diff --git a/app/controllers/api/openid_connect/authorizations_controller.rb b/app/controllers/api/openid_connect/authorizations_controller.rb
new file mode 100644
index 0000000000000000000000000000000000000000..16509f555d1d417b88620001ec3b8fe0779f6ac3
--- /dev/null
+++ b/app/controllers/api/openid_connect/authorizations_controller.rb
@@ -0,0 +1,106 @@
+module Api
+ module OpenidConnect
+ class AuthorizationsController < ApplicationController
+ rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e|
+ logger.info e.backtrace[0, 10].join("\n")
+ render json: {error: e.message || :error, status: e.status}
+ end
+
+ before_action :authenticate_user!
+
+ def new
+ request_authorization_consent_form
+ end
+
+ def create
+ restore_request_parameters
+ process_authorization_consent(params[:approve])
+ end
+
+ private
+
+ def request_authorization_consent_form # TODO: Add support for prompt params
+ if Api::OpenidConnect::Authorization.find_by_client_id_and_user(params[:client_id], current_user)
+ process_authorization_consent("true")
+ else
+ endpoint = Api::OpenidConnect::AuthorizationPoint::EndpointStartPoint.new(current_user)
+ handle_start_point_response(endpoint)
+ end
+ end
+
+ def handle_start_point_response(endpoint)
+ _status, header, response = *endpoint.call(request.env)
+ if response.redirect?
+ redirect_to header["Location"]
+ else
+ save_params_and_render_consent_form(endpoint)
+ end
+ end
+
+ def save_params_and_render_consent_form(endpoint)
+ @o_auth_application, @response_type, @redirect_uri, @scopes, @request_object = *[
+ endpoint.o_auth_application, endpoint.response_type,
+ endpoint.redirect_uri, endpoint.scopes, endpoint.request_object
+ ]
+ save_request_parameters
+ render :new
+ end
+
+ def save_request_parameters
+ session[:client_id] = @o_auth_application.client_id
+ session[:response_type] = @response_type
+ session[:redirect_uri] = @redirect_uri
+ session[:scopes] = scopes_as_space_seperated_values
+ session[:request_object] = @request_object
+ session[:nonce] = params[:nonce]
+ end
+
+ def scopes_as_space_seperated_values
+ @scopes.map(&:name).join(" ")
+ end
+
+ def process_authorization_consent(approvedString)
+ endpoint = Api::OpenidConnect::AuthorizationPoint::EndpointConfirmationPoint.new(
+ current_user, to_boolean(approvedString))
+ handle_confirmation_endpoint_response(endpoint)
+ end
+
+ def handle_confirmation_endpoint_response(endpoint)
+ _status, header, _response = *endpoint.call(request.env)
+ delete_authorization_session_variables
+ redirect_to header["Location"]
+ end
+
+ def delete_authorization_session_variables
+ session.delete(:client_id)
+ session.delete(:response_type)
+ session.delete(:redirect_uri)
+ session.delete(:scopes)
+ session.delete(:request_object)
+ session.delete(:nonce)
+ end
+
+ def to_boolean(str)
+ str.downcase == "true"
+ end
+
+ def restore_request_parameters
+ req = Rack::Request.new(request.env)
+ req.update_param("client_id", session[:client_id])
+ req.update_param("redirect_uri", session[:redirect_uri])
+ req.update_param("response_type", response_type_as_space_seperated_values)
+ req.update_param("scope", session[:scopes])
+ req.update_param("request_object", session[:request_object])
+ req.update_param("nonce", session[:nonce])
+ end
+
+ def response_type_as_space_seperated_values
+ if session[:response_type].respond_to?(:map)
+ session[:response_type].map(&:to_s).join(" ")
+ else
+ session[:response_type]
+ end
+ end
+ end
+ end
+end
diff --git a/app/controllers/api/openid_connect/clients_controller.rb b/app/controllers/api/openid_connect/clients_controller.rb
new file mode 100644
index 0000000000000000000000000000000000000000..d122a1692096c3fe1ce30d714f1bbfbe7ca05db9
--- /dev/null
+++ b/app/controllers/api/openid_connect/clients_controller.rb
@@ -0,0 +1,37 @@
+module Api
+ module OpenidConnect
+ class ClientsController < ApplicationController
+ rescue_from OpenIDConnect::HttpError do |e|
+ http_error_page_as_json(e)
+ end
+
+ rescue_from OpenIDConnect::ValidationFailed, ActiveRecord::RecordInvalid do |e|
+ validation_fail_as_json(e)
+ end
+
+ def create
+ registrar = OpenIDConnect::Client::Registrar.new(request.url, params)
+ client = Api::OpenidConnect::OAuthApplication.register! registrar
+ render json: client
+ end
+
+ private
+
+ def http_error_page_as_json(e)
+ render json:
+ {
+ error: :invalid_request,
+ error_description: e.message
+ }, status: 400
+ end
+
+ def validation_fail_as_json(e)
+ render json:
+ {
+ error: :invalid_client_metadata,
+ error_description: e.message
+ }, status: 400
+ end
+ end
+ end
+end
diff --git a/app/controllers/api/openid_connect/discovery_controller.rb b/app/controllers/api/openid_connect/discovery_controller.rb
new file mode 100644
index 0000000000000000000000000000000000000000..4d4b56bb595cb332da9ed5057f7428ac108bdfc2
--- /dev/null
+++ b/app/controllers/api/openid_connect/discovery_controller.rb
@@ -0,0 +1,34 @@
+module Api
+ module OpenidConnect
+ class DiscoveryController < ApplicationController
+ def webfinger
+ jrd = {
+ links: [{
+ rel: OpenIDConnect::Discovery::Provider::Issuer::REL_VALUE,
+ href: File.join(root_url, "api", "openid_connect")
+ }]
+ }
+ jrd[:subject] = params[:resource] if params[:resource].present?
+ render json: jrd, content_type: "application/jrd+json"
+ end
+
+ def configuration
+ render json: OpenIDConnect::Discovery::Provider::Config::Response.new(
+ issuer: root_url,
+ registration_endpoint: api_openid_connect_clients_url,
+ authorization_endpoint: new_api_openid_connect_authorization_url,
+ token_endpoint: api_openid_connect_access_tokens_url,
+ userinfo_endpoint: api_v0_user_url,
+ jwks_uri: File.join(root_url, "api", "openid_connect", "jwks.json"),
+ scopes_supported: Api::OpenidConnect::Scope.pluck(:name),
+ response_types_supported: Api::OpenidConnect::OAuthApplication.available_response_types,
+ request_object_signing_alg_values_supported: %i(HS256 HS384 HS512),
+ subject_types_supported: %w(public pairwise),
+ id_token_signing_alg_values_supported: %i(RS256),
+ token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post)
+ # TODO: claims_supported: ["sub", "iss", "name", "email"]
+ )
+ end
+ end
+ end
+end
diff --git a/app/controllers/api/openid_connect/id_tokens_controller.rb b/app/controllers/api/openid_connect/id_tokens_controller.rb
new file mode 100644
index 0000000000000000000000000000000000000000..dae760892a34eb00506c33b4b5e7167cec99d740
--- /dev/null
+++ b/app/controllers/api/openid_connect/id_tokens_controller.rb
@@ -0,0 +1,15 @@
+module Api
+ module OpenidConnect
+ class IdTokensController < ApplicationController
+ def jwks
+ render json: JSON::JWK::Set.new(build_jwk).as_json
+ end
+
+ private
+
+ def build_jwk
+ JSON::JWK.new(Api::OpenidConnect::IdTokenConfig.public_key, use: :sig)
+ end
+ end
+ end
+end
diff --git a/app/controllers/api/v0/base_controller.rb b/app/controllers/api/v0/base_controller.rb
index 15b85151e26c938c03e026cfc14c4ed2955d4b12..edcd178edb0f81ae7660f4226ac017ed0f5cd465 100644
--- a/app/controllers/api/v0/base_controller.rb
+++ b/app/controllers/api/v0/base_controller.rb
@@ -1,7 +1,11 @@
-class Api::V0::BaseController < ApplicationController
- include OpenidConnect::ProtectedResourceEndpoint
+module Api
+ module V0
+ class BaseController < ApplicationController
+ include Api::OpenidConnect::ProtectedResourceEndpoint
- def user
- current_token ? current_token.authorization.user : nil
+ def current_user
+ current_token ? current_token.authorization.user : nil
+ end
+ end
end
end
diff --git a/app/controllers/api/v0/users_controller.rb b/app/controllers/api/v0/users_controller.rb
index 5a96e8d7351fc6623128e90a81c773d55132ff9c..d2cdf9dfbf0c152793fd699a6bda37fc0f15d045 100644
--- a/app/controllers/api/v0/users_controller.rb
+++ b/app/controllers/api/v0/users_controller.rb
@@ -1,9 +1,13 @@
-class Api::V0::UsersController < Api::V0::BaseController
- before_action do
- require_access_token OpenidConnect::Scope.find_by(name: "read")
- end
+module Api
+ module V0
+ class UsersController < Api::V0::BaseController
+ before_action do
+ require_access_token Api::OpenidConnect::Scope.find_by(name: "read")
+ end
- def show
- render json: user
+ def show
+ render json: current_user
+ end
+ end
end
end
diff --git a/app/controllers/openid_connect/authorizations_controller.rb b/app/controllers/openid_connect/authorizations_controller.rb
deleted file mode 100644
index d1e3604dd7d94ada17b6697dc544fae4fc30b22b..0000000000000000000000000000000000000000
--- a/app/controllers/openid_connect/authorizations_controller.rb
+++ /dev/null
@@ -1,91 +0,0 @@
-class OpenidConnect::AuthorizationsController < ApplicationController
- rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e|
- logger.info e.backtrace[0, 10].join("\n")
- render json: {error: e.message || :error, status: e.status}
- end
-
- before_action :authenticate_user!
