:user_info]
-      super attributes
-    end
-
+    undef :id_token=
     def id_token=(attributes = {})
       @id_token = IdToken.new(attributes) if attributes.present?
     end
 
+    undef :userinfo=
     def userinfo=(attributes = {})
       @userinfo = UserInfo.new(attributes) if attributes.present?
     end
-    alias_method :user_info=, :userinfo=
 
-    def as_json_with_mixed_keys(options = {})
-      hash = as_json_without_mixed_keys options
-      hash.with_indifferent_access
+    def as_json(options = {})
+      super.with_indifferent_access
     end
-    alias_method_chain :as_json, :mixed_keys
 
     class << self
       def decode(jwt_string, key = nil)
@@ -32,7 +25,7 @@ module OpenIDConnect
       end
 
       def fetch(request_uri, key = nil)
-        jwt_string = OpenIDConnect.http_client.get_content(request_uri)
+        jwt_string = OpenIDConnect.http_client.get(request_uri).body
         decode jwt_string, key
       end
     end
@@ -41,4 +34,4 @@ end
 
 require 'openid_connect/request_object/claimable'
 require 'openid_connect/request_object/id_token'
-require 'openid_connect/request_object/user_info'
+require 'openid_connect/request_object/user_info'

data/lib/openid_connect/response_object/id_token.rb

@@ -1,33 +1,41 @@
-require 'json/jwt'
-
 module OpenIDConnect
   class ResponseObject
     class IdToken < ConnectObject
       class InvalidToken < Exception; end
+      class ExpiredToken < InvalidToken; end
+      class InvalidIssuer < InvalidToken; end
+      class InvalidNonce < InvalidToken; end
+      class InvalidAudience < InvalidToken; end
 
       attr_required :iss, :sub, :aud, :exp, :iat
-      attr_optional :acr, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash
-      attr_accessor :access_token, :code
+      attr_optional :acr, :amr, :azp, :jti, :sid, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash, :s_hash
+      attr_accessor :access_token, :code, :state
       alias_method :subject, :sub
       alias_method :subject=, :sub=
 
       def initialize(attributes = {})
         super
-        (all_attributes - [:exp, :iat, :auth_time, :sub_jwk]).each do |key|
+        (all_attributes - [:aud, :exp, :iat, :auth_time, :sub_jwk]).each do |key|
           self.send "#{key}=", self.send(key).try(:to_s)
         end
+        self.auth_time = auth_time.to_i unless auth_time.nil?
       end
 
       def verify!(expected = {})
-        exp.to_i > Time.now.to_i &&
-        iss == expected[:issuer] &&
-        aud == expected[:client_id] &&
-        nonce == expected[:nonce] or
-        raise InvalidToken.new('Invalid ID Token')
+        raise ExpiredToken.new('Invalid ID token: Expired token') unless exp.to_i > Time.now.to_i
+        raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless iss == expected[:issuer]
+        raise InvalidNonce.new('Invalid ID Token: Nonce does not match') unless nonce == expected[:nonce]
+
+        # aud(ience) can be a string or an array of strings
+        unless Array(aud).include?(expected[:audience] || expected[:client_id])
+          raise InvalidAudience.new('Invalid ID token: Audience does not match')
+        end
+
+        true
       end
 
       include JWTnizable
-      def to_jwt_with_at_hash_and_c_hash(key, algorithm = :RS256, &block)
+      def to_jwt(key, algorithm = :RS256, &block)
         hash_length = algorithm.to_s[2, 3].to_i
         if access_token
           token = case access_token
@@ -41,33 +49,39 @@ module OpenIDConnect
         if code
           self.c_hash = left_half_hash_of code, hash_length
         end
-        to_jwt_without_at_hash_and_c_hash key, algorithm, &block
+        if state
+          self.s_hash = left_half_hash_of state, hash_length
+        end
+        super
       end
-      alias_method_chain :to_jwt, :at_hash_and_c_hash
 
       private
 
       def left_half_hash_of(string, hash_length)
-        digest = OpenSSL::Digest::Digest.new("SHA#{hash_length}").digest string
-        UrlSafeBase64.encode64 digest[0, hash_length / (2 * 8)]
+        digest = OpenSSL::Digest.new("SHA#{hash_length}").digest string
+        Base64.urlsafe_encode64 digest[0, hash_length / (2 * 8)], padding: false
       end
 
