openid_connect 0.9.2 → 0.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +7 -2
- data/VERSION +1 -1
- data/lib/openid_connect/discovery/provider/config.rb +4 -2
- data/lib/openid_connect/discovery/provider/config/resource.rb +1 -1
- data/lib/openid_connect/discovery/provider/config/response.rb +5 -3
- data/lib/openid_connect/request_object.rb +2 -4
- data/lib/openid_connect/request_object/claimable.rb +4 -6
- data/lib/openid_connect/response_object/id_token.rb +2 -3
- data/lib/rack/oauth2/server/authorize/request_with_connect_params.rb +11 -13
- data/lib/rack/oauth2/server/id_token_response.rb +11 -13
- data/spec/mock_response/discovery/config_with_custom_port.json +13 -0
- data/spec/mock_response/discovery/config_with_invalid_issuer.json +13 -0
- data/spec/mock_response/discovery/config_with_path.json +13 -0
- data/spec/mock_response/discovery/config_without_issuer.json +12 -0
- data/spec/openid_connect/discovery/provider/config/response_spec.rb +1 -0
- data/spec/openid_connect/discovery/provider/config_spec.rb +36 -16
- metadata +11 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 96670a029138c10be710eeb8b123c9e3b173c3ee
|
|
4
|
+
data.tar.gz: 02bf038dac7a8acaef22d285d0fbfc433443bd62
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1f59f7cc3af3259e70dd8f40e8790c854a2ca7b487e0cdb09850e161460d07a9b7031b983da851563aa5f136c188b4ce698664597572911c36a5588b0d767557
|
|
7
|
+
data.tar.gz: 9bb50877162d933fcbaa8c82e2a2f344e3e81a3a30059f116716c5fb94db3586b946dac3ff350216ff84ef7077001af677fb533c97eea3d340f9aae0b767d384
|
data/.travis.yml
CHANGED
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.
|
|
1
|
+
0.10.0
|
|
@@ -4,8 +4,10 @@ module OpenIDConnect
|
|
|
4
4
|
class Config
|
|
5
5
|
def self.discover!(identifier, cache_options = {})
|
|
6
6
|
uri = URI.parse(identifier)
|
|
7
|
-
Resource.new(uri).discover!(cache_options)
|
|
8
|
-
|
|
7
|
+
Resource.new(uri).discover!(cache_options).tap do |response|
|
|
8
|
+
response.validate! identifier
|
|
9
|
+
end
|
|
10
|
+
rescue SWD::Exception, ValidationFailed => e
|
|
9
11
|
raise DiscoveryFailed.new(e.message)
|
|
10
12
|
end
|
|
11
13
|
end
|
|
@@ -10,10 +10,10 @@ module OpenIDConnect
|
|
|
10
10
|
uri_attributes = {
|
|
11
11
|
required: [
|
|
12
12
|
:issuer,
|
|
13
|
+
:authorization_endpoint,
|
|
13
14
|
:jwks_uri
|
|
14
15
|
],
|
|
15
16
|
optional: [
|
|
16
|
-
:authorization_endpoint,
|
|
17
17
|
:token_endpoint,
|
|
18
18
|
:userinfo_endpoint,
|
|
19
19
|
:registration_endpoint,
|
|
@@ -72,8 +72,10 @@ module OpenIDConnect
|
|
|
72
72
|
end
|
|
73
73
|
end
|
|
74
74
|
|
|
75
|
-
def validate!
|
|
76
|
-
valid?
|
|
75
|
+
def validate!(expected_issuer = nil)
|
|
76
|
+
valid? && (
|
|
77
|
+
expected_issuer.blank? || issuer == expected_issuer
|
|
78
|
+
) or raise ValidationFailed.new(self)
|
|
77
79
|
end
|
|
78
80
|
|
|
79
81
|
def jwks
|
|
@@ -13,11 +13,9 @@ module OpenIDConnect
|
|
|
13
13
|
@userinfo = UserInfo.new(attributes) if attributes.present?
|
|
14
14
|
end
|
|
15
15
|
|
|
16
|
-
def
|
|
17
|
-
|
|
18
|
-
hash.with_indifferent_access
|
|
16
|
+
def as_json(options = {})
|
|
17
|
+
super.with_indifferent_access
|
|
19
18
|
end
|
|
20
|
-
alias_method_chain :as_json, :mixed_keys
|
|
21
19
|
|
|
22
20
|
class << self
|
|
23
21
|
def decode(jwt_string, key = nil)
|
|
@@ -3,12 +3,10 @@ module OpenIDConnect
|
|
|
3
3
|
module Claimable
|
|
4
4
|
def self.included(klass)
|
|
5
5
|
klass.send :attr_optional, :claims
|
|
6
|
-
klass.send :alias_method_chain, :initialize, :claims
|
|
7
|
-
klass.send :alias_method_chain, :as_json, :keep_blank
|
|
8
6
|
end
|
|
9
7
|
|
|
10
|
-
def
|
|
11
|
-
|
|
8
|
+
def initialize(attributes = {})
|
|
9
|
+
super
|
|
12
10
|
if claims.present?
