diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index 9a530250..22dae248 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -181,10 +181,12 @@ def authorize_uri
 client.authorization_uri(opts.reject { |_k, v| v.nil? })
 end
- def public_key
- return config.jwks if options.discovery
-
- key_or_secret || config.jwks
+ def public_key_or_config
+ if options.discovery || key_or_secret.blank?
+ config
+ else
+ key_or_secret
+ end
 end
 private
@@ -231,7 +233,7 @@ def access_token
 end
 def decode_id_token(id_token)
- ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
+ ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key_or_config)
 end
 def client_options
diff --git a/omniauth_openid_connect.gemspec b/omniauth_openid_connect.gemspec
index 7f0dd5ac..2b5e07f4 100644
--- a/omniauth_openid_connect.gemspec
+++ b/omniauth_openid_connect.gemspec
@@ -29,7 +29,7 @@ Gem::Specification.new do |spec|
 spec.add_dependency 'addressable', '~> 2.5'
 spec.add_dependency 'omniauth', '>= 1.9', '< 3'
- spec.add_dependency 'openid_connect', '~> 1.1'
+ spec.add_dependency 'openid_connect', '~> 1.4'
 spec.add_development_dependency 'faker', '~> 2.0'
 spec.add_development_dependency 'guard', '~> 2.14'
 spec.add_development_dependency 'guard-bundler', '~> 2.2'
diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
index fbf5dd44..aa801fce 100644
--- a/test/lib/omniauth/strategies/openid_connect_test.rb
+++ b/test/lib/omniauth/strategies/openid_connect_test.rb
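Review bot: `public_key` sits above `private`, so replacing it with `public_key_or_config` removes a public method and changes what it returns (the whole provider config instead of `config.jwks`) with no alias or deprecation; a caller outside this file that still uses `public_key` would break, though none is visible here. The new method returns two unrelated kinds of value and has no comment saying so; something like `# Returns the provider config unless discovery is off and a key or secret is configured; the config lets the decoder resolve the signing key from the provider's JWKS.` would help, with the decoder part confirmed against the `~> 1.4` dependency since it is not shown in the hunk. The same comment should state that `options.discovery` wins over a configured `client_jwk_signing_key` or `client_x509_signing_key`, because that decides which key material ID-token signatures are checked against. `key_or_secret.blank?` also depends on ActiveSupport being loaded, which is worth confirming is guaranteed by a declared dependency.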
@@ -568,11 +568,37 @@ def test_option_client_auth_method
 assert(strategy.send(:access_token))
 end
+ def test_with_no_key_nor_discovery
+ config = ::OpenIDConnect::Discovery::Provider::Config::Response.new(
+ issuer: 'https://example.com/',
+ authorization_endpoint: 'https://example.com/authorization',
+ jwks_uri: 'https://example.com/jwks'
+ )
+ ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+ strategy.options.issuer = 'https://example.com/'
+ strategy.options.discovery = true
+
+ assert_equal config, strategy.public_key_or_config
+ end
+
+ def test_public_key_with_discovery
+ config = ::OpenIDConnect::Discovery::Provider::Config::Response.new(
+ issuer: 'https://example.com/',
+ authorization_endpoint: 'https://example.com/authorization',
+ jwks_uri: 'https://example.com/jwks'
+ )
+ ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+ strategy.options.issuer = 'https://example.com/'
+ strategy.options.discovery = true
+
+ assert_equal config, strategy.public_key_or_config
+ end
+
 def test_public_key_with_jwks
 strategy.options.client_signing_alg = :RS256
 strategy.options.client_jwk_signing_key = File.read('./test/fixtures/jwks.json')
- assert_equal JSON::JWK::Set, strategy.public_key.class
+ assert_equal JSON::JWK::Set, strategy.public_key_or_config.class
 end
 def test_public_key_with_jwk
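Review bot: `test_with_no_key_nor_discovery` has the same body as `test_public_key_with_discovery`, including `strategy.options.discovery = true`, so the `key_or_secret.blank?` fallback added in `public_key_or_config` is never exercised. In the first test, use `strategy.options.discovery = false`, leave the signing-key options unset, and assert that the result is the strategy's config rather than a key. How `config` is built without discovery is outside this hunk, so the exact expected object needs checking. That branch decides what ID-token signatures are verified against when no key is configured, so it deserves its own coverage.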
@@ -582,19 +608,19 @@ def test_public_key_with_jwk
 jwk = jwks['keys'].first
 strategy.options.client_jwk_signing_key = jwk.to_json
- assert_equal JSON::JWK, strategy.public_key.class
+ assert_equal JSON::JWK, strategy.public_key_or_config.class
 end
 def test_public_key_with_x509
 strategy.options.client_signing_alg = :RS256
 strategy.options.client_x509_signing_key = File.read('./test/fixtures/test.crt')
- assert_equal OpenSSL::PKey::RSA, strategy.public_key.class
+ assert_equal OpenSSL::PKey::RSA, strategy.public_key_or_config.class
 end
 def test_public_key_with_hmac
 strategy.options.client_options.secret = 'secret'
 strategy.options.client_signing_alg = :HS256
- assert_equal strategy.options.client_options.secret, strategy.public_key
+ assert_equal strategy.options.client_options.secret, strategy.public_key_or_config
 end
 def test_id_token_auth_hash