rodauth-oauth 0.8.0 → 0.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7381dc47a766e5ff725d77331e045bbd97e09bff282d7b9b9d7b176011c87fa3
-  data.tar.gz: 0c8562b520431858d3ad9b88e311087ad98747eaeb473d16286a061e8a9d84b9
+  metadata.gz: 2514b45f82f9e8dda98f15dc2c1ccc0eeba306c9d1ee40e6fa47e4999d766c1c
+  data.tar.gz: d68579829772121a157b7bd654fb40999921af46673910caa21892462655ed0e
 SHA512:
-  metadata.gz: 82d32250cadc973d9cb0618b6654ad783ac77529d2000f6d24b1759ec4d3d39f4764e64a3ac3c0e72b752f47e35331489e7feba6060f1239049954f004c7485e
-  data.tar.gz: c9bb9d578f40d924e4c2bad34840257f9de5a38e9d0cf427bf5d63ca1f672e0cbfeeffb8d513e0210e17a9060bb871c328e8ab88d64de334c54ca29bc3ff338f
+  metadata.gz: 8121458a789119610c920c835fc99cde76d4eca41fb7bb48acbe9c1e2f4be89f68c9370235335d7dc8c6b3b715b6825a4d77bafbda37551464ebf35a516f55de
+  data.tar.gz: bdd2c1d2bee336459186606b2bfb293cd690333a58c421798155e6bc53e418b71bbd142ac19e48ddcff701f28eaaa6c65c8d045c715a7f84690fb5dd6865ddbe

data/README.md

@@ -11,9 +11,10 @@ This gem implements the following RFCs and features of OAuth:
 
 * `oauth` - [The OAuth 2.0 protocol framework](https://tools.ietf.org/html/rfc6749):
   * [Access Token generation](https://tools.ietf.org/html/rfc6749#section-1.4);
-  * [Access Token refresh](https://tools.ietf.org/html/rfc6749#section-1.5);
-  * `oauth_authorization_code_grant` - [Authorization grant flow](https://tools.ietf.org/html/rfc6749#section-1.3);
+  * [Access Token refresh token grant](https://tools.ietf.org/html/rfc6749#section-1.5);
+  * `oauth_authorization_code_grant` - [Authorization code grant](https://tools.ietf.org/html/rfc6749#section-1.3);
   * `oauth_implicit_grant` - [Implicit grant (off by default)](https://tools.ietf.org/html/rfc6749#section-4.2);
+  * `oauth_client_credentials_grant` - [Client credentials grant (off by default)](https://tools.ietf.org/html/rfc6749#section-4.4);
   * `oauth_device_grant` - [Device code grant (off by default)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-device-flow-15);
   * `oauth_token_revocation` - [Token revocation](https://tools.ietf.org/html/rfc7009);
   * `oauth_token_introspection` - [Token introspection](https://tools.ietf.org/html/rfc7662);
@@ -26,6 +27,7 @@ This gem implements the following RFCs and features of OAuth:
   * `oauth_saml_bearer_grant` - [SAML 2.0 Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7522);
   * `oauth_jwt_bearer_grant` - [JWT Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7523);
 * [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
+* [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591);
 * OAuth application and token management dashboards;
 
 It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:
@@ -33,6 +35,7 @@ It also implements the [OpenID Connect layer](https://openid.net/connect/) (via
 * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
 * [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
 * [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
+* [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html);
 * [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
@@ -70,7 +73,7 @@ Or install it yourself as:
 
 ## Usage
 
-This tutorial assumes you already read the documentation and know how to set up `rodauth`. After that, integrating `roda-auth` will look like:
+This tutorial assumes you already read the documentation and know how to set up `rodauth`. After that, integrating `rodauth-oauth` will look like:
 
 ```ruby
 plugin :rodauth do

data/doc/release_notes/0_9_0.md

@@ -0,0 +1,56 @@
+### 0.9.0 (18/04/2022)
+
+#### Features
+
+##### Dynamic client registration
+
+`rodauth-oauth` now supports the [Oauth Dynamic client registration RFC](https://datatracker.ietf.org/doc/html/rfc7591), via the `oauth_dynamic_client_registration` feature; it also supports [the OpenID variant](https://openid.net/specs/openid-connect-registration-1_0.html), via the  `oidc_dynamic_client_registration` feature.
