rodauth-oauth 0.1.0 → 0.4.2

data/lib/rodauth/features/oauth_http_mac.rb

@@ -2,33 +2,27 @@
 
 module Rodauth
   Feature.define(:oauth_http_mac) do
-    # :nocov:
     unless String.method_defined?(:delete_prefix)
       module PrefixExtensions
         refine(String) do
           def delete_suffix(suffix)
             suffix = suffix.to_s
             len = suffix.length
-            if len.positive? && index(suffix, -len)
-              self[0...-len]
-            else
-              dup
-            end
+            return dup unless len.positive? && index(suffix, -len)
+
+            self[0...-len]
           end
 
           def delete_prefix(prefix)
             prefix = prefix.to_s
-            if rindex(prefix, 0)
-              self[prefix.length..-1]
-            else
-              dup
-            end
+            return dup unless rindex(prefix, 0)
+
+            self[prefix.length..-1]
           end
         end
       end
       using(PrefixExtensions)
     end
-    # :nocov:
 
     depends :oauth
 

data/lib/rodauth/features/oauth_jwt.rb

@@ -6,6 +6,8 @@ module Rodauth
   Feature.define(:oauth_jwt) do
     depends :oauth
 
+    JWKS = OAuth::TtlStore.new
+
     auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
     auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
 
@@ -22,6 +24,10 @@ module Rodauth
     auth_value_method :oauth_jwt_jwe_algorithm, nil
     auth_value_method :oauth_jwt_jwe_encryption_method, nil
 
+    # values used for rotating keys
+    auth_value_method :oauth_jwt_legacy_public_key, nil
+    auth_value_method :oauth_jwt_legacy_algorithm, nil
+
     auth_value_method :oauth_jwt_jwe_copyright, nil
     auth_value_method :oauth_jwt_audience, nil
 
@@ -35,7 +41,13 @@ module Rodauth
       :last_account_login_at
     )
 
-    JWKS = OAuth::TtlStore.new
+    route(:jwks) do |r|
+      next unless is_authorization_server?
+
+      r.get do
+        json_response_success({ keys: jwks_set }, true)
+      end
+    end
 
     def require_oauth_authorization(*scopes)
       authorization_required unless authorization_token
@@ -88,9 +100,7 @@ module Rodauth
       jws_jwk = if oauth_application[oauth_application_jws_jwk_column]
                   jwk = oauth_application[oauth_application_jws_jwk_column]
 
-                  if jwk
-                    jwk = JSON.parse(jwk, symbolize_names: true) if jwk.is_a?(String)
-                  end
+                  jwk = JSON.parse(jwk, symbolize_names: true) if jwk && jwk.is_a?(String)
                 else
                   redirect_response_error("invalid_request_object")
                 end
@@ -105,8 +115,8 @@ module Rodauth
       # [RFC7519] specification.  The value of "aud" should be the value of
       # the Authorization Server (AS) "issuer" as defined in RFC8414
       # [RFC8414].
-      claims.delete(:iss)
-      audience = claims.delete(:aud)
+      claims.delete("iss")
+      audience = claims.delete("aud")
 
       redirect_response_error("invalid_request_object") if audience && audience != authorization_server_url
 
@@ -119,11 +129,17 @@ module Rodauth
 
     # /token
 
-    def before_token
+    def require_oauth_application
       # requset authentication optional for assertions
-      return if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+      return super unless param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
 
-      super
+      claims = jwt_decode(param("assertion"))
+
+      redirect_response_error("invalid_grant") unless claims
+
+      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
+
+      authorization_required unless @oauth_application
     end
 
     def validate_oauth_token_params
@@ -145,10 +161,6 @@ module Rodauth
     def create_oauth_token_from_assertion
       claims = jwt_decode(param("assertion"))
 
-      redirect_response_error("invalid_grant") unless claims
-
-      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
-
       account = account_ds(claims["sub"]).first
 
       redirect_response_error("invalid_client") unless oauth_application && account
@@ -164,20 +176,22 @@ module Rodauth
 
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
-        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
       }.merge(params)
 
-      if should_generate_refresh_token
-        refresh_token = oauth_unique_id_generator
+      oauth_token = rescue_from_uniqueness_error do
+        if should_generate_refresh_token
+          refresh_token = oauth_unique_id_generator
 
-        if oauth_tokens_refresh_token_hash_column
-          create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-        else
-          create_params[oauth_tokens_refresh_token_column] = refresh_token
+          if oauth_tokens_refresh_token_hash_column
+            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+          else
+            create_params[oauth_tokens_refresh_token_column] = refresh_token
+          end
         end
-      end
 
-      oauth_token = _generate_oauth_token(create_params)
+        _generate_oauth_token(create_params)
+      end
 
       claims = jwt_claims(oauth_token)
 
@@ -192,7 +206,7 @@ module Rodauth
     end
 
     def jwt_claims(oauth_token)
-      issued_at = Time.now.utc.to_i
+      issued_at = Time.now.to_i
 
       claims = {
         iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
@@ -213,7 +227,7 @@ module Rodauth
         aud: (oauth_jwt_audience || oauth_application[oauth_applications_client_id_column])
       }
 
-      claims[:auth_time] = last_account_login_at.utc.to_i if last_account_login_at
+      claims[:auth_time] = last_account_login_at.to_i if last_account_login_at
 
       claims
     end
@@ -231,7 +245,7 @@ module Rodauth
       end
     end
 
-    def oauth_token_by_token(token, *)
+    def oauth_token_by_token(token)
       jwt_decode(token)
     end
 
@@ -293,10 +307,10 @@ module Rodauth
 
         # time-to-live
         ttl = if response.key?("cache-control")
-                cache_control = response["cache_control"]
-                cache_control[/max-age=(\d+)/, 1]
+                cache_control = response["cache-control"]
+                cache_control[/max-age=(\d+)/, 1].to_i
               elsif response.key?("expires")
-                Time.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+                Time.parse(response["expires"]).to_i - Time.now.to_i
               end
 
         [JSON.parse(response.body, symbolize_names: true), ttl]
@@ -304,7 +318,6 @@ module Rodauth
     end
 
     if defined?(JSON::JWT)
-      # :nocov:
 
       def jwk_import(data)
         JSON::JWK.new(data)
@@ -330,23 +343,27 @@ module Rodauth
       def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, **)
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
 
-        @jwt_token = if jws_key
-                       JSON::JWT.decode(token, jws_key)
-                     elsif !is_authorization_server? && auth_server_jwks_set
-                       JSON::JWT.decode(token, JSON::JWK::Set.new(auth_server_jwks_set))
-                     end
+        if is_authorization_server?
+          if oauth_jwt_legacy_public_key
+            JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
+          elsif jws_key
+            JSON::JWT.decode(token, jws_key)
+          end
+        elsif (jwks = auth_server_jwks_set)
+          JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
+        end
       rescue JSON::JWT::Exception
         nil
       end
 
       def jwks_set
-        [
+        @jwks_set ||= [
           (JSON::JWK.new(oauth_jwt_public_key).merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (JSON::JWK.new(oauth_jwt_legacy_public_key).merge(use: "sig", alg: oauth_jwt_legacy_algorithm) if oauth_jwt_legacy_public_key),
           (JSON::JWK.new(oauth_jwt_jwe_public_key).merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
         ].compact
       end
 
-      # :nocov:
     elsif defined?(JWT)
 
       # ruby-jwt
@@ -391,21 +408,30 @@ module Rodauth
       def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, jws_algorithm: oauth_jwt_algorithm)
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
-
         # decode jwt
-        @jwt_token = if jws_key
-                       JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
-                     elsif !is_authorization_server? && auth_server_jwks_set
-                       algorithms = auth_server_jwks_set[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-                       JWT.decode(token, nil, true, jwks: auth_server_jwks_set, algorithms: algorithms).first
-                     end
+        if is_authorization_server?
+          if oauth_jwt_legacy_public_key
+            algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+            JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms).first
+          elsif jws_key
+            JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
+          end
+        elsif (jwks = auth_server_jwks_set)
+          algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+          JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
+        end
       rescue JWT::DecodeError, JWT::JWKError
         nil
       end
 