|
|
13
11
|
_claims_ = {}
|
|
14
12
|
claims.each do |key, value|
|
|
@@ -29,9 +27,9 @@ module OpenIDConnect
|
|
|
29
27
|
end
|
|
30
28
|
end
|
|
31
29
|
|
|
32
|
-
def
|
|
30
|
+
def as_json(options = {})
|
|
33
31
|
keys = claims.try(:keys)
|
|
34
|
-
hash =
|
|
32
|
+
hash = super
|
|
35
33
|
Array(keys).each do |key|
|
|
36
34
|
hash[:claims][key] ||= nil
|
|
37
35
|
end
|
|
@@ -27,7 +27,7 @@ module OpenIDConnect
|
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
include JWTnizable
|
|
30
|
-
def
|
|
30
|
+
def to_jwt(key, algorithm = :RS256, &block)
|
|
31
31
|
hash_length = algorithm.to_s[2, 3].to_i
|
|
32
32
|
if access_token
|
|
33
33
|
token = case access_token
|
|
@@ -41,9 +41,8 @@ module OpenIDConnect
|
|
|
41
41
|
if code
|
|
42
42
|
self.c_hash = left_half_hash_of code, hash_length
|
|
43
43
|
end
|
|
44
|
-
|
|
44
|
+
super
|
|
45
45
|
end
|
|
46
|
-
alias_method_chain :to_jwt, :at_hash_and_c_hash
|
|
47
46
|
|
|
48
47
|
private
|
|
49
48
|
|
|
@@ -2,22 +2,20 @@ class Rack::OAuth2::Server::Authorize
|
|
|
2
2
|
module RequestWithConnectParams
|
|
3
3
|
CONNECT_EXT_PARAMS = [:nonce, :display, :prompt, :request, :request_uri, :id_token]
|
|
4
4
|
|
|
5
|
-
def self.
|
|
5
|
+
def self.prepended(klass)
|
|
6
6
|
klass.send :attr_optional, *CONNECT_EXT_PARAMS
|
|
7
|
-
|
|
8
|
-
def initialize_with_connect_params(env)
|
|
9
|
-
initialize_without_connect_params env
|
|
10
|
-
CONNECT_EXT_PARAMS.each do |attribute|
|
|
11
|
-
self.send :"#{attribute}=", params[attribute.to_s]
|
|
12
|
-
end
|
|
13
|
-
end
|
|
14
|
-
alias_method_chain :initialize, :connect_params
|
|
7
|
+
end
|
|
15
8
|
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
9
|
+
def initialize(env)
|
|
10
|
+
super
|
|
11
|
+
CONNECT_EXT_PARAMS.each do |attribute|
|
|
12
|
+
self.send :"#{attribute}=", params[attribute.to_s]
|
|
19
13
|
end
|
|
20
14
|
end
|
|
15
|
+
|
|
16
|
+
def openid_connect_request?
|
|
17
|
+
scope.include?('openid')
|
|
18
|
+
end
|
|
21
19
|
end
|
|
22
|
-
Request.send :
|
|
20
|
+
Request.send :prepend, RequestWithConnectParams
|
|
23
21
|
end
|
|
@@ -1,22 +1,20 @@
|
|
|
1
1
|
module Rack::OAuth2::Server
|
|
2
2
|
module IdTokenResponse
|
|
3
|
-
def self.
|
|
3
|
+
def self.prepended(klass)
|
|
4
4
|
klass.send :attr_optional, :id_token
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
5
|
+
end
|
|
6
|
+
|
|
7
|
+
def protocol_params_location
|
|
8
|
+
:fragment
|
|
9
|
+
end
|
|
9
10
|
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
end
|
|
15
|
-
alias_method_chain :protocol_params, :id_token
|
|
16
|
-
end
|
|
11
|
+
def protocol_params
|
|
12
|
+
super.merge(
|
|
13
|
+
id_token: id_token
|
|
14
|
+
)
|
|
17
15
|
end
|
|
18
16
|
end
|
|
19
|
-
Token::Response.send :
|
|
17
|
+
Token::Response.send :prepend, IdTokenResponse
|
|
20
18
|
end
|
|
21
19
|
|
|
22
20
|
require 'rack/oauth2/server/authorize/extension/code_and_id_token'
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
{
|
|
2
|
+
"issuer": "https://connect-op.heroku.com:8080",
|
|
3
|
+
"authorization_endpoint": "https://connect-op.heroku.com:8080/authorizations/new",
|
|
4
|
+
"token_endpoint": "https://connect-op.heroku.com:8080/access_tokens",
|
|
5
|
+
"userinfo_endpoint": "https://connect-op.heroku.com:8080/userinfo",
|
|
6
|
+
"registration_endpoint": "https://connect-op.heroku.com:8080/connect/client",
|
|
7
|
+
"scopes_supported": ["openid", "profile", "email", "address"],
|
|
8
|
+
"response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
|
|
9
|
+
"subject_types_supported": ["public", "pairwise"],
|
|
10
|
+
"claims_supported": ["sub", "iss", "name", "email"],
|
|
11
|
+
"jwks_uri": "https://connect-op.heroku.com/jwks.json",
|
|
12
|
+
"id_token_signing_alg_values_supported": ["RS256"]
|
|
13
|
+
}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
{
|
|
2
|
+
"issuer": "https://attacker.example.com",
|
|
3
|
+
"authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
|
|
4
|
+
"token_endpoint": "https://connect-op.heroku.com/access_tokens",
|
|
5
|
+
"userinfo_endpoint": "https://connect-op.heroku.com/userinfo",
|
|
6
|
+
"registration_endpoint": "https://connect-op.heroku.com/connect/client",
|
|
7
|
+
"scopes_supported": ["openid", "profile", "email", "address"],
|
|
8
|
+
"response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
|
|
9
|
+
"subject_types_supported": ["public", "pairwise"],
|
|
10
|
+
"claims_supported": ["sub", "iss", "name", "email"],
|
|
11
|
+
"jwks_uri": "https://connect-op.heroku.com/jwks.json",
|
|
12
|
+
"id_token_signing_alg_values_supported": ["RS256"]
|
|
13
|
+
}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
{
|
|
2
|
+
"issuer": "https://connect.openid4.us/abop",
|
|
3
|
+
"authorization_endpoint": "https://connect.openid4.us/abop/authorizations/new",
|
|
4
|
+
"token_endpoint": "https://connect.openid4.us/abop/access_tokens",
|
|
5
|
+
"userinfo_endpoint": "https://connect.openid4.us/abop/userinfo",
|
|
6
|
+
"registration_endpoint": "https://connect.openid4.us/abop/connect/client",
|
|
7
|
+
"scopes_supported": ["openid", "profile", "email", "address"],
|
|
8
|
+
"response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
|
|
9
|
+
"subject_types_supported": ["public", "pairwise"],
|
|
10
|
+
"claims_supported": ["sub", "iss", "name", "email"],
|
|
11
|
+
"jwks_uri": "https://connect-op.heroku.com/jwks.json",
|
|
12
|
+
"id_token_signing_alg_values_supported": ["RS256"]
|
|
13
|
+
}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
{
|
|
2
|
+
"authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
|
|
3
|
+
"token_endpoint": "https://connect-op.heroku.com/access_tokens",
|
|
4
|
+
"userinfo_endpoint": "https://connect-op.heroku.com/userinfo",
|
|
5
|
+
"registration_endpoint": "https://connect-op.heroku.com/connect/client",
|
|
6
|
+
"scopes_supported": ["openid", "profile", "email", "address"],
|
|
7
|
+
"response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
|
|
8
|
+
"subject_types_supported": ["public", "pairwise"],
|
|
9
|
+
"claims_supported": ["sub", "iss", "name", "email"],
|
|
10
|
+
"jwks_uri": "https://connect-op.heroku.com/jwks.json",
|
|
11
|
+
"id_token_signing_alg_values_supported": ["RS256"]
|
|
12
|
+
}
|
|
@@ -10,6 +10,7 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
|
|
|
10
10
|
let :minimum_attributes do
|
|
11
11
|
{
|
|
12
12
|
issuer: 'https://server.example.com',
|
|
13
|
+
authorization_endpoint: 'https://server.example.com/authorize',
|
|
13
14
|
jwks_uri: jwks_uri,
|
|
14
15
|
response_types_supported: [
|
|
15
16
|
:code, :id_token, 'token id_token'
|
|
@@ -24,6 +24,28 @@ describe OpenIDConnect::Discovery::Provider::Config do
|
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
|
+
context 'when OP identifier includes custom port' do
|
|
28
|
+
let(:provider) { 'https://connect-op.heroku.com:8080' }
|
|
29
|
+
let(:endpoint) { 'https://connect-op.heroku.com:8080/.well-known/openid-configuration' }
|
|
30
|
+
|
|
31
|
+
it 'should construct well-known URI with given port' do
|
|
32
|
+
mock_json :get, endpoint, 'discovery/config_with_custom_port' do
|
|
33
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
context 'when OP identifier includes path' do
|
|
39
|
+
let(:provider) { 'https://connect.openid4.us/abop' }
|
|
40
|
+
let(:endpoint) { 'https://connect.openid4.us/abop/.well-known/openid-configuration' }
|
|
41
|
+
|
|
42
|
+
it 'should construct well-known URI with given port' do
|
|
43
|
+
mock_json :get, endpoint, 'discovery/config_with_path' do
|
|
44
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
|
|
27
49
|
context 'when SWD::Exception raised' do
|
|
28
50
|
it do
|
|
29
51
|
expect do
|
|
@@ -33,26 +55,24 @@ describe OpenIDConnect::Discovery::Provider::Config do
|
|
|
33
55
|
end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
|
|
34
56
|
end
|
|
35
57
|
end
|
|
36
|
-
end
|
|
37
58
|
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
OpenIDConnect::Discovery::
|
|
59
|
+
context 'when response include invalid issuer' do
|
|
60
|
+
it do
|
|
61
|
+
expect do
|
|
62
|
+
mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
|
|
63
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
|
64
|
+
end
|
|
65
|
+
end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
|
|
45
66
|
end
|
|
46
67
|
end
|
|
47
|
-
end
|
|
48
|
-
|
|
49
|
-
context 'when OP identifier includes path' do
|
|
50
|
-
let(:provider) { 'https://connect.openid4.us/abop' }
|
|
51
|
-
let(:endpoint) { 'https://connect.openid4.us/abop/.well-known/openid-configuration' }
|
|
52
68
|
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
69
|
+
context 'when response include no issuer' do
|
|
70
|
+
it do
|
|
71
|
+
expect do
|
|
72
|
+
mock_json :get, endpoint, 'discovery/config_without_issuer' do
|
|
73
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
|
74
|
+
end
|
|
75
|
+
end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
|
|
56
76
|
end
|
|
57
77
|
end
|
|
58
78
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: openid_connect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.10.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- nov matake
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2016-01-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: json
|
|
@@ -276,6 +276,10 @@ files:
|
|
|
276
276
|
- spec/mock_response/client/rotated.json
|
|
277
277
|
- spec/mock_response/client/updated.json
|
|
278
278
|
- spec/mock_response/discovery/config.json
|
|
279
|
+
- spec/mock_response/discovery/config_with_custom_port.json
|
|
280
|
+
- spec/mock_response/discovery/config_with_invalid_issuer.json
|
|
281
|
+
- spec/mock_response/discovery/config_with_path.json
|
|
282
|
+
- spec/mock_response/discovery/config_without_issuer.json
|
|
279
283
|
- spec/mock_response/discovery/swd.json
|
|
280
284
|
- spec/mock_response/discovery/webfinger.json
|
|
281
285
|
- spec/mock_response/errors/insufficient_scope.json
|
|
@@ -328,7 +332,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
328
332
|
version: '0'
|
|
329
333
|
requirements: []
|
|
330
334
|
rubyforge_project:
|
|
331
|
-
rubygems_version: 2.
|
|
335
|
+
rubygems_version: 2.5.1
|
|
332
336
|
signing_key:
|
|
333
337
|
specification_version: 4
|
|
334
338
|
summary: OpenID Connect Server & Client Library
|
|
@@ -343,6 +347,10 @@ test_files:
|
|
|
343
347
|
- spec/mock_response/client/rotated.json
|
|
344
348
|
- spec/mock_response/client/updated.json
|
|
345
349
|
- spec/mock_response/discovery/config.json
|
|
350
|
+
- spec/mock_response/discovery/config_with_custom_port.json
|
|
351
|
+
- spec/mock_response/discovery/config_with_invalid_issuer.json
|
|
352
|
+
- spec/mock_response/discovery/config_with_path.json
|
|
353
|
+
- spec/mock_response/discovery/config_without_issuer.json
|
|
346
354
|
- spec/mock_response/discovery/swd.json
|
|
347
355
|
- spec/mock_response/discovery/webfinger.json
|
|
348
356
|
- spec/mock_response/errors/insufficient_scope.json
|