openid_connect 0.2.1 → 0.2.2

data/.travis.yml

@@ -1,4 +1,3 @@
 rvm:
-  - 1.8.7
   - 1.9.2
-  - 1.9.3
+  - 1.9.3

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    openid_connect (0.2.0)
+    openid_connect (0.2.1)
       activemodel (>= 3)
       attr_required (>= 0.0.5)
       json (>= 1.4.3)
@@ -38,7 +38,6 @@ GEM
     jruby-openssl (0.7.7)
       bouncy-castle-java (>= 1.5.0146.1)
     json (1.7.3)
-    json (1.7.3-java)
     json-jwt (0.0.7)
       activesupport (>= 2.3)
       i18n

data/VERSION

@@ -1 +1 @@
-0.2.1
+0.2.2

data/lib/openid_connect/access_token.rb

@@ -15,14 +15,6 @@ module OpenIDConnect
       ResponseObject::UserInfo::OpenID.new hash
     end
 
-    def id_token!
-      client.check_id_uri
-      hash = resource_request do
-        get client.check_id_uri
-      end
-      ResponseObject::IdToken.new hash
-    end
-
     private
 
     def resource_request

data/lib/openid_connect/client.rb

@@ -1,11 +1,10 @@
 module OpenIDConnect
   class Client < Rack::OAuth2::Client
-    attr_optional :check_id_endpoint, :user_info_endpoint, :expires_in
+    attr_optional :user_info_endpoint, :expires_in
 
     def initialize(attributes = {})
       super
       @user_info_endpoint ||= '/user_info'
-      @check_id_endpoint  ||= '/id_token'
     end
 
     def authorization_uri(params = {})
@@ -14,10 +13,6 @@ module OpenIDConnect
       super
     end
 
-    def check_id_uri
-      absolute_uri_for check_id_endpoint
-    end
-
     def user_info_uri
       absolute_uri_for user_info_endpoint
     end

data/lib/openid_connect/client/registrar.rb

@@ -22,14 +22,21 @@ module OpenIDConnect
         :sector_identifier_url,
         :user_id_type,
         :require_signed_request_object,
+        :userinfo_signed_response_alg,
+        :userinfo_encrypted_response_alg,
+        :userinfo_encrypted_response_enc,
+        :userinfo_encrypted_response_int,
+        :id_token_signed_response_alg,
+        :id_token_encrypted_response_alg,
+        :id_token_encrypted_response_enc,
+        :id_token_encrypted_response_int,
+        :default_max_age,
+        :require_auth_time,
+        :default_acr
       ]
       plurar_attributes = [
         :contacts,
-        :redirect_uris,
-        :userinfo_signed_response_algs,
-        :userinfo_encrypted_response_algs,
-        :id_token_signed_response_algs,
-        :id_token_encrypted_response_algs
+        :redirect_uris
       ]
       attr_required :endpoint
       attr_optional *(singular_attributes + plurar_attributes)
@@ -48,10 +55,10 @@ module OpenIDConnect
       end
 
       validates :type,                  :presence => true
-      validates :client_id,             :presence => {:if => lambda { |c| c.type.to_s == 'client_update' }}
+      validates :client_id,             :presence => {:if => lambda { |c| ['client_update', 'rotate_secret'].include?(c.type.to_s) }}
       validates :sector_identifier_url, :presence => {:if => :sector_identifier_required?}
 
-      validates :type,             :inclusion => {:in => ['client_associate', 'client_update']}
+      validates :type,             :inclusion => {:in => ['client_associate', 'rotate_secret', 'client_update']}
       validates :application_type, :inclusion => {:in => ['native', 'web']},      :allow_nil => true
       validates :user_id_type,     :inclusion => {:in => ['pairwise', 'public']}, :allow_nil => true
       validates :token_endpoint_auth_type, :inclusion => {
@@ -127,6 +134,11 @@ module OpenIDConnect
         post!
       end
 
+      def rotate_secret!
+        self.type = 'rotate_secret'
+        post!
+      end
+
       def update!
         self.type = 'client_update'
         post!

