rodauth-oauth 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24f3563d467a065dc119cbe53c0f14c8f28654d6512de0b7fd09a99e3f4aabdb
-  data.tar.gz: 8abc6dc62b463885f7198cafec57fe707f99885e67754be1d7cefbbefa31a834
+  metadata.gz: b09ecfc1d3a8ee0f5b890620baa14ca6d847362bf38dd158e02bd2c8ebfc204e
+  data.tar.gz: 89f0e82d7721f7ee175b1c53b7b3e0cc534e6983fe37dfc02e433df77b58225d
 SHA512:
-  metadata.gz: 9fd172c9930f1cf88239a8f5ba7d5c93dc9c92b05a601c6f909b5ad12e4319ce0aa093831b93dad93542fdda0cdc1694b001ca78922239e80a2370472373b9a5
-  data.tar.gz: 26e8e9c619425213f2cd5f21e7710f9561c0b0395bd8928656584c88586f4197bf80a765d9a90baea604ef9fdaff5c27f4b8447adf3fa617463e26b7b0a08470
+  metadata.gz: d00a178f561ddecacff0587e1120b68bb22cd10b76b106b00f41167ba9c8bd8b2b8958fd629588924e502be8c947a81d3722102038cd329c006f4b4daf6efada
+  data.tar.gz: 328542ba8ce7ef8e8f605056a9a8cbf6599136232d93f7246b13fe037ebc07225e2051b3ee454eb90ec4ae480e2b493d662d1cbbcd0ae5cc7e57a0ff29b10696

data/CHANGELOG.md

@@ -2,18 +2,37 @@
 
 ## master
 
+### 0.4.0
+
+### Features
+
+* A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
+
+* The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
+
+
+### Improvements
+
+* For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
+
+### Bugfixes
+
+* The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
+* rails tests were silently not running in CI;
+* The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted;
+
 ### 0.3.0
 
 #### Features
 
-* `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also,  refresh token requests doen with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
+* `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also,  refresh token requests performed with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
 
 #### Improvements
 
 
 * Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
 
-* Refresh Tokens are now expired. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective token expired.
+* Refresh Tokens are now expirable. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.
 
 #### Bugfixes
 

data/lib/rodauth/features/oauth.rb

@@ -84,6 +84,7 @@ module Rodauth
 
     auth_value_method :oauth_require_pkce, false
     auth_value_method :oauth_pkce_challenge_method, "S256"
+    auth_value_method :oauth_response_mode, "query"
 
     auth_value_method :oauth_valid_uri_schemes, %w[https]
 
@@ -100,6 +101,7 @@ module Rodauth
     button "Register", "oauth_application"
     button "Authorize", "oauth_authorize"
     button "Revoke", "oauth_token_revoke"
+    button "Back to Client Application", "oauth_authorize_post"
 
     # OAuth Token
     auth_value_method :oauth_tokens_path, "oauth-tokens"
@@ -313,11 +315,41 @@ module Rodauth
       r.post do
         redirect_url = URI.parse(redirect_uri)
 
-        transaction do
+        params, mode = transaction do
           before_authorize
-          do_authorize(redirect_url)
+          do_authorize
+        end
+
+        case mode
+        when "query"
+          params = params.map { |k, v| "#{k}=#{v}" }
+          params << redirect_url.query if redirect_url.query
+          redirect_url.query = params.join("&")
+          redirect(redirect_url.to_s)
+        when "fragment"
+          params = params.map { |k, v| "#{k}=#{v}" }
+          params << redirect_url.query if redirect_url.query
+          redirect_url.fragment = params.join("&")
+          redirect(redirect_url.to_s)
+        when "form_post"
+          scope.view layout: false, inline: <<-FORM
+            <html>
+              <head><title>Authorized</title></head>
+              <body onload="javascript:document.forms[0].submit()">
+                <form method="post" action="#{redirect_uri}">
+                  #{
+                    params.map do |name, value|
+                      "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+                    end.join
+                  }
+                  <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
+                </form>
+              </body>
+            </html>
+          FORM
+        when "none"
+          redirect(redirect_url.to_s)
         end
-        redirect(redirect_url.to_s)
       end
     end
 
@@ -848,6 +880,9 @@ module Rodauth
       end
       redirect_response_error("invalid_scope") unless check_valid_scopes?
 
