rodauth-oauth 0.10.4 → 1.0.0.pre.beta2

data/lib/rodauth/features/oidc_dynamic_client_registration.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
   Feature.define(:oidc_dynamic_client_registration, :OidcDynamicClientRegistration) do
     depends :oauth_dynamic_client_registration, :oidc
@@ -8,10 +10,6 @@ module Rodauth
 
     private
 
-    def registration_metadata
-      openid_configuration_body
-    end
-
     def validate_client_registration_params
       super
 
@@ -43,11 +41,57 @@ module Rodauth
         else
           register_throw_json_response_error("invalid_client_metadata", register_invalid_application_type_message(type))
         end
-      elsif (value = @oauth_application_params[oauth_applications_subject_type_column])
+      end
+
+      if (value = @oauth_application_params[oauth_applications_sector_identifier_uri_column])
+        uri = URI(value)
+
+        unless uri.scheme == "https" || uri.host == "localhost"
+          register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
+        end
+      end
+
+      if features.include?(:oauth_jwt_secured_authorization_request)
+        if (value = @oauth_application_params[oauth_applications_request_uris_column])
+          if value.is_a?(Array)
+            @oauth_application_params[oauth_applications_request_uris_column] = value.each do |req_uri|
+              unless check_valid_uri?(req_uri)
+                register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(req_uri))
+              end
+            end.join(" ")
+          else
+            register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(value))
+          end
+        elsif oauth_require_request_uri_registration
+          register_throw_json_response_error("invalid_client_metadata", register_required_param_message("request_uris"))
+        end
+      end
+
+      if (value = @oauth_application_params[oauth_applications_subject_type_column])
         unless %w[pairwise public].include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("subject_type"))
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message("subject_type", value))
         end
-      elsif (value = @oauth_application_params[oauth_applications_id_token_signed_response_alg_column])
+
+        if value == "pairwise"
+          sector_identifier_uri = @oauth_application_params[oauth_applications_sector_identifier_uri_column]
+
+          if sector_identifier_uri
+            response = http_request(sector_identifier_uri)
+            unless response.code.to_i == 200
+              register_throw_json_response_error("invalid_client_metadata",
+                                                 register_invalid_param_message("sector_identifier_uri"))
+            end
+            uris = JSON.parse(response.body)
+
+            if uris != @oauth_application_params[oauth_applications_redirect_uri_column].split(" ")
+              register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("sector_identifier_uri"))
+            end
+
+          end
+        end
+      end
+
+      if (value = @oauth_application_params[oauth_applications_id_token_signed_response_alg_column])
         if value == "none"
           # The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types
           # that return no ID Token from the Authorization Endpoint
@@ -55,42 +99,77 @@ module Rodauth
           if response_types && response_types.include?("id_token")
             register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
           end
-        elsif !oauth_jwt_algorithms_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
-        end
-      elsif (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column])
-        unless oauth_jwt_jwe_algorithms_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_alg"))
-        end
-      elsif (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column])
-        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_enc"))
-        end
-      elsif (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column])
-        unless oauth_jwt_algorithms_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_signed_response_alg"))
-        end
-      elsif (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column])
-        unless oauth_jwt_jwe_algorithms_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_alg"))
+        elsif !oauth_jwt_jws_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("id_token_signed_response_alg", value))
         end
-      elsif (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column])
-        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_enc"))
+      end
+
+      if features.include?(:oauth_jwt_secured_authorization_request)
+        if defined?(oauth_applications_request_object_signing_alg_column) &&
+           (value = @oauth_application_params[oauth_applications_request_object_signing_alg_column]) &&
+           !oauth_jwt_jws_algorithms_supported.include?(value) && !(value == "none" && oauth_request_object_signing_alg_allow_none)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("request_object_signing_alg", value))
         end
-      elsif (value = @oauth_application_params[oauth_applications_request_object_signing_alg_column])
-        unless oauth_jwt_algorithms_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_signing_alg"))
+
+        if defined?(oauth_applications_request_object_encryption_alg_column) &&
+           (value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column]) &&
+           !oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("request_object_encryption_alg", value))
         end
-      elsif (value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column])
-        unless oauth_jwt_jwe_algorithms_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_alg"))
+
+        if defined?(oauth_applications_request_object_encryption_enc_column) &&
+           (value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column]) &&
+           !oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("request_object_encryption_enc", value))
         end
-      elsif (value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column])
-        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_enc"))
+      end
+
+      if features.include?(:oidc_rp_initiated_logout) && (defined?(oauth_applications_post_logout_redirect_uris_column) &&
+           (value = @oauth_application_params[oauth_applications_post_logout_redirect_uris_column]))
+        if value.is_a?(Array)
+          @oauth_application_params[oauth_applications_post_logout_redirect_uris_column] = value.each do |redirect_uri|
+            unless check_valid_uri?(redirect_uri)
+              register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(redirect_uri))
+            end
+          end.join(" ")
+        else
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(value))
         end
       end
+
+      if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column]) &&
+         !oauth_jwt_jwe_algorithms_supported.include?(value)
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("id_token_encrypted_response_alg", value))
+      end
+
+      if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column]) &&
+         !oauth_jwt_jwe_encryption_methods_supported.include?(value)
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("id_token_encrypted_response_enc", value))
+      end
+
+      if (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column]) &&
+         !oauth_jwt_jws_algorithms_supported.include?(value)
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("userinfo_signed_response_alg", value))
+      end
+
+      if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column]) &&
+         !oauth_jwt_jwe_algorithms_supported.include?(value)
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("userinfo_encrypted_response_alg", value))
+      end
+
+      if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column]) &&
+         !oauth_jwt_jwe_encryption_methods_supported.include?(value)
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("userinfo_encrypted_response_enc", value))
+      end
     end
 
