rack-oauth2 1.12.0 → 1.21.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c09e887a3c902ebbbfd1b2a1698d8a4d68d28e18e75616c629dd75e981e2a9d2
-  data.tar.gz: c0142a2c05df047f0d8f1e9ac11f428983d27a8945d5ae5be213be41b5615e20
+  metadata.gz: 7303cf85e66a7fb4a89d66d95b4ad35720ecb95459f9740208328314ea54b157
+  data.tar.gz: 061a4a30cbb25212979a37f26e18043cbf71dead3e36981b37f6152fc6899cfd
 SHA512:
-  metadata.gz: ab1002bdd363b2edab71e8eeebd9872bca8ea2be6ad2a99875543974a2b85340ddcb42fc4ddf22f779b18429dc48a9d36fd91e9059391b76b537c04293ac2056
-  data.tar.gz: bdffd308340040287a3a8777cdaaaa9de58873d4d27e080dc719b4715ca53fd413bc726f19382b63cd086ad3dd47ac139a665f0acfcd25d2bb2a5e266d8dafce
+  metadata.gz: 5fbabf81d770e80f02614d3b00b0fd9db8a63ed695a5b67b74266eee1f09ec6e7045db009ea7e6ee09af84680699809032ecc64d58caee48305573cd3532b5be
+  data.tar.gz: 5bc8cdbdddb9a997560eab574a955ab69d3ad8f9e594554a45d17e077991c2551382c917363c1c09db349abf262f5d9c15a7cfb13c24e56fe27d83cbde62f0f3

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: nov

data/.github/workflows/spec.yml

@@ -0,0 +1,30 @@
+name: Spec
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  spec:
+    strategy:
+      matrix:
+        os: ['ubuntu-20.04']
+        ruby-version: ['2.6', '2.7', '3.0', '3.1']
+        # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+        include:
+        - os: 'ubuntu-22.04'
+          ruby-version: '3.1'
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run Specs
+      run: bundle exec rake spec

data/.travis.yml

@@ -2,6 +2,7 @@ before_install:
   - gem install bundler
 
 rvm:
-  - 2.3.6
-  - 2.4.3
-  - 2.5.0
+  - 2.6.10
+  - 2.7.6
+  - 3.0.4
+  - 3.1.2

data/README.rdoc

@@ -28,17 +28,11 @@ http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
 
 === Bearer
 
-Running on Heroku
-https://rack-oauth2-sample.heroku.com
-
 Source on GitHub
 https://github.com/nov/rack-oauth2-sample
 
 === MAC
 
-Running on Heroku
-https://rack-oauth2-sample-mac.heroku.com
-
 Source on GitHub
 https://github.com/nov/rack-oauth2-sample-mac
 

data/VERSION

@@ -1 +1 @@
-1.12.0
+1.21.3

data/lib/rack/oauth2/client.rb

@@ -3,7 +3,7 @@ module Rack
     class Client
       include AttrRequired, AttrOptional
       attr_required :identifier
-      attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint
+      attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint, :revocation_endpoint
 
       def initialize(attributes = {})
         (required_attributes + optional_attributes).each do |key|
@@ -16,12 +16,12 @@ module Rack
       end
 
       def authorization_uri(params = {})
+        params[:redirect_uri] ||= self.redirect_uri
         params[:response_type] ||= :code
         params[:response_type] = Array(params[:response_type]).join(' ')
         params[:scope] = Array(params[:scope]).join(' ')
         Util.redirect_uri absolute_uri_for(authorization_endpoint), :query, params.merge(
-          client_id: self.identifier,
-          redirect_uri: self.redirect_uri
+          client_id: self.identifier
         )
       end
 
@@ -69,20 +69,83 @@ module Rack
       end
 
       def access_token!(*args)
-        headers, params = {}, @grant.as_json
+        headers, params, http_client, options = authenticated_context_from(*args)
+        params[:scope] = Array(options.delete(:scope)).join(' ') if options[:scope].present?
+        params.merge! @grant.as_json
+        params.merge! options
+        handle_response do
+          http_client.post(
+            absolute_uri_for(token_endpoint),
+            Util.compact_hash(params),
+            headers
+          )
+        end
+      end
+
+      def revoke!(*args)
+        headers, params, http_client, options = authenticated_context_from(*args)
+
+        params.merge! case
+        when access_token = options.delete(:access_token)
+          {
+            token: access_token,
+            token_type_hint: :access_token
+          }
+        when refresh_token = options.delete(:refresh_token)
+          {
+            token: refresh_token,
+            token_type_hint: :refresh_token
+          }
+        when @grant.is_a?(Grant::RefreshToken)
+          {
+            token: @grant.refresh_token,
+            token_type_hint: :refresh_token
+          }
+        when options[:token].blank?
+          raise ArgumentError, 'One of "token", "access_token" and "refresh_token" is required'
+        end
+        params.merge! options
+
+        handle_revocation_response do
+          http_client.post(
+            absolute_uri_for(revocation_endpoint),
+            Util.compact_hash(params),
+            headers
+          )
+        end
+      end
+
+      private
+
+      def absolute_uri_for(endpoint)
+        _endpoint_ = Util.parse_uri endpoint
+        _endpoint_.scheme ||= self.scheme || 'https'
+        _endpoint_.host ||= self.host
+        _endpoint_.port ||= self.port
+        raise 'No Host Info' unless _endpoint_.host
+        _endpoint_.to_s
+      end
+
+      def authenticated_context_from(*args)
+        headers, params = {}, {}
         http_client = Rack::OAuth2.http_client
 
