rodauth-oauth 0.8.0 → 0.9.2

data/lib/rodauth/features/oidc_dynamic_client_registration.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oidc_dynamic_client_registration, :OidcDynamicClientRegistration) do
+    depends :oauth_dynamic_client_registration, :oidc
+
+    auth_value_method :oauth_applications_application_type_column, :application_type
+
+    private
+
+    def registration_metadata
+      openid_configuration_body
+    end
+
+    def validate_client_registration_params
+      super
+
+      if (value = @oauth_application_params[oauth_applications_application_type_column])
+        case value
+        when "native"
+          request.params["redirect_uris"].each do |uri|
+            uri = URI(uri)
+            # Native Clients MUST only register redirect_uris using custom URI schemes or
+            # URLs using the http: scheme with localhost as the hostname.
+            case uri.scheme
+            when "http"
+              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri)) unless uri.host == "localhost"
+            when "https"
+              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
+            end
+          end
+        when "web"
+          # Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris;
+          # they MUST NOT use localhost as the hostname.
+          if request.params["grant_types"].include?("implicit")
+            request.params["redirect_uris"].each do |uri|
+              uri = URI(uri)
+              unless uri.scheme == "https" && uri.host != "localhost"
+                register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
+              end
+            end
+          end
+        else
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_application_type_message(type))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_subject_type_column])
+        unless %w[pairwise public].include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("subject_type"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_id_token_signed_response_alg_column])
+        if value == "none"
+          # The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types
+          # that return no ID Token from the Authorization Endpoint
+          response_types = @oauth_application_params[oauth_applications_response_types_column]
+          if response_types && response_types.include?("id_token")
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
+          end
+        elsif !oauth_jwt_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column])
+        unless oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column])
+        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_enc"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column])
+        unless oauth_jwt_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_signed_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column])
+        unless oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column])
+        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_enc"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_request_object_signing_alg_column])
+        unless oauth_jwt_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_signing_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column])
+        unless oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_alg"))
+        end
+      elsif (value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column])
+        unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_enc"))
+        end
+      end
+    end
+
+    def validate_client_registration_response_type(response_type, grant_types)
+      case response_type
+      when "id_token"
+        unless grant_types.include?("implicit")
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_response_type_for_grant_type_message(response_type, "implicit"))
+        end
+      else
+        super
+      end
+    end
+
+    def do_register(return_params = request.params.dup)
+      # set defaults
+
+      create_params = @oauth_application_params
+
+      create_params[oauth_applications_application_type_column] ||= begin
+        return_params["application_type"] = "web"
+        "web"
+      end
+      create_params[oauth_applications_id_token_signed_response_alg_column] ||= begin
+        return_params["id_token_signed_response_alg"] = oauth_jwt_algorithm
+        oauth_jwt_algorithm
+      end
+      if create_params.key?(oauth_applications_id_token_encrypted_response_alg_column)
+        create_params[oauth_applications_id_token_encrypted_response_enc_column] ||= begin
+          return_params["id_token_encrypted_response_enc"] = "A128CBC-HS256"
+          "A128CBC-HS256"
+        end
+      end
+      if create_params.key?(oauth_applications_userinfo_encrypted_response_alg_column)
+        create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||= begin
+          return_params["userinfo_encrypted_response_enc"] = "A128CBC-HS256"
+          "A128CBC-HS256"
+        end
+      end
+      if create_params.key?(oauth_applications_request_object_encryption_alg_column)
+        create_params[oauth_applications_request_object_encryption_enc_column] ||= begin
+          return_params["request_object_encryption_enc"] = "A128CBC-HS256"
+          "A128CBC-HS256"
+        end
+      end
+
+      super(return_params)
+    end
+
+    def register_invalid_application_type_message(application_type)
+      "The application type '#{application_type}' is not allowed."
+    end
+  end
+end

data/lib/rodauth/oauth/jwe_extensions.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module JWE
+  #
+  # this is a monkey-patch!
+  # it's necessary, as the original jwe does not support jwks.
+  # if this works long term, it may be merged upstreamm.
+  #
+  def self.__rodauth_oauth_decrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM")
+    header, enc_key, iv, ciphertext, tag = Serialization::Compact.decode(payload)
+    header = JSON.parse(header)
+
+    key = find_key_by_kid(jwks, header["kid"], alg, enc)
+
+    check_params(header, key)
+
+    cek = Alg.decrypt_cek(header["alg"], key, enc_key)
+    cipher = Enc.for(header["enc"], cek, iv, tag)
+
+    plaintext = cipher.decrypt(ciphertext, payload.split(".").first)
+
+    apply_zip(header, plaintext, :decompress)
+  end
+
+  def self.__rodauth_oauth_encrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM", **more_headers)
+    header = generate_header(alg, enc, more_headers)
+
+    key = find_key_by_alg_enc(jwks, alg, enc)
+
+    check_params(header, key)
+    payload = apply_zip(header, payload, :compress)
+
+    cipher = Enc.for(enc)
+    cipher.cek = key if alg == "dir"
+
+    json_hdr = header.to_json
+    ciphertext = cipher.encrypt(payload, Base64.jwe_encode(json_hdr))
+
+    generate_serialization(json_hdr, Alg.encrypt_cek(alg, key, cipher.cek), ciphertext, cipher)
+  end
+
+  def self.find_key_by_kid(jwks, kid, alg, enc)
+    raise DecodeError, "No key id (kid) found from token headers" unless kid
+
+    jwk = jwks.find { |key, _| (key[:kid] || key["kid"]) == kid }
+
+    raise DecodeError, "Could not find public key for kid #{kid}" unless jwk
+    raise DecodeError, "Expected a different encryption algorithm" unless alg == (jwk[:alg] || jwk["alg"])
+    raise DecodeError, "Expected a different encryption method" unless enc == (jwk[:enc] || jwk["enc"])
+
+    ::JWT::JWK.import(jwk).keypair
+  end
+
+  def self.find_key_by_alg_enc(jwks, alg, enc)
+    jwk = jwks.find do |key, _|
+      (key[:alg] || key["alg"]) == alg &&
+        (key[:enc] || key["enc"]) == enc
+    end
+
+    raise DecodeError, "No key found" unless jwk
+
+    ::JWT::JWK.import(jwk).keypair
+  end
+end

data/lib/rodauth/oauth/ttl_store.rb

@@ -24,12 +24,18 @@ class Rodauth::OAuth::TtlStore
     @store_mutex.synchronize do
       # short circuit
       return @store[key][:payload] if @store[key] && @store[key][:ttl] < now
+    end
 
-      payload, ttl = block.call
-      @store[key] = { payload: payload, ttl: (ttl || (now + DEFAULT_TTL)) }
+    payload, ttl = block.call
+
+    @store_mutex.synchronize do
+      # given that the block call triggers network, and two requests for the same key be processed
+      # at the same time, this ensures the first one wins.
+      return @store[key][:payload] if @store[key] && @store[key][:ttl] < now
 
-      @store[key][:payload]
+      @store[key] = { payload: payload, ttl: (ttl || (now + DEFAULT_TTL)) }
     end
+    @store[key][:payload]
   end
 
   def uncache(key)

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.8.0"
+    VERSION = "0.9.2"
   end
 end

data/locales/en.yml

@@ -15,10 +15,15 @@ en:
     oauth_tokens_page_title: "My Oauth Tokens"
     device_verification_page_title: "Device Verification"
     device_search_page_title: "Device Search"
+    oauth_management_pagination_previous_button: "Previous"
+    oauth_management_pagination_next_button: "Next"
     oauth_applications_name_label: "Name"
     oauth_applications_description_label: "Description"
-    oauth_applications_scopes_label: "Scopes"
+    oauth_applications_scopes_label: "Default scopes"
+    oauth_applications_contacts_label: "Contacts"
     oauth_applications_homepage_url_label: "Homepage URL"
+    oauth_applications_tos_uri_label: "Terms of Service URL"
+    oauth_applications_policy_uri_label: "Policy URL"
     oauth_applications_redirect_uri_label: "Redirect URL"
     oauth_applications_client_secret_label: "Client Secret"
     oauth_applications_client_id_label: "Client ID"

data/templates/authorize.str

@@ -1,6 +1,55 @@
 <form method="post" action="#{rodauth.authorize_path}" class="form-horizontal" role="form" id="authorize-form">
   #{csrf_tag(rodauth.authorize_path) if respond_to?(:csrf_tag)}
-  <p class="lead">The application #{rodauth.oauth_application[rodauth.oauth_applications_name_column]} would like to access your data.</p>
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column]
+      <<-HTML
+        <img src="#{h(rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column])}" />
+      HTML
+    end
+  }
+  <p class="lead">
+    The application
+    <a target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column])}">
+      #{h(rodauth.oauth_application[rodauth.oauth_applications_name_column])}
+    </a> would like to access your data.
+  </p>
+  <div class="list-group">
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column]
+      <<-HTML
+        <a class="list-group-item" target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column])}">
+          #{rodauth.oauth_applications_tos_uri_label}
+        </a>
+      HTML
+    end
+  }
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column]
+      <<-HTML
+        <a class="list-group-item" target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_policy_uri_column])}">
+          #{rodauth.oauth_applications_policy_uri_label}
+        </a>
+      HTML
+    end
+  }
+  </div>
+
+  #{
+    if rodauth.oauth_application[rodauth.oauth_applications_contacts_column]
+      data = <<-HTML
+        <div class="list-group">
+          <h3 class="display-6">#{rodauth.oauth_applications_contacts_label}</h3>
+      HTML
+      rodauth.oauth_application[rodauth.oauth_applications_contacts_column].split(/ +/).each do |contact|
+        data << <<-HTML
+          <div class="list-group-item">
+            #{h(contact)}
+          </div>
+        HTML
+      end
+      data << "</div>"
+    end
+  }
 
   <div class="form-group">
     <h1 class="display-6">#{rodauth.oauth_tokens_scopes_label}</h1>

data/templates/jwks_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="name">#{rodauth.oauth_applications_jwks_label}#{rodauth.input_field_label_suffix}</label>
+   <textarea id="jwks" class="form-control" name="#{rodauth.oauth_application_jwks_param}" rows="3"></textarea>
+</div>

data/templates/jwt_public_key_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
   <label for="name">#{rodauth.oauth_applications_jwt_public_key_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_jwt_public_key_param, "jwt_public_key", :type=>"text")}
+  #{rodauth.input_field_string(rodauth.oauth_application_jwt_public_key_param, "jwt_public_key", :type=>"text", :required=>false)}
 </div>

data/templates/new_oauth_application.str

@@ -11,7 +11,7 @@
     if rodauth.features.include?(:oauth_jwt)
       <<-HTML
         #{rodauth.render('jwt_public_key_field')}
-        #{rodauth.render('jws_jwk_field')}
+        #{rodauth.render('jwks_field')}
       HTML
     end
   }

data/templates/oauth_application.str

@@ -3,7 +3,7 @@
     #{
       params = [*rodauth.oauth_application_required_params, "client_id", "client_secret"]
       if rodauth.features.include?(:oauth_jwt)
-        params += %w[jws_jwk jwt_public_key]
+        params += %w[jwks jwt_public_key]
       end
       params.map do |param|
         "<dt class=\"#{param}\">#{rodauth.send(:"oauth_applications_#{param}_label")}: </dt>" +

data/templates/oauth_application_oauth_tokens.str

@@ -45,6 +45,7 @@
             }
           </tbody>
         </table>
+        #{rodauth.oauth_management_pagination_links(@oauth_tokens)}
       HTML
     end
   }

data/templates/oauth_applications.str

@@ -11,4 +11,5 @@
       "</ul>"
     end
   }
+  #{rodauth.oauth_management_pagination_links(@oauth_applications)}
 </div>

data/templates/oauth_tokens.str

@@ -43,6 +43,7 @@
             }
           </tbody>
         </table>
+        #{rodauth.oauth_management_pagination_links(@oauth_tokens)}
       HTML
     end
   }

data/templates/scope_field.str

@@ -1,8 +1,9 @@
 <fieldset class="form-group">
+  <legend>#{rodauth.oauth_applications_scopes_label}</legend>
   #{
     rodauth.oauth_application_scopes.map do |scope|
-      "<div class=\"form-check checkbox\">" +
-      "<input id=\"#{scope}\" type=\"checkbox\" name=\"#{rodauth.oauth_application_scopes_param}[]\" value=\"#{scope}\">" +
+      "<div class=\"form-group form-check\">" +
+      "<input id=\"#{scope}\" type=\"checkbox\" class=\"form-check-input\" name=\"#{rodauth.oauth_application_scopes_param}[]\" value=\"#{scope}\">" +
       "<label for=\"#{scope}\">#{scope}</label>" +
       "</div>"
     end.join

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.9.2
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-12 00:00:00.000000000 Z
+date: 2022-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -56,6 +56,9 @@ extra_rdoc_files:
 - doc/release_notes/0_7_3.md
 - doc/release_notes/0_7_4.md
 - doc/release_notes/0_8_0.md
+- doc/release_notes/0_9_0.md
+- doc/release_notes/0_9_1.md
+- doc/release_notes/0_9_2.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -83,6 +86,9 @@ files:
 - doc/release_notes/0_7_3.md
 - doc/release_notes/0_7_4.md
 - doc/release_notes/0_8_0.md
+- doc/release_notes/0_9_0.md
+- doc/release_notes/0_9_1.md
+- doc/release_notes/0_9_2.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -103,11 +109,14 @@ files:
 - lib/rodauth/features/oauth_authorization_code_grant.rb
 - lib/rodauth/features/oauth_authorization_server.rb
 - lib/rodauth/features/oauth_base.rb
+- lib/rodauth/features/oauth_client_credentials_grant.rb
 - lib/rodauth/features/oauth_device_grant.rb
+- lib/rodauth/features/oauth_dynamic_client_registration.rb
 - lib/rodauth/features/oauth_http_mac.rb
 - lib/rodauth/features/oauth_implicit_grant.rb
 - lib/rodauth/features/oauth_jwt.rb
 - lib/rodauth/features/oauth_jwt_bearer_grant.rb
+- lib/rodauth/features/oauth_management_base.rb
 - lib/rodauth/features/oauth_pkce.rb
 - lib/rodauth/features/oauth_resource_server.rb
 - lib/rodauth/features/oauth_saml_bearer_grant.rb
@@ -115,8 +124,10 @@ files:
 - lib/rodauth/features/oauth_token_management.rb
 - lib/rodauth/features/oauth_token_revocation.rb
 - lib/rodauth/features/oidc.rb
+- lib/rodauth/features/oidc_dynamic_client_registration.rb
 - lib/rodauth/oauth.rb
 - lib/rodauth/oauth/database_extensions.rb
+- lib/rodauth/oauth/jwe_extensions.rb
 - lib/rodauth/oauth/railtie.rb
 - lib/rodauth/oauth/refinements.rb
 - lib/rodauth/oauth/ttl_store.rb
@@ -128,7 +139,7 @@ files:
 - templates/device_search.str
 - templates/device_verification.str
 - templates/homepage_url_field.str
-- templates/jws_jwk_field.str
+- templates/jwks_field.str
 - templates/jwt_public_key_field.str
 - templates/name_field.str
 - templates/new_oauth_application.str

data/templates/jws_jwk_field.str

@@ -1,4 +0,0 @@
-<div class="form-group">
-  <label for="name">#{rodauth.oauth_applications_jws_jwk_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_jws_jwk_param, "jws_jwk", :type=>"text")}
-</div>