     def validate_client_registration_response_type(response_type, grant_types)
@@ -114,27 +193,24 @@ module Rodauth
         return_params["application_type"] = "web"
         "web"
       end
-      create_params[oauth_applications_id_token_signed_response_alg_column] ||= begin
-        return_params["id_token_signed_response_alg"] = oauth_jwt_algorithm
-        oauth_jwt_algorithm
-      end
+      create_params[oauth_applications_id_token_signed_response_alg_column] ||= return_params["id_token_signed_response_alg"] =
+        oauth_jwt_keys.keys.first
+
       if create_params.key?(oauth_applications_id_token_encrypted_response_alg_column)
-        create_params[oauth_applications_id_token_encrypted_response_enc_column] ||= begin
-          return_params["id_token_encrypted_response_enc"] = "A128CBC-HS256"
+        create_params[oauth_applications_id_token_encrypted_response_enc_column] ||= return_params["id_token_encrypted_response_enc"] =
           "A128CBC-HS256"
-        end
+
       end
       if create_params.key?(oauth_applications_userinfo_encrypted_response_alg_column)
-        create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||= begin
-          return_params["userinfo_encrypted_response_enc"] = "A128CBC-HS256"
+        create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||= return_params["userinfo_encrypted_response_enc"] =
           "A128CBC-HS256"
-        end
+
       end
-      if create_params.key?(oauth_applications_request_object_encryption_alg_column)
-        create_params[oauth_applications_request_object_encryption_enc_column] ||= begin
-          return_params["request_object_encryption_enc"] = "A128CBC-HS256"
+      if defined?(oauth_applications_request_object_encryption_alg_column) &&
+         create_params.key?(oauth_applications_request_object_encryption_alg_column)
+        create_params[oauth_applications_request_object_encryption_enc_column] ||= return_params["request_object_encryption_enc"] =
           "A128CBC-HS256"
-        end
+
       end
 
       super(return_params)

data/lib/rodauth/features/oidc_rp_initiated_logout.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oidc_rp_initiated_logout, :OidcRpInitiatedLogout) do
+    depends :oidc
+
+    auth_value_method :oauth_applications_post_logout_redirect_uris_column, :post_logout_redirect_uris
+    translatable_method :oauth_invalid_post_logout_redirect_uri_message, "Invalid post logout redirect URI"
+
+    # /oidc-logout
+    auth_server_route(:oidc_logout) do |r|
+      require_authorizable_account
+      before_oidc_logout_route
+
+      # OpenID Providers MUST support the use of the HTTP GET and POST methods
+      r.on method: %i[get post] do
+        catch_error do
+          validate_oidc_logout_params
+
+          #
+          # why this is done:
+          #
+          # we need to decode the id token in order to get the application, because, if the
+          # signing key is application-specific, we don't know how to verify the signature
+          # beforehand. Hence, we have to do it twice: decode-and-do-not-verify, initialize
+          # the @oauth_application, and then decode-and-verify.
+          #
+          claims = jwt_decode(param("id_token_hint"), verify_claims: false)
+
+          redirect_logout_with_error(oauth_invalid_client_message) unless claims
+
+          oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["aud"]).first
+          oauth_grant = db[oauth_grants_table]
+                        .where(
+                          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+                          oauth_grants_account_id_column => account_id
+                        ).first
+
+          # check whether ID token belongs to currently logged-in user
+          redirect_logout_with_error(oauth_invalid_client_message) unless oauth_grant && claims["sub"] == jwt_subject(oauth_grant,
+                                                                                                                      oauth_application)
+
+          # When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token.
+          redirect_logout_with_error(oauth_invalid_client_message) unless claims && claims["iss"] == oauth_jwt_issuer
+
+          # now let's logout from IdP
+          transaction do
+            before_logout
+            logout
+            after_logout
+          end
+
+          error_message = logout_notice_flash
+
+          if (post_logout_redirect_uri = param_or_nil("post_logout_redirect_uri"))
+            error_message = catch(:default_logout_redirect) do
+              oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
+
+              throw(:default_logout_redirect, oauth_invalid_client_message) unless oauth_application
+
+              post_logout_redirect_uris = oauth_application[oauth_applications_post_logout_redirect_uris_column].split(" ")
+
+              unless post_logout_redirect_uris.include?(post_logout_redirect_uri)
+                throw(:default_logout_redirect,
+                      oauth_invalid_post_logout_redirect_uri_message)
+              end
+
+              if (state = param_or_nil("state"))
+                post_logout_redirect_uri = URI(post_logout_redirect_uri)
+                params = ["state=#{CGI.escape(state)}"]
+                params << post_logout_redirect_uri.query if post_logout_redirect_uri.query
+                post_logout_redirect_uri.query = params.join("&")
+                post_logout_redirect_uri = post_logout_redirect_uri.to_s
+              end
+
+              redirect(post_logout_redirect_uri)
+            end
+
+          end
+
+          redirect_logout_with_error(error_message)
+        end
+
+        redirect_response_error("invalid_request")
+      end
+    end
+
+    private
+
+    # Logout
+
+    def validate_oidc_logout_params
+      redirect_logout_with_error(oauth_invalid_client_message) unless param_or_nil("id_token_hint")
+      # check if valid token hint type
+      return unless (redirect_uri = param_or_nil("post_logout_redirect_uri"))
+
+      return if check_valid_no_fragment_uri?(redirect_uri)
+
+      redirect_logout_with_error(oauth_invalid_client_message)
+    end
+
+    def redirect_logout_with_error(error_message = oauth_invalid_client_message)
+      set_notice_flash(error_message)
+      redirect(logout_redirect)
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:end_session_endpoint] = oidc_logout_url
+      end
+    end
+  end
+end

data/lib/rodauth/oauth/database_extensions.rb

@@ -30,13 +30,14 @@ module Rodauth
         end
 
         if dataset.respond_to?(:supports_insert_conflict?) && dataset.supports_insert_conflict?
-          def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, exclude_on_update = nil)
-            to_update = params.keys - unique_columns
-            to_update -= exclude_on_update if exclude_on_update
+          def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, to_update_extra = nil)
+            to_update = Hash[(params.keys - unique_columns).map { |attribute| [attribute, Sequel[:excluded][attribute]] }]
+
+            to_update.merge!(to_update_extra) if to_update_extra
 
             dataset = dataset.insert_conflict(
               target: unique_columns,
-              update: Hash[ to_update.map { |attribute| [attribute, Sequel[:excluded][attribute]] } ],
+              update: to_update,
               update_where: conds
             )
 
@@ -51,7 +52,7 @@ module Rodauth
             ) || dataset.where(params).first
           end
         else
-          def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, exclude_on_update = nil)
+          def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, to_update_extra = nil)
             find_params, update_params = params.partition { |key, _| unique_columns.include?(key) }.map { |h| Hash[h] }
 
             dataset_where = dataset.where(find_params)
@@ -67,7 +68,8 @@ module Rodauth
                      end
 
             if record
-              update_params.reject! { |k, _v| exclude_on_update.include?(k) } if exclude_on_update
+              update_params.merge!(to_update_extra) if to_update_extra
+
               __update_and_return__(dataset_where, update_params)
             else
               __insert_and_return__(dataset, pkey, params)

data/lib/rodauth/oauth/http_extensions.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require "uri"
+require "net/http"
+require "rodauth/oauth/ttl_store"
+
+module Rodauth
+  module OAuth
+    module HTTPExtensions
+      REQUEST_CACHE = OAuth::TtlStore.new
+
+      private
+
+      def http_request(uri, form_data = nil)
+        uri = URI(uri)
+
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = uri.scheme == "https"
+        http.open_timeout = 15
+        http.read_timeout = 15
+        http.write_timeout = 15 if http.respond_to?(:write_timeout)
+
+        if form_data
+          request = Net::HTTP::Post.new(uri.request_uri)
+          request["content-type"] = "application/x-www-form-urlencoded"
+          request.set_form_data(form_data)
+        else
+          request = Net::HTTP::Get.new(uri.request_uri)
+        end
+        request["accept"] = json_response_content_type
+
+        yield request if block_given?
+
+        response = http.request(request)
+        authorization_required unless response.code.to_i == 200
+        response
+      end
+
+      def http_request_with_cache(uri, *args)
+        uri = URI(uri)
+
+        response = http_request_cache[uri]
+
+        return response if response
+
+        http_request_cache.set(uri) do
+          response = http_request(uri, *args)
+          ttl = if response.key?("cache-control")
+                  cache_control = response["cache-control"]
+                  if cache_control.include?("no-cache")
+                    nil
+                  else
+                    max_age = cache_control[/max-age=(\d+)/, 1].to_i
+                    max_age.zero? ? nil : max_age
+                  end
+                elsif response.key?("expires")
+                  expires = response["expires"]
+                  begin
+                    Time.parse(expires).to_i - Time.now.to_i
+                  rescue ArgumentError
+                    nil
+                  end
+                end
+
+          [JSON.parse(response.body, symbolize_names: true), ttl]
+        end
+      end
+
+      def http_request_cache
+        REQUEST_CACHE
+      end
+    end
+  end
+end

data/lib/rodauth/oauth/railtie.rb

@@ -2,7 +2,27 @@
 
 module Rodauth
   module OAuth
+    module ControllerMethods
+      def self.included(controller)
+        # ActionController::API doesn't have helper methods
+        controller.helper_method :current_oauth_account, :current_oauth_application if controller.respond_to?(:helper_method)
+      end
+
+      def current_oauth_account(name = nil)
+        rodauth(name).current_oauth_account
+      end
+
+      def current_oauth_application(name = nil)
+        rodauth(name).current_oauth_application
+      end
+    end
+
     class Railtie < ::Rails::Railtie
+      initializer "rodauth.controller" do
+        ActiveSupport.on_load(:action_controller) do
+          include ControllerMethods
+        end
+      end
     end
   end
 end

data/lib/rodauth/oauth/ttl_store.rb

@@ -28,6 +28,8 @@ class Rodauth::OAuth::TtlStore
 
     payload, ttl = block.call
 
+    return payload unless ttl
+
     @store_mutex.synchronize do
       # given that the block call triggers network, and two requests for the same key be processed
       # at the same time, this ensures the first one wins.

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.10.4"
+    VERSION = "1.0.0-beta2"
   end
 end

data/lib/rodauth/oauth.rb

@@ -1,7 +1,35 @@
 # frozen_string_literal: true
 
 require "rodauth"
-
 require "rodauth/oauth/version"
 
+module Rodauth
+  module OAuth
+    module FeatureExtensions
+      def auth_server_route(*args, &blk)
+        routes = route(*args, &blk)
+
+        handle_meth = routes.last
+
+        define_method(:"#{handle_meth}_for_auth_server") do
+          next unless is_authorization_server?
+
+          send(:"#{handle_meth}_not_for_auth_server")
+        end
+
+        alias_method :"#{handle_meth}_not_for_auth_server", handle_meth
+        alias_method handle_meth, :"#{handle_meth}_for_auth_server"
+      end
+
+      # override
+      def translatable_method(meth, value)
+        define_method(meth) { |*args| translate(meth, value, *args) }
+        auth_value_methods(meth)
+      end
+    end
+  end
+
+  Feature.prepend OAuth::FeatureExtensions
+end
+
 require "rodauth/oauth/railtie" if defined?(Rails)

data/locales/en.yml

@@ -3,21 +3,29 @@ en:
     require_authorization_error_flash: "Please authorize to continue"
     create_oauth_application_error_flash: "There was an error registering your oauth application"
     create_oauth_application_notice_flash: "Your oauth application has been registered"
-    revoke_unauthorized_account_error_flash: "You are not authorized to revoke this token"
-    revoke_oauth_token_notice_flash: "The oauth token has been revoked"
+    revoke_unauthorized_account_error_flash: "You are not authorized to revoke this grant"
+    revoke_oauth_grant_notice_flash: "The oauth grant has been revoked"
     device_verification_notice_flash: "The device is verified"
     user_code_not_found_error_flash: "No device to authorize with the given user code"
     authorize_page_title: "Authorize"
+    authorize_page_lead: "The application %{name} would like to access your data."
+    oauth_cancel_button: "Cancel"
     oauth_applications_page_title: "Oauth Applications"
     oauth_application_page_title: "Oauth Application"
     new_oauth_application_page_title: "New Oauth Application"
-    oauth_application_oauth_tokens_page_title: "Application Oauth Tokens"
-    oauth_tokens_page_title: "My Oauth Tokens"
+    oauth_application_oauth_grants_page_title: "Application Oauth Grants"
+    oauth_grants_page_title: "My Oauth Grants"
     device_verification_page_title: "Device Verification"
     device_search_page_title: "Device Search"
     oauth_management_pagination_previous_button: "Previous"
     oauth_management_pagination_next_button: "Next"
-    oauth_tokens_scopes_label: "Scopes"
+    oauth_grants_type_label: "Grant Type"
+    oauth_grants_scopes_label: "Scopes"
+    oauth_grants_token_label: "Token"
+    oauth_grants_refresh_token_label: "Refresh Token"
+    oauth_grants_expires_in_label: "Expires In"
+    oauth_grants_revoked_at_label: "Revoked at"
+    oauth_no_grants_text: "No oauth grants yet!"
     oauth_applications_name_label: "Name"
     oauth_applications_description_label: "Description"
     oauth_applications_scopes_label: "Default scopes"
@@ -28,30 +36,34 @@ en:
     oauth_applications_redirect_uri_label: "Redirect URL"
     oauth_applications_client_secret_label: "Client Secret"
     oauth_applications_client_id_label: "Client ID"
+    oauth_no_applications_text: "No oauth applications yet!"
     oauth_grant_user_code_label: "User code"
     oauth_grant_user_jws_jwk_label: "JSON Web Keys"
     oauth_grant_user_jwt_public_key_label: "Public key"
     oauth_application_button: "Register"
     oauth_authorize_button: "Authorize"
-    oauth_token_revoke_button: "Revoke"
+    oauth_grant_revoke_button: "Revoke"
     oauth_authorize_post_button: "Back to Client Application"
+    oauth_device_verification_page_lead: "The device with user code %{user_code} would like to access your data."
     oauth_device_verification_button: "Verify"
+    oauth_device_search_page_lead: "Insert the user code from the device you'd like to authorize."
     oauth_device_search_button: "Search"
-    invalid_client_message: "Client authentication failed"
-    invalid_grant_type_message: "Invalid grant type"
-    invalid_grant_message: "Invalid grant"
-    invalid_scope_message: "Invalid scope"
+    oauth_invalid_client_message: "Client authentication failed"
+    oauth_invalid_grant_type_message: "Invalid grant type"
+    oauth_invalid_grant_message: "Invalid grant"
+    oauth_invalid_scope_message: "Invalid scope"
     invalid_url_message: "Invalid URL"
-    unsupported_token_type_message: "Invalid token type hint"
-    unique_error_message: "is already in use"
+    oauth_unsupported_token_type_message: "Invalid token type hint"
     null_error_message: "is not filled"
-    already_in_use_message: "error generating unique token"
-    expired_token_message: "the device code has expired"
-    access_denied_message: "the authorization request has been denied"
-    authorization_pending_message: "the authorization request is still pending"
-    slow_down_message: "authorization request is still pending but poll interval should be increased"
-    code_challenge_required_message: "code challenge required"
-    unsupported_transform_algorithm_message: "transform algorithm not supported"
-    request_uri_not_supported_message: "request uri is unsupported"
-    invalid_request_object_message: "request object is invalid"
-    invalid_scope_message: "The Access Token expired"
+    oauth_unsupported_response_type_message: "Unsupported response type"
+    oauth_already_in_use_message: "error generating unique token"
+    oauth_expired_token_message: "the device code has expired"
+    oauth_access_denied_message: "the authorization request has been denied"
+    oauth_authorization_pending_message: "the authorization request is still pending"
+    oauth_slow_down_message: "authorization request is still pending but poll interval should be increased"
+    oauth_code_challenge_required_message: "code challenge required"
+    oauth_unsupported_transform_algorithm_message: "transform algorithm not supported"
+    oauth_invalid_request_object_message: "request object is invalid"
+    oauth_invalid_scope_message: "The Access Token expired"
+    oauth_authorize_parameter_required: "'%{parameter}' is a required parameter"
+    oauth_invalid_post_logout_redirect_uri_message: "Invalid post logout redirect URI"