         # NOTE:
-        #  Using Array#estract_options! for backward compatibility.
+        #  Using Array#extract_options! for backward compatibility.
         #  Until v1.0.5, the first argument was 'client_auth_method' in scalar.
         options = args.extract_options!
-        client_auth_method = args.first || options.delete(:client_auth_method) || :basic
-
-        params[:scope] = Array(options.delete(:scope)).join(' ') if options[:scope].present?
-        params.merge! options
+        client_auth_method = args.first || options.delete(:client_auth_method).try(:to_sym) || :basic
 
         case client_auth_method
         when :basic
+          cred = Base64.strict_encode64 [
+            Util.www_form_url_encode(identifier),
+            Util.www_form_url_encode(secret)
+          ].join(':')
+          headers.merge!(
+            'Authorization' => "Basic #{cred}"
+          )
+        when :basic_without_www_form_urlencode
           cred = ["#{identifier}:#{secret}"].pack('m').tr("\n", '')
           headers.merge!(
             'Authorization' => "Basic #{cred}"
@@ -92,9 +155,11 @@ module Rack
             client_assertion_type: URN::ClientAssertionType::JWT_BEARER
           )
           # NOTE: optionally auto-generate client_assertion.
-          if params[:client_assertion].blank?
+          params[:client_assertion] = if options[:client_assertion].present?
+            options.delete(:client_assertion)
+          else
             require 'json/jwt'
-            params[:client_assertion] = JSON::JWT.new(
+            JSON::JWT.new(
               iss: identifier,
               sub: identifier,
               aud: absolute_uri_for(token_endpoint),
@@ -119,24 +184,8 @@ module Rack
             client_secret: secret
           )
         end
-        handle_response do
-          http_client.post(
-            absolute_uri_for(token_endpoint),
-            Util.compact_hash(params),
-            headers
-          )
-        end
-      end
-
-      private
 
-      def absolute_uri_for(endpoint)
-        _endpoint_ = Util.parse_uri endpoint
-        _endpoint_.scheme ||= self.scheme || 'https'
-        _endpoint_.host ||= self.host
-        _endpoint_.port ||= self.port
-        raise 'No Host Info' unless _endpoint_.host
-        _endpoint_.to_s
+        [headers, params, http_client, options]
       end
 
       def handle_response
@@ -149,6 +198,16 @@ module Rack
         end
       end
 
+      def handle_revocation_response
+        response = yield
+        case response.status
+        when 200..201
+          :success
+        else
+          handle_error_response response
+        end
+      end
+
       def handle_success_response(response)
         token_hash = JSON.parse(response.body).with_indifferent_access
         case (@forced_token_type || token_hash[:token_type]).try(:downcase)

data/lib/rack/oauth2/server/abstract/error.rb

@@ -27,7 +27,7 @@ module Rack
             response.status = status
             yield response if block_given?
             unless response.redirect?
-              response.header['Content-Type'] = 'application/json'
+              response.headers['Content-Type'] = 'application/json'
               response.write Util.compact_hash(protocol_params).to_json
             end
             response.finish
@@ -42,6 +42,7 @@ module Rack
 
         class Unauthorized < Error
           def initialize(error = :unauthorized, description = nil, options = {})
+            @skip_www_authenticate = options[:skip_www_authenticate]
             super 401, error, description, options
           end
         end

data/lib/rack/oauth2/server/rails/response_ext.rb

@@ -5,7 +5,7 @@ module Rack
         module ResponseExt
           def redirect?
             ensure_finish do
-              @response.redirect?
+              super
             end
           end
 
@@ -17,13 +17,13 @@ module Rack
 
           def json
             ensure_finish do
-              @response.body
+              @body
             end
           end
 
-          def header
+          def headers
             ensure_finish do
-              @header
+              @headers
             end
           end
 
