rodauth-oauth 0.2.0 → 0.4.3

data/lib/rodauth/features/oauth_http_mac.rb

@@ -8,20 +8,16 @@ module Rodauth
           def delete_suffix(suffix)
             suffix = suffix.to_s
             len = suffix.length
-            if len.positive? && index(suffix, -len)
-              self[0...-len]
-            else
-              dup
-            end
+            return dup unless len.positive? && index(suffix, -len)
+
+            self[0...-len]
           end
 
           def delete_prefix(prefix)
             prefix = prefix.to_s
-            if rindex(prefix, 0)
-              self[prefix.length..-1]
-            else
-              dup
-            end
+            return dup unless rindex(prefix, 0)
+
+            self[prefix.length..-1]
           end
         end
       end

data/lib/rodauth/features/oauth_jwt.rb

@@ -6,6 +6,8 @@ module Rodauth
   Feature.define(:oauth_jwt) do
     depends :oauth
 
+    JWKS = OAuth::TtlStore.new
+
     auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
     auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
 
@@ -39,7 +41,13 @@ module Rodauth
       :last_account_login_at
     )
 
-    JWKS = OAuth::TtlStore.new
+    route(:jwks) do |r|
+      next unless is_authorization_server?
+
+      r.get do
+        json_response_success({ keys: jwks_set }, true)
+      end
+    end
 
     def require_oauth_authorization(*scopes)
       authorization_required unless authorization_token
@@ -168,7 +176,7 @@ module Rodauth
 
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
-        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
       }.merge(params)
 
       oauth_token = rescue_from_uniqueness_error do
@@ -198,7 +206,7 @@ module Rodauth
     end
 
     def jwt_claims(oauth_token)
-      issued_at = Time.now.utc.to_i
+      issued_at = Time.now.to_i
 
       claims = {
         iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
@@ -219,7 +227,7 @@ module Rodauth
         aud: (oauth_jwt_audience || oauth_application[oauth_applications_client_id_column])
       }
 
-      claims[:auth_time] = last_account_login_at.utc.to_i if last_account_login_at
+      claims[:auth_time] = last_account_login_at.to_i if last_account_login_at
 
       claims
     end
@@ -237,7 +245,7 @@ module Rodauth
       end
     end
 
-    def oauth_token_by_token(token, *)
+    def oauth_token_by_token(token)
       jwt_decode(token)
     end
 
@@ -300,9 +308,9 @@ module Rodauth
         # time-to-live
         ttl = if response.key?("cache-control")
                 cache_control = response["cache-control"]
-                cache_control[/max-age=(\d+)/, 1]
+                cache_control[/max-age=(\d+)/, 1].to_i
               elsif response.key?("expires")
-                DateTime.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+                Time.parse(response["expires"]).to_i - Time.now.to_i
               end
 
         [JSON.parse(response.body, symbolize_names: true), ttl]
@@ -454,13 +462,5 @@ module Rodauth
 
       super
     end
-
-    route(:jwks) do |r|
-      next unless is_authorization_server?
-
-      r.get do
-        json_response_success({ keys: jwks_set })
-      end
-    end
   end
 end

data/lib/rodauth/features/oidc.rb

@@ -2,14 +2,63 @@
 
 module Rodauth
   Feature.define(:oidc) do
+    # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
     OIDC_SCOPES_MAP = {
       "profile" => %i[name family_name given_name middle_name nickname preferred_username
                       profile picture website gender birthdate zoneinfo locale updated_at].freeze,
       "email" => %i[email email_verified].freeze,
-      "address" => %i[address].freeze,
+      "address" => %i[formatted street_address locality region postal_code country].freeze,
       "phone" => %i[phone_number phone_number_verified].freeze
     }.freeze
 
+    VALID_METADATA_KEYS = %i[
+      issuer
+      authorization_endpoint
+      token_endpoint
+      userinfo_endpoint
+      jwks_uri
+      registration_endpoint
+      scopes_supported
+      response_types_supported
+      response_modes_supported
+      grant_types_supported
+      acr_values_supported
+      subject_types_supported
+      id_token_signing_alg_values_supported
+      id_token_encryption_alg_values_supported
+      id_token_encryption_enc_values_supported
+      userinfo_signing_alg_values_supported
+      userinfo_encryption_alg_values_supported
+      userinfo_encryption_enc_values_supported
+      request_object_signing_alg_values_supported
+      request_object_encryption_alg_values_supported
+      request_object_encryption_enc_values_supported
+      token_endpoint_auth_methods_supported
+      token_endpoint_auth_signing_alg_values_supported
+      display_values_supported
+      claim_types_supported
+      claims_supported
+      service_documentation
+      claims_locales_supported
+      ui_locales_supported
+      claims_parameter_supported
+      request_parameter_supported
+      request_uri_parameter_supported
+      require_request_uri_registration
+      op_policy_uri
+      op_tos_uri
+    ].freeze
+
+    REQUIRED_METADATA_KEYS = %i[
+      issuer
+      authorization_endpoint
+      token_endpoint
+      jwks_uri
+      response_types_supported
+      subject_types_supported
+      id_token_signing_alg_values_supported
+    ].freeze
+
     depends :oauth_jwt
 
     auth_value_method :oauth_application_default_scope, "openid"
@@ -22,12 +71,47 @@ module Rodauth
 
     auth_value_method :webfinger_relation, "http://openid.net/specs/connect/1.0/issuer"
 
-    auth_value_methods(:get_oidc_param)
+    auth_value_method :oauth_prompt_login_cookie_key, "_rodauth_oauth_prompt_login"
+    auth_value_method :oauth_prompt_login_cookie_options, {}.freeze
+    auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
+
+    auth_value_methods(:get_oidc_param, :get_additional_param)
+
+    # /userinfo
+    route(:userinfo) do |r|
+      next unless is_authorization_server?
+
+      r.on method: %i[get post] do
+        catch_error do
+          oauth_token = authorization_token
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_token
+
+          oauth_scopes = oauth_token["scope"].split(" ")
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
+
+          account = db[accounts_table].where(account_id_column => oauth_token["sub"]).first
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless account
+
+          oauth_scopes.delete("openid")
+
+          oidc_claims = { "sub" => oauth_token["sub"] }
+
+          fill_with_account_claims(oidc_claims, account, oauth_scopes)
+
+          json_response_success(oidc_claims)
+        end
+
+        throw_json_response_error(authorization_required_error_status, "invalid_token")
+      end
+    end
 
     def openid_configuration(issuer = nil)
       request.on(".well-known/openid-configuration") do
         request.get do
-          json_response_success(openid_configuration_body(issuer))
+          json_response_success(openid_configuration_body(issuer), cache: true)
         end
       end
     end
@@ -57,6 +141,68 @@ module Rodauth
 
     private
 
+    def require_authorizable_account
+      try_prompt if param_or_nil("prompt")
+      super
+    end
+
+    # this executes before checking for a logged in account
+    def try_prompt
+      prompt = param_or_nil("prompt")
+
+      case prompt
+      when "none"
+        redirect_response_error("login_required") unless logged_in?
+
+        require_account
+
+        if db[oauth_grants_table].where(
+          oauth_grants_account_id_column => account_id,
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_redirect_uri_column => redirect_uri,
+          oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+          oauth_grants_access_type_column => "online"
+        ).count.zero?
+          redirect_response_error("consent_required")
+        end
+
+        request.env["REQUEST_METHOD"] = "POST"
+      when "login"
+        if logged_in? && request.cookies[oauth_prompt_login_cookie_key] == "login"
+          ::Rack::Utils.delete_cookie_header!(response.headers, oauth_prompt_login_cookie_key, oauth_prompt_login_cookie_options)
+          return
+        end
+
+        # logging out
+        clear_session
+        set_session_value(login_redirect_session_key, request.fullpath)
+
+        login_cookie_opts = Hash[oauth_prompt_login_cookie_options]
+        login_cookie_opts[:value] = "login"
+        login_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_prompt_login_interval) # 15 minutes
+        ::Rack::Utils.set_cookie_header!(response.headers, oauth_prompt_login_cookie_key, login_cookie_opts)
+
+        redirect require_login_redirect
+      when "consent"
+        require_account
+
+        if db[oauth_grants_table].where(
+          oauth_grants_account_id_column => account_id,
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_redirect_uri_column => redirect_uri,
+          oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+          oauth_grants_access_type_column => "online"
+        ).count.zero?
+          redirect_response_error("consent_required")
+        end
+      when "select-account"
+        # obly works if select_account plugin is available
+        require_select_account if respond_to?(:require_select_account)
+      else
+        redirect_response_error("invalid_request")
+      end
+    end
+
     def create_oauth_grant(create_params = {})
       return super unless (nonce = param_or_nil("nonce"))
 
@@ -100,8 +246,11 @@ module Rodauth
       oauth_token[:id_token] = jwt_encode(id_token_claims)
     end
 
+    # aka fill_with_standard_claims
     def fill_with_account_claims(claims, account, scopes)
-      scopes_by_oidc = scopes.each_with_object({}) do |scope, by_oidc|
+      scopes_by_claim = scopes.each_with_object({}) do |scope, by_oidc|
+        next if scope == "openid"
+
         oidc, param = scope.split(".", 2)
 
         by_oidc[oidc] ||= []
@@ -109,21 +258,33 @@ module Rodauth
         by_oidc[oidc] << param.to_sym if param
       end
 
-      oidc_scopes = (OIDC_SCOPES_MAP.keys & scopes_by_oidc.keys)
-
-      return if oidc_scopes.empty?
+      oidc_scopes, additional_scopes = scopes_by_claim.keys.partition { |key| OIDC_SCOPES_MAP.key?(key) }
 
-      if respond_to?(:get_oidc_param)
-        oidc_scopes.each do |scope|
-          params = scopes_by_oidc[scope]
-          params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
+      unless oidc_scopes.empty?
+        if respond_to?(:get_oidc_param)
+          oidc_scopes.each do |scope|
+            scope_claims = claims
+            params = scopes_by_claim[scope]
+            params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
 
-          params.each do |param|
-            claims[param] = __send__(:get_oidc_param, account, param)
+            scope_claims = (claims["address"] = {}) if scope == "address"
+            params.each do |param|
+              scope_claims[param] = __send__(:get_oidc_param, account, param)
+            end
           end
+        else
+          warn "`get_oidc_param(account, claim)` must be implemented to use oidc scopes."
+        end
+      end
+
+      return if additional_scopes.empty?
+
+      if respond_to?(:get_additional_param)
+        additional_scopes.each do |scope|
+          claims[scope] = __send__(:get_additional_param, account, scope.to_sym)
         end
       else
-        warn "`get_oidc_param(token, param)` must be implemented to use oidc scopes."
+        warn "`get_additional_param(account, claim)` must be implemented to use oidc scopes."
       end
     end
 
@@ -145,33 +306,27 @@ module Rodauth
       end
     end
 
-    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       return super unless use_oauth_implicit_grant_type?
 
       case param("response_type")
       when "id_token"
-        fragment_params.replace(_do_authorize_id_token.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_id_token)
       when "code token"
         redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
 
-        params = _do_authorize_code.merge(_do_authorize_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_token))
       when "code id_token"
-        params = _do_authorize_code.merge(_do_authorize_id_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_id_token))
       when "id_token token"
-        params = _do_authorize_id_token.merge(_do_authorize_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_id_token.merge(_do_authorize_token))
       when "code id_token token"
-        params = _do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token)
 
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token))
       end
+      response_mode ||= "fragment" unless response_params.empty?
 
-      super(redirect_url, query_params, fragment_params)
+      super(response_params, response_mode)
     end
 
     def _do_authorize_id_token
@@ -190,7 +345,9 @@ module Rodauth
     # Metadata
 
     def openid_configuration_body(path)
-      metadata = oauth_server_metadata_body(path)
+      metadata = oauth_server_metadata_body(path).select do |k, _|
+        VALID_METADATA_KEYS.include?(k)
+      end
 
       scope_claims = oauth_application_scopes.each_with_object([]) do |scope, claims|
         oidc, param = scope.split(".", 2)
@@ -204,63 +361,38 @@ module Rodauth
 
       scope_claims.unshift("auth_time") if last_account_login_at
 
-      metadata.merge({
-                       userinfo_endpoint: userinfo_url,
-                       response_types_supported: metadata[:response_types_supported] +
-                         ["none", "id_token", %w[code token], %w[code id_token], %w[id_token token], %w[code id_token token]],
-                       response_modes_supported: %w[query fragment],
-                       grant_types_supported: %w[authorization_code implicit],
-
-                       subject_types_supported: [oauth_jwt_subject_type],
-
-                       id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],
-                       id_token_encryption_alg_values_supported: [oauth_jwt_jwe_algorithm].compact,
-                       id_token_encryption_enc_values_supported: [oauth_jwt_jwe_encryption_method].compact,
-
-                       userinfo_signing_alg_values_supported: [],
-                       userinfo_encryption_alg_values_supported: [],
-                       userinfo_encryption_enc_values_supported: [],
-
-                       request_object_signing_alg_values_supported: [],
-                       request_object_encryption_alg_values_supported: [],
-                       request_object_encryption_enc_values_supported: [],
-
-                       # These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
-                       # Values defined by this specification are normal, aggregated, and distributed.
-                       # If omitted, the implementation supports only normal Claims.
-                       claim_types_supported: %w[normal],
-                       claims_supported: %w[sub iss iat exp aud] | scope_claims
-                     })
-    end
-
-    # /userinfo
-    route(:userinfo) do |r|
-      next unless is_authorization_server?
-
-      r.on method: %i[get post] do
-        catch_error do
-          oauth_token = authorization_token
-
-          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_token
-
-          oauth_scopes = oauth_token["scope"].split(" ")
-
-          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
-
-          account = db[accounts_table].where(account_id_column => oauth_token["sub"]).first
-
-          throw_json_response_error(authorization_required_error_status, "invalid_token") unless account
-
-          oauth_scopes.delete("openid")
-
-          oidc_claims = { "sub" => oauth_token["sub"] }
-
-          fill_with_account_claims(oidc_claims, account, oauth_scopes)
-
-          json_response_success(oidc_claims)
-        end
+      response_types_supported = metadata[:response_types_supported]
+      if use_oauth_implicit_grant_type?
+        response_types_supported += ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"]
+      end
 
-        throw_json_response_error(authorization_required_error_status, "invalid_token")
+      metadata.merge(
+        userinfo_endpoint: userinfo_url,
+        response_types_supported: response_types_supported,
+        subject_types_supported: [oauth_jwt_subject_type],
+
+        id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],
+        id_token_encryption_alg_values_supported: [oauth_jwt_jwe_algorithm].compact,
+        id_token_encryption_enc_values_supported: [oauth_jwt_jwe_encryption_method].compact,
+
+        userinfo_signing_alg_values_supported: [],
+        userinfo_encryption_alg_values_supported: [],
+        userinfo_encryption_enc_values_supported: [],
+
+        request_object_signing_alg_values_supported: [],
+        request_object_encryption_alg_values_supported: [],
+        request_object_encryption_enc_values_supported: [],
+
+        # These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
+        # Values defined by this specification are normal, aggregated, and distributed.
+        # If omitted, the implementation supports only normal Claims.
+        claim_types_supported: %w[normal],
+        claims_supported: %w[sub iss iat exp aud] | scope_claims
+      ).reject do |key, val|
+        # Filter null values in optional items
+        (!REQUIRED_METADATA_KEYS.include?(key.to_sym) && val.nil?) ||
+          # Claims with zero elements MUST be omitted from the response
+          (val.respond_to?(:empty?) && val.empty?)
       end
     end
   end