rodauth-oauth 0.7.4 → 0.8.0

data/lib/rodauth/features/oauth_saml_bearer_grant.rb

@@ -0,0 +1,102 @@
+# frozen-string-literal: true
+
+require "onelogin/ruby-saml"
+
+module Rodauth
+  Feature.define(:oauth_saml_bearer_grant, :OauthSamlBearerGrant) do
+    depends :oauth_assertion_base
+
+    auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    auth_value_method :oauth_saml_cert, nil
+    auth_value_method :oauth_saml_cert_fingerprint_algorithm, nil
+    auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+    auth_value_method :oauth_saml_security_authn_requests_signed, true
+    auth_value_method :oauth_saml_security_metadata_signed, true
+    auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
+    auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
+
+    auth_value_methods(
+      :require_oauth_application_from_saml2_bearer_assertion_issuer,
+      :require_oauth_application_from_saml2_bearer_assertion_subject,
+      :account_from_saml2_bearer_assertion
+    )
+
+    private
+
+    def require_oauth_application_from_saml2_bearer_assertion_issuer(assertion)
+      saml = saml_assertion(assertion)
+
+      return unless saml
+
+      db[oauth_applications_table].where(
+        oauth_applications_homepage_url_column => saml.issuers
+      ).first
+    end
+
+    def require_oauth_application_from_saml2_bearer_assertion_subject(assertion)
+      saml = saml_assertion(assertion)
+
+      return unless saml
+
+      db[oauth_applications_table].where(
+        oauth_applications_client_id_column => saml.nameid
+      ).first
+    end
+
+    def account_from_saml2_bearer_assertion(assertion)
+      saml = saml_assertion(assertion)
+
+      return unless saml
+
+      account_from_bearer_assertion_subject(saml.nameid)
+    end
+
+    def saml_assertion(assertion)
+      settings = OneLogin::RubySaml::Settings.new
+      settings.idp_cert = oauth_saml_cert
+      settings.idp_cert_fingerprint = oauth_saml_cert_fingerprint
+      settings.idp_cert_fingerprint_algorithm = oauth_saml_cert_fingerprint_algorithm
+      settings.name_identifier_format = oauth_saml_name_identifier_format
+      settings.security[:authn_requests_signed] = oauth_saml_security_authn_requests_signed
+      settings.security[:metadata_signed] = oauth_saml_security_metadata_signed
+      settings.security[:digest_method] = oauth_saml_security_digest_method
+      settings.security[:signature_method] = oauth_saml_security_signature_method
+
+      response = OneLogin::RubySaml::Response.new(assertion, settings: settings, skip_recipient_check: true)
+
+      # 3. he Assertion MUST have an expiry that limits the time window ...
+      # 4. The Assertion MUST have an expiry that limits the time window ...
+      # 5. The <Subject> element MUST contain at least one ...
+      # 6. The authorization server MUST reject the entire Assertion if the ...
+      # 7. If the Assertion issuer directly authenticated the subject, ...
+      redirect_response_error("invalid_grant") unless response.is_valid?
+
+      # In order to issue an access token response as described in OAuth 2.0
+      # [RFC6749] or to rely on an Assertion for client authentication, the
+      # authorization server MUST validate the Assertion according to the
+      # criteria below.
+
+      # 1. The Assertion's <Issuer> element MUST contain a unique identifier
+      # for the entity that issued the Assertion.
+      redirect_response_error("invalid_grant") unless response.issuers.size == 1
+
+      # 2. in addition to the URI references
+      # discussed there, the token endpoint URL of the authorization
+      # server MAY be used as a URI that identifies the authorization
+      # server as an intended audience.  The authorization server MUST
+      # reject any Assertion that does not contain its own identity as
+      # the intended audience.
+      redirect_response_error("invalid_grant") if response.audiences && !response.audiences.include?(token_url)
+
+      response
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:grant_types_supported] << "urn:ietf:params:oauth:grant-type:saml2-bearer"
+        data[:token_endpoint_auth_methods_supported] << "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_token_introspection.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_token_introspection, :OauthTokenIntrospection) do
+    depends :oauth_base
+
+    before "introspect"
+
+    auth_value_methods(
+      :before_introspection_request
+    )
+
+    # /introspect
+    route(:introspect) do |r|
+      next unless is_authorization_server?
+
+      before_introspect_route
+
+      r.post do
+        catch_error do
+          validate_oauth_introspect_params
+
+          before_introspect
+          oauth_token = case param("token_type_hint")
+                        when "access_token"
+                          oauth_token_by_token(param("token"))
+                        when "refresh_token"
+                          oauth_token_by_refresh_token(param("token"))
+                        else
+                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
+                        end
+
+          if oauth_application
+            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
+          elsif oauth_token
+            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
+              oauth_token[oauth_tokens_oauth_application_id_column]).first
+          end
+
+          json_response_success(json_token_introspect_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # Token introspect
+
+    def validate_oauth_introspect_params(token_hint_types = %w[access_token refresh_token].freeze)
+      # check if valid token hint type
+      if param_or_nil("token_type_hint") && !token_hint_types.include?(param("token_type_hint"))
+        redirect_response_error("unsupported_token_type")
+      end
+
+      redirect_response_error("invalid_request") unless param_or_nil("token")
+    end
+
+    def json_token_introspect_payload(token)
+      return { active: false } unless token
+
+      {
+        active: true,
+        scope: token[oauth_tokens_scopes_column],
+        client_id: oauth_application[oauth_applications_client_id_column],
+        # username
+        token_type: oauth_token_type,
+        exp: token[oauth_tokens_expires_in_column].to_i
+      }
+    end
+
+    def check_csrf?
+      case request.path
+      when introspect_path
+        false
+      else
+        super
+      end
+    end
+
+    private
+
+    def introspection_request(token_type_hint, token)
+      auth_url = URI(authorization_server_url)
+      http = Net::HTTP.new(auth_url.host, auth_url.port)
+      http.use_ssl = auth_url.scheme == "https"
+
+      request = Net::HTTP::Post.new(introspect_path)
+      request["content-type"] = "application/x-www-form-urlencoded"
+      request["accept"] = json_response_content_type
+      request.set_form_data({ "token_type_hint" => token_type_hint, "token" => token })
+
+      before_introspection_request(request)
+      response = http.request(request)
+      authorization_required unless response.code.to_i == 200
+
+      JSON.parse(response.body)
+    end
+
+    def before_introspection_request(request); end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:introspection_endpoint] = introspect_url
+        data[:introspection_endpoint_auth_methods_supported] = %w[client_secret_basic]
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_token_management.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_token_management, :OauthTokenManagement) do
+    using RegexpExtensions
+
+    depends :oauth_base
+
+    view "oauth_tokens", "My Oauth Tokens", "oauth_tokens"
+
+    button "Revoke", "oauth_token_revoke"
+
+    auth_value_method :oauth_tokens_path, "oauth-tokens"
+
+    %w[token refresh_token expires_in revoked_at].each do |param|
+      translatable_method :"oauth_tokens_#{param}_label", param.gsub("_", " ").capitalize
+    end
+
+    auth_value_method :oauth_tokens_route, "oauth-tokens"
+    auth_value_method :oauth_tokens_id_pattern, Integer
+
+    auth_value_methods(
+      :oauth_token_path
+    )
+
+    def oauth_tokens_path(opts = {})
+      route_path(oauth_tokens_route, opts)
+    end
+
+    def oauth_tokens_url(opts = {})
+      route_url(oauth_tokens_route, opts)
+    end
+
+    def oauth_token_path(id)
+      "#{oauth_tokens_path}/#{id}"
+    end
+
+    def oauth_tokens
+      request.on(oauth_tokens_route) do
+        require_account
+
+        request.get do
+          scope.instance_variable_set(:@oauth_tokens, db[oauth_tokens_table]
+            .select(Sequel[oauth_tokens_table].*, Sequel[oauth_applications_table][oauth_applications_name_column])
+            .join(oauth_applications_table, Sequel[oauth_tokens_table][oauth_tokens_oauth_application_id_column] =>
+              Sequel[oauth_applications_table][oauth_applications_id_column])
+            .where(Sequel[oauth_tokens_table][oauth_tokens_account_id_column] => account_id)
+                .where(oauth_tokens_revoked_at_column => nil))
+          oauth_tokens_view
+        end
+
+        request.post(oauth_tokens_id_pattern) do |id|
+          db[oauth_tokens_table]
+            .where(oauth_tokens_id_column => id)
+            .where(oauth_tokens_account_id_column => account_id)
+            .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+
+          set_notice_flash revoke_oauth_token_notice_flash
+          redirect oauth_tokens_path || "/"
+        end
+      end
+    end
+
+    def check_csrf?
+      case request.path
+      when oauth_tokens_path
+        only_json? ? false : super
+      else
+        super
+      end
+    end
+
+    def check_valid_uri?(uri)
+      URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(uri)
+    end
+  end
+end

