rodauth-oauth 1.0.0.pre.beta1 → 1.0.0

data/lib/rodauth/features/oauth_authorize_base.rb

@@ -10,6 +10,7 @@ module Rodauth
     after "authorize"
 
     view "authorize", "Authorize", "authorize"
+    view "authorize_error", "Authorize Error", "authorize_error"
 
     button "Authorize", "oauth_authorize"
     button "Back to Client Application", "oauth_authorize_post"
@@ -23,6 +24,8 @@ module Rodauth
     translatable_method :oauth_applications_contacts_label, "Contacts"
     translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
     translatable_method :oauth_applications_policy_uri_label, "Policy URL"
+    translatable_method :oauth_unsupported_response_type_message, "Unsupported response type"
+    translatable_method :oauth_authorize_parameter_required, "Invalid or missing '%<parameter>s'"
 
     # /authorize
     auth_server_route(:authorize) do |r|
@@ -63,9 +66,17 @@ module Rodauth
     private
 
     def validate_authorize_params
-      redirect_response_error("invalid_request", request.referer || default_redirect) unless oauth_application && check_valid_redirect_uri?
+      redirect_authorize_error("client_id") unless oauth_application
 
-      redirect_response_error("invalid_request") unless check_valid_response_type?
+      redirect_uris = oauth_application[oauth_applications_redirect_uri_column].split(" ")
+
+      if (redirect_uri = param_or_nil("redirect_uri"))
+        redirect_authorize_error("redirect_uri") unless redirect_uris.include?(redirect_uri)
+      elsif redirect_uris.size > 1
+        redirect_authorize_error("redirect_uri")
+      end
+
+      redirect_response_error("unsupported_response_type") unless check_valid_response_type?
 
       redirect_response_error("invalid_request") unless check_valid_access_type? && check_valid_approval_prompt?
 
@@ -78,10 +89,6 @@ module Rodauth
       false
     end
 
-    def check_valid_redirect_uri?
-      oauth_application[oauth_applications_redirect_uri_column].split(" ").include?(redirect_uri)
-    end
-
     ACCESS_TYPES = %w[offline online].freeze
 
     def check_valid_access_type?
@@ -117,6 +124,21 @@ module Rodauth
       request.env["REQUEST_METHOD"] = "POST"
     end
 
+    def redirect_authorize_error(parameter, referer = request.referer || default_redirect)
+      error_message = oauth_authorize_parameter_required(parameter: parameter)
+
+      if accepts_json?
+        status_code = oauth_invalid_response_status
+
+        throw_json_response_error(status_code, "invalid_request", error_message)
+      else
+        scope.instance_variable_set(:@error, error_message)
+        scope.instance_variable_set(:@back_url, referer)
+
+        return_response(authorize_error_view)
+      end
+    end
+
     def authorization_required
       if accepts_json?
         throw_json_response_error(oauth_authorization_required_error_status, "invalid_client")
@@ -140,10 +162,10 @@ module Rodauth
     end
 
     def create_oauth_grant(create_params = {})
-      create_params[oauth_grants_oauth_application_id_column] = oauth_application[oauth_applications_id_column]
-      create_params[oauth_grants_redirect_uri_column] = redirect_uri
-      create_params[oauth_grants_expires_in_column] = Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in)
-      create_params[oauth_grants_scopes_column] = scopes.join(oauth_scope_separator)
+      create_params[oauth_grants_oauth_application_id_column] ||= oauth_application[oauth_applications_id_column]
+      create_params[oauth_grants_redirect_uri_column] ||= redirect_uri
+      create_params[oauth_grants_expires_in_column] ||= Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in)
+      create_params[oauth_grants_scopes_column] ||= scopes.join(oauth_scope_separator)
 
       if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
         create_params[oauth_grants_access_type_column] = access_type

data/lib/rodauth/features/oauth_base.rb

@@ -3,6 +3,8 @@
 require "time"
 require "base64"
 require "securerandom"
+require "cgi"
+require "digest/sha2"
 require "rodauth/version"
 require "rodauth/oauth"
 require "rodauth/oauth/database_extensions"
@@ -17,8 +19,6 @@ module Rodauth
     auth_value_methods(:http_request)
     auth_value_methods(:http_request_cache)
 
