rack-oauth2 1.17.0 → 1.20.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/FUNDING.yml +3 -0
- data/.travis.yml +1 -1
- data/VERSION +1 -1
- data/lib/rack/oauth2/client.rb +1 -1
- data/lib/rack/oauth2/server/abstract/error.rb +1 -0
- data/lib/rack/oauth2/server/token/error.rb +3 -1
- data/lib/rack/oauth2/server/token.rb +10 -1
- data/lib/rack/oauth2.rb +5 -0
- data/rack-oauth2.gemspec +2 -1
- data/spec/rack/oauth2/client_spec.rb +3 -1
- data/spec/rack/oauth2/server/token_spec.rb +69 -0
- metadata +19 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bdcd25b6561ff3da4a222efbf541e17ef6aa4a75d08f97cd978ce9d28e8b5dfa
|
|
4
|
+
data.tar.gz: 48aabb016042ebbe28e302f608e16a4d6f9526cc29977540a5feb255acfd931b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7ba0fcc8364bd006eab83c4fcfa62325d6146407e27d79cd8e6e35dddf83e1b2d0ffb0efeeaf14d7e53d109cec26f0b8a4f66e5bb44eec4d93d9118d02fed686
|
|
7
|
+
data.tar.gz: 3fe2d26a2368b3f9e8c2cf3efb13452c13ac0fbf4ab9f6f1a5ac9b9a8154845c7fe684cd9f4f52522d9e6f772c48f0d21f5c0c1a30f737591dd98129fca1782f
|
data/.github/FUNDING.yml
ADDED
data/.travis.yml
CHANGED
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.20.0
|
data/lib/rack/oauth2/client.rb
CHANGED
|
@@ -3,7 +3,7 @@ module Rack
|
|
|
3
3
|
class Client
|
|
4
4
|
include AttrRequired, AttrOptional
|
|
5
5
|
attr_required :identifier
|
|
6
|
-
attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint
|
|
6
|
+
attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint, :revocation_endpoint
|
|
7
7
|
|
|
8
8
|
def initialize(attributes = {})
|
|
9
9
|
(required_attributes + optional_attributes).each do |key|
|
|
@@ -8,7 +8,9 @@ module Rack
|
|
|
8
8
|
class Unauthorized < Abstract::Unauthorized
|
|
9
9
|
def finish
|
|
10
10
|
super do |response|
|
|
11
|
-
|
|
11
|
+
unless @skip_www_authenticate
|
|
12
|
+
response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
|
|
13
|
+
end
|
|
12
14
|
end
|
|
13
15
|
end
|
|
14
16
|
end
|
|
@@ -44,7 +44,7 @@ module Rack
|
|
|
44
44
|
|
|
45
45
|
class Request < Abstract::Request
|
|
46
46
|
attr_required :grant_type
|
|
47
|
-
attr_optional :client_secret
|
|
47
|
+
attr_optional :client_secret, :client_assertion, :client_assertion_type
|
|
48
48
|
|
|
49
49
|
def initialize(env)
|
|
50
50
|
auth = Rack::Auth::Basic::Request.new(env)
|
|
@@ -56,6 +56,15 @@ module Rack
|
|
|
56
56
|
else
|
|
57
57
|
super
|
|
58
58
|
@client_secret = params['client_secret']
|
|
59
|
+
@client_assertion = params['client_assertion']
|
|
60
|
+
@client_assertion_type = params['client_assertion_type']
|
|
61
|
+
if client_assertion.present? && client_assertion_type == URN::ClientAssertionType::JWT_BEARER
|
|
62
|
+
require 'json/jwt'
|
|
63
|
+
@client_id = JSON::JWT.decode(
|
|
64
|
+
client_assertion,
|
|
65
|
+
:skip_verification
|
|
66
|
+
)[:sub] rescue nil
|
|
67
|
+
end
|
|
59
68
|
end
|
|
60
69
|
@grant_type = params['grant_type'].to_s
|
|
61
70
|
end
|
data/lib/rack/oauth2.rb
CHANGED
|
@@ -43,6 +43,11 @@ module Rack
|
|
|
43
43
|
_http_client_ = HTTPClient.new(
|
|
44
44
|
agent_name: agent_name
|
|
45
45
|
)
|
|
46
|
+
|
|
47
|
+
# NOTE: httpclient gem seems stopped maintaining root certtificate set, use OS default.
|
|
48
|
+
_http_client_.ssl_config.clear_cert_store
|
|
49
|
+
_http_client_.ssl_config.cert_store.set_default_paths
|
|
50
|
+
|
|
46
51
|
http_config.try(:call, _http_client_)
|
|
47
52
|
local_http_config.try(:call, _http_client_) unless local_http_config.nil?
