rodauth-oauth 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24f3563d467a065dc119cbe53c0f14c8f28654d6512de0b7fd09a99e3f4aabdb
-  data.tar.gz: 8abc6dc62b463885f7198cafec57fe707f99885e67754be1d7cefbbefa31a834
+  metadata.gz: 7324d08b229d4bfdea92df95c769539570565e161d758a38d95bea50f78fda96
+  data.tar.gz: c421e4886baf39eb9ebe04e6919c6ab292d3c85dbc32bc78e5d8992c17a40816
 SHA512:
-  metadata.gz: 9fd172c9930f1cf88239a8f5ba7d5c93dc9c92b05a601c6f909b5ad12e4319ce0aa093831b93dad93542fdda0cdc1694b001ca78922239e80a2370472373b9a5
-  data.tar.gz: 26e8e9c619425213f2cd5f21e7710f9561c0b0395bd8928656584c88586f4197bf80a765d9a90baea604ef9fdaff5c27f4b8447adf3fa617463e26b7b0a08470
+  metadata.gz: 4ba7e8a7975260618034285b77d4489416fe368c500b31516e7dd69d89e75863e18bebdb4868a72caa61fa2ed93541f1da6ea1c9c9d4cf15072bf4008209a1a9
+  data.tar.gz: 87e9f031183ede6af4f338f60ff5ae5f7a8581412068abb484b5312de4a6962fcaa68cb95eae8aab7c755adc4e1c0ada6e3e19b009ece35d4902cc84d1ab1e01

data/CHANGELOG.md

@@ -2,18 +2,69 @@
 
 ## master
 
-### 0.3.0
+### 0.5.0 (08/02/2021)
+
+#### RP-Initiated Logout
+
+The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
+
+#### Security
+
+The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the claims of used JWT tokens. This is a **very important security fix**, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
+
+A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.
+
+### 0.4.3 (09/12/2020)
+
+* Introspection requests made to an Authorization Server in "resource server" mode are not correctly encoding the body using the "application/x-www-form-urlencoded" format.
+
+### 0.4.2 (24/11/2020)
+
+#### Bugfixes
+
+* database extensions were being run in resource server mode, when it's not expected that the oauth db tables are around.
+
+### 0.4.1 (24/11/2020)
+
+#### Improvements
+
+When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
+
+#### Bugfixes
+
+* An error occurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.
+
+### 0.4.0 (13/11/2020)
 
 #### Features
 
-* `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also,  refresh token requests doen with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
+* A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
+
+* The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
+
+
+#### Improvements
+
+* For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
+
+#### Bugfixes
+
+* The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
+* rails tests were silently not running in CI;
+* The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted;
+
+### 0.3.0 (8/10/2020)
+
+#### Features
+
+* `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also,  refresh token requests performed with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
 
 #### Improvements
 
 
 * Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
 
-* Refresh Tokens are now expired. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective token expired.
+* Refresh Tokens are now expirable. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.
 
 #### Bugfixes
 
@@ -31,7 +82,7 @@ Use `rodauth.convert_timestamp` in the templates, whenever dates are displayed.
 
 Set HTTP Cache headers for metadata responses, such as `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`, so they can be stored at the edge. The cache will be valid for 1 day (this value isn't set by an option yet).
 
-### 0.2.0
+### 0.2.0 (9/9/2020)
 
 #### Features
 
@@ -75,9 +126,7 @@ Fixed some mishandling of HTTP headers when in in resource-server mode.
 * 97.7% test coverage;
 * `rodauth-oauth` CI tests run against sqlite, postgresql and mysql.
 
-### 0.1.0
-
-(31/7/2020)
+### 0.1.0 (31/7/2020)
 
 #### Features
 
@@ -123,9 +172,7 @@ URI schemes for client applications redirect URIs have to be `https`. In order t
 * fixed trailing "/" in the "issuer" value in server metadata (`https://server.com/` -> `https://server.com`).
 
 
-### 0.0.6
-
-(6/7/2020)
+### 0.0.6 (6/7/2020)
 
 #### Features
 
@@ -148,9 +195,7 @@ The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (se
 Removed React Javascript from example applications.
 
 
-### 0.0.5
-
-(26/6/2020)
+### 0.0.5 (26/6/2020)
 
 #### Features
 
@@ -187,9 +232,7 @@ It **requires** the authorization to implement the server metadata endpoint (`/.
 * option `scopes_param` renamed to `scope_param`;
 *
 
-## 0.0.4
-
-(13/6/2020)
+## 0.0.4 (13/6/2020)
 
 ### Features
 
@@ -226,9 +269,7 @@ The `oauth_jwt` feature now allows the usage of access tokens to authorize the g
 
 * Fixed scope claim of JWT ("scopes" -> "scope");
 
-## 0.0.3
-
-(5/6/2020)
+## 0.0.3 (5/6/2020)
 
 ### Features
 
@@ -260,9 +301,7 @@ end
 * renamed the existing `use_oauth_implicit_grant_type` to `use_oauth_implicit_grant_type?`;
 * It's now usable as JSON API (small caveat: POST authorize will still redirect on success...);
 
-## 0.0.2
-
-(29/5/2020)
+## 0.0.2 (29/5/2020)
 
 ### Features
 
@@ -278,8 +317,6 @@ end
 
 * usage of client secret for authorizing the generation of tokens, as the spec mandates (and refraining from them when doing PKCE).
 
-## 0.0.1
-
-(14/5/2020)
+## 0.0.1 (14/5/2020)
 
 Initial implementation of the Oauth 2.0 framework, with an example app done using roda.

data/README.md

@@ -25,7 +25,12 @@ This gem implements the following RFCs and features of OAuth:
 * [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
 * OAuth application and token management dashboards;
 
-It also implements the [OpenID Connect layer](https://openid.net/connect/) on top of the OAuth features it provides.
+It also implements the [OpenID Connect layer](https://openid.net/connect/) on top of the OAuth features it provides, including:
+
+* [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
+* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
+* [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
+* [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 
@@ -104,7 +109,7 @@ For OpenID, it's very similar to the example above:
 ```ruby
 plugin :rodauth do
   # enable it in the plugin
-  enable :login, :openid
+  enable :login, :oidc
   oauth_application_default_scope %w[openid]
   oauth_application_scopes %w[openid email profile]
 end

data/lib/rodauth/features/oauth.rb

@@ -84,6 +84,7 @@ module Rodauth
 
     auth_value_method :oauth_require_pkce, false
     auth_value_method :oauth_pkce_challenge_method, "S256"
+    auth_value_method :oauth_response_mode, "query"
 
     auth_value_method :oauth_valid_uri_schemes, %w[https]
 
@@ -100,6 +101,7 @@ module Rodauth
     button "Register", "oauth_application"
     button "Authorize", "oauth_authorize"
     button "Revoke", "oauth_token_revoke"
+    button "Back to Client Application", "oauth_authorize_post"
 
     # OAuth Token
     auth_value_method :oauth_tokens_path, "oauth-tokens"
@@ -313,11 +315,41 @@ module Rodauth
       r.post do
         redirect_url = URI.parse(redirect_uri)
 
-        transaction do
+        params, mode = transaction do
           before_authorize
-          do_authorize(redirect_url)
+          do_authorize
+        end
+
+        case mode
+        when "query"
+          params = params.map { |k, v| "#{k}=#{v}" }
+          params << redirect_url.query if redirect_url.query
+          redirect_url.query = params.join("&")
+          redirect(redirect_url.to_s)
+        when "fragment"
+          params = params.map { |k, v| "#{k}=#{v}" }
+          params << redirect_url.query if redirect_url.query
+          redirect_url.fragment = params.join("&")
+          redirect(redirect_url.to_s)
+        when "form_post"
+          scope.view layout: false, inline: <<-FORM
+            <html>
+              <head><title>Authorized</title></head>
+              <body onload="javascript:document.forms[0].submit()">
+                <form method="post" action="#{redirect_uri}">
+                  #{
+                    params.map do |name, value|
+                      "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+                    end.join
+                  }
+                  <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
+                </form>
+              </body>
+            </html>
+          FORM
+        when "none"
+          redirect(redirect_url.to_s)
         end
-        redirect(redirect_url.to_s)
       end
     end
 
@@ -457,13 +489,13 @@ module Rodauth
     def fetch_access_token
       value = request.env["HTTP_AUTHORIZATION"]
 
-      return unless value
+      return unless value && !value.empty?
 
       scheme, token = value.split(" ", 2)
 
       return unless scheme.downcase == oauth_token_type
 
-      return if token.empty?
+      return if token.nil? || token.empty?
 
       token
     end
@@ -476,31 +508,34 @@ module Rodauth
 
       return unless bearer_token
 
-      # check if token has not expired
-      # check if token has been revoked
-      @authorization_token = oauth_token_by_token(bearer_token)
+      @authorization_token = if is_authorization_server?
+                               # check if token has not expired
+                               # check if token has been revoked
+                               oauth_token_by_token(bearer_token)
+                             else
+                               # where in resource server, NOT the authorization server.
+                               payload = introspection_request("access_token", bearer_token)
+
+                               return unless payload["active"]
+
+                               payload
+                             end
     end
 
     def require_oauth_authorization(*scopes)
-      token_scopes = if is_authorization_server?
-                       authorization_required unless authorization_token
+      authorization_required unless authorization_token
 
-                       scopes << oauth_application_default_scope if scopes.empty?
+      scopes << oauth_application_default_scope if scopes.empty?
 
+      token_scopes = if is_authorization_server?
                        authorization_token[oauth_tokens_scopes_column].split(oauth_scope_separator)
                      else
-                       bearer_token = fetch_access_token