       def jwks_set
-        [
+        @jwks_set ||= [
           (JWT::JWK.new(oauth_jwt_public_key).export.merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
+          (
+             if oauth_jwt_legacy_public_key
+               JWT::JWK.new(oauth_jwt_legacy_public_key).export.merge(use: "sig", alg: oauth_jwt_legacy_algorithm)
+             end
+           ),
           (JWT::JWK.new(oauth_jwt_jwe_public_key).export.merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
         ].compact
       end
@@ -436,13 +462,5 @@ module Rodauth
 
       super
     end
-
-    route(:jwks) do |r|
-      next unless is_authorization_server?
-
-      r.get do
-        json_response_success({ keys: jwks_set })
-      end
-    end
   end
 end

data/lib/rodauth/features/oauth_saml.rb

@@ -0,0 +1,104 @@
+# frozen-string-literal: true
+
+require "onelogin/ruby-saml"
+
+module Rodauth
+  Feature.define(:oauth_saml) do
+    depends :oauth
+
+    auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    auth_value_method :oauth_saml_cert_fingerprint_algorithm, nil
+    auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+    auth_value_method :oauth_saml_security_authn_requests_signed, false
+    auth_value_method :oauth_saml_security_metadata_signed, false
+    auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
+    auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
+
+    SAML_GRANT_TYPE = "http://oauth.net/grant_type/assertion/saml/2.0/bearer"
+
+    # /token
+
+    def require_oauth_application
+      # requset authentication optional for assertions
+      return super unless param("grant_type") == SAML_GRANT_TYPE && !param_or_nil("client_id")
+
+      # TODO: invalid grant
+      authorization_required unless saml_assertion
+
+      redirect_uri = saml_assertion.destination
+
+      @oauth_application = db[oauth_applications_table].where(
+        oauth_applications_homepage_url_column => saml_assertion.audiences,
+        oauth_applications_redirect_uri_column => redirect_uri
+      ).first
+
+      # The Assertion's <Issuer> element MUST contain a unique identifier
+      # for the entity that issued the Assertion.
+      authorization_required unless saml_assertion.issuers.all? do |issuer|
+        issuer.start_with?(@oauth_application[oauth_applications_homepage_url_column])
+      end
+
+      authorization_required unless @oauth_application
+    end
+
+    private
+
+    def secret_matches?(oauth_application, secret)
+      return super unless param_or_nil("assertion")
+
+      true
+    end
+
+    def saml_assertion
+      return @saml_assertion if defined?(@saml_assertion)
+
+      @saml_assertion = begin
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert_fingerprint = oauth_saml_cert_fingerprint
+        settings.idp_cert_fingerprint_algorithm = oauth_saml_cert_fingerprint_algorithm
+        settings.name_identifier_format = oauth_saml_name_identifier_format
+        settings.security[:authn_requests_signed] = oauth_saml_security_authn_requests_signed
+        settings.security[:metadata_signed] = oauth_saml_security_metadata_signed
+        settings.security[:digest_method] = oauth_saml_security_digest_method
+        settings.security[:signature_method] = oauth_saml_security_signature_method
+
+        response = OneLogin::RubySaml::Response.new(param("assertion"), settings: settings, skip_recipient_check: true)
+
+        return unless response.is_valid?
+
+        response
+      end
+    end
+
+    def validate_oauth_token_params
+      return super unless param("grant_type") == SAML_GRANT_TYPE
+
+      redirect_response_error("invalid_client") unless param_or_nil("assertion")
+
+      redirect_response_error("invalid_scope") unless check_valid_scopes?
+    end
+
+    def create_oauth_token
+      if param("grant_type") == SAML_GRANT_TYPE
+        create_oauth_token_from_saml_assertion
+      else
+        super
+      end
+    end
+
+    def create_oauth_token_from_saml_assertion
+      account = db[accounts_table].where(login_column => saml_assertion.nameid).first
+
+      redirect_response_error("invalid_client") unless oauth_application && account
+
+      create_params = {
+        oauth_tokens_account_id_column => account[account_id_column],
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => (param_or_nil("scope") || oauth_application[oauth_applications_scopes_column])
+      }
+
+      generate_oauth_token(create_params, false)
+    end
+  end
+end

data/lib/rodauth/features/oidc.rb

@@ -2,14 +2,63 @@
 
 module Rodauth
   Feature.define(:oidc) do
+    # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
     OIDC_SCOPES_MAP = {
       "profile" => %i[name family_name given_name middle_name nickname preferred_username
                       profile picture website gender birthdate zoneinfo locale updated_at].freeze,
       "email" => %i[email email_verified].freeze,
-      "address" => %i[address].freeze,
+      "address" => %i[formatted street_address locality region postal_code country].freeze,
       "phone" => %i[phone_number phone_number_verified].freeze
     }.freeze
 
+    VALID_METADATA_KEYS = %i[
+      issuer
+      authorization_endpoint
+      token_endpoint
+      userinfo_endpoint
+      jwks_uri
+      registration_endpoint
+      scopes_supported
+      response_types_supported
+      response_modes_supported
+      grant_types_supported
+      acr_values_supported
+      subject_types_supported
+      id_token_signing_alg_values_supported
+      id_token_encryption_alg_values_supported
+      id_token_encryption_enc_values_supported
+      userinfo_signing_alg_values_supported
+      userinfo_encryption_alg_values_supported
+      userinfo_encryption_enc_values_supported
+      request_object_signing_alg_values_supported
+      request_object_encryption_alg_values_supported
+      request_object_encryption_enc_values_supported
+      token_endpoint_auth_methods_supported
+      token_endpoint_auth_signing_alg_values_supported
+      display_values_supported
+      claim_types_supported
+      claims_supported
+      service_documentation
+      claims_locales_supported
+      ui_locales_supported
+      claims_parameter_supported
+      request_parameter_supported
+      request_uri_parameter_supported
+      require_request_uri_registration
+      op_policy_uri
+      op_tos_uri
+    ].freeze
+
+    REQUIRED_METADATA_KEYS = %i[
+      issuer
+      authorization_endpoint
+      token_endpoint
+      jwks_uri
+      response_types_supported
+      subject_types_supported
+      id_token_signing_alg_values_supported
+    ].freeze
+
     depends :oauth_jwt
 
     auth_value_method :oauth_application_default_scope, "openid"
@@ -22,12 +71,47 @@ module Rodauth
 
     auth_value_method :webfinger_relation, "http://openid.net/specs/connect/1.0/issuer"
 
-    auth_value_methods(:get_oidc_param)
+    auth_value_method :oauth_prompt_login_cookie_key, "_rodauth_oauth_prompt_login"
+    auth_value_method :oauth_prompt_login_cookie_options, {}.freeze
+    auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
+
+    auth_value_methods(:get_oidc_param, :get_additional_param)
+
+    # /userinfo
+    route(:userinfo) do |r|
+      next unless is_authorization_server?
+
+      r.on method: %i[get post] do
+        catch_error do
+          oauth_token = authorization_token
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_token
+
+          oauth_scopes = oauth_token["scope"].split(" ")
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
+
+          account = db[accounts_table].where(account_id_column => oauth_token["sub"]).first
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless account
+
+          oauth_scopes.delete("openid")
+
+          oidc_claims = { "sub" => oauth_token["sub"] }
+
+          fill_with_account_claims(oidc_claims, account, oauth_scopes)
+
+          json_response_success(oidc_claims)
+        end
+
+        throw_json_response_error(authorization_required_error_status, "invalid_token")
+      end
+    end
 
     def openid_configuration(issuer = nil)
       request.on(".well-known/openid-configuration") do
         request.get do
-          json_response_success(openid_configuration_body(issuer))
+          json_response_success(openid_configuration_body(issuer), cache: true)
         end
       end
     end
@@ -57,6 +141,68 @@ module Rodauth
 
