rodauth-oauth 1.2.0 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aa95c4db43b0068e5a7c1f8af1d904a26351a007f203be233803bae0ed471f32
-  data.tar.gz: fe0da3df41a98b6411fd20378eb41f22e5c4766cf42fd3061a45d0c6b8606bcf
+  metadata.gz: ac42aa0fb7d65030b403957a408d6d5b1f999614c957ec8176d814030ddb9381
+  data.tar.gz: f67cf98dfdb162d1e015d3930b569756f2a25737a64e68ed36fcf31e2d672be2
 SHA512:
-  metadata.gz: 910bb63ff3a0be7cb035d54ed4eb48916b2137d886523403154d0eefd5d72bdb4375a268e8c94eb8047592bddfb2dd79b7022611243e18902ec33f467450e013
-  data.tar.gz: 332125982a596d3ea0c773c7e84e5a4e4cdeed2bc9de0069f742d9b2a10de0b2182fcaea69c658fefe88b1a67e4c8b81c2dbafa3dc4c155d0100a64b1d444bb9
+  metadata.gz: e86da1d43f30dfb18e1ae530dc5b1cc9cf69903d32a39bade2dc5881075140d79ef5644159ff40b1406b58dfb12197c79d13f683f20b431330d02d452b3cf87e
+  data.tar.gz: ad35b6bc881f1e22f7cb7227115daee9556ebeada9e10b21e8ecfeb9dc0e7a51ddd606ef481f1125064e49d6ee39076bd8bc2043d58d0d103df6a27813a022db

data/README.md

@@ -17,6 +17,7 @@ This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framew
 * Config OP
 * Dynamic OP
 * Form Post OP
+* 3rd Party-Init OP
 
 (it also passes the conformance tests for the RP-Initiated Logout OP).
 
@@ -39,6 +40,7 @@ This gem implements the following RFCs and features of OAuth:
   * `oauth_tls_client_auth` - [Mutual-TLS Client Authentication](https://datatracker.ietf.org/doc/html/rfc8705);
   * `oauth_jwt` - [JWT Access Tokens](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07);
   * `oauth_jwt_secured_authorization_request` - [JWT Secured Authorization Request](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
+  * `oauth_jwt_secured_authorization_response_mode` - [JWT Secured Authorization Response_mode](https://openid.net/specs/openid-financial-api-jarm.html);
   * `oauth_resource_indicators` - [Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707);
   * Access Type (Token refresh online and offline);
 * `oauth_http_mac` - [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);

data/doc/release_notes/1_1_0.md

@@ -1,4 +1,4 @@
-## 1.0.0 (10/01/2023)
+## 1.1.0 (10/01/2023)
 
 ## Features
 

data/doc/release_notes/1_3_0.md

@@ -0,0 +1,38 @@
+## 1.3.0 (02/04/2023)
+
+## Features
+
+### Self-Signed Issued Tokens
+
+`rodauth-oauth` supports self-signed issued tokens, via the `oidc_self_issued` feature.
+
+More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/Self-Issued-OpenID).
+
+#### JARM
+
+`rodauth-oauth` supports JWT-secured Authorization Response Mode, also known as JARM, via the `oauth_jwt_secured_authorization_response_mode`.
+
+More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/JWT-Secured-Authorization-Response-Mode).
+
+## Improvements
+
+### `fill_with_account_claims` auth method
+
+`fill_with_account_claims` is now exposed as an auth method. This allows one to override to be able to cover certain requirements, such as aggregated and distributed claims. Here's a [link to the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/Id-Token-Authentication#claim-types) explaining how to do it.
+
+### oidc: only generate refresh token when `offline_access` scope is used.
+
+When the `oidc` feature is used, refresh tokens won't be generated anymore by default; in order to do so, the `offline_access` needs to be requested for in the respective authorization request, [as the spec mandates](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess).
+
+### oidc: implicit grant loaded by default
+
+The `oidc` feature now loads the `oauth_implicit_grant` feature by default. This hadn't been done before due to the wish to ship a secure integration by default, but since then, spec compliance became more prioritary, and this is a requirement.
+
+## Bugfixes
+
+* rails integration: activerecord migrations fixes:
+  * use `bigint` for foreign keys;
+  * index creation instruction with the wrong syntax;
+  * set precision 6 for default timestamps, to comply with AR defaults;
+  * add missing `code` column to the `oauth_pushed_requests` table;
+* oidc: when using the `id_token` , or any composite response type including `id_token`, using any response mode other than `fragment` will result in an invalid request.

