rodauth-oauth 1.0.0.pre.beta2 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f96bced835f21567ea5603751e8cf06b53d4eae70d9cab8bc685e2fca8c2027
-  data.tar.gz: 59badde6a055fa2638bcb41b01534f0b5b8de9eac541ac596f25e6d5cd6fb043
+  metadata.gz: 12c86242a8a2001fba629cb6bd8e25886b8805fce5d0965ebc70377824e25e91
+  data.tar.gz: 2fdc78f81b737c9c0d0086f258a86807f8855d3f0bc9be89bffb6d6a90946ed3
 SHA512:
-  metadata.gz: 492a5c3c12bcc678c5eb6171e9d9851db745412fdb3675674c61b512dbfd1ff1aec09da02a3d4df3acb9133148990538200c49ce05de7a34dea85107aebf151b
-  data.tar.gz: 65f1223065b2a0bce609b4137b8fadd206fffa9904caac97c41dc4d429528dea474a8b450128409ed164f6407c690e95a3e7c4a83b8f9302fb41d0336e132dea
+  metadata.gz: be15b77c46a135d213cd6e6e6bc7000b961e036febdb8f75bb922f09554d68ab757d5094fe96816c83c5966a3094daa32ecbbee798b2a8bb72417df9506ac3b3
+  data.tar.gz: a5fec610e9193d449ef49fbfde36688398c9e4e576da5ea579165c306ecc51bc910d0d758c923a9bece59ef4e7651347f9ebb7951504f3354b101fe5f845173a

data/CHANGELOG.md

@@ -1 +1 @@
-See the Release Notes under https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/doc/release_notes
+See the Release Notes under https://gitlab.com/os85/rodauth-oauth/-/tree/master/doc/release_notes

data/MIGRATION-GUIDE-v1.md

@@ -90,6 +90,10 @@ The client secret is hashed (with bcrypt) before being stored, by default. While
 oauth_applications_client_secret_hash_column nil
 ```
 
+## oauth applications: oauth_applications_homepage_url_column no longer required
+
+The homepage url is no longer considered a require prooperty of an OAuth client application.
+
 ## oauth grants: access token and refresh token hashed by default
 
 access token and refresh token columns are now hashed by default, and point to the same column as the main counterpart:
@@ -205,6 +209,14 @@ JWKs URI endpoint has been moved to its plugin. If you require this functionalit
 enable :oauth_jwt, :oauth_jwt_jwks
 ```
 
+## OIDC RP-initiated logout segregated in its plugin
+
+It was previously being loaded in the `:oidc` plugin by default. If you require this funtionality, enable the plugin:
+
+```ruby
+enable :oidc_rp_initiated_logout
+```
+
 ## routing functions renamed
 
 Previously, loading well-known routes, the oauth server metadata, or oauth application/tokens (now grants) management dashboard implied calling a function on roda to load those routes. These have been renamed:

data/README.md

@@ -1,11 +1,25 @@
 # Rodauth::Oauth
 
 [![Gem Version](https://badge.fury.io/rb/rodauth-oauth.svg)](http://rubygems.org/gems/rodauth-oauth)
-[![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/pipelines?page=1&scope=all&ref=master)
-[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg?job=coverage)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
+[![pipeline status](https://gitlab.com/os85/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/os85/rodauth-oauth/pipelines?page=1&scope=all&ref=master)
+[![coverage report](https://gitlab.com/os85/rodauth-oauth/badges/master/coverage.svg?job=coverage)](https://os85.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
 
 This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framework](https://tools.ietf.org/html/rfc6749) for an authorization server.
 
+## Certification
+[<img width="184" height="96" align="right" src="/openid-certified.jpg" alt="OpenID Certification">](https://openid.net/certification/)
+
+`rodauth-oauth` is [certified](https://openid.net/certification/) for the following profiles of the OpenID Connect™ protocol:
+
+* Basic OP
+* Implicit OP
+* Hybrid OP
+* Config OP
+* Dynamic OP
+* Form Post OP
+
+(it also passes the conformance tests for the RP-Initiated Logout OP).
+
 ## Features
 
 This gem implements the following RFCs and features of OAuth:
@@ -32,6 +46,7 @@ This gem implements the following RFCs and features of OAuth:
 
 * `oauth_dynamic_client_registration` - [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591);
 * OAuth application and token management dashboards;
+*  The recommendations for [Native Apps](https://www.rfc-editor.org/rfc/rfc8252);
 