-    SCOPES = %w[profile.read].freeze
-
     before "token"
 
     error_flash "Please authorize to continue", "require_authorization"
@@ -82,7 +82,7 @@ module Rodauth
     auth_value_method :oauth_already_in_use_response_status, 409
 
     # Feature options
-    auth_value_method :oauth_application_scopes, SCOPES
+    auth_value_method :oauth_application_scopes, []
     auth_value_method :oauth_token_type, "bearer"
     auth_value_method :oauth_refresh_token_protection_policy, "rotation" # can be: none, sender_constrained, rotation
 
@@ -228,13 +228,20 @@ module Rodauth
     end
 
     def fetch_access_token
-      value = request.env["HTTP_AUTHORIZATION"]
+      if (token = request.params["access_token"])
+        if request.post? && !(request.content_type.start_with?("application/x-www-form-urlencoded") &&
+                        request.params.size == 1)
+          return
+        end
+      else
+        value = request.env["HTTP_AUTHORIZATION"]
 
-      return unless value && !value.empty?
+        return unless value && !value.empty?
 
-      scheme, token = value.split(" ", 2)
+        scheme, token = value.split(" ", 2)
 
-      return unless scheme.downcase == oauth_token_type
+        return unless scheme.downcase == oauth_token_type
+      end
 
       return if token.nil? || token.empty?
 
@@ -245,11 +252,11 @@ module Rodauth
       return @authorization_token if defined?(@authorization_token)
 
       # check if there is a token
-      bearer_token = fetch_access_token
+      access_token = fetch_access_token
 
-      return unless bearer_token
+      return unless access_token
 
-      @authorization_token = oauth_grant_by_token(bearer_token)
+      @authorization_token = oauth_grant_by_token(access_token)
     end
 
     def require_oauth_authorization(*scopes)
@@ -758,22 +765,31 @@ module Rodauth
         query_params = []
 
         query_params << if respond_to?(:"oauth_#{error_code}_error_code")
-                          "error=#{send(:"oauth_#{error_code}_error_code")}"
+                          ["error", send(:"oauth_#{error_code}_error_code")]
                         else
-                          "error=#{error_code}"
+                          ["error", error_code]
                         end
 
         if respond_to?(:"oauth_#{error_code}_message")
           message = send(:"oauth_#{error_code}_message")
-          query_params << ["error_description=#{CGI.escape(message)}"]
+          query_params << ["error_description", CGI.escape(message)]
         end
 
-        query_params << redirect_url.query if redirect_url.query
-        redirect_url.query = query_params.join("&")
-        redirect(redirect_url.to_s)
+        state = param_or_nil("state")
+
+        query_params << ["state", state] if state
+
+        _redirect_response_error(redirect_url, query_params)
       end
     end
 
+    def _redirect_response_error(redirect_url, query_params)
+      query_params = query_params.map { |k, v| "#{k}=#{v}" }
+      query_params << redirect_url.query if redirect_url.query
+      redirect_url.query = query_params.join("&")
+      redirect(redirect_url.to_s)
+    end
+
     def json_response_success(body, cache = false)
       response.status = 200
       response["Content-Type"] ||= json_response_content_type
@@ -835,6 +851,10 @@ module Rodauth
       URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(uri)
     end
 
+    def check_valid_no_fragment_uri?(uri)
+      check_valid_uri?(uri) && URI.parse(uri).fragment.nil?
+    end
+
     # Resource server mode
 
     def authorization_server_metadata

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -8,7 +8,7 @@ module Rodauth
 
     before "register"
 
-    auth_value_method :oauth_client_registration_required_params, %w[redirect_uris client_name client_uri]
+    auth_value_method :oauth_client_registration_required_params, %w[redirect_uris client_name]
 
     PROTECTED_APPLICATION_ATTRIBUTES = %w[account_id client_id].freeze
 
@@ -68,7 +68,10 @@ module Rodauth
         when "redirect_uris"
           if value.is_a?(Array)
             value = value.each do |uri|
-              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri)) unless check_valid_uri?(uri)
+              unless check_valid_no_fragment_uri?(uri)
+                register_throw_json_response_error("invalid_redirect_uri",
+                                                   register_invalid_uri_message(uri))
+              end
             end.join(" ")
           else
             register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(value))
@@ -76,7 +79,7 @@ module Rodauth
           key = oauth_applications_redirect_uri_column
         when "token_endpoint_auth_method"
           unless oauth_token_endpoint_auth_methods_supported.include?(value)
-            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(key, value))
           end
           # verify if in range
           key = oauth_applications_token_endpoint_auth_method_column
@@ -84,7 +87,7 @@ module Rodauth
           if value.is_a?(Array)
             value = value.each do |grant_type|
               unless oauth_grant_types_supported.include?(grant_type)
-                register_throw_json_response_error("invalid_client_metadata", register_oauth_invalid_grant_type_message(grant_type))
+                register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(grant_type, value))
               end
             end.join(" ")
           else