data/lib/openid_connect/discovery/principal.rb

@@ -6,8 +6,6 @@ module OpenIDConnect
       def self.parse(identifier)
         raise InvalidIdentifier.new('Identifier Required') if identifier.blank?
         type = case identifier
-        when /^(=|@|!)/
-          XRI
         when /@/
           Email
         else
@@ -31,5 +29,4 @@ module OpenIDConnect
 end
 
 require 'openid_connect/discovery/principal/email'
-require 'openid_connect/discovery/principal/uri'
-require 'openid_connect/discovery/principal/xri'
+require 'openid_connect/discovery/principal/uri'

data/lib/openid_connect/discovery/provider/config/response.rb

@@ -12,7 +12,6 @@ module OpenIDConnect
             :authorization_endpoint,
             :token_endpoint,
             :user_info_endpoint,
-            :check_id_endpoint,
             :refresh_session_endpoint,
             :end_session_endpoint,
             :jwk_url,

data/lib/openid_connect/response_object/id_token.rb

@@ -6,7 +6,7 @@ module OpenIDConnect
       class InvalidToken < Exception; end
 
       attr_required :iss, :user_id, :aud, :exp, :iat
-      attr_optional :acr, :auth_time, :nonce
+      attr_optional :acr, :auth_time, :nonce, :at_hash
 
       def initialize(attributes = {})
         super
@@ -25,16 +25,8 @@ module OpenIDConnect
 
       include JWTnizable
       class << self
-        def decode(jwt_string, key_or_client)
-          case key_or_client
-          when Client
-            OpenIDConnect::AccessToken.new(
-              :client => key_or_client,
-              :access_token => jwt_string
-            ).id_token!
-          else
-            new JSON::JWT.decode(jwt_string, key_or_client)
-          end
+        def decode(jwt_string, key)
+          new JSON::JWT.decode(jwt_string, key)
         end
       end
     end

data/spec/mock_response/client/registered.json

@@ -1,5 +1,5 @@
 {
-  "client_id": "client_id",
+  "client_id": "client.example.com",
   "client_secret": "client_secret",
   "expires_in": 3600
 }

data/spec/mock_response/client/rotated.json

@@ -0,0 +1,5 @@
+{
+  "client_id": "client.example.com",
+  "client_secret": "new_client_secret",
+  "expires_in": 3600
+}

data/spec/mock_response/client/updated.json

@@ -1,5 +1,3 @@
 {
-  "client_id": "new_client_id",
-  "client_secret": "new_client_secret",
-  "expires_in": 3600
+  "client_id": "client.example.com"
 }

data/spec/mock_response/discovery/config.json

@@ -4,7 +4,6 @@
     "authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
     "token_endpoint": "https://connect-op.heroku.com/access_tokens",
     "userinfo_endpoint": "https://connect-op.heroku.com/user_info",
-    "check_id_endpoint": "https://connect-op.heroku.com/id_token",
     "registration_endpoint": "https://connect-op.heroku.com/connect/client",
     "scopes_supported": ["openid", "profile", "email", "address"],
     "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],

data/spec/openid_connect/access_token_spec.rb

@@ -97,18 +97,4 @@ describe OpenIDConnect::AccessToken do
       it_behaves_like :access_token_error_handling
     end
   end
-
-  describe '#id_token!' do
-    it 'should return OpenIDConnect::ResponseObject::UserInfo::OpenID' do
-      mock_json :get, client.check_id_uri, 'id_token', :HTTP_AUTHORIZATION => 'Bearer access_token' do
-        access_token.id_token!.should be_a OpenIDConnect::ResponseObject::IdToken
-      end
-    end
-
-    describe 'error handling' do
-      let(:endpoint) { client.check_id_uri }
-      let(:request) { access_token.id_token! }
-      it_behaves_like :access_token_error_handling
-    end
-  end
 end

data/spec/openid_connect/client/registrar_spec.rb

@@ -224,7 +224,7 @@ describe OpenIDConnect::Client::Registrar do
       } do
         client = instance.associate!
         client.should be_instance_of OpenIDConnect::Client
-        client.identifier.should == 'client_id'
+        client.identifier.should == 'client.example.com'
         client.secret.should == 'client_secret'
         client.expires_in.should == 3600
       end
@@ -255,13 +255,13 @@ describe OpenIDConnect::Client::Registrar do
       mock_json :post, endpoint, 'client/updated', :params => {
         :type => 'client_update',
         :client_id => 'client.example.com',
-        :client_secret => 'client_secret'
+        :client_secret => 'client_secret',
+        :application_name => 'New Name'
       } do
+        instance.application_name = 'New Name'
         client = instance.update!
         client.should be_instance_of OpenIDConnect::Client
-        client.identifier.should == 'new_client_id'
-        client.secret.should == 'new_client_secret'
-        client.expires_in.should == 3600
+        client.identifier.should == 'client.example.com'
       end
     end
 