 It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:
 
@@ -65,10 +80,10 @@ Or install it yourself as:
 ## Resources
 |               |                                                             |
 | ------------- | ----------------------------------------------------------- |
-| Website       | https://honeyryderchuck.gitlab.io/rodauth-oauth/            |
-| Documentation | https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/       |
-| Wiki          | https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home |
-| CI            | https://gitlab.com/honeyryderchuck/rodauth-oauth/pipelines  |
+| Website       | https://os85.gitlab.io/rodauth-oauth/            |
+| Documentation | https://os85.gitlab.io/rodauth-oauth/rdoc/       |
+| Wiki          | https://gitlab.com/os85/rodauth-oauth/wikis/home |
+| CI            | https://gitlab.com/os85/rodauth-oauth/pipelines  |
 
 ## Articles
 
@@ -132,12 +147,12 @@ end
 
 ### Example (TL;DR)
 
-Just [check our example applications](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples/).
+Just [check our example applications](https://gitlab.com/os85/rodauth-oauth/-/tree/master/examples/).
 
 
 ### Database migrations
 
-You have to generate database tables for accounts, oauth applications, grants and tokens. In order for you to hit the ground running, [here's a set of migrations (using `sequel`) to generate the needed tables](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/test/migrate) (omit the first 2 if you already have account tables, and [follow recommendations from rodauth accordingly](https://github.com/jeremyevans/rodauth)).
+You have to generate database tables for accounts, oauth applications, grants and tokens. In order for you to hit the ground running, [here's a set of migrations (using `sequel`) to generate the needed tables](https://gitlab.com/os85/rodauth-oauth/-/tree/master/test/migrate) (omit the first 2 if you already have account tables, and [follow recommendations from rodauth accordingly](https://github.com/jeremyevans/rodauth)).
 
 You can change column names or even use existing tables, however, be aware that you'll have to define new column accessors at the `rodauth` plugin declaration level. Let's say, for instance, you'd like to change the `oauth_grants` table name to `access_grants`, and it's `code` column to `authorization_code`; then, you'd have to do the following:
 
@@ -270,7 +285,7 @@ end
 
 `rodauth-oauth` supports translating all user-facing text found in all pages and forms, by integrating with [rodauth-i18n](https://github.com/janko/rodauth-i18n). Just set it up in your application and `rodauth` configuration.
 
-Default translations shipping with `rodauth-oauth` can be found [in this directory](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/locales). If they're not available for the languages you'd like to support, consider getting them translated from the english text, and contributing them to this repository via a Merge Request.
+Default translations shipping with `rodauth-oauth` can be found [in this directory](https://gitlab.com/os85/rodauth-oauth/-/tree/master/locales). If they're not available for the languages you'd like to support, consider getting them translated from the english text, and contributing them to this repository via a Merge Request.
 
 (This feature is available since `v0.7`.)
 
@@ -289,4 +304,4 @@ After checking out the repo, run `bundle install` to install dependencies. Then,
 
 ## Contributing
 
-Bug reports and pull requests are welcome on Gitlab at https://gitlab.com/honeyryderchuck/rodauth-oauth.
+Bug reports and pull requests are welcome on Gitlab at https://gitlab.com/os85/rodauth-oauth.

data/doc/release_notes/0_1_0.md

@@ -12,9 +12,9 @@ plugin :rodauth do
 end
 ```
 
-For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/home#openid-connect-since-v01).
+For more info about integrating it, [check the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/home#openid-connect-since-v01).
 
-It supports omniauth openID integrations out-of-the-box, [check the OpenID example, which integrates with omniauth_openid_connect](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples).
+It supports omniauth openID integrations out-of-the-box, [check the OpenID example, which integrates with omniauth_openid_connect](https://gitlab.com/os85/rodauth-oauth/-/tree/master/examples).
 
 #### Improvements
 

data/doc/release_notes/0_2_0.md

@@ -12,7 +12,7 @@ plugin :rodauth do
 end
 ```
 
-For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Assertion-Access-Tokens).
+For more info about integrating it, [check the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/SAML-Assertion-Access-Tokens).
 
 ##### Supporting rotating keys
 

data/doc/release_notes/0_3_0.md

@@ -7,7 +7,7 @@
 #### Improvements
 
 
-* Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
+* Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/os85/rodauth-select-account).
 