     private
 
+    def require_authorizable_account
+      try_prompt if param_or_nil("prompt")
+      super
+    end
+
+    # this executes before checking for a logged in account
+    def try_prompt
+      prompt = param_or_nil("prompt")
+
+      case prompt
+      when "none"
+        redirect_response_error("login_required") unless logged_in?
+
+        require_account
+
+        if db[oauth_grants_table].where(
+          oauth_grants_account_id_column => account_id,
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_redirect_uri_column => redirect_uri,
+          oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+          oauth_grants_access_type_column => "online"
+        ).count.zero?
+          redirect_response_error("consent_required")
+        end
+
+        request.env["REQUEST_METHOD"] = "POST"
+      when "login"
+        if logged_in? && request.cookies[oauth_prompt_login_cookie_key] == "login"
+          ::Rack::Utils.delete_cookie_header!(response.headers, oauth_prompt_login_cookie_key, oauth_prompt_login_cookie_options)
+          return
+        end
+
+        # logging out
+        clear_session
+        set_session_value(login_redirect_session_key, request.fullpath)
+
+        login_cookie_opts = Hash[oauth_prompt_login_cookie_options]
+        login_cookie_opts[:value] = "login"
+        login_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_prompt_login_interval) # 15 minutes
+        ::Rack::Utils.set_cookie_header!(response.headers, oauth_prompt_login_cookie_key, login_cookie_opts)
+
+        redirect require_login_redirect
+      when "consent"
+        require_account
+
+        if db[oauth_grants_table].where(
+          oauth_grants_account_id_column => account_id,
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_redirect_uri_column => redirect_uri,
+          oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+          oauth_grants_access_type_column => "online"
+        ).count.zero?
+          redirect_response_error("consent_required")
+        end
+      when "select-account"
+        # obly works if select_account plugin is available
+        require_select_account if respond_to?(:require_select_account)
+      else
+        redirect_response_error("invalid_request")
+      end
+    end
+
     def create_oauth_grant(create_params = {})
       return super unless (nonce = param_or_nil("nonce"))
 
@@ -100,8 +246,11 @@ module Rodauth
       oauth_token[:id_token] = jwt_encode(id_token_claims)
     end
 
+    # aka fill_with_standard_claims
     def fill_with_account_claims(claims, account, scopes)
-      scopes_by_oidc = scopes.each_with_object({}) do |scope, by_oidc|
+      scopes_by_claim = scopes.each_with_object({}) do |scope, by_oidc|
+        next if scope == "openid"
+
         oidc, param = scope.split(".", 2)
 
         by_oidc[oidc] ||= []
@@ -109,21 +258,33 @@ module Rodauth
         by_oidc[oidc] << param.to_sym if param
       end
 
-      oidc_scopes = (OIDC_SCOPES_MAP.keys & scopes_by_oidc.keys)
-
-      return if oidc_scopes.empty?
+      oidc_scopes, additional_scopes = scopes_by_claim.keys.partition { |key| OIDC_SCOPES_MAP.key?(key) }
 
-      if respond_to?(:get_oidc_param)
-        oidc_scopes.each do |scope|
-          params = scopes_by_oidc[scope]
-          params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
+      unless oidc_scopes.empty?
+        if respond_to?(:get_oidc_param)
+          oidc_scopes.each do |scope|
+            scope_claims = claims
+            params = scopes_by_claim[scope]
+            params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
 
-          params.each do |param|
-            claims[param] = __send__(:get_oidc_param, account, param)
+            scope_claims = (claims["address"] = {}) if scope == "address"
+            params.each do |param|
+              scope_claims[param] = __send__(:get_oidc_param, account, param)
+            end
           end
+        else
+          warn "`get_oidc_param(account, claim)` must be implemented to use oidc scopes."
+        end
+      end
+
+      return if additional_scopes.empty?
+
+      if respond_to?(:get_additional_param)
+        additional_scopes.each do |scope|
+          claims[scope] = __send__(:get_additional_param, account, scope.to_sym)
         end
       else
-        warn "`get_oidc_param(token, param)` must be implemented to use oidc scopes."
+        warn "`get_additional_param(account, claim)` must be implemented to use oidc scopes."
       end
     end
 
@@ -145,33 +306,27 @@ module Rodauth
       end
     end
 
-    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       return super unless use_oauth_implicit_grant_type?
 
       case param("response_type")
       when "id_token"
-        fragment_params.replace(_do_authorize_id_token.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_id_token)
       when "code token"
         redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
 
-        params = _do_authorize_code.merge(_do_authorize_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_token))
       when "code id_token"
-        params = _do_authorize_code.merge(_do_authorize_id_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_id_token))
       when "id_token token"
-        params = _do_authorize_id_token.merge(_do_authorize_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_id_token.merge(_do_authorize_token))
       when "code id_token token"
-        params = _do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token)
 
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token))
       end
+      response_mode ||= "fragment" unless response_params.empty?
 
