Update to latest upstream fork ~> m0n9oose/omniauth_openid_connect/

CHANGELOG.md

@@ -0,0 +1,47 @@
+# v0.3.5 (07.06.2020)
+
+- bugfix: Info from decoded id_token is not exposed into `request.env['omniauth.auth']` [#61](https://github.com/m0n9oose/omniauth_openid_connect/pull/61)
+- bugfix: NoMethodError (`undefined method 'count' for #<OpenIDConnect::ResponseObject::IdToken>`) [#60](https://github.com/m0n9oose/omniauth_openid_connect/pull/60)
+
+# v0.3.4 (21.05.2020)
+
+- Try to verify id_token when response_type is code [#44](https://github.com/m0n9oose/omniauth_openid_connect/pull/44)
+- Provide more information on error [#49](https://github.com/m0n9oose/omniauth_openid_connect/pull/49)
+- Update configuration documentation [#53](https://github.com/m0n9oose/omniauth_openid_connect/pull/53)
+- Add documentation about the send_scope_to_token_endpoint config property [#52](https://github.com/m0n9oose/omniauth_openid_connect/pull/52)
+- refactor: take uid_field from raw_attributes [#54](https://github.com/m0n9oose/omniauth_openid_connect/pull/54)
+- chore(ci): add 2.7, ruby-head and jruby-head [#55](https://github.com/m0n9oose/omniauth_openid_connect/pull/55)
+
+# v0.3.3 (09.11.2019)
+
+- Pass `acr_values` to authorize url [#43](https://github.com/m0n9oose/omniauth_openid_connect/pull/43)
+- Add raw info for id token [#42](https://github.com/m0n9oose/omniauth_openid_connect/pull/42)
+- Fixed `id_token` verification when `id_token` is not used [#41](https://github.com/m0n9oose/omniauth_openid_connect/pull/41)
+- Cast `response_type` to string when checking if it is set in params [#36](https://github.com/m0n9oose/omniauth_openid_connect/pull/36)
+- Support both symbol and string version of `response_type` option [#35](https://github.com/m0n9oose/omniauth_openid_connect/pull/35)
+- Fix gemspec homepage [#33](https://github.com/m0n9oose/omniauth_openid_connect/pull/33)
+- Add support for `response_type` `id_token` [#32](https://github.com/m0n9oose/omniauth_openid_connect/pull/32)
+
+# v0.3.2 (03.08.2019)
+
+- Use response_mode in `authorize_uri` if the option is defined [#30](https://github.com/m0n9oose/omniauth_openid_connect/pull/30)
+- Move verification of `id_token` to before accessing tokens [#28](https://github.com/m0n9oose/omniauth_openid_connect/pull/28)
+- Update omniauth dependency [#26](https://github.com/m0n9oose/omniauth_openid_connect/pull/26)
+
+# v0.3.1 (08.06.2019)
+
+- Set default OmniAuth name to openid_connect [#23](https://github.com/m0n9oose/omniauth_openid_connect/pull/23)
+
+# v0.3.0 (27.04.2019)
+
+- RP-Initiated Logout phase [#5](https://github.com/m0n9oose/omniauth_openid_connect/pull/5)
+- Allows `ui_locales`, `claims_locales` and `login_hint` as request params [#6](https://github.com/m0n9oose/omniauth_openid_connect/pull/6)
+- Make uid label configurable [#11](https://github.com/m0n9oose/omniauth_openid_connect/pull/11)
+- Allow rails applications to handle state mismatch [#14](https://github.com/m0n9oose/omniauth_openid_connect/pull/14)
+- Handle errors when fetching access_token at callback_phase [#17](https://github.com/m0n9oose/omniauth_openid_connect/pull/17)
+- Allow state method to receive env [#19](https://github.com/m0n9oose/omniauth_openid_connect/pull/19)
+
+# v0.2.4 (06.01.2019)
+
+- Prompt and login hint [#4](https://github.com/m0n9oose/omniauth_openid_connect/pull/4)
+- Bump openid_connect dependency [#9](https://github.com/m0n9oose/omniauth_openid_connect/pull/9)

Gemfile

@@ -1,2 +1,4 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 gemspec

Guardfile

@@ -1,11 +1,13 @@
+# frozen_string_literal: true
+
 # A sample Guardfile
 # More info at https://github.com/guard/guard#readme
 
 guard 'minitest' do
   # with Minitest::Unit
-  watch(%r|^test/(.*)\/(.*)_test\.rb|)
-  watch(%r|^lib/(.*)\.rb|)     { |m| "test/lib/#{m[1]}_test.rb" }
-  watch(%r|^test/test_helper\.rb|)    { "test" }
+  watch(%r{^test/(.*)\/(.*)_test\.rb})
+  watch(%r{^lib/(.*)\.rb}) { |m| "test/lib/#{m[1]}_test.rb" }
+  watch(%r{^test/test_helper\.rb}) { 'test' }
 end
 
 guard :bundler do

README.md

@@ -1,10 +1,10 @@
 # OmniAuth::OpenIDConnect
 
-OpenID Connect strategy for OmniAuth
-[![Gem Version](https://badge.fury.io/rb/omniauth-openid-connect.png)](http://badge.fury.io/rb/omniauth-openid-connect)
-[![Build Status](https://travis-ci.org/jjbohn/omniauth-openid-connect.png?branch=master)](https://travis-ci.org/jjbohn/omniauth-openid-connect)
-[![Coverage Status](https://coveralls.io/repos/jjbohn/omniauth-openid-connect/badge.png?branch=master)](https://coveralls.io/r/jjbohn/omniauth-openid-connect?branch=master)
-[![Code Climate](https://codeclimate.com/github/jjbohn/omniauth-openid-connect.png)](https://codeclimate.com/github/jjbohn/omniauth-openid-connect)
+Originally was [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect)
+
+I've forked this repository and launch as separate gem because maintaining of original was dropped.
+
+[![Build Status](https://travis-ci.org/m0n9oose/omniauth_openid_connect.png?branch=master)](https://travis-ci.org/m0n9oose/omniauth_openid_connect)
 
 ## Installation
 
@@ -18,7 +18,11 @@ And then execute:
 
 Or install it yourself as:
 
-    $ gem install omniauth-openid-connect
+    $ gem install omniauth_openid_connect
+
+## Supported Ruby Versions
+
+OmniAuth::OpenIDConnect is tested under 2.4, 2.5, 2.6, 2.7
 
 ## Usage
 
@@ -28,6 +32,7 @@ config.omniauth :openid_connect, {
   name: :my_provider,
   scope: [:openid, :email, :profile, :address],
   response_type: :code,
+  uid_field: "preferred_username",
   client_options: {
     port: 443,
     scheme: "https",
@@ -39,33 +44,83 @@ config.omniauth :openid_connect, {
 }
 ```
 
-Configuration details:
+### Options Overview
+
+| Field                        | Description                                                                                                                                                   | Required | Default                    | Example/Options                                     |
+|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------|-----------------------------------------------------|
+| name                         | Arbitrary string to identify connection and identify it from other openid_connect providers                                                                                                                        | no       | String: openid_connect     | :my_idp                                             |
+| issuer                       | Root url for the authorization server                                                                                                                         | yes      |                            | https://myprovider.com                              |
+| discovery                    | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no       | false                      | one of: true, false                                 |
+| client_auth_method           | Which authentication method to use to authenticate your app with the authorization server                                                                     | no       | Sym: basic                 | "basic", "jwks"                                     |
+| scope                        | Which OpenID scopes to include (:openid is always required)                                                                                                   | no       | Array<sym> [:openid]       | [:openid, :profile, :email]                         |
+| response_type                | Which OAuth2 response type to use with the authorization request                                                                                              | no       | String: code               | one of: 'code', 'id_token'                          |
+| state                        | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string.                                        | no       | Random 16 character string | Proc.new { SecureRandom.hex(32) }                   |
+| response_mode                | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)                                                              | no       | nil                        | one of: :query, :fragment, :form_post, :web_message |
+| display                      | An optional parameter to the authorization request to determine how the authorization and consent page                                                        | no       | nil                        | one of: :page, :popup, :touch, :wap                 |
+| prompt                       | An optional parameter to the authrization request to determine what pages the user will be shown                                                              | no       | nil                        | one of: :none, :login, :consent, :select_account    |
+| send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint?                                                                                       | no       | true                       | one of: true, false                                 |
+| post_logout_redirect_uri     | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                   | no       | empty                      | https://myapp.com/logout/callback                   |
+| uid_field                    | The field of the user info response to be used as a unique id                                                                                                 | no       | 'sub'                      | "sub", "preferred_username"                         |
+| client_options               | A hash of client options detailed in its own section                                                                                                          | yes      |                            |                                                     |
+
+### Client Config Options
+
+These are the configuration options for the client_options hash of the configuration.
+
+| Field                  | Description                                                     | Default    | Replaced by discovery? |
+|------------------------|-----------------------------------------------------------------|------------|------------------------|
+| identifier             | The OAuth2 client_id                                            |            |                        |
+| secret                 | The OAuth2 client secret                                        |            |                        |
+| redirect_uri           | The OAuth2 authorization callback url in your app               |            |                        |
+| scheme                 | The http scheme to use                                          | https      |                        |
+| host                   | The host of the authorization server                            | nil        |                        |
+| port                   | The port for the authorization server                           | 443        |                        |
+| authorization_endpoint | The authorize endpoint on the authorization server              | /authorize | yes                    |
+| token_endpoint         | The token endpoint on the authorization server                  | /token     | yes                    |
+| userinfo_endpoint      | The user info endpoint on the authorization server              | /userinfo  | yes                    |
+| jwks_uri               | The jwks_uri on the authorization server                        | /jwk       | yes                    |
+| end_session_endpoint   | The url to call to log the user out at the authorization server | nil        | yes                    |
+
+### Additional Configuration Notes
   * `name` is arbitrary, I recommend using the name of your provider. The name
   configuration exists because you could be using multiple OpenID Connect
   providers in a single app.
-  * Although `response_type` is an available option, currently, only `:code`
-  is valid. There are plans to bring in implicit flow and hybrid flow at some
-  point, but it hasn't come up yet for me. Those flows aren't best practive for
-  server side web apps anyway and are designed more for native/mobile apps.
-  * If you want to pass `state` paramete by yourself. You can set Proc Object.  
-  e.g. `state: Proc.new{ SecureRandom.hex(32) }`
+
+  **NOTE**: if you use this gem with Devise you should use `:openid_connect` name,
+  or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'
+
+  * `response_type` tells the authorization server which grant type the application wants to use,
+  currently, only `:code` (Authorization Code grant) and `:id_token` (Implicit grant) are valid.
+  * If you want to pass `state` paramete by yourself. You can set Proc Object.
+  e.g. `state: Proc.new { SecureRandom.hex(32) }`
   * `nonce` is optional. If don't want to pass "nonce" parameter to provider, You should specify
   `false` to `send_nonce` option. (default true)
   * Support for other client authentication methods. If don't specified
   `:client_auth_method` option, automatically set `:basic`.
   * Use "OpenID Connect Discovery", You should specify `true` to `discovery` option. (default false)
   * In "OpenID Connect Discovery", generally provider should have Webfinger endpoint.
-  If provider does not have Webfinger endpoint, You can specify "Issuer" to option.  
-  e.g. `issuer: "https://myprovider.com"`  
+  If provider does not have Webfinger endpoint, You can specify "Issuer" to option.
+  e.g. `issuer: "https://myprovider.com"`
   It means to get configuration from "https://myprovider.com/.well-known/openid-configuration".
+  * The uid is by default using the `sub` value from the `user_info` response,
+  which in some applications is not the expected value. To avoid such limitations, the uid label can be
+  configured by providing the omniauth `uid_field` option to a different label (i.e. `preferred_username`)
+  that appears in the `user_info` details.
+  * The `issuer` property should exactly match the provider's issuer link.
+  * The `response_mode` option is optional and specifies how the result of the authorization request is formatted.
+  * Some OpenID Connect providers require the `scope` attribute in requests to the token endpoint, even if
+  this is not in the protocol specifications. In those cases, the `send_scope_to_token_endpoint`
+  property can be used to add the attribute to the token request. Initial value is `true`, which means that the
+  scope attribute is included by default.
 
 For the full low down on OpenID Connect, please check out
 [the spec](http://openid.net/specs/openid-connect-core-1_0.html).
 
 ## Contributing
 
-1. Fork it ( http://github.com/jjbohn/omniauth-openid-connect/fork )
+1. Fork it ( http://github.com/m0n9oose/omniauth-openid-connect/fork )
 2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+3. Cover your changes with tests and make sure they're green (`bundle install && bundle exec rake test`)
+4. Commit your changes (`git commit -am 'Add some feature'`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create new Pull Request

Rakefile

@@ -2,7 +2,7 @@ require 'bundler/gem_tasks'
 require 'rake/testtask'
 
 Rake::TestTask.new do |t|
-  t.libs << 'lib/omniauth-openid-connect'
+  t.libs << 'test'
   t.test_files = FileList['test/lib/omniauth/**/*_test.rb']
   t.verbose = true
 end

lib/omniauth-openid-connect.rb

@@ -1 +1,3 @@
-require "omniauth/openid_connect"
+# frozen_string_literal: true
+
+require 'omniauth/openid_connect'

lib/omniauth/openid_connect.rb

@@ -1,3 +1,5 @@
-require "omniauth/openid_connect/errors"
-require "omniauth/openid_connect/version"
-require "omniauth/strategies/openid_connect"
+# frozen_string_literal: true
+
+require 'omniauth/openid_connect/errors'
+require 'omniauth/openid_connect/version'
+require 'omniauth/strategies/openid_connect'

lib/omniauth/openid_connect/errors.rb

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 module OmniAuth
   module OpenIDConnect
     class Error < RuntimeError; end
     class MissingCodeError < Error; end
+    class MissingIdTokenError < Error; end
   end
 end

lib/omniauth/openid_connect/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module OmniAuth
   module OpenIDConnect
-    VERSION = "0.2.2"
+    VERSION = '0.3.5.vn1'
   end
 end