@@ -39,7 +39,7 @@ module Rack
           end
 
           def ensure_finish
-            @status, @header, @response = finish unless finished?
+            @status, @headers, @body = finish unless finished?
             yield
           end
         end

data/lib/rack/oauth2/server/resource/error.rb

@@ -13,11 +13,11 @@ module Rack
           def finish
             super do |response|
               self.realm ||= DEFAULT_REALM
-              header = response.header['WWW-Authenticate'] = "#{scheme} realm=\"#{realm}\""
+              headers = response.headers['WWW-Authenticate'] = "#{scheme} realm=\"#{realm}\""
               if ErrorMethods::DEFAULT_DESCRIPTION.keys.include?(error)
-                header << ", error=\"#{error}\""
-                header << ", error_description=\"#{description}\"" if description.present?
-                header << ", error_uri=\"#{uri}\""                 if uri.present?
+                headers << ", error=\"#{error}\""
+                headers << ", error_description=\"#{description}\"" if description.present?
+                headers << ", error_uri=\"#{uri}\""                 if uri.present?
               end
             end
           end

data/lib/rack/oauth2/server/token/error.rb

@@ -8,7 +8,9 @@ module Rack
         class Unauthorized < Abstract::Unauthorized
           def finish
             super do |response|
-              response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
+              unless @skip_www_authenticate
+                response.headers['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
+              end
             end
           end
         end

data/lib/rack/oauth2/server/token.rb

@@ -44,16 +44,27 @@ module Rack
 
         class Request < Abstract::Request
           attr_required :grant_type
-          attr_optional :client_secret
+          attr_optional :client_secret, :client_assertion, :client_assertion_type
 
           def initialize(env)
             auth = Rack::Auth::Basic::Request.new(env)
             if auth.provided? && auth.basic?
-              @client_id, @client_secret = auth.credentials
+              @client_id, @client_secret = auth.credentials.map do |cred|
+                Util.www_form_url_decode cred
+              end
               super
             else
               super
               @client_secret = params['client_secret']
+              @client_assertion = params['client_assertion']
+              @client_assertion_type = params['client_assertion_type']
+              if client_assertion.present? && client_assertion_type == URN::ClientAssertionType::JWT_BEARER
+                require 'json/jwt'
+                @client_id = JSON::JWT.decode(
+                  client_assertion,
+                  :skip_verification
+                )[:sub] rescue nil
+              end
             end
             @grant_type = params['grant_type'].to_s
           end
@@ -69,9 +80,9 @@ module Rack
           def finish
             attr_missing!
             write Util.compact_hash(protocol_params).to_json
-            header['Content-Type'] = 'application/json'
-            header['Cache-Control'] = 'no-store'
-            header['Pragma'] = 'no-cache'
+            headers['Content-Type'] = 'application/json'
+            headers['Cache-Control'] = 'no-store'
+            headers['Pragma'] = 'no-cache'
             super
           end
         end

data/lib/rack/oauth2/urn.rb

@@ -3,14 +3,14 @@ module Rack
     module URN
       module TokenType
         JWT           = 'urn:ietf:params:oauth:token-type:jwt'           # RFC7519
-        ACCESS_TOKEN  = 'urn:ietf:params:oauth:token-type:access-token'  # draft-ietf-oauth-token-exchange
-        REFRESH_TOKEN = 'urn:ietf:params:oauth:token-type:refresh-token' # draft-ietf-oauth-token-exchange
+        ACCESS_TOKEN  = 'urn:ietf:params:oauth:token-type:access_token'  # RFC8693
+        REFRESH_TOKEN = 'urn:ietf:params:oauth:token-type:refresh_token' # RFC8693
       end
 
       module GrantType
         JWT_BEARER     = 'urn:ietf:params:oauth:grant-type:jwt-bearer'     # RFC7523
         SAML2_BEARER   = 'urn:ietf:params:oauth:grant-type:saml2-bearer'   # RFC7522
-        TOKEN_EXCHANGE = 'urn:ietf:params:oauth:grant-type:token-exchange' # draft-ietf-oauth-token-exchange
+        TOKEN_EXCHANGE = 'urn:ietf:params:oauth:grant-type:token-exchange' # RFC8693
       end
 
       module ClientAssertionType

data/lib/rack/oauth2/util.rb

@@ -4,8 +4,12 @@ module Rack
   module OAuth2
     module Util
       class << self
-        def rfc3986_encode(text)
-          URI.encode(text, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+        def www_form_url_encode(text)
+          URI.encode_www_form_component(text)
+        end
+
+        def www_form_url_decode(text)
+          URI.decode_www_form_component(text)
         end
 
         def base64_encode(text)

data/lib/rack/oauth2.rb

@@ -43,6 +43,11 @@ module Rack
       _http_client_ = HTTPClient.new(
         agent_name: agent_name
       )
+
+      # NOTE: httpclient gem seems stopped maintaining root certtificate set, use OS default.
+      _http_client_.ssl_config.clear_cert_store
+      _http_client_.ssl_config.cert_store.set_default_paths
+
       http_config.try(:call, _http_client_)
       local_http_config.try(:call, _http_client_) unless local_http_config.nil?
       _http_client_.request_filter << Debugger::RequestFilter.new if debugging?

