rodauth-oauth 0.10.4 → 1.0.0.pre.beta2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa43bf0d9c1f6d8ac7a9e2c05b9f9751a68bf0720d47bcdcd92090cdc80b8ec6
-  data.tar.gz: 14101a64005ea99770b2548c3dda8589b06c10cb8d26a4bb30a9e396c301ec17
+  metadata.gz: 0f96bced835f21567ea5603751e8cf06b53d4eae70d9cab8bc685e2fca8c2027
+  data.tar.gz: 59badde6a055fa2638bcb41b01534f0b5b8de9eac541ac596f25e6d5cd6fb043
 SHA512:
-  metadata.gz: d5ca40d77877ff713dad6bee5d6424d869a8e6d61101fe87ff18c97372e3c9d8d2acd6fc3450ea8f938582f42740ff5da1326a3501b46e43ada73d1d192592a8
-  data.tar.gz: 4cd099ee6f8e8b5195fb62d8370e46063fa88a1eb3631cad0705fff076d627c891e6cbfc147e7f0c3c4ea651463f611e87c756e93f65b9475322d523f5b101b1
+  metadata.gz: 492a5c3c12bcc678c5eb6171e9d9851db745412fdb3675674c61b512dbfd1ff1aec09da02a3d4df3acb9133148990538200c49ce05de7a34dea85107aebf151b
+  data.tar.gz: 65f1223065b2a0bce609b4137b8fadd206fffa9904caac97c41dc4d429528dea474a8b450128409ed164f6407c690e95a3e7c4a83b8f9302fb41d0336e132dea

data/MIGRATION-GUIDE-v1.md

@@ -0,0 +1,286 @@
+# Migration Guide v1
+
+This guide is to share a few helpful tips to migrate a production app using `rodauth-oauth` v0.10 to v1. There are quite a few breaking changes which will require some work to pull through, and I'll go 1 by 1.
+
+**Most important tip**: Make sure you're running v0.10.3 before you try to migrate to v1!
+
+## Minimum ruby version: 2.5
+
+Make sure you're at least running ruby 2.5 before considering migrating.
+
+## The Oauth Token Resource was removed
+
+The access and refresh tokens are now stored in the `oauth_grants` table, and the `oauth_tokens` table is no longer necessary.
+
+This means that:
+
+* Both the table, columns and labels config options prefixed by `oauth_tokens` were removed.
+* "Oauth Token Revocation" becomes "OAuth Grant Revocation", and all relevant options and text changed accordingly.
+* OAuth management plugins also change (i.e. URL path for listing grants is `/oauth-grants`)
+
+### How to migrate
+
+The tl;dr is: you'll need to start by adding the new columns to the `oauth_grants` table, start backfilling the values in runtime, backfill historical grants in the background, then deploy v1.
+
+This example is going to use `token` and `refresh_token` columns as an example, but it's extensible to `token_hash` and `refresh_token_hash`.
+
+Add the required token columns to the `oauth_grants` table and start backfilling themm:
+
+```ruby
+# example sequel migration
+
+Sequel.migration do
+  up do
+    alter_table :oauth_grants do
+      String :code, nullable: true # to change the nullable constraint
+      String :token, nullable: true, unique: true
+      String :refresh_token, nullable: true, unique: true
+    end
+
+
+    # Then the runtime backfilling can happen. You can do that using a trigger on the `oauth_tokens` table
+
+    run <<-SQL
+CREATE OR REPLACE FUNCTION copy_tokens_to_grant()
+  RETURNS trigger AS
+$$
+BEGIN
+  UPDATE "oauth_grants" SET "oauth_grants"."token" = NEW."token",
+    "oauth_grants"."refresh_token" = NEW."refresh_token",
+    "oauth_grants"."expires_in" = NEW."expires_in",
+    "oauth_grants"."code" = NULL
+    WHERE "oauth_grants"."id" = NEW."oauth_grant_id";
+
+RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';
+
+CREATE TRIGGER copy_tokens_to_grant
+  AFTER INSERT
+  ON oauth_tokens
+  FOR EACH ROW
+  EXECUTE PROCEDURE copy_tokens_to_grant();
+    SQL
+  end
+end
+```
+
+Then you'll need too backfill grants created before the changes above.