-
-                       authorization_required unless bearer_token
-
-                       scopes << oauth_application_default_scope if scopes.empty?
-
-                       # where in resource server, NOT the authorization server.
-                       payload = introspection_request("access_token", bearer_token)
-
-                       authorization_required unless payload["active"]
-
-                       payload["scope"].split(oauth_scope_separator)
+                       aux_scopes = authorization_token["scope"]
+                       if aux_scopes
+                         aux_scopes.split(oauth_scope_separator)
+                       else
+                         []
+                       end
                      end
 
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
@@ -508,6 +543,11 @@ module Rodauth
 
     def post_configure
       super
+
+      # all of the extensions below involve DB changes. Resource server mode doesn't use
+      # database functions for OAuth though.
+      return unless is_authorization_server?
+
       self.class.__send__(:include, Rodauth::OAuth::ExtendDatabase(db))
 
       # Check whether we can reutilize db entries for the same account / application pair
@@ -584,9 +624,9 @@ module Rodauth
       http.use_ssl = auth_url.scheme == "https"
 
       request = Net::HTTP::Post.new(introspect_path)
-      request["content-type"] = json_response_content_type
+      request["content-type"] = "application/x-www-form-urlencoded"
       request["accept"] = json_response_content_type
-      request.body = JSON.dump({ "token_type_hint" => token_type_hint, "token" => token })
+      request.set_form_data({ "token_type_hint" => token_type_hint, "token" => token })
 
       before_introspection_request(request)
       response = http.request(request)
@@ -848,6 +888,9 @@ module Rodauth
       end
       redirect_response_error("invalid_scope") unless check_valid_scopes?
 
+      if (response_mode = param_or_nil("response_mode")) && response_mode != "form_post"
+        redirect_response_error("invalid_request")
+      end
       validate_pkce_challenge_params if use_oauth_pkce?
     end
 
@@ -899,28 +942,26 @@ module Rodauth
       create_params[oauth_grants_code_column]
     end
 
-    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       case param("response_type")
       when "token"
         redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
 
-        fragment_params.replace(_do_authorize_token.map { |k, v| "#{k}=#{v}" })
-      when "code", "", nil
-        query_params.replace(_do_authorize_code.map { |k, v| "#{k}=#{v}" })
-      end
-
-      if param_or_nil("state")
-        if !fragment_params.empty?
-          fragment_params << "state=#{param('state')}"
-        else
-          query_params << "state=#{param('state')}"
-        end
+        response_mode ||= "fragment"
+        response_params.replace(_do_authorize_token)
+      when "code"
+        response_mode ||= "query"
+        response_params.replace(_do_authorize_code)
+      when "none"
+        response_mode ||= "none"
+      when "", nil
+        response_mode ||= oauth_response_mode
+        response_params.replace(_do_authorize_code)
       end
 
-      query_params << redirect_url.query if redirect_url.query
+      response_params["state"] = param("state") if param_or_nil("state")
 
-      redirect_url.query = query_params.join("&") unless query_params.empty?
-      redirect_url.fragment = fragment_params.join("&") unless fragment_params.empty?
+      [response_params, response_mode]
     end
 
     def _do_authorize_code
@@ -1296,7 +1337,7 @@ module Rodauth
       issuer += "/#{path}" if path
 
       responses_supported = %w[code]
-      response_modes_supported = %w[query]
+      response_modes_supported = %w[query form_post]
       grant_types_supported = %w[authorization_code]
 
       if use_oauth_implicit_grant_type?

data/lib/rodauth/features/oauth_http_mac.rb

@@ -8,20 +8,16 @@ module Rodauth
           def delete_suffix(suffix)
             suffix = suffix.to_s
             len = suffix.length
-            if len.positive? && index(suffix, -len)
-              self[0...-len]
-            else
-              dup
-            end
+            return dup unless len.positive? && index(suffix, -len)
+
+            self[0...-len]
           end
 
           def delete_prefix(prefix)
             prefix = prefix.to_s
-            if rindex(prefix, 0)
-              self[prefix.length..-1]
-            else
-              dup
-            end
+            return dup unless rindex(prefix, 0)
+
+            self[prefix.length..-1]
           end
         end
       end

data/lib/rodauth/features/oauth_jwt.rb

@@ -8,6 +8,8 @@ module Rodauth
 
     JWKS = OAuth::TtlStore.new
 
+    # Recommended to have hmac_secret as well
+
     auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
     auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
 
@@ -38,7 +40,8 @@ module Rodauth
       :jwt_encode,
       :jwt_decode,
       :jwks_set,
-      :last_account_login_at
+      :last_account_login_at,
+      :generate_jti
     )
 
     route(:jwks) do |r|
@@ -67,6 +70,10 @@ module Rodauth
       end
     end
 
+    def issuer
+      @issuer ||= oauth_jwt_token_issuer || authorization_server_url
+    end
+
     def authorization_token
       return @authorization_token if defined?(@authorization_token)
 
@@ -79,7 +86,7 @@ module Rodauth
 
         return unless jwt_token
 
-        return if jwt_token["iss"] != (oauth_jwt_token_issuer || authorization_server_url) ||
+        return if jwt_token["iss"] != issuer ||
                   (oauth_jwt_audience && jwt_token["aud"] != oauth_jwt_audience) ||
                   !jwt_token["sub"]
 
@@ -105,7 +112,7 @@ module Rodauth
                   redirect_response_error("invalid_request_object")
                 end
 
-      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg])
+      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg], verify_jti: false)
 
       redirect_response_error("invalid_request_object") unless claims
 
@@ -118,7 +125,7 @@ module Rodauth
       claims.delete("iss")
       audience = claims.delete("aud")
 
-      redirect_response_error("invalid_request_object") if audience && audience != authorization_server_url
+      redirect_response_error("invalid_request_object") if audience && audience != issuer
 
       claims.each do |k, v|
         request.params[k.to_s] = v
@@ -209,7 +216,7 @@ module Rodauth
       issued_at = Time.now.to_i
 
       claims = {
-        iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
+        iss: issuer, # issuer
         iat: issued_at, # issued at
         #
         # sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].  In case of
@@ -317,6 +324,23 @@ module Rodauth
       end
     end
 
+    def generate_jti(payload)
+      # Use the key and iat to create a unique key per request to prevent replay attacks
+      jti_raw = [
+        payload[:aud] || payload["aud"],
+        payload[:iat] || payload["iat"]
+      ].join(":").to_s
+      Digest::SHA256.hexdigest(jti_raw)
+    end
+
+    def verify_jti(jti, claims)
+      generate_jti(claims) == jti
+    end
+
+    def verify_aud(aud, claims)
+      aud == (oauth_jwt_audience || claims["client_id"])
+    end
+
     if defined?(JSON::JWT)
 
       def jwk_import(data)
@@ -325,6 +349,7 @@ module Rodauth
 
       # json-jwt
       def jwt_encode(payload)
+        payload[:jti] = generate_jti(payload)
         jwt = JSON::JWT.new(payload)
         jwk = JSON::JWK.new(_jwt_key)
 
@@ -340,18 +365,34 @@ module Rodauth
         jwt.to_s
       end
 
-      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, **)
+      def jwt_decode(
+        token,
+        jws_key: oauth_jwt_public_key || _jwt_key,
+        verify_claims: true,
+        verify_jti: true,
+        **
+      )
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
 
-        if is_authorization_server?
-          if oauth_jwt_legacy_public_key
-            JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
-          elsif jws_key
-            JSON::JWT.decode(token, jws_key)
-          end
-        elsif (jwks = auth_server_jwks_set)
-          JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
+        claims = if is_authorization_server?
+                   if oauth_jwt_legacy_public_key
+                     JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
+                   elsif jws_key
+                     JSON::JWT.decode(token, jws_key)
+                   end
+                 elsif (jwks = auth_server_jwks_set)
+                   JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
+                 end
+
+        if verify_claims && !(claims[:iss] == issuer &&
+            verify_aud(claims[:aud], claims) &&
+            (!claims[:iat] || Time.at(claims[:iat]) > (Time.now - oauth_token_expires_in)) &&
+            (!claims[:exp] || Time.at(claims[:exp]) > Time.now) &&
+            (!verify_jti || verify_jti(claims[:jti], claims)))
+          return
         end
+
+        claims
       rescue JSON::JWT::Exception
         nil
       end
@@ -384,12 +425,8 @@ module Rodauth
           key = jwk.keypair
         end
 
-        # Use the key and iat to create a unique key per request to prevent replay attacks
-        jti_raw = [key, payload[:iat]].join(":").to_s
-        jti = Digest::SHA256.hexdigest(jti_raw)
-
         # @see JWT reserved claims - https://tools.ietf.org/html/draft-jones-json-web-token-07#page-7
-        payload[:jti] = jti
+        payload[:jti] = generate_jti(payload)
         token = JWT.encode(payload, key, oauth_jwt_algorithm, headers)
 
         if oauth_jwt_jwe_key
@@ -405,21 +442,54 @@ module Rodauth
         token
       end
 
-      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, jws_algorithm: oauth_jwt_algorithm)
+      def jwt_decode(
+        token,
+        jws_key: oauth_jwt_public_key || _jwt_key,
+        jws_algorithm: oauth_jwt_algorithm,
+        verify_claims: true,
+        verify_jti: true
+      )
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
+
+        # verifying the JWT implies verifying:
+        #
+        # issuer: check that server generated the token
+        # aud: check the audience field (client is who he says he is)
+        # iat: check that the token didn't expire
+        #
+        # subject can't be verified automatically without having access to the account id,
+        # which we don't because that's the whole point.
+        #
+        verify_claims_params = if verify_claims
+                                 {
+                                   verify_iss: true,
+                                   iss: issuer,
+                                   # can't use stock aud verification, as it's dependent on the client application id
+                                   verify_aud: false,
+                                   verify_jti: (verify_jti ? method(:verify_jti) : false),
+                                   verify_iat: true
+                                 }
+                               else
+                                 {}
+                               end
+
         # decode jwt
-        if is_authorization_server?
-          if oauth_jwt_legacy_public_key
-            algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-            JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms).first
-          elsif jws_key
-            JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
-          end
-        elsif (jwks = auth_server_jwks_set)
-          algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-          JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
-        end
+        claims = if is_authorization_server?
+                   if oauth_jwt_legacy_public_key
+                     algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                     JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms, **verify_claims_params).first
+                   elsif jws_key
+                     JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params).first
+                   end
+                 elsif (jwks = auth_server_jwks_set)
+                   algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                   JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms, **verify_claims_params).first
+                 end
+
+        return if verify_claims && !verify_aud(claims["aud"], claims)
+
+        claims
       rescue JWT::DecodeError, JWT::JWKError
         nil
       end

data/lib/rodauth/features/oidc.rb

@@ -2,17 +2,19 @@
 
 module Rodauth
   Feature.define(:oidc) do
+    # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
     OIDC_SCOPES_MAP = {
       "profile" => %i[name family_name given_name middle_name nickname preferred_username
                       profile picture website gender birthdate zoneinfo locale updated_at].freeze,
       "email" => %i[email email_verified].freeze,
-      "address" => %i[address].freeze,
+      "address" => %i[formatted street_address locality region postal_code country].freeze,
       "phone" => %i[phone_number phone_number_verified].freeze
     }.freeze
 
     VALID_METADATA_KEYS = %i[
       issuer
       authorization_endpoint
+      end_session_endpoint
       token_endpoint
       userinfo_endpoint
       jwks_uri
@@ -74,7 +76,11 @@ module Rodauth
     auth_value_method :oauth_prompt_login_cookie_options, {}.freeze
     auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
 
-    auth_value_methods(:get_oidc_param)
+    # logout
+    auth_value_method :oauth_applications_post_logout_redirect_uri_column, :post_logout_redirect_uri
+    auth_value_method :use_rp_initiated_logout?, false
+
+    auth_value_methods(:get_oidc_param, :get_additional_param)
 
     # /userinfo
     route(:userinfo) do |r|
@@ -107,10 +113,81 @@ module Rodauth
       end
     end
 
-    def openid_configuration(issuer = nil)
+    # /oidc-logout
+    route(:oidc_logout) do |r|
+      next unless use_rp_initiated_logout?
+
+      before_oidc_logout_route
