rack-oauth2 1.17.0 → 1.20.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/FUNDING.yml +3 -0
- data/.travis.yml +1 -1
- data/VERSION +1 -1
- data/lib/rack/oauth2/client.rb +1 -1
- data/lib/rack/oauth2/server/abstract/error.rb +1 -0
- data/lib/rack/oauth2/server/token/error.rb +3 -1
- data/lib/rack/oauth2/server/token.rb +10 -1
- data/lib/rack/oauth2.rb +5 -0
- data/rack-oauth2.gemspec +2 -1
- data/spec/rack/oauth2/client_spec.rb +3 -1
- data/spec/rack/oauth2/server/token_spec.rb +69 -0
- metadata +19 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bdcd25b6561ff3da4a222efbf541e17ef6aa4a75d08f97cd978ce9d28e8b5dfa
|
|
4
|
+
data.tar.gz: 48aabb016042ebbe28e302f608e16a4d6f9526cc29977540a5feb255acfd931b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7ba0fcc8364bd006eab83c4fcfa62325d6146407e27d79cd8e6e35dddf83e1b2d0ffb0efeeaf14d7e53d109cec26f0b8a4f66e5bb44eec4d93d9118d02fed686
|
|
7
|
+
data.tar.gz: 3fe2d26a2368b3f9e8c2cf3efb13452c13ac0fbf4ab9f6f1a5ac9b9a8154845c7fe684cd9f4f52522d9e6f772c48f0d21f5c0c1a30f737591dd98129fca1782f
|
data/.github/FUNDING.yml
ADDED
data/.travis.yml
CHANGED
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.20.0
|
data/lib/rack/oauth2/client.rb
CHANGED
|
@@ -3,7 +3,7 @@ module Rack
|
|
|
3
3
|
class Client
|
|
4
4
|
include AttrRequired, AttrOptional
|
|
5
5
|
attr_required :identifier
|
|
6
|
-
attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint
|
|
6
|
+
attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint, :revocation_endpoint
|
|
7
7
|
|
|
8
8
|
def initialize(attributes = {})
|
|
9
9
|
(required_attributes + optional_attributes).each do |key|
|
|
@@ -8,7 +8,9 @@ module Rack
|
|
|
8
8
|
class Unauthorized < Abstract::Unauthorized
|
|
9
9
|
def finish
|
|
10
10
|
super do |response|
|
|
11
|
-
|
|
11
|
+
unless @skip_www_authenticate
|
|
12
|
+
response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
|
|
13
|
+
end
|
|
12
14
|
end
|
|
13
15
|
end
|
|
14
16
|
end
|
|
@@ -44,7 +44,7 @@ module Rack
|
|
|
44
44
|
|
|
45
45
|
class Request < Abstract::Request
|
|
46
46
|
attr_required :grant_type
|
|
47
|
-
attr_optional :client_secret
|
|
47
|
+
attr_optional :client_secret, :client_assertion, :client_assertion_type
|
|
48
48
|
|
|
49
49
|
def initialize(env)
|
|
50
50
|
auth = Rack::Auth::Basic::Request.new(env)
|
|
@@ -56,6 +56,15 @@ module Rack
|
|
|
56
56
|
else
|
|
57
57
|
super
|
|
58
58
|
@client_secret = params['client_secret']
|
|
59
|
+
@client_assertion = params['client_assertion']
|
|
60
|
+
@client_assertion_type = params['client_assertion_type']
|
|
61
|
+
if client_assertion.present? && client_assertion_type == URN::ClientAssertionType::JWT_BEARER
|
|
62
|
+
require 'json/jwt'
|
|
63
|
+
@client_id = JSON::JWT.decode(
|
|
64
|
+
client_assertion,
|
|
65
|
+
:skip_verification
|
|
66
|
+
)[:sub] rescue nil
|
|
67
|
+
end
|
|
59
68
|
end
|
|
60
69
|
@grant_type = params['grant_type'].to_s
|
|
61
70
|
end
|
data/lib/rack/oauth2.rb
CHANGED
|
@@ -43,6 +43,11 @@ module Rack
|
|
|
43
43
|
_http_client_ = HTTPClient.new(
|
|
44
44
|
agent_name: agent_name
|
|
45
45
|
)
|
|
46
|
+
|
|
47
|
+
# NOTE: httpclient gem seems stopped maintaining root certtificate set, use OS default.
|
|
48
|
+
_http_client_.ssl_config.clear_cert_store
|
|
49
|
+
_http_client_.ssl_config.cert_store.set_default_paths
|
|
50
|
+
|
|
46
51
|
http_config.try(:call, _http_client_)
|
|
47
52
|
local_http_config.try(:call, _http_client_) unless local_http_config.nil?