|
|
48
53
|
_http_client_.request_filter << Debugger::RequestFilter.new if debugging?
|
data/rack-oauth2.gemspec
CHANGED
|
@@ -7,7 +7,7 @@ Gem::Specification.new do |s|
|
|
|
7
7
|
s.email = 'nov@matake.jp'
|
|
8
8
|
s.extra_rdoc_files = ['LICENSE', 'README.rdoc']
|
|
9
9
|
s.rdoc_options = ['--charset=UTF-8']
|
|
10
|
-
s.homepage = '
|
|
10
|
+
s.homepage = 'https://github.com/nov/rack-oauth2'
|
|
11
11
|
s.license = 'MIT'
|
|
12
12
|
s.require_paths = ['lib']
|
|
13
13
|
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
|
|
@@ -23,4 +23,5 @@ Gem::Specification.new do |s|
|
|
|
23
23
|
s.add_development_dependency 'rspec'
|
|
24
24
|
s.add_development_dependency 'rspec-its'
|
|
25
25
|
s.add_development_dependency 'webmock'
|
|
26
|
+
s.add_development_dependency 'rexml'
|
|
26
27
|
end
|
|
@@ -8,7 +8,8 @@ describe Rack::OAuth2::Client do
|
|
|
8
8
|
identifier: client_id,
|
|
9
9
|
secret: client_secret,
|
|
10
10
|
host: 'server.example.com',
|
|
11
|
-
redirect_uri: 'https://client.example.com/callback'
|
|
11
|
+
redirect_uri: 'https://client.example.com/callback',
|
|
12
|
+
revocation_endpoint: '/oauth2/revoke'
|
|
12
13
|
)
|
|
13
14
|
end
|
|
14
15
|
subject { client }
|
|
@@ -17,6 +18,7 @@ describe Rack::OAuth2::Client do
|
|
|
17
18
|
its(:secret) { should == 'client_secret' }
|
|
18
19
|
its(:authorization_endpoint) { should == '/oauth2/authorize' }
|
|
19
20
|
its(:token_endpoint) { should == '/oauth2/token' }
|
|
21
|
+
its(:revocation_endpoint) { should == '/oauth2/revoke' }
|
|
20
22
|
|
|
21
23
|
context 'when identifier is missing' do
|
|
22
24
|
it do
|
|
@@ -71,6 +71,60 @@ describe Rack::OAuth2::Server::Token do
|
|
|
71
71
|
end
|
|
72
72
|
end
|
|
73
73
|
|
|
74
|
+
context 'when client_id is given via JWT client assertion' do
|
|
75
|
+
before do
|
|
76
|
+
require 'json/jwt'
|
|
77
|
+
params[:client_assertion] = JSON::JWT.new(
|
|
78
|
+
sub: params[:client_id]
|
|
79
|
+
# NOTE: actual client_assertion should have more claims.
|
|
80
|
+
).sign('client_secret').to_s
|
|
81
|
+
params[:client_assertion_type] = Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER
|
|
82
|
+
params.delete(:client_id)
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
context 'when client_assertion is invalid JWT' do
|
|
86
|
+
before do
|
|
87
|
+
params[:client_assertion] = 'invalid-jwt'
|
|
88
|
+
end
|
|
89
|
+
its(:status) { should == 400 }
|
|
90
|
+
its(:content_type) { should == 'application/json' }
|
|
91
|
+
its(:body) { should include '"error":"invalid_request"' }
|
|
92
|
+
end
|
|
93
|
+
|
|
94
|
+
context 'when client_assertion_type is missing' do
|
|
95
|
+
before do
|
|
96
|
+
params.delete(:client_assertion_type)
|
|
97
|
+
end
|
|
98
|
+
its(:status) { should == 400 }
|
|
99
|
+
its(:content_type) { should == 'application/json' }
|
|
100
|
+
its(:body) { should include '"error":"invalid_request"' }
|
|
101
|
+
end
|
|
102
|
+
|
|
103
|
+
context 'when client_assertion_type is unknown' do
|
|
104
|
+
before do
|
|
105
|
+
params[:client_assertion_type] = 'unknown'
|
|
106
|
+
end
|
|
107
|
+
its(:status) { should == 400 }
|
|
108
|
+
its(:content_type) { should == 'application/json' }
|
|
109
|
+
its(:body) { should include '"error":"invalid_request"' }
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
context 'when client_assertion issuer is different from client_id' do
|
|
113
|
+
before do
|
|
114
|
+
params[:client_id] = 'another_client_id'
|
|
115
|
+
end
|
|
116
|
+
its(:status) { should == 400 }
|
|
117
|
+
