rodauth-oauth 0.10.4 → 1.0.0.pre.beta2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/MIGRATION-GUIDE-v1.md +286 -0
- data/README.md +28 -35
- data/doc/release_notes/1_0_0_beta1.md +38 -0
- data/doc/release_notes/1_0_0_beta2.md +34 -0
- data/lib/generators/rodauth/oauth/install_generator.rb +0 -1
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb +21 -11
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb +1 -1
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb +2 -2
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb +1 -6
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb +0 -2
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_grants.html.erb +41 -0
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb +2 -2
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_grants.html.erb +37 -0
- data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb +57 -57
- data/lib/rodauth/features/oauth_application_management.rb +61 -74
- data/lib/rodauth/features/oauth_assertion_base.rb +19 -23
- data/lib/rodauth/features/oauth_authorization_code_grant.rb +62 -90
- data/lib/rodauth/features/oauth_authorize_base.rb +115 -22
- data/lib/rodauth/features/oauth_base.rb +397 -315
- data/lib/rodauth/features/oauth_client_credentials_grant.rb +20 -18
- data/lib/rodauth/features/{oauth_device_grant.rb → oauth_device_code_grant.rb} +62 -73
- data/lib/rodauth/features/oauth_dynamic_client_registration.rb +52 -31
- data/lib/rodauth/features/oauth_grant_management.rb +70 -0
- data/lib/rodauth/features/oauth_implicit_grant.rb +29 -27
- data/lib/rodauth/features/oauth_jwt.rb +53 -689
- data/lib/rodauth/features/oauth_jwt_base.rb +458 -0
- data/lib/rodauth/features/oauth_jwt_bearer_grant.rb +48 -17
- data/lib/rodauth/features/oauth_jwt_jwks.rb +47 -0
- data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb +116 -0
- data/lib/rodauth/features/oauth_management_base.rb +2 -0
- data/lib/rodauth/features/oauth_pkce.rb +22 -26
- data/lib/rodauth/features/oauth_resource_indicators.rb +33 -25
- data/lib/rodauth/features/oauth_resource_server.rb +59 -0
- data/lib/rodauth/features/oauth_saml_bearer_grant.rb +7 -1
- data/lib/rodauth/features/oauth_token_introspection.rb +76 -46
- data/lib/rodauth/features/oauth_token_revocation.rb +46 -33
- data/lib/rodauth/features/oidc.rb +382 -241
- data/lib/rodauth/features/oidc_dynamic_client_registration.rb +127 -51
- data/lib/rodauth/features/oidc_rp_initiated_logout.rb +115 -0
- data/lib/rodauth/oauth/database_extensions.rb +8 -6
- data/lib/rodauth/oauth/http_extensions.rb +74 -0
- data/lib/rodauth/oauth/railtie.rb +20 -0
- data/lib/rodauth/oauth/ttl_store.rb +2 -0
- data/lib/rodauth/oauth/version.rb +1 -1
- data/lib/rodauth/oauth.rb +29 -1
- data/locales/en.yml +34 -22
- data/locales/pt.yml +34 -22
- data/templates/authorize.str +19 -17
- data/templates/device_search.str +1 -1
- data/templates/device_verification.str +2 -2
- data/templates/jwks_field.str +1 -0
- data/templates/new_oauth_application.str +1 -2
- data/templates/oauth_application.str +2 -2
- data/templates/oauth_application_oauth_grants.str +54 -0
- data/templates/oauth_applications.str +2 -2
- data/templates/oauth_grants.str +52 -0
- metadata +23 -16
- data/lib/generators/rodauth/oauth/templates/app/models/oauth_token.rb +0 -4
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_tokens.html.erb +0 -39
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_tokens.html.erb +0 -35
- data/lib/rodauth/features/oauth.rb +0 -9
- data/lib/rodauth/features/oauth_http_mac.rb +0 -86
- data/lib/rodauth/features/oauth_token_management.rb +0 -81
- data/lib/rodauth/oauth/refinements.rb +0 -48
- data/templates/jwt_public_key_field.str +0 -4
- data/templates/oauth_application_oauth_tokens.str +0 -52
- data/templates/oauth_tokens.str +0 -50
@@ -1,5 +1,7 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
+
require "rodauth/oauth"
|
4
|
+
|
3
5
|
module Rodauth
|
4
6
|
Feature.define(:oauth_token_revocation, :OauthTokenRevocation) do
|
5
7
|
depends :oauth_base
|
@@ -7,14 +9,10 @@ module Rodauth
|
|
7
9
|
before "revoke"
|
8
10
|
after "revoke"
|
9
11
|
|
10
|
-
notice_flash "The oauth
|
12
|
+
notice_flash "The oauth grant has been revoked", "revoke_oauth_grant"
|
11
13
|
|
12
14
|
# /revoke
|
13
|
-
|
14
|
-
next unless is_authorization_server?
|
15
|
-
|
16
|
-
before_revoke_route
|
17
|
-
|
15
|
+
auth_server_route(:revoke) do |r|
|
18
16
|
if logged_in?
|
19
17
|
require_account
|
20
18
|
require_oauth_application_from_account
|
@@ -22,24 +20,32 @@ module Rodauth
|
|
22
20
|
require_oauth_application
|
23
21
|
end
|
24
22
|
|
23
|
+
before_revoke_route
|
24
|
+
|
25
25
|
r.post do
|
26
26
|
catch_error do
|
27
|
-
|
27
|
+
validate_revoke_params
|
28
28
|
|
29
|
-
|
29
|
+
oauth_grant = nil
|
30
30
|
transaction do
|
31
31
|
before_revoke
|
32
|
-
|
32
|
+
oauth_grant = revoke_oauth_grant
|
33
33
|
after_revoke
|
34
34
|
end
|
35
35
|
|
36
36
|
if accepts_json?
|
37
|
-
|
38
|
-
"
|
39
|
-
|
40
|
-
|
37
|
+
json_payload = {
|
38
|
+
"revoked_at" => convert_timestamp(oauth_grant[oauth_grants_revoked_at_column])
|
39
|
+
}
|
40
|
+
if param("token_type_hint") == "refresh_token"
|
41
|
+
json_payload["refresh_token"] = oauth_grant[oauth_grants_refresh_token_column]
|
42
|
+
else
|
43
|
+
json_payload["token"] = oauth_grant[oauth_grants_token_column]
|
44
|
+
end
|
45
|
+
|
46
|
+
json_response_success json_payload
|
41
47
|
else
|
42
|
-
set_notice_flash
|
48
|
+
set_notice_flash revoke_oauth_grant_notice_flash
|
43
49
|
redirect request.referer || "/"
|
44
50
|
end
|
45
51
|
end
|
@@ -48,12 +54,17 @@ module Rodauth
|
|
48
54
|
end
|
49
55
|
end
|
50
56
|
|
51
|
-
def
|
52
|
-
|
53
|
-
|
54
|
-
|
57
|
+
def validate_revoke_params(token_hint_types = %w[access_token refresh_token].freeze)
|
58
|
+
token_hint = param_or_nil("token_type_hint")
|
59
|
+
|
60
|
+
if features.include?(:oauth_jwt) && oauth_jwt_access_tokens && (!token_hint || token_hint == "access_token")
|
61
|
+
# JWT access tokens can't be revoked
|
62
|
+
throw(:rodauth_error)
|
55
63
|
end
|
56
64
|
|
65
|
+
# check if valid token hint type
|
66
|
+
redirect_response_error("unsupported_token_type") if token_hint && !token_hint_types.include?(token_hint)
|
67
|
+
|
57
68
|
redirect_response_error("invalid_request") unless param_or_nil("token")
|
58
69
|
end
|
59
70
|
|
@@ -68,29 +79,31 @@ module Rodauth
|
|
68
79
|
|
69
80
|
private
|
70
81
|
|
71
|
-
def
|
82
|
+
def revoke_oauth_grant
|
72
83
|
token = param("token")
|
73
84
|
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
85
|
+
if param("token_type_hint") == "refresh_token"
|
86
|
+
oauth_grant = oauth_grant_by_refresh_token(token)
|
87
|
+
token_column = oauth_grants_refresh_token_column
|
88
|
+
else
|
89
|
+
oauth_grant = oauth_grant_by_token_ds(token).where(
|
90
|
+
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
|
91
|
+
).first
|
92
|
+
token_column = oauth_grants_token_column
|
93
|
+
end
|
81
94
|
|
82
|
-
redirect_response_error("invalid_request") unless
|
95
|
+
redirect_response_error("invalid_request") unless oauth_grant
|
83
96
|
|
84
|
-
redirect_response_error("invalid_request") unless
|
97
|
+
redirect_response_error("invalid_request") unless grant_from_application?(oauth_grant, oauth_application)
|
85
98
|
|
86
|
-
update_params = {
|
99
|
+
update_params = { oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
|
87
100
|
|
88
|
-
ds = db[
|
101
|
+
ds = db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
|
89
102
|
|
90
|
-
|
103
|
+
oauth_grant = __update_and_return__(ds, update_params)
|
91
104
|
|
92
|
-
|
93
|
-
|
105
|
+
oauth_grant[token_column] = token
|
106
|
+
oauth_grant
|
94
107
|
|
95
108
|
# If the particular
|
96
109
|
# token is a refresh token and the authorization server supports the
|