From e04fcd9f8fc5f36e66bc97261069ed83a76cf235 Mon Sep 17 00:00:00 2001 From: "Peter H. Boling" Date: Sun, 31 Aug 2025 04:01:02 -0600 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=93=9D=20Added=20OIDC=20documentation?= =?UTF-8?q?,=20example,=20and=20spec=20references=20in=20OIDC.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 2 + OIDC.md | 145 +++++++++++ README.md | 1 + docs/OAuth2.html | 2 +- docs/OAuth2/AccessToken.html | 2 +- docs/OAuth2/Authenticator.html | 2 +- docs/OAuth2/Client.html | 2 +- docs/OAuth2/Error.html | 2 +- docs/OAuth2/FilteredAttributes.html | 2 +- .../FilteredAttributes/ClassMethods.html | 2 +- docs/OAuth2/Response.html | 2 +- docs/OAuth2/Strategy.html | 2 +- docs/OAuth2/Strategy/Assertion.html | 2 +- docs/OAuth2/Strategy/AuthCode.html | 2 +- docs/OAuth2/Strategy/Base.html | 2 +- docs/OAuth2/Strategy/ClientCredentials.html | 2 +- docs/OAuth2/Strategy/Implicit.html | 2 +- docs/OAuth2/Strategy/Password.html | 2 +- docs/OAuth2/Version.html | 2 +- docs/_index.html | 49 ++-- docs/file.CHANGELOG.html | 20 +- docs/file.CITATION.html | 2 +- docs/file.CODE_OF_CONDUCT.html | 2 +- docs/file.CONTRIBUTING.html | 2 +- docs/file.FUNDING.html | 2 +- docs/file.LICENSE.html | 2 +- docs/file.OIDC.html | 238 ++++++++++++++++++ docs/file.README.html | 3 +- docs/file.REEK.html | 2 +- docs/file.RUBOCOP.html | 2 +- docs/file.SECURITY.html | 2 +- docs/file.access_token.html | 2 +- docs/file.authenticator.html | 2 +- docs/file.client.html | 2 +- docs/file.error.html | 2 +- docs/file.filtered_attributes.html | 2 +- docs/file.oauth2-2.0.10.gem.html | 2 +- docs/file.oauth2-2.0.11.gem.html | 2 +- docs/file.oauth2-2.0.12.gem.html | 2 +- docs/file.oauth2-2.0.13.gem.html | 2 +- docs/file.oauth2.html | 2 +- docs/file.response.html | 2 +- docs/file.strategy.html | 2 +- docs/file.version.html | 2 +- docs/file_list.html | 49 ++-- docs/index.html | 3 +- docs/top-level-namespace.html | 2 +- oauth2.gemspec | 3 +- 48 files changed, 494 insertions(+), 95 deletions(-) create mode 100644 OIDC.md create mode 100644 docs/file.OIDC.html diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c36d47d..db7a8a3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - avoid bearer tokens in query, - refresh token guidance for public clients, - simplified client definitions) +- document how to implement an OIDC client with this gem in OIDC.md ### Changed ### Deprecated ### Removed @@ -32,6 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [gh660][gh660]- (more) Comprehensive documentation / examples by @pboling - [gh657][gh657] - Updated documentation for org-rename by @pboling - More funding links by @Aboling0 +- Documentation: Added docs/OIDC.md with OIDC 1.0 overview, example, and references ### Changed - Upgrade Code of Conduct to Contributor Covenant 2.1 by @pboling - [gh660][gh660] - Shrink post-install message by 4 lines by @pboling diff --git a/OIDC.md b/OIDC.md new file mode 100644 index 00000000..64c0e91f --- /dev/null +++ b/OIDC.md @@ -0,0 +1,145 @@ +# OpenID Connect (OIDC) with ruby-oauth/oauth2 + +This document complements the OAuth 2.1 notes already present in the repository by focusing on OpenID Connect (OIDC) 1.0 usage patterns when using this gem as an OAuth 2.0 client library. + +Scope of this document +- Audience: Developers building an OAuth 2.0/OIDC Relying Party (RP, aka client) in Ruby. +- Non-goals: This gem does not implement an OIDC Provider (OP, aka Authorization Server); for OP/server see other projects (e.g., doorkeeper + oidc extensions). +- Status: Informational documentation with links to normative specs. The gem intentionally remains protocol-agnostic beyond OAuth 2.0; OIDC specifics (like ID Token validation) must be handled by your application. + +Key concepts refresher +- OAuth 2.0 delegates authorization; it does not define authentication of the end-user. +- OIDC layers an identity layer on top of OAuth 2.0, introducing: + - ID Token: a JWT carrying claims about the authenticated end-user and the authentication event. + - Standardized scopes: openid (mandatory), profile, email, address, phone, offline_access, and others. + - UserInfo endpoint: a protected resource for retrieving user profile claims. + - Discovery and Dynamic Client Registration (optional for providers/clients that support them). + +What this gem provides for OIDC +- All OAuth 2.0 client capabilities required for OIDC flows: building authorization requests, exchanging authorization codes, refreshing tokens, and making authenticated resource requests. +- Transport and parsing conveniences (snaky hash, Faraday integration, error handling, etc.). +- Optional client authentication schemes useful with OIDC deployments: + - basic_auth (default) + - request_body (legacy) + - tls_client_auth (MTLS) + - private_key_jwt (OIDC-compliant when configured per OP requirements) + +What you must add in your app for OIDC +- ID Token validation: This gem surfaces id_token values but does not verify them. Your app should: + 1) Parse the JWT (header, payload, signature) + 2) Fetch the OP JSON Web Key Set (JWKS) from discovery (or configure statically) + 3) Select the correct key by kid (when present) and verify the signature and algorithm + 4) Validate standard claims (iss, aud, exp, iat, nbf, azp, nonce when used, at_hash/c_hash when applicable) + 5) Enforce expected client_id, issuer, and clock skew policies +- Nonce handling for Authorization Code flow with OIDC: generate a cryptographically-random nonce, bind it to the user session before redirect, include it in authorize request, and verify it in the ID Token on return. +- PKCE is best practice and often required by OPs: generate/verifier, send challenge in authorize, send verifier in token request. +- Session/state management: continue to validate state to mitigate CSRF; use exact redirect_uri matching. + +Minimal OIDC Authorization Code example + +```ruby +require "oauth2" +require "jwt" # jwt/ruby-jwt +require "net/http" +require "json" + +client = OAuth2::Client.new( + ENV.fetch("OIDC_CLIENT_ID"), + ENV.fetch("OIDC_CLIENT_SECRET"), + site: ENV.fetch("OIDC_ISSUER"), # e.g. https://accounts.example.com + authorize_url: "/authorize", # or discovered + token_url: "/token", # or discovered +) + +# Step 1: Redirect to OP for consent/auth +state = SecureRandom.hex(16) +nonce = SecureRandom.hex(16) +pkce_verifier = SecureRandom.urlsafe_base64(64) +pkce_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(pkce_verifier)).delete("=") + +authz_url = client.auth_code.authorize_url( + scope: "openid profile email", + state: state, + nonce: nonce, + code_challenge: pkce_challenge, + code_challenge_method: "S256", + redirect_uri: ENV.fetch("OIDC_REDIRECT_URI"), +) +# redirect_to authz_url + +# Step 2: Handle callback +# params[:code], params[:state] +raise "state mismatch" unless params[:state] == state + +token = client.auth_code.get_token( + params[:code], + redirect_uri: ENV.fetch("OIDC_REDIRECT_URI"), + code_verifier: pkce_verifier, +) + +# The token may include: access_token, id_token, refresh_token, etc. +id_token = token.params["id_token"] || token.params[:id_token] + +# Step 3: Validate the ID Token (simplified – add your own checks!) +# Discover keys (example using .well-known) +issuer = ENV.fetch("OIDC_ISSUER") +jwks_uri = JSON.parse(Net::HTTP.get(URI.join(issuer, "/.well-known/openid-configuration"))). + fetch("jwks_uri") +jwks = JSON.parse(Net::HTTP.get(URI(jwks_uri))) +keys = jwks.fetch("keys") + +# Use ruby-jwt JWK loader +jwk_set = JWT::JWK::Set.new(keys.map { |k| JWT::JWK.import(k) }) + +decoded, headers = JWT.decode( + id_token, + nil, + true, + algorithms: ["RS256", "ES256", "PS256"], + jwks: jwk_set, + verify_iss: true, + iss: issuer, + verify_aud: true, + aud: ENV.fetch("OIDC_CLIENT_ID"), +) + +# Verify nonce +raise "nonce mismatch" unless decoded["nonce"] == nonce + +# Optionally: call UserInfo +userinfo = token.get("/userinfo").parsed +``` + +Notes on discovery and registration +- Discovery: Most OPs publish configuration at {issuer}/.well-known/openid-configuration (OIDC Discovery 1.0). From there, resolve authorization_endpoint, token_endpoint, jwks_uri, userinfo_endpoint, etc. +- Dynamic Client Registration: Some OPs allow registering clients programmatically (OIDC Dynamic Client Registration 1.0). This gem does not implement registration; use a plain HTTP client or Faraday and store credentials securely. + +Common pitfalls and tips +- Always request the openid scope when you expect an ID Token. Without it, the OP may behave as vanilla OAuth 2.0. +- Validate ID Token signature and claims before trusting any identity data. Do not rely solely on the presence of an id_token field. +- Prefer Authorization Code + PKCE. Avoid Implicit; it is discouraged in modern guidance and may be disabled by providers. +- Use exact redirect_uri matching, and keep your allow-list short. +- For public clients that use refresh tokens, prefer sender-constrained tokens (DPoP/MTLS) or rotation with one-time-use refresh tokens, per modern best practices. +- When using private_key_jwt, ensure the "aud" (or token_url) and "iss/sub" claims are set per the OP’s rules, and include kid in the JWT header when required so the OP can select the right key. + +Relevant specifications and references +- OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html +- OIDC Core (final): https://openid.net/specs/openid-connect-core-1_0-final.html +- How OIDC works: https://openid.net/developers/how-connect-works/ +- OpenID Connect home: https://openid.net/connect/ +- OIDC Discovery 1.0: https://openid.net/specs/openid-connect-discovery-1_0.html +- OIDC Dynamic Client Registration 1.0: https://openid.net/specs/openid-connect-registration-1_0.html +- OIDC Session Management 1.0: https://openid.net/specs/openid-connect-session-1_0.html +- OIDC RP-Initiated Logout 1.0: https://openid.net/specs/openid-connect-rpinitiated-1_0.html +- OIDC Back-Channel Logout 1.0: https://openid.net/specs/openid-connect-backchannel-1_0.html +- OIDC Front-Channel Logout 1.0: https://openid.net/specs/openid-connect-frontchannel-1_0.html +- Auth0 OIDC overview: https://auth0.com/docs/authenticate/protocols/openid-connect-protocol +- Spring Authorization Server’s list of OAuth2/OIDC specs: https://github.com/spring-projects/spring-authorization-server/wiki/OAuth2-and-OIDC-Specifications + +See also +- README sections on OAuth 2.1 notes and OIDC notes +- Strategy classes under lib/oauth2/strategy for flow helpers +- Specs under spec/oauth2 for concrete usage patterns + +Contributions welcome +- If you discover provider-specific nuances, consider contributing examples or clarifications (without embedding provider-specific hacks into the library). diff --git a/README.md b/README.md index 56365fa0..434f932c 100644 --- a/README.md +++ b/README.md @@ -947,6 +947,7 @@ access = client.get_token({ - If the token response includes an `id_token` (a JWT), this gem surfaces it but does not validate the signature. Use a JWT library and your provider's JWKs to verify it. - For private_key_jwt client authentication, provide `auth_scheme: :private_key_jwt` and ensure your key configuration matches the provider requirements. +- See [OIDC.md](OIDC.md) for a more complete OIDC overview, example, and links to the relevant specifications. ### Debugging diff --git a/docs/OAuth2.html b/docs/OAuth2.html index f147de49..51c9468c 100644 --- a/docs/OAuth2.html +++ b/docs/OAuth2.html @@ -415,7 +415,7 @@

