rodauth-oauth 0.4.3 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 96756ac8a30c904c5b832b64c47a00af9524810561d58c909b6f322da7348e8c
-  data.tar.gz: 965f6ff260bd86c2fcb7bbd2ba2bd131b453f04a39b73f99ef0860d2bc95b0e0
+  metadata.gz: 7324d08b229d4bfdea92df95c769539570565e161d758a38d95bea50f78fda96
+  data.tar.gz: c421e4886baf39eb9ebe04e6919c6ab292d3c85dbc32bc78e5d8992c17a40816
 SHA512:
-  metadata.gz: e7e257a12204599a27d0917f2b31c32906f0d4c566d51ee6d4fde146e2340e36afb9a932cff8bf37872d59259f4d43d423d1c1266f3066063c70aa334f83e119
-  data.tar.gz: 07c0e564e7636893f736f6e05f634684cd7bc28e9d0acfb53ba518357fab198bc878792a68bde6b988b8c8ddf2d3e2bb4d4ecebcd9c4bf68d85f75178cdd0fdf
+  metadata.gz: 4ba7e8a7975260618034285b77d4489416fe368c500b31516e7dd69d89e75863e18bebdb4868a72caa61fa2ed93541f1da6ea1c9c9d4cf15072bf4008209a1a9
+  data.tar.gz: 87e9f031183ede6af4f338f60ff5ae5f7a8581412068abb484b5312de4a6962fcaa68cb95eae8aab7c755adc4e1c0ada6e3e19b009ece35d4902cc84d1ab1e01

data/CHANGELOG.md

@@ -2,40 +2,52 @@
 
 ## master
 
+### 0.5.0 (08/02/2021)
+
+#### RP-Initiated Logout
+
+The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
+
+#### Security
+
+The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the claims of used JWT tokens. This is a **very important security fix**, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
+
+A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.
+
 ### 0.4.3 (09/12/2020)
 
 * Introspection requests made to an Authorization Server in "resource server" mode are not correctly encoding the body using the "application/x-www-form-urlencoded" format.
 
 ### 0.4.2 (24/11/2020)
 
-### Bugfixes
+#### Bugfixes
 
 * database extensions were being run in resource server mode, when it's not expected that the oauth db tables are around.
 
 ### 0.4.1 (24/11/2020)
 
-### Improvements
+#### Improvements
 
 When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
 
-### Bugfixes
+#### Bugfixes
 
 * An error occurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.
 
 ### 0.4.0 (13/11/2020)
 
-### Features
+#### Features
 
 * A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
 
 * The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
 
 
-### Improvements
+#### Improvements
 
 * For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
 
-### Bugfixes
+#### Bugfixes
 
 * The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
 * rails tests were silently not running in CI;

data/README.md

@@ -25,7 +25,12 @@ This gem implements the following RFCs and features of OAuth:
 * [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
 * OAuth application and token management dashboards;
 
