rodauth-oauth 1.1.0 → 1.3.0

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -9,16 +9,78 @@ module Rodauth
     before "register"
 
     auth_value_method :oauth_client_registration_required_params, %w[redirect_uris client_name]
+    auth_value_method :oauth_applications_registration_access_token_column, :registration_access_token
+    auth_value_method :registration_client_uri_route, "register"
 
     PROTECTED_APPLICATION_ATTRIBUTES = %w[account_id client_id].freeze
 
+    def load_registration_client_uri_routes
+      request.on(registration_client_uri_route) do
+        # CLIENT REGISTRATION URI
+        request.on(String) do |client_id|
+          (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]))
+
+          next unless token
+
+          oauth_application = db[oauth_applications_table]
+                              .where(oauth_applications_client_id_column => client_id)
+                              .first
+          next unless oauth_application
+
+          authorization_required unless password_hash_match?(oauth_application[oauth_applications_registration_access_token_column], token)
+
+          request.is do
+            request.get do
+              json_response_oauth_application(oauth_application)
+            end
+            request.on method: :put do
+              %w[client_id registration_access_token registration_client_uri client_secret_expires_at
+                 client_id_issued_at].each do |prohibited_param|
+                if request.params.key?(prohibited_param)
+                  register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(prohibited_param))
+                end
+              end
+              validate_client_registration_params
+
+              # if the client includes the "client_secret" field in the request, the value of this field MUST match the currently
+              # issued client secret for that client.  The client MUST NOT be allowed to overwrite its existing client secret with
+              # its own chosen value.
+              authorization_required if request.params.key?("client_secret") && secret_matches?(oauth_application,
+                                                                                                request.params["client_secret"])
+
+              oauth_application = transaction do
+                applications_ds = db[oauth_applications_table]
+                __update_and_return__(applications_ds, @oauth_application_params)
+              end
+              json_response_oauth_application(oauth_application)
+            end
+
+            request.on method: :delete do
+              applications_ds = db[oauth_applications_table]
+              applications_ds.where(oauth_applications_client_id_column => client_id).delete
+              response.status = 204
+              response["Cache-Control"] = "no-store"
+              response["Pragma"] = "no-cache"
+              response.finish
+            end
+          end
+        end
+      end
+    end
+
     # /register
     auth_server_route(:register) do |r|
       before_register_route
 
-      validate_client_registration_params
-
       r.post do
+        oauth_client_registration_required_params.each do |required_param|
+          unless request.params.key?(required_param)
+            register_throw_json_response_error("invalid_client_metadata", register_required_param_message(required_param))
+          end
+        end
+
+        validate_client_registration_params
+
         response_params = transaction do
           before_register
           do_register
@@ -56,14 +118,8 @@ module Rodauth
       }
     end
 
