openid_connect 0.0.10 → 0.0.11

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    openid_connect (0.0.9)
+    openid_connect (0.0.10)
       activemodel (>= 3)
       attr_required (>= 0.0.3)
       json (>= 1.4.3)
@@ -63,7 +63,7 @@ GEM
     validate_url (0.2.0)
       activemodel (>= 3.0.0)
     webmock (1.7.2)
-      addressable (~> 2.2, > 2.2.5)
+      addressable (> 2.2.5, ~> 2.2)
       crack (>= 0.1.7)
 
 PLATFORMS

data/VERSION

@@ -1 +1 @@
-0.0.10
+0.0.11

data/lib/openid_connect.rb

@@ -6,3 +6,4 @@ require 'openid_connect/exception'
 require 'openid_connect/client'
 require 'openid_connect/access_token'
 require 'openid_connect/response_object'
+require 'openid_connect/server/id_token'

data/lib/openid_connect/client.rb

@@ -28,12 +28,9 @@ module OpenIDConnect
     private
 
     def setup_required_scope(scopes)
-      scopes = Array(scopes).join(' ').split(' ')
-      if scopes.include?('openid')
-        scopes
-      else
-        (scopes << 'openid')
-      end.join(' ')
+      _scopes_ = Array(scopes).join(' ').split(' ')
+      _scopes_ << 'openid' unless _scopes_.include?('openid')
+      _scopes_.join(' ')
     end
 
     def handle_success_response(response)

data/lib/openid_connect/response_object/id_token.rb

@@ -8,10 +8,14 @@ module OpenIDConnect
       attr_required :iss, :user_id, :aud, :exp
       attr_optional :iso29115, :nonce, :issued_to, :secret
 
+      def initialize(attributes = {})
+        super
+        @exp = @exp.to_i
+      end
+
       def verify!(client_id)
-        aud == client_id or
-        issued_to == client_id or
-        raise InvalidToken.new('Invalid audience or issued_to')
+        exp.to_i >= Time.now.to_i && aud == client_id or
+        raise InvalidToken.new('Invalid audience or expired')
       end
 
       def to_jwt

data/lib/openid_connect/server/id_token.rb

@@ -0,0 +1,46 @@
+module OpenIDConnect
+  module Server
+    class IdToken < Rack::OAuth2::Server::Abstract::Handler
+      def call(env)
+        @request  = Request.new(env)
+        @response = Response.new(request)
+        super.finish
+      rescue Rack::OAuth2::Server::Abstract::Error => e
+        e.finish
+      end
+
+      class Request < Rack::OAuth2::Server::Abstract::Request
+        attr_required :id_token
+
+        # NOTE: client_id is required in Rack::OAuth2 and should not exist here.
+        undef_method :client_id, :client_id=
+        @required_attributes.delete :client_id
+
+        def initialize(env)
+          super
+          @id_token  = params['id_token']
+          attr_missing!
+        end
+      end
+
+      class Response < Rack::OAuth2::Server::Abstract::Response
+        attr_required :id_token
+
+        def protocol_params
+          id_token.as_json
+        end
+
+        def finish
+          attr_missing!
+          write Rack::OAuth2::Util.compact_hash(protocol_params).to_json
+          header['Content-Type'] = 'application/json'
+          header['Cache-Control'] = 'no-store'
+          header['Pragma'] = 'no-cache'
+          super
+        end
+      end
+    end
+  end
+end
+
+require 'openid_connect/server/id_token/error'

data/lib/openid_connect/server/id_token/error.rb

@@ -0,0 +1,30 @@
+module OpenIDConnect
+  module Server
+    class IdToken
+      class BadRequest < Rack::OAuth2::Server::Abstract::BadRequest; end
+
+      module ErrorMethods
+        DEFAULT_DESCRIPTION = {
+          :invalid_request => "The request is missing a required parameter.",
+          :invalid_id_token => "The ID Token is not valid for the requested resource, is malformed, is in an incorrect format, or is expired."
+        }
+
+        def self.included(klass)
+          DEFAULT_DESCRIPTION.each do |error, default_description|
+            klass.class_eval <<-ERROR
+              def #{error}!(description = "#{default_description}", options = {})
+                bad_request! :#{error}, description, options
+              end
+            ERROR
+          end
+        end
+
+        def bad_request!(error, description = nil, options = {})
+          raise BadRequest.new(error, description, options)
+        end
+      end
+
+      Request.send :include, ErrorMethods
+    end
+  end
+end

data/spec/openid_connect/response_object/id_token_spec.rb

@@ -4,12 +4,13 @@ describe OpenIDConnect::ResponseObject::IdToken do
   let(:klass) { OpenIDConnect::ResponseObject::IdToken }
   let(:id_token) { klass.new attributes }
   let(:attributes) { required_attributes }
+  let(:ext) { 10.minutes.from_now }
   let :required_attributes do
     {
       :iss => 'https://server.example.com',
       :user_id => 'user_id',
       :aud => 'client_id',
-      :exp => 1313424327
+      :exp => ext
     }
   end
 
@@ -22,6 +23,13 @@ describe OpenIDConnect::ResponseObject::IdToken do
   describe '#verify!' do
     context 'when valid client_id is given' do
       it { id_token.verify!('client_id').should be_true }
+
+      context 'when expired' do
+        let(:ext) { 10.minutes.ago }
+        it do
+          expect { id_token.verify! 'client_id' }.should raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+        end
+      end
     end
 
     context 'otherwise' do
@@ -56,8 +64,9 @@ describe OpenIDConnect::ResponseObject::IdToken do
     subject { klass.from_jwt id_token.to_jwt, 'secret' }
     let(:attributes) { required_attributes.merge(:secret => 'secret') }
     it { should be_a klass }
-    [:iss, :user_id, :aud, :exp, :secret].each do |key|
+    [:iss, :user_id, :aud, :secret].each do |key|
       its(key) { should == attributes[key] }
     end
+    its(:exp) { should == attributes[:exp].to_i }
   end
 end

data/spec/openid_connect/server/id_token_spec.rb

@@ -0,0 +1,67 @@
+require 'spec_helper.rb'
+
+describe OpenIDConnect::Server::IdToken do
+  let(:request) { Rack::MockRequest.new app }
+  let :app do
+    OpenIDConnect::Server::IdToken.new do |req, res|
+      res.id_token = id_token
+    end
+  end
+  let :env do
+    Rack::MockRequest.env_for(
+      '/id_token',
+      :params => params
+    )
+  end
+  let :params do
+    {:id_token => id_token.to_jwt}
+  end
+  let :id_token do
+    OpenIDConnect::ResponseObject::IdToken.new(
+      :iss => 'https://server.example.com',
+      :user_id => 'user_id',
+      :aud => 'client_id',
+      :exp => 1313424327,
+      :secret => 'secret'
+    )
+  end
+  subject { request.post('/id_token', :params => params) }
+
+  context 'when valid id_token is given' do
+    it 'should extract it' do
+      status, header, response = app.call(env)
+      status.should == 200
+      json = response.body.first
+      json.should include '"aud":"client_id"'
+      json.should include '"user_id":"user_id"'
+      json.should include '"exp":1313424327'
+      json.should include '"iss":"https://server.example.com"'
+    end
+  end
+
+  context 'otherwise' do
+    context 'when missing' do
+      let :params do
+        {}
+      end
+      it do
+        status, header, response = app.call(env)
+        status.should == 400
+        response.body.first.should include '"error":"invalid_request"'
+      end
+    end
+
+    context 'when rejected by authenticator' do
+      let :app do
+        OpenIDConnect::Server::IdToken.new do |req, res|
+          req.invalid_id_token! 'Expired or Invalid Format'
+        end
+      end
+      it do
+        status, header, response = app.call(env)
+        status.should == 400
+        response.body.first.should include '"error":"invalid_id_token"'
+      end
+    end
+  end
+end

metadata

@@ -1,8 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: openid_connect
 version: !ruby/object:Gem::Version 
+  hash: 9
   prerelease: 
-  version: 0.0.10
+  segments: 
+  - 0
+  - 0
+  - 11
+  version: 0.0.11
 platform: ruby
 authors: 
 - nov matake
@@ -20,6 +25,9 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 5
+        segments: 
+        - 3
         version: "3"
   type: :runtime
   version_requirements: *id001
@@ -31,6 +39,9 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
         version: "0"
   type: :runtime
   version_requirements: *id002
@@ -42,6 +53,9 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
         version: "0"
   type: :runtime
   version_requirements: *id003
@@ -53,6 +67,9 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
         version: "0"
   type: :runtime
   version_requirements: *id004
@@ -64,6 +81,11 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 29
+        segments: 
+        - 0
+        - 1
+        - 3
         version: 0.1.3
   type: :runtime
   version_requirements: *id005
@@ -75,6 +97,11 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 1
+        segments: 
+        - 1
+        - 4
+        - 3
         version: 1.4.3
   type: :runtime
   version_requirements: *id006
@@ -86,6 +113,11 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 0
+        - 3
         version: 0.0.3
   type: :runtime
   version_requirements: *id007
@@ -97,6 +129,10 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 9
         version: "0.9"
   type: :runtime
   version_requirements: *id008
@@ -108,6 +144,10 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 0
+        - 8
         version: "0.8"
   type: :development
   version_requirements: *id009
@@ -119,6 +159,10 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 9
         version: "0.9"
   type: :development
   version_requirements: *id010
@@ -130,6 +174,9 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 2
         version: "2"
   type: :development
   version_requirements: *id011
@@ -141,6 +188,11 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 1
+        - 6
+        - 2
         version: 1.6.2
   type: :development
   version_requirements: *id012
@@ -171,6 +223,8 @@ files:
 - lib/openid_connect/response_object/user_info.rb
 - lib/openid_connect/response_object/user_info/open_id.rb
 - lib/openid_connect/response_object/user_info/open_id/address.rb
+- lib/openid_connect/server/id_token.rb
+- lib/openid_connect/server/id_token/error.rb
 - lib/rack/oauth2/server/id_token_response.rb
 - openid_connect.gemspec
 - spec/helpers/webmock_helper.rb
@@ -190,6 +244,7 @@ files:
 - spec/openid_connect/response_object/user_info/open_id/address_spec.rb
 - spec/openid_connect/response_object/user_info/open_id_spec.rb
 - spec/openid_connect/response_object_spec.rb
+- spec/openid_connect/server/id_token_spec.rb
 - spec/rack/oauth2/server/authorize/code_and_token_spec.rb
 - spec/rack/oauth2/server/authorize/token_spec.rb
 - spec/rack/oauth2/server/token/authorization_code_spec.rb
@@ -208,12 +263,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
 requirements: []
 
@@ -240,6 +301,7 @@ test_files:
 - spec/openid_connect/response_object/user_info/open_id/address_spec.rb
 - spec/openid_connect/response_object/user_info/open_id_spec.rb
 - spec/openid_connect/response_object_spec.rb
+- spec/openid_connect/server/id_token_spec.rb
 - spec/rack/oauth2/server/authorize/code_and_token_spec.rb
 - spec/rack/oauth2/server/authorize/token_spec.rb
 - spec/rack/oauth2/server/token/authorization_code_spec.rb