+
+With it, you now have the option to enable API-driven client application registration.
+
+##### Client Credentials grant
+
+`rodauth-oauth` now supports the [Client Credentials grant](https://tools.ietf.org/html/rfc6749#section-4.4), via the `oauth_client_credentials_grant` feature.
+
+
+#### Improvements
+
+##### OAuth Applications & Tokens paginated list pages
+
+The management dashboards for OAuth Applications & Tokens were loading the full dataset into the HTML view. They'll now only show 20 records by default, and present pagination links to navigate across pages (for the default templates).
+
+##### More Oauth Application properties
+
+As a result of implementing "OAuth Dynamic client registration", new functionality is unlocked when the following database columns are set on the oauth applications table:
+
+* `token_endpoint_auth_method` - enables oauth application-scoped verification of used client authentication method.
+* `grant_types` - scopes the supported grant types for the given application.
+* `response_type` - scopes the supported response types for the given application.
+* `logo_uri` - stores an image link which can be used to load and display a logo in the authorization form.
+* `tos_uri` - stores a link to the oauth application "Terms of Service" page.
+* `policy_uri` - stores a link to the oauth application "Policy" page.
+* `jwks_uri` - stores a link where to load the oauth application JWKs from.
+* `jwks` - stores the JWKS from the oauth application.
+* `contacts` stores the contacts.
+* `software_id` - stores the software unique identifier.
+* `software_version` - stores the software version for the unique identifier.
+* `subject_type` - stores the subject type used for calculating the JWT `sub` claim for the applicatiion.
+* `request_object_signing_alg` - stores the signing algorithm which request objects coming from the application will be signed with.
+* `request_object_encryption_alg` - stores the encryption algorithm which request objects coming from the application will be encrypted with.
+* `request_object_encryption_enc` -  stores the encryption method which request objects coming from the application will be encrypted with.
+* `id_token_signed_response_alg` - stores the signing algorithm which id tokens from the application will be signed with.
+* `id_token_encrypted_response_alg` - stores the encryption algorithm which id tokens from the application will be encrypted with.
+* `id_token_encrypted_response_enc` -  stores the encryption method which id tokens from the application will be encrypted with.
+* `userinfo_signed_response_alg` - stores the signing algorithm which JWT-encoded userinfo payloads from the application will be signed with.
+* `userinfo_encrypted_response_alg` - stores the encryption algorithm which JWT-encoded userinfo payloads from the application will be encrypted with.
+* `userinfo_encrypted_response_enc` -  stores the encryption method which JWT-encoded userinfo payloads from the application will be encrypted with.
+
+
+##### TTL Store has finer grained lock
+
+The TTL Store, used for the JWKs cache rotation p.ex., had a lock around the section which would involve the HTTP request for the JWKs, which would block the process for the duration of it. The lock has been removed around that area, and if two requests happen for the same URL, first one wins.
+
+#### Deprecations and breaking changes
+
+* (`oauth_jwt` plugin) `:oauth_jwt_algorithm` option default is now `"RS256"` (previous one was `"HS256"`, and yes, this an assymetric cryptography move).
+* (`oauth_jwt` plugin) `jws_jwk` option (and all the labels and params) is deprecated.

data/doc/release_notes/0_9_1.md

@@ -0,0 +1,9 @@
+### 0.9.1 (08/05/2022)
+
+#### Improvements
+
+Using `return_response`, introduced in `rodauth` v2.23, which accomplishes better integration with rails response logging mechanism when used under `rodauth-rails`.
+
+#### Bugfixes
+
+* Fixing namespacing issue which required anyone to have to `require "rodauth-oauth"` before loading it (no need to anymore).

