rodauth-oauth 0.10.4 → 1.0.0.pre.beta1

data/lib/rodauth/features/oauth_pkce.rb

@@ -1,44 +1,40 @@
 # frozen_string_literal: true
 
-require "rodauth/oauth/refinements"
+require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_pkce, :OauthPkce) do
-    using PrefixExtensions
-
     depends :oauth_authorization_code_grant
 
-    auth_value_method :use_oauth_pkce?, true
-
-    auth_value_method :oauth_require_pkce, false
+    auth_value_method :oauth_require_pkce, true
     auth_value_method :oauth_pkce_challenge_method, "S256"
 
     auth_value_method :oauth_grants_code_challenge_column, :code_challenge
     auth_value_method :oauth_grants_code_challenge_method_column, :code_challenge_method
 
-    auth_value_method :code_challenge_required_error_code, "invalid_request"
-    translatable_method :code_challenge_required_message, "code challenge required"
-    auth_value_method :unsupported_transform_algorithm_error_code, "invalid_request"
-    translatable_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
+    auth_value_method :oauth_code_challenge_required_error_code, "invalid_request"
+    translatable_method :oauth_code_challenge_required_message, "code challenge required"
+    auth_value_method :oauth_unsupported_transform_algorithm_error_code, "invalid_request"
+    translatable_method :oauth_unsupported_transform_algorithm_message, "transform algorithm not supported"
 
     private
 
-    def authorized_oauth_application?(oauth_application, client_secret, _)
-      return true if use_oauth_pkce? && param_or_nil("code_verifier")
+    def supports_auth_method?(oauth_application, auth_method)
+      return super unless auth_method == "none"
 
-      super
+      request.params.key?("code_verifier") || super
     end
 
     def validate_authorize_params
-      validate_pkce_challenge_params if use_oauth_pkce?
+      validate_pkce_challenge_params
 
       super
     end
 
     def create_oauth_grant(create_params = {})
       # PKCE flow
-      if use_oauth_pkce? && (code_challenge = param_or_nil("code_challenge"))
-        code_challenge_method = param_or_nil("code_challenge_method")
+      if (code_challenge = param_or_nil("code_challenge"))
+        code_challenge_method = param_or_nil("code_challenge_method") || oauth_pkce_challenge_method
 
         create_params[oauth_grants_code_challenge_column] = code_challenge
         create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
@@ -47,18 +43,18 @@ module Rodauth
       super
     end
 
-    def create_oauth_token_from_authorization_code(oauth_grant, create_params, *)
-      if use_oauth_pkce?
-        if oauth_grant[oauth_grants_code_challenge_column]
-          code_verifier = param_or_nil("code_verifier")
+    def create_token_from_authorization_code(grant_params, *args, oauth_grant: nil)
+      oauth_grant ||= valid_locked_oauth_grant(grant_params)
 
-          redirect_response_error("invalid_request") unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
-        elsif oauth_require_pkce
-          redirect_response_error("code_challenge_required")
-        end
+      if oauth_grant[oauth_grants_code_challenge_column]
+        code_verifier = param_or_nil("code_verifier")
+
+        redirect_response_error("invalid_request") unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
+      elsif oauth_require_pkce
+        redirect_response_error("code_challenge_required")
       end
 
-      super
+      super({ oauth_grants_id_column => oauth_grant[oauth_grants_id_column] }, *args, oauth_grant: oauth_grant)
     end
 
     def validate_pkce_challenge_params
@@ -91,7 +87,7 @@ module Rodauth
 
     def oauth_server_metadata_body(*)
       super.tap do |data|
-        data[:code_challenge_methods_supported] = oauth_pkce_challenge_method if use_oauth_pkce?
+        data[:code_challenge_methods_supported] = oauth_pkce_challenge_method
       end
     end
   end

data/lib/rodauth/features/oauth_resource_indicators.rb

@@ -1,14 +1,12 @@
 # frozen_string_literal: true
 
-require "rodauth/oauth/version"
-require "rodauth/oauth/ttl_store"
+require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_resource_indicators, :OauthResourceIndicators) do
     depends :oauth_authorize_base
 
     auth_value_method :oauth_grants_resource_column, :resource
-    auth_value_method :oauth_tokens_resource_column, :resource
 
     def resource_indicators
       return @resource_indicators if defined?(@resource_indicators)
@@ -38,9 +36,10 @@ module Rodauth
     def require_oauth_authorization(*)
       super
 
