rodauth-oauth 0.7.3 → 0.9.0

data/lib/rodauth/features/oidc_dynamic_client_registration.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oidc_dynamic_client_registration, :OidcDynamicClientRegistration) do
+    depends :oauth_dynamic_client_registration, :oidc
+
+    auth_value_method :oauth_applications_application_type_column, :application_type
+
+    private
+
+    def registration_metadata
+      openid_configuration_body
+    end
+
+    def validate_client_registration_params
+      super
+
+      if (value = @oauth_application_params[oauth_applications_application_type_column])
+        case value
+        when "native"
+          request.params["redirect_uris"].each do |uri|
+            uri = URI(uri)
+            # Native Clients MUST only register redirect_uris using custom URI schemes or
+            # URLs using the http: scheme with localhost as the hostname.
+            case uri.scheme
+            when "http"
+              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri)) unless uri.host == "localhost"
+            when "https"
+              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
+            end
+          end
+        when "web"
+          # Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris;
+          # they MUST NOT use localhost as the hostname.
+          if request.params["grant_types"].include?("implicit")
+            request.params["redirect_uris"].each do |uri|
+              uri = URI(uri)
+              unless uri.scheme == "https" && uri.host != "localhost"
+                register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
+              end
+            end
+          end
+        else
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_application_type_message(type))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_subject_type_column])
+        unless %w[pairwise public].include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("subject_type"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_id_token_signed_response_alg_column])
+        if value == "none"
+          # The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types
+          # that return no ID Token from the Authorization Endpoint
+          response_types = @oauth_application_params[oauth_applications_response_types_column]
+          if response_types && response_types.include?("id_token")
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
+          end
+        elsif !oauth_jwt_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column])
+        unless oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column])
+        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_enc"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column])
+        unless oauth_jwt_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_signed_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column])
+        unless oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column])
+        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_enc"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_request_object_signing_alg_column])
+        unless oauth_jwt_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_signing_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column])
+        unless oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column])
+        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_enc"))
+        end
+      end
+    end
+
+    def validate_client_registration_response_type(response_type, grant_types)
+      case response_type
+      when "id_token"
+        unless grant_types.include?("implicit")
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_response_type_for_grant_type_message(response_type, "implicit"))
+        end
+      else
+        super
+      end
+    end
+
+    def do_register(return_params = request.params.dup)
+      # set defaults
+
+      create_params = @oauth_application_params
+
+      create_params[oauth_applications_application_type_column] ||= begin
+        return_params["application_type"] = "web"
+        "web"
+      end
+      create_params[oauth_applications_id_token_signed_response_alg_column] ||= begin
+        return_params["id_token_signed_response_alg"] = oauth_jwt_algorithm
+        oauth_jwt_algorithm
+      end
+      if create_params.key?(oauth_applications_id_token_encrypted_response_alg_column)
+        create_params[oauth_applications_id_token_encrypted_response_enc_column] ||= begin
+          return_params["id_token_encrypted_response_enc"] = "A128CBC-HS256"
+          "A128CBC-HS256"
+        end
+      end
+      if create_params.key?(oauth_applications_userinfo_encrypted_response_alg_column)
+        create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||= begin
+          return_params["userinfo_encrypted_response_enc"] = "A128CBC-HS256"
+          "A128CBC-HS256"
+        end
+      end
+      if create_params.key?(oauth_applications_request_object_encryption_alg_column)
+        create_params[oauth_applications_request_object_encryption_enc_column] ||= begin
+          return_params["request_object_encryption_enc"] = "A128CBC-HS256"
+          "A128CBC-HS256"
+        end
+      end
+
+      super(return_params)
+    end
+
+    def register_invalid_application_type_message(application_type)
+      "The application type '#{application_type}' is not allowed."
+    end
+  end
+end

data/lib/rodauth/oauth/database_extensions.rb

@@ -2,7 +2,7 @@
 
 module Rodauth
   module OAuth
-    # rubocop:disable Naming/MethodName, Metrics/ParameterLists
+    # rubocop:disable Naming/MethodName
     def self.ExtendDatabase(db)
       Module.new do
         dataset = db.dataset
@@ -42,6 +42,14 @@ module Rodauth
 
             __insert_and_return__(dataset, pkey, params)
           end
+
+          def __insert_or_do_nothing_and_return__(dataset, pkey, unique_columns, params)
+            __insert_and_return__(
+              dataset.insert_conflict(target: unique_columns),
+              pkey,
+              params
+            ) || dataset.where(params).first
+          end
         else
           def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, exclude_on_update = nil)
             find_params, update_params = params.partition { |key, _| unique_columns.include?(key) }.map { |h| Hash[h] }
@@ -65,9 +73,14 @@ module Rodauth
               __insert_and_return__(dataset, pkey, params)
             end
           end
+
+          def __insert_or_do_nothing_and_return__(dataset, pkey, unique_columns, params)
+            find_params = params.select { |key, _| unique_columns.include?(key) }
+            dataset.where(find_params).first || __insert_and_return__(dataset, pkey, params)
+          end
         end
       end
     end
-    # rubocop:enable Naming/MethodName, Metrics/ParameterLists
+    # rubocop:enable Naming/MethodName
   end
 end

data/lib/rodauth/oauth/jwe_extensions.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module JWE
+  #
+  # this is a monkey-patch!
+  # it's necessary, as the original jwe does not support jwks.
+  # if this works long term, it may be merged upstreamm.
+  #
+  def self.__rodauth_oauth_decrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM")
+    header, enc_key, iv, ciphertext, tag = Serialization::Compact.decode(payload)
+    header = JSON.parse(header)
+
+    key = find_key_by_kid(jwks, header["kid"], alg, enc)
+
+    check_params(header, key)
+
+    cek = Alg.decrypt_cek(header["alg"], key, enc_key)
+    cipher = Enc.for(header["enc"], cek, iv, tag)
+
+    plaintext = cipher.decrypt(ciphertext, payload.split(".").first)
+
+    apply_zip(header, plaintext, :decompress)
+  end
+
+  def self.__rodauth_oauth_encrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM", **more_headers)
+    header = generate_header(alg, enc, more_headers)
+
+    key = find_key_by_alg_enc(jwks, alg, enc)
+
+    check_params(header, key)
+    payload = apply_zip(header, payload, :compress)
+
+    cipher = Enc.for(enc)
+    cipher.cek = key if alg == "dir"
+
+    json_hdr = header.to_json
+    ciphertext = cipher.encrypt(payload, Base64.jwe_encode(json_hdr))
+
+    generate_serialization(json_hdr, Alg.encrypt_cek(alg, key, cipher.cek), ciphertext, cipher)
+  end
+
+  def self.find_key_by_kid(jwks, kid, alg, enc)
+    raise DecodeError, "No key id (kid) found from token headers" unless kid
+
+    jwk = jwks.find { |key, _| (key[:kid] || key["kid"]) == kid }
+
+    raise DecodeError, "Could not find public key for kid #{kid}" unless jwk
+    raise DecodeError, "Expected a different encryption algorithm" unless alg == (jwk[:alg] || jwk["alg"])
+    raise DecodeError, "Expected a different encryption method" unless enc == (jwk[:enc] || jwk["enc"])
+
+    ::JWT::JWK.import(jwk).keypair
+  end
+
+  def self.find_key_by_alg_enc(jwks, alg, enc)
+    jwk = jwks.find do |key, _|
+      (key[:alg] || key["alg"]) == alg &&
+        (key[:enc] || key["enc"]) == enc
+    end
+
+    raise DecodeError, "No key found" unless jwk
+
+    ::JWT::JWK.import(jwk).keypair
+  end
+end

data/lib/rodauth/oauth/refinements.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Rodauth
+  module PrefixExtensions
+    unless String.method_defined?(:delete_prefix)
+      refine(String) do
+        def delete_suffix(suffix)
+          suffix = suffix.to_s
+          len = suffix.length
+          return dup unless len.positive? && index(suffix, -len)
+
+          self[0...-len]
+        end
+
+        def delete_prefix(prefix)
+          prefix = prefix.to_s
+          return dup unless rindex(prefix, 0)
+
+          self[prefix.length..-1]
+        end
+      end
+    end
+
+    unless String.method_defined?(:delete_suffix!)
+      refine(String) do
+        def delete_suffix!(suffix)
+          suffix = suffix.to_s
+          chomp! if frozen?
+          len = suffix.length
+          return unless len.positive? && index(suffix, -len)
+
+          self[-len..-1] = ""
+          self
+        end
+      end
+    end
+  end
+
+  module RegexpExtensions
+    unless Regexp.method_defined?(:match?)
+      refine(Regexp) do
+        def match?(*args)
+          !match(*args).nil?
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/oauth/ttl_store.rb

@@ -24,12 +24,18 @@ class Rodauth::OAuth::TtlStore
     @store_mutex.synchronize do
       # short circuit
       return @store[key][:payload] if @store[key] && @store[key][:ttl] < now
+    end
 
-      payload, ttl = block.call
-      @store[key] = { payload: payload, ttl: (ttl || (now + DEFAULT_TTL)) }
+    payload, ttl = block.call
+
+    @store_mutex.synchronize do
+      # given that the block call triggers network, and two requests for the same key be processed
+      # at the same time, this ensures the first one wins.
+      return @store[key][:payload] if @store[key] && @store[key][:ttl] < now
 
-      @store[key][:payload]
+      @store[key] = { payload: payload, ttl: (ttl || (now + DEFAULT_TTL)) }
     end
+    @store[key][:payload]
   end
 
   def uncache(key)

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.7.3"
+    VERSION = "0.9.0"
   end
 end

data/locales/en.yml

@@ -5,22 +5,39 @@ en:
     create_oauth_application_notice_flash: "Your oauth application has been registered"
     revoke_unauthorized_account_error_flash: "You are not authorized to revoke this token"
     revoke_oauth_token_notice_flash: "The oauth token has been revoked"
+    device_verification_notice_flash: "The device is verified"
+    user_code_not_found_error_flash: "No device to authorize with the given user code"
     oauth_authorize_title: "Authorize"
-    oauth_oauth_applications_page_title: "Oauth Applications"
-    oauth_oauth_application_page_title: "Oauth Application"
-    oauth_new_oauth_application_page_title: "New Oauth Application"
-    oauth_oauth_tokens_page_title: "Oauth Tokens"
-    name_label: "Name"
-    description_label: "Description"
-    scopes_label: "Scopes"
-    homepage_url_label: "Homepage URL"
-    redirect_uri_label: "Redirect URL"
-    client_secret_label: "Client Secret"
-    client_id_label: "Client ID"
-    oauth_applications_button: "Register"
+    oauth_applications_page_title: "Oauth Applications"
+    oauth_application_page_title: "Oauth Application"
+    new_oauth_application_page_title: "New Oauth Application"
+    oauth_application_oauth_tokens_page_title: "Application Oauth Tokens"
+    oauth_tokens_page_title: "My Oauth Tokens"
+    device_verification_page_title: "Device Verification"
+    device_search_page_title: "Device Search"
+    oauth_management_pagination_previous_button: "Previous"
+    oauth_management_pagination_next_button: "Next"
+    oauth_applications_name_label: "Name"
+    oauth_applications_description_label: "Description"
+    oauth_applications_scopes_label: "Scopes"
+    oauth_applications_contacts_label: "Contacts"
+    oauth_applications_homepage_url_label: "Homepage URL"
+    oauth_applications_tos_uri_label: "Terms of Service URL"
+    oauth_applications_policy_uri_label: "Policy URL"
+    oauth_applications_redirect_uri_label: "Redirect URL"
+    oauth_applications_client_secret_label: "Client Secret"
+    oauth_applications_client_id_label: "Client ID"
+    oauth_grant_user_code_label: "User code"
+    oauth_grant_user_jws_jwk_label: "JSON Web Keys"
+    oauth_grant_user_jwt_public_key_label: "Public key"
+    oauth_application_button: "Register"
     oauth_authorize_button: "Authorize"
     oauth_token_revoke_button: "Revoke"
     oauth_authorize_post_button: "Back to Client Application"
+    oauth_device_verification_button: "Verify"
+    oauth_device_search_button: "Search"
+    invalid_client_message: "Client authentication failed"
+    invalid_grant_type_message: "Invalid grant type"
     invalid_grant_message: "Invalid grant"
     invalid_scope_message: "Invalid scope"
     invalid_url_message: "Invalid URL"
@@ -28,6 +45,10 @@ en:
     unique_error_message: "is already in use"
     null_error_message: "is not filled"
     already_in_use_message: "error generating unique token"
+    expired_token_message: "the device code has expired"
+    access_denied_message: "the authorization request has been denied"
+    authorization_pending_message: "the authorization request is still pending"
+    slow_down_message: "authorization request is still pending but poll interval should be increased"
     code_challenge_required_message: "code challenge required"
     unsupported_transform_algorithm_message: "transform algorithm not supported"
     request_uri_not_supported_message: "request uri is unsupported"

data/templates/authorize.str

@@ -1,25 +1,74 @@
 <form method="post" action="#{rodauth.authorize_path}" class="form-horizontal" role="form" id="authorize-form">
   #{csrf_tag(rodauth.authorize_path) if respond_to?(:csrf_tag)}
-  <p class="lead">The application #{rodauth.oauth_application[rodauth.oauth_applications_name_column]} would like to access your data.</p>
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column]
+      <<-HTML
+        <img src="#{h(rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column])}" />
+      HTML
+    end
+  }
+  <p class="lead">
+    The application
+    <a target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column])}">
+      #{h(rodauth.oauth_application[rodauth.oauth_applications_name_column])}
+    </a> would like to access your data.
+  </p>
+  <div class="list-group">
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column]
+      <<-HTML
+        <a class="list-group-item" target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column])}">
+          #{rodauth.oauth_applications_tos_uri_label}
+        </a>
+      HTML
+    end
+  }
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column]
+      <<-HTML
+        <a class="list-group-item" target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column])}">
+          #{rodauth.oauth_applications_policy_uri_label}
+        </a>
+      HTML
+    end
+  }
+  </div>
+
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_contacts_column]
+      data = <<-HTML
+        <div class="list-group">
+          <h3 class="display-6">#{rodauth.oauth_applications_contacts_label}</h3>
+      HTML
+      rodauth.oauth_application[rodauth.oauth_applications_contacts_column].split(/ +/).each do |contact|
+        data << <<-HTML
+          <div class="list-group-item">
+            #{h(contact)}
+          </div>
+        HTML
+      end
+      data << "</div>"
+    end
+  }
 
   <div class="form-group">
-    <h1 class="display-6">#{rodauth.scopes_label}</h1>
+    <h1 class="display-6">#{rodauth.oauth_tokens_scopes_label}</h1>
 
     #{
       rodauth.scopes.map do |scope|
         if scope == rodauth.oauth_application_default_scope
           <<-HTML
             <div class="form-check">
-              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{scope}" checked disabled>
-              <label class="form-check-label" for="#{scope}">#{scope}</label>
-              <input type="hidden" name="scope[]" value="#{scope}">
+              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}" checked disabled>
+              <label class="form-check-label" for="#{scope}">#{h(scope)}</label>
+              <input type="hidden" name="scope[]" value="#{h(scope)}">
             </div>
           HTML
         else
           <<-HTML
             <div class="form-check">
-              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{scope}">
-              <label class="form-check-label" for="#{scope}">#{scope}</label>
+              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}">
+              <label class="form-check-label" for="#{scope}">#{h(scope)}</label>
             </div>
           HTML
         end
@@ -39,6 +88,6 @@
   </div>
   <p class="text-center">
     <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_authorize_button)}"/>
-    <a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger">Cancel</a>
+    <a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger">#{rodauth.oauth_cancel_button}</a>
   </p>
 </form>

data/templates/client_secret_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
-  <label for="client_secret">#{rodauth.client_secret_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_client_secret_param, "client_secret", :type=>"text")}
+  <label for="client_secret">#{rodauth.oauth_applications_client_secret_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_client_secret_param, "client-secret", :type=>"text")}
 </div>

data/templates/description_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
-  <label for="description">#{rodauth.description_label}#{rodauth.input_field_label_suffix}</label>
+  <label for="description">#{rodauth.oauth_applications_description_label}#{rodauth.input_field_label_suffix}</label>
   #{rodauth.input_field_string(rodauth.oauth_application_description_param, "description", :type=>"text", :required => false)}
 </div>

data/templates/device_search.str

@@ -0,0 +1,11 @@
+<form method="get" action="#{rodauth.device_path}" class="form-horizontal" role="form" id="device-search-form">
+  <p class="lead">Insert the user code from the device you'd like to authorize.</p>
+
+  <div class="form-group">
+    <label for="user_code">#{rodauth.oauth_grant_user_code_label}</label>
+    #{rodauth.input_field_string("user_code", "user_code", :value => rodauth.param_or_nil(rodauth.oauth_grant_user_code_param))}
+  </div>
+  <p class="text-center">
+    <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_device_search_button)}"/>
+  </p>
+</form>

data/templates/device_verification.str

@@ -0,0 +1,24 @@
+<form method="post" action="#{rodauth.device_path}" class="form-horizontal" role="form" id="device-verification-form">
+  #{csrf_tag(rodauth.device_path) if respond_to?(:csrf_tag)}
+  <p class="lead">The device with user code #{@oauth_grant[rodauth.oauth_grants_user_code_column]} would like to access your data.</p>
+
+  <div class="form-group">
+    <h1 class="display-6">#{rodauth.oauth_tokens_scopes_label}</h1>
+
+    <ul class="list-group">
+    #{
+      scopes = @oauth_grant[rodauth.oauth_grants_scopes_column].split(rodauth.oauth_scope_separator)
+      scopes.map do |scope|
+        <<-HTML
+          <li class="list-group-item">#{scope}</li>
+        HTML
+      end.join
+    }
+    </ul>
+  </div>
+  <input type="hidden" name="user_code" value="#{rodauth.param("user_code")}"/>
+  <p class="text-center">
+    <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_device_verification_button)}"/>
+    <a href="#{rodauth.device_path}?error=access_denied" class="btn btn-outline-danger">#{rodauth.oauth_cancel_button}</a>
+  </p>
+</form>

data/templates/homepage_url_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
-  <label for="homepage_url">#{rodauth.homepage_url_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_homepage_url_param, "homepage_url", :type=>"text")}
+  <label for="homepage_url">#{rodauth.oauth_applications_homepage_url_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_homepage_url_param, "homepage-url", :type=>"text")}
 </div>

data/templates/jwks_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="name">#{rodauth.oauth_applications_jwks_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_jwks_param, "jwks", :type=>"text")}
+</div>

data/templates/jwt_public_key_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="name">#{rodauth.oauth_applications_jwt_public_key_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_jwt_public_key_param, "jwt_public_key", :type=>"text")}
+</div>

data/templates/name_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
-  <label for="name">#{rodauth.name_label}#{rodauth.input_field_label_suffix}</label>
+  <label for="name">#{rodauth.oauth_applications_name_label}#{rodauth.input_field_label_suffix}</label>
   #{rodauth.input_field_string(rodauth.oauth_application_name_param, "name", :type=>"text")}
 </div>

data/templates/new_oauth_application.str

@@ -1,3 +1,4 @@
+<h2>#{rodauth.new_oauth_application_page_title}</h2>
 <form method="post" action="#{rodauth.oauth_applications_path}" class="rodauth" role="form" id="oauth-application-form">
   #{rodauth.csrf_tag}
   #{rodauth.render('name_field')}
@@ -6,5 +7,13 @@
   #{rodauth.render('redirect_uri_field')}
   #{rodauth.render('client_secret_field')}
   #{rodauth.render('scope_field')}
+  #{
+    if rodauth.features.include?(:oauth_jwt)
+      <<-HTML
+        #{rodauth.render('jwt_public_key_field')}
+        #{rodauth.render('jws_jwk_field')}
+      HTML
+    end
+  }
   #{rodauth.button(rodauth.oauth_application_button)}
 </form>

data/templates/oauth_application.str

@@ -1,11 +1,15 @@
 <div id="oauth-application">
   <dl>
     #{
-      (rodauth.oauth_application_required_params + %w[client_id] - %w[client_secret]).map do |param|
-        "<dt class=\"#{param}\">#{rodauth.send(:"#{param}_label")}</dt>" +
+      params = [*rodauth.oauth_application_required_params, "client_id", "client_secret"]
+      if rodauth.features.include?(:oauth_jwt)
+        params += %w[jwks jwt_public_key]
+      end
+      params.map do |param|
+        "<dt class=\"#{param}\">#{rodauth.send(:"oauth_applications_#{param}_label")}: </dt>" +
         "<dd class=\"#{param}\">#{@oauth_application[rodauth.send(:"oauth_applications_#{param}_column")]}</dd>"
       end.join
     }
   </dl>
-  <a href="#{rodauth.oauth_applications_path}/#{@oauth_application[:id]}/#{rodauth.oauth_tokens_path}" class="btn btn-outline-secondary">Oauth Tokens</a>
+  <a href="#{rodauth.oauth_applications_path}/#{@oauth_application[rodauth.oauth_applications_id_column]}/#{rodauth.oauth_applications_oauth_tokens_path}" class="btn btn-outline-secondary">#{rodauth.oauth_application_oauth_tokens_page_title}</a>
 </div>