data/lib/rodauth/features/oauth_token_revocation.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_token_revocation, :OauthTokenRevocation) do
+    depends :oauth_base
+
+    before "revoke"
+    after "revoke"
+
+    notice_flash "The oauth token has been revoked", "revoke_oauth_token"
+
+    # /revoke
+    route(:revoke) do |r|
+      next unless is_authorization_server?
+
+      before_revoke_route
+
+      if logged_in?
+        require_account
+        require_oauth_application_from_account
+      else
+        require_oauth_application
+      end
+
+      r.post do
+        catch_error do
+          validate_oauth_revoke_params
+
+          oauth_token = nil
+          transaction do
+            before_revoke
+            oauth_token = revoke_oauth_token
+            after_revoke
+          end
+
+          if accepts_json?
+            json_response_success \
+              "token" => oauth_token[oauth_tokens_token_column],
+              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
+              "revoked_at" => convert_timestamp(oauth_token[oauth_tokens_revoked_at_column])
+          else
+            set_notice_flash revoke_oauth_token_notice_flash
+            redirect request.referer || "/"
+          end
+        end
+
+        redirect_response_error("invalid_request", request.referer || "/")
+      end
+    end
+
+    def validate_oauth_revoke_params(token_hint_types = %w[access_token refresh_token].freeze)
+      # check if valid token hint type
+      if param_or_nil("token_type_hint") && !token_hint_types.include?(param("token_type_hint"))
+        redirect_response_error("unsupported_token_type")
+      end
+
+      redirect_response_error("invalid_request") unless param_or_nil("token")
+    end
+
+    def check_csrf?
+      case request.path
+      when revoke_path
+        !json_request?
+      else
+        super
+      end
+    end
+
+    private
+
+    def revoke_oauth_token
+      token = param("token")
+
+      oauth_token = if param("token_type_hint") == "refresh_token"
+                      oauth_token_by_refresh_token(token)
+                    else
+                      oauth_token_by_token(token)
+                    end
+
+      redirect_response_error("invalid_request") unless oauth_token
+
+      redirect_response_error("invalid_request") unless token_from_application?(oauth_token, oauth_application)
+
+      update_params = { oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
+
+      ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+
+      oauth_token = __update_and_return__(ds, update_params)
+
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token
+
+      # If the particular
+      # token is a refresh token and the authorization server supports the
+      # revocation of access tokens, then the authorization server SHOULD
+      # also invalidate all access tokens based on the same authorization
+      # grant
+      #
+      # we don't need to do anything here, as we revalidate existing tokens
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:revocation_endpoint] = revoke_url
+        data[:revocation_endpoint_auth_methods_supported] = nil # because it's client_secret_basic
+      end
+    end
+  end
+end

data/lib/rodauth/features/oidc.rb

@@ -283,7 +283,7 @@ module Rodauth
           redirect_response_error("consent_required")
         end
       when "select-account"
-        # obly works if select_account plugin is available
+        # only works if select_account plugin is available
         require_select_account if respond_to?(:require_select_account)
       else
         redirect_response_error("invalid_request")
@@ -302,7 +302,7 @@ module Rodauth
       super(oauth_grant, create_params.merge(oauth_tokens_nonce_column => oauth_grant[oauth_grants_nonce_column]))
     end
 
-    def create_oauth_token
+    def create_oauth_token(*)
       oauth_token = super
       generate_id_token(oauth_token)
       oauth_token
@@ -461,7 +461,8 @@ module Rodauth
       scope_claims.unshift("auth_time") if last_account_login_at
 
       response_types_supported = metadata[:response_types_supported]
-      if use_oauth_implicit_grant_type?
+
+      if metadata[:grant_types_supported].include?("implicit")
         response_types_supported += ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"]
       end
 

data/lib/rodauth/oauth/database_extensions.rb

@@ -2,7 +2,7 @@
 
 module Rodauth
   module OAuth
-    # rubocop:disable Naming/MethodName, Metrics/ParameterLists
+    # rubocop:disable Naming/MethodName
     def self.ExtendDatabase(db)
       Module.new do
         dataset = db.dataset
@@ -42,6 +42,14 @@ module Rodauth
 
             __insert_and_return__(dataset, pkey, params)
           end
+
+          def __insert_or_do_nothing_and_return__(dataset, pkey, unique_columns, params)
+            __insert_and_return__(
+              dataset.insert_conflict(target: unique_columns),
+              pkey,
+              params
+            ) || dataset.where(params).first
+          end
         else
           def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, exclude_on_update = nil)
             find_params, update_params = params.partition { |key, _| unique_columns.include?(key) }.map { |h| Hash[h] }
@@ -65,9 +73,14 @@ module Rodauth
               __insert_and_return__(dataset, pkey, params)
             end
           end
+
+          def __insert_or_do_nothing_and_return__(dataset, pkey, unique_columns, params)
+            find_params = params.select { |key, _| unique_columns.include?(key) }
+            dataset.where(find_params).first || __insert_and_return__(dataset, pkey, params)
+          end
         end
       end
     end
-    # rubocop:enable Naming/MethodName, Metrics/ParameterLists
+    # rubocop:enable Naming/MethodName
   end
 end

data/lib/rodauth/oauth/refinements.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Rodauth
+  module PrefixExtensions
+    unless String.method_defined?(:delete_prefix)
+      refine(String) do
+        def delete_suffix(suffix)
+          suffix = suffix.to_s
+          len = suffix.length
+          return dup unless len.positive? && index(suffix, -len)
+
+          self[0...-len]
+        end
+
+        def delete_prefix(prefix)
+          prefix = prefix.to_s
+          return dup unless rindex(prefix, 0)
+
+          self[prefix.length..-1]
+        end
+      end
+    end
+
+    unless String.method_defined?(:delete_suffix!)
+      refine(String) do
+        def delete_suffix!(suffix)
+          suffix = suffix.to_s
+          chomp! if frozen?
+          len = suffix.length
+          return unless len.positive? && index(suffix, -len)
+
+          self[-len..-1] = ""
+          self
+        end
+      end
+    end
+  end
+
+  module RegexpExtensions
+    unless Regexp.method_defined?(:match?)
+      refine(Regexp) do
+        def match?(*args)
+          !match(*args).nil?
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.7.4"
+    VERSION = "0.8.0"
   end
 end

data/locales/en.yml

@@ -5,22 +5,34 @@ en:
     create_oauth_application_notice_flash: "Your oauth application has been registered"
     revoke_unauthorized_account_error_flash: "You are not authorized to revoke this token"
     revoke_oauth_token_notice_flash: "The oauth token has been revoked"
+    device_verification_notice_flash: "The device is verified"
+    user_code_not_found_error_flash: "No device to authorize with the given user code"
     oauth_authorize_title: "Authorize"
-    oauth_oauth_applications_page_title: "Oauth Applications"
-    oauth_oauth_application_page_title: "Oauth Application"
-    oauth_new_oauth_application_page_title: "New Oauth Application"
-    oauth_oauth_tokens_page_title: "Oauth Tokens"
-    name_label: "Name"
-    description_label: "Description"
-    scopes_label: "Scopes"
-    homepage_url_label: "Homepage URL"
-    redirect_uri_label: "Redirect URL"
-    client_secret_label: "Client Secret"
-    client_id_label: "Client ID"
-    oauth_applications_button: "Register"
+    oauth_applications_page_title: "Oauth Applications"
+    oauth_application_page_title: "Oauth Application"
+    new_oauth_application_page_title: "New Oauth Application"
+    oauth_application_oauth_tokens_page_title: "Application Oauth Tokens"
+    oauth_tokens_page_title: "My Oauth Tokens"
+    device_verification_page_title: "Device Verification"
+    device_search_page_title: "Device Search"
+    oauth_applications_name_label: "Name"
+    oauth_applications_description_label: "Description"
+    oauth_applications_scopes_label: "Scopes"
+    oauth_applications_homepage_url_label: "Homepage URL"
+    oauth_applications_redirect_uri_label: "Redirect URL"
+    oauth_applications_client_secret_label: "Client Secret"
+    oauth_applications_client_id_label: "Client ID"
+    oauth_grant_user_code_label: "User code"
+    oauth_grant_user_jws_jwk_label: "JSON Web Keys"
+    oauth_grant_user_jwt_public_key_label: "Public key"
+    oauth_application_button: "Register"
     oauth_authorize_button: "Authorize"
     oauth_token_revoke_button: "Revoke"
     oauth_authorize_post_button: "Back to Client Application"
+    oauth_device_verification_button: "Verify"
+    oauth_device_search_button: "Search"
+    invalid_client_message: "Client authentication failed"
+    invalid_grant_type_message: "Invalid grant type"
     invalid_grant_message: "Invalid grant"
     invalid_scope_message: "Invalid scope"
     invalid_url_message: "Invalid URL"
@@ -28,6 +40,10 @@ en:
     unique_error_message: "is already in use"
     null_error_message: "is not filled"
     already_in_use_message: "error generating unique token"
+    expired_token_message: "the device code has expired"
+    access_denied_message: "the authorization request has been denied"
+    authorization_pending_message: "the authorization request is still pending"
+    slow_down_message: "authorization request is still pending but poll interval should be increased"
     code_challenge_required_message: "code challenge required"
     unsupported_transform_algorithm_message: "transform algorithm not supported"
     request_uri_not_supported_message: "request uri is unsupported"

