rack-oauth2 1.12.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c09e887a3c902ebbbfd1b2a1698d8a4d68d28e18e75616c629dd75e981e2a9d2
-  data.tar.gz: c0142a2c05df047f0d8f1e9ac11f428983d27a8945d5ae5be213be41b5615e20
+  metadata.gz: 45ba67ac4566f374465673cc5711e71c15006bbe966531a4c1de2473206879b2
+  data.tar.gz: 56f8718f283533c369b1743dfd86499e49e5d828a83ac060fa919fac57a935d2
 SHA512:
-  metadata.gz: ab1002bdd363b2edab71e8eeebd9872bca8ea2be6ad2a99875543974a2b85340ddcb42fc4ddf22f779b18429dc48a9d36fd91e9059391b76b537c04293ac2056
-  data.tar.gz: bdffd308340040287a3a8777cdaaaa9de58873d4d27e080dc719b4715ca53fd413bc726f19382b63cd086ad3dd47ac139a665f0acfcd25d2bb2a5e266d8dafce
+  metadata.gz: 63316467536c2c98cddea9b2b7907b3ff5fd6b53b892bd338709e1f7a6b014aa4dc20d71b12cd01ffac502c1ab0964218aac7ff6a0e81141ff8aa10e80557cdd
+  data.tar.gz: 97e685531853c4837a0e86636c865827033e25f646c4572d254e2584a811f937faa6dc7fe780742814bd9657066c9fc16394723ba87029605761d5acf2d490f7

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: nov

data/.github/workflows/spec.yml

@@ -0,0 +1,32 @@
+name: Spec
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  spec:
+    strategy:
+      matrix:
+        os: ['ubuntu-20.04']
+        ruby-version: ['2.6', '2.7', '3.0', '3.1']
+        # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+        include:
+        - os: 'ubuntu-22.04'
+          ruby-version: '3.1'
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run Specs
+      run: bundle exec rake spec

data/CHANGELOG.md

@@ -0,0 +1,25 @@
+## [Unreleased]
+
+## [2.1.0] - 2022-10-10
+
+### Added
+
+- accept local_http_config on Rack::OAuth2::Client#access_token! & revoke!  to support custom headers etc. by @nov in https://github.com/nov/rack-oauth2/pull/93
+
+## [2.0.1] - 2022-10-09
+
+### Fixed
+
+- changes for mTLS on faraday by @nov in https://github.com/nov/rack-oauth2/pull/92
+
+## [2.0.0] - 2022-10-09
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+- Switch from httpclient to faraday v2 https://github.com/nov/rack-oauth2/pull/91
+- make url-encoded the default https://github.com/nov/rack-oauth2/commit/98faf139be4f5bf9ec6134d31f65a298259d8a8b
+- let faraday encode params https://github.com/nov/rack-oauth2/commit/f399b3afb8facb3635b8842baee8584bc4d3ce73

data/README.rdoc

@@ -1,9 +1,7 @@
 = rack-oauth2
 
 OAuth 2.0 Server & Client Library.
-Both Bearer and MAC token type are supported.
-
-{<img src="https://secure.travis-ci.org/nov/rack-oauth2.png" />}[http://travis-ci.org/nov/rack-oauth2]
+Both Bearer token type are supported.
 
 The OAuth 2.0 Authorization Framework (RFC 6749)
 http://www.rfc-editor.org/rfc/rfc6749.txt
@@ -11,9 +9,6 @@ http://www.rfc-editor.org/rfc/rfc6749.txt
 The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)
 http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-06
 
-HTTP Authentication: MAC Access Authentication (draft 01)
-http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
-
 == Installation
 
   gem install rack-oauth2
@@ -28,40 +23,20 @@ http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
 
 === Bearer
 
-Running on Heroku
-https://rack-oauth2-sample.heroku.com
-
 Source on GitHub
 https://github.com/nov/rack-oauth2-sample
 
-=== MAC
-
-Running on Heroku
-https://rack-oauth2-sample-mac.heroku.com
-
-Source on GitHub
-https://github.com/nov/rack-oauth2-sample-mac
-
 == Sample Client
 
-=== Common between Bearer and MAC
-
 Authorization Request (request_type: 'code' and 'token')
 https://gist.github.com/862393
 
 Token Request (grant_type: 'client_credentials', 'password', 'authorization_code' and 'refresh_token')
 https://gist.github.com/883541
 
-=== Bearer
-
 Resource Request (request both for resource owner resource and for client resource)
 https://gist.github.com/883575
 
-=== MAC
-
-Resource Request (request both for resource owner resource and for client resource)
-https://gist.github.com/933885
-
 == Note on Patches/Pull Requests
 
 * Fork the project.

data/VERSION

@@ -1 +1 @@
-1.12.0
+2.2.0

data/lib/rack/oauth2/access_token/authenticator.rb

@@ -6,18 +6,9 @@ module Rack
           @token = token
         end
 
-        # Callback called in HTTPClient (before sending a request)
-        # request:: HTTP::Message
-        def filter_request(request)
+        def authenticate(request)
           @token.authenticate(request)
         end
-
-        # Callback called in HTTPClient (after received a response)
-        # response:: HTTP::Message
-        # request::  HTTP::Message
-        def filter_response(response, request)
-          # nothing to do
-        end
       end
     end
   end

data/lib/rack/oauth2/access_token/bearer.rb

@@ -3,7 +3,7 @@ module Rack
     class AccessToken
       class Bearer < AccessToken
         def authenticate(request)
-          request.header["Authorization"] = "Bearer #{access_token}"
+          request.headers["Authorization"] = "Bearer #{access_token}"
         end
 
         def to_mtls(attributes = {})

data/lib/rack/oauth2/access_token/mtls.rb

@@ -7,8 +7,8 @@ module Rack
         def initialize(attributes = {})
           super
           self.token_type = :bearer
-          httpclient.ssl_config.client_key = private_key
-          httpclient.ssl_config.client_cert = certificate
+          http_client.ssl.client_key = private_key
+          http_client.ssl.client_cert = certificate
         end
       end
     end

data/lib/rack/oauth2/access_token.rb

@@ -5,7 +5,7 @@ module Rack
       attr_required :access_token, :token_type
       attr_optional :refresh_token, :expires_in, :scope
       attr_accessor :raw_attributes
-      delegate :get, :patch, :post, :put, :delete, to: :httpclient
+      delegate :get, :patch, :post, :put, :delete, to: :http_client
 
       alias_method :to_s, :access_token
 
@@ -18,9 +18,9 @@ module Rack
         attr_missing!
       end
 
-      def httpclient
-        @httpclient ||= Rack::OAuth2.http_client("#{self.class} (#{VERSION})") do |config|
-          config.request_filter << Authenticator.new(self)
+      def http_client
+        @http_client ||= Rack::OAuth2.http_client("#{self.class} (#{VERSION})") do |faraday|
+          Authenticator.new(self).authenticate(faraday)
         end
       end
 
@@ -39,6 +39,4 @@ end
 
 require 'rack/oauth2/access_token/authenticator'
 require 'rack/oauth2/access_token/bearer'
-require 'rack/oauth2/access_token/mac'
-require 'rack/oauth2/access_token/legacy'
 require 'rack/oauth2/access_token/mtls'

data/lib/rack/oauth2/client.rb

@@ -3,7 +3,7 @@ module Rack
     class Client
       include AttrRequired, AttrOptional
       attr_required :identifier
-      attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint
+      attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint, :revocation_endpoint
 
       def initialize(attributes = {})
         (required_attributes + optional_attributes).each do |key|
@@ -16,12 +16,12 @@ module Rack
       end
 
       def authorization_uri(params = {})
+        params[:redirect_uri] ||= self.redirect_uri
         params[:response_type] ||= :code
         params[:response_type] = Array(params[:response_type]).join(' ')
         params[:scope] = Array(params[:scope]).join(' ')
         Util.redirect_uri absolute_uri_for(authorization_endpoint), :query, params.merge(
-          client_id: self.identifier,
-          redirect_uri: self.redirect_uri
+          client_id: self.identifier
         )
       end
 
