rodauth-oauth 0.4.0 → 0.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b09ecfc1d3a8ee0f5b890620baa14ca6d847362bf38dd158e02bd2c8ebfc204e
-  data.tar.gz: 89f0e82d7721f7ee175b1c53b7b3e0cc534e6983fe37dfc02e433df77b58225d
+  metadata.gz: 366fa7201a8cb26525b2abdfab0c4108a4afbef4fa8697cf57e874919eda2afd
+  data.tar.gz: 958b9fd8b4cd2996a85b96fac6dff6a6b35832adcdaed4d81e20842041a1299e
 SHA512:
-  metadata.gz: d00a178f561ddecacff0587e1120b68bb22cd10b76b106b00f41167ba9c8bd8b2b8958fd629588924e502be8c947a81d3722102038cd329c006f4b4daf6efada
-  data.tar.gz: 328542ba8ce7ef8e8f605056a9a8cbf6599136232d93f7246b13fe037ebc07225e2051b3ee454eb90ec4ae480e2b493d662d1cbbcd0ae5cc7e57a0ff29b10696
+  metadata.gz: fb496f7d438c0447ba4ef899f9ec37549cea355fb5c670818cd040970c1316c13442caa58aebc4ea66cd92f2f369d6ff7c39b502190e2d4fec2f95d5e27b4279
+  data.tar.gz: 73048d860285b29056ade97d9092103e2cae18fa9967df603ddce9c83c10fd5c44891e7282f3195d0b79b2d73bf12c748483a811f404d50fb29df40da26a6bf4

data/CHANGELOG.md

@@ -2,26 +2,72 @@
 
 ## master
 
-### 0.4.0
+### 0.5.1 (19/03/2021)
 
-### Features
+#### Improvements
+
+* Changing "Callback URL" to "Redirect URL" in default templates;
+
+#### Bugfixes
+
+* (rails integration) Fixed templates location;
+* (rails integration) Fixed migration name from generator;
+* (rails integration) fixed links, html tags, styling and unassigned variables from a few view templates;
+* `oauth_application_path` is now compliant with prefixes and other url helpers, while now having a `oauth_application_url` counterpart;
+* (rails integration) skipping csrf checks for "/userinfo" request (OIDC)
+
+### 0.5.0 (08/02/2021)
+
+#### RP-Initiated Logout
+
+The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
+
+#### Security
+
+The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the claims of used JWT tokens. This is a **very important security fix**, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
+
+A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.
+
+### 0.4.3 (09/12/2020)
+
+* Introspection requests made to an Authorization Server in "resource server" mode are not correctly encoding the body using the "application/x-www-form-urlencoded" format.
+
+### 0.4.2 (24/11/2020)
+
+#### Bugfixes
+
+* database extensions were being run in resource server mode, when it's not expected that the oauth db tables are around.
+
+### 0.4.1 (24/11/2020)
+
+#### Improvements
+
+When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
+
+#### Bugfixes
+
+* An error occurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.
+
+### 0.4.0 (13/11/2020)
+
+#### Features
 
 * A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
 
 * The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
 
 
-### Improvements
+#### Improvements
 
 * For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
 
-### Bugfixes
+#### Bugfixes
 
 * The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
 * rails tests were silently not running in CI;
 * The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted;
 
-### 0.3.0
+### 0.3.0 (8/10/2020)
 
 #### Features
 
@@ -50,7 +96,7 @@ Use `rodauth.convert_timestamp` in the templates, whenever dates are displayed.
 
 Set HTTP Cache headers for metadata responses, such as `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`, so they can be stored at the edge. The cache will be valid for 1 day (this value isn't set by an option yet).
 
-### 0.2.0
+### 0.2.0 (9/9/2020)
 
 #### Features
 
@@ -94,9 +140,7 @@ Fixed some mishandling of HTTP headers when in in resource-server mode.
 * 97.7% test coverage;
 * `rodauth-oauth` CI tests run against sqlite, postgresql and mysql.
 
-### 0.1.0
-
-(31/7/2020)
+### 0.1.0 (31/7/2020)
 
 #### Features
 
@@ -142,9 +186,7 @@ URI schemes for client applications redirect URIs have to be `https`. In order t
 * fixed trailing "/" in the "issuer" value in server metadata (`https://server.com/` -> `https://server.com`).
 
 
-### 0.0.6
-
-(6/7/2020)
+### 0.0.6 (6/7/2020)
 
 #### Features
 
@@ -167,9 +209,7 @@ The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (se
 Removed React Javascript from example applications.
 
 
-### 0.0.5
-
-(26/6/2020)
+### 0.0.5 (26/6/2020)
 
 #### Features
 
@@ -206,9 +246,7 @@ It **requires** the authorization to implement the server metadata endpoint (`/.
 * option `scopes_param` renamed to `scope_param`;
 *
 
-## 0.0.4
-
-(13/6/2020)
+## 0.0.4 (13/6/2020)
 
 ### Features
 
@@ -245,9 +283,7 @@ The `oauth_jwt` feature now allows the usage of access tokens to authorize the g
 
 * Fixed scope claim of JWT ("scopes" -> "scope");
 
-## 0.0.3
-
-(5/6/2020)
+## 0.0.3 (5/6/2020)
 
 ### Features
 
@@ -279,9 +315,7 @@ end
 * renamed the existing `use_oauth_implicit_grant_type` to `use_oauth_implicit_grant_type?`;
 * It's now usable as JSON API (small caveat: POST authorize will still redirect on success...);
 
-## 0.0.2
-
-(29/5/2020)
+## 0.0.2 (29/5/2020)
 
 ### Features
 
@@ -297,8 +331,6 @@ end
 
 * usage of client secret for authorizing the generation of tokens, as the spec mandates (and refraining from them when doing PKCE).
 
-## 0.0.1
-
-(14/5/2020)
+## 0.0.1 (14/5/2020)
 
 Initial implementation of the Oauth 2.0 framework, with an example app done using roda.

data/README.md

@@ -25,7 +25,12 @@ This gem implements the following RFCs and features of OAuth:
 * [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
 * OAuth application and token management dashboards;
 