-    def validate_client_registration_params
-      oauth_client_registration_required_params.each do |required_param|
-        unless request.params.key?(required_param)
-          register_throw_json_response_error("invalid_client_metadata", register_required_param_message(required_param))
-        end
-      end
-
-      @oauth_application_params = request.params.each_with_object({}) do |(key, value), params|
+    def validate_client_registration_params(request_params = request.params)
+      @oauth_application_params = request_params.each_with_object({}) do |(key, value), params|
         case key
         when "redirect_uris"
           if value.is_a?(Array)
@@ -96,7 +152,7 @@ module Rodauth
           key = oauth_applications_grant_types_column
         when "response_types"
           if value.is_a?(Array)
-            grant_types = request.params["grant_types"] || oauth_grant_types_supported
+            grant_types = request_params["grant_types"] || %w[authorization_code]
             value = value.each do |response_type|
               unless oauth_response_types_supported.include?(response_type)
                 register_throw_json_response_error("invalid_client_metadata",
@@ -114,9 +170,9 @@ module Rodauth
           register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(value)) unless check_valid_uri?(value)
           case key
           when "client_uri"
-            key = "homepage_url"
+            key = oauth_applications_homepage_url_column
           when "jwks_uri"
-            if request.params.key?("jwks")
+            if request_params.key?("jwks")
               register_throw_json_response_error("invalid_client_metadata",
                                                  register_invalid_jwks_param_message(key, "jwks"))
             end
@@ -124,7 +180,7 @@ module Rodauth
           key = __send__(:"oauth_applications_#{key}_column")
         when "jwks"
           register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(Hash)
-          if request.params.key?("jwks_uri")
+          if request_params.key?("jwks_uri")
             register_throw_json_response_error("invalid_client_metadata",
                                                register_invalid_jwks_param_message(key, "jwks_uri"))
           end
@@ -132,6 +188,7 @@ module Rodauth
           key = oauth_applications_jwks_column
           value = JSON.dump(value)
         when "scope"
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(String)
           scopes = value.split(" ") - oauth_application_scopes
           register_throw_json_response_error("invalid_client_metadata", register_invalid_scopes_message(value)) unless scopes.empty?
           key = oauth_applications_scopes_column
@@ -141,7 +198,37 @@ module Rodauth
           value = value.join(" ")
           key = oauth_applications_contacts_column
         when "client_name"
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(String)
           key = oauth_applications_name_column
+        when "require_pushed_authorization_requests"
+          unless respond_to?(:oauth_applications_require_pushed_authorization_requests_column)
+            register_throw_json_response_error("invalid_client_metadata",
+                                               register_invalid_param_message(key))
+          end
+          request_params[key] = value = convert_to_boolean(key, value)
+
+          key = oauth_applications_require_pushed_authorization_requests_column
+        when "tls_client_certificate_bound_access_tokens"
+          property = :oauth_applications_tls_client_certificate_bound_access_tokens_column
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key)) unless respond_to?(property)
+
+          request_params[key] = value = convert_to_boolean(key, value)
+
+          key = oauth_applications_tls_client_certificate_bound_access_tokens_column
+        when /\Atls_client_auth_/
+          unless respond_to?(:"oauth_applications_#{key}_column")
+            register_throw_json_response_error("invalid_client_metadata",
+                                               register_invalid_param_message(key))
+          end
+
+          #  client using the tls_client_auth authentication method MUST use exactly one of the below metadata
+          # parameters to indicate the certificate subject value that the authorization server is to expect when
+          # authenticating the respective client.
+          if params.any? { |k, _| k.to_s.start_with?("tls_client_auth_") }
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
+          end
+
+          key = __send__(:"oauth_applications_#{key}_column")
         else
           if respond_to?(:"oauth_applications_#{key}_column")
             if PROTECTED_APPLICATION_ATTRIBUTES.include?(key)
@@ -183,42 +270,60 @@ module Rodauth
 
       # set defaults
       create_params = @oauth_application_params
+
+      # If omitted, an authorization server MAY register a client with a default set of scopes
       create_params[oauth_applications_scopes_column] ||= return_params["scopes"] = oauth_application_scopes.join(" ")
+
+      # https://datatracker.ietf.org/doc/html/rfc7591#section-2
       if create_params[oauth_applications_grant_types_column] ||= begin
+        # If omitted, the default behavior is that the client will use only the "authorization_code" Grant Type.
         return_params["grant_types"] = %w[authorization_code] # rubocop:disable Lint/AssignmentInCondition
         "authorization_code"
       end
         create_params[oauth_applications_token_endpoint_auth_method_column] ||= begin
+          # If unspecified or omitted, the default is "client_secret_basic", denoting the HTTP Basic
+          # authentication scheme as specified in Section 2.3.1 of OAuth 2.0.
           return_params["token_endpoint_auth_method"] = "client_secret_basic"
           "client_secret_basic"
         end
       end
       create_params[oauth_applications_response_types_column] ||= begin
+        # If omitted, the default is that the client will use only the "code" response type.
         return_params["response_types"] = %w[code]
         "code"
       end
       rescue_from_uniqueness_error do
-        client_id = oauth_unique_id_generator
-        create_params[oauth_applications_client_id_column] = client_id
-        return_params["client_id"] = client_id
-        return_params["client_id_issued_at"] = Time.now.utc.iso8601
-        if create_params.key?(oauth_applications_client_secret_column)
-          set_client_secret(create_params, create_params[oauth_applications_client_secret_column])
-          return_params.delete("client_secret")
-        else
-          client_secret = oauth_unique_id_generator
-          set_client_secret(create_params, client_secret)
-          return_params["client_secret"] = client_secret
-          return_params["client_secret_expires_at"] = 0
-
-          create_params.delete_if { |k, _| !application_columns.include?(k) }
-        end
+        initialize_register_params(create_params, return_params)
+        create_params.delete_if { |k, _| !application_columns.include?(k) }
         applications_ds.insert(create_params)
       end
 