|
|
48
53
|
_http_client_.request_filter << Debugger::RequestFilter.new if debugging?
|
data/rack-oauth2.gemspec
CHANGED
|
@@ -7,7 +7,7 @@ Gem::Specification.new do |s|
|
|
|
7
7
|
s.email = 'nov@matake.jp'
|
|
8
8
|
s.extra_rdoc_files = ['LICENSE', 'README.rdoc']
|
|
9
9
|
s.rdoc_options = ['--charset=UTF-8']
|
|
10
|
-
s.homepage = '
|
|
10
|
+
s.homepage = 'https://github.com/nov/rack-oauth2'
|
|
11
11
|
s.license = 'MIT'
|
|
12
12
|
s.require_paths = ['lib']
|
|
13
13
|
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
|
|
@@ -23,4 +23,5 @@ Gem::Specification.new do |s|
|
|
|
23
23
|
s.add_development_dependency 'rspec'
|
|
24
24
|
s.add_development_dependency 'rspec-its'
|
|
25
25
|
s.add_development_dependency 'webmock'
|
|
26
|
+
s.add_development_dependency 'rexml'
|
|
26
27
|
end
|
|
@@ -8,7 +8,8 @@ describe Rack::OAuth2::Client do
|
|
|
8
8
|
identifier: client_id,
|
|
9
9
|
secret: client_secret,
|
|
10
10
|
host: 'server.example.com',
|
|
11
|
-
redirect_uri: 'https://client.example.com/callback'
|
|
11
|
+
redirect_uri: 'https://client.example.com/callback',
|
|
12
|
+
revocation_endpoint: '/oauth2/revoke'
|
|
12
13
|
)
|
|
13
14
|
end
|
|
14
15
|
subject { client }
|
|
@@ -17,6 +18,7 @@ describe Rack::OAuth2::Client do
|
|
|
17
18
|
its(:secret) { should == 'client_secret' }
|
|
18
19
|
its(:authorization_endpoint) { should == '/oauth2/authorize' }
|
|
19
20
|
its(:token_endpoint) { should == '/oauth2/token' }
|
|
21
|
+
its(:revocation_endpoint) { should == '/oauth2/revoke' }
|
|
20
22
|
|
|
21
23
|
context 'when identifier is missing' do
|
|
22
24
|
it do
|
|
@@ -71,6 +71,60 @@ describe Rack::OAuth2::Server::Token do
|
|
|
71
71
|
end
|
|
72
72
|
end
|
|
73
73
|
|
|
74
|
+
context 'when client_id is given via JWT client assertion' do
|
|
75
|
+
before do
|
|
76
|
+
require 'json/jwt'
|
|
77
|
+
params[:client_assertion] = JSON::JWT.new(
|
|
78
|
+
sub: params[:client_id]
|
|
79
|
+
# NOTE: actual client_assertion should have more claims.
|
|
80
|
+
).sign('client_secret').to_s
|
|
81
|
+
params[:client_assertion_type] = Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER
|
|
82
|
+
params.delete(:client_id)
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
context 'when client_assertion is invalid JWT' do
|
|
86
|
+
before do
|
|
87
|
+
params[:client_assertion] = 'invalid-jwt'
|
|
88
|
+
end
|
|
89
|
+
its(:status) { should == 400 }
|
|
90
|
+
its(:content_type) { should == 'application/json' }
|
|
91
|
+
its(:body) { should include '"error":"invalid_request"' }
|
|
92
|
+
end
|
|
93
|
+
|
|
94
|
+
context 'when client_assertion_type is missing' do
|
|
95
|
+
before do
|
|
96
|
+
params.delete(:client_assertion_type)
|
|
97
|
+
end
|
|
98
|
+
its(:status) { should == 400 }
|
|
99
|
+
its(:content_type) { should == 'application/json' }
|
|
100
|
+
its(:body) { should include '"error":"invalid_request"' }
|
|
101
|
+
end
|
|
102
|
+
|
|
103
|
+
context 'when client_assertion_type is unknown' do
|
|
104
|
+
before do
|
|
105
|
+
params[:client_assertion_type] = 'unknown'
|
|
106
|
+
end
|
|
107
|
+
its(:status) { should == 400 }
|
|
108
|
+
its(:content_type) { should == 'application/json' }
|
|
109
|
+
its(:body) { should include '"error":"invalid_request"' }
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
context 'when client_assertion issuer is different from client_id' do
|
|
113
|
+
before do
|
|
114
|
+
params[:client_id] = 'another_client_id'
|
|
115
|
+
end
|
|
116
|
+
its(:status) { should == 400 }
|
|
117
|
+
