rodauth-oauth 0.10.4 → 1.0.0.pre.beta1

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -24,6 +24,19 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       # t.string :contacts, null: true
       # t.string :software_id, null: true
       # t.string :software_version, null: true
+      # oidc extra params
+      # t.string :sector_identifier_uri, null: true
+      # t.string :application_type, null: true
+      # t.string :subject_type, null: true
+      # t.string :id_token_signed_response_alg, null: true
+      # t.string :id_token_encrypted_response_alg, null: true
+      # t.string :id_token_encrypted_response_enc, null: true
+      # t.string :userinfo_signed_response_alg, null: true
+      # t.string :userinfo_encrypted_response_alg, null: true
+      # t.string :userinfo_encrypted_response_enc, null: true
+      # t.string :request_object_signing_alg, null: true
+      # t.string :request_object_encryption_alg, null: true
+      # t.string :request_object_encryption_enc, null: true
       # JWT/OIDC per application signing verification
       # t.text :jwt_public_key, null: true
       # RP-initiated logout
@@ -35,8 +48,11 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.foreign_key :accounts, column: :account_id
       t.integer :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
-      t.string :code, null: false
+      t.string :type, null: true
+      t.string :code, null: true
       t.index(%i[oauth_application_id code], unique: true)
+      t.string :token, unique: true
+      t.string :refresh_token, unique: true
       t.datetime :expires_in, null: false
       t.string :redirect_uri
       t.datetime :revoked_at
@@ -47,41 +63,14 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       # uncomment to enable PKCE
       # t.string :code_challenge
       # t.string :code_challenge_method
-      # uncomment to use OIDC nonce
-      # t.string :nonce
       # device code grant
       # t.string :user_code, null: true, unique: true
       # t.datetime :last_polled_at, null: true
       # when using :oauth_resource_indicators feature
       # t.string :resource
-    end
-
-    create_table :oauth_tokens do |t|
-      t.integer :account_id
-      t.foreign_key :accounts, column: :account_id
-      t.integer :oauth_grant_id
-      t.foreign_key :oauth_grants, column: :oauth_grant_id
-      t.integer :oauth_token_id
-      t.foreign_key :oauth_tokens, column: :oauth_token_id
-      t.integer :oauth_application_id
-      t.foreign_key :oauth_applications, column: :oauth_application_id
-      t.string :token, null: false, token: true, unique: true
-      # uncomment if setting oauth_tokens_token_hash_column
-      # and delete the token column
-      # t.string :token_hash, token: true, unique: true
-      t.string :refresh_token, unique: true
-      # uncomment if setting oauth_tokens_refresh_token_hash_column
-      # and delete the refresh_token column
-      # t.string :refresh_token_hash, token: true, unique: true
-      t.datetime :expires_in, null: false
-      t.datetime :revoked_at
-      t.string :scopes, null: false
-      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
       # uncomment to use OIDC nonce
       # t.string :nonce
-      # t.datetime :auth_time
-      # when using :oauth_resource_indicators feature
-      # t.string :resource
+      # t.string :acr
     end
   end
 end

data/lib/rodauth/features/oauth_application_management.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
   Feature.define(:oauth_application_management, :OauthApplicationManagement) do
-    depends :oauth_management_base
+    depends :oauth_management_base, :oauth_token_revocation
 
     before "create_oauth_application"
     after "create_oauth_application"
@@ -13,7 +15,7 @@ module Rodauth
     view "oauth_applications", "Oauth Applications", "oauth_applications"
     view "oauth_application", "Oauth Application", "oauth_application"
     view "new_oauth_application", "New Oauth Application", "new_oauth_application"
-    view "oauth_application_oauth_tokens", "Oauth Application Tokens", "oauth_application_oauth_tokens"
+    view "oauth_application_oauth_grants", "Oauth Application Grants", "oauth_application_oauth_grants"
 
     # Application
     APPLICATION_REQUIRED_PARAMS = %w[name scopes homepage_url redirect_uri client_secret].freeze
@@ -21,12 +23,6 @@ module Rodauth
 
     (APPLICATION_REQUIRED_PARAMS + %w[description client_id]).each do |param|
       auth_value_method :"oauth_application_#{param}_param", param
-      configuration_module_eval do
-        define_method :"#{param}_label" do
-          warn "#{__method__} is deprecated, switch to oauth_applications_#{__method__}_label"
-          __send__(:"oauth_applications_#{param}_label")
-        end
-      end
     end
 
     translatable_method :oauth_applications_name_label, "Name"
@@ -41,36 +37,42 @@ module Rodauth
     translatable_method :oauth_applications_redirect_uri_label, "Redirect URI"
     translatable_method :oauth_applications_client_secret_label, "Client Secret"
     translatable_method :oauth_applications_client_id_label, "Client ID"
+
+    %w[type token refresh_token expires_in revoked_at].each do |param|
+      translatable_method :"oauth_grants_#{param}_label", param.gsub("_", " ").capitalize
+    end
+
     button "Register", "oauth_application"
-    button "Revoke", "oauth_token_revoke"
+    button "Revoke", "oauth_grant_revoke"
 
-    auth_value_method :oauth_applications_oauth_tokens_path, "oauth-tokens"
+    auth_value_method :oauth_applications_oauth_grants_path, "oauth-grants"
     auth_value_method :oauth_applications_route, "oauth-applications"
     auth_value_method :oauth_applications_per_page, 20
     auth_value_method :oauth_applications_id_pattern, Integer
-    auth_value_method :oauth_tokens_per_page, 20
+    auth_value_method :oauth_grants_per_page, 20
 
     translatable_method :invalid_url_message, "Invalid URL"
     translatable_method :null_error_message, "is not filled"
 
-    def oauth_applications_path(opts = {})
-      route_path(oauth_applications_route, opts)
-    end
+    translatable_method :oauth_no_applications_text, "No oauth applications yet!"
+    translatable_method :oauth_no_grants_text, "No oauth grants yet!"
 
-    def oauth_applications_url(opts = {})
-      route_url(oauth_applications_route, opts)
-    end
     auth_value_methods(
       :oauth_application_path
     )
 
+    def oauth_applications_path(opts = {})
+      route_path(oauth_applications_route, opts)
+    end
+
     def oauth_application_path(id)
       "#{oauth_applications_path}/#{id}"
     end
 
     # /oauth-applications routes
-    def oauth_applications
+    def load_oauth_application_management_routes
       request.on(oauth_applications_route) do
+        check_csrf if check_csrf?
         require_account
 
         request.get "new" do
@@ -92,57 +94,52 @@ module Rodauth
             end
           end
 
-          request.on(oauth_applications_oauth_tokens_path) do
+          request.on(oauth_applications_oauth_grants_path) do
             page = Integer(param_or_nil("page") || 1)
-            per_page = per_page_param(oauth_tokens_per_page)
-            oauth_tokens = db[oauth_tokens_table]
-                           .where(oauth_tokens_oauth_application_id_column => id)
-                           .order(Sequel.desc(oauth_tokens_id_column))
-            scope.instance_variable_set(:@oauth_tokens, oauth_tokens.paginate(page, per_page))
-            request.get do
-              oauth_application_oauth_tokens_view
+            per_page = per_page_param(oauth_grants_per_page)
+            oauth_grants = db[oauth_grants_table]
+                           .where(oauth_grants_oauth_application_id_column => id)
+                           .order(Sequel.desc(oauth_grants_id_column))
+            scope.instance_variable_set(:@oauth_grants, oauth_grants.paginate(page, per_page))
+            request.is do
+              request.get do
+                oauth_application_oauth_grants_view
+              end
             end
           end
         end
 