       return_params
     end
 
+    def initialize_register_params(create_params, return_params)
+      client_id = oauth_unique_id_generator
+      create_params[oauth_applications_client_id_column] = client_id
+      return_params["client_id"] = client_id
+      return_params["client_id_issued_at"] = Time.now.utc.iso8601
+
+      registration_access_token = oauth_unique_id_generator
+      create_params[oauth_applications_registration_access_token_column] = secret_hash(registration_access_token)
+      return_params["registration_access_token"] = registration_access_token
+      return_params["registration_client_uri"] = "#{base_url}/#{registration_client_uri_route}/#{return_params['client_id']}"
+
+      if create_params.key?(oauth_applications_client_secret_column)
+        set_client_secret(create_params, create_params[oauth_applications_client_secret_column])
+        return_params.delete("client_secret")
+      else
+        client_secret = oauth_unique_id_generator
+        set_client_secret(create_params, client_secret)
+        return_params["client_secret"] = client_secret
+        return_params["client_secret_expires_at"] = 0
+
+      end
+    end
+
     def register_throw_json_response_error(code, message)
       throw_json_response_error(oauth_invalid_response_status, code, message)
     end
@@ -264,6 +369,54 @@ module Rodauth
         "type '#{response_type}' to be allowed."
     end
 
+    def convert_to_boolean(key, value)
+      case value
+      when "true" then true
+      when "false" then false
+      else
+        register_throw_json_response_error(
+          "invalid_client_metadata",
+          register_invalid_param_message(key)
+        )
+      end
+    end
+
+    def json_response_oauth_application(oauth_application)
+      params = methods.map { |k| k.to_s[/\Aoauth_applications_(\w+)_column\z/, 1] }.compact
+
+      body = params.each_with_object({}) do |k, hash|
+        next if %w[id account_id client_id client_secret cliennt_secret_hash].include?(k)
+
+        value = oauth_application[__send__(:"oauth_applications_#{k}_column")]
+
+        next unless value
+
+        case k
+        when "redirect_uri"
+          hash["redirect_uris"] = value.split(" ")
+        when "token_endpoint_auth_method", "grant_types", "response_types", "request_uris", "post_logout_redirect_uris"
+          hash[k] = value.split(" ")
+        when "scopes"
+          hash["scope"] = value
+        when "jwks"
+          hash[k] = value.is_a?(String) ? JSON.parse(value) : value
+        when "homepage_url"
+          hash["client_uri"] = value
+        when "name"
+          hash["client_name"] = value
+        else
+          hash[k] = value
+        end
+      end
+
+      response.status = 200
+      response["Content-Type"] ||= json_response_content_type
+      response["Cache-Control"] = "no-store"
+      response["Pragma"] = "no-cache"
+      json_payload = _json_response_body(body)
+      return_response(json_payload)
+    end
+
     def oauth_server_metadata_body(*)
       super.tap do |data|
         data[:registration_endpoint] = register_url

data/lib/rodauth/features/oauth_implicit_grant.rb

@@ -20,6 +20,24 @@ module Rodauth
 
     private
 
+    def validate_authorize_params
+      super
+
+      response_mode = param_or_nil("response_mode")
+
+      return unless response_mode
+
+      response_type = param_or_nil("response_type")
+
+      return unless response_type == "token"
+
+      redirect_response_error("invalid_request") unless oauth_response_modes_for_token_supported.include?(response_mode)
+    end
+
+    def oauth_response_modes_for_token_supported
+      %w[fragment]
+    end
+
     def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       response_type = param("response_type")
       return super unless response_type == "token" && supported_response_type?(response_type)
@@ -42,19 +60,19 @@ module Rodauth
         oauth_grants_type_column => "implicit",
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_grants_scopes_column => scopes,
-        oauth_grants_account_id_column => account_id
+        **resource_owner_params
       }.merge(grant_params)
 
       generate_token(grant_params, false)
     end
 
-    def _redirect_response_error(redirect_url, query_params)
+    def _redirect_response_error(redirect_url, params)
       response_types = param("response_type").split(/ +/)
 
       return super if response_types.empty? || response_types == %w[code]
 
