openid_connect 0.0.3 → 0.0.4
Sign up to get free protection for your applications and to get access to all the features.
- data/Gemfile.lock +7 -7
- data/VERSION +1 -1
- data/lib/openid_connect.rb +1 -0
- data/lib/openid_connect/access_token.rb +7 -6
- data/lib/openid_connect/client.rb +8 -0
- data/lib/openid_connect/response_object.rb +5 -1
- data/lib/openid_connect/response_object/id_token.rb +4 -8
- data/spec/openid_connect/response_object/id_token_spec.rb +1 -1
- data/spec/rack/oauth2/server/authorize/extension/id_token_and_token_spec.rb +12 -2
- data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb +12 -14
- metadata +1 -1
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
openid_connect (0.0.
|
|
4
|
+
openid_connect (0.0.3)
|
|
5
5
|
activemodel (>= 3)
|
|
6
6
|
attr_required (>= 0.0.3)
|
|
7
7
|
json (>= 1.4.3)
|
|
@@ -14,16 +14,16 @@ PATH
|
|
|
14
14
|
GEM
|
|
15
15
|
remote: http://rubygems.org/
|
|
16
16
|
specs:
|
|
17
|
-
activemodel (3.0.
|
|
18
|
-
activesupport (= 3.0.
|
|
17
|
+
activemodel (3.0.5)
|
|
18
|
+
activesupport (= 3.0.5)
|
|
19
19
|
builder (~> 2.1.2)
|
|
20
|
-
i18n (~> 0.
|
|
21
|
-
activesupport (3.0.
|
|
20
|
+
i18n (~> 0.4)
|
|
21
|
+
activesupport (3.0.5)
|
|
22
22
|
attr_required (0.0.3)
|
|
23
23
|
builder (2.1.2)
|
|
24
24
|
diff-lcs (1.1.2)
|
|
25
25
|
httpclient (2.2.1)
|
|
26
|
-
i18n (0.
|
|
26
|
+
i18n (0.6.0)
|
|
27
27
|
json (1.5.3)
|
|
28
28
|
jwt (0.1.3)
|
|
29
29
|
json (>= 1.2.4)
|
|
@@ -34,7 +34,7 @@ GEM
|
|
|
34
34
|
mime-types (1.16)
|
|
35
35
|
polyglot (0.3.2)
|
|
36
36
|
rack (1.3.2)
|
|
37
|
-
rack-oauth2 (0.9.
|
|
37
|
+
rack-oauth2 (0.9.2)
|
|
38
38
|
activesupport (>= 2.3)
|
|
39
39
|
attr_required (>= 0.0.3)
|
|
40
40
|
httpclient (>= 2.2.0.2)
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.0.
|
|
1
|
+
0.0.4
|
data/lib/openid_connect.rb
CHANGED
|
@@ -3,6 +3,7 @@ require 'rack/oauth2'
|
|
|
3
3
|
require 'rack/oauth2/server/authorize/extension/id_token'
|
|
4
4
|
require 'rack/oauth2/server/authorize/extension/id_token_and_token'
|
|
5
5
|
|
|
6
|
+
require 'openid_connect/exception'
|
|
6
7
|
require 'openid_connect/client'
|
|
7
8
|
require 'openid_connect/access_token'
|
|
8
9
|
require 'openid_connect/response_object'
|
|
@@ -5,25 +5,26 @@ module OpenIDConnect
|
|
|
5
5
|
def user_info!(scheme = :openid)
|
|
6
6
|
klass = case scheme
|
|
7
7
|
when :openid
|
|
8
|
-
UserInfo::OpenID
|
|
8
|
+
ResponseObject::UserInfo::OpenID
|
|
9
9
|
else
|
|
10
10
|
raise "Unknown Scheme: #{scheme}"
|
|
11
11
|
end
|
|
12
|
-
|
|
13
|
-
get
|
|
12
|
+
hash = resource_request do
|
|
13
|
+
get client.user_info_uri
|
|
14
14
|
end
|
|
15
|
+
klass.new hash
|
|
15
16
|
end
|
|
16
17
|
|
|
17
18
|
def id_token!