-
- def new
- request_authorization_consent_form
- end
-
- def create
- restore_request_parameters
- process_authorization_consent(params[:approve])
- end
-
- private
-
- def request_authorization_consent_form # TODO: Add support for prompt params
- if OpenidConnect::Authorization.find_by_client_id_and_user(params[:client_id], current_user)
- process_authorization_consent("true")
- else
- endpoint = OpenidConnect::AuthorizationPoint::EndpointStartPoint.new(current_user)
- handle_start_point_response(endpoint)
- end
- end
-
- def handle_start_point_response(endpoint)
- _status, header, response = *endpoint.call(request.env)
- if response.redirect?
- redirect_to header["Location"]
- else
- save_params_and_render_consent_form(endpoint)
- end
- end
-
- def save_params_and_render_consent_form(endpoint)
- @o_auth_application, @response_type, @redirect_uri, @scopes, @request_object = *[
- endpoint.o_auth_application, endpoint.response_type, endpoint.redirect_uri, endpoint.scopes, endpoint.request_object
- ]
- save_request_parameters
- render :new
- end
-
- def save_request_parameters
- session[:client_id] = @o_auth_application.client_id
- session[:response_type] = @response_type
- session[:redirect_uri] = @redirect_uri
- session[:scopes] = @scopes.map(&:name).join(" ")
- session[:request_object] = @request_object
- session[:nonce] = params[:nonce]
- end
-
- def process_authorization_consent(approvedString)
- endpoint = OpenidConnect::AuthorizationPoint::EndpointConfirmationPoint.new(
- current_user, to_boolean(approvedString))
- handle_confirmation_endpoint_response(endpoint)
- end
-
- def handle_confirmation_endpoint_response(endpoint)
- _status, header, _response = *endpoint.call(request.env)
- delete_authorization_session_variables
- redirect_to header["Location"]
- end
-
- def delete_authorization_session_variables
- session.delete(:client_id)
- session.delete(:response_type)
- session.delete(:redirect_uri)
- session.delete(:scopes)
- session.delete(:request_object)
- session.delete(:nonce)
- end
-
- def to_boolean(str)
- str.downcase == "true"
- end
-
- def restore_request_parameters
- req = Rack::Request.new(request.env)
- req.update_param("client_id", session[:client_id])
- req.update_param("redirect_uri", session[:redirect_uri])
- req.update_param("response_type", session[:response_type].respond_to?(:map) ?
- session[:response_type].map(&:to_s).join(" ") :
- session[:response_type])
- req.update_param("scope", session[:scopes])
- req.update_param("request_object", session[:request_object])
- req.update_param("nonce", session[:nonce])
- end
-end
diff --git a/app/controllers/openid_connect/clients_controller.rb b/app/controllers/openid_connect/clients_controller.rb
deleted file mode 100644
index accbbb7a70fb0d91a74bc02aa197b2f89d836b24..0000000000000000000000000000000000000000
--- a/app/controllers/openid_connect/clients_controller.rb
+++ /dev/null
@@ -1,33 +0,0 @@
-class OpenidConnect::ClientsController < ApplicationController
- rescue_from OpenIDConnect::HttpError do |e|
- http_error_page_as_json(e)
- end
-
- rescue_from OpenIDConnect::ValidationFailed, ActiveRecord::RecordInvalid do |e|
- validation_fail_as_json(e)
- end
-
- def create
- registrar = OpenIDConnect::Client::Registrar.new(request.url, params)
- client = OpenidConnect::OAuthApplication.register! registrar
- render json: client
- end
-
- private
-
- def http_error_page_as_json(e)
- render json:
- {
- error: :invalid_request,
- error_description: e.message
- }, status: 400
- end
-
- def validation_fail_as_json(e)
- render json:
- {
- error: :invalid_client_metadata,
- error_description: e.message
- }, status: 400
- end
-end
diff --git a/app/controllers/openid_connect/discovery_controller.rb b/app/controllers/openid_connect/discovery_controller.rb
deleted file mode 100644
index 8ed066e0659436fd155d79a5ae00759c19e3c23b..0000000000000000000000000000000000000000
--- a/app/controllers/openid_connect/discovery_controller.rb
+++ /dev/null
@@ -1,30 +0,0 @@
-class OpenidConnect::DiscoveryController < ApplicationController
- def webfinger
- jrd = {
- links: [{
- rel: OpenIDConnect::Discovery::Provider::Issuer::REL_VALUE,
- href: File.join(root_url, "openid_connect")
- }]
- }
- jrd[:subject] = params[:resource] if params[:resource].present?
- render json: jrd, content_type: "application/jrd+json"
- end
-
- def configuration
- render json: OpenIDConnect::Discovery::Provider::Config::Response.new(
- issuer: root_url,
- registration_endpoint: openid_connect_clients_url,
- authorization_endpoint: new_openid_connect_authorization_url,
- token_endpoint: openid_connect_access_tokens_url,
- userinfo_endpoint: api_v0_user_url,
- jwks_uri: File.join(root_url, "openid_connect", "jwks.json"),
- scopes_supported: OpenidConnect::Scope.pluck(:name),
- response_types_supported: OpenidConnect::OAuthApplication.available_response_types,
- request_object_signing_alg_values_supported: %i(HS256 HS384 HS512),
- subject_types_supported: %w(public pairwise),
- id_token_signing_alg_values_supported: %i(RS256),
- token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post),
- # TODO: claims_supported: ["sub", "iss", "name", "email"]
- )
- end
-end
diff --git a/app/controllers/openid_connect/id_tokens_controller.rb b/app/controllers/openid_connect/id_tokens_controller.rb
deleted file mode 100644
index 75e0d69b4b5474ddd2e727ee88a8b7af037040d1..0000000000000000000000000000000000000000
--- a/app/controllers/openid_connect/id_tokens_controller.rb
+++ /dev/null
@@ -1,5 +0,0 @@
-class OpenidConnect::IdTokensController < ApplicationController
- def jwks
- render json: JSON::JWK::Set.new(JSON::JWK.new(OpenidConnect::IdTokenConfig.public_key, use: :sig)).as_json
- end
-end
diff --git a/app/models/api/openid_connect/authorization.rb b/app/models/api/openid_connect/authorization.rb
new file mode 100644
index 0000000000000000000000000000000000000000..88a511fbe4e2d1b5b4b84f03849f5b70dd749278
--- /dev/null
+++ b/app/models/api/openid_connect/authorization.rb
@@ -0,0 +1,50 @@
+module Api
+ module OpenidConnect
+ class Authorization < ActiveRecord::Base
+ belongs_to :user
+ belongs_to :o_auth_application
+
+ validates :user, presence: true
+ validates :o_auth_application, presence: true
+ validates :user, uniqueness: {scope: :o_auth_application}
+
+ has_many :authorization_scopes
+ has_many :scopes, through: :authorization_scopes
+ has_many :o_auth_access_tokens, dependent: :destroy
+ has_many :id_tokens, dependent: :destroy
+
+ before_validation :setup, on: :create
+
+ def setup
+ self.refresh_token = SecureRandom.hex(32)
+ end
+
+ def accessible?(required_scopes=nil)
+ Array(required_scopes).all? do |required_scope|
+ scopes.include? required_scope
+ end
+ end
+
+ def create_access_token
+ o_auth_access_tokens.create!.bearer_token
+ # TODO: Add support for request object
+ end
+
+ def create_id_token(nonce)
+ id_tokens.create!(nonce: nonce)
+ end
+
+ def self.find_by_client_id_and_user(client_id, user)
+ app = Api::OpenidConnect::OAuthApplication.find_by(client_id: client_id)
+ find_by(o_auth_application: app, user: user)
+ end
+
+ def self.find_by_refresh_token(client_id, refresh_token)
+ Api::OpenidConnect::Authorization.joins(:o_auth_application).find_by(
+ o_auth_applications: {client_id: client_id}, refresh_token: refresh_token)
+ end
+
+ # TODO: Consider splitting into subclasses by flow type
+ end
+ end
+end
diff --git a/app/models/api/openid_connect/authorization_scope.rb b/app/models/api/openid_connect/authorization_scope.rb
new file mode 100644
index 0000000000000000000000000000000000000000..fce15b225541a7d637c873b9af2899873e026f8f
--- /dev/null
+++ b/app/models/api/openid_connect/authorization_scope.rb
@@ -0,0 +1,11 @@
+module Api
+ module OpenidConnect
+ class AuthorizationScope < ActiveRecord::Base
+ belongs_to :authorization
+ belongs_to :scope
+
+ validates :authorization, presence: true
+ validates :scope, presence: true
+ end
+ end
+end
diff --git a/app/models/api/openid_connect/id_token.rb b/app/models/api/openid_connect/id_token.rb
new file mode 100644
index 0000000000000000000000000000000000000000..15becc1f8605eeedf76df8cca7a89a563882c525
--- /dev/null
+++ b/app/models/api/openid_connect/id_token.rb
@@ -0,0 +1,42 @@
+module Api
+ module OpenidConnect
+ class IdToken < ActiveRecord::Base
+ belongs_to :authorization
+
+ before_validation :setup, on: :create
+
+ default_scope { where("expires_at >= ?", Time.zone.now.utc) }
+
+ def setup
+ self.expires_at = 30.minutes.from_now
+ end
+
+ def to_jwt(options={})
+ to_response_object(options).to_jwt OpenidConnect::IdTokenConfig.private_key
+ end
+
+ def to_response_object(options={})
+ id_token = OpenIDConnect::ResponseObject::IdToken.new(claims)
+ id_token.code = options[:code] if options[:code]
+ id_token.access_token = options[:access_token] if options[:access_token]
+ id_token
+ end
+
+ def claims
+ @claims ||= {
+ iss: AppConfig.environment.url,
+ # TODO: Convert to proper PPID
+ sub: "#{AppConfig.environment.url}#{authorization.o_auth_application.client_id}#{authorization.user.id}",
+ aud: authorization.o_auth_application.client_id,
+ exp: expires_at.to_i,
+ iat: created_at.to_i,
+ auth_time: authorization.user.current_sign_in_at.to_i,
+ nonce: nonce,
+ acr: 0 # TODO: Adjust ?
