From 107eaf6e3492f772338609f8e6f420532b376fef Mon Sep 17 00:00:00 2001 From: Markus Koller Date: Wed, 30 Nov 2016 16:24:59 +0100 Subject: [PATCH] chore: Release version 1.1.0 --- CHANGELOG.md | 24 ++++++++ CONTRIBUTING.md | 7 +++ README.md | 70 ++++++++++++++++++++---- doorkeeper-openid_connect.gemspec | 12 ++-- lib/doorkeeper/openid_connect/version.rb | 2 +- 5 files changed, 96 insertions(+), 19 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..be84b8b --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,24 @@ + +### v1.1.0 (2016-11-30) + +This release is a general clean-up and adds support for some advanced OpenID Connect features. +Make sure to check the updated [README.md](README.md), especially the [configuration](README.md#configuration) section. + +#### Features + +* Respect scope grants in UserInfo response ([25f2170](/../../commit/25f2170)) +* Support max_age parameter ([aabe3aa](/../../commit/aabe3aa)) +* Add generator for initializer ([80399fd](/../../commit/80399fd)) +* Store and return nonces in IdToken responses ([d28ca8c](/../../commit/d28ca8c)) +* Support prompt=none parameter ([c775d8b](/../../commit/c775d8b)) +* Add supported claims to discovery response ([1d8f9ea](/../../commit/1d8f9ea)) +* Add webfinger and keys endpoints for discovery ([f70898b](/../../commit/f70898b)) +* Add discovery endpoint ([a16caa8](/../../commit/a16caa8)) + +#### Bug Fixes + +* Work around response_body issue on Rails 5, fix specs ([bc4ac76](/../../commit/bc4ac76)) +* Return auth_time in ID token claims ([490f756](/../../commit/490f756)) +* Don't require nonce ([d2945da](/../../commit/d2945da)) +* Also support POST requests to userinfo ([87a6577](/../../commit/87a6577)) +* Add openid scope to Doorkeeper configuration ([8169c2d](/../../commit/8169c2d)) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8c9bd00..2762fd6 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -63,3 +63,10 @@ feat: create initial CONTRIBUTING.md This closes #73 ``` + +## Release process + +- Bump version in `lib/doorkeeper/openid_connect/version.rb` +- Update `CHANGELOG.md` +- Commit all changes +- Tag release and publish gem with `rake release` diff --git a/README.md b/README.md index 4e81001..fd9c785 100644 --- a/README.md +++ b/README.md @@ -12,16 +12,16 @@ This library implements [OpenID Connect](http://openid.net/connect/) for Rails a - [Status](#status) - [Installation](#installation) - [Configuration](#configuration) - - [OAuth Scopes](#oauth-scopes) + - [Scopes](#scopes) + - [Claims](#claims) - [Routes](#routes) + - [Nonces](#nonces) - [Development](#development) - [License](#license) - [Sponsors](#sponsors) ## Status -The library is usable but still a bit rough around the edges. Please refer to the [v1.0.1 README](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/v1.0.1/README.md) until the next version is released. - The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html) are currently supported: - [Authentication using the Authorization Code Flow](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) - [Requesting Claims using Scope Values](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) 
@@ -81,7 +81,7 @@ The following settings are required in `config/initializers/doorkeeper_openid_co - `jws_private_key`, `jws_public_key` - Private and public RSA key pair for [JSON Web Signature](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31). - You can generate these with the `openssl` command, see e.g. [Generate a keypair using OpenSSL](https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL). - - You should not commit these keys to your repository, but use external files (in combination with `File.read`) or the [dotenv-rails](https://github.com/bkeepers/dotenv) gem (in combination with `ENV[...]`). + - You should not commit these keys to your repository, but use external files (in combination with `File.read`) and/or the [dotenv-rails](https://github.com/bkeepers/dotenv) gem (in combination with `ENV[...]`). - `resource_owner_from_access_token` - Defines how to translate the Doorkeeper access token to a resource owner model. 
@@ -100,20 +100,33 @@ The following settings are optional: - Expiration time after which the ID Token must not be accepted for processing by clients. - The default is 120 seconds -Custom claims can optionally be specified in a `claims` block. The following claim types are currently supported: +### Scopes + +To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute. -- `normal_claim` - - Specify claim name and a block which is called with `resource_owner` to determine the claim value. +> Note that any application defining its own scopes won't inherit the scopes defined in the initializer, so you might have to update existing applications as well. +> +> See [Using Scopes](https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes) in the Doorkeeper wiki for more information. -You can pass a `scope:` keyword argument on each claim to specify which OAuth scope should be required to access the claim. [Standard Claims](http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) as defined by OpenID Connect will by default use their [corresponding scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims), and any other claims will by default use the `profile` scope. +### Claims -### OAuth Scopes +Claims can be defined in a `claims` block inside `config/initializers/doorkeeper_openid_connect.rb`: -To authenticate using OpenID Connect, clients need to request the `openid` scope. You can either enable this for all applications using `optional_scopes` in `config/initializers/doorkeeper.rb`, or add them to any Doorkeeper application's `scope` attribute. Note that any application defining its own scopes won't inherit the scopes defined in the initializer. 
+```ruby +Doorkeeper::OpenidConnect.configure do + claims do + claim :email do |resource_owner| + resource_owner.email + end -The specification also defines the optional scopes `profile`, `email`, `address` and `phone` to grant access to groups of Standard Claims, as mentioned above. + claim :full_name do |resource_owner| + "#{resource_owner.first_name} #{resource_owner.last_name}" + end + end +end +``` -See [Using Scopes](https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes) in the Doorkeeper wiki for more information. +You can pass a `scope:` keyword argument on each claim to specify which OAuth scope should be required to access the claim. If you define any of the defined [Standard Claims](http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) they will by default use their [corresponding scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) (`profile`, `email`, `address` and `phone`), and any other claims will by default use the `profile` scope. Again, to use any of these scopes you need to enable them as described above. ### Routes 
@@ -136,6 +149,39 @@ GET /.well-known/openid-configuration GET /.well-known/webfinger ``` +### Nonces + +To support clients who send nonces you have to tweak Doorkeeper's authorization view so the parameter is passed on. + +If you don't already have custom templates, run this generator in your Rails application to add them: + +```sh +rails generate doorkeeper:views +``` + +Then tweak the template as follows: + +```patch +--- i/app/views/doorkeeper/authorizations/new.html.erb ++++ w/app/views/doorkeeper/authorizations/new.html.erb +@@ -26,6 +26,7 @@ + <%= hidden_field_tag :state, @pre_auth.state %> + <%= hidden_field_tag :response_type, @pre_auth.response_type %> + <%= hidden_field_tag :scope, @pre_auth.scope %> ++ <%= hidden_field_tag :nonce, @pre_auth.nonce %> + <%= submit_tag t('doorkeeper.authorizations.buttons.authorize'), class: "btn btn-success btn-lg btn-block" %> + <% end %> + <%= form_tag oauth_authorization_path, method: :delete do %> +@@ -34,6 +35,7 @@ + <%= hidden_field_tag :state, @pre_auth.state %> + <%= hidden_field_tag :response_type, @pre_auth.response_type %> + <%= hidden_field_tag :scope, @pre_auth.scope %> ++ <%= hidden_field_tag :nonce, @pre_auth.nonce %> + <%= submit_tag t('doorkeeper.authorizations.buttons.deny'), class: "btn btn-danger btn-lg btn-block" %> + <% end %> + +``` + ## Development Run `bundle install` to setup all development dependencies. diff --git a/doorkeeper-openid_connect.gemspec b/doorkeeper-openid_connect.gemspec index 5364790..260d62c 100644 --- a/doorkeeper-openid_connect.gemspec +++ b/doorkeeper-openid_connect.gemspec 
@@ -1,15 +1,14 @@ -# coding: utf-8 $:.push File.expand_path('../lib', __FILE__) require 'doorkeeper/openid_connect/version' Gem::Specification.new do |spec| spec.name = 'doorkeeper-openid_connect' spec.version = Doorkeeper::OpenidConnect::VERSION - spec.authors = ['Sam Dengler'] - spec.email = ['sam.dengler@playonsports.com'] - spec.homepage = 'https://github.com/playon/doorkeeper-openid_connect' - spec.summary = %q{OpenID Connect extension to Doorkeeper.} - spec.description = %q{OpenID Connect extension to Doorkeeper.} + spec.authors = ['Sam Dengler', 'Markus Koller'] + spec.email = ['sam.dengler@playonsports.com', 'markus-koller@gmx.ch'] + spec.homepage = 'https://github.com/doorkeeper-gem/doorkeeper-openid_connect' + spec.summary = %q{OpenID Connect extension for Doorkeeper.} + spec.description = %q{OpenID Connect extension for Doorkeeper.} spec.license = %q{MIT} spec.files = `git ls-files -z`.split("\x0").reject do |f| @@ -27,4 +26,5 @@ Gem::Specification.new do |spec| spec.add_development_dependency 'factory_girl' spec.add_development_dependency 'sqlite3' spec.add_development_dependency 'pry-byebug' + spec.add_development_dependency 'conventional-changelog', '~> 1.2' end diff --git a/lib/doorkeeper/openid_connect/version.rb b/lib/doorkeeper/openid_connect/version.rb index 9206139..23a7a59 100644 --- a/lib/doorkeeper/openid_connect/version.rb +++ b/lib/doorkeeper/openid_connect/version.rb @@ -1,5 +1,5 @@ module Doorkeeper module OpenidConnect - VERSION = '1.0.3'.freeze + VERSION = '1.1.0'.freeze end end
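Review bot: the commit links in the new CHANGELOG.md, e.g. `[25f2170](/../../commit/25f2170)`, are root-relative paths that only resolve when the file is rendered on GitHub; inside the packaged gem, on rubygems.org or in a local checkout they point nowhere. Use absolute URLs built from the homepage this same patch sets in the gemspec, `https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/25f2170`, so the references survive outside GitHub.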
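Review bot: the new "Release process" list in CONTRIBUTING.md says "Update `CHANGELOG.md`" but not how, even though this patch adds `conventional-changelog` as a development dependency in the gemspec; state the command that generates the entries and that it relies on the `feat:`/`fix:`/`chore:` commit prefixes the file already documents, so a future releaser produces the same format. It is also worth saying that `rake release` pushes both the tag and the gem, which is why the version bump and changelog commit must be made before that step.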
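Review bot: the `jws_private_key` bullet still cites the expired draft (draft-ietf-jose-json-web-signature-31); JSON Web Signature was published as RFC 7515 in 2015, so link that. The "and/or" wording is fine, but the guidance would carry more weight if it said what the private key protects: it signs every ID token, so whoever can read it can mint tokens for any user, which is why it must be readable by the application process only, while `jws_public_key` is the half that may be published (it is what the keys discovery endpoint added in this release serves).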
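Review bot: the new Claims section says a `scope:` keyword can be passed on each claim, but the example shows neither form, and the `email` claim in it silently picks up the `email` scope through the standard-claim rule explained only in the paragraph after the block. Add the keyword to one claim, e.g. `claim :full_name, scope: :profile do |resource_owner|`, and state beside the example that `full_name` is therefore returned only when the client was granted `profile` and `email` only with `email`, which is the behaviour the "Respect scope grants in UserInfo response" entry in the CHANGELOG introduces.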
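Review bot: the Nonces section tells the reader to add the hidden `nonce` field to both forms but not why, nor what fails without it. The nonce is the value a client uses to tie the ID token to its own session (the "Store and return nonces in IdToken responses" change in this release); if the authorization view drops the parameter, the client's nonce never reaches the token and a client that validates the claim rejects the response. A sentence to that effect makes the symptom recognisable. Minor: the embedded patch uses `i/` and `w/` path prefixes (git's index/worktree notation) where readers expect `a/` and `b/`; `git apply` and `patch -p1` do not care, but the conventional prefixes are less surprising.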
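Review bot: dropping `# coding: utf-8` from the gemspec is harmless, since UTF-8 has been the default source encoding since Ruby 2.0 and nothing in the file is non-ASCII anyway. The author, e-mail and homepage updates match the new repository location used elsewhere in the patch. `spec.summary` and `spec.description` remain the same one-line string; that is allowed, but a description naming the supported features (discovery endpoints, UserInfo, ID tokens with nonces) would make the rubygems listing more useful.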
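Review bot: `conventional-changelog` is used only at release time, yet declaring it with `add_development_dependency` pulls it and its transitive gems into every contributor's `bundle install`. Acceptable for a small tool, but consider a Gemfile group for release-only tooling instead, and in either case name it in the CONTRIBUTING release steps so its purpose is discoverable.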
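Review bot: the bump from `1.0.3` to `1.1.0` is consistent with the CHANGELOG heading, but the CHANGELOG begins at v1.1.0 while the previous version was 1.0.3 and the README text being removed pointed at a v1.0.1 README, so releases 1.0.1 through 1.0.3 have no entries. Either backfill them or add a one-line note at the top of CHANGELOG.md that entries start at 1.1.0, so a reader does not assume the 1.0.x releases had no changes.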