himari 0.4.0 → 0.6.0

data/lib/himari/services/oidc_userinfo_endpoint.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/access_token'
 require 'himari/token_string'
 require 'himari/log_line'
@@ -6,9 +8,12 @@ module Himari
   module Services
     class OidcUserinfoEndpoint
       # @param storage [Himari::Storages::Base]
+      # @param signing_key_provider [Himari::ProviderChain<Himari::SigningKey>] verifies RFC 9068
+      #   JWT access tokens; opaque tokens do not need it
       # @param logger [Logger]
-      def initialize(storage:, logger: nil)
+      def initialize(storage:, signing_key_provider: nil, logger: nil)
         @storage = storage
+        @signing_key_provider = signing_key_provider
         @logger = logger
       end
 
@@ -17,14 +22,15 @@ module Himari
       end
 
       def call(env)
-        Handler.new(storage: @storage, env: env, logger: @logger).response
+        Handler.new(storage: @storage, signing_key_provider: @signing_key_provider, env: env, logger: @logger).response
       end
 
       class Handler
         class InvalidToken < StandardError; end
 
-        def initialize(storage:, env:, logger:)
+        def initialize(storage:, env:, logger:, signing_key_provider: nil)
           @storage = storage
+          @signing_key_provider = signing_key_provider
           @env = env
           @logger = logger
         end
@@ -34,18 +40,20 @@ module Himari
           return [404, {'Content-Type' => 'application/json'}, ['{"error": "not_found"}']] unless %w(GET POST).include?(@env['REQUEST_METHOD'])
 
           raise InvalidToken unless given_token
-          given_parsed_token = Himari::AccessToken.parse(given_token)
+
+          given_parsed_token = Himari::AccessToken.parse(given_token, signing_key_provider: @signing_key_provider)
 
           token = @storage.find_token(given_parsed_token.handle)
           raise InvalidToken unless token
-          token.verify_expiry!()
+
+          token.verify_expiry!
           token.verify_secret!(given_parsed_token.secret)
 
           @logger&.info(Himari::LogLine.new('OidcUserinfoEndpoint: returning', req: @env['himari.request_as_log'], token: token.as_log))
           [
             200,
             {'Content-Type' => 'application/json; charset=utf-8'},
-            [JSON.pretty_generate(token.claims), "\n"],
+            [JSON.pretty_generate(token.userinfo), "\n"],
           ]
         rescue InvalidToken, Himari::TokenString::SecretIncorrect, Himari::TokenString::InvalidFormat, Himari::TokenString::TokenExpired => e
           @logger&.warn(Himari::LogLine.new('OidcUserinfoEndpoint: invalid_token', req: @env['himari.request_as_log'], err: e.class.inspect, token: token&.as_log))
@@ -63,8 +71,6 @@ module Himari
             method, token = ah&.split(/\s+/, 2) # https://www.rfc-editor.org/rfc/rfc9110#name-credentials
             if method&.downcase == 'bearer' && token && !token.empty?
               token
-            else
-              nil
             end
           end
         end

data/lib/himari/services/upstream_authentication.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/log_line'
 require 'himari/decisions/authentication'
 require 'himari/decisions/claims'
@@ -29,20 +31,26 @@ module Himari
           {
             session: session_data&.as_log,
             decision: {
-              claims: claims_result&.as_log&.reject{ |k,_v| %i(allowed explicit_deny).include?(k) },
+              claims: claims_result&.as_log&.reject { |k, _v| %i(allowed explicit_deny).include?(k) },
               authentication: authn_result&.as_log,
             },
           }
         end
       end
 
-      # @param auth [Hash] Omniauth Auth Hash
+      # @param auth [Hash, nil] Omniauth Auth Hash (nil on revalidation)
+      # @param session [Himari::SessionData, nil] Existing session to revalidate (nil on initial login)
+      # @param grant_type [Symbol] :initial for omniauth callback, :refresh_token for revalidation
       # @param claims_rules [Array<Himari::Rule>] Claims Rules
       # @param authn_rules [Array<Himari::Rule>] Authentication Rules
       # @param logger [Logger]
-      def initialize(auth:, request: nil, claims_rules: [], authn_rules: [], logger: nil)
+      def initialize(auth: nil, session: nil, grant_type: :initial, request: nil, claims_rules: [], authn_rules: [], logger: nil)
+        raise ArgumentError, "auth or session is required" if auth.nil? && session.nil?
+
         @request = request
         @auth = auth
+        @session = session
+        @grant_type = grant_type
         @claims_rules = claims_rules
         @authn_rules = authn_rules
         @logger = logger
@@ -52,6 +60,22 @@ module Himari
       def self.from_request(request)
         new(
           auth: request.env.fetch('omniauth.auth'),
+          grant_type: :initial,
+          request: request,
+          claims_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::ClaimsRule::RACK_KEY] || []).collect,
+          authn_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::AuthenticationRule::RACK_KEY] || []).collect,
+          logger: request.env['rack.logger'],
+        )
+      end
+
+      # Re-run claims/authn rules against an existing session, e.g. on refresh_token grant.
+      #
+      # @param session [Himari::SessionData] existing session loaded from storage
+      # @param request [Rack::Request]
+      def self.revalidate_from_request(session:, request:)
+        new(
+          session: session,
+          grant_type: :refresh_token,
           request: request,
           claims_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::ClaimsRule::RACK_KEY] || []).collect,
           authn_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::AuthenticationRule::RACK_KEY] || []).collect,
@@ -60,27 +84,37 @@ module Himari
       end
 
       def provider
-        @auth&.fetch(:provider)
+        (@auth && @auth[:provider]) || @session&.user_data&.dig(:provider)
       end
 
-      def perform
-        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: perform', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider]))
-        claims_result = make_claims()
-        session_data = claims_result.decision.output
+      def uid_for_log
+        (@auth && @auth[:uid]) || @session&.claims&.dig(:sub)
+      end
 
-        authn_result = check_authn(claims_result, session_data)
+      def perform
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: perform', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type))
+        claims_result = make_claims
+        base = derive_base_session(claims_result)
 
+        authn_result = check_authn(claims_result, base)
+        final_refresh_info = authn_result.decision&.refresh_info || claims_result.decision&.refresh_info
+        session_data = base.with(refresh_info: final_refresh_info)
 
         result = Result.new(claims_result, authn_result, session_data)
-        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: result', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider], result: result.as_log))
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: result', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type, result: result.as_log))
         result
       end
 
       def make_claims
-        context = Himari::Decisions::Claims::Context.new(request: @request, auth: @auth).freeze
+        context = Himari::Decisions::Claims::Context.new(request: @request, auth: @auth, provider: provider, grant_type: @grant_type, refresh_info: @session&.refresh_info).freeze
         result = Himari::RuleProcessor.new(context, Himari::Decisions::Claims.new).run(@claims_rules)
 
-        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: claims', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider], claims_result: result.as_log))
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: claims', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type, claims_result: result.as_log))
+
+        if result.explicit_deny
+          @logger&.warn(Himari::LogLine.new('UpstreamAuthentication: claims explicit deny', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type, claims_result: result.as_log))
+          raise UnauthorizedError.new(Result.new(result, nil, nil))
+        end
 
         begin
           claims = result.decision&.output&.claims
@@ -92,13 +126,27 @@ module Himari
         result
       end
 
+      def derive_base_session(claims_result)
+        decision = claims_result.decision
+        if @session
+          # revalidation: keep existing handle/secret/expiry, refresh claims/user_data
+          @session.with(claims: decision.claims, user_data: decision.user_data)
+        else
+          decision.output
+        end
+      end
+
       def check_authn(claims_result, session_data)
-        context = Himari::Decisions::Authentication::Context.new(provider: provider, claims: session_data.claims, user_data: session_data.user_data, request: @request).freeze
+        context = Himari::Decisions::Authentication::Context.new(provider: provider, claims: session_data.claims, user_data: session_data.user_data, request: @request, grant_type: @grant_type, refresh_info: @session&.refresh_info).freeze
+        # Don't preseed decision.refresh_info from session; otherwise a no-op authn rule would clobber whatever
+        # the claims rule wrote (via Claims#refresh_info=). Authn rules that want to preserve session.refresh_info
+        # must read context.refresh_info and assign it explicitly.
         result = Himari::RuleProcessor.new(context, Himari::Decisions::Authentication.new).run(@authn_rules)
 
-        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: authentication', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider],  authn_result: result.as_log))
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: authentication', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type, authn_result: result.as_log))
 
         raise UnauthorizedError.new(Result.new(claims_result, result, nil)) unless result.allowed
+
         result
       end
     end

data/lib/himari/session_data.rb

@@ -1,17 +1,22 @@
+# frozen_string_literal: true
+
 require 'himari/token_string'
 
 module Himari
   class SessionData
     include Himari::TokenString
 
-    def initialize(claims: {}, user_data: {}, handle:, secret: nil, secret_hash: nil, expiry: nil)
+    def initialize(claims: {}, user_data: {}, refresh_info: nil, handle:, secret: nil, secret_hash: nil, expiry: nil)
       @claims = claims
       @user_data = user_data
+      @refresh_info = refresh_info
 
       @handle = handle
       @secret = secret
       @secret_hash = secret_hash
+      @secret_hash_prev = nil
       @expiry = expiry
+      @verification = nil
     end
 
     def self.magic_header
@@ -22,13 +27,36 @@ module Himari
       3600
     end
 
-    attr_reader :claims, :user_data
+    attr_reader :claims, :user_data, :refresh_info
+
+    def refreshable?
+      !@refresh_info.nil?
+    end
+
+    def active?(now: Time.now)
+      @expiry.nil? || @expiry > now.to_i
+    end
+
+    # Return a copy with selected fields replaced. Reads @secret directly to
+    # sidestep TokenString#secret raising SecretMissing for storage-loaded sessions.
+    def with(claims: @claims, user_data: @user_data, refresh_info: @refresh_info, expiry: @expiry)
+      self.class.new(
+        handle: @handle,
+        secret: @secret,
+        secret_hash: @secret_hash,
+        expiry: expiry,
+        claims: claims,
+        user_data: user_data,
+        refresh_info: refresh_info,
+      )
+    end
 
     def as_log
       {
         handle: handle,
         claims: claims,
         expiry: expiry,
+        refreshable: refreshable?,
       }
     end
 
@@ -40,6 +68,7 @@ module Himari
 
         claims: claims,
         user_data: user_data,
+        refresh_info: refresh_info,
       }
     end
   end

data/lib/himari/signing_key.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'digest/sha2'
 require 'base64'
 module Himari
@@ -15,7 +17,6 @@ module Himari
 
     attr_reader :id, :pkey, :group
 
-
     def active?
       !@inactive
     end
@@ -30,7 +31,7 @@ module Himari
       end
 
       result &&= if !active.nil?
-        active == self.active?
+        active == active?
       else
         true
       end
@@ -55,9 +56,9 @@ module Himari
         'RS256'
       when OpenSSL::PKey::EC
         case ec_crv
-        when 'P-256'; 'ES256'
-        when 'P-384'; 'ES384'
-        when 'P-521'; 'ES512'
+        when 'P-256' then 'ES256'
+        when 'P-384' then 'ES384'
+        when 'P-521' then 'ES512'
         else
           raise AlgUnknown
         end
@@ -68,9 +69,9 @@ module Himari
 
     def hash_function
       case alg
-      when 'ES256', 'RS256'; Digest::SHA256
-      when 'ES384'; Digest::SHA384
-      when 'ES512'; Digest::SHA512
+      when 'ES256', 'RS256' then Digest::SHA256
+      when 'ES384' then Digest::SHA384
+      when 'ES512' then Digest::SHA512
       else
         raise AlgUnknown
       end
@@ -78,6 +79,7 @@ module Himari
 
     def ec_crv
       raise OperationInvalid, "this key is not EC" unless pkey.is_a?(OpenSSL::PKey::EC)
+
       # https://www.rfc-editor.org/rfc/rfc8422.html#appendix-A
       case pkey.group.curve_name
       when 'prime256v1', 'secp256r1'
@@ -97,10 +99,11 @@ module Himari
       when OpenSSL::PKey::EC # https://www.rfc-editor.org/rfc/rfc7518#section-6.2
         # https://www.secg.org/sec1-v2.pdf - 2.3.3. Elliptic-Curve-Point-to-Octet-String Conversion
         xy = pkey.public_key.to_octet_string(:uncompressed) # 0x04 || X || Y
-        len = pkey.group.degree/8
-        raise unless xy[0] == "\x04".b && xy.size == ((len*2)+1)
-        x = xy[1,len]
-        y = xy[1+len,len]
+        len = pkey.group.degree / 8
+        raise unless xy[0] == "\x04".b && xy.size == ((len * 2) + 1)
+
+        x = xy[1, len]
+        y = xy[1 + len, len]
 
         {
           kid: id,
@@ -117,8 +120,8 @@ module Himari
           kty: 'RSA',
           use: "sig",
           alg: alg,
-          n: Base64.urlsafe_encode64(pkey.n.to_s(2)).gsub(/=+/,''),
-          e: Base64.urlsafe_encode64(pkey.e.to_s(2)).gsub(/=+/,''),
+          n: Base64.urlsafe_encode64(pkey.n.to_s(2)).gsub(/=+/, ''),
+          e: Base64.urlsafe_encode64(pkey.e.to_s(2)).gsub(/=+/, ''),
         }
       else
         raise AlgUnknown

data/lib/himari/storages/base.rb

@@ -1,6 +1,10 @@
+# frozen_string_literal: true
+
 require 'himari/authorization_code'
 require 'himari/access_token'
+require 'himari/refresh_token'
 require 'himari/session_data'
+require 'himari/dynamic_client_registration'
 
 module Himari
   module Storages
@@ -42,6 +46,46 @@ module Himari
         delete('token', handle)
       end
 
+      def find_refresh_token(handle)
+        content = read('refresh', handle)
+        content && RefreshToken.new(**content)
+      end
+
+      # @param if_version [Integer, nil] when given, only write if the stored record's
+      #   version equals this value (compare-and-swap); raises Conflict otherwise.
+      def put_refresh_token(token, overwrite: false, if_version: nil)
+        write('refresh', token.handle, token.as_json, overwrite: overwrite, if_version: if_version)
+      end
+
+      def delete_refresh_token(token)
+        delete_refresh_token_by_handle(token.handle)
+      end
+
+      def delete_refresh_token_by_handle(handle)
+        delete('refresh', handle)
+      end
+
+      def find_dynamic_client(id)
+        # ids are server-generated url-safe base64; reject anything else before it reaches a
+        # storage key (defense-in-depth against path traversal on filesystem-backed storage).
+        return unless id.is_a?(String) && id.match?(/\A[A-Za-z0-9_-]+\z/)
+
+        content = read('dynamic_client', id)
+        content && DynamicClientRegistration.from_json(content)
+      end
+
+      def put_dynamic_client(client, overwrite: false)
+        write('dynamic_client', client.id, client.as_json, overwrite: overwrite)
+      end
+
+      def delete_dynamic_client(client)
+        delete_dynamic_client_by_id(client.id)
+      end
+
+      def delete_dynamic_client_by_id(id)
+        delete('dynamic_client', id)
+      end
+
       def find_session(handle)
         content = read('session', handle)
         content && SessionData.new(**content)
@@ -59,7 +103,7 @@ module Himari
         delete('session', handle)
       end
 
-      private def write(kind, key, content, overwrite: false)
+      private def write(kind, key, content, overwrite: false, if_version: nil)
         raise NotImplementedError
       end
 

data/lib/himari/storages/filesystem.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/storages/base'
 
 module Himari
@@ -11,11 +13,20 @@ module Himari
 
       attr_reader :path
 
-      private def write(kind, key, content, overwrite: false)
+      # The version compare-and-swap below is a read-compare-write, which is not atomic
+      # across processes. Adequate for filesystem storage's dev/single-node use; the
+      # production atomic path is DynamoDB's conditional update.
+      private def write(kind, key, content, overwrite: false, if_version: nil)
         dir = File.join(@path, kind)
         path = File.join(dir, key)
         Dir.mkdir(dir) unless Dir.exist?(dir)
-        raise Himari::Storages::Base::Conflict if File.exist?(path)
+        if if_version
+          existing = read(kind, key)
+          raise Himari::Storages::Base::Conflict unless existing && existing[:version] == if_version
+        elsif File.exist?(path) && !overwrite
+          raise Himari::Storages::Base::Conflict
+        end
+
         File.write(path, "#{JSON.pretty_generate(content)}\n")
         nil
       end
@@ -24,7 +35,7 @@ module Himari
         path = File.join(@path, kind, key)
         JSON.parse(File.read(path), symbolize_names: true)
       rescue Errno::ENOENT
-        return nil
+        nil
       end
 
       private def delete(kind, key)

data/lib/himari/storages/memory.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/storages/base'
 
 module Himari
@@ -9,9 +11,15 @@ module Himari
         @memory = {}
       end
 
-      private def write(kind, key, content, overwrite: false)
+      private def write(kind, key, content, overwrite: false, if_version: nil)
         path = File.join(kind, key)
-        raise Himari::Storages::Base::Conflict if @memory.key?(path)
+        if if_version
+          existing = read(kind, key)
+          raise Himari::Storages::Base::Conflict unless existing && existing[:version] == if_version
+        elsif @memory.key?(path) && !overwrite
+          raise Himari::Storages::Base::Conflict
+        end
+
         @memory[path] = JSON.pretty_generate(content)
         nil
       end

data/lib/himari/token_string.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'securerandom'
 require 'base64'
 require 'digest/sha2'
@@ -11,6 +13,10 @@ module Himari
     class TokenExpired < Error; end
     class InvalidFormat < Error; end
 
+    # Outcome of a successful verify_secret!: which stored secret slot the presented secret
+    # matched (:current or :previous) and the hash it matched against. nil until verified.
+    Verification = Data.define(:via, :secret_hash)
+
     module ClassMethods
       def magic_header
         raise NotImplementedError
@@ -25,7 +31,7 @@ module Himari
           handle: SecureRandom.urlsafe_base64(32),
           secret: SecureRandom.urlsafe_base64(48),
           expiry: Time.now.to_i + (lifetime || default_lifetime),
-          **kwargs
+          **kwargs,
         )
       end
 
@@ -38,6 +44,10 @@ module Himari
       k.extend(ClassMethods)
     end
 
+    def self.hash_secret(secret)
+      Base64.urlsafe_encode64(Digest::SHA384.digest(secret), padding: false)
+    end
+
     def handle
       @handle
     end
@@ -48,11 +58,19 @@ module Himari
 
     def secret
       raise SecretMissing unless @secret
+
       @secret
     end
 
     def secret_hash
-      @secret_hash ||= Base64.urlsafe_encode64(Digest::SHA384.digest(secret), padding: false)
+      @secret_hash ||= TokenString.hash_secret(secret)
+    end
+
+    # Optional second valid secret hash. Tokens that rotate in place (RefreshToken) keep the
+    # previously-issued secret valid for one more turn so a client whose rotation response was
+    # lost can retry. nil for single-secret tokens (AccessToken, SessionData).
+    def secret_hash_prev
+      @secret_hash_prev
     end
 
     def verify!(secret:, now: Time.now)
@@ -61,13 +79,30 @@ module Himari
     end
 
     def verify_secret!(given_secret)
-      dgst = Base64.urlsafe_decode64(secret_hash) # TODO: rescue errors
       given_dgst = Digest::SHA384.digest(given_secret)
-      raise SecretIncorrect unless Rack::Utils.secure_compare(dgst, given_dgst)
+      @verification =
+        if secret_hash_match(secret_hash, given_dgst)
+          Verification.new(via: :current, secret_hash: secret_hash)
+        elsif secret_hash_prev && secret_hash_match(secret_hash_prev, given_dgst)
+          Verification.new(via: :previous, secret_hash: secret_hash_prev)
+        end
+      raise SecretIncorrect unless @verification
+
       @secret = given_secret
       true
     end
 
+    # The Verification from the last successful verify_secret!, or nil. Used for logging
+    # (#via) and to let a rotating token keep the just-presented secret valid (#secret_hash).
+    attr_reader :verification
+
+    private def secret_hash_match(stored_hash, given_dgst)
+      stored_dgst = Base64.urlsafe_decode64(stored_hash)
+      Rack::Utils.secure_compare(stored_dgst, given_dgst)
+    rescue ArgumentError
+      raise SecretIncorrect
+    end
+
     def verify_expiry!(now = Time.now)
       raise TokenExpired if @expiry <= now.to_i
     end
@@ -77,6 +112,7 @@ module Himari
         parts = str.split('.')
         raise InvalidFormat unless parts.size == 3
         raise InvalidFormat unless parts[0] == header
+
         new(header: header, handle: parts[1], secret: parts[2])
       end
 

data/lib/himari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Himari
-  VERSION = "0.4.0"
+  VERSION = "0.6.0"
 end

data/public/public/index.css

@@ -60,6 +60,24 @@ main > header img, main > footer img {
   margin-top: 30px;
 }
 
+.consent-detail {
+  margin: 12px 0 24px;
+}
+.consent-scopes {
+  display: inline-block;
+  text-align: left;
+}
+.himari-consent .actions form {
+  display: flex;
+  flex-direction: row;
+  gap: 12px;
+}
+.consent-deny {
+  border-color: #4E6994 !important;
+  background: transparent !important;
+  color: #4E6994 !important;
+}
+
 .notice {
   background-color: white;
   border: 1px #bfa88a solid;

data/views/consent.erb

@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <title><%= h(msg(:consent_page_title, nil) || msg(:consent_title, "Authorize access")) %></title>
+    <link rel="stylesheet" href="/public/index.css?cb=<%= cachebuster %>" type="text/css" />
+    <meta name="viewport" content="initial-scale=1">
+    <meta name="robots" content="noindex, nofollow">
+
+    <meta name="himari:release" content="<%= release_code %>">
+  </head>
+
+  <body class='himari-app himari-consent'>
+    <main>
+
+      <header>
+        <h1><%= msg(:consent_title, "Authorize access") %></h1>
+        <%= msg(:consent_header) %>
+
+        <% if @notice %>
+          <div class='notice'>
+            <p><%=h @notice %></p>
+          </div>
+        <% end %>
+      </header>
+
+      <section class='consent-detail'>
+        <p><strong><%=h(@consent_client.name || @consent_client.id) %></strong> <%= msg(:consent_request_message, "is requesting access to your account.") %></p>
+
+        <% if @consent_scopes.any? %>
+          <p><%= msg(:consent_scopes_message, "The following will be shared:") %></p>
+          <ul class='consent-scopes'>
+            <% @consent_scopes.each do |scope| %>
+              <li><%=h msg(:"scope_#{scope}", scope) %></li>
+            <% end %>
+          </ul>
+        <% else %>
+          <p><%= msg(:consent_no_scopes_message, "Basic sign-in information will be shared.") %></p>
+        <% end %>
+      </section>
+
+      <nav class='actions'>
+        <form action="<%=h request.path %>" method="POST" id='consent-form'>
+          <input type="hidden" name="<%= csrf_token_name %>" value="<%= csrf_token_value %>" />
+          <% request.GET.each do |k, v| %>
+            <% next if k == csrf_token_name || k == '_consent' %>
+            <input type="hidden" name="<%=h k %>" value="<%=h v %>" />
+          <% end %>
+          <button type='submit' name='_consent' value='approve' class='consent-approve'><%= msg(:consent_approve, "Approve") %></button>
+          <button type='submit' name='_consent' value='deny' class='consent-deny'><%= msg(:consent_deny, "Deny") %></button>
+        </form>
+      </nav>
+
+      <footer>
+        <%= msg(:consent_footer) %>
+      </footer>
+    </main>
+  </body>
+</html>