-      return unless authorization_token[oauth_tokens_resource_column]
+      # done so to support token-in-grant-db, jwt, and resource-server mode
+      token_indicators = authorization_token[oauth_grants_resource_column] || authorization_token["resource"]
 
-      token_indicators = authorization_token[oauth_tokens_resource_column]
+      return unless token_indicators
 
       token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
 
@@ -49,7 +48,7 @@ module Rodauth
 
     private
 
-    def validate_oauth_token_params
+    def validate_token_params
       super
 
       return unless resource_indicators
@@ -59,23 +58,16 @@ module Rodauth
       end
     end
 
-    def create_oauth_token_from_token(oauth_token, update_params)
+    def create_token_from_token(oauth_grant, update_params)
       return super unless resource_indicators
 
-      return super unless oauth_token[oauth_tokens_oauth_grant_id_column]
-
-      oauth_grant = db[oauth_grants_table].where(
-        oauth_grants_id_column => oauth_token[oauth_tokens_oauth_grant_id_column],
-        oauth_grants_revoked_at_column => nil
-      ).first
-
       grant_indicators = oauth_grant[oauth_grants_resource_column]
 
       grant_indicators = grant_indicators.split(" ") if grant_indicators.is_a?(String)
 
       redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
 
-      super(oauth_token, update_params.merge(oauth_tokens_resource_column => resource_indicators))
+      super(oauth_grant, update_params.merge(oauth_grants_resource_column => resource_indicators))
     end
 
     def check_valid_no_fragment_uri?(uri)
@@ -95,9 +87,11 @@ module Rodauth
         end
       end
 
-      def create_oauth_token_from_authorization_code(oauth_grant, create_params, *args)
+      def create_token_from_authorization_code(grant_params, *args, oauth_grant: nil)
         return super unless resource_indicators
 
+        oauth_grant ||= valid_locked_oauth_grant(grant_params)
+
         redirect_response_error("invalid_target") unless oauth_grant[oauth_grants_resource_column]
 
         grant_indicators = oauth_grant[oauth_grants_resource_column]
@@ -106,7 +100,15 @@ module Rodauth
 
         redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
 
-        super(oauth_grant, create_params.merge(oauth_tokens_resource_column => resource_indicators), *args)
+        # update ownership
+        if grant_indicators != resource_indicators
+          oauth_grant = __update_and_return__(
+            db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column]),
+            oauth_grants_resource_column => resource_indicators
+          )
+        end
+
+        super({ oauth_grants_id_column => oauth_grant[oauth_grants_id_column] }, *args, oauth_grant: oauth_grant)
       end
 
       def create_oauth_grant(create_params = {})
@@ -117,12 +119,12 @@ module Rodauth
     end
 
     module IndicatorIntrospection
-      def json_token_introspect_payload(token)
-        return super unless token[oauth_tokens_oauth_grant_id_column]
+      def json_token_introspect_payload(grant)
+        return super unless grant[oauth_grants_id_column]
 
         payload = super
 
-        token_indicators = token[oauth_tokens_resource_column]
+        token_indicators = grant[oauth_grants_resource_column]
 
         token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
 
@@ -134,7 +136,7 @@ module Rodauth
       def introspection_request(*)
         payload = super
 
-        payload[oauth_tokens_resource_column] = payload["aud"] if payload["aud"]
+        payload[oauth_grants_resource_column] = payload["aud"] if payload["aud"]
 
         payload
       end
@@ -146,6 +148,16 @@ module Rodauth
 
         super.merge(aud: resource_indicators)
       end
+
+      def jwt_decode(token, verify_aud: true, **args)
+        claims = super(token, verify_aud: false, **args)
+
+        return claims unless verify_aud
+
+        return unless claims["aud"] && claims["aud"].one? { |aud| request.url.starts_with?(aud) }
+
+        claims
+      end
     end
 
     def self.included(rodauth)

data/lib/rodauth/features/oauth_resource_server.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oauth_resource_server, :OauthResourceServer) do
+    depends :oauth_token_introspection
+
+    auth_value_method :is_authorization_server?, false
+
+    auth_value_methods(
+      :before_introspection_request
+    )
+
+    def authorization_token
+      return @authorization_token if defined?(@authorization_token)
+
+      # check if there is a token
+      bearer_token = fetch_access_token
+
+      return unless bearer_token
+
+      # where in resource server, NOT the authorization server.
+      payload = introspection_request("access_token", bearer_token)
+
+      return unless payload["active"]
+
+      @authorization_token = payload
+    end
+
+    def require_oauth_authorization(*scopes)
+      authorization_required unless authorization_token
+
+      aux_scopes = authorization_token["scope"]
+
+      token_scopes = if aux_scopes
+                       aux_scopes.split(oauth_scope_separator)
+                     else
+                       []
+                     end
+
+      authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
+    end
+
+    private
+
+    def introspection_request(token_type_hint, token)
+      introspect_url = URI("#{authorization_server_url}#{introspect_path}")
+
+      response = http_request(introspect_url, { "token_type_hint" => token_type_hint, "token" => token }) do |request|
+        before_introspection_request(request)
+      end
+
+      JSON.parse(response.body)
+    end
+
+    def before_introspection_request(request); end
+  end
+end

data/lib/rodauth/features/oauth_saml_bearer_grant.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "onelogin/ruby-saml"
+require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_saml_bearer_grant, :OauthSamlBearerGrant) do
@@ -22,6 +23,10 @@ module Rodauth
       :account_from_saml2_bearer_assertion
     )
 
+    def oauth_grant_types_supported
+      super | %w[urn:ietf:params:oauth:grant-type:saml2-bearer]
+    end
+
     private
 
     def require_oauth_application_from_saml2_bearer_assertion_issuer(assertion)
@@ -94,7 +99,6 @@ module Rodauth
 
     def oauth_server_metadata_body(*)
       super.tap do |data|
-        data[:grant_types_supported] << "urn:ietf:params:oauth:grant-type:saml2-bearer"
         data[:token_endpoint_auth_methods_supported] << "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"
       end
     end

data/lib/rodauth/features/oauth_token_introspection.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+require "rodauth/oauth/http_extensions"
+
 module Rodauth
   Feature.define(:oauth_token_introspection, :OauthTokenIntrospection) do
     depends :oauth_base
@@ -7,47 +10,44 @@ module Rodauth
     before "introspect"
 
     auth_value_methods(
-      :before_introspection_request
+      :resource_owner_identifier
     )
 
     # /introspect
-    route(:introspect) do |r|
-      next unless is_authorization_server?
-
+    auth_server_route(:introspect) do |r|
+      require_oauth_application_for_introspect
       before_introspect_route
-      require_oauth_application
 
       r.post do
         catch_error do
-          validate_oauth_introspect_params
+          validate_introspect_params
+
+          token_type_hint = param_or_nil("token_type_hint")
 
           before_introspect
-          oauth_token = case param("token_type_hint")
-                        when "access_token"
-                          oauth_token_by_token(param("token"))
+          oauth_grant = case token_type_hint
+                        when "access_token", nil
+                          if features.include?(:oauth_jwt) && oauth_jwt_access_tokens
+                            jwt_decode(param("token"))
+                          else
+                            oauth_grant_by_token(param("token"))
+                          end
                         when "refresh_token"
-                          oauth_token_by_refresh_token(param("token"))
-                        else
-                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
+                          oauth_grant_by_refresh_token(param("token"))
                         end
 
-          if oauth_application
-            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
-          elsif oauth_token
-            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
-              oauth_token[oauth_tokens_oauth_application_id_column]).first
-          end
+          oauth_grant ||= oauth_grant_by_refresh_token(param("token")) if token_type_hint.nil?
 
