rodauth-oauth 0.7.4 → 0.8.0

data/lib/rodauth/features/oauth_device_grant.rb

@@ -0,0 +1,221 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_device_grant, :OauthDeviceGrant) do
+    depends :oauth_base
+
+    auth_value_method :use_oauth_device_code_grant_type?, false
+
+    before "device_authorization"
+    before "device_verification"
+
+    notice_flash "The device is verified", "device_verification"
+    error_flash "No device to authorize with the given user code", "user_code_not_found"
+
+    view "device_verification", "Device Verification", "device_verification"
+    view "device_search", "Device Search", "device_search"
+
+    button "Verify", "oauth_device_verification"
+    button "Search", "oauth_device_search"
+
+    auth_value_method :oauth_grants_user_code_column, :user_code
+    auth_value_method :oauth_grants_last_polled_at_column, :last_polled_at
+
+    translatable_method :expired_token_message, "the device code has expired"
+    translatable_method :access_denied_message, "the authorization request has been denied"
+    translatable_method :authorization_pending_message, "the authorization request is still pending"
+    translatable_method :slow_down_message, "authorization request is still pending but poll interval should be increased"
+
+    auth_value_method :oauth_device_code_grant_polling_interval, 5 # seconds
+    auth_value_method :oauth_device_code_grant_user_code_size, 8 # characters
+    %w[user_code].each do |param|
+      auth_value_method :"oauth_grant_#{param}_param", param
+    end
+    translatable_method :oauth_grant_user_code_label, "User code"
+
+    auth_value_methods(
+      :generate_user_code
+    )
+
+    # /device-authorization
+    route(:device_authorization) do |r|
+      next unless is_authorization_server? && use_oauth_device_code_grant_type?
+
+      before_device_authorization_route
+
+      r.post do
+        require_oauth_application
+
+        user_code = generate_user_code
+        device_code = transaction do
+          before_device_authorization
+          create_oauth_grant(oauth_grants_user_code_column => user_code)
+        end
+
+        json_response_success \
+          "device_code" => device_code,
+          "user_code" => user_code,
+          "verification_uri" => device_url,
+          "verification_uri_complete" => device_url(user_code: user_code),
+          "expires_in" => oauth_grant_expires_in,
+          "interval" => oauth_device_code_grant_polling_interval
+      end
+    end
+
+    # /device
+    route(:device) do |r|
+      next unless is_authorization_server? && use_oauth_device_code_grant_type?
+
+      before_device_route
+      require_authorizable_account
+
+      r.get do
+        if (user_code = param_or_nil("user_code"))
+          oauth_grant = db[oauth_grants_table].where(
+            oauth_grants_user_code_column => user_code,
+            oauth_grants_revoked_at_column => nil
+          ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP).first
+
+          unless oauth_grant
+            set_redirect_error_flash user_code_not_found_error_flash
+            redirect device_path
+          end
+
+          scope.instance_variable_set(:@oauth_grant, oauth_grant)
+          device_verification_view
+        else
+          device_search_view
+        end
+      end
+
+      r.post do
+        catch_error do
+          unless param_or_nil("user_code")
+            set_redirect_error_flash invalid_grant_message
+            redirect device_path
+          end
+
+          transaction do
+            before_device_verification
+            create_oauth_token("device_code")
+          end
+        end
+        set_notice_flash device_verification_notice_flash
+        redirect device_path
+      end
+    end
+
+    def check_csrf?
+      case request.path
+      when device_authorization_path
+        false
+      else
+        super
+      end
+    end
+
+    private
+
+    def generate_user_code
+      user_code_size = oauth_device_code_grant_user_code_size
+      SecureRandom.random_number(36**user_code_size)
+                  .to_s(36) # 0 to 9, a to z
+                  .upcase
+                  .rjust(user_code_size, "0")
+    end
+
+    def authorized_oauth_application?(oauth_application, client_secret)
+      # skip if using device grant
+      #
+      # requests may be performed by devices with no knowledge of client secret.
+      return true if !client_secret && oauth_application && use_oauth_device_code_grant_type?
+
+      super
+    end
+
+    def create_oauth_token(grant_type)
+      case grant_type
+      when "urn:ietf:params:oauth:grant-type:device_code"
+        throw_json_response_error(invalid_oauth_response_status, "invalid_grant_type") unless use_oauth_device_code_grant_type?
+
+        oauth_grant = db[oauth_grants_table].where(
+          oauth_grants_code_column => param("device_code"),
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
+        ).for_update.first
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_grant") unless oauth_grant
+
+        now = Time.now
+
+        if oauth_grant[oauth_grants_revoked_at_column]
+          oauth_token = db[oauth_tokens_table]
+                        .where(Sequel[oauth_tokens_table][oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+                        .where(Sequel[oauth_tokens_table][oauth_tokens_revoked_at_column] => nil)
+                        .where(oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column])
+                        .first
+
+          throw_json_response_error(invalid_oauth_response_status, "access_denied") unless oauth_token
+        elsif oauth_grant[oauth_grants_expires_in_column] < now
+          throw_json_response_error(invalid_oauth_response_status, "expired_token")
+        else
+          last_polled_at = oauth_grant[oauth_grants_last_polled_at_column]
+          if last_polled_at && convert_timestamp(last_polled_at) + oauth_device_code_grant_polling_interval > now
+            throw_json_response_error(invalid_oauth_response_status, "slow_down")
+          else
+            db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
+                                  .update(oauth_grants_last_polled_at_column => Sequel::CURRENT_TIMESTAMP)
+            throw_json_response_error(invalid_oauth_response_status, "authorization_pending")
+          end
+        end
+        oauth_token
+      when "device_code"
+        redirect_response_error("invalid_grant_type") unless use_oauth_device_code_grant_type?
+
+        # fetch oauth grant
+        oauth_grant = db[oauth_grants_table].where(
+          oauth_grants_user_code_column => param("user_code"),
+          oauth_grants_revoked_at_column => nil
+        ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+                                            .for_update
+                                            .first
+
+        return unless oauth_grant
+
+        # update ownership
+        db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
+                              .update(
+                                oauth_grants_user_code_column => nil,
+                                oauth_grants_account_id_column => account_id
+                              )
+
+        create_params = {
+          oauth_tokens_account_id_column => account_id,
+          oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
+          oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
+          oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
+        }
+        create_oauth_token_from_authorization_code(oauth_grant, create_params)
+      else
+        super
+      end
+    end
+
+    def validate_oauth_token_params
+      grant_type = param_or_nil("grant_type")
+
+      if grant_type == "urn:ietf:params:oauth:grant-type:device_code" && !param_or_nil("device_code")
+        redirect_response_error("invalid_request")
+      end
+      super
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        if use_oauth_device_code_grant_type?
+          data[:grant_types_supported] << "urn:ietf:params:oauth:grant-type:device_code"
+          data[:device_authorization_endpoint] = device_authorization_url
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_http_mac.rb