data/templates/authorize.str

@@ -3,23 +3,23 @@
   <p class="lead">The application #{rodauth.oauth_application[rodauth.oauth_applications_name_column]} would like to access your data.</p>
 
   <div class="form-group">
-    <h1 class="display-6">#{rodauth.scopes_label}</h1>
+    <h1 class="display-6">#{rodauth.oauth_tokens_scopes_label}</h1>
 
     #{
       rodauth.scopes.map do |scope|
         if scope == rodauth.oauth_application_default_scope
           <<-HTML
             <div class="form-check">
-              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{scope}" checked disabled>
-              <label class="form-check-label" for="#{scope}">#{scope}</label>
-              <input type="hidden" name="scope[]" value="#{scope}">
+              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}" checked disabled>
+              <label class="form-check-label" for="#{scope}">#{h(scope)}</label>
+              <input type="hidden" name="scope[]" value="#{h(scope)}">
             </div>
           HTML
         else
           <<-HTML
             <div class="form-check">
-              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{scope}">
-              <label class="form-check-label" for="#{scope}">#{scope}</label>
+              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}">
+              <label class="form-check-label" for="#{scope}">#{h(scope)}</label>
             </div>
           HTML
         end
@@ -39,6 +39,6 @@
   </div>
   <p class="text-center">
     <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_authorize_button)}"/>
-    <a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger">Cancel</a>
+    <a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger">#{rodauth.oauth_cancel_button}</a>
   </p>
 </form>

data/templates/client_secret_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
-  <label for="client_secret">#{rodauth.client_secret_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_client_secret_param, "client_secret", :type=>"text")}
+  <label for="client_secret">#{rodauth.oauth_applications_client_secret_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_client_secret_param, "client-secret", :type=>"text")}
 </div>

data/templates/description_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
-  <label for="description">#{rodauth.description_label}#{rodauth.input_field_label_suffix}</label>
+  <label for="description">#{rodauth.oauth_applications_description_label}#{rodauth.input_field_label_suffix}</label>
   #{rodauth.input_field_string(rodauth.oauth_application_description_param, "description", :type=>"text", :required => false)}
 </div>

data/templates/device_search.str

@@ -0,0 +1,11 @@
+<form method="get" action="#{rodauth.device_path}" class="form-horizontal" role="form" id="device-search-form">
+  <p class="lead">Insert the user code from the device you'd like to authorize.</p>
+
+  <div class="form-group">
+    <label for="user_code">#{rodauth.oauth_grant_user_code_label}</label>
+    #{rodauth.input_field_string("user_code", "user_code", :value => rodauth.param_or_nil(rodauth.oauth_grant_user_code_param))}
+  </div>
+  <p class="text-center">
+    <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_device_search_button)}"/>
+  </p>
+</form>

data/templates/device_verification.str

@@ -0,0 +1,24 @@
+<form method="post" action="#{rodauth.device_path}" class="form-horizontal" role="form" id="device-verification-form">
+  #{csrf_tag(rodauth.device_path) if respond_to?(:csrf_tag)}
+  <p class="lead">The device with user code #{@oauth_grant[rodauth.oauth_grants_user_code_column]} would like to access your data.</p>
+
+  <div class="form-group">
+    <h1 class="display-6">#{rodauth.oauth_tokens_scopes_label}</h1>
+
+    <ul class="list-group">
+    #{
+      scopes = @oauth_grant[rodauth.oauth_grants_scopes_column].split(rodauth.oauth_scope_separator)
+      scopes.map do |scope|
+        <<-HTML
+          <li class="list-group-item">#{scope}</li>
+        HTML
+      end.join
+    }
+    </ul>
+  </div>
+  <input type="hidden" name="user_code" value="#{rodauth.param("user_code")}"/>
+  <p class="text-center">
+    <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_device_verification_button)}"/>
+    <a href="#{rodauth.device_path}?error=access_denied" class="btn btn-outline-danger">#{rodauth.oauth_cancel_button}</a>
+  </p>
+</form>