       class << self
-        def decode(jwt_string, key)
-          if key == :self_issued
+        def decode(jwt_string, key_or_config)
+          case key_or_config
+          when :self_issued
             decode_self_issued jwt_string
+          when OpenIDConnect::Discovery::Provider::Config::Response
+            jwt = JSON::JWT.decode jwt_string, :skip_verification
+            jwt.verify! key_or_config.jwk(jwt.kid)
+            new jwt
           else
-            new JSON::JWT.decode jwt_string, key
+            new JSON::JWT.decode jwt_string, key_or_config
           end
         end
 
         def decode_self_issued(jwt_string)
           jwt = JSON::JWT.decode jwt_string, :skip_verification
-          jwk = jwt[:sub_jwk]
+          jwk = JSON::JWK.new jwt[:sub_jwk]
           raise InvalidToken.new('Missing sub_jwk') if jwk.blank?
-          raise InvalidToken.new('Invalid subject') unless jwt[:sub] == self_issued_subject(jwk)
-          public_key = JSON::JWK.decode jwk
-          jwt = JSON::JWT.decode jwt_string, public_key
+          raise InvalidToken.new('Invalid subject') unless jwt[:sub] == jwk.thumbprint
+          jwt.verify! jwk
           new jwt
         end
 
@@ -75,24 +89,11 @@ module OpenIDConnect
           attributes[:sub_jwk] ||= JSON::JWK.new attributes.delete(:public_key)
           _attributes_ = {
             iss: 'https://self-issued.me',
-            sub: self_issued_subject(attributes[:sub_jwk])
+            sub: JSON::JWK.new(attributes[:sub_jwk]).thumbprint
           }.merge(attributes)
           new _attributes_
         end
-
-        def self_issued_subject(jwk)
-          subject_base_string = case jwk[:alg].to_s
-          when 'RSA'
-            [jwk[:n], jwk[:e]].join
-          when 'EC'
-            raise NotImplementedError.new('Not Implemented Yet')
-          else
-            # Shouldn't reach here. All unknown algorithm error should occurs when decoding JWK
-            raise InvalidToken.new('Unknown Algorithm')
-          end
-          UrlSafeBase64.encode64 OpenSSL::Digest::SHA256.digest(subject_base_string)
-        end
       end
     end
   end
-end
+end

data/lib/openid_connect/response_object/user_info/address.rb

@@ -0,0 +1,10 @@
+module OpenIDConnect
+  class ResponseObject
+    class UserInfo
+      class Address < ConnectObject
+        attr_optional :formatted, :street_address, :locality, :region, :postal_code, :country
+        validate :require_at_least_one_attributes
+      end
+    end
+  end
+end

data/lib/openid_connect/response_object/user_info.rb

@@ -1,3 +1,65 @@
-Dir[File.dirname(__FILE__) + '/user_info/*.rb'].each do |file| 
+module OpenIDConnect
+  class ResponseObject
+    class UserInfo < ConnectObject
+      attr_optional(
+        :sub,
+        :name,
+        :given_name,
+        :family_name,
+        :middle_name,
+        :nickname,
+        :preferred_username,
+        :profile,
+        :picture,
+        :website,
+        :email,
+        :email_verified,
+        :gender,
+        :birthdate,
+        :zoneinfo,
+        :locale,
+        :phone_number,
+        :phone_number_verified,
+        :address,
+        :updated_at
+      )
+      alias_method :subject, :sub
+      alias_method :subject=, :sub=
+
+      validates :email_verified, :phone_number_verified, allow_nil: true, inclusion: {in: [true, false]}
+      validates :zoneinfo,                               allow_nil: true, inclusion: {in: TZInfo::TimezoneProxy.all.collect(&:name)}
+      validates :profile, :picture, :website,            allow_nil: true, url: true
+      validates :email,                                  allow_nil: true, email: true
+      validates :updated_at,                             allow_nil: true, numericality: {only_integer: true}
+      validate :validate_address
+      validate :require_at_least_one_attributes
+      # TODO: validate locale
+
+      def initialize(attributes = {})
+        super
+        (all_attributes - [:email_verified, :phone_number_verified, :address, :updated_at]).each do |key|
+          self.send "#{key}=", self.send(key).try(:to_s)
+        end
+        self.updated_at = updated_at.try(:to_i)
+      end
+
+      def validate_address
+        errors.add :address, address.errors.full_messages.join(', ') if address.present? && !address.valid?
+      end
+
+      undef :address=
+      def address=(hash_or_address)
+        @address = case hash_or_address
+        when Hash
+          Address.new hash_or_address
+        when Address
+          hash_or_address
+        end
+      end
+    end
+  end
+end
+
+Dir[File.dirname(__FILE__) + '/user_info/*.rb'].each do |file|
   require file
-end
+end