+ }
+ end
+
+ # TODO: Add support for request objects
+ end
+ end
+end
diff --git a/app/models/api/openid_connect/o_auth_access_token.rb b/app/models/api/openid_connect/o_auth_access_token.rb
new file mode 100644
index 0000000000000000000000000000000000000000..a62b72ad96d57ca3dd274162c70d9d0e4f83417b
--- /dev/null
+++ b/app/models/api/openid_connect/o_auth_access_token.rb
@@ -0,0 +1,26 @@
+module Api
+ module OpenidConnect
+ class OAuthAccessToken < ActiveRecord::Base
+ belongs_to :authorization
+
+ before_validation :setup, on: :create
+
+ validates :token, presence: true, uniqueness: true
+ validates :authorization, presence: true
+
+ scope :valid, ->(time) { where("expires_at >= ?", time) }
+
+ def setup
+ self.token = SecureRandom.hex(32)
+ self.expires_at = 24.hours.from_now
+ end
+
+ def bearer_token
+ @bearer_token ||= Rack::OAuth2::AccessToken::Bearer.new(
+ access_token: token,
+ expires_in: (expires_at - Time.zone.now.utc).to_i
+ )
+ end
+ end
+ end
+end
diff --git a/app/models/api/openid_connect/o_auth_application.rb b/app/models/api/openid_connect/o_auth_application.rb
new file mode 100644
index 0000000000000000000000000000000000000000..2a97665a23dc43b5b71c9bca9bed0ad2eb7daffb
--- /dev/null
+++ b/app/models/api/openid_connect/o_auth_application.rb
@@ -0,0 +1,60 @@
+module Api
+ module OpenidConnect
+ class OAuthApplication < ActiveRecord::Base
+ has_many :authorizations
+ has_many :user, through: :authorizations
+
+ validates :client_id, presence: true, uniqueness: true
+ validates :client_secret, presence: true
+ validates :client_name, presence: true
+
+ serialize :redirect_uris, JSON
+ serialize :response_types, JSON
+ serialize :grant_types, JSON
+ serialize :contacts, JSON
+
+ before_validation :setup, on: :create
+
+ def setup
+ self.client_id = SecureRandom.hex(16)
+ self.client_secret = SecureRandom.hex(32)
+ self.response_types = []
+ self.grant_types = []
+ self.application_type = "web"
+ self.contacts = []
+ self.logo_uri = ""
+ self.client_uri = ""
+ self.policy_uri = ""
+ self.tos_uri = ""
+ end
+
+ class << self
+ def available_response_types
+ ["id_token", "id_token token"]
+ end
+
+ def register!(registrar)
+ registrar.validate!
+ build_client_application(registrar)
+ end
+
+ private
+
+ def build_client_application(registrar)
+ create! registrar_attributes(registrar)
+ end
+
+ def supported_metadata
+ %i(client_name response_types grant_types application_type
+ contacts logo_uri client_uri policy_uri tos_uri redirect_uris)
+ end
+
+ def registrar_attributes(registrar)
+ supported_metadata.each_with_object({}) do |key, attr|
+ attr[key] = registrar.public_send(key) if registrar.public_send(key)
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/app/models/api/openid_connect/scope.rb b/app/models/api/openid_connect/scope.rb
new file mode 100644
index 0000000000000000000000000000000000000000..7b7d66ac1d362ada0229bbe60b747d4949043704
--- /dev/null
+++ b/app/models/api/openid_connect/scope.rb
@@ -0,0 +1,11 @@
+module Api
+ module OpenidConnect
+ class Scope < ActiveRecord::Base
+ has_many :authorizations, through: :authorization_scopes
+
+ validates :name, presence: true, uniqueness: true
+
+ # TODO: Add constants so scopes can be referenced as OpenidConnect::Scope::Read
+ end
+ end
+end
diff --git a/app/models/openid_connect/authorization.rb b/app/models/openid_connect/authorization.rb
deleted file mode 100644
index 2d9b0f951c52042084e8763b6d67ff4d9b80868a..0000000000000000000000000000000000000000
--- a/app/models/openid_connect/authorization.rb
+++ /dev/null
@@ -1,46 +0,0 @@
-class OpenidConnect::Authorization < ActiveRecord::Base
- belongs_to :user
- belongs_to :o_auth_application
-
- validates :user, presence: true
- validates :o_auth_application, presence: true
- validates :user, uniqueness: {scope: :o_auth_application}
-
- has_many :authorization_scopes
- has_many :scopes, through: :authorization_scopes
- has_many :o_auth_access_tokens, dependent: :destroy
- has_many :id_tokens, dependent: :destroy
-
- before_validation :setup, on: :create
-
- def setup
- self.refresh_token = SecureRandom.hex(32)
- end
-
- def accessible?(required_scopes=nil)
- Array(required_scopes).all? do |required_scope|
- scopes.include? required_scope
- end
- end
-
- def create_access_token
- o_auth_access_tokens.create!.bearer_token
- # TODO: Add support for request object
- end
-
- def create_id_token(nonce)
- id_tokens.create!(nonce: nonce)
- end
-
- def self.find_by_client_id_and_user(client_id, user)
- app = OpenidConnect::OAuthApplication.find_by(client_id: client_id)
- find_by(o_auth_application: app, user: user)
- end
-
- def self.find_by_refresh_token(client_id, refresh_token)
- OpenidConnect::Authorization.joins(:o_auth_application).where(
- o_auth_applications: {client_id: client_id}, refresh_token: refresh_token).first
- end
-
- # TODO: Consider splitting into subclasses by flow type
-end
diff --git a/app/models/openid_connect/authorization_scope.rb b/app/models/openid_connect/authorization_scope.rb
deleted file mode 100644
index 30e1602815d4b795072b3cb06016e44f69780b4f..0000000000000000000000000000000000000000
--- a/app/models/openid_connect/authorization_scope.rb
+++ /dev/null
@@ -1,7 +0,0 @@
-class OpenidConnect::AuthorizationScope < ActiveRecord::Base
- belongs_to :authorization
- belongs_to :scope
-
- validates :authorization, presence: true
- validates :scope, presence: true
-end
diff --git a/app/models/openid_connect/id_token.rb b/app/models/openid_connect/id_token.rb
deleted file mode 100644
index fe2cd252e303f5d18fe2f60b44ee18b556bd8359..0000000000000000000000000000000000000000
--- a/app/models/openid_connect/id_token.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-class OpenidConnect::IdToken < ActiveRecord::Base
- belongs_to :authorization
-
- before_validation :setup, on: :create
-
- default_scope -> { where("expires_at >= ?", Time.now.utc) }
-
- def setup
- self.expires_at = 30.minutes.from_now
- end
-
- def to_jwt(options={})
- to_response_object(options).to_jwt OpenidConnect::IdTokenConfig.private_key
- end
-
- def to_response_object(options={})
- id_token = OpenIDConnect::ResponseObject::IdToken.new(claims)
- id_token.code = options[:code] if options[:code]
- id_token.access_token = options[:access_token] if options[:access_token]
- id_token
- end
-
- def claims
- @claims ||= {
- iss: AppConfig.environment.url,
- # TODO: Convert to proper PPID
- sub: "#{AppConfig.environment.url}#{authorization.o_auth_application.client_id}#{authorization.user.id}",
- aud: authorization.o_auth_application.client_id,
- exp: expires_at.to_i,
- iat: created_at.to_i,
- auth_time: authorization.user.current_sign_in_at.to_i,
- nonce: nonce,
- acr: 0 # TODO: Adjust ?
