openid_connect 1.1.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: e62bda117ed864fde39524c98562d65c1255187e
-  data.tar.gz: 7929b0e8bc8f349b2f66ffc385a821b03dca0976
+SHA256:
+  metadata.gz: 2b5a083aca9fb04e50e7ff4fb18d26d221daac9bf22ec1cfcc136007160a03db
+  data.tar.gz: 1eb0f4f04691552f0b276d284bb91f47d393c0afdc8e7473c57446c4e89c6cc1
 SHA512:
-  metadata.gz: db9854c96d10c7343b6d1a10afe7b840ed7398e2644b7b493ccad9610bc2b4078fff375f4ecd1d465637b70827ac852a866a4a3708f4fc1ea4f639554cfdb1fa
-  data.tar.gz: a6a304fabefc2548fd9db7d98ab9b01bdf28c9735f5070c19073eaba32a1c5b346d5908d9493f193473c617ba7a6ff3e246ade91668573860256d0227d88ba7e
+  metadata.gz: 3469b7247c8337d0f3bc5adddc3ebc117676814fba726ba95d59fb50279ae7f8a91e3856962ab794e44bc3d8a0ccbb9adf07966bc4ff50139c74e08c783e5e1f
+  data.tar.gz: 5670dcd68a4b196ebb167c2eb313360d407ae30a77914da20f376f4cddef1b009642fc5aeee5eddbd971b03e7baee939076a7ed343a9e63906e309b261bda8be

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: nov

data/.github/workflows/spec.yml

@@ -0,0 +1,32 @@
+name: Spec
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  spec:
+    strategy:
+      matrix:
+        os: ['ubuntu-20.04']
+        ruby-version: ['2.6', '2.7', '3.0', '3.1']
+        # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+        include:
+        - os: 'ubuntu-22.04'
+          ruby-version: '3.1'
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run Specs
+      run: bundle exec rake spec

data/CHANGELOG.md

@@ -0,0 +1,17 @@
+## [Unreleased]
+
+## [2.1.0] - 2022-10-10
+
+### Changed
+
+- mTLS access token by @nov in https://github.com/nov/openid_connect/pull/76
+
+## [2.0.0] - 2022-10-09
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+- replace httpclient with faraday v2 by @nov in https://github.com/nov/openid_connect/pull/75

data/README.rdoc

@@ -2,8 +2,6 @@
 
 OpenID Connect Server & Client Library
 
-{<img src="https://secure.travis-ci.org/nov/openid_connect.png" />}[http://travis-ci.org/nov/openid_connect]
-
 == Installation
 
   gem install openid_connect

data/VERSION

@@ -1 +1 @@
-1.1.0
+2.2.0

data/lib/openid_connect/access_token/mtls.rb

@@ -0,0 +1,9 @@
+module OpenIDConnect
+  class AccessToken::MTLS < AccessToken
+    def initialize(attributes = {})
+      super
+      http_client.ssl.client_key  = attributes[:private_key] || client.private_key
+      http_client.ssl.client_cert = attributes[:certificate] || client.certificate
+    end
+  end
+end

data/lib/openid_connect/access_token.rb

@@ -15,13 +15,20 @@ module OpenIDConnect
       ResponseObject::UserInfo.new hash
     end
 
+    def to_mtls(attributes = {})
+      (required_attributes + optional_attributes).each do |key|
+        attributes[key] = self.send(key)
+      end
+      MTLS.new attributes
+    end
+
     private
 
     def resource_request
       res = yield
       case res.status
       when 200
-        JSON.parse(res.body).with_indifferent_access
+        res.body.with_indifferent_access
       when 400
         raise BadRequest.new('API Access Faild', res)
       when 401
@@ -33,4 +40,6 @@ module OpenIDConnect
       end
     end
   end
-end
+end
+
+require 'openid_connect/access_token/mtls'

data/lib/openid_connect/client/registrar.rb

@@ -50,12 +50,12 @@ module OpenIDConnect
       ]
       attr_required :endpoint
       attr_optional :initial_access_token
-      attr_required *required_metadata_attributes
-      attr_optional *(metadata_attributes - required_metadata_attributes)
+      attr_required(*required_metadata_attributes)
+      attr_optional(*(metadata_attributes - required_metadata_attributes))
 
-      validates *required_attributes,   presence: true
+      validates(*required_attributes,   presence: true)
       validates :sector_identifier_uri, presence: {if: :sector_identifier_required?}
-      validates *singular_uri_attributes, url: true, allow_nil: true
+      validates(*singular_uri_attributes, url: true, allow_nil: true)
       validate :validate_plural_uri_attributes
       validate :validate_contacts
 
@@ -170,7 +170,7 @@ module OpenIDConnect
       end
 
       def handle_success_response(response)
-        credentials = JSON.parse(response.body).with_indifferent_access
+        credentials = response.body.with_indifferent_access
         Client.new(
           identifier: credentials[:client_id],
           secret:     credentials[:client_secret],

data/lib/openid_connect/client.rb

@@ -26,19 +26,18 @@ module OpenIDConnect
     end
 
     def handle_success_response(response)
-      token_hash = JSON.parse(response.body).with_indifferent_access
-      case token_type = token_hash[:token_type].try(:downcase)
+      token_hash = response.body.with_indifferent_access
+      token_type = (@forced_token_type || token_hash[:token_type]).try(:downcase)
+      case token_type
       when 'bearer'
         AccessToken.new token_hash.merge(client: self)
       else
         raise Exception.new("Unexpected Token Type: #{token_type}")
       end
-    rescue JSON::ParserError
-      raise Exception.new("Unknown Token Type")
     end
   end
 end
 
 Dir[File.dirname(__FILE__) + '/client/*.rb'].each do |file|
   require file
-end
+end

data/lib/openid_connect/discovery/provider/config/resource.rb

@@ -1,3 +1,5 @@
+require "openssl"
+
 module OpenIDConnect
   module Discovery
     module Provider
@@ -27,8 +29,8 @@ module OpenIDConnect
           end
 
           def cache_key
-            md5 = Digest::MD5.hexdigest host
-            "swd:resource:opneid-conf:#{md5}"
+            sha256 = OpenSSL::Digest::SHA256.hexdigest host
+            "swd:resource:opneid-conf:#{sha256}"
           end
         end
       end

data/lib/openid_connect/discovery/provider/config/response.rb

@@ -18,17 +18,19 @@ module OpenIDConnect
               :token_endpoint,
               :userinfo_endpoint,
               :registration_endpoint,
+              :end_session_endpoint,
               :service_documentation,
+              :check_session_iframe,
               :op_policy_uri,
               :op_tos_uri
             ]
           }
-          attr_required *(uri_attributes[:required] + [
+          attr_required(*(uri_attributes[:required] + [
             :response_types_supported,
             :subject_types_supported,
             :id_token_signing_alg_values_supported
-          ])
-          attr_optional *(uri_attributes[:optional] + [
+          ]))
+          attr_optional(*(uri_attributes[:optional] + [
             :scopes_supported,
             :response_modes_supported,
             :grant_types_supported,
@@ -52,10 +54,10 @@ module OpenIDConnect
             :request_parameter_supported,
             :request_uri_parameter_supported,
             :require_request_uri_registration
-          ])
+          ]))
 
-          validates *required_attributes, presence: true
-          validates *uri_attributes.values.flatten, url: true, allow_nil: true
+          validates(*required_attributes, presence: true)
+          validates(*uri_attributes.values.flatten, url: true, allow_nil: true)
           validates :issuer, with: :validate_issuer_matching
 
           def initialize(hash)
@@ -74,17 +76,20 @@ module OpenIDConnect
             end
           end
 
-          def validate!(expected_issuer = nil)
+          def validate!
             valid? or raise ValidationFailed.new(self)
           end
 
           def jwks
-            @jwks ||= JSON.parse(
-              OpenIDConnect.http_client.get_content(jwks_uri)
-            ).with_indifferent_access
+            @jwks ||= OpenIDConnect.http_client.get(jwks_uri).body.with_indifferent_access
             JSON::JWK::Set.new @jwks[:keys]
           end
 
+          def jwk(kid)
+            @jwks ||= {}
+            @jwks[kid] ||= JSON::JWK::Set::Fetcher.fetch(jwks_uri, kid: kid)
+          end
+
           def public_keys
             @public_keys ||= jwks.collect(&:to_key)
           end
@@ -93,11 +98,15 @@ module OpenIDConnect
 
           def validate_issuer_matching
             if expected_issuer.present? && issuer != expected_issuer
-              errors.add :issuer, 'mismatch'
+              if OpenIDConnect.validate_discovery_issuer
+                errors.add :issuer, 'mismatch'
+              else
+                OpenIDConnect.logger.warn 'ignoring issuer mismach.'
+              end
             end
           end
         end
       end
     end
   end
-end
+end

data/lib/openid_connect/request_object.rb

@@ -5,10 +5,12 @@ module OpenIDConnect
     attr_optional :client_id, :response_type, :redirect_uri, :scope, :state, :nonce, :display, :prompt, :userinfo, :id_token
     validate :require_at_least_one_attributes
 
+    undef :id_token=
     def id_token=(attributes = {})
       @id_token = IdToken.new(attributes) if attributes.present?
     end
 