@@ -69,20 +69,87 @@ module Rack
       end
 
       def access_token!(*args)
-        headers, params = {}, @grant.as_json
+        headers, params, http_client, options = authenticated_context_from(*args)
+        params[:scope] = Array(options.delete(:scope)).join(' ') if options[:scope].present?
+        params.merge! @grant.as_json
+        params.merge! options
+        handle_response do
+          http_client.post(
+            absolute_uri_for(token_endpoint),
+            Util.compact_hash(params),
+            headers
+          ) do |req|
+            yield req if block_given?
+          end
+        end
+      end
+
+      def revoke!(*args)
+        headers, params, http_client, options = authenticated_context_from(*args)
+
+        params.merge! case
+        when access_token = options.delete(:access_token)
+          {
+            token: access_token,
+            token_type_hint: :access_token
+          }
+        when refresh_token = options.delete(:refresh_token)
+          {
+            token: refresh_token,
+            token_type_hint: :refresh_token
+          }
+        when @grant.is_a?(Grant::RefreshToken)
+          {
+            token: @grant.refresh_token,
+            token_type_hint: :refresh_token
+          }
+        when options[:token].blank?
+          raise ArgumentError, 'One of "token", "access_token" and "refresh_token" is required'
+        end
+        params.merge! options
+
+        handle_revocation_response do
+          http_client.post(
+            absolute_uri_for(revocation_endpoint),
+            Util.compact_hash(params),
+            headers
+          ) do |req|
+            yield req if block_given?
+          end
+        end
+      end
+
+      private
+
+      def absolute_uri_for(endpoint)
+        _endpoint_ = Util.parse_uri endpoint
+        _endpoint_.scheme ||= self.scheme || 'https'
+        _endpoint_.host ||= self.host
+        _endpoint_.port ||= self.port
+        raise 'No Host Info' unless _endpoint_.host
+        _endpoint_.to_s
+      end
+
+      def authenticated_context_from(*args)
+        headers, params = {}, {}
         http_client = Rack::OAuth2.http_client
 
         # NOTE:
-        #  Using Array#estract_options! for backward compatibility.
+        #  Using Array#extract_options! for backward compatibility.
         #  Until v1.0.5, the first argument was 'client_auth_method' in scalar.
         options = args.extract_options!
-        client_auth_method = args.first || options.delete(:client_auth_method) || :basic
-
-        params[:scope] = Array(options.delete(:scope)).join(' ') if options[:scope].present?
-        params.merge! options
+        client_auth_method = args.first || options.delete(:client_auth_method)&.to_sym || :basic
 
         case client_auth_method
         when :basic
+          cred = Base64.strict_encode64 [
+            Util.www_form_url_encode(identifier),
+            Util.www_form_url_encode(secret)
+          ].join(':')
+          headers.merge!(
+            'Authorization' => "Basic #{cred}"
+          )
+        when :basic_without_www_form_urlencode
           cred = ["#{identifier}:#{secret}"].pack('m').tr("\n", '')
           headers.merge!(
             'Authorization' => "Basic #{cred}"
@@ -92,9 +159,11 @@ module Rack
             client_assertion_type: URN::ClientAssertionType::JWT_BEARER
           )
           # NOTE: optionally auto-generate client_assertion.
-          if params[:client_assertion].blank?
+          params[:client_assertion] = if options[:client_assertion].present?
+            options.delete(:client_assertion)
+          else
             require 'json/jwt'
-            params[:client_assertion] = JSON::JWT.new(
+            JSON::JWT.new(
               iss: identifier,
               sub: identifier,
               aud: absolute_uri_for(token_endpoint),
@@ -111,32 +180,16 @@ module Rack
           params.merge!(
             client_id: identifier
           )
-          http_client.ssl_config.client_key = private_key
-          http_client.ssl_config.client_cert = certificate
+          http_client.ssl.client_key = private_key
+          http_client.ssl.client_cert = certificate
         else
           params.merge!(
             client_id: identifier,
             client_secret: secret
           )
         end
-        handle_response do
-          http_client.post(
-            absolute_uri_for(token_endpoint),
-            Util.compact_hash(params),
-            headers
-          )
-        end
-      end
-
-      private
 
-      def absolute_uri_for(endpoint)
-        _endpoint_ = Util.parse_uri endpoint
-        _endpoint_.scheme ||= self.scheme || 'https'
-        _endpoint_.host ||= self.host
-        _endpoint_.port ||= self.port
-        raise 'No Host Info' unless _endpoint_.host
-        _endpoint_.to_s
+        [headers, params, http_client, options]
       end
 
       def handle_response
@@ -149,27 +202,30 @@ module Rack
         end
       end
 
+      def handle_revocation_response
+        response = yield
+        case response.status
+        when 200..201
+          :success
+        else
+          handle_error_response response
+        end
+      end
+
       def handle_success_response(response)
-        token_hash = JSON.parse(response.body).with_indifferent_access
-        case (@forced_token_type || token_hash[:token_type]).try(:downcase)
+        token_hash = response.body.with_indifferent_access
+        case (@forced_token_type || token_hash[:token_type])&.downcase
         when 'bearer'
           AccessToken::Bearer.new(token_hash)
-        when 'mac'
-          AccessToken::MAC.new(token_hash)
-        when nil
-          AccessToken::Legacy.new(token_hash)
         else
           raise 'Unknown Token Type'
         end
-      rescue JSON::ParserError
-        # NOTE: Facebook support (They don't use JSON as token response)
-        AccessToken::Legacy.new Rack::Utils.parse_nested_query(response.body).with_indifferent_access
       end
 
       def handle_error_response(response)
-        error = JSON.parse(response.body).with_indifferent_access
+        error = response.body.with_indifferent_access
         raise Error.new(response.status, error)
-      rescue JSON::ParserError
+      rescue Faraday::ParsingError, NoMethodError
         raise Error.new(response.status, error: 'Unknown', error_description: response.body)
       end
     end

data/lib/rack/oauth2/server/abstract/error.rb

@@ -27,7 +27,7 @@ module Rack
             response.status = status
             yield response if block_given?
             unless response.redirect?
-              response.header['Content-Type'] = 'application/json'
+              response.headers['Content-Type'] = 'application/json'
               response.write Util.compact_hash(protocol_params).to_json
             end
             response.finish
@@ -42,6 +42,7 @@ module Rack
 
         class Unauthorized < Error
           def initialize(error = :unauthorized, description = nil, options = {})
+            @skip_www_authenticate = options[:skip_www_authenticate]
             super 401, error, description, options
           end
         end

data/lib/rack/oauth2/server/extension/pkce.rb

@@ -27,7 +27,7 @@ module Rack
 
             def verify_code_verifier!(code_challenge, code_challenge_method = :S256)
               if code_verifier.present? || code_challenge.present?
-                case code_challenge_method.try(:to_sym)
+                case code_challenge_method&.to_sym
                 when :S256
                   code_challenge == Util.urlsafe_base64_encode(
                     OpenSSL::Digest::SHA256.digest(code_verifier.to_s)

data/lib/rack/oauth2/server/rails/response_ext.rb

@@ -5,7 +5,7 @@ module Rack
         module ResponseExt
           def redirect?
             ensure_finish do
-              @response.redirect?
+              super
             end
           end
 
@@ -17,13 +17,13 @@ module Rack
 
           def json
             ensure_finish do
-              @response.body
+              @body
             end
           end
 
-          def header
+          def headers
             ensure_finish do
-              @header
+              @headers
             end
           end
 
@@ -39,7 +39,7 @@ module Rack
           end
 
           def ensure_finish
-            @status, @header, @response = finish unless finished?
+            @status, @headers, @body = finish unless finished?
             yield
           end
         end

data/lib/rack/oauth2/server/resource/error.rb

@@ -13,11 +13,11 @@ module Rack
           def finish
             super do |response|
               self.realm ||= DEFAULT_REALM
-              header = response.header['WWW-Authenticate'] = "#{scheme} realm=\"#{realm}\""
+              headers = response.headers['WWW-Authenticate'] = "#{scheme} realm=\"#{realm}\""
               if ErrorMethods::DEFAULT_DESCRIPTION.keys.include?(error)
-                header << ", error=\"#{error}\""
-                header << ", error_description=\"#{description}\"" if description.present?
-                header << ", error_uri=\"#{uri}\""                 if uri.present?
+                headers << ", error=\"#{error}\""
+                headers << ", error_description=\"#{description}\"" if description.present?
+                headers << ", error_uri=\"#{uri}\""                 if uri.present?
               end
             end
           end

data/lib/rack/oauth2/server/resource.rb

@@ -52,4 +52,3 @@ end
 
 require 'rack/oauth2/server/resource/error'
 require 'rack/oauth2/server/resource/bearer'
-require 'rack/oauth2/server/resource/mac'

data/lib/rack/oauth2/server/token/error.rb

@@ -8,7 +8,9 @@ module Rack
         class Unauthorized < Abstract::Unauthorized
           def finish
             super do |response|
-              response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
+              unless @skip_www_authenticate
+                response.headers['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
+              end
             end
           end
         end

data/lib/rack/oauth2/server/token.rb

@@ -44,16 +44,27 @@ module Rack
 
         class Request < Abstract::Request
           attr_required :grant_type
-          attr_optional :client_secret
+          attr_optional :client_secret, :client_assertion, :client_assertion_type
 
