rodauth-oauth 0.0.6 → 0.4.1

data/lib/rodauth/features/oauth_http_mac.rb

@@ -8,20 +8,16 @@ module Rodauth
           def delete_suffix(suffix)
             suffix = suffix.to_s
             len = suffix.length
-            if len.positive? && index(suffix, -len)
-              self[0...-len]
-            else
-              dup
-            end
+            return dup unless len.positive? && index(suffix, -len)
+
+            self[0...-len]
           end
 
           def delete_prefix(prefix)
             prefix = prefix.to_s
-            if rindex(prefix, 0)
-              self[prefix.length..-1]
-            else
-              dup
-            end
+            return dup unless rindex(prefix, 0)
+
+            self[prefix.length..-1]
           end
         end
       end

data/lib/rodauth/features/oauth_jwt.rb

@@ -6,7 +6,12 @@ module Rodauth
   Feature.define(:oauth_jwt) do
     depends :oauth
 
-    auth_value_method :oauth_jwt_token_issuer, "Example"
+    JWKS = OAuth::TtlStore.new
+
+    auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
+    auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
+
+    auth_value_method :oauth_jwt_token_issuer, nil
 
     auth_value_method :oauth_application_jws_jwk_column, nil
 
@@ -19,6 +24,10 @@ module Rodauth
     auth_value_method :oauth_jwt_jwe_algorithm, nil
     auth_value_method :oauth_jwt_jwe_encryption_method, nil
 
+    # values used for rotating keys
+    auth_value_method :oauth_jwt_legacy_public_key, nil
+    auth_value_method :oauth_jwt_legacy_algorithm, nil
+
     auth_value_method :oauth_jwt_jwe_copyright, nil
     auth_value_method :oauth_jwt_audience, nil
 
@@ -28,10 +37,17 @@ module Rodauth
     auth_value_methods(
       :jwt_encode,
       :jwt_decode,
-      :jwks_set
+      :jwks_set,
+      :last_account_login_at
     )
 
-    JWKS = OAuth::TtlStore.new
+    route(:jwks) do |r|
+      next unless is_authorization_server?
+
+      r.get do
+        json_response_success({ keys: jwks_set }, true)
+      end
+    end
 
     def require_oauth_authorization(*scopes)
       authorization_required unless authorization_token
@@ -45,6 +61,12 @@ module Rodauth
 
     private
 
+    unless method_defined?(:last_account_login_at)
+      def last_account_login_at
+        nil
+      end
+    end
+
     def authorization_token
       return @authorization_token if defined?(@authorization_token)
 
@@ -57,8 +79,8 @@ module Rodauth
 
         return unless jwt_token
 
-        return if jwt_token["iss"] != oauth_jwt_token_issuer ||
-                  jwt_token["aud"] != oauth_jwt_audience ||
+        return if jwt_token["iss"] != (oauth_jwt_token_issuer || authorization_server_url) ||
+                  (oauth_jwt_audience && jwt_token["aud"] != oauth_jwt_audience) ||
                   !jwt_token["sub"]
 
         jwt_token
@@ -78,9 +100,7 @@ module Rodauth
       jws_jwk = if oauth_application[oauth_application_jws_jwk_column]
                   jwk = oauth_application[oauth_application_jws_jwk_column]
 
-                  if jwk
-                    jwk = JSON.parse(jwk, symbolize_names: true) if jwk.is_a?(String)
-                  end
+                  jwk = JSON.parse(jwk, symbolize_names: true) if jwk && jwk.is_a?(String)
                 else
                   redirect_response_error("invalid_request_object")
                 end
@@ -95,8 +115,8 @@ module Rodauth
       # [RFC7519] specification.  The value of "aud" should be the value of
       # the Authorization Server (AS) "issuer" as defined in RFC8414
       # [RFC8414].
-      claims.delete(:iss)
-      audience = claims.delete(:aud)
+      claims.delete("iss")
+      audience = claims.delete("aud")
 
       redirect_response_error("invalid_request_object") if audience && audience != authorization_server_url
 
@@ -109,11 +129,17 @@ module Rodauth
 
     # /token
 
-    def before_token
+    def require_oauth_application
       # requset authentication optional for assertions
-      return if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+      return super unless param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
 
-      super
+      claims = jwt_decode(param("assertion"))
+
+      redirect_response_error("invalid_grant") unless claims
+
+      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
+
+      authorization_required unless @oauth_application
     end
 
     def validate_oauth_token_params
@@ -135,10 +161,6 @@ module Rodauth
     def create_oauth_token_from_assertion
       claims = jwt_decode(param("assertion"))
 
-      redirect_response_error("invalid_grant") unless claims
-
-      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
-
       account = account_ds(claims["sub"]).first
 
       redirect_response_error("invalid_client") unless oauth_application && account
@@ -154,26 +176,40 @@ module Rodauth
 
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
-        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
       }.merge(params)
 
-      if should_generate_refresh_token
-        refresh_token = oauth_unique_id_generator
+      oauth_token = rescue_from_uniqueness_error do
+        if should_generate_refresh_token
+          refresh_token = oauth_unique_id_generator
 
-        if oauth_tokens_refresh_token_hash_column
-          create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-        else
-          create_params[oauth_tokens_refresh_token_column] = refresh_token
+          if oauth_tokens_refresh_token_hash_column
+            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+          else
+            create_params[oauth_tokens_refresh_token_column] = refresh_token
+          end
         end
+
+        _generate_oauth_token(create_params)
       end
 
-      oauth_token = _generate_oauth_token(create_params)
+      claims = jwt_claims(oauth_token)
+
+      # one of the points of using jwt is avoiding database lookups, so we put here all relevant
+      # token data.
+      claims[:scope] = oauth_token[oauth_tokens_scopes_column]
 
-      issued_at = Time.now.utc.to_i
+      token = jwt_encode(claims)
 
-      payload = {
-        sub: oauth_token[oauth_tokens_account_id_column],
-        iss: oauth_jwt_token_issuer, # issuer
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token
+    end
+
+    def jwt_claims(oauth_token)
+      issued_at = Time.now.to_i
+
+      claims = {
+        iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
         iat: issued_at, # issued at
         #
         # sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].  In case of
@@ -184,23 +220,32 @@ module Rodauth
         # owner is involved, such as the client credentials grant, the value
         # of "sub" SHOULD correspond to an identifier the authorization
         # server uses to indicate the client application.
+        sub: jwt_subject(oauth_token),
         client_id: oauth_application[oauth_applications_client_id_column],
 
         exp: issued_at + oauth_token_expires_in,
-        aud: oauth_jwt_audience,
-
-        # one of the points of using jwt is avoiding database lookups, so we put here all relevant
-        # token data.
-        scope: oauth_token[oauth_tokens_scopes_column]
+        aud: (oauth_jwt_audience || oauth_application[oauth_applications_client_id_column])
       }
 
-      token = jwt_encode(payload)
+      claims[:auth_time] = last_account_login_at.to_i if last_account_login_at
 
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token
+      claims
+    end
+
+    def jwt_subject(oauth_token)
+      case oauth_jwt_subject_type
+      when "public"
+        oauth_token[oauth_tokens_account_id_column]
+      when "pairwise"
+        id = oauth_token[oauth_tokens_account_id_column]
+        application_id = oauth_token[oauth_tokens_oauth_application_id_column]
+        Digest::SHA256.hexdigest("#{id}#{application_id}#{oauth_jwt_subject_secret}")
+      else
+        raise StandardError, "unexpected subject (#{oauth_jwt_subject_type})"
+      end
     end
 
-    def oauth_token_by_token(token, *)
+    def oauth_token_by_token(token)
       jwt_decode(token)
     end
 
@@ -228,17 +273,11 @@ module Rodauth
     def oauth_server_metadata_body(path)
       metadata = super
       metadata.merge! \
-        jwks_uri: oauth_jwks_url,
+        jwks_uri: jwks_url,
         token_endpoint_auth_signing_alg_values_supported: [oauth_jwt_algorithm]
       metadata
     end
 
-    def token_from_application?(oauth_token, oauth_application)
-      return super unless oauth_token["sub"] # naive check on whether it's a jwt token
-
-      oauth_token["client_id"] == oauth_application[oauth_applications_client_id_column]
-    end
-
     def _jwt_key
       @_jwt_key ||= oauth_jwt_key || (oauth_application[oauth_applications_client_secret_column] if oauth_application)
     end
@@ -268,10 +307,10 @@ module Rodauth
 
         # time-to-live
         ttl = if response.key?("cache-control")
-                cache_control = response["cache_control"]
-                cache_control[/max-age=(\d+)/, 1]
+                cache_control = response["cache-control"]
+                cache_control[/max-age=(\d+)/, 1].to_i
               elsif response.key?("expires")
-                Time.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+                Time.parse(response["expires"]).to_i - Time.now.to_i
               end
 
         [JSON.parse(response.body, symbolize_names: true), ttl]
@@ -279,7 +318,6 @@ module Rodauth
     end
 
     if defined?(JSON::JWT)
-      # :nocov:
 
       def jwk_import(data)
         JSON::JWK.new(data)
@@ -305,23 +343,27 @@ module Rodauth
       def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, **)
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
 
-        @jwt_token = if jws_key
-                       JSON::JWT.decode(token, jws_key)
-                     elsif !is_authorization_server? && auth_server_jwks_set
-                       JSON::JWT.decode(token, JSON::JWK::Set.new(auth_server_jwks_set))
-                     end
+        if is_authorization_server?
+          if oauth_jwt_legacy_public_key
+            JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
+          elsif jws_key
+            JSON::JWT.decode(token, jws_key)
+          end
+        elsif (jwks = auth_server_jwks_set)
+          JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
+        end
       rescue JSON::JWT::Exception
         nil
       end
 
       def jwks_set
-        [
+        @jwks_set ||= [
           (JSON::JWK.new(oauth_jwt_public_key).merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (JSON::JWK.new(oauth_jwt_legacy_public_key).merge(use: "sig", alg: oauth_jwt_legacy_algorithm) if oauth_jwt_legacy_public_key),
           (JSON::JWK.new(oauth_jwt_jwe_public_key).merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
         ].compact
       end
 
-      # :nocov:
     elsif defined?(JWT)
 
       # ruby-jwt
@@ -366,21 +408,30 @@ module Rodauth
       def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, jws_algorithm: oauth_jwt_algorithm)
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
-
         # decode jwt
-        @jwt_token = if jws_key
-                       JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
-                     elsif !is_authorization_server? && auth_server_jwks_set
-                       algorithms = auth_server_jwks_set[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-                       JWT.decode(token, nil, true, jwks: auth_server_jwks_set, algorithms: algorithms).first
-                     end
+        if is_authorization_server?
+          if oauth_jwt_legacy_public_key
+            algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+            JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms).first
+          elsif jws_key
+            JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
+          end
+        elsif (jwks = auth_server_jwks_set)
+          algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+          JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
+        end
       rescue JWT::DecodeError, JWT::JWKError
         nil
       end
 
       def jwks_set
-        [
+        @jwks_set ||= [
           (JWT::JWK.new(oauth_jwt_public_key).export.merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (
+             if oauth_jwt_legacy_public_key
+               JWT::JWK.new(oauth_jwt_legacy_public_key).export.merge(use: "sig", alg: oauth_jwt_legacy_algorithm)
+             end
+           ),
           (JWT::JWK.new(oauth_jwt_jwe_public_key).export.merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
         ].compact
       end
@@ -411,11 +462,5 @@ module Rodauth
 
       super
     end
-
-    route(:oauth_jwks) do |r|
-      r.get do
-        json_response_success({ keys: jwks_set })
-      end
-    end
   end
 end

data/lib/rodauth/features/oauth_saml.rb

@@ -0,0 +1,104 @@
+# frozen-string-literal: true
+
+require "onelogin/ruby-saml"
+
+module Rodauth
+  Feature.define(:oauth_saml) do
+    depends :oauth
+
+    auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    auth_value_method :oauth_saml_cert_fingerprint_algorithm, nil
+    auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+    auth_value_method :oauth_saml_security_authn_requests_signed, false
+    auth_value_method :oauth_saml_security_metadata_signed, false
+    auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
+    auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
+
+    SAML_GRANT_TYPE = "http://oauth.net/grant_type/assertion/saml/2.0/bearer"
+
+    # /token
+
+    def require_oauth_application
+      # requset authentication optional for assertions
+      return super unless param("grant_type") == SAML_GRANT_TYPE && !param_or_nil("client_id")
+
+      # TODO: invalid grant
+      authorization_required unless saml_assertion
+
+      redirect_uri = saml_assertion.destination
+
+      @oauth_application = db[oauth_applications_table].where(
+        oauth_applications_homepage_url_column => saml_assertion.audiences,
+        oauth_applications_redirect_uri_column => redirect_uri
+      ).first
+
+      # The Assertion's <Issuer> element MUST contain a unique identifier
+      # for the entity that issued the Assertion.
+      authorization_required unless saml_assertion.issuers.all? do |issuer|
+        issuer.start_with?(@oauth_application[oauth_applications_homepage_url_column])
+      end
+
+      authorization_required unless @oauth_application
+    end
+
+    private
+
+    def secret_matches?(oauth_application, secret)
+      return super unless param_or_nil("assertion")
+
+      true
+    end
+
+    def saml_assertion
+      return @saml_assertion if defined?(@saml_assertion)
+
+      @saml_assertion = begin
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert_fingerprint = oauth_saml_cert_fingerprint
+        settings.idp_cert_fingerprint_algorithm = oauth_saml_cert_fingerprint_algorithm
+        settings.name_identifier_format = oauth_saml_name_identifier_format
+        settings.security[:authn_requests_signed] = oauth_saml_security_authn_requests_signed
+        settings.security[:metadata_signed] = oauth_saml_security_metadata_signed
+        settings.security[:digest_method] = oauth_saml_security_digest_method
+        settings.security[:signature_method] = oauth_saml_security_signature_method
+
+        response = OneLogin::RubySaml::Response.new(param("assertion"), settings: settings, skip_recipient_check: true)
+
+        return unless response.is_valid?
+
+        response
+      end
+    end
+
+    def validate_oauth_token_params
+      return super unless param("grant_type") == SAML_GRANT_TYPE
+
+      redirect_response_error("invalid_client") unless param_or_nil("assertion")
+
+      redirect_response_error("invalid_scope") unless check_valid_scopes?
+    end
+
+    def create_oauth_token
+      if param("grant_type") == SAML_GRANT_TYPE
+        create_oauth_token_from_saml_assertion
+      else
+        super
+      end
+    end
+
+    def create_oauth_token_from_saml_assertion
+      account = db[accounts_table].where(login_column => saml_assertion.nameid).first
+
+      redirect_response_error("invalid_client") unless oauth_application && account
+
+      create_params = {
+        oauth_tokens_account_id_column => account[account_id_column],
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => (param_or_nil("scope") || oauth_application[oauth_applications_scopes_column])
+      }
+
+      generate_oauth_token(create_params, false)
+    end
+  end
+end