 * Refresh Tokens are now expirable. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.
 

data/doc/release_notes/0_5_0.md

@@ -2,10 +2,10 @@
 
 #### RP-Initiated Logout
 
-The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
+The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
 
 #### Security
 
 The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the claims of used JWT tokens. This is a **very important security fix**, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
 
-A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.
+A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/os85/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.

data/doc/release_notes/0_8_0.md

@@ -4,7 +4,7 @@
 
 * Device code grant
 
-`rodauth-oauth` now supports the [Device code grant RFC](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/Device-Grant), via the `oauth_device_grant` feature.
+`rodauth-oauth` now supports the [Device code grant RFC](https://gitlab.com/os85/rodauth-oauth/-/wikis/Device-Grant), via the `oauth_device_grant` feature.
 
 * OAuth Tokens Management
 
@@ -12,7 +12,7 @@ An OAuth Tokens Management Dashboard is now provided (via `r.oauth_tokens` call
 
 * Assertion Framework (+ SAML and JWT Bearer Grant)
 
-A new plugin, `oauth_assertion_base`, was introduced to provide a baseline for implementing custom Bearer Assertion as per the [OAuth Client Assertion Framework RFC](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/Client-Assertion-Framework). This in turn was used to refactor and reintroduce the [oauth_saml_bearer_grant](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Bearer-Assertions) and the [oauth_jwt_bearer_grant](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Bearer-Assertions) features, which implement the respective and most recent version of the assertion RFCs.
+A new plugin, `oauth_assertion_base`, was introduced to provide a baseline for implementing custom Bearer Assertion as per the [OAuth Client Assertion Framework RFC](https://gitlab.com/os85/rodauth-oauth/-/wikis/Client-Assertion-Framework). This in turn was used to refactor and reintroduce the [oauth_saml_bearer_grant](https://gitlab.com/os85/rodauth-oauth/-/wikis/SAML-Bearer-Assertions) and the [oauth_jwt_bearer_grant](https://gitlab.com/os85/rodauth-oauth/-/wikis/JWT-Bearer-Assertions) features, which implement the respective and most recent version of the assertion RFCs.
 
 (as a result, `oauth_saml` was removed, which implemented a very old draft version of the SAML Bearer spec).
 

data/doc/release_notes/1_0_0.md

@@ -0,0 +1,79 @@
+## 1.0.0 (15/12/2022)
+
+## Highlights
+
+rodauth-oauth is now [OpenID certified](https://openid.net/certification/) for the following certification profiles:
+
+* Basic OP
+* Implicit OP
+* Hybrid OP
+* Config OP
+* Dynamic OP
+* Form Post OP
+
+and passes the conformance tests for RP-Initiated Logout OP.
+
+The OIDC server used to run the test can be found [here](https://gitlab.com/os85/rodauth-oauth/-/blob/master/examples/oidc/authentication_server.rb) and deployed [here](https://rodauth-oauth-oidc.onrender.com).
+
+### Breaking changes
+
+The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the [migration guide](https://gitlab.com/os85/rodauth-oauth/-/blob/6465b8522a78cf0037a55d3d4b81f68f7811be68/MIGRATION-GUIDE-v1.md).
+
+A short list of the main highlights:
+
+
+* Ruby 2.5 or higher is required.
+* `oauth_http_mac` feature removed.
+* `oauth_tokens` table (and resource) were removed (only `oauth_applications` and `oauth_grants`, access and refresh tokens are now properties of the latter).
+* access and refresh tokens hashed by default when stored in the database.
+* default oauth response mode is `"form_post"`.
+* oauth specific features require explicit enablement of respective features (no more `enable :oauth`)
+* refresh token policy is "rotation" by default
+* homepage url is no longer a client application required property.
+* OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout` feature.
+
+### Features
+
+The following helpers are exposed in the `rodauth` object:
+
+* `current_oauth_account` - returns the dataset row for the `rodauth` account associated to an oauth access token in the "authorization" header.
+* `current_oauth_application` - returns the dataset row for the oauth application associated to an oauth access token in the "authorization" header.
+
+When used in `rails` via `rodauth-rails`, both are exposed directly as controller helpers.
+
+#### `oauth_resource_server` plugin
+
+This plugin can be used as a convenience when configuring resource servers.
+
+#### JAR support for request_uri query param
+
+The `oauth_jwt_secured_authorization_request` plugin now supports a `request_uri` query param as well.
+
+#### OIDC features
+
+* The `oidc` plugin supports [essential claims](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter), via the `claims` authorization request query parameter.
+* id token built with `"c_hash"` and `"at_hash"` claims when they should.
+
+### Improvements
+
+* `:oauth_introspect` plugin: OAuth introspection endpoint exposes the token's `"username"` claim.
+* endpoint client authentication supports "client credentials grant" access tokens.
+* `acr_values_supported` exposed in the openid configuration.
+* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an accepted request object signing alg when `true` (`false` by default).
+* OIDC `offline_access` supported.
+
+### Bugfixes
+
+* fixed `oidc` calculation of `"auth_time"` claim.
+* JWT: "sub" is now always a string.
+* `response_type` is now an authorization request required parameter (as per the RFC).
+* `state` is now passed along when redirecting from authorization requests with `error`;
+* access token can now be read from POST body or GET query params (as per the RFC).
+* id token no longer shipping with claims with `null` value;
+* id token no longer encoding claims by default (only when `response_type=id_token`, as per the RFC).
+* support "JWT without kid" when doing jwt decoding for JWT tokens not generated in the provider (such as request objects).
+* Set `iss` and `aud` claims in the Userinfo JWT response.
+* Make sure errors are also delivered via form POST, when `response_mode=form_post`.
+* Authorization request now shows an error page when `response_type` or `client_id` are missing, or `redirect_uri` is missing or invalid; a new `"authorize_error"` template is invoked in such cases.
+* oidc: nonce present in id token when using the "id_token token" response type.
+* error parameter delivered in URL fragment when failing an implicit grant autorization request.

data/doc/release_notes/1_1_0.md

@@ -0,0 +1,9 @@
+## 1.0.0 (10/01/2023)
+
+## Features
+
+### Loopback Interface Redirection URI support
+
+https://www.rfc-editor.org/rfc/rfc8252#section-7.3
+
+Redirect URIs based on loopback addresses ("127.0.0.1", "::1") are now supported when used in an authorization request with an ephemeral port (@avdigrimm).

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize_error.erb

@@ -0,0 +1,10 @@
+<div class="container">
+  <div class="alert alert-danger">
+    <p>
+      <%= @error %>%
+    </p>
+  </div>
+ <p class="text-center">
+  <%= link_to rodauth.oauth_cancel_button, @back_url, class: "btn btn-outline-danger" %>
+ </p>
+</div>

data/lib/rodauth/features/oauth_authorization_code_grant.rb

@@ -120,7 +120,6 @@ module Rodauth
       return super unless supported_grant_type?(grant_type, "authorization_code")
 
       grant_params = {
-        oauth_grants_type_column => grant_type,
         oauth_grants_code_column => param("code"),
         oauth_grants_redirect_uri_column => param("redirect_uri"),
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]

data/lib/rodauth/features/oauth_authorize_base.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "ipaddr"
 require "rodauth/oauth"
 
 module Rodauth
@@ -10,6 +11,7 @@ module Rodauth
     after "authorize"
 
     view "authorize", "Authorize", "authorize"
+    view "authorize_error", "Authorize Error", "authorize_error"
 
     button "Authorize", "oauth_authorize"
     button "Back to Client Application", "oauth_authorize_post"
@@ -24,7 +26,7 @@ module Rodauth
     translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
     translatable_method :oauth_applications_policy_uri_label, "Policy URL"
     translatable_method :oauth_unsupported_response_type_message, "Unsupported response type"
-    translatable_method :oauth_authorize_parameter_required, "'%<parameter>s' is a required parameter"
+    translatable_method :oauth_authorize_parameter_required, "Invalid or missing '%<parameter>s'"
 
     # /authorize
     auth_server_route(:authorize) do |r|
@@ -65,7 +67,16 @@ module Rodauth
     private
 
     def validate_authorize_params
-      redirect_response_error("invalid_request", request.referer || default_redirect) unless oauth_application && check_valid_redirect_uri?
+      redirect_authorize_error("client_id") unless oauth_application
+
+      redirect_uris = oauth_application[oauth_applications_redirect_uri_column].split(" ")
+
+      if (redirect_uri = param_or_nil("redirect_uri"))
+        normalized_redirect_uri = normalize_redirect_uri_for_comparison(redirect_uri)
+        redirect_authorize_error("redirect_uri") unless redirect_uris.include?(normalized_redirect_uri)
+      elsif redirect_uris.size > 1
+        redirect_authorize_error("redirect_uri")
+      end
 
       redirect_response_error("unsupported_response_type") unless check_valid_response_type?
 
@@ -80,18 +91,6 @@ module Rodauth
       false
     end
 
-    def check_valid_redirect_uri?
-      application_redirect_uris = oauth_application[oauth_applications_redirect_uri_column].split(" ")
-
-      if (redirect_uri = param_or_nil("redirect_uri"))
-        application_redirect_uris.include?(redirect_uri)
-      else
-        set_error_flash(oauth_authorize_parameter_required(parameter: "redirect_uri")) if application_redirect_uris.size > 1
-
-        true
-      end
-    end
-
     ACCESS_TYPES = %w[offline online].freeze
 
     def check_valid_access_type?
@@ -127,6 +126,21 @@ module Rodauth
       request.env["REQUEST_METHOD"] = "POST"
     end
 
+    def redirect_authorize_error(parameter, referer = request.referer || default_redirect)
+      error_message = oauth_authorize_parameter_required(parameter: parameter)
+
+      if accepts_json?
+        status_code = oauth_invalid_response_status
+
+        throw_json_response_error(status_code, "invalid_request", error_message)
+      else
+        scope.instance_variable_set(:@error, error_message)
+        scope.instance_variable_set(:@back_url, referer)
+
+        return_response(authorize_error_view)
+      end
+    end
+
     def authorization_required
       if accepts_json?
         throw_json_response_error(oauth_authorization_required_error_status, "invalid_client")
@@ -199,5 +213,26 @@ module Rodauth
       end
       create_params[oauth_grants_code_column]
     end
+
+    def normalize_redirect_uri_for_comparison(redirect_uri)
+      uri = URI(redirect_uri)
+
+      return redirect_uri unless uri.scheme == "http" && uri.port
+
+      hostname = uri.hostname
+
+      # https://www.rfc-editor.org/rfc/rfc8252#section-7.3
+      # ignore (potentially ephemeral) port number for native clients per RFC8252
+      begin
+        ip = IPAddr.new(hostname)
+        uri.port = nil if ip.loopback?
+      rescue IPAddr::InvalidAddressError
+        # https://www.rfc-editor.org/rfc/rfc8252#section-8.3
+        # Although the use of localhost is NOT RECOMMENDED, it is still allowed.
+        uri.port = nil if hostname == "localhost"
+      end
+
+      uri.to_s
+    end
   end
 end

data/lib/rodauth/features/oauth_base.rb

@@ -4,6 +4,7 @@ require "time"
 require "base64"
 require "securerandom"
 require "cgi"
+require "digest/sha2"
 require "rodauth/version"
 require "rodauth/oauth"
 require "rodauth/oauth/database_extensions"

data/lib/rodauth/features/oauth_implicit_grant.rb

@@ -48,6 +48,16 @@ module Rodauth
       generate_token(grant_params, false)
     end
 
+    def _redirect_response_error(redirect_url, query_params)
+      response_types = param("response_type").split(/ +/)
+
+      return super if response_types.empty? || response_types == %w[code]
+
+      query_params = query_params.map { |k, v| "#{k}=#{v}" }
+      redirect_url.fragment = query_params.join("&")
+      redirect(redirect_url.to_s)
+    end
+
     def authorize_response(params, mode)
       return super unless mode == "fragment"
 

data/lib/rodauth/features/oidc.rb

@@ -292,6 +292,11 @@ module Rodauth
       end
 
       super
+
+      return unless (response_type = param_or_nil("response_type"))
+      return unless response_type.include?("id_token")
+
+      redirect_response_error("invalid_request") unless param_or_nil("nonce")
     end
 
     def require_authorizable_account
@@ -440,10 +445,7 @@ module Rodauth
                        _generate_access_token(oauth_grant)
                      end
 
-      {
-        "code" => authorization_code,
-        **json_access_token_payload(oauth_grants_token_column => access_token)
-      }
+      json_access_token_payload(oauth_grants_token_column => access_token).merge("code" => authorization_code)
     end
 
     def create_token(*)
@@ -457,6 +459,9 @@ module Rodauth
 
       return unless oauth_scopes.include?("openid")
 
+      signing_algorithm = oauth_application[oauth_applications_id_token_signed_response_alg_column] ||
+                          oauth_jwt_keys.keys.first
+
       id_token_claims = jwt_claims(oauth_grant)
 
       id_token_claims[:nonce] = oauth_grant[oauth_grants_nonce_column] if oauth_grant[oauth_grants_nonce_column]
@@ -466,6 +471,16 @@ module Rodauth
       # Time when the End-User authentication occurred.
       id_token_claims[:auth_time] = get_oidc_account_last_login_at(oauth_grant[oauth_grants_account_id_column]).to_i
 