+      require_authorizable_account
+
+      # OpenID Providers MUST support the use of the HTTP GET and POST methods
+      r.on method: %i[get post] do
+        catch_error do
+          validate_oidc_logout_params
+
+          #
+          # why this is done:
+          #
+          # we need to decode the id token in order to get the application, because, if the
+          # signing key is application-specific, we don't know how to verify the signature
+          # beforehand. Hence, we have to do it twice: decode-and-do-not-verify, initialize
+          # the @oauth_application, and then decode-and-verify.
+          #
+          oauth_token = jwt_decode(param("id_token_hint"), verify_claims: false)
+          oauth_application_id = oauth_token["client_id"]
+
+          # check whether ID token belongs to currently logged-in user
+          redirect_response_error("invalid_request") unless oauth_token["sub"] == jwt_subject(
+            oauth_tokens_account_id_column => account_id,
+            oauth_tokens_oauth_application_id_column => oauth_application_id
+          )
+
+          # When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token.
+          redirect_response_error("invalid_request") unless oauth_token && oauth_token["iss"] == issuer
+
+          # now let's logout from IdP
+          transaction do
+            before_logout
+            logout
+            after_logout
+          end
+
+          if (post_logout_redirect_uri = param_or_nil("post_logout_redirect_uri"))
+            catch(:default_logout_redirect) do
+              oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => oauth_token["client_id"]).first
+
+              throw(:default_logout_redirect) unless oauth_application
+
+              post_logout_redirect_uris = oauth_application[oauth_applications_post_logout_redirect_uri_column].split(" ")
+
+              throw(:default_logout_redirect) unless post_logout_redirect_uris.include?(post_logout_redirect_uri)
+
+              if (state = param_or_nil("state"))
+                post_logout_redirect_uri = URI(post_logout_redirect_uri)
+                params = ["state=#{state}"]
+                params << post_logout_redirect_uri.query if post_logout_redirect_uri.query
+                post_logout_redirect_uri.query = params.join("&")
+                post_logout_redirect_uri = post_logout_redirect_uri.to_s
+              end
+
+              redirect(post_logout_redirect_uri)
+            end
+
+          end
+
+          # regular logout procedure
+          set_notice_flash(logout_notice_flash)
+          redirect(logout_redirect)
+        end
+
+        redirect_response_error("invalid_request")
+      end
+    end
+
+    def openid_configuration(alt_issuer = nil)
       request.on(".well-known/openid-configuration") do
         request.get do
-          json_response_success(openid_configuration_body(issuer), cache: true)
+          json_response_success(openid_configuration_body(alt_issuer), cache: true)
         end
       end
     end
@@ -245,8 +322,11 @@ module Rodauth
       oauth_token[:id_token] = jwt_encode(id_token_claims)
     end
 
+    # aka fill_with_standard_claims
     def fill_with_account_claims(claims, account, scopes)
-      scopes_by_oidc = scopes.each_with_object({}) do |scope, by_oidc|
+      scopes_by_claim = scopes.each_with_object({}) do |scope, by_oidc|
+        next if scope == "openid"
+
         oidc, param = scope.split(".", 2)
 
         by_oidc[oidc] ||= []
@@ -254,21 +334,33 @@ module Rodauth
         by_oidc[oidc] << param.to_sym if param
       end
 
-      oidc_scopes = (OIDC_SCOPES_MAP.keys & scopes_by_oidc.keys)
-
-      return if oidc_scopes.empty?
+      oidc_scopes, additional_scopes = scopes_by_claim.keys.partition { |key| OIDC_SCOPES_MAP.key?(key) }
 
-      if respond_to?(:get_oidc_param)
-        oidc_scopes.each do |scope|
-          params = scopes_by_oidc[scope]
-          params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
+      unless oidc_scopes.empty?
+        if respond_to?(:get_oidc_param)
+          oidc_scopes.each do |scope|
+            scope_claims = claims
+            params = scopes_by_claim[scope]
+            params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
 
-          params.each do |param|
-            claims[param] = __send__(:get_oidc_param, account, param)
+            scope_claims = (claims["address"] = {}) if scope == "address"
+            params.each do |param|
+              scope_claims[param] = __send__(:get_oidc_param, account, param)
+            end
           end
+        else
+          warn "`get_oidc_param(account, claim)` must be implemented to use oidc scopes."
+        end
+      end
+
