rack-oauth2 1.16.0 → 1.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 656ec18e337c0382c0bc710623e267cfb073c629ba16541451754b72c22c7e43
-  data.tar.gz: 962b029b37278c0dfb59bdb402b8e5b2f0727f081763738afb5bceea2980b5c3
+  metadata.gz: de77a3afabd5ae9ec958c5799970a99a5576cb727b27c80020d1199c986f25f1
+  data.tar.gz: 6225a40427c3bb882890f5d6e54407b1a80bd56f5b74f4278122678a2206ae29
 SHA512:
-  metadata.gz: 2911133e3fcf04274a883cd56808b3c44cd42a8db963fe94f008139d74dcfc727e45304a5bd2dc071d111cf86b95fd5ea1b86d57f72ecbd15bbdb28655a1a000
-  data.tar.gz: 5007ba0f4de30144cf0aa3ac924e5ea8e30246f6ad2d70050992c8ac81a487ae5ce36df507f4aa00be5e1ef8a89685bf0dc965e6bb6e79c3f4baef903d70f45d
+  metadata.gz: ce7ecffd6ee6aae2296c2d20a1353bfb96cdee665b1d06961859f2e3e1922822cb481e3791d7fefc6a53644ce6d150f7ec6eb63880b6112e66b0a9cd64f27fdf
+  data.tar.gz: 80c3816f4a0e1649c2f7f268fbde3583eb435c2978e155de963f9354cf6e2330778c22b80e15757a592042b800a5cf1fca9466557735aef3d90a59b77db2fd2b

data/.travis.yml

@@ -4,4 +4,5 @@ before_install:
 rvm:
   - 2.5.8
   - 2.6.6
-  - 2.7.1
+  - 2.7.2
+  - 3.0.0

data/VERSION

@@ -1 +1 @@
-1.16.0
+1.19.0

data/lib/rack/oauth2/client.rb

@@ -90,6 +90,11 @@ module Rack
           headers.merge!(
             'Authorization' => "Basic #{cred}"
           )
+        when :basic_without_www_form_urlencode
+          cred = ["#{identifier}:#{secret}"].pack('m').tr("\n", '')
+          headers.merge!(
+            'Authorization' => "Basic #{cred}"
+          )
         when :jwt_bearer
           params.merge!(
             client_assertion_type: URN::ClientAssertionType::JWT_BEARER

data/lib/rack/oauth2/server/abstract/error.rb

@@ -42,6 +42,7 @@ module Rack
 
         class Unauthorized < Error
           def initialize(error = :unauthorized, description = nil, options = {})
+            @skip_www_authenticate = options[:skip_www_authenticate]
             super 401, error, description, options
           end
         end

data/lib/rack/oauth2/server/token/error.rb

@@ -8,7 +8,9 @@ module Rack
         class Unauthorized < Abstract::Unauthorized
           def finish
             super do |response|
-              response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
+              unless @skip_www_authenticate
+                response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
+              end
             end
           end
         end

data/lib/rack/oauth2/server/token.rb

@@ -44,7 +44,7 @@ module Rack
 
         class Request < Abstract::Request
           attr_required :grant_type
-          attr_optional :client_secret
+          attr_optional :client_secret, :client_assertion, :client_assertion_type
 
           def initialize(env)
             auth = Rack::Auth::Basic::Request.new(env)
@@ -56,6 +56,15 @@ module Rack
             else
               super
               @client_secret = params['client_secret']
+              @client_assertion = params['client_assertion']
+              @client_assertion_type = params['client_assertion_type']
+              if client_assertion.present? && client_assertion_type == URN::ClientAssertionType::JWT_BEARER
+                require 'json/jwt'
+                @client_id = JSON::JWT.decode(
+                  client_assertion,
+                  :skip_verification
+                )[:sub] rescue nil
+              end
             end
             @grant_type = params['grant_type'].to_s
           end

data/lib/rack/oauth2/util.rb

@@ -4,10 +4,6 @@ module Rack
   module OAuth2
     module Util
       class << self
-        def rfc3986_encode(text)
-          URI.encode(text, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
-        end
-
         def www_form_url_encode(text)
           URI.encode_www_form_component(text)
         end

data/lib/rack/oauth2.rb

@@ -43,6 +43,11 @@ module Rack
       _http_client_ = HTTPClient.new(
         agent_name: agent_name
       )
+
+      # NOTE: httpclient gem seems stopped maintaining root certtificate set, use OS default.
+      _http_client_.ssl_config.clear_cert_store
+      _http_client_.ssl_config.cert_store.set_default_paths
+
       http_config.try(:call, _http_client_)
       local_http_config.try(:call, _http_client_) unless local_http_config.nil?
       _http_client_.request_filter << Debugger::RequestFilter.new if debugging?

data/spec/rack/oauth2/client_spec.rb

@@ -117,6 +117,24 @@ describe Rack::OAuth2::Client do
           end
         end
 
+        context 'when basic_without_www_form_urlencode method is used' do
+          context 'when client_id is a url' do
+             let(:client_id) { 'https://client.example.com'}
+
+             it 'should be encoded in "application/x-www-form-urlencoded"' do
+               mock_response(
+                 :post,
+                 'https://server.example.com/oauth2/token',
+                 'tokens/bearer.json',
+                 request_header: {
+                   'Authorization' => 'Basic aHR0cHM6Ly9jbGllbnQuZXhhbXBsZS5jb206Y2xpZW50X3NlY3JldA=='
+                 }
+               )
+               client.access_token! :basic_without_www_form_urlencode
+             end
+           end
+        end
+
         context 'when jwt_bearer auth method specified' do
           context 'when client_secret is given' do
             it 'should be JWT bearer client assertion w/ auto-generated HS256-signed JWT assertion' do

data/spec/rack/oauth2/server/token_spec.rb

@@ -71,6 +71,60 @@ describe Rack::OAuth2::Server::Token do
     end
   end
 
+  context 'when client_id is given via JWT client assertion' do
+    before do
+      require 'json/jwt'
+      params[:client_assertion] = JSON::JWT.new(
+        sub: params[:client_id]
+        # NOTE: actual client_assertion should have more claims.
+      ).sign('client_secret').to_s
+      params[:client_assertion_type] = Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER
+      params.delete(:client_id)
+    end
+
+    context 'when client_assertion is invalid JWT' do
+      before do
+        params[:client_assertion] = 'invalid-jwt'
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'when client_assertion_type is missing' do
+      before do
+        params.delete(:client_assertion_type)
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'when client_assertion_type is unknown' do
+      before do
+        params[:client_assertion_type] = 'unknown'
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'when client_assertion issuer is different from client_id' do
+      before do
+        params[:client_id] = 'another_client_id'
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'otherwise' do
+      its(:status)       { should == 200 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"access_token":"access_token"' }
+    end
+  end
+
   Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
     status = if error == :invalid_client
       401
@@ -87,7 +141,22 @@ describe Rack::OAuth2::Server::Token do
       its(:content_type) { should == 'application/json' }
       its(:body)         { should include "\"error\":\"#{error}\"" }
       its(:body)         { should include "\"error_description\":\"#{default_message}\"" }
+      if error == :invalid_client
+        its(:headers)    { should include 'WWW-Authenticate' }
+      end
+    end
+  end
+
+  context 'when skip_www_authenticate option is specified on invalid_client' do
+    let(:app) do
+      Rack::OAuth2::Server::Token.new do |request, response|
+        request.invalid_client!(
+          Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION[:invalid_client],
+          skip_www_authenticate: true
+        )
+      end
     end
+    its(:headers) { should_not include 'WWW-Authenticate' }
   end
 
   context 'when responding' do

data/spec/rack/oauth2/util_spec.rb

@@ -9,11 +9,6 @@ describe Rack::OAuth2::Util do
     'http://client.example.com/callback'
   end
 
-  describe '.rfc3986_encode' do
-    subject { util.rfc3986_encode '=+ .-/' }
-    it { should == '%3D%2B%20.-%2F' }
-  end
-
   describe '.www_form_url_encode' do
     subject { util.www_form_url_encode '=+ .-/' }
     it { should == '%3D%2B+.-%2F' }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.16.0
+  version: 1.19.0
 platform: ruby
 authors:
 - nov matake
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-17 00:00:00.000000000 Z
+date: 2021-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -301,7 +301,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported