rodauth-oauth 0.0.6 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 73f73e4143c1c646b3a6f2a5e87fb925f38f18e157366d7522328b5cbcd2fbb7
-  data.tar.gz: bce8a4532e365328bb46197e72b05b78beca19b00587630f234cff0c8d51bc35
+  metadata.gz: 3eac600d006a2c78509f608575db062b7ba6d67356b890c7d38414b9b82875f9
+  data.tar.gz: c37fc18c093f546023481a88cc526c5a0b721b1a3bfeac827c21184e0583071b
 SHA512:
-  metadata.gz: 46053f71e35baad7b3c217bfbca0a259d07fd6909713805db23ff92c0503c0907903483e659fe988af774b26a87b274f8b72006983b1acc191bccb7d00919a86
-  data.tar.gz: 35305a71ea2b4035933d93e3fa5a3e9b388f32b2301ff05b87a86af45defa494cefc4d6d9adb823822c82acb995e57794fb710b1935aaab10430c1898d1a55b0
+  metadata.gz: 0a04fdb5ab370ed5736208cbd4ccb1e6da801af52cd68004625a21008c4a10a04bc143d99c9e1a71bccb9fad882fc3cff27d9c0900689dbd5cf6c0616e4d43a0
+  data.tar.gz: e6d5cb6e8ff31d64eb588fa39ad6a1e7bb1ae9416adac64e5f9a21bf451ffd4115a8c2d3bb8759f1a32192a88a4a401336e1baca7621a33934dc1b2a873c8402

data/CHANGELOG.md

@@ -2,8 +2,58 @@
 
 ## master
 
+### 0.1.0
+
+(31/7/2020)
+
+#### Features
+
+##### OpenID
+
+`rodauth-oauth` now ships with support for [OpenID Connect](https://openid.net/connect/). In order to enable, you have to:
+
+```ruby
+plugin :rodauth do
+  enable :oidc
+end
+```
+
+For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/home#openid-connect-since-v01).
+
+It supports omniauth openID integrations out-of-the-box, [check the OpenID example, which integrates with omniauth_openid_connect](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples).
+
+#### Improvements
+
+* JWT: `sub` claim now also handles "pairwise" subjects. For that, you have to set the `oauth_jwt_subject_type` option (`"public"` or `"pairwise"`) and `oauth_jwt_subject_secret` (will be used for salting the `sub` when the type is `"pairwise"`).
+* JWT: `auth_time` claim is now supported; if your application uses the `rodauth` feature `:account_expiration`, it'll use the `last_account_login_at` method, otherwise you can set the `last_account_login_at` option:
+
+```ruby
+last_account_login_at do
+  convert_timestamp(db[accounts_table].where(account_id_column => account_id).get(:that_column_where_you_keep_the_data))
+end
+```
+* JWT: `iss` claim now defaults to `authorization_server_url` when not defined;
+* JWT: `aud` claim now defaults to the token application's client ID (`client_id` claim was removed as a result);
+
+
+
+#### Breaking Changes
+
+`rodauth-oauth` URLs no longer have the `oauth-` prefix, so make sure you update your integrations accordingly, i.e. where you used to rely on `/oauth-authorize`, you'll have to use `/authorize`.
+
+URI schemes for client applications redirect URIs have to be `https`. In order to override this, set the `oauth_valid_uri_schemes` to an array of your expected URI schemes.
+
+
+#### Bugfixes
+
+* Authorization request submission can receive the `scope` as an array of values now, instead of only dealing with receiving a white-space separated list.
+* fixed trailing "/" in the "issuer" value in server metadata (`https://server.com/` -> `https://server.com`).
+
+
 ### 0.0.6
 
+(6/7/2020)
+
 #### Features
 
 The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (see https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20). This means that client applications can send the authorization parameters inside a signed JWT. The client applications keeps the private key, while the authorization server **must** store a public key for the client application. For encrypted JWTs, the client application should use one of the public encryption keys exposed in the JWKs URI, to encrypt the JWT. Remember, **tokens must be signed then encrypted** (or just signed).
@@ -25,7 +75,9 @@ The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (se
 Removed React Javascript from example applications.
 
 
-### 0.0.5 (26/6/2020)
+### 0.0.5
+
+(26/6/2020)
 
 #### Features
 
@@ -62,7 +114,9 @@ It **requires** the authorization to implement the server metadata endpoint (`/.
 * option `scopes_param` renamed to `scope_param`;
 *
 
-## 0.0.4 (13/6/2020)
+## 0.0.4
+
+(13/6/2020)
 
 ### Features
 
@@ -99,7 +153,9 @@ The `oauth_jwt` feature now allows the usage of access tokens to authorize the g
 
 * Fixed scope claim of JWT ("scopes" -> "scope");
 
-## 0.0.3 (5/6/2020)
+## 0.0.3
+
+(5/6/2020)
 
 ### Features
 
@@ -131,7 +187,9 @@ end
 * renamed the existing `use_oauth_implicit_grant_type` to `use_oauth_implicit_grant_type?`;
 * It's now usable as JSON API (small caveat: POST authorize will still redirect on success...);
 
-## 0.0.2 (29/5/2020)
+## 0.0.2
+
+(29/5/2020)
 
 ### Features
 
@@ -147,6 +205,8 @@ end
 
 * usage of client secret for authorizing the generation of tokens, as the spec mandates (and refraining from them when doing PKCE).
 
-## 0.0.1 (14/5/2020)
+## 0.0.1
+
+(14/5/2020)
 
 Initial implementation of the Oauth 2.0 framework, with an example app done using roda.

data/README.md

@@ -1,13 +1,13 @@
 # Rodauth::Oauth
 
-[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/commits/master)
-[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/commits/master)
+[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/pipelines?page=1&ref=master)
+[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
 
 This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framework](https://tools.ietf.org/html/rfc6749) for an authorization server.
 
 ## Features
 
-This gem implements:
+This gem implements the following RFCs and features of OAuth:
 
 * [The OAuth 2.0 protocol framework](https://tools.ietf.org/html/rfc6749):
   * [Authorization grant flow](https://tools.ietf.org/html/rfc6749#section-1.3);
@@ -24,6 +24,8 @@ This gem implements:
 * [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
 * OAuth application and token management dashboards;
 
+It also implements the [OpenID Connect layer](https://openid.net/connect/) on top of the OAuth features it provides.
+
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 
 
@@ -43,6 +45,15 @@ Or install it yourself as:
 
     $ gem install rodauth-oauth
 
+
+## Resources
+|               |                                                             |
+| ------------- | ----------------------------------------------------------- |
+| Website       | https://honeyryderchuck.gitlab.io/rodauth-oauth/            |
+| Documentation | https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/       |
+| Wiki          | https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home |
+| CI            | https://gitlab.com/honeyryderchuck/rodauth-oauth/pipelines  |
+
 ## Usage
 
 This tutorial assumes you already read the documentation and know how to set up `rodauth`. After that, integrating `roda-auth` will look like:
@@ -86,7 +97,18 @@ route do |r|
 end
 ```
 
-You'll have to do a bit more boilerplate, so here's the instructions.
+
+For OpenID, it's very similar to the example above:
+
+```ruby
+plugin :rodauth do
+  # enable it in the plugin
+  enable :login, :openid
+  oauth_application_default_scope %w[openid]
+  oauth_application_scopes %w[openid email profile]
+end
+```
+
 
 ### Example (TL;DR)
 
@@ -101,7 +123,7 @@ Generating tokens happens mostly server-to-server, so here's an example using:
 
 ```ruby
 require "httpx"
-response = HTTPX.post("https://auth_server/oauth-token",json: {
+response = HTTPX.post("https://auth_server/token",json: {
                   client_id: ENV["OAUTH_CLIENT_ID"],
                   client_secret: ENV["OAUTH_CLIENT_SECRET"],
                   grant_type: "authorization_code",
@@ -115,7 +137,7 @@ puts payload #=> {"access_token" => "awr23f3h8f9d2h89...", "refresh_token" => "2
 ##### cURL
 
 ```
-> curl --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"authorization_code","code":"oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as"}' https://auth_server/oauth-token
+> curl --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"authorization_code","code":"oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as"}' https://auth_server/token
 ```
 
 #### Refresh Token
@@ -126,7 +148,7 @@ Refreshing expired tokens also happens mostly server-to-server, here's an exampl
 
 ```ruby
 require "httpx"
-response = HTTPX.post("https://auth_server/oauth-token",json: {
+response = HTTPX.post("https://auth_server/token",json: {
                   client_id: ENV["OAUTH_CLIENT_ID"],
                   client_secret: ENV["OAUTH_CLIENT_SECRET"],
                   grant_type: "refresh_token",
@@ -140,7 +162,7 @@ puts payload #=> {"access_token" => "awr23f3h8f9d2h89...", "token_type" => "Bear
 ##### cURL
 
 ```
-> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-token
+> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/token
 ```
 
 #### Revoking tokens
@@ -151,7 +173,7 @@ Token revocation can be done both by the idenntity owner or the application owne
 require "httpx"
 httpx = HTTPX.plugin(:basic_authorization)
 response = httpx.basic_authentication(ENV["CLIENT_ID"], ENV["CLIENT_SECRET"])
-                .post("https://auth_server/oauth-revoke",json: {
+                .post("https://auth_server/revoke",json: {
                   token_type_hint: "access_token", # can also be "refresh:tokn"
                   token: "2r89hfef4j9f90d2j2390jf390g"
                 })
@@ -163,7 +185,7 @@ puts payload #=> {"access_token" => "awr23f3h8f9d2h89...", "token_type" => "Bear
 ##### cURL
 
 ```
-> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-revoke
+> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/revoke
 ```
 
 #### Token introspection
@@ -174,7 +196,7 @@ Token revocation can be used to determine the state of a token (whether active,
 require "httpx"
 httpx = HTTPX.plugin(:basic_authorization)
 response = httpx.basic_authentication(ENV["CLIENT_ID"], ENV["CLIENT_SECRET"])
-                .post("https://auth_server/oauth-introspect",json: {
+                .post("https://auth_server/introspect",json: {
                   token_type_hint: "access_token", # can also be "refresh:tokn"
                   token: "2r89hfef4j9f90d2j2390jf390g"
                 })
@@ -186,7 +208,7 @@ puts payload #=> {"active" => true, "scope" => "read write" ....
 ##### cURL
 
