rodauth-oauth 0.7.4 → 0.8.0

data/doc/release_notes/0_2_0.md

@@ -0,0 +1,43 @@
+### 0.2.0 (9/9/2020)
+
+#### Features
+
+##### SAML Assertion Grant Type
+
+`rodauth-auth` now supports using a SAML Assertion to request for an Access token.In order to enable, you have to:
+
+```ruby
+plugin :rodauth do
+  enable :oauth_saml
+end
+```
+
+For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Assertion-Access-Tokens).
+
+##### Supporting rotating keys
+
+At some point, you'll want to replace the pkeys and algorithm used to generate and verify the JWT access tokens, but you want to keep validating previously-distributed JWT tokens, at least until they expire. Now you can, via two new options, `oauth_jwt_legacy_public_key` and `oauth_jwt_legacy_algorithm`, which will be declared in the JWKs URI and used to verify access tokens.
+
+
+##### Reuse access tokens
+
+If the `oauth_reuse_access_token` is set, if there's already an existing valid access token, any new grant for the same application / account / scope will keep the same access token. This can be helpful in scenarios where one wants the same access token distributed across devices.
+
+##### require_authorizable_account
+
+The method used to verify access to the authorize flow is called `require_authorizable_account`. By default, it checks if a user is logged in by using rodauth's own `require_account`. This is the method you'd want to redefine in order to augment these requirements, i.e. request 2fa authentication.
+
+#### Improvements
+
+Expired and revoked access tokens end up generating a lot of garbage, which will have to be periodically cleaned up. You can mitigate this now by setting a uniqueness index for a group of columns, i.e. if you set a uniqueness index for the `oauth_application_id/account_id/scopes` column, `rodauth-oauth` will transparently reuse the same db entry to store the new access token. If setting some other type of uniqueness index, make sure to update the option `oauth_tokens_unique_columns` (the array of columns from the uniqueness index).
+
+#### Bugfixes
+
+Calling `before_*_route` callbacks appropriately.
+
+Fixed some mishandling of HTTP headers when in in resource-server mode.
+
+#### Chore
+
+* 97.7% test coverage;
+* `rodauth-oauth` CI tests run against sqlite, postgresql and mysql.

data/doc/release_notes/0_3_0.md

@@ -0,0 +1,28 @@
+### 0.3.0 (8/10/2020)
+
+#### Features
+
+* `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also,  refresh token requests performed with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
+
+#### Improvements
+
+
+* Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
+
+* Refresh Tokens are now expirable. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.
+
+#### Bugfixes
+
+* Default Templates now being packaged, as a way to provide a default experience to the OAuth journeys.
+
+* fixing metadata urls when plugin loaded with a prefix path (@ianks)
+
+* All date/time-based calculations, such as determining an expiration date, or checking if a token has expired, are now performed using database arithmetic operations, using sequel's `date_arithmetic` plugin. This will eliminate subtle bugs, such as when the database timezone is different than the application OS timezone.
+
+* OIDC configuration endpoint is now stricter, eliminating JSON metadata inherited from the Oauth metadata endpoint. (@ianks)
+
+#### Chore
+
+Use `rodauth.convert_timestamp` in the templates, whenever dates are displayed.
+
+Set HTTP Cache headers for metadata responses, such as `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`, so they can be stored at the edge. The cache will be valid for 1 day (this value isn't set by an option yet).

data/doc/release_notes/0_4_0.md

@@ -0,0 +1,18 @@
+### 0.4.0 (13/11/2020)
+
+#### Features
+
+* A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
+
+* The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
+
+
+#### Improvements
+
+* For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
+
+#### Bugfixes
+
+* The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
+* rails tests were silently not running in CI;
+* The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted;

data/doc/release_notes/0_4_1.md

@@ -0,0 +1,9 @@
+### 0.4.1 (24/11/2020)
+
+#### Improvements
+
+When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
+
+#### Bugfixes
+
+* An error occurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.

data/doc/release_notes/0_4_2.md

@@ -0,0 +1,5 @@
+### 0.4.2 (24/11/2020)
+
+#### Bugfixes
+
+* database extensions were being run in resource server mode, when it's not expected that the oauth db tables are around.

data/doc/release_notes/0_4_3.md

@@ -0,0 +1,3 @@
+### 0.4.3 (09/12/2020)
+
+* Introspection requests made to an Authorization Server in "resource server" mode are not correctly encoding the body using the "application/x-www-form-urlencoded" format.

