rodauth-oauth 0.10.4 → 1.0.0.pre.beta2

data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oauth_jwt_secured_authorization_request, :OauthJwtSecuredAuthorizationRequest) do
+    ALLOWED_REQUEST_URI_CONTENT_TYPES = %w[application/jose application/oauth-authz-req+jwt].freeze
+
+    depends :oauth_authorize_base, :oauth_jwt_base
+
+    auth_value_method :oauth_require_request_uri_registration, false
+    auth_value_method :oauth_request_object_signing_alg_allow_none, false
+
+    auth_value_method :oauth_applications_request_uris_column, :request_uris
+
+    auth_value_method :oauth_applications_request_object_signing_alg_column, :request_object_signing_alg
+    auth_value_method :oauth_applications_request_object_encryption_alg_column, :request_object_encryption_alg
+    auth_value_method :oauth_applications_request_object_encryption_enc_column, :request_object_encryption_enc
+
+    translatable_method :oauth_invalid_request_object_message, "request object is invalid"
+
+    auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
+
+    private
+
+    # /authorize
+
+    def validate_authorize_params
+      request_object = param_or_nil("request")
+
+      request_uri = param_or_nil("request_uri")
+
+      return super unless (request_object || request_uri) && oauth_application
+
+      if request_uri
+        request_uri = CGI.unescape(request_uri)
+
+        redirect_response_error("invalid_request_uri") unless supported_request_uri?(request_uri, oauth_application)
+
+        response = http_request(request_uri)
+
+        unless response.code.to_i == 200 && ALLOWED_REQUEST_URI_CONTENT_TYPES.include?(response["content-type"])
+          redirect_response_error("invalid_request_uri")
+        end
+
+        request_object = response.body
+      end
+
+      request_sig_enc_opts = {
+        jws_algorithm: oauth_application[oauth_applications_request_object_signing_alg_column],
+        jws_encryption_algorithm: oauth_application[oauth_applications_request_object_encryption_alg_column],
+        jws_encryption_method: oauth_application[oauth_applications_request_object_encryption_enc_column]
+      }.compact
+
+      request_sig_enc_opts[:jws_algorithm] ||= "none" if oauth_request_object_signing_alg_allow_none
+
+      if request_sig_enc_opts[:jws_algorithm] == "none"
+        jwks = nil
+      elsif (jwks = oauth_application_jwks(oauth_application))
+        jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
+      else
+        redirect_response_error("invalid_request_object")
+      end
+
+      claims = jwt_decode(request_object,
+                          jwks: jwks,
+                          verify_jti: false,
+                          verify_iss: false,
+                          verify_aud: false,
+                          **request_sig_enc_opts)
+
+      redirect_response_error("invalid_request_object") unless claims
+
+      if (iss = claims["iss"]) && (iss != oauth_application[oauth_applications_client_id_column])
+        redirect_response_error("invalid_request_object")
+      end
+
+      if (aud = claims["aud"]) && !verify_aud(aud, oauth_jwt_issuer)
+        redirect_response_error("invalid_request_object")
+      end
+
+      # If signed, the Authorization Request
+      # Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
+      # as members, with their semantics being the same as defined in the JWT
+      # [RFC7519] specification.  The value of "aud" should be the value of
+      # the Authorization Server (AS) "issuer" as defined in RFC8414
+      # [RFC8414].
+      claims.delete("iss")
+      audience = claims.delete("aud")
+
+      redirect_response_error("invalid_request_object") if audience && audience != oauth_jwt_issuer
+
+      claims.each do |k, v|
+        request.params[k.to_s] = v
+      end
+
+      super
+    end
+
+    def supported_request_uri?(request_uri, oauth_application)
+      return false unless check_valid_uri?(request_uri)
+
+      request_uris = oauth_application[oauth_applications_request_uris_column]
+
+      request_uris.nil? || request_uris.split(oauth_scope_separator).one? { |uri| request_uri.start_with?(uri) }
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:request_parameter_supported] = true
+        data[:request_uri_parameter_supported] = true
+        data[:require_request_uri_registration] = oauth_require_request_uri_registration
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_management_base.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
   Feature.define(:oauth_management_base, :OauthManagementBase) do
     depends :oauth_authorize_base

data/lib/rodauth/features/oauth_pkce.rb

@@ -1,44 +1,40 @@
 # frozen_string_literal: true
 
-require "rodauth/oauth/refinements"
+require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_pkce, :OauthPkce) do
-    using PrefixExtensions
-
     depends :oauth_authorization_code_grant
 