|
|
18
|
-
|
|
19
|
-
get
|
|
19
|
+
hash = resource_request do
|
|
20
|
+
get client.introspection_uri
|
|
20
21
|
end
|
|
22
|
+
ResponseObject::IdToken.new hash
|
|
21
23
|
end
|
|
22
24
|
|
|
23
25
|
private
|
|
24
26
|
|
|
25
27
|
def resource_request
|
|
26
|
-
access_token_requied!
|
|
27
28
|
res = yield
|
|
28
29
|
case res.status
|
|
29
30
|
when 200
|
|
@@ -22,6 +22,14 @@ module OpenIDConnect
|
|
|
22
22
|
AccessToken.new token.token_response.merge(:client => self)
|
|
23
23
|
end
|
|
24
24
|
|
|
25
|
+
def introspection_uri
|
|
26
|
+
absolute_uri_for introspection_endpoint
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def user_info_uri
|
|
30
|
+
absolute_uri_for user_info_endpoint
|
|
31
|
+
end
|
|
32
|
+
|
|
25
33
|
private
|
|
26
34
|
|
|
27
35
|
def setup_required_scope(scopes)
|
|
@@ -20,6 +20,10 @@ module OpenIDConnect
|
|
|
20
20
|
required_attributes + optional_attributes
|
|
21
21
|
end
|
|
22
22
|
|
|
23
|
+
def hidden_attributes
|
|
24
|
+
nil
|
|
25
|
+
end
|
|
26
|
+
|
|
23
27
|
def require_at_least_one_attributes
|
|
24
28
|
all_blank = all_attriutes.all? do |key|
|
|
25
29
|
self.send(key).blank?
|
|
@@ -28,7 +32,7 @@ module OpenIDConnect
|
|
|
28
32
|
end
|
|
29
33
|
|
|
30
34
|
def as_json(options = {})
|
|
31
|
-
all_attriutes.inject({}) do |hash, _attr_|
|
|
35
|
+
(all_attriutes - Array(hidden_attributes)).inject({}) do |hash, _attr_|
|
|
32
36
|
hash.merge! _attr_ => self.send(_attr_)
|
|
33
37
|
end.delete_if do |key, value|
|
|
34
38
|
value.nil?
|
|
@@ -3,15 +3,11 @@ require 'jwt'
|
|
|
3
3
|
module OpenIDConnect
|
|
4
4
|
class ResponseObject
|
|
5
5
|
class IdToken < ResponseObject
|
|
6
|
-
attr_required :iss, :user_id, :aud, :exp
|
|
7
|
-
attr_optional :iso29115, :nonce, :issued_to
|
|
6
|
+
attr_required :iss, :user_id, :aud, :exp
|
|
7
|
+
attr_optional :iso29115, :nonce, :issued_to, :secret
|
|
8
8
|
|
|
9
|
-
def
|
|
10
|
-
|
|
11
|
-
hash.merge! key => self.send(key)
|
|
12
|
-
end.delete_if do |key, value|
|
|
13
|
-
value.nil?
|
|
14
|
-
end
|
|
9
|
+
def hidden_attributes
|
|
10
|
+
:secret
|
|
15
11
|
end
|
|
16
12
|
|
|
17
13
|
def to_jwt
|
|
@@ -6,6 +6,6 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
|
6
6
|
describe 'attributes' do
|
|
7
7
|
subject { klass }
|
|
8
8
|
its(:required_attributes) { should == [:iss, :user_id, :aud, :exp] }
|
|
9
|
-
its(:optional_attributes) { should == [:iso29115, :nonce, :issued_to] }
|
|
9
|
+
its(:optional_attributes) { should == [:iso29115, :nonce, :issued_to, :secret] }
|
|
10
10
|
end
|
|
11
11
|
end
|
|
@@ -7,6 +7,15 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdTokenAndToken do
|
|
|
7
7
|
let(:response) do
|
|
8
8
|
request.get("/?response_type=id_token%20token&client_id=client&redirect_uri=#{redirect_uri}")
|
|
9
9
|
end
|
|
10
|
+
let(:id_token) do
|
|
11
|
+
OpenIDConnect::ResponseObject::IdToken.new(
|
|
12
|
+
:iss => 'iss',
|
|
13
|
+
:user_id => 'user_id',
|
|
14
|
+
:aud => 'aud',
|
|
15
|
+
:exp => 10.minutes.from_now,
|
|
16
|
+
:secret => 'secret'
|
|
17
|
+
)
|
|
18
|
+
end
|
|
10
19
|
|
|
11
20
|
context "when approved" do
|
|
12
21
|
subject { response }
|
|
@@ -15,11 +24,12 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdTokenAndToken do
|
|
|
15
24
|
Rack::OAuth2::Server::Authorize.new do |request, response|
|
|
16
25
|
response.redirect_uri = redirect_uri
|
|
17
26
|
response.access_token = bearer_token
|
|
27
|
+
response.id_token = id_token
|
|
18
28
|
response.approve!
