openid_connect 0.6.1 → 2.3.0

data/lib/rack/oauth2/server/authorize/request_with_connect_params.rb

@@ -1,23 +1,26 @@
 class Rack::OAuth2::Server::Authorize
   module RequestWithConnectParams
-    CONNECT_EXT_PARAMS = [:nonce, :display, :prompt, :request, :request_uri, :id_token]
+    CONNECT_EXT_PARAMS = [
+      :nonce, :display, :prompt, :max_age, :ui_locales, :claims_locales,
+      :id_token_hint, :login_hint, :acr_values, :claims, :request, :request_uri
+    ]
 
-    def self.included(klass)
+    def self.prepended(klass)
       klass.send :attr_optional, *CONNECT_EXT_PARAMS
-      klass.class_eval do
-        def initialize_with_connect_params(env)
-          initialize_without_connect_params env
-          CONNECT_EXT_PARAMS.each do |attribute|
-            self.send :"#{attribute}=", params[attribute.to_s]
-          end
-        end
-        alias_method_chain :initialize, :connect_params
+    end
 
-        def openid_connect_request?
-          scope.include?('openid')
-        end
+    def initialize(env)
+      super
+      CONNECT_EXT_PARAMS.each do |attribute|
+        self.send :"#{attribute}=", params[attribute.to_s]
       end
+      self.prompt = Array(prompt.to_s.split(' '))
+      self.max_age = max_age.try(:to_i)
+    end
+
+    def openid_connect_request?
+      scope.include?('openid')
     end
   end
-  Request.send :include, RequestWithConnectParams
+  Request.send :prepend, RequestWithConnectParams
 end

data/lib/rack/oauth2/server/id_token_response.rb

@@ -1,22 +1,20 @@
 module Rack::OAuth2::Server
   module IdTokenResponse
-    def self.included(klass)
+    def self.prepended(klass)
       klass.send :attr_optional, :id_token
-      klass.class_eval do
-        def protocol_params_location
-          :fragment
-        end
+    end
+
+    def protocol_params_location
+      :fragment
+    end
 
-        def protocol_params_with_id_token
-          protocol_params_without_id_token.merge(
-            id_token: id_token
-          )
-        end
-        alias_method_chain :protocol_params, :id_token
-      end
+    def protocol_params
+      super.merge(
+        id_token: id_token
+      )
     end
   end
-  Token::Response.send :include, IdTokenResponse
+  Token::Response.send :prepend, IdTokenResponse
 end
 
 require 'rack/oauth2/server/authorize/extension/code_and_id_token'

data/openid_connect.gemspec

@@ -6,22 +6,28 @@ Gem::Specification.new do |s|
   s.homepage    = "https://github.com/nov/openid_connect"
   s.summary     = %q{OpenID Connect Server & Client Library}
   s.description = %q{OpenID Connect Server & Client Library}
+  s.license     = 'MIT'
+
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
-  s.add_runtime_dependency "json", ">= 1.4.3"
   s.add_runtime_dependency "tzinfo"
-  s.add_runtime_dependency "attr_required", ">= 0.0.5"
-  s.add_runtime_dependency "activemodel", ">= 3"
+  s.add_runtime_dependency "attr_required", ">= 1.0.0"
+  s.add_runtime_dependency "activemodel"
   s.add_runtime_dependency "validate_url"
-  s.add_runtime_dependency "validate_email"
-  s.add_runtime_dependency "json-jwt", ">= 0.3.3"
-  s.add_runtime_dependency "swd", ">= 0.1.2"
-  s.add_runtime_dependency "webfinger", ">= 0.0.2"
-  s.add_runtime_dependency "rack-oauth2", ">= 1.0.0"
-  s.add_development_dependency "rake", ">= 0.8"
-  s.add_development_dependency "rspec", ">= 2"
-  s.add_development_dependency "webmock", ">= 1.6.2"
-  s.add_development_dependency "cover_me", ">= 1.2.0"
-end
+  s.add_runtime_dependency "email_validator"
+  s.add_runtime_dependency "mail"
+  s.add_runtime_dependency 'faraday', '~> 2.0'
+  s.add_runtime_dependency 'faraday-follow_redirects'
+  s.add_runtime_dependency "json-jwt", ">= 1.16"
+  s.add_runtime_dependency "swd", "~> 2.0"
+  s.add_runtime_dependency "webfinger", "~> 2.0"
+  s.add_runtime_dependency "rack-oauth2", "~> 2.2"
+  s.add_development_dependency "rake"
+  s.add_development_dependency "rspec"
+  s.add_development_dependency "rspec-its"
+  s.add_development_dependency "webmock"
+  s.add_development_dependency "simplecov"
+  s.add_development_dependency "rexml"
+end

data/spec/helpers/crypto_spec_helper.rb

@@ -8,11 +8,11 @@ module CryptoSpecHelper
   end
 
   def private_key
-    @private_key ||= OpenSSL::PKey::RSA.new rsa_key.export(OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC'), 'pass-phrase'), 'pass-phrase'
+    @private_key ||= OpenSSL::PKey::RSA.new rsa_key.export(OpenSSL::Cipher.new('DES-EDE3-CBC'), 'pass-phrase'), 'pass-phrase'
   end
 
   def ec_key
-    @ec_key ||= OpenSSL::PKey::EC.new('secp256k1').generate_key
+    @ec_key ||= OpenSSL::PKey::EC.new('prime256v1').generate_key
   end
 
   def ec_public_key

data/spec/helpers/webmock_helper.rb

@@ -7,23 +7,22 @@ module WebMockHelper
     ).to_return(
       response_for(response_file, options)
     )
-    yield
+    result = yield
     a_request(method, endpoint).with(
       request_for(method, options)
     ).should have_been_made.once
+    result
   end
 
   private
 
   def request_for(method, options = {})
     request = {}
-    if options[:params]
-      case method
-      when :post, :put
-        request[:body] = options[:params]
-      else
-        request[:query] = options[:params]
-      end
+    case method
+    when :post, :put
+      request[:body] = options[:params]
+    else
+      request[:query] = options[:params]
     end
     if options[:request_header]
       request[:headers] = options[:request_header]
@@ -33,7 +32,13 @@ module WebMockHelper
 
   def response_for(response_file, options = {})
     response = {}
-    response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', "#{response_file}.#{options[:format] || :json}"))
+    format = options[:format] || :json
+    if format == :json
+      response[:headers] = {
+        'Content-Type': 'application/json'
+      }
+    end
+    response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', "#{response_file}.#{format}"))
     if options[:status]
       response[:status] = options[:status]
     end

data/spec/mock_response/access_token/without_token_type.json

@@ -0,0 +1,3 @@
+{
+  "access_token":"access_token"
+}

data/spec/mock_response/discovery/config.json

@@ -1,13 +1,13 @@
 {
-    "version": "3.0",
     "issuer": "https://connect-op.heroku.com",
     "authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
     "token_endpoint": "https://connect-op.heroku.com/access_tokens",
-    "userinfo_endpoint": "https://connect-op.heroku.com/user_info",
+    "userinfo_endpoint": "https://connect-op.heroku.com/userinfo",
     "registration_endpoint": "https://connect-op.heroku.com/connect/client",
     "scopes_supported": ["openid", "profile", "email", "address"],
     "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
     "subject_types_supported": ["public", "pairwise"],
     "claims_supported": ["sub", "iss", "name", "email"],
-    "x509_url": "https://connect-op.heroku.com/cert.pem"
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
 }

data/spec/mock_response/discovery/config_with_custom_port.json

@@ -0,0 +1,13 @@
+{
+    "issuer": "https://connect-op.heroku.com:8080",
+    "authorization_endpoint": "https://connect-op.heroku.com:8080/authorizations/new",
+    "token_endpoint": "https://connect-op.heroku.com:8080/access_tokens",
+    "userinfo_endpoint": "https://connect-op.heroku.com:8080/userinfo",
+    "registration_endpoint": "https://connect-op.heroku.com:8080/connect/client",
+    "scopes_supported": ["openid", "profile", "email", "address"],
+    "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
+    "subject_types_supported": ["public", "pairwise"],
+    "claims_supported": ["sub", "iss", "name", "email"],
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
+}

data/spec/mock_response/discovery/config_with_invalid_issuer.json

@@ -0,0 +1,13 @@
+{
+    "issuer": "https://attacker.example.com",
+    "authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
+    "token_endpoint": "https://connect-op.heroku.com/access_tokens",
+    "userinfo_endpoint": "https://connect-op.heroku.com/userinfo",
+    "registration_endpoint": "https://connect-op.heroku.com/connect/client",
+    "scopes_supported": ["openid", "profile", "email", "address"],
+    "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
+    "subject_types_supported": ["public", "pairwise"],
+    "claims_supported": ["sub", "iss", "name", "email"],
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
+}

data/spec/mock_response/discovery/config_with_path.json

@@ -0,0 +1,13 @@
+{
+    "issuer": "https://connect.openid4.us/abop",
+    "authorization_endpoint": "https://connect.openid4.us/abop/authorizations/new",
+    "token_endpoint": "https://connect.openid4.us/abop/access_tokens",
+    "userinfo_endpoint": "https://connect.openid4.us/abop/userinfo",
+    "registration_endpoint": "https://connect.openid4.us/abop/connect/client",
+    "scopes_supported": ["openid", "profile", "email", "address"],
+    "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
+    "subject_types_supported": ["public", "pairwise"],
+    "claims_supported": ["sub", "iss", "name", "email"],
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
+}

data/spec/mock_response/discovery/config_without_issuer.json

@@ -0,0 +1,12 @@
+{
+    "authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
+    "token_endpoint": "https://connect-op.heroku.com/access_tokens",
+    "userinfo_endpoint": "https://connect-op.heroku.com/userinfo",
+    "registration_endpoint": "https://connect-op.heroku.com/connect/client",
+    "scopes_supported": ["openid", "profile", "email", "address"],
+    "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
+    "subject_types_supported": ["public", "pairwise"],
+    "claims_supported": ["sub", "iss", "name", "email"],
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
+}

data/spec/mock_response/errors/unknown.json

@@ -1 +1,3 @@
-Fuckin Unknown Error
+{
+  "unknown": "unknown"
+}

data/spec/mock_response/public_keys/{jwk.json → jwks.json}

@@ -1,6 +1,6 @@
 {
   "keys": [{
-    "alg": "RSA",
+    "kty": "RSA",
     "e": "AQAB",
     "n": "u4liYNFzgsRr1ERdUY7CY6r4nefi3RzIhK5fdPgdZSMEEflACWAuJu21_TcDpbZ1-6Kbq7zShFsVTAnBkWdO7EP1Rsn11fZpi9m_zEq_uRY-4RpNwp3S9xSdoQ4F3-js1EMaDQ6km0-c0gvr_TyhFqDj_6w_Bb0vFptfGXwfKewPPnhsi7GJ62ihZ32PzxOvEIYcaoXr9xaeudYD3BzWSDmjKGA7PMaEuBhScdUAoibCmsKB-yAGsz2amHnUhcl4B_EBs6wk65Y7ge0ZQJUOGPdUQL49VuALKmr7cMhHKh5KuQmPAi_20K2uZL_EFDaObDWZrclx98s0DmfTRKINtw"
   }]

data/spec/mock_response/public_keys/jwks_with_private_key.json

@@ -0,0 +1,8 @@
+{
+  "keys": [{
+    "kty": "RSA",
+    "e": "AQAB",
+    "n": "vWr1S4T0jBnYU9PIpUYxT48Ca8HK8aitbmqbTM3t3Zzl1GNpIlyePnwXSL6SgNcVbeRhTfvXZUzH4pP8HzPJdpUHnAeYyCzjz9UNykdFCp2YW676wpLDzMkaU7bYLJxGjZlpHU-UJVIm5KX9-NfMyGbFUOuw4AY-OWp8GxrqwAF4U6bJ86TpO24wMxmgm0Vl72aRMGVJkRz66YLYOPNVjXjOI4bUuxg_o3Px5QASxvDCawMeLR3pLCoQcLAZn6WZx7nX3Wu6QzcY0QCqhqUAeY49QRT83Jdg7WUsNa2Rbegi3jJGJf-t9hEcJPmrI6q9zl6WArUueQHS-XUQWq5ptw",
+    "kid": "DCmKamGtkGAWz-uujePOp-UeATAeT4fi3KouR78r44I"
+  }]
+}

