rodauth-oauth 1.0.0.pre.beta1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 299307b4879c519f6bcf7e5cfb875b75ac1d6b73b90371d3c9925baaf50dee08
-  data.tar.gz: 05a87d3e473b514f7cbb67d841a4a9185154dd1d15933d3321a3e4946c9c28ed
+  metadata.gz: 8288f66a0f7dd5400b60d2508a0247aefd37f1aa73322c19bf3b744d3e8b1ace
+  data.tar.gz: 6f2c333c4c2c3a4f92544f939ac1112d31c78a56779f22234bb7e7ce95105931
 SHA512:
-  metadata.gz: 2600d4236957c98ece6db0b06d280675d0e64c203a42e59e52063fea851bb42ec782063da5e8598211ae2a20faf9282616ffba14de8333f4e3a49ba04c97d154
-  data.tar.gz: 7a3b5a0b1f9979c92329848d57c6de9a68f372f2357d4ade96538aea884124235efeeb3bd28d2336d3dad92344ce59cb61958c868ffa8b12f4771d17b2e1f0f7
+  metadata.gz: 612b2651b4c29f98427a5113b403ce214d3d8513cd740977a834f5efdbb4aac46fc83f74f54a2b925836e6860cf008226232956ee5dc975f08cd88215aa198f2
+  data.tar.gz: 2940dd71610ea52f3c18ea942f0a2fd4122028f9c1c0bce5986506501c24c5603d981406e997b662e68986411244db442747e453ff65a49431551d56d8da0eac

data/CHANGELOG.md

@@ -1 +1 @@
-See the Release Notes under https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/doc/release_notes
+See the Release Notes under https://gitlab.com/os85/rodauth-oauth/-/tree/master/doc/release_notes

data/MIGRATION-GUIDE-v1.md

@@ -90,6 +90,10 @@ The client secret is hashed (with bcrypt) before being stored, by default. While
 oauth_applications_client_secret_hash_column nil
 ```
 
+## oauth applications: oauth_applications_homepage_url_column no longer required
+
+The homepage url is no longer considered a require prooperty of an OAuth client application.
+
 ## oauth grants: access token and refresh token hashed by default
 
 access token and refresh token columns are now hashed by default, and point to the same column as the main counterpart:
@@ -205,6 +209,14 @@ JWKs URI endpoint has been moved to its plugin. If you require this functionalit
 enable :oauth_jwt, :oauth_jwt_jwks
 ```
 
+## OIDC RP-initiated logout segregated in its plugin
+
+It was previously being loaded in the `:oidc` plugin by default. If you require this funtionality, enable the plugin:
+
+```ruby
+enable :oidc_rp_initiated_logout
+```
+
 ## routing functions renamed
 
 Previously, loading well-known routes, the oauth server metadata, or oauth application/tokens (now grants) management dashboard implied calling a function on roda to load those routes. These have been renamed:

data/README.md

@@ -1,11 +1,25 @@
 # Rodauth::Oauth
 
 [![Gem Version](https://badge.fury.io/rb/rodauth-oauth.svg)](http://rubygems.org/gems/rodauth-oauth)
-[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/pipelines?page=1&scope=all&ref=master)
-[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg?job=coverage)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
+[![pipeline status](https://gitlab.com/os85/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/os85/rodauth-oauth/pipelines?page=1&scope=all&ref=master)
+[![coverage report](https://gitlab.com/os85/rodauth-oauth/badges/master/coverage.svg?job=coverage)](https://os85.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
 
 This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framework](https://tools.ietf.org/html/rfc6749) for an authorization server.
 
+## Certification
+[<img width="184" height="96" align="right" src="/openid-certified.jpg" alt="OpenID Certification">](https://openid.net/certification/)
+
+`rodauth-oauth` is [certified](https://openid.net/certification/) for the following profiles of the OpenID Connect™ protocol:
+
+* Basic OP
+* Implicit OP
+* Hybrid OP
+* Config OP
+* Dynamic OP
+* Form Post OP
+
+(it also passes the conformance tests for the RP-Initiated Logout OP).
+
 ## Features
 
 This gem implements the following RFCs and features of OAuth:
@@ -35,11 +49,12 @@ This gem implements the following RFCs and features of OAuth:
 
 It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:
 
-* [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
-* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
-* [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
-* [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html);
-* [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
+* `oidc`
+  * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
+  * [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
+  * [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
+* `oidc_dynamic_client_registration` - [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html);
+* `oidc_rp_initiated_logout` - [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 
@@ -64,10 +79,10 @@ Or install it yourself as:
 ## Resources
 |               |                                                             |
 | ------------- | ----------------------------------------------------------- |
-| Website       | https://honeyryderchuck.gitlab.io/rodauth-oauth/            |
-| Documentation | https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/       |
-| Wiki          | https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home |
-| CI            | https://gitlab.com/honeyryderchuck/rodauth-oauth/pipelines  |
+| Website       | https://os85.gitlab.io/rodauth-oauth/            |
+| Documentation | https://os85.gitlab.io/rodauth-oauth/rdoc/       |
+| Wiki          | https://gitlab.com/os85/rodauth-oauth/wikis/home |
+| CI            | https://gitlab.com/os85/rodauth-oauth/pipelines  |
 
 ## Articles
 
@@ -131,12 +146,12 @@ end
 
 ### Example (TL;DR)
 
-Just [check our example applications](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples/).
+Just [check our example applications](https://gitlab.com/os85/rodauth-oauth/-/tree/master/examples/).
 
 
 ### Database migrations
 
-You have to generate database tables for accounts, oauth applications, grants and tokens. In order for you to hit the ground running, [here's a set of migrations (using `sequel`) to generate the needed tables](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/test/migrate) (omit the first 2 if you already have account tables, and [follow recommendations from rodauth accordingly](https://github.com/jeremyevans/rodauth)).
+You have to generate database tables for accounts, oauth applications, grants and tokens. In order for you to hit the ground running, [here's a set of migrations (using `sequel`) to generate the needed tables](https://gitlab.com/os85/rodauth-oauth/-/tree/master/test/migrate) (omit the first 2 if you already have account tables, and [follow recommendations from rodauth accordingly](https://github.com/jeremyevans/rodauth)).
 
 You can change column names or even use existing tables, however, be aware that you'll have to define new column accessors at the `rodauth` plugin declaration level. Let's say, for instance, you'd like to change the `oauth_grants` table name to `access_grants`, and it's `code` column to `authorization_code`; then, you'd have to do the following:
 
@@ -269,7 +284,7 @@ end
 
 `rodauth-oauth` supports translating all user-facing text found in all pages and forms, by integrating with [rodauth-i18n](https://github.com/janko/rodauth-i18n). Just set it up in your application and `rodauth` configuration.
 
-Default translations shipping with `rodauth-oauth` can be found [in this directory](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/locales). If they're not available for the languages you'd like to support, consider getting them translated from the english text, and contributing them to this repository via a Merge Request.
+Default translations shipping with `rodauth-oauth` can be found [in this directory](https://gitlab.com/os85/rodauth-oauth/-/tree/master/locales). If they're not available for the languages you'd like to support, consider getting them translated from the english text, and contributing them to this repository via a Merge Request.
 
 (This feature is available since `v0.7`.)
 
@@ -288,4 +303,4 @@ After checking out the repo, run `bundle install` to install dependencies. Then,
 
 ## Contributing
 
-Bug reports and pull requests are welcome on Gitlab at https://gitlab.com/honeyryderchuck/rodauth-oauth.
+Bug reports and pull requests are welcome on Gitlab at https://gitlab.com/os85/rodauth-oauth.

data/doc/release_notes/0_1_0.md

@@ -12,9 +12,9 @@ plugin :rodauth do
 end
 ```
 
-For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/home#openid-connect-since-v01).
+For more info about integrating it, [check the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/home#openid-connect-since-v01).
 
-It supports omniauth openID integrations out-of-the-box, [check the OpenID example, which integrates with omniauth_openid_connect](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples).
+It supports omniauth openID integrations out-of-the-box, [check the OpenID example, which integrates with omniauth_openid_connect](https://gitlab.com/os85/rodauth-oauth/-/tree/master/examples).
 
 #### Improvements
 

data/doc/release_notes/0_2_0.md

@@ -12,7 +12,7 @@ plugin :rodauth do
 end
 ```
 
-For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Assertion-Access-Tokens).
+For more info about integrating it, [check the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/SAML-Assertion-Access-Tokens).
 
 ##### Supporting rotating keys
 

data/doc/release_notes/0_3_0.md

@@ -7,7 +7,7 @@
 #### Improvements
 
 
-* Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
+* Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/os85/rodauth-select-account).
 
 * Refresh Tokens are now expirable. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.
 

data/doc/release_notes/0_5_0.md

@@ -2,10 +2,10 @@
 
 #### RP-Initiated Logout
 
-The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
+The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
 
 #### Security
 
 The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the claims of used JWT tokens. This is a **very important security fix**, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
 
-A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.
+A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/os85/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.

data/doc/release_notes/0_8_0.md

@@ -4,7 +4,7 @@
 
 * Device code grant
 
-`rodauth-oauth` now supports the [Device code grant RFC](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/Device-Grant), via the `oauth_device_grant` feature.
+`rodauth-oauth` now supports the [Device code grant RFC](https://gitlab.com/os85/rodauth-oauth/-/wikis/Device-Grant), via the `oauth_device_grant` feature.
 
 * OAuth Tokens Management
 
@@ -12,7 +12,7 @@ An OAuth Tokens Management Dashboard is now provided (via `r.oauth_tokens` call
 
 * Assertion Framework (+ SAML and JWT Bearer Grant)
 
-A new plugin, `oauth_assertion_base`, was introduced to provide a baseline for implementing custom Bearer Assertion as per the [OAuth Client Assertion Framework RFC](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/Client-Assertion-Framework). This in turn was used to refactor and reintroduce the [oauth_saml_bearer_grant](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Bearer-Assertions) and the [oauth_jwt_bearer_grant](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Bearer-Assertions) features, which implement the respective and most recent version of the assertion RFCs.
+A new plugin, `oauth_assertion_base`, was introduced to provide a baseline for implementing custom Bearer Assertion as per the [OAuth Client Assertion Framework RFC](https://gitlab.com/os85/rodauth-oauth/-/wikis/Client-Assertion-Framework). This in turn was used to refactor and reintroduce the [oauth_saml_bearer_grant](https://gitlab.com/os85/rodauth-oauth/-/wikis/SAML-Bearer-Assertions) and the [oauth_jwt_bearer_grant](https://gitlab.com/os85/rodauth-oauth/-/wikis/JWT-Bearer-Assertions) features, which implement the respective and most recent version of the assertion RFCs.
 
 (as a result, `oauth_saml` was removed, which implemented a very old draft version of the SAML Bearer spec).
 

data/doc/release_notes/1_0_0.md

@@ -0,0 +1,79 @@
+## 1.0.0 (15/12/2022)
+
+## Highlights
+
+rodauth-oauth is now [OpenID certified](https://openid.net/certification/) for the following certification profiles:
+
+* Basic OP
+* Implicit OP
+* Hybrid OP
+* Config OP
+* Dynamic OP
+* Form Post OP
+
+and passes the conformance tests for RP-Initiated Logout OP.
+
+The OIDC server used to run the test can be found [here](https://gitlab.com/os85/rodauth-oauth/-/blob/master/examples/oidc/authentication_server.rb) and deployed [here](https://rodauth-oauth-oidc.onrender.com).
+
+### Breaking changes
+
+The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the [migration guide](https://gitlab.com/os85/rodauth-oauth/-/blob/6465b8522a78cf0037a55d3d4b81f68f7811be68/MIGRATION-GUIDE-v1.md).
+
+A short list of the main highlights:
+
+
+* Ruby 2.5 or higher is required.
+* `oauth_http_mac` feature removed.
+* `oauth_tokens` table (and resource) were removed (only `oauth_applications` and `oauth_grants`, access and refresh tokens are now properties of the latter).
+* access and refresh tokens hashed by default when stored in the database.
+* default oauth response mode is `"form_post"`.
+* oauth specific features require explicit enablement of respective features (no more `enable :oauth`)
+* refresh token policy is "rotation" by default
+* homepage url is no longer a client application required property.
+* OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout` feature.
+
+### Features
+
+The following helpers are exposed in the `rodauth` object:
+
+* `current_oauth_account` - returns the dataset row for the `rodauth` account associated to an oauth access token in the "authorization" header.
+* `current_oauth_application` - returns the dataset row for the oauth application associated to an oauth access token in the "authorization" header.
+
+When used in `rails` via `rodauth-rails`, both are exposed directly as controller helpers.
+
+#### `oauth_resource_server` plugin
+
+This plugin can be used as a convenience when configuring resource servers.
+
+#### JAR support for request_uri query param
+
+The `oauth_jwt_secured_authorization_request` plugin now supports a `request_uri` query param as well.
+
+#### OIDC features
+
+* The `oidc` plugin supports [essential claims](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter), via the `claims` authorization request query parameter.
+* id token built with `"c_hash"` and `"at_hash"` claims when they should.
+
+### Improvements
+
+* `:oauth_introspect` plugin: OAuth introspection endpoint exposes the token's `"username"` claim.
+* endpoint client authentication supports "client credentials grant" access tokens.
+* `acr_values_supported` exposed in the openid configuration.
+* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an accepted request object signing alg when `true` (`false` by default).
+* OIDC `offline_access` supported.
+
+### Bugfixes
+
+* fixed `oidc` calculation of `"auth_time"` claim.
+* JWT: "sub" is now always a string.
+* `response_type` is now an authorization request required parameter (as per the RFC).
+* `state` is now passed along when redirecting from authorization requests with `error`;
+* access token can now be read from POST body or GET query params (as per the RFC).
+* id token no longer shipping with claims with `null` value;
+* id token no longer encoding claims by default (only when `response_type=id_token`, as per the RFC).
+* support "JWT without kid" when doing jwt decoding for JWT tokens not generated in the provider (such as request objects).
+* Set `iss` and `aud` claims in the Userinfo JWT response.
+* Make sure errors are also delivered via form POST, when `response_mode=form_post`.
+* Authorization request now shows an error page when `response_type` or `client_id` are missing, or `redirect_uri` is missing or invalid; a new `"authorize_error"` template is invoked in such cases.
+* oidc: nonce present in id token when using the "id_token token" response type.
+* error parameter delivered in URL fragment when failing an implicit grant autorization request.

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -2,7 +2,9 @@
   <% if rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
     <%= image_tag rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
   <% end %>
-  <p class="lead"><%= rodauth.authorize_page_lead(name: link_to(rodauth.oauth_application[rodauth.oauth_applications_name_column], rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column])).html_safe %></p>
+  <% application_uri = rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column] %>
+  <% application_name = application_uri ? link_to(rodauth.oauth_application[rodauth.oauth_applications_name_column], application_uri) : rodauth.oauth_application[rodauth.oauth_applications_name_column] %>
+  <p class="lead"><%= rodauth.authorize_page_lead(name: application_name).html_safe %></p>
 
   <div class="list-group">
     <% if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column] %>
@@ -26,10 +28,14 @@
     <h1 class="display-6"><%= rodauth.oauth_grants_scopes_label %></h1>
 
     <% rodauth.authorize_scopes.each do |scope| %>
-      <div class="form-check">
-        <%= check_box_tag "scope[]", scope, id: scope, class: "form-check-input" %>
-        <%= label_tag scope, scope, class: "form-check-label" %>
-      </div>
+      <% if rodauth.features.include?(:oidc) && scope == "offline_access" %>
+        <%= hidden_field_tag "scope[]", scope %>
+      <% else %>
+        <div class="form-check">
+          <%= check_box_tag "scope[]", scope, id: scope, class: "form-check-input" %>
+          <%= label_tag scope, scope, class: "form-check-label" %>
+        </div>
+      <% end %>
     <% end %>
     <%= hidden_field_tag :client_id, params[:client_id] %>
     <% %i[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
@@ -51,6 +57,9 @@
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oidc) %>
+      <% if params[:prompt] %>
+        <%= hidden_field_tag :prompt,  params[:prompt] %>
+      <% end %>
       <% if params[:nonce] %>
         <%= hidden_field_tag :nonce,  params[:nonce] %>
       <% end %>
@@ -60,13 +69,16 @@
       <% if params[:claims_locales] %>
         <%= hidden_field_tag :claims_locales,  params[:claims_locales] %>
       <% end %>
+      <% if params[:claims] %>
+        <%= hidden_field_tag :claims,  sanitize(params[:claims]) %>
+      <% end %>
       <% if params[:acr_values] %>
-        <%= hidden_field_tag :acr,  params[:acr_values] %>
+        <%= hidden_field_tag :acr_values,  params[:acr_values] %>
       <% end %>
     <% end %>
   </div>
  <p class="text-center">
     <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
-    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{rodauth.state}" if params[:state] }", class: "btn btn-outline-danger" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if params[:state] }", class: "btn btn-outline-danger" %>
   </p>
 <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize_error.erb

@@ -0,0 +1,10 @@
+<div class="container">
+  <div class="alert alert-danger">
+    <p>
+      <%= @error %>%
+    </p>
+  </div>
+ <p class="text-center">
+  <%= link_to rodauth.oauth_cancel_button, @back_url, class: "btn btn-outline-danger" %>
+ </p>
+</div>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -5,42 +5,48 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.foreign_key :accounts, column: :account_id
       t.string :name, null: false
       t.string :description, null: true
-      t.string :homepage_url, null: false
+      t.string :homepage_url, null: true
       t.string :redirect_uri, null: false
       t.string :client_id, null: false, index: { unique: true }
       t.string :client_secret, null: false, index: { unique: true }
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-      # extra params
-      # t.string :token_endpoint_auth_method, null: true
-      # t.string :grant_types, null: true
-      # t.string :response_types, null: true
-      # t.string :client_uri, null: true
-      # t.string :logo_uri, null: true
-      # t.string :tos_uri, null: true
-      # t.string :policy_uri, null: true
-      # t.string :jwks_uri, null: true
-      # t.string :jwks, null: true
-      # t.string :contacts, null: true
-      # t.string :software_id, null: true
-      # t.string :software_version, null: true
-      # oidc extra params
-      # t.string :sector_identifier_uri, null: true
-      # t.string :application_type, null: true
-      # t.string :subject_type, null: true
-      # t.string :id_token_signed_response_alg, null: true
-      # t.string :id_token_encrypted_response_alg, null: true
-      # t.string :id_token_encrypted_response_enc, null: true
-      # t.string :userinfo_signed_response_alg, null: true
-      # t.string :userinfo_encrypted_response_alg, null: true
-      # t.string :userinfo_encrypted_response_enc, null: true
-      # t.string :request_object_signing_alg, null: true
-      # t.string :request_object_encryption_alg, null: true
-      # t.string :request_object_encryption_enc, null: true
-      # JWT/OIDC per application signing verification
-      # t.text :jwt_public_key, null: true
-      # RP-initiated logout
-      # t.string :post_logout_redirect_uri, null: false
+
+      # :oauth_dynamic_client_configuration enabled, extra optional params
+      t.string :token_endpoint_auth_method, null: true
+      t.string :grant_types, null: true
+      t.string :response_types, null: true
+      t.string :client_uri, null: true
+      t.string :logo_uri, null: true
+      t.string :tos_uri, null: true
+      t.string :policy_uri, null: true
+      t.string :jwks_uri, null: true
+      t.string :jwks, null: true
+      t.string :contacts, null: true
+      t.string :software_id, null: true
+      t.string :software_version, null: true
+
+      # :oidc_dynamic_client_configuration enabled, extra optional params
+      t.string :sector_identifier_uri, null: true
+      t.string :application_type, null: true
+
+      # :oidc enabled
+      t.string :subject_type, null: true
+      t.string :id_token_signed_response_alg, null: true
+      t.string :id_token_encrypted_response_alg, null: true
+      t.string :id_token_encrypted_response_enc, null: true
+      t.string :userinfo_signed_response_alg, null: true
+      t.string :userinfo_encrypted_response_alg, null: true
+      t.string :userinfo_encrypted_response_enc, null: true
+
+      # :oauth_jwt_secured_authorization_request
+      t.string :request_object_signing_alg, null: true
+      t.string :request_object_encryption_alg, null: true
+      t.string :request_object_encryption_enc, null: true
+      t.string :request_uris, null: true
+
+      # :oidc_rp_initiated_logout enabled
+      t.string :post_logout_redirect_uris, null: false
     end
 
     create_table :oauth_grants do |t|
@@ -58,19 +64,24 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :revoked_at
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-      # for using access_types
       t.string :access_type, null: false, default: "offline"
-      # uncomment to enable PKCE
-      # t.string :code_challenge
-      # t.string :code_challenge_method
-      # device code grant
-      # t.string :user_code, null: true, unique: true
-      # t.datetime :last_polled_at, null: true
-      # when using :oauth_resource_indicators feature
-      # t.string :resource
-      # uncomment to use OIDC nonce
-      # t.string :nonce
-      # t.string :acr
+
+      # :oauth_pkce enabled
+      t.string :code_challenge
+      t.string :code_challenge_method
+
+      # :oauth_device_code_grant enabled
+      t.string :user_code, null: true, unique: true
+      t.datetime :last_polled_at, null: true
+
+      # :resource_indicators enabled
+      t.string :resource
+
+      # :oidc enabled
+      t.string :nonce
+      t.string :acr
+      t.string :claims_locales
+      t.string :claims
     end
   end
 end

data/lib/rodauth/features/oauth_application_management.rb

@@ -165,10 +165,10 @@ module Rodauth
             value.each do |uri|
               next if uri.empty?
 
-              set_field_error(key, invalid_url_message) unless check_valid_uri?(uri)
+              set_field_error(key, invalid_url_message) unless check_valid_no_fragment_uri?(uri)
             end
           else
-            set_field_error(key, invalid_url_message) unless check_valid_uri?(value)
+            set_field_error(key, invalid_url_message) unless check_valid_no_fragment_uri?(value)
           end
         elsif key == oauth_application_scopes_param
 

data/lib/rodauth/features/oauth_authorization_code_grant.rb

@@ -25,9 +25,9 @@ module Rodauth
     def validate_authorize_params
       super
 
-      return unless (response_mode = param_or_nil("response_mode")) && !oauth_response_modes_supported.include?(response_mode)
+      response_mode = param_or_nil("response_mode")
 
-      redirect_response_error("invalid_request")
+      redirect_response_error("invalid_request") if response_mode && !oauth_response_modes_supported.include?(response_mode)
     end
 
     def validate_token_params
@@ -46,7 +46,6 @@ module Rodauth
 
       case response_type
       when "code", nil
-        response_mode ||= oauth_response_mode
         response_params.replace(_do_authorize_code)
       end
 
@@ -68,7 +67,7 @@ module Rodauth
       redirect_url = URI.parse(redirect_uri)
       case mode
       when "query"
-        params = params.map { |k, v| "#{k}=#{v}" }
+        params = params.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }
         params << redirect_url.query if redirect_url.query
         redirect_url.query = params.join("&")
         redirect(redirect_url.to_s)
@@ -80,7 +79,7 @@ module Rodauth
               <form method="post" action="#{redirect_uri}">
                 #{
                   params.map do |name, value|
-                    "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+                    "<input type=\"hidden\" name=\"#{scope.h(name)}\" value=\"#{scope.h(value)}\" />"
                   end.join
                 }
                 <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
@@ -91,11 +90,36 @@ module Rodauth
       end
     end
 
+    def _redirect_response_error(redirect_url, query_params)
+      response_mode = param_or_nil("response_mode") || oauth_response_mode
+
+      case response_mode
+      when "form_post"
+        response["Content-Type"] = "text/html"
+        response.write <<-FORM
+          <html>
+            <head><title></title></head>
+            <body onload="javascript:document.forms[0].submit()">
+              <form method="post" action="#{redirect_uri}">
+                #{
+                  query_params.map do |name, value|
+                    "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+                  end.join
+                }
+              </form>
+            </body>
+          </html>
+        FORM
+        request.halt
+      else
+        super
+      end
+    end
+
     def create_token(grant_type)
       return super unless supported_grant_type?(grant_type, "authorization_code")
 
       grant_params = {
-        oauth_grants_type_column => grant_type,
         oauth_grants_code_column => param("code"),
         oauth_grants_redirect_uri_column => param("redirect_uri"),
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
@@ -107,7 +131,7 @@ module Rodauth
     def check_valid_response_type?
       response_type = param_or_nil("response_type")
 
-      response_type.nil? || response_type == "code" || response_type == "none" || super
+      response_type == "code" || response_type == "none" || super
     end
 
     def oauth_server_metadata_body(*)