- }
- end
-
- # TODO: Add support for request objects
-end
diff --git a/app/models/openid_connect/o_auth_access_token.rb b/app/models/openid_connect/o_auth_access_token.rb
deleted file mode 100644
index 6374e968efd70437cfdbb5fcff94f1516ef6913e..0000000000000000000000000000000000000000
--- a/app/models/openid_connect/o_auth_access_token.rb
+++ /dev/null
@@ -1,22 +0,0 @@
-class OpenidConnect::OAuthAccessToken < ActiveRecord::Base
- belongs_to :authorization
-
- before_validation :setup, on: :create
-
- validates :token, presence: true, uniqueness: true
- validates :authorization, presence: true
-
- scope :valid, ->(time) { where("expires_at >= ?", time) }
-
- def setup
- self.token = SecureRandom.hex(32)
- self.expires_at = 24.hours.from_now
- end
-
- def bearer_token
- @bearer_token ||= Rack::OAuth2::AccessToken::Bearer.new(
- access_token: token,
- expires_in: (expires_at - Time.now.utc).to_i
- )
- end
-end
diff --git a/app/models/openid_connect/o_auth_application.rb b/app/models/openid_connect/o_auth_application.rb
deleted file mode 100644
index c4c1f0aa35b224aadd7d69a8b7845023e779c253..0000000000000000000000000000000000000000
--- a/app/models/openid_connect/o_auth_application.rb
+++ /dev/null
@@ -1,58 +0,0 @@
-class OpenidConnect::OAuthApplication < ActiveRecord::Base
- has_many :authorizations
- has_many :user, through: :authorizations
-
- validates :client_id, presence: true, uniqueness: true
- validates :client_secret, presence: true
- validates :client_name, presence: true
-
- serialize :redirect_uris, JSON
- serialize :response_types, JSON
- serialize :grant_types, JSON
- serialize :contacts, JSON
-
- before_validation :setup, on: :create
-
- def setup
- self.client_id = SecureRandom.hex(16)
- self.client_secret = SecureRandom.hex(32)
- self.response_types = []
- self.grant_types = []
- self.application_type = "web"
- self.contacts = []
- self.logo_uri = ""
- self.client_uri = ""
- self.policy_uri = ""
- self.tos_uri = ""
- end
-
- class << self
- def available_response_types
- ["id_token", "id_token token"]
- end
-
- def register!(registrar)
- registrar.validate!
- build_client_application(registrar)
- end
-
- private
-
- def build_client_application(registrar)
- create! registrar_attributes(registrar)
- end
-
- def supported_metadata
- %i(client_name response_types grant_types application_type
- contacts logo_uri client_uri policy_uri tos_uri redirect_uris)
- end
-
- def registrar_attributes(registrar)
- supported_metadata.each_with_object({}) do |key, attr|
- if registrar.public_send(key)
- attr[key] = registrar.public_send(key)
- end
- end
- end
- end
-end
diff --git a/app/models/openid_connect/scope.rb b/app/models/openid_connect/scope.rb
deleted file mode 100644
index eff4da110b1b389d59260220477467eb18268475..0000000000000000000000000000000000000000
--- a/app/models/openid_connect/scope.rb
+++ /dev/null
@@ -1,7 +0,0 @@
-class OpenidConnect::Scope < ActiveRecord::Base
- has_many :authorizations, through: :authorization_scopes
-
- validates :name, presence: true, uniqueness: true
-
- # TODO: Add constants so scopes can be referenced as OpenidConnect::Scope::Read
-end
diff --git a/app/models/user.rb b/app/models/user.rb
index 9c49271612de9ccf8d93f6a91954b2fd78fa5476..a7b58882c2f1f3c1136ff2f1e1623451f15e8d8d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -76,8 +76,8 @@ class User < ActiveRecord::Base
has_many :reports
- has_many :authorizations, class_name: "OpenidConnect::Authorization"
- has_many :o_auth_applications, through: :authorizations, class_name: "OpenidConnect::OAuthApplication"
+ has_many :authorizations, class_name: "Api::OpenidConnect::Authorization"
+ has_many :o_auth_applications, through: :authorizations, class_name: "Api::OpenidConnect::OAuthApplication"
before_save :guard_unconfirmed_email,
:save_person!
diff --git a/app/views/openid_connect/authorizations/_form.haml b/app/views/api/openid_connect/authorizations/_form.haml
similarity index 71%
rename from app/views/openid_connect/authorizations/_form.haml
rename to app/views/api/openid_connect/authorizations/_form.haml
index 9a72bff90c300e8162c41da4a1a3e8f9c836fb69..0e1662d1208b937920cb8100ba4d3de917e63b6d 100644
--- a/app/views/openid_connect/authorizations/_form.haml
+++ b/app/views/api/openid_connect/authorizations/_form.haml
@@ -1,4 +1,4 @@
-= form_tag openid_connect_authorizations_path, class: action do
+= form_tag api_openid_connect_authorizations_path, class: action do
- if action == :approve
= submit_tag t(".approve")
= hidden_field_tag :approve, true
diff --git a/app/views/openid_connect/authorizations/new.html.haml b/app/views/api/openid_connect/authorizations/new.html.haml
similarity index 67%
rename from app/views/openid_connect/authorizations/new.html.haml
rename to app/views/api/openid_connect/authorizations/new.html.haml
index 9e3b91b8aa19b20c069af260cc5a433f075533c9..8009785ba7481e57dfd01d79cd9f5fde0bd8b7b1 100644
--- a/app/views/openid_connect/authorizations/new.html.haml
+++ b/app/views/api/openid_connect/authorizations/new.html.haml
@@ -10,5 +10,5 @@
%ul
%pre= JSON.pretty_generate @request_object.as_json
-= render 'openid_connect/authorizations/form', action: :approve
-= render 'openid_connect/authorizations/form', action: :deny
+= render 'api/openid_connect/authorizations/form', action: :approve
+= render 'api/openid_connect/authorizations/form', action: :deny
diff --git a/config/application.rb b/config/application.rb
index 7fc97f5cae2d5d19a024dc71514fddcbf1d6ec08..e5d10d0664cc0e5935fc52f35d4975a7c448d43d 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -109,7 +109,7 @@ module Diaspora
config.action_mailer.asset_host = AppConfig.pod_uri.to_s
config.middleware.use Rack::OAuth2::Server::Resource::Bearer, "OpenID Connect" do |req|
- OpenidConnect::OAuthAccessToken.valid(Time.now.utc).find_by(token: req.access_token) || req.invalid_token!
+ Api::OpenidConnect::OAuthAccessToken.valid(Time.zone.now.utc).find_by(token: req.access_token) || req.invalid_token!
end
end
end
diff --git a/config/locales/diaspora/en.yml b/config/locales/diaspora/en.yml
index 113180940abe1aaa913d6bc48fef7b1bdb2067b3..e53b386c3c415f76c2305a9446f72cb2831021df 100644
--- a/config/locales/diaspora/en.yml
+++ b/config/locales/diaspora/en.yml
@@ -881,15 +881,16 @@ en:
Hoping to see you again,
The diaspora* email robot!