+      if (response_mode = param_or_nil("response_mode")) && response_mode != "form_post"
+        redirect_response_error("invalid_request")
+      end
       validate_pkce_challenge_params if use_oauth_pkce?
     end
 
@@ -899,28 +934,26 @@ module Rodauth
       create_params[oauth_grants_code_column]
     end
 
-    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       case param("response_type")
       when "token"
         redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
 
-        fragment_params.replace(_do_authorize_token.map { |k, v| "#{k}=#{v}" })
-      when "code", "", nil
-        query_params.replace(_do_authorize_code.map { |k, v| "#{k}=#{v}" })
-      end
-
-      if param_or_nil("state")
-        if !fragment_params.empty?
-          fragment_params << "state=#{param('state')}"
-        else
-          query_params << "state=#{param('state')}"
-        end
+        response_mode ||= "fragment"
+        response_params.replace(_do_authorize_token)
+      when "code"
+        response_mode ||= "query"
+        response_params.replace(_do_authorize_code)
+      when "none"
+        response_mode ||= "none"
+      when "", nil
+        response_mode ||= oauth_response_mode
+        response_params.replace(_do_authorize_code)
       end
 
-      query_params << redirect_url.query if redirect_url.query
+      response_params["state"] = param("state") if param_or_nil("state")
 
-      redirect_url.query = query_params.join("&") unless query_params.empty?
-      redirect_url.fragment = fragment_params.join("&") unless fragment_params.empty?
+      [response_params, response_mode]
     end
 
     def _do_authorize_code
@@ -1296,7 +1329,7 @@ module Rodauth
       issuer += "/#{path}" if path
 
       responses_supported = %w[code]
-      response_modes_supported = %w[query]
+      response_modes_supported = %w[query form_post]
       grant_types_supported = %w[authorization_code]
 
       if use_oauth_implicit_grant_type?

data/lib/rodauth/features/oauth_http_mac.rb

@@ -8,20 +8,16 @@ module Rodauth
           def delete_suffix(suffix)
             suffix = suffix.to_s
             len = suffix.length
-            if len.positive? && index(suffix, -len)
-              self[0...-len]
-            else
-              dup
-            end
+            return dup unless len.positive? && index(suffix, -len)
+
+            self[0...-len]
           end
 
           def delete_prefix(prefix)
             prefix = prefix.to_s
-            if rindex(prefix, 0)
-              self[prefix.length..-1]
-            else
-              dup
-            end
+            return dup unless rindex(prefix, 0)
+
+            self[prefix.length..-1]
           end
         end
       end

data/lib/rodauth/features/oidc.rb

@@ -2,11 +2,12 @@
 
 module Rodauth
   Feature.define(:oidc) do
+    # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
     OIDC_SCOPES_MAP = {
       "profile" => %i[name family_name given_name middle_name nickname preferred_username
                       profile picture website gender birthdate zoneinfo locale updated_at].freeze,
       "email" => %i[email email_verified].freeze,
-      "address" => %i[address].freeze,
+      "address" => %i[formatted street_address locality region postal_code country].freeze,
       "phone" => %i[phone_number phone_number_verified].freeze
     }.freeze
 
@@ -74,7 +75,7 @@ module Rodauth
     auth_value_method :oauth_prompt_login_cookie_options, {}.freeze
     auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
 
-    auth_value_methods(:get_oidc_param)
+    auth_value_methods(:get_oidc_param, :get_additional_param)
 
     # /userinfo
     route(:userinfo) do |r|
@@ -245,8 +246,11 @@ module Rodauth
       oauth_token[:id_token] = jwt_encode(id_token_claims)
     end
 
+    # aka fill_with_standard_claims
     def fill_with_account_claims(claims, account, scopes)
-      scopes_by_oidc = scopes.each_with_object({}) do |scope, by_oidc|
+      scopes_by_claim = scopes.each_with_object({}) do |scope, by_oidc|
+        next if scope == "openid"
+
         oidc, param = scope.split(".", 2)
 
         by_oidc[oidc] ||= []
@@ -254,21 +258,33 @@ module Rodauth
         by_oidc[oidc] << param.to_sym if param
       end
 
-      oidc_scopes = (OIDC_SCOPES_MAP.keys & scopes_by_oidc.keys)
-
-      return if oidc_scopes.empty?
+      oidc_scopes, additional_scopes = scopes_by_claim.keys.partition { |key| OIDC_SCOPES_MAP.key?(key) }
 
