rodauth-oauth 0.10.4 → 1.0.0.pre.beta1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/MIGRATION-GUIDE-v1.md +286 -0
- data/README.md +22 -30
- data/doc/release_notes/1_0_0_beta1.md +38 -0
- data/lib/generators/rodauth/oauth/install_generator.rb +0 -1
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb +4 -6
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb +1 -1
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb +2 -2
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb +1 -6
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb +0 -2
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_grants.html.erb +41 -0
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb +2 -2
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_grants.html.erb +37 -0
- data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb +18 -29
- data/lib/rodauth/features/oauth_application_management.rb +59 -72
- data/lib/rodauth/features/oauth_assertion_base.rb +19 -23
- data/lib/rodauth/features/oauth_authorization_code_grant.rb +35 -88
- data/lib/rodauth/features/oauth_authorize_base.rb +103 -20
- data/lib/rodauth/features/oauth_base.rb +365 -302
- data/lib/rodauth/features/oauth_client_credentials_grant.rb +20 -18
- data/lib/rodauth/features/{oauth_device_grant.rb → oauth_device_code_grant.rb} +62 -73
- data/lib/rodauth/features/oauth_dynamic_client_registration.rb +46 -28
- data/lib/rodauth/features/oauth_grant_management.rb +70 -0
- data/lib/rodauth/features/oauth_implicit_grant.rb +25 -24
- data/lib/rodauth/features/oauth_jwt.rb +52 -688
- data/lib/rodauth/features/oauth_jwt_base.rb +435 -0
- data/lib/rodauth/features/oauth_jwt_bearer_grant.rb +45 -17
- data/lib/rodauth/features/oauth_jwt_jwks.rb +47 -0
- data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb +62 -0
- data/lib/rodauth/features/oauth_management_base.rb +2 -0
- data/lib/rodauth/features/oauth_pkce.rb +22 -26
- data/lib/rodauth/features/oauth_resource_indicators.rb +33 -21
- data/lib/rodauth/features/oauth_resource_server.rb +59 -0
- data/lib/rodauth/features/oauth_saml_bearer_grant.rb +5 -1
- data/lib/rodauth/features/oauth_token_introspection.rb +76 -46
- data/lib/rodauth/features/oauth_token_revocation.rb +46 -33
- data/lib/rodauth/features/oidc.rb +188 -95
- data/lib/rodauth/features/oidc_dynamic_client_registration.rb +89 -53
- data/lib/rodauth/oauth/database_extensions.rb +8 -6
- data/lib/rodauth/oauth/http_extensions.rb +61 -0
- data/lib/rodauth/oauth/railtie.rb +20 -0
- data/lib/rodauth/oauth/version.rb +1 -1
- data/lib/rodauth/oauth.rb +29 -1
- data/locales/en.yml +32 -22
- data/locales/pt.yml +32 -22
- data/templates/authorize.str +19 -24
- data/templates/device_search.str +1 -1
- data/templates/device_verification.str +2 -2
- data/templates/jwks_field.str +1 -0
- data/templates/new_oauth_application.str +1 -2
- data/templates/oauth_application.str +2 -2
- data/templates/oauth_application_oauth_grants.str +54 -0
- data/templates/oauth_applications.str +2 -2
- data/templates/oauth_grants.str +52 -0
- metadata +20 -16
- data/lib/generators/rodauth/oauth/templates/app/models/oauth_token.rb +0 -4
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_tokens.html.erb +0 -39
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_tokens.html.erb +0 -35
- data/lib/rodauth/features/oauth.rb +0 -9
- data/lib/rodauth/features/oauth_http_mac.rb +0 -86
- data/lib/rodauth/features/oauth_token_management.rb +0 -81
- data/lib/rodauth/oauth/refinements.rb +0 -48
- data/templates/jwt_public_key_field.str +0 -4
- data/templates/oauth_application_oauth_tokens.str +0 -52
- data/templates/oauth_tokens.str +0 -50
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
require "rodauth/oauth"
|
|
4
|
+
|
|
3
5
|
module Rodauth
|
|
4
6
|
Feature.define(:oidc_dynamic_client_registration, :OidcDynamicClientRegistration) do
|
|
5
7
|
depends :oauth_dynamic_client_registration, :oidc
|
|
@@ -8,10 +10,6 @@ module Rodauth
|
|
|
8
10
|
|
|
9
11
|
private
|
|
10
12
|
|
|
11
|
-
def registration_metadata
|
|
12
|
-
openid_configuration_body
|
|
13
|
-
end
|
|
14
|
-
|
|
15
13
|
def validate_client_registration_params
|
|
16
14
|
super
|
|
17
15
|
|
|
@@ -43,11 +41,41 @@ module Rodauth
|
|
|
43
41
|
else
|
|
44
42
|
register_throw_json_response_error("invalid_client_metadata", register_invalid_application_type_message(type))
|
|
45
43
|
end
|
|
46
|
-
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
if (value = @oauth_application_params[oauth_applications_sector_identifier_uri_column])
|
|
47
|
+
uri = URI(value)
|
|
48
|
+
|
|
49
|
+
unless uri.scheme == "https" || uri.host == "localhost"
|
|
50
|
+
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
if (value = @oauth_application_params[oauth_applications_subject_type_column])
|
|
47
55
|
unless %w[pairwise public].include?(value)
|
|
48
56
|
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("subject_type"))
|
|
49
57
|
end
|
|
50
|
-
|
|
58
|
+
|
|
59
|
+
if value == "pairwise"
|
|
60
|
+
sector_identifier_uri = @oauth_application_params[oauth_applications_sector_identifier_uri_column]
|
|
61
|
+
|
|
62
|
+
if sector_identifier_uri
|
|
63
|
+
response = http_request(sector_identifier_uri)
|
|
64
|
+
unless response.code.to_i == 200
|
|
65
|
+
register_throw_json_response_error("invalid_client_metadata",
|
|
66
|
+
register_invalid_param_message("sector_identifier_uri"))
|
|
67
|
+
end
|
|
68
|
+
uris = JSON.parse(response.body)
|
|
69
|
+
|
|
70
|
+
if uris != @oauth_application_params[oauth_applications_redirect_uri_column].split(" ")
|
|
71
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("sector_identifier_uri"))
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
end
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
if (value = @oauth_application_params[oauth_applications_id_token_signed_response_alg_column])
|
|
51
79
|
if value == "none"
|
|
52
80
|
# The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types
|
|
53
81
|
# that return no ID Token from the Authorization Endpoint
|
|
@@ -55,41 +83,52 @@ module Rodauth
|
|
|
55
83
|
if response_types && response_types.include?("id_token")
|
|
56
84
|
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
|
|
57
85
|
end
|
|
58
|
-
elsif !
|
|
86
|
+
elsif !oauth_jwt_jws_algorithms_supported.include?(value)
|
|
59
87
|
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
|
|
60
88
|
end
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column]) &&
|
|
92
|
+
!oauth_jwt_jwe_algorithms_supported.include?(value)
|
|
93
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_alg"))
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column]) &&
|
|
97
|
+
!oauth_jwt_jwe_encryption_methods_supported.include?(value)
|
|
98
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_enc"))
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
if (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column]) &&
|
|
102
|
+
!oauth_jwt_jws_algorithms_supported.include?(value)
|
|
103
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_signed_response_alg"))
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column]) &&
|
|
107
|
+
!oauth_jwt_jwe_algorithms_supported.include?(value)
|
|
108
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_alg"))
|
|
109
|
+
end
|
|
110
|
+
|
|
111
|
+
if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column]) &&
|
|
112
|
+
!oauth_jwt_jwe_encryption_methods_supported.include?(value)
|
|
113
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_enc"))
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
if defined?(oauth_applications_request_object_signing_alg_column) &&
|
|
117
|
+
(value = @oauth_application_params[oauth_applications_request_object_signing_alg_column]) &&
|
|
118
|
+
!oauth_jwt_jws_algorithms_supported.include?(value)
|
|
119
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_signing_alg"))
|
|
120
|
+
end
|
|
121
|
+
|
|
122
|
+
if defined?(oauth_applications_request_object_encryption_alg_column) &&
|
|
123
|
+
(value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column]) &&
|
|
124
|
+
!oauth_jwt_jwe_algorithms_supported.include?(value)
|
|
125
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_alg"))
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
if defined?(oauth_applications_request_object_encryption_enc_column) &&
|
|
129
|
+
(value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column]) &&
|
|
130
|
+
!oauth_jwt_jwe_encryption_methods_supported.include?(value)
|
|
131
|
+
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_enc"))
|
|
93
132
|
end
|
|
94
133
|
end
|
|
95
134
|
|
|
@@ -114,27 +153,24 @@ module Rodauth
|
|
|
114
153
|
return_params["application_type"] = "web"
|
|
115
154
|
"web"
|
|
116
155
|
end
|
|
117
|
-
create_params[oauth_applications_id_token_signed_response_alg_column] ||=
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
end
|
|
156
|
+
create_params[oauth_applications_id_token_signed_response_alg_column] ||= return_params["id_token_signed_response_alg"] =
|
|
157
|
+
oauth_jwt_keys.keys.first
|
|
158
|
+
|
|
121
159
|
if create_params.key?(oauth_applications_id_token_encrypted_response_alg_column)
|
|
122
|
-
create_params[oauth_applications_id_token_encrypted_response_enc_column] ||=
|
|
123
|
-
return_params["id_token_encrypted_response_enc"] = "A128CBC-HS256"
|
|
160
|
+
create_params[oauth_applications_id_token_encrypted_response_enc_column] ||= return_params["id_token_encrypted_response_enc"] =
|
|
124
161
|
"A128CBC-HS256"
|
|
125
|
-
|
|
162
|
+
|
|
126
163
|
end
|
|
127
164
|
if create_params.key?(oauth_applications_userinfo_encrypted_response_alg_column)
|
|
128
|
-
create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||=
|
|
129
|
-
return_params["userinfo_encrypted_response_enc"] = "A128CBC-HS256"
|
|
165
|
+
create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||= return_params["userinfo_encrypted_response_enc"] =
|
|
130
166
|
"A128CBC-HS256"
|
|
131
|
-
|
|
167
|
+
|
|
132
168
|
end
|
|
133
|
-
if
|
|
134
|
-
|
|
135
|
-
|
|
169
|
+
if defined?(oauth_applications_request_object_encryption_alg_column) &&
|
|
170
|
+
create_params.key?(oauth_applications_request_object_encryption_alg_column)
|
|
171
|
+
create_params[oauth_applications_request_object_encryption_enc_column] ||= return_params["request_object_encryption_enc"] =
|
|
136
172
|
"A128CBC-HS256"
|
|
137
|
-
|
|
173
|
+
|
|
138
174
|
end
|
|
139
175
|
|
|
140
176
|
super(return_params)
|
|
@@ -30,13 +30,14 @@ module Rodauth
|
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
if dataset.respond_to?(:supports_insert_conflict?) && dataset.supports_insert_conflict?
|
|
33
|
-
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil,
|
|
34
|
-
to_update = params.keys - unique_columns
|
|
35
|
-
|
|
33
|
+
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, to_update_extra = nil)
|
|
34
|
+
to_update = Hash[(params.keys - unique_columns).map { |attribute| [attribute, Sequel[:excluded][attribute]] }]
|
|
35
|
+
|
|
36
|
+
to_update.merge!(to_update_extra) if to_update_extra
|
|
36
37
|
|
|
37
38
|
dataset = dataset.insert_conflict(
|
|
38
39
|
target: unique_columns,
|
|
39
|
-
update:
|
|
40
|
+
update: to_update,
|
|
40
41
|
update_where: conds
|
|
41
42
|
)
|
|
42
43
|
|
|
@@ -51,7 +52,7 @@ module Rodauth
|
|
|
51
52
|
) || dataset.where(params).first
|
|
52
53
|
end
|
|
53
54
|
else
|
|
54
|
-
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil,
|
|
55
|
+
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, to_update_extra = nil)
|
|
55
56
|
find_params, update_params = params.partition { |key, _| unique_columns.include?(key) }.map { |h| Hash[h] }
|
|
56
57
|
|
|
57
58
|
dataset_where = dataset.where(find_params)
|
|
@@ -67,7 +68,8 @@ module Rodauth
|
|
|
67
68
|
end
|
|
68
69
|
|
|
69
70
|
if record
|
|
70
|
-
update_params.
|
|
71
|
+
update_params.merge!(to_update_extra) if to_update_extra
|
|
72
|
+
|
|
71
73
|
__update_and_return__(dataset_where, update_params)
|
|
72
74
|
else
|
|
73
75
|
__insert_and_return__(dataset, pkey, params)
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "uri"
|
|
4
|
+
require "net/http"
|
|
5
|
+
require "rodauth/oauth/ttl_store"
|
|
6
|
+
|
|
7
|
+
module Rodauth
|
|
8
|
+
module OAuth
|
|
9
|
+
module HTTPExtensions
|
|
10
|
+
REQUEST_CACHE = OAuth::TtlStore.new
|
|
11
|
+
|
|
12
|
+
private
|
|
13
|
+
|
|
14
|
+
def http_request(uri, form_data = nil)
|
|
15
|
+
uri = URI(uri)
|
|
16
|
+
|
|
17
|
+
http = Net::HTTP.new(uri.host, uri.port)
|
|
18
|
+
http.use_ssl = uri.scheme == "https"
|
|
19
|
+
|
|
20
|
+
if form_data
|
|
21
|
+
request = Net::HTTP::Post.new(uri.request_uri)
|
|
22
|
+
request["content-type"] = "application/x-www-form-urlencoded"
|
|
23
|
+
request.set_form_data(form_data)
|
|
24
|
+
else
|
|
25
|
+
request = Net::HTTP::Get.new(uri.request_uri)
|
|
26
|
+
end
|
|
27
|
+
request["accept"] = json_response_content_type
|
|
28
|
+
|
|
29
|
+
yield request if block_given?
|
|
30
|
+
|
|
31
|
+
response = http.request(request)
|
|
32
|
+
authorization_required unless response.code.to_i == 200
|
|
33
|
+
response
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def http_request_with_cache(uri, *args)
|
|
37
|
+
uri = URI(uri)
|
|
38
|
+
|
|
39
|
+
response = http_request_cache[uri]
|
|
40
|
+
|
|
41
|
+
return response if response
|
|
42
|
+
|
|
43
|
+
http_request_cache.set(uri) do
|
|
44
|
+
response = http_request(uri, *args)
|
|
45
|
+
ttl = if response.key?("cache-control")
|
|
46
|
+
cache_control = response["cache-control"]
|
|
47
|
+
cache_control[/max-age=(\d+)/, 1].to_i
|
|
48
|
+
elsif response.key?("expires")
|
|
49
|
+
Time.parse(response["expires"]).to_i - Time.now.to_i
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
[JSON.parse(response.body, symbolize_names: true), ttl]
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
def http_request_cache
|
|
57
|
+
REQUEST_CACHE
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
end
|
|
@@ -2,7 +2,27 @@
|
|
|
2
2
|
|
|
3
3
|
module Rodauth
|
|
4
4
|
module OAuth
|
|
5
|
+
module ControllerMethods
|
|
6
|
+
def self.included(controller)
|
|
7
|
+
# ActionController::API doesn't have helper methods
|
|
8
|
+
controller.helper_method :current_oauth_account, :current_oauth_application if controller.respond_to?(:helper_method)
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def current_oauth_account(name = nil)
|
|
12
|
+
rodauth(name).current_oauth_account
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def current_oauth_application(name = nil)
|
|
16
|
+
rodauth(name).current_oauth_application
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
|
|
5
20
|
class Railtie < ::Rails::Railtie
|
|
21
|
+
initializer "rodauth.controller" do
|
|
22
|
+
ActiveSupport.on_load(:action_controller) do
|
|
23
|
+
include ControllerMethods
|
|
24
|
+
end
|
|
25
|
+
end
|
|
6
26
|
end
|
|
7
27
|
end
|
|
8
28
|
end
|
data/lib/rodauth/oauth.rb
CHANGED
|
@@ -1,7 +1,35 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require "rodauth"
|
|
4
|
-
|
|
5
4
|
require "rodauth/oauth/version"
|
|
6
5
|
|
|
6
|
+
module Rodauth
|
|
7
|
+
module OAuth
|
|
8
|
+
module FeatureExtensions
|
|
9
|
+
def auth_server_route(*args, &blk)
|
|
10
|
+
routes = route(*args, &blk)
|
|
11
|
+
|
|
12
|
+
handle_meth = routes.last
|
|
13
|
+
|
|
14
|
+
define_method(:"#{handle_meth}_for_auth_server") do
|
|
15
|
+
next unless is_authorization_server?