-    auth_value_method :use_oauth_pkce?, true
-
-    auth_value_method :oauth_require_pkce, false
+    auth_value_method :oauth_require_pkce, true
     auth_value_method :oauth_pkce_challenge_method, "S256"
 
     auth_value_method :oauth_grants_code_challenge_column, :code_challenge
     auth_value_method :oauth_grants_code_challenge_method_column, :code_challenge_method
 
-    auth_value_method :code_challenge_required_error_code, "invalid_request"
-    translatable_method :code_challenge_required_message, "code challenge required"
-    auth_value_method :unsupported_transform_algorithm_error_code, "invalid_request"
-    translatable_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
+    auth_value_method :oauth_code_challenge_required_error_code, "invalid_request"
+    translatable_method :oauth_code_challenge_required_message, "code challenge required"
+    auth_value_method :oauth_unsupported_transform_algorithm_error_code, "invalid_request"
+    translatable_method :oauth_unsupported_transform_algorithm_message, "transform algorithm not supported"
 
     private
 
-    def authorized_oauth_application?(oauth_application, client_secret, _)
-      return true if use_oauth_pkce? && param_or_nil("code_verifier")
+    def supports_auth_method?(oauth_application, auth_method)
+      return super unless auth_method == "none"
 
-      super
+      request.params.key?("code_verifier") || super
     end
 
     def validate_authorize_params
-      validate_pkce_challenge_params if use_oauth_pkce?
+      validate_pkce_challenge_params
 
       super
     end
 
     def create_oauth_grant(create_params = {})
       # PKCE flow
-      if use_oauth_pkce? && (code_challenge = param_or_nil("code_challenge"))
-        code_challenge_method = param_or_nil("code_challenge_method")
+      if (code_challenge = param_or_nil("code_challenge"))
+        code_challenge_method = param_or_nil("code_challenge_method") || oauth_pkce_challenge_method
 
         create_params[oauth_grants_code_challenge_column] = code_challenge
         create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
@@ -47,18 +43,18 @@ module Rodauth
       super
     end
 
-    def create_oauth_token_from_authorization_code(oauth_grant, create_params, *)
-      if use_oauth_pkce?
-        if oauth_grant[oauth_grants_code_challenge_column]
-          code_verifier = param_or_nil("code_verifier")
+    def create_token_from_authorization_code(grant_params, *args, oauth_grant: nil)
+      oauth_grant ||= valid_locked_oauth_grant(grant_params)
 
-          redirect_response_error("invalid_request") unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
-        elsif oauth_require_pkce
-          redirect_response_error("code_challenge_required")
-        end
+      if oauth_grant[oauth_grants_code_challenge_column]
+        code_verifier = param_or_nil("code_verifier")
+
+        redirect_response_error("invalid_request") unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
+      elsif oauth_require_pkce
+        redirect_response_error("code_challenge_required")
       end
 
-      super
+      super({ oauth_grants_id_column => oauth_grant[oauth_grants_id_column] }, *args, oauth_grant: oauth_grant)
     end
 
     def validate_pkce_challenge_params
@@ -91,7 +87,7 @@ module Rodauth
 
     def oauth_server_metadata_body(*)
       super.tap do |data|
-        data[:code_challenge_methods_supported] = oauth_pkce_challenge_method if use_oauth_pkce?
+        data[:code_challenge_methods_supported] = oauth_pkce_challenge_method
       end
     end
   end

data/lib/rodauth/features/oauth_resource_indicators.rb

@@ -1,14 +1,12 @@
 # frozen_string_literal: true
 
-require "rodauth/oauth/version"
-require "rodauth/oauth/ttl_store"
+require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_resource_indicators, :OauthResourceIndicators) do
     depends :oauth_authorize_base
 
     auth_value_method :oauth_grants_resource_column, :resource
-    auth_value_method :oauth_tokens_resource_column, :resource
 
     def resource_indicators
       return @resource_indicators if defined?(@resource_indicators)
@@ -38,9 +36,10 @@ module Rodauth
     def require_oauth_authorization(*)
       super
 