- openid_connect:
- authorizations:
- new:
- will_be_redirected: "You will be redirected to"
- with_id_token: "with an id token if approved or an error if denied"
- requested_objects: "Request Objects (Currently not supported)"
- form:
- approve: "Approve"
- deny: "Deny"
+ api:
+ openid_connect:
+ authorizations:
+ new:
+ will_be_redirected: "You will be redirected to"
+ with_id_token: "with an id token if approved or an error if denied"
+ requested_objects: "Request Objects (Currently not supported)"
+ form:
+ approve: "Approve"
+ deny: "Deny"
people:
zero: "No people"
one: "1 person"
diff --git a/config/routes.rb b/config/routes.rb
index e1c9bdf2e4fdec79e6f0b83b61032de627a203ec..a9739b73ad256cda5cbacd01bb8fcff18e4bb6a4 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -233,22 +233,23 @@ Diaspora::Application.routes.draw do
# Startpage
root :to => 'home#show'
- # OpenID Connect & OAuth
- namespace :openid_connect do
- resources :clients, only: :create
- post "access_tokens", to: proc {|env| OpenidConnect::TokenEndpoint.new.call(env) }
-
- # Authorization Servers MUST support the use of the HTTP GET and POST methods at the Authorization Endpoint
- # See http://openid.net/specs/openid-connect-core-1_0.html#AuthResponseValidation
- resources :authorizations, only: %i(new create)
- post "authorizations/new", to: "authorizations#new"
-
- get ".well-known/webfinger", to: "discovery#webfinger"
- get ".well-known/openid-configuration", to: "discovery#configuration"
- get "jwks.json", to: "id_tokens#jwks"
- end
-
api_version(module: "Api::V0", path: {value: "api/v0"}, default: true) do
match "user", to: "users#show", via: %i(get post)
end
+
+ namespace :api do
+ namespace :openid_connect do
+ resources :clients, only: :create
+ post "access_tokens", to: proc {|env| Api::OpenidConnect::TokenEndpoint.new.call(env) }
+
+ # Authorization Servers MUST support the use of the HTTP GET and POST methods at the Authorization Endpoint
+ # See http://openid.net/specs/openid-connect-core-1_0.html#AuthResponseValidation
+ resources :authorizations, only: %i(new create)
+ post "authorizations/new", to: "authorizations#new"
+
+ get ".well-known/webfinger", to: "discovery#webfinger"
+ get ".well-known/openid-configuration", to: "discovery#configuration"
+ get "jwks.json", to: "id_tokens#jwks"
+ end
+ end
end
diff --git a/features/step_definitions/implicit_flow_steps.rb b/features/step_definitions/implicit_flow_steps.rb
index 7c50f31590722d6b4bb7eebb1d003d3659e1fc0f..fad520faaa40293f465f18972fb443018be4185f 100644
--- a/features/step_definitions/implicit_flow_steps.rb
+++ b/features/step_definitions/implicit_flow_steps.rb
@@ -8,11 +8,12 @@ o_auth_query_params = %i(
Given /^I send a post request from that client to the implicit flow authorization endpoint$/ do
client_json = JSON.parse(last_response.body)
- visit new_openid_connect_authorization_path + "?client_id=#{client_json["o_auth_application"]["client_id"]}&#{o_auth_query_params}"
+ visit new_api_openid_connect_authorization_path +
+ "?client_id=#{client_json['o_auth_application']['client_id']}&#{o_auth_query_params}"
end
Given /^I send a post request from that client to the implicit flow authorization endpoint using a invalid client id/ do
- visit new_openid_connect_authorization_path + "?client_id=randomid&#{o_auth_query_params}"
+ visit new_api_openid_connect_authorization_path + "?client_id=randomid&#{o_auth_query_params}"
end
When /^I give my consent and authorize the client$/ do
diff --git a/features/step_definitions/password_flow_steps.rb b/features/step_definitions/password_flow_steps.rb
index 778399a605fadf374355ddfa6221b4101e7bd924..2a68d1082a12151ab8ac4eb9eb07b9bdb0d23e32 100644
--- a/features/step_definitions/password_flow_steps.rb
+++ b/features/step_definitions/password_flow_steps.rb
@@ -1,16 +1,16 @@
Given(/^all scopes exist$/) do
- OpenidConnect::Scope.find_or_create_by(name: "openid")
- OpenidConnect::Scope.find_or_create_by(name: "read")
+ Api::OpenidConnect::Scope.find_or_create_by(name: "openid")
+ Api::OpenidConnect::Scope.find_or_create_by(name: "read")
end
When /^I register a new client$/ do
- post openid_connect_clients_path, redirect_uris: ["http://localhost:3000"], client_name: "diaspora client"
+ post api_openid_connect_clients_path, redirect_uris: ["http://localhost:3000"], client_name: "diaspora client"
end
Given /^I send a post request from that client to the password flow token endpoint using "([^\"]*)"'s credentials$/ do |username|
client_json = JSON.parse(last_response.body)
user = User.find_by(username: username)
- post openid_connect_access_tokens_path, grant_type: "password", username: user.username,
+ post api_openid_connect_access_tokens_path, grant_type: "password", username: user.username,
password: "password", # Password has been hard coded as all test accounts seem to have a password of "password"
client_id: client_json["o_auth_application"]["client_id"],
client_secret: client_json["o_auth_application"]["client_secret"],
@@ -19,7 +19,7 @@ end
Given /^I send a post request from that client to the password flow token endpoint using invalid credentials$/ do
client_json = JSON.parse(last_response.body)
- post openid_connect_access_tokens_path, grant_type: "password", username: "bob", password: "wrongpassword",
+ post api_openid_connect_access_tokens_path, grant_type: "password", username: "bob", password: "wrongpassword",
client_id: client_json["o_auth_application"]["client_id"],
client_secret: client_json["o_auth_application"]["client_secret"],
scope: "read"
diff --git a/lib/api/openid_connect/authorization_point/endpoint.rb b/lib/api/openid_connect/authorization_point/endpoint.rb
new file mode 100644
index 0000000000000000000000000000000000000000..29d010f9188acfc84447326987dcd8528babead9
--- /dev/null
+++ b/lib/api/openid_connect/authorization_point/endpoint.rb
@@ -0,0 +1,58 @@
+module Api
+ module OpenidConnect
+ module AuthorizationPoint
+ class Endpoint
+ attr_accessor :app, :user, :o_auth_application, :redirect_uri, :response_type,
+ :scopes, :_request_, :request_uri, :request_object, :nonce
+ delegate :call, to: :app
+
+ def initialize(current_user)
+ @user = current_user
+ @app = Rack::OAuth2::Server::Authorize.new do |req, res|
+ build_attributes(req, res)
+ if OAuthApplication.available_response_types.include? Array(req.response_type).map(&:to_s).join(" ")
+ handle_response_type(req, res)
+ else
+ req.unsupported_response_type!
+ end
+ end
+ end
+
+ def build_attributes(req, res)
+ build_client(req)
+ build_redirect_uri(req, res)
+ verify_nonce(req, res)
+ build_scopes(req)
+ end
+
+ def handle_response_type(_req, _res)
+ # Implemented by subclass
+ end
+
+ private
+
+ def build_client(req)
+ @o_auth_application = OAuthApplication.find_by_client_id(req.client_id) || req.bad_request!
+ end
+
+ def build_redirect_uri(req, res)
+ res.redirect_uri = @redirect_uri = req.verify_redirect_uri!(@o_auth_application.redirect_uris)
+ end
+
+ def verify_nonce(req, res)
+ req.invalid_request! "nonce required" if res.protocol_params_location == :fragment && req.nonce.blank?
+ end
+
+ def build_scopes(req)
+ @scopes = req.scope.map {|scope_name|
+ OpenidConnect::Scope.where(name: scope_name).first.tap do |scope|
+ req.invalid_scope! "Unknown scope: #{scope}" unless scope
+ end
+ }
+ end
+
+ # TODO: buildResponseType(req)
+ end
+ end
+ end
+end
diff --git a/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb b/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb
new file mode 100644
index 0000000000000000000000000000000000000000..a500b9dccc7746cea7150adbb148639ac3a70cdd
--- /dev/null
+++ b/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb
@@ -0,0 +1,50 @@
+module Api
+ module OpenidConnect
+ module AuthorizationPoint
+ class EndpointConfirmationPoint < Endpoint
+ def initialize(current_user, approved=false)
+ super(current_user)
+ @approved = approved
+ end
+
+ def handle_response_type(req, res)
+ handle_approval(@approved, req, res)
+ end
+
+ def handle_approval(approved, req, res)
+ if approved
+ approved!(req, res)
+ else
+ req.access_denied!
+ end
+ end
+
+ # TODO: Add support for request object and auth code
+ def approved!(req, res)
+ auth = OpenidConnect::Authorization.find_or_create_by(o_auth_application: @o_auth_application, user: @user)
+ auth.scopes << @scopes
+ handle_approved_response_type(auth, req, res)
+ res.approve!
+ end
+
+ def handle_approved_response_type(auth, req, res)
+ response_types = Array(req.response_type)
+ handle_approved_access_token(auth, res, response_types)
+ handle_approved_id_token(auth, req, res, response_types)
+ end
+
+ def handle_approved_access_token(auth, res, response_types)
+ return unless response_types.include?(:token)
+ res.access_token = auth.create_access_token
+ end
+
+ def handle_approved_id_token(auth, req, res, response_types)
+ return unless response_types.include?(:id_token)
+ id_token = auth.create_id_token(req.nonce)
+ access_token_value = res.respond_to?(:access_token) ? res.access_token : nil
+ res.id_token = id_token.to_jwt(code: nil, access_token: access_token_value)
+ end
+ end
+ end
+ end
+end
diff --git a/lib/api/openid_connect/authorization_point/endpoint_start_point.rb b/lib/api/openid_connect/authorization_point/endpoint_start_point.rb
new file mode 100644
index 0000000000000000000000000000000000000000..69667cd0e8115480106d04f81b975b9006b3749c
--- /dev/null
+++ b/lib/api/openid_connect/authorization_point/endpoint_start_point.rb
@@ -0,0 +1,13 @@
+module Api
+ module OpenidConnect
+ module AuthorizationPoint
+ class EndpointStartPoint < Endpoint
+ def handle_response_type(req, _res)
+ @response_type = req.response_type
+ end
+
+ # TODO: buildRequestObject(req)
+ end
+ end
+ end
+end
diff --git a/lib/api/openid_connect/id_token_config.rb b/lib/api/openid_connect/id_token_config.rb
new file mode 100644
index 0000000000000000000000000000000000000000..d046d4b7a28dfda369bcdfd5004e9f30c4c7cc94
--- /dev/null
+++ b/lib/api/openid_connect/id_token_config.rb
@@ -0,0 +1,13 @@
+module Api
+ module OpenidConnect
+ class IdTokenConfig
+ @@key = OpenSSL::PKey::RSA.new(2048)
+ def self.public_key
+ @@key.public_key
+ end
+ def self.private_key
+ @@key
+ end
+ end
+ end
+end
diff --git a/lib/api/openid_connect/protected_resource_endpoint.rb b/lib/api/openid_connect/protected_resource_endpoint.rb
new file mode 100644
index 0000000000000000000000000000000000000000..ca9f82ffefa9b3748152e658ea10909aa3e77681
--- /dev/null
+++ b/lib/api/openid_connect/protected_resource_endpoint.rb
@@ -0,0 +1,15 @@
+module Api
+ module OpenidConnect
+ module ProtectedResourceEndpoint
+ attr_reader :current_token
+
+ def require_access_token(*required_scopes)
+ @current_token = request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
+ raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new("Unauthorized user") unless
+ @current_token && @current_token.authorization
+ raise Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(:insufficient_scope) unless
+ @current_token.authorization.try(:accessible?, required_scopes)
+ end
+ end
+ end
+end
diff --git a/lib/api/openid_connect/token_endpoint.rb b/lib/api/openid_connect/token_endpoint.rb
new file mode 100644
index 0000000000000000000000000000000000000000..eb893743605f285a9fa8f4146798d19828d85fa8
--- /dev/null
+++ b/lib/api/openid_connect/token_endpoint.rb
@@ -0,0 +1,73 @@
+module Api
+ module OpenidConnect
+ class TokenEndpoint
+ attr_accessor :app
+ delegate :call, to: :app
+
+ def initialize
+ @app = Rack::OAuth2::Server::Token.new do |req, res|
+ o_auth_app = retrieve_client(req)
+ if app_valid?(o_auth_app, req)
+ handle_flows(o_auth_app, req, res)
+ else
+ req.invalid_client!
