rodauth-oauth 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3eac600d006a2c78509f608575db062b7ba6d67356b890c7d38414b9b82875f9
-  data.tar.gz: c37fc18c093f546023481a88cc526c5a0b721b1a3bfeac827c21184e0583071b
+  metadata.gz: 02d69464053b6809900da774b4c9957d642b003d0a0de7aa076e57a5eb8895bc
+  data.tar.gz: e1dd94b69aa4bdf051b1c28d684a0ec2a1435da9f99ca6bf77da9d537474f9a6
 SHA512:
-  metadata.gz: 0a04fdb5ab370ed5736208cbd4ccb1e6da801af52cd68004625a21008c4a10a04bc143d99c9e1a71bccb9fad882fc3cff27d9c0900689dbd5cf6c0616e4d43a0
-  data.tar.gz: e6d5cb6e8ff31d64eb588fa39ad6a1e7bb1ae9416adac64e5f9a21bf451ffd4115a8c2d3bb8759f1a32192a88a4a401336e1baca7621a33934dc1b2a873c8402
+  metadata.gz: cfe325a2e8daa96a72b4577566ae84772dcf114411ebbd9d0115f0f33f5b104f7c138a1b1ef7813d46f0fd2226c6560db5d974e51ec92b33ce7e393726005b2d
+  data.tar.gz: df5866c1cd089c0d361a00d1ffd1db02df9b6551940dbf70e7390657fa8558ae0fb3c8eb2fcff6ec6fb9fd52406a99615574305d5a3bacdbd20f5fc22bacd63f

data/CHANGELOG.md

@@ -2,6 +2,50 @@
 
 ## master
 
+### 0.2.0
+
+#### Features
+
+##### SAML Assertion Grant Type
+
+`rodauth-auth` now supports using a SAML Assertion to request for an Access token.In order to enable, you have to:
+
+```ruby
+plugin :rodauth do
+  enable :oauth_saml
+end
+```
+
+For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Assertion-Access-Tokens).
+
+##### Supporting rotating keys
+
+At some point, you'll want to replace the pkeys and algorithm used to generate and verify the JWT access tokens, but you want to keep validating previously-distributed JWT tokens, at least until they expire. Now you can, via two new options, `oauth_jwt_legacy_public_key` and `oauth_jwt_legacy_algorithm`, which will be declared in the JWKs URI and used to verify access tokens.
+
+
+##### Reuse access tokens
+
+If the `oauth_reuse_access_token` is set, if there's already an existing valid access token, any new grant for the same application / account / scope will keep the same access token. This can be helpful in scenarios where one wants the same access token distributed across devices.
+
+##### require_authorizable_account
+
+The method used to verify access to the authorize flow is called `require_authorizable_account`. By default, it checks if a user is logged in by using rodauth's own `require_account`. This is the method you'd want to redefine in order to augment these requirements, i.e. request 2fa authentication.
+
+#### Improvements
+
+Expired and revoked access tokens end up generating a lot of garbage, which will have to be periodically cleaned up. You can mitigate this now by setting a uniqueness index for a group of columns, i.e. if you set a uniqueness index for the `oauth_application_id/account_id/scopes` column, `rodauth-oauth` will transparently reuse the same db entry to store the new access token. If setting some other type of uniqueness index, make sure to update the option `oauth_tokens_unique_columns` (the array of columns from the uniqueness index).
+
+#### Bugfixes
+
+Calling `before_*_route` callbacks appropriately.
+
+Fixed some mishandling of HTTP headers when in in resource-server mode.
+
+#### Chore
+
+* 97.7% test coverage;
+* `rodauth-oauth` CI tests run against sqlite, postgresql and mysql.
+
 ### 0.1.0
 
 (31/7/2020)

data/README.md

@@ -21,6 +21,7 @@ This gem implements the following RFCs and features of OAuth:
 * Access Type (Token refresh online and offline);
 * [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
 * [JWT Acess Tokens](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07);
+* [SAML 2.0 Assertion Access Tokens](https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-03);
 * [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
 * OAuth application and token management dashboards;
 

data/lib/generators/roda/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -43,14 +43,14 @@ class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
       t.foreign_key :oauth_tokens, column: :oauth_token_id
       t.integer :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
-      t.string :token, null: false, token: true
+      t.string :token, null: false, token: true, unique: true
       # uncomment if setting oauth_tokens_token_hash_column
       # and delete the token column
-      # t.string :token_hash, token: true
-      t.string :refresh_token
+      # t.string :token_hash, token: true, unique: true
+      t.string :refresh_token, unique: true
       # uncomment if setting oauth_tokens_refresh_token_hash_column
       # and delete the refresh_token column
-      # t.string :refresh_token_hash, token: true
+      # t.string :refresh_token_hash, token: true, unique: true
       t.datetime :expires_in, null: false
       t.datetime :revoked_at
       t.string :scopes, null: false

data/lib/rodauth/features/oauth.rb

@@ -1,16 +1,21 @@
 # frozen-string-literal: true
 
+require "time"
 require "base64"
 require "securerandom"
 require "net/http"
 
 require "rodauth/oauth/ttl_store"
+require "rodauth/oauth/database_extensions"
 
 module Rodauth
   Feature.define(:oauth) do
     # RUBY EXTENSIONS
-    # :nocov:
     unless Regexp.method_defined?(:match?)
+      # If you wonder why this is there: the oauth feature uses a refinement to enhance the
+      # Regexp class locally with #match? , but this is never tested, because ActiveSupport
+      # monkey-patches the same method... Please ActiveSupport, stop being so intrusive!
+      # :nocov:
       module RegexpExtensions
         refine(Regexp) do
           def match?(*args)
@@ -19,6 +24,7 @@ module Rodauth
         end
       end
       using(RegexpExtensions)
+      # :nocov:
     end
 
     unless String.method_defined?(:delete_suffix!)
@@ -37,7 +43,6 @@ module Rodauth
       end
       using(SuffixExtensions)
     end
-    # :nocov:
 
     SCOPES = %w[profile.read].freeze
 
@@ -110,6 +115,8 @@ module Rodauth
     auth_value_method :oauth_tokens_token_hash_column, nil
     auth_value_method :oauth_tokens_refresh_token_hash_column, nil
 
+    # Access Token reuse
+    auth_value_method :oauth_reuse_access_token, false
     # OAuth Grants
     auth_value_method :oauth_grants_table, :oauth_grants
     auth_value_method :oauth_grants_id_column, :id
@@ -124,6 +131,7 @@ module Rodauth
 
     auth_value_method :authorization_required_error_status, 401
     auth_value_method :invalid_oauth_response_status, 400
+    auth_value_method :already_in_use_response_status, 409
 
     # OAuth Applications
     auth_value_method :oauth_applications_path, "oauth-applications"
@@ -155,6 +163,8 @@ module Rodauth
 
     auth_value_method :unique_error_message, "is already in use"
     auth_value_method :null_error_message, "is not filled"
+    auth_value_method :already_in_use_message, "error generating unique token"
+    auth_value_method :already_in_use_error_code, "invalid_request"
 
     # PKCE
     auth_value_method :code_challenge_required_error_code, "invalid_request"
@@ -172,6 +182,8 @@ module Rodauth
     # Only required to use if the plugin is to be used in a resource server
     auth_value_method :is_authorization_server?, true
 
+    auth_value_method :oauth_unique_id_generation_retries, 3
+
     auth_value_methods(
       :fetch_access_token,
       :oauth_unique_id_generator,
@@ -179,7 +191,9 @@ module Rodauth
       :secret_hash,
       :generate_token_hash,
       :authorization_server_url,
-      :before_introspection_request
+      :before_introspection_request,
+      :require_authorizable_account,
+      :oauth_tokens_unique_columns
     )
 
     auth_value_methods(:only_json?)
@@ -213,14 +227,12 @@ module Rodauth
     end
 
     unless method_defined?(:json_request?)
-      # :nocov:
       # copied from the jwt feature
       def json_request?
         return @json_request if defined?(@json_request)
 
         @json_request = request.content_type =~ json_request_regexp
       end
-      # :nocov:
     end
 
     def initialize(scope)
@@ -343,7 +355,7 @@ module Rodauth
         end
 
         request.get do
-          scope.instance_variable_set(:@oauth_applications, db[:oauth_applications])
+          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table])
           oauth_applications_view
         end
 
@@ -375,8 +387,42 @@ module Rodauth
       end
     end
 
+    def post_configure
+      super
+      self.class.__send__(:include, Rodauth::OAuth::ExtendDatabase(db))
+
+      # Check whether we can reutilize db entries for the same account / application pair
+      one_oauth_token_per_account = begin
+        db.indexes(oauth_tokens_table).values.any? do |definition|
+          definition[:unique] &&
+            definition[:columns] == oauth_tokens_unique_columns
+        end
+      end
+      self.class.send(:define_method, :__one_oauth_token_per_account) { one_oauth_token_per_account }
+    end
+
     private
 
+    def rescue_from_uniqueness_error(&block)
+      retries = oauth_unique_id_generation_retries
+      begin
+        transaction(savepoint: :only, &block)
+      rescue Sequel::UniqueConstraintViolation
+        redirect_response_error("already_in_use") if retries.zero?
+        retries -= 1
+        retry
+      end
+    end
+
+    # OAuth Token Unique/Reuse
+    def oauth_tokens_unique_columns
+      [
+        oauth_tokens_oauth_application_id_column,
+        oauth_tokens_account_id_column,
+        oauth_tokens_scopes_column
+      ]
+    end
+
     def authorization_server_url
       base_url
     end
@@ -399,10 +445,10 @@ module Rodauth
 
         # time-to-live
         ttl = if response.key?("cache-control")
-                cache_control = response["cache_control"]
+                cache_control = response["cache-control"]
                 cache_control[/max-age=(\d+)/, 1]
               elsif response.key?("expires")
-                Time.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+                DateTime.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
               end
 
         [JSON.parse(response.body, symbolize_names: true), ttl]
@@ -482,22 +528,11 @@ module Rodauth
     end
 
     unless method_defined?(:password_hash)
-      # :nocov:
       # From login_requirements_base feature
-      if ENV["RACK_ENV"] == "test"
-        def password_hash_cost
-          BCrypt::Engine::MIN_COST
-        end
-      else
-        def password_hash_cost
-          BCrypt::Engine::DEFAULT_COST
-        end
-      end
 
       def password_hash(password)
-        BCrypt::Password.create(password, cost: password_hash_cost)
+        BCrypt::Password.create(password, cost: BCrypt::Engine::DEFAULT_COST)
       end
-      # :nocov:
     end
 
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
@@ -505,43 +540,60 @@ module Rodauth
         oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
       }.merge(params)
 
-      token = oauth_unique_id_generator
-      refresh_token = nil
+      rescue_from_uniqueness_error do
+        token = oauth_unique_id_generator
 
-      if oauth_tokens_token_hash_column
-        create_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
-      else
-        create_params[oauth_tokens_token_column] = token
-      end
+        if oauth_tokens_token_hash_column
+          create_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+        else
+          create_params[oauth_tokens_token_column] = token
+        end
 
-      if should_generate_refresh_token
-        refresh_token = oauth_unique_id_generator
+        refresh_token = nil
+        if should_generate_refresh_token
+          refresh_token = oauth_unique_id_generator
 
-        if oauth_tokens_refresh_token_hash_column
-          create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-        else
-          create_params[oauth_tokens_refresh_token_column] = refresh_token
+          if oauth_tokens_refresh_token_hash_column
+            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+          else
+            create_params[oauth_tokens_refresh_token_column] = refresh_token
+          end
         end
+        oauth_token = _generate_oauth_token(create_params)
+        oauth_token[oauth_tokens_token_column] = token
+        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
+        oauth_token
       end
-      oauth_token = _generate_oauth_token(create_params)
-
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
-      oauth_token
     end
 
     def _generate_oauth_token(params = {})
       ds = db[oauth_tokens_table]
 
-      begin
-        if ds.supports_returning?(:insert)
-          ds.returning.insert(params).first
-        else
-          id = ds.insert(params)
-          ds.where(oauth_tokens_id_column => id).first
+      if __one_oauth_token_per_account
+
+        token = __insert_or_update_and_return__(
+          ds,
+          oauth_tokens_id_column,
+          oauth_tokens_unique_columns,
+          params,
+          Sequel.expr(Sequel[oauth_tokens_table][oauth_tokens_expires_in_column]) > Sequel::CURRENT_TIMESTAMP,
+          ([oauth_tokens_token_column, oauth_tokens_refresh_token_column] if oauth_reuse_access_token)
+        )
+
+        # if the previous operation didn't return a row, it means that the conditions
+        # invalidated the update, and the existing token is still valid.
+        token || ds.where(
+          oauth_tokens_account_id_column => params[oauth_tokens_account_id_column],
+          oauth_tokens_oauth_application_id_column => params[oauth_tokens_oauth_application_id_column]
+        ).first
+      else
+        if oauth_reuse_access_token
+          unique_conds = Hash[oauth_tokens_unique_columns.map { |column| [column, params[column]] }]
+          valid_token = ds.where(Sequel.expr(Sequel[oauth_tokens_table][oauth_tokens_expires_in_column]) > Sequel::CURRENT_TIMESTAMP)
+                          .where(unique_conds).first
+          return valid_token if valid_token
         end
-      rescue Sequel::UniqueConstraintViolation
-        retry
+        __insert_and_return__(ds, oauth_tokens_id_column, params)
       end
     end
 
@@ -633,7 +685,6 @@ module Rodauth
       # set client ID/secret pairs
 
       create_params.merge! \
-        oauth_applications_client_id_column => oauth_unique_id_generator,
         oauth_applications_client_secret_column => \
           secret_hash(oauth_application_params[oauth_application_client_secret_param])
 
@@ -643,29 +694,14 @@ module Rodauth
                                                           oauth_application_default_scope
                                                         end
 
-      id = nil
-      raised = begin
-                 id = db[oauth_applications_table].insert(create_params)
-                 false
-               rescue Sequel::ConstraintViolation => e
-                 e
-               end
-
-      if raised
-        field = raised.message[/\.(.*)$/, 1]
-        case raised
-        when Sequel::UniqueConstraintViolation
-          throw_error(field, unique_error_message)
-        when Sequel::NotNullConstraintViolation
-          throw_error(field, null_error_message)
-        end
+      rescue_from_uniqueness_error do
+        create_params[oauth_applications_client_id_column] = oauth_unique_id_generator
+        db[oauth_applications_table].insert(create_params)
       end
-
-      !raised && id
     end
 
     # Authorize
-    def before_authorize
+    def require_authorizable_account
       require_account
     end
 
@@ -709,35 +745,25 @@ module Rodauth
       )
 
       # Access Type flow
-      if use_oauth_access_type?
-        if (access_type = param_or_nil("access_type"))
-          create_params[oauth_grants_access_type_column] = access_type
-        end
+      if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
+        create_params[oauth_grants_access_type_column] = access_type
       end
 
       # PKCE flow
-      if use_oauth_pkce?
+      if use_oauth_pkce? && (code_challenge = param_or_nil("code_challenge"))
+        code_challenge_method = param_or_nil("code_challenge_method")
 
-        if (code_challenge = param_or_nil("code_challenge"))
-          code_challenge_method = param_or_nil("code_challenge_method")
-
-          create_params[oauth_grants_code_challenge_column] = code_challenge
-          create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
-        elsif oauth_require_pkce
-          redirect_response_error("code_challenge_required")
-        end
+        create_params[oauth_grants_code_challenge_column] = code_challenge
+        create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
       end
 
       ds = db[oauth_grants_table]
 
-      begin
-        authorization_code = oauth_unique_id_generator
-        create_params[oauth_grants_code_column] = authorization_code
-        ds.insert(create_params)
-        authorization_code
-      rescue Sequel::UniqueConstraintViolation
-        retry
+      rescue_from_uniqueness_error do
+        create_params[oauth_grants_code_column] = oauth_unique_id_generator
+        __insert_and_return__(ds, oauth_grants_id_column, create_params)
       end
+      create_params[oauth_grants_code_column]
     end
 
     def do_authorize(redirect_url, query_params = [], fragment_params = [])
@@ -781,10 +807,6 @@ module Rodauth
 
     # Access Tokens
 
-    def before_token
-      require_oauth_application
-    end
-
     def validate_oauth_token_params
       unless (grant_type = param_or_nil("grant_type"))
         redirect_response_error("invalid_request")
@@ -834,8 +856,6 @@ module Rodauth
           oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in
         }
         create_oauth_token_from_token(oauth_token, update_params)
-      else
-        redirect_response_error("invalid_grant")
       end
     end
 
@@ -864,29 +884,21 @@ module Rodauth
     def create_oauth_token_from_token(oauth_token, update_params)
       redirect_response_error("invalid_grant") unless token_from_application?(oauth_token, oauth_application)
 
-      token = oauth_unique_id_generator
-
-      if oauth_tokens_token_hash_column
-        update_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
-      else
-        update_params[oauth_tokens_token_column] = token
-      end
+      rescue_from_uniqueness_error do
+        token = oauth_unique_id_generator
 
-      ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
-
-      oauth_token = begin
-        if ds.supports_returning?(:update)
-          ds.returning.update(update_params).first
+        if oauth_tokens_token_hash_column
+          update_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
         else
-          ds.update(update_params)
-          ds.first
+          update_params[oauth_tokens_token_column] = token
         end
-                    rescue Sequel::UniqueConstraintViolation
-                      retry
-      end
 
