RubyGems - doorkeeper-openid_connect - Versions diffs - 1.9.0 → 1.10.0 - Mend

doorkeeper-openid_connect 1.9.0 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b43afb85064c2b12a0837aec166ab720b352813fec7004dfce38cfc0b4338fc6
-  data.tar.gz: de24da5d37377dadf9cb2bffcdf15c2b725075327efe301e0a1c907748ced3b8
+  metadata.gz: 1b09f0d036559583b3db8dd63e6e35452e5f9c42c90ce098ab263c1817016994
+  data.tar.gz: f9c9584568d90c9d351a347d435ba471d8e798aa42c9ac28edebefcd59d33c1a
 SHA512:
-  metadata.gz: 0e9c242e0e9dbf48500810be186040b6cdc4afdb564196453a005ae420b9f61e6b104afcfeb1e71be2f9d1356ccca8ec1265a1e8dfdd12a0e796a9d8d19d532e
-  data.tar.gz: b4832c67b7f870e9fa5b7745c5e1ddfd0ded602b0ca2f2cb9a351d4542f88b6e95b230c91cd24332ac6c6e6109035e589062db9c8a03faedf991a44a6ab7ddea
+  metadata.gz: a5a7f986bd19adcc2f3b4a03467d6052e32722f06162446b5ba944a8b905a111aa27528ccfc827e493382e95ab9dc89834a4ee483895951883291bda1387db81
+  data.tar.gz: c9fc3444e391e9b971bd193b18f388dafa47c5f5d6188d055fad2f524f9c8d6ceb67929a6b2ab5179ab50ff3c854e8d4883c9f6a43b9cd650cceba97a2e4dee2

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,46 @@
 - Please add here
+## v1.10.0 (2026-06-01)
+- [#241] Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see [Doorkeeper PR](https://github.com/doorkeeper-gem/doorkeeper/pull/1804))
+- [#242] Fix `NoMethodError` for openid_request in testing environments.
+- [#246] Fix `at_hash` to use correct hash algorithm based on `signing_algorithm`
+- [#250] Return configured `issuer` instead of `root_url` in WebFinger response (thanks to @sato11 for the original work in #172)
+- [#248] Fix `max_age` always triggering reauthentication when `auth_time_from_resource_owner` returns Integer
+- [#254] **Breaking:** Omit `expires_in` from the `response_type=id_token` response (OIDC Core §3.2.2.5 — `expires_in` represents the Access Token lifetime; it is still returned for `response_type=id_token token`)
+- [#252] Treat `auth_time_from_resource_owner` as optional in `IdToken` — omit `auth_time` claim when unconfigured instead of raising `InvalidConfiguration`
+- [#256] Accept non-callable values (symbol / string) for the `protocol` config option, matching the pattern used by `issuer` / `signing_algorithm` / `signing_key` / `expiration`
+- [#258] Skip `IdToken` construction on password grants without the `openid` scope
+- [#259] Skip `IdToken` construction on authorization code grants without the `openid` scope
+- [#261] Fix obsolete RuboCop configuration (`require:` → `plugins:`, `RSpec/FilePath` split, remove `Capybara/FeatureMethods`)
+- [#263] **Security/Breaking:** Determine dynamically registered client's `confidential` flag from `token_endpoint_auth_method` per RFC 7591 — previously every dynamically registered client was created as public (`confidential: false`), which let callers authenticate with only `client_id` (`by_uid_and_secret(uid, nil)` bypass). Default is now `client_secret_basic` (confidential); `none` produces a public client; unsupported values (e.g. `private_key_jwt`) are rejected with `invalid_client_metadata`. Also derive `token_endpoint_auth_methods_supported` in the response from `Doorkeeper.configuration.client_credentials_methods` instead of a hardcoded list, matching #236
+- [#264] Apply safe RuboCop autocorrections and fix resulting artifacts
+- [#265] Add Dynamic Client Registration section to README
+- [#266] Validate `application_type`, `response_types`, and `grant_types` parameters in dynamic client registration per RFC 7591 — reject unsupported values with `invalid_client_metadata` and echo the requested values back in the registration response, instead of silently ignoring them and returning the server's global configuration
+- [#267] Add `authorize_dynamic_client_registration` config option to gate the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a callable, the block is evaluated in the controller scope (with access to `request`, `params`, `request.headers`, etc.) and falsy return values reject the request with `401 invalid_token`. Default is `nil` so the endpoint remains open for backward compatibility; consumers should configure this to validate an Initial Access Token (or any other authorization scheme) before allowing client registration
+- [#268] Update Dynamic Client Registration README for validated metadata parameters
+- [#269] Document `authorize_dynamic_client_registration` in README
+- [#270] Document the unified issuer block signature in README
+- [#278] Test against Ruby 4.0.
+- [#271] **Security:** Add `auth_time_from_session` config for per-session `max_age` enforcement. The legacy `auth_time_from_resource_owner` cannot distinguish between concurrent sessions and is now deprecated for `max_age` use (see [#150](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/150))
+- [#272] Document `auth_time_from_session` in README (follow-up to [#271](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/271))
+- [#273] **Security/Hardening:** Merge framework-controlled registered claims last — `iss`/`sub`/`aud`/`exp`/`iat`/`nonce`/`auth_time` for the ID Token and `sub` for UserInfo — so a custom claim block can no longer override security-critical values. No legitimate configuration relied on this; custom claims that intentionally shadowed a registered claim name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).
+- [#276] Get RuboCop to zero offenses: fix `Lint/MissingSuper` in `IdTokenResponse`, replace `puts` with `warn` for deprecation notices, and modernise spec style
+- [#277] Fix README inaccuracies (`signing_algorithm` description and link, `discovery_url_options` endpoint list, `oauth-authorization-server` route) and use constant-time comparison in the DCR authorization example to prevent timing attacks on the Initial Access Token
+- [#279] Return `account_selection_required` when a `prompt=select_account` handler does not generate a response, per [OIDC Core 1.0 §3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthError) — previously the authorization silently continued without account selection. Adds the missing `Errors::AccountSelectionRequired` class, mirroring the existing `login_required` backstop for `reauthenticate_resource_owner`
+- [#275] Return `login_required` for `max_age` reauthentication when `prompt=none`, instead of triggering the interactive `reauthenticate_resource_owner` flow (OIDC Core §3.1.2.1)
+- [#284] Document `acr` / `amr` claims in README — show how to expose Authentication Context Class Reference and Authentication Methods References via the `claim` DSL, with callouts for the `response:` and `scope:` defaults that silently bite
+- [#288] Document `offline_access` scope recipe in README — show how to wire `use_refresh_token` with scope-based filtering for OIDC offline access
+- [#281] Fix `NoMethodError` / `DoubleRenderError` when `resource_owner_authenticator` redirects with a truthy non-model value (e.g. `current_user || redirect_to(login_url)`). Normalize the leaked value to `nil` when `performed?` and add missing `if owner` guard on `select_account`.
+- [#285] Document custom `jwks_uri` path pattern in README — show how to advertise a non-default path in the discovery document using Rails' `direct` URL helper
+- [#283] Support multiple signing keys in the JWKS response — `signing_key` now also accepts an array (and callables returning an array). The first entry is the active key used to sign new ID tokens; the remaining entries are published in the JWKS so clients can still validate tokens signed with a retired key during a rotation window. Single-value and callable forms continue to work unchanged
+- [#286] Allow claims to be assigned to multiple scopes via `scope: [:profile, :all_data]` — the claim is returned whenever the access token grants any of the listed scopes. **Note:** the previously implicit `Claim#scope=` writer (from `attr_accessor :scope`) is no longer provided; rebuild the claim instead of mutating it
+- [#287] Add `apply_prompt_to_non_oidc_requests` option to honor the `prompt` parameter on plain OAuth requests that do not include the `openid` scope
+- [#282] Allow `prompt=none` reauthorization with a narrower subset of previously-granted scopes (issue #63). Per RFC 6749 §1.5, narrower-or-equal scopes do not require fresh user consent; previously these requests returned `consent_required`.
+- [#290] Freeze `Claim#scopes` and `Claim#response` arrays at construction so callers can't accidentally mutate the claim's internal state from outside
+- [#297] Fix the generated initializer's `issuer` example referencing an undefined `request` local (the block parameter is `_request`), which raised `NameError` when copied verbatim
 ## v1.9.0 (2026-03-16)
 - [#229] Allow to application manage signing key and algorithm

data/README.md CHANGED Viewed

@@ -4,8 +4,6 @@
 [![Maintainability](https://qlty.sh/gh/doorkeeper-gem/projects/doorkeeper-openid_connect/maintainability.svg)](https://qlty.sh/gh/doorkeeper-gem/projects/doorkeeper-openid_connect)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
-#### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
 This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
 OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).
@@ -22,6 +20,7 @@ OpenID Connect is a single-sign-on and identity layer with a [growing list of se
   - [Routes](#routes)
   - [Nonces](#nonces)
   - [Internationalization (I18n)](#internationalization-i18n)
+  - [Dynamic Client Registration](#dynamic-client-registration)
 - [Development](#development)
 - [License](#license)
 - [Sponsors](#sponsors)
@@ -35,8 +34,9 @@ The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-
 - [UserInfo Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
 - [Normal Claims](http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims)
 - [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
+- [OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591)
-In addition we also support most of [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html) for automatic configuration discovery.
+In addition, we also support most of [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html) for automatic configuration discovery.
 Take a look at the [DiscoveryController](app/controllers/doorkeeper/openid_connect/discovery_controller.rb) for more details on supported features.
@@ -72,7 +72,8 @@ rails generate doorkeeper:openid_connect:migration
 rake db:migrate
 ```
-If you're upgrading from an earlier version, check [CHANGELOG.md](CHANGELOG.md) for upgrade instructions.
+If you're upgrading from an earlier version, check [Migration from old versions](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/wiki/Migration%E2%80%90from%E2%80%90old%E2%80%90versions)
+wiki and [CHANGELOG.md](CHANGELOG.md) for upgrade instructions.
 ## Configuration
@@ -104,7 +105,19 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
 - `issuer`
   - Identifier for the issuer of the response (i.e. your application URL). The value is a case sensitive URL using the `https` scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
-  - You can either pass a string value, or a block to generate the issuer dynamically based on the `resource_owner` and `application` or [request](app/controllers/doorkeeper/openid_connect/discovery_controller.rb#L123) passed to the block.
+  - You can either pass a string value, or a block to generate the issuer dynamically. The block receives `resource_owner`, `application`, and `request` so that the same configuration can serve both ID token issuance (where `resource_owner` and `application` are available) and the discovery endpoint (where only `request` is available):
+    ```ruby
+    # config/initializers/doorkeeper_openid_connect.rb
+    Doorkeeper::OpenidConnect.configure do
+      # ...
+      issuer do |resource_owner, application, request|
+        request&.base_url || "https://default.example.com"
+      end
+    end
+    ```
+  - For backward compatibility, blocks with arity 0, 1, or 2 are also accepted. An arity-1 block receives `request` from the discovery endpoint and `resource_owner` from the ID token context, while an arity-2 block always receives `resource_owner` and `application`.
 - `subject`
   - Identifier for the resource owner (i.e. the authenticated user). A locally unique and never reassigned identifier within the issuer for the end-user, which is intended to be consumed by the client. The value is a case-sensitive string and must not exceed 255 ASCII characters in length.
   - The database ID of the user is an acceptable choice if you don't mind leaking that information.
@@ -128,15 +141,45 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
   - You can generate a private key with the `openssl` command, see e.g. [Generate an RSA keypair using OpenSSL](https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL).
   - You should not commit the key to your repository, but use an external file (in combination with `File.read`) and/or the [dotenv-rails](https://github.com/bkeepers/dotenv) gem (in combination with `ENV[...]`).
 - `signing_algorithm`
-  - The encryption type of the private key which defaults to `:rs256`. The list of supported algorithms can be found [here](https://github.com/nov/json-jwt/wiki/JWE#supported-algorithms)
+  - The signing algorithm used for the ID token, which defaults to `:rs256`. The list of supported algorithms can be found [here](https://github.com/jwt/ruby-jwt#algorithms-and-usage)
 - `resource_owner_from_access_token`
   - Defines how to translate the Doorkeeper access token to a resource owner model.
+> [!Note]
+> Both `signing_key` and `signing_algorithm` also accept callable objects (e.g. a lambda), which are evaluated on each call — useful for multi-tenant setups where the key or algorithm varies per request:
+>
+> ```ruby
+> signing_key -> { current_tenant.private_key }
+> signing_algorithm -> { current_tenant.algorithm }
+> ```
+> [!Note]
+> `signing_key` also accepts an array for key rotation. The first entry is the active key used to sign newly issued ID tokens; the remaining entries are still published in the JWKS so clients can validate tokens signed with a retired key during a rotation window. Callable forms returning an array are also supported.
+>
+> ```ruby
+> signing_key [
+>   File.read("config/keys/current.pem"),  # active, signs new tokens
+>   File.read("config/keys/previous.pem"), # retired, exposed in JWKS only
+> ]
+> ```
 The following settings are optional, but recommended for better client compatibility:
 - `auth_time_from_resource_owner`
   - Returns the time of the user's last login, this can be a `Time`, `DateTime`, or any other class that responds to `to_i`
-  - Required to support the `max_age` parameter and the `auth_time` claim.
+  - Used to populate the `auth_time` claim on the ID Token.
+  - Used as a fallback for `max_age` enforcement when `auth_time_from_session` is not configured. **Note:** for multi-session deployments this is insecure (it returns the most recent login on _any_ device), and emits a deprecation warning — prefer `auth_time_from_session` below.
+- `auth_time_from_session`
+  - Returns the time the user authenticated for the *current* session. Required for correct `max_age` enforcement when the same user can hold multiple concurrent sessions (e.g. PC + smartphone) — `auth_time_from_resource_owner` cannot distinguish between sessions and would let a stale session inherit a fresh login from another device.
+  - The block is executed in the controller's scope and receives `(session, request)`. Return value can be a `Time`, `DateTime`, or anything responding to `to_i`. Return `nil` to force reauthentication.
+    ```ruby
+    # Example: capture auth_time on the session at login,
+    # and surface it here for the OIDC max_age check.
+    auth_time_from_session do |session, _request|
+      session[:auth_time]
+    end
+    ```
 - `reauthenticate_resource_owner`
   - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
   - Required to support the `max_age` and `prompt=login` parameters.
@@ -177,7 +220,7 @@ The following settings are optional:
 - `discovery_url_options`
   - The URL options for every available endpoint to use when generating the endpoint URL in the
     discovery response. Available endpoints: `authorization`, `token`, `revocation`,
-    `introspection`, `userinfo`, `jwks`, `webfinger`.
+    `introspection`, `userinfo`, `jwks`, `dynamic_client_registration`.
   - This option requires option keys with an available endpoint and
     [URL options](https://api.rubyonrails.org/v6.0.3.3/classes/ActionDispatch/Routing/UrlFor.html#method-i-url_for)
     as value.
@@ -203,6 +246,20 @@ The following settings are optional:
     end
     ```
+- `apply_prompt_to_non_oidc_requests`
+  - Whether to honor the `prompt` authorization parameter (`none`, `login`, `consent`, `select_account`) on plain OAuth requests that do not include the `openid` scope.
+  - Defaults to `false`, which preserves the historical behavior of silently ignoring `prompt` outside of OIDC requests.
+  - `max_age` enforcement remains OIDC-only regardless of this option, since it is defined by OIDC Core.
+    ```ruby
+    # config/initializers/doorkeeper_openid_connect.rb
+    Doorkeeper::OpenidConnect.configure do
+      # ...
+      apply_prompt_to_non_oidc_requests true
+      # ...
+    end
+    ```
 ### Scopes
 To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.
@@ -211,6 +268,24 @@ To perform authentication over OpenID Connect, an OAuth client needs to request
 >
 > See [Using Scopes](https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes) in the Doorkeeper wiki for more information.
+#### `offline_access`
+Per [OIDC Core §11](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess), the `offline_access` scope signals that the client wants a refresh token so it can access the user's resources while the user is offline. Doorkeeper's existing `use_refresh_token` block already covers the basic flow — issue a refresh token only when the client actually asked for `offline_access`:
+```ruby
+# config/initializers/doorkeeper.rb
+Doorkeeper.configure do
+  optional_scopes :openid, :offline_access
+  # Issue a refresh token only when the client requests offline_access
+  use_refresh_token do |context|
+    context.scopes.exists?("offline_access")
+  end
+end
+```
+> **Note:** This does not automatically enforce [OIDC Core §11](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)'s strict requirements — for example, the OP MUST ignore `offline_access` unless `prompt=consent` is present and `response_type` returns an Authorization Code. If you need that level of enforcement, filter the scope in your `use_refresh_token` block or authorization controller override.
 ### Claims
 Claims can be defined in a `claims` block inside `config/initializers/doorkeeper_openid_connect.rb`:
@@ -249,6 +324,48 @@ By default all custom claims are only returned from the `UserInfo` endpoint and
 You can also pass a `scope:` keyword argument on each claim to specify which OAuth scope should be required to access the claim. If you define any of the defined [Standard Claims](http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) they will by default use their [corresponding scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) (`profile`, `email`, `address` and `phone`), and any other claims will by default use the `profile` scope. Again, to use any of these scopes you need to enable them as described above.
+You can also pass an array of scopes, in which case the claim is returned whenever the access token grants any of the listed scopes. This is useful when you want to expose the same claim under both a standard scope and an aggregate scope:
+``` ruby
+claim :given_name, scope: [:profile, :all_data] do |user|
+  user.first_name
+end
+claim :email, scope: [:email, :all_data] do |user|
+  user.email
+end
+```
+#### Authentication Context (`acr`) and Methods (`amr`)
+The `claim` DSL also handles standard top-level ID Token claims such as [`acr`](http://openid.net/specs/openid-connect-core-1_0.html#IDToken) (Authentication Context Class Reference) and [`amr`](https://www.rfc-editor.org/rfc/rfc8176) (Authentication Methods References) — commonly used to expose MFA status to clients:
+```ruby
+claims do
+  claim :acr, response: [:id_token, :user_info], scope: :openid do |resource_owner|
+    # Single string — e.g. a URI like "urn:mace:incommon:iap:silver",
+    # or a numeric Level of Assurance "1".."4" per ISO/IEC 29115.
+    resource_owner.mfa_enabled? ? "2" : "1"
+  end
+  claim :amr, response: [:id_token, :user_info], scope: :openid do |resource_owner|
+    # Array of strings, per RFC 8176.
+    methods = ["pwd"]
+    methods << "mfa" if resource_owner.mfa_enabled?
+    methods << "otp" if resource_owner.last_login_used_totp?
+    methods
+  end
+end
+```
+Two defaults are worth calling out because they bite silently:
+- **`response: [:id_token, :user_info]`** — custom claims default to UserInfo only, but relying parties usually expect `acr` / `amr` on the ID Token.
+- **`scope: :openid`** — without it, non-standard claims fall back to the `profile` scope and disappear for clients that only requested `openid`.
+Claim names you declare here are automatically advertised under `claims_supported` in the discovery document. The list of advertised `acr` values (`acr_values_supported`) is not currently generated.
 ### Routes
 The installation generator will update your `config/routes.rb` to define all required routes:
@@ -267,11 +384,36 @@ GET   /oauth/userinfo
 POST  /oauth/userinfo
 GET   /oauth/discovery/keys
 GET   /.well-known/openid-configuration
+GET   /.well-known/oauth-authorization-server
 GET   /.well-known/webfinger
 ```
 With the exception of the hard-coded `/.well-known` paths (see [RFC 5785](https://tools.ietf.org/html/rfc5785)) you can customize routes in the same way as with Doorkeeper, please refer to [this page on their wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes#version--05-1).
+#### Customizing the `jwks_uri` path in the discovery document
+[`discovery_url_options`](#configuration) lets you tweak the host, protocol, or port of the published `jwks_uri`, but not the path itself. To advertise a custom path — while keeping `/oauth/discovery/keys` working for existing clients during a rollover — mount the discovery controller at the new path and re-point the `oauth_discovery_keys_url` helper at it via [`direct`](https://api.rubyonrails.org/classes/ActionDispatch/Routing/Mapper/CustomUrlHelpers.html#method-i-direct):
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  use_doorkeeper_openid_connect
+  # 1. Mount the custom path under a non-conflicting helper name
+  get "/-/jwks",
+      to: "doorkeeper/openid_connect/discovery#keys",
+      as: :custom_jwks
+  # 2. Re-point oauth_discovery_keys_url at the new path
+  direct(:oauth_discovery_keys) { |opts| custom_jwks_url(opts) }
+end
+```
+After this, `.well-known/openid-configuration` returns `"jwks_uri": "https://example.com/-/jwks"`, and the original `/oauth/discovery/keys` route still responds (handy during a rollover).
+> [!Note]
+> A naive `match "/-/jwks", ..., as: :oauth_discovery_keys` won't work — Rails has refused to reuse a route name [since 4.0](https://github.com/rails/rails/commit/a2b7c0e69d) and raises `ArgumentError: Invalid route name, already in use: 'oauth_discovery_keys'`. The `direct` helper sidesteps this by overriding the URL helper itself rather than re-declaring the route name.
 ### Nonces
 To support clients who send nonces you have to tweak Doorkeeper's authorization view so the parameter is passed on.
@@ -309,6 +451,67 @@ Then tweak the template as follows:
 We use Rails locale files for error messages and scope descriptions, see [config/locales/en.yml](config/locales/en.yml). You can override these by adding them to your own translations in `config/locale`.
+### Dynamic Client Registration
+This gem supports [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) based on [RFC 7591](https://www.rfc-editor.org/rfc/rfc7591).
+To enable dynamic client registration, add the following to `config/initializers/doorkeeper_openid_connect.rb`:
+```ruby
+Doorkeeper::OpenidConnect.configure do
+  # ...
+  dynamic_client_registration true
+  # ...
+end
+```
+This exposes a `POST /oauth/registration` endpoint where OAuth clients can register themselves.
+#### Supported parameters
+The registration endpoint currently accepts the following [RFC 7591 §2](https://www.rfc-editor.org/rfc/rfc7591#section-2) parameters:
+| Parameter | Description |
+| --- | --- |
+| `client_name` | Human-readable name of the client |
+| `redirect_uris` | Array of redirection URIs |
+| `scope` | Space-delimited list of requested scopes |
+| `token_endpoint_auth_method` | Requested authentication method. Defaults to `client_secret_basic`. `none` is always allowed (and registers a public client); other allowed values depend on the host application's Doorkeeper `client_credentials_methods` configuration. Unsupported values are rejected with `invalid_client_metadata`. |
+| `application_type` | Client type: `web` (default) or `native`, per [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html). Unsupported values are rejected with `invalid_client_metadata`. |
+| `response_types` | Array of OAuth 2.0 response types the client will use (e.g. `["code"]`). Must be a subset of the server's supported response types. Defaults to the server's full set when omitted. |
+| `grant_types` | Array of OAuth 2.0 grant types the client will use (e.g. `["authorization_code"]`). Must be a subset of the server's supported grant types. Defaults to the server's full set when omitted. |
+When `token_endpoint_auth_method` is set to `none`, the client is registered as **public** (i.e. `confidential: false`). For all other values — or when the parameter is omitted — the client is registered as **confidential**, matching the RFC 7591 default of `client_secret_basic`.
+Other RFC 7591 parameters (e.g. `client_uri`, `logo_uri`, `contacts`) require schema additions to `oauth_applications` and are not yet supported.
+#### Authorization
+By default, the registration endpoint is open to any request. To require authorization (e.g. an Initial Access Token per [RFC 7591 §3.1](https://www.rfc-editor.org/rfc/rfc7591#section-3.1)), configure `authorize_dynamic_client_registration`:
+```ruby
+Doorkeeper::OpenidConnect.configure do
+  # ...
+  dynamic_client_registration true
+  authorize_dynamic_client_registration do
+    provided = request.headers["Authorization"].to_s
+    expected = "Bearer #{ENV['DCR_INITIAL_ACCESS_TOKEN']}"
+    # Use a constant-time comparison to avoid leaking the token via timing.
+    # Digesting first keeps the comparison fixed-length so the token's length
+    # isn't leaked either.
+    ActiveSupport::SecurityUtils.secure_compare(
+      Digest::SHA256.hexdigest(provided),
+      Digest::SHA256.hexdigest(expected),
+    )
+  end
+  # ...
+end
+```
+The block is evaluated in the controller scope (with access to `request`, `params`, `request.headers`, etc.). Return a truthy value to allow the request, or a falsy value to reject it with `401 invalid_token`.
+When not configured (default), the endpoint remains open for backward compatibility.
 ## Development
 Run `bundle install` to setup all development dependencies.
@@ -334,7 +537,7 @@ bundle exec rake server
 By default, the latest Rails version is used. To use a specific version run:
 ```
-rails=4.2.0 bundle update
+rails=7.2 bundle update
 ```
 ## License

data/app/controllers/concerns/doorkeeper/openid_connect/authorizations_extension.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Doorkeeper
   module OpenidConnect
     module AuthorizationsExtension
@@ -9,4 +11,3 @@ module Doorkeeper
     end
   end
 end

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb CHANGED Viewed

@@ -5,8 +5,9 @@ module Doorkeeper
     class DiscoveryController < ::Doorkeeper::ApplicationMetalController
       include Doorkeeper::Helpers::Controller
       include GrantTypesSupportedMixin
+      include TokenEndpointAuthMethodsSupportedMixin
-      WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
+      WEBFINGER_RELATION = "http://openid.net/specs/connect/1.0/issuer"
       def provider
         render json: provider_response
@@ -47,7 +48,7 @@ module Doorkeeper
           # TODO: look into doorkeeper-jwt_assertion for these
           #  'client_secret_jwt',
           #  'private_key_jwt'
-          token_endpoint_auth_methods_supported: token_endpoint_auth_methods_supported(doorkeeper),
+          token_endpoint_auth_methods_supported: token_endpoint_auth_methods_supported,
           subject_types_supported: openid_connect.subject_types_supported,
@@ -56,7 +57,7 @@ module Doorkeeper
           ],
           claim_types_supported: [
-            'normal',
+            "normal",
             # TODO: support these
             # 'aggregated',
@@ -79,11 +80,6 @@ module Doorkeeper
         doorkeeper.authorization_response_flows.flat_map(&:response_mode_matches).uniq
       end
-      def token_endpoint_auth_methods_supported(doorkeeper)
-        mapping = { from_basic: 'client_secret_basic', from_params: 'client_secret_post' }
-        doorkeeper.client_credentials_methods.filter_map { |method| mapping[method] }
-      end
       def code_challenge_methods_supported(doorkeeper)
         return unless doorkeeper.access_grant_model.pkce_supported?
@@ -96,27 +92,19 @@ module Doorkeeper
           links: [
             {
               rel: WEBFINGER_RELATION,
-              href: root_url(webfinger_url_options),
+              href: issuer,
             }
           ]
         }
       end
       def keys_response
-        signing_key = Doorkeeper::OpenidConnect.signing_key_normalized
-        {
-          keys: [
-            signing_key.merge(
-              use: 'sig',
-              alg: Doorkeeper::OpenidConnect.signing_algorithm
-            )
-          ]
-        }
+        { keys: Doorkeeper::OpenidConnect.signing_keys_normalized }
       end
       def protocol
-        Doorkeeper::OpenidConnect.configuration.protocol.call
+        configured = Doorkeeper::OpenidConnect.configuration.protocol
+        configured.respond_to?(:call) ? configured.call : configured
       end
       def discovery_url_options
@@ -130,14 +118,11 @@ module Doorkeeper
       end
       def issuer
-        if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
-          Doorkeeper::OpenidConnect.configuration.issuer.call(request).to_s
-        else
-          Doorkeeper::OpenidConnect.configuration.issuer
-        end
+        Doorkeeper::OpenidConnect.resolve_issuer(request: request)
       end
-      %i[authorization token revocation introspection userinfo jwks webfinger dynamic_client_registration].each do |endpoint|
+      %i[authorization token revocation introspection userinfo jwks
+         dynamic_client_registration].each do |endpoint|
         define_method :"#{endpoint}_url_options" do
           discovery_url_default_options.merge(discovery_url_options[endpoint.to_sym] || {})
         end

data/app/controllers/doorkeeper/openid_connect/dynamic_client_registration_controller.rb CHANGED Viewed

@@ -3,11 +3,18 @@
 module Doorkeeper
   module OpenidConnect
     class DynamicClientRegistrationController < ::Doorkeeper::ApplicationMetalController
-      include GrantTypesSupportedMixin
+      before_action :authorize_dynamic_client_registration!
       def register
-        client = Doorkeeper::Application.create!(application_params)
-        render json: registration_response(client), status: :created
+        registration = OAuth::DynamicRegistrationRequest.new(::Doorkeeper.configuration, params)
+        unless registration.valid?
+          render json: registration.error_response, status: :bad_request
+          return
+        end
+        client = Doorkeeper::Application.create!(application_params(registration))
+        render json: registration_response(client, registration), status: :created
       rescue ActiveRecord::RecordInvalid => e
         render json: { error: "invalid_client_params", error_description: e.record.errors.full_messages.join(", ") },
           status: :bad_request
@@ -15,29 +22,59 @@ module Doorkeeper
       private
-      def application_params
-        {
-          name: params.dig(:client_name),
-          redirect_uri: params.dig(:redirect_uris) || [],
-          scopes: params.dig(:scope),
-          confidential: false,
-        }
+      def authorize_dynamic_client_registration!
+        authorizer = ::Doorkeeper::OpenidConnect.configuration.authorize_dynamic_client_registration
+        return if authorizer.nil?
+        return if authorized?(authorizer)
+        response.headers["WWW-Authenticate"] = "Bearer error=\"invalid_token\""
+        render json: {
+          error: "invalid_token",
+          error_description: I18n.t(
+            "doorkeeper.openid_connect.errors.messages.dynamic_client_registration_unauthorized",
+          ),
+        }, status: :unauthorized
       end
-      def registration_response(doorkeeper_application)
-        doorkeeper_config = ::Doorkeeper.configuration
+      def authorized?(authorizer)
+        if authorizer.respond_to?(:to_proc)
+          instance_exec(&authorizer.to_proc)
+        elsif authorizer.respond_to?(:call)
+          authorizer.call(self)
+        else
+          authorizer
+        end
+      end
+      def application_params(registration)
         {
-          client_secret: doorkeeper_application.plaintext_secret || doorkeeper_application.secret,
+          name: params[:client_name],
+          redirect_uri: params[:redirect_uris] || [],
+          scopes: params[:scope],
+          confidential: registration.confidential_client?,
+        }
+      end
+      def registration_response(doorkeeper_application, registration)
+        response = {
           client_id: doorkeeper_application.uid,
           client_id_issued_at: doorkeeper_application.created_at.to_i,
           redirect_uris: doorkeeper_application.redirect_uri.split,
-          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
-          response_types: doorkeeper_config.authorization_response_types,
-          grant_types: grant_types_supported(doorkeeper_config),
+          token_endpoint_auth_method: registration.token_endpoint_auth_method,
+          token_endpoint_auth_methods_supported: registration.token_endpoint_auth_methods_supported,
+          response_types: registration.requested_response_types,
+          grant_types: registration.requested_grant_types,
           scope: doorkeeper_application.scopes.to_s,
-          application_type: "web"
+          application_type: registration.requested_application_type,
         }
+        if registration.confidential_client?
+          response[:client_secret] =
+            doorkeeper_application.plaintext_secret || doorkeeper_application.secret
+        end
+        response
       end
     end
   end

data/config/locales/en.yml CHANGED Viewed

@@ -21,3 +21,5 @@ en:
           reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
           select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
           subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'
+          signing_key_not_configured: 'Doorkeeper::OpenidConnect.configure.signing_key must resolve to at least one key.'
+          dynamic_client_registration_unauthorized: 'Authorization required for client registration'

data/lib/doorkeeper/oauth/id_token_response.rb CHANGED Viewed

@@ -8,6 +8,7 @@ module Doorkeeper
       attr_accessor :pre_auth, :auth, :id_token
       def initialize(pre_auth, auth, id_token)
+        super()
         @pre_auth = pre_auth
         @auth = auth
         @id_token = id_token
@@ -19,7 +20,6 @@ module Doorkeeper
       def body
         {
-          expires_in: auth.token.expires_in_seconds,
           state: pre_auth.state,
           id_token: id_token.as_jws_token
         }

data/lib/doorkeeper/oauth/id_token_token_response.rb CHANGED Viewed

@@ -6,7 +6,8 @@ module Doorkeeper
       def body
         super.merge({
           access_token: auth.token.token,
-          token_type: auth.token.token_type
+          token_type: auth.token.token_type,
+          expires_in: auth.token.expires_in_seconds
         })
       end
     end