rodauth-oauth 0.7.4 → 0.8.0

data/templates/homepage_url_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
-  <label for="homepage_url">#{rodauth.homepage_url_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_homepage_url_param, "homepage_url", :type=>"text")}
+  <label for="homepage_url">#{rodauth.oauth_applications_homepage_url_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_homepage_url_param, "homepage-url", :type=>"text")}
 </div>

data/templates/jws_jwk_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="name">#{rodauth.oauth_applications_jws_jwk_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_jws_jwk_param, "jws_jwk", :type=>"text")}
+</div>

data/templates/jwt_public_key_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="name">#{rodauth.oauth_applications_jwt_public_key_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_jwt_public_key_param, "jwt_public_key", :type=>"text")}
+</div>

data/templates/name_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
-  <label for="name">#{rodauth.name_label}#{rodauth.input_field_label_suffix}</label>
+  <label for="name">#{rodauth.oauth_applications_name_label}#{rodauth.input_field_label_suffix}</label>
   #{rodauth.input_field_string(rodauth.oauth_application_name_param, "name", :type=>"text")}
 </div>

data/templates/new_oauth_application.str

@@ -1,3 +1,4 @@
+<h2>#{rodauth.new_oauth_application_page_title}</h2>
 <form method="post" action="#{rodauth.oauth_applications_path}" class="rodauth" role="form" id="oauth-application-form">
   #{rodauth.csrf_tag}
   #{rodauth.render('name_field')}
@@ -6,5 +7,13 @@
   #{rodauth.render('redirect_uri_field')}
   #{rodauth.render('client_secret_field')}
   #{rodauth.render('scope_field')}
+  #{
+    if rodauth.features.include?(:oauth_jwt)
+      <<-HTML
+        #{rodauth.render('jwt_public_key_field')}
+        #{rodauth.render('jws_jwk_field')}
+      HTML
+    end
+  }
   #{rodauth.button(rodauth.oauth_application_button)}
 </form>

data/templates/oauth_application.str

@@ -1,11 +1,15 @@
 <div id="oauth-application">
   <dl>
     #{
-      (rodauth.oauth_application_required_params + %w[client_id] - %w[client_secret]).map do |param|
-        "<dt class=\"#{param}\">#{rodauth.send(:"#{param}_label")}</dt>" +
+      params = [*rodauth.oauth_application_required_params, "client_id", "client_secret"]
+      if rodauth.features.include?(:oauth_jwt)
+        params += %w[jws_jwk jwt_public_key]
+      end
+      params.map do |param|
+        "<dt class=\"#{param}\">#{rodauth.send(:"oauth_applications_#{param}_label")}: </dt>" +
         "<dd class=\"#{param}\">#{@oauth_application[rodauth.send(:"oauth_applications_#{param}_column")]}</dd>"
       end.join
     }
   </dl>
-  <a href="#{rodauth.oauth_applications_path}/#{@oauth_application[:id]}/#{rodauth.oauth_tokens_path}" class="btn btn-outline-secondary">Oauth Tokens</a>
+  <a href="#{rodauth.oauth_applications_path}/#{@oauth_application[rodauth.oauth_applications_id_column]}/#{rodauth.oauth_applications_oauth_tokens_path}" class="btn btn-outline-secondary">#{rodauth.oauth_application_oauth_tokens_page_title}</a>
 </div>

data/templates/oauth_application_oauth_tokens.str

@@ -0,0 +1,51 @@
+<div id="oauth-tokens">
+  #{
+    if @oauth_tokens.count.zero?
+      "<p>No oauth tokens yet!</p>"
+    else
+      <<-HTML
+        <table class="table">
+          <thead>
+            <tr>
+              <th scope="col">#{rodauth.oauth_tokens_token_label}</th>
+              <th scope="col">#{rodauth.oauth_tokens_refresh_token_label}</th>
+              <th scope="col">#{rodauth.oauth_tokens_expires_in_label}</th>
+              <th scope="col">#{rodauth.oauth_tokens_revoked_at_label}</th>
+              <th scope="col">#{rodauth.oauth_tokens_scopes_label}</th>
+              <th scope="col"><span class="badge badge-pill badge-dark">#{@oauth_tokens.count}</span>
+            </tr>
+          </thead>
+          <tbody>
+            #{
+              @oauth_tokens.map do |oauth_token|
+                <<-HTML
+                  <tr>
+                    <td><code class="token">#{oauth_token[rodauth.oauth_tokens_token_column]}</code></td>
+                    <td><code class="token">#{oauth_token[rodauth.oauth_tokens_refresh_token_column]}</code></td>
+                    <td>#{oauth_token[rodauth.oauth_tokens_expires_in_column]}</td>
+                    <td>#{oauth_token[rodauth.oauth_tokens_revoked_at_column]}</td>
+                    <td>#{oauth_token[rodauth.oauth_tokens_scopes_column]}</td>
+                    <td>
+                      #{
+                        if !oauth_token[rodauth.oauth_tokens_revoked_at_column] && !oauth_token[rodauth.oauth_tokens_token_hash_column]
+                          <<-HTML
+                            <form method="post" action="#{rodauth.revoke_path}" class="form-horizontal" role="form" id="revoke-form">
+                              #{csrf_tag(rodauth.revoke_path) if respond_to?(:csrf_tag)}
+                              #{rodauth.input_field_string("token_type_hint", "revoke-token-type-hint", :value => "access_token", :type=>"hidden")}
+                              #{rodauth.input_field_string("token", "revoke-token", :value => oauth_token[rodauth.oauth_tokens_token_column], :type=>"hidden")}
+                              #{rodauth.button(rodauth.oauth_token_revoke_button)}
+                            </form>
+                          HTML
+                        end
+                      }
+                    </td>
+                  </tr>
+                HTML
+              end.join
+            }
+          </tbody>
+        </table>
+      HTML
+    end
+  }
+</div>

data/templates/oauth_applications.str

@@ -1,10 +1,10 @@
 <div id="oauth-applications">
-  <a class="btn btn-outline-primary" href="/oauth-applications/new">Register new Oauth Application</a>
+  <a class="btn btn-outline-primary" href="/oauth-applications/new">#{rodauth.new_oauth_application_page_title}</a>
   #{
     if @oauth_applications.count.zero?
       "<p>No oauth applications yet!</p>"
     else
-      "<ul class=\"list-group\">" + 
+      "<ul class=\"list-group\">" +
         @oauth_applications.map do |application|
           "<li class=\"list-group-item\"><a href=\"/oauth-applications/#{application[:id]}\">#{application[:name]}</a></li>"
         end.join +

data/templates/oauth_tokens.str

@@ -7,11 +7,11 @@
         <table class="table">
           <thead>
             <tr>
-              <th scope="col">Token</th>
-              <th scope="col">Refresh Token</th>
-              <th scope="col">Expires in</th>
-              <th scope="col">Revoked at</th>
-              <th scope="col">Scopes</th>
+            <th scope="col">#{rodauth.oauth_applications_name_label}</th>
+              <th scope="col">#{rodauth.oauth_tokens_token_label}</th>
+              <th scope="col">#{rodauth.oauth_tokens_refresh_token_label}</th>
+              <th scope="col">#{rodauth.oauth_tokens_expires_in_label}</th>
+              <th scope="col">#{rodauth.oauth_tokens_scopes_label}</th>
               <th scope="col"><span class="badge badge-pill badge-dark">#{@oauth_tokens.count}</span>
             </tr>
           </thead>
@@ -20,19 +20,17 @@
               @oauth_tokens.map do |oauth_token|
                 <<-HTML
                   <tr>
+                    <td>#{oauth_token[rodauth.oauth_applications_name_column]}</td>
                     <td><code class="token">#{oauth_token[rodauth.oauth_tokens_token_column]}</code></td>
                     <td><code class="token">#{oauth_token[rodauth.oauth_tokens_refresh_token_column]}</code></td>
                     <td>#{oauth_token[rodauth.oauth_tokens_expires_in_column]}</td>
-                    <td>#{oauth_token[rodauth.oauth_tokens_revoked_at_column]}</td>
                     <td>#{oauth_token[rodauth.oauth_tokens_scopes_column]}</td>
                     <td>
                       #{
-                        if !oauth_token[rodauth.oauth_tokens_revoked_at_column] && !oauth_token[rodauth.oauth_tokens_token_hash_column]
+                        if !oauth_token[rodauth.oauth_tokens_token_hash_column]
                           <<-HTML
-                            <form method="post" action="#{rodauth.revoke_path}" class="form-horizontal" role="form" id="revoke-form">
-                              #{csrf_tag(rodauth.revoke_path) if respond_to?(:csrf_tag)}
-                              #{rodauth.input_field_string("token_type_hint", "revoke-token-type-hint", :value => "access_token", :type=>"hidden")}
-                              #{rodauth.input_field_string("token", "revoke-token", :value => oauth_token[rodauth.oauth_tokens_token_column], :type=>"hidden")}
+                            <form method="post" action="#{rodauth.oauth_token_path(oauth_token[rodauth.oauth_tokens_id_column])}" class="form-horizontal" role="form" id="token-revoke-form">
+                              #{csrf_tag(rodauth.oauth_token_path(oauth_token[rodauth.oauth_tokens_id_column])) if respond_to?(:csrf_tag)}
                               #{rodauth.button(rodauth.oauth_token_revoke_button)}
                             </form>
                           HTML

data/templates/redirect_uri_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
-  <label for="redirect_uri">#{rodauth.redirect_uri_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_redirect_uri_param, "redirect_uri", :type=>"text")}
+  <label for="redirect_uri">#{rodauth.oauth_applications_redirect_uri_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_redirect_uri_param, "redirect-uri", :type=>"text")}
 </div>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.7.4
+  version: 0.8.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01-14 00:00:00.000000000 Z
+date: 2022-03-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -33,39 +33,107 @@ extra_rdoc_files:
 - LICENSE.txt
 - README.md
 - CHANGELOG.md
+- doc/release_notes/0_0_1.md
+- doc/release_notes/0_0_2.md
+- doc/release_notes/0_0_3.md
+- doc/release_notes/0_0_4.md
+- doc/release_notes/0_0_5.md
+- doc/release_notes/0_0_6.md
+- doc/release_notes/0_1_0.md
+- doc/release_notes/0_2_0.md
+- doc/release_notes/0_3_0.md
+- doc/release_notes/0_4_0.md
+- doc/release_notes/0_4_1.md
+- doc/release_notes/0_4_2.md
+- doc/release_notes/0_4_3.md
+- doc/release_notes/0_5_0.md
+- doc/release_notes/0_5_1.md
+- doc/release_notes/0_6_0.md
+- doc/release_notes/0_6_1.md
+- doc/release_notes/0_7_0.md
+- doc/release_notes/0_7_1.md
+- doc/release_notes/0_7_2.md
+- doc/release_notes/0_7_3.md
+- doc/release_notes/0_7_4.md
+- doc/release_notes/0_8_0.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
 - README.md
+- doc/release_notes/0_0_1.md
+- doc/release_notes/0_0_2.md
+- doc/release_notes/0_0_3.md
+- doc/release_notes/0_0_4.md
+- doc/release_notes/0_0_5.md
+- doc/release_notes/0_0_6.md
+- doc/release_notes/0_1_0.md
+- doc/release_notes/0_2_0.md
+- doc/release_notes/0_3_0.md
+- doc/release_notes/0_4_0.md
+- doc/release_notes/0_4_1.md
+- doc/release_notes/0_4_2.md
+- doc/release_notes/0_4_3.md
+- doc/release_notes/0_5_0.md
+- doc/release_notes/0_5_1.md
+- doc/release_notes/0_6_0.md
+- doc/release_notes/0_6_1.md
+- doc/release_notes/0_7_0.md
+- doc/release_notes/0_7_1.md
+- doc/release_notes/0_7_2.md
+- doc/release_notes/0_7_3.md
+- doc/release_notes/0_7_4.md
+- doc/release_notes/0_8_0.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_token.rb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb
+- lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb
+- lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb
+- lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_tokens.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_tokens.html.erb
 - lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb
 - lib/generators/rodauth/oauth/views_generator.rb
 - lib/rodauth/features/oauth.rb
+- lib/rodauth/features/oauth_application_management.rb
+- lib/rodauth/features/oauth_assertion_base.rb
+- lib/rodauth/features/oauth_authorization_code_grant.rb
+- lib/rodauth/features/oauth_authorization_server.rb
+- lib/rodauth/features/oauth_base.rb
+- lib/rodauth/features/oauth_device_grant.rb
 - lib/rodauth/features/oauth_http_mac.rb
+- lib/rodauth/features/oauth_implicit_grant.rb
 - lib/rodauth/features/oauth_jwt.rb
-- lib/rodauth/features/oauth_saml.rb
+- lib/rodauth/features/oauth_jwt_bearer_grant.rb
+- lib/rodauth/features/oauth_pkce.rb
+- lib/rodauth/features/oauth_resource_server.rb
+- lib/rodauth/features/oauth_saml_bearer_grant.rb
+- lib/rodauth/features/oauth_token_introspection.rb
+- lib/rodauth/features/oauth_token_management.rb
+- lib/rodauth/features/oauth_token_revocation.rb
 - lib/rodauth/features/oidc.rb
 - lib/rodauth/oauth.rb
 - lib/rodauth/oauth/database_extensions.rb
 - lib/rodauth/oauth/railtie.rb
+- lib/rodauth/oauth/refinements.rb
 - lib/rodauth/oauth/ttl_store.rb
 - lib/rodauth/oauth/version.rb
 - locales/en.yml
 - templates/authorize.str
 - templates/client_secret_field.str
 - templates/description_field.str
+- templates/device_search.str
+- templates/device_verification.str
 - templates/homepage_url_field.str
+- templates/jws_jwk_field.str
+- templates/jwt_public_key_field.str
 - templates/name_field.str
 - templates/new_oauth_application.str
 - templates/oauth_application.str
+- templates/oauth_application_oauth_tokens.str
 - templates/oauth_applications.str
 - templates/oauth_tokens.str
 - templates/redirect_uri_field.str

