
feature: Respect scope grants in UserInfo response
- Support a :scope parameter when defining claims
- Remove the Models namespace since these aren't Rails models
toupeira committed Nov 14, 2016
1 parent 2838f90 commit 25f2170
Showing 26 changed files with 273 additions and 181 deletions.
Expand Up @@ -6,7 +6,7 @@ class UserinfoController < ::Doorkeeper::ApplicationController

def show
resource_owner = doorkeeper_token.instance_eval(&Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token)
user_info = Doorkeeper::OpenidConnect::Models::UserInfo.new(resource_owner)
user_info = Doorkeeper::OpenidConnect::UserInfo.new(resource_owner, doorkeeper_token.scopes)
render json: user_info, status: :ok
end
end
9 changes: 4 additions & 5 deletions lib/doorkeeper/openid_connect.rb
Expand Up @@ -3,17 +3,16 @@
require 'json/jwt'

require 'doorkeeper/openid_connect/claims_builder'
require 'doorkeeper/openid_connect/claims/claim'
require 'doorkeeper/openid_connect/claims/normal_claim'
require 'doorkeeper/openid_connect/config'
require 'doorkeeper/openid_connect/engine'
require 'doorkeeper/openid_connect/id_token'
require 'doorkeeper/openid_connect/user_info'
require 'doorkeeper/openid_connect/version'

require 'doorkeeper/openid_connect/helpers/controller'

require 'doorkeeper/openid_connect/models/id_token'
require 'doorkeeper/openid_connect/models/user_info'
require 'doorkeeper/openid_connect/models/claims/claim'
require 'doorkeeper/openid_connect/models/claims/normal_claim'

require 'doorkeeper/openid_connect/oauth/authorization/code'
require 'doorkeeper/openid_connect/oauth/authorization_code_request'
require 'doorkeeper/openid_connect/oauth/password_access_token_request'
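Review bot: The require list added at `require 'doorkeeper/openid_connect/claims/claim'` and `require 'doorkeeper/openid_connect/claims/normal_claim'` does not load the `claims/aggregated_claim.rb` and `claims/distributed_claim.rb` files this same commit creates, so `Claims::AggregatedClaim` and `Claims::DistributedClaim` are unreachable unless something outside this file requires them (an engine's lib/ directory is not autoloaded by default, as far as I can tell). Either leave the two files out until they are wired in, or add `require 'doorkeeper/openid_connect/claims/aggregated_claim'` and `require 'doorkeeper/openid_connect/claims/distributed_claim'` directly after the `claims/claim` line, since both subclass `Claim` and must be loaded after it.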
9 changes: 9 additions & 0 deletions lib/doorkeeper/openid_connect/claims/aggregated_claim.rb
@@ -0,0 +1,9 @@
module Doorkeeper
module OpenidConnect
module Claims
class AggregatedClaim < Claim
attr_accessor :jwt
end
end
end
end
34 changes: 34 additions & 0 deletions lib/doorkeeper/openid_connect/claims/claim.rb
@@ -0,0 +1,34 @@
module Doorkeeper
module OpenidConnect
module Claims
class Claim
attr_accessor :name, :scope

# http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
# http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
STANDARD_CLAIMS = {
profile: %w[
name family_name given_name middle_name nickname preferred_username
profile picture website gender birthdate zoneinfo locale updated_at
],
email: %w[ email email_verified ],
address: %w[ address ],
phone: %w[ phone_number phone_number_verified ],
}

def initialize(options = {})
@name = options[:name]
@scope = options[:scope]

# use default scope for Standard Claims
@scope ||= STANDARD_CLAIMS.find do |_scope, claims|
claims.include? @name
end.try(:first)

# use profile scope as default fallback
@scope ||= :profile
end
end
end
end
end
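Review bot: The Standard Claims lookup in `initialize` compares `@name` against the string entries of `STANDARD_CLAIMS` with `claims.include? @name`, so if claims are registered with symbol names (the builder passes `name` through untouched and the usual DSL form is `claim :email do … end`, though the call sites are not in this diff), `%w[email email_verified].include?(:email)` is false, the lookup finds nothing, and every claim — `email` and `phone_number` included — falls through to the `:profile` default, which would release them to any token carrying only `profile` and defeat the scope enforcement this commit introduces. Normalise both sides before comparing: `@scope = options[:scope].try(:to_sym)` and `claims.include?(@name.to_s)` (or store the table as `%i[...]` and coerce `@name` with `to_sym`), and append `.freeze` to the `STANDARD_CLAIMS` literal so the scope table cannot be mutated at runtime. A custom claim defined without `scope:` also lands silently in `:profile`; a comment on the fallback such as `# non-standard claims without an explicit scope are released under :profile` would tell operators which scope gates their custom data.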
9 changes: 9 additions & 0 deletions lib/doorkeeper/openid_connect/claims/distributed_claim.rb
@@ -0,0 +1,9 @@
module Doorkeeper
module OpenidConnect
module Claims
class DistributedClaim < Claim
attr_accessor :endpoint, :access_token
end
end
end
end
18 changes: 18 additions & 0 deletions lib/doorkeeper/openid_connect/claims/normal_claim.rb
@@ -0,0 +1,18 @@
module Doorkeeper
module OpenidConnect
module Claims
class NormalClaim < Claim
attr_reader :generator

def initialize(options = {})
super(options)
@generator = options[:generator]
end

def type
:normal
end
end
end
end
end
8 changes: 5 additions & 3 deletions lib/doorkeeper/openid_connect/claims_builder.rb
Expand Up @@ -12,13 +12,15 @@ def build
@claims
end

def normal_claim(name, &block)
def normal_claim(name, scope: nil, &block)
@claims[name] =
Doorkeeper::OpenidConnect::Models::Claims::NormalClaim.new(
Claims::NormalClaim.new(
name: name,
value: block
scope: scope,
generator: block
)
end
alias_method :claim, :normal_claim
end
end
end
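Review bot: `normal_claim` gains the `scope:` keyword that decides which OAuth scope gates a claim in the UserInfo response, but the DSL method and its public alias `claim` carry no documentation of it, and nothing here tells a reader what happens when `scope:` is omitted. A short header comment would cover it: `# Define a claim served from the UserInfo endpoint. +scope+ names the OAuth scope a token must carry for the claim to be released; when omitted, Claims::Claim derives the OIDC standard scope for well-known claim names and falls back to :profile.` Note also that a misspelt `scope:` value is accepted silently and would simply never match a granted scope; validating it against the configured Doorkeeper scopes at definition time is worth considering, though whether that list is reachable from the builder is not visible in this diff.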
62 changes: 62 additions & 0 deletions lib/doorkeeper/openid_connect/id_token.rb
@@ -0,0 +1,62 @@
module Doorkeeper
module OpenidConnect
class IdToken
include ActiveModel::Validations

attr_reader :nonce

def initialize(access_token, nonce = nil)
@access_token = access_token
@nonce = nonce
@resource_owner = access_token.instance_eval(&Doorkeeper::OpenidConnect.configuration.resource_owner_from_access_token)
@issued_at = Time.now
end

def claims
{
iss: issuer,
sub: subject,
aud: audience,
exp: expiration,
iat: issued_at,
nonce: nonce,
auth_time: auth_time,
}
end

def as_json(*_)
claims.reject { |_, value| value.blank? }
end

def as_jws_token
JSON::JWT.new(as_json).sign(Doorkeeper::OpenidConnect.signing_key).to_s
end

private

def issuer
Doorkeeper::OpenidConnect.configuration.issuer
end

def subject
@resource_owner.instance_eval(&Doorkeeper::OpenidConnect.configuration.subject).to_s
end

def audience
@access_token.application.uid
end

def expiration
(@issued_at.utc + Doorkeeper::OpenidConnect.configuration.expiration).to_i
end

def issued_at
@issued_at.utc.to_i
end

def auth_time
@resource_owner.instance_eval(&Doorkeeper::OpenidConnect.configuration.auth_time_from_resource_owner).try(:to_i)
end
end
end
end
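Review bot: `as_json` strips every blank value from `claims`, so if `subject` or `audience` ever evaluates to nil or an empty string the ID Token is signed and returned without `sub` or `aud` instead of failing; the filter should be limited to the genuinely optional members, e.g. `claims.reject { |key, value| %i[nonce auth_time].include?(key) && value.blank? }`, and a blank `sub` should raise before `as_jws_token` signs anything. Relatedly, `audience` dereferences `@access_token.application.uid` with no nil guard; if a token can exist without an application in this Doorkeeper setup (not visible here) this raises a NoMethodError during token issuance rather than producing a clear error. The class otherwise appears to be a namespace move from `models/id_token.rb`, so the remaining methods are not re-reviewed here.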
11 changes: 0 additions & 11 deletions lib/doorkeeper/openid_connect/models/claims/aggregated_claim.rb

This file was deleted.

15 changes: 0 additions & 15 deletions lib/doorkeeper/openid_connect/models/claims/claim.rb

This file was deleted.

11 changes: 0 additions & 11 deletions lib/doorkeeper/openid_connect/models/claims/distributed_claim.rb

This file was deleted.

24 changes: 0 additions & 24 deletions lib/doorkeeper/openid_connect/models/claims/normal_claim.rb

This file was deleted.

64 changes: 0 additions & 64 deletions lib/doorkeeper/openid_connect/models/id_token.rb

This file was deleted.

39 changes: 0 additions & 39 deletions lib/doorkeeper/openid_connect/models/user_info.rb

This file was deleted.

Expand Up @@ -13,7 +13,7 @@ def after_successful_response
openid_request.nonce
end

id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token, nonce)
id_token = Doorkeeper::OpenidConnect::IdToken.new(access_token, nonce)
@response.id_token = id_token
end
end
Expand Up @@ -13,7 +13,7 @@ def initialize(server, client, resource_owner, parameters = {})

def after_successful_response
super
id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token, nonce)
id_token = Doorkeeper::OpenidConnect::IdToken.new(access_token, nonce)
@response.id_token = id_token
end
end