Hello community,
here is the log from the commit of package rubygem-omniauth-google-oauth2 for
openSUSE:Factory checked in at 2019-03-04 09:20:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-omniauth-google-oauth2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-omniauth-google-oauth2.new.28833
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-omniauth-google-oauth2"
Mon Mar 4 09:20:33 2019 rev:4 rq:679529 version:0.6.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-omniauth-google-oauth2/rubygem-omniauth-google-oauth2.changes
2019-01-21 10:25:15.081757360 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-omniauth-google-oauth2.new.28833/rubygem-omniauth-google-oauth2.changes
2019-03-04 09:20:38.200598158 +0100
@@ -1,0 +2,21 @@
+Mon Jan 14 13:49:32 UTC 2019 - Stephan Kulow <[email protected]>
+
+- updated to version 0.6.0
+ see installed CHANGELOG.md
+
+ ## 0.6.0 - 2018-12-28
+
+ ### Added
+ - Support for JWT 2.x.
+
+ ### Deprecated
+ - Nothing.
+
+ ### Removed
+ - Support for JWT 1.x.
+ - Support for `raw_friend_info` and `raw_image_info`.
+
+ ### Fixed
+ - Nothing.
+
+-------------------------------------------------------------------
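Review bot: the entry mirrors the upstream changelog but does not say that user info is now fetched from `https://www.googleapis.com/oauth2/v3/userinfo` instead of the Google+ `plus/v1/people/...` endpoints, which is why fields such as `kind` and `gender` disappear from the README's `raw_info` sample further down. Applications packaged against this gem that read those fields will see them vanish, so one line in the .changes entry pointing at the endpoint switch would save downstream maintainers a bisect.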
Old:
----
omniauth-google-oauth2-0.5.4.gem
New:
----
omniauth-google-oauth2-0.6.0.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-omniauth-google-oauth2.spec ++++++
--- /var/tmp/diff_new_pack.DrtdkU/_old 2019-03-04 09:20:39.648597898 +0100
+++ /var/tmp/diff_new_pack.DrtdkU/_new 2019-03-04 09:20:39.648597898 +0100
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-omniauth-google-oauth2
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
#
Name: rubygem-omniauth-google-oauth2
-Version: 0.5.4
+Version: 0.6.0
Release: 0
%define mod_name omniauth-google-oauth2
%define mod_full_name %{mod_name}-%{version}
++++++ omniauth-google-oauth2-0.5.4.gem -> omniauth-google-oauth2-0.6.0.gem
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2018-12-08 00:59:10.000000000 +0100
+++ new/CHANGELOG.md 2018-12-29 07:38:12.000000000 +0100
@@ -1,6 +1,21 @@
# Changelog
All notable changes to this project will be documented in this file.
+## 0.6.0 - 2018-12-28
+
+### Added
+- Support for JWT 2.x.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Support for JWT 1.x.
+- Support for `raw_friend_info` and `raw_image_info`.
+
+### Fixed
+- Nothing.
+
## 0.5.4 - 2018-12-07
### Added
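Review bot: the `### Removed` list is incomplete: the `verify_iss` option is deleted from the strategy in this same release (see `- option :verify_iss, true` in the google_oauth2.rb diff below) but is not mentioned here, and `### Deprecated` says "Nothing" only because the option was removed outright rather than deprecated. Add "Removed: the `verify_iss` option; both `accounts.google.com` and `https://accounts.google.com` are now always accepted as issuer" so users searching the changelog for the option find the answer.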
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md 2018-12-08 00:59:10.000000000 +0100
+++ new/README.md 2018-12-29 07:38:12.000000000 +0100
@@ -7,8 +7,6 @@
Get your API key at: https://code.google.com/apis/console/ Note the Client ID
and the Client Secret.
-**Note**: You must enable the "Contacts API" and "Google+ API" via the Google
API console. Otherwise, you will receive an `OAuth2::Error`(`Error: "Invalid
credentials"`) stating that access is not configured when you attempt to
authenticate.
-
For more details, read the Google docs:
https://developers.google.com/accounts/docs/OAuth2
## Installation
@@ -25,8 +23,6 @@
* Go to 'https://console.developers.google.com'
* Select your project.
-* Click 'Enable and manage APIs'.
-* Make sure "Contacts API" and "Google+ API" are on.
* Go to Credentials, then select the "OAuth consent screen" tab on top, and
provide an 'EMAIL ADDRESS' and a 'PRODUCT NAME'
* Wait 10 minutes for changes to take effect.
@@ -87,15 +83,13 @@
* `openid_realm`: Set the OpenID realm value, to allow upgrading from OpenID
based authentication to OAuth 2 based authentication. When this is set
correctly an `openid_id` value will be set in `[:extra][:id_info]` in the
authentication hash with the value of the user's OpenID ID URL.
-* `verify_iss`: Allows you to disable iss validation when decoding the JWT.
This was added since Google now returns either `accounts.google.com` or
`https://accounts.google.com`, and there is no way to predict what they will
return, causing JWT validation failures.
-
Here's an example of a possible configuration where the strategy name is
changed, the user is asked for extra permissions, the user is always prompted
to select his account when logging in and the user's profile picture is
returned as a thumbnail:
```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'],
ENV['GOOGLE_CLIENT_SECRET'],
{
- scope: 'userinfo.email, userinfo.profile, plus.me,
http://gdata.youtube.com',
+ scope: 'userinfo.email, userinfo.profile, http://gdata.youtube.com',
prompt: 'select_account',
image_aspect_ratio: 'square',
image_size: 50
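Review bot: the `verify_iss` bullet is dropped without telling readers what replaced it. The strategy now always validates `iss` against both `accounts.google.com` and `https://accounts.google.com` (`ALLOWED_ISSUERS`) and no longer reads `verify_iss` at all, so a configuration that still passes `verify_iss: false` is silently ignored. Keep a one-line note in this options list along the lines of "`verify_iss` has been removed; issuer validation is always on and accepts both forms" so users know to delete the key.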
@@ -141,8 +135,6 @@
"exp" => 1496120719
},
"raw_info" => {
- "kind" => "plus#personOpenIdConnect",
- "gender" => "male",
"sub" => "100000000000000000000",
"name" => "John Smith",
"given_name" => "John",
@@ -244,48 +236,38 @@
```javascript
// Basic hybrid auth example following the pattern at:
-//
https://developers.google.com/api-client-library/javascript/features/authentication#Authexample
-jQuery(function() {
- return $.ajax({
- url: 'https://apis.google.com/js/client:plus.js?onload=gpAsyncInit',
- dataType: 'script',
- cache: true
- });
-});
+// https://developers.google.com/identity/sign-in/web/reference
-window.gpAsyncInit = function() {
- gapi.auth.authorize({
- immediate: true,
- response_type: 'code',
- cookie_policy: 'single_host_origin',
- client_id: 'YOUR_CLIENT_ID',
- scope: 'email profile'
- }, function(response) {
- return;
- });
- $('.googleplus-login').click(function(e) {
- e.preventDefault();
- gapi.auth.authorize({
- immediate: false,
- response_type: 'code',
- cookie_policy: 'single_host_origin',
- client_id: 'YOUR_CLIENT_ID',
- scope: 'email profile'
- }, function(response) {
- if (response && !response.error) {
- // google authentication succeed, now post data to server.
- jQuery.ajax({type: 'POST', url: '/auth/google_oauth2/callback', data:
response,
- success: function(data) {
- // response from server
- }
- });
- } else {
- // google authentication failed
- }
+<script src="https://apis.google.com/js/platform.js?onload=init" async
defer></script>
+
+...
+
+function init() {
+ gapi.load('auth2', function() {
+ // Ready.
+ $('.google-login-button').click(function(e) {
+ e.preventDefault();
+
+ gapi.auth2.authorize({
+ client_id: 'YOUR_CLIENT_ID',
+ cookie_policy: 'single_host_origin',
+ scope: 'email profile',
+ response_type: 'code'
+ }, function(response) {
+ if (response && !response.error) {
+ // google authentication succeed, now post data to server.
+ jQuery.ajax({type: 'POST', url: '/auth/google_oauth2/callback',
data: response,
+ success: function(data) {
+ // response from server
+ }
+ });
+ } else {
+ // google authentication failed
+ }
+ });
});
});
};
-
```
#### Note about mobile clients (iOS, Android)
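Review bot: the rewritten hybrid example still posts the entire `response` object to `/auth/google_oauth2/callback`; with `response_type: 'code'` the server only needs the `code`, and the README should say which parameters the callback consumes and that the server re-validates whatever the browser sends against `client_id` / `authorized_client_ids` rather than trusting it. Two smaller points: `platform.js?onload=init` requires `init` to be a global function, which is worth stating since the snippet is shown out of context, and the `...` between the `<script>` tag and `function init()` leaves the block not copy-pasteable.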
@@ -309,7 +291,7 @@
## License
-Copyright (c) 2017 by Josh Ellithorpe
+Copyright (c) 2018 by Josh Ellithorpe
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/omniauth/google_oauth2/version.rb
new/lib/omniauth/google_oauth2/version.rb
--- old/lib/omniauth/google_oauth2/version.rb 2018-12-08 00:59:10.000000000
+0100
+++ new/lib/omniauth/google_oauth2/version.rb 2018-12-29 07:38:12.000000000
+0100
@@ -2,6 +2,6 @@
module OmniAuth
module GoogleOauth2
- VERSION = '0.5.4'
+ VERSION = '0.6.0'
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/omniauth/strategies/google_oauth2.rb
new/lib/omniauth/strategies/google_oauth2.rb
--- old/lib/omniauth/strategies/google_oauth2.rb 2018-12-08
00:59:10.000000000 +0100
+++ new/lib/omniauth/strategies/google_oauth2.rb 2018-12-29
07:38:12.000000000 +0100
@@ -8,9 +8,11 @@
module Strategies
# Main class for Google OAuth2 strategy.
class GoogleOauth2 < OmniAuth::Strategies::OAuth2
+ ALLOWED_ISSUERS = ['accounts.google.com',
'https://accounts.google.com'].freeze
BASE_SCOPE_URL = 'https://www.googleapis.com/auth/'
BASE_SCOPES = %w[profile email openid].freeze
DEFAULT_SCOPE = 'email,profile'
+ USER_INFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo'
option :name, 'google_oauth2'
option :skip_friends, true
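Review bot: `option :skip_friends, true` is now dead code: the `raw_friend_info` method and the `unless skip_info? || options[:skip_friends]` check that read it are removed later in this diff, and the same applies to `skip_image_info`, whose only read is on the removed `raw_image_info` line. Either delete both options in this hunk or log a deprecation when they are set, so a config with `skip_friends: false` fails loudly instead of being ignored.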
@@ -19,7 +21,6 @@
option :jwt_leeway, 60
option :authorize_options, %i[access_type hd login_hint prompt
request_visible_actions scope state redirect_uri include_granted_scopes
openid_realm device_id device_name]
option :authorized_client_ids, []
- option :verify_iss, true
option :client_options,
site: 'https://oauth2.googleapis.com',
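Review bot: deleting `option :verify_iss, true` outright means an application that still passes `verify_iss: false` (the README previously advertised it) gets neither an error nor a warning; the value is simply never read. Given the changelog says "Deprecated: Nothing", either keep the option for one release and emit a deprecation warning when it is supplied, or list it under "Removed" in the changelog so the break is documented.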
@@ -59,35 +60,30 @@
hash = {}
hash[:id_token] = access_token['id_token']
if !options[:skip_jwt] && !access_token['id_token'].nil?
- hash[:id_info] = ::JWT.decode(
- access_token['id_token'], nil, false, verify_iss:
options.verify_iss,
- iss: 'accounts.google.com',
- verify_aud: true,
- aud: options.client_id,
- verify_sub: false,
- verify_expiration: true,
- verify_not_before: true,
- verify_iat: true,
- verify_jti: false,
- leeway: options[:jwt_leeway]
- ).first
+ decoded = ::JWT.decode(access_token['id_token'], nil, false).first
+
+ # We have to manually verify the claims because the third parameter
to
+ # JWT.decode is false since no verification key is provided.
+ ::JWT::Verify.verify_claims(decoded,
+ verify_iss: true,
+ iss: ALLOWED_ISSUERS,
+ verify_aud: true,
+ aud: options.client_id,
+ verify_sub: false,
+ verify_expiration: true,
+ verify_not_before: true,
+ verify_iat: true,
+ verify_jti: false,
+ leeway: options[:jwt_leeway])
+
+ hash[:id_info] = decoded
end
hash[:raw_info] = raw_info unless skip_info?
- hash[:raw_friend_info] = raw_friend_info(raw_info['sub']) unless
skip_info? || options[:skip_friends]
- hash[:raw_image_info] = raw_image_info(raw_info['sub']) unless
skip_info? || options[:skip_image_info]
prune! hash
end
def raw_info
- @raw_info ||=
access_token.get('https://www.googleapis.com/plus/v1/people/me/openIdConnect').parsed
- end
-
- def raw_friend_info(id)
- @raw_friend_info ||=
access_token.get("https://www.googleapis.com/plus/v1/people/#{id}/people/visible").parsed
- end
-
- def raw_image_info(id)
- @raw_image_info ||=
access_token.get("https://www.googleapis.com/plus/v1/people/#{id}?fields=image").parsed
+ @raw_info ||= access_token.get(USER_INFO_URL).parsed
end
def custom_build_access_token
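Review bot: the new path still never checks the id_token signature. `::JWT.decode(access_token['id_token'], nil, false)` disables verification and the following `::JWT::Verify.verify_claims` call only checks `iss`, `aud`, `exp`, `nbf` and `iat`, so a token with a plausible payload and a garbage signature is accepted into `hash[:id_info]`. That is defensible only when the id_token came straight from Google's token endpoint over TLS; if `custom_build_access_token` can construct the token from client-supplied parameters (the README's hybrid flow posts the browser's response to the callback), the issuer and audience checks alone do not stop a forged token. Either verify the signature against Google's published keys or spell out the TLS-channel assumption in the `# We have to manually verify the claims` comment. Two secondary points: `JWT::Verify` is an internal class of the jwt gem rather than its documented entry point, and the explicit `ALLOWED_ISSUERS` list is the right fix for the `accounts.google.com` vs `https://accounts.google.com` problem that `verify_iss: false` used to paper over, so the removal of that escape hatch is a net security improvement worth calling out in the changelog.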
@@ -202,7 +198,7 @@
def verify_hd(access_token)
return true unless options.hd
- @raw_info ||=
access_token.get('https://www.googleapis.com/plus/v1/people/me/openIdConnect').parsed
+ @raw_info ||= access_token.get(USER_INFO_URL).parsed
options.hd = options.hd.call if options.hd.is_a? Proc
allowed_hosted_domains = Array(options.hd)
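Review bot: `verify_hd` re-implements the `raw_info` memoization (`@raw_info ||= access_token.get(USER_INFO_URL).parsed`) instead of calling `raw_info`. The difference is that it uses the `access_token` argument rather than the strategy's `access_token` accessor; if that is deliberate (the accessor may not be assigned yet when `verify_hd` runs), a short comment would stop the next contributor from "deduplicating" the two and breaking the hosted-domain check.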
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2018-12-08 00:59:10.000000000 +0100
+++ new/metadata 2018-12-29 07:38:12.000000000 +0100
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: omniauth-google-oauth2
version: !ruby/object:Gem::Version
- version: 0.5.4
+ version: 0.6.0
platform: ruby
authors:
- Josh Ellithorpe
@@ -9,7 +9,7 @@
autorequire:
bindir: bin
cert_chain: []
-date: 2018-12-07 00:00:00.000000000 Z
+date: 2018-12-29 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: jwt
@@ -17,14 +17,14 @@
requirements:
- - ">="
- !ruby/object:Gem::Version
- version: '1.5'
+ version: '2.0'
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - ">="
- !ruby/object:Gem::Version
- version: '1.5'
+ version: '2.0'
- !ruby/object:Gem::Dependency
name: omniauth
requirement: !ruby/object:Gem::Requirement
@@ -141,7 +141,7 @@
version: '0'
requirements: []
rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 2.6.11
signing_key:
specification_version: 4
summary: A Google OAuth2 strategy for OmniAuth 1.x
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/omniauth-google-oauth2.gemspec
new/omniauth-google-oauth2.gemspec
--- old/omniauth-google-oauth2.gemspec 2018-12-08 00:59:10.000000000 +0100
+++ new/omniauth-google-oauth2.gemspec 2018-12-29 07:38:12.000000000 +0100
@@ -20,7 +20,7 @@
gem.required_ruby_version = '>= 2.1'
- gem.add_runtime_dependency 'jwt', '>= 1.5'
+ gem.add_runtime_dependency 'jwt', '>= 2.0'
gem.add_runtime_dependency 'omniauth', '>= 1.1.1'
gem.add_runtime_dependency 'omniauth-oauth2', '>= 1.5'
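Review bot: `'>= 2.0'` has no upper bound, yet the strategy now calls `JWT::Verify.verify_claims` directly, which is not part of the jwt gem's documented public API; a future 3.x could remove it and break decoding at runtime. `'~> 2.0'` (or `'>= 2.0', '< 3'`) matches what this release was actually tested against, and the same bound should be mirrored in the metadata file.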
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/spec/omniauth/strategies/google_oauth2_spec.rb
new/spec/omniauth/strategies/google_oauth2_spec.rb
--- old/spec/omniauth/strategies/google_oauth2_spec.rb 2018-12-08
00:59:10.000000000 +0100
+++ new/spec/omniauth/strategies/google_oauth2_spec.rb 2018-12-29
07:38:12.000000000 +0100
@@ -304,9 +304,7 @@
OAuth2::Client.new('abc', 'def') do |builder|
builder.request :url_encoded
builder.adapter :test do |stub|
- stub.get('/plus/v1/people/me/openIdConnect') { [200, {
'content-type' => 'application/json' }, '{"sub": "12345"}'] }
- stub.get('/plus/v1/people/12345/people/visible') { [200, {
'content-type' => 'application/json' }, '[{"foo":"bar"}]'] }
- stub.get('/plus/v1/people/12345?fields=image') { [200, {
'content-type' => 'application/json' }, '{"image":"imageData"}'] }
+ stub.get('/oauth2/v3/userinfo') { [200, { 'content-type' =>
'application/json' }, '{"sub": "12345"}'] }
end
end
end
@@ -315,35 +313,60 @@
before { allow(subject).to receive(:access_token).and_return(access_token)
}
describe 'id_token' do
- context 'when the id_token is passed into the access token' do
- token_info =
+ shared_examples 'id_token issued by valid issuer' do |issuer| #
rubocop:disable Metrics/BlockLength
+ context 'when the id_token is passed into the access token' do
+ let(:token_info) do
+ {
+ 'abc' => 'xyz',
+ 'exp' => Time.now.to_i + 3600,
+ 'nbf' => Time.now.to_i - 60,
+ 'iat' => Time.now.to_i,
+ 'aud' => 'appid',
+ 'iss' => issuer
+ }
+ end
+ let(:id_token) { JWT.encode(token_info, 'secret') }
+ let(:access_token) { OAuth2::AccessToken.from_hash(client,
'id_token' => id_token) }
+
+ it 'should include id_token when set on the access_token' do
+ expect(subject.extra).to include(id_token: id_token)
+ end
+
+ it 'should include id_info when id_token is set on the access_token
and skip_jwt is false' do
+ subject.options[:skip_jwt] = false
+ expect(subject.extra).to include(id_info: token_info)
+ end
+
+ it 'should not include id_info when id_token is set on the
access_token and skip_jwt is true' do
+ subject.options[:skip_jwt] = true
+ expect(subject.extra).not_to have_key(:id_info)
+ end
+
+ it 'should include id_info when id_token is set on the access_token
by default' do
+ expect(subject.extra).to include(id_info: token_info)
+ end
+ end
+ end
+
+ it_behaves_like 'id_token issued by valid issuer', 'accounts.google.com'
+ it_behaves_like 'id_token issued by valid issuer',
'https://accounts.google.com'
+
+ context 'when the id_token is issued by an invalid issuer' do
+ let(:token_info) do
{
'abc' => 'xyz',
'exp' => Time.now.to_i + 3600,
'nbf' => Time.now.to_i - 60,
'iat' => Time.now.to_i,
'aud' => 'appid',
- 'iss' => 'accounts.google.com'
+ 'iss' => 'fake.google.com'
}
- id_token = JWT.encode(token_info, 'secret')
- let(:access_token) { OAuth2::AccessToken.from_hash(client, 'id_token'
=> id_token) }
-
- it 'should include id_token when set on the access_token' do
- expect(subject.extra).to include(id_token: id_token)
- end
-
- it 'should include id_info when id_token is set on the access_token
and skip_jwt is false' do
- subject.options[:skip_jwt] = false
- expect(subject.extra).to include(id_info: token_info)
- end
-
- it 'should not include id_info when id_token is set on the
access_token and skip_jwt is true' do
- subject.options[:skip_jwt] = true
- expect(subject.extra).not_to have_key(:id_info)
end
+ let(:id_token) { JWT.encode(token_info, 'secret') }
+ let(:access_token) { OAuth2::AccessToken.from_hash(client, 'id_token'
=> id_token) }
- it 'should include id_info when id_token is set on the access_token by
default' do
- expect(subject.extra).to include(id_info: token_info)
+ it 'raises JWT::InvalidIssuerError' do
+ expect { subject.extra }.to raise_error(JWT::InvalidIssuerError)
end
end
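Review bot: the only negative case added is the `fake.google.com` issuer. Because every token here is built with `JWT.encode(token_info, 'secret')` and the strategy never sees that secret, these tests also document that the signature is not checked. Add cases for a wrong `aud` (expect `JWT::InvalidAudError`) and an expired `exp` (expect `JWT::ExpiredSignature`) so the manual `verify_claims` call is actually covered, and consider one test with a tampered signature to make the accepted trust boundary explicit rather than implicit.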
@@ -375,66 +398,6 @@
end
end
end
-
- describe 'raw_friend_info' do
- context 'when skip_info is true' do
- before { subject.options[:skip_info] = true }
-
- it 'should not include raw_friend_info' do
- expect(subject.extra).not_to have_key(:raw_friend_info)
- end
- end
-
- context 'when skip_info is false' do
- before { subject.options[:skip_info] = false }
-
- context 'when skip_friends is true' do
- before { subject.options[:skip_friends] = true }
-
- it 'should not include raw_friend_info' do
- expect(subject.extra).not_to have_key(:raw_friend_info)
- end
- end
-
- context 'when skip_friends is false' do
- before { subject.options[:skip_friends] = false }
-
- it 'should not include raw_friend_info' do
- expect(subject.extra[:raw_friend_info]).to eq([{ 'foo' => 'bar' }])
- end
- end
- end
- end
-
- describe 'raw_image_info' do
- context 'when skip_info is true' do
- before { subject.options[:skip_info] = true }
-
- it 'should not include raw_image_info' do
- expect(subject.extra).not_to have_key(:raw_image_info)
- end
- end
-
- context 'when skip_info is false' do
- before { subject.options[:skip_info] = false }
-
- context 'when skip_image_info is true' do
- before { subject.options[:skip_image_info] = true }
-
- it 'should not include raw_image_info' do
- expect(subject.extra).not_to have_key(:raw_image_info)
- end
- end
-
- context 'when skip_image_info is false' do
- before { subject.options[:skip_image_info] = false }
-
- it 'should include raw_image_info' do
- expect(subject.extra[:raw_image_info]).to eq('image' =>
'imageData')
- end
- end
- end
- end
end
describe 'populate auth hash urls' do
@@ -599,37 +562,6 @@
end
end
- describe 'verify_iss option' do
- before(:each) do
- subject.options.client_options[:connection_build] = proc do |builder|
- builder.request :url_encoded
- builder.adapter :test do |stub|
- stub.get('/oauth2/v3/tokeninfo?access_token=invalid_iss_token') do
- [200, { 'Content-Type' => 'application/json; charset=UTF-8' },
- JSON.dump(
- aud: '000000000000.apps.googleusercontent.com',
- sub: '123456789',
- email_verified: 'true',
- email: '[email protected]',
- access_type: 'offline',
- scope: 'profile email',
- expires_in: 436,
- iss: 'foobar.com'
- )]
- end
- end
- end
- subject.options.authorized_client_ids =
['000000000000.apps.googleusercontent.com']
- subject.options.client_id = '000000000000.apps.googleusercontent.com'
- subject.options[:verify_iss] = false
- end
-
- it 'should verify token if the iss does not match options.expected_iss' do
- result = subject.send(:verify_token, 'invalid_iss_token')
- expect(result).to eq(true)
- end
- end
-
describe 'verify_token' do
before(:each) do
subject.options.client_options[:connection_build] = proc do |builder|
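Review bot: this removes the only test that exercised `verify_token` with a non-Google `iss` (the stubbed `/oauth2/v3/tokeninfo` response with `iss: 'foobar.com'`), and nothing elsewhere in the diff adds a replacement asserting that `verify_token` now rejects such a token. Add a test expecting rejection; otherwise the tokeninfo path used by the hybrid and mobile flows has no issuer coverage at all after the `verify_iss` option is gone.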
@@ -679,7 +611,7 @@
OAuth2::Client.new('abc', 'def') do |builder|
builder.request :url_encoded
builder.adapter :test do |stub|
- stub.get('/plus/v1/people/me/openIdConnect') do
+ stub.get('/oauth2/v3/userinfo') do
[200, { 'Content-Type' => 'application/json; charset=UTF-8' },
JSON.dump(
hd: 'example.com'
)]
@@ -694,7 +626,7 @@
OAuth2::Client.new('abc', 'def') do |builder|
builder.request :url_encoded
builder.adapter :test do |stub|
- stub.get('/plus/v1/people/me/openIdConnect') do
+ stub.get('/oauth2/v3/userinfo') do
[200, { 'Content-Type' => 'application/json; charset=UTF-8' },
JSON.dump({})]
end
end