-      super(redirect_url, query_params, fragment_params)
+      super(response_params, response_mode)
     end
 
     def _do_authorize_id_token
@@ -190,7 +345,9 @@ module Rodauth
     # Metadata
 
     def openid_configuration_body(path)
-      metadata = oauth_server_metadata_body(path)
+      metadata = oauth_server_metadata_body(path).select do |k, _|
+        VALID_METADATA_KEYS.include?(k)
+      end
 
       scope_claims = oauth_application_scopes.each_with_object([]) do |scope, claims|
         oidc, param = scope.split(".", 2)
@@ -204,63 +361,38 @@ module Rodauth
 
       scope_claims.unshift("auth_time") if last_account_login_at
 
-      metadata.merge({
-                       userinfo_endpoint: userinfo_url,
-                       response_types_supported: metadata[:response_types_supported] +
-                         ["none", "id_token", %w[code token], %w[code id_token], %w[id_token token], %w[code id_token token]],
-                       response_modes_supported: %w[query fragment],
-                       grant_types_supported: %w[authorization_code implicit],
-
-                       subject_types_supported: [oauth_jwt_subject_type],
-
-                       id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],
-                       id_token_encryption_alg_values_supported: [oauth_jwt_jwe_algorithm].compact,
-                       id_token_encryption_enc_values_supported: [oauth_jwt_jwe_encryption_method].compact,
-
-                       userinfo_signing_alg_values_supported: [],
-                       userinfo_encryption_alg_values_supported: [],
-                       userinfo_encryption_enc_values_supported: [],
-
-                       request_object_signing_alg_values_supported: [],
-                       request_object_encryption_alg_values_supported: [],
-                       request_object_encryption_enc_values_supported: [],
-
-                       # These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
-                       # Values defined by this specification are normal, aggregated, and distributed.
-                       # If omitted, the implementation supports only normal Claims.
-                       claim_types_supported: %w[normal],
-                       claims_supported: %w[sub iss iat exp aud] | scope_claims
-                     })
-    end
-
-    # /userinfo
-    route(:userinfo) do |r|
-      next unless is_authorization_server?
-
-      r.on method: %i[get post] do
-        catch_error do
-          oauth_token = authorization_token
-
-          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_token
-
-          oauth_scopes = oauth_token["scope"].split(" ")
-
-          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
-
-          account = db[accounts_table].where(account_id_column => oauth_token["sub"]).first
-
-          throw_json_response_error(authorization_required_error_status, "invalid_token") unless account
-
-          oauth_scopes.delete("openid")
-
-          oidc_claims = { "sub" => oauth_token["sub"] }
-
-          fill_with_account_claims(oidc_claims, account, oauth_scopes)
-
-          json_response_success(oidc_claims)
-        end
+      response_types_supported = metadata[:response_types_supported]
+      if use_oauth_implicit_grant_type?
+        response_types_supported += ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"]
+      end
 
-        throw_json_response_error(authorization_required_error_status, "invalid_token")
+      metadata.merge(
+        userinfo_endpoint: userinfo_url,
+        response_types_supported: response_types_supported,
+        subject_types_supported: [oauth_jwt_subject_type],
+
+        id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],
+        id_token_encryption_alg_values_supported: [oauth_jwt_jwe_algorithm].compact,
+        id_token_encryption_enc_values_supported: [oauth_jwt_jwe_encryption_method].compact,
+
+        userinfo_signing_alg_values_supported: [],
+        userinfo_encryption_alg_values_supported: [],
+        userinfo_encryption_enc_values_supported: [],
+
+        request_object_signing_alg_values_supported: [],
+        request_object_encryption_alg_values_supported: [],
+        request_object_encryption_enc_values_supported: [],
+
+        # These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
+        # Values defined by this specification are normal, aggregated, and distributed.
+        # If omitted, the implementation supports only normal Claims.
+        claim_types_supported: %w[normal],
+        claims_supported: %w[sub iss iat exp aud] | scope_claims
+      ).reject do |key, val|
+        # Filter null values in optional items
+        (!REQUIRED_METADATA_KEYS.include?(key.to_sym) && val.nil?) ||
+          # Claims with zero elements MUST be omitted from the response
+          (val.respond_to?(:empty?) && val.empty?)
       end
     end
   end