its(:content_type) { should == 'application/json' }
|
|
118
|
+
its(:body) { should include '"error":"invalid_request"' }
|
|
119
|
+
end
|
|
120
|
+
|
|
121
|
+
context 'otherwise' do
|
|
122
|
+
its(:status) { should == 200 }
|
|
123
|
+
its(:content_type) { should == 'application/json' }
|
|
124
|
+
its(:body) { should include '"access_token":"access_token"' }
|
|
125
|
+
end
|
|
126
|
+
end
|
|
127
|
+
|
|
74
128
|
Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
|
|
75
129
|
status = if error == :invalid_client
|
|
76
130
|
401
|
|
@@ -87,7 +141,22 @@ describe Rack::OAuth2::Server::Token do
|
|
|
87
141
|
its(:content_type) { should == 'application/json' }
|
|
88
142
|
its(:body) { should include "\"error\":\"#{error}\"" }
|
|
89
143
|
its(:body) { should include "\"error_description\":\"#{default_message}\"" }
|
|
144
|
+
if error == :invalid_client
|
|
145
|
+
its(:headers) { should include 'WWW-Authenticate' }
|
|
146
|
+
end
|
|
147
|
+
end
|
|
148
|
+
end
|
|
149
|
+
|
|
150
|
+
context 'when skip_www_authenticate option is specified on invalid_client' do
|
|
151
|
+
let(:app) do
|
|
152
|
+
Rack::OAuth2::Server::Token.new do |request, response|
|
|
153
|
+
request.invalid_client!(
|
|
154
|
+
Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION[:invalid_client],
|
|
155
|
+
skip_www_authenticate: true
|
|
156
|
+
)
|
|
157
|
+
end
|
|
90
158
|
end
|
|
159
|
+
its(:headers) { should_not include 'WWW-Authenticate' }
|
|
91
160
|
end
|
|
92
161
|
|
|
93
162
|
context 'when responding' do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-oauth2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.20.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- nov matake
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-07-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -150,6 +150,20 @@ dependencies:
|
|
|
150
150
|
- - ">="
|
|
151
151
|
- !ruby/object:Gem::Version
|
|
152
152
|
version: '0'
|
|
153
|
+
- !ruby/object:Gem::Dependency
|
|
154
|
+
name: rexml
|
|
155
|
+
requirement: !ruby/object:Gem::Requirement
|
|
156
|
+
requirements:
|
|
157
|
+
- - ">="
|
|
158
|
+
- !ruby/object:Gem::Version
|
|
159
|
+
version: '0'
|
|
160
|
+
type: :development
|
|
161
|
+
prerelease: false
|
|
162
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
163
|
+
requirements:
|
|
164
|
+
- - ">="
|
|
165
|
+
- !ruby/object:Gem::Version
|
|
166
|
+
version: '0'
|
|
153
167
|
description: OAuth 2.0 Server & Client Library. Both Bearer and MAC token type are
|
|
154
168
|
supported.
|
|
155
169
|
email: nov@matake.jp
|
|
@@ -160,6 +174,7 @@ extra_rdoc_files:
|
|
|
160
174
|
- README.rdoc
|
|
161
175
|
files:
|
|
162
176
|
- ".document"
|
|
177
|
+
- ".github/FUNDING.yml"
|
|
163
178
|
- ".gitignore"
|
|
164
179
|
- ".rspec"
|
|
165
180
|
- ".travis.yml"
|
|
@@ -281,7 +296,7 @@ files:
|
|
|
281
296
|
- spec/rack/oauth2/server/token_spec.rb
|
|
282
297
|
- spec/rack/oauth2/util_spec.rb
|
|
283
298
|
- spec/spec_helper.rb
|
|
284
|
-
homepage:
|
|
299
|
+
homepage: https://github.com/nov/rack-oauth2
|
|
285
300
|
licenses:
|
|
286
301
|
- MIT
|
|
287
302
|
metadata: {}
|
|
@@ -301,7 +316,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
301
316
|
- !ruby/object:Gem::Version
|
|
302
317
|
version: '0'
|
|
303
318
|
requirements: []
|
|
304
|
-
rubygems_version: 3.
|
|
319
|
+
rubygems_version: 3.1.6
|
|
305
320
|
signing_key:
|
|
306
321
|
specification_version: 4
|
|
307
322
|
summary: OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported
|