data/doc/release_notes/1_3_1.md

@@ -0,0 +1,10 @@
+### 1.3.1 (27/06/2023)
+
+#### Bugfixes
+
+* Set 401 error response when `client_id` parameter is invalid, or from an unexisting client application, instead of failing with a 500 (@igor-alexandrov).
+* update rails authorize form to use roda request params instead, as plain params was breaking JAR and PAR-based authorize forms in rails applications.
+
+#### Chore
+
+* set `:padding` to `false` in `Base64.urlsafe_encode64` calls (@felipe.zavan)

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -37,10 +37,10 @@
         </div>
       <% end %>
     <% end %>
-    <%= hidden_field_tag :client_id, params[:client_id] %>
-    <% %i[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
-      <% if params[oauth_param] %>
-        <%= hidden_field_tag oauth_param,  params[oauth_param] %>
+    <%= hidden_field_tag :client_id, rodauth.raw_param("client_id") %>
+    <% %w[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
+      <% if rodauth.raw_param(oauth_param) %>
+        <%= hidden_field_tag oauth_param, rodauth.raw_param(oauth_param) %>
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators %>
@@ -49,36 +49,39 @@
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oauth_pkce) %>
-      <% if params[:code_challenge] %>
-        <%= hidden_field_tag :code_challenge,  params[:code_challenge] %>
+      <% if rodauth.raw_param("code_challenge") %>
+        <%= hidden_field_tag :code_challenge, rodauth.raw_param("code_challenge") %>
       <% end %>
-      <% if params[:code_challenge_method] %>
-        <%= hidden_field_tag :code_challenge_method,  params[:code_challenge_method] %>
+      <% if rodauth.raw_param("code_challenge_method") %>
+        <%= hidden_field_tag :code_challenge_method, rodauth.raw_param("code_challenge_method") %>
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oidc) %>
-      <% if params[:prompt] %>
-        <%= hidden_field_tag :prompt,  params[:prompt] %>
+      <% if rodauth.raw_param("prompt") %>
+        <%= hidden_field_tag :prompt, rodauth.raw_param("prompt") %>
       <% end %>
-      <% if params[:nonce] %>
-        <%= hidden_field_tag :nonce,  params[:nonce] %>
+      <% if rodauth.raw_param("nonce") %>
+        <%= hidden_field_tag :nonce, rodauth.raw_param("nonce") %>
       <% end %>
-      <% if params[:ui_locales] %>
-        <%= hidden_field_tag :ui_locales,  params[:ui_locales] %>
+      <% if rodauth.raw_param("ui_locales") %>
+        <%= hidden_field_tag :ui_locales, rodauth.raw_param("ui_locales") %>
       <% end %>
-      <% if params[:claims_locales] %>
-        <%= hidden_field_tag :claims_locales,  params[:claims_locales] %>
+      <% if rodauth.raw_param("claims_locales") %>
+        <%= hidden_field_tag :claims_locales, rodauth.raw_param("claims_locales") %>
       <% end %>
-      <% if params[:claims] %>
-        <%= hidden_field_tag :claims,  sanitize(params[:claims]) %>
+      <% if rodauth.raw_param("claims") %>
+        <%= hidden_field_tag :claims, sanitize(rodauth.raw_param("claims")) %>
       <% end %>
-      <% if params[:acr_values] %>
-        <%= hidden_field_tag :acr_values,  params[:acr_values] %>
+      <% if rodauth.raw_param("acr_values") %>
+        <%= hidden_field_tag :acr_values, rodauth.raw_param("acr_values") %>
+      <% end %>
+      <% if rodauth.raw_param("registration") %>
+        <%= hidden_field_tag :registration, rodauth.raw_param("registration") %>
       <% end %>
     <% end %>
   </div>
  <p class="text-center">
     <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
-    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if params[:state] }", class: "btn btn-outline-danger" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if rodauth.raw_param("state") }", class: "btn btn-outline-danger" %>
   </p>
 <% end %>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -1,7 +1,7 @@
 class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_applications do |t|
-      t.integer :account_id
+      t.bigint :account_id
       t.foreign_key :accounts, column: :account_id
       t.string :name, null: false
       t.string :description, null: true
@@ -11,7 +11,7 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :client_secret, null: false, index: { unique: true }
       t.string :registration_access_token, null: true
       t.string :scopes, null: false
-      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP(6)" }
 
       # :oauth_dynamic_client_configuration enabled, extra optional params
       t.string :token_endpoint_auth_method, null: true
@@ -61,20 +61,20 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
     end
 
     create_table :oauth_grants do |t|
-      t.integer :account_id
+      t.bigint :account_id
       t.foreign_key :accounts, column: :account_id
-      t.integer :oauth_application_id
+      t.bigint :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
       t.string :type, null: true
       t.string :code, null: true
       t.index(%i[oauth_application_id code], unique: true)
-      t.string :token, unique: true
-      t.string :refresh_token, unique: true
+      t.string :token, index: { unique: true }
+      t.string :refresh_token, index: { unique: true }
       t.datetime :expires_in, null: false
       t.string :redirect_uri
       t.datetime :revoked_at
       t.string :scopes, null: false
-      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP(6)" }
       t.string :access_type, null: false, default: "offline"
 
       # :oauth_pkce enabled
@@ -82,7 +82,7 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :code_challenge_method
 
       # :oauth_device_code_grant enabled
-      t.string :user_code, null: true, unique: true
+      t.string :user_code, null: true, index: { unique: true }
       t.datetime :last_polled_at, null: true
 
       # :oauth_tls_client_auth
@@ -99,11 +99,12 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
     end
 
     create_table :oauth_pushed_requests do |t|
-      t.integer :oauth_application_id
+      t.bigint :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
+      t.string :code, null: false, index: { unique: true }
       t.string :params, null: false
       t.datetime :expires_in, null: false
       t.index %i[oauth_application_id code], unique: true
     end
   end
-end
+end

data/lib/rodauth/features/oauth_authorization_code_grant.rb

@@ -27,7 +27,19 @@ module Rodauth
 
       response_mode = param_or_nil("response_mode")
 
-      redirect_response_error("invalid_request") if response_mode && !oauth_response_modes_supported.include?(response_mode)
+      return unless response_mode
+
+      redirect_response_error("invalid_request") unless oauth_response_modes_supported.include?(response_mode)
+
+      response_type = param_or_nil("response_type")
+
+      return unless response_type.nil? || response_type == "code"
+
+      redirect_response_error("invalid_request") unless oauth_response_modes_for_code_supported.include?(response_mode)
+    end
+
+    def oauth_response_modes_for_code_supported
+      %w[query form_post]
     end
 
     def validate_token_params
@@ -67,55 +79,65 @@ module Rodauth
       redirect_url = URI.parse(redirect_uri)
       case mode
       when "query"
-        params = params.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }
+        params = [URI.encode_www_form(params)]
         params << redirect_url.query if redirect_url.query
         redirect_url.query = params.join("&")
         redirect(redirect_url.to_s)
       when "form_post"
-        scope.view layout: false, inline: <<-FORM
-          <html>
-            <head><title>Authorized</title></head>
-            <body onload="javascript:document.forms[0].submit()">
-              <form method="post" action="#{redirect_uri}">
-                #{
-                  params.map do |name, value|
-                    "<input type=\"hidden\" name=\"#{scope.h(name)}\" value=\"#{scope.h(value)}\" />"
-                  end.join
-                }
-                <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
-              </form>
-            </body>
-          </html>
-        FORM
+        inline_html = form_post_response_html(redirect_uri) do
+          params.map do |name, value|
+            "<input type=\"hidden\" name=\"#{scope.h(name)}\" value=\"#{scope.h(value)}\" />"
+          end.join
+        end
+        scope.view layout: false, inline: inline_html
       end
     end
 
-    def _redirect_response_error(redirect_url, query_params)
+    def _redirect_response_error(redirect_url, params)
       response_mode = param_or_nil("response_mode") || oauth_response_mode
 
       case response_mode
       when "form_post"
         response["Content-Type"] = "text/html"
-        response.write <<-FORM
-          <html>
-            <head><title></title></head>
-            <body onload="javascript:document.forms[0].submit()">
-              <form method="post" action="#{redirect_uri}">
-                #{
-                  query_params.map do |name, value|
-                    "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
-                  end.join
-                }
-              </form>
-            </body>
-          </html>
-        FORM
+        error_body = form_post_error_response_html(redirect_url) do
+          params.map do |name, value|
+            "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+          end.join
+        end
+        response.write(error_body)
         request.halt
       else
         super
       end
     end
 
+    def form_post_response_html(url)
+      <<-FORM
+        <html>
+          <head><title>Authorized</title></head>
+          <body onload="javascript:document.forms[0].submit()">
+            <form method="post" action="#{url}">
+              #{yield}
+              <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
+            </form>
+          </body>
+        </html>
+      FORM
+    end
+
+    def form_post_error_response_html(url)
+      <<-FORM
+        <html>
+          <head><title></title></head>
+          <body onload="javascript:document.forms[0].submit()">
+            <form method="post" action="#{url}">
+              #{yield}
+            </form>
+          </body>
+        </html>
+      FORM
+    end
+
     def create_token(grant_type)
       return super unless supported_grant_type?(grant_type, "authorization_code")
 

data/lib/rodauth/features/oauth_authorize_base.rb

@@ -92,6 +92,14 @@ module Rodauth
       try_approval_prompt if use_oauth_access_type? && request.get?
 
       redirect_response_error("invalid_scope") if (request.post? || param_or_nil("scope")) && !check_valid_scopes?
+
+      response_mode = param_or_nil("response_mode")
+
+      redirect_response_error("invalid_request") unless response_mode.nil? || oauth_response_modes_supported.include?(response_mode)
+    end
+
+    def check_valid_scopes?(scp = scopes)
+      super(scp - %w[offline_access])
     end
 
     def check_valid_response_type?

data/lib/rodauth/features/oauth_base.rb

@@ -367,7 +367,7 @@ module Rodauth
     end
 
     def require_oauth_application_from_client_secret_basic(token)
-      client_id, client_secret = Base64.decode64(token).split(/:/, 2)
+      client_id, client_secret = Base64.decode64(token).split(":", 2)
       authorization_required unless client_id
       oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
       authorization_required unless supports_auth_method?(oauth_application,
@@ -389,6 +389,8 @@ module Rodauth
     end
 
     def supports_auth_method?(oauth_application, auth_method)
+      return false unless oauth_application
+
       supported_auth_methods = if oauth_application[oauth_applications_token_endpoint_auth_method_column]
                                  oauth_application[oauth_applications_token_endpoint_auth_method_column].split(/ +/)
                                else
@@ -762,31 +764,31 @@ module Rodauth
         throw_json_response_error(status_code, error_code)
       else
         redirect_url = URI.parse(redirect_url)
-        query_params = []
+        params = []
 
-        query_params << if respond_to?(:"oauth_#{error_code}_error_code")
-                          ["error", send(:"oauth_#{error_code}_error_code")]
-                        else
-                          ["error", error_code]
-                        end
+        params << if respond_to?(:"oauth_#{error_code}_error_code")
+                    ["error", send(:"oauth_#{error_code}_error_code")]
+                  else
+                    ["error", error_code]
+                  end
 
         if respond_to?(:"oauth_#{error_code}_message")
           message = send(:"oauth_#{error_code}_message")
-          query_params << ["error_description", CGI.escape(message)]
+          params << ["error_description", CGI.escape(message)]
         end
 
         state = param_or_nil("state")
 
-        query_params << ["state", state] if state
+        params << ["state", state] if state
 
-        _redirect_response_error(redirect_url, query_params)
+        _redirect_response_error(redirect_url, params)
       end
     end
 
-    def _redirect_response_error(redirect_url, query_params)
-      query_params = query_params.map { |k, v| "#{k}=#{v}" }
-      query_params << redirect_url.query if redirect_url.query
-      redirect_url.query = query_params.join("&")
+    def _redirect_response_error(redirect_url, params)
+      params = params.map { |k, v| "#{k}=#{v}" }
+      params << redirect_url.query if redirect_url.query
+      redirect_url.query = params.join("&")
       redirect(redirect_url.to_s)
     end
 