@@ -1,28 +1,10 @@
 # frozen-string-literal: true
 
+require "rodauth/oauth/refinements"
+
 module Rodauth
   Feature.define(:oauth_http_mac, :OauthHttpMac) do
-    unless String.method_defined?(:delete_prefix)
-      module PrefixExtensions
-        refine(String) do
-          def delete_suffix(suffix)
-            suffix = suffix.to_s
-            len = suffix.length
-            return dup unless len.positive? && index(suffix, -len)
-
-            self[0...-len]
-          end
-
-          def delete_prefix(prefix)
-            prefix = prefix.to_s
-            return dup unless rindex(prefix, 0)
-
-            self[prefix.length..-1]
-          end
-        end
-      end
-      using(PrefixExtensions)
-    end
+    using PrefixExtensions
 
     depends :oauth
 

data/lib/rodauth/features/oauth_implicit_grant.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_implicit_grant, :OauthImplicitGrant) do
+    depends :oauth_base
+
+    auth_value_method :use_oauth_implicit_grant_type?, false
+
+    private
+
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
+      return super unless param("response_type") == "token" && use_oauth_implicit_grant_type?
+
+      response_mode ||= "fragment"
+      response_params.replace(_do_authorize_token)
+
+      response_params["state"] = param("state") if param_or_nil("state")
+
+      [response_params, response_mode]
+    end
+
+    def _do_authorize_token
+      create_params = {
+        oauth_tokens_account_id_column => account_id,
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => scopes
+      }
+      oauth_token = generate_oauth_token(create_params, false)
+
+      json_access_token_payload(oauth_token)
+    end
+
+    def authorize_response(params, mode)
+      return super unless mode == "fragment"
+
+      redirect_url = URI.parse(redirect_uri)
+      params = params.map { |k, v| "#{k}=#{v}" }
+      params << redirect_url.query if redirect_url.query
+      redirect_url.fragment = params.join("&")
+      redirect(redirect_url.to_s)
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        if use_oauth_implicit_grant_type?
+          data[:response_types_supported] << "token"
+          data[:response_modes_supported] << "fragment"
+          data[:grant_types_supported] << "implicit"
+        end
+      end
+    end
+
+    def check_valid_response_type?
+      return true if use_oauth_implicit_grant_type? && param_or_nil("response_type") == "token"
+
+      super
+    end
+  end
+end

data/lib/rodauth/features/oauth_jwt.rb

@@ -15,7 +15,13 @@ module Rodauth
 
     auth_value_method :oauth_jwt_token_issuer, nil
 
-    auth_value_method :oauth_application_jws_jwk_column, nil
+    auth_value_method :oauth_applications_jws_jwk_column, :jws_jwk
+    auth_value_method :oauth_applications_jwt_public_key_column, :jwt_public_key
+
+    translatable_method :oauth_applications_jws_jwk_label, "JSON Web Keys"
+    translatable_method :oauth_applications_jwt_public_key_label, "Public key"
+    auth_value_method :oauth_application_jws_jwk_param, :jws_jwk
+    auth_value_method :oauth_application_jwt_public_key_param, :jwt_public_key
 
     auth_value_method :oauth_jwt_key, nil
     auth_value_method :oauth_jwt_public_key, nil
@@ -113,9 +119,7 @@ module Rodauth
 
       return super unless request_object && oauth_application
 
-      jws_jwk = if oauth_application[oauth_application_jws_jwk_column]
-                  jwk = oauth_application[oauth_application_jws_jwk_column]
-
+      jws_jwk = if (jwk = oauth_application[oauth_applications_jws_jwk_column])
                   jwk = JSON.parse(jwk, symbolize_names: true) if jwk && jwk.is_a?(String)
                 else
                   redirect_response_error("invalid_request_object")
@@ -145,51 +149,6 @@ module Rodauth
 
     # /token
 
-    def require_oauth_application
-      # requset authentication optional for assertions
-      return super unless param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
-
-      claims = jwt_decode(param("assertion"))
-
-      redirect_response_error("invalid_grant") unless claims
-
-      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
-
-      authorization_required unless @oauth_application
-    end
-
-    def validate_oauth_token_params
-      if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
-        redirect_response_error("invalid_client") unless param_or_nil("assertion")
-      else
-        super
-      end
-    end
-
-    def create_oauth_token
-      if param("grant_type") == "urn:ietf:params:oauth:grant-type:jwt-bearer"
-        create_oauth_token_from_assertion
-      else
-        super
-      end
-    end
-
-    def create_oauth_token_from_assertion
-      claims = jwt_decode(param("assertion"))
-
-      account = account_ds(claims["sub"]).first
-
-      redirect_response_error("invalid_client") unless oauth_application && account
-
-      create_params = {
-        oauth_tokens_account_id_column => claims["sub"],
-        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_tokens_scopes_column => claims["scope"]
-      }
-
-      generate_oauth_token(create_params, false)
-    end
-
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
         oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
@@ -295,7 +254,17 @@ module Rodauth
     end
 
     def _jwt_key
-      @_jwt_key ||= oauth_jwt_key || (oauth_application[oauth_applications_client_secret_column] if oauth_application)
+      @_jwt_key ||= oauth_jwt_key || begin
+        if oauth_application
+
+          if (jwk = oauth_application[oauth_applications_jws_jwk_column])
+            jwk = JSON.parse(jwk, symbolize_names: true) if jwk && jwk.is_a?(String)
+            jwk
+          else
+            oauth_application[oauth_applications_jwt_public_key_column]
+          end
+        end
+      end
     end
 
     # Resource Server only!
@@ -346,8 +315,8 @@ module Rodauth
       generate_jti(claims) == jti
     end
 
-    def verify_aud(aud, claims)
-      aud == (oauth_jwt_audience || claims["client_id"])
+    def verify_aud(expected_aud, aud)
+      expected_aud == aud
     end
 
     if defined?(JSON::JWT)
@@ -379,6 +348,8 @@ module Rodauth
         jws_key: oauth_jwt_public_key || _jwt_key,
         verify_claims: true,
         verify_jti: true,
+        verify_iss: true,
+        verify_aud: false,
         **
       )
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
@@ -393,11 +364,15 @@ module Rodauth
                    JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
                  end
 
-        if verify_claims && !(claims[:iss] == issuer &&
-            verify_aud(claims[:aud], claims) &&
-            (!claims[:iat] || Time.at(claims[:iat]) > (Time.now - oauth_token_expires_in)) &&
-            (!claims[:exp] || Time.at(claims[:exp]) > Time.now) &&
-            (!verify_jti || verify_jti(claims[:jti], claims)))
+        now = Time.now
+        if verify_claims && (
+            (!claims[:exp] || Time.at(claims[:exp]) < now) &&
+            (claims[:nbf] && Time.at(claims[:nbf]) < now) &&
+            (claims[:iat] && Time.at(claims[:iat]) < now) &&
+            (verify_iss && claims[:iss] != issuer) &&
+            (verify_aud && !verify_aud(claims[:aud], claims[:client_id])) &&
+            (verify_jti && !verify_jti(claims[:jti], claims))
+          )
           return
         end
 
@@ -456,7 +431,9 @@ module Rodauth
         jws_key: oauth_jwt_public_key || _jwt_key,
         jws_algorithm: oauth_jwt_algorithm,
         verify_claims: true,
-        verify_jti: true
+        verify_jti: true,
+        verify_iss: true,
+        verify_aud: false
       )
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
@@ -472,7 +449,7 @@ module Rodauth
         #
         verify_claims_params = if verify_claims
                                  {
-                                   verify_iss: true,
+                                   verify_iss: verify_iss,
                                    iss: issuer,
                                    # can't use stock aud verification, as it's dependent on the client application id
                                    verify_aud: false,
@@ -496,7 +473,7 @@ module Rodauth
                    JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms, **verify_claims_params).first
                  end
 
-        return if verify_claims && !verify_aud(claims["aud"], claims)
+        return if verify_claims && verify_aud && !verify_aud(claims["aud"], claims["client_id"])
 
         claims
       rescue JWT::DecodeError, JWT::JWKError

data/lib/rodauth/features/oauth_jwt_bearer_grant.rb

@@ -0,0 +1,59 @@
+# frozen-string-literal: true
+
+require "rodauth/oauth/ttl_store"
+
+module Rodauth
+  Feature.define(:oauth_jwt_bearer_grant, :OauthJwtBearerGrant) do
+    depends :oauth_assertion_base, :oauth_jwt
+
+    auth_value_methods(
+      :require_oauth_application_from_jwt_bearer_assertion_issuer,
+      :require_oauth_application_from_jwt_bearer_assertion_subject,
+      :account_from_jwt_bearer_assertion
+    )
+
+    private
+
+    def require_oauth_application_from_jwt_bearer_assertion_issuer(assertion)
+      claims = jwt_assertion(assertion)
+
+      return unless claims
+
+      db[oauth_applications_table].where(
+        oauth_applications_client_id_column => claims["iss"]
+      ).first
+    end
+
+    def require_oauth_application_from_jwt_bearer_assertion_subject(assertion)
+      claims = jwt_assertion(assertion)
+
+      return unless claims
+
+      db[oauth_applications_table].where(
+        oauth_applications_client_id_column => claims["sub"]
+      ).first
+    end
+
+    def account_from_jwt_bearer_assertion(assertion)
+      claims = jwt_assertion(assertion)
+
+      return unless claims
+
+      account_from_bearer_assertion_subject(claims["sub"])
+    end
+
+    def jwt_assertion(assertion)
+      claims = jwt_decode(assertion, verify_iss: false, verify_aud: false)
+      return unless verify_aud(token_url, claims["aud"])
+
+      claims
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:grant_types_supported] << "urn:ietf:params:oauth:grant-type:jwt-bearer"
+        data[:token_endpoint_auth_methods_supported] << "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_pkce.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth/refinements"
+
+module Rodauth
+  Feature.define(:oauth_pkce, :OauthPkce) do
+    using PrefixExtensions
+
+    depends :oauth_authorization_code_grant
+
+    auth_value_method :use_oauth_pkce?, true
+
+    auth_value_method :oauth_require_pkce, false
+    auth_value_method :oauth_pkce_challenge_method, "S256"
+
+    auth_value_method :oauth_grants_code_challenge_column, :code_challenge
+    auth_value_method :oauth_grants_code_challenge_method_column, :code_challenge_method
+
+    auth_value_method :code_challenge_required_error_code, "invalid_request"
+    translatable_method :code_challenge_required_message, "code challenge required"
+    auth_value_method :unsupported_transform_algorithm_error_code, "invalid_request"
+    translatable_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
+
+    private
+
+    def authorized_oauth_application?(oauth_application, client_secret)
+      return true if use_oauth_pkce? && param_or_nil("code_verifier")
+
+      super
+    end
+
+    def validate_oauth_grant_params
+      validate_pkce_challenge_params if use_oauth_pkce?
+
+      super
+    end
+
+    def create_oauth_grant(create_params = {})
+      # PKCE flow
+      if use_oauth_pkce? && (code_challenge = param_or_nil("code_challenge"))
+        code_challenge_method = param_or_nil("code_challenge_method")
+
+        create_params[oauth_grants_code_challenge_column] = code_challenge
+        create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
+      end
+
+      super
+    end
+
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+      if use_oauth_pkce?
+        if oauth_grant[oauth_grants_code_challenge_column]
+          code_verifier = param_or_nil("code_verifier")
+
+          redirect_response_error("invalid_request") unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
+        elsif oauth_require_pkce
+          redirect_response_error("code_challenge_required")
+        end
+      end
+
+      super
+    end
+
+    def validate_pkce_challenge_params
+      if param_or_nil("code_challenge")
+
+        challenge_method = param_or_nil("code_challenge_method")
+        redirect_response_error("code_challenge_required") unless oauth_pkce_challenge_method == challenge_method
+      else
+        return unless oauth_require_pkce
+
+        redirect_response_error("code_challenge_required")
+      end
+    end
+
+    def check_valid_grant_challenge?(grant, verifier)
+      challenge = grant[oauth_grants_code_challenge_column]
+
+      case grant[oauth_grants_code_challenge_method_column]
+      when "plain"
+        challenge == verifier
+      when "S256"
+        generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier))
+        generated_challenge.delete_suffix!("=") while generated_challenge.end_with?("=")
+
+        challenge == generated_challenge
+      else
+        redirect_response_error("unsupported_transform_algorithm")
+      end
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:code_challenge_methods_supported] = oauth_pkce_challenge_method if use_oauth_pkce?
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_resource_server.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_resource_server, :OauthResourceServer) do
+    def authorization_token
+      return @authorization_token if defined?(@authorization_token)
+
+      # check if there is a token
+      bearer_token = fetch_access_token
+
+      return unless bearer_token
+
+      # where in resource server, NOT the authorization server.
+      payload = introspection_request("access_token", bearer_token)
+
+      return unless payload["active"]
+
+      @authorization_token = payload
+    end
+  end
+end