rodauth-oauth 0.7.3 → 0.9.0

data/lib/rodauth/features/oauth_pkce.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth/refinements"
+
+module Rodauth
+  Feature.define(:oauth_pkce, :OauthPkce) do
+    using PrefixExtensions
+
+    depends :oauth_authorization_code_grant
+
+    auth_value_method :use_oauth_pkce?, true
+
+    auth_value_method :oauth_require_pkce, false
+    auth_value_method :oauth_pkce_challenge_method, "S256"
+
+    auth_value_method :oauth_grants_code_challenge_column, :code_challenge
+    auth_value_method :oauth_grants_code_challenge_method_column, :code_challenge_method
+
+    auth_value_method :code_challenge_required_error_code, "invalid_request"
+    translatable_method :code_challenge_required_message, "code challenge required"
+    auth_value_method :unsupported_transform_algorithm_error_code, "invalid_request"
+    translatable_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
+
+    private
+
+    def authorized_oauth_application?(oauth_application, client_secret, _)
+      return true if use_oauth_pkce? && param_or_nil("code_verifier")
+
+      super
+    end
+
+    def validate_oauth_grant_params
+      validate_pkce_challenge_params if use_oauth_pkce?
+
+      super
+    end
+
+    def create_oauth_grant(create_params = {})
+      # PKCE flow
+      if use_oauth_pkce? && (code_challenge = param_or_nil("code_challenge"))
+        code_challenge_method = param_or_nil("code_challenge_method")
+
+        create_params[oauth_grants_code_challenge_column] = code_challenge
+        create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
+      end
+
+      super
+    end
+
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+      if use_oauth_pkce?
+        if oauth_grant[oauth_grants_code_challenge_column]
+          code_verifier = param_or_nil("code_verifier")
+
+          redirect_response_error("invalid_request") unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
+        elsif oauth_require_pkce
+          redirect_response_error("code_challenge_required")
+        end
+      end
+
+      super
+    end
+
+    def validate_pkce_challenge_params
+      if param_or_nil("code_challenge")
+
+        challenge_method = param_or_nil("code_challenge_method")
+        redirect_response_error("code_challenge_required") unless oauth_pkce_challenge_method == challenge_method
+      else
+        return unless oauth_require_pkce
+
+        redirect_response_error("code_challenge_required")
+      end
+    end
+
+    def check_valid_grant_challenge?(grant, verifier)
+      challenge = grant[oauth_grants_code_challenge_column]
+
+      case grant[oauth_grants_code_challenge_method_column]
+      when "plain"
+        challenge == verifier
+      when "S256"
+        generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier))
+        generated_challenge.delete_suffix!("=") while generated_challenge.end_with?("=")
+
+        challenge == generated_challenge
+      else
+        redirect_response_error("unsupported_transform_algorithm")
+      end
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:code_challenge_methods_supported] = oauth_pkce_challenge_method if use_oauth_pkce?
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_resource_server.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_resource_server, :OauthResourceServer) do
+    def authorization_token
+      return @authorization_token if defined?(@authorization_token)
+
+      # check if there is a token
+      bearer_token = fetch_access_token
+
+      return unless bearer_token
+
+      # where in resource server, NOT the authorization server.
+      payload = introspection_request("access_token", bearer_token)
+
+      return unless payload["active"]
+
+      @authorization_token = payload
+    end
+  end
+end

data/lib/rodauth/features/oauth_saml_bearer_grant.rb

@@ -0,0 +1,102 @@
+# frozen-string-literal: true
+
+require "onelogin/ruby-saml"
+
+module Rodauth
+  Feature.define(:oauth_saml_bearer_grant, :OauthSamlBearerGrant) do
+    depends :oauth_assertion_base
+
+    auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    auth_value_method :oauth_saml_cert, nil
+    auth_value_method :oauth_saml_cert_fingerprint_algorithm, nil
+    auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+    auth_value_method :oauth_saml_security_authn_requests_signed, true
+    auth_value_method :oauth_saml_security_metadata_signed, true
+    auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
+    auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
+
+    auth_value_methods(
+      :require_oauth_application_from_saml2_bearer_assertion_issuer,
+      :require_oauth_application_from_saml2_bearer_assertion_subject,
+      :account_from_saml2_bearer_assertion
+    )
+
+    private
+
+    def require_oauth_application_from_saml2_bearer_assertion_issuer(assertion)
+      saml = saml_assertion(assertion)
+
+      return unless saml
+
+      db[oauth_applications_table].where(
+        oauth_applications_homepage_url_column => saml.issuers
+      ).first
+    end
+
+    def require_oauth_application_from_saml2_bearer_assertion_subject(assertion)
+      saml = saml_assertion(assertion)
+
+      return unless saml
+
+      db[oauth_applications_table].where(
+        oauth_applications_client_id_column => saml.nameid
+      ).first
+    end
+
+    def account_from_saml2_bearer_assertion(assertion)
+      saml = saml_assertion(assertion)
+
+      return unless saml
+
+      account_from_bearer_assertion_subject(saml.nameid)
+    end
+
+    def saml_assertion(assertion)
+      settings = OneLogin::RubySaml::Settings.new
+      settings.idp_cert = oauth_saml_cert
+      settings.idp_cert_fingerprint = oauth_saml_cert_fingerprint
+      settings.idp_cert_fingerprint_algorithm = oauth_saml_cert_fingerprint_algorithm
+      settings.name_identifier_format = oauth_saml_name_identifier_format
+      settings.security[:authn_requests_signed] = oauth_saml_security_authn_requests_signed
+      settings.security[:metadata_signed] = oauth_saml_security_metadata_signed
+      settings.security[:digest_method] = oauth_saml_security_digest_method
+      settings.security[:signature_method] = oauth_saml_security_signature_method
+
+      response = OneLogin::RubySaml::Response.new(assertion, settings: settings, skip_recipient_check: true)
+
+      # 3. he Assertion MUST have an expiry that limits the time window ...
+      # 4. The Assertion MUST have an expiry that limits the time window ...
+      # 5. The <Subject> element MUST contain at least one ...
+      # 6. The authorization server MUST reject the entire Assertion if the ...
+      # 7. If the Assertion issuer directly authenticated the subject, ...
+      redirect_response_error("invalid_grant") unless response.is_valid?
+
+      # In order to issue an access token response as described in OAuth 2.0
+      # [RFC6749] or to rely on an Assertion for client authentication, the
+      # authorization server MUST validate the Assertion according to the
+      # criteria below.
+
+      # 1. The Assertion's <Issuer> element MUST contain a unique identifier
+      # for the entity that issued the Assertion.
+      redirect_response_error("invalid_grant") unless response.issuers.size == 1
+
+      # 2. in addition to the URI references
+      # discussed there, the token endpoint URL of the authorization
+      # server MAY be used as a URI that identifies the authorization
+      # server as an intended audience.  The authorization server MUST
+      # reject any Assertion that does not contain its own identity as
+      # the intended audience.
+      redirect_response_error("invalid_grant") if response.audiences && !response.audiences.include?(token_url)
+
+      response
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:grant_types_supported] << "urn:ietf:params:oauth:grant-type:saml2-bearer"
+        data[:token_endpoint_auth_methods_supported] << "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_token_introspection.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_token_introspection, :OauthTokenIntrospection) do
+    depends :oauth_base
+
+    before "introspect"
+
+    auth_value_methods(
+      :before_introspection_request
+    )
+
+    # /introspect
+    route(:introspect) do |r|
+      next unless is_authorization_server?
+
+      before_introspect_route
+
+      r.post do
+        catch_error do
+          validate_oauth_introspect_params
+
+          before_introspect
+          oauth_token = case param("token_type_hint")
+                        when "access_token"
+                          oauth_token_by_token(param("token"))
+                        when "refresh_token"
+                          oauth_token_by_refresh_token(param("token"))
+                        else
+                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
+                        end
+
+          if oauth_application
+            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
+          elsif oauth_token
+            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
+              oauth_token[oauth_tokens_oauth_application_id_column]).first
+          end
+
+          json_response_success(json_token_introspect_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # Token introspect
+
+    def validate_oauth_introspect_params(token_hint_types = %w[access_token refresh_token].freeze)
+      # check if valid token hint type
+      if param_or_nil("token_type_hint") && !token_hint_types.include?(param("token_type_hint"))
+        redirect_response_error("unsupported_token_type")
+      end
+
+      redirect_response_error("invalid_request") unless param_or_nil("token")
+    end
+
+    def json_token_introspect_payload(token)
+      return { active: false } unless token
+
+      {
+        active: true,
+        scope: token[oauth_tokens_scopes_column],
+        client_id: oauth_application[oauth_applications_client_id_column],
+        # username
+        token_type: oauth_token_type,
+        exp: token[oauth_tokens_expires_in_column].to_i
+      }
+    end
+
+    def check_csrf?
+      case request.path
+      when introspect_path
+        false
+      else
+        super
+      end
+    end
+
+    private
+
+    def introspection_request(token_type_hint, token)
+      auth_url = URI(authorization_server_url)
+      http = Net::HTTP.new(auth_url.host, auth_url.port)
+      http.use_ssl = auth_url.scheme == "https"
+
+      request = Net::HTTP::Post.new(introspect_path)
+      request["content-type"] = "application/x-www-form-urlencoded"
+      request["accept"] = json_response_content_type
+      request.set_form_data({ "token_type_hint" => token_type_hint, "token" => token })
+
+      before_introspection_request(request)
+      response = http.request(request)
+      authorization_required unless response.code.to_i == 200
+
+      JSON.parse(response.body)
+    end
+
+    def before_introspection_request(request); end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:introspection_endpoint] = introspect_url
+        data[:introspection_endpoint_auth_methods_supported] = %w[client_secret_basic]
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_token_management.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_token_management, :OauthTokenManagement) do
+    using RegexpExtensions
+
+    depends :oauth_management_base
+
+    view "oauth_tokens", "My Oauth Tokens", "oauth_tokens"
+
+    button "Revoke", "oauth_token_revoke"
+
+    auth_value_method :oauth_tokens_path, "oauth-tokens"
+
+    %w[token refresh_token expires_in revoked_at].each do |param|
+      translatable_method :"oauth_tokens_#{param}_label", param.gsub("_", " ").capitalize
+    end
+
+    auth_value_method :oauth_tokens_route, "oauth-tokens"
+    auth_value_method :oauth_tokens_id_pattern, Integer
+    auth_value_method :oauth_tokens_per_page, 20
+
+    auth_value_methods(
+      :oauth_token_path
+    )
+
+    def oauth_tokens_path(opts = {})
+      route_path(oauth_tokens_route, opts)
+    end
+
+    def oauth_tokens_url(opts = {})
+      route_url(oauth_tokens_route, opts)
+    end
+
+    def oauth_token_path(id)
+      "#{oauth_tokens_path}/#{id}"
+    end
+
+    def oauth_tokens
+      request.on(oauth_tokens_route) do
+        require_account
+
+        request.get do
+          page = Integer(param_or_nil("page") || 1)
+          per_page = per_page_param(oauth_tokens_per_page)
+
+          scope.instance_variable_set(:@oauth_tokens, db[oauth_tokens_table]
+            .select(Sequel[oauth_tokens_table].*, Sequel[oauth_applications_table][oauth_applications_name_column])
+            .join(oauth_applications_table, Sequel[oauth_tokens_table][oauth_tokens_oauth_application_id_column] =>
+              Sequel[oauth_applications_table][oauth_applications_id_column])
+            .where(Sequel[oauth_tokens_table][oauth_tokens_account_id_column] => account_id)
+            .where(oauth_tokens_revoked_at_column => nil)
+            .order(Sequel.desc(oauth_tokens_id_column))
+            .paginate(page, per_page))
+          oauth_tokens_view
+        end
+
+        request.post(oauth_tokens_id_pattern) do |id|
+          db[oauth_tokens_table]
+            .where(oauth_tokens_id_column => id)
+            .where(oauth_tokens_account_id_column => account_id)
+            .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+
+          set_notice_flash revoke_oauth_token_notice_flash
+          redirect oauth_tokens_path || "/"
+        end
+      end
+    end
+
+    def check_csrf?
+      case request.path
+      when oauth_tokens_path
+        only_json? ? false : super
+      else
+        super
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_token_revocation.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_token_revocation, :OauthTokenRevocation) do
+    depends :oauth_base
+
+    before "revoke"
+    after "revoke"
+
+    notice_flash "The oauth token has been revoked", "revoke_oauth_token"
+
+    # /revoke
+    route(:revoke) do |r|
+      next unless is_authorization_server?
+
+      before_revoke_route
+
+      if logged_in?
+        require_account
+        require_oauth_application_from_account
+      else
+        require_oauth_application
+      end
+
+      r.post do
+        catch_error do
+          validate_oauth_revoke_params
+
+          oauth_token = nil
+          transaction do
+            before_revoke
+            oauth_token = revoke_oauth_token
+            after_revoke
+          end
+
+          if accepts_json?
+            json_response_success \
+              "token" => oauth_token[oauth_tokens_token_column],
+              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
+              "revoked_at" => convert_timestamp(oauth_token[oauth_tokens_revoked_at_column])
+          else
+            set_notice_flash revoke_oauth_token_notice_flash
+            redirect request.referer || "/"
+          end
+        end
+
+        redirect_response_error("invalid_request", request.referer || "/")
+      end
+    end
+
+    def validate_oauth_revoke_params(token_hint_types = %w[access_token refresh_token].freeze)
+      # check if valid token hint type
+      if param_or_nil("token_type_hint") && !token_hint_types.include?(param("token_type_hint"))
+        redirect_response_error("unsupported_token_type")
+      end
+
+      redirect_response_error("invalid_request") unless param_or_nil("token")
+    end
+
+    def check_csrf?
+      case request.path
+      when revoke_path
+        !json_request?
+      else
+        super
+      end
+    end
+
+    private
+
+    def revoke_oauth_token
+      token = param("token")
+
+      oauth_token = if param("token_type_hint") == "refresh_token"
+                      oauth_token_by_refresh_token(token)
+                    else
+                      oauth_token_by_token(token)
+                    end
+
+      redirect_response_error("invalid_request") unless oauth_token
+
+      redirect_response_error("invalid_request") unless token_from_application?(oauth_token, oauth_application)
+
+      update_params = { oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
+
+      ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+
+      oauth_token = __update_and_return__(ds, update_params)
+
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token
+
+      # If the particular
+      # token is a refresh token and the authorization server supports the
+      # revocation of access tokens, then the authorization server SHOULD
+      # also invalidate all access tokens based on the same authorization
+      # grant
+      #
+      # we don't need to do anything here, as we revalidate existing tokens
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:revocation_endpoint] = revoke_url
+        data[:revocation_endpoint_auth_methods_supported] = nil # because it's client_secret_basic
+      end
+    end
+  end
+end

data/lib/rodauth/features/oidc.rb

@@ -65,6 +65,13 @@ module Rodauth
     auth_value_method :oauth_application_default_scope, "openid"
     auth_value_method :oauth_application_scopes, %w[openid]
 
+    auth_value_method :oauth_applications_id_token_signed_response_alg_column, :id_token_signed_response_alg
+    auth_value_method :oauth_applications_id_token_encrypted_response_alg_column, :id_token_encrypted_response_alg
+    auth_value_method :oauth_applications_id_token_encrypted_response_enc_column, :id_token_encrypted_response_enc
+    auth_value_method :oauth_applications_userinfo_signed_response_alg_column, :userinfo_signed_response_alg
+    auth_value_method :oauth_applications_userinfo_encrypted_response_alg_column, :userinfo_encrypted_response_alg
+    auth_value_method :oauth_applications_userinfo_encrypted_response_enc_column, :userinfo_encrypted_response_enc
+
     auth_value_method :oauth_grants_nonce_column, :nonce
     auth_value_method :oauth_tokens_nonce_column, :nonce
 
@@ -106,7 +113,23 @@ module Rodauth
 
           fill_with_account_claims(oidc_claims, account, oauth_scopes)
 
-          json_response_success(oidc_claims)
+          @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => oauth_token["client_id"]).first
+
+          if (algo = @oauth_application && @oauth_application[oauth_applications_userinfo_signed_response_alg_column])
+            params = {
+              jwks: oauth_application_jwks,
+              encryption_algorithm: @oauth_application[oauth_applications_userinfo_encrypted_response_alg_column],
+              encryption_method: @oauth_application[oauth_applications_userinfo_encrypted_response_enc_column]
+            }
+            jwt = jwt_encode(
+              oidc_claims,
+              signing_algorithm: algo,
+              **params
+            )
+            jwt_response_success(jwt)
+          else
+            json_response_success(oidc_claims)
+          end
         end
 
         throw_json_response_error(authorization_required_error_status, "invalid_token")
@@ -283,7 +306,7 @@ module Rodauth
           redirect_response_error("consent_required")
         end
       when "select-account"
-        # obly works if select_account plugin is available
+        # only works if select_account plugin is available
         require_select_account if respond_to?(:require_select_account)
       else
         redirect_response_error("invalid_request")
@@ -302,7 +325,7 @@ module Rodauth
       super(oauth_grant, create_params.merge(oauth_tokens_nonce_column => oauth_grant[oauth_grants_nonce_column]))
     end
 
-    def create_oauth_token
+    def create_oauth_token(*)
       oauth_token = super
       generate_id_token(oauth_token)
       oauth_token
@@ -330,7 +353,13 @@ module Rodauth
 
       fill_with_account_claims(id_token_claims, account, oauth_scopes)
 
-      oauth_token[:id_token] = jwt_encode(id_token_claims)
+      params = {
+        jwks: oauth_application_jwks,
+        signing_algorithm: oauth_application[oauth_applications_id_token_signed_response_alg_column] || oauth_jwt_algorithm,
+        encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
+        encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
+      }
+      oauth_token[:id_token] = jwt_encode(id_token_claims, **params)
     end
 
     # aka fill_with_standard_claims
@@ -443,7 +472,7 @@ module Rodauth
 
     # Metadata
 
-    def openid_configuration_body(path)
+    def openid_configuration_body(path = nil)
       metadata = oauth_server_metadata_body(path).select do |k, _|
         VALID_METADATA_KEYS.include?(k)
       end
@@ -461,7 +490,8 @@ module Rodauth
       scope_claims.unshift("auth_time") if last_account_login_at
 
       response_types_supported = metadata[:response_types_supported]
-      if use_oauth_implicit_grant_type?
+
+      if metadata[:grant_types_supported].include?("implicit")
         response_types_supported += ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"]
       end