rodauth-oauth 0.2.0 → 0.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 02d69464053b6809900da774b4c9957d642b003d0a0de7aa076e57a5eb8895bc
-  data.tar.gz: e1dd94b69aa4bdf051b1c28d684a0ec2a1435da9f99ca6bf77da9d537474f9a6
+  metadata.gz: 96756ac8a30c904c5b832b64c47a00af9524810561d58c909b6f322da7348e8c
+  data.tar.gz: 965f6ff260bd86c2fcb7bbd2ba2bd131b453f04a39b73f99ef0860d2bc95b0e0
 SHA512:
-  metadata.gz: cfe325a2e8daa96a72b4577566ae84772dcf114411ebbd9d0115f0f33f5b104f7c138a1b1ef7813d46f0fd2226c6560db5d974e51ec92b33ce7e393726005b2d
-  data.tar.gz: df5866c1cd089c0d361a00d1ffd1db02df9b6551940dbf70e7390657fa8558ae0fb3c8eb2fcff6ec6fb9fd52406a99615574305d5a3bacdbd20f5fc22bacd63f
+  metadata.gz: e7e257a12204599a27d0917f2b31c32906f0d4c566d51ee6d4fde146e2340e36afb9a932cff8bf37872d59259f4d43d423d1c1266f3066063c70aa334f83e119
+  data.tar.gz: 07c0e564e7636893f736f6e05f634684cd7bc28e9d0acfb53ba518357fab198bc878792a68bde6b988b8c8ddf2d3e2bb4d4ecebcd9c4bf68d85f75178cdd0fdf

data/CHANGELOG.md

@@ -2,7 +2,75 @@
 
 ## master
 
-### 0.2.0
+### 0.4.3 (09/12/2020)
+
+* Introspection requests made to an Authorization Server in "resource server" mode are not correctly encoding the body using the "application/x-www-form-urlencoded" format.
+
+### 0.4.2 (24/11/2020)
+
+### Bugfixes
+
+* database extensions were being run in resource server mode, when it's not expected that the oauth db tables are around.
+
+### 0.4.1 (24/11/2020)
+
+### Improvements
+
+When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
+
+### Bugfixes
+
+* An error occurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.
+
+### 0.4.0 (13/11/2020)
+
+### Features
+
+* A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
+
+* The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
+
+
+### Improvements
+
+* For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
+
+### Bugfixes
+
+* The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
+* rails tests were silently not running in CI;
+* The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted;
+
+### 0.3.0 (8/10/2020)
+
+#### Features
+
+* `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also,  refresh token requests performed with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
+
+#### Improvements
+
+
+* Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
+
+* Refresh Tokens are now expirable. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.
+
+#### Bugfixes
+
+* Default Templates now being packaged, as a way to provide a default experience to the OAuth journeys.
+
+* fixing metadata urls when plugin loaded with a prefix path (@ianks)
+
+* All date/time-based calculations, such as determining an expiration date, or checking if a token has expired, are now performed using database arithmetic operations, using sequel's `date_arithmetic` plugin. This will eliminate subtle bugs, such as when the database timezone is different than the application OS timezone.
+
+* OIDC configuration endpoint is now stricter, eliminating JSON metadata inherited from the Oauth metadata endpoint. (@ianks)
+
+#### Chore
+
+Use `rodauth.convert_timestamp` in the templates, whenever dates are displayed.
+
+Set HTTP Cache headers for metadata responses, such as `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`, so they can be stored at the edge. The cache will be valid for 1 day (this value isn't set by an option yet).
+
+### 0.2.0 (9/9/2020)
 
 #### Features
 
@@ -46,9 +114,7 @@ Fixed some mishandling of HTTP headers when in in resource-server mode.
 * 97.7% test coverage;
 * `rodauth-oauth` CI tests run against sqlite, postgresql and mysql.
 
-### 0.1.0
-
-(31/7/2020)
+### 0.1.0 (31/7/2020)
 
 #### Features
 
@@ -94,9 +160,7 @@ URI schemes for client applications redirect URIs have to be `https`. In order t
 * fixed trailing "/" in the "issuer" value in server metadata (`https://server.com/` -> `https://server.com`).
 
 
-### 0.0.6
-
-(6/7/2020)
+### 0.0.6 (6/7/2020)
 
 #### Features
 
@@ -119,9 +183,7 @@ The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (se
 Removed React Javascript from example applications.
 
 
-### 0.0.5
-
-(26/6/2020)
+### 0.0.5 (26/6/2020)
 
 #### Features
 
@@ -158,9 +220,7 @@ It **requires** the authorization to implement the server metadata endpoint (`/.
 * option `scopes_param` renamed to `scope_param`;
 *
 
-## 0.0.4
-
-(13/6/2020)
+## 0.0.4 (13/6/2020)
 
 ### Features
 
@@ -197,9 +257,7 @@ The `oauth_jwt` feature now allows the usage of access tokens to authorize the g
 
 * Fixed scope claim of JWT ("scopes" -> "scope");
 
-## 0.0.3
-
-(5/6/2020)
+## 0.0.3 (5/6/2020)
 
 ### Features
 
@@ -231,9 +289,7 @@ end
 * renamed the existing `use_oauth_implicit_grant_type` to `use_oauth_implicit_grant_type?`;
 * It's now usable as JSON API (small caveat: POST authorize will still redirect on success...);
 
-## 0.0.2
-
-(29/5/2020)
+## 0.0.2 (29/5/2020)
 
 ### Features
 
@@ -249,8 +305,6 @@ end
 
 * usage of client secret for authorizing the generation of tokens, as the spec mandates (and refraining from them when doing PKCE).
 
-## 0.0.1
-
-(14/5/2020)
+## 0.0.1 (14/5/2020)
 
 Initial implementation of the Oauth 2.0 framework, with an example app done using roda.

data/README.md

@@ -1,7 +1,7 @@
 # Rodauth::Oauth
 
 [![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/pipelines?page=1&ref=master)
-[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
+[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg?job=coverage)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
 
 This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framework](https://tools.ietf.org/html/rfc6749) for an authorization server.
 

data/lib/rodauth/features/oauth.rb

@@ -46,6 +46,8 @@ module Rodauth
 
     SCOPES = %w[profile.read].freeze
 
+    SERVER_METADATA = OAuth::TtlStore.new
+
     before "authorize"
     after "authorize"
 
@@ -75,12 +77,14 @@ module Rodauth
 
     auth_value_method :oauth_grant_expires_in, 60 * 5 # 5 minutes
     auth_value_method :oauth_token_expires_in, 60 * 60 # 60 minutes
+    auth_value_method :oauth_refresh_token_expires_in, 60 * 60 * 24 * 360 # 1 year
     auth_value_method :use_oauth_implicit_grant_type?, false
     auth_value_method :use_oauth_pkce?, true
     auth_value_method :use_oauth_access_type?, true
 
     auth_value_method :oauth_require_pkce, false
     auth_value_method :oauth_pkce_challenge_method, "S256"
+    auth_value_method :oauth_response_mode, "query"
 
     auth_value_method :oauth_valid_uri_schemes, %w[https]
 
@@ -97,6 +101,7 @@ module Rodauth
     button "Register", "oauth_application"
     button "Authorize", "oauth_authorize"
     button "Revoke", "oauth_token_revoke"
+    button "Back to Client Application", "oauth_authorize_post"
 
     # OAuth Token
     auth_value_method :oauth_tokens_path, "oauth-tokens"
@@ -149,9 +154,11 @@ module Rodauth
       auth_value_method :"oauth_applications_#{column}_column", column
     end
 
+    # Feature options
     auth_value_method :oauth_application_default_scope, SCOPES.first
     auth_value_method :oauth_application_scopes, SCOPES
     auth_value_method :oauth_token_type, "bearer"
+    auth_value_method :oauth_refresh_token_protection_policy, "none" # can be: none, sender_constrained, rotation
 
     auth_value_method :invalid_client_message, "Invalid client"
     auth_value_method :invalid_grant_type_message, "Invalid grant type"
@@ -200,7 +207,214 @@ module Rodauth
 
     auth_value_method :json_request_regexp, %r{\bapplication/(?:vnd\.api\+)?json\b}i
 
-    SERVER_METADATA = OAuth::TtlStore.new
+    # /token
+    route(:token) do |r|
+      next unless is_authorization_server?
+
+      before_token_route
+      require_oauth_application
+
+      r.post do
+        catch_error do
+          validate_oauth_token_params
+
+          oauth_token = nil
+          transaction do
+            before_token
+            oauth_token = create_oauth_token
+          end
+
+          json_response_success(json_access_token_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # /introspect
+    route(:introspect) do |r|
+      next unless is_authorization_server?
+
+      before_introspect_route
+
+      r.post do
+        catch_error do
+          validate_oauth_introspect_params
+
+          before_introspect
+          oauth_token = case param("token_type_hint")
+                        when "access_token"
+                          oauth_token_by_token(param("token"))
+                        when "refresh_token"
+                          oauth_token_by_refresh_token(param("token"))
+                        else
+                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
+                        end
+
+          if oauth_application
+            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
+          elsif oauth_token
+            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
+              oauth_token[oauth_tokens_oauth_application_id_column]).first
+          end
+
+          json_response_success(json_token_introspect_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # /revoke
+    route(:revoke) do |r|
+      next unless is_authorization_server?
+
+      before_revoke_route
+      require_oauth_application
+
+      r.post do
+        catch_error do
+          validate_oauth_revoke_params
+
+          oauth_token = nil
+          transaction do
+            before_revoke
+            oauth_token = revoke_oauth_token
+            after_revoke
+          end
+
+          if accepts_json?
+            json_response_success \
+              "token" => oauth_token[oauth_tokens_token_column],
+              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
+              "revoked_at" => convert_timestamp(oauth_token[oauth_tokens_revoked_at_column])
+          else
+            set_notice_flash revoke_oauth_token_notice_flash
+            redirect request.referer || "/"
+          end
+        end
+
+        redirect_response_error("invalid_request", request.referer || "/")
+      end
+    end
+
+    # /authorize
+    route(:authorize) do |r|
+      next unless is_authorization_server?
+
+      before_authorize_route
+      require_authorizable_account
+
+      validate_oauth_grant_params
+      try_approval_prompt if use_oauth_access_type? && request.get?
+
+      r.get do
+        authorize_view
+      end
+
+      r.post do
+        redirect_url = URI.parse(redirect_uri)
+
+        params, mode = transaction do
+          before_authorize
+          do_authorize
+        end
+
+        case mode
+        when "query"
+          params = params.map { |k, v| "#{k}=#{v}" }
+          params << redirect_url.query if redirect_url.query
+          redirect_url.query = params.join("&")
+          redirect(redirect_url.to_s)
+        when "fragment"
+          params = params.map { |k, v| "#{k}=#{v}" }
+          params << redirect_url.query if redirect_url.query
+          redirect_url.fragment = params.join("&")
+          redirect(redirect_url.to_s)
+        when "form_post"
+          scope.view layout: false, inline: <<-FORM
+            <html>
+              <head><title>Authorized</title></head>
+              <body onload="javascript:document.forms[0].submit()">
+                <form method="post" action="#{redirect_uri}">
+                  #{
+                    params.map do |name, value|
+                      "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+                    end.join
+                  }
+                  <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
+                </form>
+              </body>
+            </html>
+          FORM
+        when "none"
+          redirect(redirect_url.to_s)
+        end
+      end
+    end
+
+    def oauth_server_metadata(issuer = nil)
+      request.on(".well-known") do
+        request.on("oauth-authorization-server") do
+          request.get do
+            json_response_success(oauth_server_metadata_body(issuer), true)
+          end
+        end
+      end
+    end
+
+    # /oauth-applications routes
+    def oauth_applications
+      request.on(oauth_applications_path) do
+        require_account
+
+        request.get "new" do
+          new_oauth_application_view
+        end
+
+        request.on(oauth_applications_id_pattern) do |id|
+          oauth_application = db[oauth_applications_table].where(oauth_applications_id_column => id).first
+          next unless oauth_application
+
+          scope.instance_variable_set(:@oauth_application, oauth_application)
+
+          request.is do
+            request.get do
+              oauth_application_view
+            end
+          end
+
+          request.on(oauth_tokens_path) do
+            oauth_tokens = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => id)
+            scope.instance_variable_set(:@oauth_tokens, oauth_tokens)
+            request.get do
+              oauth_tokens_view
+            end
+          end
+        end
+
+        request.get do
+          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table])
+          oauth_applications_view
+        end
+
+        request.post do
+          catch_error do
+            validate_oauth_application_params
+
+            transaction do
+              before_create_oauth_application
+              id = create_oauth_application
+              after_create_oauth_application
+              set_notice_flash create_oauth_application_notice_flash
+              redirect "#{request.path}/#{id}"
+            end
+          end
+          set_error_flash create_oauth_application_error_flash
+          new_oauth_application_view
+        end
+      end
+    end
 
     def check_csrf?
       case request.path
@@ -275,13 +489,13 @@ module Rodauth
     def fetch_access_token
       value = request.env["HTTP_AUTHORIZATION"]
 
-      return unless value
+      return unless value && !value.empty?
 
       scheme, token = value.split(" ", 2)
 
       return unless scheme.downcase == oauth_token_type
 
-      return if token.empty?
+      return if token.nil? || token.empty?
 
       token
     end
@@ -294,101 +508,46 @@ module Rodauth
 
       return unless bearer_token
 
-      # check if token has not expired
-      # check if token has been revoked
-      @authorization_token = oauth_token_by_token(bearer_token)
+      @authorization_token = if is_authorization_server?
+                               # check if token has not expired
+                               # check if token has been revoked
+                               oauth_token_by_token(bearer_token)
+                             else
+                               # where in resource server, NOT the authorization server.
+                               payload = introspection_request("access_token", bearer_token)
+
+                               return unless payload["active"]
+
+                               payload
+                             end
     end
 
     def require_oauth_authorization(*scopes)
-      token_scopes = if is_authorization_server?
-                       authorization_required unless authorization_token
+      authorization_required unless authorization_token
 
-                       scopes << oauth_application_default_scope if scopes.empty?
+      scopes << oauth_application_default_scope if scopes.empty?
 
+      token_scopes = if is_authorization_server?
                        authorization_token[oauth_tokens_scopes_column].split(oauth_scope_separator)
                      else
-                       bearer_token = fetch_access_token
-
-                       authorization_required unless bearer_token
-
-                       scopes << oauth_application_default_scope if scopes.empty?
-
-                       # where in resource server, NOT the authorization server.
-                       payload = introspection_request("access_token", bearer_token)
-
-                       authorization_required unless payload["active"]
-
-                       payload["scope"].split(oauth_scope_separator)
+                       aux_scopes = authorization_token["scope"]
+                       if aux_scopes
+                         aux_scopes.split(oauth_scope_separator)
+                       else
+                         []
+                       end
                      end
 
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
     end
 
-    # /oauth-applications routes
-    def oauth_applications
-      request.on(oauth_applications_path) do
-        require_account
-
-        request.get "new" do
-          new_oauth_application_view
-        end
-
-        request.on(oauth_applications_id_pattern) do |id|
-          oauth_application = db[oauth_applications_table].where(oauth_applications_id_column => id).first
-          next unless oauth_application
-
-          scope.instance_variable_set(:@oauth_application, oauth_application)
-
-          request.is do
-            request.get do
-              oauth_application_view
-            end
-          end
-
-          request.on(oauth_tokens_path) do
-            oauth_tokens = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => id)
-            scope.instance_variable_set(:@oauth_tokens, oauth_tokens)
-            request.get do
-              oauth_tokens_view
-            end
-          end
-        end
-
-        request.get do
-          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table])
-          oauth_applications_view
-        end
-
-        request.post do
-          catch_error do
-            validate_oauth_application_params
-
-            transaction do
-              before_create_oauth_application
-              id = create_oauth_application
-              after_create_oauth_application
-              set_notice_flash create_oauth_application_notice_flash
-              redirect "#{request.path}/#{id}"
-            end
-          end
-          set_error_flash create_oauth_application_error_flash
-          new_oauth_application_view
-        end
-      end
-    end
-
-    def oauth_server_metadata(issuer = nil)
-      request.on(".well-known") do
-        request.on("oauth-authorization-server") do
-          request.get do
-            json_response_success(oauth_server_metadata_body(issuer))
-          end
-        end
-      end
-    end
-
     def post_configure
       super
+
+      # all of the extensions below involve DB changes. Resource server mode doesn't use
+      # database functions for OAuth though.
+      return unless is_authorization_server?
+
       self.class.__send__(:include, Rodauth::OAuth::ExtendDatabase(db))
 
       # Check whether we can reutilize db entries for the same account / application pair
@@ -401,6 +560,10 @@ module Rodauth
       self.class.send(:define_method, :__one_oauth_token_per_account) { one_oauth_token_per_account }
     end
 
+    def use_date_arithmetic?
+      true
+    end
+
     private
 
     def rescue_from_uniqueness_error(&block)
@@ -446,9 +609,9 @@ module Rodauth
         # time-to-live
         ttl = if response.key?("cache-control")
                 cache_control = response["cache-control"]
-                cache_control[/max-age=(\d+)/, 1]
+                cache_control[/max-age=(\d+)/, 1].to_i
               elsif response.key?("expires")
-                DateTime.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+                Time.parse(response["expires"]).to_i - Time.now.to_i
               end
 
         [JSON.parse(response.body, symbolize_names: true), ttl]
@@ -461,9 +624,9 @@ module Rodauth
       http.use_ssl = auth_url.scheme == "https"
 
       request = Net::HTTP::Post.new(introspect_path)
-      request["content-type"] = json_response_content_type
+      request["content-type"] = "application/x-www-form-urlencoded"
       request["accept"] = json_response_content_type
-      request.body = JSON.dump({ "token_type_hint" => token_type_hint, "token" => token })
+      request.set_form_data({ "token_type_hint" => token_type_hint, "token" => token })
 
       before_introspection_request(request)
       response = http.request(request)
@@ -516,7 +679,7 @@ module Rodauth
     end
 
     def oauth_unique_id_generator
-      SecureRandom.hex(32)
+      SecureRandom.urlsafe_base64(32)
     end
 
     def generate_token_hash(token)
@@ -537,7 +700,7 @@ module Rodauth
 
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
-        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
       }.merge(params)
 
       rescue_from_uniqueness_error do
@@ -597,26 +760,37 @@ module Rodauth
       end
     end
 
-    def oauth_token_by_token(token, dataset = db[oauth_tokens_table])
+    def oauth_token_by_token(token)
+      ds = db[oauth_tokens_table]
+
       ds = if oauth_tokens_token_hash_column
-             dataset.where(oauth_tokens_token_hash_column => generate_token_hash(token))
+             ds.where(oauth_tokens_token_hash_column => generate_token_hash(token))
            else
-             dataset.where(oauth_tokens_token_column => token)
+             ds.where(oauth_tokens_token_column => token)
            end
 
       ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
         .where(oauth_tokens_revoked_at_column => nil).first
     end
 
-    def oauth_token_by_refresh_token(token, dataset = db[oauth_tokens_table])
+    def oauth_token_by_refresh_token(token, revoked: false)
+      ds = db[oauth_tokens_table]
+      #
+      # filter expired refresh tokens out.
+      # an expired refresh token is a token whose access token expired for a period longer than the
+      # refresh token expiration period.
+      #
+      ds = ds.where(Sequel.date_add(oauth_tokens_expires_in_column, seconds: oauth_refresh_token_expires_in) >= Sequel::CURRENT_TIMESTAMP)
+
       ds = if oauth_tokens_refresh_token_hash_column
-             dataset.where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
+             ds.where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
            else
-             dataset.where(oauth_tokens_refresh_token_column => token)
+             ds.where(oauth_tokens_refresh_token_column => token)
            end
 
-      ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-        .where(oauth_tokens_revoked_at_column => nil).first
+      ds = ds.where(oauth_tokens_revoked_at_column => nil) unless revoked
+
+      ds.first
     end
 
     def json_access_token_payload(oauth_token)
@@ -714,6 +888,9 @@ module Rodauth
       end
       redirect_response_error("invalid_scope") unless check_valid_scopes?
 
+      if (response_mode = param_or_nil("response_mode")) && response_mode != "form_post"
+        redirect_response_error("invalid_request")
+      end
       validate_pkce_challenge_params if use_oauth_pkce?
     end
 
@@ -731,7 +908,6 @@ module Rodauth
       ).count.zero?
 
       # if there's a previous oauth grant for the params combo, it means that this user has approved before.
-
       request.env["REQUEST_METHOD"] = "POST"
     end
 
@@ -740,7 +916,7 @@ module Rodauth
         oauth_grants_account_id_column => account_id,
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_grants_redirect_uri_column => redirect_uri,
-        oauth_grants_expires_in_column => Time.now + oauth_grant_expires_in,
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in),
         oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
       )
 
@@ -766,28 +942,26 @@ module Rodauth
       create_params[oauth_grants_code_column]
     end
 
-    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       case param("response_type")
       when "token"
         redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
 
-        fragment_params.replace(_do_authorize_token.map { |k, v| "#{k}=#{v}" })
-      when "code", "", nil
-        query_params.replace(_do_authorize_code.map { |k, v| "#{k}=#{v}" })
-      end
-
-      if param_or_nil("state")
-        if !fragment_params.empty?
-          fragment_params << "state=#{param('state')}"
-        else
-          query_params << "state=#{param('state')}"
-        end
+        response_mode ||= "fragment"
+        response_params.replace(_do_authorize_token)
+      when "code"
+        response_mode ||= "query"
+        response_params.replace(_do_authorize_code)
+      when "none"
+        response_mode ||= "none"
+      when "", nil
+        response_mode ||= oauth_response_mode
+        response_params.replace(_do_authorize_code)
       end
 
-      query_params << redirect_url.query if redirect_url.query
+      response_params["state"] = param("state") if param_or_nil("state")
 
-      redirect_url.query = query_params.join("&") unless query_params.empty?
-      redirect_url.fragment = fragment_params.join("&") unless fragment_params.empty?
+      [response_params, response_mode]
     end
 
     def _do_authorize_code
@@ -846,14 +1020,30 @@ module Rodauth
         }
         create_oauth_token_from_authorization_code(oauth_grant, create_params)
       when "refresh_token"
-        # fetch oauth token
-        oauth_token = oauth_token_by_refresh_token(param("refresh_token"))
-
-        redirect_response_error("invalid_grant") unless oauth_token
+        # fetch potentially revoked oauth token
+        oauth_token = oauth_token_by_refresh_token(param("refresh_token"), revoked: true)
+
+        if !oauth_token
+          redirect_response_error("invalid_grant")
+        elsif oauth_token[oauth_tokens_revoked_at_column]
+          if oauth_refresh_token_protection_policy == "rotation"
+            # https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00#section-6.1
+            #
+            # If a refresh token is compromised and subsequently used by both the attacker and the legitimate
+            # client, one of them will present an invalidated refresh token, which will inform the authorization
+            # server of the breach.  The authorization server cannot determine which party submitted the invalid
+            # refresh token, but it will revoke the active refresh token.  This stops the attack at the cost of
+            # forcing the legitimate client to obtain a fresh authorization grant.
+
+            db[oauth_tokens_table].where(oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column])
+                                  .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+          end
+          redirect_response_error("invalid_grant")
+        end
 
         update_params = {
           oauth_tokens_oauth_application_id_column => oauth_token[oauth_grants_oauth_application_id_column],
-          oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in
+          oauth_tokens_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
         }
         create_oauth_token_from_token(oauth_token, update_params)
       end
@@ -885,6 +1075,7 @@ module Rodauth
       redirect_response_error("invalid_grant") unless token_from_application?(oauth_token, oauth_application)
 
       rescue_from_uniqueness_error do
+        oauth_tokens_ds = db[oauth_tokens_table]
         token = oauth_unique_id_generator
 
         if oauth_tokens_token_hash_column
@@ -893,9 +1084,25 @@ module Rodauth
           update_params[oauth_tokens_token_column] = token
         end
 
-        ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+        oauth_token = if oauth_refresh_token_protection_policy == "rotation"
+                        insert_params = {
+                          **update_params,
+                          oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column],
+                          oauth_tokens_scopes_column => oauth_token[oauth_tokens_scopes_column]
+                        }
+
+                        # revoke the refresh token
+                        oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+                                       .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+
+                        insert_params[oauth_tokens_oauth_token_id_column] = oauth_token[oauth_tokens_id_column]
+                        __insert_and_return__(oauth_tokens_ds, oauth_tokens_id_column, insert_params)
+                      else
+                        # includes none
+                        ds = oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+                        __update_and_return__(ds, update_params)
+                      end
 
-        oauth_token = __update_and_return__(ds, update_params)
         oauth_token[oauth_tokens_token_column] = token
         oauth_token
       end
@@ -1000,9 +1207,17 @@ module Rodauth
       end
     end
 
-    def json_response_success(body)
+    def json_response_success(body, cache = false)
       response.status = 200
       response["Content-Type"] ||= json_response_content_type
+      if cache
+        # defaulting to 1-day for everyone, for now at least
+        max_age = 60 * 60 * 24
+        response["Cache-Control"] = "private, max-age=#{max_age}"
+      else
+        response["Cache-Control"] = "no-store"
+        response["Pragma"] = "no-cache"
+      end
       json_payload = _json_response_body(body)
       response.write(json_payload)
       request.halt
@@ -1122,7 +1337,7 @@ module Rodauth
       issuer += "/#{path}" if path
 
       responses_supported = %w[code]
-      response_modes_supported = %w[query]
+      response_modes_supported = %w[query form_post]
       grant_types_supported = %w[authorization_code]
 
       if use_oauth_implicit_grant_type?
@@ -1130,11 +1345,12 @@ module Rodauth
         response_modes_supported << "fragment"
         grant_types_supported << "implicit"
       end
+
       {
         issuer: issuer,
         authorization_endpoint: authorize_url,
         token_endpoint: token_url,
-        registration_endpoint: "#{base_url}/#{oauth_applications_path}",
+        registration_endpoint: route_url(oauth_applications_path),
         scopes_supported: oauth_application_scopes,
         response_types_supported: responses_supported,
         response_modes_supported: response_modes_supported,
@@ -1151,121 +1367,5 @@ module Rodauth
         code_challenge_methods_supported: (use_oauth_pkce? ? oauth_pkce_challenge_method : nil)
       }
     end
-
-    # /token
-    route(:token) do |r|
-      next unless is_authorization_server?
-
-      before_token_route
-      require_oauth_application
-
-      r.post do
-        catch_error do
-          validate_oauth_token_params
-
-          oauth_token = nil
-          transaction do
-            before_token
-            oauth_token = create_oauth_token
-          end
-
-          json_response_success(json_access_token_payload(oauth_token))
-        end
-
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
-      end
-    end
-
-    # /introspect
-    route(:introspect) do |r|
-      next unless is_authorization_server?
-
-      before_introspect_route
-
-      r.post do
-        catch_error do
-          validate_oauth_introspect_params
-
-          before_introspect
-          oauth_token = case param("token_type_hint")
-                        when "access_token"
-                          oauth_token_by_token(param("token"))
-                        when "refresh_token"
-                          oauth_token_by_refresh_token(param("token"))
-                        else
-                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
-                        end
-
-          if oauth_application
-            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
-          elsif oauth_token
-            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
-              oauth_token[oauth_tokens_oauth_application_id_column]).first
-          end
-
-          json_response_success(json_token_introspect_payload(oauth_token))
-        end
-
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
-      end
-    end
-
-    # /revoke
-    route(:revoke) do |r|
-      next unless is_authorization_server?
-
-      before_revoke_route
-      require_oauth_application
-
-      r.post do
-        catch_error do
-          validate_oauth_revoke_params
-
-          oauth_token = nil
-          transaction do
-            before_revoke
-            oauth_token = revoke_oauth_token
-            after_revoke
-          end
-
-          if accepts_json?
-            json_response_success \
-              "token" => oauth_token[oauth_tokens_token_column],
-              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
-              "revoked_at" => oauth_token[oauth_tokens_revoked_at_column]
-          else
-            set_notice_flash revoke_oauth_token_notice_flash
-            redirect request.referer || "/"
-          end
-        end
-
-        redirect_response_error("invalid_request", request.referer || "/")
-      end
-    end
-
-    # /authorize
-    route(:authorize) do |r|
-      next unless is_authorization_server?
-
-      before_authorize_route
-      require_authorizable_account
-
-      validate_oauth_grant_params
-      try_approval_prompt if use_oauth_access_type? && request.get?
-
-      r.get do
-        authorize_view
-      end
-
-      r.post do
-        redirect_url = URI.parse(redirect_uri)
-
-        transaction do
-          before_authorize
-          do_authorize(redirect_url)
-        end
-        redirect(redirect_url.to_s)
-      end
-    end
   end
 end