data/doc/release_notes/0_9_2.md

@@ -0,0 +1,10 @@
+### 0.9.2 (11/05/2022)
+
+#### Bugfixes
+
+* Fixed remaining namespacing fix issues requiring usage of `require "rodauth-oauth"`.
+* Fixed wrong expectation of database for resource-server mode when `:oauth_management_base` plugin was used.
+* oidc: fixed incorrect grant creation flow whenn using `nonce` param.
+* oidc: fixed jwt encoding regression when not setting encryption method/algorithmm for client applications.
+* templates: added missing jwks field to the "New oauth application" form.
+* Several fixes on the example OIDC applications, mostly around CSRF breakage when using latest version of `omniauth`.

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -1,5 +1,26 @@
 <%= form_tag rodauth.authorize_path, method: :post do %>
-  <p class="lead">The application <%= rodauth.oauth_application[rodauth.oauth_applications_name_column] %> would like to access your data.</p>
+  <% if rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
+    <%= image_tag rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
+  <% end %>
+  <p class="lead">The application <%= link_to rodauth.oauth_application[rodauth.oauth_applications_name_column],  rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column] %> would like to access your data.</p>
+
+  <div class="list-group">
+    <% if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column] %>
+      <%= link_to rodauth.oauth_applications_tos_uri_label, rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column], class: "list-group-item" %>
+    <% end %>
+    <% if rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column] %>
+      <%= link_to rodauth.oauth_applications_policy_uri_label, rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column], class: "list-group-item" %>
+    <% end %>
+  </div>
+
+  <% if rodauth.oauth_application[rodauth.oauth_applications_contacts_column] %>
+    <div class="list-group">
+      <h3 class="display-6"><%= rodauth.oauth_applications_contacts_label %></h3>
+      <% rodauth.oauth_application[rodauth.oauth_applications_contacts_column].split(/ +/).each do |contact| %>
+        <div class="list-group-item"><%= contact %></div>
+      <% end %>
+    </div>
+  <% end %>
 
   <div class="form-group">
     <h1 class="display-6"><%= rodauth.oauth_tokens_scopes_label %></h1>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb

@@ -28,9 +28,14 @@
   </div>
   <% if rodauth.features.include?(:oauth_jwt) %>
     <div class="form-group">
-      <%= label_tag "jws_jwk", rodauth.oauth_applications_jws_jwk_label %>
-      <%= text_field_tag "jws_jwk", rodauth.param('jws_jwk'), id: "jws-jwk", class: "form-control#{' is-invalid' if rodauth.field_error('jws_jwk')}" %>
-      <%= rodauth.field_error('jws_jwk') %>
+      <%= label_tag "jwks", rodauth.oauth_applications_jwks_label %>
+      <%= text_field_tag "jwks", rodauth.param('jwks'), id: "jwks", class: "form-control#{' is-invalid' if rodauth.field_error('jwks')}" %>
+      <%= rodauth.field_error('jwks') %>
+    </div>
+    <div class="form-group">
+      <%= label_tag "jwks_uri", rodauth.oauth_applications_jwks_uri_label %>
+      <%= text_field_tag "jwks_uri", rodauth.param('jwks_uri'), id: "jwks-uri", class: "form-control#{' is-invalid' if rodauth.field_error('jwks_uri')}" %>
+      <%= rodauth.field_error('jwks_uri') %>
     </div>
     <div class="form-group">
       <%= label_tag "jwt_public_key", rodauth.oauth_applications_jwt_public_key_label %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb

@@ -14,8 +14,14 @@
     <dt><%= rodauth.oauth_applications_scopes_label %>: </dt>
     <dd><%= oauth_application[rodauth.oauth_applications_scopes_column] %></dd>
     <% if rodauth.features.include?(:oauth_jwt) %>
-      <dt><%= rodauth.oauth_applications_jws_jwk_label %>: </dt>
-      <dd><%= oauth_application[rodauth.oauth_applications_jws_jwk_column] %></dd>
+      <% if oauth_application[rodauth.oauth_applications_jwks_column] %>
+        <dt><%= rodauth.oauth_applications_jwks_label %>: </dt>
+        <dd><%= oauth_application[rodauth.oauth_applications_jwks_column] %></dd>
+      <% end %>
+      <% if oauth_application[rodauth.oauth_applications_jwks_uri_column] %>
+        <dt><%= rodauth.oauth_applications_jwks_uri_label %>: </dt>
+        <dd><%= oauth_application[rodauth.oauth_applications_jwks_uri_column] %></dd>
+      <% end %>
       <dt><%= rodauth.oauth_applications_jwt_public_key_label %>: </dt>
       <dd><%= oauth_application[rodauth.oauth_applications_jwt_public_key_column] %></dd>
     <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_tokens.html.erb

@@ -35,4 +35,5 @@
       <% end %>
     </tbody>
   </table>
+  <%= rodauth.oauth_management_pagination_links(@oauth_tokens) %>
 <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb

@@ -26,4 +26,5 @@
       <% end %>
     </tbody>
   </table>
+  <%= rodauth.oauth_management_pagination_links(oauth_applications_ds) %>
 <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_tokens.html.erb

@@ -31,4 +31,5 @@
       <% end %>
     </tbody>
   </table>
+  <%= rodauth.oauth_management_pagination_links(oauth_tokens) %>
 <% end %>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -11,9 +11,21 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :client_secret, null: false, index: { unique: true }
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      # extra params
+      # t.string :token_endpoint_auth_method, null: true
+      # t.string :grant_types, null: true
+      # t.string :response_types, null: true
+      # t.string :client_uri, null: true
+      # t.string :logo_uri, null: true
+      # t.string :tos_uri, null: true
+      # t.string :policy_uri, null: true
+      # t.string :jwks_uri, null: true
+      # t.string :jwks, null: true
+      # t.string :contacts, null: true
+      # t.string :software_id, null: true
+      # t.string :software_version, null: true
       # JWT/OIDC per application signing verification
       # t.text :jwt_public_key, null: true
-      # t.text :jws_jwk, null: true
       # RP-initiated logout
       # t.string :post_logout_redirect_uri, null: false
     end

data/lib/rodauth/features/oauth.rb

@@ -3,7 +3,7 @@
 module Rodauth
   Feature.define(:oauth, :Oauth) do
     depends :oauth_base, :oauth_authorization_code_grant, :oauth_pkce, :oauth_implicit_grant,
-            :oauth_device_grant, :oauth_token_introspection, :oauth_token_revocation,
-            :oauth_application_management, :oauth_token_management
+            :oauth_client_credentials_grant, :oauth_device_grant, :oauth_token_introspection,
+            :oauth_token_revocation, :oauth_application_management, :oauth_token_management
   end
 end

data/lib/rodauth/features/oauth_application_management.rb

@@ -2,7 +2,7 @@
 
 module Rodauth
   Feature.define(:oauth_application_management, :OauthApplicationManagement) do
-    depends :oauth_base
+    depends :oauth_management_base
 
     before "create_oauth_application"
     after "create_oauth_application"
@@ -18,10 +18,10 @@ module Rodauth
     auth_value_method :oauth_valid_uri_schemes, %w[https]
 
     # Application
-    APPLICATION_REQUIRED_PARAMS = %w[name description scopes homepage_url redirect_uri client_secret].freeze
+    APPLICATION_REQUIRED_PARAMS = %w[name scopes homepage_url redirect_uri client_secret].freeze
     auth_value_method :oauth_application_required_params, APPLICATION_REQUIRED_PARAMS
 
-    (APPLICATION_REQUIRED_PARAMS + %w[client_id]).each do |param|
+    (APPLICATION_REQUIRED_PARAMS + %w[description client_id]).each do |param|
       auth_value_method :"oauth_application_#{param}_param", param
       configuration_module_eval do
         define_method :"#{param}_label" do
@@ -33,7 +33,12 @@ module Rodauth
 
     translatable_method :oauth_applications_name_label, "Name"
     translatable_method :oauth_applications_description_label, "Description"
-    translatable_method :oauth_applications_scopes_label, "Scopes"
+    translatable_method :oauth_applications_scopes_label, "Default scopes"
+    translatable_method :oauth_applications_contacts_label, "Contacts"