-        request.get do
-          page = Integer(param_or_nil("page") || 1)
-          per_page = per_page_param(oauth_applications_per_page)
-          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table]
-            .where(oauth_applications_account_id_column => account_id)
-            .order(Sequel.desc(oauth_applications_id_column))
-            .paginate(page, per_page))
-
-          oauth_applications_view
-        end
+        request.is do
+          request.get do
+            page = Integer(param_or_nil("page") || 1)
+            per_page = per_page_param(oauth_applications_per_page)
+            scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table]
+              .where(oauth_applications_account_id_column => account_id)
+              .order(Sequel.desc(oauth_applications_id_column))
+              .paginate(page, per_page))
 
-        request.post do
-          catch_error do
-            validate_oauth_application_params
+            oauth_applications_view
+          end
 
-            transaction do
-              before_create_oauth_application
-              id = create_oauth_application
-              after_create_oauth_application
-              set_notice_flash create_oauth_application_notice_flash
-              redirect "#{request.path}/#{id}"
+          request.post do
+            catch_error do
+              validate_oauth_application_params
+
+              transaction do
+                before_create_oauth_application
+                id = create_oauth_application
+                after_create_oauth_application
+                set_notice_flash create_oauth_application_notice_flash
+                redirect "#{request.path}/#{id}"
+              end
             end
+            set_error_flash create_oauth_application_error_flash
+            new_oauth_application_view
           end
-          set_error_flash create_oauth_application_error_flash
-          new_oauth_application_view
         end
       end
     end
 
-    def check_csrf?
-      case request.path
-      when oauth_applications_path
-        only_json? ? false : super
-      else
-        super
-      end
-    end
-
     private
 
     def oauth_application_params
@@ -176,7 +173,7 @@ module Rodauth
         elsif key == oauth_application_scopes_param
 
           value.each do |scope|
-            set_field_error(key, invalid_scope_message) unless oauth_application_scopes.include?(scope)
+            set_field_error(key, oauth_invalid_scope_message) unless oauth_application_scopes.include?(scope)
           end
         end
       end
@@ -196,28 +193,18 @@ module Rodauth
       redirect_uris = oauth_application_params[oauth_application_redirect_uri_param]
       redirect_uris = redirect_uris.to_a.reject(&:empty?).join(" ") if redirect_uris.respond_to?(:each)
       create_params[oauth_applications_redirect_uri_column] = redirect_uris unless redirect_uris.empty?
-      # set client ID/secret pairs
 
-      create_params.merge! \
-        oauth_applications_client_secret_column => \
-          secret_hash(oauth_application_params[oauth_application_client_secret_param])
+      # set client ID/secret pairs
+      set_client_secret(create_params, oauth_application_params[oauth_application_client_secret_param])
 
-      create_params[oauth_applications_scopes_column] = if create_params[oauth_applications_scopes_column]
-                                                          create_params[oauth_applications_scopes_column].join(oauth_scope_separator)
-                                                        else
-                                                          oauth_application_default_scope
-                                                        end
+      if create_params[oauth_applications_scopes_column]
+        create_params[oauth_applications_scopes_column] = create_params[oauth_applications_scopes_column].join(oauth_scope_separator)
+      end
 
       rescue_from_uniqueness_error do
         create_params[oauth_applications_client_id_column] = oauth_unique_id_generator
         db[oauth_applications_table].insert(create_params)
       end
     end
-
-    def oauth_server_metadata_body(*)
-      super.tap do |data|
-        data[:registration_endpoint] = oauth_applications_url
-      end
-    end
   end
 end

data/lib/rodauth/features/oauth_assertion_base.rb

@@ -1,11 +1,9 @@
 # frozen_string_literal: true
 
-require "rodauth/oauth/refinements"
+require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_assertion_base, :OauthAssertionBase) do
-    using PrefixExtensions
-
     depends :oauth_base
 
     auth_value_methods(
@@ -17,7 +15,7 @@ module Rodauth
 
     private
 
-    def validate_oauth_token_params
+    def validate_token_params
       return super unless assertion_grant_type?
 