data/rack-oauth2.gemspec

@@ -7,13 +7,13 @@ Gem::Specification.new do |s|
   s.email = 'nov@matake.jp'
   s.extra_rdoc_files = ['LICENSE', 'README.rdoc']
   s.rdoc_options = ['--charset=UTF-8']
-  s.homepage = 'http://github.com/nov/rack-oauth2'
+  s.homepage = 'https://github.com/nov/rack-oauth2'
   s.license = 'MIT'
   s.require_paths = ['lib']
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.files = `git ls-files`.split("\n")
   s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.add_runtime_dependency 'rack', '< 2.1'
+  s.add_runtime_dependency 'rack', '>= 2.1.0'
   s.add_runtime_dependency 'httpclient'
   s.add_runtime_dependency 'activesupport'
   s.add_runtime_dependency 'attr_required'
@@ -23,4 +23,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rspec'
   s.add_development_dependency 'rspec-its'
   s.add_development_dependency 'webmock'
+  s.add_development_dependency 'rexml'
 end

data/spec/rack/oauth2/client_spec.rb

@@ -1,12 +1,15 @@
 require 'spec_helper.rb'
 
 describe Rack::OAuth2::Client do
+  let(:client_id) { 'client_id' }
+  let(:client_secret) { 'client_secret' }
   let :client do
     Rack::OAuth2::Client.new(
-      identifier: 'client_id',
-      secret: 'client_secret',
+      identifier: client_id,
+      secret: client_secret,
       host: 'server.example.com',
-      redirect_uri: 'https://client.example.com/callback'
+      redirect_uri: 'https://client.example.com/callback',
+      revocation_endpoint: '/oauth2/revoke'
     )
   end
   subject { client }
@@ -15,6 +18,7 @@ describe Rack::OAuth2::Client do
   its(:secret)     { should == 'client_secret' }
   its(:authorization_endpoint) { should == '/oauth2/authorize' }
   its(:token_endpoint)         { should == '/oauth2/token' }
+  its(:revocation_endpoint)    { should == '/oauth2/revoke' }
 
   context 'when identifier is missing' do
     it do
@@ -97,6 +101,42 @@ describe Rack::OAuth2::Client do
           client.access_token!
         end
 
+        context 'when Basic auth method is used' do
+          context 'when client_id is a url' do
+            let(:client_id) { 'https://client.example.com'}
+
+            it 'should be encoded in "application/x-www-form-urlencoded"' do
+              mock_response(
+                :post,
+                'https://server.example.com/oauth2/token',
+                'tokens/bearer.json',
+                request_header: {
+                  'Authorization' => 'Basic aHR0cHMlM0ElMkYlMkZjbGllbnQuZXhhbXBsZS5jb206Y2xpZW50X3NlY3JldA=='
+                }
+              )
+              client.access_token!
+            end
+          end
+        end
+
+        context 'when basic_without_www_form_urlencode method is used' do
+          context 'when client_id is a url' do
+             let(:client_id) { 'https://client.example.com'}
+
+             it 'should be encoded in "application/x-www-form-urlencoded"' do
+               mock_response(
+                 :post,
+                 'https://server.example.com/oauth2/token',
+                 'tokens/bearer.json',
+                 request_header: {
+                   'Authorization' => 'Basic aHR0cHM6Ly9jbGllbnQuZXhhbXBsZS5jb206Y2xpZW50X3NlY3JldA=='
+                 }
+               )
+               client.access_token! :basic_without_www_form_urlencode
+             end
+           end
+        end
+
         context 'when jwt_bearer auth method specified' do
           context 'when client_secret is given' do
             it 'should be JWT bearer client assertion w/ auto-generated HS256-signed JWT assertion' do
@@ -148,7 +188,7 @@ describe Rack::OAuth2::Client do
               let :client do
                 Rack::OAuth2::Client.new(
                   identifier: 'client_id',
-                  private_key: OpenSSL::PKey::EC.new('prime256v1').generate_key,
+                  private_key: OpenSSL::PKey::EC.generate('prime256v1'),
                   host: 'server.example.com',
                   redirect_uri: 'https://client.example.com/callback'
                 )
@@ -408,12 +448,86 @@ describe Rack::OAuth2::Client do
     end
   end
 
+  describe '#revoke!' do
+    context 'when access_token given' do
+      before do
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/revoke',
+          'blank',
+          status: 200,
+          body: {
+            token: 'access_token',
+            token_type_hint: 'access_token'
+          }
+        )
+      end
+      it do
+        client.revoke!(access_token: 'access_token').should == :success
+      end
+    end
+
+    context 'when refresh_token given' do
+      before do
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/revoke',
+          'blank',
+          status: 200,
+          body: {
+            token: 'refresh_token',
+            token_type_hint: 'refresh_token'
+          }
+        )
+      end
+
+      context 'as argument' do
+        it do
+          client.revoke!(refresh_token: 'refresh_token').should == :success
+        end
+      end
+
+      context 'as grant' do
+        it do
+          client.refresh_token = 'refresh_token'
+          client.revoke!
+        end
+      end
+    end
+
+    context 'when error response given' do
+      before do
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/revoke',
+          'errors/invalid_request.json',
+          status: 400
+        )
+      end
+
+      it do
+        expect do
+          client.revoke! access_token: 'access_token'
+        end.to raise_error Rack::OAuth2::Client::Error
+      end
+    end
+
+    context 'when no token given' do
+      it do
+        expect do
+          client.revoke!
+        end.to raise_error ArgumentError
+      end
+    end
+  end
+
   context 'when no host info' do
     let :client do
       Rack::OAuth2::Client.new(
         identifier: 'client_id',
         secret: 'client_secret',
-        redirect_uri: 'https://client.example.com/callback'
+        redirect_uri: 'https://client.example.com/callback',
+        revocation_endpoint: '/oauth2/revoke'
       )
     end
 
@@ -428,5 +542,11 @@ describe Rack::OAuth2::Client do
         expect { client.access_token! }.to raise_error 'No Host Info'
       end
     end
+
+    describe '#revoke!' do
+      it do
+        expect { client.revoke! access_token: 'access_token' }.to raise_error 'No Host Info'
+      end
+    end
   end
 end

data/spec/rack/oauth2/server/authorize/error_spec.rb

@@ -23,27 +23,27 @@ describe Rack::OAuth2::Server::Authorize::BadRequest do
       context 'when protocol_params_location = :query' do
         before { error.protocol_params_location = :query }
         it 'should redirect with error in query' do
-          state, header, response = error.finish
+          state, headers, response = error.finish
           state.should == 302
-          header["Location"].should == "#{redirect_uri}?error=invalid_request"
+          headers["Location"].should == "#{redirect_uri}?error=invalid_request"
         end
       end
 
       context 'when protocol_params_location = :fragment' do
         before { error.protocol_params_location = :fragment }
         it 'should redirect with error in fragment' do
-          state, header, response = error.finish
+          state, headers, response = error.finish
           state.should == 302
-          header["Location"].should == "#{redirect_uri}#error=invalid_request"
+          headers["Location"].should == "#{redirect_uri}#error=invalid_request"
         end
       end
 
       context 'otherwise' do
         before { error.protocol_params_location = :other }
         it 'should redirect without error' do
-          state, header, response = error.finish
+          state, headers, response = error.finish
           state.should == 302
-          header["Location"].should == redirect_uri
+          headers["Location"].should == redirect_uri
         end
       end
     end

data/spec/rack/oauth2/server/resource/bearer/error_spec.rb

@@ -12,8 +12,8 @@ describe Rack::OAuth2::Server::Resource::Bearer::Unauthorized do
 
   describe '#finish' do
     it 'should use Bearer scheme' do
-      status, header, response = error.finish
-      header['WWW-Authenticate'].should include 'Bearer'
+      status, headers, response = error.finish
+      headers['WWW-Authenticate'].should include 'Bearer'
     end
   end
 end

data/spec/rack/oauth2/server/resource/bearer_spec.rb

@@ -22,29 +22,29 @@ describe Rack::OAuth2::Server::Resource::Bearer do
 
   shared_examples_for :authenticated_bearer_request do
     it 'should be authenticated' do
-      status, header, response = request
+      status, headers, response = request
       status.should == 200
       access_token.should == bearer_token
     end
   end
   shared_examples_for :unauthorized_bearer_request do
     it 'should be unauthorized' do
-      status, header, response = request
+      status, headers, response = request
       status.should == 401
-      header['WWW-Authenticate'].should include 'Bearer'
+      headers['WWW-Authenticate'].should include 'Bearer'
       access_token.should be_nil
     end
   end
   shared_examples_for :bad_bearer_request do
     it 'should be bad_request' do
-      status, header, response = request
+      status, headers, response = request
       status.should == 400
       access_token.should be_nil
     end
   end
   shared_examples_for :skipped_authentication_request do
     it 'should skip OAuth 2.0 authentication' do
-      status, header, response = request
+      status, headers, response = request
       status.should == 200
       access_token.should be_nil
     end
@@ -94,15 +94,15 @@ describe Rack::OAuth2::Server::Resource::Bearer do
           end
         end
         it 'should use specified realm' do
-          status, header, response = request
-          header['WWW-Authenticate'].should include "Bearer realm=\"#{realm}\""
+          status, headers, response = request
+          headers['WWW-Authenticate'].should include "Bearer realm=\"#{realm}\""
         end
       end
 
       context 'otherwize' do
         it 'should use default realm' do
-          status, header, response = request
-          header['WWW-Authenticate'].should include "Bearer realm=\"#{Rack::OAuth2::Server::Resource::Bearer::DEFAULT_REALM}\""
+          status, headers, response = request
+          headers['WWW-Authenticate'].should include "Bearer realm=\"#{Rack::OAuth2::Server::Resource::Bearer::DEFAULT_REALM}\""
         end
       end
     end

data/spec/rack/oauth2/server/resource/error_spec.rb

@@ -7,10 +7,10 @@ describe Rack::OAuth2::Server::Resource::BadRequest do
 
   describe '#finish' do
     it 'should respond in JSON' do
-      status, header, response = error.finish
+      status, headers, response = error.finish
       status.should == 400
-      header['Content-Type'].should == 'application/json'
-      response.body.should == ['{"error":"invalid_request"}']
+      headers['Content-Type'].should == 'application/json'
+      response.should == ['{"error":"invalid_request"}']
     end
   end
 end
@@ -40,20 +40,20 @@ describe Rack::OAuth2::Server::Resource::Unauthorized do
 
     describe '#finish' do
       it 'should respond in JSON' do
-        status, header, response = error_with_scheme.finish
+        status, headers, response = error_with_scheme.finish
         status.should == 401
-        header['Content-Type'].should == 'application/json'
-        header['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\", error=\"invalid_token\""
-        response.body.should == ['{"error":"invalid_token"}']
+        headers['Content-Type'].should == 'application/json'
+        headers['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\", error=\"invalid_token\""
+        response.should == ['{"error":"invalid_token"}']
       end
 
       context 'when error_code is not invalid_token' do
         let(:error) { Rack::OAuth2::Server::Resource::Unauthorized.new(:something) }
 
         it 'should have error_code in body but not in WWW-Authenticate header' do
-          status, header, response = error_with_scheme.finish
-          header['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\""
-          response.body.first.should include '"error":"something"'
+          status, headers, response = error_with_scheme.finish
+          headers['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\""
+          response.first.should include '"error":"something"'
         end
       end
 
@@ -61,9 +61,9 @@ describe Rack::OAuth2::Server::Resource::Unauthorized do
         let(:error) { Rack::OAuth2::Server::Resource::Unauthorized.new }
 
         it 'should have error_code in body but not in WWW-Authenticate header' do
-          status, header, response = error_with_scheme.finish
-          header['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\""
-          response.body.first.should == '{"error":"unauthorized"}'
+          status, headers, response = error_with_scheme.finish
+          headers['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\""
+          response.first.should == '{"error":"unauthorized"}'
         end
       end
 
@@ -72,9 +72,9 @@ describe Rack::OAuth2::Server::Resource::Unauthorized do
         let(:error) { Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(:something, nil, realm: realm) }
 
         it 'should use given realm' do
-          status, header, response = error_with_scheme.finish
-          header['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\""
-          response.body.first.should include '"error":"something"'
+          status, headers, response = error_with_scheme.finish
+          headers['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\""
+          response.first.should include '"error":"something"'
         end
       end
     end
@@ -88,10 +88,10 @@ describe Rack::OAuth2::Server::Resource::Forbidden do
 
   describe '#finish' do
     it 'should respond in JSON' do
-      status, header, response = error.finish
+      status, headers, response = error.finish
       status.should == 403
-      header['Content-Type'].should == 'application/json'
-      response.body.should == ['{"error":"insufficient_scope"}']
+      headers['Content-Type'].should == 'application/json'
+      response.should == ['{"error":"insufficient_scope"}']
     end
   end
 
@@ -99,8 +99,8 @@ describe Rack::OAuth2::Server::Resource::Forbidden do
     let(:error) { Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(:insufficient_scope, 'Desc', scope: [:scope1, :scope2]) }
 
     it 'should have blank WWW-Authenticate header' do
-      status, header, response = error.finish
-      response.body.first.should include '"scope":"scope1 scope2"'
+      status, headers, response = error.finish
+      response.first.should include '"scope":"scope1 scope2"'
     end
   end
 end

data/spec/rack/oauth2/server/resource/mac/error_spec.rb

@@ -12,8 +12,8 @@ describe Rack::OAuth2::Server::Resource::MAC::Unauthorized do
 
   describe '#finish' do
     it 'should use MAC scheme' do
-      status, header, response = error.finish
-      header['WWW-Authenticate'].should =~ /^MAC /
+      status, headers, response = error.finish
+      headers['WWW-Authenticate'].should =~ /^MAC /
     end
   end
 end

data/spec/rack/oauth2/server/resource/mac_spec.rb

@@ -29,29 +29,29 @@ describe Rack::OAuth2::Server::Resource::MAC do
 
   shared_examples_for :non_mac_request do
     it 'should skip OAuth 2.0 authentication' do
-      status, header, response = request
+      status, headers, response = request
       status.should == 200
       access_token.should be_nil
     end
   end
   shared_examples_for :authenticated_mac_request do
     it 'should be authenticated' do
-      status, header, response = request
+      status, headers, response = request
       status.should == 200
       access_token.should == mac_token
     end
   end
   shared_examples_for :unauthorized_mac_request do
     it 'should be unauthorized' do
-      status, header, response = request
+      status, headers, response = request
       status.should == 401
-      header['WWW-Authenticate'].should include 'MAC'
+      headers['WWW-Authenticate'].should include 'MAC'
       access_token.should be_nil
     end
   end
   shared_examples_for :bad_mac_request do
     it 'should be unauthorized' do
-      status, header, response = request
+      status, headers, response = request
       status.should == 400
       access_token.should be_nil
     end
@@ -60,7 +60,7 @@ describe Rack::OAuth2::Server::Resource::MAC do
   context 'when no access token is given' do
     let(:env) { Rack::MockRequest.env_for('/protected_resource') }
     it 'should skip OAuth 2.0 authentication' do
-      status, header, response = request
+      status, headers, response = request
       status.should == 200
       access_token.should be_nil
     end
@@ -103,15 +103,15 @@ describe Rack::OAuth2::Server::Resource::MAC do
           end
         end
         it 'should use specified realm' do
-          status, header, response = request
-          header['WWW-Authenticate'].should include "MAC realm=\"#{realm}\""
+          status, headers, response = request
+          headers['WWW-Authenticate'].should include "MAC realm=\"#{realm}\""
         end
       end
 
       context 'otherwize' do
         it 'should use default realm' do
-          status, header, response = request
-          header['WWW-Authenticate'].should include "MAC realm=\"#{Rack::OAuth2::Server::Resource::DEFAULT_REALM}\""
+          status, headers, response = request
+          headers['WWW-Authenticate'].should include "MAC realm=\"#{Rack::OAuth2::Server::Resource::DEFAULT_REALM}\""
         end
       end
     end

data/spec/rack/oauth2/server/token/authorization_code_spec.rb

@@ -24,8 +24,8 @@ describe Rack::OAuth2::Server::Token::AuthorizationCode do
   its(:body)         { should include '"token_type":"bearer"' }
 
   it 'should prevent to be cached' do
-    response.header['Cache-Control'].should == 'no-store'
-    response.header['Pragma'].should == 'no-cache'
+    response.headers['Cache-Control'].should == 'no-store'
+    response.headers['Pragma'].should == 'no-cache'
   end
 
   [:code].each do |required|

data/spec/rack/oauth2/server/token/client_credentials_spec.rb

@@ -4,14 +4,19 @@ describe Rack::OAuth2::Server::Token::ClientCredentials do
   let(:request) { Rack::MockRequest.new app }
   let(:app) do
     Rack::OAuth2::Server::Token.new do |request, response|
+      unless request.client_id == client_id && request.client_secret == client_secret
+        request.invalid_client!
+      end
       response.access_token = Rack::OAuth2::AccessToken::Bearer.new(access_token: 'access_token')
     end
   end
+  let(:client_id) { 'client_id '}
+  let(:client_secret) { 'client_secret' }
   let(:params) do
     {
       grant_type: 'client_credentials',
-      client_id: 'client_id',
-      client_secret: 'client_secret'
+      client_id: client_id,
+      client_secret: client_secret
     }
   end
   subject { request.post('/', params: params) }
@@ -20,4 +25,29 @@ describe Rack::OAuth2::Server::Token::ClientCredentials do
   its(:content_type) { should == 'application/json' }
   its(:body)         { should include '"access_token":"access_token"' }
   its(:body)         { should include '"token_type":"bearer"' }
+
+  context 'basic auth' do
+    let(:params) do
+      { grant_type: 'client_credentials' }
+    end
+    let(:encoded_creds) do
+      Base64.strict_encode64([
+        Rack::OAuth2::Util.www_form_url_encode(client_id),
+        Rack::OAuth2::Util.www_form_url_encode(client_secret)
+      ].join(':'))
+    end
+    subject do
+      request.post('/',
+        {params: params, 'HTTP_AUTHORIZATION' => "Basic #{encoded_creds}"})
+    end
+
+    its(:status)       { should == 200 }
+
+    context 'compliance with RFC6749 sec 2.3.1' do
+      let(:client_id) { 'client: yes/please!' }
+      let(:client_secret) { 'terrible:secret:of:space' }
+
+      its(:status)       { should == 200 }
+    end
+  end
 end

data/spec/rack/oauth2/server/token/error_spec.rb

@@ -7,10 +7,10 @@ describe Rack::OAuth2::Server::Token::BadRequest do
 
   describe '#finish' do
     it 'should respond in JSON' do
-      status, header, response = error.finish
+      status, headers, response = error.finish
       status.should == 400
-      header['Content-Type'].should == 'application/json'
-      response.body.should == ['{"error":"invalid_request"}']
+      headers['Content-Type'].should == 'application/json'
+      response.should == ['{"error":"invalid_request"}']
     end
   end
 end
@@ -22,11 +22,11 @@ describe Rack::OAuth2::Server::Token::Unauthorized do
 