 ```
-> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-revoke
+> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/revoke
 ```
 
 ### Authorization Server Metadata
@@ -243,10 +265,10 @@ The rodauth default setup expects the roda `render` plugin to be activated; by d
 
 Once you set it up, by default, the following endpoints will be available:
 
-* `GET /oauth-authorize`: Loads the OAuth authorization HTML form;
-* `POST /oauth-authorize`: Responds to an OAuth authorization request, as [per the spec](https://tools.ietf.org/html/rfc6749#section-4);
-* `POST /oauth-token`: Generates OAuth tokens as [per the spec](https://tools.ietf.org/html/rfc6749#section-4.4.2);
-* `POST /oauth-revoke`: Revokes OAuth tokens as [per the spec](https://tools.ietf.org/html/rfc7009);
+* `GET /authorize`: Loads the OAuth authorization HTML form;
+* `POST /authorize`: Responds to an OAuth authorization request, as [per the spec](https://tools.ietf.org/html/rfc6749#section-4);
+* `POST /token`: Generates OAuth tokens as [per the spec](https://tools.ietf.org/html/rfc6749#section-4.4.2);
+* `POST /revoke`: Revokes OAuth tokens as [per the spec](https://tools.ietf.org/html/rfc7009);
 
 ### OAuth applications
 
@@ -426,7 +448,7 @@ The "Proof Key for Code Exchange by OAuth Public Clients" (aka PKCE) flow, which
 ```ruby
 # with httpx
 require "httpx"
-response = HTTPX.post("https://auth_server/oauth-token",json: {
+response = HTTPX.post("https://auth_server/token",json: {
                   client_id: ENV["OAUTH_CLIENT_ID"],
                   grant_type: "authorization_code",
                   code: "oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as",
@@ -477,7 +499,7 @@ Generating an access token will deliver the following fields:
 ```ruby
 # with httpx
 require "httpx"
-response = httpx.post("https://auth_server/oauth-token",json: {
+response = httpx.post("https://auth_server/token",json: {
                   client_id: env["oauth_client_id"],
                   client_secret: env["oauth_client_secret"],
                   grant_type: "authorization_code",
@@ -576,7 +598,7 @@ which adds an extra layer of protection.
 
 #### JWKS URI
 
-A route is defined for getting the JWK Set in a JSON format; this is typically used by client applications, who need the JWK set to decode the JWT token. This URL is typically `https://oauth-server/oauth-jwks`.
+A route is defined for getting the JWK Set in a JSON format; this is typically used by client applications, who need the JWK set to decode the JWT token. This URL is typically `https://oauth-server/jwks`.
 
 #### JWT Bearer as authorization grant
 
@@ -585,7 +607,7 @@ One can emit a new access token by using the bearer access token as grant. This
 ```ruby
 # with httpx
 require "httpx"
-response = httpx.post("https://auth_server/oauth-token",json: {
+response = httpx.post("https://auth_server/token",json: {
                   grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
                   assertion: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6IkV4YW1wbGUiLCJpYXQiOjE1OTIwMDk1MDEsImNsaWVudF9pZCI6IkNMSUVOVF9JRCIsImV4cCI6MTU5MjAxMzEwMSwiYXVkIjpudWxsLCJzY29wZSI6InVzZXIucmVhZCB1c2VyLndyaXRlIiwianRpIjoiOGM1NTVjMjdiOWRjNDdmOTcyNWRkYzBhMjk0NzA1ZTA4NzFkY2JlN2Q5ZTNlMmVkNGE1ZTBiOGZlNTZlYzcxMSJ9.AlxKRtE3ec0mtyBSDx4VseND4eC6cH5ubtv8gfYxxsc"
                 })

data/lib/generators/roda/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -29,7 +29,8 @@ class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
       # uncomment to enable PKCE
       # t.string :code_challenge
       # t.string :code_challenge_method
-
+      # uncomment to use OIDC nonce
+      # t.string :nonce
       t.index(%i[oauth_application_id code], unique: true)
     end
 
@@ -54,6 +55,8 @@ class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :revoked_at
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      # uncomment to use OIDC nonce
+      # t.string :nonce
     end
   end
 end

data/lib/rodauth/features/oauth.rb

@@ -43,7 +43,6 @@ module Rodauth
 
     before "authorize"
     after "authorize"
-    after "authorize_failure"
 
     before "token"
 
@@ -55,15 +54,13 @@ module Rodauth
     before "create_oauth_application"
     after "create_oauth_application"
 
-    error_flash "OAuth Authorization invalid parameters", "oauth_grant_valid_parameters"
-
     error_flash "Please authorize to continue", "require_authorization"
     error_flash "There was an error registering your oauth application", "create_oauth_application"
     notice_flash "Your oauth application has been registered", "create_oauth_application"
 
     notice_flash "The oauth token has been revoked", "revoke_oauth_token"
 
-    view "oauth_authorize", "Authorize", "authorize"
+    view "authorize", "Authorize", "authorize"
     view "oauth_applications", "Oauth Applications", "oauth_applications"
     view "oauth_application", "Oauth Application", "oauth_application"
     view "new_oauth_application", "New Oauth Application", "new_oauth_application"
@@ -80,7 +77,7 @@ module Rodauth
     auth_value_method :oauth_require_pkce, false
     auth_value_method :oauth_pkce_challenge_method, "S256"
 
-    auth_value_method :oauth_valid_uri_schemes, %w[http https]
+    auth_value_method :oauth_valid_uri_schemes, %w[https]
 
     auth_value_method :oauth_scope_separator, " "
 
@@ -148,9 +145,7 @@ module Rodauth
     auth_value_method :oauth_application_scopes, SCOPES
     auth_value_method :oauth_token_type, "bearer"
 
-    auth_value_method :invalid_request, "Request is missing a required parameter"
-    auth_value_method :invalid_client, "Invalid client"
-    auth_value_method :unauthorized_client, "Unauthorized client"
+    auth_value_method :invalid_client_message, "Invalid client"
     auth_value_method :invalid_grant_type_message, "Invalid grant type"
     auth_value_method :invalid_grant_message, "Invalid grant"
     auth_value_method :invalid_scope_message, "Invalid scope"
@@ -195,11 +190,11 @@ module Rodauth
 
     def check_csrf?
       case request.path
-      when oauth_token_path, oauth_introspect_path
+      when token_path, introspect_path
         false
-      when oauth_revoke_path
+      when revoke_path
         !json_request?
-      when oauth_authorize_path, %r{/#{oauth_applications_path}}
+      when authorize_path, %r{/#{oauth_applications_path}}
         only_json? ? false : super
       else
         super
@@ -233,7 +228,15 @@ module Rodauth
     end
 
     def scopes
-      (param_or_nil("scope") || oauth_application_default_scope).split(" ")
+      scope = request.params["scope"]
+      case scope
+      when Array
+        scope
+      when String
+        scope.split(" ")
+      when nil
+        [oauth_application_default_scope]
+      end
     end
 
     def redirect_uri
@@ -266,6 +269,8 @@ module Rodauth
 
       return unless scheme.downcase == oauth_token_type
 
+      return if token.empty?
+
       token
     end
 
@@ -409,7 +414,7 @@ module Rodauth
       http = Net::HTTP.new(auth_url.host, auth_url.port)
       http.use_ssl = auth_url.scheme == "https"
 
-      request = Net::HTTP::Post.new(oauth_introspect_path)
+      request = Net::HTTP::Post.new(introspect_path)
       request["content-type"] = json_response_content_type
       request["accept"] = json_response_content_type
       request.body = JSON.dump({ "token_type_hint" => token_type_hint, "token" => token })
@@ -694,14 +699,14 @@ module Rodauth
       request.env["REQUEST_METHOD"] = "POST"
     end
 
-    def create_oauth_grant
-      create_params = {
+    def create_oauth_grant(create_params = {})
+      create_params.merge!(
         oauth_grants_account_id_column => account_id,
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_grants_redirect_uri_column => redirect_uri,
         oauth_grants_expires_in_column => Time.now + oauth_grant_expires_in,
         oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
-      }
+      )
 
       # Access Type flow
       if use_oauth_access_type?
@@ -735,6 +740,45 @@ module Rodauth
       end
     end
 
+    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+      case param("response_type")
+      when "token"
+        redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
+
+        fragment_params.replace(_do_authorize_token.map { |k, v| "#{k}=#{v}" })
+      when "code", "", nil
+        query_params.replace(_do_authorize_code.map { |k, v| "#{k}=#{v}" })
+      end
+
+      if param_or_nil("state")
+        if !fragment_params.empty?
+          fragment_params << "state=#{param('state')}"
+        else
+          query_params << "state=#{param('state')}"
+        end
+      end
+
+      query_params << redirect_url.query if redirect_url.query
+
+      redirect_url.query = query_params.join("&") unless query_params.empty?
+      redirect_url.fragment = fragment_params.join("&") unless fragment_params.empty?
+    end
+
+    def _do_authorize_code
+      { "code" => create_oauth_grant }
+    end
+
+    def _do_authorize_token
+      create_params = {
+        oauth_tokens_account_id_column => account_id,
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => scopes
+      }
+      oauth_token = generate_oauth_token(create_params, false)
+
+      json_access_token_payload(oauth_token)
+    end
+
     # Access Tokens
 
     def before_token
@@ -760,27 +804,42 @@ module Rodauth
     def create_oauth_token
       case param("grant_type")
       when "authorization_code"
-        create_oauth_token_from_authorization_code(oauth_application)
+        # fetch oauth grant
+        oauth_grant = db[oauth_grants_table].where(
+          oauth_grants_code_column => param("code"),
+          oauth_grants_redirect_uri_column => param("redirect_uri"),
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_revoked_at_column => nil
+        ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+                                            .for_update
+                                            .first
+
+        redirect_response_error("invalid_grant") unless oauth_grant
+
+        create_params = {
+          oauth_tokens_account_id_column => oauth_grant[oauth_grants_account_id_column],
+          oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
+          oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
+          oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
+        }
+        create_oauth_token_from_authorization_code(oauth_grant, create_params)
       when "refresh_token"
-        create_oauth_token_from_token(oauth_application)
+        # fetch oauth token
+        oauth_token = oauth_token_by_refresh_token(param("refresh_token"))
+
+        redirect_response_error("invalid_grant") unless oauth_token
+
+        update_params = {
+          oauth_tokens_oauth_application_id_column => oauth_token[oauth_grants_oauth_application_id_column],
+          oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in
+        }
+        create_oauth_token_from_token(oauth_token, update_params)
       else
         redirect_response_error("invalid_grant")
       end
     end
 
-    def create_oauth_token_from_authorization_code(oauth_application)
-      # fetch oauth grant
-      oauth_grant = db[oauth_grants_table].where(
-        oauth_grants_code_column => param("code"),
-        oauth_grants_redirect_uri_column => param("redirect_uri"),
-        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_grants_revoked_at_column => nil
-      ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                                          .for_update
-                                          .first
-
-      redirect_response_error("invalid_grant") unless oauth_grant
-
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
       # PKCE
       if use_oauth_pkce?
         if oauth_grant[oauth_grants_code_challenge_column]
@@ -792,13 +851,6 @@ module Rodauth
         end
       end
 
-      create_params = {
-        oauth_tokens_account_id_column => oauth_grant[oauth_grants_account_id_column],
-        oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
-        oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
-        oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
-      }
-
       # revoke oauth grant
       db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
                             .update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
@@ -809,19 +861,11 @@ module Rodauth
       generate_oauth_token(create_params, should_generate_refresh_token)
     end
 
-    def create_oauth_token_from_token(oauth_application)
-      # fetch oauth token
-      oauth_token = oauth_token_by_refresh_token(param("refresh_token"))
-
-      redirect_response_error("invalid_grant") unless oauth_token && token_from_application?(oauth_token, oauth_application)
+    def create_oauth_token_from_token(oauth_token, update_params)
+      redirect_response_error("invalid_grant") unless token_from_application?(oauth_token, oauth_application)
 
       token = oauth_unique_id_generator
 
-      update_params = {
-        oauth_tokens_oauth_application_id_column => oauth_token[oauth_grants_oauth_application_id_column],
-        oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in
-      }
-
       if oauth_tokens_token_hash_column
         update_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
       else
@@ -995,7 +1039,7 @@ module Rodauth
         throw_json_response_error(authorization_required_error_status, "invalid_client")
       else
         set_redirect_error_flash(require_authorization_error_flash)
-        redirect(oauth_authorize_path)
+        redirect(authorize_path)
       end
     end
 
@@ -1075,7 +1119,7 @@ module Rodauth
 
     def oauth_server_metadata_body(path)
       issuer = base_url
-      issuer += "/#{path}" if issuer
+      issuer += "/#{path}" if path
 
       responses_supported = %w[code]
       response_modes_supported = %w[query]
@@ -1088,8 +1132,8 @@ module Rodauth
       end
       {
         issuer: issuer,
-        authorization_endpoint: oauth_authorize_url,
-        token_endpoint: oauth_token_url,
+        authorization_endpoint: authorize_url,
+        token_endpoint: token_url,
         registration_endpoint: "#{base_url}/#{oauth_applications_path}",
         scopes_supported: oauth_application_scopes,
         response_types_supported: responses_supported,
@@ -1100,16 +1144,18 @@ module Rodauth
         ui_locales_supported: oauth_metadata_ui_locales_supported,
         op_policy_uri: oauth_metadata_op_policy_uri,
         op_tos_uri: oauth_metadata_op_tos_uri,
-        revocation_endpoint: oauth_revoke_url,
+        revocation_endpoint: revoke_url,
         revocation_endpoint_auth_methods_supported: nil, # because it's client_secret_basic
-        introspection_endpoint: oauth_introspect_url,
+        introspection_endpoint: introspect_url,
         introspection_endpoint_auth_methods_supported: %w[client_secret_basic],
         code_challenge_methods_supported: (use_oauth_pkce? ? oauth_pkce_challenge_method : nil)
       }
     end
 
-    # /oauth-token
-    route(:oauth_token) do |r|
+    # /token
+    route(:token) do |r|
+      next unless is_authorization_server?
+
       before_token
 
       r.post do
@@ -1128,8 +1174,10 @@ module Rodauth
       end
     end
 
-    # /oauth-introspect
-    route(:oauth_introspect) do |r|
+    # /introspect
+    route(:introspect) do |r|
+      next unless is_authorization_server?
+
       before_introspect
 
       r.post do
@@ -1159,8 +1207,10 @@ module Rodauth
       end
     end
 
-    # /oauth-revoke
-    route(:oauth_revoke) do |r|
+    # /revoke
+    route(:revoke) do |r|
+      next unless is_authorization_server?
+
       before_revoke
 
       r.post do
@@ -1188,8 +1238,10 @@ module Rodauth
       end
     end
 
-    # /oauth-authorize
-    route(:oauth_authorize) do |r|
+    # /authorize
+    route(:authorize) do |r|
+      next unless is_authorization_server?
+
       require_account
       validate_oauth_grant_params
       try_approval_prompt if use_oauth_access_type? && request.get?
@@ -1201,39 +1253,11 @@ module Rodauth
       end
 