+
+```SQL
+--- this is how to do it in SQL, but can also be accomplished with a ruby script looping on rows.
+
+UPDATE "oauth_grants"
+  INNER JOIN "oauth_tokens" ON "oauth_tokens"."oauth_grant_id" = "oauth_grants"."id"
+  SET "oauth_grants"."token" = "oauth_tokens"."token",
+    "oauth_grants"."refresh_token" = "oauth_tokens"."refresh_token",
+    "oauth_grants"."expires_in" = "oauth_tokens"."expires_in",
+    "oauth_grants"."code" = NULL
+  WHERE "oauth_grants"."token" IS NULL;
+```
+
+And now you can deploy the app with v1 installed (after you've done the required changes).
+
+## oauth applications: oauth_applications_client_secret_hash_column
+
+The client secret is hashed (with bcrypt) before being stored, by default. While previously it was also hashed by default, this is now driven by the new `:oauth_applications_client_secret_hash_column` options, which is set to `:client_secret`. In order to disable hashing and store the client secret in plain-text (smth whic, p.ex. the `client_secret_jwt` auth method requires), just do this:
+
+```ruby
+oauth_applications_client_secret_hash_column nil
+```
+
+## oauth grants: access token and refresh token hashed by default
+
+access token and refresh token columns are now hashed by default, and point to the same column as the main counterpart:
+
+```ruby
+# this is now the default
+oauth_grants_token_hash_column :token
+oauth_grants_token_column :token
+oauth_grants_refresh_token_hash_column :refresh_token
+oauth_grants_refresh_token_column :refresh_token
+```
+
+in order to keep storing the tokens in plaintext, set the hash column options to`nil`. In order to keep storing the hashed token in a separate coluumn, just redefine it to the name of the column.
+
+## oauth_response_mode is now form_post.
+
+To get the old behaviour back:
+
+```ruby
+oauth_response_mode "query"
+```
+
+## renamed options
+
+The following auth config methods were renamed (rename them if you're redefining them):
+
+* `description_param` (replaced by `oauth_applications_description_param`)
+* `client_id_param` (replaced by `oauth_applications_client_id_param`)
+* `oauth_applications_jws_jwk_column` (replaced by `oauth_applications_jwks_column`)
+* `oauth_applications_jws_jwk_label` (replaced by `oauth_applications_jwks_label`)
+* `oauth_application_jws_jwk_param` (replaced by `oauth_applications_jwks_param`)
+* all config methods terminated in `"_error_status"` are now prefixed by `"oauth_"`
+* all config methods terminated in `"_message"` are now prefixed by `"oauth_`
+* all config methods terminated in `"_error_code`` are now prefixed by `"oauth"`
+* `unique_error_message` config method was removed (not in use)
+* `oauth_jwt_token_issuer` renamed to `oauth_jwt_issuer`
+* `oauth_auth_methods_supported` renamed to `oauth_token_endpoint_auth_methods_supported`
+* `oauth_jwt_algorithms_supported` renamed to `oauth_jwt_jws_algorithms_supported`
+* `oauth_token_expires_in` renamed to `oauth_access_token_expires_in`
+
+## Removed options
+
+### Base options
+
+* `oauth_application_default_scope`: if you were using it to pre-fill scopes in the Authorization form, or the New OAuth Application form, you'll have to do it yourself.
+
+### JWT options
+
+* `oauth_jwt_key`: can be replaced by using it as the value in `oauth_jwt_keys` (```oauth_jwt_keys("RS256" => [privkey])```);
+* `oauth_jwt_algorithm`: can be replaced by using it as the key in `oauth_jwt_keys` (```oauth_jwt_keys("RS256" => [privkey])```);
+* `oauth_jwt_public_key`:  can be replaced by using it as the value in `oauth_jwt_public_keys` (```oauth_jwt_public_keys("RS256" => [pubkey])```);
+* `oauth_jwe_key`: can be replaced by using it as the value in `oauth_jwe_keys` (```oauth_jwe_keys((%w[RSA-OAEP A128CBC-HS256] => [privkey])```);
+* `oauth_jwt_jwe_algorithm`: can be replaced by using it as the first element in the key tuple in `oauth_jwe_keys` (```oauth_jwe_keys(%w[RSA-OAEP A128CBC-HS256] => [privkey])```);
+* `oauth_jwt_jwe_encryption_method`: can be replaced by using it as the second element in the key tuple in `oauth_jwe_keys` (```oauth_jwe_keys(%w[RSA-OAEP A128CBC-HS256] => [privkey])```);
+* `oauth_jwe_public_key`:  can be replaced by using it as the value in `oauth_jwe_public_keys` (```oauth_jwt_public_keys(%w[RSA-OAEP A128CBC-HS256] => [pubkey])```);
+* `oauth_jwt_legacy_algorithm`: can be replaced by adding it as a key to `oauth_jwt_public_keys`;
+* `oauth_jwt_legacy_public_key`: can be replaced by adding it to the value set of `oauth_jwt_public_keys`, after the current key (```oauth_jwt_public_keys("RS256" => [pubkey, legacy_pubkey])```);
+
+#### `oauth_jwt_key`
+
+## `oauth_device_grant` feature becomes `oauth_device_code_grant`
+
+In case you were using it directly, you should rename it.