+      return if additional_scopes.empty?
+
+      if respond_to?(:get_additional_param)
+        additional_scopes.each do |scope|
+          claims[scope] = __send__(:get_additional_param, account, scope.to_sym)
         end
       else
-        warn "`get_oidc_param(token, param)` must be implemented to use oidc scopes."
+        warn "`get_additional_param(account, claim)` must be implemented to use oidc scopes."
       end
     end
 
@@ -290,33 +382,27 @@ module Rodauth
       end
     end
 
-    def do_authorize(redirect_url, query_params = [], fragment_params = [])
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       return super unless use_oauth_implicit_grant_type?
 
       case param("response_type")
       when "id_token"
-        fragment_params.replace(_do_authorize_id_token.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_id_token)
       when "code token"
         redirect_response_error("invalid_request") unless use_oauth_implicit_grant_type?
 
-        params = _do_authorize_code.merge(_do_authorize_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_token))
       when "code id_token"
-        params = _do_authorize_code.merge(_do_authorize_id_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_id_token))
       when "id_token token"
-        params = _do_authorize_id_token.merge(_do_authorize_token)
-
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_id_token.merge(_do_authorize_token))
       when "code id_token token"
-        params = _do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token)
 
-        fragment_params.replace(params.map { |k, v| "#{k}=#{v}" })
+        response_params.replace(_do_authorize_code.merge(_do_authorize_id_token).merge(_do_authorize_token))
       end
+      response_mode ||= "fragment" unless response_params.empty?
 
-      super(redirect_url, query_params, fragment_params)
+      super(response_params, response_mode)
     end
 
     def _do_authorize_id_token
@@ -332,6 +418,18 @@ module Rodauth
       params
     end
 
+    # Logout
+
+    def validate_oidc_logout_params
+      redirect_response_error("invalid_request") unless param_or_nil("id_token_hint")
+      # check if valid token hint type
+      return unless (redirect_uri = param_or_nil("post_logout_redirect_uri"))
+
+      return if check_valid_uri?(redirect_uri)
+
+      redirect_response_error("invalid_request")
+    end
+
     # Metadata
 
     def openid_configuration_body(path)
@@ -351,13 +449,15 @@ module Rodauth
 
       scope_claims.unshift("auth_time") if last_account_login_at
 
+      response_types_supported = metadata[:response_types_supported]
+      if use_oauth_implicit_grant_type?
+        response_types_supported += ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"]
+      end
+
       metadata.merge(
         userinfo_endpoint: userinfo_url,
-        response_types_supported: metadata[:response_types_supported] +
-          ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"],
-        response_modes_supported: %w[query fragment],
-        grant_types_supported: %w[authorization_code implicit],
-
+        end_session_endpoint: (oidc_logout_url if use_rp_initiated_logout?),
+        response_types_supported: response_types_supported,
         subject_types_supported: [oauth_jwt_subject_type],
 
         id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],

data/lib/rodauth/oauth/ttl_store.rb

@@ -13,7 +13,7 @@ class Rodauth::OAuth::TtlStore
 
   def initialize
     @store_mutex = Mutex.new
-    @store = Hash.new {}
+    @store = {}
   end
 
   def [](key)

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.3.0"
+    VERSION = "0.5.0"
   end
 end

data/templates/authorize.str

@@ -20,6 +20,7 @@
 
     #{"<input type=\"hidden\" name=\"access_type\" value=\"#{rodauth.param("access_type")}\"/>" if rodauth.param_or_nil("access_type")}
     #{"<input type=\"hidden\" name=\"response_type\" value=\"#{rodauth.param("response_type")}\"/>" if rodauth.param_or_nil("response_type")}
+    #{"<input type=\"hidden\" name=\"response_mode\" value=\"#{rodauth.param("response_mode")}\"/>" if rodauth.param_or_nil("response_mode")}
     #{"<input type=\"hidden\" name=\"state\" value=\"#{rodauth.param("state")}\"/>" if rodauth.param_or_nil("state")}
     #{"<input type=\"hidden\" name=\"nonce\" value=\"#{rodauth.param("nonce")}\"/>" if rodauth.param_or_nil("nonce")}
     #{"<input type=\"hidden\" name=\"redirect_uri\" value=\"#{rodauth.redirect_uri}\"/>" if rodauth.param_or_nil("redirect_uri")}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-08 00:00:00.000000000 Z
+date: 2021-02-08 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -71,7 +71,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.