-      if respond_to?(:get_oidc_param)
-        oidc_scopes.each do |scope|
-          params = scopes_by_oidc[scope]
-          params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
+      unless oidc_scopes.empty?
+        if respond_to?(:get_oidc_param)
+          oidc_scopes.each do |scope|
+            scope_claims = claims
+            params = scopes_by_claim[scope]
+            params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
 
-          params.each do |param|
-            claims[param] = __send__(:get_oidc_param, account, param)
+            scope_claims = (claims["address"] = {}) if scope == "address"
+            params.each do |param|
+              scope_claims[param] = __send__(:get_oidc_param, account, param)
+            end
           end
+        else
+          warn "`get_oidc_param(account, claim)` must be implemented to use oidc scopes."
+        end
+      end
+
+      return if additional_scopes.empty?
+
+      if respond_to?(:get_additional_param)
+        additional_scopes.each do |scope|
+          claims[scope] = __send__(:get_additional_param, account, scope.to_sym)
         end
       else
-        warn "`get_oidc_param(token, param)` must be implemented to use oidc scopes."
+        warn "`get_additional_param(account, claim)` must be implemented to use oidc scopes."
       end
     end
 
@@ -290,33 +306,27 @@ module Rodauth
       end
     end
 
-    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       return super unless use_oauth_implicit_grant_type?
 
       case param("response_type")
       when "id_token"
-        fragment_params.replace(_do_authorize_id_token.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_id_token)
       when "code token"
         redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
 
-        params = _do_authorize_code.merge(_do_authorize_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_token))
       when "code id_token"
-        params = _do_authorize_code.merge(_do_authorize_id_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_id_token))
       when "id_token token"
-        params = _do_authorize_id_token.merge(_do_authorize_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_id_token.merge(_do_authorize_token))
       when "code id_token token"
-        params = _do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token)
 
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token))
       end
+      response_mode ||= "fragment" unless response_params.empty?
 
-      super(redirect_url, query_params, fragment_params)
+      super(response_params, response_mode)
     end
 
     def _do_authorize_id_token
@@ -351,13 +361,14 @@ module Rodauth
 
       scope_claims.unshift("auth_time") if last_account_login_at
 
+      response_types_supported = metadata[:response_types_supported]
+      if use_oauth_implicit_grant_type?
+        response_types_supported += ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"]
+      end
+
       metadata.merge(
         userinfo_endpoint: userinfo_url,
-        response_types_supported: metadata[:response_types_supported] +
-          ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"],
-        response_modes_supported: %w[query fragment],
-        grant_types_supported: %w[authorization_code implicit],
-
+        response_types_supported: response_types_supported,
         subject_types_supported: [oauth_jwt_subject_type],
 
         id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],

data/lib/rodauth/oauth/ttl_store.rb

@@ -13,7 +13,7 @@ class Rodauth::OAuth::TtlStore
 
   def initialize
     @store_mutex = Mutex.new
-    @store = Hash.new {}
+    @store = {}
   end
 
   def [](key)

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.3.0"
+    VERSION = "0.4.0"
   end
 end

data/templates/authorize.str

@@ -20,6 +20,7 @@
 
     #{"<input type=\"hidden\" name=\"access_type\" value=\"#{rodauth.param("access_type")}\"/>" if rodauth.param_or_nil("access_type")}
     #{"<input type=\"hidden\" name=\"response_type\" value=\"#{rodauth.param("response_type")}\"/>" if rodauth.param_or_nil("response_type")}
+    #{"<input type=\"hidden\" name=\"response_mode\" value=\"#{rodauth.param("response_mode")}\"/>" if rodauth.param_or_nil("response_mode")}
     #{"<input type=\"hidden\" name=\"state\" value=\"#{rodauth.param("state")}\"/>" if rodauth.param_or_nil("state")}
     #{"<input type=\"hidden\" name=\"nonce\" value=\"#{rodauth.param("nonce")}\"/>" if rodauth.param_or_nil("nonce")}
     #{"<input type=\"hidden\" name=\"redirect_uri\" value=\"#{rodauth.redirect_uri}\"/>" if rodauth.param_or_nil("redirect_uri")}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-08 00:00:00.000000000 Z
+date: 2020-11-13 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -71,7 +71,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.