-      query_params = query_params.map { |k, v| "#{k}=#{v}" }
-      redirect_url.fragment = query_params.join("&")
+      params = params.map { |k, v| "#{k}=#{v}" }
+      redirect_url.fragment = params.join("&")
       redirect(redirect_url.to_s)
     end
 
@@ -62,7 +80,7 @@ module Rodauth
       return super unless mode == "fragment"
 
       redirect_url = URI.parse(redirect_uri)
-      params = params.map { |k, v| "#{k}=#{v}" }
+      params = [URI.encode_www_form(params)]
       params << redirect_url.query if redirect_url.query
       redirect_url.fragment = params.join("&")
       redirect(redirect_url.to_s)

data/lib/rodauth/features/oauth_jwt.rb

@@ -9,6 +9,8 @@ module Rodauth
 
     auth_value_method :oauth_jwt_access_tokens, true
 
+    auth_value_methods(:jwt_claims)
+
     def require_oauth_authorization(*scopes)
       return super unless oauth_jwt_access_tokens
 

data/lib/rodauth/features/oauth_jwt_base.rb

@@ -24,7 +24,8 @@ module Rodauth
       :jwt_decode_no_key,
       :generate_jti,
       :oauth_jwt_issuer,
-      :oauth_jwt_audience
+      :oauth_jwt_audience,
+      :resource_owner_params_from_jwt_claims
     )
 
     private
@@ -70,6 +71,10 @@ module Rodauth
       client_application[oauth_applications_client_id_column]
     end
 
+    def resource_owner_params_from_jwt_claims(claims)
+      { oauth_grants_account_id_column => claims["sub"] }
+    end
+
     def oauth_server_metadata_body(path = nil)
       metadata = super
       metadata.merge! \
@@ -81,14 +86,6 @@ module Rodauth
       @_jwt_key ||= (oauth_application_jwks(oauth_application) if oauth_application)
     end
 
-    def _jwt_public_key
-      @_jwt_public_key ||= if oauth_application
-                             oauth_application_jwks(oauth_application)
-                           else
-                             _jwt_key
-                           end
-    end
-
     # Resource Server only!
     #
     # returns the jwks set from the authorization server.
@@ -152,10 +149,28 @@ module Rodauth
         A128GCM A256GCM A128CBC-HS256 A256CBC-HS512
       ]
 
-      def jwk_export(key)
+      def key_to_jwk(key)
         JSON::JWK.new(key)
       end
 
+      def jwk_export(key)
+        key_to_jwk(key)
+      end
+
+      def jwk_import(jwk)
+        JSON::JWK.new(jwk)
+      end
+
+      def jwk_key(jwk)
+        jwk = jwk_import(jwk) unless jwk.is_a?(JSON::JWK)
+        jwk.to_key
+      end
+
+      def jwk_thumbprint(jwk)
+        jwk = jwk_import(jwk) if jwk.is_a?(Hash)
+        jwk.thumbprint
+      end
+
       def jwt_encode(payload,
                      jwks: nil,
                      encryption_algorithm: oauth_jwt_jwe_keys.keys.dig(0, 0),
@@ -287,8 +302,26 @@ module Rodauth
         auth_value_method :oauth_jwt_jwe_encryption_methods_supported, []
       end
 