data/spec/mock_response/public_keys/private_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvWr1S4T0jBnYU9PIpUYxT48Ca8HK8aitbmqbTM3t3Zzl1GNp
+IlyePnwXSL6SgNcVbeRhTfvXZUzH4pP8HzPJdpUHnAeYyCzjz9UNykdFCp2YW676
+wpLDzMkaU7bYLJxGjZlpHU+UJVIm5KX9+NfMyGbFUOuw4AY+OWp8GxrqwAF4U6bJ
+86TpO24wMxmgm0Vl72aRMGVJkRz66YLYOPNVjXjOI4bUuxg/o3Px5QASxvDCawMe
+LR3pLCoQcLAZn6WZx7nX3Wu6QzcY0QCqhqUAeY49QRT83Jdg7WUsNa2Rbegi3jJG
+Jf+t9hEcJPmrI6q9zl6WArUueQHS+XUQWq5ptwIDAQABAoIBAHvDWBUJAVRNSsiy
+90XuECggk/9ed0Dg6rjblS9g2kvTyWO1tKsMAyVmpTwVsNnYLxtHfsCajcmVmoEU
+Gkc06iy+AWPUnuIkWpGgbss9OAJQqI03Toc1qBO1TqtmK+cyEPNSSpkpNu4PuHPr
+dX9TWW2ToNdXuJEX4y5WwlJfiwT6kPdK86IKpPCql1+X/N2nKbn+5OWHTDuW3jLF
+H4UoJlUU77VgPedQLF9xr9NXGZbgYdTtsg3GU3k7/xhcetNq22Dtr8vYnX8LcIsZ
+9VW+KBRGOwgXTMLuj25VxkFUsJejEoq5+WyHTsSsa4w8Fxyc50GPfZJKh8J2jHiG
+8weJUNECgYEA5CoQmUz+8saVg1IwnEgZBSMF1rthMgvuDPhD8PJNaugUCyo9tg0O
+AXo9EMOUHmr2vCN8h2MZZuuW0D5np/Z9T102N99mJU6tVMSabBPDUTfxThq4xY48
+VZvS6EOzSomeEbrIDciJghqJIvPxEoqLXY3Zg7kDef7YiqybhZFdlS8CgYEA1IbH
+MHKfcL+LAo88y4tgOe6Wn8FRG1K7MHvdR+KErgxBg63I9zmolPsyznjNVKpB9syt
+zqkDxBg/jTIctgeziMQNSODQoqRKcgEDePwcu+wBvuV+LJFJoIWFrvIPyZ5yKzeb
+Vm1lRMgQfoeAQE4nVYAJG+oTTsFTdEtrHkOW4fkCgYEAsNHcnUFrTvARDH1UiLjj
+EvUKYFhEwck3CbwYwxC0aIZEikaJHp3NXd3Cl0xKbKxOXI1Pw4hMNlObQ/Uo1aUT
+hb7h9rjda0omz8uxNNK4CihFjFbvHMLXBS1GbJOSzdAKvQi4Yt4nmrk/z+Omzsyp
+pq34hLmL9S5H2Ghd+kwmbycCgYBiC1N1PEvl3depdJ8dX80irLj8NljOfBozQdFR
+ymRfTvQiZVfjBcyJ/mDv87b2Kh2IV+CPCFXebzlSUB4CtAbVP2zJhD176sMVWPZb
+KCOxZi1f/ct5kAUhcre7f5xc7SXKXjrhYlJnqsxBMw2tnOB0hz6sjA4gNPvlGK3w
+JkpDMQKBgQCgPoqSjmbroWC9oq5iDwRtx6f6fJG7CE91ZFJulunQj6YWOC3zNHEa
+XvPPGM8fZpJS4e8LiPClkk8nsOoC50neEVGZeEuhdP6m6WNPN3SlP7bXozHOJTh0
+mHrk2bUHFlQn8f5KWfLQbdyKBzs7WqCRTOR/gIbfxBlUOs0BN37xhw==
+-----END RSA PRIVATE KEY-----

data/spec/openid_connect/access_token_spec.rb

@@ -53,9 +53,7 @@ describe OpenIDConnect::AccessToken do
   shared_examples_for :access_token_error_handling do
     context 'when bad_request' do
       it 'should raise OpenIDConnect::Forbidden' do
-        mock_json :get, endpoint, 'errors/invalid_request', :HTTP_AUTHORIZATION => 'Bearer access_token', status: 400, params: {
-          schema: 'openid'
-        } do
+        mock_json :get, endpoint, 'errors/invalid_request', :HTTP_AUTHORIZATION => 'Bearer access_token', status: 400 do
           expect { request }.to raise_error OpenIDConnect::BadRequest
         end
       end
@@ -63,9 +61,7 @@ describe OpenIDConnect::AccessToken do
 
     context 'when unauthorized' do
       it 'should raise OpenIDConnect::Unauthorized' do
-        mock_json :get, endpoint, 'errors/invalid_access_token', :HTTP_AUTHORIZATION => 'Bearer access_token', status: 401, params: {
-          schema: 'openid'
-        } do
+        mock_json :get, endpoint, 'errors/invalid_access_token', :HTTP_AUTHORIZATION => 'Bearer access_token', status: 401 do
           expect { request }.to raise_error OpenIDConnect::Unauthorized
         end
       end
@@ -73,9 +69,7 @@ describe OpenIDConnect::AccessToken do
 
     context 'when forbidden' do
       it 'should raise OpenIDConnect::Forbidden' do
-        mock_json :get, endpoint, 'errors/insufficient_scope', :HTTP_AUTHORIZATION => 'Bearer access_token', status: 403, params: {
-          schema: 'openid'
-        } do
+        mock_json :get, endpoint, 'errors/insufficient_scope', :HTTP_AUTHORIZATION => 'Bearer access_token', status: 403 do
           expect { request }.to raise_error OpenIDConnect::Forbidden
         end
       end
@@ -83,27 +77,24 @@ describe OpenIDConnect::AccessToken do
 
     context 'when unknown' do
       it 'should raise OpenIDConnect::HttpError' do
-        mock_json :get, endpoint, 'errors/unknown', :HTTP_AUTHORIZATION => 'Bearer access_token', status: 500, params: {
-          schema: 'openid'
-        } do
+        mock_json :get, endpoint, 'errors/unknown', :HTTP_AUTHORIZATION => 'Bearer access_token', status: 500 do
           expect { request }.to raise_error OpenIDConnect::HttpError
         end
       end
     end
   end
 
-  describe '#user_info!' do
-    it 'should return OpenIDConnect::ResponseObject::UserInfo::OpenID' do
-      mock_json :get, client.user_info_uri, 'user_info/openid', :HTTP_AUTHORIZATION => 'Bearer access_token', params: {
-        schema: 'openid'
-      } do
-        access_token.user_info!.should be_a OpenIDConnect::ResponseObject::UserInfo::OpenID
+  describe '#userinfo!' do
+    it do
+      userinfo = mock_json :get, client.userinfo_uri, 'userinfo/openid', :HTTP_AUTHORIZATION => 'Bearer access_token' do
+        access_token.userinfo!
       end
+      userinfo.should be_instance_of OpenIDConnect::ResponseObject::UserInfo
     end
 
     describe 'error handling' do
-      let(:endpoint) { client.user_info_uri }
-      let(:request) { access_token.user_info! }
+      let(:endpoint) { client.userinfo_uri }
+      let(:request) { access_token.userinfo! }
       it_behaves_like :access_token_error_handling
     end
   end