Releases: XeroAPI/xero-oauth2-omniauth-strategy
1.1.0
Xero OAuth 2.0 OmniAuth Strategy version 1.1.0 release.
Adds support for additional authorization options at runtime per #12.
You can now define a fixed state param in the initializer config. Note that a value hard-coded here is the same for every login and is known to anyone who can read the config, so it does not give you the per-login unpredictability that makes the OAuth state param a CSRF defence:
Rails.application.config.middleware.use OmniAuth::Builder do
provider(
:xero_oauth2,
ENV['CLIENT_ID'],
ENV['CLIENT_SECRET'],
scope: ENV['SCOPES'],
state: 'sup3r$ecretSt@te'
)
end
Alternatively, you can set the state param dynamically at runtime. Setting provider_ignores_state: true stops omniauth-oauth2 from comparing the state Xero returns on the callback with the value it stored in the session (that comparison is what raises the "CSRF detected" error), so once you set it your app is responsible for verifying the returned state itself:
Rails.application.config.middleware.use OmniAuth::Builder do
provider(
:xero_oauth2,
ENV['CLIENT_ID'],
ENV['CLIENT_SECRET'],
scope: ENV['SCOPES'],
provider_ignores_state: true # without this you'll get a "CSRF detected" error
)
end
-----
<h4>Xero Ruby Oauth2 Demo App</h4>
<p><%= form_tag('/auth/xero_oauth2', method: 'post') do %>
<input type="hidden" name="state" value="runtime-sup3r$ecretSt@te">
<button type='submit'>Connect to Xero</button>
<% end %></p>
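With provider_ignores_state: true the strategy no longer checks the returned state, so the application has to. The following module is an added example, not code from xero-oauth2-omniauth-strategy or omniauth-oauth2: it mints an unguessable per-login state to put in the hidden state input of the form above, binds it to the user's session, and verifies it on the callback (single use, constant-time compare). The session key name and the module name are assumptions; any hash-like session object works.

```ruby
# Added example (not part of the xero-oauth2-omniauth-strategy gem).
# With provider_ignores_state: true, omniauth-oauth2 skips its own
# state check, so the app must compare the `state` Xero sends back on
# /auth/xero_oauth2/callback with the value it issued for this login.
require 'securerandom'

module OAuthState
  SESSION_KEY = 'xero.oauth2.state'.freeze # assumed key name; pick your own

  class Mismatch < StandardError; end

  # Mint a fresh random state and remember it in the session. The return
  # value goes into the hidden `state` input of the "Connect to Xero" form,
  # which the strategy forwards to Xero as the authorize `state` param.
  def self.generate(session)
    state = SecureRandom.urlsafe_base64(32)
    session[SESSION_KEY] = state
    state
  end

  # Verify the state that came back on the callback. The stored value is
  # deleted before comparing so a state can only be used once, and the
  # comparison is constant time so it does not leak how many bytes matched.
  # Raises Mismatch on failure; returns true on success.
  def self.verify!(session, params)
    expected = session.delete(SESSION_KEY)
    actual   = params['state'].to_s
    raise Mismatch, 'missing state' if expected.nil? || actual.empty?
    raise Mismatch, 'state mismatch' unless secure_equal?(expected, actual)
    true
  end

  # Constant-time string comparison (no early exit on the first differing byte).
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk-through with a plain Hash standing in for the Rails session
# (constructed sample data, not a real Xero exchange).
if __FILE__ == $PROGRAM_NAME
  session = {}
  issued = OAuthState.generate(session)           # render this into the form
  OAuthState.verify!(session, 'state' => issued)  # callback: accepted
  begin
    OAuthState.verify!(session, 'state' => issued) # replay: rejected
  rescue OAuthState::Mismatch => e
    puts "replay rejected: #{e.message}"
  end
end
```

In a Rails app, call OAuthState.generate(session) in the view that renders the form (value: OAuthState.generate(session) on the hidden input) and OAuthState.verify!(session, params) at the top of the callback action, before trusting request.env['omniauth.auth']. The check belongs in the callback action rather than in the initializer because that is where both the session and the returned state param are available.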
1.0.3
Xero OAuth 2.0 OmniAuth Strategy version 1.0.3 release.
Fixes a breaking change in OmniAuth 2 for relative-root apps:
- https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0#relative-root-apps
- omniauth/omniauth#903
Repository Cleanup:
- Removed Gemfile.lock
- Removed previously packaged gems
- Fix up version.rb to always match gemspec
Special thanks to @whithajess 🎉
1.0.2
Xero OAuth 2.0 OmniAuth Strategy version 1.0.1 release.
Dependencies updated to:
omniauth-xero-oauth2 (1.0.1)
omniauth (~> 2.0.0)
As per the OmniAuth 2.0.0 release notes, a Rails app should start the auth flow with a POST form (OmniAuth 2 no longer allows the request phase over GET by default) rather than a GET link:
<%= form_tag('/auth/developer', method: 'post') do %>
<button type='submit'>Login with Developer</button>
<% end %>
To prevent CSRF attacks on that POST, you will also need the following request validator defined in your initializer:
# Derived from https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/lib/omniauth/rails_csrf_protection/token_verifier.rb
# This specific implementation has been pared down and should not be taken as the most correct way to do this.
class TokenVerifier
include ActiveSupport::Configurable
include ActionController::RequestForgeryProtection
def call(env)
@request = ActionDispatch::Request.new(env.dup)
raise OmniAuth::AuthenticityError unless verified_request?
end
private
attr_reader :request
delegate :params, :session, to: :request
end
# in an initializer
OmniAuth.config.request_validation_phase = TokenVerifier.new
The sample vanilla app for Xero OmniAuth Oauth 2.0 is updated.
0.9.4
v0.9.3
v0.9.2
In this version, the strategy works with a scope list that either includes or omits the OpenID Connect scopes:
example scope with openid:
openid profile email files accounting.transactions accounting.transactions.read accounting.reports.read accounting.journals.read accounting.settings accounting.settings.read accounting.contacts accounting.contacts.read accounting.attachments accounting.attachments.read offline_access
example scope without openid:
files accounting.transactions accounting.transactions.read accounting.reports.read accounting.journals.read accounting.settings accounting.settings.read accounting.contacts accounting.contacts.read accounting.attachments accounting.attachments.read offline_access