From 86ccda6c51af826aec96af7feb5deff4013b55d6 Mon Sep 17 00:00:00 2001
From: cmrd Senya
Date: Sat, 3 Sep 2016 02:25:30 +0300
Subject: [PATCH 1/3] Support Dynamic Client Registration

Adds support for Dynamic Client Registration (see https://openid.net/specs/openid-connect-registration-1_0.html). Dynamic Client Registration is initiated when no identifier was supplied among the client_options. Also, this includes changes for the better handling of "http" schema (useful in testing).
---
 lib/omniauth/strategies/openid_connect.rb | 25 +++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index e4705c90..2432e029 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -16,12 +16,13 @@ class OpenIDConnect
 redirect_uri: nil,
 scheme: "https",
 host: nil,
- port: 443,
+ port: nil,
 authorization_endpoint: "/authorize",
 token_endpoint: "/token",
 userinfo_endpoint: "/userinfo",
 jwks_uri: '/jwk'
 }
+ option :client_name, "a web application via omniauth-openid-connect" # in case of dynamic registration
 option :issuer
 option :discovery, false
 option :client_signing_alg
@@ -74,7 +75,16 @@ class OpenIDConnect
 end
 
 def client
- @client ||= ::OpenIDConnect::Client.new(client_options)
+ @client ||= \
+ if client_options.identifier.nil?
+ registrar.register!.tap do |client|
+ %i(authorization_endpoint token_endpoint userinfo_endpoint).each do |key|
+ client.send :"#{key}=", client_options[key]
+ end
+ end
+ else
+ ::OpenIDConnect::Client.new(client_options)
+ end
 end
 
 def config
@@ -82,6 +92,10 @@ def config
 end
 
 def request_phase
+ if client_options.scheme == "http"
+ WebFinger.url_builder = URI::HTTP
+ SWD.url_builder = URI::HTTP
+ end
 options.issuer = issuer if options.issuer.blank?
 discover! if options.discovery
 redirect authorize_uri
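Review bot: In the `def client` hunk, dynamic registration is triggered by the mere absence of `client_options.identifier`, so a deployment that simply forgot to configure its client id silently registers a brand-new client with the provider on first use instead of failing loudly. Registering with a third-party provider is a side effect that deserves an explicit opt-in: add something like `option :dynamic_registration, false`, branch on `if client_options.identifier.nil? && options.dynamic_registration`, and otherwise `raise ArgumentError, 'client_options.identifier is required (or enable dynamic_registration)'`. `registrar.register!` also performs a network request lazily from whichever code path first touches `client`, so its errors surface far from the configuration that caused them, and it presumably depends on `config` (discovery) having succeeded, which this hunk does not check. `config` and `registrar` are defined outside this hunk.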
@@ -138,6 +152,13 @@ def public_key private + def registrar + ::OpenIDConnect::Client::Registrar.new(config.registration_endpoint).tap do |registrar| + registrar.redirect_uris = *client_options.redirect_uri + registrar.client_name = options.client_name + end + end + def issuer resource = "#{client_options.scheme}://#{client_options.host}" + ((client_options.port) ? ":#{client_options.port.to_s}" : '') ::OpenIDConnect::Discovery::Provider.discover!(resource).issuer From 87150faa932d22fc31ed9dc22757d81bf3163041 Mon Sep 17 00:00:00 2001 From: cmrd Senya Date: Fri, 4 Nov 2016 18:52:01 +0200 Subject: [PATCH 2/3] fixup! Support Dynamic Client Registration --- lib/omniauth/strategies/openid_connect.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb index 2432e029..1a38cff7 100644 --- a/lib/omniauth/strategies/openid_connect.rb +++ b/lib/omniauth/strategies/openid_connect.rb @@ -81,6 +81,8 @@ def client %i(authorization_endpoint token_endpoint userinfo_endpoint).each do |key| client.send :"#{key}=", client_options[key] end + client_options.identifier = client.identifier + client_options.secret = client.secret end else ::OpenIDConnect::Client.new(client_options) From 5e8103b9bc6706fa92f27882ccbaf5fa8c9e1344 Mon Sep 17 00:00:00 2001 From: cmrd Senya Date: Fri, 4 Nov 2016 23:20:51 +0200 Subject: [PATCH 3/3] fixup! Support Dynamic Client Registration --- lib/omniauth/strategies/openid_connect.rb | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb index 1a38cff7..1e81096d 100644 --- a/lib/omniauth/strategies/openid_connect.rb +++ b/lib/omniauth/strategies/openid_connect.rb @@ -16,7 +16,7 @@ class OpenIDConnect redirect_uri: nil, scheme: "https", host: nil, - port: nil, + port: 443, authorization_endpoint: "/authorize", token_endpoint: "/token", userinfo_endpoint: "/userinfo", 
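Review bot: In `registrar`, `registrar.redirect_uris = *client_options.redirect_uri` silently degrades to an empty list when `redirect_uri` is still the default `nil`, so the registration request can go out without the one value that binds the new client to this application; a provider lenient enough to accept that could leave the registered client usable with arbitrary redirect targets. Guard it before registering: `raise ArgumentError, 'client_options.redirect_uri is required for dynamic registration' if client_options.redirect_uri.nil?`. The same applies to `config.registration_endpoint`, which is passed straight to `Registrar.new` — if the provider metadata does not advertise one it is presumably `nil`, and the failure would surface deep inside the registrar rather than as a configuration error. Nothing here pins `token_endpoint_auth_method` or `response_types` either, so the client ends up with whatever defaults the provider assigns; whether those match what the strategy later uses at the token endpoint is not visible in this hunk and is worth confirming or setting explicitly.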
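Review bot: In the fixup hunk, the identifier and secret returned by `register!` are written only into the in-memory `client_options`, so they live as long as the process: every restart or additional worker registers yet another client with the provider, and nothing retains the response's `registration_access_token` / `registration_client_uri` (when the provider returns them) that would be needed to later update or delete that registration. Consider giving the application a way to persist and reload the registration, e.g. an `option :on_client_registered, nil` invoked with the registered client, and consulting stored credentials before deciding to register; at minimum document the behaviour with `# NOTE: registration is per process; persist the returned identifier/secret to avoid re-registering on every restart`. Whether the options object is shared across requests in this strategy is not visible here, so two concurrent first requests could each register before these assignments take effect — worth confirming. The enclosing `client` method starts and ends outside this hunk.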
@@ -94,10 +94,6 @@ def config
 end
 
 def request_phase
- if client_options.scheme == "http"
- WebFinger.url_builder = URI::HTTP
- SWD.url_builder = URI::HTTP
- end
 options.issuer = issuer if options.issuer.blank?
 discover! if options.discovery
 redirect authorize_uri