+    undef :userinfo=
     def userinfo=(attributes = {})
       @userinfo = UserInfo.new(attributes) if attributes.present?
     end
@@ -23,7 +25,7 @@ module OpenIDConnect
       end
 
       def fetch(request_uri, key = nil)
-        jwt_string = OpenIDConnect.http_client.get_content(request_uri)
+        jwt_string = OpenIDConnect.http_client.get(request_uri).body
         decode jwt_string, key
       end
     end

data/lib/openid_connect/response_object/id_token.rb

@@ -1,13 +1,15 @@
-require 'json/jwt'
-
 module OpenIDConnect
   class ResponseObject
     class IdToken < ConnectObject
       class InvalidToken < Exception; end
+      class ExpiredToken < InvalidToken; end
+      class InvalidIssuer < InvalidToken; end
+      class InvalidNonce < InvalidToken; end
+      class InvalidAudience < InvalidToken; end
 
       attr_required :iss, :sub, :aud, :exp, :iat
-      attr_optional :acr, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash
-      attr_accessor :access_token, :code
+      attr_optional :acr, :amr, :azp, :jti, :sid, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash, :s_hash
+      attr_accessor :access_token, :code, :state
       alias_method :subject, :sub
       alias_method :subject=, :sub=
 
@@ -20,11 +22,16 @@ module OpenIDConnect
       end
 
       def verify!(expected = {})
-        exp.to_i > Time.now.to_i &&
-        iss == expected[:issuer] &&
-        Array(aud).include?(expected[:audience] || expected[:client_id]) && # aud(ience) can be a string or an array of strings
-        nonce == expected[:nonce] or
-        raise InvalidToken.new('Invalid ID Token')
+        raise ExpiredToken.new('Invalid ID token: Expired token') unless exp.to_i > Time.now.to_i
+        raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless iss == expected[:issuer]
+        raise InvalidNonce.new('Invalid ID Token: Nonce does not match') unless nonce == expected[:nonce]
+
+        # aud(ience) can be a string or an array of strings
+        unless Array(aud).include?(expected[:audience] || expected[:client_id])
+          raise InvalidAudience.new('Invalid ID token: Audience does not match')
+        end
+
+        true
       end
 
       include JWTnizable
@@ -42,6 +49,9 @@ module OpenIDConnect
         if code
           self.c_hash = left_half_hash_of code, hash_length
         end
+        if state
+          self.s_hash = left_half_hash_of state, hash_length
+        end
         super
       end
 
@@ -49,15 +59,20 @@ module OpenIDConnect
 
       def left_half_hash_of(string, hash_length)
         digest = OpenSSL::Digest.new("SHA#{hash_length}").digest string
-        UrlSafeBase64.encode64 digest[0, hash_length / (2 * 8)]
+        Base64.urlsafe_encode64 digest[0, hash_length / (2 * 8)], padding: false
       end
 
       class << self
-        def decode(jwt_string, key)
-          if key == :self_issued
+        def decode(jwt_string, key_or_config)
+          case key_or_config
+          when :self_issued
             decode_self_issued jwt_string
+          when OpenIDConnect::Discovery::Provider::Config::Response
+            jwt = JSON::JWT.decode jwt_string, :skip_verification
+            jwt.verify! key_or_config.jwk(jwt.kid)
+            new jwt
           else
-            new JSON::JWT.decode jwt_string, key
+            new JSON::JWT.decode jwt_string, key_or_config
           end
         end
 

data/lib/openid_connect/response_object/user_info.rb

@@ -47,6 +47,7 @@ module OpenIDConnect
         errors.add :address, address.errors.full_messages.join(', ') if address.present? && !address.valid?
       end
 
+      undef :address=
       def address=(hash_or_address)
         @address = case hash_or_address
         when Hash

data/lib/openid_connect.rb

@@ -1,5 +1,7 @@
 require 'json'
 require 'logger'
+require 'faraday'
+require 'faraday/follow_redirects'
 require 'swd'
 require 'webfinger'
 require 'active_model'
@@ -8,6 +10,7 @@ require 'validate_url'
 require 'validate_email'
 require 'attr_required'
 require 'attr_optional'
+require 'json/jwt'
 require 'rack/oauth2'
 require 'rack/oauth2/server/authorize/error_with_connect_ext'
 require 'rack/oauth2/server/authorize/request_with_connect_params'
@@ -63,19 +66,31 @@ module OpenIDConnect
   self.debugging = false
 
   def self.http_client
-    _http_client_ = HTTPClient.new(
-      agent_name: "OpenIDConnect (#{VERSION})"
-    )
-    _http_client_.request_filter << Debugger::RequestFilter.new if debugging?
-    http_config.try(:call, _http_client_)
-    _http_client_
+    Faraday.new(headers: {user_agent: "OpenIDConnect (#{VERSION})"}) do |faraday|
+      faraday.request :url_encoded
+      faraday.request :json
+      faraday.response :json
+      faraday.response :logger, OpenIDConnect.logger, {bodies: true} if debugging?
+      faraday.adapter Faraday.default_adapter
+      http_config&.call(faraday)
+    end
   end
   def self.http_config(&block)
     @sub_protocols.each do |klass|
-      klass.http_config &block unless klass.http_config
+      klass.http_config(&block) unless klass.http_config
     end
     @@http_config ||= block
   end
+
+  def self.validate_discovery_issuer=(boolean)
+    @@validate_discovery_issuer = boolean
+  end
+
+  def self.validate_discovery_issuer
+    @@validate_discovery_issuer
+  end
+
+  self.validate_discovery_issuer = true
 end
 
 require 'openid_connect/exception'
@@ -84,4 +99,3 @@ require 'openid_connect/access_token'
 require 'openid_connect/jwtnizable'
 require 'openid_connect/connect_object'
 require 'openid_connect/discovery'
-require 'openid_connect/debugger'

data/openid_connect.gemspec

@@ -12,19 +12,27 @@ Gem::Specification.new do |s|
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
-  s.add_runtime_dependency "json", ">= 1.4.3"
   s.add_runtime_dependency "tzinfo"
   s.add_runtime_dependency "attr_required", ">= 1.0.0"
   s.add_runtime_dependency "activemodel"
   s.add_runtime_dependency "validate_url"
   s.add_runtime_dependency "validate_email"
-  s.add_runtime_dependency "json-jwt", ">= 1.5.0"
-  s.add_runtime_dependency "swd", ">= 1.0.0"
-  s.add_runtime_dependency "webfinger", ">= 1.0.1"
-  s.add_runtime_dependency "rack-oauth2", ">= 1.6.0"
+  s.add_runtime_dependency 'faraday', '~> 2.0'
+  s.add_runtime_dependency 'faraday-follow_redirects'
+  s.add_runtime_dependency "json-jwt", ">= 1.16"
+  s.add_runtime_dependency "swd", "~> 2.0"
+  s.add_runtime_dependency "webfinger", "~> 2.0"
+  s.add_runtime_dependency "rack-oauth2", "~> 2.2"
+  if Gem.ruby_version >= Gem::Version.create(3.1)
+    # TODO:
+    #  remove "net-smtp" dependency after mail gem 2.8+ (which supports ruby 3.1+) released.
+    #  ref.) https://rubygems.org/gems/mail
+    s.add_runtime_dependency "net-smtp"
+  end
   s.add_development_dependency "rake"
   s.add_development_dependency "rspec"
   s.add_development_dependency "rspec-its"
   s.add_development_dependency "webmock"
   s.add_development_dependency "simplecov"
-end
+  s.add_development_dependency "rexml"
+end

data/spec/helpers/webmock_helper.rb

@@ -32,7 +32,13 @@ module WebMockHelper
 
   def response_for(response_file, options = {})
     response = {}
-    response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', "#{response_file}.#{options[:format] || :json}"))
+    format = options[:format] || :json
+    if format == :json
+      response[:headers] = {
+        'Content-Type': 'application/json'
+      }
+    end
+    response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', "#{response_file}.#{format}"))
     if options[:status]
       response[:status] = options[:status]
     end

data/spec/mock_response/access_token/without_token_type.json

@@ -0,0 +1,3 @@
+{
+  "access_token":"access_token"
+}

data/spec/mock_response/errors/unknown.json

@@ -1 +1,3 @@
-Fuckin Unknown Error
+{
+  "unknown": "unknown"
+}

data/spec/mock_response/public_keys/jwks_with_private_key.json

@@ -0,0 +1,8 @@
+{
+  "keys": [{
+    "kty": "RSA",
+    "e": "AQAB",
+    "n": "vWr1S4T0jBnYU9PIpUYxT48Ca8HK8aitbmqbTM3t3Zzl1GNpIlyePnwXSL6SgNcVbeRhTfvXZUzH4pP8HzPJdpUHnAeYyCzjz9UNykdFCp2YW676wpLDzMkaU7bYLJxGjZlpHU-UJVIm5KX9-NfMyGbFUOuw4AY-OWp8GxrqwAF4U6bJ86TpO24wMxmgm0Vl72aRMGVJkRz66YLYOPNVjXjOI4bUuxg_o3Px5QASxvDCawMeLR3pLCoQcLAZn6WZx7nX3Wu6QzcY0QCqhqUAeY49QRT83Jdg7WUsNa2Rbegi3jJGJf-t9hEcJPmrI6q9zl6WArUueQHS-XUQWq5ptw",
+    "kid": "DCmKamGtkGAWz-uujePOp-UeATAeT4fi3KouR78r44I"
+  }]
+}

data/spec/mock_response/public_keys/private_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvWr1S4T0jBnYU9PIpUYxT48Ca8HK8aitbmqbTM3t3Zzl1GNp
+IlyePnwXSL6SgNcVbeRhTfvXZUzH4pP8HzPJdpUHnAeYyCzjz9UNykdFCp2YW676
+wpLDzMkaU7bYLJxGjZlpHU+UJVIm5KX9+NfMyGbFUOuw4AY+OWp8GxrqwAF4U6bJ
+86TpO24wMxmgm0Vl72aRMGVJkRz66YLYOPNVjXjOI4bUuxg/o3Px5QASxvDCawMe
+LR3pLCoQcLAZn6WZx7nX3Wu6QzcY0QCqhqUAeY49QRT83Jdg7WUsNa2Rbegi3jJG
+Jf+t9hEcJPmrI6q9zl6WArUueQHS+XUQWq5ptwIDAQABAoIBAHvDWBUJAVRNSsiy
+90XuECggk/9ed0Dg6rjblS9g2kvTyWO1tKsMAyVmpTwVsNnYLxtHfsCajcmVmoEU
+Gkc06iy+AWPUnuIkWpGgbss9OAJQqI03Toc1qBO1TqtmK+cyEPNSSpkpNu4PuHPr
+dX9TWW2ToNdXuJEX4y5WwlJfiwT6kPdK86IKpPCql1+X/N2nKbn+5OWHTDuW3jLF
+H4UoJlUU77VgPedQLF9xr9NXGZbgYdTtsg3GU3k7/xhcetNq22Dtr8vYnX8LcIsZ
+9VW+KBRGOwgXTMLuj25VxkFUsJejEoq5+WyHTsSsa4w8Fxyc50GPfZJKh8J2jHiG
+8weJUNECgYEA5CoQmUz+8saVg1IwnEgZBSMF1rthMgvuDPhD8PJNaugUCyo9tg0O
+AXo9EMOUHmr2vCN8h2MZZuuW0D5np/Z9T102N99mJU6tVMSabBPDUTfxThq4xY48
+VZvS6EOzSomeEbrIDciJghqJIvPxEoqLXY3Zg7kDef7YiqybhZFdlS8CgYEA1IbH
+MHKfcL+LAo88y4tgOe6Wn8FRG1K7MHvdR+KErgxBg63I9zmolPsyznjNVKpB9syt
+zqkDxBg/jTIctgeziMQNSODQoqRKcgEDePwcu+wBvuV+LJFJoIWFrvIPyZ5yKzeb
+Vm1lRMgQfoeAQE4nVYAJG+oTTsFTdEtrHkOW4fkCgYEAsNHcnUFrTvARDH1UiLjj
+EvUKYFhEwck3CbwYwxC0aIZEikaJHp3NXd3Cl0xKbKxOXI1Pw4hMNlObQ/Uo1aUT
+hb7h9rjda0omz8uxNNK4CihFjFbvHMLXBS1GbJOSzdAKvQi4Yt4nmrk/z+Omzsyp
+pq34hLmL9S5H2Ghd+kwmbycCgYBiC1N1PEvl3depdJ8dX80irLj8NljOfBozQdFR
+ymRfTvQiZVfjBcyJ/mDv87b2Kh2IV+CPCFXebzlSUB4CtAbVP2zJhD176sMVWPZb
+KCOxZi1f/ct5kAUhcre7f5xc7SXKXjrhYlJnqsxBMw2tnOB0hz6sjA4gNPvlGK3w
+JkpDMQKBgQCgPoqSjmbroWC9oq5iDwRtx6f6fJG7CE91ZFJulunQj6YWOC3zNHEa
+XvPPGM8fZpJS4e8LiPClkk8nsOoC50neEVGZeEuhdP6m6WNPN3SlP7bXozHOJTh0
+mHrk2bUHFlQn8f5KWfLQbdyKBzs7WqCRTOR/gIbfxBlUOs0BN37xhw==
+-----END RSA PRIVATE KEY-----

data/spec/openid_connect/client/registrar_spec.rb

@@ -253,7 +253,7 @@ describe OpenIDConnect::Client::Registrar do
     end
 
     context 'otherwise' do
-      it { should be_instance_of HTTPClient }
+      it { should be_instance_of Faraday::Connection }
     end
   end
 end

data/spec/openid_connect/client_spec.rb

@@ -162,22 +162,21 @@ describe OpenIDConnect::Client do
       end
     end
 
-    context 'when invalid JSON is returned' do
-      it 'should raise OpenIDConnect::Exception' do
-        mock_json :post, client.token_endpoint, 'access_token/invalid_json', request_header: header_params, params: protocol_params do
-          expect do
-            access_token
-          end.to raise_error OpenIDConnect::Exception, 'Unknown Token Type'
-        end
-      end
-    end
-
     context 'otherwise' do
       it 'should raise Unexpected Token Type exception' do
         mock_json :post, client.token_endpoint, 'access_token/mac', request_header: header_params, params: protocol_params do
           expect { access_token }.to raise_error OpenIDConnect::Exception, 'Unexpected Token Type: mac'
         end
       end
+
+      context 'when token_type is forced' do
+        before { client.force_token_type! :bearer }
+        it 'should use forced token_type' do
+          mock_json :post, client.token_endpoint, 'access_token/without_token_type', request_header: header_params, params: protocol_params do
+            access_token.should be_a OpenIDConnect::AccessToken
+          end
+        end
+      end
     end
   end
-end
+end

data/spec/openid_connect/discovery/provider/config/response_spec.rb

@@ -35,6 +35,28 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
     it { should_not be_valid }
   end
 
+  context 'when end_session_endpoint given' do
+    let(:end_session_endpoint) { 'https://server.example.com/end_session' }
+    let :attributes do
+      minimum_attributes.merge(
+        end_session_endpoint: end_session_endpoint
+      )
+    end
+    it { should be_valid }
+    its(:end_session_endpoint) { should == end_session_endpoint }
+  end
+
+  context 'when check_session_iframe given' do
+    let(:check_session_iframe) { 'https://server.example.com/check_session_iframe.html' }
+    let :attributes do
+      minimum_attributes.merge(
+        check_session_iframe: check_session_iframe
+      )
+    end
+    it { should be_valid }
+    its(:check_session_iframe) { should == check_session_iframe }
+  end
+
   describe '#as_json' do
     subject { instance.as_json }
     it { should == minimum_attributes }
@@ -81,4 +103,4 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
       public_keys.first.should be_instance_of OpenSSL::PKey::RSA
     end
   end
-end
+end

data/spec/openid_connect/discovery/provider/config_spec.rb

@@ -56,13 +56,33 @@ describe OpenIDConnect::Discovery::Provider::Config do
       end
     end
 
-    context 'when response include invalid issuer' do
-      it do
-        expect do
-          mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
-            OpenIDConnect::Discovery::Provider::Config.discover! provider
-          end
-        end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
+    describe 'when response include invalid issuer' do
+      context 'with normal configuration' do
+        it do
+          expect do
+            mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
+              OpenIDConnect::Discovery::Provider::Config.discover! provider
+            end
+          end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
+        end
+      end
+
+      context 'when issuer validation is disabled.' do
+        before :each do
+          OpenIDConnect.validate_discovery_issuer = false
+        end
+
+        after :each do
+          OpenIDConnect.validate_discovery_issuer = true
+        end
+
+        it do
+          expect do
+            mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
+              OpenIDConnect::Discovery::Provider::Config.discover! provider
+            end
+          end.not_to raise_error
+        end
       end
     end
 
@@ -76,4 +96,4 @@ describe OpenIDConnect::Discovery::Provider::Config do
       end
     end
   end
-end
+end

data/spec/openid_connect/response_object/id_token_spec.rb

@@ -19,7 +19,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
   describe 'attributes' do
     subject { klass }
     its(:required_attributes) { should == [:iss, :sub, :aud, :exp, :iat] }
-    its(:optional_attributes) { should == [:acr, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash] }
+    its(:optional_attributes) { should == [:acr, :amr, :azp, :jti, :sid, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash, :s_hash] }
 
     describe 'auth_time' do
       subject { id_token.auth_time }
@@ -157,7 +157,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
         t = id_token.to_jwt private_key do |t|
           t.header[:x5u] = "http://server.example.com/x5u"
         end
-        h = UrlSafeBase64.decode64 t.split('.').first
+        h = Base64.urlsafe_decode64 t.split('.').first
         h.should include 'x5u'
       end
     end
@@ -169,8 +169,9 @@ describe OpenIDConnect::ResponseObject::IdToken do
           jwt = JSON::JWT.decode t, public_key
           jwt.should include :at_hash
           jwt.should_not include :c_hash
-          jwt[:at_hash].should == UrlSafeBase64.encode64(
-            OpenSSL::Digest::SHA256.digest('access_token')[0, 128 / 8]
+          jwt[:at_hash].should == Base64.urlsafe_encode64(
+            OpenSSL::Digest::SHA256.digest('access_token')[0, 128 / 8],
+            padding: false
           )
         end
       end
@@ -193,8 +194,9 @@ describe OpenIDConnect::ResponseObject::IdToken do
         jwt = JSON::JWT.decode t, public_key
         jwt.should_not include :at_hash
         jwt.should include :c_hash
-        jwt[:c_hash].should == UrlSafeBase64.encode64(
-          OpenSSL::Digest::SHA256.digest('authorization_code')[0, 128 / 8]
+        jwt[:c_hash].should == Base64.urlsafe_encode64(
+          OpenSSL::Digest::SHA256.digest('authorization_code')[0, 128 / 8],
+          padding: false
         )
       end
     end
@@ -209,11 +211,13 @@ describe OpenIDConnect::ResponseObject::IdToken do
         jwt = JSON::JWT.decode t, public_key
         jwt.should include :at_hash
         jwt.should include :c_hash
-        jwt[:at_hash].should == UrlSafeBase64.encode64(
-          OpenSSL::Digest::SHA256.digest('access_token')[0, 128 / 8]
+        jwt[:at_hash].should == Base64.urlsafe_encode64(
+          OpenSSL::Digest::SHA256.digest('access_token')[0, 128 / 8],
+          padding: false
         )
-        jwt[:c_hash].should == UrlSafeBase64.encode64(
-          OpenSSL::Digest::SHA256.digest('authorization_code')[0, 128 / 8]
+        jwt[:c_hash].should == Base64.urlsafe_encode64(
+          OpenSSL::Digest::SHA256.digest('authorization_code')[0, 128 / 8],
+          padding: false
         )
       end
     end
@@ -247,6 +251,54 @@ describe OpenIDConnect::ResponseObject::IdToken do
     its(:exp) { should == attributes[:exp].to_i }
     its(:raw_attributes) { should be_instance_of JSON::JWS }
 
+    context 'when IdP config is given' do
+      subject { klass.decode id_token.to_jwt(private_key), idp_config }
+      let(:jwks) do
+        jwk_str = File.read(File.join(__dir__, '../../mock_response/public_keys/jwks_with_private_key.json'))
+        jwk = JSON::JWK::Set.new JSON.parse(jwk_str)
+      end
+      let(:idp_config) do
+        OpenIDConnect::Discovery::Provider::Config::Response.new(
+          issuer: attributes[:issuer],
+          authorization_endpoint: File.join(attributes[:iss], 'authorize'),
+          jwks_uri: File.join(attributes[:iss], 'jwks'),
+          response_types_supported: ['code'],
+          subject_types_supported: ['public'],
+          id_token_signing_alg_values_supported: ['RS256']
+        )
+      end
+
+      context 'when id_token has kid' do
+        let(:private_key) do
+          OpenSSL::PKey::RSA.new(
+            File.read(File.join(__dir__, '../../mock_response/public_keys/private_key.pem'))
+          ).to_jwk
+        end
+
+        it do
+          mock_json :get, idp_config.jwks_uri, 'public_keys/jwks_with_private_key' do
+            should be_a klass
+          end
+        end
+      end
+
+      context 'otherwise' do
+        let(:private_key) do
+          OpenSSL::PKey::RSA.new(
+            File.read(File.join(__dir__, '../../mock_response/public_keys/private_key.pem'))
+          )
+        end
+
+        it do
+          mock_json :get, idp_config.jwks_uri, 'public_keys/jwks_with_private_key' do
+            expect do
+              should
+            end.to raise_error JSON::JWK::Set::KidNotFound
+          end
+        end
+      end
+    end
+
     context 'when self-issued' do
       context 'when valid' do
         let(:self_issued) do
@@ -315,4 +367,4 @@ describe OpenIDConnect::ResponseObject::IdToken do
     its(:sub_jwk) { should == sub_jwk}
     its(:subject) { should == sub_jwk.thumbprint }
   end
-end
+end

data/spec/openid_connect_spec.rb

@@ -46,12 +46,12 @@ describe OpenIDConnect do
     context 'with http_config' do
       before do
         OpenIDConnect.http_config do |config|
-          config.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          config.ssl.verify = false
         end
       end
       it 'should configure OpenIDConnect, SWD and Rack::OAuth2\'s http_client' do
         [OpenIDConnect, SWD, WebFinger, Rack::OAuth2].each do |klass|
-          klass.http_client.ssl_config.verify_mode.should == OpenSSL::SSL::VERIFY_NONE
+          klass.http_client.ssl.verify.should be_falsy
         end
       end
     end

metadata

@@ -1,59 +1,59 @@
 --- !ruby/object:Gem::Specification
 name: openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.2.0
 platform: ruby
 authors:
 - nov matake
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-03-23 00:00:00.000000000 Z
+date: 2022-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: json
+  name: tzinfo
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.3
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.3
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: tzinfo
+  name: attr_required
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
-  name: attr_required
+  name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: activemodel
+  name: validate_url
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -67,7 +67,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: validate_url
+  name: validate_email
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -81,7 +81,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: validate_email
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: faraday-follow_redirects
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -100,56 +114,70 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.0
+        version: '1.16'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.0
+        version: '1.16'
 - !ruby/object:Gem::Dependency
   name: swd
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: webfinger
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rack-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: net-smtp
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -220,6 +248,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: OpenID Connect Server & Client Library
 email:
 - nov@matake.jp
@@ -227,9 +269,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/workflows/spec.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.rdoc
@@ -238,11 +282,10 @@ files:
 - VERSION
 - lib/openid_connect.rb
 - lib/openid_connect/access_token.rb
+- lib/openid_connect/access_token/mtls.rb
 - lib/openid_connect/client.rb
 - lib/openid_connect/client/registrar.rb
 - lib/openid_connect/connect_object.rb
-- lib/openid_connect/debugger.rb
-- lib/openid_connect/debugger/request_filter.rb
 - lib/openid_connect/discovery.rb
 - lib/openid_connect/discovery/provider.rb
 - lib/openid_connect/discovery/provider/config.rb
@@ -272,6 +315,7 @@ files:
 - spec/mock_response/access_token/bearer_with_id_token.json
 - spec/mock_response/access_token/invalid_json.json
 - spec/mock_response/access_token/mac.json
+- spec/mock_response/access_token/without_token_type.json
 - spec/mock_response/client/registered.json
 - spec/mock_response/client/rotated.json
 - spec/mock_response/client/updated.json
@@ -288,13 +332,14 @@ files:
 - spec/mock_response/errors/unknown.json
 - spec/mock_response/id_token.json
 - spec/mock_response/public_keys/jwks.json
+- spec/mock_response/public_keys/jwks_with_private_key.json
+- spec/mock_response/public_keys/private_key.pem
 - spec/mock_response/request_object/signed.jwt
 - spec/mock_response/userinfo/openid.json
 - spec/openid_connect/access_token_spec.rb
 - spec/openid_connect/client/registrar_spec.rb
 - spec/openid_connect/client_spec.rb
 - spec/openid_connect/connect_object_spec.rb
-- spec/openid_connect/debugger/request_filter_spec.rb
 - spec/openid_connect/discovery/provider/config/resource_spec.rb
 - spec/openid_connect/discovery/provider/config/response_spec.rb
 - spec/openid_connect/discovery/provider/config_spec.rb
@@ -317,7 +362,7 @@ homepage: https://github.com/nov/openid_connect
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -332,9 +377,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: OpenID Connect Server & Client Library
 test_files:
@@ -344,6 +388,7 @@ test_files:
 - spec/mock_response/access_token/bearer_with_id_token.json
 - spec/mock_response/access_token/invalid_json.json
 - spec/mock_response/access_token/mac.json
+- spec/mock_response/access_token/without_token_type.json
 - spec/mock_response/client/registered.json
 - spec/mock_response/client/rotated.json
 - spec/mock_response/client/updated.json
@@ -360,13 +405,14 @@ test_files:
 - spec/mock_response/errors/unknown.json
 - spec/mock_response/id_token.json
 - spec/mock_response/public_keys/jwks.json
+- spec/mock_response/public_keys/jwks_with_private_key.json
+- spec/mock_response/public_keys/private_key.pem
 - spec/mock_response/request_object/signed.jwt
 - spec/mock_response/userinfo/openid.json
 - spec/openid_connect/access_token_spec.rb
 - spec/openid_connect/client/registrar_spec.rb
 - spec/openid_connect/client_spec.rb
 - spec/openid_connect/connect_object_spec.rb
-- spec/openid_connect/debugger/request_filter_spec.rb
 - spec/openid_connect/discovery/provider/config/resource_spec.rb
 - spec/openid_connect/discovery/provider/config/response_spec.rb
 - spec/openid_connect/discovery/provider/config_spec.rb

data/.travis.yml

@@ -1,7 +0,0 @@
-before_install:
-  - gem install bundler
-
-rvm:
-  - 2.2.2
-  - 2.2.5
-  - 2.3.1

data/lib/openid_connect/debugger/request_filter.rb

@@ -1,28 +0,0 @@
-module OpenIDConnect
-  module Debugger
-    class RequestFilter
-      # Callback called in HTTPClient (before sending a request)
-      # request:: HTTP::Message
-      def filter_request(request)
-        started = "======= [OpenIDConnect] HTTP REQUEST STARTED ======="
-        log started, request.dump
-      end
-
-      # Callback called in HTTPClient (after received a response)
-      # request::  HTTP::Message
-      # response:: HTTP::Message
-      def filter_response(request, response)
-        finished = "======= [OpenIDConnect] HTTP REQUEST FINISHED ======="
-        log '-' * 50, response.dump, finished
-      end
-
-      private
-
-      def log(*outputs)
-        outputs.each do |output|
-          OpenIDConnect.logger.info output
-        end
-      end
-    end
-  end
-end

data/lib/openid_connect/debugger.rb

@@ -1,3 +0,0 @@
-Dir[File.dirname(__FILE__) + '/debugger/*.rb'].each do |file|
-  require file
-end

data/spec/openid_connect/debugger/request_filter_spec.rb

@@ -1,33 +0,0 @@
-require 'spec_helper'
-
-describe OpenIDConnect::Debugger::RequestFilter do
-  let(:resource_endpoint) { 'https://example.com/resources' }
-  let(:request) { HTTP::Message.new_request(:get, URI.parse(resource_endpoint)) }
-  let(:response) { HTTP::Message.new_response({hello: 'world'}.to_json) }
-  let(:request_filter) { OpenIDConnect::Debugger::RequestFilter.new }
-
-  describe '#filter_request' do
-    it 'should log request' do
-      [
-        "======= [OpenIDConnect] HTTP REQUEST STARTED =======",
-        request.dump
-      ].each do |output|
-        expect(OpenIDConnect.logger).to receive(:info).with output
-      end
-      request_filter.filter_request(request)
-    end
-  end
-
-  describe '#filter_response' do
-    it 'should log response' do
-      [
-        "--------------------------------------------------",
-        response.dump,
-        "======= [OpenIDConnect] HTTP REQUEST FINISHED ======="
-      ].each do |output|
-        expect(OpenIDConnect.logger).to receive(:info).with output
-      end
-      request_filter.filter_response(request, response)
-    end
-  end
-end