   describe '#finish' do
     it 'should respond in JSON' do
-      status, header, response = error.finish
+      status, headers, response = error.finish
       status.should == 401
-      header['Content-Type'].should == 'application/json'
-      header['WWW-Authenticate'].should == 'Basic realm="OAuth2 Token Endpoint"'
-      response.body.should == ['{"error":"invalid_request"}']
+      headers['Content-Type'].should == 'application/json'
+      headers['WWW-Authenticate'].should == 'Basic realm="OAuth2 Token Endpoint"'
+      response.should == ['{"error":"invalid_request"}']
     end
   end
 end
@@ -74,4 +74,4 @@ describe Rack::OAuth2::Server::Token::ErrorMethods do
       end
     end
   end
-end
+end

data/spec/rack/oauth2/server/token_spec.rb

@@ -28,9 +28,9 @@ describe Rack::OAuth2::Server::Token do
         )
       end
       it 'should fail with unsupported_grant_type' do
-        status, header, response = app.call(env)
+        status, headers, response = app.call(env)
         status.should == 400
-        response.body.first.should include '"error":"invalid_request"'
+        response.first.should include '"error":"invalid_request"'
       end
     end
 
@@ -43,7 +43,7 @@ describe Rack::OAuth2::Server::Token do
         )
       end
       it 'should ignore duplicates' do
-        status, header, response = app.call(env)
+        status, headers, response = app.call(env)
         status.should == 200
       end
     end
@@ -71,6 +71,60 @@ describe Rack::OAuth2::Server::Token do
     end
   end
 
+  context 'when client_id is given via JWT client assertion' do
+    before do
+      require 'json/jwt'
+      params[:client_assertion] = JSON::JWT.new(
+        sub: params[:client_id]
+        # NOTE: actual client_assertion should have more claims.
+      ).sign('client_secret').to_s
+      params[:client_assertion_type] = Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER
+      params.delete(:client_id)
+    end
+
+    context 'when client_assertion is invalid JWT' do
+      before do
+        params[:client_assertion] = 'invalid-jwt'
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'when client_assertion_type is missing' do
+      before do
+        params.delete(:client_assertion_type)
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'when client_assertion_type is unknown' do
+      before do
+        params[:client_assertion_type] = 'unknown'
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'when client_assertion issuer is different from client_id' do
+      before do
+        params[:client_id] = 'another_client_id'
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'otherwise' do
+      its(:status)       { should == 200 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"access_token":"access_token"' }
+    end
+  end
+
   Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
     status = if error == :invalid_client
       401
@@ -87,7 +141,22 @@ describe Rack::OAuth2::Server::Token do
       its(:content_type) { should == 'application/json' }
       its(:body)         { should include "\"error\":\"#{error}\"" }
       its(:body)         { should include "\"error_description\":\"#{default_message}\"" }
+      if error == :invalid_client
+        its(:headers)    { should include 'WWW-Authenticate' }
+      end
+    end
+  end
+
+  context 'when skip_www_authenticate option is specified on invalid_client' do
+    let(:app) do
+      Rack::OAuth2::Server::Token.new do |request, response|
+        request.invalid_client!(
+          Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION[:invalid_client],
+          skip_www_authenticate: true
+        )
+      end
     end
+    its(:headers) { should_not include 'WWW-Authenticate' }
   end
 
   context 'when responding' do

data/spec/rack/oauth2/util_spec.rb

@@ -9,9 +9,14 @@ describe Rack::OAuth2::Util do
     'http://client.example.com/callback'
   end
 
-  describe '.rfc3986_encode' do
-    subject { util.rfc3986_encode '=+ .-/' }
-    it { should == '%3D%2B%20.-%2F' }
+  describe '.www_form_url_encode' do
+    subject { util.www_form_url_encode '=+ .-/' }
+    it { should == '%3D%2B+.-%2F' }
+  end
+
+  describe '.www_form_urldecode' do
+    subject { util.www_form_url_decode '%3D%2B+.-%2F' }
+    it { should == '=+ .-/' }
   end
 
   describe '.base64_encode' do

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: rack-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.12.0
+  version: 1.21.3
 platform: ruby
 authors:
 - nov matake
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-03-25 00:00:00.000000000 Z
+date: 2022-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "<"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: 2.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "<"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: 2.1.0
 - !ruby/object:Gem::Dependency
   name: httpclient
   requirement: !ruby/object:Gem::Requirement
@@ -150,6 +150,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: OAuth 2.0 Server & Client Library. Both Bearer and MAC token type are
   supported.
 email: nov@matake.jp
@@ -160,6 +174,8 @@ extra_rdoc_files:
 - README.rdoc
 files:
 - ".document"
+- ".github/FUNDING.yml"
+- ".github/workflows/spec.yml"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
@@ -281,11 +297,11 @@ files:
 - spec/rack/oauth2/server/token_spec.rb
 - spec/rack/oauth2/util_spec.rb
 - spec/spec_helper.rb
-homepage: http://github.com/nov/rack-oauth2
+homepage: https://github.com/nov/rack-oauth2
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -301,8 +317,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported
 test_files: