rodauth-oauth 0.9.0 → 0.9.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ae63d25ed38845cc8186a0484cf7a223f4939b2695d61b58bc2df7d3aec1af0c
-  data.tar.gz: bb0361efcde688c2dda720825513af035a7befcb36460c11d6d80226e8791bbe
+  metadata.gz: 79fa7abfcf7ea1c0a2594f92bfd7a59e53769dec5a7221a22f740b37471e6e07
+  data.tar.gz: 9f7e8ce4370d44d985940d46d569e3192c35e53cb6e3841094517e64258b2b1a
 SHA512:
-  metadata.gz: 28a740ca518ec609cfcbffc61fbaa8f71fb049a8221ccb7858b9357b8f4eee9b3fe263b1a2747f1839677f07d05f3a2cf8c2c4370d1ae8c1b3fe4c33d54012c1
-  data.tar.gz: ad1d38778909f1f7bb8d6e69fbb44177c02eb96c2d40a94e54e0a1221efc871b7fc0e5c364845b38b5a7bb35d33610a9fdcddbb2e95f18be47a6b039f986ed9f
+  metadata.gz: 520a85416c418f93615a471133201c7ec6dd5c16ff9d697a6ca87b609084b58c7b9799c5d3c7a8d02a4fc68ca9750c9ef41dd07dde17c1e1153f0cec8e58f3c1
+  data.tar.gz: 8e7ebc28ba158f43b5226a2de98fc76de8c81e8a8c87dbaa95a69050eed96793e487666389b60be6694437c298fdf23f183a1df098983eeec5f5549df0321c7c

data/README.md

@@ -1,6 +1,7 @@
 # Rodauth::Oauth
 
-[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/pipelines?page=1&ref=master)
+[![Gem Version](https://badge.fury.io/rb/rodauth-oauth.svg)](http://rubygems.org/gems/rodauth-oauth)
+[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/pipelines?page=1&scope=all&ref=master)
 [![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg?job=coverage)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
 
 This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framework](https://tools.ietf.org/html/rfc6749) for an authorization server.
@@ -73,7 +74,7 @@ Or install it yourself as:
 
 ## Usage
 
-This tutorial assumes you already read the documentation and know how to set up `rodauth`. After that, integrating `roda-auth` will look like:
+This tutorial assumes you already read the documentation and know how to set up `rodauth`. After that, integrating `rodauth-oauth` will look like:
 
 ```ruby
 plugin :rodauth do

data/doc/release_notes/0_9_1.md

@@ -0,0 +1,9 @@
+### 0.9.1 (08/05/2022)
+
+#### Improvements
+
+Using `return_response`, introduced in `rodauth` v2.23, which accomplishes better integration with rails response logging mechanism when used under `rodauth-rails`.
+
+#### Bugfixes
+
+* Fixing namespacing issue which required anyone to have to `require "rodauth-oauth"` before loading it (no need to anymore).

data/doc/release_notes/0_9_2.md

@@ -0,0 +1,10 @@
+### 0.9.2 (11/05/2022)
+
+#### Bugfixes
+
+* Fixed remaining namespacing fix issues requiring usage of `require "rodauth-oauth"`.
+* Fixed wrong expectation of database for resource-server mode when `:oauth_management_base` plugin was used.
+* oidc: fixed incorrect grant creation flow whenn using `nonce` param.
+* oidc: fixed jwt encoding regression when not setting encryption method/algorithmm for client applications.
+* templates: added missing jwks field to the "New oauth application" form.
+* Several fixes on the example OIDC applications, mostly around CSRF breakage when using latest version of `omniauth`.

data/doc/release_notes/0_9_3.md

@@ -0,0 +1,9 @@
+### 0.9.2 (30/05/2022)
+
+#### Bugfixes
+
+* `oauth_jwt`: new access tokens generated via the `"refresh_token"` grant type are now JWT (it was falling back to non JWT behaviour);
+*  `oidc`: a new `id_token` is now generated via the `"refresh_token"` grant type with "rotation" policy (it was being omitted from the response);
+* `oidc`: fixing calculation of `"auth_time"` claim, which (as per RFC) needs to stay the same across first authentication and subsequent `"refresh_token"` requests;
+    * it requires a new db column (default: `"auth_time"`, datetime) in the `"oauth_tokens"` database;
+* hash-column `"refresh_token"` will now expose the refresh token (instead of the hash column version) in the `"refresh_token"` grant type response payload (only happened in "non-rotation" refresh token mode).

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -77,6 +77,7 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
       # uncomment to use OIDC nonce
       # t.string :nonce
+      # t.datetime :auth_time
     end
   end
 end

data/lib/rodauth/features/oauth_application_management.rb

@@ -33,7 +33,7 @@ module Rodauth
 
     translatable_method :oauth_applications_name_label, "Name"
     translatable_method :oauth_applications_description_label, "Description"
-    translatable_method :oauth_applications_scopes_label, "Scopes"
+    translatable_method :oauth_applications_scopes_label, "Default scopes"
     translatable_method :oauth_applications_contacts_label, "Contacts"
     translatable_method :oauth_applications_tos_uri_label, "Terms of service"
     translatable_method :oauth_applications_policy_uri_label, "Policy"

data/lib/rodauth/features/oauth_base.rb

@@ -4,6 +4,8 @@ require "time"
 require "base64"
 require "securerandom"
 require "net/http"
+require "rodauth/version"
+require "rodauth/oauth/version"
 require "rodauth/oauth/ttl_store"
 require "rodauth/oauth/database_extensions"
 require "rodauth/oauth/refinements"
@@ -424,32 +426,40 @@ module Rodauth
       }.merge(params)
 
       rescue_from_uniqueness_error do
-        token = oauth_unique_id_generator
+        access_token = _generate_access_token(create_params)
+        refresh_token = _generate_refresh_token(create_params) if should_generate_refresh_token
+        oauth_token = _store_oauth_token(create_params)
+        oauth_token[oauth_tokens_token_column] = access_token
+        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
+        oauth_token
+      end
+    end
 
-        if oauth_tokens_token_hash_column
-          create_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
-        else
-          create_params[oauth_tokens_token_column] = token
-        end
+    def _generate_access_token(params = {})
+      token = oauth_unique_id_generator
 
-        refresh_token = nil
-        if should_generate_refresh_token
-          refresh_token = oauth_unique_id_generator
+      if oauth_tokens_token_hash_column
+        params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+      else
+        params[oauth_tokens_token_column] = token
+      end
 
-          if oauth_tokens_refresh_token_hash_column
-            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-          else
-            create_params[oauth_tokens_refresh_token_column] = refresh_token
-          end
-        end
-        oauth_token = _generate_oauth_token(create_params)
-        oauth_token[oauth_tokens_token_column] = token
-        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
-        oauth_token
+      token
+    end
+
+    def _generate_refresh_token(params)
+      token = oauth_unique_id_generator
+
+      if oauth_tokens_refresh_token_hash_column
+        params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(token)
+      else
+        params[oauth_tokens_refresh_token_column] = token
       end
+
+      token
     end
 
-    def _generate_oauth_token(params = {})
+    def _store_oauth_token(params = {})
       ds = db[oauth_tokens_table]
 
       if __one_oauth_token_per_account
@@ -575,43 +585,24 @@ module Rodauth
 
       rescue_from_uniqueness_error do
         oauth_tokens_ds = db[oauth_tokens_table]
-        token = oauth_unique_id_generator
+        access_token = _generate_access_token(update_params)
 
-        if oauth_tokens_token_hash_column
-          update_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+        if oauth_refresh_token_protection_policy == "rotation"
+          update_params = {
+            **update_params,
+            oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column],
+            oauth_tokens_account_id_column => oauth_token[oauth_tokens_account_id_column],
+            oauth_tokens_scopes_column => oauth_token[oauth_tokens_scopes_column]
+          }
+
+          refresh_token = _generate_refresh_token(update_params)
         else
-          update_params[oauth_tokens_token_column] = token
+          refresh_token = param("refresh_token")
         end
+        oauth_token = __update_and_return__(oauth_tokens_ds, update_params)
 
-        oauth_token = if oauth_refresh_token_protection_policy == "rotation"
-                        insert_params = {
-                          **update_params,
-                          oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column],
-                          oauth_tokens_scopes_column => oauth_token[oauth_tokens_scopes_column]
-                        }
-
-                        refresh_token = oauth_unique_id_generator
-
-                        if oauth_tokens_refresh_token_hash_column
-                          insert_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-                        else
-                          insert_params[oauth_tokens_refresh_token_column] = refresh_token
-                        end
-
-                        # revoke the refresh token
-                        oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
-                                       .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
-
-                        insert_params[oauth_tokens_oauth_token_id_column] = oauth_token[oauth_tokens_id_column]
-                        __insert_and_return__(oauth_tokens_ds, oauth_tokens_id_column, insert_params)
-                      else
-                        # includes none
-                        ds = oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
-                        __update_and_return__(ds, update_params)
-                      end
-
-        oauth_token[oauth_tokens_token_column] = token
-        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
+        oauth_token[oauth_tokens_token_column] = access_token
+        oauth_token[oauth_tokens_refresh_token_column] = refresh_token
         oauth_token
       end
     end
@@ -687,8 +678,7 @@ module Rodauth
         response["Pragma"] = "no-cache"
       end
       json_payload = _json_response_body(body)
-      response.write(json_payload)
-      request.halt
+      return_response(json_payload)
     end
 
     def throw_json_response_error(status, error_code, message = nil)
@@ -703,8 +693,7 @@ module Rodauth
       json_payload = _json_response_body(payload)
       response["Content-Type"] ||= json_response_content_type
       response["WWW-Authenticate"] = oauth_token_type.upcase if status == 401
-      response.write(json_payload)
-      request.halt
+      return_response(json_payload)
     end
 
     unless method_defined?(:_json_response_body)
@@ -717,6 +706,13 @@ module Rodauth
       end
     end
 
+    if Gem::Version.new(Rodauth.version) < Gem::Version.new("2.23")
+      def return_response(body = nil)
+        response.write(body) if body
+        request.halt
+      end
+    end
+
     def authorization_required
       if accepts_json?
         throw_json_response_error(authorization_required_error_status, "invalid_client")

data/lib/rodauth/features/oauth_jwt.rb

@@ -1,5 +1,6 @@
 # frozen-string-literal: true
 
+require "rodauth/oauth/version"
 require "rodauth/oauth/ttl_store"
 
 module Rodauth
@@ -38,6 +39,9 @@ module Rodauth
 
     translatable_method :oauth_applications_jwt_public_key_label, "Public key"
 
+    auth_value_method :oauth_application_jwt_public_key_param, "jwt_public_key"
+    auth_value_method :oauth_application_jwks_param, "jwks"
+
     auth_value_method :oauth_jwt_keys, {}
     auth_value_method :oauth_jwt_key, nil
     auth_value_method :oauth_jwt_public_key, nil
@@ -62,7 +66,6 @@ module Rodauth
       :jwt_encode,
       :jwt_decode,
       :jwks_set,
-      :last_account_login_at,
       :generate_jti
     )
 
@@ -95,12 +98,6 @@ module Rodauth
 
     private
 
-    unless method_defined?(:last_account_login_at)
-      def last_account_login_at
-        nil
-      end
-    end
-
     def issuer
       @issuer ||= oauth_jwt_token_issuer || authorization_server_url
     end
@@ -171,41 +168,38 @@ module Rodauth
 
     # /token
 
-    def generate_oauth_token(params = {}, should_generate_refresh_token = true)
-      create_params = {
-        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
-      }.merge(params)
-
-      oauth_token = rescue_from_uniqueness_error do
-        if should_generate_refresh_token
-          refresh_token = oauth_unique_id_generator
-
-          if oauth_tokens_refresh_token_hash_column
-            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-          else
-            create_params[oauth_tokens_refresh_token_column] = refresh_token
-          end
-        end
+    def create_oauth_token_from_token(oauth_token, update_params)
+      otoken = super
+      access_token = _generate_jwt_access_token(otoken)
+      otoken[oauth_tokens_token_column] = access_token
+      otoken
+    end
 
-        _generate_oauth_token(create_params)
-      end
+    def generate_oauth_token(params = {}, should_generate_refresh_token = true)
+      oauth_token = super
+      access_token = _generate_jwt_access_token(oauth_token)
+      oauth_token[oauth_tokens_token_column] = access_token
+      oauth_token
+    end
 
+    def _generate_jwt_access_token(oauth_token)
       claims = jwt_claims(oauth_token)
 
       # one of the points of using jwt is avoiding database lookups, so we put here all relevant
       # token data.
       claims[:scope] = oauth_token[oauth_tokens_scopes_column]
 
-      token = jwt_encode(claims)
+      jwt_encode(claims)
+    end
 
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token
+    def _generate_access_token(*)
+      # no op
     end
 
     def jwt_claims(oauth_token)
       issued_at = Time.now.to_i
 
-      claims = {
+      {
         iss: issuer, # issuer
         iat: issued_at, # issued at
         #
@@ -223,10 +217,6 @@ module Rodauth
         exp: issued_at + oauth_token_expires_in,
         aud: (oauth_jwt_audience || oauth_application[oauth_applications_client_id_column])
       }
-
-      claims[:auth_time] = last_account_login_at.to_i if last_account_login_at
-
-      claims
     end
 
     def jwt_subject(oauth_token)
@@ -714,8 +704,7 @@ module Rodauth
         response["Cache-Control"] = "no-store"
         response["Pragma"] = "no-cache"
       end
-      response.write(jwt)
-      request.halt
+      return_response(jwt)
     end
   end
 end

data/lib/rodauth/features/oauth_jwt_bearer_grant.rb

@@ -1,5 +1,6 @@
 # frozen-string-literal: true
 
+require "rodauth/oauth/version"
 require "rodauth/oauth/ttl_store"
 
 module Rodauth

data/lib/rodauth/features/oauth_management_base.rb

@@ -48,6 +48,10 @@ module Rodauth
 
     def post_configure
       super
+
+      # TODO: remove this in v1, when resource-server mode does not load all of the provider features.
+      return unless db
+
       db.extension :pagination
     end
 

data/lib/rodauth/features/oidc.rb

@@ -74,6 +74,7 @@ module Rodauth
 
     auth_value_method :oauth_grants_nonce_column, :nonce
     auth_value_method :oauth_tokens_nonce_column, :nonce
+    auth_value_method :oauth_tokens_auth_time_column, :auth_time
 
     translatable_method :invalid_scope_message, "The Access Token expired"
 
@@ -120,7 +121,8 @@ module Rodauth
               jwks: oauth_application_jwks,
               encryption_algorithm: @oauth_application[oauth_applications_userinfo_encrypted_response_alg_column],
               encryption_method: @oauth_application[oauth_applications_userinfo_encrypted_response_enc_column]
-            }
+            }.compact
+
             jwt = jwt_encode(
               oidc_claims,
               signing_algorithm: algo,
@@ -234,8 +236,7 @@ module Rodauth
                                        href: authorization_server_url
                                      }]
                                    })
-          response.write(json_payload)
-          request.halt
+          return_response(json_payload)
         end
       end
     end
@@ -316,7 +317,7 @@ module Rodauth
     def create_oauth_grant(create_params = {})
       return super unless (nonce = param_or_nil("nonce"))
 
-      super(oauth_grants_nonce_column => nonce)
+      super(create_params.merge(oauth_grants_nonce_column => nonce))
     end
 
     def create_oauth_token_from_authorization_code(oauth_grant, create_params)
@@ -341,8 +342,7 @@ module Rodauth
 
       # Time when the End-User authentication occurred.
       #
-      # Sounds like the same as issued at claim.
-      id_token_claims[:auth_time] = id_token_claims[:iat]
+      id_token_claims[:auth_time] = oauth_token[oauth_tokens_auth_time_column].to_i
 
       account = db[accounts_table].where(account_id_column => oauth_token[oauth_tokens_account_id_column]).first
 
@@ -358,7 +358,8 @@ module Rodauth
         signing_algorithm: oauth_application[oauth_applications_id_token_signed_response_alg_column] || oauth_jwt_algorithm,
         encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
         encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
-      }
+      }.compact
+
       oauth_token[:id_token] = jwt_encode(id_token_claims, **params)
     end
 
@@ -487,7 +488,7 @@ module Rodauth
         end
       end
 
-      scope_claims.unshift("auth_time") if last_account_login_at
+      scope_claims.unshift("auth_time")
 
       response_types_supported = metadata[:response_types_supported]
 
@@ -533,7 +534,7 @@ module Rodauth
       response["Access-Control-Allow-Methods"] = "GET, OPTIONS"
       response["Access-Control-Max-Age"] = "3600"
       response.status = 200
-      request.halt
+      return_response
     end
   end
 end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.9.0"
+    VERSION = "0.9.3"
   end
 end

data/locales/en.yml

@@ -19,7 +19,7 @@ en:
     oauth_management_pagination_next_button: "Next"
     oauth_applications_name_label: "Name"
     oauth_applications_description_label: "Description"
-    oauth_applications_scopes_label: "Scopes"
+    oauth_applications_scopes_label: "Default scopes"
     oauth_applications_contacts_label: "Contacts"
     oauth_applications_homepage_url_label: "Homepage URL"
     oauth_applications_tos_uri_label: "Terms of Service URL"

data/templates/jwks_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
   <label for="name">#{rodauth.oauth_applications_jwks_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_jwks_param, "jwks", :type=>"text")}
+   <textarea id="jwks" class="form-control" name="#{rodauth.oauth_application_jwks_param}" rows="3"></textarea>
 </div>

data/templates/jwt_public_key_field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
   <label for="name">#{rodauth.oauth_applications_jwt_public_key_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.oauth_application_jwt_public_key_param, "jwt_public_key", :type=>"text")}
+  #{rodauth.input_field_string(rodauth.oauth_application_jwt_public_key_param, "jwt_public_key", :type=>"text", :required=>false)}
 </div>

data/templates/new_oauth_application.str

@@ -11,7 +11,7 @@
     if rodauth.features.include?(:oauth_jwt)
       <<-HTML
         #{rodauth.render('jwt_public_key_field')}
-        #{rodauth.render('jws_jwk_field')}
+        #{rodauth.render('jwks_field')}
       HTML
     end
   }

data/templates/scope_field.str

@@ -1,8 +1,9 @@
 <fieldset class="form-group">
+  <legend>#{rodauth.oauth_applications_scopes_label}</legend>
   #{
     rodauth.oauth_application_scopes.map do |scope|
-      "<div class=\"form-check checkbox\">" +
-      "<input id=\"#{scope}\" type=\"checkbox\" name=\"#{rodauth.oauth_application_scopes_param}[]\" value=\"#{scope}\">" +
+      "<div class=\"form-group form-check\">" +
+      "<input id=\"#{scope}\" type=\"checkbox\" class=\"form-check-input\" name=\"#{rodauth.oauth_application_scopes_param}[]\" value=\"#{scope}\">" +
       "<label for=\"#{scope}\">#{scope}</label>" +
       "</div>"
     end.join

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.9.3
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-04-19 00:00:00.000000000 Z
+date: 2022-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -57,6 +57,9 @@ extra_rdoc_files:
 - doc/release_notes/0_7_4.md
 - doc/release_notes/0_8_0.md
 - doc/release_notes/0_9_0.md
+- doc/release_notes/0_9_1.md
+- doc/release_notes/0_9_2.md
+- doc/release_notes/0_9_3.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -85,6 +88,9 @@ files:
 - doc/release_notes/0_7_4.md
 - doc/release_notes/0_8_0.md
 - doc/release_notes/0_9_0.md
+- doc/release_notes/0_9_1.md
+- doc/release_notes/0_9_2.md
+- doc/release_notes/0_9_3.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb