rodauth-oauth 0.10.4 → 1.0.0.pre.beta1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/MIGRATION-GUIDE-v1.md +286 -0
- data/README.md +22 -30
- data/doc/release_notes/1_0_0_beta1.md +38 -0
- data/lib/generators/rodauth/oauth/install_generator.rb +0 -1
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb +4 -6
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb +1 -1
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb +2 -2
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb +1 -6
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb +0 -2
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_grants.html.erb +41 -0
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb +2 -2
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_grants.html.erb +37 -0
- data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb +18 -29
- data/lib/rodauth/features/oauth_application_management.rb +59 -72
- data/lib/rodauth/features/oauth_assertion_base.rb +19 -23
- data/lib/rodauth/features/oauth_authorization_code_grant.rb +35 -88
- data/lib/rodauth/features/oauth_authorize_base.rb +103 -20
- data/lib/rodauth/features/oauth_base.rb +365 -302
- data/lib/rodauth/features/oauth_client_credentials_grant.rb +20 -18
- data/lib/rodauth/features/{oauth_device_grant.rb → oauth_device_code_grant.rb} +62 -73
- data/lib/rodauth/features/oauth_dynamic_client_registration.rb +46 -28
- data/lib/rodauth/features/oauth_grant_management.rb +70 -0
- data/lib/rodauth/features/oauth_implicit_grant.rb +25 -24
- data/lib/rodauth/features/oauth_jwt.rb +52 -688
- data/lib/rodauth/features/oauth_jwt_base.rb +435 -0
- data/lib/rodauth/features/oauth_jwt_bearer_grant.rb +45 -17
- data/lib/rodauth/features/oauth_jwt_jwks.rb +47 -0
- data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb +62 -0
- data/lib/rodauth/features/oauth_management_base.rb +2 -0
- data/lib/rodauth/features/oauth_pkce.rb +22 -26
- data/lib/rodauth/features/oauth_resource_indicators.rb +33 -21
- data/lib/rodauth/features/oauth_resource_server.rb +59 -0
- data/lib/rodauth/features/oauth_saml_bearer_grant.rb +5 -1
- data/lib/rodauth/features/oauth_token_introspection.rb +76 -46
- data/lib/rodauth/features/oauth_token_revocation.rb +46 -33
- data/lib/rodauth/features/oidc.rb +188 -95
- data/lib/rodauth/features/oidc_dynamic_client_registration.rb +89 -53
- data/lib/rodauth/oauth/database_extensions.rb +8 -6
- data/lib/rodauth/oauth/http_extensions.rb +61 -0
- data/lib/rodauth/oauth/railtie.rb +20 -0
- data/lib/rodauth/oauth/version.rb +1 -1
- data/lib/rodauth/oauth.rb +29 -1
- data/locales/en.yml +32 -22
- data/locales/pt.yml +32 -22
- data/templates/authorize.str +19 -24
- data/templates/device_search.str +1 -1
- data/templates/device_verification.str +2 -2
- data/templates/jwks_field.str +1 -0
- data/templates/new_oauth_application.str +1 -2
- data/templates/oauth_application.str +2 -2
- data/templates/oauth_application_oauth_grants.str +54 -0
- data/templates/oauth_applications.str +2 -2
- data/templates/oauth_grants.str +52 -0
- metadata +20 -16
- data/lib/generators/rodauth/oauth/templates/app/models/oauth_token.rb +0 -4
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_tokens.html.erb +0 -39
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_tokens.html.erb +0 -35
- data/lib/rodauth/features/oauth.rb +0 -9
- data/lib/rodauth/features/oauth_http_mac.rb +0 -86
- data/lib/rodauth/features/oauth_token_management.rb +0 -81
- data/lib/rodauth/oauth/refinements.rb +0 -48
- data/templates/jwt_public_key_field.str +0 -4
- data/templates/oauth_application_oauth_tokens.str +0 -52
- data/templates/oauth_tokens.str +0 -50
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
require "rodauth/oauth"
|
|
4
|
+
|
|
3
5
|
module Rodauth
|
|
4
6
|
Feature.define(:oidc_dynamic_client_registration, :OidcDynamicClientRegistration) do
|
|
5
7
|
depends :oauth_dynamic_client_registration, :oidc
|
|
@@ -8,10 +10,6 @@ module Rodauth
|
|
|
8
10
|
|
|
9
11
|
private
|
|
10
12
|
|
|
11
|
-
def registration_metadata
|
|
12
|
-
openid_configuration_body
|
|
13
|
-
end
|
|
14
|
-
|
|
15
13
|
def validate_client_registration_params
|
|
16
14
|
super
|
|
17
15
|
|
|
@@ -43,11 +41,41 @@ module Rodauth
|
|
|
43
41
|
else
|
|
44
42
|
register_throw_json_response_error("invalid_client_metadata", register_invalid_application_type_message(type))
|
|
45
43
|
end
|
|
46
|
-
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
if (value = @oauth_application_params[oauth_applications_sector_identifier_uri_column])
|
|
47
|
+
uri = URI(value)
|
|
48
|
+
|
|
49
|
+
unless uri.scheme == "https" || uri.host == "localhost"
|
|
50
|
+
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
if (value = @oauth_application_params[oauth_applications_subject_type_column])
|
|
47
55
|
unless %w[pairwise public].include?(value)
|
|
48
56
|
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("subject_type"))
|
|
49
57
|
end
|
|
50
|
-
|
|
58
|
+
|
|
59
|
+
if value == "pairwise"
|
|
60
|
+
sector_identifier_uri = @oauth_application_params[oauth_applications_sector_identifier_uri_column]
|
|
61
|
+
|
|
62
|
+
if sector_identifier_uri
|
|
63
|
+
response = http_request(sector_identifier_uri)
|
|
64
|
+
unless response.code.to_i == 200
|
|
65
|
+
register_throw_json_response_error("invalid_client_metadata",
|
|
66
|
+
register_invalid_param_message("sector_identifier_uri"))
|
|
67
|
+
end
|
|
68
|
+
uris = JSON.parse(response.body)
|
|
69
|
+
|
|
70
|
+
if uris != @oauth_application_params[oauth_applications_redirect_uri_column].split(" ")
|
|
71
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("sector_identifier_uri"))
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
end
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
if (value = @oauth_application_params[oauth_applications_id_token_signed_response_alg_column])
|
|
51
79
|
if value == "none"
|
|
52
80
|
# The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types
|
|
53
81
|
# that return no ID Token from the Authorization Endpoint
|
|
@@ -55,41 +83,52 @@ module Rodauth
|
|
|
55
83
|
if response_types && response_types.include?("id_token")
|
|
56
84
|
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
|
|
57
85
|
end
|
|
58
|
-
elsif !
|
|
86
|
+
elsif !oauth_jwt_jws_algorithms_supported.include?(value)
|
|
59
87
|
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
|
|
60
88
|
end
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column]) &&
|
|
92
|
+
!oauth_jwt_jwe_algorithms_supported.include?(value)
|
|
93
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_alg"))
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column]) &&
|
|
97
|
+
!oauth_jwt_jwe_encryption_methods_supported.include?(value)
|
|
98
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_enc"))
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
if (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column]) &&
|
|
102
|
+
!oauth_jwt_jws_algorithms_supported.include?(value)
|
|
103
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_signed_response_alg"))
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column]) &&
|
|
107
|
+
!oauth_jwt_jwe_algorithms_supported.include?(value)
|
|
108
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_alg"))
|
|
109
|
+
end
|
|
110
|
+
|
|
111
|
+
if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column]) &&
|
|
112
|
+
!oauth_jwt_jwe_encryption_methods_supported.include?(value)
|
|
113
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_enc"))
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
if defined?(oauth_applications_request_object_signing_alg_column) &&
|
|
117
|
+
(value = @oauth_application_params[oauth_applications_request_object_signing_alg_column]) &&
|
|
118
|
+
!oauth_jwt_jws_algorithms_supported.include?(value)
|
|
119
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_signing_alg"))
|
|
120
|
+
end
|
|
121
|
+
|
|
122
|
+
if defined?(oauth_applications_request_object_encryption_alg_column) &&
|
|
123
|
+
(value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column]) &&
|
|
124
|
+
!oauth_jwt_jwe_algorithms_supported.include?(value)
|
|
125
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_alg"))
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
if defined?(oauth_applications_request_object_encryption_enc_column) &&
|
|
129
|
+
(value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column]) &&
|
|
130
|
+
!oauth_jwt_jwe_encryption_methods_supported.include?(value)
|
|
131
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_enc"))
|
|
93
132
|
end
|
|
94
133
|
end
|
|
95
134
|
|
|
@@ -114,27 +153,24 @@ module Rodauth
|
|
|
114
153
|
return_params["application_type"] = "web"
|
|
115
154
|
"web"
|
|
116
155
|
end
|
|
117
|
-
create_params[oauth_applications_id_token_signed_response_alg_column] ||=
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
end
|
|
156
|
+
create_params[oauth_applications_id_token_signed_response_alg_column] ||= return_params["id_token_signed_response_alg"] =
|
|
157
|
+
oauth_jwt_keys.keys.first
|
|
158
|
+
|
|
121
159
|
if create_params.key?(oauth_applications_id_token_encrypted_response_alg_column)
|
|
122
|
-
create_params[oauth_applications_id_token_encrypted_response_enc_column] ||=
|
|
123
|
-
return_params["id_token_encrypted_response_enc"] = "A128CBC-HS256"
|
|
160
|
+
create_params[oauth_applications_id_token_encrypted_response_enc_column] ||= return_params["id_token_encrypted_response_enc"] =
|
|
124
161
|
"A128CBC-HS256"
|
|
125
|
-
|
|
162
|
+
|
|
126
163
|
end
|
|
127
164
|
if create_params.key?(oauth_applications_userinfo_encrypted_response_alg_column)
|
|
128
|
-
create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||=
|
|
129
|
-
return_params["userinfo_encrypted_response_enc"] = "A128CBC-HS256"
|
|
165
|
+
create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||= return_params["userinfo_encrypted_response_enc"] =
|
|
130
166
|
"A128CBC-HS256"
|
|
131
|
-
|
|
167
|
+
|
|
132
168
|
end
|
|
133
|
-
if
|
|
134
|
-
|
|
135
|
-
|
|
169
|
+
if defined?(oauth_applications_request_object_encryption_alg_column) &&
|
|
170
|
+
create_params.key?(oauth_applications_request_object_encryption_alg_column)
|
|
171
|
+
create_params[oauth_applications_request_object_encryption_enc_column] ||= return_params["request_object_encryption_enc"] =
|
|
136
172
|
"A128CBC-HS256"
|
|
137
|
-
|
|
173
|
+
|
|
138
174
|
end
|
|
139
175
|
|
|
140
176
|
super(return_params)
|
|
@@ -30,13 +30,14 @@ module Rodauth
|
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
if dataset.respond_to?(:supports_insert_conflict?) && dataset.supports_insert_conflict?
|
|
33
|
-
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil,
|
|
34
|
-
to_update = params.keys - unique_columns
|
|
35
|
-
|
|
33
|
+
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, to_update_extra = nil)
|
|
34
|
+
to_update = Hash[(params.keys - unique_columns).map { |attribute| [attribute, Sequel[:excluded][attribute]] }]
|
|
35
|
+
|
|
36
|
+
to_update.merge!(to_update_extra) if to_update_extra
|
|
36
37
|
|
|
37
38
|
dataset = dataset.insert_conflict(
|
|
38
39
|
target: unique_columns,
|
|
39
|
-
update:
|
|
40
|
+
update: to_update,
|
|
40
41
|
update_where: conds
|
|
41
42
|
)
|
|
42
43
|
|
|
@@ -51,7 +52,7 @@ module Rodauth
|
|
|
51
52
|
) || dataset.where(params).first
|
|
52
53
|
end
|
|
53
54
|
else
|
|
54
|
-
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil,
|
|
55
|
+
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, to_update_extra = nil)
|
|
55
56
|
find_params, update_params = params.partition { |key, _| unique_columns.include?(key) }.map { |h| Hash[h] }
|
|
56
57
|
|
|
57
58
|
dataset_where = dataset.where(find_params)
|
|
@@ -67,7 +68,8 @@ module Rodauth
|
|
|
67
68
|
end
|
|
68
69
|
|
|
69
70
|
if record
|
|
70
|
-
update_params.
|
|
71
|
+
update_params.merge!(to_update_extra) if to_update_extra
|
|
72
|
+
|
|
71
73
|
__update_and_return__(dataset_where, update_params)
|
|
72
74
|
else
|
|
73
75
|
__insert_and_return__(dataset, pkey, params)
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "uri"
|
|
4
|
+
require "net/http"
|
|
5
|
+
require "rodauth/oauth/ttl_store"
|
|
6
|
+
|
|
7
|
+
module Rodauth
|
|
8
|
+
module OAuth
|
|
9
|
+
module HTTPExtensions
|
|
10
|
+
REQUEST_CACHE = OAuth::TtlStore.new
|
|
11
|
+
|
|
12
|
+
private
|
|
13
|
+
|
|
14
|
+
def http_request(uri, form_data = nil)
|
|
15
|
+
uri = URI(uri)
|
|
16
|
+
|
|
17
|
+
http = Net::HTTP.new(uri.host, uri.port)
|
|
18
|
+
http.use_ssl = uri.scheme == "https"
|
|
19
|
+
|
|
20
|
+
if form_data
|
|
21
|
+
request = Net::HTTP::Post.new(uri.request_uri)
|
|
22
|
+
request["content-type"] = "application/x-www-form-urlencoded"
|
|
23
|
+
request.set_form_data(form_data)
|
|
24
|
+
else
|
|
25
|
+
request = Net::HTTP::Get.new(uri.request_uri)
|
|
26
|
+
end
|
|
27
|
+
request["accept"] = json_response_content_type
|
|
28
|
+
|
|
29
|
+
yield request if block_given?
|
|
30
|
+
|
|
31
|
+
response = http.request(request)
|
|
32
|
+
authorization_required unless response.code.to_i == 200
|
|
33
|
+
response
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def http_request_with_cache(uri, *args)
|
|
37
|
+
uri = URI(uri)
|
|
38
|
+
|
|
39
|
+
response = http_request_cache[uri]
|
|
40
|
+
|
|
41
|
+
return response if response
|
|
42
|
+
|
|
43
|
+
http_request_cache.set(uri) do
|
|
44
|
+
response = http_request(uri, *args)
|
|
45
|
+
ttl = if response.key?("cache-control")
|
|
46
|
+
cache_control = response["cache-control"]
|
|
47
|
+
cache_control[/max-age=(\d+)/, 1].to_i
|
|
48
|
+
elsif response.key?("expires")
|
|
49
|
+
Time.parse(response["expires"]).to_i - Time.now.to_i
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
[JSON.parse(response.body, symbolize_names: true), ttl]
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
def http_request_cache
|
|
57
|
+
REQUEST_CACHE
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
end
|
|
@@ -2,7 +2,27 @@
|
|
|
2
2
|
|
|
3
3
|
module Rodauth
|
|
4
4
|
module OAuth
|
|
5
|
+
module ControllerMethods
|
|
6
|
+
def self.included(controller)
|
|
7
|
+
# ActionController::API doesn't have helper methods
|
|
8
|
+
controller.helper_method :current_oauth_account, :current_oauth_application if controller.respond_to?(:helper_method)
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def current_oauth_account(name = nil)
|
|
12
|
+
rodauth(name).current_oauth_account
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def current_oauth_application(name = nil)
|
|
16
|
+
rodauth(name).current_oauth_application
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
|
|
5
20
|
class Railtie < ::Rails::Railtie
|
|
21
|
+
initializer "rodauth.controller" do
|
|
22
|
+
ActiveSupport.on_load(:action_controller) do
|
|
23
|
+
include ControllerMethods
|
|
24
|
+
end
|
|
25
|
+
end
|
|
6
26
|
end
|
|
7
27
|
end
|
|
8
28
|
end
|
data/lib/rodauth/oauth.rb
CHANGED
|
@@ -1,7 +1,35 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require "rodauth"
|
|
4
|
-
|
|
5
4
|
require "rodauth/oauth/version"
|
|
6
5
|
|
|
6
|
+
module Rodauth
|
|
7
|
+
module OAuth
|
|
8
|
+
module FeatureExtensions
|
|
9
|
+
def auth_server_route(*args, &blk)
|
|
10
|
+
routes = route(*args, &blk)
|
|
11
|
+
|
|
12
|
+
handle_meth = routes.last
|
|
13
|
+
|
|
14
|
+
define_method(:"#{handle_meth}_for_auth_server") do
|
|
15
|
+
next unless is_authorization_server?
|
|
16
|
+
|
|
17
|
+
send(:"#{handle_meth}_not_for_auth_server")
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
alias_method :"#{handle_meth}_not_for_auth_server", handle_meth
|
|
21
|
+
alias_method handle_meth, :"#{handle_meth}_for_auth_server"
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# override
|
|
25
|
+
def translatable_method(meth, value)
|
|
26
|
+
define_method(meth) { |*args| translate(meth, value, *args) }
|
|
27
|
+
auth_value_methods(meth)
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
Feature.prepend OAuth::FeatureExtensions
|
|
33
|
+
end
|
|
34
|
+
|
|
7
35
|
require "rodauth/oauth/railtie" if defined?(Rails)
|
data/locales/en.yml
CHANGED
|
@@ -3,21 +3,29 @@ en:
|
|
|
3
3
|
require_authorization_error_flash: "Please authorize to continue"
|
|
4
4
|
create_oauth_application_error_flash: "There was an error registering your oauth application"
|
|
5
5
|
create_oauth_application_notice_flash: "Your oauth application has been registered"
|
|
6
|
-
revoke_unauthorized_account_error_flash: "You are not authorized to revoke this
|
|
7
|
-
|
|
6
|
+
revoke_unauthorized_account_error_flash: "You are not authorized to revoke this grant"
|
|
7
|
+
revoke_oauth_grant_notice_flash: "The oauth grant has been revoked"
|
|
8
8
|
device_verification_notice_flash: "The device is verified"
|
|
9
9
|
user_code_not_found_error_flash: "No device to authorize with the given user code"
|
|
10
10
|
authorize_page_title: "Authorize"
|
|
11
|
+
authorize_page_lead: "The application %{name} would like to access your data."
|
|
12
|
+
oauth_cancel_button: "Cancel"
|
|
11
13
|
oauth_applications_page_title: "Oauth Applications"
|
|
12
14
|
oauth_application_page_title: "Oauth Application"
|
|
13
15
|
new_oauth_application_page_title: "New Oauth Application"
|
|
14
|
-
|
|
15
|
-
|
|
16
|
+
oauth_application_oauth_grants_page_title: "Application Oauth Grants"
|
|
17
|
+
oauth_grants_page_title: "My Oauth Grants"
|
|
16
18
|
device_verification_page_title: "Device Verification"
|
|
17
19
|
device_search_page_title: "Device Search"
|
|
18
20
|
oauth_management_pagination_previous_button: "Previous"
|
|
19
21
|
oauth_management_pagination_next_button: "Next"
|
|
20
|
-
|
|
22
|
+
oauth_grants_type_label: "Grant Type"
|
|
23
|
+
oauth_grants_scopes_label: "Scopes"
|
|
24
|
+
oauth_grants_token_label: "Token"
|
|
25
|
+
oauth_grants_refresh_token_label: "Refresh Token"
|
|
26
|
+
oauth_grants_expires_in_label: "Expires In"
|
|
27
|
+
oauth_grants_revoked_at_label: "Revoked at"
|
|
28
|
+
oauth_no_grants_text: "No oauth grants yet!"
|
|
21
29
|
oauth_applications_name_label: "Name"
|
|
22
30
|
oauth_applications_description_label: "Description"
|
|
23
31
|
oauth_applications_scopes_label: "Default scopes"
|
|
@@ -28,30 +36,32 @@ en:
|
|
|
28
36
|
oauth_applications_redirect_uri_label: "Redirect URL"
|
|
29
37
|
oauth_applications_client_secret_label: "Client Secret"
|
|
30
38
|
oauth_applications_client_id_label: "Client ID"
|
|
39
|
+
oauth_no_applications_text: "No oauth applications yet!"
|
|
31
40
|
oauth_grant_user_code_label: "User code"
|
|
32
41
|
oauth_grant_user_jws_jwk_label: "JSON Web Keys"
|
|
33
42
|
oauth_grant_user_jwt_public_key_label: "Public key"
|
|
34
43
|
oauth_application_button: "Register"
|
|
35
44
|
oauth_authorize_button: "Authorize"
|
|
36
|
-
|
|
45
|
+
oauth_grant_revoke_button: "Revoke"
|
|
37
46
|
oauth_authorize_post_button: "Back to Client Application"
|
|
47
|
+
oauth_device_verification_page_lead: "The device with user code %{user_code} would like to access your data."
|
|
38
48
|
oauth_device_verification_button: "Verify"
|
|
49
|
+
oauth_device_search_page_lead: "Insert the user code from the device you'd like to authorize."
|
|
39
50
|
oauth_device_search_button: "Search"
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
51
|
+
oauth_invalid_client_message: "Client authentication failed"
|
|
52
|
+
oauth_invalid_grant_type_message: "Invalid grant type"
|
|
53
|
+
oauth_invalid_grant_message: "Invalid grant"
|
|
54
|
+
oauth_invalid_scope_message: "Invalid scope"
|
|
44
55
|
invalid_url_message: "Invalid URL"
|
|
45
|
-
|
|
46
|
-
unique_error_message: "is already in use"
|
|
56
|
+
oauth_unsupported_token_type_message: "Invalid token type hint"
|
|
47
57
|
null_error_message: "is not filled"
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
+
oauth_already_in_use_message: "error generating unique token"
|
|
59
|
+
oauth_expired_token_message: "the device code has expired"
|
|
60
|
+
oauth_access_denied_message: "the authorization request has been denied"
|
|
61
|
+
oauth_authorization_pending_message: "the authorization request is still pending"
|
|
62
|
+
oauth_slow_down_message: "authorization request is still pending but poll interval should be increased"
|
|
63
|
+
oauth_code_challenge_required_message: "code challenge required"
|
|
64
|
+
oauth_unsupported_transform_algorithm_message: "transform algorithm not supported"
|
|
65
|
+
oauth_request_uri_not_supported_message: "request uri is unsupported"
|
|
66
|
+
oauth_invalid_request_object_message: "request object is invalid"
|
|
67
|
+
oauth_invalid_scope_message: "The Access Token expired"
|
data/locales/pt.yml
CHANGED
|
@@ -3,21 +3,29 @@ pt:
|
|
|
3
3
|
require_authorization_error_flash: "Autorize para continuar"
|
|
4
4
|
create_oauth_application_error_flash: "Aconteceu um erro ao registar o aplicativo oauth"
|
|
5
5
|
create_oauth_application_notice_flash: "O seu aplicativo oauth foi registado com sucesso"
|
|
6
|
-
revoke_unauthorized_account_error_flash: "Não está autorizado a revogar
|
|
7
|
-
|
|
6
|
+
revoke_unauthorized_account_error_flash: "Não está autorizado a revogar esta concessão"
|
|
7
|
+
revoke_oauth_grant_notice_flash: "O token oauth foi revogado com sucesso"
|
|
8
8
|
device_verification_notice_flash: "O dispositivo foi verificado com sucesso"
|
|
9
9
|
user_code_not_found_error_flash: "Não existe nenhum dispositivo a ser autorizado com o código de usuário inserido"
|
|
10
10
|
authorize_page_title: "Autorizar"
|
|
11
|
+
authorize_page_lead: "O aplicativo %{name} gostaria de aceder aos seus dados."
|
|
12
|
+
oauth_cancel_button: "Cancelar"
|
|
11
13
|
oauth_applications_page_title: "Aplicativos OAuth"
|
|
12
14
|
oauth_application_page_title: "Aplicativo Oauth"
|
|
13
15
|
new_oauth_application_page_title: "Novo Aplicativo Oauth"
|
|
14
|
-
|
|
15
|
-
|
|
16
|
+
oauth_application_oauth_grants_page_title: "Concessões Oauth do Aplicativo"
|
|
17
|
+
oauth_grants_page_title: "As minhas concessões Oauth"
|
|
16
18
|
device_verification_page_title: "Verificação de dispositivo"
|
|
17
19
|
device_search_page_title: "Pesquisa de dispositivo"
|
|
18
20
|
oauth_management_pagination_previous_button: "Anterior"
|
|
19
21
|
oauth_management_pagination_next_button: "Próxima"
|
|
20
|
-
|
|
22
|
+
oauth_grants_type_label: "Tipo de concessão"
|
|
23
|
+
oauth_grants_scopes_label: "Escopos"
|
|
24
|
+
oauth_grants_token_label: "Token"
|
|
25
|
+
oauth_grants_refresh_token_label: "Refresh Token"
|
|
26
|
+
oauth_grants_expires_in_label: "Expira em"
|
|
27
|
+
oauth_grants_revoked_at_label: "Revogado a"
|
|
28
|
+
oauth_no_grants_text: "Nenhuma concessão OAuth ainda!"
|
|
21
29
|
oauth_applications_name_label: "Nome"
|
|
22
30
|
oauth_applications_description_label: "Descrição"
|
|
23
31
|
oauth_applications_scopes_label: "Escopos prédefinidos"
|
|
@@ -28,30 +36,32 @@ pt:
|
|
|
28
36
|
oauth_applications_redirect_uri_label: "URL para redireccionamento"
|
|
29
37
|
oauth_applications_client_secret_label: "Segredo de cliente"
|
|
30
38
|
oauth_applications_client_id_label: "ID do cliente"
|
|
39
|
+
oauth_no_applications_text: "Nenhum aplicativo OAuth ainda!"
|
|
31
40
|
oauth_grant_user_code_label: "Código do usuário"
|
|
32
41
|
oauth_grant_user_jws_jwk_label: "Chaves JSON Web"
|
|
33
42
|
oauth_grant_user_jwt_public_key_label: "Chave pública"
|
|
34
43
|
oauth_application_button: "Registar"
|
|
35
44
|
oauth_authorize_button: "Autorizar"
|
|
36
|
-
|
|
45
|
+
oauth_grant_revoke_button: "Revogar"
|
|
37
46
|
oauth_authorize_post_button: "Voltar para o aplicativo cliente"
|
|
47
|
+
oauth_device_verification_page_lead: "O dispositivo com o código de usuário %{user_code} gostaria de aceder aos seus dados."
|
|
38
48
|
oauth_device_verification_button: "Verificar"
|
|
49
|
+
oauth_device_search_page_lead: "Introduza o código de usuário do dispositivo que gostaria de autorizar."
|
|
39
50
|
oauth_device_search_button: "Pesquisar"
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
51
|
+
oauth_invalid_client_message: "A autenticação do cliente falhou"
|
|
52
|
+
oauth_invalid_grant_type_message: "Tipo de atribuição inválida"
|
|
53
|
+
oauth_invalid_grant_message: "Atribuição inválida"
|
|
54
|
+
oauth_invalid_scope_message: "Escopo inválido"
|
|
44
55
|
invalid_url_message: "URL inválido"
|
|
45
|
-
|
|
46
|
-
unique_error_message: "já está sendo utilizado"
|
|
56
|
+
oauth_unsupported_token_type_message: "Sugestão de tipo de token inválida"
|
|
47
57
|
null_error_message: "não está preenchido"
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
+
oauth_already_in_use_message: "erro ao gerar token único"
|
|
59
|
+
oauth_expired_token_message: "o código de dispositivo expirou"
|
|
60
|
+
oauth_access_denied_message: "o pedido de autorização foi negado"
|
|
61
|
+
oauth_authorization_pending_message: "o pedido de autorização ainda está pendente"
|
|
62
|
+
oauth_slow_down_message: "o pedido de autorização ainda está pendente mas o intervalo de actualização deve ser aumentado"
|
|
63
|
+
oauth_code_challenge_required_message: "código de negociação necessário"
|
|
64
|
+
oauth_unsupported_transform_algorithm_message: "algoritmo de transformação não suportado"
|
|
65
|
+
oauth_request_uri_not_supported_message: "request_uri não é suportado"
|
|
66
|
+
oauth_invalid_request_object_message: "request_object é inválido"
|
|
67
|
+
oauth_invalid_scope_message: "O Token de acesso expirou"
|
data/templates/authorize.str
CHANGED
|
@@ -8,10 +8,14 @@
|
|
|
8
8
|
end
|
|
9
9
|
}
|
|
10
10
|
<p class="lead">
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
#{h(rodauth.oauth_application[rodauth.
|
|
14
|
-
|
|
11
|
+
#{
|
|
12
|
+
rodauth.authorize_page_lead(name: <<-LINK
|
|
13
|
+
<a target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column])}">
|
|
14
|
+
#{h(rodauth.oauth_application[rodauth.oauth_applications_name_column])}
|
|
15
|
+
</a>
|
|
16
|
+
LINK
|
|
17
|
+
)
|
|
18
|
+
}
|
|
15
19
|
</p>
|
|
16
20
|
<div class="list-group">
|
|
17
21
|
#{
|
|
@@ -52,31 +56,20 @@
|
|
|
52
56
|
}
|
|
53
57
|
|
|
54
58
|
<div class="form-group">
|
|
55
|
-
<h1 class="display-6">#{rodauth.
|
|
59
|
+
<h1 class="display-6">#{rodauth.oauth_grants_scopes_label}</h1>
|
|
56
60
|
|
|
57
61
|
#{
|
|
58
|
-
rodauth.
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
<
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
</div>
|
|
66
|
-
HTML
|
|
67
|
-
else
|
|
68
|
-
<<-HTML
|
|
69
|
-
<div class="form-check">
|
|
70
|
-
<input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}">
|
|
71
|
-
<label class="form-check-label" for="#{scope}">#{h(scope)}</label>
|
|
72
|
-
</div>
|
|
73
|
-
HTML
|
|
74
|
-
end
|
|
62
|
+
rodauth.authorize_scopes.map do |scope|
|
|
63
|
+
<<-HTML
|
|
64
|
+
<div class="form-check">
|
|
65
|
+
<input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}">
|
|
66
|
+
<label class="form-check-label" for="#{scope}">#{h(scope)}</label>
|
|
67
|
+
</div>
|
|
68
|
+
HTML
|
|
75
69
|
end.join
|
|
76
70
|
}
|
|
77
71
|
|
|
78
72
|
<input type="hidden" name="client_id" value="#{rodauth.param("client_id")}"/>
|
|
79
|
-
|
|
80
73
|
#{"<input type=\"hidden\" name=\"access_type\" value=\"#{rodauth.param("access_type")}\"/>" if rodauth.param_or_nil("access_type")}
|
|
81
74
|
#{"<input type=\"hidden\" name=\"response_type\" value=\"#{rodauth.param("response_type")}\"/>" if rodauth.param_or_nil("response_type")}
|
|
82
75
|
#{"<input type=\"hidden\" name=\"response_mode\" value=\"#{rodauth.param("response_mode")}\"/>" if rodauth.param_or_nil("response_mode")}
|
|
@@ -98,6 +91,8 @@
|
|
|
98
91
|
</div>
|
|
99
92
|
<p class="text-center">
|
|
100
93
|
<input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_authorize_button)}"/>
|
|
101
|
-
<a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger"
|
|
94
|
+
<a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger">
|
|
95
|
+
#{rodauth.oauth_cancel_button}
|
|
96
|
+
</a>
|
|
102
97
|
</p>
|
|
103
98
|
</form>
|
data/templates/device_search.str
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
<form method="get" action="#{rodauth.device_path}" class="form-horizontal" role="form" id="device-search-form">
|
|
2
|
-
<p class="lead"
|
|
2
|
+
<p class="lead">#{rodauth.oauth_device_search_page_lead}</p>
|
|
3
3
|
|
|
4
4
|
<div class="form-group">
|
|
5
5
|
<label for="user_code">#{rodauth.oauth_grant_user_code_label}</label>
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
<form method="post" action="#{rodauth.device_path}" class="form-horizontal" role="form" id="device-verification-form">
|
|
2
2
|
#{csrf_tag(rodauth.device_path) if respond_to?(:csrf_tag)}
|
|
3
|
-
<p class="lead"
|
|
3
|
+
<p class="lead">#{rodauth.oauth_device_verification_page_lead(user_code: @oauth_grant[rodauth.oauth_grants_user_code_column])}</p>
|
|
4
4
|
|
|
5
5
|
<div class="form-group">
|
|
6
|
-
<h1 class="display-6">#{rodauth.
|
|
6
|
+
<h1 class="display-6">#{rodauth.oauth_grants_scopes_label}</h1>
|
|
7
7
|
|
|
8
8
|
<ul class="list-group">
|
|
9
9
|
#{
|
data/templates/jwks_field.str
CHANGED
|
@@ -2,3 +2,4 @@
|
|
|
2
2
|
<label for="name">#{rodauth.oauth_applications_jwks_label}#{rodauth.input_field_label_suffix}</label>
|
|
3
3
|
<textarea id="jwks" class="form-control" name="#{rodauth.oauth_application_jwks_param}" rows="3"></textarea>
|
|
4
4
|
</div>
|
|
5
|
+
#{rodauth.input_field_string(rodauth.oauth_application_jwks_uri_param, "jwks-uri", :type=>"text")}
|