+ end
+ end
+ end
+
+ def handle_flows(o_auth_app, req, res)
+ case req.grant_type
+ when :password
+ handle_password_flow(o_auth_app, req, res)
+ when :refresh_token
+ handle_refresh_flow(req, res)
+ else
+ req.unsupported_grant_type!
+ end
+ end
+
+ def handle_password_flow(o_auth_app, req, res)
+ user = User.find_for_database_authentication(username: req.username)
+ if user
+ if user.valid_password?(req.password)
+ auth = OpenidConnect::Authorization.find_or_create_by(o_auth_application: o_auth_app, user: user)
+ build_auth_and_access_token(auth, req, res)
+ else
+ req.invalid_grant!
+ end
+ else
+ req.invalid_grant! # TODO: Change to user login: Perhaps redirect_to login_path?
+ end
+ end
+
+ def build_auth_and_access_token(auth, req, res)
+ scope_list = req.scope.map { |scope_name|
+ OpenidConnect::Scope.find_by(name: scope_name).tap do |scope|
+ req.invalid_scope! "Unknown scope: #{scope}" unless scope
+ end
+ } # TODO: Check client scope permissions
+ auth.scopes << scope_list
+ res.access_token = auth.create_access_token
+ end
+
+ def handle_refresh_flow(req, res)
+ # Handle as if scope request was omitted even if provided.
+ # See https://tools.ietf.org/html/rfc6749#section-6 for handling
+ auth = Api::OpenidConnect::Authorization.find_by_refresh_token req.client_id, req.refresh_token
+ if auth
+ res.access_token = auth.create_access_token
+ else
+ req.invalid_grant!
+ end
+ end
+
+ def retrieve_client(req)
+ Api::OpenidConnect::OAuthApplication.find_by client_id: req.client_id
+ end
+
+ def app_valid?(o_auth_app, req)
+ o_auth_app.client_secret == req.client_secret
+ end
+ end
+ end
+end
diff --git a/lib/openid_connect/authorization_point/endpoint.rb b/lib/openid_connect/authorization_point/endpoint.rb
deleted file mode 100644
index a65974273bb3a31380011ca6460ec1c09f1c9d04..0000000000000000000000000000000000000000
--- a/lib/openid_connect/authorization_point/endpoint.rb
+++ /dev/null
@@ -1,58 +0,0 @@
-module OpenidConnect
- module AuthorizationPoint
- class Endpoint
- attr_accessor :app, :user, :o_auth_application, :redirect_uri, :response_type,
- :scopes, :_request_, :request_uri, :request_object, :nonce
- delegate :call, to: :app
-
- def initialize(current_user)
- @user = current_user
- @app = Rack::OAuth2::Server::Authorize.new do |req, res|
- build_attributes(req, res)
- if OAuthApplication.available_response_types.include? Array(req.response_type).map(&:to_s).join(" ")
- handle_response_type(req, res)
- else
- req.unsupported_response_type!
- end
- end
- end
-
- def build_attributes(req, res)
- build_client(req)
- build_redirect_uri(req, res)
- verify_nonce(req, res)
- build_scopes(req)
- end
-
- def handle_response_type(_req, _res)
- # Implemented by subclass
- end
-
- private
-
- def build_client(req)
- @o_auth_application = OAuthApplication.find_by_client_id(req.client_id) || req.bad_request!
- end
-
- def build_redirect_uri(req, res)
- res.redirect_uri = @redirect_uri = req.verify_redirect_uri!(@o_auth_application.redirect_uris)
- end
-
- def verify_nonce(req, res)
- if res.protocol_params_location == :fragment && req.nonce.blank?
- req.invalid_request! "nonce required"
- end
- end
-
- def build_scopes(req)
- @scopes = req.scope.map {|scope_name|
- OpenidConnect::Scope.where(name: scope_name).first.tap do |scope|
- req.invalid_scope! "Unknown scope: #{scope}" unless scope
- end
- }
- end
-
- # TODO: buildResponseType(req)
- end
- end
-end
diff --git a/lib/openid_connect/authorization_point/endpoint_confirmation_point.rb b/lib/openid_connect/authorization_point/endpoint_confirmation_point.rb
deleted file mode 100644
index 7a6b83183f04150a8b4c08b9fd186df7774040a8..0000000000000000000000000000000000000000
--- a/lib/openid_connect/authorization_point/endpoint_confirmation_point.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-module OpenidConnect
- module AuthorizationPoint
- class EndpointConfirmationPoint < Endpoint
- def initialize(current_user, approved=false)
- super(current_user)
- @approved = approved
- end
-
- def handle_response_type(req, res)
- handle_approval(@approved, req, res)
- end
-
- def handle_approval(approved, req, res)
- if approved
- approved!(req, res)
- else
- req.access_denied!
- end
- end
-
- # TODO: Add support for request object and auth code
- def approved!(req, res)
- auth = OpenidConnect::Authorization.find_or_create_by(o_auth_application: @o_auth_application, user: @user)
- auth.scopes << @scopes
- response_types = Array(req.response_type)
- if response_types.include?(:token)
- res.access_token = auth.create_access_token
- end
- if response_types.include?(:id_token)
- id_token = auth.create_id_token(req.nonce)
- access_token_value = res.respond_to?(:access_token) ? res.access_token : nil
- res.id_token = id_token.to_jwt(code: nil, access_token: access_token_value)
- end
- res.approve!
- end
- end
- end
-end
diff --git a/lib/openid_connect/authorization_point/endpoint_start_point.rb b/lib/openid_connect/authorization_point/endpoint_start_point.rb
deleted file mode 100644
index 3af4274e79d0428e12cbd36cea754e805e771743..0000000000000000000000000000000000000000
--- a/lib/openid_connect/authorization_point/endpoint_start_point.rb
+++ /dev/null
@@ -1,11 +0,0 @@
-module OpenidConnect
- module AuthorizationPoint
- class EndpointStartPoint < Endpoint
- def handle_response_type(req, _res)
- @response_type = req.response_type
- end
-
- # TODO: buildRequestObject(req)
- end
- end
-end
diff --git a/lib/openid_connect/id_token_config.rb b/lib/openid_connect/id_token_config.rb
deleted file mode 100644
index cac535c037bd3764d4a40a966258bcc38ec6a9d8..0000000000000000000000000000000000000000
--- a/lib/openid_connect/id_token_config.rb
+++ /dev/null
@@ -1,11 +0,0 @@
-module OpenidConnect
- class IdTokenConfig
- @@key = OpenSSL::PKey::RSA.new(2048)
- def self.public_key
- @@key.public_key
- end
- def self.private_key
- @@key
- end
- end
-end
diff --git a/lib/openid_connect/protected_resource_endpoint.rb b/lib/openid_connect/protected_resource_endpoint.rb
deleted file mode 100644
index abc606981054208c2e348c8280198ad936a239de..0000000000000000000000000000000000000000
--- a/lib/openid_connect/protected_resource_endpoint.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-module OpenidConnect
- module ProtectedResourceEndpoint
- attr_reader :current_token
-
- def require_access_token(*required_scopes)
- @current_token = request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
- unless @current_token && @current_token.authorization
- raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new("Unauthorized user")
- end
- unless @current_token.authorization.try(:accessible?, required_scopes)
- raise Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(:insufficient_scope)
- end
- end
- end
-end
diff --git a/lib/openid_connect/token_endpoint.rb b/lib/openid_connect/token_endpoint.rb
deleted file mode 100644
index 53347eba20b000b6e24e7f84fa99a5ee41db18c9..0000000000000000000000000000000000000000
--- a/lib/openid_connect/token_endpoint.rb
+++ /dev/null
@@ -1,67 +0,0 @@
-module OpenidConnect
- class TokenEndpoint
- attr_accessor :app
- delegate :call, to: :app
-
- def initialize
- @app = Rack::OAuth2::Server::Token.new do |req, res|
- o_auth_app = retrieve_client(req)
- if app_valid?(o_auth_app, req)
- handle_flows(o_auth_app, req, res)
- else
- req.invalid_client!
- end
- end
- end
-
- def handle_flows(o_auth_app, req, res)
- case req.grant_type
- when :password
- handle_password_flow(o_auth_app, req, res)
- when :refresh_token
- handle_refresh_flow(req, res)
- else
- req.unsupported_grant_type!
- end
- end
-
- def handle_password_flow(o_auth_app, req, res)
- user = User.find_for_database_authentication(username: req.username)
- if user
- if user.valid_password?(req.password)
- scope_list = req.scope.map { |scope_name|
- OpenidConnect::Scope.find_by(name: scope_name).tap do |scope|
- req.invalid_scope! "Unknown scope: #{scope}" unless scope
- end
- } # TODO: Check client scope permissions
- auth = OpenidConnect::Authorization.find_or_create_by(o_auth_application: o_auth_app, user: user)
- auth.scopes << scope_list
- res.access_token = auth.create_access_token
- else
- req.invalid_grant!
- end
- else
- req.invalid_grant! # TODO: Change to user login: Perhaps redirect_to login_path?
- end
- end
-
- def handle_refresh_flow(req, res)
- # Handle as if scope request was omitted even if provided.
- # See https://tools.ietf.org/html/rfc6749#section-6 for handling
- auth = OpenidConnect::Authorization.find_by_refresh_token req.client_id, req.refresh_token
- if auth
- res.access_token = auth.create_access_token
- else
- req.invalid_grant!
- end
- end
-
- def retrieve_client(req)
- OpenidConnect::OAuthApplication.find_by client_id: req.client_id
- end
-
- def app_valid?(o_auth_app, req)
- o_auth_app.client_secret == req.client_secret
- end
- end
-end
diff --git a/spec/controllers/openid_connect/authorizations_controller_spec.rb b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
similarity index 91%
rename from spec/controllers/openid_connect/authorizations_controller_spec.rb
rename to spec/controllers/api/openid_connect/authorizations_controller_spec.rb
index e19b80e21fe81cc09be8c5dc2582f421a3111799..9719f9015891a5d68d9f767127347e23932f8ff6 100644
--- a/spec/controllers/openid_connect/authorizations_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
@@ -1,12 +1,12 @@
require "spec_helper"
-describe OpenidConnect::AuthorizationsController, type: :controller do
+describe Api::OpenidConnect::AuthorizationsController, type: :controller do
let!(:client) do
- OpenidConnect::OAuthApplication.create!(
+ Api::OpenidConnect::OAuthApplication.create!(
client_name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/"])
end
let!(:client_with_multiple_redirects) do
- OpenidConnect::OAuthApplication.create!(
+ Api::OpenidConnect::OAuthApplication.create!(
client_name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/", "http://localhost/"])
end
@@ -15,7 +15,7 @@ describe OpenidConnect::AuthorizationsController, type: :controller do
before do
sign_in :user, alice
allow(@controller).to receive(:current_user).and_return(alice)
- OpenidConnect::Scope.create!(name: "openid")
+ Api::OpenidConnect::Scope.create!(name: "openid")
end
describe "#new" do
@@ -94,7 +94,7 @@ describe OpenidConnect::AuthorizationsController, type: :controller do
end
end
context "when already authorized" do
- let!(:auth) { OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice) }
+ let!(:auth) { Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice) }
context "when valid parameters are passed" do
before do
@@ -106,9 +106,9 @@ describe OpenidConnect::AuthorizationsController, type: :controller do
expect(response.location).to have_content("id_token=")
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig.public_key
expect(decoded_token.nonce).to eq("4130930983")
- expect(decoded_token.exp).to be > Time.now.utc.to_i
+ expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
end
it "should return the passed in state" do
@@ -133,15 +133,15 @@ describe OpenidConnect::AuthorizationsController, type: :controller do
it "should return the id token in a fragment" do
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig.public_key
expect(decoded_token.nonce).to eq("4180930983")
- expect(decoded_token.exp).to be > Time.now.utc.to_i
+ expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
end
it "should return a valid access token in a fragment" do
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig.public_key
access_token = response.location[/(?<=access_token=)[^&]+/]
access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
expect(decoded_token.at_hash).to eq(access_token_check_num)
@@ -164,9 +164,9 @@ describe OpenidConnect::AuthorizationsController, type: :controller do
expect(response.location).to have_content("id_token=")
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig.public_key
expect(decoded_token.nonce).to eq("4180930983")
- expect(decoded_token.exp).to be > Time.now.utc.to_i
+ expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
end
it "should return the passed in state" do
diff --git a/spec/controllers/openid_connect/clients_controller_spec.rb b/spec/controllers/api/openid_connect/clients_controller_spec.rb
similarity index 96%
rename from spec/controllers/openid_connect/clients_controller_spec.rb
rename to spec/controllers/api/openid_connect/clients_controller_spec.rb
index 2bd3cbca49c3877f5adec6e03268cdef0c0a8401..5326fa32df9d2a0e0de35ad3159b5b3f3c05d08e 100644
--- a/spec/controllers/openid_connect/clients_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/clients_controller_spec.rb
@@ -1,6 +1,6 @@
require "spec_helper"
-describe OpenidConnect::ClientsController, type: :controller do
+describe Api::OpenidConnect::ClientsController, type: :controller do
describe "#create" do
context "when valid parameters are passed" do
it "should return a client id" do
diff --git a/spec/controllers/openid_connect/discovery_controller_spec.rb b/spec/controllers/api/openid_connect/discovery_controller_spec.rb
similarity index 87%
rename from spec/controllers/openid_connect/discovery_controller_spec.rb
rename to spec/controllers/api/openid_connect/discovery_controller_spec.rb
index 6a30d9c327d286c3710f4c2c9381595291441606..f71126462a6e60e5ca8580c5090e0776ce6c47e1 100644
--- a/spec/controllers/openid_connect/discovery_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/discovery_controller_spec.rb
@@ -1,6 +1,6 @@
require "spec_helper"
-describe OpenidConnect::DiscoveryController, type: :controller do
+describe Api::OpenidConnect::DiscoveryController, type: :controller do
describe "#webfinger" do
before do
get :webfinger, resource: "http://test.host/bob"
@@ -8,7 +8,7 @@ describe OpenidConnect::DiscoveryController, type: :controller do
it "should return a url to the openid-configuration" do
json_body = JSON.parse(response.body)
- expect(json_body["links"].first["href"]).to eq("http://test.host/openid_connect")
+ expect(json_body["links"].first["href"]).to eq("http://test.host/api/openid_connect")
end
it "should return the resource in the subject" do
diff --git a/spec/controllers/openid_connect/id_tokens_controller_spec.rb b/spec/controllers/api/openid_connect/id_tokens_controller_spec.rb
similarity index 70%
rename from spec/controllers/openid_connect/id_tokens_controller_spec.rb
rename to spec/controllers/api/openid_connect/id_tokens_controller_spec.rb
index 1e9e3548b286428a571dedfe7d6029c57da1e781..06930c45b3d3154233a788ab3f9e966f0dcd062d 100644
--- a/spec/controllers/openid_connect/id_tokens_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/id_tokens_controller_spec.rb
@@ -1,6 +1,6 @@
require "spec_helper"
-describe OpenidConnect::IdTokensController, type: :controller do
+describe Api::OpenidConnect::IdTokensController, type: :controller do
describe "#jwks" do
before do
get :jwks
@@ -13,7 +13,7 @@ describe OpenidConnect::IdTokensController, type: :controller do
JSON::JWK.decode jwk
end
public_key = public_keys.first
- expect(OpenidConnect::IdTokenConfig.private_key.public_key.to_s).to eq(public_key.to_s)
+ expect(Api::OpenidConnect::IdTokenConfig.private_key.public_key.to_s).to eq(public_key.to_s)
end
end
end
diff --git a/spec/integration/api/users_controller_spec.rb b/spec/integration/api/users_controller_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..53f9b46070d6e071ac1b43eb0a5084983b90e03c
--- /dev/null
+++ b/spec/integration/api/users_controller_spec.rb
@@ -0,0 +1,27 @@
+require "spec_helper"
+
+describe Api::V0::UsersController do
+ # TODO: Replace with factory
+ let!(:client) do
+ Api::OpenidConnect::OAuthApplication.create!(
+ client_name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/"])
+ end
+ let(:auth_with_read) do
+ auth = Api::OpenidConnect::Authorization.create!(o_auth_application: client, user: alice)
+ auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
+ auth
+ end
+ let!(:access_token_with_read) { auth_with_read.create_access_token.to_s }
+
+ describe "#show" do
+ before do
+ get api_v0_user_path, access_token: access_token_with_read
+ end
+
+ it "shows the info" do
+ json_body = JSON.parse(response.body)
+ expect(json_body["username"]).to eq(alice.username)
+ expect(json_body["email"]).to eq(alice.email)
+ end
+ end
+end
diff --git a/spec/lib/openid_connect/protected_resource_endpoint_spec.rb b/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
similarity index 86%
rename from spec/lib/openid_connect/protected_resource_endpoint_spec.rb
rename to spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
index cd344c3a9c95e0525245b903b6cf233d2035eaaf..f3933a5ee873059863b5e16aa4401f28e3143735 100644
