Revert "bundle update oauth2"

This reverts commit 9e69dde208.

Change-Id: I3cf8a7ebe352134a17db94f253718ae9fa97a08f
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/327804
Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Build-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>

Gemfile.d/app.rb

@@ -77,7 +77,7 @@ gem "neighbor", "~> 0.3"
 gem "net-http", "~> 0.1", require: false
 gem "net-ldap", "~> 0.18", require: false
 gem "oauth", "~> 1.1", require: false
-gem "oauth2", "~> 2.0", require: false
+gem "oauth2", "~> 1.4", require: false
 gem "oj", "~> 3.16"
 gem "outrigger", "3.0.1"
 gem "parallel", "~> 1.23", require: false

Gemfile.lock

@@ -744,13 +744,12 @@ GEM
       version_gem (~> 1.1)
     oauth-tty (1.0.5)
       version_gem (~> 1.1, >= 1.1.1)
-    oauth2 (2.0.9)
+    oauth2 (1.4.11)
       faraday (>= 0.17.3, < 3.0)
       jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 4)
-      snaky_hash (~> 2.0)
-      version_gem (~> 1.1)
     oj (3.16.1)
     once-ler (2.0.1)
       activerecord (>= 6.0, < 7.1)
@@ -1256,7 +1255,7 @@ DEPENDENCIES
   net-http (~> 0.1)
   net-ldap (~> 0.18)
   oauth (~> 1.1)
-  oauth2 (~> 2.0)
+  oauth2 (~> 1.4)
   oj (~> 3.16)
   once-ler (= 2.0.1)
   outrigger (= 3.0.1)

app/models/authentication_provider/apple.rb

@@ -73,7 +73,7 @@ class AuthenticationProvider::Apple < AuthenticationProvider::OpenIDConnect
     end
 
     user = JSON.parse(params[:user]) if params[:user]
-    id_token.merge!(user["name"].slice("firstName", "lastName")) if user && user["name"]
+    id_token.merge!(user["name"].slice("firstName", "lastName")) if user["name"]
     id_token
   end
 
@@ -81,6 +81,14 @@ class AuthenticationProvider::Apple < AuthenticationProvider::OpenIDConnect
     token
   end
 
+  def generate_authorize_url(redirect_uri, state)
+    # wtf Apple https://forums.developer.apple.com/thread/122458
+    # we _could_ update faraday, which has been fixed to deal with this as well,
+    # but that's a long rabbit whole of other gems that would need updating and
+    # have very large breaking changes, so far riskier
+    super.gsub("+", "%20")
+  end
+
   protected
 
   def authorize_url

app/models/authentication_provider/linked_in.rb

@@ -92,8 +92,8 @@ class AuthenticationProvider::LinkedIn < AuthenticationProvider::OAuth2
   def client_options
     {
       site: "https://api.linkedin.com",
-      authorize_url: "https://www.linkedin.com/oauth/v2/authorization",
+      authorize_url: "https://www.linkedin.com/uas/oauth2/authorization",
-      token_url: "https://www.linkedin.com/oauth/v2/accessToken"
+      token_url: "https://www.linkedin.com/uas/oauth2/accessToken"
     }
   end
 
@@ -108,8 +108,4 @@ class AuthenticationProvider::LinkedIn < AuthenticationProvider::OAuth2
       "r_liteprofile"
     end
   end
-
-  def token_options
-    { client_secret: }
-  end
 end

app/models/authentication_provider/oauth.rb

@@ -19,6 +19,7 @@
 #
 
 require "oauth2"
+require "canvas/core_ext/oauth2"
 
 class AuthenticationProvider::OAuth < AuthenticationProvider::Delegated
   SENSITIVE_PARAMS = [:consumer_secret].freeze

app/models/authentication_provider/oauth2.rb

@@ -19,6 +19,7 @@
 #
 
 require "oauth2"
+require "canvas/core_ext/oauth2"
 
 class OAuthValidationError < RuntimeError
 end

lib/canvas/core_ext/oauth2.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+#
+# Copyright (C) 2016 - present Instructure, Inc.
+#
+# This file is part of Canvas.
+#
+# Canvas is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, version 3 of the License.
+#
+# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+
+module Canvas::CoreExt
+  module OAuth2
+    def get_token(params, access_token_opts = {}, access_token_class = ::OAuth2::AccessToken)
+      params = ::OAuth2::Authenticator.new(id, secret, options[:auth_scheme]).apply(params)
+      opts = { raise_errors: options[:raise_errors], parse: params.delete(:parse) }
+      headers = params.delete(:headers) || {}
+      if options[:token_method] == :post
+        opts[:body] = params
+        opts[:headers] = { "Content-Type" => "application/x-www-form-urlencoded" }
+      else
+        opts[:params] = params
+        opts[:headers] = {}
+      end
+      opts[:headers].merge!(headers)
+      response = request(options[:token_method], token_url, opts)
+      # only change is on this line; Microsoft doesn't send back an access_token if you're doing a pure OpenID Connect auth
+      if options[:raise_errors] && !((response.parsed.is_a?(Hash) && response.parsed["access_token"]) || response.parsed["id_token"])
+        error = ::OAuth2::Error.new(response)
+        raise(error)
+      end
+      access_token_class.from_hash(self, response.parsed.merge(access_token_opts))
+    end
+  end
+end
+OAuth2::Client.prepend(Canvas::CoreExt::OAuth2)