rack-oauth2 1.14.0 → 1.18.0
- checksums.yaml +4 -4
- data/.travis.yml +2 -1
- data/VERSION +1 -1
- data/lib/rack/oauth2/client.rb +9 -4
- data/lib/rack/oauth2/server/abstract/error.rb +1 -0
- data/lib/rack/oauth2/server/token.rb +13 -2
- data/lib/rack/oauth2/server/token/error.rb +3 -1
- data/lib/rack/oauth2/util.rb +4 -4
- data/spec/rack/oauth2/client_spec.rb +18 -0
- data/spec/rack/oauth2/server/token/client_credentials_spec.rb +32 -2
- data/spec/rack/oauth2/server/token_spec.rb +69 -0
- data/spec/rack/oauth2/util_spec.rb +6 -6
- metadata +3 -3
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA256:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: e69450cef535f14c809f9f193acf6e477fea7ef78613def7c154decb7affc87b
         | 
| 4 | 
            +
              data.tar.gz: 964dc3c51ae1e5b526b28c6e203466f0ad7cf35da3c0b9787b210081d4a19b6c
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: 4f32e64b3729f04fa914e28056ef650ceff9eb12db1888d6c955061aa5f1df86be245336609f0956b7e54d08822da883acfb6b47a2816f5aee61b252f258536d
         | 
| 7 | 
            +
              data.tar.gz: 711dfbc5208521af851f7d01a5b52086989576afedcdd474dd393c5b2c2073767e74e6adddca45a7bd7e9f500cc57cda71c0ef3608555efdf67bd853ae7e9e69
         | 
    
        data/.travis.yml
    CHANGED
    
    
    
        data/VERSION
    CHANGED
    
    | @@ -1 +1 @@ | |
| 1 | 
            -
            1. | 
| 1 | 
            +
            1.18.0
         | 
    
        data/lib/rack/oauth2/client.rb
    CHANGED
    
    | @@ -16,12 +16,12 @@ module Rack | |
| 16 16 | 
             
                  end
         | 
| 17 17 |  | 
| 18 18 | 
             
                  def authorization_uri(params = {})
         | 
| 19 | 
            +
                    params[:redirect_uri] ||= self.redirect_uri
         | 
| 19 20 | 
             
                    params[:response_type] ||= :code
         | 
| 20 21 | 
             
                    params[:response_type] = Array(params[:response_type]).join(' ')
         | 
| 21 22 | 
             
                    params[:scope] = Array(params[:scope]).join(' ')
         | 
| 22 23 | 
             
                    Util.redirect_uri absolute_uri_for(authorization_endpoint), :query, params.merge(
         | 
| 23 | 
            -
                      client_id: self.identifier | 
| 24 | 
            -
                      redirect_uri: self.redirect_uri
         | 
| 24 | 
            +
                      client_id: self.identifier
         | 
| 25 25 | 
             
                    )
         | 
| 26 26 | 
             
                  end
         | 
| 27 27 |  | 
| @@ -84,12 +84,17 @@ module Rack | |
| 84 84 | 
             
                    case client_auth_method
         | 
| 85 85 | 
             
                    when :basic
         | 
| 86 86 | 
             
                      cred = Base64.strict_encode64 [
         | 
| 87 | 
            -
                        Util. | 
| 88 | 
            -
                        Util. | 
| 87 | 
            +
                        Util.www_form_url_encode(identifier),
         | 
| 88 | 
            +
                        Util.www_form_url_encode(secret)
         | 
| 89 89 | 
             
                      ].join(':')
         | 
| 90 90 | 
             
                      headers.merge!(
         | 
| 91 91 | 
             
                        'Authorization' => "Basic #{cred}"
         | 
| 92 92 | 
             
                      )
         | 
| 93 | 
            +
                    when :basic_without_www_form_urlencode
         | 
| 94 | 
            +
                      cred = ["#{identifier}:#{secret}"].pack('m').tr("\n", '')
         | 
| 95 | 
            +
                      headers.merge!(
         | 
| 96 | 
            +
                        'Authorization' => "Basic #{cred}"
         | 
| 97 | 
            +
                      )
         | 
| 93 98 | 
             
                    when :jwt_bearer
         | 
| 94 99 | 
             
                      params.merge!(
         | 
| 95 100 | 
             
                        client_assertion_type: URN::ClientAssertionType::JWT_BEARER
         | 
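Review bot: The new `:basic_without_www_form_urlencode` branch builds its Base64 with `["#{identifier}:#{secret}"].pack('m').tr("\n", '')` while the `:basic` branch a few lines above uses `Base64.strict_encode64`; both yield the same string, so `cred = Base64.strict_encode64("#{identifier}:#{secret}")` keeps the file to one encoding idiom and drops the newline stripping. The `headers.merge!('Authorization' => "Basic #{cred}")` call is now duplicated in both branches and could be hoisted after the `case`. Nothing records why the non-encoding variant exists; a comment such as `# RFC 6749 §2.3.1 requires form-url-encoding of id and secret before Base64; this variant is for servers that expect the raw id:secret instead` would help the next reader. The enclosing method starts before the hunk.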
| @@ -44,16 +44,27 @@ module Rack | |
| 44 44 |  | 
| 45 45 | 
             
                    class Request < Abstract::Request
         | 
| 46 46 | 
             
                      attr_required :grant_type
         | 
| 47 | 
            -
                      attr_optional :client_secret
         | 
| 47 | 
            +
                      attr_optional :client_secret, :client_assertion, :client_assertion_type
         | 
| 48 48 |  | 
| 49 49 | 
             
                      def initialize(env)
         | 
| 50 50 | 
             
                        auth = Rack::Auth::Basic::Request.new(env)
         | 
| 51 51 | 
             
                        if auth.provided? && auth.basic?
         | 
| 52 | 
            -
                          @client_id, @client_secret = auth.credentials
         | 
| 52 | 
            +
                          @client_id, @client_secret = auth.credentials.map do |cred|
         | 
| 53 | 
            +
                            Util.www_form_url_decode cred
         | 
| 54 | 
            +
                          end
         | 
| 53 55 | 
             
                          super
         | 
| 54 56 | 
             
                        else
         | 
| 55 57 | 
             
                          super
         | 
| 56 58 | 
             
                          @client_secret = params['client_secret']
         | 
| 59 | 
            +
                          @client_assertion = params['client_assertion']
         | 
| 60 | 
            +
                          @client_assertion_type = params['client_assertion_type']
         | 
| 61 | 
            +
                          if client_assertion.present? && client_assertion_type == URN::ClientAssertionType::JWT_BEARER
         | 
| 62 | 
            +
                            require 'json/jwt'
         | 
| 63 | 
            +
                            @client_id = JSON::JWT.decode(
         | 
| 64 | 
            +
                              client_assertion,
         | 
| 65 | 
            +
                              :skip_verification
         | 
| 66 | 
            +
                            )[:sub] rescue nil
         | 
| 67 | 
            +
                          end
         | 
| 57 68 | 
             
                        end
         | 
| 58 69 | 
             
                        @grant_type = params['grant_type'].to_s
         | 
| 59 70 | 
             
                      end
         | 
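Review bot: `Util.www_form_url_decode` on lines 52-54 runs on the raw Basic credentials, and `URI.decode_www_form_component` raises `ArgumentError` on a malformed %-sequence, so an Authorization header containing something like `%zz` turns `Request#initialize` into an unhandled exception instead of the 400/401 JSON error the endpoint otherwise returns; wrap the decode in `begin … rescue ArgumentError` and route it to the existing error path (`invalid_client!`, which the spec shows Request responds to — confirm it is safe to raise from within `initialize`). The JWT branch sets `@client_id` from `JSON::JWT.decode(…, :skip_verification)[:sub]`, an unverified claim; that is only acceptable because the application block must verify the assertion against the client's key before trusting `client_id`, which deserves a comment like `# client_id is taken from the unverified assertion; the app must verify client_assertion before trusting it`. The `rescue nil` modifier also hides every error from decode, including programming errors; rescuing the library's own `JSON::JWT::Exception` (plus `JSON::ParserError` if decode lets it through — confirm) keeps the nil-on-bad-input behaviour the spec relies on without masking the rest. `Request` continues past the end of the hunk.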
| @@ -8,7 +8,9 @@ module Rack | |
| 8 8 | 
             
                    class Unauthorized < Abstract::Unauthorized
         | 
| 9 9 | 
             
                      def finish
         | 
| 10 10 | 
             
                        super do |response|
         | 
| 11 | 
            -
                           | 
| 11 | 
            +
                          unless @skip_www_authenticate
         | 
| 12 | 
            +
                            response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
         | 
| 13 | 
            +
                          end
         | 
| 12 14 | 
             
                        end
         | 
| 13 15 | 
             
                      end
         | 
| 14 16 | 
             
                    end
         | 
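Review bot: The new `unless @skip_www_authenticate` guard reads an instance variable that nothing in this hunk assigns; it presumably comes from the one-line change to `server/abstract/error.rb` listed in the diffstat but not shown here, so a reader of this file cannot tell where it is set. A short comment would close the gap and record the protocol constraint, e.g. `# RFC 6749 §5.2: WWW-Authenticate is required when the client authenticated via the Authorization header; skip_www_authenticate is for clients that sent credentials in the body`. The `Unauthorized` class is shown in full within the hunk.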
    
        data/lib/rack/oauth2/util.rb
    CHANGED
    
    | @@ -4,12 +4,12 @@ module Rack | |
| 4 4 | 
             
              module OAuth2
         | 
| 5 5 | 
             
                module Util
         | 
| 6 6 | 
             
                  class << self
         | 
| 7 | 
            -
                    def  | 
| 8 | 
            -
                      URI. | 
| 7 | 
            +
                    def www_form_url_encode(text)
         | 
| 8 | 
            +
                      URI.encode_www_form_component(text)
         | 
| 9 9 | 
             
                    end
         | 
| 10 10 |  | 
| 11 | 
            -
                    def  | 
| 12 | 
            -
                      URI. | 
| 11 | 
            +
                    def www_form_url_decode(text)
         | 
| 12 | 
            +
                      URI.decode_www_form_component(text)
         | 
| 13 13 | 
             
                    end
         | 
| 14 14 |  | 
| 15 15 | 
             
                    def base64_encode(text)
         | 
| @@ -117,6 +117,24 @@ describe Rack::OAuth2::Client do | |
| 117 117 | 
             
                      end
         | 
| 118 118 | 
             
                    end
         | 
| 119 119 |  | 
| 120 | 
            +
                    context 'when basic_without_www_form_urlencode method is used' do
         | 
| 121 | 
            +
                      context 'when client_id is a url' do
         | 
| 122 | 
            +
                         let(:client_id) { 'https://client.example.com'}
         | 
| 123 | 
            +
             | 
| 124 | 
            +
                         it 'should be encoded in "application/x-www-form-urlencoded"' do
         | 
| 125 | 
            +
                           mock_response(
         | 
| 126 | 
            +
                             :post,
         | 
| 127 | 
            +
                             'https://server.example.com/oauth2/token',
         | 
| 128 | 
            +
                             'tokens/bearer.json',
         | 
| 129 | 
            +
                             request_header: {
         | 
| 130 | 
            +
                               'Authorization' => 'Basic aHR0cHM6Ly9jbGllbnQuZXhhbXBsZS5jb206Y2xpZW50X3NlY3JldA=='
         | 
| 131 | 
            +
                             }
         | 
| 132 | 
            +
                           )
         | 
| 133 | 
            +
                           client.access_token! :basic_without_www_form_urlencode
         | 
| 134 | 
            +
                         end
         | 
| 135 | 
            +
                       end
         | 
| 136 | 
            +
                    end
         | 
| 137 | 
            +
             | 
| 120 138 | 
             
                    context 'when jwt_bearer auth method specified' do
         | 
| 121 139 | 
             
                      context 'when client_secret is given' do
         | 
| 122 140 | 
             
                        it 'should be JWT bearer client assertion w/ auto-generated HS256-signed JWT assertion' do
         | 
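Review bot: The example on line 124 is titled `'should be encoded in "application/x-www-form-urlencoded"'` but it exercises `:basic_without_www_form_urlencode`, and the expected header value decodes to the raw `https://client.example.com:client_secret` with no percent-encoding, so the description states the opposite of what is asserted; rename it to `it 'should not be form-url-encoded before Base64'`. A mismatched description will mislead whoever reads a failure of this example. The surrounding `describe` block starts outside the hunk.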
| @@ -4,14 +4,19 @@ describe Rack::OAuth2::Server::Token::ClientCredentials do | |
| 4 4 | 
             
              let(:request) { Rack::MockRequest.new app }
         | 
| 5 5 | 
             
              let(:app) do
         | 
| 6 6 | 
             
                Rack::OAuth2::Server::Token.new do |request, response|
         | 
| 7 | 
            +
                  unless request.client_id == client_id && request.client_secret == client_secret
         | 
| 8 | 
            +
                    request.invalid_client!
         | 
| 9 | 
            +
                  end
         | 
| 7 10 | 
             
                  response.access_token = Rack::OAuth2::AccessToken::Bearer.new(access_token: 'access_token')
         | 
| 8 11 | 
             
                end
         | 
| 9 12 | 
             
              end
         | 
| 13 | 
            +
              let(:client_id) { 'client_id '}
         | 
| 14 | 
            +
              let(:client_secret) { 'client_secret' }
         | 
| 10 15 | 
             
              let(:params) do
         | 
| 11 16 | 
             
                {
         | 
| 12 17 | 
             
                  grant_type: 'client_credentials',
         | 
| 13 | 
            -
                  client_id:  | 
| 14 | 
            -
                  client_secret:  | 
| 18 | 
            +
                  client_id: client_id,
         | 
| 19 | 
            +
                  client_secret: client_secret
         | 
| 15 20 | 
             
                }
         | 
| 16 21 | 
             
              end
         | 
| 17 22 | 
             
              subject { request.post('/', params: params) }
         | 
| @@ -20,4 +25,29 @@ describe Rack::OAuth2::Server::Token::ClientCredentials do | |
| 20 25 | 
             
              its(:content_type) { should == 'application/json' }
         | 
| 21 26 | 
             
              its(:body)         { should include '"access_token":"access_token"' }
         | 
| 22 27 | 
             
              its(:body)         { should include '"token_type":"bearer"' }
         | 
| 28 | 
            +
             | 
| 29 | 
            +
              context 'basic auth' do
         | 
| 30 | 
            +
                let(:params) do
         | 
| 31 | 
            +
                  { grant_type: 'client_credentials' }
         | 
| 32 | 
            +
                end
         | 
| 33 | 
            +
                let(:encoded_creds) do
         | 
| 34 | 
            +
                  Base64.strict_encode64([
         | 
| 35 | 
            +
                    Rack::OAuth2::Util.www_form_url_encode(client_id),
         | 
| 36 | 
            +
                    Rack::OAuth2::Util.www_form_url_encode(client_secret)
         | 
| 37 | 
            +
                  ].join(':'))
         | 
| 38 | 
            +
                end
         | 
| 39 | 
            +
                subject do
         | 
| 40 | 
            +
                  request.post('/',
         | 
| 41 | 
            +
                    {params: params, 'HTTP_AUTHORIZATION' => "Basic #{encoded_creds}"})
         | 
| 42 | 
            +
                end
         | 
| 43 | 
            +
             | 
| 44 | 
            +
                its(:status)       { should == 200 }
         | 
| 45 | 
            +
             | 
| 46 | 
            +
                context 'compliance with RFC6749 sec 2.3.1' do
         | 
| 47 | 
            +
                  let(:client_id) { 'client: yes/please!' }
         | 
| 48 | 
            +
                  let(:client_secret) { 'terrible:secret:of:space' }
         | 
| 49 | 
            +
             | 
| 50 | 
            +
                  its(:status)       { should == 200 }
         | 
| 51 | 
            +
                end
         | 
| 52 | 
            +
              end
         | 
| 23 53 | 
             
            end
         | 
| @@ -71,6 +71,60 @@ describe Rack::OAuth2::Server::Token do | |
| 71 71 | 
             
                end
         | 
| 72 72 | 
             
              end
         | 
| 73 73 |  | 
| 74 | 
            +
              context 'when client_id is given via JWT client assertion' do
         | 
| 75 | 
            +
                before do
         | 
| 76 | 
            +
                  require 'json/jwt'
         | 
| 77 | 
            +
                  params[:client_assertion] = JSON::JWT.new(
         | 
| 78 | 
            +
                    sub: params[:client_id]
         | 
| 79 | 
            +
                    # NOTE: actual client_assertion should have more claims.
         | 
| 80 | 
            +
                  ).sign('client_secret').to_s
         | 
| 81 | 
            +
                  params[:client_assertion_type] = Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER
         | 
| 82 | 
            +
                  params.delete(:client_id)
         | 
| 83 | 
            +
                end
         | 
| 84 | 
            +
             | 
| 85 | 
            +
                context 'when client_assertion is invalid JWT' do
         | 
| 86 | 
            +
                  before do
         | 
| 87 | 
            +
                    params[:client_assertion] = 'invalid-jwt'
         | 
| 88 | 
            +
                  end
         | 
| 89 | 
            +
                  its(:status)       { should == 400 }
         | 
| 90 | 
            +
                  its(:content_type) { should == 'application/json' }
         | 
| 91 | 
            +
                  its(:body)         { should include '"error":"invalid_request"' }
         | 
| 92 | 
            +
                end
         | 
| 93 | 
            +
             | 
| 94 | 
            +
                context 'when client_assertion_type is missing' do
         | 
| 95 | 
            +
                  before do
         | 
| 96 | 
            +
                    params.delete(:client_assertion_type)
         | 
| 97 | 
            +
                  end
         | 
| 98 | 
            +
                  its(:status)       { should == 400 }
         | 
| 99 | 
            +
                  its(:content_type) { should == 'application/json' }
         | 
| 100 | 
            +
                  its(:body)         { should include '"error":"invalid_request"' }
         | 
| 101 | 
            +
                end
         | 
| 102 | 
            +
             | 
| 103 | 
            +
                context 'when client_assertion_type is unknown' do
         | 
| 104 | 
            +
                  before do
         | 
| 105 | 
            +
                    params[:client_assertion_type] = 'unknown'
         | 
| 106 | 
            +
                  end
         | 
| 107 | 
            +
                  its(:status)       { should == 400 }
         | 
| 108 | 
            +
                  its(:content_type) { should == 'application/json' }
         | 
| 109 | 
            +
                  its(:body)         { should include '"error":"invalid_request"' }
         | 
| 110 | 
            +
                end
         | 
| 111 | 
            +
             | 
| 112 | 
            +
                context 'when client_assertion issuer is different from client_id' do
         | 
| 113 | 
            +
                  before do
         | 
| 114 | 
            +
                    params[:client_id] = 'another_client_id'
         | 
| 115 | 
            +
                  end
         | 
| 116 | 
            +
                  its(:status)       { should == 400 }
         | 
| 117 | 
            +
                  its(:content_type) { should == 'application/json' }
         | 
| 118 | 
            +
                  its(:body)         { should include '"error":"invalid_request"' }
         | 
| 119 | 
            +
                end
         | 
| 120 | 
            +
             | 
| 121 | 
            +
                context 'otherwise' do
         | 
| 122 | 
            +
                  its(:status)       { should == 200 }
         | 
| 123 | 
            +
                  its(:content_type) { should == 'application/json' }
         | 
| 124 | 
            +
                  its(:body)         { should include '"access_token":"access_token"' }
         | 
| 125 | 
            +
                end
         | 
| 126 | 
            +
              end
         | 
| 127 | 
            +
             | 
| 74 128 | 
             
              Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
         | 
| 75 129 | 
             
                status = if error == :invalid_client
         | 
| 76 130 | 
             
                  401
         | 
| @@ -87,7 +141,22 @@ describe Rack::OAuth2::Server::Token do | |
| 87 141 | 
             
                  its(:content_type) { should == 'application/json' }
         | 
| 88 142 | 
             
                  its(:body)         { should include "\"error\":\"#{error}\"" }
         | 
| 89 143 | 
             
                  its(:body)         { should include "\"error_description\":\"#{default_message}\"" }
         | 
| 144 | 
            +
                  if error == :invalid_client
         | 
| 145 | 
            +
                    its(:headers)    { should include 'WWW-Authenticate' }
         | 
| 146 | 
            +
                  end
         | 
| 147 | 
            +
                end
         | 
| 148 | 
            +
              end
         | 
| 149 | 
            +
             | 
| 150 | 
            +
              context 'when skip_www_authenticate option is specified on invalid_client' do
         | 
| 151 | 
            +
                let(:app) do
         | 
| 152 | 
            +
                  Rack::OAuth2::Server::Token.new do |request, response|
         | 
| 153 | 
            +
                    request.invalid_client!(
         | 
| 154 | 
            +
                      Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION[:invalid_client],
         | 
| 155 | 
            +
                      skip_www_authenticate: true
         | 
| 156 | 
            +
                    )
         | 
| 157 | 
            +
                  end
         | 
| 90 158 | 
             
                end
         | 
| 159 | 
            +
                its(:headers) { should_not include 'WWW-Authenticate' }
         | 
| 91 160 | 
             
              end
         | 
| 92 161 |  | 
| 93 162 | 
             
              context 'when responding' do
         | 
| @@ -9,14 +9,14 @@ describe Rack::OAuth2::Util do | |
| 9 9 | 
             
                'http://client.example.com/callback'
         | 
| 10 10 | 
             
              end
         | 
| 11 11 |  | 
| 12 | 
            -
              describe '. | 
| 13 | 
            -
                subject { util. | 
| 14 | 
            -
                it { should == '%3D%2B | 
| 12 | 
            +
              describe '.www_form_url_encode' do
         | 
| 13 | 
            +
                subject { util.www_form_url_encode '=+ .-/' }
         | 
| 14 | 
            +
                it { should == '%3D%2B+.-%2F' }
         | 
| 15 15 | 
             
              end
         | 
| 16 16 |  | 
| 17 | 
            -
              describe '. | 
| 18 | 
            -
                subject { util. | 
| 19 | 
            -
                it { should == ' | 
| 17 | 
            +
              describe '.www_form_urldecode' do
         | 
| 18 | 
            +
                subject { util.www_form_url_decode '%3D%2B+.-%2F' }
         | 
| 19 | 
            +
                it { should == '=+ .-/' }
         | 
| 20 20 | 
             
              end
         | 
| 21 21 |  | 
| 22 22 | 
             
              describe '.base64_encode' do
         | 
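Review bot: The describe string on line 17 is `'.www_form_urldecode'` while the method it exercises on line 18 is `util.www_form_url_decode`, and the encode block on line 12 spells its name in full; change it to `describe '.www_form_url_decode' do` so test output matches the method name. The enclosing `describe Rack::OAuth2::Util` block starts before the hunk.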
    
        metadata
    CHANGED
    
    | @@ -1,14 +1,14 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: rack-oauth2
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 1. | 
| 4 | 
            +
              version: 1.18.0
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - nov matake
         | 
| 8 8 | 
             
            autorequire: 
         | 
| 9 9 | 
             
            bindir: bin
         | 
| 10 10 | 
             
            cert_chain: []
         | 
| 11 | 
            -
            date:  | 
| 11 | 
            +
            date: 2021-08-06 00:00:00.000000000 Z
         | 
| 12 12 | 
             
            dependencies:
         | 
| 13 13 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 14 14 | 
             
              name: rack
         | 
| @@ -301,7 +301,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement | |
| 301 301 | 
             
                - !ruby/object:Gem::Version
         | 
| 302 302 | 
             
                  version: '0'
         | 
| 303 303 | 
             
            requirements: []
         | 
| 304 | 
            -
            rubygems_version: 3. | 
| 304 | 
            +
            rubygems_version: 3.1.4
         | 
| 305 305 | 
             
            signing_key: 
         | 
| 306 306 | 
             
            specification_version: 4
         | 
| 307 307 | 
             
            summary: OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported
         |