rack-oauth2 1.14.0 → 1.18.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +2 -1
- data/VERSION +1 -1
- data/lib/rack/oauth2/client.rb +9 -4
- data/lib/rack/oauth2/server/abstract/error.rb +1 -0
- data/lib/rack/oauth2/server/token.rb +13 -2
- data/lib/rack/oauth2/server/token/error.rb +3 -1
- data/lib/rack/oauth2/util.rb +4 -4
- data/spec/rack/oauth2/client_spec.rb +18 -0
- data/spec/rack/oauth2/server/token/client_credentials_spec.rb +32 -2
- data/spec/rack/oauth2/server/token_spec.rb +69 -0
- data/spec/rack/oauth2/util_spec.rb +6 -6
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e69450cef535f14c809f9f193acf6e477fea7ef78613def7c154decb7affc87b
|
4
|
+
data.tar.gz: 964dc3c51ae1e5b526b28c6e203466f0ad7cf35da3c0b9787b210081d4a19b6c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4f32e64b3729f04fa914e28056ef650ceff9eb12db1888d6c955061aa5f1df86be245336609f0956b7e54d08822da883acfb6b47a2816f5aee61b252f258536d
|
7
|
+
data.tar.gz: 711dfbc5208521af851f7d01a5b52086989576afedcdd474dd393c5b2c2073767e74e6adddca45a7bd7e9f500cc57cda71c0ef3608555efdf67bd853ae7e9e69
|
data/.travis.yml
CHANGED
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.
|
1
|
+
1.18.0
|
data/lib/rack/oauth2/client.rb
CHANGED
@@ -16,12 +16,12 @@ module Rack
|
|
16
16
|
end
|
17
17
|
|
18
18
|
def authorization_uri(params = {})
|
19
|
+
params[:redirect_uri] ||= self.redirect_uri
|
19
20
|
params[:response_type] ||= :code
|
20
21
|
params[:response_type] = Array(params[:response_type]).join(' ')
|
21
22
|
params[:scope] = Array(params[:scope]).join(' ')
|
22
23
|
Util.redirect_uri absolute_uri_for(authorization_endpoint), :query, params.merge(
|
23
|
-
client_id: self.identifier
|
24
|
-
redirect_uri: self.redirect_uri
|
24
|
+
client_id: self.identifier
|
25
25
|
)
|
26
26
|
end
|
27
27
|
|
@@ -84,12 +84,17 @@ module Rack
|
|
84
84
|
case client_auth_method
|
85
85
|
when :basic
|
86
86
|
cred = Base64.strict_encode64 [
|
87
|
-
Util.
|
88
|
-
Util.
|
87
|
+
Util.www_form_url_encode(identifier),
|
88
|
+
Util.www_form_url_encode(secret)
|
89
89
|
].join(':')
|
90
90
|
headers.merge!(
|
91
91
|
'Authorization' => "Basic #{cred}"
|
92
92
|
)
|
93
|
+
when :basic_without_www_form_urlencode
|
94
|
+
cred = ["#{identifier}:#{secret}"].pack('m').tr("\n", '')
|
95
|
+
headers.merge!(
|
96
|
+
'Authorization' => "Basic #{cred}"
|
97
|
+
)
|
93
98
|
when :jwt_bearer
|
94
99
|
params.merge!(
|
95
100
|
client_assertion_type: URN::ClientAssertionType::JWT_BEARER
|
@@ -44,16 +44,27 @@ module Rack
|
|
44
44
|
|
45
45
|
class Request < Abstract::Request
|
46
46
|
attr_required :grant_type
|
47
|
-
attr_optional :client_secret
|
47
|
+
attr_optional :client_secret, :client_assertion, :client_assertion_type
|
48
48
|
|
49
49
|
def initialize(env)
|
50
50
|
auth = Rack::Auth::Basic::Request.new(env)
|
51
51
|
if auth.provided? && auth.basic?
|
52
|
-
@client_id, @client_secret = auth.credentials
|
52
|
+
@client_id, @client_secret = auth.credentials.map do |cred|
|
53
|
+
Util.www_form_url_decode cred
|
54
|
+
end
|
53
55
|
super
|
54
56
|
else
|
55
57
|
super
|
56
58
|
@client_secret = params['client_secret']
|
59
|
+
@client_assertion = params['client_assertion']
|
60
|
+
@client_assertion_type = params['client_assertion_type']
|
61
|
+
if client_assertion.present? && client_assertion_type == URN::ClientAssertionType::JWT_BEARER
|
62
|
+
require 'json/jwt'
|
63
|
+
@client_id = JSON::JWT.decode(
|
64
|
+
client_assertion,
|
65
|
+
:skip_verification
|
66
|
+
)[:sub] rescue nil
|
67
|
+
end
|
57
68
|
end
|
58
69
|
@grant_type = params['grant_type'].to_s
|
59
70
|
end
|
@@ -8,7 +8,9 @@ module Rack
|
|
8
8
|
class Unauthorized < Abstract::Unauthorized
|
9
9
|
def finish
|
10
10
|
super do |response|
|
11
|
-
|
11
|
+
unless @skip_www_authenticate
|
12
|
+
response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
|
13
|
+
end
|
12
14
|
end
|
13
15
|
end
|
14
16
|
end
|
data/lib/rack/oauth2/util.rb
CHANGED
@@ -4,12 +4,12 @@ module Rack
|
|
4
4
|
module OAuth2
|
5
5
|
module Util
|
6
6
|
class << self
|
7
|
-
def
|
8
|
-
URI.
|
7
|
+
def www_form_url_encode(text)
|
8
|
+
URI.encode_www_form_component(text)
|
9
9
|
end
|
10
10
|
|
11
|
-
def
|
12
|
-
URI.
|
11
|
+
def www_form_url_decode(text)
|
12
|
+
URI.decode_www_form_component(text)
|
13
13
|
end
|
14
14
|
|
15
15
|
def base64_encode(text)
|
@@ -117,6 +117,24 @@ describe Rack::OAuth2::Client do
|
|
117
117
|
end
|
118
118
|
end
|
119
119
|
|
120
|
+
context 'when basic_without_www_form_urlencode method is used' do
|
121
|
+
context 'when client_id is a url' do
|
122
|
+
let(:client_id) { 'https://client.example.com'}
|
123
|
+
|
124
|
+
it 'should be encoded in "application/x-www-form-urlencoded"' do
|
125
|
+
mock_response(
|
126
|
+
:post,
|
127
|
+
'https://server.example.com/oauth2/token',
|
128
|
+
'tokens/bearer.json',
|
129
|
+
request_header: {
|
130
|
+
'Authorization' => 'Basic aHR0cHM6Ly9jbGllbnQuZXhhbXBsZS5jb206Y2xpZW50X3NlY3JldA=='
|
131
|
+
}
|
132
|
+
)
|
133
|
+
client.access_token! :basic_without_www_form_urlencode
|
134
|
+
end
|
135
|
+
end
|
136
|
+
end
|
137
|
+
|
120
138
|
context 'when jwt_bearer auth method specified' do
|
121
139
|
context 'when client_secret is given' do
|
122
140
|
it 'should be JWT bearer client assertion w/ auto-generated HS256-signed JWT assertion' do
|
@@ -4,14 +4,19 @@ describe Rack::OAuth2::Server::Token::ClientCredentials do
|
|
4
4
|
let(:request) { Rack::MockRequest.new app }
|
5
5
|
let(:app) do
|
6
6
|
Rack::OAuth2::Server::Token.new do |request, response|
|
7
|
+
unless request.client_id == client_id && request.client_secret == client_secret
|
8
|
+
request.invalid_client!
|
9
|
+
end
|
7
10
|
response.access_token = Rack::OAuth2::AccessToken::Bearer.new(access_token: 'access_token')
|
8
11
|
end
|
9
12
|
end
|
13
|
+
let(:client_id) { 'client_id '}
|
14
|
+
let(:client_secret) { 'client_secret' }
|
10
15
|
let(:params) do
|
11
16
|
{
|
12
17
|
grant_type: 'client_credentials',
|
13
|
-
client_id:
|
14
|
-
client_secret:
|
18
|
+
client_id: client_id,
|
19
|
+
client_secret: client_secret
|
15
20
|
}
|
16
21
|
end
|
17
22
|
subject { request.post('/', params: params) }
|
@@ -20,4 +25,29 @@ describe Rack::OAuth2::Server::Token::ClientCredentials do
|
|
20
25
|
its(:content_type) { should == 'application/json' }
|
21
26
|
its(:body) { should include '"access_token":"access_token"' }
|
22
27
|
its(:body) { should include '"token_type":"bearer"' }
|
28
|
+
|
29
|
+
context 'basic auth' do
|
30
|
+
let(:params) do
|
31
|
+
{ grant_type: 'client_credentials' }
|
32
|
+
end
|
33
|
+
let(:encoded_creds) do
|
34
|
+
Base64.strict_encode64([
|
35
|
+
Rack::OAuth2::Util.www_form_url_encode(client_id),
|
36
|
+
Rack::OAuth2::Util.www_form_url_encode(client_secret)
|
37
|
+
].join(':'))
|
38
|
+
end
|
39
|
+
subject do
|
40
|
+
request.post('/',
|
41
|
+
{params: params, 'HTTP_AUTHORIZATION' => "Basic #{encoded_creds}"})
|
42
|
+
end
|
43
|
+
|
44
|
+
its(:status) { should == 200 }
|
45
|
+
|
46
|
+
context 'compliance with RFC6749 sec 2.3.1' do
|
47
|
+
let(:client_id) { 'client: yes/please!' }
|
48
|
+
let(:client_secret) { 'terrible:secret:of:space' }
|
49
|
+
|
50
|
+
its(:status) { should == 200 }
|
51
|
+
end
|
52
|
+
end
|
23
53
|
end
|
@@ -71,6 +71,60 @@ describe Rack::OAuth2::Server::Token do
|
|
71
71
|
end
|
72
72
|
end
|
73
73
|
|
74
|
+
context 'when client_id is given via JWT client assertion' do
|
75
|
+
before do
|
76
|
+
require 'json/jwt'
|
77
|
+
params[:client_assertion] = JSON::JWT.new(
|
78
|
+
sub: params[:client_id]
