rack-oauth2 1.17.0 → 1.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 5ea33651fcefd142210b8b6c275eb6a3c6096274796ef3070a5fa87da18433a6
4
- data.tar.gz: 284e253fbefbe51cc1d645ec348584160c6f4363251f908ea536d1796b3444e5
3
+ metadata.gz: e69450cef535f14c809f9f193acf6e477fea7ef78613def7c154decb7affc87b
4
+ data.tar.gz: 964dc3c51ae1e5b526b28c6e203466f0ad7cf35da3c0b9787b210081d4a19b6c
5
5
  SHA512:
6
- metadata.gz: ae2c8ced737f24a116a0b484d745477e8e4b03732e5a7147428e4d63fee61518ca43a705020817b09311ac030267e1b55ab072f421b26a90292482945c9b3bd3
7
- data.tar.gz: 2e70af95a0040f956e3de8d918d50c3322107f68cb7a5af25a9987cac914c40d6453202e97e42395bf1707e78b65987f0b059b9c77bf3421070ee6f51a2dddd3
6
+ metadata.gz: 4f32e64b3729f04fa914e28056ef650ceff9eb12db1888d6c955061aa5f1df86be245336609f0956b7e54d08822da883acfb6b47a2816f5aee61b252f258536d
7
+ data.tar.gz: 711dfbc5208521af851f7d01a5b52086989576afedcdd474dd393c5b2c2073767e74e6adddca45a7bd7e9f500cc57cda71c0ef3608555efdf67bd853ae7e9e69
data/VERSION CHANGED
@@ -1 +1 @@
1
- 1.17.0
1
+ 1.18.0
@@ -42,6 +42,7 @@ module Rack
42
42
 
43
43
  class Unauthorized < Error
44
44
  def initialize(error = :unauthorized, description = nil, options = {})
45
+ @skip_www_authenticate = options[:skip_www_authenticate]
45
46
  super 401, error, description, options
46
47
  end
47
48
  end
@@ -44,7 +44,7 @@ module Rack
44
44
 
45
45
  class Request < Abstract::Request
46
46
  attr_required :grant_type
47
- attr_optional :client_secret
47
+ attr_optional :client_secret, :client_assertion, :client_assertion_type
48
48
 
49
49
  def initialize(env)
50
50
  auth = Rack::Auth::Basic::Request.new(env)
@@ -56,6 +56,15 @@ module Rack
56
56
  else
57
57
  super
58
58
  @client_secret = params['client_secret']
59
+ @client_assertion = params['client_assertion']
60
+ @client_assertion_type = params['client_assertion_type']
61
+ if client_assertion.present? && client_assertion_type == URN::ClientAssertionType::JWT_BEARER
62
+ require 'json/jwt'
63
+ @client_id = JSON::JWT.decode(
64
+ client_assertion,
65
+ :skip_verification
66
+ )[:sub] rescue nil
67
+ end
59
68
  end
60
69
  @grant_type = params['grant_type'].to_s
61
70
  end
@@ -8,7 +8,9 @@ module Rack
8
8
  class Unauthorized < Abstract::Unauthorized
9
9
  def finish
10
10
  super do |response|
11
- response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
11
+ unless @skip_www_authenticate
12
+ response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
13
+ end
12
14
  end
13
15
  end
14
16
  end
@@ -71,6 +71,60 @@ describe Rack::OAuth2::Server::Token do
71
71
  end
72
72
  end
73
73
 
74
+ context 'when client_id is given via JWT client assertion' do
75
+ before do
76
+ require 'json/jwt'
77
+ params[:client_assertion] = JSON::JWT.new(
78
+ sub: params[:client_id]
79
+ # NOTE: actual client_assertion should have more claims.
80
+ ).sign('client_secret').to_s
81
+ params[:client_assertion_type] = Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER
82
+ params.delete(:client_id)
83
+ end
84
+
85
+ context 'when client_assertion is invalid JWT' do
86
+ before do
87
+ params[:client_assertion] = 'invalid-jwt'
88
+ end
89
+ its(:status) { should == 400 }
90
+ its(:content_type) { should == 'application/json' }
91
+ its(:body) { should include '"error":"invalid_request"' }
92
+ end
93
+
94
+ context 'when client_assertion_type is missing' do
95
+ before do
96
+ params.delete(:client_assertion_type)
97
+ end
98
+ its(:status) { should == 400 }
99
+ its(:content_type) { should == 'application/json' }
100
+ its(:body) { should include '"error":"invalid_request"' }
101
+ end
102
+
103
+ context 'when client_assertion_type is unknown' do
104
+ before do
105
+ params[:client_assertion_type] = 'unknown'
106
+ end
107
+ its(:status) { should == 400 }
108
+ its(:content_type) { should == 'application/json' }
109
+ its(:body) { should include '"error":"invalid_request"' }
110
+ end
111
+
112
+ context 'when client_assertion issuer is different from client_id' do
113
+ before do
114
+ params[:client_id] = 'another_client_id'
115
+ end
116
+ its(:status) { should == 400 }
117
+ its(:content_type) { should == 'application/json' }
118
+ its(:body) { should include '"error":"invalid_request"' }
119
+ end
120
+
121
+ context 'otherwise' do
122
+ its(:status) { should == 200 }
123
+ its(:content_type) { should == 'application/json' }
124
+ its(:body) { should include '"access_token":"access_token"' }
125
+ end
126
+ end
127
+
74
128
  Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
75
129
  status = if error == :invalid_client
76
130
  401
@@ -87,7 +141,22 @@ describe Rack::OAuth2::Server::Token do
87
141
  its(:content_type) { should == 'application/json' }
88
142
  its(:body) { should include "\"error\":\"#{error}\"" }
89
143
  its(:body) { should include "\"error_description\":\"#{default_message}\"" }
144
+ if error == :invalid_client
145
+ its(:headers) { should include 'WWW-Authenticate' }
146
+ end
147
+ end
148
+ end
149
+
150
+ context 'when skip_www_authenticate option is specified on invalid_client' do
151
+ let(:app) do
152
+ Rack::OAuth2::Server::Token.new do |request, response|
153
+ request.invalid_client!(
154
+ Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION[:invalid_client],
155
+ skip_www_authenticate: true
156
+ )
157
+ end
90
158
  end
159
+ its(:headers) { should_not include 'WWW-Authenticate' }
91
160
  end
92
161
 
93
162
  context 'when responding' do
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-oauth2
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.17.0
4
+ version: 1.18.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - nov matake
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-05-26 00:00:00.000000000 Z
11
+ date: 2021-08-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -301,7 +301,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
301
301
  - !ruby/object:Gem::Version
302
302
  version: '0'
303
303
  requirements: []
304
- rubygems_version: 3.0.3
304
+ rubygems_version: 3.1.4
305
305
  signing_key:
306
306
  specification_version: 4
307
307
  summary: OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported