rodauth-oauth 0.8.0 → 0.9.2

data/lib/rodauth/features/oauth_jwt.rb

@@ -1,5 +1,6 @@
 # frozen-string-literal: true
 
+require "rodauth/oauth/version"
 require "rodauth/oauth/ttl_store"
 
 module Rodauth
@@ -10,22 +11,41 @@ module Rodauth
 
     # Recommended to have hmac_secret as well
 
-    auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
+    auth_value_method :oauth_jwt_subject_type, "public" # fallback subject type: public, pairwise
     auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
 
     auth_value_method :oauth_jwt_token_issuer, nil
 
-    auth_value_method :oauth_applications_jws_jwk_column, :jws_jwk
+    configuration_module_eval do
+      define_method :oauth_applications_jws_jwk_column do
+        warn "#{__method__} is deprecated, switch to `oauth_applications_jwks_column`"
+        oauth_applications_jwks_column
+      end
+      define_method :oauth_applications_jws_jwk_label do
+        warn "#{__method__} is deprecated, switch to `oauth_applications_jwks_label`"
+        oauth_applications_jws_jwk_label
+      end
+      define_method :oauth_application_jws_jwk_param do
+        warn "#{__method__} is deprecated, switch to `oauth_applications_jwks_param`"
+        oauth_applications_jwks_param
+      end
+    end
+
+    auth_value_method :oauth_applications_subject_type_column, :subject_type
     auth_value_method :oauth_applications_jwt_public_key_column, :jwt_public_key
+    auth_value_method :oauth_applications_request_object_signing_alg_column, :request_object_signing_alg
+    auth_value_method :oauth_applications_request_object_encryption_alg_column, :request_object_encryption_alg
+    auth_value_method :oauth_applications_request_object_encryption_enc_column, :request_object_encryption_enc
 
-    translatable_method :oauth_applications_jws_jwk_label, "JSON Web Keys"
     translatable_method :oauth_applications_jwt_public_key_label, "Public key"
-    auth_value_method :oauth_application_jws_jwk_param, :jws_jwk
-    auth_value_method :oauth_application_jwt_public_key_param, :jwt_public_key
 
+    auth_value_method :oauth_application_jwt_public_key_param, "jwt_public_key"
+    auth_value_method :oauth_application_jwks_param, "jwks"
+
+    auth_value_method :oauth_jwt_keys, {}
     auth_value_method :oauth_jwt_key, nil
     auth_value_method :oauth_jwt_public_key, nil
-    auth_value_method :oauth_jwt_algorithm, "HS256"
+    auth_value_method :oauth_jwt_algorithm, "RS256"
 
     auth_value_method :oauth_jwt_jwe_key, nil
     auth_value_method :oauth_jwt_jwe_public_key, nil
@@ -119,13 +139,19 @@ module Rodauth
 
       return super unless request_object && oauth_application
 
-      jws_jwk = if (jwk = oauth_application[oauth_applications_jws_jwk_column])
-                  jwk = JSON.parse(jwk, symbolize_names: true) if jwk && jwk.is_a?(String)
-                else
-                  redirect_response_error("invalid_request_object")
-                end
+      if (jwks = oauth_application_jwks)
+        jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
+      else
+        redirect_response_error("invalid_request_object")
+      end
+
+      request_sig_enc_opts = {
+        jws_algorithm: oauth_application[oauth_applications_request_object_signing_alg_column],
+        jws_encryption_algorithm: oauth_application[oauth_applications_request_object_encryption_alg_column],
+        jws_encryption_method: oauth_application[oauth_applications_request_object_encryption_enc_column]
+      }.compact
 
-      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg], verify_jti: false)
+      claims = jwt_decode(request_object, jwks: jwks, verify_jti: false, **request_sig_enc_opts)
 
       redirect_response_error("invalid_request_object") unless claims
 
@@ -208,7 +234,12 @@ module Rodauth
     end
 
     def jwt_subject(oauth_token)
-      case oauth_jwt_subject_type
+      subject_type = if oauth_application
+                       oauth_application[oauth_applications_subject_type_column] || oauth_jwt_subject_type
+                     else
+                       oauth_jwt_subject_type
+                     end
+      case subject_type
       when "public"
         oauth_token[oauth_tokens_account_id_column]
       when "pairwise"
@@ -216,7 +247,7 @@ module Rodauth
         application_id = oauth_token[oauth_tokens_oauth_application_id_column]
         Digest::SHA256.hexdigest("#{id}#{application_id}#{oauth_jwt_subject_secret}")
       else
-        raise StandardError, "unexpected subject (#{oauth_jwt_subject_type})"
+        raise StandardError, "unexpected subject (#{subject_type})"
       end
     end
 
@@ -245,11 +276,11 @@ module Rodauth
       }
     end
 
-    def oauth_server_metadata_body(path)
+    def oauth_server_metadata_body(path = nil)
       metadata = super
       metadata.merge! \
         jwks_uri: jwks_url,
-        token_endpoint_auth_signing_alg_values_supported: [oauth_jwt_algorithm]
+        token_endpoint_auth_signing_alg_values_supported: (oauth_jwt_keys.keys + [oauth_jwt_algorithm]).uniq
       metadata
     end
 
@@ -257,9 +288,9 @@ module Rodauth
       @_jwt_key ||= oauth_jwt_key || begin
         if oauth_application
 
-          if (jwk = oauth_application[oauth_applications_jws_jwk_column])
-            jwk = JSON.parse(jwk, symbolize_names: true) if jwk && jwk.is_a?(String)
-            jwk
+          if (jwks = oauth_application_jwks)
+            jwks = JSON.parse(jwks, symbolize_names: true) if jwks && jwks.is_a?(String)
+            jwks
           else
             oauth_application[oauth_applications_jwt_public_key_column]
           end
@@ -267,6 +298,16 @@ module Rodauth
       end
     end
 
+    def _jwt_public_key
+      @_jwt_public_key ||= oauth_jwt_public_key || begin
+        if oauth_application
+          jwks || oauth_application[oauth_applications_jwt_public_key_column]
+        else
+          _jwt_key
+        end
+      end
+    end
+
     # Resource Server only!
     #
     # returns the jwks set from the authorization server.
@@ -319,44 +360,121 @@ module Rodauth
       expected_aud == aud
     end
 
+    def oauth_application_jwks
+      jwks = oauth_application[oauth_applications_jwks_column]
+
+      if jwks
+        jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
+        return jwks
+      end
+
+      jwks_uri = oauth_application[oauth_applications_jwks_uri_column]
+
+      return unless jwks_uri
+
+      jwks_uri = URI(jwks_uri)
+
+      jwks = JWKS[jwks_uri]
+
+      return jwks if jwks
+
+      JWKS.set(jwks_uri) do
+        http = Net::HTTP.new(jwks_uri.host, jwks_uri.port)
+        http.use_ssl = jwks_uri.scheme == "https"
+
+        request = Net::HTTP::Get.new(jwks_uri.request_uri)
+        request["accept"] = json_response_content_type
+        response = http.request(request)
+        return unless response.code.to_i == 200
+
+        # time-to-live
+        ttl = if response.key?("cache-control")
+                cache_control = response["cache-control"]
+                cache_control[/max-age=(\d+)/, 1].to_i
+              elsif response.key?("expires")
+                Time.parse(response["expires"]).to_i - Time.now.to_i
+              end
+
+        [JSON.parse(response.body, symbolize_names: true), ttl]
+      end
+    end
+
     if defined?(JSON::JWT)
+      # json-jwt
+
+      auth_value_method :oauth_jwt_algorithms_supported, %w[
+        HS256 HS384 HS512
+        RS256 RS384 RS512
+        PS256 PS384 PS512
+        ES256 ES384 ES512 ES256K
+      ]
+      auth_value_method :oauth_jwt_jwe_algorithms_supported, %w[
+        RSA1_5 RSA-OAEP dir A128KW A256KW
+      ]
+      auth_value_method :oauth_jwt_jwe_encryption_methods_supported, %w[
+        A128GCM A256GCM A128CBC-HS256 A256CBC-HS512
+      ]
 
       def jwk_import(data)
         JSON::JWK.new(data)
       end
 
-      # json-jwt
-      def jwt_encode(payload)
+      def jwt_encode(payload,
+                     jwks: nil,
+                     jwe_key: oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
+                     signing_algorithm: oauth_jwt_algorithm,
+                     encryption_algorithm: oauth_jwt_jwe_algorithm,
+                     encryption_method: oauth_jwt_jwe_encryption_method)
         payload[:jti] = generate_jti(payload)
         jwt = JSON::JWT.new(payload)
-        jwk = JSON::JWK.new(_jwt_key)
 
-        jwt = jwt.sign(jwk, oauth_jwt_algorithm)
+        key = oauth_jwt_keys[signing_algorithm] || _jwt_key
+        key = key.first if key.is_a?(Array)
+
+        jwk = JSON::JWK.new(key || "")
+
+        jwt = jwt.sign(jwk, signing_algorithm)
         jwt.kid = jwk.thumbprint
 
-        if oauth_jwt_jwe_key
-          algorithm = oauth_jwt_jwe_algorithm.to_sym if oauth_jwt_jwe_algorithm
-          jwt = jwt.encrypt(oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
-                            algorithm,
-                            oauth_jwt_jwe_encryption_method.to_sym)
+        if jwks && (jwk = jwks.find { |k| k[:use] == "enc" && k[:alg] == encryption_algorithm && k[:enc] == encryption_method })
+          jwk = JSON::JWK.new(jwk)
+          jwe = jwt.encrypt(jwk, encryption_algorithm.to_sym, encryption_method.to_sym)
+          jwe.to_s
+        elsif jwe_key
+          algorithm = encryption_algorithm.to_sym if encryption_algorithm
+          meth = encryption_method.to_sym if encryption_method
+          jwt.encrypt(jwe_key, algorithm, meth)
+        else
+          jwt.to_s
         end
-        jwt.to_s
       end
 
       def jwt_decode(
         token,
+        jwks: nil,
         jws_key: oauth_jwt_public_key || _jwt_key,
+        jws_algorithm: oauth_jwt_algorithm,
+        jwe_key: oauth_jwt_jwe_key,
+        jws_encryption_algorithm: oauth_jwt_jwe_algorithm,
+        jws_encryption_method: oauth_jwt_jwe_encryption_method,
         verify_claims: true,
         verify_jti: true,
         verify_iss: true,
         verify_aud: false,
         **
       )
-        token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
+        token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if jwe_key
 
         claims = if is_authorization_server?
                    if oauth_jwt_legacy_public_key
                      JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks_set }))
+                   elsif jwks
+                     enc_algs = [jws_encryption_algorithm].compact
+                     enc_meths = [jws_encryption_method].compact
+                     sig_algs = [jws_algorithm].compact.map(&:to_sym)
+                     jws = JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks }), enc_algs + sig_algs, enc_meths)
+                     jws = JSON::JWT.decode(jws.plain_text, JSON::JWK::Set.new({ keys: jwks }), sig_algs) if jws.is_a?(JSON::JWE)
+                     jws
                    elsif jws_key
                      JSON::JWT.decode(token, jws_key)
                    end
@@ -390,20 +508,43 @@ module Rodauth
       end
 
     elsif defined?(JWT)
-
       # ruby-jwt
+      require "rodauth/oauth/jwe_extensions" if defined?(JWE)
+
+      auth_value_method :oauth_jwt_algorithms_supported, %w[
+        HS256 HS384 HS512 HS512256
+        RS256 RS384 RS512
+        ED25519
+        ES256 ES384 ES512
+        PS256 PS384 PS512
+      ]
+
+      auth_value_methods(
+        :oauth_jwt_jwe_algorithms_supported,
+        :oauth_jwt_jwe_encryption_methods_supported
+      )
+
+      def oauth_jwt_jwe_algorithms_supported
+        JWE::VALID_ALG
+      end
+
+      def oauth_jwt_jwe_encryption_methods_supported
+        JWE::VALID_ENC
+      end
 
       def jwk_import(data)
         JWT::JWK.import(data).keypair
       end
 
-      def jwt_encode(payload)
+      def jwt_encode(payload, signing_algorithm: oauth_jwt_algorithm)
         headers = {}
 
-        key = _jwt_key
+        key = oauth_jwt_keys[signing_algorithm] || _jwt_key
+        key = key.first if key.is_a?(Array)
 
-        if key.is_a?(OpenSSL::PKey::RSA)
-          jwk = JWT::JWK.new(_jwt_key)
+        case key
+        when OpenSSL::PKey::PKey
+          jwk = JWT::JWK.new(key)
           headers[:kid] = jwk.kid
 
           key = jwk.keypair
@@ -411,23 +552,44 @@ module Rodauth
 
         # @see JWT reserved claims - https://tools.ietf.org/html/draft-jones-json-web-token-07#page-7
         payload[:jti] = generate_jti(payload)
-        token = JWT.encode(payload, key, oauth_jwt_algorithm, headers)
-
-        if oauth_jwt_jwe_key
-          params = {
-            zip: "DEF",
-            copyright: oauth_jwt_jwe_copyright
-          }
-          params[:enc] = oauth_jwt_jwe_encryption_method if oauth_jwt_jwe_encryption_method
-          params[:alg] = oauth_jwt_jwe_algorithm if oauth_jwt_jwe_algorithm
-          token = JWE.encrypt(token, oauth_jwt_jwe_public_key || oauth_jwt_jwe_key, **params)
+        JWT.encode(payload, key, signing_algorithm, headers)
+      end
+
+      if defined?(JWE)
+        def jwt_encode_with_jwe(
+          payload,
+          jwks: nil,
+          jwe_key: oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
+          encryption_algorithm: oauth_jwt_jwe_algorithm,
+          encryption_method: oauth_jwt_jwe_encryption_method, **args
+        )
+
+          token = jwt_encode_without_jwe(payload, **args)
+
+          return token unless encryption_algorithm && encryption_method
+
+          if jwks && jwks.any? { |k| k[:use] == "enc" }
+            JWE.__rodauth_oauth_encrypt_from_jwks(token, jwks, alg: encryption_algorithm, enc: encryption_method)
+          elsif jwe_key
+            params = {
+              zip: "DEF",
+              copyright: oauth_jwt_jwe_copyright
+            }
+            params[:enc] = encryption_method if encryption_method
+            params[:alg] = encryption_algorithm if encryption_algorithm
+            JWE.encrypt(token, jwe_key, **params)
+          else
+            token
+          end
         end
 
-        token
+        alias_method :jwt_encode_without_jwe, :jwt_encode
+        alias_method :jwt_encode, :jwt_encode_with_jwe
       end
 
       def jwt_decode(
         token,
+        jwks: nil,
         jws_key: oauth_jwt_public_key || _jwt_key,
         jws_algorithm: oauth_jwt_algorithm,
         verify_claims: true,
@@ -435,9 +597,6 @@ module Rodauth
         verify_iss: true,
         verify_aud: false
       )
-        # decrypt jwe
-        token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
-
         # verifying the JWT implies verifying:
         #
         # issuer: check that server generated the token
@@ -465,6 +624,8 @@ module Rodauth
                    if oauth_jwt_legacy_public_key
                      algorithms = jwks_set.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
                      JWT.decode(token, nil, true, jwks: { keys: jwks_set }, algorithms: algorithms, **verify_claims_params).first
+                   elsif jwks
+                     JWT.decode(token, nil, true, algorithms: [jws_algorithm], jwks: { keys: jwks }, **verify_claims_params).first
                    elsif jws_key
                      JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params).first
                    end
@@ -480,6 +641,33 @@ module Rodauth
         nil
       end
 
+      if defined?(JWE)
+        def jwt_decode_with_jwe(
+          token,
+          jwks: nil,
+          jwe_key: oauth_jwt_jwe_key,
+          jws_encryption_algorithm: oauth_jwt_jwe_algorithm,
+          jws_encryption_method: oauth_jwt_jwe_encryption_method,
+          **args
+        )
+
+          token = if jwks && jwks.any? { |k| k[:use] == "enc" }
+                    JWE.__rodauth_oauth_decrypt_from_jwks(token, jwks, alg: jws_encryption_algorithm, enc: jws_encryption_method)
+                  elsif jwe_key
+                    JWE.decrypt(token, jwe_key)
+                  else
+                    token
+                  end
+
+          jwt_decode_without_jwe(token, jwks: jwks, **args)
+        rescue JWE::DecodeError => e
+          jwt_decode_without_jwe(token, jwks: jwks, **args) if e.message.include?("Not enough or too many segments")
+        end
+
+        alias_method :jwt_decode_without_jwe, :jwt_decode
+        alias_method :jwt_decode, :jwt_decode_with_jwe
+      end
+
       def jwks_set
         @jwks_set ||= [
           (JWT::JWK.new(oauth_jwt_public_key).export.merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
@@ -518,5 +706,19 @@ module Rodauth
 
       super
     end
+
+    def jwt_response_success(jwt, cache = false)
+      response.status = 200
+      response["Content-Type"] ||= "application/jwt"
+      if cache
+        # defaulting to 1-day for everyone, for now at least
+        max_age = 60 * 60 * 24
+        response["Cache-Control"] = "private, max-age=#{max_age}"
+      else
+        response["Cache-Control"] = "no-store"
+        response["Pragma"] = "no-cache"
+      end
+      return_response(jwt)
+    end
   end
 end

data/lib/rodauth/features/oauth_jwt_bearer_grant.rb

@@ -1,5 +1,6 @@
 # frozen-string-literal: true
 
+require "rodauth/oauth/version"
 require "rodauth/oauth/ttl_store"
 
 module Rodauth

data/lib/rodauth/features/oauth_management_base.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_management_base, :OauthManagementBase) do
+    depends :oauth_base
+
+    button "Previous", "oauth_management_pagination_previous"
+    button "Next", "oauth_management_pagination_next"
+
+    def oauth_management_pagination_links(paginated_ds)
+      html = +'<nav aria-label="Pagination"><ul class="pagination">'
+      html << oauth_management_pagination_link(paginated_ds.prev_page, label: oauth_management_pagination_previous_button)
+      html << oauth_management_pagination_link(paginated_ds.current_page - 1) unless paginated_ds.first_page?
+      html << oauth_management_pagination_link(paginated_ds.current_page, label: paginated_ds.current_page, current: true)
+      html << oauth_management_pagination_link(paginated_ds.current_page + 1) unless paginated_ds.last_page?
+      html << oauth_management_pagination_link(paginated_ds.next_page, label: oauth_management_pagination_next_button)
+      html << "</ul></nav>"
+    end
+
+    def oauth_management_pagination_link(page, label: page, current: false, classes: "")
+      classes += " disabled" if current || !page
+      classes += " active" if current
+      if page
+        params = request.GET.merge("page" => page).map do |k, v|
+          v ? "#{CGI.escape(String(k))}=#{CGI.escape(String(v))}" : CGI.escape(String(k))
+        end.join("&")
+
+        href = "#{request.path}?#{params}"
+
+        <<-HTML
+          <li class="page-item #{classes}" #{'aria-current="page"' if current}>
+            <a class="page-link" href="#{href}" tabindex="-1" aria-disabled="#{current || !page}">
+              #{label}
+            </a>
+          </li>
+        HTML
+      else
+        <<-HTML
+          <li class="page-item #{classes}">
+            <span class="page-link">
+              #{label}
+              #{'<span class="sr-only">(current)</span>' if current}
+            </span>
+          </li>
+        HTML
+      end
+    end
+
+    def post_configure
+      super
+
+      # TODO: remove this in v1, when resource-server mode does not load all of the provider features.
+      return unless db
+
+      db.extension :pagination
+    end
+
+    private
+
+    def per_page_param(default_per_page)
+      per_page = param_or_nil("per_page")
+
+      return default_per_page unless per_page
+
+      per_page = per_page.to_i
+
+      return default_per_page if per_page <= 0
+
+      [per_page, default_per_page].min
+    end
+  end
+end

data/lib/rodauth/features/oauth_pkce.rb

@@ -23,7 +23,7 @@ module Rodauth
 
     private
 
-    def authorized_oauth_application?(oauth_application, client_secret)
+    def authorized_oauth_application?(oauth_application, client_secret, _)
       return true if use_oauth_pkce? && param_or_nil("code_verifier")
 
       super

data/lib/rodauth/features/oauth_token_management.rb

@@ -4,7 +4,7 @@ module Rodauth
   Feature.define(:oauth_token_management, :OauthTokenManagement) do
     using RegexpExtensions
 
-    depends :oauth_base
+    depends :oauth_management_base
 
     view "oauth_tokens", "My Oauth Tokens", "oauth_tokens"
 
@@ -18,6 +18,7 @@ module Rodauth
 
     auth_value_method :oauth_tokens_route, "oauth-tokens"
     auth_value_method :oauth_tokens_id_pattern, Integer
+    auth_value_method :oauth_tokens_per_page, 20
 
     auth_value_methods(
       :oauth_token_path
@@ -40,12 +41,17 @@ module Rodauth
         require_account
 
         request.get do
+          page = Integer(param_or_nil("page") || 1)
+          per_page = per_page_param(oauth_tokens_per_page)
+
           scope.instance_variable_set(:@oauth_tokens, db[oauth_tokens_table]
             .select(Sequel[oauth_tokens_table].*, Sequel[oauth_applications_table][oauth_applications_name_column])
             .join(oauth_applications_table, Sequel[oauth_tokens_table][oauth_tokens_oauth_application_id_column] =>
               Sequel[oauth_applications_table][oauth_applications_id_column])
             .where(Sequel[oauth_tokens_table][oauth_tokens_account_id_column] => account_id)
-                .where(oauth_tokens_revoked_at_column => nil))
+            .where(oauth_tokens_revoked_at_column => nil)
+            .order(Sequel.desc(oauth_tokens_id_column))
+            .paginate(page, per_page))
           oauth_tokens_view
         end
 
@@ -69,9 +75,5 @@ module Rodauth
         super
       end
     end
-
-    def check_valid_uri?(uri)
-      URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(uri)
-    end
   end
 end

data/lib/rodauth/features/oidc.rb

@@ -65,6 +65,13 @@ module Rodauth
     auth_value_method :oauth_application_default_scope, "openid"
     auth_value_method :oauth_application_scopes, %w[openid]
 
+    auth_value_method :oauth_applications_id_token_signed_response_alg_column, :id_token_signed_response_alg
+    auth_value_method :oauth_applications_id_token_encrypted_response_alg_column, :id_token_encrypted_response_alg
+    auth_value_method :oauth_applications_id_token_encrypted_response_enc_column, :id_token_encrypted_response_enc
+    auth_value_method :oauth_applications_userinfo_signed_response_alg_column, :userinfo_signed_response_alg
+    auth_value_method :oauth_applications_userinfo_encrypted_response_alg_column, :userinfo_encrypted_response_alg
+    auth_value_method :oauth_applications_userinfo_encrypted_response_enc_column, :userinfo_encrypted_response_enc
+
     auth_value_method :oauth_grants_nonce_column, :nonce
     auth_value_method :oauth_tokens_nonce_column, :nonce
 
@@ -106,7 +113,24 @@ module Rodauth
 
           fill_with_account_claims(oidc_claims, account, oauth_scopes)
 
-          json_response_success(oidc_claims)
+          @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => oauth_token["client_id"]).first
+
+          if (algo = @oauth_application && @oauth_application[oauth_applications_userinfo_signed_response_alg_column])
+            params = {
+              jwks: oauth_application_jwks,
+              encryption_algorithm: @oauth_application[oauth_applications_userinfo_encrypted_response_alg_column],
+              encryption_method: @oauth_application[oauth_applications_userinfo_encrypted_response_enc_column]
+            }.compact
+
+            jwt = jwt_encode(
+              oidc_claims,
+              signing_algorithm: algo,
+              **params
+            )
+            jwt_response_success(jwt)
+          else
+            json_response_success(oidc_claims)
+          end
         end
 
         throw_json_response_error(authorization_required_error_status, "invalid_token")
@@ -211,8 +235,7 @@ module Rodauth
                                        href: authorization_server_url
                                      }]
                                    })
-          response.write(json_payload)
-          request.halt
+          return_response(json_payload)
         end
       end
     end
@@ -293,7 +316,7 @@ module Rodauth
     def create_oauth_grant(create_params = {})
       return super unless (nonce = param_or_nil("nonce"))
 
-      super(oauth_grants_nonce_column => nonce)
+      super(create_params.merge(oauth_grants_nonce_column => nonce))
     end
 
     def create_oauth_token_from_authorization_code(oauth_grant, create_params)
@@ -330,7 +353,14 @@ module Rodauth
 
       fill_with_account_claims(id_token_claims, account, oauth_scopes)
 
-      oauth_token[:id_token] = jwt_encode(id_token_claims)
+      params = {
+        jwks: oauth_application_jwks,
+        signing_algorithm: oauth_application[oauth_applications_id_token_signed_response_alg_column] || oauth_jwt_algorithm,
+        encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
+        encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
+      }.compact
+
+      oauth_token[:id_token] = jwt_encode(id_token_claims, **params)
     end
 
     # aka fill_with_standard_claims
@@ -443,7 +473,7 @@ module Rodauth
 
     # Metadata
 
-    def openid_configuration_body(path)
+    def openid_configuration_body(path = nil)
       metadata = oauth_server_metadata_body(path).select do |k, _|
         VALID_METADATA_KEYS.include?(k)
       end
@@ -504,7 +534,7 @@ module Rodauth
       response["Access-Control-Allow-Methods"] = "GET, OPTIONS"
       response["Access-Control-Max-Age"] = "3600"
       response.status = 200
-      request.halt
+      return_response
     end
   end
 end