rodauth-oauth 0.0.6 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 73f73e4143c1c646b3a6f2a5e87fb925f38f18e157366d7522328b5cbcd2fbb7
-  data.tar.gz: bce8a4532e365328bb46197e72b05b78beca19b00587630f234cff0c8d51bc35
+  metadata.gz: c7c9cc026f547d781b05599d177237498390c8347791aaf5960e7447d2640b0b
+  data.tar.gz: 290ec103b22d394fbae7f153430605fa032b8baf6b6083e31ad8af8cd3d422b8
 SHA512:
-  metadata.gz: 46053f71e35baad7b3c217bfbca0a259d07fd6909713805db23ff92c0503c0907903483e659fe988af774b26a87b274f8b72006983b1acc191bccb7d00919a86
-  data.tar.gz: 35305a71ea2b4035933d93e3fa5a3e9b388f32b2301ff05b87a86af45defa494cefc4d6d9adb823822c82acb995e57794fb710b1935aaab10430c1898d1a55b0
+  metadata.gz: 64c22bd200ff9dcb5e8406ace5f4eb34625bcee5a381e52b6b7e960b614ec3941c0460997542d843ed4eaa843a85a7f2592a027c741d5380a7572edb974ca3a9
+  data.tar.gz: 0a6c93bc131d2fcb45e400173ced20096caa191e3ef73f4e67ab0fc12d5ead9b9f9e6867d163612299141b96b7691429cb5e5b263036887134396f244c3dd4f7

data/CHANGELOG.md

@@ -2,8 +2,160 @@
 
 ## master
 
+### 0.4.1
+
+### Improvements
+
+When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
+
+### Bugfixes
+
+* An error ocurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.
+
+### 0.4.0
+
+### Features
+
+* A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
+
+* The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
+
+
+### Improvements
+
+* For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
+
+### Bugfixes
+
+* The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
+* rails tests were silently not running in CI;
+* The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted;
+
+### 0.3.0
+
+#### Features
+
+* `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also,  refresh token requests performed with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
+
+#### Improvements
+
+
+* Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
+
+* Refresh Tokens are now expirable. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.
+
+#### Bugfixes
+
+* Default Templates now being packaged, as a way to provide a default experience to the OAuth journeys.
+
+* fixing metadata urls when plugin loaded with a prefix path (@ianks)
+
+* All date/time-based calculations, such as determining an expiration date, or checking if a token has expired, are now performed using database arithmetic operations, using sequel's `date_arithmetic` plugin. This will eliminate subtle bugs, such as when the database timezone is different than the application OS timezone.
+
+* OIDC configuration endpoint is now stricter, eliminating JSON metadata inherited from the Oauth metadata endpoint. (@ianks)
+
+#### Chore
+
+Use `rodauth.convert_timestamp` in the templates, whenever dates are displayed.
+
+Set HTTP Cache headers for metadata responses, such as `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`, so they can be stored at the edge. The cache will be valid for 1 day (this value isn't set by an option yet).
+
+### 0.2.0
+
+#### Features
+
+##### SAML Assertion Grant Type
+
+`rodauth-auth` now supports using a SAML Assertion to request for an Access token.In order to enable, you have to:
+
+```ruby
+plugin :rodauth do
+  enable :oauth_saml
+end
+```
+
+For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Assertion-Access-Tokens).
+
+##### Supporting rotating keys
+
+At some point, you'll want to replace the pkeys and algorithm used to generate and verify the JWT access tokens, but you want to keep validating previously-distributed JWT tokens, at least until they expire. Now you can, via two new options, `oauth_jwt_legacy_public_key` and `oauth_jwt_legacy_algorithm`, which will be declared in the JWKs URI and used to verify access tokens.
+
+
+##### Reuse access tokens
+
+If the `oauth_reuse_access_token` is set, if there's already an existing valid access token, any new grant for the same application / account / scope will keep the same access token. This can be helpful in scenarios where one wants the same access token distributed across devices.
+
+##### require_authorizable_account
+
+The method used to verify access to the authorize flow is called `require_authorizable_account`. By default, it checks if a user is logged in by using rodauth's own `require_account`. This is the method you'd want to redefine in order to augment these requirements, i.e. request 2fa authentication.
+
+#### Improvements
+
+Expired and revoked access tokens end up generating a lot of garbage, which will have to be periodically cleaned up. You can mitigate this now by setting a uniqueness index for a group of columns, i.e. if you set a uniqueness index for the `oauth_application_id/account_id/scopes` column, `rodauth-oauth` will transparently reuse the same db entry to store the new access token. If setting some other type of uniqueness index, make sure to update the option `oauth_tokens_unique_columns` (the array of columns from the uniqueness index).
+
+#### Bugfixes
+
+Calling `before_*_route` callbacks appropriately.
+
+Fixed some mishandling of HTTP headers when in in resource-server mode.
+
+#### Chore
+
+* 97.7% test coverage;
+* `rodauth-oauth` CI tests run against sqlite, postgresql and mysql.
+
+### 0.1.0
+
+(31/7/2020)
+
+#### Features
+
+##### OpenID
+
+`rodauth-oauth` now ships with support for [OpenID Connect](https://openid.net/connect/). In order to enable, you have to:
+
+```ruby
+plugin :rodauth do
+  enable :oidc
+end
+```
+
+For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/home#openid-connect-since-v01).
+
+It supports omniauth openID integrations out-of-the-box, [check the OpenID example, which integrates with omniauth_openid_connect](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples).
+
+#### Improvements
+
+* JWT: `sub` claim now also handles "pairwise" subjects. For that, you have to set the `oauth_jwt_subject_type` option (`"public"` or `"pairwise"`) and `oauth_jwt_subject_secret` (will be used for salting the `sub` when the type is `"pairwise"`).
+* JWT: `auth_time` claim is now supported; if your application uses the `rodauth` feature `:account_expiration`, it'll use the `last_account_login_at` method, otherwise you can set the `last_account_login_at` option:
+
+```ruby
+last_account_login_at do
+  convert_timestamp(db[accounts_table].where(account_id_column => account_id).get(:that_column_where_you_keep_the_data))
+end
+```
+* JWT: `iss` claim now defaults to `authorization_server_url` when not defined;
+* JWT: `aud` claim now defaults to the token application's client ID (`client_id` claim was removed as a result);
+
+
+
+#### Breaking Changes
+
+`rodauth-oauth` URLs no longer have the `oauth-` prefix, so make sure you update your integrations accordingly, i.e. where you used to rely on `/oauth-authorize`, you'll have to use `/authorize`.
+
+URI schemes for client applications redirect URIs have to be `https`. In order to override this, set the `oauth_valid_uri_schemes` to an array of your expected URI schemes.
+
+
+#### Bugfixes
+
+* Authorization request submission can receive the `scope` as an array of values now, instead of only dealing with receiving a white-space separated list.
+* fixed trailing "/" in the "issuer" value in server metadata (`https://server.com/` -> `https://server.com`).
+
+
 ### 0.0.6
 
+(6/7/2020)
+
 #### Features
 
 The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (see https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20). This means that client applications can send the authorization parameters inside a signed JWT. The client applications keeps the private key, while the authorization server **must** store a public key for the client application. For encrypted JWTs, the client application should use one of the public encryption keys exposed in the JWKs URI, to encrypt the JWT. Remember, **tokens must be signed then encrypted** (or just signed).
@@ -25,7 +177,9 @@ The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (se
 Removed React Javascript from example applications.
 
 
-### 0.0.5 (26/6/2020)
+### 0.0.5
+
+(26/6/2020)
 
 #### Features
 
@@ -62,7 +216,9 @@ It **requires** the authorization to implement the server metadata endpoint (`/.
 * option `scopes_param` renamed to `scope_param`;
 *
 
-## 0.0.4 (13/6/2020)
+## 0.0.4
+
+(13/6/2020)
 
 ### Features
 
@@ -99,7 +255,9 @@ The `oauth_jwt` feature now allows the usage of access tokens to authorize the g
 
 * Fixed scope claim of JWT ("scopes" -> "scope");
 
-## 0.0.3 (5/6/2020)
+## 0.0.3
+
+(5/6/2020)
 
 ### Features
 
@@ -131,7 +289,9 @@ end
 * renamed the existing `use_oauth_implicit_grant_type` to `use_oauth_implicit_grant_type?`;
 * It's now usable as JSON API (small caveat: POST authorize will still redirect on success...);
 
-## 0.0.2 (29/5/2020)
+## 0.0.2
+
+(29/5/2020)
 
 ### Features
 
@@ -147,6 +307,8 @@ end
 
 * usage of client secret for authorizing the generation of tokens, as the spec mandates (and refraining from them when doing PKCE).
 
-## 0.0.1 (14/5/2020)
+## 0.0.1
+
+(14/5/2020)
 
 Initial implementation of the Oauth 2.0 framework, with an example app done using roda.

data/README.md

@@ -1,13 +1,13 @@
 # Rodauth::Oauth
 
-[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/commits/master)
-[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/commits/master)
+[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/pipelines?page=1&ref=master)
+[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg?job=coverage)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
 
 This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framework](https://tools.ietf.org/html/rfc6749) for an authorization server.
 
 ## Features
 
-This gem implements:
+This gem implements the following RFCs and features of OAuth:
 
 * [The OAuth 2.0 protocol framework](https://tools.ietf.org/html/rfc6749):
   * [Authorization grant flow](https://tools.ietf.org/html/rfc6749#section-1.3);
@@ -21,9 +21,12 @@ This gem implements:
 * Access Type (Token refresh online and offline);
 * [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
 * [JWT Acess Tokens](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07);
+* [SAML 2.0 Assertion Access Tokens](https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-03);
 * [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
 * OAuth application and token management dashboards;
 
+It also implements the [OpenID Connect layer](https://openid.net/connect/) on top of the OAuth features it provides.
+
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 
 
@@ -43,6 +46,15 @@ Or install it yourself as:
 
     $ gem install rodauth-oauth
 
+
+## Resources
+|               |                                                             |
+| ------------- | ----------------------------------------------------------- |
+| Website       | https://honeyryderchuck.gitlab.io/rodauth-oauth/            |
+| Documentation | https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/       |
+| Wiki          | https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home |
+| CI            | https://gitlab.com/honeyryderchuck/rodauth-oauth/pipelines  |
+
 ## Usage
 
 This tutorial assumes you already read the documentation and know how to set up `rodauth`. After that, integrating `roda-auth` will look like:
@@ -86,7 +98,18 @@ route do |r|
 end
 ```
 
-You'll have to do a bit more boilerplate, so here's the instructions.
+
+For OpenID, it's very similar to the example above:
+
+```ruby
+plugin :rodauth do
+  # enable it in the plugin
+  enable :login, :openid
+  oauth_application_default_scope %w[openid]
+  oauth_application_scopes %w[openid email profile]
+end
+```
+
 
 ### Example (TL;DR)
 
@@ -101,7 +124,7 @@ Generating tokens happens mostly server-to-server, so here's an example using:
 
 ```ruby
 require "httpx"
-response = HTTPX.post("https://auth_server/oauth-token",json: {
+response = HTTPX.post("https://auth_server/token",json: {
                   client_id: ENV["OAUTH_CLIENT_ID"],
                   client_secret: ENV["OAUTH_CLIENT_SECRET"],
                   grant_type: "authorization_code",
@@ -115,7 +138,7 @@ puts payload #=> {"access_token" => "awr23f3h8f9d2h89...", "refresh_token" => "2
 ##### cURL
 
 ```
-> curl --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"authorization_code","code":"oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as"}' https://auth_server/oauth-token
+> curl --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"authorization_code","code":"oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as"}' https://auth_server/token
 ```
 
 #### Refresh Token
@@ -126,7 +149,7 @@ Refreshing expired tokens also happens mostly server-to-server, here's an exampl
 
 ```ruby
 require "httpx"
-response = HTTPX.post("https://auth_server/oauth-token",json: {
+response = HTTPX.post("https://auth_server/token",json: {
                   client_id: ENV["OAUTH_CLIENT_ID"],
                   client_secret: ENV["OAUTH_CLIENT_SECRET"],
                   grant_type: "refresh_token",
@@ -140,7 +163,7 @@ puts payload #=> {"access_token" => "awr23f3h8f9d2h89...", "token_type" => "Bear
 ##### cURL
 
 ```
-> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-token
+> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/token
 ```
 
 #### Revoking tokens
@@ -151,7 +174,7 @@ Token revocation can be done both by the idenntity owner or the application owne
 require "httpx"
 httpx = HTTPX.plugin(:basic_authorization)
 response = httpx.basic_authentication(ENV["CLIENT_ID"], ENV["CLIENT_SECRET"])
-                .post("https://auth_server/oauth-revoke",json: {
+                .post("https://auth_server/revoke",json: {
                   token_type_hint: "access_token", # can also be "refresh:tokn"
                   token: "2r89hfef4j9f90d2j2390jf390g"
                 })
@@ -163,7 +186,7 @@ puts payload #=> {"access_token" => "awr23f3h8f9d2h89...", "token_type" => "Bear
 ##### cURL
 
 ```
-> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-revoke
+> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/revoke
 ```
 
 #### Token introspection
@@ -174,7 +197,7 @@ Token revocation can be used to determine the state of a token (whether active,
 require "httpx"
 httpx = HTTPX.plugin(:basic_authorization)
 response = httpx.basic_authentication(ENV["CLIENT_ID"], ENV["CLIENT_SECRET"])
-                .post("https://auth_server/oauth-introspect",json: {
+                .post("https://auth_server/introspect",json: {
                   token_type_hint: "access_token", # can also be "refresh:tokn"
                   token: "2r89hfef4j9f90d2j2390jf390g"
                 })
@@ -186,7 +209,7 @@ puts payload #=> {"active" => true, "scope" => "read write" ....
 ##### cURL
 
 ```
-> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-revoke
+> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/revoke
 ```
 
 ### Authorization Server Metadata
@@ -243,10 +266,10 @@ The rodauth default setup expects the roda `render` plugin to be activated; by d
 
 Once you set it up, by default, the following endpoints will be available:
 
-* `GET /oauth-authorize`: Loads the OAuth authorization HTML form;
-* `POST /oauth-authorize`: Responds to an OAuth authorization request, as [per the spec](https://tools.ietf.org/html/rfc6749#section-4);
-* `POST /oauth-token`: Generates OAuth tokens as [per the spec](https://tools.ietf.org/html/rfc6749#section-4.4.2);
-* `POST /oauth-revoke`: Revokes OAuth tokens as [per the spec](https://tools.ietf.org/html/rfc7009);
+* `GET /authorize`: Loads the OAuth authorization HTML form;
+* `POST /authorize`: Responds to an OAuth authorization request, as [per the spec](https://tools.ietf.org/html/rfc6749#section-4);
+* `POST /token`: Generates OAuth tokens as [per the spec](https://tools.ietf.org/html/rfc6749#section-4.4.2);
+* `POST /revoke`: Revokes OAuth tokens as [per the spec](https://tools.ietf.org/html/rfc7009);
 
 ### OAuth applications
 
@@ -426,7 +449,7 @@ The "Proof Key for Code Exchange by OAuth Public Clients" (aka PKCE) flow, which
 ```ruby
 # with httpx
 require "httpx"
-response = HTTPX.post("https://auth_server/oauth-token",json: {
+response = HTTPX.post("https://auth_server/token",json: {
                   client_id: ENV["OAUTH_CLIENT_ID"],
                   grant_type: "authorization_code",
                   code: "oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as",
@@ -477,7 +500,7 @@ Generating an access token will deliver the following fields:
 ```ruby
 # with httpx
 require "httpx"
-response = httpx.post("https://auth_server/oauth-token",json: {
+response = httpx.post("https://auth_server/token",json: {
                   client_id: env["oauth_client_id"],
                   client_secret: env["oauth_client_secret"],
                   grant_type: "authorization_code",
@@ -576,7 +599,7 @@ which adds an extra layer of protection.
 
 #### JWKS URI
 
-A route is defined for getting the JWK Set in a JSON format; this is typically used by client applications, who need the JWK set to decode the JWT token. This URL is typically `https://oauth-server/oauth-jwks`.
+A route is defined for getting the JWK Set in a JSON format; this is typically used by client applications, who need the JWK set to decode the JWT token. This URL is typically `https://oauth-server/jwks`.
 
 #### JWT Bearer as authorization grant
 
@@ -585,7 +608,7 @@ One can emit a new access token by using the bearer access token as grant. This
 ```ruby
 # with httpx
 require "httpx"
-response = httpx.post("https://auth_server/oauth-token",json: {
+response = httpx.post("https://auth_server/token",json: {
                   grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
                   assertion: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6IkV4YW1wbGUiLCJpYXQiOjE1OTIwMDk1MDEsImNsaWVudF9pZCI6IkNMSUVOVF9JRCIsImV4cCI6MTU5MjAxMzEwMSwiYXVkIjpudWxsLCJzY29wZSI6InVzZXIucmVhZCB1c2VyLndyaXRlIiwianRpIjoiOGM1NTVjMjdiOWRjNDdmOTcyNWRkYzBhMjk0NzA1ZTA4NzFkY2JlN2Q5ZTNlMmVkNGE1ZTBiOGZlNTZlYzcxMSJ9.AlxKRtE3ec0mtyBSDx4VseND4eC6cH5ubtv8gfYxxsc"
                 })

data/lib/generators/roda/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -29,7 +29,8 @@ class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
       # uncomment to enable PKCE
       # t.string :code_challenge
       # t.string :code_challenge_method
-
+      # uncomment to use OIDC nonce
+      # t.string :nonce
       t.index(%i[oauth_application_id code], unique: true)
     end
 
@@ -42,18 +43,20 @@ class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
       t.foreign_key :oauth_tokens, column: :oauth_token_id
       t.integer :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
-      t.string :token, null: false, token: true
+      t.string :token, null: false, token: true, unique: true
       # uncomment if setting oauth_tokens_token_hash_column
       # and delete the token column
-      # t.string :token_hash, token: true
-      t.string :refresh_token
+      # t.string :token_hash, token: true, unique: true
+      t.string :refresh_token, unique: true
       # uncomment if setting oauth_tokens_refresh_token_hash_column
       # and delete the refresh_token column
-      # t.string :refresh_token_hash, token: true
+      # t.string :refresh_token_hash, token: true, unique: true
       t.datetime :expires_in, null: false
       t.datetime :revoked_at
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      # uncomment to use OIDC nonce
+      # t.string :nonce
     end
   end
 end

data/lib/rodauth/features/oauth.rb

@@ -1,16 +1,21 @@
 # frozen-string-literal: true
 
+require "time"
 require "base64"
 require "securerandom"
 require "net/http"
 
 require "rodauth/oauth/ttl_store"
+require "rodauth/oauth/database_extensions"
 
 module Rodauth
   Feature.define(:oauth) do
     # RUBY EXTENSIONS
-    # :nocov:
     unless Regexp.method_defined?(:match?)
+      # If you wonder why this is there: the oauth feature uses a refinement to enhance the
+      # Regexp class locally with #match? , but this is never tested, because ActiveSupport
+      # monkey-patches the same method... Please ActiveSupport, stop being so intrusive!
+      # :nocov:
       module RegexpExtensions
         refine(Regexp) do
           def match?(*args)
@@ -19,6 +24,7 @@ module Rodauth
         end
       end
       using(RegexpExtensions)
+      # :nocov:
     end
 
     unless String.method_defined?(:delete_suffix!)
@@ -37,13 +43,13 @@ module Rodauth
       end
       using(SuffixExtensions)
     end
-    # :nocov:
 
     SCOPES = %w[profile.read].freeze
 
+    SERVER_METADATA = OAuth::TtlStore.new
+
     before "authorize"
     after "authorize"
-    after "authorize_failure"
 
     before "token"
 
@@ -55,15 +61,13 @@ module Rodauth
     before "create_oauth_application"
     after "create_oauth_application"
 
-    error_flash "OAuth Authorization invalid parameters", "oauth_grant_valid_parameters"
-
     error_flash "Please authorize to continue", "require_authorization"
     error_flash "There was an error registering your oauth application", "create_oauth_application"
     notice_flash "Your oauth application has been registered", "create_oauth_application"
 
     notice_flash "The oauth token has been revoked", "revoke_oauth_token"
 
-    view "oauth_authorize", "Authorize", "authorize"
+    view "authorize", "Authorize", "authorize"
     view "oauth_applications", "Oauth Applications", "oauth_applications"
     view "oauth_application", "Oauth Application", "oauth_application"
     view "new_oauth_application", "New Oauth Application", "new_oauth_application"
@@ -73,14 +77,16 @@ module Rodauth
 
     auth_value_method :oauth_grant_expires_in, 60 * 5 # 5 minutes
     auth_value_method :oauth_token_expires_in, 60 * 60 # 60 minutes
+    auth_value_method :oauth_refresh_token_expires_in, 60 * 60 * 24 * 360 # 1 year
     auth_value_method :use_oauth_implicit_grant_type?, false
     auth_value_method :use_oauth_pkce?, true
     auth_value_method :use_oauth_access_type?, true
 
     auth_value_method :oauth_require_pkce, false
     auth_value_method :oauth_pkce_challenge_method, "S256"
+    auth_value_method :oauth_response_mode, "query"
 
-    auth_value_method :oauth_valid_uri_schemes, %w[http https]
+    auth_value_method :oauth_valid_uri_schemes, %w[https]
 
     auth_value_method :oauth_scope_separator, " "
 
@@ -95,6 +101,7 @@ module Rodauth
     button "Register", "oauth_application"
     button "Authorize", "oauth_authorize"
     button "Revoke", "oauth_token_revoke"
+    button "Back to Client Application", "oauth_authorize_post"
 
     # OAuth Token
     auth_value_method :oauth_tokens_path, "oauth-tokens"
@@ -113,6 +120,8 @@ module Rodauth
     auth_value_method :oauth_tokens_token_hash_column, nil
     auth_value_method :oauth_tokens_refresh_token_hash_column, nil
 
+    # Access Token reuse
+    auth_value_method :oauth_reuse_access_token, false
     # OAuth Grants
     auth_value_method :oauth_grants_table, :oauth_grants
     auth_value_method :oauth_grants_id_column, :id
@@ -127,6 +136,7 @@ module Rodauth
 
     auth_value_method :authorization_required_error_status, 401
     auth_value_method :invalid_oauth_response_status, 400
+    auth_value_method :already_in_use_response_status, 409
 