       redirect_response_error("invalid_grant") unless param_or_nil("assertion")
@@ -29,19 +27,16 @@ module Rodauth
       elsif client_assertion_type?
         @oauth_application = __send__(:"require_oauth_application_from_#{client_assertion_type}_assertion_subject",
                                       param("client_assertion"))
-      else
-        return super
-      end
 
-      redirect_response_error("invalid_grant") unless @oauth_application
-
-      if client_assertion_type? &&
-         (client_id = param_or_nil("client_id")) &&
-         client_id != @oauth_application[oauth_applications_client_id_column]
-        # If present, the value of the
-        # "client_id" parameter MUST identify the same client as is
-        # identified by the client assertion.
-        redirect_response_error("invalid_grant")
+        if (client_id = param_or_nil("client_id")) &&
+           client_id != @oauth_application[oauth_applications_client_id_column]
+          # If present, the value of the
+          # "client_id" parameter MUST identify the same client as is
+          # identified by the client assertion.
+          redirect_response_error("invalid_grant")
+        end
+      else
+        super
       end
     end
 
@@ -54,7 +49,7 @@ module Rodauth
       )
     end
 
-    def create_oauth_token(grant_type)
+    def create_token(grant_type)
       return super unless assertion_grant_type?(grant_type) && supported_grant_type?(grant_type)
 
       account = __send__(:"account_from_#{assertion_grant_type}_assertion", param("assertion"))
@@ -62,19 +57,20 @@ module Rodauth
       redirect_response_error("invalid_grant") unless account
 
       grant_scopes = if param_or_nil("scope")
-                       redirect_response_error("invalid_grant") unless check_valid_scopes?
+                       redirect_response_error("invalid_scope") unless check_valid_scopes?
                        scopes
                      else
                        @oauth_application[oauth_applications_scopes_column]
                      end
 
-      create_params = {
-        oauth_tokens_account_id_column => account[account_id_column],
-        oauth_tokens_oauth_application_id_column => @oauth_application[oauth_applications_id_column],
-        oauth_tokens_scopes_column => grant_scopes
+      grant_params = {
+        oauth_grants_type_column => grant_type,
+        oauth_grants_account_id_column => account[account_id_column],
+        oauth_grants_oauth_application_id_column => @oauth_application[oauth_applications_id_column],
+        oauth_grants_scopes_column => grant_scopes
       }
 
-      generate_oauth_token(create_params, false)
+      generate_token(grant_params, false)
     end
 
     def assertion_grant_type?(grant_type = param("grant_type"))

data/lib/rodauth/features/oauth_authorization_code_grant.rb

@@ -1,67 +1,53 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
   Feature.define(:oauth_authorization_code_grant, :OauthAuthorizationCodeGrant) do
     depends :oauth_authorize_base
 
-    auth_value_method :use_oauth_access_type?, true
+    auth_value_method :oauth_response_mode, "form_post"
+
+    def oauth_grant_types_supported
+      super | %w[authorization_code]
+    end
+
+    def oauth_response_types_supported
+      super | %w[code]
+    end
+
+    def oauth_response_modes_supported
+      super | %w[query form_post]
+    end
 
     private
 
     def validate_authorize_params
       super
 
-      redirect_response_error("invalid_request") unless check_valid_access_type? && check_valid_approval_prompt?
+      return unless (response_mode = param_or_nil("response_mode")) && !oauth_response_modes_supported.include?(response_mode)
 
-      redirect_response_error("invalid_request") if (response_mode = param_or_nil("response_mode")) && response_mode != "form_post"
-
-      try_approval_prompt if use_oauth_access_type? && request.get?
+      redirect_response_error("invalid_request")
     end
 
-    def validate_oauth_token_params
+    def validate_token_params
       redirect_response_error("invalid_request") if param_or_nil("grant_type") == "authorization_code" && !param_or_nil("code")
       super
     end
 
