rodauth-oauth 0.9.2 → 0.10.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2514b45f82f9e8dda98f15dc2c1ccc0eeba306c9d1ee40e6fa47e4999d766c1c
-  data.tar.gz: d68579829772121a157b7bd654fb40999921af46673910caa21892462655ed0e
+  metadata.gz: 9a8ec41b29b514398bc764c53190df1b832387e1c392dd4c03988ffc16bdf0c5
+  data.tar.gz: 565c9ebb6871cd7a36b2ddf549cd368c509bce9303fb308cda4620d96a191647
 SHA512:
-  metadata.gz: 8121458a789119610c920c835fc99cde76d4eca41fb7bb48acbe9c1e2f4be89f68c9370235335d7dc8c6b3b715b6825a4d77bafbda37551464ebf35a516f55de
-  data.tar.gz: bdd2c1d2bee336459186606b2bfb293cd690333a58c421798155e6bc53e418b71bbd142ac19e48ddcff701f28eaaa6c65c8d045c715a7f84690fb5dd6865ddbe
+  metadata.gz: 724c9d6bf98689b63f1919ea9e513907c784152b7a164797e152f6cf5c9bacf19364bf8ea0df8dd3b03f281f2190eaafb0927d70d040e1c636eea8e7a4846269
+  data.tar.gz: f89c6dea666c7bfe2b8722d84cbc04cf38c42dc9827df4ec05596d490dc73cbd0f1ac3e57adf358a564dc37ef774f913df383192ee63771a91a6cdc454d35c4e

data/README.md

@@ -1,6 +1,7 @@
 # Rodauth::Oauth
 
-[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/pipelines?page=1&ref=master)
+[![Gem Version](https://badge.fury.io/rb/rodauth-oauth.svg)](http://rubygems.org/gems/rodauth-oauth)
+[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/pipelines?page=1&scope=all&ref=master)
 [![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg?job=coverage)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
 
 This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framework](https://tools.ietf.org/html/rfc6749) for an authorization server.
@@ -20,14 +21,16 @@ This gem implements the following RFCs and features of OAuth:
   * `oauth_token_introspection` - [Token introspection](https://tools.ietf.org/html/rfc7662);
   * [Authorization Server Metadata](https://tools.ietf.org/html/rfc8414);
   * `oauth_pkce` - [PKCE](https://tools.ietf.org/html/rfc7636);
-  * Access Type (Token refresh online and offline);
   * `oauth_jwt` - [JWT Access Tokens](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07);
+    * Supports [JWT Secured Authorization Request](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
+  * `oauth_resource_indicators` - [Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707);
+  * Access Type (Token refresh online and offline);
 * `oauth_http_mac` - [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
 * `oauth_assertion_base` - [Assertion Framework](https://datatracker.ietf.org/doc/html/rfc7521);
   * `oauth_saml_bearer_grant` - [SAML 2.0 Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7522);
   * `oauth_jwt_bearer_grant` - [JWT Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7523);
-* [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
-* [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591);
+
+* `oauth_dynamic_client_registration` - [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591);
 * OAuth application and token management dashboards;
 
 It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:

data/doc/release_notes/0_10_0.md

@@ -0,0 +1,100 @@
+## 0.10.0 (10/06/2022)
+
+### Features
+
+#### Resource Indicators
+
+RFC: https://datatracker.ietf.org/doc/html/rfc8707
+
+`rodauth-oauth` now supports Resource Indicators, via the optional `:oauth_resource_indicators` feature.
+
+#### JWT: extra options
+
+The following extra option values were added:
+
+* `oauth_jwt_jwe_keys`
+* `oauth_jwt_public_keys`
+* `oauth_jwt_jwe_public_keys`
+
+`:oauth_jwt_jwe_keys` should be used to store all provider combos of encryption keys, indexed by an algo/method tuple:
+
+```ruby
+oauth_jwt_jwe_keys { { %w[RSA-OAEP A128CBC-HS256] => key } }
+```
+
+The first element of the hash should indicate the preferred encryption mode, when no combination is specifically requested.
+
+It should be considered the most future-proof way of declaring JWE keys, and support for `oauth_jwt_jwe_key` and friends should be soon deprecated.
+
+Both `oauth_jwt_public_keys` and `oauth_jwt_jwe_public_keys` provide a way to declare multiple keys to be exposed as the provider JWKs in the `/jwks` endpoint.
+
+### Improvements
+
+* Added translations for portuguese.
+
+#### OpenID Connect improvements
+
+* The `:oidc` feature now depends on `rodauth`'s [account_expiration](http://rodauth.jeremyevans.net/rdoc/files/doc/account_expiration_rdoc.html) feature.
+
+Although a more-involved-somewhat-breaking change, it was required in order to keep track of account login event timestamps, necessary for correct `"auth_time"` calculation (see the first bugfix mention for more details, and Breaking Changes for migration path).
+
+
+* Support for the `ui_locales` parameter was added. This feature depends on the `:i18n` feature provided by [rodauth-i18n](https://github.com/janko/rodauth-i18n).
+*  Support for the `claims_locales` parameter was added, in that the `get_oidc_param` and `get_additional_param`, when accepting a 3rd parameter, will be passed a locale code:
+
+```ruby
+# given "claims_locales=en pt"
+
+get_oidc_param { |account, param, locale| }
+# will be called twice for the same param, one with locale as "en", another as "pt"
+
+get_oidc_param { |account, param| }
+# will be called once without locale
+```
+
+* Support for `max_age` parameter was added.
+
+* Support for `acr_values` parameter was added.
+
+When "phr", and a `rodauth` 2-factor feature (like [otp](http://rodauth.jeremyevans.net/rdoc/files/doc/otp_rdoc.html)) is enabled, the user will be requested for 2-factor authentication before performing the OpenID Authorization Request.
+
+When "phrh", and `rodauth`'s [webauthn_login](http://rodauth.jeremyevans.net/rdoc/files/doc/webauthn_login_rdoc.html) feature is enabled,  the user will be requested for WebAuthn authentication before performing the OpenID Authorization Request.
+
+Any other acr values are considered provider-specific, and the `require_acr_value(acr_value)` option should be provided to deal with it (it'll be called after authentication is ensured and before the authorization request is processed).
+
+### Bugfixes
+
+* reverted the `"auth_time"` calculation "fix" introduced in 0.9.3, which broke compliance with the RFC (the implementation prior to that was also broken, hence why `"account_expiration"` plugin was introduced as a dependency).
+
+### Breaking Changes
+
+As you read already, the `"account_expiration"` feature is now required by default by `"oidc"`. In order to migrate to it, here's a suggested strategy:
+
+1. Add the relevant database tables
+
+Add a migration looking roughly like this:
+
+```ruby
+create_table(:account_activity_times) do
+  foreign_key :id, :accounts, primary_key: true, type: Integer
+  DateTime :last_activity_at, null: false
+  DateTime :last_login_at, null: false
+  DateTime :expired_at
+end
+```
+
+2. Update and deploy `rodauth-oauth` 0.10.0
+
+(Nothing required beyond `enable :oidc`.)
+
+3. Set `:last_login_at` to a value.
+
+Like now. You can , for example, run this SQL:
+
+```sql
+UPDATE account_activity_times SET last_login_at = CURRENT_TIMESTAMP;
+```
+
+---
+
+That's it, nothing fancy or accurate. Yes, the `last_login_at` is wrong, but as sessions expire, it should go back to normal.

