openid_connect 1.3.0 → 1.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 42a846a8e97f83ba3b339e6d2dab2e1255b75afba843f5d83ee78fc03d554edc
-  data.tar.gz: b004368bea628de55949f51af0f82bcff0981d9e8fe3becc94a753915d564df2
+  metadata.gz: fc2fbaf7f12786bfb4695776c65b78a58a7730730382b138a8b53b6149939989
+  data.tar.gz: 54d98cef9172883b53426b457ab41cb743d078ae9ed20eb8b374628802cebf1d
 SHA512:
-  metadata.gz: c2cf62923d2b4262fbc276741f26ae80868b1d108d25ef8e52dbefb59df7005c4bf146cd9a31fbf7740a495adddb9c0ff47424a4306b3085929a4b33553fc659
-  data.tar.gz: 463aacad1ffe293e9a799fdbe367b32fca9f094409956701d396dda562e9b0faa0a54a0b4804768a34fc8685e0b93a2d44fb6033ceaa8512250d735a2f221ef3
+  metadata.gz: f3bc8fec5821911fbf334a27c9bc2d49dd7871cd5379a9ff91b7a5d1f05b017cece154744b4eb6283b3eea64dbf2cd6cb2fc61fe66a1f75c4dbf21aa97180646
+  data.tar.gz: '09845c6ec9f7d8a198333d49eab6511f25fccd7d31a6ea7f59456700f44eab420ae4dbe2d96d28e541f7cd7b5f9bf0c5976ee19a85b7397904c3debd45db01e9'

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: nov

data/.github/workflows/spec.yml

@@ -0,0 +1,32 @@
+name: Spec
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  spec:
+    strategy:
+      matrix:
+        os: ['ubuntu-20.04']
+        ruby-version: ['2.6', '2.7', '3.0', '3.1']
+        # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+        include:
+        - os: 'ubuntu-22.04'
+          ruby-version: '3.1'
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run Specs
+      run: bundle exec rake spec

data/README.rdoc

@@ -2,8 +2,6 @@
 
 OpenID Connect Server & Client Library
 
-{<img src="https://secure.travis-ci.org/nov/openid_connect.png" />}[http://travis-ci.org/nov/openid_connect]
-
 == Installation
 
   gem install openid_connect

data/VERSION

@@ -1 +1 @@
-1.3.0
+1.4.2

data/lib/openid_connect/discovery/provider/config/response.rb

@@ -87,6 +87,11 @@ module OpenIDConnect
             JSON::JWK::Set.new @jwks[:keys]
           end
 
+          def jwk(kid)
+            @jwks ||= {}
+            @jwks[kid] ||= JSON::JWK::Set::Fetcher.fetch(jwks_uri, kid: kid)
+          end
+
           def public_keys
             @public_keys ||= jwks.collect(&:to_key)
           end

data/lib/openid_connect/response_object/id_token.rb

@@ -63,11 +63,16 @@ module OpenIDConnect
       end
 
       class << self
-        def decode(jwt_string, key)
-          if key == :self_issued
+        def decode(jwt_string, key_or_config)
+          case key_or_config
+          when :self_issued
             decode_self_issued jwt_string
+          when OpenIDConnect::Discovery::Provider::Config::Response
+            jwt = JSON::JWT.decode jwt_string, :skip_verification
+            jwt.verify! key_or_config.jwk(jwt.kid)
+            new jwt
           else
-            new JSON::JWT.decode jwt_string, key
+            new JSON::JWT.decode jwt_string, key_or_config
           end
         end
 

data/openid_connect.gemspec

@@ -17,13 +17,20 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "activemodel"
   s.add_runtime_dependency "validate_url"
   s.add_runtime_dependency "validate_email"
-  s.add_runtime_dependency "json-jwt", ">= 1.5.0"
-  s.add_runtime_dependency "swd", ">= 1.0.0"
-  s.add_runtime_dependency "webfinger", ">= 1.0.1"
-  s.add_runtime_dependency "rack-oauth2", ">= 1.6.1"
+  s.add_runtime_dependency "json-jwt", ">= 1.15.0"
+  s.add_runtime_dependency "swd", "~> 1.3"
+  s.add_runtime_dependency "webfinger", "~> 1.2"
+  s.add_runtime_dependency "rack-oauth2", "~> 1.21"
+  if Gem.ruby_version >= Gem::Version.create(3.1)
+    # TODO:
+    #  remove "net-smtp" dependency after mail gem 2.8+ (which supports ruby 3.1+) released.
+    #  ref.) https://rubygems.org/gems/mailhttps://github.com/mikel/mail
+    s.add_runtime_dependency "net-smtp"
+  end
   s.add_development_dependency "rake"
   s.add_development_dependency "rspec"
   s.add_development_dependency "rspec-its"
   s.add_development_dependency "webmock"
   s.add_development_dependency "simplecov"
+  s.add_development_dependency "rexml"
 end