-    def try_approval_prompt
-      approval_prompt = param_or_nil("approval_prompt")
-
-      return unless approval_prompt && approval_prompt == "auto"
-
-      return if db[oauth_grants_table].where(
-        oauth_grants_account_id_column => account_id,
-        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_grants_redirect_uri_column => redirect_uri,
-        oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
-        oauth_grants_access_type_column => "online"
-      ).count.zero?
-
-      # if there's a previous oauth grant for the params combo, it means that this user has approved before.
-      request.env["REQUEST_METHOD"] = "POST"
-    end
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
+      response_mode ||= oauth_response_mode
 
-    def create_oauth_grant(create_params = {})
-      # Access Type flow
-      if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
-        create_params[oauth_grants_access_type_column] = access_type
-      end
+      redirect_response_error("invalid_request") unless response_mode.nil? || supported_response_mode?(response_mode)
 
-      super
-    end
+      response_type = param_or_nil("response_type")
 
-    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
-      case param("response_type")
+      redirect_response_error("invalid_request") unless response_type.nil? || supported_response_type?(response_type)
 
-      when "code"
-        response_mode ||= "query"
-        response_params.replace(_do_authorize_code)
-      when "none"
-        response_mode ||= "none"
-      when "", nil
+      case response_type
+      when "code", nil
         response_mode ||= oauth_response_mode
         response_params.replace(_do_authorize_code)
-      else
-        return super if response_params.empty?
       end
 
       response_params["state"] = param("state") if param_or_nil("state")
@@ -70,11 +56,11 @@ module Rodauth
     end
 
     def _do_authorize_code
-      create_params = { oauth_grants_account_id_column => account_id }
-      # Access Type flow
-      if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
-        create_params[oauth_grants_access_type_column] = access_type
-      end
+      create_params = {
+        oauth_grants_type_column => "authorization_code",
+        oauth_grants_account_id_column => account_id
+      }
+
       { "code" => create_oauth_grant(create_params) }
     end
 
@@ -102,53 +88,20 @@ module Rodauth
             </body>
           </html>
         FORM
-      when "none"
-        redirect(redirect_url.to_s)
-      else
-        super
       end
     end
 
-    def create_oauth_token(grant_type)
+    def create_token(grant_type)
       return super unless supported_grant_type?(grant_type, "authorization_code")
 
-      # fetch oauth grant
-      oauth_grant = db[oauth_grants_table].where(
+      grant_params = {
+        oauth_grants_type_column => grant_type,
         oauth_grants_code_column => param("code"),
         oauth_grants_redirect_uri_column => param("redirect_uri"),
-        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_grants_revoked_at_column => nil
-      ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                                          .for_update
-                                          .first
-
-      redirect_response_error("invalid_grant") unless oauth_grant
-
-      create_params = {
-        oauth_tokens_account_id_column => oauth_grant[oauth_grants_account_id_column],
-        oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
-        oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
-        oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
       }
-      create_oauth_token_from_authorization_code(oauth_grant, create_params, !use_oauth_access_type?)
-    end
-
-    ACCESS_TYPES = %w[offline online].freeze
-
-    def check_valid_access_type?
-      return true unless use_oauth_access_type?
 
-      access_type = param_or_nil("access_type")
-      !access_type || ACCESS_TYPES.include?(access_type)
-    end
-
-    APPROVAL_PROMPTS = %w[force auto].freeze
-
-    def check_valid_approval_prompt?
-      return true unless use_oauth_access_type?
-
-      approval_prompt = param_or_nil("approval_prompt")
-      !approval_prompt || APPROVAL_PROMPTS.include?(approval_prompt)
+      create_token_from_authorization_code(grant_params)
     end
 
     def check_valid_response_type?
@@ -160,12 +113,6 @@ module Rodauth
     def oauth_server_metadata_body(*)
       super.tap do |data|
         data[:authorization_endpoint] = authorize_url
-        data[:response_types_supported] << "code"
-
-        data[:response_modes_supported] << "query"
-        data[:response_modes_supported] << "form_post"
-
-        data[:grant_types_supported] << "authorization_code"
       end
     end
   end