data/doc/release_notes/0_10_1.md

@@ -0,0 +1,5 @@
+### 0.10.1 (20/06/2022)
+
+#### Bugfixes
+
+* refresh token grant logic wasn't scoping the token to be revoked/retokened, which was a bug introduced in a recent refactoring (commit 83e3f183f6c9941d37c8fe8cfd3fc258ab9c576a).

data/doc/release_notes/0_9_2.md

@@ -4,7 +4,7 @@
 
 * Fixed remaining namespacing fix issues requiring usage of `require "rodauth-oauth"`.
 * Fixed wrong expectation of database for resource-server mode when `:oauth_management_base` plugin was used.
-* oidc: fixed incorrect grant creation flow whenn using `nonce` param.
-* oidc: fixed jwt encoding regression when not setting encryption method/algorithmm for client applications.
+* oidc: fixed incorrect grant creation flow when using `nonce` param.
+* oidc: fixed jwt encoding regression when not setting encryption method/algorithm for client applications.
 * templates: added missing jwks field to the "New oauth application" form.
 * Several fixes on the example OIDC applications, mostly around CSRF breakage when using latest version of `omniauth`.

data/doc/release_notes/0_9_3.md

@@ -0,0 +1,9 @@
+### 0.9.3 (30/05/2022)
+
+#### Bugfixes
+
+* `oauth_jwt`: new access tokens generated via the `"refresh_token"` grant type are now JWT (it was falling back to non JWT behaviour);
+*  `oidc`: a new `id_token` is now generated via the `"refresh_token"` grant type with "rotation" policy (it was being omitted from the response);
+* `oidc`: fixing calculation of `"auth_time"` claim, which (as per RFC) needs to stay the same across first authentication and subsequent `"refresh_token"` requests;
+    * it requires a new db column (default: `"auth_time"`, datetime) in the `"oauth_tokens"` database;
+* hash-column `"refresh_token"` will now expose the refresh token (instead of the hash column version) in the `"refresh_token"` grant type response payload (only happened in "non-rotation" refresh token mode).

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -34,13 +34,37 @@
       </div>
     <% end %>
     <%= hidden_field_tag :client_id, params[:client_id] %>
-    <% %i[access_type response_type state nonce redirect_uri code_challenge code_challenge_method].each do |oauth_param| %>
+    <% %i[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
       <% if params[oauth_param] %>
         <%= hidden_field_tag oauth_param,  params[oauth_param] %>
       <% end %>
     <% end %>
-    <% if params[:response_mode] %>
-      <%= hidden_field_tag :response_mode, params[:response_mode] %>
+    <% if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators %>
+      <% rodauth.resource_indicators.each do |resource| %>
+        <%= hidden_field_tag "resource", resource %>
+      <% end %>
+    <% end %>
+    <% if rodauth.features.include?(:oauth_pkce) %>
+      <% if params[:code_challenge] %>
+        <%= hidden_field_tag :code_challenge,  params[:code_challenge] %>
+      <% end %>
+      <% if params[:code_challenge_method] %>
+        <%= hidden_field_tag :code_challenge_method,  params[:code_challenge_method] %>
+      <% end %>
+    <% end %>
+    <% if rodauth.features.include?(:oidc) %>
+      <% if params[:nonce] %>
+        <%= hidden_field_tag :nonce,  params[:nonce] %>
+      <% end %>
+      <% if params[:ui_locales] %>
+        <%= hidden_field_tag :ui_locales,  params[:ui_locales] %>
+      <% end %>
+      <% if params[:claims_locales] %>
+        <%= hidden_field_tag :claims_locales,  params[:claims_locales] %>
+      <% end %>
+      <% if params[:acr_values] %>
+        <%= hidden_field_tag :acr,  params[:acr_values] %>
+      <% end %>
     <% end %>
   </div>
  <p class="text-center">

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -52,6 +52,8 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       # device code grant
       # t.string :user_code, null: true, unique: true
       # t.datetime :last_polled_at, null: true
+      # when using :oauth_resource_indicators feature
+      # t.string :resource
     end
 
     create_table :oauth_tokens do |t|
@@ -77,6 +79,9 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
       # uncomment to use OIDC nonce
       # t.string :nonce
+      # t.datetime :auth_time
+      # when using :oauth_resource_indicators feature
+      # t.string :resource
     end
   end
 end

data/lib/rodauth/features/oauth_base.rb

@@ -425,33 +425,46 @@ module Rodauth
         oauth_tokens_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
       }.merge(params)
 
+      if create_params[oauth_tokens_scopes_column].is_a?(Array)
+        create_params[oauth_tokens_scopes_column] =
+          create_params[oauth_tokens_scopes_column].join(" ")
+      end
+
       rescue_from_uniqueness_error do
-        token = oauth_unique_id_generator
+        access_token = _generate_access_token(create_params)
+        refresh_token = _generate_refresh_token(create_params) if should_generate_refresh_token
+        oauth_token = _store_oauth_token(create_params)
+        oauth_token[oauth_tokens_token_column] = access_token
+        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
+        oauth_token
+      end
+    end
 