+
+## `use_oauth_*_grant` options were removed
+
+One of the main changes in v1.0.0 is that one should enable the features one needs, explicitly. So when you used to have:
+
+```ruby
+rodauth do
+  enable :oauth
+end
+```
+
+you should now load the grants you use:
+
+
+```ruby
+rodauth do
+  enable :oauth_authorization_code_grant, :oauth_pkce, :oauth_credentials_grant, :oauth_token_introspection
+  # or
+  enable :oidc, :oauth_implicit_grant
+end
+```
+
+Now that the features are explicitly enable, there's is no more use for config methods for unsetting them, such as `use_oauth_implicit_grant_type?` or `use_oauth_pkce?`.
+
+
+## `oauth_jwt_audience` and `oauth_jwt_issuer` repurposed as functions
+
+To maintain legacy behaviour, you can return them in the function body.
+
+```diff
+- oauth_jwt_audience legacy_aud
+- oauth_jwt_issuer legacy_iss
++ oauth_jwt_audience { legacy_aud }
++ oauth_jwt_issuer { legacy_iss }
+```
+
+## JAR (Secured authorization request) segregated in its plugin
+
+It was previously being loaded in the `:oauth_jwt` plugin by default. If you require this funtionality, enable the plugin:
+
+```ruby
+enable :oauth_jwt_secured_authorization_request
+```
+
+## `oauth_jwt_jwks` plugin
+
+JWKs URI endpoint has been moved to its plugin. If you require this functionality, make sure you enable it:
+
+```ruby
+enable :oauth_jwt, :oauth_jwt_jwks
+```
+
+## routing functions renamed
+
+Previously, loading well-known routes, the oauth server metadata, or oauth application/tokens (now grants) management dashboard implied calling a function on roda to load those routes. These have been renamed:
+
+```diff
+plugin :rodauth do
+  enable :oidc, :oauth_application_management, :oauth_grant_management
+end
+
+roda do |r|
+-  rodauth.oauth_applications
+-  rodauth.oauth_grants
+-  rodauth.openid_configuration
+-  rodauth.webfinger
++  rodauth.load_oauth_application_management_routes
++  rodauth.load_oauth_grant_management_routes
++  rodauth.load_openid_configuration_route
++  rodauth.load_webfinger_route
+end
+```
+
+## resource server mode via `oauth_resource_server` feature
+
+You should now be able to set a resource server just using this plugin, instead of the combination of config tweaks previously suggested.
+
+```diff
+plugin :rodauth do
+-  enable :oauth
+-  is_authorization_server? false
+  enable :oauth_resource_server
+  authorization_server_url "https://external-auth-server"
+end
+```
+
+## `oauth_token_subject` returns client id for client-application tokens
+
+Previously, if a token from a client credentials grant would be used, calling `oauth_token_subject` would return the oauth application primary key. It now returns the application client id.
+
+## `oauth_jwt_subject*` family of options moved to `oidc` feature
+
+Previously, they were in the `oauth_jwt` feature; however, they're not specced for use in general purpose JWT Access Tokens, but rather in OIDC ID tokens.
+
+## `oauth` feature removed
+
+The `oauth` plugin, which is how this gem started, was a giant "god" feature, which has been gradually broken down into sub-features, each implementing an RFC or specific feature, and building on top of each other. In its last state, it was just loading all those sub-features, for backwards-compatibility; and when you need to turn off a particular feature, you'd have to set a `use_oauth_implicit_grant_type?` type of config to `false`.