-It also implements the [OpenID Connect layer](https://openid.net/connect/) on top of the OAuth features it provides.
+It also implements the [OpenID Connect layer](https://openid.net/connect/) on top of the OAuth features it provides, including:
+
+* [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
+* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
+* [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
+* [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 
@@ -104,7 +109,7 @@ For OpenID, it's very similar to the example above:
 ```ruby
 plugin :rodauth do
   # enable it in the plugin
-  enable :login, :openid
+  enable :login, :oidc
   oauth_application_default_scope %w[openid]
   oauth_application_scopes %w[openid email profile]
 end

data/lib/rodauth/features/oauth_jwt.rb

@@ -8,6 +8,8 @@ module Rodauth
 
     JWKS = OAuth::TtlStore.new
 
+    # Recommended to have hmac_secret as well
+
     auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
     auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
 
@@ -38,7 +40,8 @@ module Rodauth
       :jwt_encode,
       :jwt_decode,
       :jwks_set,
-      :last_account_login_at
+      :last_account_login_at,
+      :generate_jti
     )
 
     route(:jwks) do |r|
@@ -67,6 +70,10 @@ module Rodauth
       end
     end
 
+    def issuer
+      @issuer ||= oauth_jwt_token_issuer || authorization_server_url
+    end
+
     def authorization_token
       return @authorization_token if defined?(@authorization_token)
 
@@ -79,7 +86,7 @@ module Rodauth
 
         return unless jwt_token
 
-        return if jwt_token["iss"] != (oauth_jwt_token_issuer || authorization_server_url) ||
+        return if jwt_token["iss"] != issuer ||
                   (oauth_jwt_audience && jwt_token["aud"] != oauth_jwt_audience) ||
                   !jwt_token["sub"]
 
@@ -105,7 +112,7 @@ module Rodauth
                   redirect_response_error("invalid_request_object")
                 end
 
-      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg])
+      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg], verify_jti: false)
 
       redirect_response_error("invalid_request_object") unless claims
 
@@ -118,7 +125,7 @@ module Rodauth
       claims.delete("iss")
       audience = claims.delete("aud")
 
-      redirect_response_error("invalid_request_object") if audience && audience != authorization_server_url
+      redirect_response_error("invalid_request_object") if audience && audience != issuer
 
       claims.each do |k, v|
         request.params[k.to_s] = v
@@ -209,7 +216,7 @@ module Rodauth
       issued_at = Time.now.to_i
 
       claims = {
-        iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
+        iss: issuer, # issuer
         iat: issued_at, # issued at
         #
         # sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].  In case of
@@ -317,6 +324,23 @@ module Rodauth
       end
     end
 
+    def generate_jti(payload)
+      # Use the key and iat to create a unique key per request to prevent replay attacks
+      jti_raw = [
+        payload[:aud] || payload["aud"],
+        payload[:iat] || payload["iat"]
+      ].join(":").to_s
+      Digest::SHA256.hexdigest(jti_raw)
+    end
+
+    def verify_jti(jti, claims)
+      generate_jti(claims) == jti
+    end
+
+    def verify_aud(aud, claims)
+      aud == (oauth_jwt_audience || claims["client_id"])
+    end
+
     if defined?(JSON::JWT)
 
       def jwk_import(data)
@@ -325,6 +349,7 @@ module Rodauth
 
       # json-jwt
       def jwt_encode(payload)
+        payload[:jti] = generate_jti(payload)
         jwt = JSON::JWT.new(payload)
         jwk = JSON::JWK.new(_jwt_key)
 
@@ -340,18 +365,34 @@ module Rodauth
         jwt.to_s
       end
 
-      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, **)
+      def jwt_decode(
+        token,
+        jws_key: oauth_jwt_public_key || _jwt_key,
+        verify_claims: true,
+        verify_jti: true,
+        **
+      )
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
 
-        if is_authorization_server?
-          if oauth_jwt_legacy_public_key
-            JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
-          elsif jws_key
-            JSON::JWT.decode(token, jws_key)
-          end
-        elsif (jwks = auth_server_jwks_set)
-          JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
+        claims = if is_authorization_server?
+                   if oauth_jwt_legacy_public_key
+                     JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
+                   elsif jws_key
+                     JSON::JWT.decode(token, jws_key)
+                   end
+                 elsif (jwks = auth_server_jwks_set)
+                   JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
+                 end
+
+        if verify_claims && !(claims[:iss] == issuer &&
+            verify_aud(claims[:aud], claims) &&
+            (!claims[:iat] || Time.at(claims[:iat]) > (Time.now - oauth_token_expires_in)) &&
+            (!claims[:exp] || Time.at(claims[:exp]) > Time.now) &&
+            (!verify_jti || verify_jti(claims[:jti], claims)))
+          return
         end
+
+        claims
       rescue JSON::JWT::Exception
         nil
       end
@@ -384,12 +425,8 @@ module Rodauth
           key = jwk.keypair
         end
 
-        # Use the key and iat to create a unique key per request to prevent replay attacks
-        jti_raw = [key, payload[:iat]].join(":").to_s
-        jti = Digest::SHA256.hexdigest(jti_raw)
-
         # @see JWT reserved claims - https://tools.ietf.org/html/draft-jones-json-web-token-07#page-7
-        payload[:jti] = jti
+        payload[:jti] = generate_jti(payload)
         token = JWT.encode(payload, key, oauth_jwt_algorithm, headers)
 
         if oauth_jwt_jwe_key
@@ -405,21 +442,54 @@ module Rodauth
         token
       end
 
-      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, jws_algorithm: oauth_jwt_algorithm)
+      def jwt_decode(
+        token,
+        jws_key: oauth_jwt_public_key || _jwt_key,
+        jws_algorithm: oauth_jwt_algorithm,
+        verify_claims: true,
+        verify_jti: true
+      )
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
+
+        # verifying the JWT implies verifying:
+        #
+        # issuer: check that server generated the token
+        # aud: check the audience field (client is who he says he is)
+        # iat: check that the token didn't expire
+        #
+        # subject can't be verified automatically without having access to the account id,
+        # which we don't because that's the whole point.
+        #
+        verify_claims_params = if verify_claims
+                                 {
+                                   verify_iss: true,
+                                   iss: issuer,
+                                   # can't use stock aud verification, as it's dependent on the client application id
+                                   verify_aud: false,
+                                   verify_jti: (verify_jti ? method(:verify_jti) : false),
+                                   verify_iat: true
+                                 }
+                               else
+                                 {}
+                               end
+
         # decode jwt
-        if is_authorization_server?
-          if oauth_jwt_legacy_public_key
-            algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-            JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms).first
-          elsif jws_key
-            JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
-          end
-        elsif (jwks = auth_server_jwks_set)
-          algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-          JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms).first
-        end
+        claims = if is_authorization_server?
+                   if oauth_jwt_legacy_public_key
+                     algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                     JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms, **verify_claims_params).first
+                   elsif jws_key
+                     JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params).first
+                   end
+                 elsif (jwks = auth_server_jwks_set)
+                   algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                   JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms, **verify_claims_params).first
+                 end
+
+        return if verify_claims && !verify_aud(claims["aud"], claims)
+
+        claims
       rescue JWT::DecodeError, JWT::JWKError
         nil
       end

data/lib/rodauth/features/oidc.rb

@@ -14,6 +14,7 @@ module Rodauth
     VALID_METADATA_KEYS = %i[
       issuer
       authorization_endpoint
+      end_session_endpoint
       token_endpoint
       userinfo_endpoint
       jwks_uri
@@ -75,6 +76,10 @@ module Rodauth
     auth_value_method :oauth_prompt_login_cookie_options, {}.freeze
     auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
 
+    # logout
+    auth_value_method :oauth_applications_post_logout_redirect_uri_column, :post_logout_redirect_uri
+    auth_value_method :use_rp_initiated_logout?, false
+
     auth_value_methods(:get_oidc_param, :get_additional_param)
 
     # /userinfo
@@ -108,10 +113,81 @@ module Rodauth
       end
     end
 
-    def openid_configuration(issuer = nil)
+    # /oidc-logout
+    route(:oidc_logout) do |r|
+      next unless use_rp_initiated_logout?
+
+      before_oidc_logout_route
+      require_authorizable_account
+
+      # OpenID Providers MUST support the use of the HTTP GET and POST methods
+      r.on method: %i[get post] do
+        catch_error do
+          validate_oidc_logout_params
+
+          #
+          # why this is done:
+          #
+          # we need to decode the id token in order to get the application, because, if the
+          # signing key is application-specific, we don't know how to verify the signature
+          # beforehand. Hence, we have to do it twice: decode-and-do-not-verify, initialize
+          # the @oauth_application, and then decode-and-verify.
+          #
+          oauth_token = jwt_decode(param("id_token_hint"), verify_claims: false)
+          oauth_application_id = oauth_token["client_id"]
+
+          # check whether ID token belongs to currently logged-in user
+          redirect_response_error("invalid_request") unless oauth_token["sub"] == jwt_subject(
+            oauth_tokens_account_id_column => account_id,
+            oauth_tokens_oauth_application_id_column => oauth_application_id
+          )
+
+          # When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token.
+          redirect_response_error("invalid_request") unless oauth_token && oauth_token["iss"] == issuer
+
+          # now let's logout from IdP
+          transaction do
+            before_logout
+            logout
+            after_logout
+          end
+
+          if (post_logout_redirect_uri = param_or_nil("post_logout_redirect_uri"))
+            catch(:default_logout_redirect) do
+              oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => oauth_token["client_id"]).first
+
+              throw(:default_logout_redirect) unless oauth_application
+
+              post_logout_redirect_uris = oauth_application[oauth_applications_post_logout_redirect_uri_column].split(" ")
+
+              throw(:default_logout_redirect) unless post_logout_redirect_uris.include?(post_logout_redirect_uri)
+
+              if (state = param_or_nil("state"))
+                post_logout_redirect_uri = URI(post_logout_redirect_uri)
+                params = ["state=#{state}"]
+                params << post_logout_redirect_uri.query if post_logout_redirect_uri.query
+                post_logout_redirect_uri.query = params.join("&")
+                post_logout_redirect_uri = post_logout_redirect_uri.to_s
+              end
+
+              redirect(post_logout_redirect_uri)
+            end
+
+          end
+
+          # regular logout procedure
+          set_notice_flash(logout_notice_flash)
+          redirect(logout_redirect)
+        end
+
+        redirect_response_error("invalid_request")
+      end
+    end
+
+    def openid_configuration(alt_issuer = nil)
       request.on(".well-known/openid-configuration") do
         request.get do
-          json_response_success(openid_configuration_body(issuer), cache: true)
+          json_response_success(openid_configuration_body(alt_issuer), cache: true)
         end
       end
     end
@@ -342,6 +418,18 @@ module Rodauth
       params
     end
 
+    # Logout
+
+    def validate_oidc_logout_params
+      redirect_response_error("invalid_request") unless param_or_nil("id_token_hint")
+      # check if valid token hint type
+      return unless (redirect_uri = param_or_nil("post_logout_redirect_uri"))
+
+      return if check_valid_uri?(redirect_uri)
+
+      redirect_response_error("invalid_request")
+    end
+
     # Metadata
 
     def openid_configuration_body(path)
@@ -368,6 +456,7 @@ module Rodauth
 
       metadata.merge(
         userinfo_endpoint: userinfo_url,
+        end_session_endpoint: (oidc_logout_url if use_rp_initiated_logout?),
         response_types_supported: response_types_supported,
         subject_types_supported: [oauth_jwt_subject_type],
 

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.4.3"
+    VERSION = "0.5.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.5.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-10 00:00:00.000000000 Z
+date: 2021-02-08 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -71,7 +71,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.