rodauth-oauth 0.0.1 → 0.0.6

data/lib/generators/roda/oauth/install_generator.rb

@@ -10,7 +10,7 @@ module Rodauth::OAuth::Rails
       include ::Rails::Generators::Migration
 
       source_root "#{__dir__}/templates"
-      namespace "roda:oauth:install"
+      namespace "rodauth:oauth:install"
 
       def create_rodauth_migration
         return unless defined?(ActiveRecord::Base)

data/lib/generators/roda/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -24,6 +24,12 @@ class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :revoked_at
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      # for using access_types
+      t.string :access_type, null: false, default: "offline"
+      # uncomment to enable PKCE
+      # t.string :code_challenge
+      # t.string :code_challenge_method
+
       t.index(%i[oauth_application_id code], unique: true)
     end
 
@@ -37,7 +43,13 @@ class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
       t.integer :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
       t.string :token, null: false, token: true
+      # uncomment if setting oauth_tokens_token_hash_column
+      # and delete the token column
+      # t.string :token_hash, token: true
       t.string :refresh_token
+      # uncomment if setting oauth_tokens_refresh_token_hash_column
+      # and delete the refresh_token column
+      # t.string :refresh_token_hash, token: true
       t.datetime :expires_in, null: false
       t.datetime :revoked_at
       t.string :scopes, null: false

data/lib/generators/roda/oauth/views_generator.rb

@@ -7,7 +7,7 @@ module Rodauth::OAuth
     module Generators
       class ViewsGenerator < ::Rails::Generators::Base
         source_root "#{__dir__}/templates"
-        namespace "roda:oauth:views"
+        namespace "rodauth:oauth:views"
 
         DEFAULT = %w[oauth_authorize].freeze
         VIEWS = {
@@ -16,11 +16,6 @@ module Rodauth::OAuth
         }.freeze
 
         DEPENDENCIES = {
-          active_sessions: :logout,
-          otp: :two_factor_base,
-          sms_codes: :two_factor_base,
-          recovery_codes: :two_factor_base,
-          webauthn: :two_factor_base
         }.freeze
 
         class_option :features, type: :array,

data/lib/rodauth/features/oauth.rb

@@ -1,8 +1,15 @@
 # frozen-string-literal: true
 
+require "base64"
+require "securerandom"
+require "net/http"
+
+require "rodauth/oauth/ttl_store"
+
 module Rodauth
   Feature.define(:oauth) do
     # RUBY EXTENSIONS
+    # :nocov:
     unless Regexp.method_defined?(:match?)
       module RegexpExtensions
         refine(Regexp) do
@@ -14,20 +21,37 @@ module Rodauth
       using(RegexpExtensions)
     end
 
-    SCOPES = %w[profile.read].freeze
+    unless String.method_defined?(:delete_suffix!)
+      module SuffixExtensions
+        refine(String) do
+          def delete_suffix!(suffix)
+            suffix = suffix.to_s
+            chomp! if frozen?
+            len = suffix.length
+            return unless len.positive? && index(suffix, -len)
+
+            self[-len..-1] = ""
+            self
+          end
+        end
+      end
+      using(SuffixExtensions)
+    end
+    # :nocov:
 
-    depends :login
+    SCOPES = %w[profile.read].freeze
 
     before "authorize"
     after "authorize"
     after "authorize_failure"
 
     before "token"
-    after "token"
 
     before "revoke"
     after "revoke"
 
+    before "introspect"
+
     before "create_oauth_application"
     after "create_oauth_application"
 
@@ -49,26 +73,28 @@ module Rodauth
 
     auth_value_method :oauth_grant_expires_in, 60 * 5 # 5 minutes
     auth_value_method :oauth_token_expires_in, 60 * 60 # 60 minutes
-    auth_value_method :use_oauth_implicit_grant_type, false
+    auth_value_method :use_oauth_implicit_grant_type?, false
+    auth_value_method :use_oauth_pkce?, true
+    auth_value_method :use_oauth_access_type?, true
 
-    # URL PARAMS
+    auth_value_method :oauth_require_pkce, false
+    auth_value_method :oauth_pkce_challenge_method, "S256"
 
-    # Authorize / token
-    %w[
-      grant_type code refresh_token client_id scope
-      state redirect_uri scopes token_type_hint token
-      access_type response_type
-    ].each do |param|
-      auth_value_method :"#{param}_param", param
-    end
+    auth_value_method :oauth_valid_uri_schemes, %w[http https]
+
+    auth_value_method :oauth_scope_separator, " "
 
     # Application
-    APPLICATION_REQUIRED_PARAMS = %w[name description scopes homepage_url redirect_uri].freeze
+    APPLICATION_REQUIRED_PARAMS = %w[name description scopes homepage_url redirect_uri client_secret].freeze
     auth_value_method :oauth_application_required_params, APPLICATION_REQUIRED_PARAMS
 
-    (APPLICATION_REQUIRED_PARAMS + %w[client_id client_secret]).each do |param|
+    (APPLICATION_REQUIRED_PARAMS + %w[client_id]).each do |param|
       auth_value_method :"oauth_application_#{param}_param", param
+      translatable_method :"#{param}_label", param.gsub("_", " ").capitalize
     end
+    button "Register", "oauth_application"
+    button "Authorize", "oauth_authorize"
+    button "Revoke", "oauth_token_revoke"
 
     # OAuth Token
     auth_value_method :oauth_tokens_path, "oauth-tokens"
@@ -83,6 +109,10 @@ module Rodauth
       auth_value_method :"oauth_tokens_#{column}_column", column
     end
 
+    # Oauth Token Hash
+    auth_value_method :oauth_tokens_token_hash_column, nil
+    auth_value_method :oauth_tokens_refresh_token_hash_column, nil
+
     # OAuth Grants
     auth_value_method :oauth_grants_table, :oauth_grants
     auth_value_method :oauth_grants_id_column, :id
@@ -90,6 +120,7 @@ module Rodauth
       account_id oauth_application_id
       redirect_uri code scopes access_type
       expires_in revoked_at
+      code_challenge code_challenge_method
     ].each do |column|
       auth_value_method :"oauth_grants_#{column}_column", column
     end
@@ -115,7 +146,7 @@ module Rodauth
 
     auth_value_method :oauth_application_default_scope, SCOPES.first
     auth_value_method :oauth_application_scopes, SCOPES
-    auth_value_method :oauth_token_type, "Bearer"
+    auth_value_method :oauth_token_type, "bearer"
 
     auth_value_method :invalid_request, "Request is missing a required parameter"
     auth_value_method :invalid_client, "Invalid client"
@@ -130,31 +161,46 @@ module Rodauth
     auth_value_method :unique_error_message, "is already in use"
     auth_value_method :null_error_message, "is not filled"
 
+    # PKCE
+    auth_value_method :code_challenge_required_error_code, "invalid_request"
+    auth_value_method :code_challenge_required_message, "code challenge required"
+    auth_value_method :unsupported_transform_algorithm_error_code, "invalid_request"
+    auth_value_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
+
+    # METADATA
+    auth_value_method :oauth_metadata_service_documentation, nil
+    auth_value_method :oauth_metadata_ui_locales_supported, nil
+    auth_value_method :oauth_metadata_op_policy_uri, nil
+    auth_value_method :oauth_metadata_op_tos_uri, nil
+
+    # Resource Server params
+    # Only required to use if the plugin is to be used in a resource server
+    auth_value_method :is_authorization_server?, true
+
     auth_value_methods(
-      :oauth_unique_id_generator
+      :fetch_access_token,
+      :oauth_unique_id_generator,
+      :secret_matches?,
+      :secret_hash,
+      :generate_token_hash,
+      :authorization_server_url,
+      :before_introspection_request
     )
 
-    redirect(:oauth_application) do |id|
-      "/#{oauth_applications_path}/#{id}"
-    end
+    auth_value_methods(:only_json?)
 
-    redirect(:require_authorization) do
-      if logged_in?
-        oauth_authorize_path
-      else
-        login_redirect
-      end
-    end
+    auth_value_method :json_request_regexp, %r{\bapplication/(?:vnd\.api\+)?json\b}i
 
-    auth_value_method :json_request_accept_regexp, %r{\bapplication/(?:vnd\.api\+)?json\b}i
-    auth_methods(:json_request?)
+    SERVER_METADATA = OAuth::TtlStore.new
 
     def check_csrf?
       case request.path
-      when oauth_token_path
+      when oauth_token_path, oauth_introspect_path
         false
       when oauth_revoke_path
         !json_request?
+      when oauth_authorize_path, %r{/#{oauth_applications_path}}
+        only_json? ? false : super
       else
         super
       end
@@ -165,104 +211,98 @@ module Rodauth
       super || authorization_token
     end
 
-    def json_request?
-      return @json_request if defined?(@json_request)
+    def accepts_json?
+      return true if only_json?
 
-      @json_request = request.get_header("HTTP_ACCEPT") =~ json_request_accept_regexp
+      (accept = request.env["HTTP_ACCEPT"]) && accept =~ json_request_regexp
     end
 
-    attr_reader :oauth_application
+    unless method_defined?(:json_request?)
+      # :nocov:
+      # copied from the jwt feature
+      def json_request?
+        return @json_request if defined?(@json_request)
 
-    def initialize(scope)
-      @scope = scope
+        @json_request = request.content_type =~ json_request_regexp
+      end
+      # :nocov:
     end
 
-    def state
-      state = param(state_param)
-
-      return unless state && !state.empty?
-
-      state
+    def initialize(scope)
+      @scope = scope
     end
 
     def scopes
-      scopes = param(scopes_param)
-
-      return [oauth_application_default_scope] unless scopes && !scopes.empty?
-
-      scopes.split(" ")
+      (param_or_nil("scope") || oauth_application_default_scope).split(" ")
     end
 
-    def client_id
-      client_id = param(client_id_param)
-
-      return unless client_id && !client_id.empty?
+    def redirect_uri
+      param_or_nil("redirect_uri") || begin
+        return unless oauth_application
 
-      client_id
+        redirect_uris = oauth_application[oauth_applications_redirect_uri_column].split(" ")
+        redirect_uris.size == 1 ? redirect_uris.first : nil
+      end
     end
 
-    def redirect_uri
-      redirect_uri = param(redirect_uri_param)
+    def oauth_application
+      return @oauth_application if defined?(@oauth_application)
 
-      return oauth_application[oauth_applications_redirect_uri_column] unless redirect_uri && !redirect_uri.empty?
+      @oauth_application = begin
+        client_id = param_or_nil("client_id")
 
-      redirect_uri
-    end
+        return unless client_id
 
-    def token_type_hint
-      token_type_hint = param(token_type_hint_param)
+        db[oauth_applications_table].filter(oauth_applications_client_id_column => client_id).first
+      end
+    end
 
-      return "access_token" unless token_type_hint && !token_type_hint.empty?
+    def fetch_access_token
+      value = request.env["HTTP_AUTHORIZATION"]
 
-      token_type_hint
-    end
+      return unless value
 
-    def token
-      token = param(token_param)
+      scheme, token = value.split(" ", 2)
 
-      return unless token && !token.empty?
+      return unless scheme.downcase == oauth_token_type
 
       token
     end
 
-    def oauth_application
-      return @oauth_application if defined?(@oauth_application)
+    def authorization_token
+      return @authorization_token if defined?(@authorization_token)
 
-      @oauth_application = begin
-        client_id = param(client_id_param)
+      # check if there is a token
+      bearer_token = fetch_access_token
 
-        return unless client_id
+      return unless bearer_token
 
-        db[oauth_applications_table].filter(oauth_applications_client_id_column => client_id).first
-      end
+      # check if token has not expired
+      # check if token has been revoked
+      @authorization_token = oauth_token_by_token(bearer_token)
     end
 
-    def authorization_token
-      return @authorization_token if defined?(@authorization_token)
+    def require_oauth_authorization(*scopes)
+      token_scopes = if is_authorization_server?
+                       authorization_required unless authorization_token
 
-      @authorization_token = begin
-        value = request.get_header("HTTP_AUTHORIZATION").to_s
+                       scopes << oauth_application_default_scope if scopes.empty?
 