data/lib/openid_connect.rb

@@ -1,22 +1,26 @@
 require 'json'
 require 'logger'
+require 'faraday'
+require 'faraday/follow_redirects'
 require 'swd'
 require 'webfinger'
 require 'active_model'
 require 'tzinfo'
 require 'validate_url'
-require 'validate_email'
+require 'email_validator/strict'
+require 'mail'
 require 'attr_required'
 require 'attr_optional'
+require 'json/jwt'
 require 'rack/oauth2'
+require 'rack/oauth2/server/authorize/error_with_connect_ext'
 require 'rack/oauth2/server/authorize/request_with_connect_params'
 require 'rack/oauth2/server/id_token_response'
-require 'rack/oauth2/server/resource/error_with_connect_ext'
 
 module OpenIDConnect
   VERSION = ::File.read(
     ::File.join(::File.dirname(__FILE__), '../VERSION')
-  )
+  ).chomp
 
   def self.logger
     @@logger
@@ -63,19 +67,31 @@ module OpenIDConnect
   self.debugging = false
 
   def self.http_client
-    _http_client_ = HTTPClient.new(
-      agent_name: "OpenIDConnect (#{VERSION})"
-    )
-    _http_client_.request_filter << Debugger::RequestFilter.new if debugging?
-    http_config.try(:call, _http_client_)
-    _http_client_
+    Faraday.new(headers: {user_agent: "OpenIDConnect (#{VERSION})"}) do |faraday|
+      faraday.request :url_encoded
+      faraday.request :json
+      faraday.response :json
+      faraday.adapter Faraday.default_adapter
+      http_config&.call(faraday)
+      faraday.response :logger, OpenIDConnect.logger, {bodies: true} if debugging?
+    end
   end
   def self.http_config(&block)
     @sub_protocols.each do |klass|
-      klass.http_config &block unless klass.http_config
+      klass.http_config(&block) unless klass.http_config
     end
     @@http_config ||= block
   end
+
+  def self.validate_discovery_issuer=(boolean)
+    @@validate_discovery_issuer = boolean
+  end
+
+  def self.validate_discovery_issuer
+    @@validate_discovery_issuer
+  end
+
+  self.validate_discovery_issuer = true
 end
 
 require 'openid_connect/exception'
@@ -84,4 +100,3 @@ require 'openid_connect/access_token'
 require 'openid_connect/jwtnizable'
 require 'openid_connect/connect_object'
 require 'openid_connect/discovery'
-require 'openid_connect/debugger'

data/lib/rack/oauth2/server/authorize/extension/code_and_id_token.rb

@@ -10,7 +10,7 @@ module Rack
               end
             end
 
-            def call(env)
+            def _call(env)
               @request  = Request.new env
               @response = Response.new request
               super
@@ -22,6 +22,10 @@ module Rack
                 @response_type = [:code, :id_token]
                 attr_missing!
               end
+
+              def error_params_location
+                :fragment
+              end
             end
 
             class Response < Authorize::Code::Response

data/lib/rack/oauth2/server/authorize/extension/code_and_id_token_and_token.rb

@@ -10,7 +10,7 @@ module Rack
               end
             end
 
-            def call(env)
+            def _call(env)
               @request  = Request.new env
               @response = Response.new request
               super

data/lib/rack/oauth2/server/authorize/extension/id_token.rb

@@ -10,7 +10,7 @@ module Rack
               end
             end
 
-            def call(env)
+            def _call(env)
               @request  = Request.new env
               @response = Response.new request
               super

data/lib/rack/oauth2/server/authorize/extension/id_token_and_token.rb

@@ -10,7 +10,7 @@ module Rack
               end
             end
 
-            def call(env)
+            def _call(env)
               @request  = Request.new env
               @response = Response.new request
               super