better_auth-oauth-provider 0.6.2 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e9330bd8c9a574651d4170f22486e66afc7480f30c9f004f02c0dbd2d366d4e
-  data.tar.gz: 2f6022d74c0a07ce4eb1e9a8ef05558478fa798c21567b8cf6ba5284b296f5d0
+  metadata.gz: a0b02bfe381c6895d73aca8a1084ee6e540da6e5f7d4bad032729d4695932e30
+  data.tar.gz: a24ba3d9aed24d1e65d338bfd2bf1d1627f2e4f6f78e24b6d44a2a7f6a973e55
 SHA512:
-  metadata.gz: c9abcc25c88f25d6f340afa4a44a4332d9d057b8ddf956542673c8c7d5ff59b29482d86db1dc33ddb3f5c287d4ac6e8fd2cea4873120360a4fab4cde3791a95b
-  data.tar.gz: 9971e847c0c74fbd1b3493c561748a8ee0d1e04c2f3179157215cacafbc545836cb7eca139cbb6589cca2a44d4cc584ccf327253323f9a91b3caea9eb6bcc5da
+  metadata.gz: 6cebc495d6cef993a9d948b0f3bfe41706d26147b9b2f8d90b540ed4d2782ab28db1eaa23321d00ad76cb5aa36c5f41b8d74a5532cce4415e3620b0bffac8751
+  data.tar.gz: 1ee7480850340bb18bdccd9e933c3c03b15e168b33d3d3511525be5e6882473f05864d58c5d9e37559d86da906f157859e35861ca834192d35efe1e263d19c6b

data/CHANGELOG.md

@@ -2,6 +2,12 @@
 
 ## Unreleased
 
+## 0.7.0 - 2026-05-05
+
+- Fixed OAuth provider consent approval, metadata, issuer normalization, revocation persistence, and endpoint-specific rate limits for hardening parity.
+- Changed RP-initiated logout ID token validation to use the hardened HS256 ID token key; old ID tokens signed only with the public client id will no longer validate.
+- Hardened OAuth client endpoints, token exchange, introspection, userinfo, and pairwise behavior with expanded parity coverage.
+
 ## 0.3.0 - 2026-04-30
 
 - Added upstream-parity support for provider init validation, request URI resolution, prompt handling, consent reference IDs, client references, custom token/id-token claims, scope-specific access-token expiry, M2M token defaults, userinfo JWT verification, and expanded introspection fields.

data/README.md

@@ -57,6 +57,7 @@ tokens = auth.api.o_auth2_token(
 ```
 
 When `resource` is present and valid, access tokens are JWTs. Without `resource`, access tokens are opaque and introspectable.
+By default, valid JWT access-token audiences are the provider issuer URL and, when `openid` is granted, the UserInfo endpoint. Set `valid_audiences` to allow additional resource servers.
 
 ## Routes
 
@@ -105,11 +106,18 @@ Common options accepted by `BetterAuth::Plugins.oauth_provider`:
 - `allow_unauthenticated_client_registration`
 - `client_registration_default_scopes`
 - `client_registration_allowed_scopes`
+- `client_credential_grant_default_scopes`
 - `store_client_secret`
 - `prefix`
+- `code_expires_in`
+- `id_token_expires_in`
 - `refresh_token_expires_in`
+- `access_token_expires_in`
+- `m2m_access_token_expires_in`
+- `scope_expirations`
 - `advertised_metadata`
 - `valid_audiences`
+- `allow_public_client_prelogin`
 - `custom_token_response_fields`
 - `custom_access_token_claims`
 - `custom_user_info_claims`
@@ -158,7 +166,9 @@ Then drop the legacy access-token and consent columns. Rails apps using `better_
 
 ## Ruby Adaptations
 
-When the JWT plugin is registered, OIDC metadata advertises its configured `jwks.key_pair_config.alg`, defaulting to `EdDSA` like upstream. If `disable_jwt_plugin: true` is set, Ruby intentionally falls back to HS256 ID tokens signed with the Better Auth secret.
+When the JWT plugin is registered, JWT access tokens and ID tokens use the JWT plugin's configured `jwks.key_pair_config.alg`, defaulting to `EdDSA` like upstream. If the JWT plugin is not registered, or `disable_jwt_plugin: true` is set, Ruby intentionally falls back to HS256 for compatibility.
+
+Upstream `oauthProviderResourceClient` and MCP protected-resource helpers remain future API-boundary work for Ruby. This gem currently hardens authorization-server behavior only.
 
 Route OpenAPI metadata blocks from upstream TypeScript are intentionally not ported into this package. Use the Ruby `open_api` plugin for generated OpenAPI output.
 

data/lib/better_auth/oauth_provider/version.rb

@@ -2,6 +2,6 @@
 
 module BetterAuth
   module OAuthProvider
-    VERSION = "0.6.2"
+    VERSION = "0.7.0"
   end
 end

data/lib/better_auth/plugins/oauth_provider/consent.rb

@@ -6,11 +6,15 @@ module BetterAuth
 
     def oauth_consent_endpoint(config)
       Endpoint.new(path: "/oauth2/consent", method: "POST") do |ctx|
-        current_session = Routes.current_session(ctx)
+        current_session = Routes.current_session(ctx, allow_nil: true)
         body = OAuthProtocol.stringify_keys(ctx.body)
         consent = config[:store][:consents].delete(body["consent_code"].to_s)
         raise APIError.new("BAD_REQUEST", message: "invalid consent_code") unless consent
         raise APIError.new("BAD_REQUEST", message: "expired consent_code") if consent[:expires_at] <= Time.now
+        raise APIError.new("UNAUTHORIZED", message: "session required") unless current_session
+        unless current_session[:user]["id"].to_s == consent[:session][:user]["id"].to_s
+          raise APIError.new("FORBIDDEN", message: "consent session mismatch")
+        end
 
         query = consent[:query]
         if body["accept"] == false || body["accept"].to_s == "false"
@@ -24,7 +28,7 @@ module BetterAuth
           raise APIError.new("BAD_REQUEST", message: "invalid_scope")
         end
 
-        reference_id = oauth_consent_reference(config, current_session, granted_scopes) || consent[:reference_id]
+        reference_id = consent[:reference_id]
         oauth_store_consent(ctx, consent[:client], consent[:session], granted_scopes, reference_id)
         redirect = oauth_authorization_redirect(ctx, config, query, consent[:session], consent[:client], granted_scopes, reference_id: reference_id)
         ctx.json({redirectURI: redirect})
@@ -44,7 +48,8 @@ module BetterAuth
         code_challenge: query["code_challenge"],
         code_challenge_method: query["code_challenge_method"],
         nonce: query["nonce"],
-        reference_id: reference_id || client_reference_id
+        reference_id: reference_id || client_reference_id,
+        expires_in: config[:code_expires_in]
       )
       OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], code: code, state: query["state"], iss: OAuthProvider.validate_issuer_url(OAuthProtocol.issuer(ctx)))
     end

data/lib/better_auth/plugins/oauth_provider/introspect.rb

@@ -7,9 +7,11 @@ module BetterAuth
     def oauth_introspect_endpoint(config)
       Endpoint.new(path: "/oauth2/introspect", method: "POST", metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}) do |ctx|
         client = OAuthProtocol.authenticate_client!(ctx, "oauthClient", store_client_secret: config[:store_client_secret], prefix: config[:prefix])
+        client_id = OAuthProtocol.stringify_keys(client)["clientId"]
         body = OAuthProtocol.stringify_keys(ctx.body)
-        token = OAuthProtocol.find_token_by_hint(config[:store], body["token"].to_s, body["token_type_hint"], prefix: config[:prefix])
-        active = token && !token["revoked"] && (!token["expiresAt"] || token["expiresAt"] > Time.now)
+        token_value = body["token"].to_s.sub(/\ABearer\s+/i, "")
+        token = OAuthProtocol.find_token_by_hint(config[:store], token_value, body["token_type_hint"], prefix: config[:prefix])
+        active = token && token["clientId"].to_s == client_id.to_s && !token["revoked"] && (!token["expiresAt"] || token["expiresAt"] > Time.now)
         if active
           next ctx.json({
             active: true,
@@ -24,7 +26,7 @@ module BetterAuth
           })
         end
 
-        jwt = oauth_introspect_jwt_access_token(ctx, client, body["token"].to_s)
+        jwt = oauth_introspect_jwt_access_token(ctx, client, token_value)
         ctx.json(jwt || {active: false})
       end
     end
@@ -34,7 +36,7 @@ module BetterAuth
     end
 
     def oauth_introspect_jwt_access_token(ctx, client, token)
-      payload = ::JWT.decode(token, ctx.context.secret, true, algorithm: "HS256").first
+      payload = OAuthProtocol.verify_oauth_jwt(ctx, token, issuer: OAuthProvider.validate_issuer_url(OAuthProtocol.issuer(ctx)), hs256_secret: ctx.context.secret)
       client_data = OAuthProtocol.stringify_keys(client)
       return nil unless payload["azp"] == client_data["clientId"]
 

data/lib/better_auth/plugins/oauth_provider/logout.rb

@@ -19,7 +19,12 @@ module BetterAuth
         raise APIError.new("BAD_REQUEST", message: "invalid_client") if client_data["disabled"]
         raise APIError.new("UNAUTHORIZED", message: "client unable to logout") unless client_data["enableEndSession"]
 
-        payload = Crypto.verify_jwt(id_token_hint, client_data["clientId"])
+        payload = OAuthProtocol.verify_oauth_jwt(
+          ctx,
+          id_token_hint,
+          issuer: OAuthProvider.validate_issuer_url(OAuthProtocol.issuer(ctx)),
+          hs256_secret: OAuthProtocol.id_token_hs256_key(ctx, client_data["clientId"], client_data["clientSecret"])
+        )
         raise APIError.new("UNAUTHORIZED", message: "invalid id token") unless payload
         raise APIError.new("BAD_REQUEST", message: "audience mismatch") if input["client_id"] && payload["aud"] != input["client_id"]
 

data/lib/better_auth/plugins/oauth_provider/metadata.rb

@@ -11,7 +11,6 @@ module BetterAuth
           issuer: OAuthProvider.validate_issuer_url(OAuthProtocol.issuer(ctx)),
           authorization_endpoint: "#{base}/oauth2/authorize",
           token_endpoint: "#{base}/oauth2/token",
-          registration_endpoint: "#{base}/oauth2/register",
           introspection_endpoint: "#{base}/oauth2/introspect",
           revocation_endpoint: "#{base}/oauth2/revoke",
           response_types_supported: ["code"],
@@ -24,6 +23,7 @@ module BetterAuth
           authorization_response_iss_parameter_supported: true,
           scopes_supported: config.dig(:advertised_metadata, :scopes_supported) || config[:scopes]
         }
+        metadata[:registration_endpoint] = "#{base}/oauth2/register" if config[:allow_dynamic_client_registration]
         metadata[:jwks_uri] = oauth_jwks_uri(config) if oauth_jwks_uri(config)
         ctx.json(metadata, headers: oauth_metadata_headers)
       end
@@ -40,7 +40,6 @@ module BetterAuth
           issuer: OAuthProvider.validate_issuer_url(OAuthProtocol.issuer(ctx)),
           authorization_endpoint: "#{base}/oauth2/authorize",
           token_endpoint: "#{base}/oauth2/token",
-          registration_endpoint: "#{base}/oauth2/register",
           introspection_endpoint: "#{base}/oauth2/introspect",
           revocation_endpoint: "#{base}/oauth2/revoke",
           response_types_supported: ["code"],
@@ -60,6 +59,7 @@ module BetterAuth
           prompt_values_supported: oauth_prompt_values,
           claims_supported: config.dig(:advertised_metadata, :claims_supported) || config[:claims] || []
         }
+        metadata[:registration_endpoint] = "#{base}/oauth2/register" if config[:allow_dynamic_client_registration]
         metadata[:jwks_uri] = oauth_jwks_uri(config) if oauth_jwks_uri(config)
         ctx.json(metadata, headers: oauth_metadata_headers)
       end
@@ -85,6 +85,8 @@ module BetterAuth
       return ["HS256"] if config[:disable_jwt_plugin]
 
       jwt_plugin = ctx.context.options.plugins.find { |plugin| plugin.id == "jwt" }
+      return ["HS256"] unless jwt_plugin
+
       alg = config.dig(:jwt, :jwks, :key_pair_config, :alg) ||
         jwt_plugin&.options&.dig(:jwks, :key_pair_config, :alg)
       alg ? [alg] : ["EdDSA"]

data/lib/better_auth/plugins/oauth_provider/oauth_client/endpoints.rb

@@ -53,9 +53,16 @@ module BetterAuth
       end
     end
 
-    def oauth_get_client_public_prelogin_endpoint(_config)
+    def oauth_get_client_public_prelogin_endpoint(config)
       Endpoint.new(path: "/oauth2/public-client-prelogin", method: "POST") do |ctx|
         input = OAuthProtocol.stringify_keys(ctx.body).merge(OAuthProtocol.stringify_keys(ctx.query))
+        unless config[:allow_public_client_prelogin] || config[:allowPublicClientPrelogin]
+          raise APIError.new("BAD_REQUEST")
+        end
+        unless OAuthProvider::Utils.verify_oauth_query_params(input["oauth_query"], ctx.context.secret)
+          raise APIError.new("UNAUTHORIZED", body: {error: "invalid_signature"})
+        end
+
         client = OAuthProtocol.find_client(ctx, "oauthClient", input["client_id"])
         raise APIError.new("NOT_FOUND", message: "client not found") unless client
         raise APIError.new("NOT_FOUND", message: "client not found") if OAuthProtocol.stringify_keys(client)["disabled"]
@@ -101,6 +108,7 @@ module BetterAuth
         oauth_assert_owned_client!(client, session, config)
 
         update_source = OAuthProtocol.stringify_keys(body["update"] || {})
+        oauth_validate_client_update!(client, update_source, config, admin: false)
         update = oauth_client_update_data(update_source)
         updated = update.empty? ? client : ctx.context.adapter.update(model: "oauthClient", where: [{field: "clientId", value: body["client_id"]}], update: update.merge(updatedAt: Time.now))
         ctx.json(OAuthProtocol.client_response(updated, include_secret: false))
@@ -136,13 +144,15 @@ module BetterAuth
       end
     end
 
-    def oauth_admin_update_client_endpoint(_config)
+    def oauth_admin_update_client_endpoint(config)
       Endpoint.new(path: "/admin/oauth2/update-client", method: "PATCH", metadata: {server_only: true}) do |ctx|
         body = OAuthProtocol.stringify_keys(ctx.body)
         client = OAuthProtocol.find_client(ctx, "oauthClient", body["client_id"])
         raise APIError.new("NOT_FOUND", message: "client not found") unless client
 
-        update = oauth_client_update_data(OAuthProtocol.stringify_keys(body["update"] || {}), admin: true)
+        update_source = OAuthProtocol.stringify_keys(body["update"] || {})
+        oauth_validate_client_update!(client, update_source, config, admin: true)
+        update = oauth_client_update_data(update_source, admin: true)
         updated = update.empty? ? client : ctx.context.adapter.update(model: "oauthClient", where: [{field: "clientId", value: body["client_id"]}], update: update.merge(updatedAt: Time.now))
         ctx.json(OAuthProtocol.client_response(updated, include_secret: false))
       end

data/lib/better_auth/plugins/oauth_provider/oauth_client/index.rb

@@ -46,9 +46,12 @@ module BetterAuth
         update["redirectUrls"] = redirects.join(",")
       end
       update["postLogoutRedirectUris"] = Array(source["post_logout_redirect_uris"]).map(&:to_s) if source.key?("post_logout_redirect_uris")
+      update["tokenEndpointAuthMethod"] = source["token_endpoint_auth_method"] || source["tokenEndpointAuthMethod"] if admin && (source.key?("token_endpoint_auth_method") || source.key?("tokenEndpointAuthMethod"))
       update["grantTypes"] = Array(source["grant_types"]).map(&:to_s) if source.key?("grant_types")
       update["responseTypes"] = Array(source["response_types"]).map(&:to_s) if source.key?("response_types")
       update["scopes"] = OAuthProtocol.parse_scopes(source["scope"] || source["scopes"]) if source.key?("scope") || source.key?("scopes")
+      update["type"] = source["type"] if admin && source.key?("type")
+      update["public"] = !!source["public"] if admin && source.key?("public")
       update["enableEndSession"] = !!(source["enable_end_session"] || source["enableEndSession"]) if source.key?("enable_end_session") || source.key?("enableEndSession")
       update["skipConsent"] = !!(source["skip_consent"] || source["skipConsent"]) if admin && (source.key?("skip_consent") || source.key?("skipConsent"))
       update["clientSecretExpiresAt"] = source["client_secret_expires_at"] if admin && source.key?("client_secret_expires_at")
@@ -57,6 +60,41 @@ module BetterAuth
       update
     end
 
+    def oauth_validate_client_update!(client, source, config, admin:)
+      return if source.empty?
+
+      current = OAuthProtocol.stringify_keys(client)
+      source = source.except("public", "token_endpoint_auth_method", "tokenEndpointAuthMethod", "client_secret", "clientSecret", "type") unless admin
+      return if source.empty?
+
+      redirects = source.key?("redirect_uris") ? Array(source["redirect_uris"]).map(&:to_s) : OAuthProtocol.client_redirect_uris(current)
+      redirects.each { |uri| OAuthProtocol.validate_safe_url!(uri, field: "redirect_uris") }
+      if source.key?("post_logout_redirect_uris")
+        Array(source["post_logout_redirect_uris"]).map(&:to_s).each { |uri| OAuthProtocol.validate_safe_url!(uri, field: "post_logout_redirect_uris") }
+      end
+
+      auth_method = source["token_endpoint_auth_method"] || source["tokenEndpointAuthMethod"] || current["tokenEndpointAuthMethod"] || "client_secret_basic"
+      body = {
+        "token_endpoint_auth_method" => auth_method,
+        "grant_types" => source.key?("grant_types") ? Array(source["grant_types"]).map(&:to_s) : Array(current["grantTypes"]).map(&:to_s),
+        "response_types" => source.key?("response_types") ? Array(source["response_types"]).map(&:to_s) : Array(current["responseTypes"]).map(&:to_s),
+        "type" => source.key?("type") ? source["type"] : current["type"],
+        "subject_type" => source["subject_type"] || source["subjectType"] || current["subjectType"]
+      }.compact
+      OAuthProtocol.validate_client_metadata_enums!(auth_method, body)
+      OAuthProtocol.validate_admin_only_fields!(source, admin: admin)
+      OAuthProtocol.validate_client_registration!(auth_method, body["grant_types"], body["response_types"], body, unauthenticated: false, dynamic_registration: false)
+      OAuthProtocol.validate_pairwise_client!(body, redirects, config[:pairwise_secret])
+
+      return unless source.key?("scope") || source.key?("scopes")
+
+      scopes = OAuthProtocol.parse_scopes(source["scope"] || source["scopes"])
+      allowed = OAuthProtocol.parse_scopes(config[:client_registration_allowed_scopes] || config[:scopes])
+      unless allowed.empty? || scopes.all? { |scope| allowed.include?(scope) }
+        raise APIError.new("BAD_REQUEST", message: "invalid_scope")
+      end
+    end
+
     def oauth_public_client_response(client)
       data = OAuthProtocol.stringify_keys(client)
       {

data/lib/better_auth/plugins/oauth_provider/rate_limit.rb

@@ -12,7 +12,10 @@ module BetterAuth
         oauth_rate_limit_rule(rate_limit, :introspect, "/oauth2/introspect", window: 60, max: 100),
         oauth_rate_limit_rule(rate_limit, :revoke, "/oauth2/revoke", window: 60, max: 30),
         oauth_rate_limit_rule(rate_limit, :register, "/oauth2/register", window: 60, max: 5),
-        oauth_rate_limit_rule(rate_limit, :userinfo, "/oauth2/userinfo", window: 60, max: 60)
+        oauth_rate_limit_rule(rate_limit, :userinfo, "/oauth2/userinfo", window: 60, max: 60),
+        oauth_rate_limit_rule(rate_limit, :continue, "/oauth2/continue", window: 60, max: 40),
+        oauth_rate_limit_rule(rate_limit, :consent, "/oauth2/consent", window: 60, max: 40),
+        oauth_rate_limit_rule(rate_limit, :end_session, "/oauth2/end-session", window: 60, max: 30)
       ].compact
     end
 

data/lib/better_auth/plugins/oauth_provider/revoke.rb

@@ -6,7 +6,8 @@ module BetterAuth
 
     def oauth_revoke_endpoint(config)
       Endpoint.new(path: "/oauth2/revoke", method: "POST", metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}) do |ctx|
-        OAuthProtocol.authenticate_client!(ctx, "oauthClient", store_client_secret: config[:store_client_secret], prefix: config[:prefix])
+        client = OAuthProtocol.authenticate_client!(ctx, "oauthClient", store_client_secret: config[:store_client_secret], prefix: config[:prefix])
+        client_id = OAuthProtocol.stringify_keys(client)["clientId"]
         body = OAuthProtocol.stringify_keys(ctx.body)
         if body["token_type_hint"].to_s == "access_token" && OAuthProtocol.find_token_by_hint(config[:store], body["token"].to_s, "refresh_token", prefix: config[:prefix])
           raise APIError.new("BAD_REQUEST", message: "invalid_request")
@@ -14,11 +15,31 @@ module BetterAuth
         if body["token_type_hint"].to_s == "refresh_token" && OAuthProtocol.find_token_by_hint(config[:store], body["token"].to_s, "access_token", prefix: config[:prefix])
           raise APIError.new("BAD_REQUEST", message: "invalid_request")
         end
-        if (token = OAuthProtocol.find_token_by_hint(config[:store], body["token"].to_s, body["token_type_hint"], prefix: config[:prefix]))
+        if (token = OAuthProtocol.find_token_by_hint(config[:store], body["token"].to_s, body["token_type_hint"], prefix: config[:prefix])) && token["clientId"].to_s == client_id.to_s
           token["revoked"] = Time.now
+          oauth_persist_token_revocation(ctx, config, body, token)
         end
         ctx.json({revoked: true})
       end
     end
+
+    def oauth_persist_token_revocation(ctx, config, body, token)
+      return unless token["id"]
+
+      hint = body["token_type_hint"].to_s
+      token_value = body["token"].to_s
+      access_value = OAuthProtocol.strip_prefix(token_value, config[:prefix], :access_token)
+      refresh_value = OAuthProtocol.strip_prefix(token_value, config[:prefix], :refresh_token)
+      is_access = hint == "access_token" || (access_value && config[:store][:tokens][access_value].equal?(token))
+      is_refresh = hint == "refresh_token" || (refresh_value && config[:store][:refresh_tokens][refresh_value].equal?(token))
+
+      if is_access && OAuthProtocol.schema_model?(ctx, "oauthAccessToken")
+        ctx.context.adapter.update(model: "oauthAccessToken", where: [{field: "id", value: token["id"]}], update: {revoked: token["revoked"]})
+      end
+
+      if is_refresh && OAuthProtocol.schema_model?(ctx, "oauthRefreshToken")
+        ctx.context.adapter.update(model: "oauthRefreshToken", where: [{field: "id", value: token["id"]}], update: {revoked: token["revoked"]})
+      end
+    end
   end
 end

data/lib/better_auth/plugins/oauth_provider/token.rb

@@ -12,8 +12,6 @@ module BetterAuth
         if client_grants.any? && !client_grants.include?(body["grant_type"].to_s)
           raise APIError.new("BAD_REQUEST", message: "unsupported_grant_type")
         end
-        audience = oauth_validate_resource!(ctx, config, body)
-
         response = case body["grant_type"]
         when OAuthProtocol::AUTH_CODE_GRANT
           code = OAuthProtocol.consume_code!(
@@ -23,6 +21,7 @@ module BetterAuth
             redirect_uri: body["redirect_uri"],
             code_verifier: body["code_verifier"]
           )
+          audience = oauth_validate_resource!(ctx, config, body, code[:scopes])
           OAuthProtocol.issue_tokens(
             ctx,
             config[:store],
@@ -35,12 +34,14 @@ module BetterAuth
             prefix: config[:prefix],
             refresh_token_expires_in: config[:refresh_token_expires_in],
             access_token_expires_in: oauth_access_token_expires_in(config, code[:scopes], machine: false),
+            id_token_expires_in: config[:id_token_expires_in],
             audience: audience,
             grant_type: OAuthProtocol::AUTH_CODE_GRANT,
             custom_token_response_fields: config[:custom_token_response_fields],
             custom_access_token_claims: config[:custom_access_token_claims],
             custom_id_token_claims: config[:custom_id_token_claims],
             jwt_access_token: oauth_jwt_access_token?(config, audience),
+            use_jwt_plugin: !config[:disable_jwt_plugin],
             pairwise_secret: config[:pairwise_secret],
             nonce: code[:nonce],
             auth_time: code[:auth_time],
@@ -49,17 +50,28 @@ module BetterAuth
           )
         when OAuthProtocol::CLIENT_CREDENTIALS_GRANT
           requested = OAuthProtocol.parse_scopes(body["scope"])
-          allowed = OAuthProtocol.parse_scopes(OAuthProtocol.stringify_keys(client)["scopes"] || config[:scopes])
+          oidc_scopes = %w[openid profile email offline_access]
+          unless (requested & oidc_scopes).empty?
+            raise APIError.new("BAD_REQUEST", message: "invalid_scope")
+          end
+          client_data = OAuthProtocol.stringify_keys(client)
+          allowed = if client_data.key?("scopes") && !client_data["scopes"].nil?
+            OAuthProtocol.parse_scopes(client_data["scopes"])
+          else
+            OAuthProtocol.parse_scopes(config[:client_credential_grant_default_scopes] || config[:scopes])
+          end
           requested = allowed if requested.empty?
           unless requested.all? { |scope| allowed.include?(scope) }
             raise APIError.new("BAD_REQUEST", message: "invalid_scope")
           end
 
-          OAuthProtocol.issue_tokens(ctx, config[:store], model: "oauthAccessToken", client: client, session: {"user" => {}, "session" => {}}, scopes: requested, include_refresh: false, issuer: OAuthProtocol.issuer(ctx), prefix: config[:prefix], audience: audience, grant_type: OAuthProtocol::CLIENT_CREDENTIALS_GRANT, custom_token_response_fields: config[:custom_token_response_fields], custom_access_token_claims: config[:custom_access_token_claims], custom_id_token_claims: config[:custom_id_token_claims], jwt_access_token: oauth_jwt_access_token?(config, audience), pairwise_secret: config[:pairwise_secret], access_token_expires_in: oauth_access_token_expires_in(config, requested, machine: true), filter_id_token_claims_by_scope: true)
+          audience = oauth_validate_resource!(ctx, config, body, requested)
+          OAuthProtocol.issue_tokens(ctx, config[:store], model: "oauthAccessToken", client: client, session: {"user" => {}, "session" => {}}, scopes: requested, include_refresh: false, issuer: OAuthProvider.validate_issuer_url(OAuthProtocol.issuer(ctx)), prefix: config[:prefix], audience: audience, grant_type: OAuthProtocol::CLIENT_CREDENTIALS_GRANT, custom_token_response_fields: config[:custom_token_response_fields], custom_access_token_claims: config[:custom_access_token_claims], custom_id_token_claims: config[:custom_id_token_claims], jwt_access_token: oauth_jwt_access_token?(config, audience), use_jwt_plugin: !config[:disable_jwt_plugin], pairwise_secret: config[:pairwise_secret], access_token_expires_in: oauth_access_token_expires_in(config, requested, machine: true), id_token_expires_in: config[:id_token_expires_in], filter_id_token_claims_by_scope: true)
         when OAuthProtocol::REFRESH_GRANT
           refresh_record = OAuthProtocol.find_token_by_hint(config[:store], body["refresh_token"].to_s, "refresh_token", prefix: config[:prefix])
           refresh_scopes = OAuthProtocol.parse_scopes(body["scope"] || refresh_record&.fetch("scopes", nil))
-          OAuthProtocol.refresh_tokens(ctx, config[:store], model: "oauthAccessToken", client: client, refresh_token: body["refresh_token"], scopes: body["scope"], issuer: OAuthProtocol.issuer(ctx), prefix: config[:prefix], refresh_token_expires_in: config[:refresh_token_expires_in], audience: audience, custom_token_response_fields: config[:custom_token_response_fields], custom_access_token_claims: config[:custom_access_token_claims], custom_id_token_claims: config[:custom_id_token_claims], jwt_access_token: oauth_jwt_access_token?(config, audience), pairwise_secret: config[:pairwise_secret], access_token_expires_in: oauth_access_token_expires_in(config, refresh_scopes, machine: false), filter_id_token_claims_by_scope: true)
+          audience = oauth_validate_resource!(ctx, config, body, refresh_scopes)
+          OAuthProtocol.refresh_tokens(ctx, config[:store], model: "oauthAccessToken", client: client, refresh_token: body["refresh_token"], scopes: body["scope"], issuer: OAuthProvider.validate_issuer_url(OAuthProtocol.issuer(ctx)), prefix: config[:prefix], refresh_token_expires_in: config[:refresh_token_expires_in], audience: audience, custom_token_response_fields: config[:custom_token_response_fields], custom_access_token_claims: config[:custom_access_token_claims], custom_id_token_claims: config[:custom_id_token_claims], jwt_access_token: oauth_jwt_access_token?(config, audience), use_jwt_plugin: !config[:disable_jwt_plugin], pairwise_secret: config[:pairwise_secret], access_token_expires_in: oauth_access_token_expires_in(config, refresh_scopes, machine: false), id_token_expires_in: config[:id_token_expires_in], filter_id_token_claims_by_scope: true)
         else
           raise APIError.new("BAD_REQUEST", message: "unsupported_grant_type")
         end
@@ -67,17 +79,21 @@ module BetterAuth
       end
     end
 
-    def oauth_validate_resource!(ctx, config, body)
+    def oauth_validate_resource!(ctx, config, body, scopes)
       resources = Array(body["resource"]).compact.map(&:to_s)
       return nil if resources.empty?
 
+      userinfo_audience = "#{OAuthProtocol.endpoint_base(ctx)}/oauth2/userinfo"
+      requested = resources.dup
+      requested << userinfo_audience if OAuthProtocol.parse_scopes(scopes).include?("openid") && !requested.include?(userinfo_audience)
       valid = Array(config[:valid_audiences]).map(&:to_s)
-      return (resources.length == 1) ? resources.first : resources if valid.empty?
+      valid = [OAuthProvider.validate_issuer_url(OAuthProtocol.issuer(ctx))] if valid.empty?
+      valid << userinfo_audience if OAuthProtocol.parse_scopes(scopes).include?("openid") && !valid.include?(userinfo_audience)
 
-      resources.each do |resource|
+      requested.each do |resource|
         raise APIError.new("BAD_REQUEST", message: "requested resource invalid") unless valid.include?(resource)
       end
-      (resources.length == 1) ? resources.first : resources
+      (requested.length == 1) ? requested.first : requested
     end
 
     def oauth_access_token_expires_in(config, scopes, machine:)

data/lib/better_auth/plugins/oauth_provider/userinfo.rb

@@ -6,7 +6,7 @@ module BetterAuth
 
     def oauth_userinfo_endpoint(config)
       Endpoint.new(path: "/oauth2/userinfo", method: "GET") do |ctx|
-        ctx.json(OAuthProtocol.userinfo(config[:store], ctx.headers["authorization"], additional_claim: config[:custom_user_info_claims] || config[:additional_claim], prefix: config[:prefix], jwt_secret: ctx.context.secret))
+        ctx.json(OAuthProtocol.userinfo(config[:store], ctx.headers["authorization"], additional_claim: config[:custom_user_info_claims] || config[:additional_claim], prefix: config[:prefix], jwt_secret: ctx.context.secret, ctx: ctx, issuer: OAuthProvider.validate_issuer_url(OAuthProtocol.issuer(ctx))))
       end
     end
   end

data/lib/better_auth/plugins/oauth_provider.rb

@@ -50,9 +50,12 @@ module BetterAuth
         post_login: {},
         store_client_secret: "plain",
         prefix: {},
+        code_expires_in: 600,
+        id_token_expires_in: 36_000,
         refresh_token_expires_in: 2_592_000,
         access_token_expires_in: 3600,
         m2m_access_token_expires_in: 3600,
+        client_credential_grant_default_scopes: nil,
         scope_expirations: {},
         store: OAuthProtocol.stores
       }.merge(normalize_hash(options))

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-oauth-provider
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.7.0
 platform: ruby
 authors:
 - Sebastian Sala