diff --git a/docs/OAuth2/AccessToken.html b/docs/OAuth2/AccessToken.html index 9390625c..48ef159e 100644 --- a/docs/OAuth2/AccessToken.html +++ b/docs/OAuth2/AccessToken.html @@ -3069,7 +3069,7 @@

diff --git a/docs/OAuth2/Authenticator.html b/docs/OAuth2/Authenticator.html index dabcdf70..eb73cedb 100644 --- a/docs/OAuth2/Authenticator.html +++ b/docs/OAuth2/Authenticator.html @@ -883,7 +883,7 @@

diff --git a/docs/OAuth2/Client.html b/docs/OAuth2/Client.html index f7320c23..28ded2f2 100644 --- a/docs/OAuth2/Client.html +++ b/docs/OAuth2/Client.html @@ -2656,7 +2656,7 @@

diff --git a/docs/OAuth2/Error.html b/docs/OAuth2/Error.html index 565b17d6..3b632405 100644 --- a/docs/OAuth2/Error.html +++ b/docs/OAuth2/Error.html @@ -772,7 +772,7 @@

diff --git a/docs/OAuth2/FilteredAttributes.html b/docs/OAuth2/FilteredAttributes.html index 8add3c57..2b49116a 100644 --- a/docs/OAuth2/FilteredAttributes.html +++ b/docs/OAuth2/FilteredAttributes.html @@ -335,7 +335,7 @@

diff --git a/docs/OAuth2/FilteredAttributes/ClassMethods.html b/docs/OAuth2/FilteredAttributes/ClassMethods.html index 53511059..6c7a0789 100644 --- a/docs/OAuth2/FilteredAttributes/ClassMethods.html +++ b/docs/OAuth2/FilteredAttributes/ClassMethods.html @@ -280,7 +280,7 @@

diff --git a/docs/OAuth2/Response.html b/docs/OAuth2/Response.html index a9fb6698..8767f4e8 100644 --- a/docs/OAuth2/Response.html +++ b/docs/OAuth2/Response.html @@ -1619,7 +1619,7 @@

diff --git a/docs/OAuth2/Strategy.html b/docs/OAuth2/Strategy.html index 14eeec5c..d7eb70c9 100644 --- a/docs/OAuth2/Strategy.html +++ b/docs/OAuth2/Strategy.html @@ -107,7 +107,7 @@

Defined Under Namespace

diff --git a/docs/OAuth2/Strategy/Assertion.html b/docs/OAuth2/Strategy/Assertion.html index 76a454a4..bedd89d9 100644 --- a/docs/OAuth2/Strategy/Assertion.html +++ b/docs/OAuth2/Strategy/Assertion.html @@ -481,7 +481,7 @@

diff --git a/docs/OAuth2/Strategy/AuthCode.html b/docs/OAuth2/Strategy/AuthCode.html index 73881c8e..b0ea8617 100644 --- a/docs/OAuth2/Strategy/AuthCode.html +++ b/docs/OAuth2/Strategy/AuthCode.html @@ -483,7 +483,7 @@

diff --git a/docs/OAuth2/Strategy/Base.html b/docs/OAuth2/Strategy/Base.html index ed53e472..f6068df3 100644 --- a/docs/OAuth2/Strategy/Base.html +++ b/docs/OAuth2/Strategy/Base.html @@ -195,7 +195,7 @@

diff --git a/docs/OAuth2/Strategy/ClientCredentials.html b/docs/OAuth2/Strategy/ClientCredentials.html index 140ac362..93baa6ba 100644 --- a/docs/OAuth2/Strategy/ClientCredentials.html +++ b/docs/OAuth2/Strategy/ClientCredentials.html @@ -343,7 +343,7 @@

diff --git a/docs/OAuth2/Strategy/Implicit.html b/docs/OAuth2/Strategy/Implicit.html index 7db5f9e2..59166027 100644 --- a/docs/OAuth2/Strategy/Implicit.html +++ b/docs/OAuth2/Strategy/Implicit.html @@ -420,7 +420,7 @@

diff --git a/docs/OAuth2/Strategy/Password.html b/docs/OAuth2/Strategy/Password.html index 1db42065..bc70cb06 100644 --- a/docs/OAuth2/Strategy/Password.html +++ b/docs/OAuth2/Strategy/Password.html @@ -374,7 +374,7 @@

diff --git a/docs/OAuth2/Version.html b/docs/OAuth2/Version.html index 1fa26949..7e67b8d5 100644 --- a/docs/OAuth2/Version.html +++ b/docs/OAuth2/Version.html @@ -111,7 +111,7 @@

diff --git a/docs/_index.html b/docs/_index.html index 48ac3aaa..a601b39b 100644 --- a/docs/_index.html +++ b/docs/_index.html @@ -75,70 +75,73 @@

File Listing

  • FUNDING
    • -
  • RUBOCOP
    • +
  • OIDC
    • -
  • SECURITY
    • +
  • RUBOCOP
    • -
  • LICENSE
    • +
  • SECURITY
    • -
  • CITATION
    • +
  • LICENSE
    • -
  • oauth2-2.0.10.gem
    • +
  • CITATION
    • -
  • oauth2-2.0.11.gem
    • +
  • oauth2-2.0.10.gem
    • -
  • oauth2-2.0.12.gem
    • +
  • oauth2-2.0.11.gem
    • -
  • oauth2-2.0.13.gem
    • +
  • oauth2-2.0.12.gem
    • -
  • oauth2-2.0.10.gem
    • +
  • oauth2-2.0.13.gem
    • -
  • oauth2-2.0.11.gem
    • +
  • oauth2-2.0.10.gem
    • -
  • oauth2-2.0.12.gem
    • +
  • oauth2-2.0.11.gem
    • -
  • oauth2-2.0.13.gem
    • +
  • oauth2-2.0.12.gem
    • -
  • REEK
    • +
  • oauth2-2.0.13.gem
    • -
  • access_token
    • +
  • REEK
    • -
  • authenticator
    • +
  • access_token
    • -
  • client
    • +
  • authenticator
    • -
  • error
    • +
  • client
    • -
  • filtered_attributes
    • +
  • error
    • -
  • response
    • +
  • filtered_attributes
    • -
  • strategy
    • +
  • response
    • -
  • version
    • +
  • strategy
    • -
  • oauth2
    • +
  • version
    • + + +
  • oauth2
    • @@ -363,7 +366,7 @@

    Namespace Listing A-Z

    diff --git a/docs/file.CHANGELOG.html b/docs/file.CHANGELOG.html index d8e4431a..b2588230 100644 --- a/docs/file.CHANGELOG.html +++ b/docs/file.CHANGELOG.html @@ -74,15 +74,16 @@

    Added

  • implicit/password grants omitted,
  • avoid bearer tokens in query,
  • refresh token guidance for public clients,
    • -
  • simplified client definitions) -

    Changed

    -

    Deprecated

    -

    Removed

    -

    Fixed

    -

    Security

    -
    • +
  • simplified client definitions)
    • +
  • document how to implement an OIDC client with this gem in OIDC.md +

    Changed

    +

    Deprecated

    +

    Removed

    +

    Fixed

    +

    Security

    +

    • @@ -105,7 +106,8 @@

    Added

    gh660- (more) Comprehensive documentation / examples by @pboling
  • gh657 - Updated documentation for org-rename by @pboling
    • -
  • More funding links by @Aboling0 +
  • More funding links by @Aboling0
    • +
  • Documentation: Added docs/OIDC.md with OIDC 1.0 overview, example, and references

    Changed

  • Upgrade Code of Conduct to Contributor Covenant 2.1 by @pboling
    • @@ -1238,7 +1240,7 @@

    diff --git a/docs/file.CITATION.html b/docs/file.CITATION.html index ad98f8f8..9f06c3ac 100644 --- a/docs/file.CITATION.html +++ b/docs/file.CITATION.html @@ -82,7 +82,7 @@ diff --git a/docs/file.CODE_OF_CONDUCT.html b/docs/file.CODE_OF_CONDUCT.html index ed3003e1..1159e835 100644 --- a/docs/file.CODE_OF_CONDUCT.html +++ b/docs/file.CODE_OF_CONDUCT.html @@ -191,7 +191,7 @@

    Attribution

    diff --git a/docs/file.CONTRIBUTING.html b/docs/file.CONTRIBUTING.html index 4978c12c..65b15b25 100644 --- a/docs/file.CONTRIBUTING.html +++ b/docs/file.CONTRIBUTING.html @@ -274,7 +274,7 @@

    Manual process

    diff --git a/docs/file.FUNDING.html b/docs/file.FUNDING.html index 0d4904a8..c0ddd2e1 100644 --- a/docs/file.FUNDING.html +++ b/docs/file.FUNDING.html @@ -104,7 +104,7 @@

    Another Way to Support Open diff --git a/docs/file.LICENSE.html b/docs/file.LICENSE.html index d1165879..d9829657 100644 --- a/docs/file.LICENSE.html +++ b/docs/file.LICENSE.html @@ -60,7 +60,7 @@
    MIT License

    Copyright (c) 2017-2025 Peter H. Boling, of Galtzo.com, and oauth2 contributors
    Copyright (c) 2011-2013 Michael Bleigh and Intridea, Inc.

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE.
    diff --git a/docs/file.OIDC.html b/docs/file.OIDC.html new file mode 100644 index 00000000..60f2e974 --- /dev/null +++ b/docs/file.OIDC.html @@ -0,0 +1,238 @@ + + + + + + + File: OIDC + + — Documentation by YARD 0.9.37 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    OpenID Connect (OIDC) with ruby-oauth/oauth2

    + +

    This document complements the OAuth 2.1 notes already present in the repository by focusing on OpenID Connect (OIDC) 1.0 usage patterns when using this gem as an OAuth 2.0 client library.

    + +

    Scope of this document

    +
      +
    • Audience: Developers building an OAuth 2.0/OIDC Relying Party (RP, aka client) in Ruby.
      • +
    • Non-goals: This gem does not implement an OIDC Provider (OP, aka Authorization Server); for OP/server see other projects (e.g., doorkeeper + oidc extensions).
      • +
    • Status: Informational documentation with links to normative specs. The gem intentionally remains protocol-agnostic beyond OAuth 2.0; OIDC specifics (like ID Token validation) must be handled by your application.
      • +
    + +

    Key concepts refresher

    +
      +
    • OAuth 2.0 delegates authorization; it does not define authentication of the end-user.
      • +
    • OIDC layers an identity layer on top of OAuth 2.0, introducing: +
        +
      • ID Token: a JWT carrying claims about the authenticated end-user and the authentication event.
        • +
      • Standardized scopes: openid (mandatory), profile, email, address, phone, offline_access, and others.
        • +
      • UserInfo endpoint: a protected resource for retrieving user profile claims.
        • +
      • Discovery and Dynamic Client Registration (optional for providers/clients that support them).
        • +
      +
      • +
    + +

    What this gem provides for OIDC

    +
      +
    • All OAuth 2.0 client capabilities required for OIDC flows: building authorization requests, exchanging authorization codes, refreshing tokens, and making authenticated resource requests.
      • +
    • Transport and parsing conveniences (snaky hash, Faraday integration, error handling, etc.).
      • +
    • Optional client authentication schemes useful with OIDC deployments: +
        +
      • basic_auth (default)
        • +
      • request_body (legacy)
        • +
      • tls_client_auth (MTLS)
        • +
      • private_key_jwt (OIDC-compliant when configured per OP requirements)
        • +
      +
      • +
    + +

    What you must add in your app for OIDC

    +
      +
    • ID Token validation: This gem surfaces id_token values but does not verify them. Your app should:
      +1) Parse the JWT (header, payload, signature)
      +2) Fetch the OP JSON Web Key Set (JWKS) from discovery (or configure statically)
      +3) Select the correct key by kid (when present) and verify the signature and algorithm
      +4) Validate standard claims (iss, aud, exp, iat, nbf, azp, nonce when used, at_hash/c_hash when applicable)
      +5) Enforce expected client_id, issuer, and clock skew policies
      • +
    • Nonce handling for Authorization Code flow with OIDC: generate a cryptographically-random nonce, bind it to the user session before redirect, include it in authorize request, and verify it in the ID Token on return.
      • +
    • PKCE is best practice and often required by OPs: generate/verifier, send challenge in authorize, send verifier in token request.
      • +
    • Session/state management: continue to validate state to mitigate CSRF; use exact redirect_uri matching.
      • +
    + +

    Minimal OIDC Authorization Code example

    + +
    require "oauth2"
+require "jwt"         # jwt/ruby-jwt
+require "net/http"
+require "json"
+
+client = OAuth2::Client.new(
+  ENV.fetch("OIDC_CLIENT_ID"),
+  ENV.fetch("OIDC_CLIENT_SECRET"),
+  site: ENV.fetch("OIDC_ISSUER"),              # e.g. https://accounts.example.com
+  authorize_url: "/authorize",                 # or discovered
+  token_url: "/token",                         # or discovered
+)
+
+# Step 1: Redirect to OP for consent/auth
+state = SecureRandom.hex(16)
+nonce = SecureRandom.hex(16)
+pkce_verifier = SecureRandom.urlsafe_base64(64)
+pkce_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(pkce_verifier)).delete("=")
+
+authz_url = client.auth_code.authorize_url(
+  scope: "openid profile email",
+  state: state,
+  nonce: nonce,
+  code_challenge: pkce_challenge,
+  code_challenge_method: "S256",
+  redirect_uri: ENV.fetch("OIDC_REDIRECT_URI"),
+)
+# redirect_to authz_url
+
+# Step 2: Handle callback
+# params[:code], params[:state]
+raise "state mismatch" unless params[:state] == state
+
+token = client.auth_code.get_token(
+  params[:code],
+  redirect_uri: ENV.fetch("OIDC_REDIRECT_URI"),
+  code_verifier: pkce_verifier,
+)
+
+# The token may include: access_token, id_token, refresh_token, etc.
+id_token = token.params["id_token"] || token.params[:id_token]
+
+# Step 3: Validate the ID Token (simplified – add your own checks!)
+# Discover keys (example using .well-known)
+issuer = ENV.fetch("OIDC_ISSUER")
+jwks_uri = JSON.parse(Net::HTTP.get(URI.join(issuer, "/.well-known/openid-configuration"))).
+  fetch("jwks_uri")
+jwks = JSON.parse(Net::HTTP.get(URI(jwks_uri)))
+keys = jwks.fetch("keys")
+
+# Use ruby-jwt JWK loader
+jwk_set = JWT::JWK::Set.new(keys.map { |k| JWT::JWK.import(k) })
+
+decoded, headers = JWT.decode(
+  id_token,
+  nil,
+  true,
+  algorithms: ["RS256", "ES256", "PS256"],
+  jwks: jwk_set,
+  verify_iss: true,
+  iss: issuer,
+  verify_aud: true,
+  aud: ENV.fetch("OIDC_CLIENT_ID"),
+)
+
+# Verify nonce
+raise "nonce mismatch" unless decoded["nonce"] == nonce
+
+# Optionally: call UserInfo
+userinfo = token.get("/userinfo").parsed
+
    + +

    Notes on discovery and registration

    +
      +
    • Discovery: Most OPs publish configuration at issuer/.well-known/openid-configuration (OIDC Discovery 1.0). From there, resolve authorization_endpoint, token_endpoint, jwks_uri, userinfo_endpoint, etc.
      • +
    • Dynamic Client Registration: Some OPs allow registering clients programmatically (OIDC Dynamic Client Registration 1.0). This gem does not implement registration; use a plain HTTP client or Faraday and store credentials securely.
      • +
    + +

    Common pitfalls and tips

    +
      +
    • Always request the openid scope when you expect an ID Token. Without it, the OP may behave as vanilla OAuth 2.0.
      • +
    • Validate ID Token signature and claims before trusting any identity data. Do not rely solely on the presence of an id_token field.
      • +
    • Prefer Authorization Code + PKCE. Avoid Implicit; it is discouraged in modern guidance and may be disabled by providers.
      • +
    • Use exact redirect_uri matching, and keep your allow-list short.
      • +
    • For public clients that use refresh tokens, prefer sender-constrained tokens (DPoP/MTLS) or rotation with one-time-use refresh tokens, per modern best practices.
      • +
    • When using private_key_jwt, ensure the “aud” (or token_url) and “iss/sub” claims are set per the OP’s rules, and include kid in the JWT header when required so the OP can select the right key.
      • +
    + +

    Relevant specifications and references

    +
      +
    • OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html
      • +
    • OIDC Core (final): https://openid.net/specs/openid-connect-core-1_0-final.html
      • +
    • How OIDC works: https://openid.net/developers/how-connect-works/
      • +
    • OpenID Connect home: https://openid.net/connect/
      • +
    • OIDC Discovery 1.0: https://openid.net/specs/openid-connect-discovery-1_0.html
      • +
    • OIDC Dynamic Client Registration 1.0: https://openid.net/specs/openid-connect-registration-1_0.html
      • +
    • OIDC Session Management 1.0: https://openid.net/specs/openid-connect-session-1_0.html
      • +
    • OIDC RP-Initiated Logout 1.0: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
      • +
    • OIDC Back-Channel Logout 1.0: https://openid.net/specs/openid-connect-backchannel-1_0.html
      • +
    • OIDC Front-Channel Logout 1.0: https://openid.net/specs/openid-connect-frontchannel-1_0.html
      • +
    • Auth0 OIDC overview: https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
      • +
    • Spring Authorization Server’s list of OAuth2/OIDC specs: https://github.com/spring-projects/spring-authorization-server/wiki/OAuth2-and-OIDC-Specifications
      • +
    + +

    See also

    +
      +
    • README sections on OAuth 2.1 notes and OIDC notes
      • +
    • Strategy classes under lib/oauth2/strategy for flow helpers
      • +
    • Specs under spec/oauth2 for concrete usage patterns
      • +
    + +

    Contributions welcome

    +
      +
    • If you discover provider-specific nuances, consider contributing examples or clarifications (without embedding provider-specific hacks into the library).
      • +
    +
    + + + +
    + + \ No newline at end of file diff --git a/docs/file.README.html b/docs/file.README.html index 0d3fa887..8b9e4426 100644 --- a/docs/file.README.html +++ b/docs/file.README.html @@ -1094,6 +1094,7 @@

    OpenID Connect (OIDC) Notes

    Debugging

    @@ -1326,7 +1327,7 @@

    Please give the project a star ⭐ ♥ diff --git a/docs/file.REEK.html b/docs/file.REEK.html index 57f29476..6ad2545d 100644 --- a/docs/file.REEK.html +++ b/docs/file.REEK.html @@ -61,7 +61,7 @@ diff --git a/docs/file.RUBOCOP.html b/docs/file.RUBOCOP.html index 4ac6b96e..cbf7242e 100644 --- a/docs/file.RUBOCOP.html +++ b/docs/file.RUBOCOP.html @@ -161,7 +161,7 @@

    Benefits of rubocop_gradual

    diff --git a/docs/file.SECURITY.html b/docs/file.SECURITY.html index 7643c7c2..ab2bfc72 100644 --- a/docs/file.SECURITY.html +++ b/docs/file.SECURITY.html @@ -113,7 +113,7 @@

    Enterprise Support

    diff --git a/docs/file.access_token.html b/docs/file.access_token.html index 4cb72ea2..e8323b83 100644 --- a/docs/file.access_token.html +++ b/docs/file.access_token.html @@ -84,7 +84,7 @@ diff --git a/docs/file.authenticator.html b/docs/file.authenticator.html index ce2b14fb..fc41144f 100644 --- a/docs/file.authenticator.html +++ b/docs/file.authenticator.html @@ -81,7 +81,7 @@ diff --git a/docs/file.client.html b/docs/file.client.html index f7d7750b..3d320cc3 100644 --- a/docs/file.client.html +++ b/docs/file.client.html @@ -111,7 +111,7 @@ diff --git a/docs/file.error.html b/docs/file.error.html index 419173f9..2fc71f6e 100644 --- a/docs/file.error.html +++ b/docs/file.error.html @@ -68,7 +68,7 @@ diff --git a/docs/file.filtered_attributes.html b/docs/file.filtered_attributes.html index 2006a7ed..e278122b 100644 --- a/docs/file.filtered_attributes.html +++ b/docs/file.filtered_attributes.html @@ -66,7 +66,7 @@ diff --git a/docs/file.oauth2-2.0.10.gem.html b/docs/file.oauth2-2.0.10.gem.html index 734ab2bc..45ff9943 100644 --- a/docs/file.oauth2-2.0.10.gem.html +++ b/docs/file.oauth2-2.0.10.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.11.gem.html b/docs/file.oauth2-2.0.11.gem.html index 81a61042..371172e2 100644 --- a/docs/file.oauth2-2.0.11.gem.html +++ b/docs/file.oauth2-2.0.11.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.12.gem.html b/docs/file.oauth2-2.0.12.gem.html index 100e46f9..1726bcd5 100644 --- a/docs/file.oauth2-2.0.12.gem.html +++ b/docs/file.oauth2-2.0.12.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.13.gem.html b/docs/file.oauth2-2.0.13.gem.html index a86bbff3..427761be 100644 --- a/docs/file.oauth2-2.0.13.gem.html +++ b/docs/file.oauth2-2.0.13.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2.html b/docs/file.oauth2.html index 5ca07d80..bc62af1b 100644 --- a/docs/file.oauth2.html +++ b/docs/file.oauth2.html @@ -69,7 +69,7 @@ diff --git a/docs/file.response.html b/docs/file.response.html index 6eef2f43..f2100125 100644 --- a/docs/file.response.html +++ b/docs/file.response.html @@ -77,7 +77,7 @@ diff --git a/docs/file.strategy.html b/docs/file.strategy.html index 86173f0f..0a0ff053 100644 --- a/docs/file.strategy.html +++ b/docs/file.strategy.html @@ -93,7 +93,7 @@ diff --git a/docs/file.version.html b/docs/file.version.html index 14bb9040..855f51e7 100644 --- a/docs/file.version.html +++ b/docs/file.version.html @@ -65,7 +65,7 @@ diff --git a/docs/file_list.html b/docs/file_list.html index 0f55bc81..4f34dca7 100644 --- a/docs/file_list.html +++ b/docs/file_list.html @@ -72,112 +72,117 @@

    File List

    -
  • +
  • +
    OIDC
    +
    • + + +
  • RUBOCOP
    • -
  • +
  • SECURITY
    • -
  • +
  • LICENSE
    • -
  • +
  • CITATION
    • -
  • +
  • oauth2-2.0.10.gem
    • -
  • +
  • oauth2-2.0.11.gem
    • -
  • +
  • oauth2-2.0.12.gem
    • -
  • +
  • oauth2-2.0.13.gem
    • -
  • +
  • oauth2-2.0.10.gem
    • -
  • +
  • oauth2-2.0.11.gem
    • -
  • +
  • oauth2-2.0.12.gem
    • -
  • +
  • oauth2-2.0.13.gem
    • -
  • +
  • REEK
    • -
  • +
  • access_token
    • -
  • +
  • authenticator
    • -
  • +
  • client
    • -
  • +
  • error
    • -
  • +
  • filtered_attributes
    • -
  • +
  • response
    • -
  • +
  • strategy
    • -
  • +
  • version
    • -
  • +
  • oauth2
    • diff --git a/docs/index.html b/docs/index.html index 4bdbc8bd..d304cf82 100644 --- a/docs/index.html +++ b/docs/index.html @@ -1094,6 +1094,7 @@

    OpenID Connect (OIDC) Notes

    Debugging

    @@ -1326,7 +1327,7 @@

    Please give the project a star ⭐ ♥ diff --git a/docs/top-level-namespace.html b/docs/top-level-namespace.html index 2c7379c1..d7520621 100644 --- a/docs/top-level-namespace.html +++ b/docs/top-level-namespace.html @@ -100,7 +100,7 @@

    Defined Under Namespace

    diff --git a/oauth2.gemspec b/oauth2.gemspec index f96f938a..eeeea00e 100644 --- a/oauth2.gemspec +++ b/oauth2.gemspec @@ -53,7 +53,7 @@ Gem::Specification.new do |spec| • Changes in this patch: #{gl_homepage}/-/blob/v#{spec.version}/CHANGELOG.md#200-2022-06-21-tag News: -1. New documentation website: https://oauth2.galtzo.com +1. New documentation website, including for OAuth 2.1 and OIDC: https://oauth2.galtzo.com 2. New official Discord for discussion and support: https://discord.gg/3qme4XHNKN 3. New org name "ruby-oauth" on Open Source Collective, GitHub, GitLab, Codeberg (update git remotes!) 4. Non-commercial support for the 2.x series will end by April, 2026. Please make a plan to upgrade to the next version prior to that date. @@ -103,6 +103,7 @@ Thanks, @pboling / @galtzo "CONTRIBUTING.md", "FUNDING.md", "LICENSE.txt", + "OIDC.md", "README.md", "REEK", "RUBOCOP.md", From f4e2ba3239a8584d3e822c33ce45db99e8141e77 Mon Sep 17 00:00:00 2001 From: "Peter H. Boling" Date: Sun, 31 Aug 2025 04:15:57 -0600 Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=93=9D=20Libraries=20built=20on=20top?= =?UTF-8?q?=20of=20the=20oauth2=20gem=20that=20implement=20OIDC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 1 + OIDC.md | 15 +++++++++++- docs/OAuth2.html | 2 +- docs/OAuth2/AccessToken.html | 2 +- docs/OAuth2/Authenticator.html | 2 +- docs/OAuth2/Client.html | 2 +- docs/OAuth2/Error.html | 2 +- docs/OAuth2/FilteredAttributes.html | 2 +- .../FilteredAttributes/ClassMethods.html | 2 +- docs/OAuth2/Response.html | 2 +- docs/OAuth2/Strategy.html | 2 +- docs/OAuth2/Strategy/Assertion.html | 2 +- docs/OAuth2/Strategy/AuthCode.html | 2 +- docs/OAuth2/Strategy/Base.html | 2 +- docs/OAuth2/Strategy/ClientCredentials.html | 2 +- docs/OAuth2/Strategy/Implicit.html | 2 +- docs/OAuth2/Strategy/Password.html | 2 +- docs/OAuth2/Version.html | 2 +- docs/_index.html | 2 +- docs/file.CHANGELOG.html | 16 ++++++++----- docs/file.CITATION.html | 2 +- docs/file.CODE_OF_CONDUCT.html | 2 +- docs/file.CONTRIBUTING.html | 2 +- docs/file.FUNDING.html | 2 +- docs/file.LICENSE.html | 2 +- docs/file.OIDC.html | 23 +++++++++++++++++-- docs/file.README.html | 2 +- docs/file.REEK.html | 2 +- docs/file.RUBOCOP.html | 2 +- docs/file.SECURITY.html | 2 +- docs/file.access_token.html | 2 +- docs/file.authenticator.html | 2 +- docs/file.client.html | 2 +- docs/file.error.html | 2 +- docs/file.filtered_attributes.html | 2 +- docs/file.oauth2-2.0.10.gem.html | 2 +- docs/file.oauth2-2.0.11.gem.html | 2 +- docs/file.oauth2-2.0.12.gem.html | 2 +- docs/file.oauth2-2.0.13.gem.html | 2 +- docs/file.oauth2.html | 2 +- docs/file.response.html | 2 +- docs/file.strategy.html | 2 +- docs/file.version.html | 2 +- docs/index.html | 2 +- docs/top-level-namespace.html | 2 +- 45 files changed, 87 insertions(+), 50 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index db7a8a3c..4882ff50 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - refresh token guidance for public clients, - simplified client definitions) - document how to implement an OIDC client with this gem in OIDC.md + - also, list libraries built on top of the oauth2 gem that implement OIDC ### Changed ### Deprecated ### Removed diff --git a/OIDC.md b/OIDC.md index 64c0e91f..2bd7c708 100644 --- a/OIDC.md +++ b/OIDC.md @@ -1,6 +1,19 @@ # OpenID Connect (OIDC) with ruby-oauth/oauth2 -This document complements the OAuth 2.1 notes already present in the repository by focusing on OpenID Connect (OIDC) 1.0 usage patterns when using this gem as an OAuth 2.0 client library. +## OIDC Libraries + +Libraries built on top of the oauth2 gem that implement OIDC. + +- [gamora](https://github.com/amco/gamora-rb) - OpenID Connect Relying Party for Rails apps +- [omniauth-doximity-oauth2](https://github.com/doximity/omniauth-doximity-oauth2) - OmniAuth strategy for Doximity, supporting OIDC, and using PKCE +- [omniauth-himari](https://github.com/sorah/himari) - OmniAuth strategy to act as OIDC RP and use [Himari](https://github.com/sorah/himari) for OP +- [omniauth-mit-oauth2](https://github.com/MITLibraries/omniauth-mit-oauth2) - OmniAuth strategy for MIT OIDC + +If any other libraries would like to be added to this list, please open an issue or pull request. + +## Raw OIDC with ruby-oauth/oauth2 + +This document complements the inline documentation by focusing on OpenID Connect (OIDC) 1.0 usage patterns when using this gem as an OAuth 2.0 client library. Scope of this document - Audience: Developers building an OAuth 2.0/OIDC Relying Party (RP, aka client) in Ruby. diff --git a/docs/OAuth2.html b/docs/OAuth2.html index 51c9468c..29589692 100644 --- a/docs/OAuth2.html +++ b/docs/OAuth2.html @@ -415,7 +415,7 @@

    diff --git a/docs/OAuth2/AccessToken.html b/docs/OAuth2/AccessToken.html index 48ef159e..40443e45 100644 --- a/docs/OAuth2/AccessToken.html +++ b/docs/OAuth2/AccessToken.html @@ -3069,7 +3069,7 @@

    diff --git a/docs/OAuth2/Authenticator.html b/docs/OAuth2/Authenticator.html index eb73cedb..2d8d9d58 100644 --- a/docs/OAuth2/Authenticator.html +++ b/docs/OAuth2/Authenticator.html @@ -883,7 +883,7 @@

    diff --git a/docs/OAuth2/Client.html b/docs/OAuth2/Client.html index 28ded2f2..eb046f10 100644 --- a/docs/OAuth2/Client.html +++ b/docs/OAuth2/Client.html @@ -2656,7 +2656,7 @@

    diff --git a/docs/OAuth2/Error.html b/docs/OAuth2/Error.html index 3b632405..b852be13 100644 --- a/docs/OAuth2/Error.html +++ b/docs/OAuth2/Error.html @@ -772,7 +772,7 @@

    diff --git a/docs/OAuth2/FilteredAttributes.html b/docs/OAuth2/FilteredAttributes.html index 2b49116a..82ca2b5c 100644 --- a/docs/OAuth2/FilteredAttributes.html +++ b/docs/OAuth2/FilteredAttributes.html @@ -335,7 +335,7 @@

    diff --git a/docs/OAuth2/FilteredAttributes/ClassMethods.html b/docs/OAuth2/FilteredAttributes/ClassMethods.html index 6c7a0789..e729ba40 100644 --- a/docs/OAuth2/FilteredAttributes/ClassMethods.html +++ b/docs/OAuth2/FilteredAttributes/ClassMethods.html @@ -280,7 +280,7 @@

    diff --git a/docs/OAuth2/Response.html b/docs/OAuth2/Response.html index 8767f4e8..17bbd4f8 100644 --- a/docs/OAuth2/Response.html +++ b/docs/OAuth2/Response.html @@ -1619,7 +1619,7 @@

    diff --git a/docs/OAuth2/Strategy.html b/docs/OAuth2/Strategy.html index d7eb70c9..1117d94d 100644 --- a/docs/OAuth2/Strategy.html +++ b/docs/OAuth2/Strategy.html @@ -107,7 +107,7 @@

    Defined Under Namespace

    diff --git a/docs/OAuth2/Strategy/Assertion.html b/docs/OAuth2/Strategy/Assertion.html index bedd89d9..69264be5 100644 --- a/docs/OAuth2/Strategy/Assertion.html +++ b/docs/OAuth2/Strategy/Assertion.html @@ -481,7 +481,7 @@

    diff --git a/docs/OAuth2/Strategy/AuthCode.html b/docs/OAuth2/Strategy/AuthCode.html index b0ea8617..6480e47e 100644 --- a/docs/OAuth2/Strategy/AuthCode.html +++ b/docs/OAuth2/Strategy/AuthCode.html @@ -483,7 +483,7 @@

    diff --git a/docs/OAuth2/Strategy/Base.html b/docs/OAuth2/Strategy/Base.html index f6068df3..05d29d90 100644 --- a/docs/OAuth2/Strategy/Base.html +++ b/docs/OAuth2/Strategy/Base.html @@ -195,7 +195,7 @@

    diff --git a/docs/OAuth2/Strategy/ClientCredentials.html b/docs/OAuth2/Strategy/ClientCredentials.html index 93baa6ba..1e935d28 100644 --- a/docs/OAuth2/Strategy/ClientCredentials.html +++ b/docs/OAuth2/Strategy/ClientCredentials.html @@ -343,7 +343,7 @@

    diff --git a/docs/OAuth2/Strategy/Implicit.html b/docs/OAuth2/Strategy/Implicit.html index 59166027..f6a52a17 100644 --- a/docs/OAuth2/Strategy/Implicit.html +++ b/docs/OAuth2/Strategy/Implicit.html @@ -420,7 +420,7 @@

    diff --git a/docs/OAuth2/Strategy/Password.html b/docs/OAuth2/Strategy/Password.html index bc70cb06..874eacd3 100644 --- a/docs/OAuth2/Strategy/Password.html +++ b/docs/OAuth2/Strategy/Password.html @@ -374,7 +374,7 @@

    diff --git a/docs/OAuth2/Version.html b/docs/OAuth2/Version.html index 7e67b8d5..185cbff7 100644 --- a/docs/OAuth2/Version.html +++ b/docs/OAuth2/Version.html @@ -111,7 +111,7 @@

    diff --git a/docs/_index.html b/docs/_index.html index a601b39b..0aeb681f 100644 --- a/docs/_index.html +++ b/docs/_index.html @@ -366,7 +366,7 @@

    Namespace Listing A-Z

    diff --git a/docs/file.CHANGELOG.html b/docs/file.CHANGELOG.html index b2588230..1800d34a 100644 --- a/docs/file.CHANGELOG.html +++ b/docs/file.CHANGELOG.html @@ -78,11 +78,15 @@

    Added

  • document how to implement an OIDC client with this gem in OIDC.md -

    Changed

    -

    Deprecated

    -

    Removed

    -

    Fixed

    -

    Security

    +
      +
    • also, list libraries built on top of the oauth2 gem that implement OIDC +

      Changed

      +

      Deprecated

      +

      Removed

      +

      Fixed

      +

      Security

      +
      • +
    • @@ -1240,7 +1244,7 @@

    diff --git a/docs/file.CITATION.html b/docs/file.CITATION.html index 9f06c3ac..cfb8a348 100644 --- a/docs/file.CITATION.html +++ b/docs/file.CITATION.html @@ -82,7 +82,7 @@ diff --git a/docs/file.CODE_OF_CONDUCT.html b/docs/file.CODE_OF_CONDUCT.html index 1159e835..b734d9de 100644 --- a/docs/file.CODE_OF_CONDUCT.html +++ b/docs/file.CODE_OF_CONDUCT.html @@ -191,7 +191,7 @@

    Attribution

    diff --git a/docs/file.CONTRIBUTING.html b/docs/file.CONTRIBUTING.html index 65b15b25..47ab5b39 100644 --- a/docs/file.CONTRIBUTING.html +++ b/docs/file.CONTRIBUTING.html @@ -274,7 +274,7 @@

    Manual process

    diff --git a/docs/file.FUNDING.html b/docs/file.FUNDING.html index c0ddd2e1..8898aed1 100644 --- a/docs/file.FUNDING.html +++ b/docs/file.FUNDING.html @@ -104,7 +104,7 @@

    Another Way to Support Open diff --git a/docs/file.LICENSE.html b/docs/file.LICENSE.html index d9829657..668c2ecc 100644 --- a/docs/file.LICENSE.html +++ b/docs/file.LICENSE.html @@ -60,7 +60,7 @@
    MIT License

    Copyright (c) 2017-2025 Peter H. Boling, of Galtzo.com, and oauth2 contributors
    Copyright (c) 2011-2013 Michael Bleigh and Intridea, Inc.

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE.
    diff --git a/docs/file.OIDC.html b/docs/file.OIDC.html index 60f2e974..bba61a62 100644 --- a/docs/file.OIDC.html +++ b/docs/file.OIDC.html @@ -59,7 +59,26 @@

    OpenID Connect (OIDC) with ruby-oauth/oauth2

    -

    This document complements the OAuth 2.1 notes already present in the repository by focusing on OpenID Connect (OIDC) 1.0 usage patterns when using this gem as an OAuth 2.0 client library.

    +

    OIDC Libraries

    + +

    Libraries built on top of the oauth2 gem that implement OIDC.

    + + + +

    If any other libraries would like to be added to this list, please open an issue or pull request.

    + +

    Raw OIDC with ruby-oauth/oauth2

    + +

    This document complements the inline documentation by focusing on OpenID Connect (OIDC) 1.0 usage patterns when using this gem as an OAuth 2.0 client library.

    Scope of this document

      @@ -228,7 +247,7 @@
    diff --git a/docs/file.README.html b/docs/file.README.html index 8b9e4426..984b4d15 100644 --- a/docs/file.README.html +++ b/docs/file.README.html @@ -1327,7 +1327,7 @@

    Please give the project a star ⭐ ♥ diff --git a/docs/file.REEK.html b/docs/file.REEK.html index 6ad2545d..b7f88131 100644 --- a/docs/file.REEK.html +++ b/docs/file.REEK.html @@ -61,7 +61,7 @@ diff --git a/docs/file.RUBOCOP.html b/docs/file.RUBOCOP.html index cbf7242e..12b309de 100644 --- a/docs/file.RUBOCOP.html +++ b/docs/file.RUBOCOP.html @@ -161,7 +161,7 @@

    Benefits of rubocop_gradual

    diff --git a/docs/file.SECURITY.html b/docs/file.SECURITY.html index ab2bfc72..72e893b1 100644 --- a/docs/file.SECURITY.html +++ b/docs/file.SECURITY.html @@ -113,7 +113,7 @@

    Enterprise Support

    diff --git a/docs/file.access_token.html b/docs/file.access_token.html index e8323b83..0f803ede 100644 --- a/docs/file.access_token.html +++ b/docs/file.access_token.html @@ -84,7 +84,7 @@ diff --git a/docs/file.authenticator.html b/docs/file.authenticator.html index fc41144f..abf4b0bc 100644 --- a/docs/file.authenticator.html +++ b/docs/file.authenticator.html @@ -81,7 +81,7 @@ diff --git a/docs/file.client.html b/docs/file.client.html index 3d320cc3..04fbe9c3 100644 --- a/docs/file.client.html +++ b/docs/file.client.html @@ -111,7 +111,7 @@ diff --git a/docs/file.error.html b/docs/file.error.html index 2fc71f6e..f6679210 100644 --- a/docs/file.error.html +++ b/docs/file.error.html @@ -68,7 +68,7 @@ diff --git a/docs/file.filtered_attributes.html b/docs/file.filtered_attributes.html index e278122b..deb0dfd6 100644 --- a/docs/file.filtered_attributes.html +++ b/docs/file.filtered_attributes.html @@ -66,7 +66,7 @@ diff --git a/docs/file.oauth2-2.0.10.gem.html b/docs/file.oauth2-2.0.10.gem.html index 45ff9943..4651750e 100644 --- a/docs/file.oauth2-2.0.10.gem.html +++ b/docs/file.oauth2-2.0.10.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.11.gem.html b/docs/file.oauth2-2.0.11.gem.html index 371172e2..bd91a146 100644 --- a/docs/file.oauth2-2.0.11.gem.html +++ b/docs/file.oauth2-2.0.11.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.12.gem.html b/docs/file.oauth2-2.0.12.gem.html index 1726bcd5..77de0097 100644 --- a/docs/file.oauth2-2.0.12.gem.html +++ b/docs/file.oauth2-2.0.12.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.13.gem.html b/docs/file.oauth2-2.0.13.gem.html index 427761be..e14b7573 100644 --- a/docs/file.oauth2-2.0.13.gem.html +++ b/docs/file.oauth2-2.0.13.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2.html b/docs/file.oauth2.html index bc62af1b..ae49d83e 100644 --- a/docs/file.oauth2.html +++ b/docs/file.oauth2.html @@ -69,7 +69,7 @@ diff --git a/docs/file.response.html b/docs/file.response.html index f2100125..3f4f9aee 100644 --- a/docs/file.response.html +++ b/docs/file.response.html @@ -77,7 +77,7 @@ diff --git a/docs/file.strategy.html b/docs/file.strategy.html index 0a0ff053..7efc0324 100644 --- a/docs/file.strategy.html +++ b/docs/file.strategy.html @@ -93,7 +93,7 @@ diff --git a/docs/file.version.html b/docs/file.version.html index 855f51e7..216e9cb2 100644 --- a/docs/file.version.html +++ b/docs/file.version.html @@ -65,7 +65,7 @@ diff --git a/docs/index.html b/docs/index.html index d304cf82..28ad4d8b 100644 --- a/docs/index.html +++ b/docs/index.html @@ -1327,7 +1327,7 @@

    Please give the project a star ⭐ ♥ diff --git a/docs/top-level-namespace.html b/docs/top-level-namespace.html index d7520621..599b7b92 100644 --- a/docs/top-level-namespace.html +++ b/docs/top-level-namespace.html @@ -100,7 +100,7 @@

    Defined Under Namespace