+
+That is now over, and you'll need to explicitly load all features you need yourself.
+
+```diff
+plugin :rodauth
+-  enable :oauth
+-  use_oauth_implicit_grant_type? false
++  enable :oauth_authorization_code_grant, :oauth_client_credentials_grant
+end
+```
+
+## `require_oauth_application` will not support "none" strategy by default
+
+Unless explicitly set in oauth application config, or `oauth_token_endpoint_auth_methods_supported` config.
+
+## `jwt_bearer_grant` feature exposes `client_secret_jwt` and `private_key_jwt` as token endpoint auth methods
+
+While the latter is a new feature, the former was already implemented, but not declared.
+
+## Webfinger options
+
+`webfinger_relation` has been removed. If you were overriding it, you can override `json_webfinger_payload` to backport this behaviour.
+
+## PKCE is strict by default
+
+This was a security improvement. However, if you were relying on, set `oauth_require_pkce` to `false`.
+
+## refresh token policy set to "rotation" by default
+
+This was a security improvement. However, if you were relying on, set `oauth_refresh_token_protection_policy` to `"none"`.
+
+## using access tokens won't set rodauth session
+
+Which means that rodauth won't identify you as "logged in". If you were relying on this behaviour, you'll have to tweak one of the available `rodauth` options.

data/README.md

@@ -16,13 +16,13 @@ This gem implements the following RFCs and features of OAuth:
   * `oauth_authorization_code_grant` - [Authorization code grant](https://tools.ietf.org/html/rfc6749#section-1.3);
   * `oauth_implicit_grant` - [Implicit grant (off by default)](https://tools.ietf.org/html/rfc6749#section-4.2);
   * `oauth_client_credentials_grant` - [Client credentials grant (off by default)](https://tools.ietf.org/html/rfc6749#section-4.4);
-  * `oauth_device_grant` - [Device code grant (off by default)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-device-flow-15);
+  * `oauth_device_code_grant` - [Device code grant (off by default)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-device-flow-15);
   * `oauth_token_revocation` - [Token revocation](https://tools.ietf.org/html/rfc7009);
   * `oauth_token_introspection` - [Token introspection](https://tools.ietf.org/html/rfc7662);
   * [Authorization Server Metadata](https://tools.ietf.org/html/rfc8414);
   * `oauth_pkce` - [PKCE](https://tools.ietf.org/html/rfc7636);
   * `oauth_jwt` - [JWT Access Tokens](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07);
-    * Supports [JWT Secured Authorization Request](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
+  * `oauth_jwt_secured_authorization_request` - [JWT Secured Authorization Request](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
   * `oauth_resource_indicators` - [Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707);
   * Access Type (Token refresh online and offline);
 * `oauth_http_mac` - [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
@@ -35,11 +35,12 @@ This gem implements the following RFCs and features of OAuth:
 
 It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:
 
-* [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
-* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
-* [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
-* [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html);
-* [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
+* `oidc`
+  * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
+  * [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
+  * [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
+* `oidc_dynamic_client_registration` - [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html);
+* `oidc_rp_initiated_logout` - [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 
@@ -81,8 +82,7 @@ This tutorial assumes you already read the documentation and know how to set up
 ```ruby
 plugin :rodauth do
   # enable it in the plugin
-  enable :login, :oauth
-  oauth_application_default_scope %w[profile.read]
+  enable :login, :oauth_authorization_code_grant
   oauth_application_scopes %w[profile.read profile.write]
 end
 
@@ -111,6 +111,7 @@ route do |r|
   r.is "books" do
     rodauth.require_oauth_authorization("books.read", "books.research")
     r.get do
+      @books = Book.where(user_id: rodauth.current_oauth_account[:id]).all
       # ...
     end
   end
@@ -124,7 +125,6 @@ For OpenID, it's very similar to the example above:
 plugin :rodauth do
   # enable it in the plugin
   enable :login, :oidc
-  oauth_application_default_scope %w[openid]
   oauth_application_scopes %w[openid email profile]
 end
 ```
@@ -144,10 +144,10 @@ You can change column names or even use existing tables, however, be aware that
