openid_connect 1.1.0 → 2.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.github/FUNDING.yml +3 -0
- data/.github/workflows/spec.yml +32 -0
- data/CHANGELOG.md +17 -0
- data/README.rdoc +0 -2
- data/VERSION +1 -1
- data/lib/openid_connect/access_token/mtls.rb +9 -0
- data/lib/openid_connect/access_token.rb +11 -2
- data/lib/openid_connect/client/registrar.rb +5 -5
- data/lib/openid_connect/client.rb +4 -5
- data/lib/openid_connect/discovery/provider/config/resource.rb +4 -2
- data/lib/openid_connect/discovery/provider/config/response.rb +21 -12
- data/lib/openid_connect/request_object.rb +3 -1
- data/lib/openid_connect/response_object/id_token.rb +28 -13
- data/lib/openid_connect/response_object/user_info.rb +1 -0
- data/lib/openid_connect.rb +22 -8
- data/openid_connect.gemspec +14 -6
- data/spec/helpers/webmock_helper.rb +7 -1
- data/spec/mock_response/access_token/without_token_type.json +3 -0
- data/spec/mock_response/errors/unknown.json +3 -1
- data/spec/mock_response/public_keys/jwks_with_private_key.json +8 -0
- data/spec/mock_response/public_keys/private_key.pem +27 -0
- data/spec/openid_connect/client/registrar_spec.rb +1 -1
- data/spec/openid_connect/client_spec.rb +10 -11
- data/spec/openid_connect/discovery/provider/config/response_spec.rb +23 -1
- data/spec/openid_connect/discovery/provider/config_spec.rb +28 -8
- data/spec/openid_connect/response_object/id_token_spec.rb +63 -11
- data/spec/openid_connect_spec.rb +2 -2
- metadata +82 -36
- data/.travis.yml +0 -7
- data/lib/openid_connect/debugger/request_filter.rb +0 -28
- data/lib/openid_connect/debugger.rb +0 -3
- data/spec/openid_connect/debugger/request_filter_spec.rb +0 -33
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 2b5a083aca9fb04e50e7ff4fb18d26d221daac9bf22ec1cfcc136007160a03db
|
4
|
+
data.tar.gz: 1eb0f4f04691552f0b276d284bb91f47d393c0afdc8e7473c57446c4e89c6cc1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3469b7247c8337d0f3bc5adddc3ebc117676814fba726ba95d59fb50279ae7f8a91e3856962ab794e44bc3d8a0ccbb9adf07966bc4ff50139c74e08c783e5e1f
|
7
|
+
data.tar.gz: 5670dcd68a4b196ebb167c2eb313360d407ae30a77914da20f376f4cddef1b009642fc5aeee5eddbd971b03e7baee939076a7ed343a9e63906e309b261bda8be
|
data/.github/FUNDING.yml
ADDED
@@ -0,0 +1,32 @@
|
|
1
|
+
name: Spec
|
2
|
+
|
3
|
+
on:
|
4
|
+
push:
|
5
|
+
branches:
|
6
|
+
- master
|
7
|
+
pull_request:
|
8
|
+
|
9
|
+
permissions:
|
10
|
+
contents: read
|
11
|
+
|
12
|
+
jobs:
|
13
|
+
spec:
|
14
|
+
strategy:
|
15
|
+
matrix:
|
16
|
+
os: ['ubuntu-20.04']
|
17
|
+
ruby-version: ['2.6', '2.7', '3.0', '3.1']
|
18
|
+
# ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
|
19
|
+
include:
|
20
|
+
- os: 'ubuntu-22.04'
|
21
|
+
ruby-version: '3.1'
|
22
|
+
runs-on: ${{ matrix.os }}
|
23
|
+
|
24
|
+
steps:
|
25
|
+
- uses: actions/checkout@v3
|
26
|
+
- name: Set up Ruby
|
27
|
+
uses: ruby/setup-ruby@v1
|
28
|
+
with:
|
29
|
+
ruby-version: ${{ matrix.ruby-version }}
|
30
|
+
bundler-cache: true
|
31
|
+
- name: Run Specs
|
32
|
+
run: bundle exec rake spec
|
data/CHANGELOG.md
ADDED
@@ -0,0 +1,17 @@
|
|
1
|
+
## [Unreleased]
|
2
|
+
|
3
|
+
## [2.1.0] - 2022-10-10
|
4
|
+
|
5
|
+
### Changed
|
6
|
+
|
7
|
+
- mTLS access token by @nov in https://github.com/nov/openid_connect/pull/76
|
8
|
+
|
9
|
+
## [2.0.0] - 2022-10-09
|
10
|
+
|
11
|
+
### Added
|
12
|
+
|
13
|
+
- start recording CHANGELOG
|
14
|
+
|
15
|
+
### Changed
|
16
|
+
|
17
|
+
- replace httpclient with faraday v2 by @nov in https://github.com/nov/openid_connect/pull/75
|
data/README.rdoc
CHANGED
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
|
1
|
+
2.2.0
|
@@ -0,0 +1,9 @@
|
|
1
|
+
module OpenIDConnect
|
2
|
+
class AccessToken::MTLS < AccessToken
|
3
|
+
def initialize(attributes = {})
|
4
|
+
super
|
5
|
+
http_client.ssl.client_key = attributes[:private_key] || client.private_key
|
6
|
+
http_client.ssl.client_cert = attributes[:certificate] || client.certificate
|
7
|
+
end
|
8
|
+
end
|
9
|
+
end
|
@@ -15,13 +15,20 @@ module OpenIDConnect
|
|
15
15
|
ResponseObject::UserInfo.new hash
|
16
16
|
end
|
17
17
|
|
18
|
+
def to_mtls(attributes = {})
|
19
|
+
(required_attributes + optional_attributes).each do |key|
|
20
|
+
attributes[key] = self.send(key)
|
21
|
+
end
|
22
|
+
MTLS.new attributes
|
23
|
+
end
|
24
|
+
|
18
25
|
private
|
19
26
|
|
20
27
|
def resource_request
|
21
28
|
res = yield
|
22
29
|
case res.status
|
23
30
|
when 200
|
24
|
-
|
31
|
+
res.body.with_indifferent_access
|
25
32
|
when 400
|
26
33
|
raise BadRequest.new('API Access Faild', res)
|
27
34
|
when 401
|
@@ -33,4 +40,6 @@ module OpenIDConnect
|
|
33
40
|
end
|
34
41
|
end
|
35
42
|
end
|
36
|
-
end
|
43
|
+
end
|
44
|
+
|
45
|
+
require 'openid_connect/access_token/mtls'
|
@@ -50,12 +50,12 @@ module OpenIDConnect
|
|
50
50
|
]
|
51
51
|
attr_required :endpoint
|
52
52
|
attr_optional :initial_access_token
|
53
|
-
attr_required
|
54
|
-
attr_optional
|
53
|
+
attr_required(*required_metadata_attributes)
|
54
|
+