@@ -280,6 +280,29 @@ describe OpenIDConnect::Client::Registrar do
     end
   end
 
+  describe '#rotate_secret!' do
+    let(:attributes) do
+      {
+        :client_id => 'client.example.com',
+        :client_secret => 'client_secret'
+      }
+    end
+
+    it 'should return OpenIDConnect::Client' do
+      mock_json :post, endpoint, 'client/rotated', :params => {
+        :type => 'rotate_secret',
+        :client_id => 'client.example.com',
+        :client_secret => 'client_secret'
+      } do
+        client = instance.rotate_secret!
+        client.should be_instance_of OpenIDConnect::Client
+        client.identifier.should == 'client.example.com'
+        client.secret.should == 'new_client_secret'
+        client.expires_in.should == 3600
+      end
+    end
+  end
+
   describe '#validate!' do
     context 'when valid' do
       it do

data/spec/openid_connect/client_spec.rb

@@ -19,12 +19,11 @@ describe OpenIDConnect::Client do
       end
       its(:authorization_uri) { should include 'https://server.example.com/oauth2/authorize' }
       its(:authorization_uri) { should include 'scope=openid' }
-      its(:check_id_uri)      { should == 'https://server.example.com/id_token' }
       its(:user_info_uri)     { should == 'https://server.example.com/user_info' }
     end
 
     context 'otherwise' do
-      [:authorization_uri, :check_id_uri, :user_info_uri].each do |endpoint|
+      [:authorization_uri, :user_info_uri].each do |endpoint|
         describe endpoint do
           it do
             expect { client.send endpoint }.should raise_error 'No Host Info'

data/spec/openid_connect/discovery/principal_spec.rb

@@ -5,9 +5,7 @@ describe OpenIDConnect::Discovery::Principal do
     {
       'server.example.com' => OpenIDConnect::Discovery::Principal::URI,
       'http://server.example.com' => OpenIDConnect::Discovery::Principal::URI,
-      'nov@server.example.com' => OpenIDConnect::Discovery::Principal::Email,
-      '=nov' => OpenIDConnect::Discovery::Principal::XRI,
-      '@nov' => OpenIDConnect::Discovery::Principal::XRI
+      'nov@server.example.com' => OpenIDConnect::Discovery::Principal::Email
     }.each do |input, klass|
       describe input do
         it do

data/spec/openid_connect/discovery/provider/config_spec.rb

@@ -14,7 +14,6 @@ describe OpenIDConnect::Discovery::Provider::Config do
         config.authorization_endpoint.should == 'https://connect-op.heroku.com/authorizations/new'
         config.token_endpoint.should == 'https://connect-op.heroku.com/access_tokens'
         config.user_info_endpoint.should == 'https://connect-op.heroku.com/user_info'
-        config.check_id_endpoint.should == 'https://connect-op.heroku.com/id_token'
         config.refresh_session_endpoint.should be_nil
         config.end_session_endpoint.should be_nil
         config.jwk_url.should be_nil

data/spec/openid_connect/response_object/id_token_spec.rb

@@ -19,7 +19,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
   describe 'attributes' do
     subject { klass }
     its(:required_attributes) { should == [:iss, :user_id, :aud, :exp, :iat] }
-    its(:optional_attributes) { should == [:acr, :auth_time, :nonce] }
+    its(:optional_attributes) { should == [:acr, :auth_time, :nonce, :at_hash] }
   end
 
   describe '#verify!' do
@@ -150,37 +150,12 @@ describe OpenIDConnect::ResponseObject::IdToken do
   end
 