 ```ruby
 plugin :rodauth do
   # enable it in the plugin
-  enable :login, :oauth
+  enable :login, :oauth_authorization_code_grant
   # ...
-  oauth_grants_table "access_grants"
-  oauth_grants_code_column "authorization_code"
+  oauth_grants_table :access_grants
+  oauth_grants_code_column :authorization_code
 end
 ```
 
@@ -195,9 +195,8 @@ You can then enable this feature in `lib/rodauth_app.rb` and set up any options
 
 ```ruby
 # lib/roudauth_app.rb
-enable :oauth
+enable :oauth_authorization_code_grant
 # OAuth
-oauth_application_default_scope "profile.read"
 oauth_application_scopes %w[profile.read profile.write books.read books.write]
 ```
 
@@ -242,34 +241,28 @@ In this section, the non-standard features are going to be described in more det
 
 ### Token / Secrets Hashing
 
-Although not human-friendly as passwords, for security reasons, you might not want to store access (and refresh) tokens in the database. If that is the case, You'll have to add the respective hash columns in the table:
+Access tokens, refresh tokens and client secrets are hashed before being stored in the database (using `bcrypt`), by default.
 
-```ruby
-# in migration
-String :token_hash, null: false, token: true
-String :refresh_token_hash, token, true
-# and you DO NOT NEED the token and refresh_token columns anymore!
-```
-
-And declare them in the plugin:
+Disabling this behaviour is a matter of nullifying the hash column option:
 
 ```ruby
 plugin :rodauth do
-  enable :oauth
-  oauth_tokens_token_hash_column :token_hash
-  oauth_tokens_token_hash_column :refresh_token_hash
-```
+  enable :oauth_authorization_code_grant
 
-#### Client Secret
-
-By default, it's expected that the "client secret" property from an OAuth application is only known by the owner, and only the hash is stored in the database; this way, the authorization server doesn't know what the client secret is, only the application owner. The provided [OAuth Applications Extensions](#oauth-applications) application form contains a "Client Secret" input field for this reason.
+  # storing access token, refresh token and client secret in plaintext:
+  oauth_grants_token_hash_column nil
+  oauth_grants_refresh_token_hash_column nil
+  oauth_applications_client_secret_hash_column nil
+```
 
-However, this extension is optional, and you might want to generate the secrets and store them as is. In that case, you'll have to re-define some options:
+If you'd like to replace the hashing function (for, let's say, [argon2](https://github.com/technion/ruby-argon2)), you'll need to perform the following overrides:
 
 ```ruby
 plugin :rodauth do
-  enable :oauth
-  secret_matches? ->(application, secret){ application[:client_secret] == secret }
+  enable :oauth_authorization_code_grant
+
+  secret_matches? { |oauth_application, secret| Argon2::Password.verify_password(secret, oauth_application[oauth_applications_client_secret_hash_column]) }
+  secret_hash { |secret| Argon2::Password.create(secret) }
 end
 ```
 
@@ -284,7 +277,7 @@ Default translations shipping with `rodauth-oauth` can be found [in this directo
 
 ## Ruby support policy
 
-The minimum Ruby version required to run `rodauth-oauth` is 2.3 . Besides that, it should support all rubies that rodauth and roda support, including JRuby and truffleruby.
+The minimum Ruby version required to run `rodauth-oauth` is 2.5 . Besides that, it should support all rubies that rodauth and roda support, including JRuby and truffleruby.
 
 ### Rails
 

data/doc/release_notes/1_0_0_beta1.md

@@ -0,0 +1,38 @@
+## 1.0.0-beta1 (21/10/2022)
+
+### Breaking changes
+
+The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the [migration guide](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/blob/6465b8522a78cf0037a55d3d4b81f68f7811be68/MIGRATION-GUIDE-v1.md).
+
+A short list of the main highlights:
+
+
+* Ruby 2.5 or higher is required.
+* `oauth_http_mac` feature removed.
+* `oauth_tokens` table (and resource) were removed (only `oauth_applications` and `oauth_grants`, access and refresh tokens are now properties of the latter).
+* access and refresh tokens hashed by default when stored in the database.
+* default oauth response mode is `"form_post"`.