-        if oauth_tokens_token_hash_column
-          create_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
-        else
-          create_params[oauth_tokens_token_column] = token
-        end
+    def _generate_access_token(params = {})
+      token = oauth_unique_id_generator
 
-        refresh_token = nil
-        if should_generate_refresh_token
-          refresh_token = oauth_unique_id_generator
+      if oauth_tokens_token_hash_column
+        params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+      else
+        params[oauth_tokens_token_column] = token
+      end
 
-          if oauth_tokens_refresh_token_hash_column
-            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-          else
-            create_params[oauth_tokens_refresh_token_column] = refresh_token
-          end
-        end
-        oauth_token = _generate_oauth_token(create_params)
-        oauth_token[oauth_tokens_token_column] = token
-        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
-        oauth_token
+      token
+    end
+
+    def _generate_refresh_token(params)
+      token = oauth_unique_id_generator
+
+      if oauth_tokens_refresh_token_hash_column
+        params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(token)
+      else
+        params[oauth_tokens_refresh_token_column] = token
       end
+
+      token
     end
 
-    def _generate_oauth_token(params = {})
+    def _store_oauth_token(params = {})
       ds = db[oauth_tokens_table]
 
       if __one_oauth_token_per_account
@@ -576,44 +589,25 @@ module Rodauth
       redirect_response_error("invalid_grant") unless token_from_application?(oauth_token, oauth_application)
 
       rescue_from_uniqueness_error do
-        oauth_tokens_ds = db[oauth_tokens_table]
-        token = oauth_unique_id_generator
-
-        if oauth_tokens_token_hash_column
-          update_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+        oauth_tokens_ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+        access_token = _generate_access_token(update_params)
+
+        if oauth_refresh_token_protection_policy == "rotation"
+          update_params = {
+            **update_params,
+            oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column],
+            oauth_tokens_account_id_column => oauth_token[oauth_tokens_account_id_column],
+            oauth_tokens_scopes_column => oauth_token[oauth_tokens_scopes_column]
+          }
+
+          refresh_token = _generate_refresh_token(update_params)
         else
-          update_params[oauth_tokens_token_column] = token
+          refresh_token = param("refresh_token")
         end
+        oauth_token = __update_and_return__(oauth_tokens_ds, update_params)
 
-        oauth_token = if oauth_refresh_token_protection_policy == "rotation"
-                        insert_params = {
-                          **update_params,
-                          oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column],
-                          oauth_tokens_scopes_column => oauth_token[oauth_tokens_scopes_column]
-                        }
-
-                        refresh_token = oauth_unique_id_generator
-
-                        if oauth_tokens_refresh_token_hash_column
-                          insert_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-                        else
-                          insert_params[oauth_tokens_refresh_token_column] = refresh_token
-                        end
-
-                        # revoke the refresh token
-                        oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
-                                       .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
-
-                        insert_params[oauth_tokens_oauth_token_id_column] = oauth_token[oauth_tokens_id_column]
-                        __insert_and_return__(oauth_tokens_ds, oauth_tokens_id_column, insert_params)
-                      else
-                        # includes none
-                        ds = oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
-                        __update_and_return__(ds, update_params)
-                      end
-
-        oauth_token[oauth_tokens_token_column] = token
-        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
+        oauth_token[oauth_tokens_token_column] = access_token
+        oauth_token[oauth_tokens_refresh_token_column] = refresh_token
         oauth_token
       end
     end

data/lib/rodauth/features/oauth_jwt.rb

@@ -44,10 +44,13 @@ module Rodauth
 
     auth_value_method :oauth_jwt_keys, {}
     auth_value_method :oauth_jwt_key, nil
+    auth_value_method :oauth_jwt_public_keys, {}
     auth_value_method :oauth_jwt_public_key, nil
     auth_value_method :oauth_jwt_algorithm, "RS256"
 
+    auth_value_method :oauth_jwt_jwe_keys, {}
     auth_value_method :oauth_jwt_jwe_key, nil
+    auth_value_method :oauth_jwt_jwe_public_keys, {}
     auth_value_method :oauth_jwt_jwe_public_key, nil
     auth_value_method :oauth_jwt_jwe_algorithm, nil
     auth_value_method :oauth_jwt_jwe_encryption_method, nil
@@ -66,7 +69,6 @@ module Rodauth
       :jwt_encode,
       :jwt_decode,
       :jwks_set,
-      :last_account_login_at,
       :generate_jti
     )
 
@@ -99,12 +101,6 @@ module Rodauth
 
     private
 
-    unless method_defined?(:last_account_login_at)
-      def last_account_login_at
-        nil
-      end
-    end
-
     def issuer
       @issuer ||= oauth_jwt_token_issuer || authorization_server_url
     end
@@ -175,41 +171,38 @@ module Rodauth
 
     # /token
 
-    def generate_oauth_token(params = {}, should_generate_refresh_token = true)
-      create_params = {
-        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
-      }.merge(params)
-
-      oauth_token = rescue_from_uniqueness_error do
-        if should_generate_refresh_token
-          refresh_token = oauth_unique_id_generator
-
-          if oauth_tokens_refresh_token_hash_column
-            create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
-          else
-            create_params[oauth_tokens_refresh_token_column] = refresh_token
-          end
-        end
+    def create_oauth_token_from_token(oauth_token, update_params)
+      otoken = super
+      access_token = _generate_jwt_access_token(otoken)
+      otoken[oauth_tokens_token_column] = access_token
+      otoken
+    end
 
-        _generate_oauth_token(create_params)
-      end
+    def generate_oauth_token(params = {}, should_generate_refresh_token = true)
+      oauth_token = super
+      access_token = _generate_jwt_access_token(oauth_token)
+      oauth_token[oauth_tokens_token_column] = access_token
+      oauth_token
+    end
 
+    def _generate_jwt_access_token(oauth_token)
       claims = jwt_claims(oauth_token)
 
       # one of the points of using jwt is avoiding database lookups, so we put here all relevant
       # token data.
       claims[:scope] = oauth_token[oauth_tokens_scopes_column]
 
-      token = jwt_encode(claims)
+      jwt_encode(claims)
+    end
 
-      oauth_token[oauth_tokens_token_column] = token
-      oauth_token
+    def _generate_access_token(*)
+      # no op
     end
 
     def jwt_claims(oauth_token)
       issued_at = Time.now.to_i
 
-      claims = {
+      {
         iss: issuer, # issuer
         iat: issued_at, # issued at
         #
@@ -227,10 +220,6 @@ module Rodauth
         exp: issued_at + oauth_token_expires_in,
         aud: (oauth_jwt_audience || oauth_application[oauth_applications_client_id_column])
       }
-
-      claims[:auth_time] = last_account_login_at.to_i if last_account_login_at
-
-      claims
     end
 
     def jwt_subject(oauth_token)
@@ -421,10 +410,11 @@ module Rodauth
 
       def jwt_encode(payload,
                      jwks: nil,
-                     jwe_key: oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
-                     signing_algorithm: oauth_jwt_algorithm,
                      encryption_algorithm: oauth_jwt_jwe_algorithm,
-                     encryption_method: oauth_jwt_jwe_encryption_method)
+                     encryption_method: oauth_jwt_jwe_encryption_method,
+                     jwe_key: oauth_jwt_jwe_keys[[encryption_algorithm,
+                                                  encryption_method]] || oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
+                     signing_algorithm: oauth_jwt_algorithm || oauth_jwt_keys.keys.first)
         payload[:jti] = generate_jti(payload)
         jwt = JSON::JWT.new(payload)
 
@@ -441,6 +431,7 @@ module Rodauth
           jwe = jwt.encrypt(jwk, encryption_algorithm.to_sym, encryption_method.to_sym)
           jwe.to_s
         elsif jwe_key
+          jwe_key = jwe_key.first if jwe_key.is_a?(Array)
           algorithm = encryption_algorithm.to_sym if encryption_algorithm
           meth = encryption_method.to_sym if encryption_method
           jwt.encrypt(jwe_key, algorithm, meth)
@@ -452,18 +443,23 @@ module Rodauth
       def jwt_decode(
         token,
         jwks: nil,
-        jws_key: oauth_jwt_public_key || _jwt_key,
-        jws_algorithm: oauth_jwt_algorithm,
-        jwe_key: oauth_jwt_jwe_key,
+        jws_algorithm: oauth_jwt_algorithm || oauth_jwt_public_key.keys.first || oauth_jwt_keys.keys.first,
+        jws_key: oauth_jwt_public_key || oauth_jwt_keys[jws_algorithm] || _jwt_key,
         jws_encryption_algorithm: oauth_jwt_jwe_algorithm,
         jws_encryption_method: oauth_jwt_jwe_encryption_method,
+        jwe_key: oauth_jwt_jwe_keys[[jws_encryption_algorithm, jws_encryption_method]] || oauth_jwt_jwe_key,
         verify_claims: true,
         verify_jti: true,
         verify_iss: true,
         verify_aud: false,
         **
       )
-        token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if jwe_key
+        jws_key = jws_key.first if jws_key.is_a?(Array)
+
+        if jwe_key
+          jwe_key = jwe_key.first if jwe_key.is_a?(Array)
+          token = JSON::JWT.decode(token, jwe_key).plain_text
+        end
 
         claims = if is_authorization_server?
                    if oauth_jwt_legacy_public_key
@@ -501,6 +497,21 @@ module Rodauth
 
       def jwks_set
         @jwks_set ||= [
+          *(
+            unless oauth_jwt_public_keys.empty?
+              oauth_jwt_public_keys.flat_map { |algo, pkeys| pkeys.map { |pkey| JSON::JWK.new(pkey).merge(use: "sig", alg: algo) } }
+            end
+          ),
+          *(
+            unless oauth_jwt_jwe_public_keys.empty?
+              oauth_jwt_jwe_public_keys.flat_map do |(algo, _enc), pkeys|
+                pkeys.map do |pkey|
+                  JSON::JWK.new(pkey).merge(use: "enc", alg: algo)
+                end
+              end
+            end
+          ),
+          # legacy
           (JSON::JWK.new(oauth_jwt_public_key).merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
           (JSON::JWK.new(oauth_jwt_legacy_public_key).merge(use: "sig", alg: oauth_jwt_legacy_algorithm) if oauth_jwt_legacy_public_key),
           (JSON::JWK.new(oauth_jwt_jwe_public_key).merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
@@ -536,7 +547,8 @@ module Rodauth
         JWT::JWK.import(data).keypair
       end
 
-      def jwt_encode(payload, signing_algorithm: oauth_jwt_algorithm)
+      def jwt_encode(payload,
+                     signing_algorithm: oauth_jwt_algorithm || oauth_jwt_keys.keys.first)
         headers = {}
 
         key = oauth_jwt_keys[signing_algorithm] || _jwt_key
@@ -559,11 +571,11 @@ module Rodauth
         def jwt_encode_with_jwe(
           payload,
           jwks: nil,
-          jwe_key: oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
           encryption_algorithm: oauth_jwt_jwe_algorithm,
-          encryption_method: oauth_jwt_jwe_encryption_method, **args
+          encryption_method: oauth_jwt_jwe_encryption_method,
+          jwe_key: oauth_jwt_jwe_public_key || oauth_jwt_jwe_keys[[encryption_algorithm, encryption_method]] || oauth_jwt_jwe_key,
+          **args
         )
-
           token = jwt_encode_without_jwe(payload, **args)
 