+    translatable_method :oauth_applications_tos_uri_label, "Terms of service"
+    translatable_method :oauth_applications_policy_uri_label, "Policy"
+    translatable_method :oauth_applications_jwks_label, "JSON Web Keys"
+    translatable_method :oauth_applications_jwks_uri_label, "JSON Web Keys URI"
     translatable_method :oauth_applications_homepage_url_label, "Homepage URL"
     translatable_method :oauth_applications_redirect_uri_label, "Redirect URI"
     translatable_method :oauth_applications_client_secret_label, "Client Secret"
@@ -43,7 +48,9 @@ module Rodauth
 
     auth_value_method :oauth_applications_oauth_tokens_path, "oauth-tokens"
     auth_value_method :oauth_applications_route, "oauth-applications"
+    auth_value_method :oauth_applications_per_page, 20
     auth_value_method :oauth_applications_id_pattern, Integer
+    auth_value_method :oauth_tokens_per_page, 20
 
     translatable_method :invalid_url_message, "Invalid URL"
     translatable_method :null_error_message, "is not filled"
@@ -88,8 +95,12 @@ module Rodauth
           end
 
           request.on(oauth_applications_oauth_tokens_path) do
-            oauth_tokens = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => id)
-            scope.instance_variable_set(:@oauth_tokens, oauth_tokens)
+            page = Integer(param_or_nil("page") || 1)
+            per_page = per_page_param(oauth_tokens_per_page)
+            oauth_tokens = db[oauth_tokens_table]
+                           .where(oauth_tokens_oauth_application_id_column => id)
+                           .order(Sequel.desc(oauth_tokens_id_column))
+            scope.instance_variable_set(:@oauth_tokens, oauth_tokens.paginate(page, per_page))
             request.get do
               oauth_application_oauth_tokens_view
             end
@@ -97,8 +108,13 @@ module Rodauth
         end
 
         request.get do
+          page = Integer(param_or_nil("page") || 1)
+          per_page = per_page_param(oauth_applications_per_page)
           scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table]
-            .where(oauth_applications_account_id_column => account_id))
+            .where(oauth_applications_account_id_column => account_id)
+            .order(Sequel.desc(oauth_applications_id_column))
+            .paginate(page, per_page))
+
           oauth_applications_view
         end
 

data/lib/rodauth/features/oauth_assertion_base.rb

@@ -55,7 +55,7 @@ module Rodauth
     end
 
     def create_oauth_token(grant_type)
-      return super unless assertion_grant_type?(grant_type)
+      return super unless assertion_grant_type?(grant_type) && supported_grant_type?(grant_type)
 
       account = __send__(:"account_from_#{assertion_grant_type}_assertion", param("assertion"))
 

data/lib/rodauth/features/oauth_authorization_code_grant.rb

@@ -26,6 +26,9 @@ module Rodauth
     end
 
     translatable_method :oauth_tokens_scopes_label, "Scopes"
+    translatable_method :oauth_applications_contacts_label, "Contacts"
+    translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
+    translatable_method :oauth_applications_policy_uri_label, "Policy URL"
 
     # /authorize
     route(:authorize) do |r|
@@ -172,7 +175,7 @@ module Rodauth
     end
 
     def create_oauth_token(grant_type)
-      return super unless grant_type == "authorization_code"
+      return super unless supported_grant_type?(grant_type, "authorization_code")
 
       # fetch oauth grant
       oauth_grant = db[oauth_grants_table].where(

data/lib/rodauth/features/oauth_base.rb

@@ -4,6 +4,8 @@ require "time"
 require "base64"
 require "securerandom"
 require "net/http"
+require "rodauth/version"
+require "rodauth/oauth/version"
 require "rodauth/oauth/ttl_store"
 require "rodauth/oauth/database_extensions"
 require "rodauth/oauth/refinements"
@@ -29,6 +31,7 @@ module Rodauth
     auth_value_method :oauth_unique_id_generation_retries, 3
 
     auth_value_method :oauth_response_mode, "query"
+    auth_value_method :oauth_auth_methods_supported, %w[client_secret_basic client_secret_post]
 
     auth_value_method :oauth_scope_separator, " "
 
@@ -58,6 +61,9 @@ module Rodauth
       name description scopes
       client_id client_secret
       homepage_url redirect_uri
+      token_endpoint_auth_method grant_types response_types
+      logo_uri tos_uri policy_uri jwks jwks_uri
+      contacts software_id software_version
     ].each do |column|
       auth_value_method :"oauth_applications_#{column}_column", column
     end
@@ -331,26 +337,45 @@ module Rodauth
     #
     def require_oauth_application
       # get client credentials
+      auth_method = nil
       client_id = client_secret = nil
 
       if (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Basic (.*)\Z/, 1]))
         # client_secret_basic
         client_id, client_secret = Base64.decode64(token).split(/:/, 2)
+        auth_method = "client_secret_basic"
       else
         # client_secret_post
         client_id = param_or_nil("client_id")
         client_secret = param_or_nil("client_secret")
+        auth_method = "client_secret_post" if client_secret
       end
 
       authorization_required unless client_id
 
       @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
 
-      authorization_required unless authorized_oauth_application?(@oauth_application, client_secret)
+      authorization_required unless @oauth_application
+
+      authorization_required unless authorized_oauth_application?(@oauth_application, client_secret, auth_method)
+    end
+
+    def authorized_oauth_application?(oauth_application, client_secret, auth_method)
+      supported_auth_methods = if oauth_application[oauth_applications_token_endpoint_auth_method_column]
+                                 oauth_application[oauth_applications_token_endpoint_auth_method_column].split(/ +/)
+                               else
+                                 oauth_auth_methods_supported
+                               end
+
+      if auth_method
+        supported_auth_methods.include?(auth_method) && secret_matches?(oauth_application, client_secret)
+      else
+        supported_auth_methods.include?("none")
+      end
     end
 
-    def authorized_oauth_application?(oauth_application, client_secret)
-      oauth_application && secret_matches?(oauth_application, client_secret)
+    def no_auth_oauth_application?(_oauth_application)
+      supported_auth_methods.include?("none")
     end
 
     def require_oauth_application_from_account
@@ -515,8 +540,7 @@ module Rodauth
     end
 
     def create_oauth_token(grant_type)
-      case grant_type
-      when "refresh_token"
+      if supported_grant_type?(grant_type, "refresh_token")
         # fetch potentially revoked oauth token
         oauth_token = oauth_token_by_refresh_token(param("refresh_token"), revoked: true)
 
@@ -594,7 +618,17 @@ module Rodauth
       end
     end
 
-    def oauth_server_metadata_body(path)
+    def supported_grant_type?(grant_type, expected_grant_type = grant_type)
+      return false unless grant_type == expected_grant_type
+
+      return true unless (grant_types_supported = oauth_application[oauth_applications_grant_types_column])
+
+      grant_types_supported = grant_types_supported.split(/ +/)
+
+      grant_types_supported.include?(grant_type)
+    end
+
+    def oauth_server_metadata_body(path = nil)
       issuer = base_url
       issuer += "/#{path}" if path
 
@@ -604,8 +638,8 @@ module Rodauth
         scopes_supported: oauth_application_scopes,
         response_types_supported: [],
         response_modes_supported: [],
-        grant_types_supported: [],
-        token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
+        grant_types_supported: %w[refresh_token],
+        token_endpoint_auth_methods_supported: oauth_auth_methods_supported,
         service_documentation: oauth_metadata_service_documentation,
         ui_locales_supported: oauth_metadata_ui_locales_supported,
         op_policy_uri: oauth_metadata_op_policy_uri,
@@ -655,11 +689,10 @@ module Rodauth
         response["Pragma"] = "no-cache"
       end
       json_payload = _json_response_body(body)
-      response.write(json_payload)
-      request.halt
+      return_response(json_payload)
     end
 
-    def throw_json_response_error(status, error_code)
+    def throw_json_response_error(status, error_code, message = nil)
       set_response_error_status(status)
       code = if respond_to?(:"#{error_code}_error_code")
                send(:"#{error_code}_error_code")
@@ -667,12 +700,11 @@ module Rodauth
                error_code
              end
       payload = { "error" => code }
-      payload["error_description"] = send(:"#{error_code}_message") if respond_to?(:"#{error_code}_message")
+      payload["error_description"] = message || (send(:"#{error_code}_message") if respond_to?(:"#{error_code}_message"))
       json_payload = _json_response_body(payload)
       response["Content-Type"] ||= json_response_content_type
       response["WWW-Authenticate"] = oauth_token_type.upcase if status == 401
-      response.write(json_payload)
-      request.halt
+      return_response(json_payload)
     end
 
     unless method_defined?(:_json_response_body)
@@ -685,6 +717,13 @@ module Rodauth
       end
     end
 
+    if Gem::Version.new(Rodauth.version) < Gem::Version.new("2.23")
+      def return_response(body = nil)
+        response.write(body) if body
+        request.halt
+      end
+    end
+
     def authorization_required
       if accepts_json?
         throw_json_response_error(authorization_required_error_status, "invalid_client")
@@ -700,6 +739,10 @@ module Rodauth
       (scopes - oauth_application[oauth_applications_scopes_column].split(oauth_scope_separator)).empty?
     end
 
+    def check_valid_uri?(uri)
+      URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(uri)
+    end
+
     # Resource server mode
 
     SERVER_METADATA = OAuth::TtlStore.new

data/lib/rodauth/features/oauth_client_credentials_grant.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_client_credentials_grant, :OauthClientCredentialsGrant) do
+    depends :oauth_base
+
+    auth_value_method :use_oauth_client_credentials_grant_type?, false
+
+    private
+
+    def create_oauth_token(grant_type)
+      return super unless grant_type == "client_credentials" && use_oauth_client_credentials_grant_type?
+
+      create_params = {
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => scopes.join(oauth_scope_separator)
+      }
+      generate_oauth_token(create_params, false)
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:grant_types_supported] << "client_credentials" if use_oauth_client_credentials_grant_type?
+      end
+    end
+
+    def check_valid_response_type?
+      return true if use_oauth_implicit_grant_type? && param_or_nil("response_type") == "token"
+
+      super
+    end
+  end
+end

data/lib/rodauth/features/oauth_device_grant.rb

@@ -124,18 +124,17 @@ module Rodauth
                   .rjust(user_code_size, "0")
     end
 
-    def authorized_oauth_application?(oauth_application, client_secret)
+    def authorized_oauth_application?(oauth_application, client_secret, _)
       # skip if using device grant
       #
       # requests may be performed by devices with no knowledge of client secret.
-      return true if !client_secret && oauth_application && use_oauth_device_code_grant_type?
+      return true if !client_secret && use_oauth_device_code_grant_type?
 
       super
     end
 
     def create_oauth_token(grant_type)
-      case grant_type
-      when "urn:ietf:params:oauth:grant-type:device_code"
+      if supported_grant_type?(grant_type, "urn:ietf:params:oauth:grant-type:device_code")
         throw_json_response_error(invalid_oauth_response_status, "invalid_grant_type") unless use_oauth_device_code_grant_type?
 
         oauth_grant = db[oauth_grants_table].where(
@@ -168,7 +167,7 @@ module Rodauth
           end
         end
         oauth_token
-      when "device_code"
+      elsif grant_type == "device_code"
         redirect_response_error("invalid_grant_type") unless use_oauth_device_code_grant_type?
 
         # fetch oauth grant