--- a/spec/lib/openid_connect/protected_resource_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
@@ -1,14 +1,14 @@
require "spec_helper"
-describe OpenidConnect::ProtectedResourceEndpoint, type: :request do
+describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
# TODO: Replace with factory
let!(:client) do
- OpenidConnect::OAuthApplication.create!(
+ Api::OpenidConnect::OAuthApplication.create!(
client_name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/"])
end
let(:auth_with_read) do
- auth = OpenidConnect::Authorization.create!(o_auth_application: client, user: alice)
- auth.scopes << [OpenidConnect::Scope.find_or_create_by(name: "read")]
+ auth = Api::OpenidConnect::Authorization.create!(o_auth_application: client, user: alice)
+ auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
auth
end
let!(:access_token_with_read) { auth_with_read.create_access_token.to_s }
@@ -27,12 +27,14 @@ describe OpenidConnect::ProtectedResourceEndpoint, type: :request do
end
context "when no access token is provided" do
- it "should respond with a 401 Unauthorized response" do
+ before do
get api_v0_user_path
+ end
+
+ it "should respond with a 401 Unauthorized response" do
expect(response.status).to be(401)
end
it "should have an auth-scheme value of Bearer" do
- get api_v0_user_path
expect(response.headers["WWW-Authenticate"]).to include("Bearer")
end
end
diff --git a/spec/lib/openid_connect/token_endpoint_spec.rb b/spec/lib/api/openid_connect/token_endpoint_spec.rb
similarity index 71%
rename from spec/lib/openid_connect/token_endpoint_spec.rb
rename to spec/lib/api/openid_connect/token_endpoint_spec.rb
index 7af40fd21621b052bbb6cd116d47be0ebd60d796..21eda5e87eea0732cb3cb2fa46a1fbaeda5f5b85 100644
--- a/spec/lib/openid_connect/token_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/token_endpoint_spec.rb
@@ -1,20 +1,20 @@
require "spec_helper"
-describe OpenidConnect::TokenEndpoint, type: :request do
+describe Api::OpenidConnect::TokenEndpoint, type: :request do
let!(:client) do
- OpenidConnect::OAuthApplication.create!(
+ Api::OpenidConnect::OAuthApplication.create!(
redirect_uris: ["http://localhost"], client_name: "diaspora client")
end
- let(:auth) { OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: bob) }
+ let(:auth) { Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: bob) }
before do
- OpenidConnect::Scope.find_or_create_by(name: "read")
+ Api::OpenidConnect::Scope.find_or_create_by(name: "read")
end
describe "the password grant type" do
context "when the username field is missing" do
it "should return an invalid request error" do
- post openid_connect_access_tokens_path, grant_type: "password", password: "bluepin7",
+ post api_openid_connect_access_tokens_path, grant_type: "password", password: "bluepin7",
client_id: client.client_id, client_secret: client.client_secret, scope: "read"
expect(response.body).to include "'username' required"
end
@@ -22,7 +22,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when the password field is missing" do
it "should return an invalid request error" do
- post openid_connect_access_tokens_path, grant_type: "password", username: "bob",
+ post api_openid_connect_access_tokens_path, grant_type: "password", username: "bob",
client_id: client.client_id, client_secret: client.client_secret, scope: "read"
expect(response.body).to include "'password' required"
end
@@ -30,7 +30,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when the username does not match an existing user" do
it "should return an invalid request error" do
- post openid_connect_access_tokens_path, grant_type: "password", username: "randomnoexist",
+ post api_openid_connect_access_tokens_path, grant_type: "password", username: "randomnoexist",
password: "bluepin7", client_id: client.client_id, client_secret: client.client_secret, scope: "read"
expect(response.body).to include "invalid_grant"
end
@@ -38,7 +38,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when the password is invalid" do
it "should return an invalid request error" do
- post openid_connect_access_tokens_path, grant_type: "password", username: "bob",
+ post api_openid_connect_access_tokens_path, grant_type: "password", username: "bob",
password: "wrongpassword", client_id: client.client_id, client_secret: client.client_secret, scope: "read"
expect(response.body).to include "invalid_grant"
end
@@ -46,7 +46,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when the client_secret doesn't match" do
it "should return an invalid client error" do
- post openid_connect_access_tokens_path, grant_type: "password", username: "bob",
+ post api_openid_connect_access_tokens_path, grant_type: "password", username: "bob",
password: "bluepin7", client_id: client.client_id, client_secret: "client.client_secret", scope: "read"
expect(response.body).to include "invalid_client"
end
@@ -54,7 +54,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when the request is valid" do
it "should return an access token" do
- post openid_connect_access_tokens_path, grant_type: "password", username: "bob",
+ post api_openid_connect_access_tokens_path, grant_type: "password", username: "bob",
password: "bluepin7", client_id: client.client_id, client_secret: client.client_secret, scope: "read"
json = JSON.parse(response.body)
expect(json.keys).to include "expires_in"
@@ -65,16 +65,18 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when there are duplicate fields" do
it "should return an invalid request error" do
- post openid_connect_access_tokens_path, grant_type: "password", username: "bob", password: "bluepin7",
- username: "bob", password: "bluepin6", client_id: client.client_id, client_secret: client.client_secret, scope: "read"
+ post api_openid_connect_access_tokens_path, grant_type: "password", username: "bob", password: "bluepin7",
+ username: "bob", password: "bluepin6", client_id: client.client_id, client_secret: client.client_secret,
+ scope: "read"
expect(response.body).to include "invalid_grant"
end
end
context "when the client is unregistered" do
it "should return an error" do
- post openid_connect_access_tokens_path, grant_type: "password", username: "bob",
- password: "bluepin7", client_id: SecureRandom.hex(16).to_s, client_secret: client.client_secret, scope: "read"
+ post api_openid_connect_access_tokens_path, grant_type: "password", username: "bob",
+ password: "bluepin7", client_id: SecureRandom.hex(16).to_s, client_secret: client.client_secret,
+ scope: "read"
expect(response.body).to include "invalid_client"
end
end
@@ -84,7 +86,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
describe "an unsupported grant type" do
it "should return an unsupported grant type error" do
- post openid_connect_access_tokens_path, grant_type: "noexistgrant", username: "bob",
+ post api_openid_connect_access_tokens_path, grant_type: "noexistgrant", username: "bob",
password: "bluepin7", client_id: client.client_id, client_secret: client.client_secret, scope: "read"
expect(response.body).to include "unsupported_grant_type"
end
@@ -93,7 +95,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
describe "the refresh token flow" do
context "when the refresh token is valid" do
it "should return an access token" do
- post openid_connect_access_tokens_path, grant_type: "refresh_token",
+ post api_openid_connect_access_tokens_path, grant_type: "refresh_token",
client_id: client.client_id, client_secret: client.client_secret, refresh_token: auth.refresh_token
json = JSON.parse(response.body)
expect(response.body).to include "expires_in"
@@ -104,7 +106,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when the refresh token is not valid" do
it "should return an invalid grant error" do
- post openid_connect_access_tokens_path, grant_type: "refresh_token",
+ post api_openid_connect_access_tokens_path, grant_type: "refresh_token",
client_id: client.client_id, client_secret: client.client_secret, refresh_token: "123456"
expect(response.body).to include "invalid_grant"
end
@@ -112,7 +114,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when the client is unregistered" do
it "should return an error" do
- post openid_connect_access_tokens_path, grant_type: "refresh_token", refresh_token: auth.refresh_token,
+ post api_openid_connect_access_tokens_path, grant_type: "refresh_token", refresh_token: auth.refresh_token,
client_id: SecureRandom.hex(16).to_s, client_secret: client.client_secret
expect(response.body).to include "invalid_client"
end
@@ -120,7 +122,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when the refresh_token field is missing" do
it "should return an invalid request error" do
- post openid_connect_access_tokens_path, grant_type: "refresh_token",
+ post api_openid_connect_access_tokens_path, grant_type: "refresh_token",
client_id: client.client_id, client_secret: client.client_secret
expect(response.body).to include "'refresh_token' required"
end
@@ -128,7 +130,7 @@ describe OpenidConnect::TokenEndpoint, type: :request do
context "when the client_secret doesn't match" do
it "should return an invalid client error" do
- post openid_connect_access_tokens_path, grant_type: "refresh_token", refresh_token: auth.refresh_token,
+ post api_openid_connect_access_tokens_path, grant_type: "refresh_token", refresh_token: auth.refresh_token,
client_id: client.client_id, client_secret: "client.client_secret"
expect(response.body).to include "invalid_client"
end