           return token unless encryption_algorithm && encryption_method
@@ -571,6 +583,7 @@ module Rodauth
           if jwks && jwks.any? { |k| k[:use] == "enc" }
             JWE.__rodauth_oauth_encrypt_from_jwks(token, jwks, alg: encryption_algorithm, enc: encryption_method)
           elsif jwe_key
+            jwe_key = jwe_key.first if jwe_key.is_a?(Array)
             params = {
               zip: "DEF",
               copyright: oauth_jwt_jwe_copyright
@@ -590,13 +603,15 @@ module Rodauth
       def jwt_decode(
         token,
         jwks: nil,
-        jws_key: oauth_jwt_public_key || _jwt_key,
-        jws_algorithm: oauth_jwt_algorithm,
+        jws_algorithm: oauth_jwt_algorithm || oauth_jwt_public_key.keys.first || oauth_jwt_keys.keys.first,
+        jws_key: oauth_jwt_public_key || oauth_jwt_keys[jws_algorithm] || _jwt_key,
         verify_claims: true,
         verify_jti: true,
         verify_iss: true,
         verify_aud: false
       )
+        jws_key = jws_key.first if jws_key.is_a?(Array)
+
         # verifying the JWT implies verifying:
         #
         # issuer: check that server generated the token
@@ -645,15 +660,16 @@ module Rodauth
         def jwt_decode_with_jwe(
           token,
           jwks: nil,
-          jwe_key: oauth_jwt_jwe_key,
           jws_encryption_algorithm: oauth_jwt_jwe_algorithm,
           jws_encryption_method: oauth_jwt_jwe_encryption_method,
+          jwe_key: oauth_jwt_jwe_keys[[jws_encryption_algorithm, jws_encryption_method]] || oauth_jwt_jwe_key,
           **args
         )
 
           token = if jwks && jwks.any? { |k| k[:use] == "enc" }
                     JWE.__rodauth_oauth_decrypt_from_jwks(token, jwks, alg: jws_encryption_algorithm, enc: jws_encryption_method)
                   elsif jwe_key
+                    jwe_key = jwe_key.first if jwe_key.is_a?(Array)
                     JWE.decrypt(token, jwe_key)
                   else
                     token
@@ -670,6 +686,21 @@ module Rodauth
 
       def jwks_set
         @jwks_set ||= [
+          *(
+            unless oauth_jwt_public_keys.empty?
+              oauth_jwt_public_keys.flat_map { |algo, pkeys| pkeys.map { |pkey| JWT::JWK.new(pkey).export.merge(use: "sig", alg: algo) } }
+            end
+          ),
+          *(
+            unless oauth_jwt_jwe_public_keys.empty?
+              oauth_jwt_jwe_public_keys.flat_map do |(algo, _enc), pkeys|
+                pkeys.map do |pkey|
+                  JWT::JWK.new(pkey).export.merge(use: "enc", alg: algo)
+                end
+              end
+            end
+          ),
+          # legacy
           (JWT::JWK.new(oauth_jwt_public_key).export.merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
           (
              if oauth_jwt_legacy_public_key

data/lib/rodauth/features/oauth_resource_indicators.rb

@@ -0,0 +1,153 @@
+# frozen-string-literal: true
+
+require "rodauth/oauth/version"
+require "rodauth/oauth/ttl_store"
+
+module Rodauth
+  Feature.define(:oauth_resource_indicators, :OauthResourceIndicators) do
+    depends :oauth_base
+
+    auth_value_method :oauth_grants_resource_column, :resource
+    auth_value_method :oauth_tokens_resource_column, :resource
+
+    def resource_indicators
+      return @resource_indicators if defined?(@resource_indicators)
+
+      resources = param_or_nil("resource")
+
+      return unless resources
+
+      if json_request? || param_or_nil("request") # signed request
+        resources = Array(resources)
+      else
+        query = request.form_data? ? request.body.read : request.query_string
+        # resource query param does not conform to rack parsing rules
+        resources = URI.decode_www_form(query).each_with_object([]) do |(k, v), memo|
+          memo << v if k == "resource"
+        end
+      end
+
+      @resource_indicators = resources
+    end
+
+    def require_oauth_authorization(*)
+      super
+
+      return unless authorization_token[oauth_tokens_resource_column]
+
+      token_indicators = authorization_token[oauth_tokens_resource_column]
+
+      token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
+
+      authorization_required unless token_indicators.any? { |resource| base_url.start_with?(resource) }
+    end
+
+    private
+
+    def validate_oauth_token_params
+      super
+
+      return unless resource_indicators
+
+      resource_indicators.each do |resource|
+        redirect_response_error("invalid_target") unless check_valid_no_fragment_uri?(resource)
+      end
+    end
+
+    def create_oauth_token_from_token(oauth_token, update_params)
+      return super unless resource_indicators
+
+      return super unless oauth_token[oauth_tokens_oauth_grant_id_column]
+
+      oauth_grant = db[oauth_grants_table].where(
+        oauth_grants_id_column => oauth_token[oauth_tokens_oauth_grant_id_column],
+        oauth_grants_revoked_at_column => nil
+      ).first
+
+      grant_indicators = oauth_grant[oauth_grants_resource_column]
+
+      grant_indicators = grant_indicators.split(" ") if grant_indicators.is_a?(String)
+
+      redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
+
+      super(oauth_token, update_params.merge(oauth_tokens_resource_column => resource_indicators))
+    end
+
+    def check_valid_no_fragment_uri?(uri)
+      check_valid_uri?(uri) && URI.parse(uri).fragment.nil?
+    end
+
+    module IndicatorAuthorizationCodeGrant
+      private
+
+      def validate_oauth_grant_params
+        super
+
+        return unless resource_indicators
+
+        resource_indicators.each do |resource|
+          redirect_response_error("invalid_target") unless check_valid_no_fragment_uri?(resource)
+        end
+      end
+
+      def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+        return super unless resource_indicators
+
+        redirect_response_error("invalid_target") unless oauth_grant[oauth_grants_resource_column]
+
+        grant_indicators = oauth_grant[oauth_grants_resource_column]
+
+        grant_indicators = grant_indicators.split(" ") if grant_indicators.is_a?(String)
+
+        redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
+
+        super(oauth_grant, create_params.merge(oauth_tokens_resource_column => resource_indicators))
+      end
+
+      def create_oauth_grant(create_params = {})
+        create_params[oauth_grants_resource_column] = resource_indicators.join(" ") if resource_indicators
+
+        super
+      end
+    end
+
+    module IndicatorIntrospection
+      def json_token_introspect_payload(token)
+        return super unless token[oauth_tokens_oauth_grant_id_column]
+
+        payload = super
+
+        token_indicators = token[oauth_tokens_resource_column]
+
+        token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
+
+        payload[:aud] = token_indicators
+
+        payload
+      end
+
+      def introspection_request(*)
+        payload = super
+
+        payload[oauth_tokens_resource_column] = payload["aud"] if payload["aud"]
+
+        payload
+      end
+    end
+
+    module IndicatorJwt
+      def jwt_claims(*)
+        return super unless resource_indicators
+
+        super.merge(aud: resource_indicators)
+      end
+    end
+
+    def self.included(rodauth)
+      super
+      rodauth.send(:include, IndicatorAuthorizationCodeGrant) if rodauth.features.include?(:oauth_authorization_code_grant)
+      rodauth.send(:include, IndicatorIntrospection) if rodauth.features.include?(:oauth_token_introspection)
+      rodauth.send(:include, IndicatorJwt) if rodauth.features.include?(:oauth_jwt)
+    end
+  end
+end

data/lib/rodauth/features/oidc.rb

@@ -60,7 +60,7 @@ module Rodauth
       id_token_signing_alg_values_supported
     ].freeze
 
-    depends :oauth_jwt
+    depends :account_expiration, :oauth_jwt
 
     auth_value_method :oauth_application_default_scope, "openid"
     auth_value_method :oauth_application_scopes, %w[openid]
@@ -73,7 +73,9 @@ module Rodauth
     auth_value_method :oauth_applications_userinfo_encrypted_response_enc_column, :userinfo_encrypted_response_enc
 
     auth_value_method :oauth_grants_nonce_column, :nonce
+    auth_value_method :oauth_grants_acr_column, :acr
     auth_value_method :oauth_tokens_nonce_column, :nonce
+    auth_value_method :oauth_tokens_acr_column, :acr
 
     translatable_method :invalid_scope_message, "The Access Token expired"
 
@@ -87,7 +89,13 @@ module Rodauth
     auth_value_method :oauth_applications_post_logout_redirect_uri_column, :post_logout_redirect_uri
     auth_value_method :use_rp_initiated_logout?, false
 
-    auth_value_methods(:get_oidc_param, :get_additional_param)
+    auth_value_methods(
+      :get_oidc_param,
+      :get_additional_param,
+      :require_acr_value_phr,
+      :require_acr_value_phrh,
+      :require_acr_value
+    )
 
     # /userinfo
     route(:userinfo) do |r|
@@ -251,14 +259,43 @@ module Rodauth
 
     private
 
+    if defined?(::I18n)
+      def before_authorize_route
+        if (ui_locales = param_or_nil("ui_locales"))
+          ui_locales = ui_locales.split(" ").map(&:to_sym)
+          ui_locales &= ::I18n.available_locales
+
+          ::I18n.locale = ui_locales.first unless ui_locales.empty?
+        end
+
+        super
+      end
+    end
+
+    def validate_oauth_grant_params
+      return super unless (max_age = param_or_nil("max_age"))
+
+      max_age = Integer(max_age)
+
+      redirect_response_error("invalid_request") unless max_age.positive?
+
+      return unless Time.now - last_account_login_at > max_age
+
+      # force user to re-login
+      clear_session
+      set_session_value(login_redirect_session_key, request.fullpath)
+      redirect require_login_redirect
+    end
+
     def require_authorizable_account
-      try_prompt if param_or_nil("prompt")
+      try_prompt
       super
+      try_acr_values
     end
 
     # this executes before checking for a logged in account
     def try_prompt
-      prompt = param_or_nil("prompt")
+      return unless (prompt = param_or_nil("prompt"))
 
       case prompt
       when "none"
@@ -313,16 +350,46 @@ module Rodauth
       end
     end
 
-    def create_oauth_grant(create_params = {})
-      return super unless (nonce = param_or_nil("nonce"))
+    def try_acr_values
+      return unless (acr_values = param_or_nil("acr_values"))
+
+      acr_values.split(" ").each do |acr_value|
+        case acr_value
+        when "phr" then require_acr_value_phr
+        when "phrh" then require_acr_value_phrh
+        else
+          require_acr_value(acr_value)
+        end
+      end
+    end
 
-      super(create_params.merge(oauth_grants_nonce_column => nonce))
+    def require_acr_value_phr
+      return unless respond_to?(:require_two_factor_authenticated)
+
+      require_two_factor_authenticated
+    end
+
+    def require_acr_value_phrh
+      require_acr_value_phr && two_factor_login_type_match?("webauthn")
+    end
+
+    def require_acr_value(_acr); end
+
+    def create_oauth_grant(create_params = {})
+      if (nonce = param_or_nil("nonce"))
+        create_params[oauth_grants_nonce_column] = nonce
+      end
+      if (acr = param_or_nil("acr"))
+        create_params[oauth_grants_acr_column] = acr
+      end
+      super
     end
 
     def create_oauth_token_from_authorization_code(oauth_grant, create_params)
-      return super unless oauth_grant[oauth_grants_nonce_column]
+      create_params[oauth_tokens_nonce_column] = oauth_grant[oauth_grants_nonce_column] if oauth_grant[oauth_grants_nonce_column]
+      create_params[oauth_tokens_acr_column] = oauth_grant[oauth_grants_acr_column] if oauth_grant[oauth_grants_acr_column]
 
-      super(oauth_grant, create_params.merge(oauth_tokens_nonce_column => oauth_grant[oauth_grants_nonce_column]))
+      super
     end
 
     def create_oauth_token(*)
@@ -337,12 +404,13 @@ module Rodauth
       return unless oauth_scopes.include?("openid")
 
       id_token_claims = jwt_claims(oauth_token)
+
       id_token_claims[:nonce] = oauth_token[oauth_tokens_nonce_column] if oauth_token[oauth_tokens_nonce_column]
 
+      id_token_claims[:acr] = oauth_token[oauth_tokens_acr_column] if oauth_token[oauth_tokens_acr_column]
+
       # Time when the End-User authentication occurred.
-      #
-      # Sounds like the same as issued at claim.
-      id_token_claims[:auth_time] = id_token_claims[:iat]
+      id_token_claims[:auth_time] = last_account_login_at.to_i
 
       account = db[accounts_table].where(account_id_column => oauth_token[oauth_tokens_account_id_column]).first
 
@@ -377,16 +445,23 @@ module Rodauth
 
       oidc_scopes, additional_scopes = scopes_by_claim.keys.partition { |key| OIDC_SCOPES_MAP.key?(key) }
 
+      if (claims_locales = param_or_nil("claims_locales"))
+        claims_locales = claims_locales.split(" ").map(&:to_sym)
+      end
+
       unless oidc_scopes.empty?
         if respond_to?(:get_oidc_param)
+          get_oidc_param = proxy_get_param(:get_oidc_param, claims, claims_locales)
+
           oidc_scopes.each do |scope|
             scope_claims = claims
             params = scopes_by_claim[scope]
             params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
 
             scope_claims = (claims["address"] = {}) if scope == "address"
+
             params.each do |param|
-              scope_claims[param] = __send__(:get_oidc_param, account, param)
+              get_oidc_param[account, param, scope_claims]
             end
           end
         else
@@ -397,14 +472,39 @@ module Rodauth
       return if additional_scopes.empty?
 
       if respond_to?(:get_additional_param)
+        get_additional_param = proxy_get_param(:get_additional_param, claims, claims_locales)
+
         additional_scopes.each do |scope|
-          claims[scope] = __send__(:get_additional_param, account, scope.to_sym)
+          get_additional_param[account, scope.to_sym]
         end
       else
         warn "`get_additional_param(account, claim)` must be implemented to use oidc scopes."
       end
     end
 
+    def proxy_get_param(get_param_func, claims, claims_locales)
+      meth = method(get_param_func)
+      if meth.arity == 2
+        ->(account, param, cl = claims) { cl[param] = meth[account, param] }
+      elsif claims_locales.nil?
+        ->(account, param, cl = claims) { cl[param] = meth[account, param, nil] }
+      else
+        lambda do |account, param, cl = claims|
+          claims_values = claims_locales.map do |locale|
+            meth[account, param, locale]
+          end
+
+          if claims_values.uniq.size == 1
+            cl[param] = claims_values.first
+          else
+            claims_locales.zip(claims_values).each do |locale, value|
+              cl["#{param}##{locale}"] = value
+            end
+          end
+        end
+      end
+    end
+
     def json_access_token_payload(oauth_token)
       payload = super
       payload["id_token"] = oauth_token[:id_token] if oauth_token[:id_token]
@@ -452,6 +552,12 @@ module Rodauth
         oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_tokens_scopes_column => scopes
       }
+      if (nonce = param_or_nil("nonce"))
+        create_params[oauth_grants_nonce_column] = nonce
+      end
+      if (acr = param_or_nil("acr"))
+        create_params[oauth_grants_acr_column] = acr
+      end
       oauth_token = generate_oauth_token(create_params, false)
       generate_id_token(oauth_token)
       params = json_access_token_payload(oauth_token)
@@ -488,7 +594,7 @@ module Rodauth
         end
       end
 
-      scope_claims.unshift("auth_time") if last_account_login_at
+      scope_claims.unshift("auth_time")
 
       response_types_supported = metadata[:response_types_supported]
 

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.9.2"
+    VERSION = "0.10.1"
   end
 end

data/locales/en.yml

@@ -7,7 +7,7 @@ en:
     revoke_oauth_token_notice_flash: "The oauth token has been revoked"
     device_verification_notice_flash: "The device is verified"
     user_code_not_found_error_flash: "No device to authorize with the given user code"
-    oauth_authorize_title: "Authorize"
+    authorize_page_title: "Authorize"
     oauth_applications_page_title: "Oauth Applications"
     oauth_application_page_title: "Oauth Application"
     new_oauth_application_page_title: "New Oauth Application"
@@ -17,6 +17,7 @@ en:
     device_search_page_title: "Device Search"
     oauth_management_pagination_previous_button: "Previous"
     oauth_management_pagination_next_button: "Next"
+    oauth_tokens_scopes_label: "Scopes"
     oauth_applications_name_label: "Name"
     oauth_applications_description_label: "Description"
     oauth_applications_scopes_label: "Default scopes"

data/locales/pt.yml

@@ -0,0 +1,57 @@
+pt:
+  rodauth:
+    require_authorization_error_flash: "Autorize para continuar"
+    create_oauth_application_error_flash: "Aconteceu um erro ao registar o aplicativo oauth"
+    create_oauth_application_notice_flash: "O seu aplicativo oauth foi registado com sucesso"
+    revoke_unauthorized_account_error_flash: "Não está autorizado a revogar este token"
+    revoke_oauth_token_notice_flash: "O token oauth foi revogado com sucesso"
+    device_verification_notice_flash: "O dispositivo foi verificado com sucesso"
+    user_code_not_found_error_flash: "Não existe nenhum dispositivo a ser autorizado com o código de usuário inserido"
+    authorize_page_title: "Autorizar"
+    oauth_applications_page_title: "Aplicativos OAuth"
+    oauth_application_page_title: "Aplicativo Oauth"
+    new_oauth_application_page_title: "Novo Aplicativo Oauth"
+    oauth_application_oauth_tokens_page_title: "Tokens Oauth do Aplicativo"
+    oauth_tokens_page_title: "Os meus Tokens Oauth"
+    device_verification_page_title: "Verificação de dispositivo"
+    device_search_page_title: "Pesquisa de dispositivo"
+    oauth_management_pagination_previous_button: "Anterior"
+    oauth_management_pagination_next_button: "Próxima"
+    oauth_tokens_scopes_label: "Escopos"
+    oauth_applications_name_label: "Nome"
+    oauth_applications_description_label: "Descrição"
+    oauth_applications_scopes_label: "Escopos prédefinidos"
+    oauth_applications_contacts_label: "Contactos"
+    oauth_applications_homepage_url_label: "URL da página principal"
+    oauth_applications_tos_uri_label: "URL dos termos de serviço"
+    oauth_applications_policy_uri_label: "URL das diretrizes"
+    oauth_applications_redirect_uri_label: "URL para redireccionamento"
+    oauth_applications_client_secret_label: "Segredo de cliente"
+    oauth_applications_client_id_label: "ID do cliente"
+    oauth_grant_user_code_label: "Código do usuário"
+    oauth_grant_user_jws_jwk_label: "Chaves JSON Web"
+    oauth_grant_user_jwt_public_key_label: "Chave pública"
+    oauth_application_button: "Registar"
+    oauth_authorize_button: "Autorizar"
+    oauth_token_revoke_button: "Revogar"
+    oauth_authorize_post_button: "Voltar para o aplicativo cliente"
+    oauth_device_verification_button: "Verificar"
+    oauth_device_search_button: "Pesquisar"
+    invalid_client_message: "A autenticação do cliente falhou"
+    invalid_grant_type_message: "Tipo de atribuição inválida"
+    invalid_grant_message: "Atribuição inválida"
+    invalid_scope_message: "Escopo inválido"
+    invalid_url_message: "URL inválido"
+    unsupported_token_type_message: "Sugestão de tipo de token inválida"
+    unique_error_message: "já está sendo utilizado"
+    null_error_message: "não está preenchido"
+    already_in_use_message: "erro ao gerar token único"
+    expired_token_message: "o código de dispositivo expirou"
+    access_denied_message: "o pedido de autorização foi negado"
+    authorization_pending_message: "o pedido de autorização ainda está pendente"
+    slow_down_message: "o pedido de autorização ainda está pendente mas o intervalo de actualização deve ser aumentado"
+    code_challenge_required_message: "código de negociação necessário"
+    unsupported_transform_algorithm_message: "algoritmo de transformação não suportado"
+    request_uri_not_supported_message: "request_uri não é suportado"
+    invalid_request_object_message: "request_object é inválido"
+    invalid_scope_message: "O Token de acesso expirou"

data/templates/authorize.str

@@ -81,10 +81,20 @@
     #{"<input type=\"hidden\" name=\"response_type\" value=\"#{rodauth.param("response_type")}\"/>" if rodauth.param_or_nil("response_type")}
     #{"<input type=\"hidden\" name=\"response_mode\" value=\"#{rodauth.param("response_mode")}\"/>" if rodauth.param_or_nil("response_mode")}
     #{"<input type=\"hidden\" name=\"state\" value=\"#{rodauth.param("state")}\"/>" if rodauth.param_or_nil("state")}
-    #{"<input type=\"hidden\" name=\"nonce\" value=\"#{rodauth.param("nonce")}\"/>" if rodauth.param_or_nil("nonce")}
     #{"<input type=\"hidden\" name=\"redirect_uri\" value=\"#{rodauth.redirect_uri}\"/>" if rodauth.param_or_nil("redirect_uri")}
-    #{"<input type=\"hidden\" name=\"code_challenge\" value=\"#{rodauth.param("code_challenge")}\"/>" if rodauth.param_or_nil("code_challenge")}
-    #{"<input type=\"hidden\" name=\"code_challenge_method\" value=\"#{rodauth.param("code_challenge_method")}\"/>" if rodauth.param_or_nil("code_challenge_method")}
+    #{"<input type=\"hidden\" name=\"code_challenge\" value=\"#{rodauth.param("code_challenge")}\"/>" if rodauth.features.include?(:oauth_pkce) && rodauth.param_or_nil("code_challenge")}
+    #{"<input type=\"hidden\" name=\"code_challenge_method\" value=\"#{rodauth.param("code_challenge_method")}\"/>" if rodauth.features.include?(:oauth_pkce) && rodauth.param_or_nil("code_challenge_method")}
+    #{"<input type=\"hidden\" name=\"nonce\" value=\"#{rodauth.param("nonce")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("nonce")}
+    #{"<input type=\"hidden\" name=\"ui_locales\" value=\"#{rodauth.param("ui_locales")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("ui_locales")}
+    #{"<input type=\"hidden\" name=\"claims_locales\" value=\"#{rodauth.param("claims_locales")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("claims_locales")}
+    #{"<input type=\"hidden\" name=\"acr\" value=\"#{rodauth.param("acr_values")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("acr_values")}
+    #{
+      if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators
+        rodauth.resource_indicators.map do |resource|
+          "<input type=\"hidden\" name=\"resource\" value=\"#{resource}\"/>"
+        end.join
+      end
+      }
   </div>
   <p class="text-center">
     <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_authorize_button)}"/>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.9.2
+  version: 0.10.1
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-11 00:00:00.000000000 Z
+date: 2022-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -39,6 +39,8 @@ extra_rdoc_files:
 - doc/release_notes/0_0_4.md
 - doc/release_notes/0_0_5.md
 - doc/release_notes/0_0_6.md
+- doc/release_notes/0_10_0.md
+- doc/release_notes/0_10_1.md
 - doc/release_notes/0_1_0.md
 - doc/release_notes/0_2_0.md
 - doc/release_notes/0_3_0.md
@@ -59,6 +61,7 @@ extra_rdoc_files:
 - doc/release_notes/0_9_0.md
 - doc/release_notes/0_9_1.md
 - doc/release_notes/0_9_2.md
+- doc/release_notes/0_9_3.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -69,6 +72,8 @@ files:
 - doc/release_notes/0_0_4.md
 - doc/release_notes/0_0_5.md
 - doc/release_notes/0_0_6.md
+- doc/release_notes/0_10_0.md
+- doc/release_notes/0_10_1.md
 - doc/release_notes/0_1_0.md
 - doc/release_notes/0_2_0.md
 - doc/release_notes/0_3_0.md
@@ -89,6 +94,7 @@ files:
 - doc/release_notes/0_9_0.md
 - doc/release_notes/0_9_1.md
 - doc/release_notes/0_9_2.md
+- doc/release_notes/0_9_3.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -118,6 +124,7 @@ files:
 - lib/rodauth/features/oauth_jwt_bearer_grant.rb
 - lib/rodauth/features/oauth_management_base.rb
 - lib/rodauth/features/oauth_pkce.rb
+- lib/rodauth/features/oauth_resource_indicators.rb
 - lib/rodauth/features/oauth_resource_server.rb
 - lib/rodauth/features/oauth_saml_bearer_grant.rb
 - lib/rodauth/features/oauth_token_introspection.rb
@@ -133,6 +140,7 @@ files:
 - lib/rodauth/oauth/ttl_store.rb
 - lib/rodauth/oauth/version.rb
 - locales/en.yml
+- locales/pt.yml
 - templates/authorize.str
 - templates/client_secret_field.str
 - templates/description_field.str