rodauth-oauth 0.10.4 → 1.0.0.pre.beta2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68)
  1. checksums.yaml +4 -4
  2. data/MIGRATION-GUIDE-v1.md +286 -0
  3. data/README.md +28 -35
  4. data/doc/release_notes/1_0_0_beta1.md +38 -0
  5. data/doc/release_notes/1_0_0_beta2.md +34 -0
  6. data/lib/generators/rodauth/oauth/install_generator.rb +0 -1
  7. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb +21 -11
  8. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb +1 -1
  9. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb +2 -2
  10. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb +1 -6
  11. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb +0 -2
  12. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_grants.html.erb +41 -0
  13. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb +2 -2
  14. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_grants.html.erb +37 -0
  15. data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb +57 -57
  16. data/lib/rodauth/features/oauth_application_management.rb +61 -74
  17. data/lib/rodauth/features/oauth_assertion_base.rb +19 -23
  18. data/lib/rodauth/features/oauth_authorization_code_grant.rb +62 -90
  19. data/lib/rodauth/features/oauth_authorize_base.rb +115 -22
  20. data/lib/rodauth/features/oauth_base.rb +397 -315
  21. data/lib/rodauth/features/oauth_client_credentials_grant.rb +20 -18
  22. data/lib/rodauth/features/{oauth_device_grant.rb → oauth_device_code_grant.rb} +62 -73
  23. data/lib/rodauth/features/oauth_dynamic_client_registration.rb +52 -31
  24. data/lib/rodauth/features/oauth_grant_management.rb +70 -0
  25. data/lib/rodauth/features/oauth_implicit_grant.rb +29 -27
  26. data/lib/rodauth/features/oauth_jwt.rb +53 -689
  27. data/lib/rodauth/features/oauth_jwt_base.rb +458 -0
  28. data/lib/rodauth/features/oauth_jwt_bearer_grant.rb +48 -17
  29. data/lib/rodauth/features/oauth_jwt_jwks.rb +47 -0
  30. data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb +116 -0
  31. data/lib/rodauth/features/oauth_management_base.rb +2 -0
  32. data/lib/rodauth/features/oauth_pkce.rb +22 -26
  33. data/lib/rodauth/features/oauth_resource_indicators.rb +33 -25
  34. data/lib/rodauth/features/oauth_resource_server.rb +59 -0
  35. data/lib/rodauth/features/oauth_saml_bearer_grant.rb +7 -1
  36. data/lib/rodauth/features/oauth_token_introspection.rb +76 -46
  37. data/lib/rodauth/features/oauth_token_revocation.rb +46 -33
  38. data/lib/rodauth/features/oidc.rb +382 -241
  39. data/lib/rodauth/features/oidc_dynamic_client_registration.rb +127 -51
  40. data/lib/rodauth/features/oidc_rp_initiated_logout.rb +115 -0
  41. data/lib/rodauth/oauth/database_extensions.rb +8 -6
  42. data/lib/rodauth/oauth/http_extensions.rb +74 -0
  43. data/lib/rodauth/oauth/railtie.rb +20 -0
  44. data/lib/rodauth/oauth/ttl_store.rb +2 -0
  45. data/lib/rodauth/oauth/version.rb +1 -1
  46. data/lib/rodauth/oauth.rb +29 -1
  47. data/locales/en.yml +34 -22
  48. data/locales/pt.yml +34 -22
  49. data/templates/authorize.str +19 -17
  50. data/templates/device_search.str +1 -1
  51. data/templates/device_verification.str +2 -2
  52. data/templates/jwks_field.str +1 -0
  53. data/templates/new_oauth_application.str +1 -2
  54. data/templates/oauth_application.str +2 -2
  55. data/templates/oauth_application_oauth_grants.str +54 -0
  56. data/templates/oauth_applications.str +2 -2
  57. data/templates/oauth_grants.str +52 -0
  58. metadata +23 -16
  59. data/lib/generators/rodauth/oauth/templates/app/models/oauth_token.rb +0 -4
  60. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_tokens.html.erb +0 -39
  61. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_tokens.html.erb +0 -35
  62. data/lib/rodauth/features/oauth.rb +0 -9
  63. data/lib/rodauth/features/oauth_http_mac.rb +0 -86
  64. data/lib/rodauth/features/oauth_token_management.rb +0 -81
  65. data/lib/rodauth/oauth/refinements.rb +0 -48
  66. data/templates/jwt_public_key_field.str +0 -4
  67. data/templates/oauth_application_oauth_tokens.str +0 -52
  68. data/templates/oauth_tokens.str +0 -50
@@ -1,5 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "rodauth/oauth"
4
+
3
5
  module Rodauth
4
6
  Feature.define(:oauth_token_revocation, :OauthTokenRevocation) do
5
7
  depends :oauth_base
@@ -7,14 +9,10 @@ module Rodauth
7
9
  before "revoke"
8
10
  after "revoke"
9
11
 
10
- notice_flash "The oauth token has been revoked", "revoke_oauth_token"
12
+ notice_flash "The oauth grant has been revoked", "revoke_oauth_grant"
11
13
 
12
14
  # /revoke
13
- route(:revoke) do |r|
14
- next unless is_authorization_server?
15
-
16
- before_revoke_route
17
-
15
+ auth_server_route(:revoke) do |r|
18
16
  if logged_in?
19
17
  require_account
20
18
  require_oauth_application_from_account
@@ -22,24 +20,32 @@ module Rodauth
22
20
  require_oauth_application
23
21
  end
24
22
 
23
+ before_revoke_route
24
+
25
25
  r.post do
26
26
  catch_error do
27
- validate_oauth_revoke_params
27
+ validate_revoke_params
28
28
 
29
- oauth_token = nil
29
+ oauth_grant = nil
30
30
  transaction do
31
31
  before_revoke
32
- oauth_token = revoke_oauth_token
32
+ oauth_grant = revoke_oauth_grant
33
33
  after_revoke
34
34
  end
35
35
 
36
36
  if accepts_json?
37
- json_response_success \
38
- "token" => oauth_token[oauth_tokens_token_column],
39
- "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
40
- "revoked_at" => convert_timestamp(oauth_token[oauth_tokens_revoked_at_column])
37
+ json_payload = {
38
+ "revoked_at" => convert_timestamp(oauth_grant[oauth_grants_revoked_at_column])
39
+ }
40
+ if param("token_type_hint") == "refresh_token"
41
+ json_payload["refresh_token"] = oauth_grant[oauth_grants_refresh_token_column]
42
+ else
43
+ json_payload["token"] = oauth_grant[oauth_grants_token_column]
44
+ end
45
+
46
+ json_response_success json_payload
41
47
  else
42
- set_notice_flash revoke_oauth_token_notice_flash
48
+ set_notice_flash revoke_oauth_grant_notice_flash
43
49
  redirect request.referer || "/"
44
50
  end
45
51
  end
@@ -48,12 +54,17 @@ module Rodauth
48
54
  end
49
55
  end
50
56
 
51
- def validate_oauth_revoke_params(token_hint_types = %w[access_token refresh_token].freeze)
52
- # check if valid token hint type
53
- if param_or_nil("token_type_hint") && !token_hint_types.include?(param("token_type_hint"))
54
- redirect_response_error("unsupported_token_type")
57
+ def validate_revoke_params(token_hint_types = %w[access_token refresh_token].freeze)
58
+ token_hint = param_or_nil("token_type_hint")
59
+
60
+ if features.include?(:oauth_jwt) && oauth_jwt_access_tokens && (!token_hint || token_hint == "access_token")
61
+ # JWT access tokens can't be revoked
62
+ throw(:rodauth_error)
55
63
  end
56
64
 
65
+ # check if valid token hint type
66
+ redirect_response_error("unsupported_token_type") if token_hint && !token_hint_types.include?(token_hint)
67
+
57
68
  redirect_response_error("invalid_request") unless param_or_nil("token")
58
69
  end
59
70
 
@@ -68,29 +79,31 @@ module Rodauth
68
79
 
69
80
  private
70
81
 
71
- def revoke_oauth_token
82
+ def revoke_oauth_grant
72
83
  token = param("token")
73
84
 
74
- oauth_token = if param("token_type_hint") == "refresh_token"
75
- oauth_token_by_refresh_token(token)
76
- else
77
- oauth_token_by_token_ds(token).where(
78
- oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column]
79
- ).first
80
- end
85
+ if param("token_type_hint") == "refresh_token"
86
+ oauth_grant = oauth_grant_by_refresh_token(token)
87
+ token_column = oauth_grants_refresh_token_column
88
+ else
89
+ oauth_grant = oauth_grant_by_token_ds(token).where(
90
+ oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
91
+ ).first
92
+ token_column = oauth_grants_token_column
93
+ end
81
94
 
82
- redirect_response_error("invalid_request") unless oauth_token
95
+ redirect_response_error("invalid_request") unless oauth_grant
83
96
 
84
- redirect_response_error("invalid_request") unless token_from_application?(oauth_token, oauth_application)
97
+ redirect_response_error("invalid_request") unless grant_from_application?(oauth_grant, oauth_application)
85
98
 
86
- update_params = { oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
99
+ update_params = { oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
87
100
 
88
- ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
101
+ ds = db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
89
102
 
90
- oauth_token = __update_and_return__(ds, update_params)
103
+ oauth_grant = __update_and_return__(ds, update_params)
91
104
 
92
- oauth_token[oauth_tokens_token_column] = token
93
- oauth_token
105
+ oauth_grant[token_column] = token
106
+ oauth_grant
94
107
 
95
108
  # If the particular
96
109
  # token is a refresh token and the authorization server supports the
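Review bot: `validate_revoke_params` (third hunk) now rejects every request that omits `token_type_hint` whenever JWT access tokens are enabled, because the guard `if features.include?(:oauth_jwt) && oauth_jwt_access_tokens && (!token_hint || token_hint == "access_token")` fires before the token is even looked up — a client revoking a leaked refresh token without a hint gets an error and the refresh token stays live, which is the opposite of RFC 7009 §2.1 (the hint is optional, and a miss must extend the search across the other supported token types); the same gap exists in `revoke_oauth_grant`'s `else` branch, which only searches access tokens when no hint is sent. I would narrow the guard to `token_hint == "access_token"` and answer it with `redirect_response_error("unsupported_token_type")` rather than a bare `throw(:rodauth_error)`, whose resulting status and error code I cannot see from `catch_error` here, and make the lookup in `revoke_oauth_grant` try refresh tokens first and fall back to access tokens unless JWT access tokens are in use, as below. The JSON branch of the route should then pick the echoed key from the column that actually matched rather than re-reading the hint. `revoke_oauth_grant`'s `end` lies outside the hunk.

```ruby
def revoke_oauth_grant
  token = param("token")
  hint = param_or_nil("token_type_hint")
  app_id = oauth_application[oauth_applications_id_column]

  # RFC 7009 §2.1: the hint is only a hint — when it is absent, or the lookup it
  # selects finds nothing, extend the search to the other supported token type.
  oauth_grant = nil
  token_column = nil
  if hint != "access_token"
    oauth_grant = oauth_grant_by_refresh_token(token)
    token_column = oauth_grants_refresh_token_column
  end
  if !oauth_grant && hint != "refresh_token" && !(features.include?(:oauth_jwt) && oauth_jwt_access_tokens)
    # JWT access tokens are self-contained and cannot be revoked here, so only
    # opaque access tokens are searched, scoped to the authenticated client.
    oauth_grant = oauth_grant_by_token_ds(token).where(oauth_grants_oauth_application_id_column => app_id).first
    token_column = oauth_grants_token_column
  end

  redirect_response_error("invalid_request") unless oauth_grant
  # … unchanged: grant_from_application? check, revoked_at update, echo of token …
```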