   describe '.decode' do
-    context 'when key is given' do
-      subject { klass.decode id_token.to_jwt(private_key), public_key }
-      let(:attributes) { required_attributes }
-      it { should be_a klass }
-      [:iss, :user_id, :aud].each do |key|
-        its(key) { should == attributes[key] }
-      end
-      its(:exp) { should == attributes[:exp].to_i }
-    end
-
-    context 'when client is given' do
-      let :client do
-        OpenIDConnect::Client.new(
-          :identifier => 'client_id',
-          :secret => 'client_secret',
-          :host => 'server.example.com'
-        )
-      end
-      subject do
-        mock_json :get, client.check_id_uri, 'id_token', :HTTP_AUTHORIZATION => 'Bearer access_token' do
-          @subject = klass.decode id_token.to_jwt(private_key), client
-        end
-        @subject
-      end
-      let(:attributes) { required_attributes }
-      let(:ext) { 1303852880 }
-      it { should be_a klass }
-      [:iss, :user_id, :aud].each do |key|
-        its(key) { should == attributes[key] }
-      end
-      its(:exp) { should == attributes[:exp].to_i }
+    subject { klass.decode id_token.to_jwt(private_key), public_key }
+    let(:attributes) { required_attributes }
+    it { should be_a klass }
+    [:iss, :user_id, :aud].each do |key|
+      its(key) { should == attributes[key] }
     end
+    its(:exp) { should == attributes[:exp].to_i }
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openid_connect
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.2
   prerelease: 
 platform: ruby
 authors:
@@ -246,7 +246,6 @@ files:
 - lib/openid_connect/discovery/principal.rb
 - lib/openid_connect/discovery/principal/email.rb
 - lib/openid_connect/discovery/principal/uri.rb
-- lib/openid_connect/discovery/principal/xri.rb
 - lib/openid_connect/discovery/provider.rb
 - lib/openid_connect/discovery/provider/config.rb
 - lib/openid_connect/discovery/provider/config/resource.rb
@@ -276,6 +275,7 @@ files:
 - spec/mock_response/access_token/invalid_json.json
 - spec/mock_response/access_token/mac.json
 - spec/mock_response/client/registered.json
+- spec/mock_response/client/rotated.json
 - spec/mock_response/client/updated.json
 - spec/mock_response/discovery/config.json
 - spec/mock_response/discovery/swd.json
@@ -292,7 +292,6 @@ files:
 - spec/openid_connect/debugger/request_filter_spec.rb
 - spec/openid_connect/discovery/principal/email_spec.rb
 - spec/openid_connect/discovery/principal/uri_spec.rb
-- spec/openid_connect/discovery/principal/xri_spec.rb
 - spec/openid_connect/discovery/principal_spec.rb
 - spec/openid_connect/discovery/provider/config/response_spec.rb
 - spec/openid_connect/discovery/provider/config_spec.rb
@@ -342,6 +341,7 @@ test_files:
 - spec/mock_response/access_token/invalid_json.json
 - spec/mock_response/access_token/mac.json
 - spec/mock_response/client/registered.json
+- spec/mock_response/client/rotated.json
 - spec/mock_response/client/updated.json
 - spec/mock_response/discovery/config.json
 - spec/mock_response/discovery/swd.json
@@ -358,7 +358,6 @@ test_files:
 - spec/openid_connect/debugger/request_filter_spec.rb
 - spec/openid_connect/discovery/principal/email_spec.rb
 - spec/openid_connect/discovery/principal/uri_spec.rb
-- spec/openid_connect/discovery/principal/xri_spec.rb
 - spec/openid_connect/discovery/principal_spec.rb
 - spec/openid_connect/discovery/provider/config/response_spec.rb
 - spec/openid_connect/discovery/provider/config_spec.rb

data/lib/openid_connect/discovery/principal/xri.rb

@@ -1,15 +0,0 @@
-module OpenIDConnect
-  module Discovery
-    class Principal
-      class XRI < Principal
-        def initialize(identifier)
-          @identifier = identifier
-        end
-
-        def discover!(cache_options = {})
-          raise NotImplementedError.new('XRI is not supported yet')
-        end
-      end
-    end
-  end
-end

data/spec/openid_connect/discovery/principal/xri_spec.rb

@@ -1,5 +0,0 @@
-require 'spec_helper'
-
-describe OpenIDConnect::Discovery::Principal::XRI do
-  it :TODO
-end