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token
+        ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+
+        oauth_token = __update_and_return__(ds, update_params)
+        oauth_token[oauth_tokens_token_column] = token
+        oauth_token
+      end
     end
 
     TOKEN_HINT_TYPES = %w[access_token refresh_token].freeze
@@ -895,8 +907,8 @@ module Rodauth
 
     def validate_oauth_introspect_params
       # check if valid token hint type
-      if param_or_nil("token_type_hint")
-        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+      if param_or_nil("token_type_hint") && !TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+        redirect_response_error("unsupported_token_type")
       end
 
       redirect_response_error("invalid_request") unless param_or_nil("token")
@@ -914,18 +926,12 @@ module Rodauth
       }
     end
 
-    def before_introspect; end
-
     # Token revocation
 
-    def before_revoke
-      require_oauth_application
-    end
-
     def validate_oauth_revoke_params
       # check if valid token hint type
-      if param_or_nil("token_type_hint")
-        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+      if param_or_nil("token_type_hint") && !TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+        redirect_response_error("unsupported_token_type")
       end
 
       redirect_response_error("invalid_request") unless param_or_nil("token")
@@ -942,23 +948,13 @@ module Rodauth
 
       redirect_response_error("invalid_request") unless oauth_token
 
-      if oauth_application
-        redirect_response_error("invalid_request") unless token_from_application?(oauth_token, oauth_application)
-      else
-        @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
-          oauth_token[oauth_tokens_oauth_application_id_column]).first
-      end
+      redirect_response_error("invalid_request") unless token_from_application?(oauth_token, oauth_application)
 
       update_params = { oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
 
       ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
 
-      oauth_token = if ds.supports_returning?(:update)
-                      ds.returning.update(update_params).first
-                    else
-                      ds.update(update_params)
-                      ds.first
-                    end
+      oauth_token = __update_and_return__(ds, update_params)
 
       oauth_token[oauth_tokens_token_column] = token
       oauth_token
@@ -976,7 +972,13 @@ module Rodauth
 
     def redirect_response_error(error_code, redirect_url = redirect_uri || request.referer || default_redirect)
       if accepts_json?
-        throw_json_response_error(invalid_oauth_response_status, error_code)
+        status_code = if respond_to?(:"#{error_code}_response_status")
+                        send(:"#{error_code}_response_status")
+                      else
+                        invalid_oauth_response_status
+                      end
+
+        throw_json_response_error(status_code, error_code)
       else
         redirect_url = URI.parse(redirect_url)
         query_params = []
@@ -1023,7 +1025,6 @@ module Rodauth
     end
 
     unless method_defined?(:_json_response_body)
-      # :nocov:
       def _json_response_body(hash)
         if request.respond_to?(:convert_to_json)
           request.send(:convert_to_json, hash)
@@ -1031,7 +1032,6 @@ module Rodauth
           JSON.dump(hash)
         end
       end
-      # :nocov:
     end
 
     def authorization_required
@@ -1156,7 +1156,8 @@ module Rodauth
     route(:token) do |r|
       next unless is_authorization_server?
 
-      before_token
+      before_token_route
+      require_oauth_application
 
       r.post do
         catch_error do
@@ -1164,6 +1165,7 @@ module Rodauth
 
           oauth_token = nil
           transaction do
+            before_token
             oauth_token = create_oauth_token
           end
 
@@ -1178,12 +1180,13 @@ module Rodauth
     route(:introspect) do |r|
       next unless is_authorization_server?
 
-      before_introspect
+      before_introspect_route
 
       r.post do
         catch_error do
           validate_oauth_introspect_params
 
+          before_introspect
           oauth_token = case param("token_type_hint")
                         when "access_token"
                           oauth_token_by_token(param("token"))
@@ -1211,7 +1214,8 @@ module Rodauth
     route(:revoke) do |r|
       next unless is_authorization_server?
 
-      before_revoke
+      before_revoke_route
+      require_oauth_application
 
       r.post do
         catch_error do
@@ -1219,6 +1223,7 @@ module Rodauth
 
           oauth_token = nil
           transaction do
+            before_revoke
             oauth_token = revoke_oauth_token
             after_revoke
           end
@@ -1242,12 +1247,12 @@ module Rodauth
     route(:authorize) do |r|
       next unless is_authorization_server?
 
-      require_account
+      before_authorize_route
+      require_authorizable_account
+
       validate_oauth_grant_params
       try_approval_prompt if use_oauth_access_type? && request.get?
 
-      before_authorize
-
       r.get do
         authorize_view
       end
@@ -1256,6 +1261,7 @@ module Rodauth
         redirect_url = URI.parse(redirect_uri)
 
         transaction do
+          before_authorize
           do_authorize(redirect_url)
         end
         redirect(redirect_url.to_s)

data/lib/rodauth/features/oauth_http_mac.rb

@@ -2,7 +2,6 @@
 
 module Rodauth
   Feature.define(:oauth_http_mac) do
-    # :nocov:
     unless String.method_defined?(:delete_prefix)
       module PrefixExtensions
         refine(String) do
@@ -28,7 +27,6 @@ module Rodauth
       end
       using(PrefixExtensions)
     end
-    # :nocov:
 
     depends :oauth
 

data/lib/rodauth/features/oauth_jwt.rb

@@ -22,6 +22,10 @@ module Rodauth
     auth_value_method :oauth_jwt_jwe_algorithm, nil
     auth_value_method :oauth_jwt_jwe_encryption_method, nil
 
+    # values used for rotating keys
+    auth_value_method :oauth_jwt_legacy_public_key, nil
+    auth_value_method :oauth_jwt_legacy_algorithm, nil
+
     auth_value_method :oauth_jwt_jwe_copyright, nil
     auth_value_method :oauth_jwt_audience, nil
 
@@ -88,9 +92,7 @@ module Rodauth
       jws_jwk = if oauth_application[oauth_application_jws_jwk_column]
                   jwk = oauth_application[oauth_application_jws_jwk_column]
 
-                  if jwk
-                    jwk = JSON.parse(jwk, symbolize_names: true) if jwk.is_a?(String)
-                  end
+                  jwk = JSON.parse(jwk, symbolize_names: true) if jwk && jwk.is_a?(String)
                 else
                   redirect_response_error("invalid_request_object")
                 end
@@ -105,8 +107,8 @@ module Rodauth
       # [RFC7519] specification.  The value of "aud" should be the value of
       # the Authorization Server (AS) "issuer" as defined in RFC8414
       # [RFC8414].
-      claims.delete(:iss)
-      audience = claims.delete(:aud)
+      claims.delete("iss")
+      audience = claims.delete("aud")
 
       redirect_response_error("invalid_request_object") if audience && audience != authorization_server_url
 
@@ -119,11 +121,17 @@ module Rodauth
 
     # /token
 
-    def before_token
+    def require_oauth_application
       # requset authentication optional for assertions
-      return if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+      return super unless param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
 
-      super
+      claims = jwt_decode(param("assertion"))
+
+      redirect_response_error("invalid_grant") unless claims
+
+      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
+
+      authorization_required unless @oauth_application
     end
 
     def validate_oauth_token_params
@@ -145,10 +153,6 @@ module Rodauth
     def create_oauth_token_from_assertion
       claims = jwt_decode(param("assertion"))
 
-      redirect_response_error("invalid_grant") unless claims
-
-      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
-
       account = account_ds(claims["sub"]).first
 
       redirect_response_error("invalid_client") unless oauth_application && account
@@ -167,17 +171,19 @@ module Rodauth
         oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
       }.merge(params)
 
-      if should_generate_refresh_token
-        refresh_token = oauth_unique_id_generator
+      oauth_token = rescue_from_uniqueness_error do
+        if should_generate_refresh_token
+          refresh_token = oauth_unique_id_generator
 
-        if oauth_tokens_refresh_token_hash_column
-          create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-        else
-          create_params[oauth_tokens_refresh_token_column] = refresh_token
+          if oauth_tokens_refresh_token_hash_column
+            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+          else
+            create_params[oauth_tokens_refresh_token_column] = refresh_token
+          end
         end
-      end
 
-      oauth_token = _generate_oauth_token(create_params)
+        _generate_oauth_token(create_params)
+      end
 
       claims = jwt_claims(oauth_token)
 
@@ -293,10 +299,10 @@ module Rodauth
 
         # time-to-live
         ttl = if response.key?("cache-control")
-                cache_control = response["cache_control"]
+                cache_control = response["cache-control"]
                 cache_control[/max-age=(\d+)/, 1]
               elsif response.key?("expires")
-                Time.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+                DateTime.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
               end
 
         [JSON.parse(response.body, symbolize_names: true), ttl]
@@ -304,7 +310,6 @@ module Rodauth
     end
 
     if defined?(JSON::JWT)
-      # :nocov:
 
       def jwk_import(data)
         JSON::JWK.new(data)
@@ -330,23 +335,27 @@ module Rodauth
       def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, **)
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
 
-        @jwt_token = if jws_key
-                       JSON::JWT.decode(token, jws_key)
-                     elsif !is_authorization_server? && auth_server_jwks_set
-                       JSON::JWT.decode(token, JSON::JWK::Set.new(auth_server_jwks_set))
-                     end
+        if is_authorization_server?
+          if oauth_jwt_legacy_public_key
+            JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
+          elsif jws_key
+            JSON::JWT.decode(token, jws_key)
+          end
+        elsif (jwks = auth_server_jwks_set)
+          JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
+        end
       rescue JSON::JWT::Exception
         nil
       end
 
       def jwks_set
-        [
+        @jwks_set ||= [
           (JSON::JWK.new(oauth_jwt_public_key).merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (JSON::JWK.new(oauth_jwt_legacy_public_key).merge(use: "sig", alg: oauth_jwt_legacy_algorithm) if oauth_jwt_legacy_public_key),
           (JSON::JWK.new(oauth_jwt_jwe_public_key).merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
         ].compact
       end
 
-      # :nocov:
     elsif defined?(JWT)
 
       # ruby-jwt
@@ -391,21 +400,30 @@ module Rodauth
       def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, jws_algorithm: oauth_jwt_algorithm)
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
-
         # decode jwt
-        @jwt_token = if jws_key
-                       JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
-                     elsif !is_authorization_server? && auth_server_jwks_set
-                       algorithms = auth_server_jwks_set[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-                       JWT.decode(token, nil, true, jwks: auth_server_jwks_set, algorithms: algorithms).first
-                     end
+        if is_authorization_server?
+          if oauth_jwt_legacy_public_key
+            algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+            JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms).first
+          elsif jws_key
+            JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
+          end
+        elsif (jwks = auth_server_jwks_set)
+          algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+          JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
+        end
       rescue JWT::DecodeError, JWT::JWKError
         nil
       end
 
       def jwks_set
-        [
+        @jwks_set ||= [
           (JWT::JWK.new(oauth_jwt_public_key).export.merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (
+             if oauth_jwt_legacy_public_key
+               JWT::JWK.new(oauth_jwt_legacy_public_key).export.merge(use: "sig", alg: oauth_jwt_legacy_algorithm)
+             end
+           ),
           (JWT::JWK.new(oauth_jwt_jwe_public_key).export.merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
         ].compact
       end

data/lib/rodauth/features/oauth_saml.rb

@@ -0,0 +1,104 @@
+# frozen-string-literal: true
+
+require "onelogin/ruby-saml"
+
+module Rodauth
+  Feature.define(:oauth_saml) do
+    depends :oauth
+
+    auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    auth_value_method :oauth_saml_cert_fingerprint_algorithm, nil
+    auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+    auth_value_method :oauth_saml_security_authn_requests_signed, false
+    auth_value_method :oauth_saml_security_metadata_signed, false
+    auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
+    auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
+
+    SAML_GRANT_TYPE = "http://oauth.net/grant_type/assertion/saml/2.0/bearer"
+
+    # /token
+
+    def require_oauth_application
+      # requset authentication optional for assertions
+      return super unless param("grant_type") == SAML_GRANT_TYPE && !param_or_nil("client_id")
+
+      # TODO: invalid grant
+      authorization_required unless saml_assertion
+
+      redirect_uri = saml_assertion.destination
+
+      @oauth_application = db[oauth_applications_table].where(
+        oauth_applications_homepage_url_column => saml_assertion.audiences,
+        oauth_applications_redirect_uri_column => redirect_uri
+      ).first
+
+      # The Assertion's <Issuer> element MUST contain a unique identifier
+      # for the entity that issued the Assertion.
+      authorization_required unless saml_assertion.issuers.all? do |issuer|
+        issuer.start_with?(@oauth_application[oauth_applications_homepage_url_column])
+      end
+
+      authorization_required unless @oauth_application
+    end
+
+    private
+
+    def secret_matches?(oauth_application, secret)
+      return super unless param_or_nil("assertion")
+
+      true
+    end
+
+    def saml_assertion
+      return @saml_assertion if defined?(@saml_assertion)
+
+      @saml_assertion = begin
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert_fingerprint = oauth_saml_cert_fingerprint
+        settings.idp_cert_fingerprint_algorithm = oauth_saml_cert_fingerprint_algorithm
+        settings.name_identifier_format = oauth_saml_name_identifier_format
+        settings.security[:authn_requests_signed] = oauth_saml_security_authn_requests_signed
+        settings.security[:metadata_signed] = oauth_saml_security_metadata_signed
+        settings.security[:digest_method] = oauth_saml_security_digest_method
+        settings.security[:signature_method] = oauth_saml_security_signature_method
+
+        response = OneLogin::RubySaml::Response.new(param("assertion"), settings: settings, skip_recipient_check: true)
+
+        return unless response.is_valid?
+
+        response
+      end
+    end
+
+    def validate_oauth_token_params
+      return super unless param("grant_type") == SAML_GRANT_TYPE
+
+      redirect_response_error("invalid_client") unless param_or_nil("assertion")
+
+      redirect_response_error("invalid_scope") unless check_valid_scopes?
+    end
+
+    def create_oauth_token
+      if param("grant_type") == SAML_GRANT_TYPE
+        create_oauth_token_from_saml_assertion
+      else
+        super
+      end
+    end
+
+    def create_oauth_token_from_saml_assertion
+      account = db[accounts_table].where(login_column => saml_assertion.nameid).first
+
+      redirect_response_error("invalid_client") unless oauth_application && account
+
+      create_params = {
+        oauth_tokens_account_id_column => account[account_id_column],
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => (param_or_nil("scope") || oauth_application[oauth_applications_scopes_column])
+      }
+
+      generate_oauth_token(create_params, false)
+    end
+  end
+end

data/lib/rodauth/oauth/database_extensions.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Rodauth
+  module OAuth
+    # rubocop:disable Naming/MethodName, Metrics/ParameterLists
+    def self.ExtendDatabase(db)
+      Module.new do
+        dataset = db.dataset
+
+        if dataset.supports_returning?(:insert)
+          def __insert_and_return__(dataset, _pkey, params)
+            dataset.returning.insert(params).first
+          end
+        else
+          def __insert_and_return__(dataset, pkey, params)
+            id = dataset.insert(params)
+            dataset.where(pkey => id).first
+          end
+        end
+
+        if dataset.supports_returning?(:update)
+          def __update_and_return__(dataset, params)
+            dataset.returning.update(params).first
+          end
+        else
+          def __update_and_return__(dataset, params)
+            dataset.update(params)
+            dataset.first
+          end
+        end
+
+        if dataset.respond_to?(:supports_insert_conflict?) && dataset.supports_insert_conflict?
+          def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, exclude_on_update = nil)
+            to_update = params.keys - unique_columns
+            to_update -= exclude_on_update if exclude_on_update
+
+            dataset = dataset.insert_conflict(
+              target: unique_columns,
+              update: Hash[ to_update.map { |attribute| [attribute, Sequel[:excluded][attribute]] } ],
+              update_where: conds
+            )
+
+            __insert_and_return__(dataset, pkey, params)
+          end
+        else
+          def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, exclude_on_update = nil)
+            find_params, update_params = params.partition { |key, _| unique_columns.include?(key) }.map { |h| Hash[h] }
+
+            dataset_where = dataset.where(find_params)
+            record = if conds
+                       dataset_where_conds = dataset_where.where(conds)
+
+                       # this means that there's still a valid entry there, so return early
+                       return if dataset_where.count != dataset_where_conds.count
+
+                       dataset_where_conds.first
+                     else
+                       dataset_where.first
+                     end
+
+            if record
+              update_params.reject! { |k, _v| exclude_on_update.include?(k) } if exclude_on_update
+              __update_and_return__(dataset_where, update_params)
+            else
+              __insert_and_return__(dataset, pkey, params)
+            end
+          end
+        end
+      end
+    end
+    # rubocop:enable Naming/MethodName, Metrics/ParameterLists
+  end
+end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-08-01 00:00:00.000000000 Z
+date: 2020-09-09 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -32,8 +32,10 @@ files:
 - lib/rodauth/features/oauth.rb
 - lib/rodauth/features/oauth_http_mac.rb
 - lib/rodauth/features/oauth_jwt.rb
+- lib/rodauth/features/oauth_saml.rb
 - lib/rodauth/features/oidc.rb
 - lib/rodauth/oauth.rb
+- lib/rodauth/oauth/database_extensions.rb
 - lib/rodauth/oauth/railtie.rb
 - lib/rodauth/oauth/ttl_store.rb
 - lib/rodauth/oauth/version.rb