-It also implements the [OpenID Connect layer](https://openid.net/connect/) on top of the OAuth features it provides.
+It also implements the [OpenID Connect layer](https://openid.net/connect/) on top of the OAuth features it provides, including:
+
+* [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
+* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
+* [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
+* [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 
@@ -104,7 +109,7 @@ For OpenID, it's very similar to the example above:
 ```ruby
 plugin :rodauth do
   # enable it in the plugin
-  enable :login, :openid
+  enable :login, :oidc
   oauth_application_default_scope %w[openid]
   oauth_application_scopes %w[openid email profile]
 end

data/lib/generators/{roda → rodauth}/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -1,4 +1,4 @@
-class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
+class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_applications do |t|
       t.integer :account_id

data/lib/rodauth/features/oauth.rb

@@ -139,7 +139,15 @@ module Rodauth
     auth_value_method :already_in_use_response_status, 409
 
     # OAuth Applications
-    auth_value_method :oauth_applications_path, "oauth-applications"
+    auth_value_method :oauth_applications_route, "oauth-applications"
+    def oauth_applications_path(opts = {})
+      route_path(oauth_applications_route, opts)
+    end
+
+    def oauth_applications_url(opts = {})
+      route_url(oauth_applications_route, opts)
+    end
+
     auth_value_method :oauth_applications_table, :oauth_applications
 
     auth_value_method :oauth_applications_id_column, :id
@@ -192,6 +200,7 @@ module Rodauth
     auth_value_method :oauth_unique_id_generation_retries, 3
 
     auth_value_methods(
+      :oauth_application_path,
       :fetch_access_token,
       :oauth_unique_id_generator,
       :secret_matches?,
@@ -363,9 +372,13 @@ module Rodauth
       end
     end
 
+    def oauth_application_path(id)
+      "#{oauth_applications_path}/#{id}"
+    end
+
     # /oauth-applications routes
     def oauth_applications
-      request.on(oauth_applications_path) do
+      request.on(oauth_applications_route) do
         require_account
 
         request.get "new" do
@@ -422,16 +435,20 @@ module Rodauth
         false
       when revoke_path
         !json_request?
-      when authorize_path, %r{/#{oauth_applications_path}}
+      when authorize_path, oauth_applications_path
         only_json? ? false : super
       else
         super
       end
     end
 
-    # Overrides logged_in?, so that a valid authorization token also authnenticates a request
-    def logged_in?
-      super || authorization_token
+    # Overrides session_value, so that a valid authorization token also authenticates a request
+    def session_value
+      super || begin
+        return unless authorization_token
+
+        authorization_token[oauth_tokens_account_id_column]
+      end
     end
 
     def accepts_json?
@@ -489,13 +506,13 @@ module Rodauth
     def fetch_access_token
       value = request.env["HTTP_AUTHORIZATION"]
 
-      return unless value
+      return unless value && !value.empty?
 
       scheme, token = value.split(" ", 2)
 
       return unless scheme.downcase == oauth_token_type
 
-      return if token.empty?
+      return if token.nil? || token.empty?
 
       token
     end
@@ -508,31 +525,34 @@ module Rodauth
 
       return unless bearer_token
 
-      # check if token has not expired
-      # check if token has been revoked
-      @authorization_token = oauth_token_by_token(bearer_token)
+      @authorization_token = if is_authorization_server?
+                               # check if token has not expired
+                               # check if token has been revoked
+                               oauth_token_by_token(bearer_token)
+                             else
+                               # where in resource server, NOT the authorization server.
+                               payload = introspection_request("access_token", bearer_token)
+
+                               return unless payload["active"]
+
+                               payload
+                             end
     end
 
     def require_oauth_authorization(*scopes)
-      token_scopes = if is_authorization_server?
-                       authorization_required unless authorization_token
+      authorization_required unless authorization_token
 
-                       scopes << oauth_application_default_scope if scopes.empty?
+      scopes << oauth_application_default_scope if scopes.empty?
 
+      token_scopes = if is_authorization_server?
                        authorization_token[oauth_tokens_scopes_column].split(oauth_scope_separator)
                      else
-                       bearer_token = fetch_access_token
-
-                       authorization_required unless bearer_token
-
-                       scopes << oauth_application_default_scope if scopes.empty?
-
-                       # where in resource server, NOT the authorization server.
-                       payload = introspection_request("access_token", bearer_token)
-
-                       authorization_required unless payload["active"]
-
-                       payload["scope"].split(oauth_scope_separator)
+                       aux_scopes = authorization_token["scope"]