-      return unless authorization_token[oauth_tokens_resource_column]
+      # done so to support token-in-grant-db, jwt, and resource-server mode
+      token_indicators = authorization_token[oauth_grants_resource_column] || authorization_token["resource"]
 
-      token_indicators = authorization_token[oauth_tokens_resource_column]
+      return unless token_indicators
 
       token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
 
@@ -49,7 +48,7 @@ module Rodauth
 
     private
 
-    def validate_oauth_token_params
+    def validate_token_params
       super
 
       return unless resource_indicators
@@ -59,27 +58,16 @@ module Rodauth
       end
     end
 
-    def create_oauth_token_from_token(oauth_token, update_params)
+    def create_token_from_token(oauth_grant, update_params)
       return super unless resource_indicators
 
-      return super unless oauth_token[oauth_tokens_oauth_grant_id_column]
-
-      oauth_grant = db[oauth_grants_table].where(
-        oauth_grants_id_column => oauth_token[oauth_tokens_oauth_grant_id_column],
-        oauth_grants_revoked_at_column => nil
-      ).first
-
       grant_indicators = oauth_grant[oauth_grants_resource_column]
 
       grant_indicators = grant_indicators.split(" ") if grant_indicators.is_a?(String)
 
       redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
 
-      super(oauth_token, update_params.merge(oauth_tokens_resource_column => resource_indicators))
-    end
-
-    def check_valid_no_fragment_uri?(uri)
-      check_valid_uri?(uri) && URI.parse(uri).fragment.nil?
+      super(oauth_grant, update_params.merge(oauth_grants_resource_column => resource_indicators))
     end
 
     module IndicatorAuthorizationCodeGrant
@@ -95,9 +83,11 @@ module Rodauth
         end
       end
 
-      def create_oauth_token_from_authorization_code(oauth_grant, create_params, *args)
+      def create_token_from_authorization_code(grant_params, *args, oauth_grant: nil)
         return super unless resource_indicators
 
+        oauth_grant ||= valid_locked_oauth_grant(grant_params)
+
         redirect_response_error("invalid_target") unless oauth_grant[oauth_grants_resource_column]
 
         grant_indicators = oauth_grant[oauth_grants_resource_column]
@@ -106,7 +96,15 @@ module Rodauth
 
         redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
 
-        super(oauth_grant, create_params.merge(oauth_tokens_resource_column => resource_indicators), *args)
+        # update ownership
+        if grant_indicators != resource_indicators
+          oauth_grant = __update_and_return__(
+            db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column]),
+            oauth_grants_resource_column => resource_indicators
+          )
+        end
+
+        super({ oauth_grants_id_column => oauth_grant[oauth_grants_id_column] }, *args, oauth_grant: oauth_grant)
       end
 
       def create_oauth_grant(create_params = {})
@@ -117,12 +115,12 @@ module Rodauth
     end
 
     module IndicatorIntrospection
-      def json_token_introspect_payload(token)
-        return super unless token[oauth_tokens_oauth_grant_id_column]
+      def json_token_introspect_payload(grant)
+        return super unless grant[oauth_grants_id_column]
 
         payload = super
 
-        token_indicators = token[oauth_tokens_resource_column]
+        token_indicators = grant[oauth_grants_resource_column]
 
         token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
 
@@ -134,7 +132,7 @@ module Rodauth
       def introspection_request(*)
         payload = super
 
-        payload[oauth_tokens_resource_column] = payload["aud"] if payload["aud"]
+        payload[oauth_grants_resource_column] = payload["aud"] if payload["aud"]
 
         payload
       end
@@ -146,6 +144,16 @@ module Rodauth
 
         super.merge(aud: resource_indicators)
       end
+
+      def jwt_decode(token, verify_aud: true, **args)
+        claims = super(token, verify_aud: false, **args)
+
+        return claims unless verify_aud
+
+        return unless claims["aud"] && claims["aud"].one? { |aud| request.url.starts_with?(aud) }
+
+        claims
+      end
     end
 
     def self.included(rodauth)

data/lib/rodauth/features/oauth_resource_server.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oauth_resource_server, :OauthResourceServer) do
+    depends :oauth_token_introspection
+
+    auth_value_method :is_authorization_server?, false
+
+    auth_value_methods(
+      :before_introspection_request
+    )
+
+    def authorization_token
+      return @authorization_token if defined?(@authorization_token)
+
+      # check if there is a token
+      access_token = fetch_access_token
+
+      return unless access_token
+
+      # where in resource server, NOT the authorization server.
+      payload = introspection_request("access_token", access_token)
+
+      return unless payload["active"]
+
+      @authorization_token = payload
+    end
+
+    def require_oauth_authorization(*scopes)
+      authorization_required unless authorization_token
+
+      aux_scopes = authorization_token["scope"]
+
+      token_scopes = if aux_scopes
+                       aux_scopes.split(oauth_scope_separator)
+                     else
+                       []
+                     end
+
+      authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
+    end
+
+    private
+
+    def introspection_request(token_type_hint, token)
+      introspect_url = URI("#{authorization_server_url}#{introspect_path}")
+
+      response = http_request(introspect_url, { "token_type_hint" => token_type_hint, "token" => token }) do |request|
+        before_introspection_request(request)
+      end
+
+      JSON.parse(response.body)
+    end
+
+    def before_introspection_request(request); end
+  end
+end

data/lib/rodauth/features/oauth_saml_bearer_grant.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "onelogin/ruby-saml"
+require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_saml_bearer_grant, :OauthSamlBearerGrant) do
@@ -16,12 +17,18 @@ module Rodauth
     auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
     auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
 
+    auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
+
     auth_value_methods(
       :require_oauth_application_from_saml2_bearer_assertion_issuer,
       :require_oauth_application_from_saml2_bearer_assertion_subject,
       :account_from_saml2_bearer_assertion
     )
 
+    def oauth_grant_types_supported
+      super | %w[urn:ietf:params:oauth:grant-type:saml2-bearer]
+    end
+
     private
 
     def require_oauth_application_from_saml2_bearer_assertion_issuer(assertion)
@@ -94,7 +101,6 @@ module Rodauth
 
     def oauth_server_metadata_body(*)
       super.tap do |data|
-        data[:grant_types_supported] << "urn:ietf:params:oauth:grant-type:saml2-bearer"
         data[:token_endpoint_auth_methods_supported] << "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"
       end
     end

data/lib/rodauth/features/oauth_token_introspection.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+require "rodauth/oauth/http_extensions"
+
 module Rodauth
   Feature.define(:oauth_token_introspection, :OauthTokenIntrospection) do
     depends :oauth_base
@@ -7,47 +10,44 @@ module Rodauth
     before "introspect"
 
     auth_value_methods(
-      :before_introspection_request
+      :resource_owner_identifier
     )
 
     # /introspect
-    route(:introspect) do |r|
-      next unless is_authorization_server?
-
+    auth_server_route(:introspect) do |r|
+      require_oauth_application_for_introspect
       before_introspect_route
-      require_oauth_application
 
       r.post do
         catch_error do
-          validate_oauth_introspect_params
+          validate_introspect_params
+
+          token_type_hint = param_or_nil("token_type_hint")
 
           before_introspect
-          oauth_token = case param("token_type_hint")
-                        when "access_token"
-                          oauth_token_by_token(param("token"))
+          oauth_grant = case token_type_hint
+                        when "access_token", nil
+                          if features.include?(:oauth_jwt) && oauth_jwt_access_tokens
+                            jwt_decode(param("token"))
+                          else
+                            oauth_grant_by_token(param("token"))
+                          end
                         when "refresh_token"
-                          oauth_token_by_refresh_token(param("token"))
-                        else
-                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
+                          oauth_grant_by_refresh_token(param("token"))
                         end
 
-          if oauth_application
-            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
-          elsif oauth_token
-            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
-              oauth_token[oauth_tokens_oauth_application_id_column]).first
-          end
+          oauth_grant ||= oauth_grant_by_refresh_token(param("token")) if token_type_hint.nil?
 
-          json_response_success(json_token_introspect_payload(oauth_token))
+          json_response_success(json_token_introspect_payload(oauth_grant))
         end
 
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+        throw_json_response_error(oauth_invalid_response_status, "invalid_request")
       end
     end
 
     # Token introspect
 
-    def validate_oauth_introspect_params(token_hint_types = %w[access_token refresh_token].freeze)
+    def validate_introspect_params(token_hint_types = %w[access_token refresh_token].freeze)
       # check if valid token hint type
       if param_or_nil("token_type_hint") && !token_hint_types.include?(param("token_type_hint"))
         redirect_response_error("unsupported_token_type")
@@ -56,17 +56,35 @@ module Rodauth
       redirect_response_error("invalid_request") unless param_or_nil("token")
     end
 
-    def json_token_introspect_payload(token)
-      return { active: false } unless token
-
-      {
-        active: true,
-        scope: token[oauth_tokens_scopes_column],
-        client_id: oauth_application[oauth_applications_client_id_column],
-        # username
-        token_type: oauth_token_type,
-        exp: token[oauth_tokens_expires_in_column].to_i
-      }
+    def json_token_introspect_payload(grant_or_claims)
+      return { active: false } unless grant_or_claims
+
+      if grant_or_claims["sub"]
+        # JWT
+        {
+          active: true,
+          scope: grant_or_claims["scope"],
+          client_id: grant_or_claims["client_id"],
+          username: resource_owner_identifier(grant_or_claims),
+          token_type: "access_token",
+          exp: grant_or_claims["exp"],
+          iat: grant_or_claims["iat"],
+          nbf: grant_or_claims["nbf"],
+          sub: grant_or_claims["sub"],
+          aud: grant_or_claims["aud"],
+          iss: grant_or_claims["iss"],
+          jti: grant_or_claims["jti"]
+        }
+      else
+        {
+          active: true,
+          scope: grant_or_claims[oauth_grants_scopes_column],
+          client_id: oauth_application[oauth_applications_client_id_column],
+          username: resource_owner_identifier(grant_or_claims),
+          token_type: oauth_token_type,
+          exp: grant_or_claims[oauth_grants_expires_in_column].to_i
+        }
+      end
     end
 
     def check_csrf?
@@ -80,24 +98,17 @@ module Rodauth
 
     private
 
-    def introspection_request(token_type_hint, token)
-      auth_url = URI(authorization_server_url)
-      http = Net::HTTP.new(auth_url.host, auth_url.port)
-      http.use_ssl = auth_url.scheme == "https"
+    def require_oauth_application_for_introspect
+      (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]))
 
-      request = Net::HTTP::Post.new(auth_url.path + introspect_path)
-      request["content-type"] = "application/x-www-form-urlencoded"
-      request["accept"] = json_response_content_type
-      request.set_form_data({ "token_type_hint" => token_type_hint, "token" => token })
+      return require_oauth_application unless token
 
-      before_introspection_request(request)
-      response = http.request(request)
-      authorization_required unless response.code.to_i == 200
+      oauth_application = current_oauth_application
 
-      JSON.parse(response.body)
-    end
+      authorization_required unless oauth_application
 
-    def before_introspection_request(request); end
+      @oauth_application = oauth_application
+    end
 
     def oauth_server_metadata_body(*)
       super.tap do |data|
@@ -105,5 +116,24 @@ module Rodauth
         data[:introspection_endpoint_auth_methods_supported] = %w[client_secret_basic]
       end
     end
+
+    def resource_owner_identifier(grant_or_claims)
+      if (account_id = grant_or_claims[oauth_grants_account_id_column])
+        account_ds(account_id).select(login_column).first[login_column]
+      elsif (app_id = grant_or_claims[oauth_grants_oauth_application_id_column])
+        db[oauth_applications_table].where(oauth_applications_id_column => app_id)
+                                    .select(oauth_applications_name_column)
+                                    .first[oauth_applications_name_column]
+      elsif (subject = grant_or_claims["sub"])
+        # JWT
+        if subject == grant_or_claims["client_id"]
+          db[oauth_applications_table].where(oauth_applications_client_id_column => subject)
+                                      .select(oauth_applications_name_column)
+                                      .first[oauth_applications_name_column]
+        else
+          account_ds(subject).select(login_column).first[login_column]
+        end
+      end
+    end
   end
 end