data/lib/rodauth/features/oauth_saml.rb

@@ -1,104 +0,0 @@
-# frozen-string-literal: true
-
-require "onelogin/ruby-saml"
-
-module Rodauth
-  Feature.define(:oauth_saml, :OauthSaml) do
-    depends :oauth
-
-    auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
-    auth_value_method :oauth_saml_cert_fingerprint_algorithm, nil
-    auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-
-    auth_value_method :oauth_saml_security_authn_requests_signed, false
-    auth_value_method :oauth_saml_security_metadata_signed, false
-    auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
-    auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
-
-    SAML_GRANT_TYPE = "http://oauth.net/grant_type/assertion/saml/2.0/bearer"
-
-    # /token
-
-    def require_oauth_application
-      # requset authentication optional for assertions
-      return super unless param("grant_type") == SAML_GRANT_TYPE && !param_or_nil("client_id")
-
-      # TODO: invalid grant
-      authorization_required unless saml_assertion
-
-      redirect_uri = saml_assertion.destination
-
-      @oauth_application = db[oauth_applications_table].where(
-        oauth_applications_homepage_url_column => saml_assertion.audiences,
-        oauth_applications_redirect_uri_column => redirect_uri
-      ).first
-
-      # The Assertion's <Issuer> element MUST contain a unique identifier
-      # for the entity that issued the Assertion.
-      authorization_required unless saml_assertion.issuers.all? do |issuer|
-        issuer.start_with?(@oauth_application[oauth_applications_homepage_url_column])
-      end
-
-      authorization_required unless @oauth_application
-    end
-
-    private
-
-    def secret_matches?(oauth_application, secret)
-      return super unless param_or_nil("assertion")
-
-      true
-    end
-
-    def saml_assertion
-      return @saml_assertion if defined?(@saml_assertion)
-
-      @saml_assertion = begin
-        settings = OneLogin::RubySaml::Settings.new
-        settings.idp_cert_fingerprint = oauth_saml_cert_fingerprint
-        settings.idp_cert_fingerprint_algorithm = oauth_saml_cert_fingerprint_algorithm
-        settings.name_identifier_format = oauth_saml_name_identifier_format
-        settings.security[:authn_requests_signed] = oauth_saml_security_authn_requests_signed
-        settings.security[:metadata_signed] = oauth_saml_security_metadata_signed
-        settings.security[:digest_method] = oauth_saml_security_digest_method
-        settings.security[:signature_method] = oauth_saml_security_signature_method
-
-        response = OneLogin::RubySaml::Response.new(param("assertion"), settings: settings, skip_recipient_check: true)
-
-        return unless response.is_valid?
-
-        response
-      end
-    end
-
-    def validate_oauth_token_params
-      return super unless param("grant_type") == SAML_GRANT_TYPE
-
-      redirect_response_error("invalid_client") unless param_or_nil("assertion")
-
-      redirect_response_error("invalid_scope") unless check_valid_scopes?
-    end
-
-    def create_oauth_token
-      if param("grant_type") == SAML_GRANT_TYPE
-        create_oauth_token_from_saml_assertion
-      else
-        super
-      end
-    end
-
-    def create_oauth_token_from_saml_assertion
-      account = db[accounts_table].where(login_column => saml_assertion.nameid).first
-
-      redirect_response_error("invalid_client") unless oauth_application && account
-
-      create_params = {
-        oauth_tokens_account_id_column => account[account_id_column],
-        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_tokens_scopes_column => (param_or_nil("scope") || oauth_application[oauth_applications_scopes_column])
-      }
-
-      generate_oauth_token(create_params, false)
-    end
-  end
-end