rodauth-oauth 1.1.0 → 1.3.0

data/lib/rodauth/features/oidc_rp_initiated_logout.rb

@@ -36,10 +36,9 @@ module Rodauth
 
             oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["aud"]).first
             oauth_grant = db[oauth_grants_table]
-                          .where(
-                            oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-                            oauth_grants_account_id_column => account_id
-                          ).first
+                          .where(resource_owner_params)
+                          .where(oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column])
+                          .first
 
             # check whether ID token belongs to currently logged-in user
             redirect_logout_with_error(oauth_invalid_client_message) unless oauth_grant && claims["sub"] == jwt_subject(oauth_grant,

data/lib/rodauth/features/oidc_self_issued.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oidc_self_issued, :OidcSelfIssued) do
+    depends :oidc, :oidc_dynamic_client_registration
+
+    auth_value_method :oauth_application_scopes, %w[openid profile email address phone]
+    auth_value_method :oauth_jwt_jws_algorithms_supported, %w[RS256]
+
+    SELF_ISSUED_DEFAULT_APPLICATION_PARAMS = {
+      "scope" => "openid profile email address phone",
+      "response_types" => ["id_token"],
+      "subject_type" => "pairwise",
+      "id_token_signed_response_alg" => "RS256",
+      "request_object_signing_alg" => "RS256",
+      "grant_types" => %w[implicit]
+    }.freeze
+
+    def oauth_application
+      return @oauth_application if defined?(@oauth_application)
+
+      return super unless (registration = param_or_nil("registration"))
+
+      # self-issued!
+      redirect_uri = param_or_nil("client_id")
+
+      registration_params = JSON.parse(registration)
+
+      registration_params = SELF_ISSUED_DEFAULT_APPLICATION_PARAMS.merge(registration_params)
+
+      client_params = validate_client_registration_params(registration_params)
+
+      request.params["redirect_uri"] = client_params[oauth_applications_client_id_column] = redirect_uri
+      client_params[oauth_applications_redirect_uri_column] ||= redirect_uri
+
+      @oauth_application = client_params
+    end
+
+    private
+
+    def oauth_response_types_supported
+      %w[id_token]
+    end
+
+    def request_object_signing_alg_values_supported
+      %w[none RS256]
+    end
+
+    def id_token_claims(oauth_grant, signing_algorithm)
+      claims = super
+
+      return claims unless claims[:client_id] == oauth_grant[oauth_grants_redirect_uri_column]
+
+      # https://openid.net/specs/openid-connect-core-1_0.html#SelfIssued - 7.4
+
+      pub_key = oauth_jwt_public_keys[signing_algorithm]
+      pub_key = pub_key.first if pub_key.is_a?(Array)
+      claims[:sub_jwk] = sub_jwk = jwk_export(pub_key)
+
+      claims[:iss] = "https://self-issued.me"
+
+      claims[:aud] = oauth_grant[oauth_grants_redirect_uri_column]
+
+      jwk_thumbprint = jwk_thumbprint(sub_jwk)
+
+      claims[:sub] = Base64.urlsafe_encode64(jwk_thumbprint, padding: false)
+
+      claims
+    end
+  end
+end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "1.1.0"
+    VERSION = "1.3.0"
   end
 end

data/templates/authorize.str

@@ -88,6 +88,7 @@
     #{"<input type=\"hidden\" name=\"claims_locales\" value=\"#{rodauth.param("claims_locales")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("claims_locales")}
     #{"<input type=\"hidden\" name=\"claims\" value=\"#{h(rodauth.param("claims"))}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("claims")}
     #{"<input type=\"hidden\" name=\"acr_values\" value=\"#{rodauth.param("acr_values")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("acr_values")}
+    #{"<input type=\"hidden\" name=\"registration\" value=\"#{h(rodauth.param("registration"))}\"/>" if rodauth.features.include?(:oidc_self_issued) && rodauth.param_or_nil("registration")}
     #{
       if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators
         rodauth.resource_indicators.map do |resource|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-10 00:00:00.000000000 Z
+date: 2023-04-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -68,6 +68,8 @@ extra_rdoc_files:
 - doc/release_notes/0_9_3.md
 - doc/release_notes/1_0_0.md
 - doc/release_notes/1_1_0.md
+- doc/release_notes/1_2_0.md
+- doc/release_notes/1_3_0.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -107,6 +109,8 @@ files:
 - doc/release_notes/0_9_3.md
 - doc/release_notes/1_0_0.md
 - doc/release_notes/1_1_0.md
+- doc/release_notes/1_2_0.md
+- doc/release_notes/1_3_0.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -136,16 +140,20 @@ files:
 - lib/rodauth/features/oauth_jwt_bearer_grant.rb
 - lib/rodauth/features/oauth_jwt_jwks.rb
 - lib/rodauth/features/oauth_jwt_secured_authorization_request.rb
+- lib/rodauth/features/oauth_jwt_secured_authorization_response_mode.rb
 - lib/rodauth/features/oauth_management_base.rb
 - lib/rodauth/features/oauth_pkce.rb
+- lib/rodauth/features/oauth_pushed_authorization_request.rb
 - lib/rodauth/features/oauth_resource_indicators.rb
 - lib/rodauth/features/oauth_resource_server.rb
 - lib/rodauth/features/oauth_saml_bearer_grant.rb
+- lib/rodauth/features/oauth_tls_client_auth.rb
 - lib/rodauth/features/oauth_token_introspection.rb
 - lib/rodauth/features/oauth_token_revocation.rb
 - lib/rodauth/features/oidc.rb
 - lib/rodauth/features/oidc_dynamic_client_registration.rb
 - lib/rodauth/features/oidc_rp_initiated_logout.rb
+- lib/rodauth/features/oidc_self_issued.rb
 - lib/rodauth/oauth.rb
 - lib/rodauth/oauth/database_extensions.rb
 - lib/rodauth/oauth/http_extensions.rb