+      # Access Token hash value.
+      if (access_token = oauth_grant[oauth_grants_token_column])
+        id_token_claims[:at_hash] = id_token_hash(access_token, signing_algorithm)
+      end
+
+      # code hash value.
+      if (code = oauth_grant[oauth_grants_code_column])
+        id_token_claims[:c_hash] = id_token_hash(code, signing_algorithm)
+      end
+
       account = db[accounts_table].where(account_id_column => oauth_grant[oauth_grants_account_id_column]).first
 
       # this should never happen!
@@ -488,10 +503,7 @@ module Rodauth
 
       params = {
         jwks: oauth_application_jwks(oauth_application),
-        signing_algorithm: (
-          oauth_application[oauth_applications_id_token_signed_response_alg_column] ||
-          oauth_jwt_keys.keys.first
-        ),
+        signing_algorithm: signing_algorithm,
         encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
         encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
       }.compact
@@ -655,7 +667,8 @@ module Rodauth
       when "id_token token"
         redirect_response_error("invalid_request") unless supports_token_response_type?
 
-        oauth_grant = _do_authorize_token(oauth_grants_type_column => "hybrid")
+        grant_params = oidc_grant_params.merge(oauth_grants_type_column => "hybrid")
+        oauth_grant = _do_authorize_token(grant_params)
         generate_id_token(oauth_grant)
 
         response_params.replace(json_access_token_payload(oauth_grant))
@@ -664,6 +677,7 @@ module Rodauth
 
         params = create_oauth_grant_with_token
         oauth_grant = valid_oauth_grant_ds.where(oauth_grants_code_column => params["code"]).first
+        oauth_grant[oauth_grants_token_column] = params["access_token"]
         generate_id_token(oauth_grant)
 
         response_params.replace(params.merge("id_token" => oauth_grant[:id_token]))
@@ -785,5 +799,19 @@ module Rodauth
       end
       return_response(jwt)
     end
+
+    def id_token_hash(hash, algo)
+      digest = case algo
+               when /256/ then Digest::SHA256
+               when /384/ then Digest::SHA384
+               when /512/ then Digest::SHA512
+               end
+
+      return unless digest
+
+      hash = digest.digest(hash)
+      hash = hash[0...hash.size / 2]
+      Base64.urlsafe_encode64(hash).tr("=", "")
+    end
   end
 end

data/lib/rodauth/features/oidc_rp_initiated_logout.rb

@@ -19,31 +19,35 @@ module Rodauth
         catch_error do
           validate_oidc_logout_params
 
-          #
-          # why this is done:
-          #
-          # we need to decode the id token in order to get the application, because, if the
-          # signing key is application-specific, we don't know how to verify the signature
-          # beforehand. Hence, we have to do it twice: decode-and-do-not-verify, initialize
-          # the @oauth_application, and then decode-and-verify.
-          #
-          claims = jwt_decode(param("id_token_hint"), verify_claims: false)
-
-          redirect_logout_with_error(oauth_invalid_client_message) unless claims
-
-          oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["aud"]).first
-          oauth_grant = db[oauth_grants_table]
-                        .where(
-                          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-                          oauth_grants_account_id_column => account_id
-                        ).first
-
-          # check whether ID token belongs to currently logged-in user
-          redirect_logout_with_error(oauth_invalid_client_message) unless oauth_grant && claims["sub"] == jwt_subject(oauth_grant,
-                                                                                                                      oauth_application)
-
-          # When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token.
-          redirect_logout_with_error(oauth_invalid_client_message) unless claims && claims["iss"] == oauth_jwt_issuer
+          oauth_application = nil
+
+          if (id_token_hint = param_or_nil("id_token_hint"))
+            #
+            # why this is done:
+            #
+            # we need to decode the id token in order to get the application, because, if the
+            # signing key is application-specific, we don't know how to verify the signature
+            # beforehand. Hence, we have to do it twice: decode-and-do-not-verify, initialize
+            # the @oauth_application, and then decode-and-verify.
+            #
+            claims = jwt_decode(id_token_hint, verify_claims: false)
+
+            redirect_logout_with_error(oauth_invalid_client_message) unless claims
+
+            oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["aud"]).first
+            oauth_grant = db[oauth_grants_table]
+                          .where(
+                            oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+                            oauth_grants_account_id_column => account_id
+                          ).first
+
+            # check whether ID token belongs to currently logged-in user
+            redirect_logout_with_error(oauth_invalid_client_message) unless oauth_grant && claims["sub"] == jwt_subject(oauth_grant,
+                                                                                                                        oauth_application)
+
+            # When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token.
+            redirect_logout_with_error(oauth_invalid_client_message) unless claims && claims["iss"] == oauth_jwt_issuer
+          end
 
           # now let's logout from IdP
           transaction do
@@ -92,7 +96,6 @@ module Rodauth
     # Logout
 
     def validate_oidc_logout_params
-      redirect_logout_with_error(oauth_invalid_client_message) unless param_or_nil("id_token_hint")
       # check if valid token hint type
       return unless (redirect_uri = param_or_nil("post_logout_redirect_uri"))
 

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "1.0.0-beta2"
+    VERSION = "1.1.0"
   end
 end

data/locales/en.yml

@@ -9,6 +9,7 @@ en:
     user_code_not_found_error_flash: "No device to authorize with the given user code"
     authorize_page_title: "Authorize"
     authorize_page_lead: "The application %{name} would like to access your data."
+    authorize_error_page_title: "Authorize Error"
     oauth_cancel_button: "Cancel"
     oauth_applications_page_title: "Oauth Applications"
     oauth_application_page_title: "Oauth Application"
@@ -65,5 +66,5 @@ en:
     oauth_unsupported_transform_algorithm_message: "transform algorithm not supported"
     oauth_invalid_request_object_message: "request object is invalid"
     oauth_invalid_scope_message: "The Access Token expired"
-    oauth_authorize_parameter_required: "'%{parameter}' is a required parameter"
+    oauth_authorize_parameter_required: "Invalid or missing '%{parameter}'"
     oauth_invalid_post_logout_redirect_uri_message: "Invalid post logout redirect URI"

data/locales/pt.yml

@@ -9,6 +9,7 @@ pt:
     user_code_not_found_error_flash: "Não existe nenhum dispositivo a ser autorizado com o código de usuário inserido"
     authorize_page_title: "Autorizar"
     authorize_page_lead: "O aplicativo %{name} gostaria de aceder aos seus dados."
+    authorize_error_page_title: Erro de autorização
     oauth_cancel_button: "Cancelar"
     oauth_applications_page_title: "Aplicativos OAuth"
     oauth_application_page_title: "Aplicativo Oauth"
@@ -65,5 +66,5 @@ pt:
     oauth_unsupported_transform_algorithm_message: "algoritmo de transformação não suportado"
     oauth_invalid_request_object_message: "request_object é inválido"
     oauth_invalid_scope_message: "O Token de acesso expirou"
-    oauth_authorize_parameter_required: "'%{parameter}' é um parâmetro obrigatório"
+    oauth_authorize_parameter_required: "'%{parameter}' inválido ou em falta"
     oauth_invalid_post_logout_redirect_uri_message: "URI de redireccionamento pós-logout inválido"

data/templates/authorize_error.str

@@ -0,0 +1,12 @@
+<div class="container">
+  <div class="alert alert-danger">
+    <p>
+      #{@error}
+    </p>
+  </div>
+ <p class="text-center">
+  <a href="#{@back_url}" class="btn btn-outline-danger">
+    #{rodauth.oauth_cancel_button}
+  </a>
+ </p>
+</div>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.beta2
+  version: 1.1.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-09 00:00:00.000000000 Z
+date: 2023-01-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -66,8 +66,8 @@ extra_rdoc_files:
 - doc/release_notes/0_9_1.md
 - doc/release_notes/0_9_2.md
 - doc/release_notes/0_9_3.md
-- doc/release_notes/1_0_0_beta1.md
-- doc/release_notes/1_0_0_beta2.md
+- doc/release_notes/1_0_0.md
+- doc/release_notes/1_1_0.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -105,12 +105,13 @@ files:
 - doc/release_notes/0_9_1.md
 - doc/release_notes/0_9_2.md
 - doc/release_notes/0_9_3.md
-- doc/release_notes/1_0_0_beta1.md
-- doc/release_notes/1_0_0_beta2.md
+- doc/release_notes/1_0_0.md
+- doc/release_notes/1_1_0.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb
+- lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize_error.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb
@@ -155,6 +156,7 @@ files:
 - locales/en.yml
 - locales/pt.yml
 - templates/authorize.str
+- templates/authorize_error.str
 - templates/client_secret_field.str
 - templates/description_field.str
 - templates/device_search.str
@@ -169,15 +171,15 @@ files:
 - templates/oauth_grants.str
 - templates/redirect_uri_field.str
 - templates/scope_field.str
-homepage: https://gitlab.com/honeyryderchuck/rodauth-oauth
+homepage: https://gitlab.com/os85/rodauth-oauth
 licenses:
 - Apache-2.0
 metadata:
-  homepage_uri: https://honeyryderchuck.gitlab.io/rodauth-oauth/
-  documentation_uri: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
-  bug_tracker_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth/issues
-  source_code_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth
-  changelog_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth/-/blob/master/CHANGELOG.md
+  homepage_uri: https://os85.gitlab.io/rodauth-oauth/
+  documentation_uri: https://os85.gitlab.io/rodauth-oauth/rdoc/
+  bug_tracker_uri: https://gitlab.com/os85/rodauth-oauth/issues
+  source_code_uri: https://gitlab.com/os85/rodauth-oauth
+  changelog_uri: https://gitlab.com/os85/rodauth-oauth/-/blob/master/CHANGELOG.md
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -190,11 +192,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.

data/doc/release_notes/1_0_0_beta1.md

@@ -1,38 +0,0 @@
-## 1.0.0-beta1 (21/10/2022)
-
-### Breaking changes
-
-The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the [migration guide](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/blob/6465b8522a78cf0037a55d3d4b81f68f7811be68/MIGRATION-GUIDE-v1.md).
-
-A short list of the main highlights:
-
-
-* Ruby 2.5 or higher is required.
-* `oauth_http_mac` feature removed.
-* `oauth_tokens` table (and resource) were removed (only `oauth_applications` and `oauth_grants`, access and refresh tokens are now properties of the latter).
-* access and refresh tokens hashed by default when stored in the database.
-* default oauth response mode is `"form_post"`.
-* oauth specific features require explicit enablement of respective features (no more `enable :oauth`)
-* refresh token policy is "rotation" by default
-
-### Features
-
-The following helpers are exposed in the `rodauth` object:
-
-* `current_oauth_account` - returns the dataset row for the `rodauth` account associated to an oauth access token in the "authorization" header.
-* `current_oauth_application` - returns the dataset row for the oauth application associated to an oauth access token in the "authorization" header.
-
-When used in `rails` via `rodauth-rails`, both are exposed directly as controller helpers.
-
-#### `oauth_resource_server` plugin
-
-This plugin can be used as a convenience when configuring resource servers.
-
-### Improvements
-
-* `:oauth_introspect` plugin: OAuth introspection endpoint exposes the token's `"username"` claim.
-* endpoint client authentication supports "client credentials grant" access tokens.
-
-### Bugfixes
-
-* fixed `oidc` calculation of `"auth_time"` claim.

data/doc/release_notes/1_0_0_beta2.md

@@ -1,34 +0,0 @@
-This version passes the conformance tests for the following OpenID Connect certification profiles:
-
-* Basic certification
-* Form-post basic certification
-* Config certification
-* Dynamic Config certification (`response_type=code`)
-
-## Breaking Changes
-
-* homepage url is no longer a client application required property.
-* OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout` feature.
-
-## Features
-
-* `oauth_jwt_secured_authorization_request` now supports a `request_uri` query param as well.
-* `oidc` supports essential claims, via the `claims` authorization request query parameter.
-
-## Improvements
-
-* exposing `acr_values_supported` in the openid configuration.
-* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an accepted request object signing alg when `true` (`false` by default).
-* OIDC `offline_access` supported.
-
-## Bugfixes
-
-* JWT: "sub" is now always a string.
-* `response_type` is now an authorization request required parameter (as per the RFC).
-* `state` is now passed along when redirecting from authorization requeests with `error`;
-* access token can now be read from POST body or GET quety params (as per the RFC).
-* id token no longer shipping with claims with `null` value;
-* id token no longer encoding claims by default (only when `response_type=id_token`, as per the RFC).
-* support "JWT without kid" when doing jwt decoding for JWT tokens not generated in the provider (such as request objects).
-* Set `iss` and `aud` claims in the Userinfo JWT response.
-* Make sure errors are also delivered via form POST, when `response_mode=form_post`.