data/lib/rodauth/features/oauth_implicit_grant.rb

@@ -28,23 +28,34 @@ module Rodauth
 
       redirect_response_error("invalid_request") unless supported_response_mode?(response_mode)
 
-      response_params.replace(_do_authorize_token)
+      oauth_grant = _do_authorize_token
+
+      response_params.replace(json_access_token_payload(oauth_grant))
 
       response_params["state"] = param("state") if param_or_nil("state")
 
       [response_params, response_mode]
     end
 
-    def _do_authorize_token
+    def _do_authorize_token(grant_params = {})
       grant_params = {
         oauth_grants_type_column => "implicit",
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_grants_scopes_column => scopes,
         oauth_grants_account_id_column => account_id
-      }
-      oauth_grant = generate_token(grant_params, false)
+      }.merge(grant_params)
+
+      generate_token(grant_params, false)
+    end
 
-      json_access_token_payload(oauth_grant)
+    def _redirect_response_error(redirect_url, query_params)
+      response_types = param("response_type").split(/ +/)
+
+      return super if response_types.empty? || response_types == %w[code]
+
+      query_params = query_params.map { |k, v| "#{k}=#{v}" }
+      redirect_url.fragment = query_params.join("&")
+      redirect(redirect_url.to_s)
     end
 
     def authorize_response(params, mode)

data/lib/rodauth/features/oauth_jwt.rb

@@ -49,11 +49,11 @@ module Rodauth
       return @authorization_token if defined?(@authorization_token)
 
       @authorization_token = begin
-        bearer_token = fetch_access_token
+        access_token = fetch_access_token
 
-        return unless bearer_token
+        return unless access_token
 
-        jwt_claims = jwt_decode(bearer_token)
+        jwt_claims = jwt_decode(access_token)
 
         return unless jwt_claims
 

data/lib/rodauth/features/oauth_jwt_base.rb

@@ -63,7 +63,11 @@ module Rodauth
     end
 
     def jwt_subject(oauth_grant, client_application = oauth_application)
-      oauth_grant[oauth_grants_account_id_column] || client_application[oauth_applications_client_id_column]
+      account_id = oauth_grant[oauth_grants_account_id_column]
+
+      return account_id.to_s if account_id
+
+      client_application[oauth_applications_client_id_column]
     end
 
     def oauth_server_metadata_body(path = nil)
@@ -207,14 +211,23 @@ module Rodauth
 
         claims = if is_authorization_server?
                    if jwks
+                     jwks = jwks[:keys] if jwks.is_a?(Hash)
+
                      enc_algs = [jws_encryption_algorithm].compact
                      enc_meths = [jws_encryption_method].compact
 
                      sig_algs = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
                      sig_algs = sig_algs.compact.map(&:to_sym)
 
-                     jws = JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks }), enc_algs + sig_algs, enc_meths)
-                     jws = JSON::JWT.decode(jws.plain_text, JSON::JWK::Set.new({ keys: jwks }), sig_algs) if jws.is_a?(JSON::JWE)
+                     # JWKs may be set up without a KID, when there's a single one
+                     if jwks.size == 1 && !jwks[0][:kid]
+                       key = jwks[0]
+                       jwk_key = JSON::JWK.new(key)
+                       jws = JSON::JWT.decode(token, jwk_key)
+                     else
+                       jws = JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks }), enc_algs + sig_algs, enc_meths)
+                       jws = JSON::JWT.decode(jws.plain_text, JSON::JWK::Set.new({ keys: jwks }), sig_algs) if jws.is_a?(JSON::JWE)
+                     end
                      jws
                    elsif jws_key
                      JSON::JWT.decode(token, jws_key)
@@ -279,7 +292,7 @@ module Rodauth
       end
 
       def jwt_encode(payload,
-                     signing_algorithm: oauth_jwt_keys.keys.first)
+                     signing_algorithm: oauth_jwt_keys.keys.first, **)
         headers = {}
 
         key = oauth_jwt_keys[signing_algorithm] || _jwt_key
@@ -368,8 +381,18 @@ module Rodauth
         # decode jwt
         claims = if is_authorization_server?
                    if jwks
-                     algorithms = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-                     JWT.decode(token, nil, true, algorithms: algorithms, jwks: { keys: jwks }, **verify_claims_params).first
+                     jwks = jwks[:keys] if jwks.is_a?(Hash)
+
+                     # JWKs may be set up without a KID, when there's a single one
+                     if jwks.size == 1 && !jwks[0][:kid]
+                       key = jwks[0]
+                       algo = key[:alg]
+                       key = JWT::JWK.import(key).keypair
+                       JWT.decode(token, key, true, algorithms: [algo], **verify_claims_params).first
+                     else
+                       algorithms = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                       JWT.decode(token, nil, true, algorithms: algorithms, jwks: { keys: jwks }, **verify_claims_params).first
+                     end
                    elsif jws_key
                      JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params).first
                    end

data/lib/rodauth/features/oauth_jwt_bearer_grant.rb

@@ -6,6 +6,8 @@ module Rodauth
   Feature.define(:oauth_jwt_bearer_grant, :OauthJwtBearerGrant) do
     depends :oauth_assertion_base, :oauth_jwt
 
+    auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
+
     auth_value_methods(
       :require_oauth_application_from_jwt_bearer_assertion_issuer,
       :require_oauth_application_from_jwt_bearer_assertion_subject,
@@ -54,7 +56,7 @@ module Rodauth
 
     def require_oauth_application_from_client_secret_jwt(client_id, assertion, alg)
       oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
-      authorization_required unless supports_auth_method?(oauth_application, "client_secret_jwt")
+      authorization_required unless oauth_application && supports_auth_method?(oauth_application, "client_secret_jwt")
       client_secret = oauth_application[oauth_applications_client_secret_column]
       claims = jwt_assertion(assertion, jws_key: client_secret, jws_algorithm: alg)
       authorization_required unless claims && claims["iss"] == client_id
@@ -63,7 +65,7 @@ module Rodauth
 
     def require_oauth_application_from_private_key_jwt(client_id, assertion)
       oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
-      authorization_required unless supports_auth_method?(oauth_application, "private_key_jwt")
+      authorization_required unless oauth_application && supports_auth_method?(oauth_application, "private_key_jwt")
       jwks = oauth_application_jwks(oauth_application)
       claims = jwt_assertion(assertion, jwks: jwks)
       authorization_required unless claims
@@ -79,8 +81,9 @@ module Rodauth
     end
 
     def jwt_assertion(assertion, **kwargs)
-      claims = jwt_decode(assertion, verify_iss: false, verify_aud: false, **kwargs)
-      return unless verify_aud(request.url, claims["aud"])
+      claims = jwt_decode(assertion, verify_iss: false, verify_aud: false, verify_jti: false, **kwargs)
+
+      return unless claims && verify_aud(request.url, claims["aud"])
 
       claims
     end

data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb

@@ -4,31 +4,46 @@ require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_jwt_secured_authorization_request, :OauthJwtSecuredAuthorizationRequest) do
+    ALLOWED_REQUEST_URI_CONTENT_TYPES = %w[application/jose application/oauth-authz-req+jwt].freeze
+
     depends :oauth_authorize_base, :oauth_jwt_base
 
+    auth_value_method :oauth_require_request_uri_registration, false
+    auth_value_method :oauth_request_object_signing_alg_allow_none, false
+
+    auth_value_method :oauth_applications_request_uris_column, :request_uris
+
     auth_value_method :oauth_applications_request_object_signing_alg_column, :request_object_signing_alg
     auth_value_method :oauth_applications_request_object_encryption_alg_column, :request_object_encryption_alg
     auth_value_method :oauth_applications_request_object_encryption_enc_column, :request_object_encryption_enc
 
-    translatable_method :oauth_request_uri_not_supported_message, "request uri is unsupported"
     translatable_method :oauth_invalid_request_object_message, "request object is invalid"
 
+    auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
+
     private
 
     # /authorize
 
     def validate_authorize_params
-      # TODO: add support for requst_uri
-      redirect_response_error("request_uri_not_supported") if param_or_nil("request_uri")
-
       request_object = param_or_nil("request")
 
-      return super unless request_object && oauth_application
+      request_uri = param_or_nil("request_uri")
 
-      if (jwks = oauth_application_jwks(oauth_application))
-        jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
-      else
-        redirect_response_error("invalid_request_object")
+      return super unless (request_object || request_uri) && oauth_application
+
+      if request_uri
+        request_uri = CGI.unescape(request_uri)
+
+        redirect_response_error("invalid_request_uri") unless supported_request_uri?(request_uri, oauth_application)
+
+        response = http_request(request_uri)
+
+        unless response.code.to_i == 200 && ALLOWED_REQUEST_URI_CONTENT_TYPES.include?(response["content-type"])
+          redirect_response_error("invalid_request_uri")
+        end
+
+        request_object = response.body
       end
 
       request_sig_enc_opts = {
@@ -37,10 +52,33 @@ module Rodauth
         jws_encryption_method: oauth_application[oauth_applications_request_object_encryption_enc_column]
       }.compact
 
-      claims = jwt_decode(request_object, jwks: jwks, verify_jti: false, verify_aud: false, **request_sig_enc_opts)
+      request_sig_enc_opts[:jws_algorithm] ||= "none" if oauth_request_object_signing_alg_allow_none
+
+      if request_sig_enc_opts[:jws_algorithm] == "none"
+        jwks = nil
+      elsif (jwks = oauth_application_jwks(oauth_application))
+        jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
+      else
+        redirect_response_error("invalid_request_object")
+      end
+
+      claims = jwt_decode(request_object,
+                          jwks: jwks,
+                          verify_jti: false,
+                          verify_iss: false,
+                          verify_aud: false,
+                          **request_sig_enc_opts)
 
       redirect_response_error("invalid_request_object") unless claims
 
+      if (iss = claims["iss"]) && (iss != oauth_application[oauth_applications_client_id_column])
+        redirect_response_error("invalid_request_object")
+      end
+
+      if (aud = claims["aud"]) && !verify_aud(aud, oauth_jwt_issuer)
+        redirect_response_error("invalid_request_object")
+      end
+
       # If signed, the Authorization Request
       # Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
       # as members, with their semantics being the same as defined in the JWT
@@ -58,5 +96,21 @@ module Rodauth
 
       super
     end
+
+    def supported_request_uri?(request_uri, oauth_application)
+      return false unless check_valid_uri?(request_uri)
+
+      request_uris = oauth_application[oauth_applications_request_uris_column]
+
+      request_uris.nil? || request_uris.split(oauth_scope_separator).one? { |uri| request_uri.start_with?(uri) }
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:request_parameter_supported] = true
+        data[:request_uri_parameter_supported] = true
+        data[:require_request_uri_registration] = oauth_require_request_uri_registration
+      end
+    end
   end
 end

data/lib/rodauth/features/oauth_resource_indicators.rb

@@ -70,10 +70,6 @@ module Rodauth
       super(oauth_grant, update_params.merge(oauth_grants_resource_column => resource_indicators))
     end
 
-    def check_valid_no_fragment_uri?(uri)
-      check_valid_uri?(uri) && URI.parse(uri).fragment.nil?
-    end
-
     module IndicatorAuthorizationCodeGrant
       private
 

data/lib/rodauth/features/oauth_resource_server.rb

@@ -16,12 +16,12 @@ module Rodauth
       return @authorization_token if defined?(@authorization_token)
 
       # check if there is a token
-      bearer_token = fetch_access_token
+      access_token = fetch_access_token
 
-      return unless bearer_token
+      return unless access_token
 
       # where in resource server, NOT the authorization server.
-      payload = introspection_request("access_token", bearer_token)
+      payload = introspection_request("access_token", access_token)
 
       return unless payload["active"]
 

data/lib/rodauth/features/oauth_saml_bearer_grant.rb

@@ -17,6 +17,8 @@ module Rodauth
     auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
     auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
 
+    auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
+
     auth_value_methods(
       :require_oauth_application_from_saml2_bearer_assertion_issuer,
       :require_oauth_application_from_saml2_bearer_assertion_subject,