
omniauth-openid-connect's Introduction

This project is no longer maintained. Please see https://github.com/m0n9oose/omniauth_openid_connect for a maintained version.

OmniAuth::OpenIDConnect

OpenID Connect strategy for OmniAuth.

Installation

Add this line to your application's Gemfile:

gem 'omniauth-openid-connect'

And then execute:

$ bundle

Or install it yourself as:

$ gem install omniauth-openid-connect

Usage

Example configuration

config.omniauth :openid_connect, {
  name: :my_provider,
  scope: [:openid, :email, :profile, :address],
  response_type: :code,
  client_options: {
    port: 443,
    scheme: "https",
    host: "myprovider.com",
    identifier: ENV["OP_CLIENT_ID"],
    secret: ENV["OP_SECRET_KEY"],
    redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
  },
}

Configuration details:

  • name is arbitrary; I recommend using the name of your provider. The name option exists because you could be using multiple OpenID Connect providers in a single app.
  • Although response_type is an available option, currently only :code is valid. There are plans to bring in the implicit flow and hybrid flow at some point, but it hasn't come up yet for me. Those flows aren't best practice for server-side web apps anyway and are designed more for native/mobile apps.
  • If you want to generate the state parameter yourself, you can set a Proc object,
    e.g. state: Proc.new { SecureRandom.hex(32) }
  • nonce is optional. If you don't want to pass a "nonce" parameter to the provider, set the send_nonce option to false (default true).
  • Other client authentication methods are supported. If the :client_auth_method option is not specified, :basic is used.
  • To use "OpenID Connect Discovery", set the discovery option to true (default false).
  • With "OpenID Connect Discovery", the provider should generally have a Webfinger endpoint. If the provider does not have a Webfinger endpoint, you can specify the issuer option,
    e.g. issuer: "https://myprovider.com"
    This fetches the configuration from "https://myprovider.com/.well-known/openid-configuration".

For the full lowdown on OpenID Connect, please check out the spec.

Contributing

  1. Fork it ( http://github.com/jjbohn/omniauth-openid-connect/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

omniauth-openid-connect's People

Contributors

hanachin, heironimus, jjbohn, machisuji, marckysharky, mrbean83, nessamurmur, nobodysnightmare


omniauth-openid-connect's Issues

Install gem on Rails 5

After bundle install:

Bundler::GemRequireError: There was an error while trying to load the gem 'omniauth-openid-connect'.
Gem Load Error is: undefined method `alias_method_chain' for Rack::OAuth2::Server::Authorize::Request:Class

Option to disable SSL verification

Omniauth allows the disabling of SSL verification with something like:

:client_options => { :ssl => { :verify => !Rails.env.development? } }

Is there any way to utilize this with the OpenID Connect gem? I attempted to add the ssl key in the client_options hash but it didn't seem to have any effect.

Update openid_connect version and push a release?

There are deprecation warning issues related to the version of openid_connect that is used in the gem. Is there a possibility to update the gemspec to the latest version of openid_connect (0.12) and push a release to avoid these warnings in applications using this gem?

Discovery issues / bug

It looks like the logic here is expecting a discover option but the option is for discovery:
https://github.com/jjbohn/omniauth-openid-connect/blob/master/lib/omniauth/strategies/openid_connect.rb#L129

When I enabled discovery (after updating that logic to discovery) I noticed my issuer was failing to be discovered because it was missing https here as this logic expects a full URI (https://github.com/nov/openid_connect/blob/master/lib/openid_connect/discovery/provider/config/resource.rb#L11):
https://github.com/jjbohn/omniauth-openid-connect/blob/master/lib/omniauth/strategies/openid_connect.rb#L79

When I added the https I noticed it failed here because the decoding expected the issuer to not have a protocol:
https://github.com/jjbohn/omniauth-openid-connect/blob/master/lib/omniauth/strategies/openid_connect.rb#L162

I noticed the readme shows an issuer without the protocol and given the openid configuration data from the discovery doc shows it without the https guessing it should be this way so the bug is probably just in that the discovery logic should append the protocol itself? (https://accounts.google.com/.well-known/openid-configuration)

New to OpenID Connect, sorry for the trouble.

RubyGems project name?

Hi,

As a user of the fork of this project, I find the situation with omniauth-openid-connect vs omniauth_openid_connect very confusing. For someone who’s unaware of the project history it takes a lot of time and effort just to find the right gem, and now there’s also the fork by GitLab (published at RubyGems) and another one (see omniauth/omniauth_openid_connect#101).

I think the original name of the gem is the most obvious one, so maybe @jjbohn you could give the credentials to update it to the people maintaining the most developed fork?

Please refer to the upgraded repository

I've merged the many fixes scattered on many repositories, and I've provided a version that works with the latest environment and specs.

  • OmniAuth2
  • Ruby 3
  • Supports the following: OpenID Connect Core 1.0 the Authorization Code Flow and the Implicit Flow. OpenID Connect RP-Initiated Logout 1.0.

If you agree, please write on the README to direct visitors to the new repository.
https://github.com/netsphere-labs/omniauth-openid-connect/

I'm always looking for developers, contributors. Thanks.

allow multiple redirect_uri

Hello,
is there a way to have multiple "redirect_uri", or allow automatic discovery of redirect_uri?
Best Regards,

422 Unprocessable Entity error retrieving token with `can't verify CSRF authenticity`

During the callback phase, when the strategy is attempting to retrieve the token from the OpenID connect endpoint, I get a big chunk of HTML back and the error code is 422 Unprocessable Entity.

It appears that the POST to /token results in a CSRF token validation failure on the endpoint. This has not happened with other clients.

What could be causing this? Running the latest released version (0.2.3) on a Rails 3 app.

Discovery broken when the Provider returns a set of JWKs

When using discovery, and the response from the Provider is a JSON::JWK::Set, a JSON::JWK::Set::KidNotFound error is raised. Looking through the locals at the point of the error, it seems that the kid is not being passed down at all. It therefore can't find the key in the set to verify the token.

>>  key
=> [{"kid"=>"bkj-VXvyRclrNmDLT7FS8_-8pc6baq5cmLpu7Usv2G8", "kty"=>"RSA", "alg"=>"RS256", "use"=>"sig", "n"=>"kAqMplKg8U_szOGaaHtob9PvuqOpT5P0iRiN_UyecOEslQyT0B2zHoVFojeLp5zQ4qb-jhAspXedUh1y4RSSPyjIDKx4x7GQvceGb2ewJIQXV_My2FVlNeyyPpYM1JlMlDbgKTVy2CiTi75MKd3CF95bFnnskUi48uS78XjNSZhvonMmzVO3_mFw5m3KxoQDhdMKPjZ2kM6x9H9WJ-J06x_lQA3STDnYADdAQA9fk6985AMpjpGakn1RMgVXSTcr3KBLaliWNGa1L0CQRv7B_0euIj78j1gLSZonpXYNVkVFwUy3GTFTtjrobhc-39isjqGadQeAQmj7547WtHaOVQ", "e"=>"AQAB"}]
>>  key.class
=> JSON::JWK::Set
>>  kid
=> nil

Relevant stack trace:

json-jwt (1.6.1) lib/json/jws.rb:116:in `with_jwk_support'
json-jwt (1.6.1) lib/json/jws.rb:88:in `valid?'
json-jwt (1.6.1) lib/json/jws.rb:25:in `verify!'
json-jwt (1.6.1) lib/json/jws.rb:162:in `decode_compact_serialized'
json-jwt (1.6.1) lib/json/jwt.rb:77:in `decode_compact_serialized'
json-jwt (1.6.1) lib/json/jose.rb:39:in `decode'
openid_connect (0.9.2) lib/openid_connect/response_object/id_token.rb:60:in `decode'
omniauth-openid-connect (0.2.3) lib/omniauth/strategies/openid_connect.rb:173:in `decode_id_token'
omniauth-openid-connect (0.2.3) lib/omniauth/strategies/openid_connect.rb:162:in `block in access_token'
omniauth-openid-connect (0.2.3) lib/omniauth/strategies/openid_connect.rb:169:in `access_token'
omniauth-openid-connect (0.2.3) lib/omniauth/strategies/openid_connect.rb:102:in `callback_phase'
omniauth (1.3.1) lib/omniauth/strategy.rb:227:in `callback_call'
omniauth (1.3.1) lib/omniauth/strategy.rb:184:in `call!'
omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.3.1) lib/omniauth/builder.rb:63:in `call'

Getting 401 Unauthorized on callback

I'm getting a 401 Unauthorized during the callback phase and it's not clear why. I'm wondering if I could have something wrong with my configuration or if there's an issue on the provider's side. The line it's failing on is this:

elsif request.params['state'].to_s.empty? || request.params['state'] != stored_state
  return Rack::Response.new(['401 Unauthorized'], 401).finish

I've logged the variables in the if statement and see that state is present but stored_state is empty. Why might this be?

FWIW, here's my configuration:

           :name                    => "my name",
           :scope                   => [:openid, :email],
           :response_type           => :code,
           :client_signing_alg      => :RS512,
           :client_x509_signing_key => <my_certificate_here>,
           :discovery               => true,
           :issuer                  => <my_discovery_issuer>,
           :client_options          =>
           {
             :port         => 443,
             :scheme       => "https",
             :host         => <my_host>,
             :identifier   => <my_client_id>,
             :redirect_uri => <my_redirect_uri>
           }

Is there something I could be missing in my configuration?

Note that this is an integration with a 3rd party, not an established OpenID provider like Google or anything.

Thanks.

404 page gitlab omniauth openid_connect

Hi all,

The latest release of GitLab CE 11.11 is integrated with openid_connect. I followed this page https://docs.gitlab.com/11.11/ce/administration/auth/oidc.html to set up the configuration, and restarted GitLab. I was able to see the OAuth login logo, but if I click it, GitLab gives me a 404 page. Here's the log:

==> /var/log/gitlab/gitlab-rails/production.log <==
Started POST "/users/auth/openid_connect" for 116.230.93.230 at 2019-05-23 05:32:24 +0000
Processing by OmniauthCallbacksController#passthru as HTML
Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 404 Not Found in 9ms (Views: 0.2ms | ActiveRecord: 0.0ms)

==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"POST","path":"/users/auth/openid_connect","format":"html","controller":"OmniauthCallbacksController","action":"passthru","status":404,"duration":9.78,"view":0.2,"db":0.0,"time":"2019-05-23T05:32:24.975Z","params":[{"key":"_method","value":"post"},{"key":"authenticity_token","value":"[FILTERED]"}],"remote_ip":"116.230.93.230","user_id":null,"username":null,"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36","queue_duration":null,"correlation_id":"Y3Ln4ODRpw6"}

I'm new to Ruby and Gem. Does anyone know how to fix it?

Thanks in advance.

google doesn't accept nonce

When trying to login via google:

Error: invalid_request
Parameter not allowed for this message type: nonce

Seems like nonce should be removed or at least made optional via config

Can't get working in GitLab-CE

Don't know if it's a GitLab problem or an omniauth-openid-connect problem, but I wasn't able to get it working, despite being able to get two other omniauth providers working on GitLab-CE just fine (github, google_oauth2), so I can't assume it's a GitLab problem. Also, it's rather difficult to tell where the problem is.

Anyway, posting it here just in case:

https://gitlab.com/gitlab-org/gitlab-ce/issues/3019

Brief usage instructions?

I'd love to test this provider but I'm not really sure what bits of configuration are needed for it to work correctly.

Is this enough?

provider :openid_connect

Or do I need some keys or secrets?

Execution Expired inside gem.

Hello, good afternoon,

I have this gem inside multiple of my applications, and recently I have been getting an error in more than one of them. Can you guys help me find out what it can be?

Exception message : execution expired
Culprit : initialize

URL: https://xxxx/users/auth/openid_connect/callback?state=eb5e0f82ec8ca16e31a2f6e37f008312&session_state=0134ce87-c017-44b2-b985-4341cafb6afb&code=8fdb79b9-cdcb-4971-8bfe-7db06d22aad1.0134ce87-c017-44b2-b985-4341cafb6afb.49c0329e-6b0a-4060-81d6-9dcb46909f0a

Exception Stacktrace:

httpclient/session.rb in initialize at line 611
httpclient/session.rb in new at line 611
httpclient/session.rb in create_socket at line 611
httpclient/ssl_socket.rb in create_socket at line 21
httpclient/session.rb in block in connect at line 752
timeout.rb in timeout at line 103
httpclient/session.rb in connect at line 748
httpclient/session.rb in query at line 511
httpclient/session.rb in query at line 177
httpclient.rb in do_get_block at line 1242
httpclient.rb in block in do_request at line 1019
httpclient.rb in protect_keep_alive_disconnected at line 1133
httpclient.rb in do_request at line 1014
httpclient.rb in request at line 856
httpclient.rb in post at line 765
rack/oauth2/client.rb in block in access_token! at line 123
rack/oauth2/client.rb in handle_response at line 143
rack/oauth2/client.rb in access_token! at line 122
omniauth/strategies/openid_connect.rb in access_token at line 205
omniauth/strategies/openid_connect.rb in callback_phase at line 127
omniauth/strategy.rb in callback_call at line 238
omniauth/strategy.rb in call! at line 189
omniauth/strategy.rb in call at line 169
warden/manager.rb in block in call at line 36
warden/manager.rb in catch at line 34
warden/manager.rb in call at line 34
rack/etag.rb in call at line 27
rack/conditional_get.rb in call at line 27
rack/head.rb in call at line 14
rack/session/abstract/id.rb in context at line 277
rack/session/abstract/id.rb in call at line 271
action_dispatch/middleware/cookies.rb in call at line 613
action_dispatch/middleware/callbacks.rb in block in call at line 26
active_support/callbacks.rb in run_callbacks at line 97
action_dispatch/middleware/callbacks.rb in call at line 24
action_dispatch/middleware/debug_exceptions.rb in call at line 59
action_dispatch/middleware/show_exceptions.rb in call at line 31
rails/rack/logger.rb in call_app at line 36
rails/rack/logger.rb in block in call at line 24
active_support/tagged_logging.rb in block in tagged at line 69
active_support/tagged_logging.rb in tagged at line 26
active_support/tagged_logging.rb in tagged at line 69
rails/rack/logger.rb in call at line 24
action_dispatch/middleware/remote_ip.rb in call at line 79
action_dispatch/middleware/request_id.rb in call at line 25
rack/method_override.rb in call at line 24
rack/runtime.rb in call at line 24
active_support/cache/strategy/local_cache_middleware.rb in call at line 27
action_dispatch/middleware/executor.rb in call at line 12
action_dispatch/middleware/static.rb in call at line 125
rack/sendfile.rb in call at line 113
elastic_apm/middleware.rb in call at line 19
rails/engine.rb in call at line 522
puma/configuration.rb in call at line 227
puma/server.rb in handle_request at line 674
puma/server.rb in process_client at line 476
puma/server.rb in block in run at line 334
puma/thread_pool.rb in block in spawn_thread at line 135

Can it be some problem inside my OAuth2 Provider?
Seems kind of strange, because some of the applications using the gem and provider are working perfectly.

Thank you for your time!

UserInfo response subject must be verified

According to the OpenID Connect UserInfo Response spec:

NOTE: Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.
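The check the spec quote above requires, as an added example written for this page (not the gem's own code): the UserInfo claims are only trusted when their sub exactly equals the ID Token's sub, and on a mismatch the app falls back to the ID Token claims alone. The claim hashes and subject values are constructed sample data.

```ruby
# Added example (not the gem's own code): enforce the OpenID Connect rule that the
# UserInfo 'sub' must exactly match the ID Token 'sub' before UserInfo values are used.
class SubjectMismatch < StandardError; end

# Returns the UserInfo claims only when their 'sub' exactly matches the ID Token's
# 'sub'; otherwise raises, so the caller cannot accidentally use the values.
def verified_user_info(id_token_claims, user_info)
  expected = id_token_claims['sub']
  actual   = user_info['sub']
  raise SubjectMismatch, 'ID Token has no sub claim' if expected.nil? || expected.to_s.empty?
  raise SubjectMismatch, 'UserInfo response has no sub claim' if actual.nil?
  # Exact string comparison, as the spec demands: no normalisation, no prefix match.
  unless expected.is_a?(String) && actual.is_a?(String) && expected == actual
    raise SubjectMismatch,
          "UserInfo sub #{actual.inspect} does not match ID Token sub #{expected.inspect}"
  end
  user_info
end

# Builds the profile the application will store. When the UserInfo response fails the
# subject check, only ID Token claims are used; the two sources are never mixed.
# A mismatch is a strong signal of token substitution and is worth logging/alerting on.
def build_profile(id_token_claims, user_info)
  info = verified_user_info(id_token_claims, user_info)
  { 'sub' => info['sub'], 'email' => info['email'], 'name' => info['name'],
    'source' => 'userinfo' }
rescue SubjectMismatch
  { 'sub' => id_token_claims['sub'], 'email' => id_token_claims['email'],
    'name' => id_token_claims['name'], 'source' => 'id_token' }
end

# Constructed sample data (not from any real provider).
ID_TOKEN_CLAIMS = { 'iss' => 'https://myprovider.com', 'sub' => 'user-123',
                    'aud' => 'my-client' }.freeze
GOOD_USER_INFO  = { 'sub' => 'user-123', 'email' => 'alice@example.com',
                    'name' => 'Alice' }.freeze
# Substituted token case: the access token presented to /userinfo belonged to someone else.
BAD_USER_INFO   = { 'sub' => 'user-999', 'email' => 'mallory@example.com',
                    'name' => 'Mallory' }.freeze

if __FILE__ == $PROGRAM_NAME
  p build_profile(ID_TOKEN_CLAIMS, GOOD_USER_INFO)
  p build_profile(ID_TOKEN_CLAIMS, BAD_USER_INFO)
end
```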

Invalid JSON Format

Hello,
When trying to use the gem in my application to authenticate using a third-party OIDC server, I am having an "Invalid JSON Format" error as described in the log output below. I used the gem for two years without any issue and without change to the OIDC server, and all of a sudden I got that message, which is coming at the callback phase to the application.
Could someone help?
Best

Invalid JSON Format
Rails.root: /usr/src/bustickets

json-jwt (1.9.4) lib/json/jose.rb:66:in `rescue in decode'
json-jwt (1.9.4) lib/json/jose.rb:60:in `decode'
/usr/local/rvm/gems/ruby-2.1.1/bundler/gems/openid-connect-xc-5b0df1fd5339/lib/openid_connect/response_object/id_token.rb:60:in `decode'
/usr/local/rvm/gems/ruby-2.1.1/bundler/gems/omniauth-openid-connect-xc-d9d4d6cfd177/lib/omniauth/strategies/openid_connect.rb:174:in `decode_id_token'
/usr/local/rvm/gems/ruby-2.1.1/bundler/gems/omniauth-openid-connect-xc-d9d4d6cfd177/lib/omniauth/strategies/openid_connect.rb:163:in `block in access_token'
/usr/local/rvm/gems/ruby-2.1.1/bundler/gems/omniauth-openid-connect-xc-d9d4d6cfd177/lib/omniauth/strategies/openid_connect.rb:170:in `call'
/usr/local/rvm/gems/ruby-2.1.1/bundler/gems/omniauth-openid-connect-xc-d9d4d6cfd177/lib/omniauth/strategies/openid_connect.rb:170:in `access_token'
/usr/local/rvm/gems/ruby-2.1.1/bundler/gems/omniauth-openid-connect-xc-d9d4d6cfd177/lib/omniauth/strategies/openid_connect.rb:102:in `callback_phase'
omniauth (1.4.2) lib/omniauth/strategy.rb:227:in `callback_call'
omniauth (1.4.2) lib/omniauth/strategy.rb:184:in `call!'
omniauth (1.4.2) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.4.2) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.4.2) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.4.2) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.4.2) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.4.2) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.4.2) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.4.2) lib/omniauth/strategy.rb:186:in `call!'
omniauth (1.4.2) lib/omniauth/strategy.rb:164:in `call'
warden (1.2.6) lib/warden/manager.rb:35:in `block in call'
warden (1.2.6) lib/warden/manager.rb:34:in `catch'
warden (1.2.6) lib/warden/manager.rb:34:in `call'
rack (1.5.5) lib/rack/etag.rb:23:in `call'
rack (1.5.5) lib/rack/conditionalget.rb:25:in `call'
rack (1.5.5) lib/rack/head.rb:11:in `call'
remotipart (1.2.1) lib/remotipart/middleware.rb:27:in `call'
actionpack (4.1.5) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.1.5) lib/action_dispatch/middleware/flash.rb:254:in `call'
rack (1.5.5) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.5.5) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.1.5) lib/action_dispatch/middleware/cookies.rb:560:in `call'
activerecord (4.1.5) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.1.5) lib/active_record/connection_adapters/abstract/connection_pool.rb:621:in `call'
activerecord (4.1.5) lib/active_record/migration.rb:380:in `call'
actionpack (4.1.5) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.1.5) lib/active_support/callbacks.rb:82:in `run_callbacks'
actionpack (4.1.5) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (4.1.5) lib/action_dispatch/middleware/reloader.rb:73:in `call'
actionpack (4.1.5) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
rollbar (2.15.4) lib/rollbar/middleware/rails/rollbar.rb:24:in `block in call'
rollbar (2.15.4) lib/rollbar.rb:145:in `scoped'
rollbar (2.15.4) lib/rollbar/middleware/rails/rollbar.rb:22:in `call'
better_errors (2.1.1) lib/better_errors/middleware.rb:59:in `call'
actionpack (4.1.5) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
rollbar (2.15.4) lib/rollbar/middleware/rails/show_exceptions.rb:22:in `call_with_rollbar'
actionpack (4.1.5) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.1.5) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.1.5) lib/rails/rack/logger.rb:22:in `call'
quiet_assets (1.1.0) lib/quiet_assets.rb:27:in `call_with_quiet_assets'
request_store (1.3.2) lib/request_store/middleware.rb:9:in `call'
actionpack (4.1.5) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.5.5) lib/rack/methodoverride.rb:21:in `call'
rack (1.5.5) lib/rack/runtime.rb:17:in `call'
activesupport (4.1.5) lib/active_support/cache/strategy/local_cache_middleware.rb:26:in `call'
rack (1.5.5) lib/rack/lock.rb:17:in `call'
actionpack (4.1.5) lib/action_dispatch/middleware/static.rb:64:in `call'
rack (1.5.5) lib/rack/sendfile.rb:112:in `call'
railties (4.1.5) lib/rails/engine.rb:514:in `call'
railties (4.1.5) lib/rails/application.rb:144:in `call'
rack (1.5.5) lib/rack/content_length.rb:14:in `call'
thin (1.7.0) lib/thin/connection.rb:86:in `block in pre_process'
thin (1.7.0) lib/thin/connection.rb:84:in `catch'
thin (1.7.0) lib/thin/connection.rb:84:in `pre_process'
thin (1.7.0) lib/thin/connection.rb:53:in `process'
thin (1.7.0) lib/thin/connection.rb:39:in `receive_data'
eventmachine (1.2.1) lib/eventmachine.rb:194:in `run_machine'
eventmachine (1.2.1) lib/eventmachine.rb:194:in `run'
thin (1.7.0) lib/thin/backends/base.rb:73:in `start'
thin (1.7.0) lib/thin/server.rb:162:in `start'
rack (1.5.5) lib/rack/handler/thin.rb:16:in `run'
rack (1.5.5) lib/rack/server.rb:264:in `start'
railties (4.1.5) lib/rails/commands/server.rb:69:in `start'
railties (4.1.5) lib/rails/commands/commands_tasks.rb:81:in `block in server'
railties (4.1.5) lib/rails/commands/commands_tasks.rb:76:in `tap'
railties (4.1.5) lib/rails/commands/commands_tasks.rb:76:in `server'
railties (4.1.5) lib/rails/commands/commands_tasks.rb:40:in `run_command!'
railties (4.1.5) lib/rails/commands.rb:17:in `<top (required)>'
bin/rails:4:in `require'
bin/rails:4:in `<main>'

Verification failed if client signing algorithm is string

While configuring GitLab to use openid-connect for SSO without discovery, the values for Omnibus are provided as YAML. The values from YAML are interpreted in Ruby as strings and not as symbols, but the check in the key_or_secret function is done against symbols, which leads to a verification failure:

** [Raven] Event not sent due to excluded environment: production

JSON::JWS::VerificationFailed (JSON::JWS::VerificationFailed):
  lib/gitlab/middleware/go.rb:16:in `call'

Not working with gitlab!

I added this gem to the gemfile and added this code to config/initializers/devise.rb

config.omniauth :openid_connect, :name => "openid-connect", :identifier => "http://<openid-connect-server>/.well-known/openid-configuration", :client_id =>"gitlab", :client_secret => "gitlab"

and to: app/controllers/omniauth_callbacks_controller.rb

I added:

def openidconnect
  handle_omniauth
end

Similar approach works with other gems (omniauth-*), wonder why this is throwing this error?

Looks like the credentials are not getting passed on. Issue with the gem?

Started GET "/users/auth/openid-connect" for 127.0.0.1 at 2014-03-07 02:28:59 +0530

AttrRequired::AttrMissing ('identifier' required.):
  vendor/bundle/ruby/1.9.1/gems/attr_required-1.0.0/lib/attr_required.rb:59:in `attr_missing!'
  vendor/bundle/ruby/1.9.1/gems/rack-oauth2-1.0.7/lib/rack/oauth2/client.rb:15:in `initialize'
  vendor/bundle/ruby/1.9.1/gems/openid_connect-0.7.3/lib/openid_connect/client.rb:6:in `initialize'
  vendor/bundle/ruby/1.9.1/bundler/gems/omniauth-openid-connect-21f0beac1983/lib/omniauth/strategies/openid_connect.rb:59:in `new'
  vendor/bundle/ruby/1.9.1/bundler/gems/omniauth-openid-connect-21f0beac1983/lib/omniauth/strategies/openid_connect.rb:59:in `client'
  vendor/bundle/ruby/1.9.1/bundler/gems/omniauth-openid-connect-21f0beac1983/lib/omniauth/strategies/openid_connect.rb:89:in `authorize_uri'
  vendor/bundle/ruby/1.9.1/bundler/gems/omniauth-openid-connect-21f0beac1983/lib/omniauth/strategies/openid_connect.rb:63:in `block in request_phase'
  vendor/bundle/ruby/1.9.1/bundler/gems/omniauth-openid-connect-21f0beac1983/lib/omniauth/strategies/openid_connect.rb:63:in `open'
  vendor/bundle/ruby/1.9.1/bundler/gems/omniauth-openid-connect-21f0beac1983/lib/omniauth/strategies/openid_connect.rb:63:in `request_phase'
  vendor/bundle/ruby/1.9.1/gems/omniauth-1.1.4/lib/omniauth/strategy.rb:215:in `request_call'
  vendor/bundle/ruby/1.9.1/gems/omniauth-1.1.4/lib/omniauth/strategy.rb:181:in `call!'
  vendor/bundle/ruby/1.9.1/gems/omniauth-1.1.4/lib/omniauth/strategy.rb:164:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-cors-0.2.9/lib/rack/cors.rb:54:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-attack-2.3.0/lib/rack/attack.rb:63:in `call'
  vendor/bundle/ruby/1.9.1/gems/warden-1.2.3/lib/warden/manager.rb:35:in `block in call'
  vendor/bundle/ruby/1.9.1/gems/warden-1.2.3/lib/warden/manager.rb:34:in `catch'
  vendor/bundle/ruby/1.9.1/gems/warden-1.2.3/lib/warden/manager.rb:34:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/etag.rb:23:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/conditionalget.rb:25:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/head.rb:11:in `call'
  vendor/bundle/ruby/1.9.1/gems/actionpack-4.0.3/lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  vendor/bundle/ruby/1.9.1/gems/actionpack-4.0.3/lib/action_dispatch/middleware/flash.rb:241:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/session/abstract/id.rb:225:in `context'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/session/abstract/id.rb:220:in `call'
  vendor/bundle/ruby/1.9.1/gems/actionpack-4.0.3/lib/action_dispatch/middleware/cookies.rb:486:in `call'
  vendor/bundle/ruby/1.9.1/gems/activerecord-4.0.3/lib/active_record/query_cache.rb:36:in `call'
  vendor/bundle/ruby/1.9.1/gems/activerecord-4.0.3/lib/active_record/connection_adapters/abstract/connection_pool.rb:626:in `call'
  vendor/bundle/ruby/1.9.1/gems/actionpack-4.0.3/lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  vendor/bundle/ruby/1.9.1/gems/activesupport-4.0.3/lib/active_support/callbacks.rb:373:in `_run__3308901117666345589__call__callbacks'
  vendor/bundle/ruby/1.9.1/gems/activesupport-4.0.3/lib/active_support/callbacks.rb:80:in `run_callbacks'
  vendor/bundle/ruby/1.9.1/gems/actionpack-4.0.3/lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  vendor/bundle/ruby/1.9.1/gems/actionpack-4.0.3/lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
  vendor/bundle/ruby/1.9.1/gems/actionpack-4.0.3/lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  vendor/bundle/ruby/1.9.1/gems/actionpack-4.0.3/lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  vendor/bundle/ruby/1.9.1/gems/railties-4.0.3/lib/rails/rack/logger.rb:38:in `call_app'
  vendor/bundle/ruby/1.9.1/gems/railties-4.0.3/lib/rails/rack/logger.rb:20:in `block in call'
  vendor/bundle/ruby/1.9.1/gems/activesupport-4.0.3/lib/active_support/tagged_logging.rb:67:in `block in tagged'
  vendor/bundle/ruby/1.9.1/gems/activesupport-4.0.3/lib/active_support/tagged_logging.rb:25:in `tagged'
  vendor/bundle/ruby/1.9.1/gems/activesupport-4.0.3/lib/active_support/tagged_logging.rb:67:in `tagged'
  vendor/bundle/ruby/1.9.1/gems/railties-4.0.3/lib/rails/rack/logger.rb:20:in `call'
  vendor/bundle/ruby/1.9.1/gems/actionpack-4.0.3/lib/action_dispatch/middleware/request_id.rb:21:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/methodoverride.rb:21:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/runtime.rb:17:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/lock.rb:17:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/sendfile.rb:112:in `call'
  vendor/bundle/ruby/1.9.1/gems/railties-4.0.3/lib/rails/engine.rb:511:in `call'
  vendor/bundle/ruby/1.9.1/gems/railties-4.0.3/lib/rails/application.rb:97:in `call'
  vendor/bundle/ruby/1.9.1/gems/railties-4.0.3/lib/rails/railtie/configurable.rb:30:in `method_missing'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `each'
  vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `call'
  vendor/bundle/ruby/1.9.1/gems/unicorn-4.6.3/lib/unicorn/http_server.rb:552:in `process_client'
  vendor/bundle/ruby/1.9.1/gems/unicorn-worker-killer-0.4.2/lib/unicorn/worker_killer.rb:51:in `process_client'
  vendor/bundle/ruby/1.9.1/gems/unicorn-4.6.3/lib/unicorn/http_server.rb:632:in `worker_loop'
  vendor/bundle/ruby/1.9.1/gems/unicorn-4.6.3/lib/unicorn/http_server.rb:500:in `spawn_missing_workers'
  vendor/bundle/ruby/1.9.1/gems/unicorn-4.6.3/lib/unicorn/http_server.rb:142:in `start'
  vendor/bundle/ruby/1.9.1/gems/unicorn-4.6.3/bin/unicorn_rails:209:in `<top (required)>'
  vendor/bundle/ruby/1.9.1/bin/unicorn_rails:23:in `load'
  vendor/bundle/ruby/1.9.1/bin/unicorn_rails:23:in `<main>'

Update README

Several features have been added but no documentation is available:

  • Nonce is optional
  • You can pass state to the server
  • Discover feature has been implemented
  • id tokens are validated
  • enhanced error messages
  • Support for other client authentication methods

Does not handle errors

So when there is an access denied message from the OpenID Connect provider and the callback looks like this:

/users/auth/openid_connect/callback?error=access_denied&error_description=The%20authorization%20server%20can%20not%20authorize%20the%20resource%20owner.

We get a 500 internal server error.

Release gem

It looks like the version was bumped to 0.2.0 recently but no gem was released. Can we get a new release to rubygems?

Getting nil omniauth response hash

After my callback phase I'm getting just a nil'ed out hash in my controller callback action.

info=#<OmniAuth::AuthHash::InfoHash email=nil first_name=nil gender=nil image=nil last_name=nil name=nil nickname=nil phone=nil urls=#<OmniAuth::AuthHash website=nil>>

Things seem to be "working" other than this - no errors or anything. The omniauth hash does have an id_token and a token but for some reason that doesn't seem to be translating into any real data. Why might this be?

Here's my configuration:

provider :my_provider,
:name => "my_provider",
:scope => [:openid, :eportal],
:response_type => :code,
:client_signing_alg => :RS256,
:client_x509_signing_key => "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
:discovery => true,
:issuer => <issuer_uri>,
:client_options =>
{
:port => 443,
:scheme => "https",
:host => ,
:identifier => ,
:redirect_uri => <my_redirect_uri>,
:secret => <my_secret>
}

Am I missing something that is preventing it from decrypting the id_token to put the data into the omniauth info hash? There seem to be so many configuration options but I haven't been able to find in the documentation the right combination of settings to make this work.

acr_values defined as options but not passed

So I've had to pass acr_values to the OP and although these are defined as options OmniAuth::Strategies::OpenIDConnect class they are never passed to the final authorize URI. I've included them inside lib/omniauth/strategies/openid_connect.rb on line 127 like so:

      def authorize_uri
        client.redirect_uri = client_options.redirect_uri
        opts = {
            response_type: options.response_type,
            scope: options.scope,
            state: new_state,
            nonce: (new_nonce if options.send_nonce),
            hd: options.hd,
            acr_values: options.acr_values # here is the line
        }
        client.authorization_uri(opts.reject{|k,v| v.nil?})
      end

To my understanding this authorize URI should be flexible enough to include any option that could be passed in the authorize_uri not just the acr_values. Was there a reason this wasn't included in this version or am I missing something?

How to merge custom parameter in authorize url

Custom parameter (form: 'login') is being ignored. How to merge my custom parameters to authorize url?

config.omniauth :openid_connect, {
  name: :adfs,
  scope: [:profile],
  response_type: :code,
  discovery: true,
  issuer: Settings.site,
  client_options: {
    host: Settings.site,
    identifier: Settings.client_id,
    secret: Settings.secret,
    redirect_uri: Settings.redirect_uri,
    form: 'login'
  },
}
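Serving both the acr_values post and the custom-parameter question above, an added example in plain Ruby (not the gem's authorize_uri) of a request builder that forwards a declared set of extra parameters and rejects unknown ones instead of silently dropping them; the endpoint, client values and the allowlist itself are assumptions:

```ruby
require "uri"

# Parameters an application may add to the authorization request. acr_values
# and hd are the strategy options discussed above; the others are standard
# OpenID Connect Core 3.1.2.1 request parameters. (Assumed allowlist.)
ALLOWED_EXTRA_PARAMS = %w[acr_values hd prompt max_age login_hint ui_locales display].freeze

# Build the authorization request URL. `extra` holds additional parameters
# such as { acr_values: "urn:..." }. Unknown keys raise instead of being
# ignored, and nil values are removed as in the snippet above, so an option
# that is set always reaches the OP and a misspelt one is caught early.
def build_authorize_uri(endpoint, client_id:, redirect_uri:, scope:, state:, nonce: nil, extra: {})
  extra = extra.transform_keys(&:to_s).compact
  unknown = extra.keys - ALLOWED_EXTRA_PARAMS
  unless unknown.empty?
    raise ArgumentError, "unsupported authorize parameters: #{unknown.join(', ')}"
  end

  params = {
    "response_type" => "code",                               # only the code flow
    "client_id"     => client_id,
    "redirect_uri"  => redirect_uri,
    "scope"         => Array(scope).map(&:to_s).join(" "),
    "state"         => state,                                # kept in the session for the callback check
    "nonce"         => nonce,                                # nil when send_nonce is false
  }.merge(extra).compact

  uri = URI(endpoint)
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

# Parse the query back into a hash, useful for inspecting what is actually sent.
def authorize_params(url)
  URI.decode_www_form(URI(url).query.to_s).to_h
end
```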

Flaky build

See this build for an example of how the builds randomly fail. It's a different job every build.

For posterity:

Using worker: worker-linux-8-1.bb.travis-ci.org:travis-linux-18
git.1
$ git clone --depth=50 git://github.com/jjbohn/omniauth-openid-connect.git jjbohn/omniauth-openid-connect
Cloning into 'jjbohn/omniauth-openid-connect'...
remote: Reusing existing pack: 278, done.
remote: Total 278 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (278/278), 31.21 KiB | 0 bytes/s, done.
Resolving deltas: 100% (106/106), done.
Checking connectivity... done.
$ cd jjbohn/omniauth-openid-connect
git.3
$ git fetch origin +refs/pull/18/merge: 
remote: Counting objects: 12, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 12 (delta 1), reused 0 (delta 0)
Unpacking objects: 100% (12/12), done.
From git://github.com/jjbohn/omniauth-openid-connect
 * branch            refs/pull/18/merge -> FETCH_HEAD
git.4
$ git checkout -qf FETCH_HEAD
rvm.1
$ rvm use 2.0.0 --install --binary --fuzzy
Using /home/travis/.rvm/gems/ruby-2.0.0-p451
$ export BUNDLE_GEMFILE=$PWD/Gemfile
$ ruby --version
ruby 2.0.0p451 (2014-02-24 revision 45167) [x86_64-linux]
$ rvm --version
rvm 1.25.25 (latest-minor) by Wayne E. Seguin <[email protected]>, Michal Papis <[email protected]> [https://rvm.io/]
$ gem --version
2.2.2
$ bundle --version
Bundler version 1.6.2
install
$ bundle install
Fetching gem metadata from https://rubygems.org/.........
Fetching additional metadata from https://rubygems.org/..
Resolving dependencies...
Your bundle is complete!
Use `bundle show [gemname]` to see where a bundled gem is installed.
$ bundle exec rake
/home/travis/.rvm/rubies/ruby-2.0.0-p451/bin/ruby -I"lib:lib/omniauth-openid-connect" -I"/home/travis/.rvm/gems/ruby-2.0.0-p451/gems/rake-10.3.2/lib" "/home/travis/.rvm/gems/ruby-2.0.0-p451/gems/rake-10.3.2/lib/rake/rake_test_loader.rb" "test/lib/omniauth/openid_connect/version_test.rb" "test/lib/omniauth/strategies/openid_connect_test.rb" 
[Coveralls] Set up the SimpleCov formatter.
[Coveralls] Using SimpleCov's default settings.
[Coveralls] Submitting with config:
[Coveralls] Submitting to https://coveralls.io/api/v1
[Coveralls] Job #62.2
[Coveralls] https://coveralls.io/jobs/2117515
Coverage is at 12.5%.
Coverage report sent to Coveralls.
/home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/number_helper.rb:3:in `<module:NumberHelper>': uninitialized constant ActiveSupport::Autoload (NameError)
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/number_helper.rb:2:in `<module:ActiveSupport>'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/number_helper.rb:1:in `<top (required)>'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/core_ext/numeric/conversions.rb:2:in `require'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/core_ext/numeric/conversions.rb:2:in `<top (required)>'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/core_ext/numeric.rb:3:in `require'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/core_ext/numeric.rb:3:in `<top (required)>'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/core_ext.rb:2:in `require'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/core_ext.rb:2:in `block in <top (required)>'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/core_ext.rb:1:in `each'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/activesupport-4.1.1/lib/active_support/core_ext.rb:1:in `<top (required)>'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/swd-0.2.1/lib/swd.rb:4:in `require'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/swd-0.2.1/lib/swd.rb:4:in `<top (required)>'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/openid_connect-0.7.3/lib/openid_connect.rb:3:in `require'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/openid_connect-0.7.3/lib/openid_connect.rb:3:in `<top (required)>'
    from /home/travis/build/jjbohn/omniauth-openid-connect/lib/omniauth/strategies/openid_connect.rb:4:in `require'
    from /home/travis/build/jjbohn/omniauth-openid-connect/lib/omniauth/strategies/openid_connect.rb:4:in `<top (required)>'
    from /home/travis/build/jjbohn/omniauth-openid-connect/lib/omniauth/openid_connect.rb:2:in `require'
    from /home/travis/build/jjbohn/omniauth-openid-connect/lib/omniauth/openid_connect.rb:2:in `<top (required)>'
    from /home/travis/build/jjbohn/omniauth-openid-connect/lib/omniauth-openid-connect.rb:1:in `require'
    from /home/travis/build/jjbohn/omniauth-openid-connect/lib/omniauth-openid-connect.rb:1:in `<top (required)>'
    from /home/travis/build/jjbohn/omniauth-openid-connect/test/test_helper.rb:11:in `require_relative'
    from /home/travis/build/jjbohn/omniauth-openid-connect/test/test_helper.rb:11:in `<top (required)>'
    from /home/travis/build/jjbohn/omniauth-openid-connect/test/lib/omniauth/openid_connect/version_test.rb:1:in `require_relative'
    from /home/travis/build/jjbohn/omniauth-openid-connect/test/lib/omniauth/openid_connect/version_test.rb:1:in `<top (required)>'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/rake-10.3.2/lib/rake/rake_test_loader.rb:15:in `require'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/rake-10.3.2/lib/rake/rake_test_loader.rb:15:in `block in <main>'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/rake-10.3.2/lib/rake/rake_test_loader.rb:4:in `select'
    from /home/travis/.rvm/gems/ruby-2.0.0-p451/gems/rake-10.3.2/lib/rake/rake_test_loader.rb:4:in `<main>'
rake aborted!
Command failed with status (1): [ruby -I"lib:lib/omniauth-openid-connect" -I"/home/travis/.rvm/gems/ruby-2.0.0-p451/gems/rake-10.3.2/lib" "/home/travis/.rvm/gems/ruby-2.0.0-p451/gems/rake-10.3.2/lib/rake/rake_test_loader.rb" "test/lib/omniauth/openid_connect/version_test.rb" "test/lib/omniauth/strategies/openid_connect_test.rb" ]
Tasks: TOP => default => test
(See full trace by running task with --trace)
The command "bundle exec rake" exited with 1.
Done. Your build exited with 1.
