Not compatible with oauth2 2.0.10
Following the issue in the oauth repo.
There was a breaking change in which you can't access oauth2 responses by symbol anymore, and it breaks the domain verifier at `lib/omniauth/microsoft_graph/domain_verifier.rb:79`,
since the code is doing this:
```ruby
def get_jwks(oidc_config)
  # Depending on the tenant, the JWKS endpoint might be different. We need to
  # consider both the JWKS from the OIDC configuration and the common JWKS endpoint.
  oidc_config_jwk_keys = access_token.get(oidc_config['jwks_uri']).parsed[:keys]
  common_jwk_keys = access_token.get(COMMON_JWKS_URL).parsed[:keys]
  JWT::JWK::Set.new(oidc_config_jwk_keys + common_jwk_keys)
end
```
but in the new version it needs to be this:
```ruby
def get_jwks(oidc_config)
  # Depending on the tenant, the JWKS endpoint might be different. We need to
  # consider both the JWKS from the OIDC configuration and the common JWKS endpoint.
  oidc_config_jwk_keys = access_token.get(oidc_config['jwks_uri']).parsed["keys"]
  common_jwk_keys = access_token.get(COMMON_JWKS_URL).parsed["keys"]
  JWT::JWK::Set.new(oidc_config_jwk_keys + common_jwk_keys)
end
```
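The failure described above is that `parsed[:keys]` returns `nil` on a plain String-keyed Hash, so the later `+` raises `NoMethodError` inside domain verification. The following is an added example, not code from this issue or from omniauth-microsoft_graph, showing a key-style-agnostic way to read a JWKS document and merge the tenant and common key sets. It uses only the Ruby standard library (no `JWT::JWK::Set`), and the JWKS documents, the `field`, `jwks_keys` and `merge_jwks` helpers, and the key ids in them are all constructed for the example.

```ruby
require 'json'

# Constructed sample JWKS documents (not real Microsoft keys). After JSON
# parsing they stand in for what `access_token.get(...).parsed` returns.
TENANT_JWKS_JSON = '{"keys":[{"kty":"RSA","kid":"tenant-key-1","use":"sig","n":"AQAB","e":"AQAB"}]}'
COMMON_JWKS_JSON = '{"keys":[' \
  '{"kty":"RSA","kid":"common-key-1","use":"sig","n":"AQAB","e":"AQAB"},' \
  '{"kty":"RSA","kid":"tenant-key-1","use":"sig","n":"AQAB","e":"AQAB"},' \
  '{"kty":"RSA","kid":"enc-key-1","use":"enc","n":"AQAB","e":"AQAB"}]}'

# Read a field from a JWK/JWKS hash whether the parser produced String or
# Symbol keys (hypothetical helper).
def field(hash, name)
  hash.key?(name.to_s) ? hash[name.to_s] : hash[name.to_sym]
end

# The pattern from the issue: symbol access only. On a plain String-keyed Hash
# (oauth2 2.0.10) this returns nil, and `nil + common_jwk_keys` then raises.
def keys_by_symbol_only(parsed)
  parsed[:keys]
end

# Key-style-agnostic extraction that fails loudly instead of returning nil, so a
# malformed or empty JWKS aborts verification rather than surfacing later.
def jwks_keys(parsed)
  keys = field(parsed, :keys)
  raise ArgumentError, 'JWKS document has no "keys" array' unless keys.is_a?(Array)
  keys
end

# Merge tenant-specific and common JWKS: keep only signing keys (use == "sig"
# or unspecified) and de-duplicate on kid so a key served by both endpoints
# appears once in the set used for verification.
def merge_jwks(*parsed_docs)
  parsed_docs
    .flat_map { |doc| jwks_keys(doc) }
    .select { |jwk| [nil, 'sig'].include?(field(jwk, :use)) }
    .uniq { |jwk| field(jwk, :kid) }
end

# Simulates the two fetches returning different key styles and returns the
# kids of the merged signing-key set.
def demo_kids
  tenant = JSON.parse(TENANT_JWKS_JSON)                        # String keys
  common = JSON.parse(COMMON_JWKS_JSON, symbolize_names: true) # Symbol keys
  merge_jwks(tenant, common).map { |jwk| field(jwk, :kid) }
end

puts demo_kids.inspect if __FILE__ == $PROGRAM_NAME
```

Whichever key style the response library settles on, `jwks_keys` raises on a missing array instead of handing `nil` down to the set constructor, which is the behaviour you want in a verifier: an unreadable key set should fail the check, not crash later or silently verify nothing.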
I'm going to revert the change to oauth2 in a patch release, so that it remains compatible as-is. Will update here when the fix is released.
- [x] Fix: https://github.com/oauth-xx/oauth2/pull/650
- [x] Release: https://github.com/oauth-xx/oauth2/pull/651
oauth2 v2.0.11 is released with the fix. This should be closed.
https://github.com/oauth-xx/oauth2/releases/tag/v2.0.11
Access to the parsed response via symbol, string, or method is part of the documented public API, and the change to that functionality was a mistake. It was an attempt to fix a different bug, which I've since fixed a different way.
Since it was a regression, and a bug, it was fixed in a patch release.
I am not going to yank v2.0.10, since anyone upgrading now will get v2.0.11 instead, and tools that use string keys will still work, so it is only broken for certain use cases.
Please upgrade to oauth2 v2.0.11!