-          json_response_success(json_token_introspect_payload(oauth_token))
+          json_response_success(json_token_introspect_payload(oauth_grant))
         end
 
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+        throw_json_response_error(oauth_invalid_response_status, "invalid_request")
       end
     end
 
     # Token introspect
 
-    def validate_oauth_introspect_params(token_hint_types = %w[access_token refresh_token].freeze)
+    def validate_introspect_params(token_hint_types = %w[access_token refresh_token].freeze)
       # check if valid token hint type
       if param_or_nil("token_type_hint") && !token_hint_types.include?(param("token_type_hint"))
         redirect_response_error("unsupported_token_type")
@@ -56,17 +56,35 @@ module Rodauth
       redirect_response_error("invalid_request") unless param_or_nil("token")
     end
 
-    def json_token_introspect_payload(token)
-      return { active: false } unless token
-
-      {
-        active: true,
-        scope: token[oauth_tokens_scopes_column],
-        client_id: oauth_application[oauth_applications_client_id_column],
-        # username
-        token_type: oauth_token_type,
-        exp: token[oauth_tokens_expires_in_column].to_i
-      }
+    def json_token_introspect_payload(grant_or_claims)
+      return { active: false } unless grant_or_claims
+
+      if grant_or_claims["sub"]
+        # JWT
+        {
+          active: true,
+          scope: grant_or_claims["scope"],
+          client_id: grant_or_claims["client_id"],
+          username: resource_owner_identifier(grant_or_claims),
+          token_type: "access_token",
+          exp: grant_or_claims["exp"],
+          iat: grant_or_claims["iat"],
+          nbf: grant_or_claims["nbf"],
+          sub: grant_or_claims["sub"],
+          aud: grant_or_claims["aud"],
+          iss: grant_or_claims["iss"],
+          jti: grant_or_claims["jti"]
+        }
+      else
+        {
+          active: true,
+          scope: grant_or_claims[oauth_grants_scopes_column],
+          client_id: oauth_application[oauth_applications_client_id_column],
+          username: resource_owner_identifier(grant_or_claims),
+          token_type: oauth_token_type,
+          exp: grant_or_claims[oauth_grants_expires_in_column].to_i
+        }
+      end
     end
 
     def check_csrf?
@@ -80,24 +98,17 @@ module Rodauth
 
     private
 
-    def introspection_request(token_type_hint, token)
-      auth_url = URI(authorization_server_url)
-      http = Net::HTTP.new(auth_url.host, auth_url.port)
-      http.use_ssl = auth_url.scheme == "https"
+    def require_oauth_application_for_introspect
+      (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]))
 
-      request = Net::HTTP::Post.new(auth_url.path + introspect_path)
-      request["content-type"] = "application/x-www-form-urlencoded"
-      request["accept"] = json_response_content_type
-      request.set_form_data({ "token_type_hint" => token_type_hint, "token" => token })
+      return require_oauth_application unless token
 
-      before_introspection_request(request)
-      response = http.request(request)
-      authorization_required unless response.code.to_i == 200
+      oauth_application = current_oauth_application
 
-      JSON.parse(response.body)
-    end
+      authorization_required unless oauth_application
 
-    def before_introspection_request(request); end
+      @oauth_application = oauth_application
+    end
 
     def oauth_server_metadata_body(*)
       super.tap do |data|
@@ -105,5 +116,24 @@ module Rodauth
         data[:introspection_endpoint_auth_methods_supported] = %w[client_secret_basic]
       end
     end
+
+    def resource_owner_identifier(grant_or_claims)
+      if (account_id = grant_or_claims[oauth_grants_account_id_column])
+        account_ds(account_id).select(login_column).first[login_column]
+      elsif (app_id = grant_or_claims[oauth_grants_oauth_application_id_column])
+        db[oauth_applications_table].where(oauth_applications_id_column => app_id)
+                                    .select(oauth_applications_name_column)
+                                    .first[oauth_applications_name_column]
+      elsif (subject = grant_or_claims["sub"])
+        # JWT
+        if subject == grant_or_claims["client_id"]
+          db[oauth_applications_table].where(oauth_applications_client_id_column => subject)
+                                      .select(oauth_applications_name_column)
+                                      .first[oauth_applications_name_column]
+        else
+          account_ds(subject).select(login_column).first[login_column]
+        end
+      end
+    end
   end
 end

data/lib/rodauth/features/oauth_token_revocation.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
   Feature.define(:oauth_token_revocation, :OauthTokenRevocation) do
     depends :oauth_base
@@ -7,14 +9,10 @@ module Rodauth
     before "revoke"
     after "revoke"
 
-    notice_flash "The oauth token has been revoked", "revoke_oauth_token"
+    notice_flash "The oauth grant has been revoked", "revoke_oauth_grant"
 
     # /revoke
-    route(:revoke) do |r|
-      next unless is_authorization_server?
-
-      before_revoke_route
-
+    auth_server_route(:revoke) do |r|
       if logged_in?
         require_account
         require_oauth_application_from_account
@@ -22,24 +20,32 @@ module Rodauth
         require_oauth_application
       end
 
+      before_revoke_route
+
       r.post do
         catch_error do
-          validate_oauth_revoke_params
+          validate_revoke_params
 
-          oauth_token = nil
+          oauth_grant = nil
           transaction do
             before_revoke
-            oauth_token = revoke_oauth_token
+            oauth_grant = revoke_oauth_grant
             after_revoke
           end
 
           if accepts_json?
-            json_response_success \
-              "token" => oauth_token[oauth_tokens_token_column],
-              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
-              "revoked_at" => convert_timestamp(oauth_token[oauth_tokens_revoked_at_column])
+            json_payload = {
+              "revoked_at" => convert_timestamp(oauth_grant[oauth_grants_revoked_at_column])
+            }
+            if param("token_type_hint") == "refresh_token"
+              json_payload["refresh_token"] = oauth_grant[oauth_grants_refresh_token_column]
+            else
+              json_payload["token"] = oauth_grant[oauth_grants_token_column]
+            end
+
+            json_response_success json_payload
           else
-            set_notice_flash revoke_oauth_token_notice_flash
+            set_notice_flash revoke_oauth_grant_notice_flash
             redirect request.referer || "/"
           end
         end
@@ -48,12 +54,17 @@ module Rodauth
       end
     end
 
-    def validate_oauth_revoke_params(token_hint_types = %w[access_token refresh_token].freeze)
-      # check if valid token hint type
-      if param_or_nil("token_type_hint") && !token_hint_types.include?(param("token_type_hint"))
-        redirect_response_error("unsupported_token_type")
+    def validate_revoke_params(token_hint_types = %w[access_token refresh_token].freeze)
+      token_hint = param_or_nil("token_type_hint")
+
+      if features.include?(:oauth_jwt) && oauth_jwt_access_tokens && (!token_hint || token_hint == "access_token")
+        # JWT access tokens can't be revoked
+        throw(:rodauth_error)
       end
 
+      # check if valid token hint type
+      redirect_response_error("unsupported_token_type") if token_hint && !token_hint_types.include?(token_hint)
+
       redirect_response_error("invalid_request") unless param_or_nil("token")
     end
 
@@ -68,29 +79,31 @@ module Rodauth
 
     private
 
-    def revoke_oauth_token
+    def revoke_oauth_grant
       token = param("token")
 
-      oauth_token = if param("token_type_hint") == "refresh_token"
-                      oauth_token_by_refresh_token(token)
-                    else
-                      oauth_token_by_token_ds(token).where(
-                        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column]
-                      ).first
-                    end
+      if param("token_type_hint") == "refresh_token"
+        oauth_grant = oauth_grant_by_refresh_token(token)
+        token_column = oauth_grants_refresh_token_column
+      else
+        oauth_grant = oauth_grant_by_token_ds(token).where(
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
+        ).first
+        token_column = oauth_grants_token_column
+      end
 
-      redirect_response_error("invalid_request") unless oauth_token
+      redirect_response_error("invalid_request") unless oauth_grant
 
-      redirect_response_error("invalid_request") unless token_from_application?(oauth_token, oauth_application)
+      redirect_response_error("invalid_request") unless grant_from_application?(oauth_grant, oauth_application)
 
-      update_params = { oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
+      update_params = { oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
 
-      ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+      ds = db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
 
-      oauth_token = __update_and_return__(ds, update_params)
+      oauth_grant = __update_and_return__(ds, update_params)
 
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token
+      oauth_grant[token_column] = token
+      oauth_grant
 
       # If the particular
       # token is a refresh token and the authorization server supports the