lib/omniauth/strategies/auth0.rb in omniauth-auth0-2.2.0 vs lib/omniauth/strategies/auth0.rb in omniauth-auth0-2.3.0

- old
+ new

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 require 'base64'
 require 'uri'
+require 'securerandom'
 require 'omniauth-oauth2'
 require 'omniauth/auth0/jwt_validator'
 require 'omniauth/auth0/telemetry'
 module OmniAuth
@@ -46,15 +47,21 @@
 'token_type' => access_token.params['token_type'],
 'refresh_token' => access_token.refresh_token
 )
 end
-# Make sure the ID token can be verified and decoded.
-auth0_jwt = OmniAuth::Auth0::JWTValidator.new(options)
-jwt_decoded = auth0_jwt.decode(credentials['id_token'])
-fail!(:invalid_id_token) unless jwt_decoded.length
+# Retrieve and remove authorization params from the session
+session_authorize_params = session['authorize_params'] || {}
+session.delete('authorize_params')
+auth_scope = session_authorize_params[:scope]
+if auth_scope.respond_to?(:include?) && auth_scope.include?('openid')
+# Make sure the ID token can be verified and decoded.
+auth0_jwt = OmniAuth::Auth0::JWTValidator.new(options)
+auth0_jwt.verify(credentials['id_token'], session_authorize_params)
+end
+
 credentials
 end
 # Store all raw information for use in the session.
 extra do
@@ -76,12 +83,22 @@
 # Define the parameters used for the /authorize endpoint
 def authorize_params
 params = super
 parsed_query = Rack::Utils.parse_query(request.query_string)
-params['connection'] = parsed_query['connection']
-params['prompt'] = parsed_query['prompt']
+%w[connection prompt].each do |key|
+params[key] = parsed_query[key] if parsed_query.key?(key)
+end
+
+# Generate nonce
+params[:nonce] = SecureRandom.hex
+# Generate leeway if none exists
+params[:leeway] = 60 unless params[:leeway]
+
+# Store authorize params in the session for token verification
+session['authorize_params'] = params
+
 params
 end
 def build_access_token
 options.token_params[:headers] = { 'Auth0-Client' => telemetry_encoded }
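Review bot: In the `credentials` hunk the ID token is now verified only when `session_authorize_params[:scope]` contains `openid`, so every path where that lookup yields nil — the stored hash is gone, or its symbol keys come back as strings after a round trip through the session store (the `authorize_params` hunk below stores `'connection'`/`'prompt'` under string keys but `:nonce`/`:leeway` under symbols) — skips verification and still hands the unverified `credentials['id_token']` to the application. That is fail-open for the one check that binds the token to this login; gating on the token's presence fails closed: `if credentials['id_token']`, with the scope test kept only to decide whether an absent token is itself an error. Whether `scope` lives under a symbol key depends on what `super` puts into params, which is outside this diff, and the same key-type question applies to the `:nonce` and `:leeway` values that `verify` presumably reads from the hash it is handed. The enclosing `credentials do` block starts above the hunk.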
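Review bot: In the `authorize_params` hunk, `session['authorize_params'] = params` stores the entire hash, including whatever `super` already placed in it, and if the base OAuth2 strategy builds the `/authorize` redirect query from this same hash (not visible here), the new `leeway=60` is also sent to the authorization server as a query parameter although it is purely a local verification tolerance. Consider storing only what the callback needs (scope, nonce, leeway) under one consistent key type and keeping `leeway` out of the request, rather than persisting and transmitting the full parameter hash. Style: `params[:leeway] = 60 unless params[:leeway]` is the idiom `params[:leeway] ||= 60`. The nonce is a replay defence only if the validator's `verify` compares it against the token's `nonce` claim; that method is not in this diff.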
@@ -101,9 +118,15 @@
 fail!(:missing_domain)
 else
 # All checks pass, run the Oauth2 request_phase method.
 super
 end
+end
+
+def callback_phase
+super
+rescue OmniAuth::Auth0::TokenValidationError => e
+fail!(:token_validation_error, e)
 end
 private
 # Parse the raw user info.
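Review bot: `callback_phase` has no doc comment although the neighbouring `authorize_params` carries one, and its failure key `:token_validation_error` replaces the `:invalid_id_token` removed in the credentials hunk, so any `on_failure` handler or failure-page text keyed on the old symbol stops matching; that rename belongs in the changelog. I would add `# Run the OAuth2 callback, reporting an ID token that fails validation as an OmniAuth failure instead of raising.` above `def callback_phase`. Passing `e` to `fail!` makes it the error object the failure app receives, so it is worth confirming that `TokenValidationError` messages describe which check failed rather than echo token contents, since that text can end up in logs or the failure redirect. The `request_phase` method to which the first context lines belong starts above the hunk.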