RubyGems - rodauth-oauth - Versions diffs - 1.0.0.pre.beta1 → 1.0.0.pre.beta2 - Mend

rodauth-oauth 1.0.0.pre.beta1 → 1.0.0.pre.beta2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

checksums.yaml +4 -4
data/README.md +6 -5
data/doc/release_notes/1_0_0_beta2.md +34 -0
data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb +19 -7
data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb +54 -43
data/lib/rodauth/features/oauth_application_management.rb +2 -2
data/lib/rodauth/features/oauth_authorization_code_grant.rb +31 -6
data/lib/rodauth/features/oauth_authorize_base.rb +16 -6
data/lib/rodauth/features/oauth_base.rb +35 -16
data/lib/rodauth/features/oauth_dynamic_client_registration.rb +7 -4
data/lib/rodauth/features/oauth_implicit_grant.rb +6 -5
data/lib/rodauth/features/oauth_jwt.rb +3 -3
data/lib/rodauth/features/oauth_jwt_base.rb +29 -6
data/lib/rodauth/features/oauth_jwt_bearer_grant.rb +7 -4
data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb +64 -10
data/lib/rodauth/features/oauth_resource_indicators.rb +0 -4
data/lib/rodauth/features/oauth_resource_server.rb +3 -3
data/lib/rodauth/features/oauth_saml_bearer_grant.rb +2 -0
data/lib/rodauth/features/oidc.rb +231 -183
data/lib/rodauth/features/oidc_dynamic_client_registration.rb +65 -25
data/lib/rodauth/features/oidc_rp_initiated_logout.rb +115 -0
data/lib/rodauth/oauth/http_extensions.rb +15 -2
data/lib/rodauth/oauth/ttl_store.rb +2 -0
data/lib/rodauth/oauth/version.rb +1 -1
data/locales/en.yml +3 -1
data/locales/pt.yml +3 -1
data/templates/authorize.str +17 -10
metadata +5 -2

data/lib/rodauth/features/oauth_jwt_bearer_grant.rb CHANGED Viewed

@@ -6,6 +6,8 @@ module Rodauth
   Feature.define(:oauth_jwt_bearer_grant, :OauthJwtBearerGrant) do
     depends :oauth_assertion_base, :oauth_jwt
+    auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
     auth_value_methods(
       :require_oauth_application_from_jwt_bearer_assertion_issuer,
       :require_oauth_application_from_jwt_bearer_assertion_subject,
@@ -54,7 +56,7 @@ module Rodauth
     def require_oauth_application_from_client_secret_jwt(client_id, assertion, alg)
       oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
-      authorization_required unless supports_auth_method?(oauth_application, "client_secret_jwt")
+      authorization_required unless oauth_application && supports_auth_method?(oauth_application, "client_secret_jwt")
       client_secret = oauth_application[oauth_applications_client_secret_column]
       claims = jwt_assertion(assertion, jws_key: client_secret, jws_algorithm: alg)
       authorization_required unless claims && claims["iss"] == client_id
@@ -63,7 +65,7 @@ module Rodauth
     def require_oauth_application_from_private_key_jwt(client_id, assertion)
       oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
-      authorization_required unless supports_auth_method?(oauth_application, "private_key_jwt")
+      authorization_required unless oauth_application && supports_auth_method?(oauth_application, "private_key_jwt")
       jwks = oauth_application_jwks(oauth_application)
       claims = jwt_assertion(assertion, jwks: jwks)
       authorization_required unless claims
@@ -79,8 +81,9 @@ module Rodauth
     end
     def jwt_assertion(assertion, **kwargs)
-      claims = jwt_decode(assertion, verify_iss: false, verify_aud: false, **kwargs)
-      return unless verify_aud(request.url, claims["aud"])
+      claims = jwt_decode(assertion, verify_iss: false, verify_aud: false, verify_jti: false, **kwargs)
+      return unless claims && verify_aud(request.url, claims["aud"])
       claims
     end

data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb CHANGED Viewed

@@ -4,31 +4,46 @@ require "rodauth/oauth"
 module Rodauth
   Feature.define(:oauth_jwt_secured_authorization_request, :OauthJwtSecuredAuthorizationRequest) do
+    ALLOWED_REQUEST_URI_CONTENT_TYPES = %w[application/jose application/oauth-authz-req+jwt].freeze
     depends :oauth_authorize_base, :oauth_jwt_base
+    auth_value_method :oauth_require_request_uri_registration, false
+    auth_value_method :oauth_request_object_signing_alg_allow_none, false
+    auth_value_method :oauth_applications_request_uris_column, :request_uris
     auth_value_method :oauth_applications_request_object_signing_alg_column, :request_object_signing_alg
     auth_value_method :oauth_applications_request_object_encryption_alg_column, :request_object_encryption_alg
     auth_value_method :oauth_applications_request_object_encryption_enc_column, :request_object_encryption_enc
-    translatable_method :oauth_request_uri_not_supported_message, "request uri is unsupported"
     translatable_method :oauth_invalid_request_object_message, "request object is invalid"
+    auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
     private
     # /authorize
     def validate_authorize_params
-      # TODO: add support for requst_uri
-      redirect_response_error("request_uri_not_supported") if param_or_nil("request_uri")
       request_object = param_or_nil("request")
-      return super unless request_object && oauth_application
+      request_uri = param_or_nil("request_uri")
-      if (jwks = oauth_application_jwks(oauth_application))
-        jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
-      else
-        redirect_response_error("invalid_request_object")
+      return super unless (request_object || request_uri) && oauth_application
+      if request_uri
+        request_uri = CGI.unescape(request_uri)
+        redirect_response_error("invalid_request_uri") unless supported_request_uri?(request_uri, oauth_application)
+        response = http_request(request_uri)
+        unless response.code.to_i == 200 && ALLOWED_REQUEST_URI_CONTENT_TYPES.include?(response["content-type"])
+          redirect_response_error("invalid_request_uri")
+        end
+        request_object = response.body
       end
       request_sig_enc_opts = {
@@ -37,10 +52,33 @@ module Rodauth
         jws_encryption_method: oauth_application[oauth_applications_request_object_encryption_enc_column]
       }.compact
-      claims = jwt_decode(request_object, jwks: jwks, verify_jti: false, verify_aud: false, **request_sig_enc_opts)
+      request_sig_enc_opts[:jws_algorithm] ||= "none" if oauth_request_object_signing_alg_allow_none
+      if request_sig_enc_opts[:jws_algorithm] == "none"
+        jwks = nil
+      elsif (jwks = oauth_application_jwks(oauth_application))
+        jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
+      else
+        redirect_response_error("invalid_request_object")
+      end
+      claims = jwt_decode(request_object,
+                          jwks: jwks,
+                          verify_jti: false,
+                          verify_iss: false,
+                          verify_aud: false,
+                          **request_sig_enc_opts)
       redirect_response_error("invalid_request_object") unless claims
+      if (iss = claims["iss"]) && (iss != oauth_application[oauth_applications_client_id_column])
+        redirect_response_error("invalid_request_object")
+      end
+      if (aud = claims["aud"]) && !verify_aud(aud, oauth_jwt_issuer)
+        redirect_response_error("invalid_request_object")
+      end
       # If signed, the Authorization Request
       # Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
       # as members, with their semantics being the same as defined in the JWT
@@ -58,5 +96,21 @@ module Rodauth
       super
     end
+    def supported_request_uri?(request_uri, oauth_application)
+      return false unless check_valid_uri?(request_uri)
+      request_uris = oauth_application[oauth_applications_request_uris_column]
+      request_uris.nil? || request_uris.split(oauth_scope_separator).one? { |uri| request_uri.start_with?(uri) }
+    end
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:request_parameter_supported] = true
+        data[:request_uri_parameter_supported] = true
+        data[:require_request_uri_registration] = oauth_require_request_uri_registration
+      end
+    end
   end
 end

data/lib/rodauth/features/oauth_resource_indicators.rb CHANGED Viewed

@@ -70,10 +70,6 @@ module Rodauth
       super(oauth_grant, update_params.merge(oauth_grants_resource_column => resource_indicators))
     end
-    def check_valid_no_fragment_uri?(uri)
-      check_valid_uri?(uri) && URI.parse(uri).fragment.nil?
-    end
     module IndicatorAuthorizationCodeGrant
       private

data/lib/rodauth/features/oauth_resource_server.rb CHANGED Viewed

@@ -16,12 +16,12 @@ module Rodauth
       return @authorization_token if defined?(@authorization_token)
       # check if there is a token
-      bearer_token = fetch_access_token
+      access_token = fetch_access_token
-      return unless bearer_token
+      return unless access_token
       # where in resource server, NOT the authorization server.
-      payload = introspection_request("access_token", bearer_token)
+      payload = introspection_request("access_token", access_token)
       return unless payload["active"]

data/lib/rodauth/features/oauth_saml_bearer_grant.rb CHANGED Viewed

@@ -17,6 +17,8 @@ module Rodauth
     auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
     auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
+    auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
     auth_value_methods(
       :require_oauth_application_from_saml2_bearer_assertion_issuer,
       :require_oauth_application_from_saml2_bearer_assertion_subject,