data/doc/release_notes/0_5_0.md

@@ -0,0 +1,11 @@
+### 0.5.0 (08/02/2021)
+
+#### RP-Initiated Logout
+
+The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
+
+#### Security
+
+The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the claims of used JWT tokens. This is a **very important security fix**, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
+
+A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.

data/doc/release_notes/0_5_1.md

@@ -0,0 +1,13 @@
+### 0.5.1 (19/03/2021)
+
+#### Improvements
+
+* Changing "Callback URL" to "Redirect URL" in default templates;
+
+#### Bugfixes
+
+* (rails integration) Fixed templates location;
+* (rails integration) Fixed migration name from generator;
+* (rails integration) fixed links, html tags, styling and unassigned variables from a few view templates;
+* `oauth_application_path` is now compliant with prefixes and other url helpers, while now having a `oauth_application_url` counterpart;
+* (rails integration) skipping csrf checks for "/userinfo" request (OIDC)

data/doc/release_notes/0_6_0.md

@@ -0,0 +1,9 @@
+### 0.6.0 (21/05/2021)
+
+### Improvements
+
+* RBS signatures
+
+### Chore
+
+* Ruby 3 and Truffleruby are now officially supported and tested in CI.

data/doc/release_notes/0_6_1.md

@@ -0,0 +1,6 @@
+### 0.6.1 (08/09/2021)
+
+#### Bugfixes
+
+* Fixed rails view templates escaping.
+* Fixed declaration of authorize template in the generator.

data/doc/release_notes/0_7_0.md

@@ -0,0 +1,20 @@
+### 0.7.0 (02/12/2021)
+
+#### Features
+
+* Internationalization (i18n) support by hooking on [rodauth-i18n](https://github.com/janko/rodauth-i18n).
+  * Sets all text using `translatable_method`.
+  * Provides english translations for all `rodauth-oauth` related user facing text.
+
+#### Improvements
+
+* Enable CORS requests for OpenID configuration endpoint (@ianks)
+* Introspect endpoint now exposes the `exp` token property (@gmanley)
+
+#### Bugfixes
+
+*  on rotation policy, although the first refresh token was invalidated, a new one wasn't being provided. This change allows a new refresh token to be generated and exposed in the response (@gmanley)
+
+#### Chore
+
+Setting `rodauth` minimal supported version to `2.0.0`.

data/doc/release_notes/0_7_1.md

@@ -0,0 +1,10 @@
+### 0.7.1 (05/12/2021)
+
+#### Improvements
+
+* Adapted the `rodauth-i18n` configuration to comply with the guidelines for `v0.2.0` (which is the defacto minimmal supported version).
+
+#### Bugfixes
+
+* `convert_timestamp` was removed from the templates, as it's private API.
+* Several missing or wrong URLs in templates fixed (authorize form was wrongly processing scopes when none was selected).

data/doc/release_notes/0_7_2.md

@@ -0,0 +1,21 @@
+### 0.7.2 (14/12/2021)
+
+#### Features
+
+* Revoking tokens from the OAuth Application management interface (@muellerj)
+
+Token revocation was only possible when using the client ID and Secret, to aid "logout" functionality from client applications. Although the admin interface (available via `r.oauth_applications`) displayed a "Revoke" button alongside tokens in the list page, this was not working. The RFC does allow for the use case of application administrators being able to manually revoke tokens (as a result of client support, for example), so this functionality was enabled (only for the oauth application owner, for now).
+
+#### Bugfixes
+
+Default scope usage related bugfixes:
+
+* Improved default scope conversion to avoid nested arrays (@muellerj);
+* Authorize form shows a disabled checkbox and POST's no scope when default scope is to be used (@muellerj);
+* example default scope fixed for example authorization server (should be string) (@muellerj);
+* several param fixes in view templates (@muellerj);
+
+OAuth Applications Management fixes:
+
+* Access to OAuth Application page is now restricted to app owner;
+* OAuth Applications page now lists the **only** the applications owned by the logged in user;

data/doc/release_notes/0_7_3.md

@@ -0,0 +1,10 @@
+## 0.7.3 (14/01/2022)
+
+#### Bugfixes
+
+* fixed generator declarations and views generator, in orderto copy templates and rewrite paths accordingly.
+* update view templates to not use "%%".
+
+#### Chore
+
+* `rodauth` is now declared as a dependency, with minimum version set `2.0`.

data/doc/release_notes/0_7_4.md

@@ -0,0 +1,5 @@
+### 0.7.4 (15/01/2022)
+
+#### Bugfixes
+
+* including missing erb templates in the package.

data/doc/release_notes/0_8_0.md

@@ -0,0 +1,37 @@
+### 0.8.0 (12/03/2022)
+
+#### Features
+
+* Device code grant
+
+`rodauth-oauth` now supports the [Device code grant RFC](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/Device-Grant), via the `oauth_device_grant` feature.
+
+* OAuth Tokens Management
+
+An OAuth Tokens Management Dashboard is now provided (via `r.oauth_tokens` call to enable the routes). It allows the logged in account to list and revoke OAuth Tokens which have been issued for its resources.
+
+* Assertion Framework (+ SAML and JWT Bearer Grant)
+
+A new plugin, `oauth_assertion_base`, was introduced to provide a baseline for implementing custom Bearer Assertion as per the [OAuth Client Assertion Framework RFC](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/Client-Assertion-Framework). This in turn was used to refactor and reintroduce the [oauth_saml_bearer_grant](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Bearer-Assertions) and the [oauth_jwt_bearer_grant](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Bearer-Assertions) features, which implement the respective and most recent version of the assertion RFCs.
+
+(as a result, `oauth_saml` was removed, which implemented a very old draft version of the SAML Bearer spec).
+
+#### Improvements
+
+The OAuth functionality was refactored from 1 big feature, into several features:
+
+* `oauth_base`
+* `oauth_authorization_code_grant`
+* `oauth_implicit_grant`
+* `oauth_device_grant`
+* `oauth_token_introspection`
+* `oauth_token_revocation`
+* `oauth_application_management`
+* `oauth_token_management`
+* `oauth_pkce`
+
+They're still loaded together via the `oauth` feature for backwards compatibility. This will change in a major version.
+
+#### Bugfixes
+
+* `oauth_jwt` integration with the `json-jwt` gem does proper claims validation now;

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -2,7 +2,7 @@
   <p class="lead">The application <%= rodauth.oauth_application[rodauth.oauth_applications_name_column] %> would like to access your data.</p>
 
   <div class="form-group">
-    <h1 class="display-6"><%= rodauth.scopes_label %></h1>
+    <h1 class="display-6"><%= rodauth.oauth_tokens_scopes_label %></h1>
 
     <% rodauth.scopes.each do |scope| %>
       <% is_default = scope == rodauth.oauth_application_default_scope %>
@@ -23,7 +23,7 @@
     <% end %>
   </div>
  <p class="text-center">
-    <%= submit_tag "Authorize", class: "btn btn-outline-primary" %>
-    <%= link_to "Cancel", "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{rodauth.state}" if params[:state] }", class: "btn btn-outline-danger" %>
+    <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{rodauth.state}" if params[:state] }", class: "btn btn-outline-danger" %>
   </p>
 <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb

@@ -0,0 +1,11 @@
+<%= form_tag rodauth.device_path, method: :get, class: "form-horizontal", id: "device-search-form" do %>
+  <p class="lead">Insert the user code from the device you'd like to authorize.</p>
+
+  <div class="form-group">
+    <%= label_tag "user_code", rodauth.oauth_grant_user_code_label %>
+    <%= text_field_tag "user_code", rodauth.param_or_nil(rodauth.oauth_grant_user_code_param), class: "form-control#{' is-invalid' if rodauth.field_error('user_code')}" %>
+  </div>
+  <p class="text-center">
+    <%= submit_tag rodauth.oauth_device_search_button, class: "btn btn-outline-primary" %>
+  </p>
+<% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb

@@ -0,0 +1,20 @@
+<% oauth_grant = rodauth.scope.instance_variable_get(:@oauth_grant) %>
+<%= form_tag rodauth.device_path, method: :post, class: "form-horizontal", id: "device-verification-form" do %>
+  <p class="lead">The device with user code <%= oauth_grant[rodauth.oauth_grants_user_code_column] %> would like to access your data.</p>
+
+  <div class="form-group">
+    <h1 class="display-6"><%= rodauth.oauth_tokens_scopes_label %></h1>
+
+    <ul class="list-group">
+      <% oauth_grant[rodauth.oauth_grants_scopes_column].split(rodauth.oauth_scope_separator).each do |scope| %>
+        <li class="list-group-item"><%= scope %></li>
+      <% end %>
+    </ul>
+  </div>
+  <%= hidden_field_tag :user_code, rodauth.param("user_code") %>
+
+  <p class="text-center">
+    <%= submit_tag rodauth.oauth_device_verification_button, class: "btn btn-outline-primary" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.device_path}?error=access_denied", class: "btn btn-outline-danger" %>
+  </p>
+<% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb

@@ -1,31 +1,43 @@
+<h2><%= rodauth.new_oauth_application_page_title %></h2>
 <%= form_tag rodauth.oauth_applications_path, method: :post, class: "form-horizontal" do %>
-  <h2>Register Oauth Application</h2>
   <%= rodauth.field_error('scope') %>
   <div class="form-group">
-    <%= label_tag "name", "Name" %>
+    <%= label_tag "name", rodauth.oauth_applications_name_label %>
     <%= text_field_tag "name", rodauth.param('name'), class: "form-control#{' is-invalid' if rodauth.field_error('name')}" %>
     <%= rodauth.field_error('name') %>
   </div>
   <div class="form-group">
-    <%= label_tag "description", "Description" %>
+    <%= label_tag "description", rodauth.oauth_applications_description_label %>
     <%= text_field_tag "description", rodauth.param('description'), class: "form-control#{' is-invalid' if rodauth.field_error('description')}" %>
     <%= rodauth.field_error('description') %>
   </div>
   <div class="form-group">
-    <%= label_tag "homepage_url", "Homepage URL" %>
-    <%= text_field_tag "homepage_url", rodauth.param('homepage_url'), class: "form-control#{' is-invalid' if rodauth.field_error('homepage_url')}" %>
+    <%= label_tag "homepage_url", rodauth.oauth_applications_homepage_url_label %>
+    <%= text_field_tag "homepage_url", rodauth.param('homepage_url'), id: "homepage-url", class: "form-control#{' is-invalid' if rodauth.field_error('homepage_url')}" %>
     <%= rodauth.field_error('homepage_url') %>
   </div>
   <div class="form-group">
-    <%= label_tag "redirect_uri", "Redirect URL" %>
-    <%= text_field_tag "redirect_uri", rodauth.param('redirect_uri'), class: "form-control#{' is-invalid' if rodauth.field_error('redirect_uri')}" %>
+    <%= label_tag "redirect_uri", rodauth.oauth_applications_redirect_uri_label %>
+    <%= text_field_tag "redirect_uri", rodauth.param('redirect_uri'), id: "redirect-uri", class: "form-control#{' is-invalid' if rodauth.field_error('redirect_uri')}" %>
     <%= rodauth.field_error('redirect_uri') %>
   </div>
   <div class="form-group">
-    <%= label_tag "client_secret", "Secret (make it random and at least 32 character-long)" %>
-    <%= text_field_tag "client_secret", rodauth.param('client_secret'), class: "form-control#{' is-invalid' if rodauth.field_error('client_secret')}" %>
+    <%= label_tag "client_secret", rodauth.oauth_applications_client_secret_label %>
+    <%= text_field_tag "client_secret", rodauth.param('client_secret'), id: "client-secret", class: "form-control#{' is-invalid' if rodauth.field_error('client_secret')}" %>
     <%= rodauth.field_error('client_secret') %>
   </div>
+  <% if rodauth.features.include?(:oauth_jwt) %>
+    <div class="form-group">
+      <%= label_tag "jws_jwk", rodauth.oauth_applications_jws_jwk_label %>
+      <%= text_field_tag "jws_jwk", rodauth.param('jws_jwk'), id: "jws-jwk", class: "form-control#{' is-invalid' if rodauth.field_error('jws_jwk')}" %>
+      <%= rodauth.field_error('jws_jwk') %>
+    </div>
+    <div class="form-group">
+      <%= label_tag "jwt_public_key", rodauth.oauth_applications_jwt_public_key_label %>
+      <%= text_field_tag "jwt_public_key", rodauth.param('jwt_public_key'), id: "jwt-public-key", class: "form-control#{' is-invalid' if rodauth.field_error('jwt_public_key')}" %>
+      <%= rodauth.field_error('jwt_public_key') %>
+    </div>
+  <% end %>
   <% rodauth.oauth_application_scopes.each do |scope| %>
     <div class="form-check">
       <%= check_box_tag "scopes[]", scope, scope == rodauth.oauth_application_default_scope, id: scope, class: "form-check-input" %>
@@ -33,6 +45,6 @@
     </div>
   <% end %>
   <div class="form-group">
-    <%= submit_tag "Register", class: "btn btn-primary" %>
+    <%= submit_tag rodauth.oauth_application_button, class: "btn btn-primary" %>
   </div>
 <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb

@@ -3,15 +3,21 @@
   <h2><%= oauth_application[rodauth.oauth_applications_name_column] %></h2>
 
   <dl>
-    <dt>Description: </dt>
+    <dt><%= rodauth.oauth_applications_description_label %>: </dt>
     <dd><%= oauth_application[rodauth.oauth_applications_description_column] %></dd>
-    <dt>Homepage URL: </dt>
+    <dt><%= rodauth.oauth_applications_homepage_url_label %>: </dt>
     <dd><%= oauth_application[rodauth.oauth_applications_homepage_url_column] %></dd>
-    <dt>Client ID: </dt>
+    <dt><%= rodauth.oauth_applications_client_id_label %>: </dt>
     <dd><%= oauth_application[rodauth.oauth_applications_client_id_column] %></dd>
-    <dt>Redirect URL: </dt>
+    <dt><%= rodauth.oauth_applications_redirect_uri_label %>: </dt>
     <dd><%= oauth_application[rodauth.oauth_applications_redirect_uri_column] %></dd>
-    <dt>Scopes: </dt>
+    <dt><%= rodauth.oauth_applications_scopes_label %>: </dt>
     <dd><%= oauth_application[rodauth.oauth_applications_scopes_column] %></dd>
+    <% if rodauth.features.include?(:oauth_jwt) %>
+      <dt><%= rodauth.oauth_applications_jws_jwk_label %>: </dt>
+      <dd><%= oauth_application[rodauth.oauth_applications_jws_jwk_column] %></dd>
+      <dt><%= rodauth.oauth_applications_jwt_public_key_label %>: </dt>
+      <dd><%= oauth_application[rodauth.oauth_applications_jwt_public_key_column] %></dd>
+    <% end %>
   </dl>
 </div>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_tokens.html.erb

@@ -0,0 +1,38 @@
+<% oauth_tokens = rodauth.scope.instance_variable_get(:@oauth_tokens) %>
+<% tokens_count = oauth_tokens.count %>
+<% if tokens_count.zero? %>
+  <p>No oauth tokens yet!</p>
+<% else %>
+  <table class="table">
+    <thead>
+      <tr>
+        <th scope="col"><=% rodauth.oauth_tokens_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_refresh_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_expires_in_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_revoked_at_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_scopes_label %></th>
+        <th scope="col"><span class="badge badge-pill badge-dark"><%= tokens_count %></span>
+      </tr>
+    </thead>
+    <tbody>
+      <% oauth_tokens.each do |oauth_token| %>
+        <tr>
+          <td><code class="token"><%= oauth_token[rodauth.oauth_tokens_token_column] %></code></td>
+          <td><code class="token"><%= oauth_token[rodauth.oauth_tokens_refresh_token_column] %></code></td>
+          <td><%= oauth_token[rodauth.oauth_tokens_expires_in_column] %></td>
+          <td><%= oauth_token[rodauth.oauth_tokens_revoked_at_column] %></td>
+          <td><%= oauth_token[rodauth.oauth_tokens_scopes_column] %></td>
+          <td>
+            <% if !oauth_token[rodauth.oauth_tokens_revoked_at_column] %>
+              <%= form_tag rodauth.revoke_path, method: :post do %>
+                <%= hidden_field_tag :token_type_hint, "access_token" %>
+                <%= hidden_field_tag :token, oauth_token[rodauth.oauth_tokens_token_column] %>
+                <%= submit_tag rodauth.oauth_token_revoke_button, class: "btn btn-danger" %>
+              <% end %>
+            <% end %>
+          </td>
+        </tr>
+      <% end %>
+    </tbody>
+  </table>
+<% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb

@@ -1,7 +1,7 @@
 <% oauth_applications_ds = rodauth.scope.instance_variable_get(:@oauth_applications) %>
 <% apps_count = oauth_applications_ds.count %>
 <div class="btn-group" role="group" aria-label="Buttons">
-  <%= link_to "New Oauth Application",  "#{rodauth.oauth_applications_path}/new", class: "btn btn-secondary" %>
+  <%= link_to rodauth.new_oauth_application_page_title, "#{rodauth.oauth_applications_path}/new", class: "btn btn-secondary" %>
 </div>
 <% if apps_count.zero? %>
   <p>No oauth applications yet!</p>
@@ -9,9 +9,9 @@
   <table class="table">
     <thead>
       <tr>
-        <th scope="col">Client ID (<%= apps_count %>)</th>
-        <th scope="col">Name</th>
-        <th scope="col">Homepage</th>
+        <th scope="col"><%= rodauth.oauth_application_client_id_label %> (<%= apps_count %>)</th>
+        <th scope="col"><%= rodauth.oauth_application_name_label %></th>
+        <th scope="col"><%= rodauth.oauth_application_homepage_url_label %></th>
         <th scope="col"></th>
       </tr>
     </thead>
@@ -21,7 +21,7 @@
           <td><%= application[rodauth.oauth_applications_client_id_column] %></td>
           <td><%= application[rodauth.oauth_applications_name_column] %></td>
           <td><%= application[rodauth.oauth_applications_homepage_url_column] %></td>
-          <td><%= link_to "Show",  rodauth.oauth_application_path(application[rodauth.oauth_applications_id_column]) %></td>
+          <td><%= link_to "Show", rodauth.oauth_application_path(application[rodauth.oauth_applications_id_column]) %></td>
         </tr>
       <% end %>
     </tbody>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_tokens.html.erb

@@ -1,34 +1,30 @@
-<% oauth_tokens_ds = rodauth.scope.instance_variable_get(:@oauth_tokens) %>
-<% tokens_count = oauth_tokens_ds.count %>
+<% oauth_tokens = rodauth.scope.instance_variable_get(:@oauth_tokens) %>
+<% tokens_count = oauth_tokens.count %>
 <% if tokens_count.zero? %>
   <p>No oauth tokens yet!</p>
 <% else %>
   <table class="table">
     <thead>
       <tr>
-        <th scope="col">Token</th>
-        <th scope="col">Refresh Token</th>
-        <th scope="col">Expires in</th>
-        <th scope="col">Revoked at</th>
-        <th scope="col">Scopes</th>
+        <th scope="col"><=% rodauth.oauth_applications_name_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_refresh_token_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_expires_in_label %></th>
+        <th scope="col"><=% rodauth.oauth_tokens_scopes_label %></th>
         <th scope="col"><span class="badge badge-pill badge-dark"><%= tokens_count %></span>
       </tr>
     </thead>
     <tbody>
-      <% oauth_tokens_ds.each do |application| %>
+      <% oauth_tokens.each do |oauth_token| %>
         <tr>
+          <td><%= oauth_token[rodauth.oauth_applications_name_column] %></td>
           <td><code class="token"><%= oauth_token[rodauth.oauth_tokens_token_column] %></code></td>
           <td><code class="token"><%= oauth_token[rodauth.oauth_tokens_refresh_token_column] %></code></td>
           <td><%= oauth_token[rodauth.oauth_tokens_expires_in_column] %></td>
-          <td><%= oauth_token[rodauth.oauth_tokens_revoked_at_column] %></td>
           <td><%= oauth_token[rodauth.oauth_tokens_scopes_column] %></td>
           <td>
-            <% if !oauth_token[rodauth.oauth_tokens_revoked_at_column] %>
-              <%= form_tag rodauth.revoke_path, method: :post do %>
-                <%= hidden_field_tag :token_type_hint, "access_token" %>
-                <%= hidden_field_tag :token, oauth_token[rodauth.oauth_tokens_token_column] %>
-                <%= submit_tag "Revoke", class: "btn btn-danger" %>
-              <% end %>
+            <%= form_tag rodauth.oauth_token_path(oauth_token[rodauth.oauth_tokens_id_column]), method: :post do %>
+              <%= submit_tag rodauth.oauth_token_revoke_button, class: "btn btn-danger" %>
             <% end %>
           </td>
         </tr>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -11,6 +11,11 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :client_secret, null: false, index: { unique: true }
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      # JWT/OIDC per application signing verification
+      # t.text :jwt_public_key, null: true
+      # t.text :jws_jwk, null: true
+      # RP-initiated logout
+      # t.string :post_logout_redirect_uri, null: false
     end
 
     create_table :oauth_grants do |t|
@@ -19,6 +24,7 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.integer :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
       t.string :code, null: false
+      t.index(%i[oauth_application_id code], unique: true)
       t.datetime :expires_in, null: false
       t.string :redirect_uri
       t.datetime :revoked_at
@@ -31,7 +37,9 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       # t.string :code_challenge_method
       # uncomment to use OIDC nonce
       # t.string :nonce
-      t.index(%i[oauth_application_id code], unique: true)
+      # device code grant
+      # t.string :user_code, null: true, unique: true
+      # t.datetime :last_polled_at, null: true
     end
 
     create_table :oauth_tokens do |t|