|
79
|
+
# NOTE: actual client_assertion should have more claims.
|
80
|
+
).sign('client_secret').to_s
|
81
|
+
params[:client_assertion_type] = Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER
|
82
|
+
params.delete(:client_id)
|
83
|
+
end
|
84
|
+
|
85
|
+
context 'when client_assertion is invalid JWT' do
|
86
|
+
before do
|
87
|
+
params[:client_assertion] = 'invalid-jwt'
|
88
|
+
end
|
89
|
+
its(:status) { should == 400 }
|
90
|
+
its(:content_type) { should == 'application/json' }
|
91
|
+
its(:body) { should include '"error":"invalid_request"' }
|
92
|
+
end
|
93
|
+
|
94
|
+
context 'when client_assertion_type is missing' do
|
95
|
+
before do
|
96
|
+
params.delete(:client_assertion_type)
|
97
|
+
end
|
98
|
+
its(:status) { should == 400 }
|
99
|
+
its(:content_type) { should == 'application/json' }
|
100
|
+
its(:body) { should include '"error":"invalid_request"' }
|
101
|
+
end
|
102
|
+
|
103
|
+
context 'when client_assertion_type is unknown' do
|
104
|
+
before do
|
105
|
+
params[:client_assertion_type] = 'unknown'
|
106
|
+
end
|
107
|
+
its(:status) { should == 400 }
|
108
|
+
its(:content_type) { should == 'application/json' }
|
109
|
+
its(:body) { should include '"error":"invalid_request"' }
|
110
|
+
end
|
111
|
+
|
112
|
+
context 'when client_assertion issuer is different from client_id' do
|
113
|
+
before do
|
114
|
+
params[:client_id] = 'another_client_id'
|
115
|
+
end
|
116
|
+
its(:status) { should == 400 }
|
117
|
+
its(:content_type) { should == 'application/json' }
|
118
|
+
its(:body) { should include '"error":"invalid_request"' }
|
119
|
+
end
|
120
|
+
|
121
|
+
context 'otherwise' do
|
122
|
+
its(:status) { should == 200 }
|
123
|
+
its(:content_type) { should == 'application/json' }
|
124
|
+
its(:body) { should include '"access_token":"access_token"' }
|
125
|
+
end
|
126
|
+
end
|
127
|
+
|
74
128
|
Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
|
75
129
|
status = if error == :invalid_client
|
76
130
|
401
|
@@ -87,7 +141,22 @@ describe Rack::OAuth2::Server::Token do
|
|
87
141
|
its(:content_type) { should == 'application/json' }
|
88
142
|
its(:body) { should include "\"error\":\"#{error}\"" }
|
89
143
|
its(:body) { should include "\"error_description\":\"#{default_message}\"" }
|
144
|
+
if error == :invalid_client
|
145
|
+
its(:headers) { should include 'WWW-Authenticate' }
|
146
|
+
end
|
147
|
+
end
|
148
|
+
end
|
149
|
+
|
150
|
+
context 'when skip_www_authenticate option is specified on invalid_client' do
|
151
|
+
let(:app) do
|
152
|
+
Rack::OAuth2::Server::Token.new do |request, response|
|
153
|
+
request.invalid_client!(
|
154
|
+
Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION[:invalid_client],
|
155
|
+
skip_www_authenticate: true
|
156
|
+
)
|
157
|
+
end
|
90
158
|
end
|
159
|
+
its(:headers) { should_not include 'WWW-Authenticate' }
|
91
160
|
end
|
92
161
|
|
93
162
|
context 'when responding' do
|
@@ -9,14 +9,14 @@ describe Rack::OAuth2::Util do
|
|
9
9
|
'http://client.example.com/callback'
|
10
10
|
end
|
11
11
|
|
12
|
-
describe '.
|
13
|
-
subject { util.
|
14
|
-
it { should == '%3D%2B
|
12
|
+
describe '.www_form_url_encode' do
|
13
|
+
subject { util.www_form_url_encode '=+ .-/' }
|
14
|
+
it { should == '%3D%2B+.-%2F' }
|
15
15
|
end
|
16
16
|
|
17
|
-
describe '.
|
18
|
-
subject { util.
|
19
|
-
it { should == '
|
17
|
+
describe '.www_form_urldecode' do
|
18
|
+
subject { util.www_form_url_decode '%3D%2B+.-%2F' }
|
19
|
+
it { should == '=+ .-/' }
|
20
20
|
end
|
21
21
|
|
22
22
|
describe '.base64_encode' do
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-oauth2
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.18.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- nov matake
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-08-06 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
@@ -301,7 +301,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
301
301
|
- !ruby/object:Gem::Version
|
302
302
|
version: '0'
|
303
303
|
requirements: []
|
304
|
-
rubygems_version: 3.
|
304
|
+
rubygems_version: 3.1.4
|
305
305
|
signing_key:
|
306
306
|
specification_version: 4
|
307
307
|
summary: OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported
|