-        scheme, token = value.split(" ", 2)
+                       authorization_token[oauth_tokens_scopes_column].split(oauth_scope_separator)
+                     else
+                       bearer_token = fetch_access_token
 
-        return unless scheme == "Bearer"
+                       authorization_required unless bearer_token
 
-        # check if there is a token
-        # check if token has not expired
-        # check if token has been revoked
-        db[oauth_tokens_table].where(oauth_tokens_token_column => token)
-                              .where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                              .where(oauth_tokens_revoked_at_column => nil)
-                              .first
-      end
-    end
+                       scopes << oauth_application_default_scope if scopes.empty?
 
-    def require_oauth_authorization(*scopes)
-      authorization_required unless authorization_token
+                       # where in resource server, NOT the authorization server.
+                       payload = introspection_request("access_token", bearer_token)
 
-      scopes << oauth_application_default_scope if scopes.empty?
+                       authorization_required unless payload["active"]
 
-      token_scopes = authorization_token[:scopes].split(",")
+                       payload["scope"].split(oauth_scope_separator)
+                     end
 
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
     end
@@ -275,8 +315,11 @@ module Rodauth
         request.get "new" do
           new_oauth_application_view
         end
+
         request.on(oauth_applications_id_pattern) do |id|
           oauth_application = db[oauth_applications_table].where(oauth_applications_id_column => id).first
+          next unless oauth_application
+
           scope.instance_variable_set(:@oauth_application, oauth_application)
 
           request.is do
@@ -288,7 +331,9 @@ module Rodauth
           request.on(oauth_tokens_path) do
             oauth_tokens = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => id)
             scope.instance_variable_set(:@oauth_tokens, oauth_tokens)
-            oauth_tokens_view
+            request.get do
+              oauth_tokens_view
+            end
           end
         end
 
@@ -306,7 +351,7 @@ module Rodauth
               id = create_oauth_application
               after_create_oauth_application
               set_notice_flash create_oauth_application_notice_flash
-              redirect oauth_application_redirect(id)
+              redirect "#{request.path}/#{id}"
             end
           end
           set_error_flash create_oauth_application_error_flash
@@ -315,10 +360,216 @@ module Rodauth
       end
     end
 
+    def oauth_server_metadata(issuer = nil)
+      request.on(".well-known") do
+        request.on("oauth-authorization-server") do
+          request.get do
+            json_response_success(oauth_server_metadata_body(issuer))
+          end
+        end
+      end
+    end
+
     private
 
+    def authorization_server_url
+      base_url
+    end
+
+    def authorization_server_metadata
+      auth_url = URI(authorization_server_url)
+
+      server_metadata = SERVER_METADATA[auth_url]
+
+      return server_metadata if server_metadata
+
+      SERVER_METADATA.set(auth_url) do
+        http = Net::HTTP.new(auth_url.host, auth_url.port)
+        http.use_ssl = auth_url.scheme == "https"
+
+        request = Net::HTTP::Get.new("/.well-known/oauth-authorization-server")
+        request["accept"] = json_response_content_type
+        response = http.request(request)
+        authorization_required unless response.code.to_i == 200
+
+        # time-to-live
+        ttl = if response.key?("cache-control")
+                cache_control = response["cache_control"]
+                cache_control[/max-age=(\d+)/, 1]
+              elsif response.key?("expires")
+                Time.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+              end
+
+        [JSON.parse(response.body, symbolize_names: true), ttl]
+      end
+    end
+
+    def introspection_request(token_type_hint, token)
+      auth_url = URI(authorization_server_url)
+      http = Net::HTTP.new(auth_url.host, auth_url.port)
+      http.use_ssl = auth_url.scheme == "https"
+
+      request = Net::HTTP::Post.new(oauth_introspect_path)
+      request["content-type"] = json_response_content_type
+      request["accept"] = json_response_content_type
+      request.body = JSON.dump({ "token_type_hint" => token_type_hint, "token" => token })
+
+      before_introspection_request(request)
+      response = http.request(request)
+      authorization_required unless response.code.to_i == 200
+
+      JSON.parse(response.body)
+    end
+
+    def before_introspection_request(request); end
+
+    def template_path(page)
+      path = File.join(File.dirname(__FILE__), "../../../templates", "#{page}.str")
+      return super unless File.exist?(path)
+
+      path
+    end
+
+    # to be used internally. Same semantics as require account, must:
+    # fetch an authorization basic header
+    # parse client id and secret
+    #
+    def require_oauth_application
+      # get client credenntials
+      client_id = client_secret = nil
+
+      # client_secret_basic
+      if (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Basic (.*)\Z/, 1]))
+        client_id, client_secret = Base64.decode64(token).split(/:/, 2)
+      else
+        client_id = param_or_nil("client_id")
+        client_secret = param_or_nil("client_secret")
+      end
+
+      authorization_required unless client_id
+
+      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
+
+      # skip if using pkce
+      return if @oauth_application && use_oauth_pkce? && param_or_nil("code_verifier")
+
+      authorization_required unless @oauth_application && secret_matches?(@oauth_application, client_secret)
+    end
+
+    def secret_matches?(oauth_application, secret)
+      BCrypt::Password.new(oauth_application[oauth_applications_client_secret_column]) == secret
+    end
+
+    def secret_hash(secret)
+      password_hash(secret)
+    end
+
     def oauth_unique_id_generator
-      SecureRandom.uuid
+      SecureRandom.hex(32)
+    end
+
+    def generate_token_hash(token)
+      Base64.urlsafe_encode64(Digest::SHA256.digest(token))
+    end
+
+    def token_from_application?(oauth_token, oauth_application)
+      oauth_token[oauth_tokens_oauth_application_id_column] == oauth_application[oauth_applications_id_column]
+    end
+
+    unless method_defined?(:password_hash)
+      # :nocov:
+      # From login_requirements_base feature
+      if ENV["RACK_ENV"] == "test"
+        def password_hash_cost
+          BCrypt::Engine::MIN_COST
+        end
+      else
+        def password_hash_cost
+          BCrypt::Engine::DEFAULT_COST
+        end
+      end
+
+      def password_hash(password)
+        BCrypt::Password.create(password, cost: password_hash_cost)
+      end
+      # :nocov:
+    end
+
+    def generate_oauth_token(params = {}, should_generate_refresh_token = true)
+      create_params = {
+        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+      }.merge(params)
+
+      token = oauth_unique_id_generator
+      refresh_token = nil
+
+      if oauth_tokens_token_hash_column
+        create_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+      else
+        create_params[oauth_tokens_token_column] = token
+      end
+
+      if should_generate_refresh_token
+        refresh_token = oauth_unique_id_generator
+
+        if oauth_tokens_refresh_token_hash_column
+          create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+        else
+          create_params[oauth_tokens_refresh_token_column] = refresh_token
+        end
+      end
+      oauth_token = _generate_oauth_token(create_params)
+
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
+      oauth_token
+    end
+
+    def _generate_oauth_token(params = {})
+      ds = db[oauth_tokens_table]
+
+      begin
+        if ds.supports_returning?(:insert)
+          ds.returning.insert(params).first
+        else
+          id = ds.insert(params)
+          ds.where(oauth_tokens_id_column => id).first
+        end
+      rescue Sequel::UniqueConstraintViolation
+        retry
+      end
+    end
+
+    def oauth_token_by_token(token, dataset = db[oauth_tokens_table])
+      ds = if oauth_tokens_token_hash_column
+             dataset.where(oauth_tokens_token_hash_column => generate_token_hash(token))
+           else
+             dataset.where(oauth_tokens_token_column => token)
+           end
+
+      ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+        .where(oauth_tokens_revoked_at_column => nil).first
+    end
+
+    def oauth_token_by_refresh_token(token, dataset = db[oauth_tokens_table])
+      ds = if oauth_tokens_refresh_token_hash_column
+             dataset.where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
+           else
+             dataset.where(oauth_tokens_refresh_token_column => token)
+           end
+
+      ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+        .where(oauth_tokens_revoked_at_column => nil).first
+    end
+
+    def json_access_token_payload(oauth_token)
+      payload = {
+        "access_token" => oauth_token[oauth_tokens_token_column],
+        "token_type" => oauth_token_type,
+        "expires_in" => oauth_token_expires_in
+      }
+      payload["refresh_token"] = oauth_token[oauth_tokens_refresh_token_column] if oauth_token[oauth_tokens_refresh_token_column]
+      payload
     end
 
     # Oauth Application
@@ -336,11 +587,21 @@ module Rodauth
 
     def validate_oauth_application_params
       oauth_application_params.each do |key, value|
-        if key == oauth_application_homepage_url_param ||
-           key == oauth_application_redirect_uri_param
+        if key == oauth_application_homepage_url_param
 
-          set_field_error(key, invalid_url_message) unless URI::DEFAULT_PARSER.make_regexp(%w[http https]).match?(value)
+          set_field_error(key, invalid_url_message) unless check_valid_uri?(value)
 
+        elsif key == oauth_application_redirect_uri_param
+
+          if value.respond_to?(:each)
+            value.each do |uri|
+              next if uri.empty?
+
+              set_field_error(key, invalid_url_message) unless check_valid_uri?(uri)
+            end
+          else
+            set_field_error(key, invalid_url_message) unless check_valid_uri?(value)
+          end
         elsif key == oauth_application_scopes_param
 
           value.each do |scope|
@@ -358,35 +619,32 @@ module Rodauth
         oauth_applications_name_column => oauth_application_params[oauth_application_name_param],
         oauth_applications_description_column => oauth_application_params[oauth_application_description_param],
         oauth_applications_scopes_column => oauth_application_params[oauth_application_scopes_param],
-        oauth_applications_homepage_url_column => oauth_application_params[oauth_application_homepage_url_param],
-        oauth_applications_redirect_uri_column => oauth_application_params[oauth_application_redirect_uri_param]
+        oauth_applications_homepage_url_column => oauth_application_params[oauth_application_homepage_url_param]
       }
 
+      redirect_uris = oauth_application_params[oauth_application_redirect_uri_param]
+      redirect_uris = redirect_uris.to_a.reject(&:empty?).join(" ") if redirect_uris.respond_to?(:each)
+      create_params[oauth_applications_redirect_uri_column] = redirect_uris unless redirect_uris.empty?
       # set client ID/secret pairs
+
       create_params.merge! \
         oauth_applications_client_id_column => oauth_unique_id_generator,
-        oauth_applications_client_secret_column => oauth_unique_id_generator
+        oauth_applications_client_secret_column => \
+          secret_hash(oauth_application_params[oauth_application_client_secret_param])
 
       create_params[oauth_applications_scopes_column] = if create_params[oauth_applications_scopes_column]
-                                                          create_params[oauth_applications_scopes_column].join(",")
+                                                          create_params[oauth_applications_scopes_column].join(oauth_scope_separator)
                                                         else
                                                           oauth_application_default_scope
                                                         end
 
-      ds = db[oauth_applications_table]
-
       id = nil
       raised = begin
-        id = if ds.supports_returning?(:insert)
-               ds.returning(oauth_applications_id_column).insert(create_params)
-             else
-               id = db[oauth_applications_table].insert(create_params)
-               db[oauth_applications_table].where(oauth_applications_id_column => id).get(oauth_applications_id_column)
-             end
-        false
+                 id = db[oauth_applications_table].insert(create_params)
+                 false
                rescue Sequel::ConstraintViolation => e
                  e
-      end
+               end
 
       if raised
         field = raised.message[/\.(.*)$/, 1]
@@ -402,12 +660,38 @@ module Rodauth
     end
 
     # Authorize
+    def before_authorize
+      require_account
+    end
 
     def validate_oauth_grant_params
-      unless oauth_application && check_valid_redirect_uri? && check_valid_access_type?
+      redirect_response_error("invalid_request", request.referer || default_redirect) unless oauth_application && check_valid_redirect_uri?
+
+      unless oauth_application && check_valid_redirect_uri? && check_valid_access_type? &&
+             check_valid_approval_prompt? && check_valid_response_type?
         redirect_response_error("invalid_request")
       end
       redirect_response_error("invalid_scope") unless check_valid_scopes?
+
+      validate_pkce_challenge_params if use_oauth_pkce?
+    end
+
+    def try_approval_prompt
+      approval_prompt = param_or_nil("approval_prompt")
+
+      return unless approval_prompt && approval_prompt == "auto"
+
+      return if db[oauth_grants_table].where(
+        oauth_grants_account_id_column => account_id,
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_grants_redirect_uri_column => redirect_uri,
+        oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+        oauth_grants_access_type_column => "online"
+      ).count.zero?
+
+      # if there's a previous oauth grant for the params combo, it means that this user has approved before.
+
+      request.env["REQUEST_METHOD"] = "POST"
     end
 
     def create_oauth_grant
@@ -415,24 +699,37 @@ module Rodauth
         oauth_grants_account_id_column => account_id,
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_grants_redirect_uri_column => redirect_uri,
-        oauth_grants_code_column => oauth_unique_id_generator,
         oauth_grants_expires_in_column => Time.now + oauth_grant_expires_in,
-        oauth_grants_scopes_column => scopes.join(",")
+        oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
       }
 
-      unless (access_type = param("access_type")).empty?
-        create_params[oauth_grants_access_type_column] = access_type
+      # Access Type flow
+      if use_oauth_access_type?
+        if (access_type = param_or_nil("access_type"))
+          create_params[oauth_grants_access_type_column] = access_type
+        end
+      end
+
+      # PKCE flow
+      if use_oauth_pkce?
+
+        if (code_challenge = param_or_nil("code_challenge"))
+          code_challenge_method = param_or_nil("code_challenge_method")
+
+          create_params[oauth_grants_code_challenge_column] = code_challenge
+          create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
+        elsif oauth_require_pkce
+          redirect_response_error("code_challenge_required")
+        end
       end
 
       ds = db[oauth_grants_table]
 
       begin
-        if ds.supports_returning?(:insert)
-          ds.returning(authorize_code_column).insert(create_params)
-        else
-          id = ds.insert(create_params)
-          ds.where(oauth_grants_id_column => id).get(oauth_grants_code_column)
-        end
+        authorization_code = oauth_unique_id_generator
+        create_params[oauth_grants_code_column] = authorization_code
+        ds.insert(create_params)
+        authorization_code
       rescue Sequel::UniqueConstraintViolation
         retry
       end
@@ -440,155 +737,187 @@ module Rodauth
 
     # Access Tokens
 
-    def validate_oauth_token_params
-      redirect_response_error("invalid_request") unless param(client_id_param)
+    def before_token
+      require_oauth_application
+    end
 
-      unless (grant_type = param(grant_type_param))
+    def validate_oauth_token_params
+      unless (grant_type = param_or_nil("grant_type"))
         redirect_response_error("invalid_request")
       end
 
       case grant_type
       when "authorization_code"
-        redirect_response_error("invalid_request") unless param(code_param)
+        redirect_response_error("invalid_request") unless param_or_nil("code")
 
       when "refresh_token"
-        redirect_response_error("invalid_request") unless param(refresh_token_param)
+        redirect_response_error("invalid_request") unless param_or_nil("refresh_token")
       else
         redirect_response_error("invalid_request")
       end
     end
 
-    def generate_oauth_token(params = {})
+    def create_oauth_token
+      case param("grant_type")
+      when "authorization_code"
+        create_oauth_token_from_authorization_code(oauth_application)
+      when "refresh_token"
+        create_oauth_token_from_token(oauth_application)
+      else
+        redirect_response_error("invalid_grant")
+      end
+    end
+
+    def create_oauth_token_from_authorization_code(oauth_application)
+      # fetch oauth grant
+      oauth_grant = db[oauth_grants_table].where(
+        oauth_grants_code_column => param("code"),
+        oauth_grants_redirect_uri_column => param("redirect_uri"),
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_grants_revoked_at_column => nil
+      ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+                                          .for_update
+                                          .first
+
+      redirect_response_error("invalid_grant") unless oauth_grant
+
+      # PKCE
+      if use_oauth_pkce?
+        if oauth_grant[oauth_grants_code_challenge_column]
+          code_verifier = param_or_nil("code_verifier")
+
+          redirect_response_error("invalid_request") unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
+        elsif oauth_require_pkce
+          redirect_response_error("code_challenge_required")
+        end
+      end
+
       create_params = {
-        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in,
-        oauth_tokens_token_column => oauth_unique_id_generator
-      }.merge(params)
+        oauth_tokens_account_id_column => oauth_grant[oauth_grants_account_id_column],
+        oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
+        oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
+        oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
+      }
 
-      ds = db[oauth_tokens_table]
+      # revoke oauth grant
+      db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
+                            .update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
 
-      begin
-        if ds.supports_returning?(:insert)
-          ds.returning.insert(create_params)
+      should_generate_refresh_token = !use_oauth_access_type? ||
+                                      oauth_grant[oauth_grants_access_type_column] == "offline"
+
+      generate_oauth_token(create_params, should_generate_refresh_token)
+    end
+
+    def create_oauth_token_from_token(oauth_application)
+      # fetch oauth token
+      oauth_token = oauth_token_by_refresh_token(param("refresh_token"))
+
+      redirect_response_error("invalid_grant") unless oauth_token && token_from_application?(oauth_token, oauth_application)
+
+      token = oauth_unique_id_generator
+
+      update_params = {
+        oauth_tokens_oauth_application_id_column => oauth_token[oauth_grants_oauth_application_id_column],
+        oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in
+      }
+
+      if oauth_tokens_token_hash_column
+        update_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+      else
+        update_params[oauth_tokens_token_column] = token
+      end
+
+      ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+
+      oauth_token = begin
+        if ds.supports_returning?(:update)
+          ds.returning.update(update_params).first
         else
-          id = ds.insert(create_params)
-          ds.where(oauth_tokens_id_column => id).first
+          ds.update(update_params)
+          ds.first
         end
-      rescue Sequel::UniqueConstraintViolation
-        retry
+                    rescue Sequel::UniqueConstraintViolation
+                      retry
       end
+
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token
     end
 
-    def create_oauth_token
-      case param(grant_type_param)
-      when "authorization_code"
-        # fetch oauth grant
-        oauth_grant = db[oauth_grants_table].where(
-          oauth_grants_code_column => param(code_param),
-          oauth_grants_redirect_uri_column => param(redirect_uri_param),
-          oauth_grants_oauth_application_id_column => db[oauth_applications_table].where(
-            oauth_applications_client_id_column => param(client_id_param),
-            oauth_applications_account_id_column => oauth_applications_account_id_column
-          ).select(oauth_applications_id_column)
-        ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                                            .where(oauth_grants_revoked_at_column => nil)
-                                            .first
-
-        redirect_response_error("invalid_grant") unless oauth_grant
-
-        create_params = {
-          oauth_tokens_account_id_column => oauth_grant[oauth_grants_account_id_column],
-          oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
-          oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
-          oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
-        }
-
-        if oauth_grant[oauth_grants_access_type_column] == "offline"
-          create_params[oauth_tokens_refresh_token_column] = oauth_unique_id_generator
-        end
-        # revoke oauth grant
-        db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
-                              .update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+    TOKEN_HINT_TYPES = %w[access_token refresh_token].freeze
 
-        generate_oauth_token(create_params)
-      when "refresh_token"
-        # fetch oauth grant
-        oauth_token = db[oauth_tokens_table].where(
-          oauth_tokens_refresh_token_column => param(refresh_token_param),
-          oauth_tokens_oauth_application_id_column => db[oauth_applications_table].where(
-            oauth_applications_client_id_column => param(client_id_param),
-            oauth_applications_account_id_column => account_id
-          ).select(oauth_applications_id_column)
-        ).where(oauth_grants_revoked_at_column => nil).first
-
-        redirect_response_error("invalid_grant") unless oauth_token
-
-        update_params = {
-          oauth_tokens_oauth_application_id_column => oauth_token[oauth_grants_oauth_application_id_column],
-          oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in,
-          oauth_tokens_token_column => oauth_unique_id_generator
-        }
-
-        ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
-        begin
-          if ds.supports_returning?(:update)
-            ds.returning.update(update_params)
-          else
-            ds.update(update_params)
-            ds.first
-          end
-        rescue Sequel::UniqueConstraintViolation
-          retry
-        end
-      else
-        redirect_response_error("invalid_grant")
+    # Token introspect
+
+    def validate_oauth_introspect_params
+      # check if valid token hint type
+      if param_or_nil("token_type_hint")
+        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(param("token_type_hint"))
       end
+
+      redirect_response_error("invalid_request") unless param_or_nil("token")
     end
 
+    def json_token_introspect_payload(token)
+      return { active: false } unless token
+
+      {
+        active: true,
+        scope: token[oauth_tokens_scopes_column],
+        client_id: oauth_application[oauth_applications_client_id_column],
+        # username
+        token_type: oauth_token_type
+      }
+    end
+
+    def before_introspect; end
+
     # Token revocation
 
-    TOKEN_HINT_TYPES = %w[access_token refresh_token].freeze
+    def before_revoke
+      require_oauth_application
+    end
 
     def validate_oauth_revoke_params
       # check if valid token hint type
-      redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(token_type_hint)
+      if param_or_nil("token_type_hint")
+        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+      end
 
-      redirect_response_error("invalid_request") unless param(token_param)
+      redirect_response_error("invalid_request") unless param_or_nil("token")
     end
 
     def revoke_oauth_token
-      # one can only revoke tokens which haven't been revoked before, and which are
-      # either our tokens, or tokens from applications we own.
-      ds = db[oauth_tokens_table]
-           .where(oauth_tokens_revoked_at_column => nil)
-           .where(
-             Sequel.or(
-               oauth_tokens_account_id_column => account_id,
-               oauth_tokens_oauth_application_id_column => db[oauth_applications_table].where(
-                 oauth_applications_client_id_column => param(client_id_param),
-                 oauth_applications_account_id_column => account_id
-               ).select(oauth_applications_id_column)
-             )
-           )
-      ds = case token_type_hint
-           when "access_token"
-             ds.where(oauth_tokens_token_column => token)
-           when "refresh_token"
-             ds.where(oauth_tokens_refresh_token_column => token)
-           end
+      token = param("token")
+
+      oauth_token = if param("token_type_hint") == "refresh_token"
+                      oauth_token_by_refresh_token(token)
+                    else
+                      oauth_token_by_token(token)
+                    end
 
-      oauth_token = ds.first
       redirect_response_error("invalid_request") unless oauth_token
 
+      if oauth_application
+        redirect_response_error("invalid_request") unless token_from_application?(oauth_token, oauth_application)
+      else
+        @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
+          oauth_token[oauth_tokens_oauth_application_id_column]).first
+      end
+
       update_params = { oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
 
       ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
 
-      if ds.supports_returning?(:update)
-        ds.returning.update(update_params)
-      else
-        ds.update(update_params)
-        ds.first
-      end
+      oauth_token = if ds.supports_returning?(:update)
+                      ds.returning.update(update_params).first
+                    else
+                      ds.update(update_params)
+                      ds.first
+                    end
+
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token
 
       # If the particular
       # token is a refresh token and the authorization server supports the
@@ -601,106 +930,229 @@ module Rodauth
 
     # Response helpers
 
-    def redirect_response_error(error_code, redirect_url = request.referer || default_redirect)
-      if json_request?
+    def redirect_response_error(error_code, redirect_url = redirect_uri || request.referer || default_redirect)
+      if accepts_json?
         throw_json_response_error(invalid_oauth_response_status, error_code)
       else
         redirect_url = URI.parse(redirect_url)
-        query_params = ["error=#{error_code}"]
+        query_params = []
+
+        query_params << if respond_to?(:"#{error_code}_error_code")
+                          "error=#{send(:"#{error_code}_error_code")}"
+                        else
+                          "error=#{error_code}"
+                        end
+
         if respond_to?(:"#{error_code}_message")
           message = send(:"#{error_code}_message")
           query_params << ["error_description=#{CGI.escape(message)}"]
         end
+
         query_params << redirect_url.query if redirect_url.query
         redirect_url.query = query_params.join("&")
         redirect(redirect_url.to_s)
       end
     end
 
+    def json_response_success(body)
+      response.status = 200
+      response["Content-Type"] ||= json_response_content_type
+      json_payload = _json_response_body(body)
+      response.write(json_payload)
+      request.halt
+    end
+
     def throw_json_response_error(status, error_code)
       set_response_error_status(status)
-      payload = { "error" => error_code }
+      code = if respond_to?(:"#{error_code}_error_code")
+               send(:"#{error_code}_error_code")
+             else
+               error_code
+             end
+      payload = { "error" => code }
       payload["error_description"] = send(:"#{error_code}_message") if respond_to?(:"#{error_code}_message")
-      json_payload = if request.respond_to?(:convert_to_json)
-                       request.send(:convert_to_json, payload)
-                     else
-                       JSON.dump(payload)
-                     end
+      json_payload = _json_response_body(payload)
       response["Content-Type"] ||= json_response_content_type
-      response["WWW-Authenticate"] = "Bearer" if status == 401
+      response["WWW-Authenticate"] = oauth_token_type.upcase if status == 401
       response.write(json_payload)
       request.halt
     end
 
+    unless method_defined?(:_json_response_body)
+      # :nocov:
+      def _json_response_body(hash)
+        if request.respond_to?(:convert_to_json)
+          request.send(:convert_to_json, hash)
+        else
+          JSON.dump(hash)
+        end
+      end
+      # :nocov:
+    end
+
     def authorization_required
-      if json_request?
+      if accepts_json?
         throw_json_response_error(authorization_required_error_status, "invalid_client")
       else
         set_redirect_error_flash(require_authorization_error_flash)
-        redirect(require_authorization_redirect)
+        redirect(oauth_authorize_path)
       end
     end
 
+    def check_valid_uri?(uri)
+      URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(uri)
+    end
+
     def check_valid_scopes?
       return false unless scopes
 
-      (scopes - oauth_application[oauth_applications_scopes_column].split(",")).empty?
+      (scopes - oauth_application[oauth_applications_scopes_column].split(oauth_scope_separator)).empty?
     end
 
     def check_valid_redirect_uri?
-      redirect_uri == oauth_application[oauth_applications_redirect_uri_column]
+      oauth_application[oauth_applications_redirect_uri_column].split(" ").include?(redirect_uri)
     end
 
     ACCESS_TYPES = %w[offline online].freeze
 
     def check_valid_access_type?
-      access_type = param("access_type")
-      access_type.empty? || ACCESS_TYPES.include?(access_type)
+      return true unless use_oauth_access_type?
+
+      access_type = param_or_nil("access_type")
+      !access_type || ACCESS_TYPES.include?(access_type)
+    end
+
+    APPROVAL_PROMPTS = %w[force auto].freeze
+
+    def check_valid_approval_prompt?
+      return true unless use_oauth_access_type?
+
+      approval_prompt = param_or_nil("approval_prompt")
+      !approval_prompt || APPROVAL_PROMPTS.include?(approval_prompt)
     end
 
     def check_valid_response_type?
-      response_type = param("response_type")
+      response_type = param_or_nil("response_type")
 
-      return true if response_type.empty? || response_type == "code"
+      return true if response_type.nil? || response_type == "code"
 
-      return use_oauth_implicit_grant_type if response_type == "token"
+      return use_oauth_implicit_grant_type? if response_type == "token"
 
       false
     end
 
+    # PKCE
+
+    def validate_pkce_challenge_params
+      if param_or_nil("code_challenge")
+
+        challenge_method = param_or_nil("code_challenge_method")
+        redirect_response_error("code_challenge_required") unless oauth_pkce_challenge_method == challenge_method
+      else
+        return unless oauth_require_pkce
+
+        redirect_response_error("code_challenge_required")
+      end
+    end
+
+    def check_valid_grant_challenge?(grant, verifier)
+      challenge = grant[oauth_grants_code_challenge_column]
+
+      case grant[oauth_grants_code_challenge_method_column]
+      when "plain"
+        challenge == verifier
+      when "S256"
+        generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier))
+        generated_challenge.delete_suffix!("=") while generated_challenge.end_with?("=")
+
+        challenge == generated_challenge
+      else
+        redirect_response_error("unsupported_transform_algorithm")
+      end
+    end
+
+    # Server metadata
+
+    def oauth_server_metadata_body(path)
+      issuer = base_url
+      issuer += "/#{path}" if issuer
+
+      responses_supported = %w[code]
+      response_modes_supported = %w[query]
+      grant_types_supported = %w[authorization_code]
+
+      if use_oauth_implicit_grant_type?
+        responses_supported << "token"
+        response_modes_supported << "fragment"
+        grant_types_supported << "implicit"
+      end
+      {
+        issuer: issuer,
+        authorization_endpoint: oauth_authorize_url,
+        token_endpoint: oauth_token_url,
+        registration_endpoint: "#{base_url}/#{oauth_applications_path}",
+        scopes_supported: oauth_application_scopes,
+        response_types_supported: responses_supported,
+        response_modes_supported: response_modes_supported,
+        grant_types_supported: grant_types_supported,
+        token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
+        service_documentation: oauth_metadata_service_documentation,
+        ui_locales_supported: oauth_metadata_ui_locales_supported,
+        op_policy_uri: oauth_metadata_op_policy_uri,
+        op_tos_uri: oauth_metadata_op_tos_uri,
+        revocation_endpoint: oauth_revoke_url,
+        revocation_endpoint_auth_methods_supported: nil, # because it's client_secret_basic
+        introspection_endpoint: oauth_introspect_url,
+        introspection_endpoint_auth_methods_supported: %w[client_secret_basic],
+        code_challenge_methods_supported: (use_oauth_pkce? ? oauth_pkce_challenge_method : nil)
+      }
+    end
+
     # /oauth-token
     route(:oauth_token) do |r|
-      throw_json_response_error(authorization_required_error_status, "invalid_client") unless logged_in?
+      before_token
 
-      # access-token
       r.post do
         catch_error do
           validate_oauth_token_params
 
           oauth_token = nil
           transaction do
-            before_token
             oauth_token = create_oauth_token
-            after_token
           end
 
-          response.status = 200
-          response["Content-Type"] ||= json_response_content_type
-          json_response = {
-            "token" => oauth_token[:token],
-            "token_type" => oauth_token_type,
-            "expires_in" => oauth_token_expires_in
-          }
-
-          json_response["refresh_token"] = oauth_token[:refresh_token] if oauth_token[:refresh_token]
-
-          json_payload = if request.respond_to?(:convert_to_json)
-                           request.send(:convert_to_json, json_response)
-                         else
-                           JSON.dump(json_response)
-                         end
-          response.write(json_payload)
-          request.halt
+          json_response_success(json_access_token_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # /oauth-introspect
+    route(:oauth_introspect) do |r|
+      before_introspect
+
+      r.post do
+        catch_error do
+          validate_oauth_introspect_params
+
+          oauth_token = case param("token_type_hint")
+                        when "access_token"
+                          oauth_token_by_token(param("token"))
+                        when "refresh_token"
+                          oauth_token_by_refresh_token(param("token"))
+                        else
+                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
+                        end
+
+          if oauth_application
+            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
+          elsif oauth_token
+            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
+              oauth_token[oauth_tokens_oauth_application_id_column]).first
+          end
+
+          json_response_success(json_token_introspect_payload(oauth_token))
         end
 
         throw_json_response_error(invalid_oauth_response_status, "invalid_request")
@@ -709,80 +1161,67 @@ module Rodauth
 
     # /oauth-revoke
     route(:oauth_revoke) do |r|
-      require_account
+      before_revoke
 
-      # access-token
       r.post do
         catch_error do
           validate_oauth_revoke_params
 
           oauth_token = nil
           transaction do
-            before_revoke
             oauth_token = revoke_oauth_token
             after_revoke
           end
 
-          if json_request?
-            response.status = 200
-            response["Content-Type"] ||= json_response_content_type
-            json_response = {
-              "token" => oauth_token[:token],
-              "refresh_token" => oauth_token[:refresh_token],
-              "revoked_at" => oauth_token[:revoked_at]
-            }
-            json_payload = if request.respond_to?(:convert_to_json)
-                             request.send(:convert_to_json, json_response)
-                           else
-                             JSON.dump(json_response)
-                           end
-            response.write(json_payload)
-            request.halt
+          if accepts_json?
+            json_response_success \
+              "token" => oauth_token[oauth_tokens_token_column],
+              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
+              "revoked_at" => oauth_token[oauth_tokens_revoked_at_column]
           else
             set_notice_flash revoke_oauth_token_notice_flash
             redirect request.referer || "/"
           end
         end
 
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+        redirect_response_error("invalid_request", request.referer || "/")
       end
     end
 
     # /oauth-authorize
     route(:oauth_authorize) do |r|
       require_account
+      validate_oauth_grant_params
+      try_approval_prompt if use_oauth_access_type? && request.get?
+
+      before_authorize
 
       r.get do
-        validate_oauth_grant_params
         authorize_view
       end
 
       r.post do
-        validate_oauth_grant_params
-
         code = nil
         query_params = []
         fragment_params = []
 
         transaction do
-          before_authorize
-          case param(response_type_param)
+          case param("response_type")
           when "token"
-            redirect_response_error("invalid_request", redirect_uri) unless use_oauth_implicit_grant_type
+            redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
 
             create_params = {
               oauth_tokens_account_id_column => account_id,
               oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
               oauth_tokens_scopes_column => scopes
             }
-            oauth_token = generate_oauth_token(create_params)
+            oauth_token = generate_oauth_token(create_params, false)
 
-            fragment_params << ["access_token=#{oauth_token[:token]}"]
-            fragment_params << ["token_type=#{oauth_token_type}"]
-            fragment_params << ["expires_in=#{oauth_token_expires_in}"]
+            token_payload = json_access_token_payload(oauth_token)
+            fragment_params.replace(token_payload.map { |k, v| "#{k}=#{v}" })
           when "code", "", nil
             code = create_oauth_grant
-            query_params << ["code=#{code}"]
+            query_params << "code=#{code}"
           else
             redirect_response_error("invalid_request")
           end
@@ -790,7 +1229,7 @@ module Rodauth
         end
 
         redirect_url = URI.parse(redirect_uri)
-        query_params << "state=#{state}" if state
+        query_params << "state=#{param('state')}" if param_or_nil("state")
         query_params << redirect_url.query if redirect_url.query
         redirect_url.query = query_params.join("&") unless query_params.empty?
         redirect_url.fragment = fragment_params.join("&") unless fragment_params.empty?