attr_optional(*(metadata_attributes - required_metadata_attributes))
|
55
55
|
|
56
|
-
validates
|
56
|
+
validates(*required_attributes, presence: true)
|
57
57
|
validates :sector_identifier_uri, presence: {if: :sector_identifier_required?}
|
58
|
-
validates
|
58
|
+
validates(*singular_uri_attributes, url: true, allow_nil: true)
|
59
59
|
validate :validate_plural_uri_attributes
|
60
60
|
validate :validate_contacts
|
61
61
|
|
@@ -170,7 +170,7 @@ module OpenIDConnect
|
|
170
170
|
end
|
171
171
|
|
172
172
|
def handle_success_response(response)
|
173
|
-
credentials =
|
173
|
+
credentials = response.body.with_indifferent_access
|
174
174
|
Client.new(
|
175
175
|
identifier: credentials[:client_id],
|
176
176
|
secret: credentials[:client_secret],
|
@@ -26,19 +26,18 @@ module OpenIDConnect
|
|
26
26
|
end
|
27
27
|
|
28
28
|
def handle_success_response(response)
|
29
|
-
token_hash =
|
30
|
-
|
29
|
+
token_hash = response.body.with_indifferent_access
|
30
|
+
token_type = (@forced_token_type || token_hash[:token_type]).try(:downcase)
|
31
|
+
case token_type
|
31
32
|
when 'bearer'
|
32
33
|
AccessToken.new token_hash.merge(client: self)
|
33
34
|
else
|
34
35
|
raise Exception.new("Unexpected Token Type: #{token_type}")
|
35
36
|
end
|
36
|
-
rescue JSON::ParserError
|
37
|
-
raise Exception.new("Unknown Token Type")
|
38
37
|
end
|
39
38
|
end
|
40
39
|
end
|
41
40
|
|
42
41
|
Dir[File.dirname(__FILE__) + '/client/*.rb'].each do |file|
|
43
42
|
require file
|
44
|
-
end
|
43
|
+
end
|
@@ -1,3 +1,5 @@
|
|
1
|
+
require "openssl"
|
2
|
+
|
1
3
|
module OpenIDConnect
|
2
4
|
module Discovery
|
3
5
|
module Provider
|
@@ -27,8 +29,8 @@ module OpenIDConnect
|
|
27
29
|
end
|
28
30
|
|
29
31
|
def cache_key
|
30
|
-
|
31
|
-
"swd:resource:opneid-conf:#{
|
32
|
+
sha256 = OpenSSL::Digest::SHA256.hexdigest host
|
33
|
+
"swd:resource:opneid-conf:#{sha256}"
|
32
34
|
end
|
33
35
|
end
|
34
36
|
end
|
@@ -18,17 +18,19 @@ module OpenIDConnect
|
|
18
18
|
:token_endpoint,
|
19
19
|
:userinfo_endpoint,
|
20
20
|
:registration_endpoint,
|
21
|
+
:end_session_endpoint,
|
21
22
|
:service_documentation,
|
23
|
+
:check_session_iframe,
|
22
24
|
:op_policy_uri,
|
23
25
|
:op_tos_uri
|
24
26
|
]
|
25
27
|
}
|
26
|
-
attr_required
|
28
|
+
attr_required(*(uri_attributes[:required] + [
|
27
29
|
:response_types_supported,
|
28
30
|
:subject_types_supported,
|
29
31
|
:id_token_signing_alg_values_supported
|
30
|
-
])
|
31
|
-
attr_optional
|
32
|
+
]))
|
33
|
+
attr_optional(*(uri_attributes[:optional] + [
|
32
34
|
:scopes_supported,
|
33
35
|
:response_modes_supported,
|
34
36
|
:grant_types_supported,
|
@@ -52,10 +54,10 @@ module OpenIDConnect
|
|
52
54
|
:request_parameter_supported,
|
53
55
|
:request_uri_parameter_supported,
|
54
56
|
:require_request_uri_registration
|
55
|
-
])
|
57
|
+
]))
|
56
58
|
|
57
|
-
validates
|
58
|
-
validates
|
59
|
+
validates(*required_attributes, presence: true)
|
60
|
+
validates(*uri_attributes.values.flatten, url: true, allow_nil: true)
|
59
61
|
validates :issuer, with: :validate_issuer_matching
|
60
62
|
|
61
63
|
def initialize(hash)
|
@@ -74,17 +76,20 @@ module OpenIDConnect
|
|
74
76
|
end
|
75
77
|
end
|
76
78
|
|
77
|
-
def validate!
|
79
|
+
def validate!
|
78
80
|
valid? or raise ValidationFailed.new(self)
|
79
81
|
end
|
80
82
|
|
81
83
|
def jwks
|
82
|
-
@jwks ||=
|
83
|
-
OpenIDConnect.http_client.get_content(jwks_uri)
|
84
|
-
).with_indifferent_access
|
84
|
+
@jwks ||= OpenIDConnect.http_client.get(jwks_uri).body.with_indifferent_access
|
85
85
|
JSON::JWK::Set.new @jwks[:keys]
|
86
86
|
end
|
87
87
|
|
88
|
+
def jwk(kid)
|
89
|
+
@jwks ||= {}
|
90
|
+
@jwks[kid] ||= JSON::JWK::Set::Fetcher.fetch(jwks_uri, kid: kid)
|
91
|
+
end
|
92
|
+
|
88
93
|
def public_keys
|
89
94
|
@public_keys ||= jwks.collect(&:to_key)
|
90
95
|
end
|
@@ -93,11 +98,15 @@ module OpenIDConnect
|
|
93
98
|
|
94
99
|
def validate_issuer_matching
|
95
100
|
if expected_issuer.present? && issuer != expected_issuer
|
96
|
-
|
101
|
+
if OpenIDConnect.validate_discovery_issuer
|
102
|
+
errors.add :issuer, 'mismatch'
|
103
|
+
else
|
104
|
+
OpenIDConnect.logger.warn 'ignoring issuer mismach.'
|
105
|
+
end
|
97
106
|
end
|
98
107
|
end
|
99
108
|
end
|
100
109
|
end
|
101
110
|
end
|
102
111
|
end
|
103
|
-
end
|
112
|
+
end
|
@@ -5,10 +5,12 @@ module OpenIDConnect
|
|
5
5
|
attr_optional :client_id, :response_type, :redirect_uri, :scope, :state, :nonce, :display, :prompt, :userinfo, :id_token
|
6
6
|
validate :require_at_least_one_attributes
|
7
7
|
|
8
|
+
undef :id_token=
|
8
9
|
def id_token=(attributes = {})
|
9
10
|
@id_token = IdToken.new(attributes) if attributes.present?
|
10
11
|
end
|
11
12
|
|
13
|
+
undef :userinfo=
|
12
14
|
def userinfo=(attributes = {})
|
13
15
|
@userinfo = UserInfo.new(attributes) if attributes.present?
|
14
16
|
end
|
@@ -23,7 +25,7 @@ module OpenIDConnect
|
|
23
25
|
end
|
24
26
|
|
25
27
|
def fetch(request_uri, key = nil)
|
26
|
-
jwt_string = OpenIDConnect.http_client.
|
28
|
+
jwt_string = OpenIDConnect.http_client.get(request_uri).body
|
27
29
|
decode jwt_string, key
|
28
30
|
end
|
29
31
|
end
|
@@ -1,13 +1,15 @@
|
|
1
|
-
require 'json/jwt'
|
2
|
-
|
3
1
|
module OpenIDConnect
|
4
2
|
class ResponseObject
|
5
3
|
class IdToken < ConnectObject
|
6
4
|
class InvalidToken < Exception; end
|
5
|
+
class ExpiredToken < InvalidToken; end
|
6
|
+
class InvalidIssuer < InvalidToken; end
|
7
|
+
class InvalidNonce < InvalidToken; end
|
8
|
+
class InvalidAudience < InvalidToken; end
|
7
9
|
|
8
10
|
attr_required :iss, :sub, :aud, :exp, :iat
|
9
|
-
attr_optional :acr, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash
|
10
|
-
attr_accessor :access_token, :code
|
11
|
+
attr_optional :acr, :amr, :azp, :jti, :sid, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash, :s_hash
|
12
|
+
attr_accessor :access_token, :code, :state
|
11
13
|
alias_method :subject, :sub
|
12
14
|
alias_method :subject=, :sub=
|
13
15
|
|
@@ -20,11 +22,16 @@ module OpenIDConnect
|
|
20
22
|
end
|
21
23
|
|
22
24
|
def verify!(expected = {})
|
23
|
-
exp.to_i > Time.now.to_i
|
24
|
-
iss == expected[:issuer]
|
25
|
-
|
26
|
-
|
27
|
-
|
25
|
+
raise ExpiredToken.new('Invalid ID token: Expired token') unless exp.to_i > Time.now.to_i
|
26
|
+
raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless iss == expected[:issuer]
|
27
|
+
raise InvalidNonce.new('Invalid ID Token: Nonce does not match') unless nonce == expected[:nonce]
|
28
|
+
|
29
|
+
# aud(ience) can be a string or an array of strings
|
30
|
+
unless Array(aud).include?(expected[:audience] || expected[:client_id])
|
31
|
+
raise InvalidAudience.new('Invalid ID token: Audience does not match')
|
32
|
+
end
|
33
|
+
|
34
|
+
true
|
28
35
|
end
|
29
36
|
|
30
37
|
include JWTnizable
|
@@ -42,6 +49,9 @@ module OpenIDConnect
|
|
42
49
|
if code
|
43
50
|
self.c_hash = left_half_hash_of code, hash_length
|
44
51
|
end
|
52
|
+
if state
|
53
|
+
self.s_hash = left_half_hash_of state, hash_length
|
54
|
+
end
|
45
55
|
super
|
46
56
|
end
|
47
57
|
|
@@ -49,15 +59,20 @@ module OpenIDConnect
|
|
49
59
|
|
50
60
|
def left_half_hash_of(string, hash_length)
|
51
61
|
digest = OpenSSL::Digest.new("SHA#{hash_length}").digest string
|
52
|
-
|
62
|
+
Base64.urlsafe_encode64 digest[0, hash_length / (2 * 8)], padding: false
|
53
63
|
end
|
54
64
|
|
55
65
|
class << self
|
56
|
-
def decode(jwt_string,
|
57
|
-
|
66
|
+
def decode(jwt_string, key_or_config)
|
67
|
+
case key_or_config
|
68
|
+
when :self_issued
|
58
69
|
decode_self_issued jwt_string
|
70
|
+
when OpenIDConnect::Discovery::Provider::Config::Response
|
71
|
+
jwt = JSON::JWT.decode jwt_string, :skip_verification
|
72
|
+
jwt.verify! key_or_config.jwk(jwt.kid)
|
73
|
+
new jwt
|
59
74
|
else
|
60
|
-
new JSON::JWT.decode jwt_string,
|
75
|
+
new JSON::JWT.decode jwt_string, key_or_config
|
61
76
|
end
|
62
77
|
end
|
63
78
|
|
data/lib/openid_connect.rb
CHANGED
@@ -1,5 +1,7 @@
|
|
1
1
|
require 'json'
|
2
2
|
require 'logger'
|
3
|
+
require 'faraday'
|
4
|
+
require 'faraday/follow_redirects'
|
3
5
|
require 'swd'
|
4
6
|
require 'webfinger'
|
5
7
|
require 'active_model'
|
@@ -8,6 +10,7 @@ require 'validate_url'
|
|
8
10
|
require 'validate_email'
|
9
11
|
require 'attr_required'
|
10
12
|
require 'attr_optional'
|
13
|
+
require 'json/jwt'
|
11
14
|
require 'rack/oauth2'
|
12
15
|
require 'rack/oauth2/server/authorize/error_with_connect_ext'
|
13
16
|
require 'rack/oauth2/server/authorize/request_with_connect_params'
|
@@ -63,19 +66,31 @@ module OpenIDConnect
|
|
63
66
|
self.debugging = false
|
64
67
|
|
65
68
|
def self.http_client
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
69
|
+
Faraday.new(headers: {user_agent: "OpenIDConnect (#{VERSION})"}) do |faraday|
|
70
|
+
faraday.request :url_encoded
|
71
|
+
faraday.request :json
|
72
|
+
faraday.response :json
|
73
|
+
faraday.response :logger, OpenIDConnect.logger, {bodies: true} if debugging?
|
74
|
+
faraday.adapter Faraday.default_adapter
|
75
|
+
http_config&.call(faraday)
|
76
|
+
end
|
72
77
|
end
|
73
78
|
def self.http_config(&block)
|
74
79
|
@sub_protocols.each do |klass|
|
75
|
-
klass.http_config
|
80
|
+
klass.http_config(&block) unless klass.http_config
|
76
81
|
end
|
77
82
|
@@http_config ||= block
|
78
83
|
end
|
84
|
+
|
85
|
+
def self.validate_discovery_issuer=(boolean)
|
86
|
+
@@validate_discovery_issuer = boolean
|
87
|
+
end
|
88
|
+
|
89
|
+
def self.validate_discovery_issuer
|
90
|
+
@@validate_discovery_issuer
|
91
|
+
end
|
92
|
+
|
93
|
+
self.validate_discovery_issuer = true
|
79
94
|
end
|
80
95
|
|
81
96
|
require 'openid_connect/exception'
|
@@ -84,4 +99,3 @@ require 'openid_connect/access_token'
|
|
84
99
|
require 'openid_connect/jwtnizable'
|
85
100
|
require 'openid_connect/connect_object'
|
86
101
|
require 'openid_connect/discovery'
|
87
|
-
require 'openid_connect/debugger'
|
data/openid_connect.gemspec
CHANGED
@@ -12,19 +12,27 @@ Gem::Specification.new do |s|
|
|
12
12
|
s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
|
13
13
|
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
|
14
14
|
s.require_paths = ["lib"]
|
15
|
-
s.add_runtime_dependency "json", ">= 1.4.3"
|
16
15
|
s.add_runtime_dependency "tzinfo"
|
17
16
|
s.add_runtime_dependency "attr_required", ">= 1.0.0"
|
18
17
|
s.add_runtime_dependency "activemodel"
|
19
18
|
s.add_runtime_dependency "validate_url"
|
20
19
|
s.add_runtime_dependency "validate_email"
|
21
|
-
s.add_runtime_dependency
|
22
|
-
s.add_runtime_dependency
|
23
|
-
s.add_runtime_dependency "
|
24
|
-
s.add_runtime_dependency "
|
20
|
+
s.add_runtime_dependency 'faraday', '~> 2.0'
|
21
|
+
s.add_runtime_dependency 'faraday-follow_redirects'
|
22
|
+
s.add_runtime_dependency "json-jwt", ">= 1.16"
|
23
|
+
s.add_runtime_dependency "swd", "~> 2.0"
|
24
|
+
s.add_runtime_dependency "webfinger", "~> 2.0"
|
25
|
+
s.add_runtime_dependency "rack-oauth2", "~> 2.2"
|
26
|
+
if Gem.ruby_version >= Gem::Version.create(3.1)
|
27
|
+
# TODO:
|
28
|
+
# remove "net-smtp" dependency after mail gem 2.8+ (which supports ruby 3.1+) released.
|
29
|
+
# ref.) https://rubygems.org/gems/mail
|
30
|
+
s.add_runtime_dependency "net-smtp"
|
31
|
+
end
|
25
32
|
s.add_development_dependency "rake"
|
26
33
|
s.add_development_dependency "rspec"
|
27
34
|
s.add_development_dependency "rspec-its"
|
28
35
|
s.add_development_dependency "webmock"
|
29
36
|
s.add_development_dependency "simplecov"
|
30
|
-
|
37
|
+
s.add_development_dependency "rexml"
|
38
|
+
end
|
@@ -32,7 +32,13 @@ module WebMockHelper
|
|
32
32
|
|
33
33
|
def response_for(response_file, options = {})
|
34
34
|
response = {}
|
35
|
-
|
35
|
+
format = options[:format] || :json
|
36
|
+
if format == :json
|
37
|
+
response[:headers] = {
|
38
|
+
'Content-Type': 'application/json'
|
39
|
+
}
|
40
|
+
end
|
41
|
+
response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', "#{response_file}.#{format}"))
|
36
42
|
if options[:status]
|
37
43
|
response[:status] = options[:status]
|
38
44
|
end
|
@@ -0,0 +1,8 @@
|
|
1
|
+
{
|
2
|
+
"keys": [{
|
3
|
+
"kty": "RSA",
|
4
|
+
"e": "AQAB",
|
5
|
+
"n": "vWr1S4T0jBnYU9PIpUYxT48Ca8HK8aitbmqbTM3t3Zzl1GNpIlyePnwXSL6SgNcVbeRhTfvXZUzH4pP8HzPJdpUHnAeYyCzjz9UNykdFCp2YW676wpLDzMkaU7bYLJxGjZlpHU-UJVIm5KX9-NfMyGbFUOuw4AY-OWp8GxrqwAF4U6bJ86TpO24wMxmgm0Vl72aRMGVJkRz66YLYOPNVjXjOI4bUuxg_o3Px5QASxvDCawMeLR3pLCoQcLAZn6WZx7nX3Wu6QzcY0QCqhqUAeY49QRT83Jdg7WUsNa2Rbegi3jJGJf-t9hEcJPmrI6q9zl6WArUueQHS-XUQWq5ptw",
|
6
|
+
"kid": "DCmKamGtkGAWz-uujePOp-UeATAeT4fi3KouR78r44I"
|
7
|
+
}]
|
8
|
+
}
|
@@ -0,0 +1,27 @@
|
|
1
|
+
-----BEGIN RSA PRIVATE KEY-----
|
2
|
+
MIIEpAIBAAKCAQEAvWr1S4T0jBnYU9PIpUYxT48Ca8HK8aitbmqbTM3t3Zzl1GNp
|
3
|
+
IlyePnwXSL6SgNcVbeRhTfvXZUzH4pP8HzPJdpUHnAeYyCzjz9UNykdFCp2YW676
|
4
|
+
wpLDzMkaU7bYLJxGjZlpHU+UJVIm5KX9+NfMyGbFUOuw4AY+OWp8GxrqwAF4U6bJ
|
5
|
+
86TpO24wMxmgm0Vl72aRMGVJkRz66YLYOPNVjXjOI4bUuxg/o3Px5QASxvDCawMe
|
6
|
+
LR3pLCoQcLAZn6WZx7nX3Wu6QzcY0QCqhqUAeY49QRT83Jdg7WUsNa2Rbegi3jJG
|
7
|
+
Jf+t9hEcJPmrI6q9zl6WArUueQHS+XUQWq5ptwIDAQABAoIBAHvDWBUJAVRNSsiy
|
8
|
+
90XuECggk/9ed0Dg6rjblS9g2kvTyWO1tKsMAyVmpTwVsNnYLxtHfsCajcmVmoEU
|
9
|
+
Gkc06iy+AWPUnuIkWpGgbss9OAJQqI03Toc1qBO1TqtmK+cyEPNSSpkpNu4PuHPr
|
10
|
+
dX9TWW2ToNdXuJEX4y5WwlJfiwT6kPdK86IKpPCql1+X/N2nKbn+5OWHTDuW3jLF
|
11
|
+
H4UoJlUU77VgPedQLF9xr9NXGZbgYdTtsg3GU3k7/xhcetNq22Dtr8vYnX8LcIsZ
|
12
|
+
9VW+KBRGOwgXTMLuj25VxkFUsJejEoq5+WyHTsSsa4w8Fxyc50GPfZJKh8J2jHiG
|
13
|
+
8weJUNECgYEA5CoQmUz+8saVg1IwnEgZBSMF1rthMgvuDPhD8PJNaugUCyo9tg0O
|
14
|
+
AXo9EMOUHmr2vCN8h2MZZuuW0D5np/Z9T102N99mJU6tVMSabBPDUTfxThq4xY48
|
15
|
+
VZvS6EOzSomeEbrIDciJghqJIvPxEoqLXY3Zg7kDef7YiqybhZFdlS8CgYEA1IbH
|
16
|
+
MHKfcL+LAo88y4tgOe6Wn8FRG1K7MHvdR+KErgxBg63I9zmolPsyznjNVKpB9syt
|
17
|
+
zqkDxBg/jTIctgeziMQNSODQoqRKcgEDePwcu+wBvuV+LJFJoIWFrvIPyZ5yKzeb
|
18
|
+
Vm1lRMgQfoeAQE4nVYAJG+oTTsFTdEtrHkOW4fkCgYEAsNHcnUFrTvARDH1UiLjj
|
19
|
+
EvUKYFhEwck3CbwYwxC0aIZEikaJHp3NXd3Cl0xKbKxOXI1Pw4hMNlObQ/Uo1aUT
|
20
|
+
hb7h9rjda0omz8uxNNK4CihFjFbvHMLXBS1GbJOSzdAKvQi4Yt4nmrk/z+Omzsyp
|
21
|
+
pq34hLmL9S5H2Ghd+kwmbycCgYBiC1N1PEvl3depdJ8dX80irLj8NljOfBozQdFR
|
22
|
+
ymRfTvQiZVfjBcyJ/mDv87b2Kh2IV+CPCFXebzlSUB4CtAbVP2zJhD176sMVWPZb
|
23
|
+
KCOxZi1f/ct5kAUhcre7f5xc7SXKXjrhYlJnqsxBMw2tnOB0hz6sjA4gNPvlGK3w
|
24
|
+
JkpDMQKBgQCgPoqSjmbroWC9oq5iDwRtx6f6fJG7CE91ZFJulunQj6YWOC3zNHEa
|
25
|
+
XvPPGM8fZpJS4e8LiPClkk8nsOoC50neEVGZeEuhdP6m6WNPN3SlP7bXozHOJTh0
|
26
|
+
mHrk2bUHFlQn8f5KWfLQbdyKBzs7WqCRTOR/gIbfxBlUOs0BN37xhw==
|
27
|
+
-----END RSA PRIVATE KEY-----
|
@@ -162,22 +162,21 @@ describe OpenIDConnect::Client do
|
|
162
162
|
end
|
163
163
|
end
|
164
164
|
|
165
|
-
context 'when invalid JSON is returned' do
|
166
|
-
it 'should raise OpenIDConnect::Exception' do
|
167
|
-
mock_json :post, client.token_endpoint, 'access_token/invalid_json', request_header: header_params, params: protocol_params do
|
168
|
-
expect do
|
169
|
-
access_token
|
170
|
-
end.to raise_error OpenIDConnect::Exception, 'Unknown Token Type'
|
171
|
-
end
|
172
|
-
end
|
173
|
-
end
|
174
|
-
|
175
165
|
context 'otherwise' do
|
176
166
|
it 'should raise Unexpected Token Type exception' do
|
177
167
|
mock_json :post, client.token_endpoint, 'access_token/mac', request_header: header_params, params: protocol_params do
|
178
168
|
expect { access_token }.to raise_error OpenIDConnect::Exception, 'Unexpected Token Type: mac'
|
179
169
|
end
|
180
170
|
end
|
171
|
+
|
172
|
+
context 'when token_type is forced' do
|
173
|
+
before { client.force_token_type! :bearer }
|
174
|
+
it 'should use forced token_type' do
|
175
|
+
mock_json :post, client.token_endpoint, 'access_token/without_token_type', request_header: header_params, params: protocol_params do
|
176
|
+
access_token.should be_a OpenIDConnect::AccessToken
|
177
|
+
end
|
178
|
+
end
|
179
|
+
end
|
181
180
|
end
|
182
181
|
end
|
183
|
-
end
|
182
|
+
end
|
@@ -35,6 +35,28 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
|
|
35
35
|
it { should_not be_valid }
|
36
36
|
end
|
37
37
|
|
38
|
+
context 'when end_session_endpoint given' do
|
39
|
+
let(:end_session_endpoint) { 'https://server.example.com/end_session' }
|
40
|
+
let :attributes do
|
41
|
+
minimum_attributes.merge(
|
42
|
+
end_session_endpoint: end_session_endpoint
|
43
|
+
)
|
44
|
+
end
|
45
|
+
it { should be_valid }
|
46
|
+
its(:end_session_endpoint) { should == end_session_endpoint }
|
47
|
+
end
|
48
|
+
|
49
|
+
context 'when check_session_iframe given' do
|
50
|
+
let(:check_session_iframe) { 'https://server.example.com/check_session_iframe.html' }
|
51
|
+
let :attributes do
|
52
|
+
minimum_attributes.merge(
|
53
|
+
check_session_iframe: check_session_iframe
|
54
|
+
)
|
55
|
+
end
|
56
|
+
it { should be_valid }
|
57
|
+
its(:check_session_iframe) { should == check_session_iframe }
|
58
|
+
end
|
59
|
+
|
38
60
|
describe '#as_json' do
|
39
61
|
subject { instance.as_json }
|
40
62
|
it { should == minimum_attributes }
|
@@ -81,4 +103,4 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
|
|
81
103
|
public_keys.first.should be_instance_of OpenSSL::PKey::RSA
|
82
104
|
end
|
83
105
|
end
|
84
|
-
end
|
106
|
+
end
|
@@ -56,13 +56,33 @@ describe OpenIDConnect::Discovery::Provider::Config do
|
|
56
56
|
end
|
57
57
|
end
|
58
58
|
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
59
|
+
describe 'when response include invalid issuer' do
|
60
|
+
context 'with normal configuration' do
|
61
|
+
it do
|
62
|
+
expect do
|
63
|
+
mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
|
64
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
65
|
+
end
|
66
|
+
end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
|
67
|
+
end
|
68
|
+
end
|
69
|
+
|
70
|
+
context 'when issuer validation is disabled.' do
|
71
|
+
before :each do
|
72
|
+
OpenIDConnect.validate_discovery_issuer = false
|
73
|
+
end
|
74
|
+
|
75
|
+
after :each do
|
76
|
+
OpenIDConnect.validate_discovery_issuer = true
|
77
|
+
end
|
78
|
+
|
79
|
+
it do
|
80
|
+
expect do
|
81
|
+
mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
|
82
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
83
|
+
end
|
84
|
+
end.not_to raise_error
|
85
|
+
end
|
66
86
|
end
|
67
87
|
end
|
68
88
|
|
@@ -76,4 +96,4 @@ describe OpenIDConnect::Discovery::Provider::Config do
|
|
76
96
|
end
|
77
97
|
end
|
78
98
|
end
|
79
|
-
end
|
99
|
+
end
|
@@ -19,7 +19,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
19
19
|
describe 'attributes' do
|
20
20
|
subject { klass }
|
21
21
|
its(:required_attributes) { should == [:iss, :sub, :aud, :exp, :iat] }
|
22
|
-
its(:optional_attributes) { should == [:acr, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash] }
|
22
|
+
its(:optional_attributes) { should == [:acr, :amr, :azp, :jti, :sid, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash, :s_hash] }
|
23
23
|
|
24
24
|
describe 'auth_time' do
|
25
25
|
subject { id_token.auth_time }
|
@@ -157,7 +157,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
157
157
|
t = id_token.to_jwt private_key do |t|
|
158
158
|
t.header[:x5u] = "http://server.example.com/x5u"
|
159
159
|
end
|
160
|
-
h =
|
160
|
+
h = Base64.urlsafe_decode64 t.split('.').first
|
161
161
|
h.should include 'x5u'
|
162
162
|
end
|
163
163
|
end
|
@@ -169,8 +169,9 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
169
169
|
jwt = JSON::JWT.decode t, public_key
|
170
170
|
jwt.should include :at_hash
|
171
171
|
jwt.should_not include :c_hash
|
172
|
-
jwt[:at_hash].should ==
|
173
|
-
OpenSSL::Digest::SHA256.digest('access_token')[0, 128 / 8]
|
172
|
+
jwt[:at_hash].should == Base64.urlsafe_encode64(
|
173
|
+
OpenSSL::Digest::SHA256.digest('access_token')[0, 128 / 8],
|
174
|
+
padding: false
|
174
175
|
)
|
175
176
|
end
|
176
177
|
end
|
@@ -193,8 +194,9 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
193
194
|
jwt = JSON::JWT.decode t, public_key
|
194
195
|
jwt.should_not include :at_hash
|
195
196
|
jwt.should include :c_hash
|
196
|
-
jwt[:c_hash].should ==
|
197
|
-
OpenSSL::Digest::SHA256.digest('authorization_code')[0, 128 / 8]
|
197
|
+
jwt[:c_hash].should == Base64.urlsafe_encode64(
|
198
|
+
OpenSSL::Digest::SHA256.digest('authorization_code')[0, 128 / 8],
|
199
|
+
padding: false
|
198
200
|
)
|
199
201
|
end
|
200
202
|
end
|
@@ -209,11 +211,13 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
209
211
|
jwt = JSON::JWT.decode t, public_key
|
210
212
|
jwt.should include :at_hash
|
211
213
|
jwt.should include :c_hash
|
212
|
-
jwt[:at_hash].should ==
|
213
|
-
OpenSSL::Digest::SHA256.digest('access_token')[0, 128 / 8]
|
214
|
+
jwt[:at_hash].should == Base64.urlsafe_encode64(
|
215
|
+
OpenSSL::Digest::SHA256.digest('access_token')[0, 128 / 8],
|
216
|
+
padding: false
|
214
217
|
)
|
215
|
-
jwt[:c_hash].should ==
|
216
|
-
OpenSSL::Digest::SHA256.digest('authorization_code')[0, 128 / 8]
|
218
|
+
jwt[:c_hash].should == Base64.urlsafe_encode64(
|
219
|
+
OpenSSL::Digest::SHA256.digest('authorization_code')[0, 128 / 8],
|
220
|
+
padding: false
|
217
221
|
)
|
218
222
|
end
|
219
223
|
end
|
@@ -247,6 +251,54 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
247
251
|
its(:exp) { should == attributes[:exp].to_i }
|
248
252
|
its(:raw_attributes) { should be_instance_of JSON::JWS }
|
249
253
|
|
254
|
+
context 'when IdP config is given' do
|
255
|
+
subject { klass.decode id_token.to_jwt(private_key), idp_config }
|
256
|
+
let(:jwks) do
|
257
|
+
jwk_str = File.read(File.join(__dir__, '../../mock_response/public_keys/jwks_with_private_key.json'))
|
258
|
+
jwk = JSON::JWK::Set.new JSON.parse(jwk_str)
|
259
|
+
end
|
260
|
+
let(:idp_config) do
|
261
|
+
OpenIDConnect::Discovery::Provider::Config::Response.new(
|
262
|
+
issuer: attributes[:issuer],
|
263
|
+
authorization_endpoint: File.join(attributes[:iss], 'authorize'),
|
264
|
+
jwks_uri: File.join(attributes[:iss], 'jwks'),
|
265
|
+
response_types_supported: ['code'],
|
266
|
+
subject_types_supported: ['public'],
|
267
|
+
id_token_signing_alg_values_supported: ['RS256']
|
268
|
+
)
|
269
|
+
end
|
270
|
+
|
271
|
+
context 'when id_token has kid' do
|
272
|
+
let(:private_key) do
|
273
|
+
OpenSSL::PKey::RSA.new(
|
274
|
+
File.read(File.join(__dir__, '../../mock_response/public_keys/private_key.pem'))
|
275
|
+
).to_jwk
|
276
|
+
end
|
277
|
+
|
278
|
+
it do
|
279
|
+
mock_json :get, idp_config.jwks_uri, 'public_keys/jwks_with_private_key' do
|
280
|
+
should be_a klass
|
281
|
+
end
|
282
|
+
end
|
283
|
+
end
|
284
|
+
|
285
|
+
context 'otherwise' do
|
286
|
+
let(:private_key) do
|
287
|
+
OpenSSL::PKey::RSA.new(
|
288
|
+
File.read(File.join(__dir__, '../../mock_response/public_keys/private_key.pem'))
|
289
|
+
)
|
290
|
+
end
|
291
|
+
|
292
|
+
it do
|
293
|
+
mock_json :get, idp_config.jwks_uri, 'public_keys/jwks_with_private_key' do
|
294
|
+
expect do
|
295
|
+
should
|
296
|
+
end.to raise_error JSON::JWK::Set::KidNotFound
|
297
|
+
end
|
298
|
+
end
|
299
|
+
end
|
300
|
+
end
|
301
|
+
|
250
302
|
context 'when self-issued' do
|
251
303
|
context 'when valid' do
|
252
304
|
let(:self_issued) do
|
@@ -315,4 +367,4 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
315
367
|
its(:sub_jwk) { should == sub_jwk}
|
316
368
|
its(:subject) { should == sub_jwk.thumbprint }
|
317
369
|
end
|
318
|
-
end
|
370
|
+
end
|
data/spec/openid_connect_spec.rb
CHANGED
@@ -46,12 +46,12 @@ describe OpenIDConnect do
|
|
46
46
|
context 'with http_config' do
|
47
47
|
before do
|
48
48
|
OpenIDConnect.http_config do |config|
|
49
|
-
config.
|
49
|
+
config.ssl.verify = false
|
50
50
|
end
|
51
51
|
end
|
52
52
|
it 'should configure OpenIDConnect, SWD and Rack::OAuth2\'s http_client' do
|
53
53
|
[OpenIDConnect, SWD, WebFinger, Rack::OAuth2].each do |klass|
|
54
|
-
klass.http_client.
|
54
|
+
klass.http_client.ssl.verify.should be_falsy
|
55
55
|
end
|
56
56
|
end
|
57
57
|
end
|
metadata
CHANGED
@@ -1,59 +1,59 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: openid_connect
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 2.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- nov matake
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-10-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
-
name:
|
14
|
+
name: tzinfo
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
16
16
|
requirements:
|
17
17
|
- - ">="
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version:
|
19
|
+
version: '0'
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - ">="
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version:
|
26
|
+
version: '0'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
|
-
name:
|
28
|
+
name: attr_required
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - ">="
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version:
|
33
|
+
version: 1.0.0
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - ">="
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version:
|
40
|
+
version: 1.0.0
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
|
-
name:
|
42
|
+
name: activemodel
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
45
|
- - ">="
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version:
|
47
|
+
version: '0'
|
48
48
|
type: :runtime
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
52
|
- - ">="
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version:
|
54
|
+
version: '0'
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
|
-
name:
|
56
|
+
name: validate_url
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
58
58
|
requirements:
|
59
59
|
- - ">="
|
@@ -67,7 +67,7 @@ dependencies:
|
|
67
67
|
- !ruby/object:Gem::Version
|
68
68
|
version: '0'
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
|
-
name:
|
70
|
+
name: validate_email
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
72
72
|
requirements:
|
73
73
|
- - ">="
|
@@ -81,7 +81,21 @@ dependencies:
|
|
81
81
|
- !ruby/object:Gem::Version
|
82
82
|
version: '0'
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
|
-
name:
|
84
|
+
name: faraday
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
86
|
+
requirements:
|
87
|
+
- - "~>"
|
88
|
+
- !ruby/object:Gem::Version
|
89
|
+
version: '2.0'
|
90
|
+
type: :runtime
|
91
|
+
prerelease: false
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
93
|
+
requirements:
|
94
|
+
- - "~>"
|
95
|
+
- !ruby/object:Gem::Version
|
96
|
+
version: '2.0'
|
97
|
+
- !ruby/object:Gem::Dependency
|
98
|
+
name: faraday-follow_redirects
|
85
99
|
requirement: !ruby/object:Gem::Requirement
|
86
100
|
requirements:
|
87
101
|
- - ">="
|
@@ -100,56 +114,70 @@ dependencies:
|
|
100
114
|
requirements:
|
101
115
|
- - ">="
|
102
116
|
- !ruby/object:Gem::Version
|
103
|
-
version: 1.
|
117
|
+
version: '1.16'
|
104
118
|
type: :runtime
|
105
119
|
prerelease: false
|
106
120
|
version_requirements: !ruby/object:Gem::Requirement
|
107
121
|
requirements:
|
108
122
|
- - ">="
|
109
123
|
- !ruby/object:Gem::Version
|
110
|
-
version: 1.
|
124
|
+
version: '1.16'
|
111
125
|
- !ruby/object:Gem::Dependency
|
112
126
|
name: swd
|
113
127
|
requirement: !ruby/object:Gem::Requirement
|
114
128
|
requirements:
|
115
|
-
- - "
|
129
|
+
- - "~>"
|
116
130
|
- !ruby/object:Gem::Version
|
117
|
-
version:
|
131
|
+
version: '2.0'
|
118
132
|
type: :runtime
|
119
133
|
prerelease: false
|
120
134
|
version_requirements: !ruby/object:Gem::Requirement
|
121
135
|
requirements:
|
122
|
-
- - "
|
136
|
+
- - "~>"
|
123
137
|
- !ruby/object:Gem::Version
|
124
|
-
version:
|
138
|
+
version: '2.0'
|
125
139
|
- !ruby/object:Gem::Dependency
|
126
140
|
name: webfinger
|
127
141
|
requirement: !ruby/object:Gem::Requirement
|
128
142
|
requirements:
|
129
|
-
- - "
|
143
|
+
- - "~>"
|
130
144
|
- !ruby/object:Gem::Version
|
131
|
-
version:
|
145
|
+
version: '2.0'
|
132
146
|
type: :runtime
|
133
147
|
prerelease: false
|
134
148
|
version_requirements: !ruby/object:Gem::Requirement
|
135
149
|
requirements:
|
136
|
-
- - "
|
150
|
+
- - "~>"
|
137
151
|
- !ruby/object:Gem::Version
|
138
|
-
version:
|
152
|
+
version: '2.0'
|
139
153
|
- !ruby/object:Gem::Dependency
|
140
154
|
name: rack-oauth2
|
155
|
+
requirement: !ruby/object:Gem::Requirement
|
156
|
+
requirements:
|
157
|
+
- - "~>"
|
158
|
+
- !ruby/object:Gem::Version
|
159
|
+
version: '2.2'
|
160
|
+
type: :runtime
|
161
|
+
prerelease: false
|
162
|
+
version_requirements: !ruby/object:Gem::Requirement
|
163
|
+
requirements:
|
164
|
+
- - "~>"
|
165
|
+
- !ruby/object:Gem::Version
|
166
|
+
version: '2.2'
|
167
|
+
- !ruby/object:Gem::Dependency
|
168
|
+
name: net-smtp
|
141
169
|
requirement: !ruby/object:Gem::Requirement
|
142
170
|
requirements:
|
143
171
|
- - ">="
|
144
172
|
- !ruby/object:Gem::Version
|
145
|
-
version:
|
173
|
+
version: '0'
|
146
174
|
type: :runtime
|
147
175
|
prerelease: false
|
148
176
|
version_requirements: !ruby/object:Gem::Requirement
|
149
177
|
requirements:
|
150
178
|
- - ">="
|
151
179
|
- !ruby/object:Gem::Version
|
152
|
-
version:
|
180
|
+
version: '0'
|
153
181
|
- !ruby/object:Gem::Dependency
|
154
182
|
name: rake
|
155
183
|
requirement: !ruby/object:Gem::Requirement
|
@@ -220,6 +248,20 @@ dependencies:
|
|
220
248
|
- - ">="
|
221
249
|
- !ruby/object:Gem::Version
|
222
250
|
version: '0'
|
251
|
+
- !ruby/object:Gem::Dependency
|
252
|
+
name: rexml
|
253
|
+
requirement: !ruby/object:Gem::Requirement
|
254
|
+
requirements:
|
255
|
+
- - ">="
|
256
|
+
- !ruby/object:Gem::Version
|
257
|
+
version: '0'
|
258
|
+
type: :development
|
259
|
+
prerelease: false
|
260
|
+
version_requirements: !ruby/object:Gem::Requirement
|
261
|
+
requirements:
|
262
|
+
- - ">="
|
263
|
+
- !ruby/object:Gem::Version
|
264
|
+
version: '0'
|
223
265
|
description: OpenID Connect Server & Client Library
|
224
266
|
email:
|
225
267
|
- nov@matake.jp
|
@@ -227,9 +269,11 @@ executables: []
|
|
227
269
|
extensions: []
|
228
270
|
extra_rdoc_files: []
|
229
271
|
files:
|
272
|
+
- ".github/FUNDING.yml"
|
273
|
+
- ".github/workflows/spec.yml"
|
230
274
|
- ".gitignore"
|
231
275
|
- ".rspec"
|
232
|
-
-
|
276
|
+
- CHANGELOG.md
|
233
277
|
- Gemfile
|
234
278
|
- LICENSE
|
235
279
|
- README.rdoc
|
@@ -238,11 +282,10 @@ files:
|
|
238
282
|
- VERSION
|
239
283
|
- lib/openid_connect.rb
|
240
284
|
- lib/openid_connect/access_token.rb
|
285
|
+
- lib/openid_connect/access_token/mtls.rb
|
241
286
|
- lib/openid_connect/client.rb
|
242
287
|
- lib/openid_connect/client/registrar.rb
|
243
288
|
- lib/openid_connect/connect_object.rb
|
244
|
-
- lib/openid_connect/debugger.rb
|
245
|
-
- lib/openid_connect/debugger/request_filter.rb
|
246
289
|
- lib/openid_connect/discovery.rb
|
247
290
|
- lib/openid_connect/discovery/provider.rb
|
248
291
|
- lib/openid_connect/discovery/provider/config.rb
|
@@ -272,6 +315,7 @@ files:
|
|
272
315
|
- spec/mock_response/access_token/bearer_with_id_token.json
|
273
316
|
- spec/mock_response/access_token/invalid_json.json
|
274
317
|
- spec/mock_response/access_token/mac.json
|
318
|
+
- spec/mock_response/access_token/without_token_type.json
|
275
319
|
- spec/mock_response/client/registered.json
|
276
320
|
- spec/mock_response/client/rotated.json
|
277
321
|
- spec/mock_response/client/updated.json
|
@@ -288,13 +332,14 @@ files:
|
|
288
332
|
- spec/mock_response/errors/unknown.json
|
289
333
|
- spec/mock_response/id_token.json
|
290
334
|
- spec/mock_response/public_keys/jwks.json
|
335
|
+
- spec/mock_response/public_keys/jwks_with_private_key.json
|
336
|
+
- spec/mock_response/public_keys/private_key.pem
|
291
337
|
- spec/mock_response/request_object/signed.jwt
|
292
338
|
- spec/mock_response/userinfo/openid.json
|
293
339
|
- spec/openid_connect/access_token_spec.rb
|
294
340
|
- spec/openid_connect/client/registrar_spec.rb
|
295
341
|
- spec/openid_connect/client_spec.rb
|
296
342
|
- spec/openid_connect/connect_object_spec.rb
|
297
|
-
- spec/openid_connect/debugger/request_filter_spec.rb
|
298
343
|
- spec/openid_connect/discovery/provider/config/resource_spec.rb
|
299
344
|
- spec/openid_connect/discovery/provider/config/response_spec.rb
|
300
345
|
- spec/openid_connect/discovery/provider/config_spec.rb
|
@@ -317,7 +362,7 @@ homepage: https://github.com/nov/openid_connect
|
|
317
362
|
licenses:
|
318
363
|
- MIT
|
319
364
|
metadata: {}
|
320
|
-
post_install_message:
|
365
|
+
post_install_message:
|
321
366
|
rdoc_options: []
|
322
367
|
require_paths:
|
323
368
|
- lib
|
@@ -332,9 +377,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
332
377
|
- !ruby/object:Gem::Version
|
333
378
|
version: '0'
|
334
379
|
requirements: []
|
335
|
-
|
336
|
-
|
337
|
-
signing_key:
|
380
|
+
rubygems_version: 3.3.7
|
381
|
+
signing_key:
|
338
382
|
specification_version: 4
|
339
383
|
summary: OpenID Connect Server & Client Library
|
340
384
|
test_files:
|
@@ -344,6 +388,7 @@ test_files:
|
|
344
388
|
- spec/mock_response/access_token/bearer_with_id_token.json
|
345
389
|
- spec/mock_response/access_token/invalid_json.json
|
346
390
|
- spec/mock_response/access_token/mac.json
|
391
|
+
- spec/mock_response/access_token/without_token_type.json
|
347
392
|
- spec/mock_response/client/registered.json
|
348
393
|
- spec/mock_response/client/rotated.json
|
349
394
|
- spec/mock_response/client/updated.json
|
@@ -360,13 +405,14 @@ test_files:
|
|
360
405
|
- spec/mock_response/errors/unknown.json
|
361
406
|
- spec/mock_response/id_token.json
|
362
407
|
- spec/mock_response/public_keys/jwks.json
|
408
|
+
- spec/mock_response/public_keys/jwks_with_private_key.json
|
409
|
+
- spec/mock_response/public_keys/private_key.pem
|
363
410
|
- spec/mock_response/request_object/signed.jwt
|
364
411
|
- spec/mock_response/userinfo/openid.json
|
365
412
|
- spec/openid_connect/access_token_spec.rb
|
366
413
|
- spec/openid_connect/client/registrar_spec.rb
|
367
414
|
- spec/openid_connect/client_spec.rb
|
368
415
|
- spec/openid_connect/connect_object_spec.rb
|
369
|
-
- spec/openid_connect/debugger/request_filter_spec.rb
|
370
416
|
- spec/openid_connect/discovery/provider/config/resource_spec.rb
|
371
417
|
- spec/openid_connect/discovery/provider/config/response_spec.rb
|
372
418
|
- spec/openid_connect/discovery/provider/config_spec.rb
|
data/.travis.yml
DELETED
@@ -1,28 +0,0 @@
|
|
1
|
-
module OpenIDConnect
|
2
|
-
module Debugger
|
3
|
-
class RequestFilter
|
4
|
-
# Callback called in HTTPClient (before sending a request)
|
5
|
-
# request:: HTTP::Message
|
6
|
-
def filter_request(request)
|
7
|
-
started = "======= [OpenIDConnect] HTTP REQUEST STARTED ======="
|
8
|
-
log started, request.dump
|
9
|
-
end
|
10
|
-
|
11
|
-
# Callback called in HTTPClient (after received a response)
|
12
|
-
# request:: HTTP::Message
|
13
|
-
# response:: HTTP::Message
|
14
|
-
def filter_response(request, response)
|
15
|
-
finished = "======= [OpenIDConnect] HTTP REQUEST FINISHED ======="
|
16
|
-
log '-' * 50, response.dump, finished
|
17
|
-
end
|
18
|
-
|
19
|
-
private
|
20
|
-
|
21
|
-
def log(*outputs)
|
22
|
-
outputs.each do |output|
|
23
|
-
OpenIDConnect.logger.info output
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
@@ -1,33 +0,0 @@
|
|
1
|
-
require 'spec_helper'
|
2
|
-
|
3
|
-
describe OpenIDConnect::Debugger::RequestFilter do
|
4
|
-
let(:resource_endpoint) { 'https://example.com/resources' }
|
5
|
-
let(:request) { HTTP::Message.new_request(:get, URI.parse(resource_endpoint)) }
|
6
|
-
let(:response) { HTTP::Message.new_response({hello: 'world'}.to_json) }
|
7
|
-
let(:request_filter) { OpenIDConnect::Debugger::RequestFilter.new }
|
8
|
-
|
9
|
-
describe '#filter_request' do
|
10
|
-
it 'should log request' do
|
11
|
-
[
|
12
|
-
"======= [OpenIDConnect] HTTP REQUEST STARTED =======",
|
13
|
-
request.dump
|
14
|
-
].each do |output|
|
15
|
-
expect(OpenIDConnect.logger).to receive(:info).with output
|
16
|
-
end
|
17
|
-
request_filter.filter_request(request)
|
18
|
-
end
|
19
|
-
end
|
20
|
-
|
21
|
-
describe '#filter_response' do
|
22
|
-
it 'should log response' do
|
23
|
-
[
|
24
|
-
"--------------------------------------------------",
|
25
|
-
response.dump,
|
26
|
-
"======= [OpenIDConnect] HTTP REQUEST FINISHED ======="
|
27
|
-
].each do |output|
|
28
|
-
expect(OpenIDConnect.logger).to receive(:info).with output
|
29
|
-
end
|
30
|
-
request_filter.filter_response(request, response)
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|