|
|
16
|
+
|
|
17
|
+
send(:"#{handle_meth}_not_for_auth_server")
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
alias_method :"#{handle_meth}_not_for_auth_server", handle_meth
|
|
21
|
+
alias_method handle_meth, :"#{handle_meth}_for_auth_server"
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# override
|
|
25
|
+
def translatable_method(meth, value)
|
|
26
|
+
define_method(meth) { |*args| translate(meth, value, *args) }
|
|
27
|
+
auth_value_methods(meth)
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
Feature.prepend OAuth::FeatureExtensions
|
|
33
|
+
end
|
|
34
|
+
|
|
7
35
|
require "rodauth/oauth/railtie" if defined?(Rails)
|
data/locales/en.yml
CHANGED
|
@@ -3,21 +3,29 @@ en:
|
|
|
3
3
|
require_authorization_error_flash: "Please authorize to continue"
|
|
4
4
|
create_oauth_application_error_flash: "There was an error registering your oauth application"
|
|
5
5
|
create_oauth_application_notice_flash: "Your oauth application has been registered"
|
|
6
|
-
revoke_unauthorized_account_error_flash: "You are not authorized to revoke this
|
|
7
|
-
|
|
6
|
+
revoke_unauthorized_account_error_flash: "You are not authorized to revoke this grant"
|
|
7
|
+
revoke_oauth_grant_notice_flash: "The oauth grant has been revoked"
|
|
8
8
|
device_verification_notice_flash: "The device is verified"
|
|
9
9
|
user_code_not_found_error_flash: "No device to authorize with the given user code"
|
|
10
10
|
authorize_page_title: "Authorize"
|
|
11
|
+
authorize_page_lead: "The application %{name} would like to access your data."
|
|
12
|
+
oauth_cancel_button: "Cancel"
|
|
11
13
|
oauth_applications_page_title: "Oauth Applications"
|
|
12
14
|
oauth_application_page_title: "Oauth Application"
|
|
13
15
|
new_oauth_application_page_title: "New Oauth Application"
|
|
14
|
-
|
|
15
|
-
|
|
16
|
+
oauth_application_oauth_grants_page_title: "Application Oauth Grants"
|
|
17
|
+
oauth_grants_page_title: "My Oauth Grants"
|
|
16
18
|
device_verification_page_title: "Device Verification"
|
|
17
19
|
device_search_page_title: "Device Search"
|
|
18
20
|
oauth_management_pagination_previous_button: "Previous"
|
|
19
21
|
oauth_management_pagination_next_button: "Next"
|
|
20
|
-
|
|
22
|
+
oauth_grants_type_label: "Grant Type"
|
|
23
|
+
oauth_grants_scopes_label: "Scopes"
|
|
24
|
+
oauth_grants_token_label: "Token"
|
|
25
|
+
oauth_grants_refresh_token_label: "Refresh Token"
|
|
26
|
+
oauth_grants_expires_in_label: "Expires In"
|
|
27
|
+
oauth_grants_revoked_at_label: "Revoked at"
|
|
28
|
+
oauth_no_grants_text: "No oauth grants yet!"
|
|
21
29
|
oauth_applications_name_label: "Name"
|
|
22
30
|
oauth_applications_description_label: "Description"
|
|
23
31
|
oauth_applications_scopes_label: "Default scopes"
|
|
@@ -28,30 +36,32 @@ en:
|
|
|
28
36
|
oauth_applications_redirect_uri_label: "Redirect URL"
|
|
29
37
|
oauth_applications_client_secret_label: "Client Secret"
|
|
30
38
|
oauth_applications_client_id_label: "Client ID"
|
|
39
|
+
oauth_no_applications_text: "No oauth applications yet!"
|
|
31
40
|
oauth_grant_user_code_label: "User code"
|
|
32
41
|
oauth_grant_user_jws_jwk_label: "JSON Web Keys"
|
|
33
42
|
oauth_grant_user_jwt_public_key_label: "Public key"
|
|
34
43
|
oauth_application_button: "Register"
|
|
35
44
|
oauth_authorize_button: "Authorize"
|
|
36
|
-
|
|
45
|
+
oauth_grant_revoke_button: "Revoke"
|
|
37
46
|
oauth_authorize_post_button: "Back to Client Application"
|
|
47
|
+
oauth_device_verification_page_lead: "The device with user code %{user_code} would like to access your data."
|
|
38
48
|
oauth_device_verification_button: "Verify"
|
|
49
|
+
oauth_device_search_page_lead: "Insert the user code from the device you'd like to authorize."
|
|
39
50
|
oauth_device_search_button: "Search"
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
51
|
+
oauth_invalid_client_message: "Client authentication failed"
|
|
52
|
+
oauth_invalid_grant_type_message: "Invalid grant type"
|
|
53
|
+
oauth_invalid_grant_message: "Invalid grant"
|
|
54
|
+
oauth_invalid_scope_message: "Invalid scope"
|
|
44
55
|
invalid_url_message: "Invalid URL"
|
|
45
|
-
|
|
46
|
-
unique_error_message: "is already in use"
|
|
56
|
+
oauth_unsupported_token_type_message: "Invalid token type hint"
|
|
47
57
|
null_error_message: "is not filled"
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
+
oauth_already_in_use_message: "error generating unique token"
|
|
59
|
+
oauth_expired_token_message: "the device code has expired"
|
|
60
|
+
oauth_access_denied_message: "the authorization request has been denied"
|
|
61
|
+
oauth_authorization_pending_message: "the authorization request is still pending"
|
|
62
|
+
oauth_slow_down_message: "authorization request is still pending but poll interval should be increased"
|
|
63
|
+
oauth_code_challenge_required_message: "code challenge required"
|
|
64
|
+
oauth_unsupported_transform_algorithm_message: "transform algorithm not supported"
|
|
65
|
+
oauth_request_uri_not_supported_message: "request uri is unsupported"
|
|
66
|
+
oauth_invalid_request_object_message: "request object is invalid"
|
|
67
|
+
oauth_invalid_scope_message: "The Access Token expired"
|
data/locales/pt.yml
CHANGED
|
@@ -3,21 +3,29 @@ pt:
|
|
|
3
3
|
require_authorization_error_flash: "Autorize para continuar"
|
|
4
4
|
create_oauth_application_error_flash: "Aconteceu um erro ao registar o aplicativo oauth"
|
|
5
5
|
create_oauth_application_notice_flash: "O seu aplicativo oauth foi registado com sucesso"
|
|
6
|
-
revoke_unauthorized_account_error_flash: "Não está autorizado a revogar
|
|
7
|
-
|
|
6
|
+
revoke_unauthorized_account_error_flash: "Não está autorizado a revogar esta concessão"
|
|
7
|
+
revoke_oauth_grant_notice_flash: "O token oauth foi revogado com sucesso"
|
|
8
8
|
device_verification_notice_flash: "O dispositivo foi verificado com sucesso"
|
|
9
9
|
user_code_not_found_error_flash: "Não existe nenhum dispositivo a ser autorizado com o código de usuário inserido"
|
|
10
10
|
authorize_page_title: "Autorizar"
|
|
11
|
+
authorize_page_lead: "O aplicativo %{name} gostaria de aceder aos seus dados."
|
|
12
|
+
oauth_cancel_button: "Cancelar"
|
|
11
13
|
oauth_applications_page_title: "Aplicativos OAuth"
|
|
12
14
|
oauth_application_page_title: "Aplicativo Oauth"
|
|
13
15
|
new_oauth_application_page_title: "Novo Aplicativo Oauth"
|
|
14
|
-
|
|
15
|
-
|
|
16
|
+
oauth_application_oauth_grants_page_title: "Concessões Oauth do Aplicativo"
|
|
17
|
+
oauth_grants_page_title: "As minhas concessões Oauth"
|
|
16
18
|
device_verification_page_title: "Verificação de dispositivo"
|
|
17
19
|
device_search_page_title: "Pesquisa de dispositivo"
|
|
18
20
|
oauth_management_pagination_previous_button: "Anterior"
|
|
19
21
|
oauth_management_pagination_next_button: "Próxima"
|
|
20
|
-
|
|
22
|
+
oauth_grants_type_label: "Tipo de concessão"
|
|
23
|
+
oauth_grants_scopes_label: "Escopos"
|
|
24
|
+
oauth_grants_token_label: "Token"
|
|
25
|
+
oauth_grants_refresh_token_label: "Refresh Token"
|
|
26
|
+
oauth_grants_expires_in_label: "Expira em"
|
|
27
|
+
oauth_grants_revoked_at_label: "Revogado a"
|
|
28
|
+
oauth_no_grants_text: "Nenhuma concessão OAuth ainda!"
|
|
21
29
|
oauth_applications_name_label: "Nome"
|
|
22
30
|
oauth_applications_description_label: "Descrição"
|
|
23
31
|
oauth_applications_scopes_label: "Escopos prédefinidos"
|
|
@@ -28,30 +36,32 @@ pt:
|
|
|
28
36
|
oauth_applications_redirect_uri_label: "URL para redireccionamento"
|
|
29
37
|
oauth_applications_client_secret_label: "Segredo de cliente"
|
|
30
38
|
oauth_applications_client_id_label: "ID do cliente"
|
|
39
|
+
oauth_no_applications_text: "Nenhum aplicativo OAuth ainda!"
|
|
31
40
|
oauth_grant_user_code_label: "Código do usuário"
|
|
32
41
|
oauth_grant_user_jws_jwk_label: "Chaves JSON Web"
|
|
33
42
|
oauth_grant_user_jwt_public_key_label: "Chave pública"
|
|
34
43
|
oauth_application_button: "Registar"
|
|
35
44
|
oauth_authorize_button: "Autorizar"
|
|
36
|
-
|
|
45
|
+
oauth_grant_revoke_button: "Revogar"
|
|
37
46
|
oauth_authorize_post_button: "Voltar para o aplicativo cliente"
|
|
47
|
+
oauth_device_verification_page_lead: "O dispositivo com o código de usuário %{user_code} gostaria de aceder aos seus dados."
|
|
38
48
|
oauth_device_verification_button: "Verificar"
|
|
49
|
+
oauth_device_search_page_lead: "Introduza o código de usuário do dispositivo que gostaria de autorizar."
|
|
39
50
|
oauth_device_search_button: "Pesquisar"
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
51
|
+
oauth_invalid_client_message: "A autenticação do cliente falhou"
|
|
52
|
+
oauth_invalid_grant_type_message: "Tipo de atribuição inválida"
|
|
53
|
+
oauth_invalid_grant_message: "Atribuição inválida"
|
|
54
|
+
oauth_invalid_scope_message: "Escopo inválido"
|
|
44
55
|
invalid_url_message: "URL inválido"
|
|
45
|
-
|
|
46
|
-
unique_error_message: "já está sendo utilizado"
|
|
56
|
+
oauth_unsupported_token_type_message: "Sugestão de tipo de token inválida"
|
|
47
57
|
null_error_message: "não está preenchido"
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
+
oauth_already_in_use_message: "erro ao gerar token único"
|
|
59
|
+
oauth_expired_token_message: "o código de dispositivo expirou"
|
|
60
|
+
oauth_access_denied_message: "o pedido de autorização foi negado"
|
|
61
|
+
oauth_authorization_pending_message: "o pedido de autorização ainda está pendente"
|
|
62
|
+
oauth_slow_down_message: "o pedido de autorização ainda está pendente mas o intervalo de actualização deve ser aumentado"
|
|
63
|
+
oauth_code_challenge_required_message: "código de negociação necessário"
|
|
64
|
+
oauth_unsupported_transform_algorithm_message: "algoritmo de transformação não suportado"
|
|
65
|
+
oauth_request_uri_not_supported_message: "request_uri não é suportado"
|
|
66
|
+
oauth_invalid_request_object_message: "request_object é inválido"
|
|
67
|
+
oauth_invalid_scope_message: "O Token de acesso expirou"
|
data/templates/authorize.str
CHANGED
|
@@ -8,10 +8,14 @@
|
|
|
8
8
|
end
|
|
9
9
|
}
|
|
10
10
|
<p class="lead">
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
#{h(rodauth.oauth_application[rodauth.
|
|
14
|
-
|
|
11
|
+
#{
|
|
12
|
+
rodauth.authorize_page_lead(name: <<-LINK
|
|
13
|
+
<a target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column])}">
|
|
14
|
+
#{h(rodauth.oauth_application[rodauth.oauth_applications_name_column])}
|
|
15
|
+
</a>
|
|
16
|
+
LINK
|
|
17
|
+
)
|
|
18
|
+
}
|
|
15
19
|
</p>
|
|
16
20
|
<div class="list-group">
|
|
17
21
|
#{
|
|
@@ -52,31 +56,20 @@
|
|
|
52
56
|
}
|
|
53
57
|
|
|
54
58
|
<div class="form-group">
|
|
55
|
-
<h1 class="display-6">#{rodauth.
|
|
59
|
+
<h1 class="display-6">#{rodauth.oauth_grants_scopes_label}</h1>
|
|
56
60
|
|
|
57
61
|
#{
|
|
58
|
-
rodauth.
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
<
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
</div>
|
|
66
|
-
HTML
|
|
67
|
-
else
|
|
68
|
-
<<-HTML
|
|
69
|
-
<div class="form-check">
|
|
70
|
-
<input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}">
|
|
71
|
-
<label class="form-check-label" for="#{scope}">#{h(scope)}</label>
|
|
72
|
-
</div>
|
|
73
|
-
HTML
|
|
74
|
-
end
|
|
62
|
+
rodauth.authorize_scopes.map do |scope|
|
|
63
|
+
<<-HTML
|
|
64
|
+
<div class="form-check">
|
|
65
|
+
<input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}">
|
|
66
|
+
<label class="form-check-label" for="#{scope}">#{h(scope)}</label>
|
|
67
|
+
</div>
|
|
68
|
+
HTML
|
|
75
69
|
end.join
|
|
76
70
|
}
|
|
77
71
|
|
|
78
72
|
<input type="hidden" name="client_id" value="#{rodauth.param("client_id")}"/>
|
|
79
|
-
|
|
80
73
|
#{"<input type=\"hidden\" name=\"access_type\" value=\"#{rodauth.param("access_type")}\"/>" if rodauth.param_or_nil("access_type")}
|
|
81
74
|
#{"<input type=\"hidden\" name=\"response_type\" value=\"#{rodauth.param("response_type")}\"/>" if rodauth.param_or_nil("response_type")}
|
|
82
75
|
#{"<input type=\"hidden\" name=\"response_mode\" value=\"#{rodauth.param("response_mode")}\"/>" if rodauth.param_or_nil("response_mode")}
|
|
@@ -98,6 +91,8 @@
|
|
|
98
91
|
</div>
|
|
99
92
|
<p class="text-center">
|
|
100
93
|
<input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_authorize_button)}"/>
|
|
101
|
-
<a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger"
|
|
94
|
+
<a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger">
|
|
95
|
+
#{rodauth.oauth_cancel_button}
|
|
96
|
+
</a>
|
|
102
97
|
</p>
|
|
103
98
|
</form>
|
data/templates/device_search.str
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
<form method="get" action="#{rodauth.device_path}" class="form-horizontal" role="form" id="device-search-form">
|
|
2
|
-
<p class="lead"
|
|
2
|
+
<p class="lead">#{rodauth.oauth_device_search_page_lead}</p>
|
|
3
3
|
|
|
4
4
|
<div class="form-group">
|
|
5
5
|
<label for="user_code">#{rodauth.oauth_grant_user_code_label}</label>
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
<form method="post" action="#{rodauth.device_path}" class="form-horizontal" role="form" id="device-verification-form">
|
|
2
2
|
#{csrf_tag(rodauth.device_path) if respond_to?(:csrf_tag)}
|
|
3
|
-
<p class="lead"
|
|
3
|
+
<p class="lead">#{rodauth.oauth_device_verification_page_lead(user_code: @oauth_grant[rodauth.oauth_grants_user_code_column])}</p>
|
|
4
4
|
|
|
5
5
|
<div class="form-group">
|
|
6
|
-
<h1 class="display-6">#{rodauth.
|
|
6
|
+
<h1 class="display-6">#{rodauth.oauth_grants_scopes_label}</h1>
|
|
7
7
|
|
|
8
8
|
<ul class="list-group">
|
|
9
9
|
#{
|
data/templates/jwks_field.str
CHANGED
|
@@ -2,3 +2,4 @@
|
|
|
2
2
|
<label for="name">#{rodauth.oauth_applications_jwks_label}#{rodauth.input_field_label_suffix}</label>
|
|
3
3
|
<textarea id="jwks" class="form-control" name="#{rodauth.oauth_application_jwks_param}" rows="3"></textarea>
|
|
4
4
|
</div>
|
|
5
|
+
#{rodauth.input_field_string(rodauth.oauth_application_jwks_uri_param, "jwks-uri", :type=>"text")}
|