rodauth-oauth 0.0.4 → 0.3.0

data/lib/rodauth/features/oauth_saml.rb

@@ -0,0 +1,104 @@
+# frozen-string-literal: true
+
+require "onelogin/ruby-saml"
+
+module Rodauth
+  Feature.define(:oauth_saml) do
+    depends :oauth
+
+    auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    auth_value_method :oauth_saml_cert_fingerprint_algorithm, nil
+    auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+    auth_value_method :oauth_saml_security_authn_requests_signed, false
+    auth_value_method :oauth_saml_security_metadata_signed, false
+    auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
+    auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
+
+    SAML_GRANT_TYPE = "http://oauth.net/grant_type/assertion/saml/2.0/bearer"
+
+    # /token
+
+    def require_oauth_application
+      # requset authentication optional for assertions
+      return super unless param("grant_type") == SAML_GRANT_TYPE && !param_or_nil("client_id")
+
+      # TODO: invalid grant
+      authorization_required unless saml_assertion
+
+      redirect_uri = saml_assertion.destination
+
+      @oauth_application = db[oauth_applications_table].where(
+        oauth_applications_homepage_url_column => saml_assertion.audiences,
+        oauth_applications_redirect_uri_column => redirect_uri
+      ).first
+
+      # The Assertion's <Issuer> element MUST contain a unique identifier
+      # for the entity that issued the Assertion.
+      authorization_required unless saml_assertion.issuers.all? do |issuer|
+        issuer.start_with?(@oauth_application[oauth_applications_homepage_url_column])
+      end
+
+      authorization_required unless @oauth_application
+    end
+
+    private
+
+    def secret_matches?(oauth_application, secret)
+      return super unless param_or_nil("assertion")
+
+      true
+    end
+
+    def saml_assertion
+      return @saml_assertion if defined?(@saml_assertion)
+
+      @saml_assertion = begin
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert_fingerprint = oauth_saml_cert_fingerprint
+        settings.idp_cert_fingerprint_algorithm = oauth_saml_cert_fingerprint_algorithm
+        settings.name_identifier_format = oauth_saml_name_identifier_format
+        settings.security[:authn_requests_signed] = oauth_saml_security_authn_requests_signed
+        settings.security[:metadata_signed] = oauth_saml_security_metadata_signed
+        settings.security[:digest_method] = oauth_saml_security_digest_method
+        settings.security[:signature_method] = oauth_saml_security_signature_method
+
+        response = OneLogin::RubySaml::Response.new(param("assertion"), settings: settings, skip_recipient_check: true)
+
+        return unless response.is_valid?
+
+        response
+      end
+    end
+
+    def validate_oauth_token_params
+      return super unless param("grant_type") == SAML_GRANT_TYPE
+
+      redirect_response_error("invalid_client") unless param_or_nil("assertion")
+
+      redirect_response_error("invalid_scope") unless check_valid_scopes?
+    end
+
+    def create_oauth_token
+      if param("grant_type") == SAML_GRANT_TYPE
+        create_oauth_token_from_saml_assertion
+      else
+        super
+      end
+    end
+
+    def create_oauth_token_from_saml_assertion
+      account = db[accounts_table].where(login_column => saml_assertion.nameid).first
+
+      redirect_response_error("invalid_client") unless oauth_application && account
+
+      create_params = {
+        oauth_tokens_account_id_column => account[account_id_column],
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => (param_or_nil("scope") || oauth_application[oauth_applications_scopes_column])
+      }
+
+      generate_oauth_token(create_params, false)
+    end
+  end
+end

data/lib/rodauth/features/oidc.rb

@@ -0,0 +1,388 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:oidc) do
+    OIDC_SCOPES_MAP = {
+      "profile" => %i[name family_name given_name middle_name nickname preferred_username
+                      profile picture website gender birthdate zoneinfo locale updated_at].freeze,
+      "email" => %i[email email_verified].freeze,
+      "address" => %i[address].freeze,
+      "phone" => %i[phone_number phone_number_verified].freeze
+    }.freeze
+
+    VALID_METADATA_KEYS = %i[
+      issuer
+      authorization_endpoint
+      token_endpoint
+      userinfo_endpoint
+      jwks_uri
+      registration_endpoint
+      scopes_supported
+      response_types_supported
+      response_modes_supported
+      grant_types_supported
+      acr_values_supported
+      subject_types_supported
+      id_token_signing_alg_values_supported
+      id_token_encryption_alg_values_supported
+      id_token_encryption_enc_values_supported
+      userinfo_signing_alg_values_supported
+      userinfo_encryption_alg_values_supported
+      userinfo_encryption_enc_values_supported
+      request_object_signing_alg_values_supported
+      request_object_encryption_alg_values_supported
+      request_object_encryption_enc_values_supported
+      token_endpoint_auth_methods_supported
+      token_endpoint_auth_signing_alg_values_supported
+      display_values_supported
+      claim_types_supported
+      claims_supported
+      service_documentation
+      claims_locales_supported
+      ui_locales_supported
+      claims_parameter_supported
+      request_parameter_supported
+      request_uri_parameter_supported
+      require_request_uri_registration
+      op_policy_uri
+      op_tos_uri
+    ].freeze
+
+    REQUIRED_METADATA_KEYS = %i[
+      issuer
+      authorization_endpoint
+      token_endpoint
+      jwks_uri
+      response_types_supported
+      subject_types_supported
+      id_token_signing_alg_values_supported
+    ].freeze
+
+    depends :oauth_jwt
+
+    auth_value_method :oauth_application_default_scope, "openid"
+    auth_value_method :oauth_application_scopes, %w[openid]
+
+    auth_value_method :oauth_grants_nonce_column, :nonce
+    auth_value_method :oauth_tokens_nonce_column, :nonce
+
+    auth_value_method :invalid_scope_message, "The Access Token expired"
+
+    auth_value_method :webfinger_relation, "http://openid.net/specs/connect/1.0/issuer"
+
+    auth_value_method :oauth_prompt_login_cookie_key, "_rodauth_oauth_prompt_login"
+    auth_value_method :oauth_prompt_login_cookie_options, {}.freeze
+    auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
+
+    auth_value_methods(:get_oidc_param)
+
+    # /userinfo
+    route(:userinfo) do |r|
+      next unless is_authorization_server?
+
+      r.on method: %i[get post] do
+        catch_error do
+          oauth_token = authorization_token
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_token
+
+          oauth_scopes = oauth_token["scope"].split(" ")
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
+
+          account = db[accounts_table].where(account_id_column => oauth_token["sub"]).first
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless account
+
+          oauth_scopes.delete("openid")
+
+          oidc_claims = { "sub" => oauth_token["sub"] }
+
+          fill_with_account_claims(oidc_claims, account, oauth_scopes)
+
+          json_response_success(oidc_claims)
+        end
+
+        throw_json_response_error(authorization_required_error_status, "invalid_token")
+      end
+    end
+
+    def openid_configuration(issuer = nil)
+      request.on(".well-known/openid-configuration") do
+        request.get do
+          json_response_success(openid_configuration_body(issuer), cache: true)
+        end
+      end
+    end
+
+    def webfinger
+      request.on(".well-known/webfinger") do
+        request.get do
+          resource = param_or_nil("resource")
+
+          throw_json_response_error(400, "invalid_request") unless resource
+
+          response.status = 200
+          response["Content-Type"] ||= "application/jrd+json"
+
+          json_payload = JSON.dump({
+                                     subject: resource,
+                                     links: [{
+                                       rel: webfinger_relation,
+                                       href: authorization_server_url
+                                     }]
+                                   })
+          response.write(json_payload)
+          request.halt
+        end
+      end
+    end
+
+    private
+
+    def require_authorizable_account
+      try_prompt if param_or_nil("prompt")
+      super
+    end
+
+    # this executes before checking for a logged in account
+    def try_prompt
+      prompt = param_or_nil("prompt")
+
+      case prompt
+      when "none"
+        redirect_response_error("login_required") unless logged_in?
+
+        require_account
+
+        if db[oauth_grants_table].where(
+          oauth_grants_account_id_column => account_id,
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_redirect_uri_column => redirect_uri,
+          oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+          oauth_grants_access_type_column => "online"
+        ).count.zero?
+          redirect_response_error("consent_required")
+        end
+
+        request.env["REQUEST_METHOD"] = "POST"
+      when "login"
+        if logged_in? && request.cookies[oauth_prompt_login_cookie_key] == "login"
+          ::Rack::Utils.delete_cookie_header!(response.headers, oauth_prompt_login_cookie_key, oauth_prompt_login_cookie_options)
+          return
+        end
+
+        # logging out
+        clear_session
+        set_session_value(login_redirect_session_key, request.fullpath)
+
+        login_cookie_opts = Hash[oauth_prompt_login_cookie_options]
+        login_cookie_opts[:value] = "login"
+        login_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_prompt_login_interval) # 15 minutes
+        ::Rack::Utils.set_cookie_header!(response.headers, oauth_prompt_login_cookie_key, login_cookie_opts)
+
+        redirect require_login_redirect
+      when "consent"
+        require_account
+
+        if db[oauth_grants_table].where(
+          oauth_grants_account_id_column => account_id,
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_redirect_uri_column => redirect_uri,
+          oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+          oauth_grants_access_type_column => "online"
+        ).count.zero?
+          redirect_response_error("consent_required")
+        end
+      when "select-account"
+        # obly works if select_account plugin is available
+        require_select_account if respond_to?(:require_select_account)
+      else
+        redirect_response_error("invalid_request")
+      end
+    end
+
+    def create_oauth_grant(create_params = {})
+      return super unless (nonce = param_or_nil("nonce"))
+
+      super(oauth_grants_nonce_column => nonce)
+    end
+
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+      return super unless oauth_grant[oauth_grants_nonce_column]
+
+      super(oauth_grant, create_params.merge(oauth_tokens_nonce_column => oauth_grant[oauth_grants_nonce_column]))
+    end
+
+    def create_oauth_token
+      oauth_token = super
+      generate_id_token(oauth_token)
+      oauth_token
+    end
+
+    def generate_id_token(oauth_token)
+      oauth_scopes = oauth_token[oauth_tokens_scopes_column].split(oauth_scope_separator)
+
+      return unless oauth_scopes.include?("openid")
+
+      id_token_claims = jwt_claims(oauth_token)
+      id_token_claims[:nonce] = oauth_token[oauth_tokens_nonce_column] if oauth_token[oauth_tokens_nonce_column]
+
+      # Time when the End-User authentication occurred.
+      #
+      # Sounds like the same as issued at claim.
+      id_token_claims[:auth_time] = id_token_claims[:iat]
+
+      account = db[accounts_table].where(account_id_column => oauth_token[oauth_tokens_account_id_column]).first
+
+      # this should never happen!
+      # a newly minted oauth token from a grant should have been assigned to an account
+      # who just authorized its generation.
+      return unless account
+
+      fill_with_account_claims(id_token_claims, account, oauth_scopes)
+
+      oauth_token[:id_token] = jwt_encode(id_token_claims)
+    end
+
+    def fill_with_account_claims(claims, account, scopes)
+      scopes_by_oidc = scopes.each_with_object({}) do |scope, by_oidc|
+        oidc, param = scope.split(".", 2)
+
+        by_oidc[oidc] ||= []
+
+        by_oidc[oidc] << param.to_sym if param
+      end
+
+      oidc_scopes = (OIDC_SCOPES_MAP.keys & scopes_by_oidc.keys)
+
+      return if oidc_scopes.empty?
+
+      if respond_to?(:get_oidc_param)
+        oidc_scopes.each do |scope|
+          params = scopes_by_oidc[scope]
+          params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
+
+          params.each do |param|
+            claims[param] = __send__(:get_oidc_param, account, param)
+          end
+        end
+      else
+        warn "`get_oidc_param(token, param)` must be implemented to use oidc scopes."
+      end
+    end
+
+    def json_access_token_payload(oauth_token)
+      payload = super
+      payload["id_token"] = oauth_token[:id_token] if oauth_token[:id_token]
+      payload
+    end
+
+    # Authorize
+
+    def check_valid_response_type?
+      case param_or_nil("response_type")
+      when "none", "id_token",
+           "code token", "code id_token", "id_token token", "code id_token token" # multiple
+        true
+      else
+        super
+      end
+    end
+
+    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+      return super unless use_oauth_implicit_grant_type?
+
+      case param("response_type")
+      when "id_token"
+        fragment_params.replace(_do_authorize_id_token.map { |k, v| "#{k}=#{v}" })
+      when "code token"
+        redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
+
+        params = _do_authorize_code.merge(_do_authorize_token)
+
+        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+      when "code id_token"
+        params = _do_authorize_code.merge(_do_authorize_id_token)
+
+        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+      when "id_token token"
+        params = _do_authorize_id_token.merge(_do_authorize_token)
+
+        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+      when "code id_token token"
+        params = _do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token)
+
+        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+      end
+
+      super(redirect_url, query_params, fragment_params)
+    end
+
+    def _do_authorize_id_token
+      create_params = {
+        oauth_tokens_account_id_column => account_id,
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => scopes
+      }
+      oauth_token = generate_oauth_token(create_params, false)
+      generate_id_token(oauth_token)
+      params = json_access_token_payload(oauth_token)
+      params.delete("access_token")
+      params
+    end
+
+    # Metadata
+
+    def openid_configuration_body(path)
+      metadata = oauth_server_metadata_body(path).select do |k, _|
+        VALID_METADATA_KEYS.include?(k)
+      end
+
+      scope_claims = oauth_application_scopes.each_with_object([]) do |scope, claims|
+        oidc, param = scope.split(".", 2)
+        if param
+          claims << param
+        else
+          oidc_claims = OIDC_SCOPES_MAP[oidc]
+          claims.concat(oidc_claims) if oidc_claims
+        end
+      end
+
+      scope_claims.unshift("auth_time") if last_account_login_at
+
+      metadata.merge(
+        userinfo_endpoint: userinfo_url,
+        response_types_supported: metadata[:response_types_supported] +
+          ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"],
+        response_modes_supported: %w[query fragment],
+        grant_types_supported: %w[authorization_code implicit],
+
+        subject_types_supported: [oauth_jwt_subject_type],
+
+        id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],
+        id_token_encryption_alg_values_supported: [oauth_jwt_jwe_algorithm].compact,
+        id_token_encryption_enc_values_supported: [oauth_jwt_jwe_encryption_method].compact,
+
+        userinfo_signing_alg_values_supported: [],
+        userinfo_encryption_alg_values_supported: [],
+        userinfo_encryption_enc_values_supported: [],
+
+        request_object_signing_alg_values_supported: [],
+        request_object_encryption_alg_values_supported: [],
+        request_object_encryption_enc_values_supported: [],
+
+        # These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
+        # Values defined by this specification are normal, aggregated, and distributed.
+        # If omitted, the implementation supports only normal Claims.
+        claim_types_supported: %w[normal],
+        claims_supported: %w[sub iss iat exp aud] | scope_claims
+      ).reject do |key, val|
+        # Filter null values in optional items
+        (!REQUIRED_METADATA_KEYS.include?(key.to_sym) && val.nil?) ||
+          # Claims with zero elements MUST be omitted from the response
+          (val.respond_to?(:empty?) && val.empty?)
+      end
+    end
+  end
+end