rodauth-oauth 0.7.3 → 0.9.0

data/doc/release_notes/0_1_0.md

@@ -0,0 +1,44 @@
+### 0.1.0 (31/7/2020)
+
+#### Features
+
+##### OpenID
+
+`rodauth-oauth` now ships with support for [OpenID Connect](https://openid.net/connect/). In order to enable, you have to:
+
+```ruby
+plugin :rodauth do
+  enable :oidc
+end
+```
+
+For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/home#openid-connect-since-v01).
+
+It supports omniauth openID integrations out-of-the-box, [check the OpenID example, which integrates with omniauth_openid_connect](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples).
+
+#### Improvements
+
+* JWT: `sub` claim now also handles "pairwise" subjects. For that, you have to set the `oauth_jwt_subject_type` option (`"public"` or `"pairwise"`) and `oauth_jwt_subject_secret` (will be used for salting the `sub` when the type is `"pairwise"`).
+* JWT: `auth_time` claim is now supported; if your application uses the `rodauth` feature `:account_expiration`, it'll use the `last_account_login_at` method, otherwise you can set the `last_account_login_at` option:
+
+```ruby
+last_account_login_at do
+  convert_timestamp(db[accounts_table].where(account_id_column => account_id).get(:that_column_where_you_keep_the_data))
+end
+```
+* JWT: `iss` claim now defaults to `authorization_server_url` when not defined;
+* JWT: `aud` claim now defaults to the token application's client ID (`client_id` claim was removed as a result);
+
+
+
+#### Breaking Changes
+
+`rodauth-oauth` URLs no longer have the `oauth-` prefix, so make sure you update your integrations accordingly, i.e. where you used to rely on `/oauth-authorize`, you'll have to use `/authorize`.
+
+URI schemes for client applications redirect URIs have to be `https`. In order to override this, set the `oauth_valid_uri_schemes` to an array of your expected URI schemes.
+
+
+#### Bugfixes
+
+* Authorization request submission can receive the `scope` as an array of values now, instead of only dealing with receiving a white-space separated list.
+* fixed trailing "/" in the "issuer" value in server metadata (`https://server.com/` -> `https://server.com`).

data/doc/release_notes/0_2_0.md

@@ -0,0 +1,43 @@
+### 0.2.0 (9/9/2020)
+
+#### Features
+
+##### SAML Assertion Grant Type
+
+`rodauth-auth` now supports using a SAML Assertion to request for an Access token.In order to enable, you have to:
+
+```ruby
+plugin :rodauth do
+  enable :oauth_saml
+end
+```
+
+For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Assertion-Access-Tokens).
+
+##### Supporting rotating keys
+
+At some point, you'll want to replace the pkeys and algorithm used to generate and verify the JWT access tokens, but you want to keep validating previously-distributed JWT tokens, at least until they expire. Now you can, via two new options, `oauth_jwt_legacy_public_key` and `oauth_jwt_legacy_algorithm`, which will be declared in the JWKs URI and used to verify access tokens.
+
+
+##### Reuse access tokens
+
+If the `oauth_reuse_access_token` is set, if there's already an existing valid access token, any new grant for the same application / account / scope will keep the same access token. This can be helpful in scenarios where one wants the same access token distributed across devices.
+
+##### require_authorizable_account
+
+The method used to verify access to the authorize flow is called `require_authorizable_account`. By default, it checks if a user is logged in by using rodauth's own `require_account`. This is the method you'd want to redefine in order to augment these requirements, i.e. request 2fa authentication.
+
+#### Improvements
+
+Expired and revoked access tokens end up generating a lot of garbage, which will have to be periodically cleaned up. You can mitigate this now by setting a uniqueness index for a group of columns, i.e. if you set a uniqueness index for the `oauth_application_id/account_id/scopes` column, `rodauth-oauth` will transparently reuse the same db entry to store the new access token. If setting some other type of uniqueness index, make sure to update the option `oauth_tokens_unique_columns` (the array of columns from the uniqueness index).
+
+#### Bugfixes
+
+Calling `before_*_route` callbacks appropriately.
+
+Fixed some mishandling of HTTP headers when in in resource-server mode.
+
+#### Chore
+
+* 97.7% test coverage;
+* `rodauth-oauth` CI tests run against sqlite, postgresql and mysql.

data/doc/release_notes/0_3_0.md

@@ -0,0 +1,28 @@
+### 0.3.0 (8/10/2020)
+
+#### Features
+
+* `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also,  refresh token requests performed with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
+
+#### Improvements
+
+
+* Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
+
+* Refresh Tokens are now expirable. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.
+
+#### Bugfixes
+
+* Default Templates now being packaged, as a way to provide a default experience to the OAuth journeys.
+
+* fixing metadata urls when plugin loaded with a prefix path (@ianks)
+
+* All date/time-based calculations, such as determining an expiration date, or checking if a token has expired, are now performed using database arithmetic operations, using sequel's `date_arithmetic` plugin. This will eliminate subtle bugs, such as when the database timezone is different than the application OS timezone.
+
+* OIDC configuration endpoint is now stricter, eliminating JSON metadata inherited from the Oauth metadata endpoint. (@ianks)
+
+#### Chore
+
+Use `rodauth.convert_timestamp` in the templates, whenever dates are displayed.
+
+Set HTTP Cache headers for metadata responses, such as `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`, so they can be stored at the edge. The cache will be valid for 1 day (this value isn't set by an option yet).

data/doc/release_notes/0_4_0.md

@@ -0,0 +1,18 @@
+### 0.4.0 (13/11/2020)
+
+#### Features
+
+* A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
+
+* The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
+
+
+#### Improvements
+
+* For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
+
+#### Bugfixes
+
+* The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
+* rails tests were silently not running in CI;
+* The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted;

data/doc/release_notes/0_4_1.md

@@ -0,0 +1,9 @@
+### 0.4.1 (24/11/2020)
+
+#### Improvements
+
+When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
+
+#### Bugfixes
+
+* An error occurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.

data/doc/release_notes/0_4_2.md

@@ -0,0 +1,5 @@
+### 0.4.2 (24/11/2020)
+
+#### Bugfixes
+
+* database extensions were being run in resource server mode, when it's not expected that the oauth db tables are around.

data/doc/release_notes/0_4_3.md

@@ -0,0 +1,3 @@
+### 0.4.3 (09/12/2020)
+
+* Introspection requests made to an Authorization Server in "resource server" mode are not correctly encoding the body using the "application/x-www-form-urlencoded" format.

data/doc/release_notes/0_5_0.md

@@ -0,0 +1,11 @@
+### 0.5.0 (08/02/2021)
+
+#### RP-Initiated Logout
+
+The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
+
+#### Security
+
+The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the claims of used JWT tokens. This is a **very important security fix**, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
+
+A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.

data/doc/release_notes/0_5_1.md

@@ -0,0 +1,13 @@
+### 0.5.1 (19/03/2021)
+
+#### Improvements
+
+* Changing "Callback URL" to "Redirect URL" in default templates;
+
+#### Bugfixes
+
+* (rails integration) Fixed templates location;
+* (rails integration) Fixed migration name from generator;
+* (rails integration) fixed links, html tags, styling and unassigned variables from a few view templates;
+* `oauth_application_path` is now compliant with prefixes and other url helpers, while now having a `oauth_application_url` counterpart;
+* (rails integration) skipping csrf checks for "/userinfo" request (OIDC)

data/doc/release_notes/0_6_0.md

@@ -0,0 +1,9 @@
+### 0.6.0 (21/05/2021)
+
+### Improvements
+
+* RBS signatures
+
+### Chore
+
+* Ruby 3 and Truffleruby are now officially supported and tested in CI.

data/doc/release_notes/0_6_1.md

@@ -0,0 +1,6 @@
+### 0.6.1 (08/09/2021)
+
+#### Bugfixes
+
+* Fixed rails view templates escaping.
+* Fixed declaration of authorize template in the generator.

data/doc/release_notes/0_7_0.md

@@ -0,0 +1,20 @@
+### 0.7.0 (02/12/2021)
+
+#### Features
+
+* Internationalization (i18n) support by hooking on [rodauth-i18n](https://github.com/janko/rodauth-i18n).
+  * Sets all text using `translatable_method`.
+  * Provides english translations for all `rodauth-oauth` related user facing text.
+
+#### Improvements
+
+* Enable CORS requests for OpenID configuration endpoint (@ianks)
+* Introspect endpoint now exposes the `exp` token property (@gmanley)
+
+#### Bugfixes
+
+*  on rotation policy, although the first refresh token was invalidated, a new one wasn't being provided. This change allows a new refresh token to be generated and exposed in the response (@gmanley)
+
+#### Chore
+
+Setting `rodauth` minimal supported version to `2.0.0`.

data/doc/release_notes/0_7_1.md

@@ -0,0 +1,10 @@
+### 0.7.1 (05/12/2021)
+
+#### Improvements
+
+* Adapted the `rodauth-i18n` configuration to comply with the guidelines for `v0.2.0` (which is the defacto minimmal supported version).
+
+#### Bugfixes
+
+* `convert_timestamp` was removed from the templates, as it's private API.
+* Several missing or wrong URLs in templates fixed (authorize form was wrongly processing scopes when none was selected).

data/doc/release_notes/0_7_2.md

@@ -0,0 +1,21 @@
+### 0.7.2 (14/12/2021)
+
+#### Features
+
+* Revoking tokens from the OAuth Application management interface (@muellerj)
+
+Token revocation was only possible when using the client ID and Secret, to aid "logout" functionality from client applications. Although the admin interface (available via `r.oauth_applications`) displayed a "Revoke" button alongside tokens in the list page, this was not working. The RFC does allow for the use case of application administrators being able to manually revoke tokens (as a result of client support, for example), so this functionality was enabled (only for the oauth application owner, for now).
+
+#### Bugfixes
+
+Default scope usage related bugfixes:
+
+* Improved default scope conversion to avoid nested arrays (@muellerj);
+* Authorize form shows a disabled checkbox and POST's no scope when default scope is to be used (@muellerj);
+* example default scope fixed for example authorization server (should be string) (@muellerj);
+* several param fixes in view templates (@muellerj);
+
+OAuth Applications Management fixes:
+
+* Access to OAuth Application page is now restricted to app owner;
+* OAuth Applications page now lists the **only** the applications owned by the logged in user;

data/doc/release_notes/0_7_3.md

@@ -0,0 +1,10 @@
+## 0.7.3 (14/01/2022)
+
+#### Bugfixes
+
+* fixed generator declarations and views generator, in orderto copy templates and rewrite paths accordingly.
+* update view templates to not use "%%".
+
+#### Chore
+
+* `rodauth` is now declared as a dependency, with minimum version set `2.0`.

data/doc/release_notes/0_7_4.md

@@ -0,0 +1,5 @@
+### 0.7.4 (15/01/2022)
+
+#### Bugfixes
+
+* including missing erb templates in the package.

data/doc/release_notes/0_8_0.md

@@ -0,0 +1,37 @@
+### 0.8.0 (12/03/2022)
+
+#### Features
+
+* Device code grant
+
+`rodauth-oauth` now supports the [Device code grant RFC](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/Device-Grant), via the `oauth_device_grant` feature.
+
+* OAuth Tokens Management
+
+An OAuth Tokens Management Dashboard is now provided (via `r.oauth_tokens` call to enable the routes). It allows the logged in account to list and revoke OAuth Tokens which have been issued for its resources.
+
+* Assertion Framework (+ SAML and JWT Bearer Grant)
+
+A new plugin, `oauth_assertion_base`, was introduced to provide a baseline for implementing custom Bearer Assertion as per the [OAuth Client Assertion Framework RFC](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/Client-Assertion-Framework). This in turn was used to refactor and reintroduce the [oauth_saml_bearer_grant](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Bearer-Assertions) and the [oauth_jwt_bearer_grant](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Bearer-Assertions) features, which implement the respective and most recent version of the assertion RFCs.
+
+(as a result, `oauth_saml` was removed, which implemented a very old draft version of the SAML Bearer spec).
+
+#### Improvements
+
+The OAuth functionality was refactored from 1 big feature, into several features:
+
+* `oauth_base`
+* `oauth_authorization_code_grant`
+* `oauth_implicit_grant`
+* `oauth_device_grant`
+* `oauth_token_introspection`
+* `oauth_token_revocation`
+* `oauth_application_management`
+* `oauth_token_management`
+* `oauth_pkce`
+
+They're still loaded together via the `oauth` feature for backwards compatibility. This will change in a major version.
+
+#### Bugfixes
+
+* `oauth_jwt` integration with the `json-jwt` gem does proper claims validation now;

data/doc/release_notes/0_9_0.md

@@ -0,0 +1,56 @@
+### 0.9.0 (18/04/2022)
+
+#### Features
+
+##### Dynamic client registration
+
+`rodauth-oauth` now supports the [Oauth Dynamic client registration RFC](https://datatracker.ietf.org/doc/html/rfc7591), via the `oauth_dynamic_client_registration` feature; it also supports [the OpenID variant](https://openid.net/specs/openid-connect-registration-1_0.html), via the  `oidc_dynamic_client_registration` feature.
+
+With it, you now have the option to enable API-driven client application registration.
+
+##### Client Credentials grant
+
+`rodauth-oauth` now supports the [Client Credentials grant](https://tools.ietf.org/html/rfc6749#section-4.4), via the `oauth_client_credentials_grant` feature.
+
+
+#### Improvements
+
+##### OAuth Applications & Tokens paginated list pages
+
+The management dashboards for OAuth Applications & Tokens were loading the full dataset into the HTML view. They'll now only show 20 records by default, and present pagination links to navigate across pages (for the default templates).
+
+##### More Oauth Application properties
+
+As a result of implementing "OAuth Dynamic client registration", new functionality is unlocked when the following database columns are set on the oauth applications table:
+
+* `token_endpoint_auth_method` - enables oauth application-scoped verification of used client authentication method.
+* `grant_types` - scopes the supported grant types for the given application.
+* `response_type` - scopes the supported response types for the given application.
+* `logo_uri` - stores an image link which can be used to load and display a logo in the authorization form.
+* `tos_uri` - stores a link to the oauth application "Terms of Service" page.
+* `policy_uri` - stores a link to the oauth application "Policy" page.
+* `jwks_uri` - stores a link where to load the oauth application JWKs from.
+* `jwks` - stores the JWKS from the oauth application.
+* `contacts` stores the contacts.
+* `software_id` - stores the software unique identifier.
+* `software_version` - stores the software version for the unique identifier.
+* `subject_type` - stores the subject type used for calculating the JWT `sub` claim for the applicatiion.
+* `request_object_signing_alg` - stores the signing algorithm which request objects coming from the application will be signed with.
+* `request_object_encryption_alg` - stores the encryption algorithm which request objects coming from the application will be encrypted with.
+* `request_object_encryption_enc` -  stores the encryption method which request objects coming from the application will be encrypted with.
+* `id_token_signed_response_alg` - stores the signing algorithm which id tokens from the application will be signed with.
+* `id_token_encrypted_response_alg` - stores the encryption algorithm which id tokens from the application will be encrypted with.
+* `id_token_encrypted_response_enc` -  stores the encryption method which id tokens from the application will be encrypted with.
+* `userinfo_signed_response_alg` - stores the signing algorithm which JWT-encoded userinfo payloads from the application will be signed with.
+* `userinfo_encrypted_response_alg` - stores the encryption algorithm which JWT-encoded userinfo payloads from the application will be encrypted with.
+* `userinfo_encrypted_response_enc` -  stores the encryption method which JWT-encoded userinfo payloads from the application will be encrypted with.
+
+
+##### TTL Store has finer grained lock
+
+The TTL Store, used for the JWKs cache rotation p.ex., had a lock around the section which would involve the HTTP request for the JWKs, which would block the process for the duration of it. The lock has been removed around that area, and if two requests happen for the same URL, first one wins.
+
+#### Deprecations and breaking changes
+
+* (`oauth_jwt` plugin) `:oauth_jwt_algorithm` option default is now `"RS256"` (previous one was `"HS256"`, and yes, this an assymetric cryptography move).
+* (`oauth_jwt` plugin) `jws_jwk` option (and all the labels and params) is deprecated.

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -0,0 +1,50 @@
+<%= form_tag rodauth.authorize_path, method: :post do %>
+  <% if rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
+    <%= image_tag rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
+  <% end %>
+  <p class="lead">The application <%= link_to rodauth.oauth_application[rodauth.oauth_applications_name_column],  rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column] %> would like to access your data.</p>
+
+  <div class="list-group">
+    <% if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column] %>
+      <%= link_to rodauth.oauth_applications_tos_uri_label, rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column], class: "list-group-item" %>
+    <% end %>
+    <% if rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column] %>
+      <%= link_to rodauth.oauth_applications_policy_uri_label, rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column], class: "list-group-item" %>
+    <% end %>
+  </div>
+
+  <% if rodauth.oauth_application[rodauth.oauth_applications_contacts_column] %>
+    <div class="list-group">
+      <h3 class="display-6"><%= rodauth.oauth_applications_contacts_label %></h3>
+      <% rodauth.oauth_application[rodauth.oauth_applications_contacts_column].split(/ +/).each do |contact| %>
+        <div class="list-group-item"><%= contact %></div>
+      <% end %>
+    </div>
+  <% end %>
+
+  <div class="form-group">
+    <h1 class="display-6"><%= rodauth.oauth_tokens_scopes_label %></h1>
+
+    <% rodauth.scopes.each do |scope| %>
+      <% is_default = scope == rodauth.oauth_application_default_scope %>
+      <div class="form-check">
+        <%= check_box_tag "scope[]", scope, is_default, disabled: is_default, id: scope, class: "form-check-input" %>
+        <%= label_tag scope, scope, class: "form-check-label" %>
+        <%= hidden_field_tag "scope[]", scope if is_default %>
+      </div>
+    <% end %>
+    <%= hidden_field_tag :client_id, params[:client_id] %>
+    <% %i[access_type response_type state nonce redirect_uri code_challenge code_challenge_method].each do |oauth_param| %>
+      <% if params[oauth_param] %>
+        <%= hidden_field_tag oauth_param,  params[oauth_param] %>
+      <% end %>
+    <% end %>
+    <% if params[:response_mode] %>
+      <%= hidden_field_tag :response_mode, params[:response_mode] %>
+    <% end %>
+  </div>
+ <p class="text-center">
+    <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{rodauth.state}" if params[:state] }", class: "btn btn-outline-danger" %>
+  </p>
+<% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb

@@ -0,0 +1,11 @@
+<%= form_tag rodauth.device_path, method: :get, class: "form-horizontal", id: "device-search-form" do %>
+  <p class="lead">Insert the user code from the device you'd like to authorize.</p>
+
+  <div class="form-group">
+    <%= label_tag "user_code", rodauth.oauth_grant_user_code_label %>
+    <%= text_field_tag "user_code", rodauth.param_or_nil(rodauth.oauth_grant_user_code_param), class: "form-control#{' is-invalid' if rodauth.field_error('user_code')}" %>
+  </div>
+  <p class="text-center">
+    <%= submit_tag rodauth.oauth_device_search_button, class: "btn btn-outline-primary" %>
+  </p>
+<% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb

@@ -0,0 +1,20 @@
+<% oauth_grant = rodauth.scope.instance_variable_get(:@oauth_grant) %>
+<%= form_tag rodauth.device_path, method: :post, class: "form-horizontal", id: "device-verification-form" do %>
+  <p class="lead">The device with user code <%= oauth_grant[rodauth.oauth_grants_user_code_column] %> would like to access your data.</p>
+
+  <div class="form-group">
+    <h1 class="display-6"><%= rodauth.oauth_tokens_scopes_label %></h1>
+
+    <ul class="list-group">
+      <% oauth_grant[rodauth.oauth_grants_scopes_column].split(rodauth.oauth_scope_separator).each do |scope| %>
+        <li class="list-group-item"><%= scope %></li>
+      <% end %>
+    </ul>
+  </div>
+  <%= hidden_field_tag :user_code, rodauth.param("user_code") %>
+
+  <p class="text-center">
+    <%= submit_tag rodauth.oauth_device_verification_button, class: "btn btn-outline-primary" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.device_path}?error=access_denied", class: "btn btn-outline-danger" %>
+  </p>
+<% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb

@@ -0,0 +1,55 @@
+<h2><%= rodauth.new_oauth_application_page_title %></h2>
+<%= form_tag rodauth.oauth_applications_path, method: :post, class: "form-horizontal" do %>
+  <%= rodauth.field_error('scope') %>
+  <div class="form-group">
+    <%= label_tag "name", rodauth.oauth_applications_name_label %>
+    <%= text_field_tag "name", rodauth.param('name'), class: "form-control#{' is-invalid' if rodauth.field_error('name')}" %>
+    <%= rodauth.field_error('name') %>
+  </div>
+  <div class="form-group">
+    <%= label_tag "description", rodauth.oauth_applications_description_label %>
+    <%= text_field_tag "description", rodauth.param('description'), class: "form-control#{' is-invalid' if rodauth.field_error('description')}" %>
+    <%= rodauth.field_error('description') %>
+  </div>
+  <div class="form-group">
+    <%= label_tag "homepage_url", rodauth.oauth_applications_homepage_url_label %>
+    <%= text_field_tag "homepage_url", rodauth.param('homepage_url'), id: "homepage-url", class: "form-control#{' is-invalid' if rodauth.field_error('homepage_url')}" %>
+    <%= rodauth.field_error('homepage_url') %>
+  </div>
+  <div class="form-group">
+    <%= label_tag "redirect_uri", rodauth.oauth_applications_redirect_uri_label %>
+    <%= text_field_tag "redirect_uri", rodauth.param('redirect_uri'), id: "redirect-uri", class: "form-control#{' is-invalid' if rodauth.field_error('redirect_uri')}" %>
+    <%= rodauth.field_error('redirect_uri') %>
+  </div>
+  <div class="form-group">
+    <%= label_tag "client_secret", rodauth.oauth_applications_client_secret_label %>
+    <%= text_field_tag "client_secret", rodauth.param('client_secret'), id: "client-secret", class: "form-control#{' is-invalid' if rodauth.field_error('client_secret')}" %>
+    <%= rodauth.field_error('client_secret') %>
+  </div>
+  <% if rodauth.features.include?(:oauth_jwt) %>
+    <div class="form-group">
+      <%= label_tag "jwks", rodauth.oauth_applications_jwks_label %>
+      <%= text_field_tag "jwks", rodauth.param('jwks'), id: "jwks", class: "form-control#{' is-invalid' if rodauth.field_error('jwks')}" %>
+      <%= rodauth.field_error('jwks') %>
+    </div>
+    <div class="form-group">
+      <%= label_tag "jwks_uri", rodauth.oauth_applications_jwks_uri_label %>
+      <%= text_field_tag "jwks_uri", rodauth.param('jwks_uri'), id: "jwks-uri", class: "form-control#{' is-invalid' if rodauth.field_error('jwks_uri')}" %>
+      <%= rodauth.field_error('jwks_uri') %>
+    </div>
+    <div class="form-group">
+      <%= label_tag "jwt_public_key", rodauth.oauth_applications_jwt_public_key_label %>
+      <%= text_field_tag "jwt_public_key", rodauth.param('jwt_public_key'), id: "jwt-public-key", class: "form-control#{' is-invalid' if rodauth.field_error('jwt_public_key')}" %>
+      <%= rodauth.field_error('jwt_public_key') %>
+    </div>
+  <% end %>
+  <% rodauth.oauth_application_scopes.each do |scope| %>
+    <div class="form-check">
+      <%= check_box_tag "scopes[]", scope, scope == rodauth.oauth_application_default_scope, id: scope, class: "form-check-input" %>
+      <%= scope %>
+    </div>
+  <% end %>
+  <div class="form-group">
+    <%= submit_tag rodauth.oauth_application_button, class: "btn btn-primary" %>
+  </div>
+<% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb

@@ -0,0 +1,29 @@
+<% oauth_application = rodauth.scope.instance_variable_get(:@oauth_application) %>
+<div>
+  <h2><%= oauth_application[rodauth.oauth_applications_name_column] %></h2>
+
+  <dl>
+    <dt><%= rodauth.oauth_applications_description_label %>: </dt>
+    <dd><%= oauth_application[rodauth.oauth_applications_description_column] %></dd>
+    <dt><%= rodauth.oauth_applications_homepage_url_label %>: </dt>
+    <dd><%= oauth_application[rodauth.oauth_applications_homepage_url_column] %></dd>
+    <dt><%= rodauth.oauth_applications_client_id_label %>: </dt>
+    <dd><%= oauth_application[rodauth.oauth_applications_client_id_column] %></dd>
+    <dt><%= rodauth.oauth_applications_redirect_uri_label %>: </dt>
+    <dd><%= oauth_application[rodauth.oauth_applications_redirect_uri_column] %></dd>
+    <dt><%= rodauth.oauth_applications_scopes_label %>: </dt>
+    <dd><%= oauth_application[rodauth.oauth_applications_scopes_column] %></dd>
+    <% if rodauth.features.include?(:oauth_jwt) %>
+      <% if oauth_application[rodauth.oauth_applications_jwks_column] %>
+        <dt><%= rodauth.oauth_applications_jwks_label %>: </dt>
+        <dd><%= oauth_application[rodauth.oauth_applications_jwks_column] %></dd>
+      <% end %>
+      <% if oauth_application[rodauth.oauth_applications_jwks_uri_column] %>
+        <dt><%= rodauth.oauth_applications_jwks_uri_label %>: </dt>
+        <dd><%= oauth_application[rodauth.oauth_applications_jwks_uri_column] %></dd>
+      <% end %>
+      <dt><%= rodauth.oauth_applications_jwt_public_key_label %>: </dt>
+      <dd><%= oauth_application[rodauth.oauth_applications_jwt_public_key_column] %></dd>
+    <% end %>
+  </dl>
+</div>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_tokens.html.erb

@@ -0,0 +1,39 @@
+<% oauth_tokens = rodauth.scope.instance_variable_get(:@oauth_tokens) %>
+<% tokens_count = oauth_tokens.count %>
+<% if tokens_count.zero? %>
+  <p>No oauth tokens yet!</p>
+<% else %>
+  <table class="table">
+    <thead>
+      <tr>
+        <th scope="col"><=% rodauth.oauth_tokens_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_refresh_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_expires_in_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_revoked_at_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_scopes_label %></th>
+        <th scope="col"><span class="badge badge-pill badge-dark"><%= tokens_count %></span>
+      </tr>
+    </thead>
+    <tbody>
+      <% oauth_tokens.each do |oauth_token| %>
+        <tr>
+          <td><code class="token"><%= oauth_token[rodauth.oauth_tokens_token_column] %></code></td>
+          <td><code class="token"><%= oauth_token[rodauth.oauth_tokens_refresh_token_column] %></code></td>
+          <td><%= oauth_token[rodauth.oauth_tokens_expires_in_column] %></td>
+          <td><%= oauth_token[rodauth.oauth_tokens_revoked_at_column] %></td>
+          <td><%= oauth_token[rodauth.oauth_tokens_scopes_column] %></td>
+          <td>
+            <% if !oauth_token[rodauth.oauth_tokens_revoked_at_column] %>
+              <%= form_tag rodauth.revoke_path, method: :post do %>
+                <%= hidden_field_tag :token_type_hint, "access_token" %>
+                <%= hidden_field_tag :token, oauth_token[rodauth.oauth_tokens_token_column] %>
+                <%= submit_tag rodauth.oauth_token_revoke_button, class: "btn btn-danger" %>
+              <% end %>
+            <% end %>
+          </td>
+        </tr>
+      <% end %>
+    </tbody>
+  </table>
+  <%= rodauth.oauth_management_pagination_links(@oauth_tokens) %>
+<% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb

@@ -0,0 +1,30 @@
+<% oauth_applications_ds = rodauth.scope.instance_variable_get(:@oauth_applications) %>
+<% apps_count = oauth_applications_ds.count %>
+<div class="btn-group" role="group" aria-label="Buttons">
+  <%= link_to rodauth.new_oauth_application_page_title, "#{rodauth.oauth_applications_path}/new", class: "btn btn-secondary" %>
+</div>
+<% if apps_count.zero? %>
+  <p>No oauth applications yet!</p>
+<% else %>
+  <table class="table">
+    <thead>
+      <tr>
+        <th scope="col"><%= rodauth.oauth_application_client_id_label %> (<%= apps_count %>)</th>
+        <th scope="col"><%= rodauth.oauth_application_name_label %></th>
+        <th scope="col"><%= rodauth.oauth_application_homepage_url_label %></th>
+        <th scope="col"></th>
+      </tr>
+    </thead>
+    <tbody>
+      <% oauth_applications_ds.each do |application| %>
+        <tr>
+          <td><%= application[rodauth.oauth_applications_client_id_column] %></td>
+          <td><%= application[rodauth.oauth_applications_name_column] %></td>
+          <td><%= application[rodauth.oauth_applications_homepage_url_column] %></td>
+          <td><%= link_to "Show", rodauth.oauth_application_path(application[rodauth.oauth_applications_id_column]) %></td>
+        </tr>
+      <% end %>
+    </tbody>
+  </table>
+  <%= rodauth.oauth_management_pagination_links(oauth_applications_ds) %>
+<% end %>