nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Replace user info endpoint with supported claims

Browse source 
The route /api/v0/user/ will now be used as a
non-OIDC route. In other words, the /api/v0/user/
will require the "read" scope while
/api/openid_connect/user_info/ will require the
"openid" scope
This commit is contained in:
theworldbright 2015-07-31 18:02:59 +09:00
parent 2be932ceff
commit d834a1d4d0
11 changed files with 68 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/controllers/api/openid_connect/discovery_controller.rb
View file

@ -25,8 +25,8 @@ module Api
request_object_signing_alg_values_supported: %i(HS256 HS384 HS512),
subject_types_supported: %w(public pairwise),
id_token_signing_alg_values_supported: %i(RS256),
token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post)
# TODO: claims_supported: ["sub", "iss", "name", "email"]
token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post),
claims_supported: %w(sub nickname profile picture zoneinfo)
)
end
end

19
app/controllers/api/openid_connect/user_info_controller.rb Normal file
View file

@ -0,0 +1,19 @@
module Api
module OpenidConnect
class UserInfoController < ApplicationController
include Api::OpenidConnect::ProtectedResourceEndpoint
before_action do
require_access_token Api::OpenidConnect::Scope.find_by(name: "openid")
end
def show
render json: current_user, serializer: UserInfoSerializer
end
def current_user
current_token ? current_token.authorization.user : nil
end
end
end
end

23
app/serializers/user_info_serializer.rb Normal file
View file

@ -0,0 +1,23 @@
class UserInfoSerializer < ActiveModel::Serializer
attributes :sub, :nickname, :profile, :picture, :zoneinfo
def sub
object.diaspora_handle # TODO: Change to proper sub
end
def nickname
object.name
end
def profile
File.join(AppConfig.environment.url, "people", object.guid).to_s
end
def picture
File.join(AppConfig.environment.url, object.image_url).to_s
end
def zoneinfo
object.language
end
end

3
app/serializers/user_serializer.rb
View file

@ -1,3 +0,0 @@
class UserSerializer < ActiveModel::Serializer
attributes :name, :email, :language, :username
end

2
config/routes.rb
View file

@ -250,6 +250,8 @@ Diaspora::Application.routes.draw do
get ".well-known/webfinger", to: "discovery#webfinger"
get ".well-known/openid-configuration", to: "discovery#configuration"
get "jwks.json", to: "id_tokens#jwks"
get "user_info", to: "user_info#show"
end
end
end

2
features/step_definitions/auth_code_steps.rb
View file

@ -28,5 +28,5 @@ end
When /^I parse the tokens and use it obtain user info$/ do
client_json = JSON.parse(last_response.body)
access_token = client_json["access_token"]
get api_v0_user_path, access_token: access_token
get api_openid_connect_user_info_path, access_token: access_token
end

2
features/step_definitions/implicit_flow_steps.rb
View file

@ -33,7 +33,7 @@ end
When /^I parse the bearer tokens and use it to access user info$/ do
access_token = current_url[/(?<=access_token=)[^&]+/]
get api_v0_user_path, access_token: access_token
get api_openid_connect_user_info_path, access_token: access_token
end
Then /^I should see an "([^\"]*)" error$/ do |error_message|

10
features/step_definitions/oidc_common_steps.rb
View file

@ -9,19 +9,19 @@ end
When /^I use received valid bearer tokens to access user info$/ do
access_token_json = JSON.parse(last_response.body)
get api_v0_user_path, access_token: access_token_json["access_token"]
get api_openid_connect_user_info_path, access_token: access_token_json["access_token"]
end
When /^I use invalid bearer tokens to access user info$/ do
get api_v0_user_path, access_token: SecureRandom.hex(32)
get api_openid_connect_user_info_path, access_token: SecureRandom.hex(32)
end
Then /^I should receive "([^\"]*)"'s id, username, and email$/ do |username|
user_info_json = JSON.parse(last_response.body)
user = User.find_by_username(username)
expect(user_info_json["username"]).to have_content(user.username)
expect(user_info_json["language"]).to have_content(user.language)
expect(user_info_json["email"]).to have_content(user.email)
user_profile_url = File.join(AppConfig.environment.url, "people", user.guid).to_s
expect(user_info_json["profile"]).to have_content(user_profile_url)
expect(user_info_json["zoneinfo"]).to have_content(user.language)
end
Then /^I should receive an "([^\"]*)" error$/ do |error_message|

6
spec/controllers/api/openid_connect/authorizations_controller_spec.rb
View file

@ -94,8 +94,10 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
end
end
context "when already authorized" do
let!(:auth) { Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice,
redirect_uri: "http://localhost:3000/") }
let!(:auth) {
Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice,
redirect_uri: "http://localhost:3000/")
}
context "when valid parameters are passed" do
before do

9
spec/integration/api/users_controller_spec.rb
View file

@ -8,20 +8,21 @@ describe Api::V0::UsersController do
end
let(:auth_with_read) do
auth = Api::OpenidConnect::Authorization.create!(o_auth_application: client, user: alice)
auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "openid"),
Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
auth
end
let!(:access_token_with_read) { auth_with_read.create_access_token.to_s }
describe "#show" do
before do
get api_v0_user_path, access_token: access_token_with_read
get api_openid_connect_user_info_path, access_token: access_token_with_read
end
it "shows the info" do
json_body = JSON.parse(response.body)
expect(json_body["username"]).to eq(alice.username)
expect(json_body["email"]).to eq(alice.email)
expect(json_body["nickname"]).to eq(alice.name)
expect(json_body["profile"]).to eq(File.join(AppConfig.environment.url, "people", alice.guid).to_s)
end
end
end

11
spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
View file

@ -8,7 +8,8 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
end
let(:auth_with_read) do
auth = Api::OpenidConnect::Authorization.create!(o_auth_application: client, user: alice)
auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "openid"),
Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
auth
end
let!(:access_token_with_read) { auth_with_read.create_access_token.to_s }
@ -18,7 +19,7 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when valid access token is provided" do
before do
get api_v0_user_path, access_token: access_token_with_read
get api_openid_connect_user_info_path, access_token: access_token_with_read
end
it "includes private in the cache-control header" do
@ -28,7 +29,7 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when no access token is provided" do
before do
get api_v0_user_path
get api_openid_connect_user_info_path
end
it "should respond with a 401 Unauthorized response" do
@ -41,7 +42,7 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when an invalid access token is provided" do
before do
get api_v0_user_path, access_token: invalid_token
get api_openid_connect_user_info_path, access_token: invalid_token
end
it "should respond with a 401 Unauthorized response" do
@ -60,7 +61,7 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when authorization has been destroyed" do
before do
auth_with_read.destroy
get api_v0_user_path, access_token: access_token_with_read
get api_openid_connect_user_info_path, access_token: access_token_with_read
end
it "should respond with a 401 Unauthorized response" do