|
|
19
29
|
end
|
|
20
30
|
end
|
|
21
31
|
its(:status) { should == 302 }
|
|
22
|
-
its(:location) { should == "#{redirect_uri}#access_token=#{access_token}&token_type=bearer" }
|
|
32
|
+
its(:location) { should == "#{redirect_uri}#access_token=#{access_token}&id_token=#{id_token.to_jwt}&token_type=bearer" }
|
|
23
33
|
|
|
24
34
|
context 'when refresh_token is given' do
|
|
25
35
|
let :bearer_token do
|
|
@@ -28,7 +38,7 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdTokenAndToken do
|
|
|
28
38
|
:refresh_token => 'refresh'
|
|
29
39
|
)
|
|
30
40
|
end
|
|
31
|
-
its(:location) { should == "#{redirect_uri}#access_token=#{access_token}&token_type=bearer" }
|
|
41
|
+
its(:location) { should == "#{redirect_uri}#access_token=#{access_token}&id_token=#{id_token.to_jwt}&token_type=bearer" }
|
|
32
42
|
end
|
|
33
43
|
end
|
|
34
44
|
|
|
@@ -3,33 +3,31 @@ require 'spec_helper'
|
|
|
3
3
|
describe Rack::OAuth2::Server::Authorize::Extension::IdToken do
|
|
4
4
|
let(:request) { Rack::MockRequest.new app }
|
|
5
5
|
let(:redirect_uri) { 'http://client.example.com/callback' }
|
|
6
|
-
let(:access_token) { 'access_token' }
|
|
7
6
|
let(:response) do
|
|
8
7
|
request.get("/?response_type=id_token&client_id=client&redirect_uri=#{redirect_uri}")
|
|
9
8
|
end
|
|
9
|
+
let(:id_token) do
|
|
10
|
+
OpenIDConnect::ResponseObject::IdToken.new(
|
|
11
|
+
:iss => 'iss',
|
|
12
|
+
:user_id => 'user_id',
|
|
13
|
+
:aud => 'aud',
|
|
14
|
+
:exp => 10.minutes.from_now,
|
|
15
|
+
:secret => 'secret'
|
|
16
|
+
)
|
|
17
|
+
end
|
|
10
18
|
|
|
11
19
|
context "when approved" do
|
|
12
20
|
subject { response }
|
|
13
|
-
|
|
21
|
+
|
|
14
22
|
let :app do
|
|
15
23
|
Rack::OAuth2::Server::Authorize.new do |request, response|
|
|
16
24
|
response.redirect_uri = redirect_uri
|
|
17
|
-
response.
|
|
25
|
+
response.id_token = id_token
|
|
18
26
|
response.approve!
|
|
19
27
|
end
|
|
20
28
|
end
|
|
21
29
|
its(:status) { should == 302 }
|
|
22
|
-
its(:location) { should == "#{redirect_uri}#
|
|
23
|
-
|
|
24
|
-
context 'when refresh_token is given' do
|
|
25
|
-
let :bearer_token do
|
|
26
|
-
Rack::OAuth2::AccessToken::Bearer.new(
|
|
27
|
-
:access_token => access_token,
|
|
28
|
-
:refresh_token => 'refresh'
|
|
29
|
-
)
|
|
30
|
-
end
|
|
31
|
-
its(:location) { should == "#{redirect_uri}#access_token=#{access_token}&token_type=bearer" }
|
|
32
|
-
end
|
|
30
|
+
its(:location) { should == "#{redirect_uri}#id_token=#{id_token.to_jwt}" }
|
|
33
31
|
end
|
|
34
32
|
|
|
35
33
|
context 'when denied' do
|