its(:content_type) { should == 'application/json' }
|
|
118
|
+
its(:body) { should include '"error":"invalid_request"' }
|
|
119
|
+
end
|
|
120
|
+
|
|
121
|
+
context 'otherwise' do
|
|
122
|
+
its(:status) { should == 200 }
|
|
123
|
+
its(:content_type) { should == 'application/json' }
|
|
124
|
+
its(:body) { should include '"access_token":"access_token"' }
|
|
125
|
+
end
|
|
126
|
+
end
|
|
127
|
+
|
|
74
128
|
Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
|
|
75
129
|
status = if error == :invalid_client
|
|
76
130
|
401
|
|
@@ -87,7 +141,22 @@ describe Rack::OAuth2::Server::Token do
|
|
|
87
141
|
its(:content_type) { should == 'application/json' }
|
|
88
142
|
its(:body) { should include "\"error\":\"#{error}\"" }
|
|
89
143
|
its(:body) { should include "\"error_description\":\"#{default_message}\"" }
|
|
144
|
+
if error == :invalid_client
|
|
145
|
+
its(:headers) { should include 'WWW-Authenticate' }
|
|
146
|
+
end
|
|
147
|
+
end
|
|
148
|
+
end
|
|
149
|
+
|
|
150
|
+
context 'when skip_www_authenticate option is specified on invalid_client' do
|
|
151
|
+
let(:app) do
|
|
152
|
+
Rack::OAuth2::Server::Token.new do |request, response|
|
|
153
|
+
request.invalid_client!(
|
|
154
|
+
Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION[:invalid_client],
|
|
155
|
+
skip_www_authenticate: true
|
|
156
|
+
)
|
|
157
|
+
end
|
|
90
158
|
end
|
|
159
|
+
its(:headers) { should_not include 'WWW-Authenticate' }
|
|
91
160
|
end
|
|
92
161
|
|
|
93
162
|
context 'when responding' do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-oauth2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.20.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- nov matake
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-07-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -150,6 +150,20 @@ dependencies:
|
|
|
150
150
|
- - ">="
|
|
151
151
|
- !ruby/object:Gem::Version
|
|
152
152
|
version: '0'
|
|
153
|
+
- !ruby/object:Gem::Dependency
|
|
154
|
+
name: rexml
|
|
155
|
+
requirement: !ruby/object:Gem::Requirement
|
|
156
|
+
requirements:
|
|
157
|
+
- - ">="
|
|
158
|
+
- !ruby/object:Gem::Version
|
|
159
|
+
version: '0'
|
|
160
|
+
type: :development
|
|
161
|
+
prerelease: false
|
|
162
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
163
|
+
requirements:
|
|
164
|
+
- - ">="
|
|
165
|
+
- !ruby/object:Gem::Version
|
|
166
|
+
version: '0'
|
|
153
167
|
description: OAuth 2.0 Server & Client Library. Both Bearer and MAC token type are
|
|
154
168
|
supported.
|
|
155
169
|
email: nov@matake.jp
|
|
@@ -160,6 +174,7 @@ extra_rdoc_files:
|
|
|
160
174
|
- README.rdoc
|
|
161
175
|
files:
|
|
162
176
|
- ".document"
|
|
177
|
+
- ".github/FUNDING.yml"
|
|
163
178
|
- ".gitignore"
|
|
164
179
|
- ".rspec"
|
|
165
180
|
- ".travis.yml"
|
|
@@ -281,7 +296,7 @@ files:
|
|
|
281
296
|
- spec/rack/oauth2/server/token_spec.rb
|
|
282
297
|
- spec/rack/oauth2/util_spec.rb
|
|
283
298
|
- spec/spec_helper.rb
|
|
284
|
-
homepage:
|
|
299
|
+
homepage: https://github.com/nov/rack-oauth2
|
|
285
300
|
licenses:
|
|
286
301
|
- MIT
|
|
287
302
|
metadata: {}
|
|
@@ -301,7 +316,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
301
316
|
- !ruby/object:Gem::Version
|
|
302
317
|
version: '0'
|
|
303
318
|
requirements: []
|
|
304
|
-
rubygems_version: 3.
|
|
319
|
+
rubygems_version: 3.1.6
|
|
305
320
|
signing_key:
|
|
306
321
|
specification_version: 4
|
|
307
322
|
summary: OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported
|