+      def key_to_jwk(key)
+        JWT::JWK.new(key)
+      end
+
       def jwk_export(key)
-        JWT::JWK.new(key).export
+        key_to_jwk(key).export
+      end
+
+      def jwk_import(jwk)
+        JWT::JWK.import(jwk)
+      end
+
+      def jwk_key(jwk)
+        jwk = jwk_import(jwk) unless jwk.is_a?(JWT::JWK)
+        jwk.keypair
+      end
+
+      def jwk_thumbprint(jwk)
+        jwk = jwk_import(jwk) if jwk.is_a?(Hash)
+        JWT::JWK::Thumbprint.new(jwk).generate
       end
 
       def jwt_encode(payload,
@@ -445,6 +478,14 @@ module Rodauth
         raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
       end
 
+      def jwk_import(_jwk)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
+
+      def jwk_thumbprint(_jwk)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
+
       def jwt_encode(_token)
         raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
       end

data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb

@@ -46,28 +46,7 @@ module Rodauth
         request_object = response.body
       end
 
-      request_sig_enc_opts = {
-        jws_algorithm: oauth_application[oauth_applications_request_object_signing_alg_column],
-        jws_encryption_algorithm: oauth_application[oauth_applications_request_object_encryption_alg_column],
-        jws_encryption_method: oauth_application[oauth_applications_request_object_encryption_enc_column]
-      }.compact
-
-      request_sig_enc_opts[:jws_algorithm] ||= "none" if oauth_request_object_signing_alg_allow_none
-
-      if request_sig_enc_opts[:jws_algorithm] == "none"
-        jwks = nil
-      elsif (jwks = oauth_application_jwks(oauth_application))
-        jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
-      else
-        redirect_response_error("invalid_request_object")
-      end
-
-      claims = jwt_decode(request_object,
-                          jwks: jwks,
-                          verify_jti: false,
-                          verify_iss: false,
-                          verify_aud: false,
-                          **request_sig_enc_opts)
+      claims = decode_request_object(request_object)
 
       redirect_response_error("invalid_request_object") unless claims
 
@@ -105,6 +84,35 @@ module Rodauth
       request_uris.nil? || request_uris.split(oauth_scope_separator).one? { |uri| request_uri.start_with?(uri) }
     end
 
+    def decode_request_object(request_object)
+      request_sig_enc_opts = {
+        jws_algorithm: oauth_application[oauth_applications_request_object_signing_alg_column],
+        jws_encryption_algorithm: oauth_application[oauth_applications_request_object_encryption_alg_column],
+        jws_encryption_method: oauth_application[oauth_applications_request_object_encryption_enc_column]
+      }.compact
+
+      request_sig_enc_opts[:jws_algorithm] ||= "none" if oauth_request_object_signing_alg_allow_none
+
+      if request_sig_enc_opts[:jws_algorithm] == "none"
+        jwks = nil
+      elsif (jwks = oauth_application_jwks(oauth_application))
+        jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
+      else
+        redirect_response_error("invalid_request_object")
+      end
+
+      claims = jwt_decode(request_object,
+                          jwks: jwks,
+                          verify_jti: false,
+                          verify_iss: false,
+                          verify_aud: false,
+                          **request_sig_enc_opts)
+
+      redirect_response_error("invalid_request_object") unless claims
+
+      claims
+    end
+
     def oauth_server_metadata_body(*)
       super.tap do |data|
         data[:request_parameter_supported] = true

data/lib/rodauth/features/oauth_jwt_secured_authorization_response_mode.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oauth_jwt_secured_authorization_response_mode, :OauthJwtSecuredAuthorizationResponseMode) do
+    depends :oauth_authorize_base, :oauth_jwt_base
+
+    auth_value_method :oauth_authorization_response_mode_expires_in, 60 * 5 # 5 minutes
+
+    auth_value_method :oauth_applications_authorization_signed_response_alg_column, :authorization_signed_response_alg
+    auth_value_method :oauth_applications_authorization_encrypted_response_alg_column, :authorization_encrypted_response_alg
+    auth_value_method :oauth_applications_authorization_encrypted_response_enc_column, :authorization_encrypted_response_enc
+
+    auth_value_methods(
+      :authorization_signing_alg_values_supported,
+      :authorization_encryption_alg_values_supported,
+      :authorization_encryption_enc_values_supported
+    )
+
+    def oauth_response_modes_supported
+      jwt_response_modes = %w[jwt]
+      jwt_response_modes.push("query.jwt", "form_post.jwt") if features.include?(:oauth_authorization_code_grant)
+      jwt_response_modes << "fragment.jwt" if features.include?(:oauth_implicit_grant)
+
+      super | jwt_response_modes
+    end
+
+    def authorization_signing_alg_values_supported
+      oauth_jwt_jws_algorithms_supported
+    end
+
+    def authorization_encryption_alg_values_supported
+      oauth_jwt_jwe_algorithms_supported
+    end
+
+    def authorization_encryption_enc_values_supported
+      oauth_jwt_jwe_encryption_methods_supported
+    end
+
+    private
+
+    def oauth_response_modes_for_code_supported
+      return [] unless features.include?(:oauth_authorization_code_grant)
+
+      super | %w[query.jwt form_post.jwt jwt]
+    end
+
+    def oauth_response_modes_for_token_supported
+      return [] unless features.include?(:oauth_implicit_grant)
+
+      super | %w[fragment.jwt jwt]
+    end
+
+    def authorize_response(params, mode)
+      return super unless mode.end_with?("jwt")
+
+      response_type = param_or_nil("response_type")
+
+      redirect_url = URI.parse(redirect_uri)
+
+      jwt = jwt_encode_authorization_response_mode(params)
+
+      if mode == "query.jwt" || (mode == "jwt" && response_type == "code")
+        return super unless features.include?(:oauth_authorization_code_grant)
+
+        params = ["response=#{CGI.escape(jwt)}"]
+        params << redirect_url.query if redirect_url.query
+        redirect_url.query = params.join("&")
+        redirect(redirect_url.to_s)
+      elsif mode == "form_post.jwt"
+        return super unless features.include?(:oauth_authorization_code_grant)
+
+        response["Content-Type"] = "text/html"
+        body = form_post_response_html(redirect_url) do
+          "<input type=\"hidden\" name=\"response\" value=\"#{scope.h(jwt)}\" />"
+        end
+        response.write(body)
+        request.halt
+      elsif mode == "fragment.jwt" || (mode == "jwt" && response_type == "token")
+        return super unless features.include?(:oauth_implicit_grant)
+
+        params = ["response=#{CGI.escape(jwt)}"]
+        params << redirect_url.query if redirect_url.query
+        redirect_url.fragment = params.join("&")
+        redirect(redirect_url.to_s)
+      else
+        super
+      end
+    end
+
+    def _redirect_response_error(redirect_url, params)
+      response_mode = param_or_nil("response_mode")
+      return super unless response_mode.end_with?("jwt")
+
+      authorize_response(Hash[params], response_mode)
+    end
+
+    def jwt_encode_authorization_response_mode(params)
+      now = Time.now.to_i
+      claims = {
+        iss: oauth_jwt_issuer,
+        aud: oauth_application[oauth_applications_client_id_column],
+        exp: now + oauth_authorization_response_mode_expires_in,
+        iat: now
+      }.merge(params)
+
+      encode_params = {
+        jwks: oauth_application_jwks(oauth_application),
+        signing_algorithm: oauth_application[oauth_applications_authorization_signed_response_alg_column],
+        encryption_algorithm: oauth_application[oauth_applications_authorization_encrypted_response_alg_column],
+        encryption_method: oauth_application[oauth_applications_authorization_encrypted_response_enc_column]
+      }.compact
+
+      jwt_encode(claims, **encode_params)
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:authorization_signing_alg_values_supported] = authorization_signing_alg_values_supported
+        data[:authorization_encryption_alg_values_supported] = authorization_encryption_alg_values_supported
+        data[:authorization_encryption_enc_values_supported] = authorization_encryption_enc_values_supported
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_management_base.rb

@@ -23,9 +23,7 @@ module Rodauth
       classes += " disabled" if current || !page
       classes += " active" if current
       if page
-        params = request.GET.merge("page" => page).map do |k, v|
-          v ? "#{CGI.escape(String(k))}=#{CGI.escape(String(v))}" : CGI.escape(String(k))
-        end.join("&")
+        params = URI.encode_www_form(request.GET.merge("page" => page))
 
         href = "#{request.path}?#{params}"