fix reading OpenID Connect token responses from Microsoft

when using Microsoft's OpenID Connect service (as documented at https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-protocols/) if you only request the openid scope, Microsoft only returns an id_token, with no access_token. so treat that as a valid response.
oauth-xx · Mar 10, 2016 · e3348ac · e3348ac
1 parent e0006cb
commit e3348ac
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/lib/oauth2/client.rb b/lib/oauth2/client.rb
@@ -136,8 +136,11 @@ def get_token(params, access_token_opts = {}, access_token_class = AccessToken)
  opts[:params] = params
  end
  response = request(options[:token_method], token_url, opts)
- error = Error.new(response)
- raise(error) if options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed['access_token'])
+ if options[:raise_errors] && !(response.parsed.is_a?(Hash) &&
+ (response.parsed['access_token'] || response.parsed['id_token']))
+ error = Error.new(response)
+ raise(error)
+ end
  access_token_class.from_hash(self, response.parsed.merge(access_token_opts))
  end
 

diff --git a/spec/oauth2/strategy/auth_code_spec.rb b/spec/oauth2/strategy/auth_code_spec.rb
@@ -5,6 +5,7 @@
  let(:kvform_token) { 'expires_in=600&access_token=salmon&refresh_token=trout&extra_param=steve' }
  let(:facebook_token) { kvform_token.gsub('_in', '') }
  let(:json_token) { MultiJson.encode(:expires_in => 600, :access_token => 'salmon', :refresh_token => 'trout', :extra_param => 'steve') }
+ let(:microsoft_token) { 'id_token=jwt' }
 
  let(:client) do
  OAuth2::Client.new('abc', 'def', :site => 'http://api.example.com') do |builder|
@@ -17,6 +18,8 @@
  [200, {'Content-Type' => 'application/json'}, json_token]
  when 'from_facebook'
  [200, {'Content-Type' => 'application/x-www-form-urlencoded'}, facebook_token]
+ when 'from_microsoft'
+ [200, {'Content-Type' => 'application/x-www-form-urlencoded'}, microsoft_token]
  end
  end
  stub.post('/oauth/token', 'client_id' => 'abc', 'client_secret' => 'def', 'code' => 'sushi', 'grant_type' => 'authorization_code') do |env|
@@ -50,6 +53,15 @@
  end
  end
 
+ describe '#get_token' do
+ it "doesn't treat an OpenID Connect token with only an id_token (like from Microsoft) as invalid" do
+ @mode = 'from_microsoft'
+ client.options[:token_method] = :get
+ @access = subject.get_token(code)
+ expect(@access['id_token']).to eq('jwt')
+ end
+ end
+
  %w(json formencoded from_facebook).each do |mode|
  [:get, :post].each do |verb|
  describe "#get_token (#{mode}, access_token_method=#{verb}" do