rodauth-oauth 0.0.2 → 0.1.0

data/lib/rodauth/features/oauth_http_mac.rb

@@ -0,0 +1,110 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:oauth_http_mac) do
+    # :nocov:
+    unless String.method_defined?(:delete_prefix)
+      module PrefixExtensions
+        refine(String) do
+          def delete_suffix(suffix)
+            suffix = suffix.to_s
+            len = suffix.length
+            if len.positive? && index(suffix, -len)
+              self[0...-len]
+            else
+              dup
+            end
+          end
+
+          def delete_prefix(prefix)
+            prefix = prefix.to_s
+            if rindex(prefix, 0)
+              self[prefix.length..-1]
+            else
+              dup
+            end
+          end
+        end
+      end
+      using(PrefixExtensions)
+    end
+    # :nocov:
+
+    depends :oauth
+
+    auth_value_method :oauth_token_type, "mac"
+    auth_value_method :oauth_mac_algorithm, "hmac-sha-256" # hmac-sha-256, hmac-sha-1
+    auth_value_method :oauth_tokens_mac_key_column, :mac_key
+
+    def authorization_token
+      return @authorization_token if defined?(@authorization_token)
+
+      @authorization_token = begin
+        value = request.get_header("HTTP_AUTHORIZATION").to_s
+
+        scheme, token = value.split(/ +/, 2)
+
+        return unless scheme == "MAC"
+
+        mac_attributes = parse_mac_authorization_header_props(token)
+
+        oauth_token = oauth_token_by_token(mac_attributes["id"])
+
+        return unless oauth_token && mac_signature_matches?(oauth_token, mac_attributes)
+
+        oauth_token
+
+        # TODO: set new MAC-KEY for the next request
+      end
+    end
+
+    private
+
+    def generate_oauth_token(params = {}, *args)
+      super({ oauth_tokens_mac_key_column => oauth_unique_id_generator }.merge(params), *args)
+    end
+
+    def json_access_token_payload(oauth_token)
+      payload = super
+
+      payload["mac_key"] = oauth_token[oauth_tokens_mac_key_column]
+      payload["mac_algorithm"] = oauth_mac_algorithm
+
+      payload
+    end
+
+    def mac_signature_matches?(oauth_token, mac_attributes)
+      nonce = mac_attributes["nonce"]
+      uri = URI(request.url)
+
+      request_signature = [
+        nonce,
+        request.request_method,
+        uri.request_uri,
+        uri.host,
+        uri.port
+      ].join("\n") + ("\n" * 3)
+
+      mac_algorithm = case oauth_mac_algorithm
+                      when "hmac-sha-256"
+                        OpenSSL::Digest::SHA256
+                      when "hmac-sha-1"
+                        OpenSSL::Digest::SHA1
+                      else
+                        raise ArgumentError, "Unsupported algorithm"
+                      end
+
+      mac_signature = Base64.strict_encode64 \
+        OpenSSL::HMAC.digest(mac_algorithm.new, oauth_token[oauth_tokens_mac_key_column], request_signature)
+
+      mac_signature == mac_attributes["mac"]
+    end
+
+    def parse_mac_authorization_header_props(token)
+      @mac_authorization_header_props = token.split(/ *, */).each_with_object({}) do |prop, props|
+        field, value = prop.split(/ *= */, 2)
+        props[field] = value.delete_prefix("\"").delete_suffix("\"")
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_jwt.rb

@@ -0,0 +1,448 @@
+# frozen-string-literal: true
+
+require "rodauth/oauth/ttl_store"
+
+module Rodauth
+  Feature.define(:oauth_jwt) do
+    depends :oauth
+
+    auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
+    auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
+
+    auth_value_method :oauth_jwt_token_issuer, nil
+
+    auth_value_method :oauth_application_jws_jwk_column, nil
+
+    auth_value_method :oauth_jwt_key, nil
+    auth_value_method :oauth_jwt_public_key, nil
+    auth_value_method :oauth_jwt_algorithm, "HS256"
+
+    auth_value_method :oauth_jwt_jwe_key, nil
+    auth_value_method :oauth_jwt_jwe_public_key, nil
+    auth_value_method :oauth_jwt_jwe_algorithm, nil
+    auth_value_method :oauth_jwt_jwe_encryption_method, nil
+
+    auth_value_method :oauth_jwt_jwe_copyright, nil
+    auth_value_method :oauth_jwt_audience, nil
+
+    auth_value_method :request_uri_not_supported_message, "request uri is unsupported"
+    auth_value_method :invalid_request_object_message, "request object is invalid"
+
+    auth_value_methods(
+      :jwt_encode,
+      :jwt_decode,
+      :jwks_set,
+      :last_account_login_at
+    )
+
+    JWKS = OAuth::TtlStore.new
+
+    def require_oauth_authorization(*scopes)
+      authorization_required unless authorization_token
+
+      scopes << oauth_application_default_scope if scopes.empty?
+
+      token_scopes = authorization_token["scope"].split(" ")
+
+      authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
+    end
+
+    private
+
+    unless method_defined?(:last_account_login_at)
+      def last_account_login_at
+        nil
+      end
+    end
+
+    def authorization_token
+      return @authorization_token if defined?(@authorization_token)
+
+      @authorization_token = begin
+        bearer_token = fetch_access_token
+
+        return unless bearer_token
+
+        jwt_token = jwt_decode(bearer_token)
+
+        return unless jwt_token
+
+        return if jwt_token["iss"] != (oauth_jwt_token_issuer || authorization_server_url) ||
+                  (oauth_jwt_audience && jwt_token["aud"] != oauth_jwt_audience) ||
+                  !jwt_token["sub"]
+
+        jwt_token
+      end
+    end
+
+    # /authorize
+
+    def validate_oauth_grant_params
+      # TODO: add support for requst_uri
+      redirect_response_error("request_uri_not_supported") if param_or_nil("request_uri")
+
+      request_object = param_or_nil("request")
+
+      return super unless request_object && oauth_application
+
+      jws_jwk = if oauth_application[oauth_application_jws_jwk_column]
+                  jwk = oauth_application[oauth_application_jws_jwk_column]
+
+                  if jwk
+                    jwk = JSON.parse(jwk, symbolize_names: true) if jwk.is_a?(String)
+                  end
+                else
+                  redirect_response_error("invalid_request_object")
+                end
+
+      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg])
+
+      redirect_response_error("invalid_request_object") unless claims
+
+      # If signed, the Authorization Request
+      # Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
+      # as members, with their semantics being the same as defined in the JWT
+      # [RFC7519] specification.  The value of "aud" should be the value of
+      # the Authorization Server (AS) "issuer" as defined in RFC8414
+      # [RFC8414].
+      claims.delete(:iss)
+      audience = claims.delete(:aud)
+
+      redirect_response_error("invalid_request_object") if audience && audience != authorization_server_url
+
+      claims.each do |k, v|
+        request.params[k.to_s] = v
+      end
+
+      super
+    end
+
+    # /token
+
+    def before_token
+      # requset authentication optional for assertions
+      return if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+
+      super
+    end
+
+    def validate_oauth_token_params
+      if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+        redirect_response_error("invalid_client") unless param_or_nil("assertion")
+      else
+        super
+      end
+    end
+
+    def create_oauth_token
+      if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+        create_oauth_token_from_assertion
+      else
+        super
+      end
+    end
+
+    def create_oauth_token_from_assertion
+      claims = jwt_decode(param("assertion"))
+
+      redirect_response_error("invalid_grant") unless claims
+
+      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
+
+      account = account_ds(claims["sub"]).first
+
+      redirect_response_error("invalid_client") unless oauth_application && account
+
+      create_params = {
+        oauth_tokens_account_id_column => claims["sub"],
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => claims["scope"]
+      }
+
+      generate_oauth_token(create_params, false)
+    end
+
+    def generate_oauth_token(params = {}, should_generate_refresh_token = true)
+      create_params = {
+        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+      }.merge(params)
+
+      if should_generate_refresh_token
+        refresh_token = oauth_unique_id_generator
+
+        if oauth_tokens_refresh_token_hash_column
+          create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+        else
+          create_params[oauth_tokens_refresh_token_column] = refresh_token
+        end
+      end
+
+      oauth_token = _generate_oauth_token(create_params)
+
+      claims = jwt_claims(oauth_token)
+
+      # one of the points of using jwt is avoiding database lookups, so we put here all relevant
+      # token data.
+      claims[:scope] = oauth_token[oauth_tokens_scopes_column]
+
+      token = jwt_encode(claims)
+
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token
+    end
+
+    def jwt_claims(oauth_token)
+      issued_at = Time.now.utc.to_i
+
+      claims = {
+        iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
+        iat: issued_at, # issued at
+        #
+        # sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].  In case of
+        # access tokens obtained through grants where a resource owner is
+        # involved, such as the authorization code grant, the value of "sub"
+        # SHOULD correspond to the subject identifier of the resource owner.
+        # In case of access tokens obtained through grants where no resource
+        # owner is involved, such as the client credentials grant, the value
+        # of "sub" SHOULD correspond to an identifier the authorization
+        # server uses to indicate the client application.
+        sub: jwt_subject(oauth_token),
+        client_id: oauth_application[oauth_applications_client_id_column],
+
+        exp: issued_at + oauth_token_expires_in,
+        aud: (oauth_jwt_audience || oauth_application[oauth_applications_client_id_column])
+      }
+
+      claims[:auth_time] = last_account_login_at.utc.to_i if last_account_login_at
+
+      claims
+    end
+
+    def jwt_subject(oauth_token)
+      case oauth_jwt_subject_type
+      when "public"
+        oauth_token[oauth_tokens_account_id_column]
+      when "pairwise"
+        id = oauth_token[oauth_tokens_account_id_column]
+        application_id = oauth_token[oauth_tokens_oauth_application_id_column]
+        Digest::SHA256.hexdigest("#{id}#{application_id}#{oauth_jwt_subject_secret}")
+      else
+        raise StandardError, "unexpected subject (#{oauth_jwt_subject_type})"
+      end
+    end
+
+    def oauth_token_by_token(token, *)
+      jwt_decode(token)
+    end
+
+    def json_token_introspect_payload(oauth_token)
+      return { active: false } unless oauth_token
+
+      return super unless oauth_token["sub"] # naive check on whether it's a jwt token
+
+      {
+        active: true,
+        scope: oauth_token["scope"],
+        client_id: oauth_token["client_id"],
+        # username
+        token_type: "access_token",
+        exp: oauth_token["exp"],
+        iat: oauth_token["iat"],
+        nbf: oauth_token["nbf"],
+        sub: oauth_token["sub"],
+        aud: oauth_token["aud"],
+        iss: oauth_token["iss"],
+        jti: oauth_token["jti"]
+      }
+    end
+
+    def oauth_server_metadata_body(path)
+      metadata = super
+      metadata.merge! \
+        jwks_uri: jwks_url,
+        token_endpoint_auth_signing_alg_values_supported: [oauth_jwt_algorithm]
+      metadata
+    end
+
+    def _jwt_key
+      @_jwt_key ||= oauth_jwt_key || (oauth_application[oauth_applications_client_secret_column] if oauth_application)
+    end
+
+    # Resource Server only!
+    #
+    # returns the jwks set from the authorization server.
+    def auth_server_jwks_set
+      metadata = authorization_server_metadata
+
+      return unless metadata && (jwks_uri = metadata[:jwks_uri])
+
+      jwks_uri = URI(jwks_uri)
+
+      jwks = JWKS[jwks_uri]
+
+      return jwks if jwks
+
+      JWKS.set(jwks_uri) do
+        http = Net::HTTP.new(jwks_uri.host, jwks_uri.port)
+        http.use_ssl = jwks_uri.scheme == "https"
+
+        request = Net::HTTP::Get.new(jwks_uri.request_uri)
+        request["accept"] = json_response_content_type
+        response = http.request(request)
+        authorization_required unless response.code.to_i == 200
+
+        # time-to-live
+        ttl = if response.key?("cache-control")
+                cache_control = response["cache_control"]
+                cache_control[/max-age=(\d+)/, 1]
+              elsif response.key?("expires")
+                Time.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+              end
+
+        [JSON.parse(response.body, symbolize_names: true), ttl]
+      end
+    end
+
+    if defined?(JSON::JWT)
+      # :nocov:
+
+      def jwk_import(data)
+        JSON::JWK.new(data)
+      end
+
+      # json-jwt
+      def jwt_encode(payload)
+        jwt = JSON::JWT.new(payload)
+        jwk = JSON::JWK.new(_jwt_key)
+
+        jwt = jwt.sign(jwk, oauth_jwt_algorithm)
+        jwt.kid = jwk.thumbprint
+
+        if oauth_jwt_jwe_key
+          algorithm = oauth_jwt_jwe_algorithm.to_sym if oauth_jwt_jwe_algorithm
+          jwt = jwt.encrypt(oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
+                            algorithm,
+                            oauth_jwt_jwe_encryption_method.to_sym)
+        end
+        jwt.to_s
+      end
+
+      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, **)
+        token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
+
+        @jwt_token = if jws_key
+                       JSON::JWT.decode(token, jws_key)
+                     elsif !is_authorization_server? && auth_server_jwks_set
+                       JSON::JWT.decode(token, JSON::JWK::Set.new(auth_server_jwks_set))
+                     end
+      rescue JSON::JWT::Exception
+        nil
+      end
+
+      def jwks_set
+        [
+          (JSON::JWK.new(oauth_jwt_public_key).merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (JSON::JWK.new(oauth_jwt_jwe_public_key).merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
+        ].compact
+      end
+
+      # :nocov:
+    elsif defined?(JWT)
+
+      # ruby-jwt
+
+      def jwk_import(data)
+        JWT::JWK.import(data).keypair
+      end
+
+      def jwt_encode(payload)
+        headers = {}
+
+        key = _jwt_key
+
+        if key.is_a?(OpenSSL::PKey::RSA)
+          jwk = JWT::JWK.new(_jwt_key)
+          headers[:kid] = jwk.kid
+
+          key = jwk.keypair
+        end
+
+        # Use the key and iat to create a unique key per request to prevent replay attacks
+        jti_raw = [key, payload[:iat]].join(":").to_s
+        jti = Digest::SHA256.hexdigest(jti_raw)
+
+        # @see JWT reserved claims - https://tools.ietf.org/html/draft-jones-json-web-token-07#page-7
+        payload[:jti] = jti
+        token = JWT.encode(payload, key, oauth_jwt_algorithm, headers)
+
+        if oauth_jwt_jwe_key
+          params = {
+            zip: "DEF",
+            copyright: oauth_jwt_jwe_copyright
+          }
+          params[:enc] = oauth_jwt_jwe_encryption_method if oauth_jwt_jwe_encryption_method
+          params[:alg] = oauth_jwt_jwe_algorithm if oauth_jwt_jwe_algorithm
+          token = JWE.encrypt(token, oauth_jwt_jwe_public_key || oauth_jwt_jwe_key, **params)
+        end
+
+        token
+      end
+
+      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, jws_algorithm: oauth_jwt_algorithm)
+        # decrypt jwe
+        token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
+
+        # decode jwt
+        @jwt_token = if jws_key
+                       JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
+                     elsif !is_authorization_server? && auth_server_jwks_set
+                       algorithms = auth_server_jwks_set[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                       JWT.decode(token, nil, true, jwks: auth_server_jwks_set, algorithms: algorithms).first
+                     end
+      rescue JWT::DecodeError, JWT::JWKError
+        nil
+      end
+
+      def jwks_set
+        [
+          (JWT::JWK.new(oauth_jwt_public_key).export.merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (JWT::JWK.new(oauth_jwt_jwe_public_key).export.merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
+        ].compact
+      end
+    else
+      # :nocov:
+      def jwk_import(_data)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
+
+      def jwt_encode(_token)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
+
+      def jwt_decode(_token, **)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
+
+      def jwks_set
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
+      # :nocov:
+    end
+
+    def validate_oauth_revoke_params
+      token_hint = param_or_nil("token_type_hint")
+
+      throw(:rodauth_error) if !token_hint || token_hint == "access_token"
+
+      super
+    end
+
+    route(:jwks) do |r|
+      next unless is_authorization_server?
+
+      r.get do
+        json_response_success({ keys: jwks_set })
+      end
+    end
+  end
+end