       r.post do
-        code = nil
-        query_params = []
-        fragment_params = []
+        redirect_url = URI.parse(redirect_uri)
 
         transaction do
-          case param("response_type")
-          when "token"
-            redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
-
-            create_params = {
-              oauth_tokens_account_id_column => account_id,
-              oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-              oauth_tokens_scopes_column => scopes
-            }
-            oauth_token = generate_oauth_token(create_params, false)
-
-            token_payload = json_access_token_payload(oauth_token)
-            fragment_params.replace(token_payload.map { |k, v| "#{k}=#{v}" })
-          when "code", "", nil
-            code = create_oauth_grant
-            query_params << "code=#{code}"
-          else
-            redirect_response_error("invalid_request")
-          end
-          after_authorize
+          do_authorize(redirect_url)
         end
-
-        redirect_url = URI.parse(redirect_uri)
-        query_params << "state=#{param('state')}" if param_or_nil("state")
-        query_params << redirect_url.query if redirect_url.query
-        redirect_url.query = query_params.join("&") unless query_params.empty?
-        redirect_url.fragment = fragment_params.join("&") unless fragment_params.empty?
-
         redirect(redirect_url.to_s)
       end
     end

data/lib/rodauth/features/oauth_http_mac.rb

@@ -2,6 +2,7 @@
 
 module Rodauth
   Feature.define(:oauth_http_mac) do
+    # :nocov:
     unless String.method_defined?(:delete_prefix)
       module PrefixExtensions
         refine(String) do
@@ -27,6 +28,7 @@ module Rodauth
       end
       using(PrefixExtensions)
     end
+    # :nocov:
 
     depends :oauth
 

data/lib/rodauth/features/oauth_jwt.rb

@@ -6,7 +6,10 @@ module Rodauth
   Feature.define(:oauth_jwt) do
     depends :oauth
 
-    auth_value_method :oauth_jwt_token_issuer, "Example"
+    auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
+    auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
+
+    auth_value_method :oauth_jwt_token_issuer, nil
 
     auth_value_method :oauth_application_jws_jwk_column, nil
 
@@ -28,7 +31,8 @@ module Rodauth
     auth_value_methods(
       :jwt_encode,
       :jwt_decode,
-      :jwks_set
+      :jwks_set,
+      :last_account_login_at
     )
 
     JWKS = OAuth::TtlStore.new
@@ -45,6 +49,12 @@ module Rodauth
 
     private
 
+    unless method_defined?(:last_account_login_at)
+      def last_account_login_at
+        nil
+      end
+    end
+
     def authorization_token
       return @authorization_token if defined?(@authorization_token)
 
@@ -57,8 +67,8 @@ module Rodauth
 
         return unless jwt_token
 
-        return if jwt_token["iss"] != oauth_jwt_token_issuer ||
-                  jwt_token["aud"] != oauth_jwt_audience ||
+        return if jwt_token["iss"] != (oauth_jwt_token_issuer || authorization_server_url) ||
+                  (oauth_jwt_audience && jwt_token["aud"] != oauth_jwt_audience) ||
                   !jwt_token["sub"]
 
         jwt_token
@@ -169,11 +179,23 @@ module Rodauth
 
       oauth_token = _generate_oauth_token(create_params)
 
+      claims = jwt_claims(oauth_token)
+
+      # one of the points of using jwt is avoiding database lookups, so we put here all relevant
+      # token data.
+      claims[:scope] = oauth_token[oauth_tokens_scopes_column]
+
+      token = jwt_encode(claims)
+
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token
+    end
+
+    def jwt_claims(oauth_token)
       issued_at = Time.now.utc.to_i
 
-      payload = {
-        sub: oauth_token[oauth_tokens_account_id_column],
-        iss: oauth_jwt_token_issuer, # issuer
+      claims = {
+        iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
         iat: issued_at, # issued at
         #
         # sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].  In case of
@@ -184,20 +206,29 @@ module Rodauth
         # owner is involved, such as the client credentials grant, the value
         # of "sub" SHOULD correspond to an identifier the authorization
         # server uses to indicate the client application.
+        sub: jwt_subject(oauth_token),
         client_id: oauth_application[oauth_applications_client_id_column],
 
         exp: issued_at + oauth_token_expires_in,
-        aud: oauth_jwt_audience,
-
-        # one of the points of using jwt is avoiding database lookups, so we put here all relevant
-        # token data.
-        scope: oauth_token[oauth_tokens_scopes_column]
+        aud: (oauth_jwt_audience || oauth_application[oauth_applications_client_id_column])
       }
 
-      token = jwt_encode(payload)
+      claims[:auth_time] = last_account_login_at.utc.to_i if last_account_login_at
 
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token
+      claims
+    end
+
+    def jwt_subject(oauth_token)
+      case oauth_jwt_subject_type
+      when "public"
+        oauth_token[oauth_tokens_account_id_column]
+      when "pairwise"
+        id = oauth_token[oauth_tokens_account_id_column]
+        application_id = oauth_token[oauth_tokens_oauth_application_id_column]
+        Digest::SHA256.hexdigest("#{id}#{application_id}#{oauth_jwt_subject_secret}")
+      else
+        raise StandardError, "unexpected subject (#{oauth_jwt_subject_type})"
+      end
     end
 
     def oauth_token_by_token(token, *)
@@ -228,17 +259,11 @@ module Rodauth
     def oauth_server_metadata_body(path)
       metadata = super
       metadata.merge! \
-        jwks_uri: oauth_jwks_url,
+        jwks_uri: jwks_url,
         token_endpoint_auth_signing_alg_values_supported: [oauth_jwt_algorithm]
       metadata
     end
 
-    def token_from_application?(oauth_token, oauth_application)
-      return super unless oauth_token["sub"] # naive check on whether it's a jwt token
-
-      oauth_token["client_id"] == oauth_application[oauth_applications_client_id_column]
-    end
-
     def _jwt_key
       @_jwt_key ||= oauth_jwt_key || (oauth_application[oauth_applications_client_secret_column] if oauth_application)
     end
@@ -412,7 +437,9 @@ module Rodauth
       super
     end
 
-    route(:oauth_jwks) do |r|
+    route(:jwks) do |r|
+      next unless is_authorization_server?
+
       r.get do
         json_response_success({ keys: jwks_set })
       end

data/lib/rodauth/features/oidc.rb

@@ -0,0 +1,267 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:oidc) do
+    OIDC_SCOPES_MAP = {
+      "profile" => %i[name family_name given_name middle_name nickname preferred_username
+                      profile picture website gender birthdate zoneinfo locale updated_at].freeze,
+      "email" => %i[email email_verified].freeze,
+      "address" => %i[address].freeze,
+      "phone" => %i[phone_number phone_number_verified].freeze
+    }.freeze
+
+    depends :oauth_jwt
+
+    auth_value_method :oauth_application_default_scope, "openid"
+    auth_value_method :oauth_application_scopes, %w[openid]
+
+    auth_value_method :oauth_grants_nonce_column, :nonce
+    auth_value_method :oauth_tokens_nonce_column, :nonce
+
+    auth_value_method :invalid_scope_message, "The Access Token expired"
+
+    auth_value_method :webfinger_relation, "http://openid.net/specs/connect/1.0/issuer"
+
+    auth_value_methods(:get_oidc_param)
+
+    def openid_configuration(issuer = nil)
+      request.on(".well-known/openid-configuration") do
+        request.get do
+          json_response_success(openid_configuration_body(issuer))
+        end
+      end
+    end
+
+    def webfinger
+      request.on(".well-known/webfinger") do
+        request.get do
+          resource = param_or_nil("resource")
+
+          throw_json_response_error(400, "invalid_request") unless resource
+
+          response.status = 200
+          response["Content-Type"] ||= "application/jrd+json"
+
+          json_payload = JSON.dump({
+                                     subject: resource,
+                                     links: [{
+                                       rel: webfinger_relation,
+                                       href: authorization_server_url
+                                     }]
+                                   })
+          response.write(json_payload)
+          request.halt
+        end
+      end
+    end
+
+    private
+
+    def create_oauth_grant(create_params = {})
+      return super unless (nonce = param_or_nil("nonce"))
+
+      super(oauth_grants_nonce_column => nonce)
+    end
+
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+      return super unless oauth_grant[oauth_grants_nonce_column]
+
+      super(oauth_grant, create_params.merge(oauth_tokens_nonce_column => oauth_grant[oauth_grants_nonce_column]))
+    end
+
+    def create_oauth_token
+      oauth_token = super
+      generate_id_token(oauth_token)
+      oauth_token
+    end
+
+    def generate_id_token(oauth_token)
+      oauth_scopes = oauth_token[oauth_tokens_scopes_column].split(oauth_scope_separator)
+
+      return unless oauth_scopes.include?("openid")
+
+      id_token_claims = jwt_claims(oauth_token)
+      id_token_claims[:nonce] = oauth_token[oauth_tokens_nonce_column] if oauth_token[oauth_tokens_nonce_column]
+
+      # Time when the End-User authentication occurred.
+      #
+      # Sounds like the same as issued at claim.
+      id_token_claims[:auth_time] = id_token_claims[:iat]
+
+      account = db[accounts_table].where(account_id_column => oauth_token[oauth_tokens_account_id_column]).first
+
+      # this should never happen!
+      # a newly minted oauth token from a grant should have been assigned to an account
+      # who just authorized its generation.
+      return unless account
+
+      fill_with_account_claims(id_token_claims, account, oauth_scopes)
+
+      oauth_token[:id_token] = jwt_encode(id_token_claims)
+    end
+
+    def fill_with_account_claims(claims, account, scopes)
+      scopes_by_oidc = scopes.each_with_object({}) do |scope, by_oidc|
+        oidc, param = scope.split(".", 2)
+
+        by_oidc[oidc] ||= []
+
+        by_oidc[oidc] << param.to_sym if param
+      end
+
+      oidc_scopes = (OIDC_SCOPES_MAP.keys & scopes_by_oidc.keys)
+
+      return if oidc_scopes.empty?
+
+      if respond_to?(:get_oidc_param)
+        oidc_scopes.each do |scope|
+          params = scopes_by_oidc[scope]
+          params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
+
+          params.each do |param|
+            claims[param] = __send__(:get_oidc_param, account, param)
+          end
+        end
+      else
+        warn "`get_oidc_param(token, param)` must be implemented to use oidc scopes."
+      end
+    end
+
+    def json_access_token_payload(oauth_token)
+      payload = super
+      payload["id_token"] = oauth_token[:id_token] if oauth_token[:id_token]
+      payload
+    end
+
+    # Authorize
+
+    def check_valid_response_type?
+      case param_or_nil("response_type")
+      when "none", "id_token",
+           "code token", "code id_token", "id_token token", "code id_token token" # multiple
+        true
+      else
+        super
+      end
+    end
+