     # OAuth Applications
     auth_value_method :oauth_applications_path, "oauth-applications"
@@ -144,13 +154,13 @@ module Rodauth
       auth_value_method :"oauth_applications_#{column}_column", column
     end
 
+    # Feature options
     auth_value_method :oauth_application_default_scope, SCOPES.first
     auth_value_method :oauth_application_scopes, SCOPES
     auth_value_method :oauth_token_type, "bearer"
+    auth_value_method :oauth_refresh_token_protection_policy, "none" # can be: none, sender_constrained, rotation
 
-    auth_value_method :invalid_request, "Request is missing a required parameter"
-    auth_value_method :invalid_client, "Invalid client"
-    auth_value_method :unauthorized_client, "Unauthorized client"
+    auth_value_method :invalid_client_message, "Invalid client"
     auth_value_method :invalid_grant_type_message, "Invalid grant type"
     auth_value_method :invalid_grant_message, "Invalid grant"
     auth_value_method :invalid_scope_message, "Invalid scope"
@@ -160,6 +170,8 @@ module Rodauth
 
     auth_value_method :unique_error_message, "is already in use"
     auth_value_method :null_error_message, "is not filled"
+    auth_value_method :already_in_use_message, "error generating unique token"
+    auth_value_method :already_in_use_error_code, "invalid_request"
 
     # PKCE
     auth_value_method :code_challenge_required_error_code, "invalid_request"
@@ -177,6 +189,8 @@ module Rodauth
     # Only required to use if the plugin is to be used in a resource server
     auth_value_method :is_authorization_server?, true
 
+    auth_value_method :oauth_unique_id_generation_retries, 3
+
     auth_value_methods(
       :fetch_access_token,
       :oauth_unique_id_generator,
@@ -184,22 +198,231 @@ module Rodauth
       :secret_hash,
       :generate_token_hash,
       :authorization_server_url,
-      :before_introspection_request
+      :before_introspection_request,
+      :require_authorizable_account,
+      :oauth_tokens_unique_columns
     )
 
     auth_value_methods(:only_json?)
 
     auth_value_method :json_request_regexp, %r{\bapplication/(?:vnd\.api\+)?json\b}i
 
-    SERVER_METADATA = OAuth::TtlStore.new
+    # /token
+    route(:token) do |r|
+      next unless is_authorization_server?
+
+      before_token_route
+      require_oauth_application
+
+      r.post do
+        catch_error do
+          validate_oauth_token_params
+
+          oauth_token = nil
+          transaction do
+            before_token
+            oauth_token = create_oauth_token
+          end
+
+          json_response_success(json_access_token_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # /introspect
+    route(:introspect) do |r|
+      next unless is_authorization_server?
+
+      before_introspect_route
+
+      r.post do
+        catch_error do
+          validate_oauth_introspect_params
+
+          before_introspect
+          oauth_token = case param("token_type_hint")
+                        when "access_token"
+                          oauth_token_by_token(param("token"))
+                        when "refresh_token"
+                          oauth_token_by_refresh_token(param("token"))
+                        else
+                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
+                        end
+
+          if oauth_application
+            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
+          elsif oauth_token
+            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
+              oauth_token[oauth_tokens_oauth_application_id_column]).first
+          end
+
+          json_response_success(json_token_introspect_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # /revoke
+    route(:revoke) do |r|
+      next unless is_authorization_server?
+
+      before_revoke_route
+      require_oauth_application
+
+      r.post do
+        catch_error do
+          validate_oauth_revoke_params
+
+          oauth_token = nil
+          transaction do
+            before_revoke
+            oauth_token = revoke_oauth_token
+            after_revoke
+          end
+
+          if accepts_json?
+            json_response_success \
+              "token" => oauth_token[oauth_tokens_token_column],
+              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
+              "revoked_at" => convert_timestamp(oauth_token[oauth_tokens_revoked_at_column])
+          else
+            set_notice_flash revoke_oauth_token_notice_flash
+            redirect request.referer || "/"
+          end
+        end
+
+        redirect_response_error("invalid_request", request.referer || "/")
+      end
+    end
+
+    # /authorize
+    route(:authorize) do |r|
+      next unless is_authorization_server?
+
+      before_authorize_route
+      require_authorizable_account
+
+      validate_oauth_grant_params
+      try_approval_prompt if use_oauth_access_type? && request.get?
+
+      r.get do
+        authorize_view
+      end
+
+      r.post do
+        redirect_url = URI.parse(redirect_uri)
+
+        params, mode = transaction do
+          before_authorize
+          do_authorize
+        end
+
+        case mode
+        when "query"
+          params = params.map { |k, v| "#{k}=#{v}" }
+          params << redirect_url.query if redirect_url.query
+          redirect_url.query = params.join("&")
+          redirect(redirect_url.to_s)
+        when "fragment"
+          params = params.map { |k, v| "#{k}=#{v}" }
+          params << redirect_url.query if redirect_url.query
+          redirect_url.fragment = params.join("&")
+          redirect(redirect_url.to_s)
+        when "form_post"
+          scope.view layout: false, inline: <<-FORM
+            <html>
+              <head><title>Authorized</title></head>
+              <body onload="javascript:document.forms[0].submit()">
+                <form method="post" action="#{redirect_uri}">
+                  #{
+                    params.map do |name, value|
+                      "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+                    end.join
+                  }
+                  <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
+                </form>
+              </body>
+            </html>
+          FORM
+        when "none"
+          redirect(redirect_url.to_s)
+        end
+      end
+    end
+
+    def oauth_server_metadata(issuer = nil)
+      request.on(".well-known") do
+        request.on("oauth-authorization-server") do
+          request.get do
+            json_response_success(oauth_server_metadata_body(issuer), true)
+          end
+        end
+      end
+    end
+
+    # /oauth-applications routes
+    def oauth_applications
+      request.on(oauth_applications_path) do
+        require_account
+
+        request.get "new" do
+          new_oauth_application_view
+        end
+
+        request.on(oauth_applications_id_pattern) do |id|
+          oauth_application = db[oauth_applications_table].where(oauth_applications_id_column => id).first
+          next unless oauth_application
+
+          scope.instance_variable_set(:@oauth_application, oauth_application)
+
+          request.is do
+            request.get do
+              oauth_application_view
+            end
+          end
+
+          request.on(oauth_tokens_path) do
+            oauth_tokens = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => id)
+            scope.instance_variable_set(:@oauth_tokens, oauth_tokens)
+            request.get do
+              oauth_tokens_view
+            end
+          end
+        end
+
+        request.get do
+          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table])
+          oauth_applications_view
+        end
+
+        request.post do
+          catch_error do
+            validate_oauth_application_params
+
+            transaction do
+              before_create_oauth_application
+              id = create_oauth_application
+              after_create_oauth_application
+              set_notice_flash create_oauth_application_notice_flash
+              redirect "#{request.path}/#{id}"
+            end
+          end
+          set_error_flash create_oauth_application_error_flash
+          new_oauth_application_view
+        end
+      end
+    end
 
     def check_csrf?
       case request.path
-      when oauth_token_path, oauth_introspect_path
+      when token_path, introspect_path
         false
-      when oauth_revoke_path
+      when revoke_path
         !json_request?
-      when oauth_authorize_path, %r{/#{oauth_applications_path}}
+      when authorize_path, %r{/#{oauth_applications_path}}
         only_json? ? false : super
       else
         super
@@ -218,14 +441,12 @@ module Rodauth
     end
 
     unless method_defined?(:json_request?)
-      # :nocov:
       # copied from the jwt feature
       def json_request?
         return @json_request if defined?(@json_request)
 
         @json_request = request.content_type =~ json_request_regexp
       end
-      # :nocov:
     end
 
     def initialize(scope)
@@ -233,7 +454,15 @@ module Rodauth
     end
 
     def scopes
-      (param_or_nil("scope") || oauth_application_default_scope).split(" ")
+      scope = request.params["scope"]
+      case scope
+      when Array
+        scope
+      when String
+        scope.split(" ")
+      when nil
+        [oauth_application_default_scope]
+      end
     end
 
     def redirect_uri
@@ -260,12 +489,14 @@ module Rodauth
     def fetch_access_token
       value = request.env["HTTP_AUTHORIZATION"]
 
-      return unless value
+      return unless value && !value.empty?
 
       scheme, token = value.split(" ", 2)
 
       return unless scheme.downcase == oauth_token_type
 
+      return if token.nil? || token.empty?
+
       token
     end
 
@@ -277,101 +508,79 @@ module Rodauth
 
       return unless bearer_token
 
-      # check if token has not expired
-      # check if token has been revoked
-      @authorization_token = oauth_token_by_token(bearer_token)
+      @authorization_token = if is_authorization_server?
+                               # check if token has not expired
+                               # check if token has been revoked
+                               oauth_token_by_token(bearer_token)
+                             else
+                               # where in resource server, NOT the authorization server.
+                               payload = introspection_request("access_token", bearer_token)
+
+                               return unless payload["active"]
+
+                               payload
+                             end
     end
 
     def require_oauth_authorization(*scopes)
-      token_scopes = if is_authorization_server?
-                       authorization_required unless authorization_token
+      authorization_required unless authorization_token
 
-                       scopes << oauth_application_default_scope if scopes.empty?
+      scopes << oauth_application_default_scope if scopes.empty?
 
+      token_scopes = if is_authorization_server?
                        authorization_token[oauth_tokens_scopes_column].split(oauth_scope_separator)
                      else
-                       bearer_token = fetch_access_token
-
-                       authorization_required unless bearer_token
-
-                       scopes << oauth_application_default_scope if scopes.empty?
-
-                       # where in resource server, NOT the authorization server.
-                       payload = introspection_request("access_token", bearer_token)
-
-                       authorization_required unless payload["active"]
-
-                       payload["scope"].split(oauth_scope_separator)
+                       aux_scopes = authorization_token["scope"]
+                       if aux_scopes
+                         aux_scopes.split(oauth_scope_separator)
+                       else
+                         []
+                       end
                      end
 
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
     end
 
-    # /oauth-applications routes
-    def oauth_applications
-      request.on(oauth_applications_path) do
-        require_account
-
-        request.get "new" do
-          new_oauth_application_view
-        end
-
-        request.on(oauth_applications_id_pattern) do |id|
-          oauth_application = db[oauth_applications_table].where(oauth_applications_id_column => id).first
-          next unless oauth_application
-
-          scope.instance_variable_set(:@oauth_application, oauth_application)
+    def post_configure
+      super
+      self.class.__send__(:include, Rodauth::OAuth::ExtendDatabase(db))
 
-          request.is do
-            request.get do
-              oauth_application_view
-            end
-          end
-
-          request.on(oauth_tokens_path) do
-            oauth_tokens = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => id)
-            scope.instance_variable_set(:@oauth_tokens, oauth_tokens)
-            request.get do
-              oauth_tokens_view
-            end
-          end
+      # Check whether we can reutilize db entries for the same account / application pair
+      one_oauth_token_per_account = begin
+        db.indexes(oauth_tokens_table).values.any? do |definition|
+          definition[:unique] &&
+            definition[:columns] == oauth_tokens_unique_columns
         end
+      end
+      self.class.send(:define_method, :__one_oauth_token_per_account) { one_oauth_token_per_account }
+    end
 
-        request.get do
-          scope.instance_variable_set(:@oauth_applications, db[:oauth_applications])
-          oauth_applications_view
-        end
+    def use_date_arithmetic?
+      true
+    end
 
-        request.post do
-          catch_error do
-            validate_oauth_application_params
+    private
 
-            transaction do
-              before_create_oauth_application
-              id = create_oauth_application
-              after_create_oauth_application
-              set_notice_flash create_oauth_application_notice_flash
-              redirect "#{request.path}/#{id}"
-            end
-          end
-          set_error_flash create_oauth_application_error_flash
-          new_oauth_application_view
-        end
+    def rescue_from_uniqueness_error(&block)
+      retries = oauth_unique_id_generation_retries
+      begin
+        transaction(savepoint: :only, &block)
+      rescue Sequel::UniqueConstraintViolation
+        redirect_response_error("already_in_use") if retries.zero?
+        retries -= 1
+        retry
       end
     end
 
-    def oauth_server_metadata(issuer = nil)
-      request.on(".well-known") do
-        request.on("oauth-authorization-server") do
-          request.get do
-            json_response_success(oauth_server_metadata_body(issuer))
-          end
-        end
-      end
+    # OAuth Token Unique/Reuse
+    def oauth_tokens_unique_columns
+      [
+        oauth_tokens_oauth_application_id_column,
+        oauth_tokens_account_id_column,
+        oauth_tokens_scopes_column
+      ]
     end
 
-    private
-
     def authorization_server_url
       base_url
     end
@@ -394,10 +603,10 @@ module Rodauth
 
         # time-to-live
         ttl = if response.key?("cache-control")
-                cache_control = response["cache_control"]
-                cache_control[/max-age=(\d+)/, 1]
+                cache_control = response["cache-control"]
+                cache_control[/max-age=(\d+)/, 1].to_i
               elsif response.key?("expires")
-                Time.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+                Time.parse(response["expires"]).to_i - Time.now.to_i
               end
 
         [JSON.parse(response.body, symbolize_names: true), ttl]
@@ -409,7 +618,7 @@ module Rodauth
       http = Net::HTTP.new(auth_url.host, auth_url.port)
       http.use_ssl = auth_url.scheme == "https"
 
-      request = Net::HTTP::Post.new(oauth_introspect_path)
+      request = Net::HTTP::Post.new(introspect_path)
       request["content-type"] = json_response_content_type
       request["accept"] = json_response_content_type
       request.body = JSON.dump({ "token_type_hint" => token_type_hint, "token" => token })
@@ -465,7 +674,7 @@ module Rodauth
     end
 
     def oauth_unique_id_generator
-      SecureRandom.hex(32)
+      SecureRandom.urlsafe_base64(32)
     end
 
     def generate_token_hash(token)
@@ -477,89 +686,106 @@ module Rodauth
     end
 
     unless method_defined?(:password_hash)
-      # :nocov:
       # From login_requirements_base feature
-      if ENV["RACK_ENV"] == "test"
-        def password_hash_cost
-          BCrypt::Engine::MIN_COST
-        end
-      else
-        def password_hash_cost
-          BCrypt::Engine::DEFAULT_COST
-        end
-      end
 
       def password_hash(password)
-        BCrypt::Password.create(password, cost: password_hash_cost)
+        BCrypt::Password.create(password, cost: BCrypt::Engine::DEFAULT_COST)
       end
-      # :nocov:
     end
 
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
-        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
       }.merge(params)
 
-      token = oauth_unique_id_generator
-      refresh_token = nil
+      rescue_from_uniqueness_error do
+        token = oauth_unique_id_generator
 
-      if oauth_tokens_token_hash_column
-        create_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
-      else
-        create_params[oauth_tokens_token_column] = token
-      end
+        if oauth_tokens_token_hash_column
+          create_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+        else
+          create_params[oauth_tokens_token_column] = token
+        end
 
-      if should_generate_refresh_token
-        refresh_token = oauth_unique_id_generator
+        refresh_token = nil
+        if should_generate_refresh_token
+          refresh_token = oauth_unique_id_generator
 
-        if oauth_tokens_refresh_token_hash_column
-          create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-        else
-          create_params[oauth_tokens_refresh_token_column] = refresh_token
+          if oauth_tokens_refresh_token_hash_column
+            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+          else
+            create_params[oauth_tokens_refresh_token_column] = refresh_token
+          end
         end
+        oauth_token = _generate_oauth_token(create_params)
+        oauth_token[oauth_tokens_token_column] = token
+        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
+        oauth_token
       end
-      oauth_token = _generate_oauth_token(create_params)
-
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
-      oauth_token
     end
 
     def _generate_oauth_token(params = {})
       ds = db[oauth_tokens_table]
 
-      begin
-        if ds.supports_returning?(:insert)
-          ds.returning.insert(params).first
-        else
-          id = ds.insert(params)
-          ds.where(oauth_tokens_id_column => id).first
+      if __one_oauth_token_per_account
+
+        token = __insert_or_update_and_return__(
+          ds,
+          oauth_tokens_id_column,
+          oauth_tokens_unique_columns,
+          params,
+          Sequel.expr(Sequel[oauth_tokens_table][oauth_tokens_expires_in_column]) > Sequel::CURRENT_TIMESTAMP,
+          ([oauth_tokens_token_column, oauth_tokens_refresh_token_column] if oauth_reuse_access_token)
+        )
+
+        # if the previous operation didn't return a row, it means that the conditions
+        # invalidated the update, and the existing token is still valid.
+        token || ds.where(
+          oauth_tokens_account_id_column => params[oauth_tokens_account_id_column],
+          oauth_tokens_oauth_application_id_column => params[oauth_tokens_oauth_application_id_column]
+        ).first
+      else
+        if oauth_reuse_access_token
+          unique_conds = Hash[oauth_tokens_unique_columns.map { |column| [column, params[column]] }]
+          valid_token = ds.where(Sequel.expr(Sequel[oauth_tokens_table][oauth_tokens_expires_in_column]) > Sequel::CURRENT_TIMESTAMP)
+                          .where(unique_conds).first
+          return valid_token if valid_token
         end
-      rescue Sequel::UniqueConstraintViolation
-        retry
+        __insert_and_return__(ds, oauth_tokens_id_column, params)
       end
     end
 
-    def oauth_token_by_token(token, dataset = db[oauth_tokens_table])
+    def oauth_token_by_token(token)
+      ds = db[oauth_tokens_table]
+
       ds = if oauth_tokens_token_hash_column
-             dataset.where(oauth_tokens_token_hash_column => generate_token_hash(token))
+             ds.where(oauth_tokens_token_hash_column => generate_token_hash(token))
            else
-             dataset.where(oauth_tokens_token_column => token)
+             ds.where(oauth_tokens_token_column => token)
            end
 
       ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
         .where(oauth_tokens_revoked_at_column => nil).first
     end
 
-    def oauth_token_by_refresh_token(token, dataset = db[oauth_tokens_table])
+    def oauth_token_by_refresh_token(token, revoked: false)
+      ds = db[oauth_tokens_table]
+      #
+      # filter expired refresh tokens out.
+      # an expired refresh token is a token whose access token expired for a period longer than the
+      # refresh token expiration period.
+      #
+      ds = ds.where(Sequel.date_add(oauth_tokens_expires_in_column, seconds: oauth_refresh_token_expires_in) >= Sequel::CURRENT_TIMESTAMP)
+
       ds = if oauth_tokens_refresh_token_hash_column
-             dataset.where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
+             ds.where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
            else
-             dataset.where(oauth_tokens_refresh_token_column => token)
+             ds.where(oauth_tokens_refresh_token_column => token)
            end
 
-      ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-        .where(oauth_tokens_revoked_at_column => nil).first
+      ds = ds.where(oauth_tokens_revoked_at_column => nil) unless revoked
+
+      ds.first
     end
 
     def json_access_token_payload(oauth_token)
@@ -628,7 +854,6 @@ module Rodauth
       # set client ID/secret pairs
 
       create_params.merge! \
-        oauth_applications_client_id_column => oauth_unique_id_generator,
         oauth_applications_client_secret_column => \
           secret_hash(oauth_application_params[oauth_application_client_secret_param])
 
@@ -638,29 +863,14 @@ module Rodauth
                                                           oauth_application_default_scope
                                                         end
 
-      id = nil
-      raised = begin
-                 id = db[oauth_applications_table].insert(create_params)
-                 false
-               rescue Sequel::ConstraintViolation => e
-                 e
-               end
-
-      if raised
-        field = raised.message[/\.(.*)$/, 1]
-        case raised
-        when Sequel::UniqueConstraintViolation
-          throw_error(field, unique_error_message)
-        when Sequel::NotNullConstraintViolation
-          throw_error(field, null_error_message)
-        end
+      rescue_from_uniqueness_error do
+        create_params[oauth_applications_client_id_column] = oauth_unique_id_generator
+        db[oauth_applications_table].insert(create_params)
       end
-
-      !raised && id
     end
 
     # Authorize
-    def before_authorize
+    def require_authorizable_account
       require_account
     end
 
@@ -673,6 +883,9 @@ module Rodauth
       end
       redirect_response_error("invalid_scope") unless check_valid_scopes?
 
+      if (response_mode = param_or_nil("response_mode")) && response_mode != "form_post"
+        redirect_response_error("invalid_request")
+      end
       validate_pkce_challenge_params if use_oauth_pkce?
     end
 
@@ -690,57 +903,79 @@ module Rodauth
       ).count.zero?
 
       # if there's a previous oauth grant for the params combo, it means that this user has approved before.
-
       request.env["REQUEST_METHOD"] = "POST"
     end
 
-    def create_oauth_grant
-      create_params = {
+    def create_oauth_grant(create_params = {})
+      create_params.merge!(
         oauth_grants_account_id_column => account_id,
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_grants_redirect_uri_column => redirect_uri,
-        oauth_grants_expires_in_column => Time.now + oauth_grant_expires_in,
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in),
         oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
-      }
+      )
 
       # Access Type flow
-      if use_oauth_access_type?
-        if (access_type = param_or_nil("access_type"))
-          create_params[oauth_grants_access_type_column] = access_type
-        end
+      if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
+        create_params[oauth_grants_access_type_column] = access_type
       end
 
       # PKCE flow
-      if use_oauth_pkce?
+      if use_oauth_pkce? && (code_challenge = param_or_nil("code_challenge"))
+        code_challenge_method = param_or_nil("code_challenge_method")
 
-        if (code_challenge = param_or_nil("code_challenge"))
-          code_challenge_method = param_or_nil("code_challenge_method")
-
-          create_params[oauth_grants_code_challenge_column] = code_challenge
-          create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
-        elsif oauth_require_pkce
-          redirect_response_error("code_challenge_required")
-        end
+        create_params[oauth_grants_code_challenge_column] = code_challenge
+        create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
       end
 
       ds = db[oauth_grants_table]
 
-      begin
-        authorization_code = oauth_unique_id_generator
-        create_params[oauth_grants_code_column] = authorization_code
-        ds.insert(create_params)
-        authorization_code
-      rescue Sequel::UniqueConstraintViolation
-        retry
+      rescue_from_uniqueness_error do
+        create_params[oauth_grants_code_column] = oauth_unique_id_generator
+        __insert_and_return__(ds, oauth_grants_id_column, create_params)
       end
+      create_params[oauth_grants_code_column]
+    end
+
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
+      case param("response_type")
+      when "token"
+        redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
+
+        response_mode ||= "fragment"
+        response_params.replace(_do_authorize_token)
+      when "code"
+        response_mode ||= "query"
+        response_params.replace(_do_authorize_code)
+      when "none"
+        response_mode ||= "none"
+      when "", nil
+        response_mode ||= oauth_response_mode
+        response_params.replace(_do_authorize_code)
+      end
+
+      response_params["state"] = param("state") if param_or_nil("state")
+
+      [response_params, response_mode]
     end
 
-    # Access Tokens
+    def _do_authorize_code
+      { "code" => create_oauth_grant }
+    end
 
-    def before_token
-      require_oauth_application
+    def _do_authorize_token
+      create_params = {
+        oauth_tokens_account_id_column => account_id,
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => scopes
+      }
+      oauth_token = generate_oauth_token(create_params, false)
+
+      json_access_token_payload(oauth_token)
     end
 
+    # Access Tokens
+
     def validate_oauth_token_params
       unless (grant_type = param_or_nil("grant_type"))
         redirect_response_error("invalid_request")
@@ -760,27 +995,56 @@ module Rodauth
     def create_oauth_token
       case param("grant_type")
       when "authorization_code"
-        create_oauth_token_from_authorization_code(oauth_application)
+        # fetch oauth grant
+        oauth_grant = db[oauth_grants_table].where(
+          oauth_grants_code_column => param("code"),
+          oauth_grants_redirect_uri_column => param("redirect_uri"),
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_revoked_at_column => nil
+        ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+                                            .for_update
+                                            .first
+
+        redirect_response_error("invalid_grant") unless oauth_grant
+
+        create_params = {
+          oauth_tokens_account_id_column => oauth_grant[oauth_grants_account_id_column],
+          oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
+          oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
+          oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
+        }
+        create_oauth_token_from_authorization_code(oauth_grant, create_params)
       when "refresh_token"
-        create_oauth_token_from_token(oauth_application)
-      else
-        redirect_response_error("invalid_grant")
+        # fetch potentially revoked oauth token
+        oauth_token = oauth_token_by_refresh_token(param("refresh_token"), revoked: true)
+
+        if !oauth_token
+          redirect_response_error("invalid_grant")
+        elsif oauth_token[oauth_tokens_revoked_at_column]
+          if oauth_refresh_token_protection_policy == "rotation"
+            # https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00#section-6.1
+            #
+            # If a refresh token is compromised and subsequently used by both the attacker and the legitimate
+            # client, one of them will present an invalidated refresh token, which will inform the authorization
+            # server of the breach.  The authorization server cannot determine which party submitted the invalid
+            # refresh token, but it will revoke the active refresh token.  This stops the attack at the cost of
+            # forcing the legitimate client to obtain a fresh authorization grant.
+
+            db[oauth_tokens_table].where(oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column])
+                                  .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+          end
+          redirect_response_error("invalid_grant")
+        end
+
+        update_params = {
+          oauth_tokens_oauth_application_id_column => oauth_token[oauth_grants_oauth_application_id_column],
+          oauth_tokens_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
+        }
+        create_oauth_token_from_token(oauth_token, update_params)
       end
     end
 
-    def create_oauth_token_from_authorization_code(oauth_application)
-      # fetch oauth grant
-      oauth_grant = db[oauth_grants_table].where(
-        oauth_grants_code_column => param("code"),
-        oauth_grants_redirect_uri_column => param("redirect_uri"),
-        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_grants_revoked_at_column => nil
-      ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                                          .for_update
-                                          .first
-
-      redirect_response_error("invalid_grant") unless oauth_grant
-
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
       # PKCE
       if use_oauth_pkce?
         if oauth_grant[oauth_grants_code_challenge_column]
@@ -792,13 +1056,6 @@ module Rodauth
         end
       end
 
-      create_params = {
-        oauth_tokens_account_id_column => oauth_grant[oauth_grants_account_id_column],
-        oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
-        oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
-        oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
-      }
-
       # revoke oauth grant
       db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
                             .update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
@@ -809,40 +1066,41 @@ module Rodauth
       generate_oauth_token(create_params, should_generate_refresh_token)
     end
 
-    def create_oauth_token_from_token(oauth_application)
-      # fetch oauth token
-      oauth_token = oauth_token_by_refresh_token(param("refresh_token"))
-
-      redirect_response_error("invalid_grant") unless oauth_token && token_from_application?(oauth_token, oauth_application)
+    def create_oauth_token_from_token(oauth_token, update_params)
+      redirect_response_error("invalid_grant") unless token_from_application?(oauth_token, oauth_application)
 
-      token = oauth_unique_id_generator
+      rescue_from_uniqueness_error do
+        oauth_tokens_ds = db[oauth_tokens_table]
+        token = oauth_unique_id_generator
 
-      update_params = {
-        oauth_tokens_oauth_application_id_column => oauth_token[oauth_grants_oauth_application_id_column],
-        oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in
-      }
-
-      if oauth_tokens_token_hash_column
-        update_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
-      else
-        update_params[oauth_tokens_token_column] = token
-      end
-
-      ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
-
-      oauth_token = begin
-        if ds.supports_returning?(:update)
-          ds.returning.update(update_params).first
+        if oauth_tokens_token_hash_column
+          update_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
         else
-          ds.update(update_params)
-          ds.first
+          update_params[oauth_tokens_token_column] = token
         end
-                    rescue Sequel::UniqueConstraintViolation
-                      retry
-      end
 
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token
+        oauth_token = if oauth_refresh_token_protection_policy == "rotation"
+                        insert_params = {
+                          **update_params,
+                          oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column],
+                          oauth_tokens_scopes_column => oauth_token[oauth_tokens_scopes_column]
+                        }
+
+                        # revoke the refresh token
+                        oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+                                       .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+
+                        insert_params[oauth_tokens_oauth_token_id_column] = oauth_token[oauth_tokens_id_column]
+                        __insert_and_return__(oauth_tokens_ds, oauth_tokens_id_column, insert_params)
+                      else
+                        # includes none
+                        ds = oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+                        __update_and_return__(ds, update_params)
+                      end
+
+        oauth_token[oauth_tokens_token_column] = token
+        oauth_token
+      end
     end
 
     TOKEN_HINT_TYPES = %w[access_token refresh_token].freeze
@@ -851,8 +1109,8 @@ module Rodauth
 
     def validate_oauth_introspect_params
       # check if valid token hint type
-      if param_or_nil("token_type_hint")
-        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+      if param_or_nil("token_type_hint") && !TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+        redirect_response_error("unsupported_token_type")
       end
 
       redirect_response_error("invalid_request") unless param_or_nil("token")
@@ -870,18 +1128,12 @@ module Rodauth
       }
     end
 
-    def before_introspect; end
-
     # Token revocation
 
-    def before_revoke
-      require_oauth_application
-    end
-
     def validate_oauth_revoke_params
       # check if valid token hint type
-      if param_or_nil("token_type_hint")
-        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+      if param_or_nil("token_type_hint") && !TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+        redirect_response_error("unsupported_token_type")
       end
 
       redirect_response_error("invalid_request") unless param_or_nil("token")
@@ -898,23 +1150,13 @@ module Rodauth
 
       redirect_response_error("invalid_request") unless oauth_token
 
-      if oauth_application
-        redirect_response_error("invalid_request") unless token_from_application?(oauth_token, oauth_application)
-      else
-        @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
-          oauth_token[oauth_tokens_oauth_application_id_column]).first
-      end
+      redirect_response_error("invalid_request") unless token_from_application?(oauth_token, oauth_application)
 
       update_params = { oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
 
       ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
 
-      oauth_token = if ds.supports_returning?(:update)
-                      ds.returning.update(update_params).first
-                    else
-                      ds.update(update_params)
-                      ds.first
-                    end
+      oauth_token = __update_and_return__(ds, update_params)
 
       oauth_token[oauth_tokens_token_column] = token
       oauth_token
@@ -932,7 +1174,13 @@ module Rodauth
 
     def redirect_response_error(error_code, redirect_url = redirect_uri || request.referer || default_redirect)
       if accepts_json?
-        throw_json_response_error(invalid_oauth_response_status, error_code)
+        status_code = if respond_to?(:"#{error_code}_response_status")
+                        send(:"#{error_code}_response_status")
+                      else
+                        invalid_oauth_response_status
+                      end
+
+        throw_json_response_error(status_code, error_code)
       else
         redirect_url = URI.parse(redirect_url)
         query_params = []
@@ -954,9 +1202,17 @@ module Rodauth
       end
     end
 
-    def json_response_success(body)
+    def json_response_success(body, cache = false)
       response.status = 200
       response["Content-Type"] ||= json_response_content_type
+      if cache
+        # defaulting to 1-day for everyone, for now at least
+        max_age = 60 * 60 * 24
+        response["Cache-Control"] = "private, max-age=#{max_age}"
+      else
+        response["Cache-Control"] = "no-store"
+        response["Pragma"] = "no-cache"
+      end
       json_payload = _json_response_body(body)
       response.write(json_payload)
       request.halt
@@ -979,7 +1235,6 @@ module Rodauth
     end
 
     unless method_defined?(:_json_response_body)
-      # :nocov:
       def _json_response_body(hash)
         if request.respond_to?(:convert_to_json)
           request.send(:convert_to_json, hash)
@@ -987,7 +1242,6 @@ module Rodauth
           JSON.dump(hash)
         end
       end
-      # :nocov:
     end
 
     def authorization_required
@@ -995,7 +1249,7 @@ module Rodauth
         throw_json_response_error(authorization_required_error_status, "invalid_client")
       else
         set_redirect_error_flash(require_authorization_error_flash)
-        redirect(oauth_authorize_path)
+        redirect(authorize_path)
       end
     end
 
@@ -1075,10 +1329,10 @@ module Rodauth
 
     def oauth_server_metadata_body(path)
       issuer = base_url
-      issuer += "/#{path}" if issuer
+      issuer += "/#{path}" if path
 
       responses_supported = %w[code]
-      response_modes_supported = %w[query]
+      response_modes_supported = %w[query form_post]
       grant_types_supported = %w[authorization_code]
 
       if use_oauth_implicit_grant_type?
@@ -1086,11 +1340,12 @@ module Rodauth
         response_modes_supported << "fragment"
         grant_types_supported << "implicit"
       end
+
       {
         issuer: issuer,
-        authorization_endpoint: oauth_authorize_url,
-        token_endpoint: oauth_token_url,
-        registration_endpoint: "#{base_url}/#{oauth_applications_path}",
+        authorization_endpoint: authorize_url,
+        token_endpoint: token_url,
+        registration_endpoint: route_url(oauth_applications_path),
         scopes_supported: oauth_application_scopes,
         response_types_supported: responses_supported,
         response_modes_supported: response_modes_supported,
@@ -1100,142 +1355,12 @@ module Rodauth
         ui_locales_supported: oauth_metadata_ui_locales_supported,
         op_policy_uri: oauth_metadata_op_policy_uri,
         op_tos_uri: oauth_metadata_op_tos_uri,
-        revocation_endpoint: oauth_revoke_url,
+        revocation_endpoint: revoke_url,
         revocation_endpoint_auth_methods_supported: nil, # because it's client_secret_basic
-        introspection_endpoint: oauth_introspect_url,
+        introspection_endpoint: introspect_url,
         introspection_endpoint_auth_methods_supported: %w[client_secret_basic],
         code_challenge_methods_supported: (use_oauth_pkce? ? oauth_pkce_challenge_method : nil)
       }
     end
-
-    # /oauth-token
-    route(:oauth_token) do |r|
-      before_token
-
-      r.post do
-        catch_error do
-          validate_oauth_token_params
-
-          oauth_token = nil
-          transaction do
-            oauth_token = create_oauth_token
-          end
-
-          json_response_success(json_access_token_payload(oauth_token))
-        end
-
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
-      end
-    end
-
-    # /oauth-introspect
-    route(:oauth_introspect) do |r|
-      before_introspect
-
-      r.post do
-        catch_error do
-          validate_oauth_introspect_params
-
-          oauth_token = case param("token_type_hint")
-                        when "access_token"
-                          oauth_token_by_token(param("token"))
-                        when "refresh_token"
-                          oauth_token_by_refresh_token(param("token"))
-                        else
-                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
-                        end
-
-          if oauth_application
-            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
-          elsif oauth_token
-            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
-              oauth_token[oauth_tokens_oauth_application_id_column]).first
-          end
-
-          json_response_success(json_token_introspect_payload(oauth_token))
-        end
-
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
-      end
-    end
-
-    # /oauth-revoke
-    route(:oauth_revoke) do |r|
-      before_revoke
-
-      r.post do
-        catch_error do
-          validate_oauth_revoke_params
-
-          oauth_token = nil
-          transaction do
-            oauth_token = revoke_oauth_token
-            after_revoke
-          end
-
-          if accepts_json?
-            json_response_success \
-              "token" => oauth_token[oauth_tokens_token_column],
-              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
-              "revoked_at" => oauth_token[oauth_tokens_revoked_at_column]
-          else
-            set_notice_flash revoke_oauth_token_notice_flash
-            redirect request.referer || "/"
-          end
-        end
-
-        redirect_response_error("invalid_request", request.referer || "/")
-      end
-    end
-
-    # /oauth-authorize
-    route(:oauth_authorize) do |r|
-      require_account
-      validate_oauth_grant_params
-      try_approval_prompt if use_oauth_access_type? && request.get?
-
-      before_authorize
-
-      r.get do
-        authorize_view
-      end
-
-      r.post do
-        code = nil
-        query_params = []
-        fragment_params = []
-
-        transaction do
-          case param("response_type")
-          when "token"
-            redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
-
-            create_params = {
-              oauth_tokens_account_id_column => account_id,
-              oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-              oauth_tokens_scopes_column => scopes
-            }
-            oauth_token = generate_oauth_token(create_params, false)
-
-            token_payload = json_access_token_payload(oauth_token)
-            fragment_params.replace(token_payload.map { |k, v| "#{k}=#{v}" })
-          when "code", "", nil
-            code = create_oauth_grant
-            query_params << "code=#{code}"
-          else
-            redirect_response_error("invalid_request")
-          end
-          after_authorize
-        end
-
-        redirect_url = URI.parse(redirect_uri)
-        query_params << "state=#{param('state')}" if param_or_nil("state")
-        query_params << redirect_url.query if redirect_url.query
-        redirect_url.query = query_params.join("&") unless query_params.empty?
-        redirect_url.fragment = fragment_params.join("&") unless fragment_params.empty?
-
-        redirect(redirect_url.to_s)
-      end
-    end
   end
 end