Import upstream version 3.1.0 Debian Janitor 1 year, 3 months ago
23 changed file(s) with 460 addition(s) and 490 deletion(s). Raw diff Collapse all Expand all
00 version: 2.1
11 orbs:
2 ship: auth0/ship@dev:alpha
2 ship: auth0/ship@0
33 codecov: codecov/codecov@3
44
55 matrix_rubyversions: &matrix_rubyversions
66 matrix:
77 parameters:
8 rubyversion: ["2.6", "2.7", "3.0", "3.1"]
8 rubyversion: ["2.7", "3.0", "3.1"]
99 # Default version of ruby to use for lint and publishing
1010 default_rubyversion: &default_rubyversion "2.7"
1111
0 {
1 "name": "Ruby",
2 "image": "mcr.microsoft.com/devcontainers/ruby:3.1",
3 "features": {
4 "ghcr.io/devcontainers/features/node:1": {
5 "version": "lts"
6 }
7 },
8
9 // Use 'forwardPorts' to make a list of ports inside the container available locally.
10 // "forwardPorts": [],
11
12 // Use 'postCreateCommand' to run commands after the container is created.
13 // "postCreateCommand": "ruby --version",
14
15 // Set `remoteUser` to `root` to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
16 "remoteUser": "vscode"
17 }
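--- a/.github/CODEOWNERS
+++ /dev/null
@@ -1 +0,0 @@
-* @auth0/dx-sdks-engineer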
+0
-8
.github/ISSUE_TEMPLATE/config.yml less more
0 blank_issues_enabled: false
1 contact_links:
2 - name: Auth0 Community
3 url: https://community.auth0.com/c/sdks/5
4 about: Discuss this SDK in the Auth0 Community forums
5 - name: Library Documentation
6 url: https://github.com/auth0/omniauth-auth0#documentation
7 about: Read the library docs on Auth0.com
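--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-name: Feature request
-about: Suggest an idea or a feature for this project
-title: ''
-labels: feature request
-assignees: ''
----
-
-<!--
-**Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
-
-Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
-
-By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
--->
-
-### Describe the problem you'd like to have solved
-
-<!--
-> A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
--->
-
-### Describe the ideal solution
-
-<!--
-> A clear and concise description of what you want to happen.
--->
-
-## Alternatives and current work-arounds
-
-<!--
-> A clear and concise description of any alternatives you've considered or any work-arounds that are currently in place.
--->
-
-### Additional information, if any
-
-<!--
-> Add any other context or screenshots about the feature request here.
--->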
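--- a/.github/ISSUE_TEMPLATE/report_a_bug.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-name: Report a bug
-about: Have you found a bug or issue? Create a bug report for this SDK
-title: ''
-labels: bug report
-assignees: ''
----
-
-<!--
-**Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues.
-
-Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here.
-
-By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
--->
-
-### Describe the problem
-
-<!--
-> Provide a clear and concise description of the issue
--->
-
-### What was the expected behavior?
-
-<!--
-> Tell us about the behavior you expected to see
--->
-
-### Reproduction
-<!--
-> Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent.
-> **Note**: If clear, reproducable steps or the smallest sample app demonstrating misbehavior cannot be provided, we may not be able to follow up on this bug report.
-
-> Where possible, please include:
->
-> - The smallest possible sample app that reproduces the undesirable behavior
-> - Log files (redact/remove sensitive information)
-> - Application settings (redact/remove sensitive information)
-> - Screenshots
--->
-
-- Step 1..
-- Step 2..
-- ...
-
-### Environment
-
-<!--
-> Please provide the following:
--->
-
-- **Version of this library used:**
-- **Which framework are you using, if applicable:**
-- **Other modules/plugins/libraries that might be involved:**
-- **Any other relevant information you think would be useful:**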
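--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ /dev/null
@@ -1,32 +0,0 @@
-### Changes
-
-Please describe both what is changing and why this is important. Include:
-
-- Endpoints added, deleted, deprecated, or changed
-- Classes and methods added, deleted, deprecated, or changed
-- Screenshots of new or changed UI, if applicable
-- A summary of usage if this is a new feature or change to a public API (this should also be added to relevant documentation once released)
-
-### References
-
-Please include relevant links supporting this change such as a:
-
-- support ticket
-- community post
-- StackOverflow post
-- support forum thread
-- related GitHub issue in this or another repo
-
-### Testing
-
-Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.
-
-* [ ] This change adds unit test coverage
-* [ ] This change has been tested on the latest version of the platform/language or why not
-
-### Checklist
-
-* [ ] I have read the [Auth0 contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
-* [ ] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
-* [ ] All existing and new tests complete without errors
-* [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](https://github.com/auth0/omniauth-auth0/blob/master/CONTRIBUTING.md) have been run/followed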
+0
-20
.github/stale.yml less more
0 # Configuration for probot-stale - https://github.com/probot/stale
1
2 # Number of days of inactivity before an Issue or Pull Request becomes stale
3 daysUntilStale: 90
4
5 # Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
6 daysUntilClose: 7
7
8 # Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
9 exemptLabels: []
10
11 # Set to true to ignore issues with an assignee (defaults to false)
12 exemptAssignees: true
13
14 # Label to use when marking as stale
15 staleLabel: closed:stale
16
17 # Comment to post when marking as stale. Set to `false` to disable
18 markComment: >
19 This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️
+0
-24
.github/workflows/semgrep.yml less more
0 name: Semgrep
1
2 on:
3 pull_request: {}
4
5 push:
6 branches: ["master", "main"]
7
8 schedule:
9 - cron: '30 0 1,15 * *'
10
11 jobs:
12 semgrep:
13 name: Scan
14 runs-on: ubuntu-latest
15 container:
16 image: returntocorp/semgrep
17 if: (github.actor != 'dependabot[bot]')
18 steps:
19 - uses: actions/checkout@v3
20
21 - run: semgrep ci
22 env:
23 SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
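--- a/.gitignore
+++ /dev/null
@@ -1,12 +0,0 @@
-.ruby-version
-coverage
-*.gem
-
-.#*
-.env
-log/
-tmp/
-
-## Environment normalization:
-/.bundle
-/vendor/bundle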
00 # Change Log
11
2 ## [v3.1.0](https://github.com/auth0/omniauth-auth0/tree/v3.1.0) (2022-11-04)
3
4 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.0.0...v3.1.0)
5
6 **Added**
7
8 - Add ui_locales to permitted params [\#135](https://github.com/auth0/omniauth-auth0/pull/135) ([martijn](https://github.com/martijn))
9
10 **Changed**
11
12 - Store plain Hash in session['authorize_params'] [\#150](https://github.com/auth0/omniauth-auth0/pull/150) ([santry](https://github.com/santry))
13 - Redesign readme to match new style [\#148](https://github.com/auth0/omniauth-auth0/pull/148) ([stevehobbsdev](https://github.com/stevehobbsdev))
14
15 **Fixed**
16
17 - Fix authentication hash link in code sample [\#153](https://github.com/auth0/omniauth-auth0/pull/153) ([ewanharris](https://github.com/ewanharris))
18
19 **Security**
20
21 - [Snyk] Fix for 1 vulnerabilities [\#149](https://github.com/auth0/omniauth-auth0/pull/149) ([snyk-bot](https://github.com/snyk-bot))
22 - Bump addressable from 2.7.0 to 2.8.0 [\#133](https://github.com/auth0/omniauth-auth0/pull/133) ([dependabot[bot]](https://github.com/apps/dependabot))
23 - [Snyk] Security upgrade webmock from 3.12.2 to 3.12.2 [\#134](https://github.com/auth0/omniauth-auth0/pull/134) ([snyk-bot](https://github.com/snyk-bot))
24
225 ## [v3.0.0](https://github.com/auth0/omniauth-auth0/tree/v3.0.0) (2021-04-14)
26
327 Version 3.0 introduces [Omniauth v2.0](https://github.com/omniauth/omniauth/releases/tag/v2.0.0) which addresses [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284). Omniauth now defaults to only allow `POST` as the allowed request_phase method. This was previously handled through the recommended [mitigation](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284) using the `omniauth-rails_csrf_protection v0.x.x` gem to provide CSRF protection.
428
529 ### Upgrading to omniauth-rails_csrf_protection v1.0.0
30
631 If you are using `omniauth-rails_csrf_protection` to provide CSRF protection, you will need to be upgrade to `1.x.x`.
732
833 ### BREAKING CHANGES
34
935 Now that OmniAuth now defaults to only `POST` as the allowed request_phase method, if you aren't already, you will need to convert any login links to use [form helpers](https://api.rubyonrails.org/classes/ActionView/Helpers/FormHelper.html#method-i-form_for) with the `POST` method.
1036
1137 ```html+ruby
2551 ```
2652
2753 ### Allowing GET Requests
54
2855 In the scenario you absolutely must use GET requests as an allowed request method for authentication, you can override the protection provided with the following config override:
2956
3057 ```ruby
31 # Allowing GET requests will expose you to CVE-2015-9284
58 # Allowing GET requests will expose you to CVE-2015-9284
3259 OmniAuth.config.allowed_request_methods = [:get, :post]
3360 ```
3461
3764 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.5.0...v2.6.0)
3865
3966 **Added**
40 - Org Support [SDK-2395] [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick))
41 - Add login_hint to permitted params [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz))
67
68 - Org Support [SDK-2395] [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick))
69 - Add login_hint to permitted params [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz))
4270
4371 ## [v2.5.0](https://github.com/auth0/omniauth-auth0/tree/v2.5.0) (2021-01-21)
4472
4573 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.2...v2.5.0)
4674
4775 **Added**
76
4877 - Parsing claims from the id_token [\#120](https://github.com/auth0/omniauth-auth0/pull/120) ([davidpatrick](https://github.com/davidpatrick))
4978
5079 **Changed**
80
5181 - Setup build matrix in CI [\#116](https://github.com/auth0/omniauth-auth0/pull/116) ([dmathieu](https://github.com/dmathieu))
5282
5383 **Fixed**
84
5485 - Fixes params passed to authorize [\#119](https://github.com/auth0/omniauth-auth0/pull/119) ([davidpatrick](https://github.com/davidpatrick))
5586
56
5787 ## [v2.4.2](https://github.com/auth0/omniauth-auth0/tree/v2.4.2) (2021-01-19)
5888
5989 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.1...v2.4.2)
6090
6191 **Fixed**
92
6293 - Lock Omniauth to 1.9 in gemspec
6394
6495 ## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08)
6697 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1)
6798
6899 **Fixed**
100
69101 - Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
70102
71
72103 ## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22)
73104
74105 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0)
75106
76107 **Security**
108
77109 - Bump rack from 2.2.2 to 2.2.3 [\#107](https://github.com/auth0/omniauth-auth0/pull/107) ([dependabot](https://github.com/dependabot))
78110 - Update dependencies [\#100](https://github.com/auth0/omniauth-auth0/pull/100) ([Albalmaceda](https://github.com/Albalmaceda))
79111
80112 **Added**
113
81114 - Add support for screen_hint=signup param [\#103](https://github.com/auth0/omniauth-auth0/pull/103) ([bbean86](https://github.com/bbean86))
82115 - Add support for `connection_scope` in params [\#99](https://github.com/auth0/omniauth-auth0/pull/99) ([felixclack](https://github.com/felixclack))
83116
84
85117 ## [v2.3.1](https://github.com/auth0/omniauth-auth0/tree/v2.3.1) (2020-03-27)
86118
87119 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.3.1)
92124 - Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" [\#96](https://github.com/auth0/omniauth-auth0/pull/96) ([stefanwork](https://github.com/stefanwork))
93125
94126 ## [v2.3.0](https://github.com/auth0/omniauth-auth0/tree/v2.3.0) (2020-03-06)
127
95128 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.2.0...v2.3.0)
96129
97130 **Added**
131
98132 - Improved OIDC Compliance [\#92](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick))
99133
100134 ## [v2.2.0](https://github.com/auth0/omniauth-auth0/tree/v2.2.0) (2018-04-18)
135
101136 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.1.0...v2.2.0)
102137
103138 **Closed issues**
139
104140 - It supports custom domain? [\#71](https://github.com/auth0/omniauth-auth0/issues/71)
105141 - Valid Login, No Details: email=nil image=nil name="github|38257089" nickname=nil [\#70](https://github.com/auth0/omniauth-auth0/issues/70)
106142
107143 **Added**
144
108145 - Custom issuer [\#77](https://github.com/auth0/omniauth-auth0/pull/77) ([ryan-rosenfeld](https://github.com/ryan-rosenfeld))
109146 - Add telemetry to token endpoint [\#74](https://github.com/auth0/omniauth-auth0/pull/74) ([joshcanhelp](https://github.com/joshcanhelp))
110147
111148 **Changed**
149
112150 - Remove telemetry from authorize URL [\#75](https://github.com/auth0/omniauth-auth0/pull/75) ([joshcanhelp](https://github.com/joshcanhelp))
113151
114152 ## [v2.1.0](https://github.com/auth0/omniauth-auth0/tree/v2.1.0) (2018-10-30)
153
115154 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.0.0...v2.1.0)
116155
117156 **Closed issues**
157
118158 - URL should be spelled uppercase outside of code [\#64](https://github.com/auth0/omniauth-auth0/issues/64)
119159 - Add prompt=none authorization param handler [\#58](https://github.com/auth0/omniauth-auth0/issues/58)
120160 - Could not find a valid mapping for path "/auth/oauth2/callback" [\#56](https://github.com/auth0/omniauth-auth0/issues/56)
123163 - /auth/:provider route not registered? [\#47](https://github.com/auth0/omniauth-auth0/issues/47)
124164
125165 **Added**
166
126167 - Add ID token validation [\#62](https://github.com/auth0/omniauth-auth0/pull/62) ([joshcanhelp](https://github.com/joshcanhelp))
127168 - Silent authentication [\#59](https://github.com/auth0/omniauth-auth0/pull/59) ([batalla3692](https://github.com/batalla3692))
128169 - Pass connection parameter to auth0 [\#54](https://github.com/auth0/omniauth-auth0/pull/54) ([tomgi](https://github.com/tomgi))
129170
130171 **Changed**
172
131173 - Update to omniauth-oauth2 [\#55](https://github.com/auth0/omniauth-auth0/pull/55) ([chills42](https://github.com/chills42))
132174
133175 **Fixed**
176
134177 - Fix Rubocop errors [\#66](https://github.com/auth0/omniauth-auth0/pull/66) ([joshcanhelp](https://github.com/joshcanhelp))
135178 - Fix minute bug in README.md [\#63](https://github.com/auth0/omniauth-auth0/pull/63) ([rahuldess](https://github.com/rahuldess))
136179
137180 ## [v2.0.0](https://github.com/auth0/omniauth-auth0/tree/v2.0.0) (2017-01-25)
181
138182 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.1...v2.0.0)
139183
140184 Updated library to handle OIDC conformant clients and OAuth2 features in Auth0.
152196 Also in `extra` will have in `raw_info` the full /userinfo response.
153197
154198 **Fixed**
199
155200 - Use image attribute of omniauth instead of picture [\#45](https://github.com/auth0/omniauth-auth0/pull/45) ([hzalaz](https://github.com/hzalaz))
156 - Rework strategy to handle OAuth and OIDC [\#44](https://github.com/auth0/omniauth-auth0/pull/44) ([hzalaz](https://github.com/hzalaz))
201 - Rework strategy to handle OAuth and OIDC [\#44](https://github.com/auth0/omniauth-auth0/pull/44) ([hzalaz](https://github.com/hzalaz))
157202 - lock v10 update, dependencies update [\#41](https://github.com/auth0/omniauth-auth0/pull/41) ([Amialc](https://github.com/Amialc))
158203
159204 ## [v1.4.2](https://github.com/auth0/omniauth-auth0/tree/v1.4.2) (2016-06-13)
205
160206 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.1...v1.4.2)
161207
162208 **Added**
209
163210 - Link to OmniAuth site [\#36](https://github.com/auth0/omniauth-auth0/pull/36) ([jghaines](https://github.com/jghaines))
164211 - add ssl fix to RoR example [\#31](https://github.com/auth0/omniauth-auth0/pull/31) ([Amialc](https://github.com/Amialc))
165212 - Update LICENSE [\#17](https://github.com/auth0/omniauth-auth0/pull/17) ([aguerere](https://github.com/aguerere))
166213
167214 **Changed**
215
168216 - Update lock to version 9 [\#34](https://github.com/auth0/omniauth-auth0/pull/34) ([Annyv2](https://github.com/Annyv2))
169217 - Update Gemfile [\#22](https://github.com/auth0/omniauth-auth0/pull/22) ([Annyv2](https://github.com/Annyv2))
170218 - Update lock [\#15](https://github.com/auth0/omniauth-auth0/pull/15) ([Annyv2](https://github.com/Annyv2))
171219
172220 **Fixed**
221
173222 - Fix setup [\#38](https://github.com/auth0/omniauth-auth0/pull/38) ([deepak](https://github.com/deepak))
174223 - Added missing instruction [\#30](https://github.com/auth0/omniauth-auth0/pull/30) ([Annyv2](https://github.com/Annyv2))
175224 - Fixes undefined Auth0Lock issue [\#28](https://github.com/auth0/omniauth-auth0/pull/28) ([Annyv2](https://github.com/Annyv2))
176225 - Update Readme [\#27](https://github.com/auth0/omniauth-auth0/pull/27) ([Annyv2](https://github.com/Annyv2))
177226
178
179227 ## [v1.4.1](https://github.com/auth0/omniauth-auth0/tree/v1.4.1) (2015-11-18)
228
180229 [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.0...v1.4.1)
181230
182231 **Merged pull requests:**
187236 - Add nested module in version.rb [\#9](https://github.com/auth0/omniauth-auth0/pull/9) ([l4u](https://github.com/l4u))
188237
189238 ## [v1.4.0](https://github.com/auth0/omniauth-auth0/tree/v1.4.0) (2015-06-01)
239
190240 **Merged pull requests:**
191241
192242 - Client headers [\#8](https://github.com/auth0/omniauth-auth0/pull/8) ([benschwarz](https://github.com/benschwarz))
195245 - Update README.md [\#3](https://github.com/auth0/omniauth-auth0/pull/3) ([pose](https://github.com/pose))
196246 - Fix Markdown typo [\#2](https://github.com/auth0/omniauth-auth0/pull/2) ([dentarg](https://github.com/dentarg))
197247
198
199
200 \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
248 \* _This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)_
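--- a/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Code of Conduct
-
-Please see [Auth0's Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) for information on contributing to this repo.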
0 * [Example of the resulting authentication hash](#example-of-the-resulting-authentication-hash)
1 * [Send additional authentication parameters](#send-additional-authentication-parameters)
2 * [Query Parameter Options](#query-parameter-options)
3 * [Auth0 Organizations](#auth0-organizations)
4 - [Logging in with an Organization](#logging-in-with-an-organization)
5 - [Validating Organizations when using Organization Login Prompt](#validating-organizations-when-using-organization-login-prompt)
6 - [Accepting user invitations](#accepting-user-invitations)
7
8 ### Example of the resulting authentication hash
9
10 The Auth0 strategy will provide the standard OmniAuth hash attributes:
11
12 - `:provider` - the name of the strategy, in this case `auth0`
13 - `:uid` - the user identifier
14 - `:info` - the result of the call to `/userinfo` using OmniAuth standard attributes
15 - `:credentials` - tokens requested and data
16 - `:extra` - Additional info obtained from calling `/userinfo` in the `:raw_info` property
17
18 ```ruby
19 {
20 :provider => 'auth0',
21 :uid => 'auth0|USER_ID',
22 :info => {
23 :name => 'John Foo',
24 :email => 'johnfoo@example.org',
25 :nickname => 'john',
26 :image => 'https://example.org/john.jpg'
27 },
28 :credentials => {
29 :token => 'ACCESS_TOKEN',
30 :expires_at => 1485373937,
31 :expires => true,
32 :refresh_token => 'REFRESH_TOKEN',
33 :id_token => 'JWT_ID_TOKEN',
34 :token_type => 'bearer',
35 },
36 :extra => {
37 :raw_info => {
38 :email => 'johnfoo@example.org',
39 :email_verified => 'true',
40 :name => 'John Foo',
41 :picture => 'https://example.org/john.jpg',
42 :user_id => 'auth0|USER_ID',
43 :nickname => 'john',
44 :created_at => '2014-07-15T17:19:50.387Z'
45 }
46 }
47 }
48 ```
49
50 ## Send additional authentication parameters
51
52 To send additional parameters during login, you can specify them when you register the provider:
53
54 ```ruby
55 provider
56 :auth0,
57 ENV['AUTH0_CLIENT_ID'],
58 ENV['AUTH0_CLIENT_SECRET'],
59 ENV['AUTH0_DOMAIN'],
60 {
61 authorize_params: {
62 scope: 'openid read:users write:order',
63 audience: 'https://mydomain/api',
64 max_age: 3600 # time in seconds authentication is valid
65 }
66 }
67 ```
68
69 This will tell the strategy to send those parameters on every authentication request.
70
71 ## Query Parameter Options
72
73 In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this:
74
75 - `connection`
76 - `connection_scope`
77 - `prompt`
78 - `screen_hint` (only relevant to New Universal Login Experience)
79 - `organization`
80 - `invitation`
81
82 Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
83
84 ## Auth0 Organizations
85
86 [Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
87
88 Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.
89
90 ### Logging in with an Organization
91
92 Logging in with an Organization is as easy as passing the parameters to the authorize endpoint. You can do this with
93
94 ```ruby
95 <%=
96 button_to 'Login', 'auth/auth0',
97 method: :post,
98 params: {
99 # Found in your Auth0 dashboard, under Organization settings:
100 organization: '{AUTH0_ORGANIZATION}'
101 }
102 %>
103 ```
104
105 Alternatively you can configure the organization when you register the provider:
106
107 ```ruby
108 provider
109 :auth0,
110 ENV['AUTH0_CLIENT_ID'],
111 ENV['AUTH0_CLIENT_SECRET'],
112 ENV['AUTH0_DOMAIN']
113 {
114 authorize_params: {
115 scope: 'openid read:users',
116 audience: 'https://{AUTH0_DOMAIN}/api',
117 organization: '{AUTH0_ORGANIZATION}'
118 }
119 }
120 ```
121
122 When passing `openid` to the scope and `organization` to the authorize params, you will receive an ID token on callback with the `org_id` claim. This claim is validated for you by the SDK.
123
124 ### Validating Organizations when using Organization Login Prompt
125
126 When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known.
127
128 Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
129
130 In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token.
131
132 Here is an example using it in your `callback` method
133
134 ```ruby
135 def callback
136 claims = request.env['omniauth.auth']['extra']['raw_info']
137
138 if claims["org"] && claims["org"] !== expected_org
139 redirect_to '/unauthorized', status: 401
140 else
141 session[:userinfo] = claims
142 redirect_to '/dashboard'
143 end
144 end
145 ```
146
147 For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.
148
149 ### Accepting user invitations
150
151 Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard.
152
153 When the user arrives at your application using an invite link, you can expect three query parameters to be provided: `invitation`, `organization`, and `organization_name`. These will always be delivered using a GET request.
154
155 You can then supply those parametrs to a `button_to` or `link_to` helper
156
157 ```ruby
158 <%=
159 button_to 'Login', 'auth/auth0',
160 method: :post,
161 params: {
162 organization: '{YOUR_ORGANIZATION_ID}',
163 invitation: '{INVITE_CODE}'
164 }
165 %>
166 ```
11
22 gemspec
33
4 gem 'gem-release'
5 gem 'jwt'
6 gem 'rake'
4 gem 'gem-release', '~> 2'
5 gem 'jwt', '~> 2'
6 gem 'rake', '~> 13'
77
88 group :development do
9 gem 'dotenv'
10 gem 'pry'
11 gem 'rubocop', require: false
12 gem 'shotgun'
13 gem 'sinatra'
14 gem 'thin'
9 gem 'dotenv', '~> 2'
10 gem 'pry', '~> 0'
11 gem 'rubocop', '~> 1', require: false
12 gem 'shotgun', '~> 0'
13 gem 'sinatra', '~> 2'
14 gem 'thin', '~> 1'
1515 end
1616
1717 group :test do
18 gem 'guard-rspec', require: false
18 gem 'guard-rspec', '~> 4', require: false
1919 gem 'listen', '~> 3'
20 gem 'rack-test'
21 gem 'rspec', '~> 3.5'
22 gem 'simplecov-cobertura'
23 gem 'webmock', '>= 3.12.2'
20 gem 'rack-test', '~> 2'
21 gem 'rspec', '~> 3'
22 gem 'simplecov-cobertura', '~> 2'
23 gem 'webmock', '~> 3'
24 gem 'multi_json', '~> 1'
2425 end
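Review bot: `gem 'webmock', '~> 3'` in the test group drops the `>= 3.12.2` floor that the previous constraint carried; `~> 3` expands to `>= 3, < 4`, so any resolve that does not use the committed Gemfile.lock may again select a 3.x release older than the one the Snyk security upgrade recorded in this import's CHANGELOG raised it to. Keeping the floor costs nothing: `gem 'webmock', '~> 3', '>= 3.12.2'`. The same loosening happens to `rspec` (`~> 3.5` → `~> 3`), though no security floor is recorded for it on this page.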
00 PATH
11 remote: .
22 specs:
3 omniauth-auth0 (3.0.0)
4 omniauth (~> 2.0)
5 omniauth-oauth2 (~> 1.7)
3 omniauth-auth0 (3.1.0)
4 omniauth (~> 2)
5 omniauth-oauth2 (~> 1)
66
77 GEM
88 remote: https://rubygems.org/
99 specs:
10 addressable (2.8.0)
11 public_suffix (>= 2.0.2, < 5.0)
10 addressable (2.8.1)
11 public_suffix (>= 2.0.2, < 6.0)
1212 ast (2.4.2)
1313 coderay (1.1.3)
1414 crack (0.4.5)
1616 daemons (1.4.1)
1717 diff-lcs (1.5.0)
1818 docile (1.4.0)
19 dotenv (2.7.6)
19 dotenv (2.8.1)
2020 eventmachine (1.2.7)
21 faraday (2.3.0)
22 faraday-net_http (~> 2.0)
21 faraday (2.7.1)
22 faraday-net_http (>= 2.0, < 3.1)
2323 ruby2_keywords (>= 0.0.4)
24 faraday-net_http (2.0.3)
24 faraday-net_http (3.0.2)
2525 ffi (1.15.5)
2626 formatador (1.1.0)
2727 gem-release (2.2.2)
4141 rspec (>= 2.99.0, < 4.0)
4242 hashdiff (1.0.1)
4343 hashie (5.0.0)
44 jwt (2.3.0)
44 json (2.6.3)
45 jwt (2.5.0)
4546 listen (3.7.1)
4647 rb-fsevent (~> 0.10, >= 0.10.3)
4748 rb-inotify (~> 0.9, >= 0.9.10)
4950 method_source (1.0.0)
5051 multi_json (1.15.0)
5152 multi_xml (0.6.0)
52 mustermann (1.1.1)
53 mustermann (2.0.2)
5354 ruby2_keywords (~> 0.0.1)
5455 nenv (0.3.0)
5556 notiffany (0.1.3)
5657 nenv (~> 0.1)
5758 shellany (~> 0.0)
58 oauth2 (1.4.9)
59 oauth2 (2.0.9)
5960 faraday (>= 0.17.3, < 3.0)
6061 jwt (>= 1.0, < 3.0)
61 multi_json (~> 1.3)
6262 multi_xml (~> 0.5)
63 rack (>= 1.2, < 3)
63 rack (>= 1.2, < 4)
64 snaky_hash (~> 2.0)
65 version_gem (~> 1.1)
6466 omniauth (2.1.0)
6567 hashie (>= 3.4.6)
6668 rack (>= 2.2.3)
6769 rack-protection
68 omniauth-oauth2 (1.7.2)
69 oauth2 (~> 1.4)
70 omniauth (>= 1.9, < 3)
70 omniauth-oauth2 (1.8.0)
71 oauth2 (>= 1.4, < 3)
72 omniauth (~> 2.0)
7173 parallel (1.22.1)
72 parser (3.1.2.0)
74 parser (3.1.3.0)
7375 ast (~> 2.4.1)
7476 pry (0.14.1)
7577 coderay (~> 1.1)
7678 method_source (~> 1.0)
77 public_suffix (4.0.7)
78 rack (2.2.3.1)
79 rack-protection (2.2.0)
79 public_suffix (5.0.0)
80 rack (2.2.4)
81 rack-protection (2.2.3)
8082 rack
81 rack-test (1.1.0)
82 rack (>= 1.0, < 3)
83 rack-test (2.0.2)
84 rack (>= 1.3)
8385 rainbow (3.1.1)
8486 rake (13.0.6)
85 rb-fsevent (0.11.1)
87 rb-fsevent (0.11.2)
8688 rb-inotify (0.10.1)
8789 ffi (~> 1.0)
88 regexp_parser (2.5.0)
90 regexp_parser (2.6.1)
8991 rexml (3.2.5)
90 rspec (3.11.0)
91 rspec-core (~> 3.11.0)
92 rspec-expectations (~> 3.11.0)
93 rspec-mocks (~> 3.11.0)
94 rspec-core (3.11.0)
95 rspec-support (~> 3.11.0)
96 rspec-expectations (3.11.0)
92 rspec (3.12.0)
93 rspec-core (~> 3.12.0)
94 rspec-expectations (~> 3.12.0)
95 rspec-mocks (~> 3.12.0)
96 rspec-core (3.12.0)
97 rspec-support (~> 3.12.0)
98 rspec-expectations (3.12.0)
9799 diff-lcs (>= 1.2.0, < 2.0)
98 rspec-support (~> 3.11.0)
99 rspec-mocks (3.11.1)
100 rspec-support (~> 3.12.0)
101 rspec-mocks (3.12.0)
100102 diff-lcs (>= 1.2.0, < 2.0)
101 rspec-support (~> 3.11.0)
102 rspec-support (3.11.0)
103 rubocop (1.30.0)
103 rspec-support (~> 3.12.0)
104 rspec-support (3.12.0)
105 rubocop (1.39.0)
106 json (~> 2.3)
104107 parallel (~> 1.10)
105 parser (>= 3.1.0.0)
108 parser (>= 3.1.2.1)
106109 rainbow (>= 2.2.2, < 4.0)
107110 regexp_parser (>= 1.8, < 3.0)
108111 rexml (>= 3.2.5, < 4.0)
109 rubocop-ast (>= 1.18.0, < 2.0)
112 rubocop-ast (>= 1.23.0, < 2.0)
110113 ruby-progressbar (~> 1.7)
111114 unicode-display_width (>= 1.4.0, < 3.0)
112 rubocop-ast (1.18.0)
115 rubocop-ast (1.24.0)
113116 parser (>= 3.1.1.0)
114117 ruby-progressbar (1.11.0)
115118 ruby2_keywords (0.0.5)
125128 simplecov (~> 0.19)
126129 simplecov-html (0.12.3)
127130 simplecov_json_formatter (0.1.4)
128 sinatra (2.2.0)
129 mustermann (~> 1.0)
131 sinatra (2.2.3)
132 mustermann (~> 2.0)
130133 rack (~> 2.2)
131 rack-protection (= 2.2.0)
134 rack-protection (= 2.2.3)
132135 tilt (~> 2.0)
136 snaky_hash (2.0.1)
137 hashie
138 version_gem (~> 1.1, >= 1.1.1)
133139 thin (1.8.1)
134140 daemons (~> 1.0, >= 1.0.9)
135141 eventmachine (~> 1.0, >= 1.0.4)
136142 rack (>= 1, < 3)
137143 thor (1.2.1)
138 tilt (2.0.10)
139 unicode-display_width (2.1.0)
140 webmock (3.14.0)
144 tilt (2.0.11)
145 unicode-display_width (2.3.0)
146 version_gem (1.1.1)
147 webmock (3.18.1)
141148 addressable (>= 2.8.0)
142149 crack (>= 0.3.2)
143150 hashdiff (>= 0.4.0, < 2.0.0)
150157
151158 DEPENDENCIES
152159 bundler
153 dotenv
154 gem-release
155 guard-rspec
156 jwt
160 dotenv (~> 2)
161 gem-release (~> 2)
162 guard-rspec (~> 4)
163 jwt (~> 2)
157164 listen (~> 3)
165 multi_json (~> 1)
158166 omniauth-auth0!
159 pry
160 rack-test
161 rake
162 rspec (~> 3.5)
163 rubocop
164 shotgun
165 simplecov-cobertura
166 sinatra
167 thin
168 webmock (>= 3.12.2)
167 pry (~> 0)
168 rack-test (~> 2)
169 rake (~> 13)
170 rspec (~> 3)
171 rubocop (~> 1)
172 shotgun (~> 0)
173 simplecov-cobertura (~> 2)
174 sinatra (~> 2)
175 thin (~> 1)
176 webmock (~> 3)
169177
170178 BUNDLED WITH
171179 2.3.7
0 # OmniAuth Auth0
0 ![Omniauth-auth0](https://cdn.auth0.com/website/sdks/banners/omniauth-auth0-banner.png)
11
2 An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy.
3
4 > :warning: **Important security note for v2:** This solution uses a 3rd party library that had a [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284) in v2. Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution in v2. **[Upgrading to v3](https://github.com/auth0/omniauth-auth0/pull/128) of this library resolves the issue.**
52
63 [![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0)
74 [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0)
85 [![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0)
96 [![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/omniauth-auth0/blob/master/LICENSE)
10 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_shield)
117
12 ## Table of Contents
13
14 - [Documentation](#documentation)
15 - [Installation](#installation)
16 - [Getting Started](#getting-started)
17 - [Contribution](#contribution)
18 - [Support + Feedback](#support--feedback)
19 - [Vulnerability Reporting](#vulnerability-reporting)
20 - [What is Auth0](#what-is-auth0)
21 - [License](#license)
8 <div>
9 📚 <a href="#documentation">Documentation</a> - 🚀 <a href="#getting-started">Getting started</a> - 💻 <a href="https://www.rubydoc.info/gems/omniauth-auth0">API reference</a> - 💬 <a href="#feedback">Feedback</a>
10 </div>
2211
2312 ## Documentation
2413
2615 - [Sample projects](https://github.com/auth0-samples/auth0-rubyonrails-sample)
2716 - [API Reference](https://www.rubydoc.info/gems/omniauth-auth0)
2817
29 ## Installation
18 ## Getting started
19
20 ### Installation
3021
3122 Add the following line to your `Gemfile`:
3223
4839
4940 See our [contributing guide](CONTRIBUTING.md) for information on local installation for development.
5041
51 ## Getting Started
42 ## Configure the SDK
5243
53 To start processing authentication requests, the following steps must be performed:
44 Adding the SDK to your Rails app requires a few steps:
5445
55 1. Initialize the strategy
56 2. Configure the callback controller
57 3. Add the required routes
58 4. Trigger an authentication request
46 - [Create the configuration file](#create-the-configuration-file)
47 - [Create the initializer](#create-the-initializer)
48 - [Create the callback controller](#create-the-callback-controller)
49 - [Add routes](#add-routes)
5950
60 All of these tasks and more are covered in our [Ruby on Rails Quickstart](https://auth0.com/docs/quickstart/webapp/rails).
51 ### Create the configuration file
6152
62 ### Additional authentication parameters
53 Create the file `./config/auth0.yml` within your application directory with the following content:
6354
64 To send additional parameters during login, you can specify them when you register the provider:
55 ```yml
56 development:
57 auth0_domain: <YOUR_DOMAIN>
58 auth0_client_id: <YOUR_CLIENT_ID>
59 auth0_client_secret: <YOUR AUTH0 CLIENT SECRET>
60 ```
61
62 ### Create the initializer
63
64 Create a new Ruby file in `./config/initializers/auth0.rb` to configure the OmniAuth middleware:
6565
6666 ```ruby
67 provider
68 :auth0,
69 ENV['AUTH0_CLIENT_ID'],
70 ENV['AUTH0_CLIENT_SECRET'],
71 ENV['AUTH0_DOMAIN'],
72 {
67 AUTH0_CONFIG = Rails.application.config_for(:auth0)
68
69 Rails.application.config.middleware.use OmniAuth::Builder do
70 provider(
71 :auth0,
72 AUTH0_CONFIG['auth0_client_id'],
73 AUTH0_CONFIG['auth0_client_secret'],
74 AUTH0_CONFIG['auth0_domain'],
75 callback_path: '/auth/auth0/callback',
7376 authorize_params: {
74 scope: 'openid read:users write:order',
75 audience: 'https://mydomain/api',
76 max_age: 3600 # time in seconds authentication is valid
77 scope: 'openid profile'
7778 }
78 }
79 )
80 end
7981 ```
8082
81 ... which will tell the strategy to send those parameters on every authentication request.
83 ### Create the callback controller
8284
83 ### Authentication hash
85 Create a new controller `./app/controllers/auth0_controller.rb` to handle the callback from Auth0.
8486
85 The Auth0 strategy will provide the standard OmniAuth hash attributes:
86
87 - `:provider` - the name of the strategy, in this case `auth0`
88 - `:uid` - the user identifier
89 - `:info` - the result of the call to `/userinfo` using OmniAuth standard attributes
90 - `:credentials` - tokens requested and data
91 - `:extra` - Additional info obtained from calling `/userinfo` in the `:raw_info` property
87 > You can also run `rails generate controller auth0 callback failure logout --skip-assets --skip-helper --skip-routes --skip-template-engine` to scaffold this controller for you.
9288
9389 ```ruby
94 {
95 :provider => 'auth0',
96 :uid => 'auth0|USER_ID',
97 :info => {
98 :name => 'John Foo',
99 :email => 'johnfoo@example.org',
100 :nickname => 'john',
101 :image => 'https://example.org/john.jpg'
102 },
103 :credentials => {
104 :token => 'ACCESS_TOKEN',
105 :expires_at => 1485373937,
106 :expires => true,
107 :refresh_token => 'REFRESH_TOKEN',
108 :id_token => 'JWT_ID_TOKEN',
109 :token_type => 'bearer',
110 },
111 :extra => {
112 :raw_info => {
113 :email => 'johnfoo@example.org',
114 :email_verified => 'true',
115 :name => 'John Foo',
116 :picture => 'https://example.org/john.jpg',
117 :user_id => 'auth0|USER_ID',
118 :nickname => 'john',
119 :created_at => '2014-07-15T17:19:50.387Z'
120 }
121 }
122 }
90 # ./app/controllers/auth0_controller.rb
91 class Auth0Controller < ApplicationController
92 def callback
93 # OmniAuth stores the information returned from Auth0 and the IdP in request.env['omniauth.auth'].
94 # In this code, you will pull the raw_info supplied from the id_token and assign it to the session.
95 # Refer to https://github.com/auth0/omniauth-auth0/blob/master/EXAMPLES.md#example-of-the-resulting-authentication-hash for complete information on 'omniauth.auth' contents.
96 auth_info = request.env['omniauth.auth']
97 session[:userinfo] = auth_info['extra']['raw_info']
98
99 # Redirect to the URL you want after successful auth
100 redirect_to '/dashboard'
101 end
102
103 def failure
104 # Handles failed authentication -- Show a failure page (you can also handle with a redirect)
105 @error_msg = request.params['message']
106 end
107
108 def logout
109 # you will finish this in a later step
110 end
111 end
123112 ```
124113
125 ### Query Parameter Options
114 ### Add routes
126115
127 In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this:
128
129 - `connection`
130 - `connection_scope`
131 - `prompt`
132 - `screen_hint` (only relevant to New Universal Login Experience)
133 - `organization`
134 - `invitation`
135
136 Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
137
138 ## Examples
139
140 ### Auth0 Organizations
141
142 [Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.
143
144 Using Organizations, you can:
145
146 - Represent teams, business customers, partner companies, or any logical grouping of users that should have different ways of accessing your applications, as organizations.
147 - Manage their membership in a variety of ways, including user invitation.
148 - Configure branded, federated login flows for each organization.
149 - Implement role-based access control, such that users can have different roles when authenticating in the context of different organizations.
150 - Build administration capabilities into your products, using Organizations APIs, so that those businesses can manage their own organizations.
151
152 Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.
153
154 #### Logging in with an Organization
155
156 Logging in with an Organization is as easy as passing the parameters to the authorize endpoint. You can do this with
116 Finally, add the following routes to your `./config/routes.rb` file:
157117
158118 ```ruby
159 <%=
160 button_to 'Login', 'auth/auth0',
161 method: :post,
162 params: {
163 # Found in your Auth0 dashboard, under Organization settings:
164 organization: '{AUTH0_ORGANIZATION}'
165 }
166 %>
119 Rails.application.routes.draw do
120 # ..
121 get '/auth/auth0/callback' => 'auth0#callback'
122 get '/auth/failure' => 'auth0#failure'
123 get '/auth/logout' => 'auth0#logout'
124 end
167125 ```
168126
169 Alternatively you can configure the organization when you register the provider:
127 ## Logging in
170128
171 ```ruby
172 provider
173 :auth0,
174 ENV['AUTH0_CLIENT_ID'],
175 ENV['AUTH0_CLIENT_SECRET'],
176 ENV['AUTH0_DOMAIN']
177 {
178 authorize_params: {
179 scope: 'openid read:users',
180 audience: 'https://{AUTH0_DOMAIN}/api',
181 organization: '{AUTH0_ORGANIZATION}'
182 }
183 }
129 To redirect your users to Auth0 for authentication, redirect your users to the `/auth/auth0` endpoint of your app. One way to do this is to use a link or button on a page:
130
131 ```html
132 <%= button_to 'Login', '/auth/auth0', method: :post %>
184133 ```
185134
186 When passing `openid` to the scope and `organization` to the authorize params, you will receive an ID token on callback with the `org_id` claim. This claim is validated for you by the SDK.
135 ## Feedback
187136
188 #### Validating Organizations when using Organization Login Prompt
189
190 When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known.
191
192 Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.
193
194 In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token.
195
196 Here is an example using it in your `callback` method
197
198 ```ruby
199 def callback
200 claims = request.env['omniauth.auth']['extra']['raw_info']
201
202 if claims["org"] && claims["org"] !== expected_org
203 redirect_to '/unauthorized', status: 401
204 else
205 session[:userinfo] = claims
206 redirect_to '/dashboard'
207 end
208 end
209 ```
210
211 For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs.
212
213 #### Accepting user invitations
214
215 Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard.
216
217 When the user arrives at your application using an invite link, you can expect three query parameters to be provided: `invitation`, `organization`, and `organization_name`. These will always be delivered using a GET request.
218
219 You can then supply those parametrs to a `button_to` or `link_to` helper
220
221 ```ruby
222 <%=
223 button_to 'Login', 'auth/auth0',
224 method: :post,
225 params: {
226 organization: '{YOUR_ORGANIZATION_ID}',
227 invitation: '{INVITE_CODE}'
228 }
229 %>
230 ```
231
232 ## Contribution
137 ### Contributing
233138
234139 We appreciate feedback and contribution to this repo! Before you get started, please see the following:
235140
236 - [Auth0's contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
237 - [Auth0's Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
238 - [This repo's contribution guide](CONTRIBUTING.md)
141 - [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
142 - [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
143 - [This repo's contribution guide](https://github.com/auth0/omniauth-auth0/blob/master/CONTRIBUTING.md)
239144
240 ## Support + Feedback
145 ### Raise an issue
241146
242 - Use [Community](https://community.auth0.com/) for usage, questions, specific cases.
243 - Use [Issues](https://github.com/auth0/omniauth-auth0/issues) here for code-level support and bug reports.
244 - Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues.
147 To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/auth0/omniauth-auth0/issues).
245148
246 ## Vulnerability Reporting
149 ### Vulnerability Reporting
247150
248 Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
151 Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
249152
250 ## What is Auth0?
153 ---
251154
252 Auth0 helps you to easily:
253
254 - implement authentication with multiple identity providers, including social (e.g., Google, Facebook, Microsoft, LinkedIn, GitHub, Twitter, etc), or enterprise (e.g., Windows Azure AD, Google Apps, Active Directory, ADFS, SAML, etc.)
255 - log in users with username/password databases, passwordless, or multi-factor authentication
256 - link multiple user accounts together
257 - generate signed JSON Web Tokens to authorize your API calls and flow the user identity securely
258 - access demographics and analytics detailing how, when, and where users are logging in
259 - enrich user profiles from other data sources using customizable JavaScript rules
260
261 [Why Auth0?](https://auth0.com/why-auth0)
262
263 ## License
264
265 The OmniAuth Auth0 strategy is licensed under MIT - [LICENSE](LICENSE)
266
267
268 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_large)
155 <p align="center">
156 <picture>
157 <source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150">
158 <source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
159 <img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
160 </picture>
161 </p>
162 <p align="center">
163 Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a>
164 </p>
165 <p align="center">
166 This project is licensed under the MIT license. See the <a href="https://github.com/auth0/omniauth-auth0/blob/master/LICENSE"> LICENSE</a> file for more info.
167 </p>
9393 params[:leeway] = 60 unless params[:leeway]
9494
9595 # Store authorize params in the session for token verification
96 session['authorize_params'] = params
96 session['authorize_params'] = params.to_hash
9797
9898 params
9999 end
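Review bot: The switch to `params.to_hash` on line 96 is not explained; the comment on line 95 still says only that the params are stored for token verification, and the enclosing method starts outside this hunk. The likely intent is to keep a Hashie/OmniAuth options object out of the session store, and that is worth stating, e.g. `# Store authorize params in the session for token verification; stored as a plain Hash so the session coder can serialize it without the options class`. If `params` is a Hashie::Mash here (as omniauth-oauth2's `authorize_params` builds it), `to_hash` stringifies the keys, so whatever reads `session['authorize_params']` in the callback phase must use string keys — that reader is outside this hunk and worth confirming.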
00 module OmniAuth
11 module Auth0
2 VERSION = '3.0.0'.freeze
2 VERSION = '3.1.0'.freeze
33 end
44 end
2020 s.executables = `git ls-files -- bin/*`.split('\n').map{ |f| File.basename(f) }
2121 s.require_paths = ['lib']
2222
23 s.add_runtime_dependency 'omniauth', '~> 2.0'
24 s.add_runtime_dependency 'omniauth-oauth2', '~> 1.7'
23 s.add_runtime_dependency 'omniauth', '~> 2'
24 s.add_runtime_dependency 'omniauth-oauth2', '~> 1'
2525
2626 s.add_development_dependency 'bundler'
27
27
2828 s.license = 'MIT'
2929 end
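Review bot: Line 24 lowers the floor on omniauth-oauth2 from 1.7 to 1.0 — `'~> 1.7'` already admitted every later 1.x release, so the only effect of `'~> 1'` is to newly allow 1.0 through 1.6 for consumers resolving against this gemspec. The lockfile in this commit shows 1.7.2 and 1.8.0 requiring omniauth 2-compatible ranges, and older omniauth-oauth2 releases presumably pin omniauth 1.x, so the `'omniauth', '~> 2'` constraint on line 23 probably still excludes them — but that is an accidental transitive guarantee, not a stated one. Keeping the tested floor explicit costs one line: `s.add_runtime_dependency 'omniauth-oauth2', '>= 1.7', '< 2'`.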
0 ---
1 version: 1
2 repository:
3 owner: dx_sdks
4 tier:
5 tags:
356356 message: "Nonce (nonce) claim value mismatch in the ID token; expected (noncey), found (mismatch)"
357357 }))
358358 end
359
359
360360 it 'should fail when “aud” is an array of strings and azp claim is not present' do
361361 aud = [
362362 client_id,
475475 expect(id_token['auth_time']).to eq(auth_time)
476476 end
477477
478 it 'should fail when authorize params has organization but org_id is missing in the token', focus: true do
478 it 'should fail when authorize params has organization but org_id is missing in the token' do
479479 payload = {
480480 iss: "https://#{domain}/",
481481 sub: 'sub',
492492 }))
493493 end
494494
495 it 'should fail when authorize params has organization but token org_id does not match', focus: true do
495 it 'should fail when authorize params has organization but token org_id does not match' do
496496 payload = {
497497 iss: "https://#{domain}/",
498498 sub: 'sub',
543543 expect do
544544 verified_token = make_jwt_validator(opt_domain: domain).verify(token)
545545 end.to raise_error(an_instance_of(JWT::VerificationError).and having_attributes({
546 message: "Signature verification raised"
546 message: "Signature verification failed"
547547 }))
548548 end
549549
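Review bot: Line 546 pins the example to the exact message text that the jwt gem puts on `JWT::VerificationError`; this hunk exists precisely because that wording changed between jwt releases, so the assertion will break again on the next upstream rewording while asserting nothing about this library's own behaviour. Matching the class, or a stable fragment, keeps the intent: `end.to raise_error(JWT::VerificationError, /Signature verification/)`. The enclosing example starts outside the hunk. Removing the `focus: true` tags at 478 and 495 is the right fix, since spec_helper in this same commit starts honouring that tag.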
11
22 require 'spec_helper'
33 require 'jwt'
4 require 'multi_json'
45
56 OmniAuth.config.allowed_request_methods = [:get, :post]
67
195196 expect(redirect_url).not_to have_query('screen_hint')
196197 expect(redirect_url).not_to have_query('organization')
197198 expect(redirect_url).not_to have_query('invitation')
199 end
200
201 def session
202 session_cookie = last_response.cookies['rack.session'].first
203 session_data, _, _ = session_cookie.rpartition('--')
204 decoded_session_data = Base64.decode64(session_data)
205 Marshal.load(decoded_session_data)
206 end
207
208 it "stores session['authorize_params'] as a plain Ruby Hash" do
209 get '/auth/auth0'
210
211 expect(session['authorize_params'].class).to eq(::Hash)
198212 end
199213
200214 describe 'callback' do
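Review bot: The `session` helper on lines 201–206 is tied to Rack::Session::Cookie's default coder — a Base64 Marshal payload, `--`, then the HMAC — and it deserializes the payload with `Marshal.load` without checking that HMAC, none of which is stated in the code. A comment above `def session` should say so, e.g. `# Decodes the rack.session cookie set by the test app (Base64(Marshal) + '--' + HMAC); the HMAC is skipped and Marshal.load is acceptable only because the app under test minted the cookie in this same request`, so nobody lifts the helper into application code or is surprised when changing the test app's session coder breaks it. Defining it as a bare `def` between `it` blocks makes it an instance method of the whole example group; a `let(:session)` or a helper in spec_helper is the conventional place. `Base64` is used without a visible `require 'base64'` (lines 2–4 only pull in spec_helper, jwt and multi_json); it is probably loaded transitively by rack, but that is worth confirming, and `multi_json` is not referenced anywhere in the visible hunk.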
00 $LOAD_PATH.unshift File.expand_path(__dir__)
11 $LOAD_PATH.unshift File.expand_path('../lib', __dir__)
22
3 require 'multi_json'
34 require 'simplecov'
45 SimpleCov.start
56
2122 config.include WebMock::API
2223 config.include Rack::Test::Methods
2324 config.extend OmniAuth::Test::StrategyMacros, type: :strategy
25 config.filter_run focus: true
26 config.run_all_when_everything_filtered = true
2427
2528 def app
2629 @app || make_application
3841 configure do
3942 enable :sessions
4043 set :show_exceptions, false
41 set :session_secret, 'TEST'
44 set :session_secret, '9771aff2c634257053c62ba072c54754bd2cc92739b37e81c3eda505da48c2ec'
4245 end
4346
4447 use OmniAuth::Builder do
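Review bot: `config.filter_run focus: true` together with `run_all_when_everything_filtered` on lines 25–26 means any `focus: true` tag left in a committed spec silently shrinks the entire suite to that one example while CI still reports green — exactly the tags this commit has to strip from jwt_validator_spec. Keeping the convenience local while making CI run everything is one line in place of the two: `config.filter_run_when_matching :focus unless ENV['CI']` (CI providers conventionally export `CI`; confirm for the pipeline used here). The longer session secret on line 44 is fine as a test fixture.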