+* oauth specific features require explicit enablement of respective features (no more `enable :oauth`)
+* refresh token policy is "rotation" by default
+
+### Features
+
+The following helpers are exposed in the `rodauth` object:
+
+* `current_oauth_account` - returns the dataset row for the `rodauth` account associated to an oauth access token in the "authorization" header.
+* `current_oauth_application` - returns the dataset row for the oauth application associated to an oauth access token in the "authorization" header.
+
+When used in `rails` via `rodauth-rails`, both are exposed directly as controller helpers.
+
+#### `oauth_resource_server` plugin
+
+This plugin can be used as a convenience when configuring resource servers.
+
+### Improvements
+
+* `:oauth_introspect` plugin: OAuth introspection endpoint exposes the token's `"username"` claim.
+* endpoint client authentication supports "client credentials grant" access tokens.
+
+### Bugfixes
+
+* fixed `oidc` calculation of `"auth_time"` claim.

data/doc/release_notes/1_0_0_beta2.md

@@ -0,0 +1,34 @@
+This version passes the conformance tests for the following OpenID Connect certification profiles:
+
+* Basic certification
+* Form-post basic certification
+* Config certification
+* Dynamic Config certification (`response_type=code`)
+
+## Breaking Changes
+
+* homepage url is no longer a client application required property.
+* OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout` feature.
+
+## Features
+
+* `oauth_jwt_secured_authorization_request` now supports a `request_uri` query param as well.
+* `oidc` supports essential claims, via the `claims` authorization request query parameter.
+
+## Improvements
+
+* exposing `acr_values_supported` in the openid configuration.
+* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an accepted request object signing alg when `true` (`false` by default).
+* OIDC `offline_access` supported.
+
+## Bugfixes
+
+* JWT: "sub" is now always a string.
+* `response_type` is now an authorization request required parameter (as per the RFC).
+* `state` is now passed along when redirecting from authorization requeests with `error`;
+* access token can now be read from POST body or GET quety params (as per the RFC).
+* id token no longer shipping with claims with `null` value;
+* id token no longer encoding claims by default (only when `response_type=id_token`, as per the RFC).
+* support "JWT without kid" when doing jwt decoding for JWT tokens not generated in the provider (such as request objects).
+* Set `iss` and `aud` claims in the Userinfo JWT response.
+* Make sure errors are also delivered via form POST, when `response_mode=form_post`.

data/lib/generators/rodauth/oauth/install_generator.rb

@@ -23,7 +23,6 @@ module Rodauth::OAuth::Rails
 
         template "app/models/oauth_application.rb"
         template "app/models/oauth_grant.rb"
-        template "app/models/oauth_token.rb"
       end
 
       private

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -2,7 +2,9 @@
   <% if rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
     <%= image_tag rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
   <% end %>
-  <p class="lead">The application <%= link_to rodauth.oauth_application[rodauth.oauth_applications_name_column],  rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column] %> would like to access your data.</p>
+  <% application_uri = rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column] %>
+  <% application_name = application_uri ? link_to(rodauth.oauth_application[rodauth.oauth_applications_name_column], application_uri) : rodauth.oauth_application[rodauth.oauth_applications_name_column] %>
+  <p class="lead"><%= rodauth.authorize_page_lead(name: application_name).html_safe %></p>
 
   <div class="list-group">
     <% if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column] %>
@@ -23,15 +25,17 @@
   <% end %>
 
   <div class="form-group">
-    <h1 class="display-6"><%= rodauth.oauth_tokens_scopes_label %></h1>
+    <h1 class="display-6"><%= rodauth.oauth_grants_scopes_label %></h1>
 
-    <% rodauth.scopes.each do |scope| %>
-      <% is_default = scope == rodauth.oauth_application_default_scope %>
-      <div class="form-check">
-        <%= check_box_tag "scope[]", scope, is_default, disabled: is_default, id: scope, class: "form-check-input" %>
-        <%= label_tag scope, scope, class: "form-check-label" %>
-        <%= hidden_field_tag "scope[]", scope if is_default %>
-      </div>
+    <% rodauth.authorize_scopes.each do |scope| %>
+      <% if rodauth.features.include?(:oidc) && scope == "offline_access" %>
+        <%= hidden_field_tag "scope[]", scope %>
+      <% else %>
+        <div class="form-check">
+          <%= check_box_tag "scope[]", scope, id: scope, class: "form-check-input" %>
+          <%= label_tag scope, scope, class: "form-check-label" %>
+        </div>
+      <% end %>
     <% end %>
     <%= hidden_field_tag :client_id, params[:client_id] %>
     <% %i[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
@@ -53,6 +57,9 @@
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oidc) %>
+      <% if params[:prompt] %>
+        <%= hidden_field_tag :prompt,  params[:prompt] %>
+      <% end %>
       <% if params[:nonce] %>
         <%= hidden_field_tag :nonce,  params[:nonce] %>
       <% end %>
@@ -62,13 +69,16 @@
       <% if params[:claims_locales] %>
         <%= hidden_field_tag :claims_locales,  params[:claims_locales] %>
       <% end %>
+      <% if params[:claims] %>
+        <%= hidden_field_tag :claims,  sanitize(params[:claims]) %>
+      <% end %>
       <% if params[:acr_values] %>
-        <%= hidden_field_tag :acr,  params[:acr_values] %>
+        <%= hidden_field_tag :acr_values,  params[:acr_values] %>
       <% end %>
     <% end %>
   </div>
  <p class="text-center">
     <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
-    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{rodauth.state}" if params[:state] }", class: "btn btn-outline-danger" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if params[:state] }", class: "btn btn-outline-danger" %>
   </p>
 <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb

@@ -1,5 +1,5 @@
 <%= form_tag rodauth.device_path, method: :get, class: "form-horizontal", id: "device-search-form" do %>
-  <p class="lead">Insert the user code from the device you'd like to authorize.</p>
+  <p class="lead"><%= rodauth.oauth_device_search_page_lead %></p>
 
   <div class="form-group">
     <%= label_tag "user_code", rodauth.oauth_grant_user_code_label %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb

@@ -1,9 +1,9 @@
 <% oauth_grant = rodauth.scope.instance_variable_get(:@oauth_grant) %>
 <%= form_tag rodauth.device_path, method: :post, class: "form-horizontal", id: "device-verification-form" do %>
-  <p class="lead">The device with user code <%= oauth_grant[rodauth.oauth_grants_user_code_column] %> would like to access your data.</p>
+  <p class="lead"><%= rodauth.oauth_device_verification_page_lead(user_code: @oauth_grant[rodauth.oauth_grants_user_code_column]) %></p>
 
   <div class="form-group">
-    <h1 class="display-6"><%= rodauth.oauth_tokens_scopes_label %></h1>
+    <h1 class="display-6"><%= rodauth.oauth_grants_scopes_label %></h1>
 
     <ul class="list-group">
       <% oauth_grant[rodauth.oauth_grants_scopes_column].split(rodauth.oauth_scope_separator).each do |scope| %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb

@@ -37,15 +37,10 @@
       <%= text_field_tag "jwks_uri", rodauth.param('jwks_uri'), id: "jwks-uri", class: "form-control#{' is-invalid' if rodauth.field_error('jwks_uri')}" %>
       <%= rodauth.field_error('jwks_uri') %>
     </div>
-    <div class="form-group">
-      <%= label_tag "jwt_public_key", rodauth.oauth_applications_jwt_public_key_label %>
-      <%= text_field_tag "jwt_public_key", rodauth.param('jwt_public_key'), id: "jwt-public-key", class: "form-control#{' is-invalid' if rodauth.field_error('jwt_public_key')}" %>
-      <%= rodauth.field_error('jwt_public_key') %>
-    </div>
   <% end %>
   <% rodauth.oauth_application_scopes.each do |scope| %>
     <div class="form-check">
-      <%= check_box_tag "scopes[]", scope, scope == rodauth.oauth_application_default_scope, id: scope, class: "form-check-input" %>
+      <%= check_box_tag "scopes[]", scope, id: scope, class: "form-check-input" %>
       <%= scope %>
     </div>
   <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb

@@ -22,8 +22,6 @@
         <dt><%= rodauth.oauth_applications_jwks_uri_label %>: </dt>
         <dd><%= oauth_application[rodauth.oauth_applications_jwks_uri_column] %></dd>
       <% end %>
-      <dt><%= rodauth.oauth_applications_jwt_public_key_label %>: </dt>
-      <dd><%= oauth_application[rodauth.oauth_applications_jwt_public_key_column] %></dd>
     <% end %>
   </dl>
 </div>