+                       if aux_scopes
+                         aux_scopes.split(oauth_scope_separator)
+                       else
+                         []
+                       end
                      end
 
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
@@ -540,6 +560,11 @@ module Rodauth
 
     def post_configure
       super
+
+      # all of the extensions below involve DB changes. Resource server mode doesn't use
+      # database functions for OAuth though.
+      return unless is_authorization_server?
+
       self.class.__send__(:include, Rodauth::OAuth::ExtendDatabase(db))
 
       # Check whether we can reutilize db entries for the same account / application pair
@@ -616,9 +641,9 @@ module Rodauth
       http.use_ssl = auth_url.scheme == "https"
 
       request = Net::HTTP::Post.new(introspect_path)
-      request["content-type"] = json_response_content_type
+      request["content-type"] = "application/x-www-form-urlencoded"
       request["accept"] = json_response_content_type
-      request.body = JSON.dump({ "token_type_hint" => token_type_hint, "token" => token })
+      request.set_form_data({ "token_type_hint" => token_type_hint, "token" => token })
 
       before_introspection_request(request)
       response = http.request(request)
@@ -1342,7 +1367,7 @@ module Rodauth
         issuer: issuer,
         authorization_endpoint: authorize_url,
         token_endpoint: token_url,
-        registration_endpoint: route_url(oauth_applications_path),
+        registration_endpoint: oauth_applications_url,
         scopes_supported: oauth_application_scopes,
         response_types_supported: responses_supported,
         response_modes_supported: response_modes_supported,

data/lib/rodauth/features/oauth_jwt.rb

@@ -8,6 +8,8 @@ module Rodauth
 
     JWKS = OAuth::TtlStore.new
 
+    # Recommended to have hmac_secret as well
+
     auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
     auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
 
@@ -38,7 +40,8 @@ module Rodauth
       :jwt_encode,
       :jwt_decode,
       :jwks_set,
-      :last_account_login_at
+      :last_account_login_at,
+      :generate_jti
     )
 
     route(:jwks) do |r|
@@ -59,6 +62,15 @@ module Rodauth
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
     end
 
+    # Overrides session_value, so that a valid authorization token also authenticates a request
+    def session_value
+      super || begin
+        return unless authorization_token
+
+        authorization_token["sub"]
+      end
+    end
+
     private
 
     unless method_defined?(:last_account_login_at)
@@ -67,6 +79,10 @@ module Rodauth
       end
     end
 
+    def issuer
+      @issuer ||= oauth_jwt_token_issuer || authorization_server_url
+    end
+
     def authorization_token
       return @authorization_token if defined?(@authorization_token)
 
@@ -79,7 +95,7 @@ module Rodauth
 
         return unless jwt_token
 
-        return if jwt_token["iss"] != (oauth_jwt_token_issuer || authorization_server_url) ||
+        return if jwt_token["iss"] != issuer ||
                   (oauth_jwt_audience && jwt_token["aud"] != oauth_jwt_audience) ||
                   !jwt_token["sub"]
 
@@ -105,7 +121,7 @@ module Rodauth
                   redirect_response_error("invalid_request_object")
                 end
 
-      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg])
+      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg], verify_jti: false)
 
       redirect_response_error("invalid_request_object") unless claims
 
@@ -118,7 +134,7 @@ module Rodauth
       claims.delete("iss")
       audience = claims.delete("aud")
 
-      redirect_response_error("invalid_request_object") if audience && audience != authorization_server_url
+      redirect_response_error("invalid_request_object") if audience && audience != issuer
 
       claims.each do |k, v|
         request.params[k.to_s] = v
@@ -209,7 +225,7 @@ module Rodauth
       issued_at = Time.now.to_i
 
       claims = {
-        iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
+        iss: issuer, # issuer
         iat: issued_at, # issued at
         #
         # sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].  In case of
@@ -317,6 +333,23 @@ module Rodauth
       end
     end
 
+    def generate_jti(payload)
+      # Use the key and iat to create a unique key per request to prevent replay attacks
+      jti_raw = [
+        payload[:aud] || payload["aud"],
+        payload[:iat] || payload["iat"]
+      ].join(":").to_s
+      Digest::SHA256.hexdigest(jti_raw)
+    end
+
+    def verify_jti(jti, claims)
+      generate_jti(claims) == jti
+    end
+
+    def verify_aud(aud, claims)
+      aud == (oauth_jwt_audience || claims["client_id"])
+    end
+
     if defined?(JSON::JWT)
 
       def jwk_import(data)
@@ -325,6 +358,7 @@ module Rodauth
 
       # json-jwt
       def jwt_encode(payload)
+        payload[:jti] = generate_jti(payload)
         jwt = JSON::JWT.new(payload)
         jwk = JSON::JWK.new(_jwt_key)
 
@@ -340,18 +374,34 @@ module Rodauth
         jwt.to_s
       end
 
-      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, **)
+      def jwt_decode(
+        token,
+        jws_key: oauth_jwt_public_key || _jwt_key,
+        verify_claims: true,
+        verify_jti: true,
+        **
+      )
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
 
-        if is_authorization_server?
-          if oauth_jwt_legacy_public_key
-            JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
-          elsif jws_key
-            JSON::JWT.decode(token, jws_key)
-          end
-        elsif (jwks = auth_server_jwks_set)
-          JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
+        claims = if is_authorization_server?
+                   if oauth_jwt_legacy_public_key
+                     JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
+                   elsif jws_key
+                     JSON::JWT.decode(token, jws_key)
+                   end
+                 elsif (jwks = auth_server_jwks_set)
+                   JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
+                 end
+
+        if verify_claims && !(claims[:iss] == issuer &&
+            verify_aud(claims[:aud], claims) &&
+            (!claims[:iat] || Time.at(claims[:iat]) > (Time.now - oauth_token_expires_in)) &&
+            (!claims[:exp] || Time.at(claims[:exp]) > Time.now) &&
+            (!verify_jti || verify_jti(claims[:jti], claims)))
+          return
         end
+
+        claims
       rescue JSON::JWT::Exception
         nil
       end
@@ -384,12 +434,8 @@ module Rodauth
           key = jwk.keypair
         end
 
-        # Use the key and iat to create a unique key per request to prevent replay attacks
-        jti_raw = [key, payload[:iat]].join(":").to_s
-        jti = Digest::SHA256.hexdigest(jti_raw)
-
         # @see JWT reserved claims - https://tools.ietf.org/html/draft-jones-json-web-token-07#page-7
-        payload[:jti] = jti
+        payload[:jti] = generate_jti(payload)
         token = JWT.encode(payload, key, oauth_jwt_algorithm, headers)
 
         if oauth_jwt_jwe_key
@@ -405,21 +451,54 @@ module Rodauth
         token
       end
 
-      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, jws_algorithm: oauth_jwt_algorithm)
+      def jwt_decode(
+        token,
+        jws_key: oauth_jwt_public_key || _jwt_key,
+        jws_algorithm: oauth_jwt_algorithm,
+        verify_claims: true,
+        verify_jti: true
+      )
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
+
+        # verifying the JWT implies verifying:
+        #
+        # issuer: check that server generated the token
+        # aud: check the audience field (client is who he says he is)
+        # iat: check that the token didn't expire
+        #
+        # subject can't be verified automatically without having access to the account id,
+        # which we don't because that's the whole point.
+        #
+        verify_claims_params = if verify_claims
+                                 {
+                                   verify_iss: true,
+                                   iss: issuer,
+                                   # can't use stock aud verification, as it's dependent on the client application id
+                                   verify_aud: false,
+                                   verify_jti: (verify_jti ? method(:verify_jti) : false),
+                                   verify_iat: true
+                                 }
+                               else
+                                 {}
+                               end
+
         # decode jwt
-        if is_authorization_server?
-          if oauth_jwt_legacy_public_key
-            algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-            JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms).first
-          elsif jws_key
-            JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
-          end
-        elsif (jwks = auth_server_jwks_set)
-          algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-          JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
-        end
+        claims = if is_authorization_server?
+                   if oauth_jwt_legacy_public_key
+                     algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                     JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms, **verify_claims_params).first
+                   elsif jws_key
+                     JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params).first
+                   end
+                 elsif (jwks = auth_server_jwks_set)
+                   algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                   JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms, **verify_claims_params).first
+                 end
+
+        return if verify_claims && !verify_aud(claims["aud"], claims)
+
+        claims
       rescue JWT::DecodeError, JWT::JWKError
         nil
       end

data/lib/rodauth/features/oidc.rb

@@ -14,6 +14,7 @@ module Rodauth
     VALID_METADATA_KEYS = %i[
       issuer
       authorization_endpoint
+      end_session_endpoint
       token_endpoint
       userinfo_endpoint
       jwks_uri
@@ -75,6 +76,10 @@ module Rodauth
     auth_value_method :oauth_prompt_login_cookie_options, {}.freeze
     auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
 
+    # logout
+    auth_value_method :oauth_applications_post_logout_redirect_uri_column, :post_logout_redirect_uri
+    auth_value_method :use_rp_initiated_logout?, false
+
     auth_value_methods(:get_oidc_param, :get_additional_param)
 
     # /userinfo
@@ -108,10 +113,81 @@ module Rodauth
       end
     end
 
-    def openid_configuration(issuer = nil)
+    # /oidc-logout
+    route(:oidc_logout) do |r|
+      next unless use_rp_initiated_logout?
+
+      before_oidc_logout_route
+      require_authorizable_account
+
+      # OpenID Providers MUST support the use of the HTTP GET and POST methods
+      r.on method: %i[get post] do
+        catch_error do
+          validate_oidc_logout_params
+
+          #
+          # why this is done:
+          #
+          # we need to decode the id token in order to get the application, because, if the
+          # signing key is application-specific, we don't know how to verify the signature
+          # beforehand. Hence, we have to do it twice: decode-and-do-not-verify, initialize
+          # the @oauth_application, and then decode-and-verify.
+          #
+          oauth_token = jwt_decode(param("id_token_hint"), verify_claims: false)
+          oauth_application_id = oauth_token["client_id"]
+
+          # check whether ID token belongs to currently logged-in user
+          redirect_response_error("invalid_request") unless oauth_token["sub"] == jwt_subject(
+            oauth_tokens_account_id_column => account_id,
+            oauth_tokens_oauth_application_id_column => oauth_application_id
+          )
+
+          # When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token.
+          redirect_response_error("invalid_request") unless oauth_token && oauth_token["iss"] == issuer
+
+          # now let's logout from IdP
+          transaction do
+            before_logout
+            logout
+            after_logout
+          end
+
+          if (post_logout_redirect_uri = param_or_nil("post_logout_redirect_uri"))
+            catch(:default_logout_redirect) do
+              oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => oauth_token["client_id"]).first
+
+              throw(:default_logout_redirect) unless oauth_application
+
+              post_logout_redirect_uris = oauth_application[oauth_applications_post_logout_redirect_uri_column].split(" ")
+
+              throw(:default_logout_redirect) unless post_logout_redirect_uris.include?(post_logout_redirect_uri)
+
+              if (state = param_or_nil("state"))
+                post_logout_redirect_uri = URI(post_logout_redirect_uri)
+                params = ["state=#{state}"]
+                params << post_logout_redirect_uri.query if post_logout_redirect_uri.query
+                post_logout_redirect_uri.query = params.join("&")
+                post_logout_redirect_uri = post_logout_redirect_uri.to_s
+              end
+
+              redirect(post_logout_redirect_uri)
+            end
+
+          end
+
+          # regular logout procedure
+          set_notice_flash(logout_notice_flash)
+          redirect(logout_redirect)
+        end
+
+        redirect_response_error("invalid_request")
+      end
+    end
+
+    def openid_configuration(alt_issuer = nil)
       request.on(".well-known/openid-configuration") do
         request.get do
-          json_response_success(openid_configuration_body(issuer), cache: true)
+          json_response_success(openid_configuration_body(alt_issuer), cache: true)
         end
       end
     end
@@ -139,6 +215,15 @@ module Rodauth
       end
     end
 
+    def check_csrf?
+      case request.path
+      when userinfo_path
+        false
+      else
+        super
+      end
+    end
+
     private
 
     def require_authorizable_account
@@ -342,6 +427,18 @@ module Rodauth
       params
     end
 
+    # Logout
+
+    def validate_oidc_logout_params
+      redirect_response_error("invalid_request") unless param_or_nil("id_token_hint")
+      # check if valid token hint type
+      return unless (redirect_uri = param_or_nil("post_logout_redirect_uri"))
+
+      return if check_valid_uri?(redirect_uri)
+
+      redirect_response_error("invalid_request")
+    end
+
     # Metadata
 
     def openid_configuration_body(path)
@@ -368,6 +465,7 @@ module Rodauth
 
       metadata.merge(
         userinfo_endpoint: userinfo_url,
+        end_session_endpoint: (oidc_logout_url if use_rp_initiated_logout?),
         response_types_supported: response_types_supported,
         subject_types_supported: [oauth_jwt_subject_type],
 

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.4.0"
+    VERSION = "0.5.1"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.1
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-13 00:00:00.000000000 Z
+date: 2021-03-19 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -23,12 +23,12 @@ files:
 - CHANGELOG.md
 - LICENSE.txt
 - README.md
-- lib/generators/roda/oauth/install_generator.rb
-- lib/generators/roda/oauth/templates/app/models/oauth_application.rb
-- lib/generators/roda/oauth/templates/app/models/oauth_grant.rb
-- lib/generators/roda/oauth/templates/app/models/oauth_token.rb
-- lib/generators/roda/oauth/templates/db/migrate/create_rodauth_oauth.rb
-- lib/generators/roda/oauth/views_generator.rb
+- lib/generators/rodauth/oauth/install_generator.rb
+- lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
+- lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
+- lib/generators/rodauth/oauth/templates/app/models/oauth_token.rb
+- lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb
+- lib/generators/rodauth/oauth/views_generator.rb
 - lib/rodauth/features/oauth.rb
 - lib/rodauth/features/oauth_http_mac.rb
 - lib/rodauth/features/oauth_jwt.rb
@@ -71,7 +71,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.