rodauth-oauth 1.1.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 12c86242a8a2001fba629cb6bd8e25886b8805fce5d0965ebc70377824e25e91
-  data.tar.gz: 2fdc78f81b737c9c0d0086f258a86807f8855d3f0bc9be89bffb6d6a90946ed3
+  metadata.gz: 4d7d5f8b68686703954bf4e335cef0ea33f9e31c94c439df84f08e8ff3270829
+  data.tar.gz: 1da57ba2082818a74dbca4d1c6bcab0c15f97da891e12c03a8bf91440a4edcfd
 SHA512:
-  metadata.gz: be15b77c46a135d213cd6e6e6bc7000b961e036febdb8f75bb922f09554d68ab757d5094fe96816c83c5966a3094daa32ecbbee798b2a8bb72417df9506ac3b3
-  data.tar.gz: a5fec610e9193d449ef49fbfde36688398c9e4e576da5ea579165c306ecc51bc910d0d758c923a9bece59ef4e7651347f9ebb7951504f3354b101fe5f845173a
+  metadata.gz: 8230b54e51d2081e25d1386d6294745d54eebbe11a6677bdb9cade14e0a418658bc2b8a67ae2e6355458f4b43d8a2df1700cd3e0496fa8a10e690318f3d03ba0
+  data.tar.gz: 31ab5721a6464b751860b6896f47999e189592582842ba419ab0a057ff38af98612d54a8b00177092e2fe5993af1e5554cecafbbfaab18a495656117f19ce4fd

data/README.md

@@ -17,6 +17,7 @@ This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framew
 * Config OP
 * Dynamic OP
 * Form Post OP
+* 3rd Party-Init OP
 
 (it also passes the conformance tests for the RP-Initiated Logout OP).
 
@@ -24,7 +25,7 @@ This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framew
 
 This gem implements the following RFCs and features of OAuth:
 
-* `oauth` - [The OAuth 2.0 protocol framework](https://tools.ietf.org/html/rfc6749):
+* `oauth` - [The OAuth 2.0 protocol framework](-/wikis/home#oauth-20-protocol-framework):
   * [Access Token generation](https://tools.ietf.org/html/rfc6749#section-1.4);
   * [Access Token refresh token grant](https://tools.ietf.org/html/rfc6749#section-1.5);
   * `oauth_authorization_code_grant` - [Authorization code grant](https://tools.ietf.org/html/rfc6749#section-1.3);
@@ -33,10 +34,13 @@ This gem implements the following RFCs and features of OAuth:
   * `oauth_device_code_grant` - [Device code grant (off by default)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-device-flow-15);
   * `oauth_token_revocation` - [Token revocation](https://tools.ietf.org/html/rfc7009);
   * `oauth_token_introspection` - [Token introspection](https://tools.ietf.org/html/rfc7662);
+  * `oauth_pushed_authorization_request` - [Pushed Authorization Request](https://datatracker.ietf.org/doc/html/rfc9126);
   * [Authorization Server Metadata](https://tools.ietf.org/html/rfc8414);
   * `oauth_pkce` - [PKCE](https://tools.ietf.org/html/rfc7636);
+  * `oauth_tls_client_auth` - [Mutual-TLS Client Authentication](https://datatracker.ietf.org/doc/html/rfc8705);
   * `oauth_jwt` - [JWT Access Tokens](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07);
   * `oauth_jwt_secured_authorization_request` - [JWT Secured Authorization Request](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
+  * `oauth_jwt_secured_authorization_response_mode` - [JWT Secured Authorization Response_mode](https://openid.net/specs/openid-financial-api-jarm.html);
   * `oauth_resource_indicators` - [Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707);
   * Access Type (Token refresh online and offline);
 * `oauth_http_mac` - [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
@@ -44,18 +48,17 @@ This gem implements the following RFCs and features of OAuth:
   * `oauth_saml_bearer_grant` - [SAML 2.0 Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7522);
   * `oauth_jwt_bearer_grant` - [JWT Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7523);
 
-* `oauth_dynamic_client_registration` - [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591);
+* `oauth_dynamic_client_registration` - [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591) and [Dynamic Client Registration Management](https://www.rfc-editor.org/rfc/rfc7592);
 * OAuth application and token management dashboards;
 *  The recommendations for [Native Apps](https://www.rfc-editor.org/rfc/rfc8252);
 
 It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:
 
-* `oidc`
-  * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
-  * [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
-  * [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
-* `oidc_dynamic_client_registration` - [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html);
-* `oidc_rp_initiated_logout` - [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
+* [OpenID Connect Core](https://gitlab.com/os85/rodauth-oauth/-/wikis/Id-Token-Authentication);
+* [OpenID Connect Discovery](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
+* [OpenID Multiple Response Types](https://gitlab.com/os85/rodauth-oauth/-/wikis/Hybrid-flow);
+* [OpenID Connect Dynamic Client Registration](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
+* [RP Initiated Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/RP-Initiated-Logout);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 

data/doc/release_notes/1_1_0.md

@@ -1,4 +1,4 @@
-## 1.0.0 (10/01/2023)
+## 1.1.0 (10/01/2023)
 
 ## Features
 

data/doc/release_notes/1_2_0.md

@@ -0,0 +1,36 @@
+## 1.2.0 (13/02/2023)
+
+### Features
+
+#### Pushed Authorization Requests (PAR)
+
+RFC: https://datatracker.ietf.org/doc/html/rfc9126
+
+`rodauth-oauth` supports Pushed Authorization Requests, via the `:oauth_pushed_authorization_request` feature.
+
+More info about the feature [in the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/Pushed-Authorization-Requests).
+
+#### mTLS Client Auth (+ certificate-bound access tokens)
+
+RFC: https://www.rfc-editor.org/rfc/rfc8705
+
+The `:oauth_tls_client_auth` feature adds support for the variants of mTLS Client Authentication "PKI Mutual-TLS Method" and 2Self-Signed Certificate Mutual-TLS Method". It also supports client certificate bound access tokens.
+
+More about it [in the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/mTLS-Client-Authentication).
+
+#### Dynamic Client Registration management
+
+RFC: https://www.rfc-editor.org/rfc/rfc7592
+
+Support for dynamci client registration management was added to the `:oauth_dynamic_client_registration` feature.
+
+More info about it [in the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/Dynamic-Client-Registration#getputdelete-registerclient_id).
+
+### Improvements
+
+* Support for 3rd-party initiated login was added, by including support for the `initiate_login_uri` attribute in the register route from the `:oauth_dynamic_client_registration` feature.
+* Support for multitenant resource ownership was added, here's a [description from the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/How-to#scoping-grants-from-the-same-resource-owner).
+
+### Bugfixes
+
+* oidc: userinfo claims were not including claims with value `false`, such as `"email_verified"`. This behaviour has been fixed, and only claims of value `null` are omitted.

data/doc/release_notes/1_3_0.md

@@ -0,0 +1,38 @@
+## 1.3.0 (02/04/2023)
+
+## Features
+
+### Self-Signed Issued Tokens
+
+`rodauth-oauth` supports self-signed issued tokens, via the `oidc_self_issued` feature.
+
+More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/Self-Issued-OpenID).
+
+#### JARM
+
+`rodauth-oauth` supports JWT-secured Authorization Response Mode, also known as JARM, via the `oauth_jwt_secured_authorization_response_mode`.
+
+More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/JWT-Secured-Authorization-Response-Mode).
+
+## Improvements
+
+### `fill_with_account_claims` auth method
+
+`fill_with_account_claims` is now exposed as an auth method. This allows one to override to be able to cover certain requirements, such as aggregated and distributed claims. Here's a [link to the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/Id-Token-Authentication#claim-types) explaining how to do it.
+
+### oidc: only generate refresh token when `offline_access` scope is used.
+
+When the `oidc` feature is used, refresh tokens won't be generated anymore by default; in order to do so, the `offline_access` needs to be requested for in the respective authorization request, [as the spec mandates](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess).
+
+### oidc: implicit grant loaded by default
+
+The `oidc` feature now loads the `oauth_implicit_grant` feature by default. This hadn't been done before due to the wish to ship a secure integration by default, but since then, spec compliance became more prioritary, and this is a requirement.
+
+## Bugfixes
+
+* rails integration: activerecord migrations fixes:
+  * use `bigint` for foreign keys;
+  * index creation instruction with the wrong syntax;
+  * set precision 6 for default timestamps, to comply with AR defaults;
+  * add missing `code` column to the `oauth_pushed_requests` table;
+* oidc: when using the `id_token` , or any composite response type including `id_token`, using any response mode other than `fragment` will result in an invalid request.

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -75,6 +75,9 @@
       <% if params[:acr_values] %>
         <%= hidden_field_tag :acr_values,  params[:acr_values] %>
       <% end %>
+      <% if params[:registration] %>
+        <%= hidden_field_tag :registration,  params[:registration] %>
+      <% end %>
     <% end %>
   </div>
  <p class="text-center">

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -1,7 +1,7 @@
 class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_applications do |t|
-      t.integer :account_id
+      t.bigint :account_id
       t.foreign_key :accounts, column: :account_id
       t.string :name, null: false
       t.string :description, null: true
@@ -9,8 +9,9 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :redirect_uri, null: false
       t.string :client_id, null: false, index: { unique: true }
       t.string :client_secret, null: false, index: { unique: true }
+      t.string :registration_access_token, null: true
       t.string :scopes, null: false
-      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP(6)" }
 
       # :oauth_dynamic_client_configuration enabled, extra optional params
       t.string :token_endpoint_auth_method, null: true
@@ -29,6 +30,7 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       # :oidc_dynamic_client_configuration enabled, extra optional params
       t.string :sector_identifier_uri, null: true
       t.string :application_type, null: true
+      t.string :initiate_login_uri, null: true
 
       # :oidc enabled
       t.string :subject_type, null: true
@@ -44,26 +46,35 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :request_object_encryption_alg, null: true
       t.string :request_object_encryption_enc, null: true
       t.string :request_uris, null: true
+      t.boolean :require_pushed_authorization_requests, null: false, default: false
+
+      # :oauth_tls_client_auth
+      t.string :tls_client_auth_subject_dn, null: true
+      t.string :tls_client_auth_san_dns, null: true
+      t.string :tls_client_auth_san_uri, null: true
+      t.string :tls_client_auth_san_ip, null: true
+      t.string :tls_client_auth_san_email, null: true
+      t.boolean :tls_client_certificate_bound_access_tokens, default: false
 
       # :oidc_rp_initiated_logout enabled
       t.string :post_logout_redirect_uris, null: false
     end
 
     create_table :oauth_grants do |t|
-      t.integer :account_id
+      t.bigint :account_id
       t.foreign_key :accounts, column: :account_id
-      t.integer :oauth_application_id
+      t.bigint :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
       t.string :type, null: true
       t.string :code, null: true
       t.index(%i[oauth_application_id code], unique: true)
-      t.string :token, unique: true
-      t.string :refresh_token, unique: true
+      t.string :token, index: { unique: true }
+      t.string :refresh_token, index: { unique: true }
       t.datetime :expires_in, null: false
       t.string :redirect_uri
       t.datetime :revoked_at
       t.string :scopes, null: false
-      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP(6)" }
       t.string :access_type, null: false, default: "offline"
 
       # :oauth_pkce enabled
@@ -71,9 +82,12 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :code_challenge_method
 
       # :oauth_device_code_grant enabled
-      t.string :user_code, null: true, unique: true
+      t.string :user_code, null: true, index: { unique: true }
       t.datetime :last_polled_at, null: true
 
+      # :oauth_tls_client_auth
+      t.string :certificate_thumbprint, null: true
+
       # :resource_indicators enabled
       t.string :resource
 
@@ -83,5 +97,14 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :claims_locales
       t.string :claims
     end
+
+    create_table :oauth_pushed_requests do |t|
+      t.bigint :oauth_application_id
+      t.foreign_key :oauth_applications, column: :oauth_application_id
+      t.string :code, null: false, index: { unique: true }
+      t.string :params, null: false
+      t.datetime :expires_in, null: false
+      t.index %i[oauth_application_id code], unique: true
+    end
   end
-end
+end

data/lib/rodauth/features/oauth_authorization_code_grant.rb

@@ -27,7 +27,19 @@ module Rodauth
 
       response_mode = param_or_nil("response_mode")
 
-      redirect_response_error("invalid_request") if response_mode && !oauth_response_modes_supported.include?(response_mode)
+      return unless response_mode
+
+      redirect_response_error("invalid_request") unless oauth_response_modes_supported.include?(response_mode)
+
+      response_type = param_or_nil("response_type")
+
+      return unless response_type.nil? || response_type == "code"
+
+      redirect_response_error("invalid_request") unless oauth_response_modes_for_code_supported.include?(response_mode)
+    end
+
+    def oauth_response_modes_for_code_supported
+      %w[query form_post]
     end
 
     def validate_token_params
@@ -57,7 +69,7 @@ module Rodauth
     def _do_authorize_code
       create_params = {
         oauth_grants_type_column => "authorization_code",
-        oauth_grants_account_id_column => account_id
+        **resource_owner_params
       }
 
       { "code" => create_oauth_grant(create_params) }
@@ -67,55 +79,65 @@ module Rodauth
       redirect_url = URI.parse(redirect_uri)
       case mode
       when "query"
-        params = params.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }
+        params = [URI.encode_www_form(params)]
         params << redirect_url.query if redirect_url.query
         redirect_url.query = params.join("&")
         redirect(redirect_url.to_s)
       when "form_post"
-        scope.view layout: false, inline: <<-FORM
-          <html>
-            <head><title>Authorized</title></head>
-            <body onload="javascript:document.forms[0].submit()">
-              <form method="post" action="#{redirect_uri}">
-                #{
-                  params.map do |name, value|
-                    "<input type=\"hidden\" name=\"#{scope.h(name)}\" value=\"#{scope.h(value)}\" />"
-                  end.join
-                }
-                <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
-              </form>
-            </body>
-          </html>
-        FORM
+        inline_html = form_post_response_html(redirect_uri) do
+          params.map do |name, value|
+            "<input type=\"hidden\" name=\"#{scope.h(name)}\" value=\"#{scope.h(value)}\" />"
+          end.join
+        end
+        scope.view layout: false, inline: inline_html
       end
     end
 
-    def _redirect_response_error(redirect_url, query_params)
+    def _redirect_response_error(redirect_url, params)
       response_mode = param_or_nil("response_mode") || oauth_response_mode
 
       case response_mode
       when "form_post"
         response["Content-Type"] = "text/html"
-        response.write <<-FORM
-          <html>
-            <head><title></title></head>
-            <body onload="javascript:document.forms[0].submit()">
-              <form method="post" action="#{redirect_uri}">
-                #{
-                  query_params.map do |name, value|
-                    "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
-                  end.join
-                }
-              </form>
-            </body>
-          </html>
-        FORM
+        error_body = form_post_error_response_html(redirect_url) do
+          params.map do |name, value|
+            "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+          end.join
+        end
+        response.write(error_body)
         request.halt
       else
         super
       end
     end
 
+    def form_post_response_html(url)
+      <<-FORM
+        <html>
+          <head><title>Authorized</title></head>
+          <body onload="javascript:document.forms[0].submit()">
+            <form method="post" action="#{url}">
+              #{yield}
+              <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
+            </form>
+          </body>
+        </html>
+      FORM
+    end
+
+    def form_post_error_response_html(url)
+      <<-FORM
+        <html>
+          <head><title></title></head>
+          <body onload="javascript:document.forms[0].submit()">
+            <form method="post" action="#{url}">
+              #{yield}
+            </form>
+          </body>
+        </html>
+      FORM
+    end
+
     def create_token(grant_type)
       return super unless supported_grant_type?(grant_type, "authorization_code")
 

data/lib/rodauth/features/oauth_authorize_base.rb

@@ -28,6 +28,11 @@ module Rodauth
     translatable_method :oauth_unsupported_response_type_message, "Unsupported response type"
     translatable_method :oauth_authorize_parameter_required, "Invalid or missing '%<parameter>s'"
 
+    auth_value_methods(
+      :resource_owner_params,
+      :oauth_grants_resource_owner_columns
+    )
+
     # /authorize
     auth_server_route(:authorize) do |r|
       require_authorizable_account
@@ -73,7 +78,9 @@ module Rodauth
 
       if (redirect_uri = param_or_nil("redirect_uri"))
         normalized_redirect_uri = normalize_redirect_uri_for_comparison(redirect_uri)
-        redirect_authorize_error("redirect_uri") unless redirect_uris.include?(normalized_redirect_uri)
+        unless redirect_uris.include?(normalized_redirect_uri) || redirect_uris.include?(redirect_uri)
+          redirect_authorize_error("redirect_uri")
+        end
       elsif redirect_uris.size > 1
         redirect_authorize_error("redirect_uri")
       end
@@ -85,6 +92,14 @@ module Rodauth
       try_approval_prompt if use_oauth_access_type? && request.get?
 
       redirect_response_error("invalid_scope") if (request.post? || param_or_nil("scope")) && !check_valid_scopes?
+
+      response_mode = param_or_nil("response_mode")
+
+      redirect_response_error("invalid_request") unless response_mode.nil? || oauth_response_modes_supported.include?(response_mode)
+    end
+
+    def check_valid_scopes?(scp = scopes)
+      super(scp - %w[offline_access])
     end
 
     def check_valid_response_type?
@@ -109,13 +124,20 @@ module Rodauth
       !approval_prompt || APPROVAL_PROMPTS.include?(approval_prompt)
     end
 
+    def resource_owner_params
+      { oauth_grants_account_id_column => account_id }
+    end
+
+    def oauth_grants_resource_owner_columns
+      [oauth_grants_account_id_column]
+    end
+
     def try_approval_prompt
       approval_prompt = param_or_nil("approval_prompt")
 
       return unless approval_prompt && approval_prompt == "auto"
 
-      return if db[oauth_grants_table].where(
-        oauth_grants_account_id_column => account_id,
+      return if db[oauth_grants_table].where(resource_owner_params).where(
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_grants_redirect_uri_column => redirect_uri,
         oauth_grants_scopes_column => scopes.join(oauth_scope_separator),

data/lib/rodauth/features/oauth_base.rb

@@ -762,31 +762,31 @@ module Rodauth
         throw_json_response_error(status_code, error_code)
       else
         redirect_url = URI.parse(redirect_url)
-        query_params = []
+        params = []
 
-        query_params << if respond_to?(:"oauth_#{error_code}_error_code")
-                          ["error", send(:"oauth_#{error_code}_error_code")]
-                        else
-                          ["error", error_code]
-                        end
+        params << if respond_to?(:"oauth_#{error_code}_error_code")
+                    ["error", send(:"oauth_#{error_code}_error_code")]
+                  else
+                    ["error", error_code]
+                  end
 
         if respond_to?(:"oauth_#{error_code}_message")
           message = send(:"oauth_#{error_code}_message")
-          query_params << ["error_description", CGI.escape(message)]
+          params << ["error_description", CGI.escape(message)]
         end
 
         state = param_or_nil("state")
 
-        query_params << ["state", state] if state
+        params << ["state", state] if state
 
-        _redirect_response_error(redirect_url, query_params)
+        _redirect_response_error(redirect_url, params)
       end
     end
 
-    def _redirect_response_error(redirect_url, query_params)
-      query_params = query_params.map { |k, v| "#{k}=#{v}" }
-      query_params << redirect_url.query if redirect_url.query
-      redirect_url.query = query_params.join("&")
+    def _redirect_response_error(redirect_url, params)
+      params = params.map { |k, v| "#{k}=#{v}" }
+      params << redirect_url.query if redirect_url.query
+      redirect_url.query = params.join("&")
       redirect(redirect_url.to_s)
     end
 
@@ -841,10 +841,10 @@ module Rodauth
       throw_json_response_error(oauth_authorization_required_error_status, "invalid_client")
     end
 
-    def check_valid_scopes?
-      return false unless scopes
+    def check_valid_scopes?(scp = scopes)
+      return false unless scp
 
-      (scopes - oauth_application[oauth_applications_scopes_column].split(oauth_scope_separator)).empty?
+      (scp - oauth_application[oauth_applications_scopes_column].split(oauth_scope_separator)).empty?
     end
 
     def check_valid_uri?(uri)

data/lib/rodauth/features/oauth_device_code_grant.rb

@@ -193,9 +193,8 @@ module Rodauth
 
       # do not clean up device code just yet
       update_params.delete(oauth_grants_code_column)
-
       update_params[oauth_grants_user_code_column] = nil
-      update_params[oauth_grants_account_id_column] = account_id
+      update_params.merge!(resource_params)
 
       super(grant_params, update_params)
     end