data/spec/mock_response/public_keys/jwks_with_private_key.json

@@ -0,0 +1,8 @@
+{
+  "keys": [{
+    "kty": "RSA",
+    "e": "AQAB",
+    "n": "vWr1S4T0jBnYU9PIpUYxT48Ca8HK8aitbmqbTM3t3Zzl1GNpIlyePnwXSL6SgNcVbeRhTfvXZUzH4pP8HzPJdpUHnAeYyCzjz9UNykdFCp2YW676wpLDzMkaU7bYLJxGjZlpHU-UJVIm5KX9-NfMyGbFUOuw4AY-OWp8GxrqwAF4U6bJ86TpO24wMxmgm0Vl72aRMGVJkRz66YLYOPNVjXjOI4bUuxg_o3Px5QASxvDCawMeLR3pLCoQcLAZn6WZx7nX3Wu6QzcY0QCqhqUAeY49QRT83Jdg7WUsNa2Rbegi3jJGJf-t9hEcJPmrI6q9zl6WArUueQHS-XUQWq5ptw",
+    "kid": "DCmKamGtkGAWz-uujePOp-UeATAeT4fi3KouR78r44I"
+  }]
+}

data/spec/mock_response/public_keys/private_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvWr1S4T0jBnYU9PIpUYxT48Ca8HK8aitbmqbTM3t3Zzl1GNp
+IlyePnwXSL6SgNcVbeRhTfvXZUzH4pP8HzPJdpUHnAeYyCzjz9UNykdFCp2YW676
+wpLDzMkaU7bYLJxGjZlpHU+UJVIm5KX9+NfMyGbFUOuw4AY+OWp8GxrqwAF4U6bJ
+86TpO24wMxmgm0Vl72aRMGVJkRz66YLYOPNVjXjOI4bUuxg/o3Px5QASxvDCawMe
+LR3pLCoQcLAZn6WZx7nX3Wu6QzcY0QCqhqUAeY49QRT83Jdg7WUsNa2Rbegi3jJG
+Jf+t9hEcJPmrI6q9zl6WArUueQHS+XUQWq5ptwIDAQABAoIBAHvDWBUJAVRNSsiy
+90XuECggk/9ed0Dg6rjblS9g2kvTyWO1tKsMAyVmpTwVsNnYLxtHfsCajcmVmoEU
+Gkc06iy+AWPUnuIkWpGgbss9OAJQqI03Toc1qBO1TqtmK+cyEPNSSpkpNu4PuHPr
+dX9TWW2ToNdXuJEX4y5WwlJfiwT6kPdK86IKpPCql1+X/N2nKbn+5OWHTDuW3jLF
+H4UoJlUU77VgPedQLF9xr9NXGZbgYdTtsg3GU3k7/xhcetNq22Dtr8vYnX8LcIsZ
+9VW+KBRGOwgXTMLuj25VxkFUsJejEoq5+WyHTsSsa4w8Fxyc50GPfZJKh8J2jHiG
+8weJUNECgYEA5CoQmUz+8saVg1IwnEgZBSMF1rthMgvuDPhD8PJNaugUCyo9tg0O
+AXo9EMOUHmr2vCN8h2MZZuuW0D5np/Z9T102N99mJU6tVMSabBPDUTfxThq4xY48
+VZvS6EOzSomeEbrIDciJghqJIvPxEoqLXY3Zg7kDef7YiqybhZFdlS8CgYEA1IbH
+MHKfcL+LAo88y4tgOe6Wn8FRG1K7MHvdR+KErgxBg63I9zmolPsyznjNVKpB9syt
+zqkDxBg/jTIctgeziMQNSODQoqRKcgEDePwcu+wBvuV+LJFJoIWFrvIPyZ5yKzeb
+Vm1lRMgQfoeAQE4nVYAJG+oTTsFTdEtrHkOW4fkCgYEAsNHcnUFrTvARDH1UiLjj
+EvUKYFhEwck3CbwYwxC0aIZEikaJHp3NXd3Cl0xKbKxOXI1Pw4hMNlObQ/Uo1aUT
+hb7h9rjda0omz8uxNNK4CihFjFbvHMLXBS1GbJOSzdAKvQi4Yt4nmrk/z+Omzsyp
+pq34hLmL9S5H2Ghd+kwmbycCgYBiC1N1PEvl3depdJ8dX80irLj8NljOfBozQdFR
+ymRfTvQiZVfjBcyJ/mDv87b2Kh2IV+CPCFXebzlSUB4CtAbVP2zJhD176sMVWPZb
+KCOxZi1f/ct5kAUhcre7f5xc7SXKXjrhYlJnqsxBMw2tnOB0hz6sjA4gNPvlGK3w
+JkpDMQKBgQCgPoqSjmbroWC9oq5iDwRtx6f6fJG7CE91ZFJulunQj6YWOC3zNHEa
+XvPPGM8fZpJS4e8LiPClkk8nsOoC50neEVGZeEuhdP6m6WNPN3SlP7bXozHOJTh0
+mHrk2bUHFlQn8f5KWfLQbdyKBzs7WqCRTOR/gIbfxBlUOs0BN37xhw==
+-----END RSA PRIVATE KEY-----

data/spec/openid_connect/response_object/id_token_spec.rb

@@ -251,6 +251,54 @@ describe OpenIDConnect::ResponseObject::IdToken do
     its(:exp) { should == attributes[:exp].to_i }
     its(:raw_attributes) { should be_instance_of JSON::JWS }
 
+    context 'when IdP config is given' do
+      subject { klass.decode id_token.to_jwt(private_key), idp_config }
+      let(:jwks) do
+        jwk_str = File.read(File.join(__dir__, '../../mock_response/public_keys/jwks_with_private_key.json'))
+        jwk = JSON::JWK::Set.new JSON.parse(jwk_str)
+      end
+      let(:idp_config) do
+        OpenIDConnect::Discovery::Provider::Config::Response.new(
+          issuer: attributes[:issuer],
+          authorization_endpoint: File.join(attributes[:iss], 'authorize'),
+          jwks_uri: File.join(attributes[:iss], 'jwks'),
+          response_types_supported: ['code'],
+          subject_types_supported: ['public'],
+          id_token_signing_alg_values_supported: ['RS256']
+        )
+      end
+
+      context 'when id_token has kid' do
+        let(:private_key) do
+          OpenSSL::PKey::RSA.new(
+            File.read(File.join(__dir__, '../../mock_response/public_keys/private_key.pem'))
+          ).to_jwk
+        end
+
+        it do
+          mock_json :get, idp_config.jwks_uri, 'public_keys/jwks_with_private_key' do
+            should be_a klass
+          end
+        end
+      end
+
+      context 'otherwise' do
+        let(:private_key) do
+          OpenSSL::PKey::RSA.new(
+            File.read(File.join(__dir__, '../../mock_response/public_keys/private_key.pem'))
+          )
+        end
+
+        it do
+          mock_json :get, idp_config.jwks_uri, 'public_keys/jwks_with_private_key' do
+            expect do
+              should
+            end.to raise_error JSON::JWK::Set::KidNotFound
+          end
+        end
+      end
+    end
+
     context 'when self-issued' do
       context 'when valid' do
         let(:self_issued) do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.2
 platform: ruby
 authors:
 - nov matake
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-01 00:00:00.000000000 Z
+date: 2022-10-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tzinfo
@@ -86,56 +86,70 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.0
+        version: 1.15.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.0
+        version: 1.15.0
 - !ruby/object:Gem::Dependency
   name: swd
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '1.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: webfinger
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: rack-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+- !ruby/object:Gem::Dependency
+  name: net-smtp
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.1
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.1
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -206,6 +220,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: OpenID Connect Server & Client Library
 email:
 - nov@matake.jp
@@ -213,9 +241,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/workflows/spec.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.rdoc
@@ -275,6 +304,8 @@ files:
 - spec/mock_response/errors/unknown.json
 - spec/mock_response/id_token.json
 - spec/mock_response/public_keys/jwks.json
+- spec/mock_response/public_keys/jwks_with_private_key.json
+- spec/mock_response/public_keys/private_key.pem
 - spec/mock_response/request_object/signed.jwt
 - spec/mock_response/userinfo/openid.json
 - spec/openid_connect/access_token_spec.rb
@@ -304,7 +335,7 @@ homepage: https://github.com/nov/openid_connect
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -319,8 +350,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: OpenID Connect Server & Client Library
 test_files:
@@ -347,6 +378,8 @@ test_files:
 - spec/mock_response/errors/unknown.json
 - spec/mock_response/id_token.json
 - spec/mock_response/public_keys/jwks.json
+- spec/mock_response/public_keys/jwks_with_private_key.json
+- spec/mock_response/public_keys/private_key.pem
 - spec/mock_response/request_object/signed.jwt
 - spec/mock_response/userinfo/openid.json
 - spec/openid_connect/access_token_spec.rb

data/.travis.yml

@@ -1,8 +0,0 @@
-before_install:
-  - gem install bundler
-
-rvm:
-  - 2.5.8
-  - 2.6.6
-  - 2.7.2
-  - 3.0.0