rodauth-oauth 0.8.0 → 0.9.0

data/lib/rodauth/features/oauth_management_base.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_management_base, :OauthManagementBase) do
+    depends :oauth_base
+
+    button "Previous", "oauth_management_pagination_previous"
+    button "Next", "oauth_management_pagination_next"
+
+    def oauth_management_pagination_links(paginated_ds)
+      html = +'<nav aria-label="Pagination"><ul class="pagination">'
+      html << oauth_management_pagination_link(paginated_ds.prev_page, label: oauth_management_pagination_previous_button)
+      html << oauth_management_pagination_link(paginated_ds.current_page - 1) unless paginated_ds.first_page?
+      html << oauth_management_pagination_link(paginated_ds.current_page, label: paginated_ds.current_page, current: true)
+      html << oauth_management_pagination_link(paginated_ds.current_page + 1) unless paginated_ds.last_page?
+      html << oauth_management_pagination_link(paginated_ds.next_page, label: oauth_management_pagination_next_button)
+      html << "</ul></nav>"
+    end
+
+    def oauth_management_pagination_link(page, label: page, current: false, classes: "")
+      classes += " disabled" if current || !page
+      classes += " active" if current
+      if page
+        params = request.GET.merge("page" => page).map do |k, v|
+          v ? "#{CGI.escape(String(k))}=#{CGI.escape(String(v))}" : CGI.escape(String(k))
+        end.join("&")
+
+        href = "#{request.path}?#{params}"
+
+        <<-HTML
+          <li class="page-item #{classes}" #{'aria-current="page"' if current}>
+            <a class="page-link" href="#{href}" tabindex="-1" aria-disabled="#{current || !page}">
+              #{label}
+            </a>
+          </li>
+        HTML
+      else
+        <<-HTML
+          <li class="page-item #{classes}">
+            <span class="page-link">
+              #{label}
+              #{'<span class="sr-only">(current)</span>' if current}
+            </span>
+          </li>
+        HTML
+      end
+    end
+
+    def post_configure
+      super
+      db.extension :pagination
+    end
+
+    private
+
+    def per_page_param(default_per_page)
+      per_page = param_or_nil("per_page")
+
+      return default_per_page unless per_page
+
+      per_page = per_page.to_i
+
+      return default_per_page if per_page <= 0
+
+      [per_page, default_per_page].min
+    end
+  end
+end

data/lib/rodauth/features/oauth_pkce.rb

@@ -23,7 +23,7 @@ module Rodauth
 
     private
 
-    def authorized_oauth_application?(oauth_application, client_secret)
+    def authorized_oauth_application?(oauth_application, client_secret, _)
       return true if use_oauth_pkce? && param_or_nil("code_verifier")
 
       super

data/lib/rodauth/features/oauth_token_management.rb

@@ -4,7 +4,7 @@ module Rodauth
   Feature.define(:oauth_token_management, :OauthTokenManagement) do
     using RegexpExtensions
 
-    depends :oauth_base
+    depends :oauth_management_base
 
     view "oauth_tokens", "My Oauth Tokens", "oauth_tokens"
 
@@ -18,6 +18,7 @@ module Rodauth
 
     auth_value_method :oauth_tokens_route, "oauth-tokens"
     auth_value_method :oauth_tokens_id_pattern, Integer
+    auth_value_method :oauth_tokens_per_page, 20
 
     auth_value_methods(
       :oauth_token_path
@@ -40,12 +41,17 @@ module Rodauth
         require_account
 
         request.get do
+          page = Integer(param_or_nil("page") || 1)
+          per_page = per_page_param(oauth_tokens_per_page)
+
           scope.instance_variable_set(:@oauth_tokens, db[oauth_tokens_table]
             .select(Sequel[oauth_tokens_table].*, Sequel[oauth_applications_table][oauth_applications_name_column])
             .join(oauth_applications_table, Sequel[oauth_tokens_table][oauth_tokens_oauth_application_id_column] =>
               Sequel[oauth_applications_table][oauth_applications_id_column])
             .where(Sequel[oauth_tokens_table][oauth_tokens_account_id_column] => account_id)
-                .where(oauth_tokens_revoked_at_column => nil))
+            .where(oauth_tokens_revoked_at_column => nil)
+            .order(Sequel.desc(oauth_tokens_id_column))
+            .paginate(page, per_page))
           oauth_tokens_view
         end
 
@@ -69,9 +75,5 @@ module Rodauth
         super
       end
     end
-
-    def check_valid_uri?(uri)
-      URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(uri)
-    end
   end
 end

data/lib/rodauth/features/oidc.rb

@@ -65,6 +65,13 @@ module Rodauth
     auth_value_method :oauth_application_default_scope, "openid"
     auth_value_method :oauth_application_scopes, %w[openid]
 
+    auth_value_method :oauth_applications_id_token_signed_response_alg_column, :id_token_signed_response_alg
+    auth_value_method :oauth_applications_id_token_encrypted_response_alg_column, :id_token_encrypted_response_alg
+    auth_value_method :oauth_applications_id_token_encrypted_response_enc_column, :id_token_encrypted_response_enc
+    auth_value_method :oauth_applications_userinfo_signed_response_alg_column, :userinfo_signed_response_alg
+    auth_value_method :oauth_applications_userinfo_encrypted_response_alg_column, :userinfo_encrypted_response_alg
+    auth_value_method :oauth_applications_userinfo_encrypted_response_enc_column, :userinfo_encrypted_response_enc
+
     auth_value_method :oauth_grants_nonce_column, :nonce
     auth_value_method :oauth_tokens_nonce_column, :nonce
 
@@ -106,7 +113,23 @@ module Rodauth
 
           fill_with_account_claims(oidc_claims, account, oauth_scopes)
 
-          json_response_success(oidc_claims)
+          @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => oauth_token["client_id"]).first
+
+          if (algo = @oauth_application && @oauth_application[oauth_applications_userinfo_signed_response_alg_column])
+            params = {
+              jwks: oauth_application_jwks,
+              encryption_algorithm: @oauth_application[oauth_applications_userinfo_encrypted_response_alg_column],
+              encryption_method: @oauth_application[oauth_applications_userinfo_encrypted_response_enc_column]
+            }
+            jwt = jwt_encode(
+              oidc_claims,
+              signing_algorithm: algo,
+              **params
+            )
+            jwt_response_success(jwt)
+          else
+            json_response_success(oidc_claims)
+          end
         end
 
         throw_json_response_error(authorization_required_error_status, "invalid_token")
@@ -330,7 +353,13 @@ module Rodauth
 
       fill_with_account_claims(id_token_claims, account, oauth_scopes)
 
-      oauth_token[:id_token] = jwt_encode(id_token_claims)
+      params = {
+        jwks: oauth_application_jwks,
+        signing_algorithm: oauth_application[oauth_applications_id_token_signed_response_alg_column] || oauth_jwt_algorithm,
+        encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
+        encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
+      }
+      oauth_token[:id_token] = jwt_encode(id_token_claims, **params)
     end
 
     # aka fill_with_standard_claims
@@ -443,7 +472,7 @@ module Rodauth
 
     # Metadata
 
-    def openid_configuration_body(path)
+    def openid_configuration_body(path = nil)
       metadata = oauth_server_metadata_body(path).select do |k, _|
         VALID_METADATA_KEYS.include?(k)
       end

data/lib/rodauth/features/oidc_dynamic_client_registration.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oidc_dynamic_client_registration, :OidcDynamicClientRegistration) do
+    depends :oauth_dynamic_client_registration, :oidc
+
+    auth_value_method :oauth_applications_application_type_column, :application_type
+
+    private
+
+    def registration_metadata
+      openid_configuration_body
+    end
+
+    def validate_client_registration_params
+      super
+
+      if (value = @oauth_application_params[oauth_applications_application_type_column])
+        case value
+        when "native"
+          request.params["redirect_uris"].each do |uri|
+            uri = URI(uri)
+            # Native Clients MUST only register redirect_uris using custom URI schemes or
+            # URLs using the http: scheme with localhost as the hostname.
+            case uri.scheme
+            when "http"
+              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri)) unless uri.host == "localhost"
+            when "https"
+              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
+            end
+          end
+        when "web"
+          # Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris;
+          # they MUST NOT use localhost as the hostname.
+          if request.params["grant_types"].include?("implicit")
+            request.params["redirect_uris"].each do |uri|
+              uri = URI(uri)
+              unless uri.scheme == "https" && uri.host != "localhost"
+                register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
+              end
+            end
+          end
+        else
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_application_type_message(type))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_subject_type_column])
+        unless %w[pairwise public].include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("subject_type"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_id_token_signed_response_alg_column])
+        if value == "none"
+          # The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types
+          # that return no ID Token from the Authorization Endpoint
+          response_types = @oauth_application_params[oauth_applications_response_types_column]
+          if response_types && response_types.include?("id_token")
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
+          end
+        elsif !oauth_jwt_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column])
+        unless oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column])
+        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_enc"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column])
+        unless oauth_jwt_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_signed_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column])
+        unless oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column])
+        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_enc"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_request_object_signing_alg_column])
+        unless oauth_jwt_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_signing_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column])
+        unless oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column])
+        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_enc"))
+        end
+      end
+    end
+
+    def validate_client_registration_response_type(response_type, grant_types)
+      case response_type
+      when "id_token"
+        unless grant_types.include?("implicit")
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_response_type_for_grant_type_message(response_type, "implicit"))
+        end
+      else
+        super
+      end
+    end
+
+    def do_register(return_params = request.params.dup)
+      # set defaults
+
+      create_params = @oauth_application_params
+
+      create_params[oauth_applications_application_type_column] ||= begin
+        return_params["application_type"] = "web"
+        "web"
+      end
+      create_params[oauth_applications_id_token_signed_response_alg_column] ||= begin
+        return_params["id_token_signed_response_alg"] = oauth_jwt_algorithm
+        oauth_jwt_algorithm
+      end
+      if create_params.key?(oauth_applications_id_token_encrypted_response_alg_column)
+        create_params[oauth_applications_id_token_encrypted_response_enc_column] ||= begin
+          return_params["id_token_encrypted_response_enc"] = "A128CBC-HS256"
+          "A128CBC-HS256"
+        end
+      end
+      if create_params.key?(oauth_applications_userinfo_encrypted_response_alg_column)
+        create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||= begin
+          return_params["userinfo_encrypted_response_enc"] = "A128CBC-HS256"
+          "A128CBC-HS256"
+        end
+      end
+      if create_params.key?(oauth_applications_request_object_encryption_alg_column)
+        create_params[oauth_applications_request_object_encryption_enc_column] ||= begin
+          return_params["request_object_encryption_enc"] = "A128CBC-HS256"
+          "A128CBC-HS256"
+        end
+      end
+
+      super(return_params)
+    end
+
+    def register_invalid_application_type_message(application_type)
+      "The application type '#{application_type}' is not allowed."
+    end
+  end
+end

data/lib/rodauth/oauth/jwe_extensions.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module JWE
+  #
+  # this is a monkey-patch!
+  # it's necessary, as the original jwe does not support jwks.
+  # if this works long term, it may be merged upstreamm.
+  #
+  def self.__rodauth_oauth_decrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM")
+    header, enc_key, iv, ciphertext, tag = Serialization::Compact.decode(payload)
+    header = JSON.parse(header)
+
+    key = find_key_by_kid(jwks, header["kid"], alg, enc)
+
+    check_params(header, key)
+
+    cek = Alg.decrypt_cek(header["alg"], key, enc_key)
+    cipher = Enc.for(header["enc"], cek, iv, tag)
+
+    plaintext = cipher.decrypt(ciphertext, payload.split(".").first)
+
+    apply_zip(header, plaintext, :decompress)
+  end
+
+  def self.__rodauth_oauth_encrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM", **more_headers)
+    header = generate_header(alg, enc, more_headers)
+
+    key = find_key_by_alg_enc(jwks, alg, enc)
+
+    check_params(header, key)
+    payload = apply_zip(header, payload, :compress)
+
+    cipher = Enc.for(enc)
+    cipher.cek = key if alg == "dir"
+
+    json_hdr = header.to_json
+    ciphertext = cipher.encrypt(payload, Base64.jwe_encode(json_hdr))
+
+    generate_serialization(json_hdr, Alg.encrypt_cek(alg, key, cipher.cek), ciphertext, cipher)
+  end
+
+  def self.find_key_by_kid(jwks, kid, alg, enc)
+    raise DecodeError, "No key id (kid) found from token headers" unless kid
+
+    jwk = jwks.find { |key, _| (key[:kid] || key["kid"]) == kid }
+
+    raise DecodeError, "Could not find public key for kid #{kid}" unless jwk
+    raise DecodeError, "Expected a different encryption algorithm" unless alg == (jwk[:alg] || jwk["alg"])
+    raise DecodeError, "Expected a different encryption method" unless enc == (jwk[:enc] || jwk["enc"])
+
+    ::JWT::JWK.import(jwk).keypair
+  end
+
+  def self.find_key_by_alg_enc(jwks, alg, enc)
+    jwk = jwks.find do |key, _|
+      (key[:alg] || key["alg"]) == alg &&
+        (key[:enc] || key["enc"]) == enc
+    end
+
+    raise DecodeError, "No key found" unless jwk
+
+    ::JWT::JWK.import(jwk).keypair
+  end
+end

data/lib/rodauth/oauth/ttl_store.rb

@@ -24,12 +24,18 @@ class Rodauth::OAuth::TtlStore
     @store_mutex.synchronize do
       # short circuit
       return @store[key][:payload] if @store[key] && @store[key][:ttl] < now
+    end
 
-      payload, ttl = block.call
-      @store[key] = { payload: payload, ttl: (ttl || (now + DEFAULT_TTL)) }
+    payload, ttl = block.call
+
+    @store_mutex.synchronize do
+      # given that the block call triggers network, and two requests for the same key be processed
+      # at the same time, this ensures the first one wins.
+      return @store[key][:payload] if @store[key] && @store[key][:ttl] < now
 
-      @store[key][:payload]
+      @store[key] = { payload: payload, ttl: (ttl || (now + DEFAULT_TTL)) }
     end
+    @store[key][:payload]
   end
 
   def uncache(key)

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.8.0"
+    VERSION = "0.9.0"
   end
 end

data/locales/en.yml

@@ -15,10 +15,15 @@ en:
     oauth_tokens_page_title: "My Oauth Tokens"
     device_verification_page_title: "Device Verification"
     device_search_page_title: "Device Search"
+    oauth_management_pagination_previous_button: "Previous"
+    oauth_management_pagination_next_button: "Next"
     oauth_applications_name_label: "Name"
     oauth_applications_description_label: "Description"
     oauth_applications_scopes_label: "Scopes"
+    oauth_applications_contacts_label: "Contacts"
     oauth_applications_homepage_url_label: "Homepage URL"
+    oauth_applications_tos_uri_label: "Terms of Service URL"
+    oauth_applications_policy_uri_label: "Policy URL"
     oauth_applications_redirect_uri_label: "Redirect URL"
     oauth_applications_client_secret_label: "Client Secret"
     oauth_applications_client_id_label: "Client ID"

data/templates/authorize.str

@@ -1,6 +1,55 @@
 <form method="post" action="#{rodauth.authorize_path}" class="form-horizontal" role="form" id="authorize-form">
   #{csrf_tag(rodauth.authorize_path) if respond_to?(:csrf_tag)}
-  <p class="lead">The application #{rodauth.oauth_application[rodauth.oauth_applications_name_column]} would like to access your data.</p>
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column]
+      <<-HTML
+        <img src="#{h(rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column])}" />
+      HTML
+    end
+  }
+  <p class="lead">
+    The application
+    <a target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column])}">
+      #{h(rodauth.oauth_application[rodauth.oauth_applications_name_column])}
+    </a> would like to access your data.
+  </p>
+  <div class="list-group">
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column]
+      <<-HTML
+        <a class="list-group-item" target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column])}">
+          #{rodauth.oauth_applications_tos_uri_label}
+        </a>
+      HTML
+    end
+  }
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column]
+      <<-HTML
+        <a class="list-group-item" target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column])}">
+          #{rodauth.oauth_applications_policy_uri_label}
+        </a>
+      HTML
+    end
+  }
+  </div>
+
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_contacts_column]
+      data = <<-HTML
+        <div class="list-group">
+          <h3 class="display-6">#{rodauth.oauth_applications_contacts_label}</h3>
+      HTML
+      rodauth.oauth_application[rodauth.oauth_applications_contacts_column].split(/ +/).each do |contact|
+        data << <<-HTML
+          <div class="list-group-item">
+            #{h(contact)}
+          </div>
+        HTML
+      end
+      data << "</div>"
+    end
+  }
 
   <div class="form-group">
     <h1 class="display-6">#{rodauth.oauth_tokens_scopes_label}</h1>

data/templates/jwks_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="name">#{rodauth.oauth_applications_jwks_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_jwks_param, "jwks", :type=>"text")}
+</div>

data/templates/oauth_application.str

@@ -3,7 +3,7 @@
     #{
       params = [*rodauth.oauth_application_required_params, "client_id", "client_secret"]
       if rodauth.features.include?(:oauth_jwt)
-        params += %w[jws_jwk jwt_public_key]
+        params += %w[jwks jwt_public_key]
       end
       params.map do |param|
         "<dt class=\"#{param}\">#{rodauth.send(:"oauth_applications_#{param}_label")}: </dt>" +

data/templates/oauth_application_oauth_tokens.str

@@ -45,6 +45,7 @@
             }
           </tbody>
         </table>
+        #{rodauth.oauth_management_pagination_links(@oauth_tokens)}
       HTML
     end
   }

data/templates/oauth_applications.str

@@ -11,4 +11,5 @@
       "</ul>"
     end
   }
+  #{rodauth.oauth_management_pagination_links(@oauth_applications)}
 </div>

data/templates/oauth_tokens.str

@@ -43,6 +43,7 @@
             }
           </tbody>
         </table>
+        #{rodauth.oauth_management_pagination_links(@oauth_tokens)}
       HTML
     end
   }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.9.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-12 00:00:00.000000000 Z
+date: 2022-04-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -56,6 +56,7 @@ extra_rdoc_files:
 - doc/release_notes/0_7_3.md
 - doc/release_notes/0_7_4.md
 - doc/release_notes/0_8_0.md
+- doc/release_notes/0_9_0.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -83,6 +84,7 @@ files:
 - doc/release_notes/0_7_3.md
 - doc/release_notes/0_7_4.md
 - doc/release_notes/0_8_0.md
+- doc/release_notes/0_9_0.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -103,11 +105,14 @@ files:
 - lib/rodauth/features/oauth_authorization_code_grant.rb
 - lib/rodauth/features/oauth_authorization_server.rb
 - lib/rodauth/features/oauth_base.rb
+- lib/rodauth/features/oauth_client_credentials_grant.rb
 - lib/rodauth/features/oauth_device_grant.rb
+- lib/rodauth/features/oauth_dynamic_client_registration.rb
 - lib/rodauth/features/oauth_http_mac.rb
 - lib/rodauth/features/oauth_implicit_grant.rb
 - lib/rodauth/features/oauth_jwt.rb
 - lib/rodauth/features/oauth_jwt_bearer_grant.rb
+- lib/rodauth/features/oauth_management_base.rb
 - lib/rodauth/features/oauth_pkce.rb
 - lib/rodauth/features/oauth_resource_server.rb
 - lib/rodauth/features/oauth_saml_bearer_grant.rb
@@ -115,8 +120,10 @@ files:
 - lib/rodauth/features/oauth_token_management.rb
 - lib/rodauth/features/oauth_token_revocation.rb
 - lib/rodauth/features/oidc.rb
+- lib/rodauth/features/oidc_dynamic_client_registration.rb
 - lib/rodauth/oauth.rb
 - lib/rodauth/oauth/database_extensions.rb
+- lib/rodauth/oauth/jwe_extensions.rb
 - lib/rodauth/oauth/railtie.rb
 - lib/rodauth/oauth/refinements.rb
 - lib/rodauth/oauth/ttl_store.rb
@@ -128,7 +135,7 @@ files:
 - templates/device_search.str
 - templates/device_verification.str
 - templates/homepage_url_field.str
-- templates/jws_jwk_field.str
+- templates/jwks_field.str
 - templates/jwt_public_key_field.str
 - templates/name_field.str
 - templates/new_oauth_application.str

data/templates/jws_jwk_field.str

@@ -1,4 +0,0 @@
-<div class="form-group">
-  <label for="name">#{rodauth.oauth_applications_jws_jwk_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_jws_jwk_param, "jws_jwk", :type=>"text")}
-</div>