rodauth-oauth 0.0.3 → 0.2.0

data/lib/rodauth/features/oauth_http_mac.rb

@@ -47,9 +47,6 @@ module Rodauth
         mac_attributes = parse_mac_authorization_header_props(token)
 
         oauth_token = oauth_token_by_token(mac_attributes["id"])
-                      .where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                      .where(oauth_tokens_revoked_at_column => nil)
-                      .first
 
         return unless oauth_token && mac_signature_matches?(oauth_token, mac_attributes)
 

data/lib/rodauth/features/oauth_jwt.rb

@@ -1,81 +1,207 @@
 # frozen-string-literal: true
 
+require "rodauth/oauth/ttl_store"
+
 module Rodauth
   Feature.define(:oauth_jwt) do
     depends :oauth
 
-    auth_value_method :oauth_jwt_token_issuer, "Example"
+    auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
+    auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
+
+    auth_value_method :oauth_jwt_token_issuer, nil
+
+    auth_value_method :oauth_application_jws_jwk_column, nil
 
     auth_value_method :oauth_jwt_key, nil
     auth_value_method :oauth_jwt_public_key, nil
     auth_value_method :oauth_jwt_algorithm, "HS256"
 
-    auth_value_method :oauth_jwt_jwk_key, nil
-    auth_value_method :oauth_jwt_jwk_public_key, nil
-    auth_value_method :oauth_jwt_jwk_algorithm, "RS256"
-
     auth_value_method :oauth_jwt_jwe_key, nil
     auth_value_method :oauth_jwt_jwe_public_key, nil
     auth_value_method :oauth_jwt_jwe_algorithm, nil
     auth_value_method :oauth_jwt_jwe_encryption_method, nil
 
+    # values used for rotating keys
+    auth_value_method :oauth_jwt_legacy_public_key, nil
+    auth_value_method :oauth_jwt_legacy_algorithm, nil
+
     auth_value_method :oauth_jwt_jwe_copyright, nil
     auth_value_method :oauth_jwt_audience, nil
 
+    auth_value_method :request_uri_not_supported_message, "request uri is unsupported"
+    auth_value_method :invalid_request_object_message, "request object is invalid"
+
     auth_value_methods(
-      :generate_jti,
       :jwt_encode,
-      :jwt_decode
+      :jwt_decode,
+      :jwks_set,
+      :last_account_login_at
     )
 
+    JWKS = OAuth::TtlStore.new
+
     def require_oauth_authorization(*scopes)
       authorization_required unless authorization_token
 
       scopes << oauth_application_default_scope if scopes.empty?
 
-      token_scopes = authorization_token["scopes"].split(",")
+      token_scopes = authorization_token["scope"].split(" ")
 
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
     end
 
     private
 
+    unless method_defined?(:last_account_login_at)
+      def last_account_login_at
+        nil
+      end
+    end
+
     def authorization_token
       return @authorization_token if defined?(@authorization_token)
 
       @authorization_token = begin
-        value = request.get_header("HTTP_AUTHORIZATION").to_s
+        bearer_token = fetch_access_token
+
+        return unless bearer_token
+
+        jwt_token = jwt_decode(bearer_token)
+
+        return unless jwt_token
+
+        return if jwt_token["iss"] != (oauth_jwt_token_issuer || authorization_server_url) ||
+                  (oauth_jwt_audience && jwt_token["aud"] != oauth_jwt_audience) ||
+                  !jwt_token["sub"]
+
+        jwt_token
+      end
+    end
+
+    # /authorize
+
+    def validate_oauth_grant_params
+      # TODO: add support for requst_uri
+      redirect_response_error("request_uri_not_supported") if param_or_nil("request_uri")
+
+      request_object = param_or_nil("request")
+
+      return super unless request_object && oauth_application
+
+      jws_jwk = if oauth_application[oauth_application_jws_jwk_column]
+                  jwk = oauth_application[oauth_application_jws_jwk_column]
+
+                  jwk = JSON.parse(jwk, symbolize_names: true) if jwk && jwk.is_a?(String)
+                else
+                  redirect_response_error("invalid_request_object")
+                end
+
+      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg])
+
+      redirect_response_error("invalid_request_object") unless claims
+
+      # If signed, the Authorization Request
+      # Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
+      # as members, with their semantics being the same as defined in the JWT
+      # [RFC7519] specification.  The value of "aud" should be the value of
+      # the Authorization Server (AS) "issuer" as defined in RFC8414
+      # [RFC8414].
+      claims.delete("iss")
+      audience = claims.delete("aud")
+
+      redirect_response_error("invalid_request_object") if audience && audience != authorization_server_url
 
-        scheme, token = value.split(/ +/, 2)
+      claims.each do |k, v|
+        request.params[k.to_s] = v
+      end
+
+      super
+    end
+
+    # /token
 
-        return unless scheme == "Bearer"
+    def require_oauth_application
+      # requset authentication optional for assertions
+      return super unless param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
 
-        jwt_decode(token)
+      claims = jwt_decode(param("assertion"))
+
+      redirect_response_error("invalid_grant") unless claims
+
+      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
+
+      authorization_required unless @oauth_application
+    end
+
+    def validate_oauth_token_params
+      if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+        redirect_response_error("invalid_client") unless param_or_nil("assertion")
+      else
+        super
+      end
+    end
+
+    def create_oauth_token
+      if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+        create_oauth_token_from_assertion
+      else
+        super
       end
     end
 
+    def create_oauth_token_from_assertion
+      claims = jwt_decode(param("assertion"))
+
+      account = account_ds(claims["sub"]).first
+
+      redirect_response_error("invalid_client") unless oauth_application && account
+
+      create_params = {
+        oauth_tokens_account_id_column => claims["sub"],
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => claims["scope"]
+      }
+
+      generate_oauth_token(create_params, false)
+    end
+
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
         oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
       }.merge(params)
 
-      if should_generate_refresh_token
-        refresh_token = oauth_unique_id_generator
+      oauth_token = rescue_from_uniqueness_error do
+        if should_generate_refresh_token
+          refresh_token = oauth_unique_id_generator
 
-        if oauth_tokens_refresh_token_hash_column
-          create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-        else
-          create_params[oauth_tokens_refresh_token_column] = refresh_token
+          if oauth_tokens_refresh_token_hash_column
+            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+          else
+            create_params[oauth_tokens_refresh_token_column] = refresh_token
+          end
         end
+
+        _generate_oauth_token(create_params)
       end
 
-      oauth_token = _generate_oauth_token(create_params)
+      claims = jwt_claims(oauth_token)
+
+      # one of the points of using jwt is avoiding database lookups, so we put here all relevant
+      # token data.
+      claims[:scope] = oauth_token[oauth_tokens_scopes_column]
 
-      issued_at = Time.current.utc.to_i
+      token = jwt_encode(claims)
 
-      payload = {
-        sub: oauth_token[oauth_tokens_account_id_column],
-        iss: oauth_jwt_token_issuer, # issuer
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token
+    end
+
+    def jwt_claims(oauth_token)
+      issued_at = Time.now.utc.to_i
+
+      claims = {
+        iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
         iat: issued_at, # issued at
         #
         # sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].  In case of
@@ -86,40 +212,117 @@ module Rodauth
         # owner is involved, such as the client credentials grant, the value
         # of "sub" SHOULD correspond to an identifier the authorization
         # server uses to indicate the client application.
-        client_id: oauth_token[oauth_tokens_oauth_application_id_column],
+        sub: jwt_subject(oauth_token),
+        client_id: oauth_application[oauth_applications_client_id_column],
 
         exp: issued_at + oauth_token_expires_in,
-        aud: oauth_jwt_audience,
-
-        # one of the points of using jwt is avoiding database lookups, so we put here all relevant
-        # token data.
-        scopes: oauth_token[oauth_tokens_scopes_column]
+        aud: (oauth_jwt_audience || oauth_application[oauth_applications_client_id_column])
       }
 
-      token = jwt_encode(payload)
+      claims[:auth_time] = last_account_login_at.utc.to_i if last_account_login_at
 
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token
+      claims
+    end
+
+    def jwt_subject(oauth_token)
+      case oauth_jwt_subject_type
+      when "public"
+        oauth_token[oauth_tokens_account_id_column]
+      when "pairwise"
+        id = oauth_token[oauth_tokens_account_id_column]
+        application_id = oauth_token[oauth_tokens_oauth_application_id_column]
+        Digest::SHA256.hexdigest("#{id}#{application_id}#{oauth_jwt_subject_secret}")
+      else
+        raise StandardError, "unexpected subject (#{oauth_jwt_subject_type})"
+      end
+    end
+
+    def oauth_token_by_token(token, *)
+      jwt_decode(token)
+    end
+
+    def json_token_introspect_payload(oauth_token)
+      return { active: false } unless oauth_token
+
+      return super unless oauth_token["sub"] # naive check on whether it's a jwt token
+
+      {
+        active: true,
+        scope: oauth_token["scope"],
+        client_id: oauth_token["client_id"],
+        # username
+        token_type: "access_token",
+        exp: oauth_token["exp"],
+        iat: oauth_token["iat"],
+        nbf: oauth_token["nbf"],
+        sub: oauth_token["sub"],
+        aud: oauth_token["aud"],
+        iss: oauth_token["iss"],
+        jti: oauth_token["jti"]
+      }
+    end
+
+    def oauth_server_metadata_body(path)
+      metadata = super
+      metadata.merge! \
+        jwks_uri: jwks_url,
+        token_endpoint_auth_signing_alg_values_supported: [oauth_jwt_algorithm]
+      metadata
     end
 
     def _jwt_key
-      @_jwt_key ||= oauth_jwt_key || oauth_application[oauth_applications_client_secret_column]
+      @_jwt_key ||= oauth_jwt_key || (oauth_application[oauth_applications_client_secret_column] if oauth_application)
+    end
+
+    # Resource Server only!
+    #
+    # returns the jwks set from the authorization server.
+    def auth_server_jwks_set
+      metadata = authorization_server_metadata
+
+      return unless metadata && (jwks_uri = metadata[:jwks_uri])
+
+      jwks_uri = URI(jwks_uri)
+
+      jwks = JWKS[jwks_uri]
+
+      return jwks if jwks
+
+      JWKS.set(jwks_uri) do
+        http = Net::HTTP.new(jwks_uri.host, jwks_uri.port)
+        http.use_ssl = jwks_uri.scheme == "https"
+
+        request = Net::HTTP::Get.new(jwks_uri.request_uri)
+        request["accept"] = json_response_content_type
+        response = http.request(request)
+        authorization_required unless response.code.to_i == 200
+
+        # time-to-live
+        ttl = if response.key?("cache-control")
+                cache_control = response["cache-control"]
+                cache_control[/max-age=(\d+)/, 1]
+              elsif response.key?("expires")
+                DateTime.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+              end
+
+        [JSON.parse(response.body, symbolize_names: true), ttl]
+      end
     end
 
     if defined?(JSON::JWT)
-      # :nocov:
+
+      def jwk_import(data)
+        JSON::JWK.new(data)
+      end
 
       # json-jwt
       def jwt_encode(payload)
         jwt = JSON::JWT.new(payload)
+        jwk = JSON::JWK.new(_jwt_key)
+
+        jwt = jwt.sign(jwk, oauth_jwt_algorithm)
+        jwt.kid = jwk.thumbprint
 
-        jwt = if oauth_jwt_jwk_key
-                jwk = JSON::JWK.new(oauth_jwt_jwk_key)
-                jwt.kid = jwk.thumbprint
-                jwt.sign(oauth_jwt_jwk_key, oauth_jwt_jwk_algorithm)
-              else
-                jwt.sign(_jwt_key, oauth_jwt_algorithm)
-              end
         if oauth_jwt_jwe_key
           algorithm = oauth_jwt_jwe_algorithm.to_sym if oauth_jwt_jwe_algorithm
           jwt = jwt.encrypt(oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
@@ -129,45 +332,57 @@ module Rodauth
         jwt.to_s
       end
 
-      def jwt_decode(token)
+      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, **)
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
-        if oauth_jwt_jwk_key
-          jwk = JSON::JWK.new(oauth_jwt_jwk_key)
-          JSON::JWT.decode(token, jwk)
-        else
-          JSON::JWT.decode(token, oauth_jwt_public_key || _jwt_key)
+
+        if is_authorization_server?
+          if oauth_jwt_legacy_public_key
+            JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
+          elsif jws_key
+            JSON::JWT.decode(token, jws_key)
+          end
+        elsif (jwks = auth_server_jwks_set)
+          JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
         end
       rescue JSON::JWT::Exception
         nil
       end
-      # :nocov:
+
+      def jwks_set
+        @jwks_set ||= [
+          (JSON::JWK.new(oauth_jwt_public_key).merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (JSON::JWK.new(oauth_jwt_legacy_public_key).merge(use: "sig", alg: oauth_jwt_legacy_algorithm) if oauth_jwt_legacy_public_key),
+          (JSON::JWK.new(oauth_jwt_jwe_public_key).merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
+        ].compact
+      end
+
     elsif defined?(JWT)
 
       # ruby-jwt
 
+      def jwk_import(data)
+        JWT::JWK.import(data).keypair
+      end
+
       def jwt_encode(payload)
         headers = {}
 
-        key, algorithm = if oauth_jwt_jwk_key
-                           jwk_key = JWT::JWK.new(oauth_jwt_jwk_key)
-                           # JWK
-                           # Currently only supports RSA public keys.
-                           headers[:kid] = jwk_key.kid
+        key = _jwt_key
 
-                           [jwk_key.keypair, oauth_jwt_jwk_algorithm]
-                         else
-                           # JWS
+        if key.is_a?(OpenSSL::PKey::RSA)
+          jwk = JWT::JWK.new(_jwt_key)
+          headers[:kid] = jwk.kid
 
-                           [_jwt_key, oauth_jwt_algorithm]
-                         end
+          key = jwk.keypair
+        end
 
         # Use the key and iat to create a unique key per request to prevent replay attacks
         jti_raw = [key, payload[:iat]].join(":").to_s
-        jti = Digest::MD5.hexdigest(jti_raw)
+        jti = Digest::SHA256.hexdigest(jti_raw)
 
         # @see JWT reserved claims - https://tools.ietf.org/html/draft-jones-json-web-token-07#page-7
         payload[:jti] = jti
-        token = JWT.encode(payload, key, algorithm, headers)
+        token = JWT.encode(payload, key, oauth_jwt_algorithm, headers)
 
         if oauth_jwt_jwe_key
           params = {
@@ -182,47 +397,70 @@ module Rodauth
         token
       end
 
-      def jwt_decode(token)
+      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, jws_algorithm: oauth_jwt_algorithm)
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
-
         # decode jwt
-        headers = { algorithms: [oauth_jwt_algorithm] }
-
-        key = if oauth_jwt_jwk_key
-                jwk_key = JWT::JWK.new(oauth_jwt_jwk_key)
-                # JWK
-                # The jwk loader would fetch the set of JWKs from a trusted source
-                jwk_loader = lambda do |options|
-                  @cached_keys = nil if options[:invalidate] # need to reload the keys
-                  @cached_keys ||= { keys: [jwk_key.export] }
-                end
-
-                headers[:algorithms] = [oauth_jwt_jwk_algorithm]
-                headers[:jwks] = jwk_loader
-
-                nil
-              else
-                # JWS
-                # worst case scenario, the key is the application key
-                oauth_jwt_public_key || _jwt_key
-              end
-        token, = JWT.decode(token, key, true, headers)
-        token
-      rescue JWT::DecodeError
+        if is_authorization_server?
+          if oauth_jwt_legacy_public_key
+            algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+            JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms).first
+          elsif jws_key
+            JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
+          end
+        elsif (jwks = auth_server_jwks_set)
+          algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+          JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
+        end
+      rescue JWT::DecodeError, JWT::JWKError
         nil
       end
 
+      def jwks_set
+        @jwks_set ||= [
+          (JWT::JWK.new(oauth_jwt_public_key).export.merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (
+             if oauth_jwt_legacy_public_key
+               JWT::JWK.new(oauth_jwt_legacy_public_key).export.merge(use: "sig", alg: oauth_jwt_legacy_algorithm)
+             end
+           ),
+          (JWT::JWK.new(oauth_jwt_jwe_public_key).export.merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
+        ].compact
+      end
     else
       # :nocov:
+      def jwk_import(_data)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
+
       def jwt_encode(_token)
         raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
       end
 
-      def jwt_decode(_token)
+      def jwt_decode(_token, **)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
+
+      def jwks_set
         raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
       end
       # :nocov:
     end
+
+    def validate_oauth_revoke_params
+      token_hint = param_or_nil("token_type_hint")
+
+      throw(:rodauth_error) if !token_hint || token_hint == "access_token"
+
+      super
+    end
+
+    route(:jwks) do |r|
+      next unless is_authorization_server?
+
+      r.get do
+        json_response_success({ keys: jwks_set })
+      end
+    end
   end
 end