Import upstream version 3.1.0
Debian Janitor
1 year, 3 months ago
0 | 0 | version: 2.1 |
1 | 1 | orbs: |
2 | ship: auth0/ship@dev:alpha | |
2 | ship: auth0/ship@0 | |
3 | 3 | codecov: codecov/codecov@3 |
4 | 4 | |
5 | 5 | matrix_rubyversions: &matrix_rubyversions |
6 | 6 | matrix: |
7 | 7 | parameters: |
8 | rubyversion: ["2.6", "2.7", "3.0", "3.1"] | |
8 | rubyversion: ["2.7", "3.0", "3.1"] | |
9 | 9 | # Default version of ruby to use for lint and publishing |
10 | 10 | default_rubyversion: &default_rubyversion "2.7" |
11 | 11 |
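Review bot: `ship: auth0/ship@0` swaps a mutable dev tag for a floating major tag, so each CI run still resolves to whichever 0.x release the orb registry currently serves; pinning to an exact release (`ship: auth0/ship@<exact-version>`, with the version you have vetted) makes the publishing job reproducible and reviewable, and L15's comment suggests this config is what publishing runs under. The same floating-reference pattern recurs in the other new files on this page: the devcontainer image `mcr.microsoft.com/devcontainers/ruby:3.1` and its node feature `"version": "lts"`, the Semgrep workflow's `container: image: returntocorp/semgrep` (no tag at all, so `latest`), and `actions/checkout@v3` (a moving major tag rather than a commit SHA). Of these the orb is the one most worth pinning because it executes with release credentials; the devcontainer references only affect local development.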
0 | { | |
1 | "name": "Ruby", | |
2 | "image": "mcr.microsoft.com/devcontainers/ruby:3.1", | |
3 | "features": { | |
4 | "ghcr.io/devcontainers/features/node:1": { | |
5 | "version": "lts" | |
6 | } | |
7 | }, | |
8 | ||
9 | // Use 'forwardPorts' to make a list of ports inside the container available locally. | |
10 | // "forwardPorts": [], | |
11 | ||
12 | // Use 'postCreateCommand' to run commands after the container is created. | |
13 | // "postCreateCommand": "ruby --version", | |
14 | ||
15 | // Set `remoteUser` to `root` to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root. | |
16 | "remoteUser": "vscode" | |
17 | } |
0 | blank_issues_enabled: false | |
1 | contact_links: | |
2 | - name: Auth0 Community | |
3 | url: https://community.auth0.com/c/sdks/5 | |
4 | about: Discuss this SDK in the Auth0 Community forums | |
5 | - name: Library Documentation | |
6 | url: https://github.com/auth0/omniauth-auth0#documentation | |
7 | about: Read the library docs on Auth0.com |
0 | --- | |
1 | name: Feature request | |
2 | about: Suggest an idea or a feature for this project | |
3 | title: '' | |
4 | labels: feature request | |
5 | assignees: '' | |
6 | --- | |
7 | ||
8 | <!-- | |
9 | **Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues. | |
10 | ||
11 | Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here. | |
12 | ||
13 | By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). | |
14 | --> | |
15 | ||
16 | ### Describe the problem you'd like to have solved | |
17 | ||
18 | <!-- | |
19 | > A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] | |
20 | --> | |
21 | ||
22 | ### Describe the ideal solution | |
23 | ||
24 | <!-- | |
25 | > A clear and concise description of what you want to happen. | |
26 | --> | |
27 | ||
28 | ## Alternatives and current work-arounds | |
29 | ||
30 | <!-- | |
31 | > A clear and concise description of any alternatives you've considered or any work-arounds that are currently in place. | |
32 | --> | |
33 | ||
34 | ### Additional information, if any | |
35 | ||
36 | <!-- | |
37 | > Add any other context or screenshots about the feature request here. | |
38 | -->⏎ |
0 | --- | |
1 | name: Report a bug | |
2 | about: Have you found a bug or issue? Create a bug report for this SDK | |
3 | title: '' | |
4 | labels: bug report | |
5 | assignees: '' | |
6 | --- | |
7 | ||
8 | <!-- | |
9 | **Please do not report security vulnerabilities here**. The Responsible Disclosure Program (https://auth0.com/whitehat) details the procedure for disclosing security issues. | |
10 | ||
11 | Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community (https://community.auth0.com/) or Auth0 Support (https://support.auth0.com/). Finally, to avoid duplicates, please search existing Issues before submitting one here. | |
12 | ||
13 | By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct (https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). | |
14 | --> | |
15 | ||
16 | ### Describe the problem | |
17 | ||
18 | <!-- | |
19 | > Provide a clear and concise description of the issue | |
20 | --> | |
21 | ||
22 | ### What was the expected behavior? | |
23 | ||
24 | <!-- | |
25 | > Tell us about the behavior you expected to see | |
26 | --> | |
27 | ||
28 | ### Reproduction | |
29 | <!-- | |
30 | > Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent. | |
31 | > **Note**: If clear, reproducable steps or the smallest sample app demonstrating misbehavior cannot be provided, we may not be able to follow up on this bug report. | |
32 | ||
33 | > Where possible, please include: | |
34 | > | |
35 | > - The smallest possible sample app that reproduces the undesirable behavior | |
36 | > - Log files (redact/remove sensitive information) | |
37 | > - Application settings (redact/remove sensitive information) | |
38 | > - Screenshots | |
39 | --> | |
40 | ||
41 | - Step 1.. | |
42 | - Step 2.. | |
43 | - ... | |
44 | ||
45 | ### Environment | |
46 | ||
47 | <!-- | |
48 | > Please provide the following: | |
49 | --> | |
50 | ||
51 | - **Version of this library used:** | |
52 | - **Which framework are you using, if applicable:** | |
53 | - **Other modules/plugins/libraries that might be involved:** | |
54 | - **Any other relevant information you think would be useful:**⏎ |
0 | ### Changes | |
1 | ||
2 | Please describe both what is changing and why this is important. Include: | |
3 | ||
4 | - Endpoints added, deleted, deprecated, or changed | |
5 | - Classes and methods added, deleted, deprecated, or changed | |
6 | - Screenshots of new or changed UI, if applicable | |
7 | - A summary of usage if this is a new feature or change to a public API (this should also be added to relevant documentation once released) | |
8 | ||
9 | ### References | |
10 | ||
11 | Please include relevant links supporting this change such as a: | |
12 | ||
13 | - support ticket | |
14 | - community post | |
15 | - StackOverflow post | |
16 | - support forum thread | |
17 | - related GitHub issue in this or another repo | |
18 | ||
19 | ### Testing | |
20 | ||
21 | Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors. | |
22 | ||
23 | * [ ] This change adds unit test coverage | |
24 | * [ ] This change has been tested on the latest version of the platform/language or why not | |
25 | ||
26 | ### Checklist | |
27 | ||
28 | * [ ] I have read the [Auth0 contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) | |
29 | * [ ] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) | |
30 | * [ ] All existing and new tests complete without errors | |
31 | * [ ] All code quality tools/guidelines in the [CONTRIBUTING documentation](https://github.com/auth0/omniauth-auth0/blob/master/CONTRIBUTING.md) have been run/followed |
0 | # Configuration for probot-stale - https://github.com/probot/stale | |
1 | ||
2 | # Number of days of inactivity before an Issue or Pull Request becomes stale | |
3 | daysUntilStale: 90 | |
4 | ||
5 | # Number of days of inactivity before an Issue or Pull Request with the stale label is closed. | |
6 | daysUntilClose: 7 | |
7 | ||
8 | # Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable | |
9 | exemptLabels: [] | |
10 | ||
11 | # Set to true to ignore issues with an assignee (defaults to false) | |
12 | exemptAssignees: true | |
13 | ||
14 | # Label to use when marking as stale | |
15 | staleLabel: closed:stale | |
16 | ||
17 | # Comment to post when marking as stale. Set to `false` to disable | |
18 | markComment: > | |
19 | This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇♂️⏎ |
0 | name: Semgrep | |
1 | ||
2 | on: | |
3 | pull_request: {} | |
4 | ||
5 | push: | |
6 | branches: ["master", "main"] | |
7 | ||
8 | schedule: | |
9 | - cron: '30 0 1,15 * *' | |
10 | ||
11 | jobs: | |
12 | semgrep: | |
13 | name: Scan | |
14 | runs-on: ubuntu-latest | |
15 | container: | |
16 | image: returntocorp/semgrep | |
17 | if: (github.actor != 'dependabot[bot]') | |
18 | steps: | |
19 | - uses: actions/checkout@v3 | |
20 | ||
21 | - run: semgrep ci | |
22 | env: | |
23 | SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} |
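Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` given to the Scan job carries the repository's default grant rather than the read-only access a checkout-and-scan job needs; adding `permissions: { contents: read }` at the top level is the least-privilege default. The `pull_request: {}` trigger also fires for pull requests from forks, where GitHub withholds repository secrets, so `SEMGREP_APP_TOKEN` will be empty on those runs; confirm how `semgrep ci` behaves without a token (it may fail or require an explicit `--config`) or narrow the trigger. The `if: (github.actor != 'dependabot[bot]')` guard is fine as written.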
0 | .ruby-version | |
1 | coverage | |
2 | *.gem | |
3 | ||
4 | .#* | |
5 | .env | |
6 | log/ | |
7 | tmp/ | |
8 | ||
9 | ## Environment normalization: | |
10 | /.bundle | |
11 | /vendor/bundle |
0 | 0 | # Change Log |
1 | 1 | |
2 | ## [v3.1.0](https://github.com/auth0/omniauth-auth0/tree/v3.1.0) (2022-11-04) | |
3 | ||
4 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v3.0.0...v3.1.0) | |
5 | ||
6 | **Added** | |
7 | ||
8 | - Add ui_locales to permitted params [\#135](https://github.com/auth0/omniauth-auth0/pull/135) ([martijn](https://github.com/martijn)) | |
9 | ||
10 | **Changed** | |
11 | ||
12 | - Store plain Hash in session['authorize_params'] [\#150](https://github.com/auth0/omniauth-auth0/pull/150) ([santry](https://github.com/santry)) | |
13 | - Redesign readme to match new style [\#148](https://github.com/auth0/omniauth-auth0/pull/148) ([stevehobbsdev](https://github.com/stevehobbsdev)) | |
14 | ||
15 | **Fixed** | |
16 | ||
17 | - Fix authentication hash link in code sample [\#153](https://github.com/auth0/omniauth-auth0/pull/153) ([ewanharris](https://github.com/ewanharris)) | |
18 | ||
19 | **Security** | |
20 | ||
21 | - [Snyk] Fix for 1 vulnerabilities [\#149](https://github.com/auth0/omniauth-auth0/pull/149) ([snyk-bot](https://github.com/snyk-bot)) | |
22 | - Bump addressable from 2.7.0 to 2.8.0 [\#133](https://github.com/auth0/omniauth-auth0/pull/133) ([dependabot[bot]](https://github.com/apps/dependabot)) | |
23 | - [Snyk] Security upgrade webmock from 3.12.2 to 3.12.2 [\#134](https://github.com/auth0/omniauth-auth0/pull/134) ([snyk-bot](https://github.com/snyk-bot)) | |
24 | ||
2 | 25 | ## [v3.0.0](https://github.com/auth0/omniauth-auth0/tree/v3.0.0) (2021-04-14) |
26 | ||
3 | 27 | Version 3.0 introduces [Omniauth v2.0](https://github.com/omniauth/omniauth/releases/tag/v2.0.0) which addresses [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284). Omniauth now defaults to only allow `POST` as the allowed request_phase method. This was previously handled through the recommended [mitigation](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284) using the `omniauth-rails_csrf_protection v0.x.x` gem to provide CSRF protection. |
4 | 28 | |
5 | 29 | ### Upgrading to omniauth-rails_csrf_protection v1.0.0 |
30 | ||
6 | 31 | If you are using `omniauth-rails_csrf_protection` to provide CSRF protection, you will need to be upgrade to `1.x.x`. |
7 | 32 | |
8 | 33 | ### BREAKING CHANGES |
34 | ||
9 | 35 | Now that OmniAuth now defaults to only `POST` as the allowed request_phase method, if you aren't already, you will need to convert any login links to use [form helpers](https://api.rubyonrails.org/classes/ActionView/Helpers/FormHelper.html#method-i-form_for) with the `POST` method. |
10 | 36 | |
11 | 37 | ```html+ruby |
25 | 51 | ``` |
26 | 52 | |
27 | 53 | ### Allowing GET Requests |
54 | ||
28 | 55 | In the scenario you absolutely must use GET requests as an allowed request method for authentication, you can override the protection provided with the following config override: |
29 | 56 | |
30 | 57 | ```ruby |
31 | # Allowing GET requests will expose you to CVE-2015-9284 | |
58 | # Allowing GET requests will expose you to CVE-2015-9284 | |
32 | 59 | OmniAuth.config.allowed_request_methods = [:get, :post] |
33 | 60 | ``` |
34 | 61 | |
37 | 64 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.5.0...v2.6.0) |
38 | 65 | |
39 | 66 | **Added** |
40 | - Org Support [SDK-2395] [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick)) | |
41 | - Add login_hint to permitted params [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz)) | |
67 | ||
68 | - Org Support [SDK-2395] [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick)) | |
69 | - Add login_hint to permitted params [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz)) | |
42 | 70 | |
43 | 71 | ## [v2.5.0](https://github.com/auth0/omniauth-auth0/tree/v2.5.0) (2021-01-21) |
44 | 72 | |
45 | 73 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.2...v2.5.0) |
46 | 74 | |
47 | 75 | **Added** |
76 | ||
48 | 77 | - Parsing claims from the id_token [\#120](https://github.com/auth0/omniauth-auth0/pull/120) ([davidpatrick](https://github.com/davidpatrick)) |
49 | 78 | |
50 | 79 | **Changed** |
80 | ||
51 | 81 | - Setup build matrix in CI [\#116](https://github.com/auth0/omniauth-auth0/pull/116) ([dmathieu](https://github.com/dmathieu)) |
52 | 82 | |
53 | 83 | **Fixed** |
84 | ||
54 | 85 | - Fixes params passed to authorize [\#119](https://github.com/auth0/omniauth-auth0/pull/119) ([davidpatrick](https://github.com/davidpatrick)) |
55 | 86 | |
56 | ||
57 | 87 | ## [v2.4.2](https://github.com/auth0/omniauth-auth0/tree/v2.4.2) (2021-01-19) |
58 | 88 | |
59 | 89 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.1...v2.4.2) |
60 | 90 | |
61 | 91 | **Fixed** |
92 | ||
62 | 93 | - Lock Omniauth to 1.9 in gemspec |
63 | 94 | |
64 | 95 | ## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08) |
66 | 97 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1) |
67 | 98 | |
68 | 99 | **Fixed** |
100 | ||
69 | 101 | - Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames)) |
70 | 102 | |
71 | ||
72 | 103 | ## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22) |
73 | 104 | |
74 | 105 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0) |
75 | 106 | |
76 | 107 | **Security** |
108 | ||
77 | 109 | - Bump rack from 2.2.2 to 2.2.3 [\#107](https://github.com/auth0/omniauth-auth0/pull/107) ([dependabot](https://github.com/dependabot)) |
78 | 110 | - Update dependencies [\#100](https://github.com/auth0/omniauth-auth0/pull/100) ([Albalmaceda](https://github.com/Albalmaceda)) |
79 | 111 | |
80 | 112 | **Added** |
113 | ||
81 | 114 | - Add support for screen_hint=signup param [\#103](https://github.com/auth0/omniauth-auth0/pull/103) ([bbean86](https://github.com/bbean86)) |
82 | 115 | - Add support for `connection_scope` in params [\#99](https://github.com/auth0/omniauth-auth0/pull/99) ([felixclack](https://github.com/felixclack)) |
83 | 116 | |
84 | ||
85 | 117 | ## [v2.3.1](https://github.com/auth0/omniauth-auth0/tree/v2.3.1) (2020-03-27) |
86 | 118 | |
87 | 119 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.3.1) |
92 | 124 | - Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" [\#96](https://github.com/auth0/omniauth-auth0/pull/96) ([stefanwork](https://github.com/stefanwork)) |
93 | 125 | |
94 | 126 | ## [v2.3.0](https://github.com/auth0/omniauth-auth0/tree/v2.3.0) (2020-03-06) |
127 | ||
95 | 128 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.2.0...v2.3.0) |
96 | 129 | |
97 | 130 | **Added** |
131 | ||
98 | 132 | - Improved OIDC Compliance [\#92](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick)) |
99 | 133 | |
100 | 134 | ## [v2.2.0](https://github.com/auth0/omniauth-auth0/tree/v2.2.0) (2018-04-18) |
135 | ||
101 | 136 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.1.0...v2.2.0) |
102 | 137 | |
103 | 138 | **Closed issues** |
139 | ||
104 | 140 | - It supports custom domain? [\#71](https://github.com/auth0/omniauth-auth0/issues/71) |
105 | 141 | - Valid Login, No Details: email=nil image=nil name="github|38257089" nickname=nil [\#70](https://github.com/auth0/omniauth-auth0/issues/70) |
106 | 142 | |
107 | 143 | **Added** |
144 | ||
108 | 145 | - Custom issuer [\#77](https://github.com/auth0/omniauth-auth0/pull/77) ([ryan-rosenfeld](https://github.com/ryan-rosenfeld)) |
109 | 146 | - Add telemetry to token endpoint [\#74](https://github.com/auth0/omniauth-auth0/pull/74) ([joshcanhelp](https://github.com/joshcanhelp)) |
110 | 147 | |
111 | 148 | **Changed** |
149 | ||
112 | 150 | - Remove telemetry from authorize URL [\#75](https://github.com/auth0/omniauth-auth0/pull/75) ([joshcanhelp](https://github.com/joshcanhelp)) |
113 | 151 | |
114 | 152 | ## [v2.1.0](https://github.com/auth0/omniauth-auth0/tree/v2.1.0) (2018-10-30) |
153 | ||
115 | 154 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.0.0...v2.1.0) |
116 | 155 | |
117 | 156 | **Closed issues** |
157 | ||
118 | 158 | - URL should be spelled uppercase outside of code [\#64](https://github.com/auth0/omniauth-auth0/issues/64) |
119 | 159 | - Add prompt=none authorization param handler [\#58](https://github.com/auth0/omniauth-auth0/issues/58) |
120 | 160 | - Could not find a valid mapping for path "/auth/oauth2/callback" [\#56](https://github.com/auth0/omniauth-auth0/issues/56) |
123 | 163 | - /auth/:provider route not registered? [\#47](https://github.com/auth0/omniauth-auth0/issues/47) |
124 | 164 | |
125 | 165 | **Added** |
166 | ||
126 | 167 | - Add ID token validation [\#62](https://github.com/auth0/omniauth-auth0/pull/62) ([joshcanhelp](https://github.com/joshcanhelp)) |
127 | 168 | - Silent authentication [\#59](https://github.com/auth0/omniauth-auth0/pull/59) ([batalla3692](https://github.com/batalla3692)) |
128 | 169 | - Pass connection parameter to auth0 [\#54](https://github.com/auth0/omniauth-auth0/pull/54) ([tomgi](https://github.com/tomgi)) |
129 | 170 | |
130 | 171 | **Changed** |
172 | ||
131 | 173 | - Update to omniauth-oauth2 [\#55](https://github.com/auth0/omniauth-auth0/pull/55) ([chills42](https://github.com/chills42)) |
132 | 174 | |
133 | 175 | **Fixed** |
176 | ||
134 | 177 | - Fix Rubocop errors [\#66](https://github.com/auth0/omniauth-auth0/pull/66) ([joshcanhelp](https://github.com/joshcanhelp)) |
135 | 178 | - Fix minute bug in README.md [\#63](https://github.com/auth0/omniauth-auth0/pull/63) ([rahuldess](https://github.com/rahuldess)) |
136 | 179 | |
137 | 180 | ## [v2.0.0](https://github.com/auth0/omniauth-auth0/tree/v2.0.0) (2017-01-25) |
181 | ||
138 | 182 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.1...v2.0.0) |
139 | 183 | |
140 | 184 | Updated library to handle OIDC conformant clients and OAuth2 features in Auth0. |
152 | 196 | Also in `extra` will have in `raw_info` the full /userinfo response. |
153 | 197 | |
154 | 198 | **Fixed** |
199 | ||
155 | 200 | - Use image attribute of omniauth instead of picture [\#45](https://github.com/auth0/omniauth-auth0/pull/45) ([hzalaz](https://github.com/hzalaz)) |
156 | - Rework strategy to handle OAuth and OIDC [\#44](https://github.com/auth0/omniauth-auth0/pull/44) ([hzalaz](https://github.com/hzalaz)) | |
201 | - Rework strategy to handle OAuth and OIDC [\#44](https://github.com/auth0/omniauth-auth0/pull/44) ([hzalaz](https://github.com/hzalaz)) | |
157 | 202 | - lock v10 update, dependencies update [\#41](https://github.com/auth0/omniauth-auth0/pull/41) ([Amialc](https://github.com/Amialc)) |
158 | 203 | |
159 | 204 | ## [v1.4.2](https://github.com/auth0/omniauth-auth0/tree/v1.4.2) (2016-06-13) |
205 | ||
160 | 206 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.1...v1.4.2) |
161 | 207 | |
162 | 208 | **Added** |
209 | ||
163 | 210 | - Link to OmniAuth site [\#36](https://github.com/auth0/omniauth-auth0/pull/36) ([jghaines](https://github.com/jghaines)) |
164 | 211 | - add ssl fix to RoR example [\#31](https://github.com/auth0/omniauth-auth0/pull/31) ([Amialc](https://github.com/Amialc)) |
165 | 212 | - Update LICENSE [\#17](https://github.com/auth0/omniauth-auth0/pull/17) ([aguerere](https://github.com/aguerere)) |
166 | 213 | |
167 | 214 | **Changed** |
215 | ||
168 | 216 | - Update lock to version 9 [\#34](https://github.com/auth0/omniauth-auth0/pull/34) ([Annyv2](https://github.com/Annyv2)) |
169 | 217 | - Update Gemfile [\#22](https://github.com/auth0/omniauth-auth0/pull/22) ([Annyv2](https://github.com/Annyv2)) |
170 | 218 | - Update lock [\#15](https://github.com/auth0/omniauth-auth0/pull/15) ([Annyv2](https://github.com/Annyv2)) |
171 | 219 | |
172 | 220 | **Fixed** |
221 | ||
173 | 222 | - Fix setup [\#38](https://github.com/auth0/omniauth-auth0/pull/38) ([deepak](https://github.com/deepak)) |
174 | 223 | - Added missing instruction [\#30](https://github.com/auth0/omniauth-auth0/pull/30) ([Annyv2](https://github.com/Annyv2)) |
175 | 224 | - Fixes undefined Auth0Lock issue [\#28](https://github.com/auth0/omniauth-auth0/pull/28) ([Annyv2](https://github.com/Annyv2)) |
176 | 225 | - Update Readme [\#27](https://github.com/auth0/omniauth-auth0/pull/27) ([Annyv2](https://github.com/Annyv2)) |
177 | 226 | |
178 | ||
179 | 227 | ## [v1.4.1](https://github.com/auth0/omniauth-auth0/tree/v1.4.1) (2015-11-18) |
228 | ||
180 | 229 | [Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.0...v1.4.1) |
181 | 230 | |
182 | 231 | **Merged pull requests:** |
187 | 236 | - Add nested module in version.rb [\#9](https://github.com/auth0/omniauth-auth0/pull/9) ([l4u](https://github.com/l4u)) |
188 | 237 | |
189 | 238 | ## [v1.4.0](https://github.com/auth0/omniauth-auth0/tree/v1.4.0) (2015-06-01) |
239 | ||
190 | 240 | **Merged pull requests:** |
191 | 241 | |
192 | 242 | - Client headers [\#8](https://github.com/auth0/omniauth-auth0/pull/8) ([benschwarz](https://github.com/benschwarz)) |
195 | 245 | - Update README.md [\#3](https://github.com/auth0/omniauth-auth0/pull/3) ([pose](https://github.com/pose)) |
196 | 246 | - Fix Markdown typo [\#2](https://github.com/auth0/omniauth-auth0/pull/2) ([dentarg](https://github.com/dentarg)) |
197 | 247 | |
198 | ||
199 | ||
200 | \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* | |
248 | \* _This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)_ |
0 | # Code of Conduct | |
1 | ||
2 | Please see [Auth0's Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) for information on contributing to this repo. |
0 | * [Example of the resulting authentication hash](#example-of-the-resulting-authentication-hash) | |
1 | * [Send additional authentication parameters](#send-additional-authentication-parameters) | |
2 | * [Query Parameter Options](#query-parameter-options) | |
3 | * [Auth0 Organizations](#auth0-organizations) | |
4 | - [Logging in with an Organization](#logging-in-with-an-organization) | |
5 | - [Validating Organizations when using Organization Login Prompt](#validating-organizations-when-using-organization-login-prompt) | |
6 | - [Accepting user invitations](#accepting-user-invitations) | |
7 | ||
8 | ### Example of the resulting authentication hash | |
9 | ||
10 | The Auth0 strategy will provide the standard OmniAuth hash attributes: | |
11 | ||
12 | - `:provider` - the name of the strategy, in this case `auth0` | |
13 | - `:uid` - the user identifier | |
14 | - `:info` - the result of the call to `/userinfo` using OmniAuth standard attributes | |
15 | - `:credentials` - tokens requested and data | |
16 | - `:extra` - Additional info obtained from calling `/userinfo` in the `:raw_info` property | |
17 | ||
18 | ```ruby | |
19 | { | |
20 | :provider => 'auth0', | |
21 | :uid => 'auth0|USER_ID', | |
22 | :info => { | |
23 | :name => 'John Foo', | |
24 | :email => 'johnfoo@example.org', | |
25 | :nickname => 'john', | |
26 | :image => 'https://example.org/john.jpg' | |
27 | }, | |
28 | :credentials => { | |
29 | :token => 'ACCESS_TOKEN', | |
30 | :expires_at => 1485373937, | |
31 | :expires => true, | |
32 | :refresh_token => 'REFRESH_TOKEN', | |
33 | :id_token => 'JWT_ID_TOKEN', | |
34 | :token_type => 'bearer', | |
35 | }, | |
36 | :extra => { | |
37 | :raw_info => { | |
38 | :email => 'johnfoo@example.org', | |
39 | :email_verified => 'true', | |
40 | :name => 'John Foo', | |
41 | :picture => 'https://example.org/john.jpg', | |
42 | :user_id => 'auth0|USER_ID', | |
43 | :nickname => 'john', | |
44 | :created_at => '2014-07-15T17:19:50.387Z' | |
45 | } | |
46 | } | |
47 | } | |
48 | ``` | |
49 | ||
50 | ## Send additional authentication parameters | |
51 | ||
52 | To send additional parameters during login, you can specify them when you register the provider: | |
53 | ||
54 | ```ruby | |
55 | provider | |
56 | :auth0, | |
57 | ENV['AUTH0_CLIENT_ID'], | |
58 | ENV['AUTH0_CLIENT_SECRET'], | |
59 | ENV['AUTH0_DOMAIN'], | |
60 | { | |
61 | authorize_params: { | |
62 | scope: 'openid read:users write:order', | |
63 | audience: 'https://mydomain/api', | |
64 | max_age: 3600 # time in seconds authentication is valid | |
65 | } | |
66 | } | |
67 | ``` | |
68 | ||
69 | This will tell the strategy to send those parameters on every authentication request. | |
70 | ||
71 | ## Query Parameter Options | |
72 | ||
73 | In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this: | |
74 | ||
75 | - `connection` | |
76 | - `connection_scope` | |
77 | - `prompt` | |
78 | - `screen_hint` (only relevant to New Universal Login Experience) | |
79 | - `organization` | |
80 | - `invitation` | |
81 | ||
82 | Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior. | |
83 | ||
84 | ## Auth0 Organizations | |
85 | ||
86 | [Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications. | |
87 | ||
88 | Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans. | |
89 | ||
90 | ### Logging in with an Organization | |
91 | ||
92 | Logging in with an Organization is as easy as passing the parameters to the authorize endpoint. You can do this with | |
93 | ||
94 | ```ruby | |
95 | <%= | |
96 | button_to 'Login', 'auth/auth0', | |
97 | method: :post, | |
98 | params: { | |
99 | # Found in your Auth0 dashboard, under Organization settings: | |
100 | organization: '{AUTH0_ORGANIZATION}' | |
101 | } | |
102 | %> | |
103 | ``` | |
104 | ||
105 | Alternatively you can configure the organization when you register the provider: | |
106 | ||
107 | ```ruby | |
108 | provider | |
109 | :auth0, | |
110 | ENV['AUTH0_CLIENT_ID'], | |
111 | ENV['AUTH0_CLIENT_SECRET'], | |
112 | ENV['AUTH0_DOMAIN'] | |
113 | { | |
114 | authorize_params: { | |
115 | scope: 'openid read:users', | |
116 | audience: 'https://{AUTH0_DOMAIN}/api', | |
117 | organization: '{AUTH0_ORGANIZATION}' | |
118 | } | |
119 | } | |
120 | ``` | |
121 | ||
122 | When passing `openid` to the scope and `organization` to the authorize params, you will receive an ID token on callback with the `org_id` claim. This claim is validated for you by the SDK. | |
123 | ||
124 | ### Validating Organizations when using Organization Login Prompt | |
125 | ||
126 | When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known. | |
127 | ||
128 | Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected. | |
129 | ||
130 | In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token. | |
131 | ||
132 | Here is an example using it in your `callback` method | |
133 | ||
134 | ```ruby | |
135 | def callback | |
136 | claims = request.env['omniauth.auth']['extra']['raw_info'] | |
137 | ||
138 | if claims["org"] && claims["org"] !== expected_org | |
139 | redirect_to '/unauthorized', status: 401 | |
140 | else | |
141 | session[:userinfo] = claims | |
142 | redirect_to '/dashboard' | |
143 | end | |
144 | end | |
145 | ``` | |
146 | ||
147 | For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs. | |
148 | ||
149 | ### Accepting user invitations | |
150 | ||
151 | Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard. | |
152 | ||
153 | When the user arrives at your application using an invite link, you can expect three query parameters to be provided: `invitation`, `organization`, and `organization_name`. These will always be delivered using a GET request. | |
154 | ||
155 | You can then supply those parametrs to a `button_to` or `link_to` helper | |
156 | ||
157 | ```ruby | |
158 | <%= | |
159 | button_to 'Login', 'auth/auth0', | |
160 | method: :post, | |
161 | params: { | |
162 | organization: '{YOUR_ORGANIZATION_ID}', | |
163 | invitation: '{INVITE_CODE}' | |
164 | } | |
165 | %> | |
166 | ``` |
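Review bot: The `callback` sample checks `claims["org"]` with `!==`, which is not a Ruby operator (the parser reads `!=` followed by `=` and fails), and the prose two sections above states that the claim to validate is `org_id`, so the sample as written neither runs nor checks the claim it describes; `if claims['org_id'] && claims['org_id'] != expected_org` is the minimal correction. If every login in the application is expected to carry an organization, the guard should also reject a token with no `org_id` at all, since the current condition lets that case fall through to the `/dashboard` branch. The second `provider` sample is missing a comma after `ENV['AUTH0_DOMAIN']`, so it is not valid Ruby either.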
1 | 1 | |
2 | 2 | gemspec |
3 | 3 | |
4 | gem 'gem-release' | |
5 | gem 'jwt' | |
6 | gem 'rake' | |
4 | gem 'gem-release', '~> 2' | |
5 | gem 'jwt', '~> 2' | |
6 | gem 'rake', '~> 13' | |
7 | 7 | |
8 | 8 | group :development do |
9 | gem 'dotenv' | |
10 | gem 'pry' | |
11 | gem 'rubocop', require: false | |
12 | gem 'shotgun' | |
13 | gem 'sinatra' | |
14 | gem 'thin' | |
9 | gem 'dotenv', '~> 2' | |
10 | gem 'pry', '~> 0' | |
11 | gem 'rubocop', '~> 1', require: false | |
12 | gem 'shotgun', '~> 0' | |
13 | gem 'sinatra', '~> 2' | |
14 | gem 'thin', '~> 1' | |
15 | 15 | end |
16 | 16 | |
17 | 17 | group :test do |
18 | gem 'guard-rspec', require: false | |
18 | gem 'guard-rspec', '~> 4', require: false | |
19 | 19 | gem 'listen', '~> 3' |
20 | gem 'rack-test' | |
21 | gem 'rspec', '~> 3.5' | |
22 | gem 'simplecov-cobertura' | |
23 | gem 'webmock', '>= 3.12.2' | |
20 | gem 'rack-test', '~> 2' | |
21 | gem 'rspec', '~> 3' | |
22 | gem 'simplecov-cobertura', '~> 2' | |
23 | gem 'webmock', '~> 3' | |
24 | gem 'multi_json', '~> 1' | |
24 | 25 | end |
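Review bot: `gem 'webmock', '~> 3'` appears to replace `gem 'webmock', '>= 3.12.2'`, and `~> 3` only means `>= 3, < 4`, so the lower bound the old constraint enforced (the changelog on this page credits a Snyk security upgrade for webmock) is silently dropped; `gem 'webmock', '~> 3', '>= 3.12.2'` keeps both the major bound and the floor. Gemfile.lock still pins the resolved version, so this only bites on re-resolution, but the intent of the floor is lost. `'~> 0'` on `pry` and `shotgun` is likewise effectively unconstrained (`>= 0, < 1`) and could be tightened to the minor version actually in use.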
0 | 0 | PATH |
1 | 1 | remote: . |
2 | 2 | specs: |
3 | omniauth-auth0 (3.0.0) | |
4 | omniauth (~> 2.0) | |
5 | omniauth-oauth2 (~> 1.7) | |
3 | omniauth-auth0 (3.1.0) | |
4 | omniauth (~> 2) | |
5 | omniauth-oauth2 (~> 1) | |
6 | 6 | |
7 | 7 | GEM |
8 | 8 | remote: https://rubygems.org/ |
9 | 9 | specs: |
10 | addressable (2.8.0) | |
11 | public_suffix (>= 2.0.2, < 5.0) | |
10 | addressable (2.8.1) | |
11 | public_suffix (>= 2.0.2, < 6.0) | |
12 | 12 | ast (2.4.2) |
13 | 13 | coderay (1.1.3) |
14 | 14 | crack (0.4.5) |
16 | 16 | daemons (1.4.1) |
17 | 17 | diff-lcs (1.5.0) |
18 | 18 | docile (1.4.0) |
19 | dotenv (2.7.6) | |
19 | dotenv (2.8.1) | |
20 | 20 | eventmachine (1.2.7) |
21 | faraday (2.3.0) | |
22 | faraday-net_http (~> 2.0) | |
21 | faraday (2.7.1) | |
22 | faraday-net_http (>= 2.0, < 3.1) | |
23 | 23 | ruby2_keywords (>= 0.0.4) |
24 | faraday-net_http (2.0.3) | |
24 | faraday-net_http (3.0.2) | |
25 | 25 | ffi (1.15.5) |
26 | 26 | formatador (1.1.0) |
27 | 27 | gem-release (2.2.2) |
41 | 41 | rspec (>= 2.99.0, < 4.0) |
42 | 42 | hashdiff (1.0.1) |
43 | 43 | hashie (5.0.0) |
44 | jwt (2.3.0) | |
44 | json (2.6.3) | |
45 | jwt (2.5.0) | |
45 | 46 | listen (3.7.1) |
46 | 47 | rb-fsevent (~> 0.10, >= 0.10.3) |
47 | 48 | rb-inotify (~> 0.9, >= 0.9.10) |
49 | 50 | method_source (1.0.0) |
50 | 51 | multi_json (1.15.0) |
51 | 52 | multi_xml (0.6.0) |
52 | mustermann (1.1.1) | |
53 | mustermann (2.0.2) | |
53 | 54 | ruby2_keywords (~> 0.0.1) |
54 | 55 | nenv (0.3.0) |
55 | 56 | notiffany (0.1.3) |
56 | 57 | nenv (~> 0.1) |
57 | 58 | shellany (~> 0.0) |
58 | oauth2 (1.4.9) | |
59 | oauth2 (2.0.9) | |
59 | 60 | faraday (>= 0.17.3, < 3.0) |
60 | 61 | jwt (>= 1.0, < 3.0) |
61 | multi_json (~> 1.3) | |
62 | 62 | multi_xml (~> 0.5) |
63 | rack (>= 1.2, < 3) | |
63 | rack (>= 1.2, < 4) | |
64 | snaky_hash (~> 2.0) | |
65 | version_gem (~> 1.1) | |
64 | 66 | omniauth (2.1.0) |
65 | 67 | hashie (>= 3.4.6) |
66 | 68 | rack (>= 2.2.3) |
67 | 69 | rack-protection |
68 | omniauth-oauth2 (1.7.2) | |
69 | oauth2 (~> 1.4) | |
70 | omniauth (>= 1.9, < 3) | |
70 | omniauth-oauth2 (1.8.0) | |
71 | oauth2 (>= 1.4, < 3) | |
72 | omniauth (~> 2.0) | |
71 | 73 | parallel (1.22.1) |
72 | parser (3.1.2.0) | |
74 | parser (3.1.3.0) | |
73 | 75 | ast (~> 2.4.1) |
74 | 76 | pry (0.14.1) |
75 | 77 | coderay (~> 1.1) |
76 | 78 | method_source (~> 1.0) |
77 | public_suffix (4.0.7) | |
78 | rack (2.2.3.1) | |
79 | rack-protection (2.2.0) | |
79 | public_suffix (5.0.0) | |
80 | rack (2.2.4) | |
81 | rack-protection (2.2.3) | |
80 | 82 | rack |
81 | rack-test (1.1.0) | |
82 | rack (>= 1.0, < 3) | |
83 | rack-test (2.0.2) | |
84 | rack (>= 1.3) | |
83 | 85 | rainbow (3.1.1) |
84 | 86 | rake (13.0.6) |
85 | rb-fsevent (0.11.1) | |
87 | rb-fsevent (0.11.2) | |
86 | 88 | rb-inotify (0.10.1) |
87 | 89 | ffi (~> 1.0) |
88 | regexp_parser (2.5.0) | |
90 | regexp_parser (2.6.1) | |
89 | 91 | rexml (3.2.5) |
90 | rspec (3.11.0) | |
91 | rspec-core (~> 3.11.0) | |
92 | rspec-expectations (~> 3.11.0) | |
93 | rspec-mocks (~> 3.11.0) | |
94 | rspec-core (3.11.0) | |
95 | rspec-support (~> 3.11.0) | |
96 | rspec-expectations (3.11.0) | |
92 | rspec (3.12.0) | |
93 | rspec-core (~> 3.12.0) | |
94 | rspec-expectations (~> 3.12.0) | |
95 | rspec-mocks (~> 3.12.0) | |
96 | rspec-core (3.12.0) | |
97 | rspec-support (~> 3.12.0) | |
98 | rspec-expectations (3.12.0) | |
97 | 99 | diff-lcs (>= 1.2.0, < 2.0) |
98 | rspec-support (~> 3.11.0) | |
99 | rspec-mocks (3.11.1) | |
100 | rspec-support (~> 3.12.0) | |
101 | rspec-mocks (3.12.0) | |
100 | 102 | diff-lcs (>= 1.2.0, < 2.0) |
101 | rspec-support (~> 3.11.0) | |
102 | rspec-support (3.11.0) | |
103 | rubocop (1.30.0) | |
103 | rspec-support (~> 3.12.0) | |
104 | rspec-support (3.12.0) | |
105 | rubocop (1.39.0) | |
106 | json (~> 2.3) | |
104 | 107 | parallel (~> 1.10) |
105 | parser (>= 3.1.0.0) | |
108 | parser (>= 3.1.2.1) | |
106 | 109 | rainbow (>= 2.2.2, < 4.0) |
107 | 110 | regexp_parser (>= 1.8, < 3.0) |
108 | 111 | rexml (>= 3.2.5, < 4.0) |
109 | rubocop-ast (>= 1.18.0, < 2.0) | |
112 | rubocop-ast (>= 1.23.0, < 2.0) | |
110 | 113 | ruby-progressbar (~> 1.7) |
111 | 114 | unicode-display_width (>= 1.4.0, < 3.0) |
112 | rubocop-ast (1.18.0) | |
115 | rubocop-ast (1.24.0) | |
113 | 116 | parser (>= 3.1.1.0) |
114 | 117 | ruby-progressbar (1.11.0) |
115 | 118 | ruby2_keywords (0.0.5) |
125 | 128 | simplecov (~> 0.19) |
126 | 129 | simplecov-html (0.12.3) |
127 | 130 | simplecov_json_formatter (0.1.4) |
128 | sinatra (2.2.0) | |
129 | mustermann (~> 1.0) | |
131 | sinatra (2.2.3) | |
132 | mustermann (~> 2.0) | |
130 | 133 | rack (~> 2.2) |
131 | rack-protection (= 2.2.0) | |
134 | rack-protection (= 2.2.3) | |
132 | 135 | tilt (~> 2.0) |
136 | snaky_hash (2.0.1) | |
137 | hashie | |
138 | version_gem (~> 1.1, >= 1.1.1) | |
133 | 139 | thin (1.8.1) |
134 | 140 | daemons (~> 1.0, >= 1.0.9) |
135 | 141 | eventmachine (~> 1.0, >= 1.0.4) |
136 | 142 | rack (>= 1, < 3) |
137 | 143 | thor (1.2.1) |
138 | tilt (2.0.10) | |
139 | unicode-display_width (2.1.0) | |
140 | webmock (3.14.0) | |
144 | tilt (2.0.11) | |
145 | unicode-display_width (2.3.0) | |
146 | version_gem (1.1.1) | |
147 | webmock (3.18.1) | |
141 | 148 | addressable (>= 2.8.0) |
142 | 149 | crack (>= 0.3.2) |
143 | 150 | hashdiff (>= 0.4.0, < 2.0.0) |
150 | 157 | |
151 | 158 | DEPENDENCIES |
152 | 159 | bundler |
153 | dotenv | |
154 | gem-release | |
155 | guard-rspec | |
156 | jwt | |
160 | dotenv (~> 2) | |
161 | gem-release (~> 2) | |
162 | guard-rspec (~> 4) | |
163 | jwt (~> 2) | |
157 | 164 | listen (~> 3) |
165 | multi_json (~> 1) | |
158 | 166 | omniauth-auth0! |
159 | pry | |
160 | rack-test | |
161 | rake | |
162 | rspec (~> 3.5) | |
163 | rubocop | |
164 | shotgun | |
165 | simplecov-cobertura | |
166 | sinatra | |
167 | thin | |
168 | webmock (>= 3.12.2) | |
167 | pry (~> 0) | |
168 | rack-test (~> 2) | |
169 | rake (~> 13) | |
170 | rspec (~> 3) | |
171 | rubocop (~> 1) | |
172 | shotgun (~> 0) | |
173 | simplecov-cobertura (~> 2) | |
174 | sinatra (~> 2) | |
175 | thin (~> 1) | |
176 | webmock (~> 3) | |
169 | 177 | |
170 | 178 | BUNDLED WITH |
171 | 179 | 2.3.7 |
0 | # OmniAuth Auth0 | |
0 | ![Omniauth-auth0](https://cdn.auth0.com/website/sdks/banners/omniauth-auth0-banner.png) | |
1 | 1 | |
2 | An [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating with [Auth0](https://auth0.com). This strategy is based on the [OmniAuth OAuth2](https://github.com/omniauth/omniauth-oauth2) strategy. | |
3 | ||
4 | > :warning: **Important security note for v2:** This solution uses a 3rd party library that had a [security issue(s)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284) in v2. Please review the details of the vulnerability, including [Auth0](https://github.com/auth0/omniauth-auth0/issues/82 ) and other recommended [mitigations](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284), before implementing the solution in v2. **[Upgrading to v3](https://github.com/auth0/omniauth-auth0/pull/128) of this library resolves the issue.** | |
5 | 2 | |
6 | 3 | [![CircleCI](https://img.shields.io/circleci/project/github/auth0/omniauth-auth0/master.svg)](https://circleci.com/gh/auth0/omniauth-auth0) |
7 | 4 | [![codecov](https://codecov.io/gh/auth0/omniauth-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/omniauth-auth0) |
8 | 5 | [![Gem Version](https://badge.fury.io/rb/omniauth-auth0.svg)](https://badge.fury.io/rb/omniauth-auth0) |
9 | 6 | [![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/omniauth-auth0/blob/master/LICENSE) |
10 | [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_shield) | |
11 | 7 | |
12 | ## Table of Contents | |
13 | ||
14 | - [Documentation](#documentation) | |
15 | - [Installation](#installation) | |
16 | - [Getting Started](#getting-started) | |
17 | - [Contribution](#contribution) | |
18 | - [Support + Feedback](#support--feedback) | |
19 | - [Vulnerability Reporting](#vulnerability-reporting) | |
20 | - [What is Auth0](#what-is-auth0) | |
21 | - [License](#license) | |
8 | <div> | |
9 | 📚 <a href="#documentation">Documentation</a> - 🚀 <a href="#getting-started">Getting started</a> - 💻 <a href="https://www.rubydoc.info/gems/omniauth-auth0">API reference</a> - 💬 <a href="#feedback">Feedback</a> | |
10 | </div> | |
22 | 11 | |
23 | 12 | ## Documentation |
24 | 13 | |
26 | 15 | - [Sample projects](https://github.com/auth0-samples/auth0-rubyonrails-sample) |
27 | 16 | - [API Reference](https://www.rubydoc.info/gems/omniauth-auth0) |
28 | 17 | |
29 | ## Installation | |
18 | ## Getting started | |
19 | ||
20 | ### Installation | |
30 | 21 | |
31 | 22 | Add the following line to your `Gemfile`: |
32 | 23 | |
48 | 39 | |
49 | 40 | See our [contributing guide](CONTRIBUTING.md) for information on local installation for development. |
50 | 41 | |
51 | ## Getting Started | |
42 | ## Configure the SDK | |
52 | 43 | |
53 | To start processing authentication requests, the following steps must be performed: | |
44 | Adding the SDK to your Rails app requires a few steps: | |
54 | 45 | |
55 | 1. Initialize the strategy | |
56 | 2. Configure the callback controller | |
57 | 3. Add the required routes | |
58 | 4. Trigger an authentication request | |
46 | - [Create the configuration file](#create-the-configuration-file) | |
47 | - [Create the initializer](#create-the-initializer) | |
48 | - [Create the callback controller](#create-the-callback-controller) | |
49 | - [Add routes](#add-routes) | |
59 | 50 | |
60 | All of these tasks and more are covered in our [Ruby on Rails Quickstart](https://auth0.com/docs/quickstart/webapp/rails). | |
51 | ### Create the configuration file | |
61 | 52 | |
62 | ### Additional authentication parameters | |
53 | Create the file `./config/auth0.yml` within your application directory with the following content: | |
63 | 54 | |
64 | To send additional parameters during login, you can specify them when you register the provider: | |
55 | ```yml | |
56 | development: | |
57 | auth0_domain: <YOUR_DOMAIN> | |
58 | auth0_client_id: <YOUR_CLIENT_ID> | |
59 | auth0_client_secret: <YOUR AUTH0 CLIENT SECRET> | |
60 | ``` | |
61 | ||
62 | ### Create the initializer | |
63 | ||
64 | Create a new Ruby file in `./config/initializers/auth0.rb` to configure the OmniAuth middleware: | |
65 | 65 | |
66 | 66 | ```ruby |
67 | provider | |
68 | :auth0, | |
69 | ENV['AUTH0_CLIENT_ID'], | |
70 | ENV['AUTH0_CLIENT_SECRET'], | |
71 | ENV['AUTH0_DOMAIN'], | |
72 | { | |
67 | AUTH0_CONFIG = Rails.application.config_for(:auth0) | |
68 | ||
69 | Rails.application.config.middleware.use OmniAuth::Builder do | |
70 | provider( | |
71 | :auth0, | |
72 | AUTH0_CONFIG['auth0_client_id'], | |
73 | AUTH0_CONFIG['auth0_client_secret'], | |
74 | AUTH0_CONFIG['auth0_domain'], | |
75 | callback_path: '/auth/auth0/callback', | |
73 | 76 | authorize_params: { |
74 | scope: 'openid read:users write:order', | |
75 | audience: 'https://mydomain/api', | |
76 | max_age: 3600 # time in seconds authentication is valid | |
77 | scope: 'openid profile' | |
77 | 78 | } |
78 | } | |
79 | ) | |
80 | end | |
79 | 81 | ``` |
80 | 82 | |
81 | ... which will tell the strategy to send those parameters on every authentication request. | |
83 | ### Create the callback controller | |
82 | 84 | |
83 | ### Authentication hash | |
85 | Create a new controller `./app/controllers/auth0_controller.rb` to handle the callback from Auth0. | |
84 | 86 | |
85 | The Auth0 strategy will provide the standard OmniAuth hash attributes: | |
86 | ||
87 | - `:provider` - the name of the strategy, in this case `auth0` | |
88 | - `:uid` - the user identifier | |
89 | - `:info` - the result of the call to `/userinfo` using OmniAuth standard attributes | |
90 | - `:credentials` - tokens requested and data | |
91 | - `:extra` - Additional info obtained from calling `/userinfo` in the `:raw_info` property | |
87 | > You can also run `rails generate controller auth0 callback failure logout --skip-assets --skip-helper --skip-routes --skip-template-engine` to scaffold this controller for you. | |
92 | 88 | |
93 | 89 | ```ruby |
94 | { | |
95 | :provider => 'auth0', | |
96 | :uid => 'auth0|USER_ID', | |
97 | :info => { | |
98 | :name => 'John Foo', | |
99 | :email => 'johnfoo@example.org', | |
100 | :nickname => 'john', | |
101 | :image => 'https://example.org/john.jpg' | |
102 | }, | |
103 | :credentials => { | |
104 | :token => 'ACCESS_TOKEN', | |
105 | :expires_at => 1485373937, | |
106 | :expires => true, | |
107 | :refresh_token => 'REFRESH_TOKEN', | |
108 | :id_token => 'JWT_ID_TOKEN', | |
109 | :token_type => 'bearer', | |
110 | }, | |
111 | :extra => { | |
112 | :raw_info => { | |
113 | :email => 'johnfoo@example.org', | |
114 | :email_verified => 'true', | |
115 | :name => 'John Foo', | |
116 | :picture => 'https://example.org/john.jpg', | |
117 | :user_id => 'auth0|USER_ID', | |
118 | :nickname => 'john', | |
119 | :created_at => '2014-07-15T17:19:50.387Z' | |
120 | } | |
121 | } | |
122 | } | |
90 | # ./app/controllers/auth0_controller.rb | |
91 | class Auth0Controller < ApplicationController | |
92 | def callback | |
93 | # OmniAuth stores the information returned from Auth0 and the IdP in request.env['omniauth.auth']. | |
94 | # In this code, you will pull the raw_info supplied from the id_token and assign it to the session. | |
95 | # Refer to https://github.com/auth0/omniauth-auth0/blob/master/EXAMPLES.md#example-of-the-resulting-authentication-hash for complete information on 'omniauth.auth' contents. | |
96 | auth_info = request.env['omniauth.auth'] | |
97 | session[:userinfo] = auth_info['extra']['raw_info'] | |
98 | ||
99 | # Redirect to the URL you want after successful auth | |
100 | redirect_to '/dashboard' | |
101 | end | |
102 | ||
103 | def failure | |
104 | # Handles failed authentication -- Show a failure page (you can also handle with a redirect) | |
105 | @error_msg = request.params['message'] | |
106 | end | |
107 | ||
108 | def logout | |
109 | # you will finish this in a later step | |
110 | end | |
111 | end | |
123 | 112 | ``` |
124 | 113 | |
125 | ### Query Parameter Options | |
114 | ### Add routes | |
126 | 115 | |
127 | In some scenarios, you may need to pass specific query parameters to `/authorize`. The following parameters are available to enable this: | |
128 | ||
129 | - `connection` | |
130 | - `connection_scope` | |
131 | - `prompt` | |
132 | - `screen_hint` (only relevant to New Universal Login Experience) | |
133 | - `organization` | |
134 | - `invitation` | |
135 | ||
136 | Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior. | |
137 | ||
138 | ## Examples | |
139 | ||
140 | ### Auth0 Organizations | |
141 | ||
142 | [Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications. | |
143 | ||
144 | Using Organizations, you can: | |
145 | ||
146 | - Represent teams, business customers, partner companies, or any logical grouping of users that should have different ways of accessing your applications, as organizations. | |
147 | - Manage their membership in a variety of ways, including user invitation. | |
148 | - Configure branded, federated login flows for each organization. | |
149 | - Implement role-based access control, such that users can have different roles when authenticating in the context of different organizations. | |
150 | - Build administration capabilities into your products, using Organizations APIs, so that those businesses can manage their own organizations. | |
151 | ||
152 | Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans. | |
153 | ||
154 | #### Logging in with an Organization | |
155 | ||
156 | Logging in with an Organization is as easy as passing the parameters to the authorize endpoint. You can do this with | |
116 | Finally, add the following routes to your `./config/routes.rb` file: | |
157 | 117 | |
158 | 118 | ```ruby |
159 | <%= | |
160 | button_to 'Login', 'auth/auth0', | |
161 | method: :post, | |
162 | params: { | |
163 | # Found in your Auth0 dashboard, under Organization settings: | |
164 | organization: '{AUTH0_ORGANIZATION}' | |
165 | } | |
166 | %> | |
119 | Rails.application.routes.draw do | |
120 | # .. | |
121 | get '/auth/auth0/callback' => 'auth0#callback' | |
122 | get '/auth/failure' => 'auth0#failure' | |
123 | get '/auth/logout' => 'auth0#logout' | |
124 | end | |
167 | 125 | ``` |
168 | 126 | |
169 | Alternatively you can configure the organization when you register the provider: | |
127 | ## Logging in | |
170 | 128 | |
171 | ```ruby | |
172 | provider | |
173 | :auth0, | |
174 | ENV['AUTH0_CLIENT_ID'], | |
175 | ENV['AUTH0_CLIENT_SECRET'], | |
176 | ENV['AUTH0_DOMAIN'] | |
177 | { | |
178 | authorize_params: { | |
179 | scope: 'openid read:users', | |
180 | audience: 'https://{AUTH0_DOMAIN}/api', | |
181 | organization: '{AUTH0_ORGANIZATION}' | |
182 | } | |
183 | } | |
129 | To redirect your users to Auth0 for authentication, redirect your users to the `/auth/auth0` endpoint of your app. One way to do this is to use a link or button on a page: | |
130 | ||
131 | ```html | |
132 | <%= button_to 'Login', '/auth/auth0', method: :post %> | |
184 | 133 | ``` |
185 | 134 | |
186 | When passing `openid` to the scope and `organization` to the authorize params, you will receive an ID token on callback with the `org_id` claim. This claim is validated for you by the SDK. | |
135 | ## Feedback | |
187 | 136 | |
188 | #### Validating Organizations when using Organization Login Prompt | |
189 | ||
190 | When Organization login prompt is enabled on your application, but you haven't specified an Organization for the application's authorization endpoint, the `org_id` claim will be present on the ID token, and should be validated to ensure that the value received is expected or known. | |
191 | ||
192 | Normally, validating the issuer would be enough to ensure that the token was issued by Auth0, and this check is performed by the SDK. However, in the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected. | |
193 | ||
194 | In particular, the `org_id` claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the ID Token. | |
195 | ||
196 | Here is an example using it in your `callback` method | |
197 | ||
198 | ```ruby | |
199 | def callback | |
200 | claims = request.env['omniauth.auth']['extra']['raw_info'] | |
201 | ||
202 | if claims["org"] && claims["org"] !== expected_org | |
203 | redirect_to '/unauthorized', status: 401 | |
204 | else | |
205 | session[:userinfo] = claims | |
206 | redirect_to '/dashboard' | |
207 | end | |
208 | end | |
209 | ``` | |
210 | ||
211 | For more information, please read [Work with Tokens and Organizations](https://auth0.com/docs/organizations/using-tokens) on Auth0 Docs. | |
212 | ||
213 | #### Accepting user invitations | |
214 | ||
215 | Auth0 Organizations allow users to be invited using emailed links, which will direct a user back to your application. The URL the user will arrive at is based on your configured `Application Login URI`, which you can change from your Application's settings inside the Auth0 dashboard. | |
216 | ||
217 | When the user arrives at your application using an invite link, you can expect three query parameters to be provided: `invitation`, `organization`, and `organization_name`. These will always be delivered using a GET request. | |
218 | ||
219 | You can then supply those parametrs to a `button_to` or `link_to` helper | |
220 | ||
221 | ```ruby | |
222 | <%= | |
223 | button_to 'Login', 'auth/auth0', | |
224 | method: :post, | |
225 | params: { | |
226 | organization: '{YOUR_ORGANIZATION_ID}', | |
227 | invitation: '{INVITE_CODE}' | |
228 | } | |
229 | %> | |
230 | ``` | |
231 | ||
232 | ## Contribution | |
137 | ### Contributing | |
233 | 138 | |
234 | 139 | We appreciate feedback and contribution to this repo! Before you get started, please see the following: |
235 | 140 | |
236 | - [Auth0's contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) | |
237 | - [Auth0's Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) | |
238 | - [This repo's contribution guide](CONTRIBUTING.md) | |
141 | - [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) | |
142 | - [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) | |
143 | - [This repo's contribution guide](https://github.com/auth0/omniauth-auth0/blob/master/CONTRIBUTING.md) | |
239 | 144 | |
240 | ## Support + Feedback | |
145 | ### Raise an issue | |
241 | 146 | |
242 | - Use [Community](https://community.auth0.com/) for usage, questions, specific cases. | |
243 | - Use [Issues](https://github.com/auth0/omniauth-auth0/issues) here for code-level support and bug reports. | |
244 | - Paid customers can use [Support](https://support.auth0.com/) to submit a trouble ticket for production-affecting issues. | |
147 | To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/auth0/omniauth-auth0/issues). | |
245 | 148 | |
246 | ## Vulnerability Reporting | |
149 | ### Vulnerability Reporting | |
247 | 150 | |
248 | Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues. | |
151 | Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues. | |
249 | 152 | |
250 | ## What is Auth0? | |
153 | --- | |
251 | 154 | |
252 | Auth0 helps you to easily: | |
253 | ||
254 | - implement authentication with multiple identity providers, including social (e.g., Google, Facebook, Microsoft, LinkedIn, GitHub, Twitter, etc), or enterprise (e.g., Windows Azure AD, Google Apps, Active Directory, ADFS, SAML, etc.) | |
255 | - log in users with username/password databases, passwordless, or multi-factor authentication | |
256 | - link multiple user accounts together | |
257 | - generate signed JSON Web Tokens to authorize your API calls and flow the user identity securely | |
258 | - access demographics and analytics detailing how, when, and where users are logging in | |
259 | - enrich user profiles from other data sources using customizable JavaScript rules | |
260 | ||
261 | [Why Auth0?](https://auth0.com/why-auth0) | |
262 | ||
263 | ## License | |
264 | ||
265 | The OmniAuth Auth0 strategy is licensed under MIT - [LICENSE](LICENSE) | |
266 | ||
267 | ||
268 | [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauth0%2Fomniauth-auth0?ref=badge_large) | |
155 | <p align="center"> | |
156 | <picture> | |
157 | <source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150"> | |
158 | <source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150"> | |
159 | <img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150"> | |
160 | </picture> | |
161 | </p> | |
162 | <p align="center"> | |
163 | Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a> | |
164 | </p> | |
165 | <p align="center"> | |
166 | This project is licensed under the MIT license. See the <a href="https://github.com/auth0/omniauth-auth0/blob/master/LICENSE"> LICENSE</a> file for more info. | |
167 | </p> |
93 | 93 | params[:leeway] = 60 unless params[:leeway] |
94 | 94 | |
95 | 95 | # Store authorize params in the session for token verification |
96 | session['authorize_params'] = params | |
96 | session['authorize_params'] = params.to_hash | |
97 | 97 | |
98 | 98 | params |
99 | 99 | end |
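Review bot: The switch to `params.to_hash` deserves a comment, because the stored hash is what the callback later verifies the ID token against (the existing comment above the line says so) and the reason for the conversion is not visible here. Suggested: `# Store a plain Hash rather than the OmniAuth options object so the session serializes under any Rack session store and needs no app class to deserialize`. One thing to confirm: if `params` is a Hashie-style indifferent-access object, `to_hash` may yield string keys, so the code that reads `session['authorize_params']` back must index with the same key type or it will silently see `nil` for `nonce` and `leeway`. The enclosing method starts and ends outside this hunk.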
0 | 0 | module OmniAuth |
1 | 1 | module Auth0 |
2 | VERSION = '3.0.0'.freeze | |
2 | VERSION = '3.1.0'.freeze | |
3 | 3 | end |
4 | 4 | end |
20 | 20 | s.executables = `git ls-files -- bin/*`.split('\n').map{ |f| File.basename(f) } |
21 | 21 | s.require_paths = ['lib'] |
22 | 22 | |
23 | s.add_runtime_dependency 'omniauth', '~> 2.0' | |
24 | s.add_runtime_dependency 'omniauth-oauth2', '~> 1.7' | |
23 | s.add_runtime_dependency 'omniauth', '~> 2' | |
24 | s.add_runtime_dependency 'omniauth-oauth2', '~> 1' | |
25 | 25 | |
26 | 26 | s.add_development_dependency 'bundler' |
27 | ||
27 | ||
28 | 28 | s.license = 'MIT' |
29 | 29 | end |
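Review bot: Lowering `omniauth-oauth2` from `'~> 1.7'` to `'~> 1'` widens the accepted range downwards to every 1.x release, which the previous spec excluded, and no reason is given; the lock shows 1.8.0 requiring `omniauth (~> 2.0)` while the replaced 1.7.2 still allowed omniauth 1.9, so whether older 1.x releases work with the `omniauth '~> 2'` requirement on the previous line is unclear. Keeping the floor costs nothing: `s.add_runtime_dependency 'omniauth-oauth2', '~> 1', '>= 1.7'`. Separately, the jwt gem is not declared as a runtime dependency even though the validator spec expects `JWT::VerificationError`; per the lock it only arrives transitively through `oauth2 (jwt >= 1.0, < 3.0)`, and the `gem 'jwt', '~> 2'` added to the Gemfile is not shipped with the gem. If the validator calls `JWT` directly, add `s.add_runtime_dependency 'jwt', '~> 2'` so a future oauth2 release dropping jwt cannot break ID-token verification for installed users.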
356 | 356 | message: "Nonce (nonce) claim value mismatch in the ID token; expected (noncey), found (mismatch)" |
357 | 357 | })) |
358 | 358 | end |
359 | ||
359 | ||
360 | 360 | it 'should fail when “aud” is an array of strings and azp claim is not present' do |
361 | 361 | aud = [ |
362 | 362 | client_id, |
475 | 475 | expect(id_token['auth_time']).to eq(auth_time) |
476 | 476 | end |
477 | 477 | |
478 | it 'should fail when authorize params has organization but org_id is missing in the token', focus: true do | |
478 | it 'should fail when authorize params has organization but org_id is missing in the token' do | |
479 | 479 | payload = { |
480 | 480 | iss: "https://#{domain}/", |
481 | 481 | sub: 'sub', |
492 | 492 | })) |
493 | 493 | end |
494 | 494 | |
495 | it 'should fail when authorize params has organization but token org_id does not match', focus: true do | |
495 | it 'should fail when authorize params has organization but token org_id does not match' do | |
496 | 496 | payload = { |
497 | 497 | iss: "https://#{domain}/", |
498 | 498 | sub: 'sub', |
543 | 543 | expect do |
544 | 544 | verified_token = make_jwt_validator(opt_domain: domain).verify(token) |
545 | 545 | end.to raise_error(an_instance_of(JWT::VerificationError).and having_attributes({ |
546 | message: "Signature verification raised" | |
546 | message: "Signature verification failed" | |
547 | 547 | })) |
548 | 548 | end |
549 | 549 |
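Review bot: The expectation at the bottom of the hunk pins the exact message text produced by the third-party jwt gem (`"Signature verification failed"`), which is why this commit had to edit it when jwt moved from 2.3.0 to 2.5.0 per the lock; the next jwt release can break the suite the same way with no change in omniauth-auth0 behavior. Asserting the error class plus a stable fragment is enough to prove the signature check fired: `end.to raise_error(JWT::VerificationError, /Signature verification/)`. Removing the two `focus: true` tags earlier in the hunk is the right call, since spec_helper now filters on that tag.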
1 | 1 | |
2 | 2 | require 'spec_helper' |
3 | 3 | require 'jwt' |
4 | require 'multi_json' | |
4 | 5 | |
5 | 6 | OmniAuth.config.allowed_request_methods = [:get, :post] |
6 | 7 | |
195 | 196 | expect(redirect_url).not_to have_query('screen_hint') |
196 | 197 | expect(redirect_url).not_to have_query('organization') |
197 | 198 | expect(redirect_url).not_to have_query('invitation') |
199 | end | |
200 | ||
201 | def session | |
202 | session_cookie = last_response.cookies['rack.session'].first | |
203 | session_data, _, _ = session_cookie.rpartition('--') | |
204 | decoded_session_data = Base64.decode64(session_data) | |
205 | Marshal.load(decoded_session_data) | |
206 | end | |
207 | ||
208 | it "stores session['authorize_params'] as a plain Ruby Hash" do | |
209 | get '/auth/auth0' | |
210 | ||
211 | expect(session['authorize_params'].class).to eq(::Hash) | |
198 | 212 | end |
199 | 213 | |
200 | 214 | describe 'callback' do |
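Review bot: The new `session` helper deserializes the cookie with `Marshal.load` after stripping the `--<hmac>` suffix, so it accepts any payload without checking the signature and hard-wires the spec to Rack::Session::Cookie's default Base64/Marshal coder. That is acceptable for a test reading the app's own response, but it should say so explicitly so the unconditional `Marshal.load` is not copied elsewhere: `# Test-only: decode the default Rack::Session::Cookie Base64+Marshal payload; the HMAC is deliberately ignored`. Also `expect(session['authorize_params'].class).to eq(::Hash)` gives a better failure message as `expect(session['authorize_params']).to be_an_instance_of(::Hash)`. The example group enclosing this hunk starts outside it.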
0 | 0 | $LOAD_PATH.unshift File.expand_path(__dir__) |
1 | 1 | $LOAD_PATH.unshift File.expand_path('../lib', __dir__) |
2 | 2 | |
3 | require 'multi_json' | |
3 | 4 | require 'simplecov' |
4 | 5 | SimpleCov.start |
5 | 6 | |
21 | 22 | config.include WebMock::API |
22 | 23 | config.include Rack::Test::Methods |
23 | 24 | config.extend OmniAuth::Test::StrategyMacros, type: :strategy |
25 | config.filter_run focus: true | |
26 | config.run_all_when_everything_filtered = true | |
24 | 27 | |
25 | 28 | def app |
26 | 29 | @app || make_application |
38 | 41 | configure do |
39 | 42 | enable :sessions |
40 | 43 | set :show_exceptions, false |
41 | set :session_secret, 'TEST' | |
44 | set :session_secret, '9771aff2c634257053c62ba072c54754bd2cc92739b37e81c3eda505da48c2ec' | |
42 | 45 | end |
43 | 46 | |
44 | 47 | use OmniAuth::Builder do |
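Review bot: `config.filter_run focus: true` together with `run_all_when_everything_filtered` means a single leftover `focus: true` tag (this same commit removes two from jwt_validator_spec) silently shrinks the whole suite to one example, including on CI where the green result would then be meaningless. RSpec's shorthand for the pair is `config.filter_run_when_matching :focus`, and disabling it on CI keeps the local convenience while guaranteeing a full run there: `config.filter_run_when_matching :focus unless ENV['CI']`. The new 64-hex `session_secret` is a test fixture rather than a credential, but a comment saying so (`# test-only value, not used anywhere else`) will save it from secret-scanner triage. Both the `RSpec.configure` block and the Sinatra `configure` block start outside this hunk.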