feature: Store and return nonces in IdToken responses
- Add migration generator for nonce table
- Abort if Doorkeeper ORM isn't set to ActiveRecord
- Use prepend to extend Doorkeeper classes
Showing 30 changed files with 480 additions and 87 deletions.
@@ -27,4 +27,6 @@ def prompt_values | |
end | ||
end | ||
end | ||
|
||
Helpers::Controller.send :prepend, OpenidConnect::Helpers::Controller | ||
end |
@@ -0,0 +1,20 @@ | ||
module Doorkeeper | ||
module OpenidConnect | ||
module OAuth | ||
module Authorization | ||
module Code | ||
def issue_token | ||
super.tap do |access_grant| | ||
::Doorkeeper::OpenidConnect::Nonce.create!( | ||
access_grant: access_grant, | ||
nonce: pre_auth.nonce | ||
) | ||
end | ||
end | ||
end | ||
end | ||
end | ||
end | ||
|
||
OAuth::Authorization::Code.send :prepend, OpenidConnect::OAuth::Authorization::Code | ||
end |
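Review bot: `Nonce.create!` at the top of this hunk runs unconditionally with `nonce: pre_auth.nonce`, but the `Nonce` model in this same commit validates `nonce` for presence, so any authorization-code request that omits the optional `nonce` parameter will raise `ActiveRecord::RecordInvalid` inside `issue_token` instead of succeeding. Guard the create, e.g. `::Doorkeeper::OpenidConnect::Nonce.create!(...) if pre_auth.nonce.present?`, and consider restricting it to grants that carry the `openid` scope.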
lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb (17 additions, 0 deletions)
@@ -0,0 +1,17 @@ | ||
module Doorkeeper | ||
module OpenidConnect | ||
module OAuth | ||
module AuthorizationCodeRequest | ||
private | ||
|
||
def after_successful_response | ||
super | ||
id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token, grant.openid_connect_nonce.use!) | ||
@response.id_token = id_token | ||
end | ||
end | ||
end | ||
end | ||
|
||
OAuth::AuthorizationCodeRequest.send :prepend, OpenidConnect::OAuth::AuthorizationCodeRequest | ||
end |
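Review bot: `grant.openid_connect_nonce.use!` in `after_successful_response` dereferences the `has_one` association without a nil check, so a grant that has no nonce row (any code issued without a `nonce`, or a row already consumed) raises `NoMethodError` on `nil` and turns a valid token exchange into a 500. Use `grant.openid_connect_nonce.try(:use!)` (or the safe-navigation operator) and let `IdToken` accept a nil nonce; it would also be worth a short comment that `use!` destroys the row, so the nonce is single-use by design.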
lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb (28 additions, 0 deletions)
@@ -0,0 +1,28 @@ | ||
module Doorkeeper | ||
module OpenidConnect | ||
module OAuth | ||
module PasswordAccessTokenRequest | ||
def self.prepended(base) | ||
base.class_eval do | ||
attr_reader :nonce | ||
end | ||
end | ||
|
||
def initialize(server, client, resource_owner, parameters = {}) | ||
super | ||
@nonce = parameters[:nonce] | ||
end | ||
|
||
private | ||
|
||
def after_successful_response | ||
super | ||
id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token, nonce) | ||
@response.id_token = id_token | ||
end | ||
end | ||
end | ||
end | ||
|
||
OAuth::PasswordAccessTokenRequest.send :prepend, OpenidConnect::OAuth::PasswordAccessTokenRequest | ||
end |
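Review bot: `@nonce = parameters[:nonce]` stores the raw request value with no presence or length check, and `after_successful_response` then builds an `IdToken` for every password grant regardless of scope; `TokenResponse#body` later discards the `id_token` for non-openid tokens, so the signing work is wasted on those. Consider building the ID token only when `access_token.includes_scope?('openid')` and documenting that the nonce is echoed unvalidated, since it ends up inside a signed token.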
@@ -0,0 +1,20 @@ | ||
module Doorkeeper | ||
module OpenidConnect | ||
module OAuth | ||
module PreAuthorization | ||
def self.prepended(base) | ||
base.class_eval do | ||
attr_reader :nonce | ||
end | ||
end | ||
|
||
def initialize(server, client, attrs = {}) | ||
super | ||
@nonce = attrs[:nonce] | ||
end | ||
end | ||
end | ||
end | ||
|
||
OAuth::PreAuthorization.send :prepend, OpenidConnect::OAuth::PreAuthorization | ||
end |
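Review bot: `@nonce = attrs[:nonce]` is captured but never validated here, which is the natural place to reject a blank or oversized nonce with an `invalid_request` error; as written, the first check happens much later when `Nonce.create!` (presence validation) raises during code issuance, surfacing as a server error rather than a proper OAuth error response. Adding a validation step to `PreAuthorization` (mirroring how Doorkeeper validates the other parameters) would make the failure mode explicit.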
@@ -0,0 +1,25 @@ | ||
module Doorkeeper | ||
module OpenidConnect | ||
module OAuth | ||
module TokenResponse | ||
def self.prepended(base) | ||
base.class_eval do | ||
attr_accessor :id_token | ||
end | ||
end | ||
|
||
def body | ||
if token.includes_scope? 'openid' | ||
super. | ||
merge({:id_token => id_token.try(:as_jws_token)}). | ||
reject { |_, value| value.blank? } | ||
else | ||
super | ||
end | ||
end | ||
end | ||
end | ||
end | ||
|
||
OAuth::TokenResponse.send :prepend, OpenidConnect::OAuth::TokenResponse | ||
end |
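Review bot: the `reject { |_, value| value.blank? }` in `body` filters the entire merged hash, not just the `id_token` key, so any blank field that Doorkeeper's `super` legitimately emits (for example an empty `scope`) is silently dropped from openid responses only, making the two branches return differently shaped bodies. Narrow it to the new key, e.g. `super.merge(id_token: id_token.try(:as_jws_token)).tap { |h| h.delete(:id_token) if h[:id_token].blank? }`, and prefer leading-dot chaining over the trailing `super.` style used here.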
@@ -0,0 +1,21 @@ | ||
module Doorkeeper | ||
module OpenidConnect | ||
module Orm | ||
module ActiveRecord | ||
def initialize_models! | ||
super | ||
require 'doorkeeper/openid_connect/orm/active_record/access_grant' | ||
require 'doorkeeper/openid_connect/orm/active_record/nonce' | ||
|
||
if Doorkeeper.configuration.active_record_options[:establish_connection] | ||
[Doorkeeper::OpenidConnect::Nonce].each do |c| | ||
c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection] | ||
end | ||
end | ||
end | ||
end | ||
end | ||
end | ||
|
||
Orm::ActiveRecord.singleton_class.send :prepend, OpenidConnect::Orm::ActiveRecord | ||
end |
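Review bot: `[Doorkeeper::OpenidConnect::Nonce].each do |c| ... end` iterates a one-element array; either call `Doorkeeper::OpenidConnect::Nonce.establish_connection(...)` directly or add a comment that the list is expected to grow, otherwise it reads as leftover scaffolding. The commit message also promises an abort when the ORM is not ActiveRecord, but nothing in this hunk performs that check, so it should be referenced (or added) here where the ActiveRecord-specific requires happen.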
lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb (16 additions, 0 deletions)
@@ -0,0 +1,16 @@ | ||
module Doorkeeper | ||
module OpenidConnect | ||
module AccessGrant | ||
def self.prepended(base) | ||
base.class_eval do | ||
has_one :openid_connect_nonce, | ||
class_name: 'Doorkeeper::OpenidConnect::Nonce', | ||
inverse_of: :access_grant, | ||
dependent: :delete | ||
end | ||
end | ||
end | ||
end | ||
|
||
AccessGrant.send :prepend, OpenidConnect::AccessGrant | ||
end |
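Review bot: `dependent: :delete` on `has_one :openid_connect_nonce` is what keeps grant deletion from violating the new foreign key (the migration in this commit adds `add_foreign_key` without an `on_delete` action), so that dependency deserves a one-line comment; if the nonce is ever deleted by a path that bypasses ActiveRecord callbacks, the constraint will fail at the database instead.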
@@ -0,0 +1,17 @@ | ||
module Doorkeeper | ||
module OpenidConnect | ||
class Nonce < ActiveRecord::Base | ||
self.table_name = "#{table_name_prefix}oauth_openid_connect_nonces#{table_name_suffix}".to_sym | ||
|
||
validates :access_grant_id, :nonce, presence: true | ||
belongs_to :access_grant, | ||
class_name: 'Doorkeeper::AccessGrant', | ||
inverse_of: :openid_connect_nonce | ||
|
||
def use! | ||
destroy! | ||
nonce | ||
end | ||
end | ||
end | ||
end |
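Review bot: `use!` should carry a comment stating its contract: it destroys the row and returns the stored `nonce`, so a second call on the same grant can never succeed, which is the single-use property the caller in `AuthorizationCodeRequest` relies on. Also, `self.table_name = "...".to_sym` is unnecessary; `table_name=` accepts a plain string, and the surrounding Doorkeeper models assign strings.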
lib/generators/doorkeeper/openid_connect/migration_generator.rb (15 additions, 0 deletions)
@@ -0,0 +1,15 @@ | ||
require 'rails/generators/active_record' | ||
|
||
class Doorkeeper::OpenidConnect::MigrationGenerator < ::Rails::Generators::Base | ||
include Rails::Generators::Migration | ||
source_root File.expand_path('../templates', __FILE__) | ||
desc 'Installs Doorkeeper OpenID Connect migration file.' | ||
|
||
def install | ||
migration_template 'migration.rb', 'db/migrate/create_doorkeeper_openid_connect_tables.rb' | ||
end | ||
|
||
def self.next_migration_number(dirname) | ||
ActiveRecord::Generators::Base.next_migration_number(dirname) | ||
end | ||
end |
lib/generators/doorkeeper/openid_connect/templates/migration.rb (14 additions, 0 deletions)
@@ -0,0 +1,14 @@ | ||
class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration | ||
def change | ||
create_table :oauth_openid_connect_nonces do |t| | ||
t.integer :access_grant_id, null: false | ||
t.string :nonce, null: false | ||
end | ||
|
||
add_foreign_key( | ||
:oauth_openid_connect_nonces, | ||
:oauth_access_grants, | ||
column: :access_grant_id | ||
) | ||
end | ||
end |
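Review bot: `oauth_openid_connect_nonces` gets no index on `access_grant_id`, yet that column is the only way the table is ever queried (the `has_one` lookup in `AccessGrant`), so add `t.index :access_grant_id` (a unique index would also enforce one nonce per grant at the database level). The template also inherits from bare `ActiveRecord::Migration`, which is deprecated on Rails 5.0 and rejected on 5.1+; a versioned superclass, or generating it from the app's Rails version, would avoid that.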
spec/dummy/db/migrate/20161031135842_create_doorkeeper_openid_connect_tables.rb (14 additions, 0 deletions)
@@ -0,0 +1,14 @@ | ||
class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration | ||
def change | ||
create_table :oauth_openid_connect_nonces do |t| | ||
t.integer :access_grant_id, null: false | ||
t.string :nonce, null: false | ||
end | ||
|
||
add_foreign_key( | ||
:oauth_openid_connect_nonces, | ||
:oauth_access_grants, | ||
column: :access_grant_id | ||
) | ||
end | ||
end |
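Review bot: this dummy-app migration is a verbatim copy of the generator template above, so the two will drift; either generate it in the spec setup from the template or add a comment in both files pointing at the other, and apply the same `access_grant_id` index and migration-version fixes here so the specs exercise the schema users will actually get.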