           def initialize(env)
             auth = Rack::Auth::Basic::Request.new(env)
             if auth.provided? && auth.basic?
-              @client_id, @client_secret = auth.credentials
+              @client_id, @client_secret = auth.credentials.map do |cred|
+                Util.www_form_url_decode cred
+              end
               super
             else
               super
               @client_secret = params['client_secret']
+              @client_assertion = params['client_assertion']
+              @client_assertion_type = params['client_assertion_type']
+              if client_assertion.present? && client_assertion_type == URN::ClientAssertionType::JWT_BEARER
+                require 'json/jwt'
+                @client_id = JSON::JWT.decode(
+                  client_assertion,
+                  :skip_verification
+                )[:sub] rescue nil
+              end
             end
             @grant_type = params['grant_type'].to_s
           end
@@ -69,9 +80,9 @@ module Rack
           def finish
             attr_missing!
             write Util.compact_hash(protocol_params).to_json
-            header['Content-Type'] = 'application/json'
-            header['Cache-Control'] = 'no-store'
-            header['Pragma'] = 'no-cache'
+            headers['Content-Type'] = 'application/json'
+            headers['Cache-Control'] = 'no-store'
+            headers['Pragma'] = 'no-cache'
             super
           end
         end

data/lib/rack/oauth2/urn.rb

@@ -3,14 +3,14 @@ module Rack
     module URN
       module TokenType
         JWT           = 'urn:ietf:params:oauth:token-type:jwt'           # RFC7519
-        ACCESS_TOKEN  = 'urn:ietf:params:oauth:token-type:access-token'  # draft-ietf-oauth-token-exchange
-        REFRESH_TOKEN = 'urn:ietf:params:oauth:token-type:refresh-token' # draft-ietf-oauth-token-exchange
+        ACCESS_TOKEN  = 'urn:ietf:params:oauth:token-type:access_token'  # RFC8693
+        REFRESH_TOKEN = 'urn:ietf:params:oauth:token-type:refresh_token' # RFC8693
       end
 
       module GrantType
         JWT_BEARER     = 'urn:ietf:params:oauth:grant-type:jwt-bearer'     # RFC7523
         SAML2_BEARER   = 'urn:ietf:params:oauth:grant-type:saml2-bearer'   # RFC7522
-        TOKEN_EXCHANGE = 'urn:ietf:params:oauth:grant-type:token-exchange' # draft-ietf-oauth-token-exchange
+        TOKEN_EXCHANGE = 'urn:ietf:params:oauth:grant-type:token-exchange' # RFC8693
       end
 
       module ClientAssertionType

data/lib/rack/oauth2/util.rb

@@ -4,8 +4,12 @@ module Rack
   module OAuth2
     module Util
       class << self
-        def rfc3986_encode(text)
-          URI.encode(text, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+        def www_form_url_encode(text)
+          URI.encode_www_form_component(text)
+        end
+
+        def www_form_url_decode(text)
+          URI.decode_www_form_component(text)
         end
 
         def base64_encode(text)

data/lib/rack/oauth2.rb

@@ -1,5 +1,6 @@
 require 'rack'
-require 'httpclient'
+require 'faraday'
+require 'faraday/follow_redirects'
 require 'logger'
 require 'active_support'
 require 'active_support/core_ext'
@@ -40,13 +41,15 @@ module Rack
     self.debugging = false
 
     def self.http_client(agent_name = "Rack::OAuth2 (#{VERSION})", &local_http_config)
-      _http_client_ = HTTPClient.new(
-        agent_name: agent_name
-      )
-      http_config.try(:call, _http_client_)
-      local_http_config.try(:call, _http_client_) unless local_http_config.nil?
-      _http_client_.request_filter << Debugger::RequestFilter.new if debugging?
-      _http_client_
+      Faraday.new(headers: {user_agent: agent_name}) do |faraday|
+        faraday.request :url_encoded
+        faraday.request :json
+        faraday.response :json
+        faraday.response :logger, Rack::OAuth2.logger, {bodies: true} if debugging?
+        faraday.adapter Faraday.default_adapter
+        local_http_config&.call(faraday)
+        http_config&.call(faraday)
+      end
     end
 
     def self.http_config(&block)
@@ -56,7 +59,6 @@ module Rack
     def self.reset_http_config!
       @@http_config = nil
     end
-
   end
 end
 
@@ -65,4 +67,3 @@ require 'rack/oauth2/util'
 require 'rack/oauth2/server'
 require 'rack/oauth2/client'
 require 'rack/oauth2/access_token'
-require 'rack/oauth2/debugger'