+    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+      return super unless use_oauth_implicit_grant_type?
+
+      case param("response_type")
+      when "id_token"
+        fragment_params.replace(_do_authorize_id_token.map { |k, v| "#{k}=#{v}" })
+      when "code token"
+        redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
+
+        params = _do_authorize_code.merge(_do_authorize_token)
+
+        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+      when "code id_token"
+        params = _do_authorize_code.merge(_do_authorize_id_token)
+
+        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+      when "id_token token"
+        params = _do_authorize_id_token.merge(_do_authorize_token)
+
+        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+      when "code id_token token"
+        params = _do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token)
+
+        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+      end
+
+      super(redirect_url, query_params, fragment_params)
+    end
+
+    def _do_authorize_id_token
+      create_params = {
+        oauth_tokens_account_id_column => account_id,
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => scopes
+      }
+      oauth_token = generate_oauth_token(create_params, false)
+      generate_id_token(oauth_token)
+      params = json_access_token_payload(oauth_token)
+      params.delete("access_token")
+      params
+    end
+
+    # Metadata
+
+    def openid_configuration_body(path)
+      metadata = oauth_server_metadata_body(path)
+
+      scope_claims = oauth_application_scopes.each_with_object([]) do |scope, claims|
+        oidc, param = scope.split(".", 2)
+        if param
+          claims << param
+        else
+          oidc_claims = OIDC_SCOPES_MAP[oidc]
+          claims.concat(oidc_claims) if oidc_claims
+        end
+      end
+
+      scope_claims.unshift("auth_time") if last_account_login_at
+
+      metadata.merge({
+                       userinfo_endpoint: userinfo_url,
+                       response_types_supported: metadata[:response_types_supported] +
+                         ["none", "id_token", %w[code token], %w[code id_token], %w[id_token token], %w[code id_token token]],
+                       response_modes_supported: %w[query fragment],
+                       grant_types_supported: %w[authorization_code implicit],
+
+                       subject_types_supported: [oauth_jwt_subject_type],
+
+                       id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],
+                       id_token_encryption_alg_values_supported: [oauth_jwt_jwe_algorithm].compact,
+                       id_token_encryption_enc_values_supported: [oauth_jwt_jwe_encryption_method].compact,
+
+                       userinfo_signing_alg_values_supported: [],
+                       userinfo_encryption_alg_values_supported: [],
+                       userinfo_encryption_enc_values_supported: [],
+
+                       request_object_signing_alg_values_supported: [],
+                       request_object_encryption_alg_values_supported: [],
+                       request_object_encryption_enc_values_supported: [],
+
+                       # These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
+                       # Values defined by this specification are normal, aggregated, and distributed.
+                       # If omitted, the implementation supports only normal Claims.
+                       claim_types_supported: %w[normal],
+                       claims_supported: %w[sub iss iat exp aud] | scope_claims
+                     })
+    end
+
+    # /userinfo
+    route(:userinfo) do |r|
+      next unless is_authorization_server?
+
+      r.on method: %i[get post] do
+        catch_error do
+          oauth_token = authorization_token
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_token
+
+          oauth_scopes = oauth_token["scope"].split(" ")
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
+
+          account = db[accounts_table].where(account_id_column => oauth_token["sub"]).first
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless account
+
+          oauth_scopes.delete("openid")
+
+          oidc_claims = { "sub" => oauth_token["sub"] }
+
+          fill_with_account_claims(oidc_claims, account, oauth_scopes)
+
+          json_response_success(oidc_claims)
+        end
+
+        throw_json_response_error(authorization_required_error_status, "invalid_token")
+      end
+    end
+  end
+end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.0.6"
+    VERSION = "0.1.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.1.0
 platform: ruby
 authors:
 - Tiago Cardoso
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-06 00:00:00.000000000 Z
+date: 2020-08-01 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -32,6 +32,7 @@ files:
 - lib/rodauth/features/oauth.rb
 - lib/rodauth/features/oauth_http_mac.rb
 - lib/rodauth/features/oauth_jwt.rb
+- lib/rodauth/features/oidc.rb
 - lib/rodauth/oauth.rb
 - lib/rodauth/oauth/railtie.rb
 - lib/rodauth/oauth/ttl_store.rb
@@ -42,7 +43,7 @@ metadata:
   homepage_uri: https://gitlab.com/honeyryderchuck/roda-oauth
   source_code_uri: https://gitlab.com/honeyryderchuck/roda-oauth
   changelog_uri: https://gitlab.com/honeyryderchuck/roda-oauth/-/blob/master/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -58,7 +59,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.2
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.
 test_files: []