bundle update oauth2

Change-Id: Ie3ca994e3cddff3fc985c0aac9534e1617774a2c
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/325872
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Build-Review: Cody Cutrer <cody@instructure.com>

Gemfile.d/app.rb

@@ -97,7 +97,7 @@ gem "net-pop", "~> 0.1", require: false
 gem "net-smtp", "~> 0.3", require: false
 gem "nokogiri", "~> 1.14", require: false
 gem "oauth", "~> 1.1", require: false
-gem "oauth2", "~> 1.4", require: false
+gem "oauth2", "~> 2.0", require: false
 gem "oj", "~> 3.16"
 gem "outrigger", "3.0.1"
 gem "parallel", "~> 1.23", require: false

Gemfile.lock

@@ -771,12 +771,13 @@ GEM
       version_gem (~> 1.1)
     oauth-tty (1.0.5)
       version_gem (~> 1.1, >= 1.1.1)
-    oauth2 (1.4.11)
+    oauth2 (2.0.9)
       faraday (>= 0.17.3, < 3.0)
       jwt (>= 1.0, < 3.0)
-      multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0)
+      version_gem (~> 1.1)
     oj (3.16.0)
     once-ler (2.0.1)
       activerecord (>= 6.0, < 7.1)
@@ -1292,7 +1293,7 @@ DEPENDENCIES
   net-smtp (~> 0.3)
   nokogiri (~> 1.14)
   oauth (~> 1.1)
-  oauth2 (~> 1.4)
+  oauth2 (~> 2.0)
   oj (~> 3.16)
   once-ler (= 2.0.1)
   outrigger (= 3.0.1)

app/models/authentication_provider/apple.rb

@@ -73,7 +73,7 @@ class AuthenticationProvider::Apple < AuthenticationProvider::OpenIDConnect
     end
 
     user = JSON.parse(params[:user]) if params[:user]
-    id_token.merge!(user["name"].slice("firstName", "lastName")) if user["name"]
+    id_token.merge!(user["name"].slice("firstName", "lastName")) if user && user["name"]
     id_token
   end
 
@@ -81,14 +81,6 @@ class AuthenticationProvider::Apple < AuthenticationProvider::OpenIDConnect
     token
   end
 
-  def generate_authorize_url(redirect_uri, state)
-    # wtf Apple https://forums.developer.apple.com/thread/122458
-    # we _could_ update faraday, which has been fixed to deal with this as well,
-    # but that's a long rabbit whole of other gems that would need updating and
-    # have very large breaking changes, so far riskier
-    super.gsub("+", "%20")
-  end
-
   protected
 
   def authorize_url

app/models/authentication_provider/linked_in.rb

@@ -92,8 +92,8 @@ class AuthenticationProvider::LinkedIn < AuthenticationProvider::OAuth2
   def client_options
     {
       site: "https://api.linkedin.com",
-      authorize_url: "https://www.linkedin.com/uas/oauth2/authorization",
-      token_url: "https://www.linkedin.com/uas/oauth2/accessToken"
+      authorize_url: "https://www.linkedin.com/oauth/v2/authorization",
+      token_url: "https://www.linkedin.com/oauth/v2/accessToken"
     }
   end
 
@@ -108,4 +108,8 @@ class AuthenticationProvider::LinkedIn < AuthenticationProvider::OAuth2
       "r_liteprofile"
     end
   end
+
+  def token_options
+    { client_secret: }
+  end
 end

app/models/authentication_provider/oauth.rb

@@ -19,7 +19,6 @@
 #
 
 require "oauth2"
-require "canvas/core_ext/oauth2"
 
 class AuthenticationProvider::OAuth < AuthenticationProvider::Delegated
   SENSITIVE_PARAMS = [:consumer_secret].freeze

app/models/authentication_provider/oauth2.rb

@@ -19,7 +19,6 @@
 #
 
 require "oauth2"
-require "canvas/core_ext/oauth2"
 
 class OAuthValidationError < RuntimeError
 end

lib/canvas/core_ext/oauth2.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-#
-# Copyright (C) 2016 - present Instructure, Inc.
-#
-# This file is part of Canvas.
-#
-# Canvas is free software: you can redistribute it and/or modify it under
-# the terms of the GNU Affero General Public License as published by the Free
-# Software Foundation, version 3 of the License.
-#
-# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
-# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
-# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
-# details.
-#
-# You should have received a copy of the GNU Affero General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-
-module Canvas::CoreExt
-  module OAuth2
-    def get_token(params, access_token_opts = {}, access_token_class = ::OAuth2::AccessToken)
-      params = ::OAuth2::Authenticator.new(id, secret, options[:auth_scheme]).apply(params)
-      opts = { raise_errors: options[:raise_errors], parse: params.delete(:parse) }
-      headers = params.delete(:headers) || {}
-      if options[:token_method] == :post
-        opts[:body] = params
-        opts[:headers] = { "Content-Type" => "application/x-www-form-urlencoded" }
-      else
-        opts[:params] = params
-        opts[:headers] = {}
-      end
-      opts[:headers].merge!(headers)
-      response = request(options[:token_method], token_url, opts)
-      # only change is on this line; Microsoft doesn't send back an access_token if you're doing a pure OpenID Connect auth
-      if options[:raise_errors] && !((response.parsed.is_a?(Hash) && response.parsed["access_token"]) || response.parsed["id_token"])
-        error = ::OAuth2::Error.new(response)
-        raise(error)
-      end
-      access_token_class.from_hash(self, response.parsed.merge(access_token_opts))
-    end
-  end
-end
-OAuth2::Client.prepend(Canvas::CoreExt::OAuth2)