@@ -841,10 +843,10 @@ module Rodauth
       throw_json_response_error(oauth_authorization_required_error_status, "invalid_client")
     end
 
-    def check_valid_scopes?
-      return false unless scopes
+    def check_valid_scopes?(scp = scopes)
+      return false unless scp
 
-      (scopes - oauth_application[oauth_applications_scopes_column].split(oauth_scope_separator)).empty?
+      (scp - oauth_application[oauth_applications_scopes_column].split(oauth_scope_separator)).empty?
     end
 
     def check_valid_uri?(uri)

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -118,8 +118,8 @@ module Rodauth
       }
     end
 
-    def validate_client_registration_params
-      @oauth_application_params = request.params.each_with_object({}) do |(key, value), params|
+    def validate_client_registration_params(request_params = request.params)
+      @oauth_application_params = request_params.each_with_object({}) do |(key, value), params|
         case key
         when "redirect_uris"
           if value.is_a?(Array)
@@ -152,7 +152,7 @@ module Rodauth
           key = oauth_applications_grant_types_column
         when "response_types"
           if value.is_a?(Array)
-            grant_types = request.params["grant_types"] || %w[authorization_code]
+            grant_types = request_params["grant_types"] || %w[authorization_code]
             value = value.each do |response_type|
               unless oauth_response_types_supported.include?(response_type)
                 register_throw_json_response_error("invalid_client_metadata",
@@ -172,7 +172,7 @@ module Rodauth
           when "client_uri"
             key = oauth_applications_homepage_url_column
           when "jwks_uri"
-            if request.params.key?("jwks")
+            if request_params.key?("jwks")
               register_throw_json_response_error("invalid_client_metadata",
                                                  register_invalid_jwks_param_message(key, "jwks"))
             end
@@ -180,7 +180,7 @@ module Rodauth
           key = __send__(:"oauth_applications_#{key}_column")
         when "jwks"
           register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(Hash)
-          if request.params.key?("jwks_uri")
+          if request_params.key?("jwks_uri")
             register_throw_json_response_error("invalid_client_metadata",
                                                register_invalid_jwks_param_message(key, "jwks_uri"))
           end
@@ -205,14 +205,14 @@ module Rodauth
             register_throw_json_response_error("invalid_client_metadata",
                                                register_invalid_param_message(key))
           end
-          request.params[key] = value = convert_to_boolean(key, value)
+          request_params[key] = value = convert_to_boolean(key, value)
 
           key = oauth_applications_require_pushed_authorization_requests_column
         when "tls_client_certificate_bound_access_tokens"
           property = :oauth_applications_tls_client_certificate_bound_access_tokens_column
           register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key)) unless respond_to?(property)
 
-          request.params[key] = value = convert_to_boolean(key, value)
+          request_params[key] = value = convert_to_boolean(key, value)
 
           key = oauth_applications_tls_client_certificate_bound_access_tokens_column
         when /\Atls_client_auth_/

data/lib/rodauth/features/oauth_implicit_grant.rb

@@ -20,6 +20,24 @@ module Rodauth
 
     private
 
+    def validate_authorize_params
+      super
+
+      response_mode = param_or_nil("response_mode")
+
+      return unless response_mode
+
+      response_type = param_or_nil("response_type")
+
+      return unless response_type == "token"
+
+      redirect_response_error("invalid_request") unless oauth_response_modes_for_token_supported.include?(response_mode)
+    end
+
+    def oauth_response_modes_for_token_supported
+      %w[fragment]
+    end
+
     def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       response_type = param("response_type")
       return super unless response_type == "token" && supported_response_type?(response_type)
@@ -48,13 +66,13 @@ module Rodauth
       generate_token(grant_params, false)
     end
 
-    def _redirect_response_error(redirect_url, query_params)
+    def _redirect_response_error(redirect_url, params)
       response_types = param("response_type").split(/ +/)
 
       return super if response_types.empty? || response_types == %w[code]
 
-      query_params = query_params.map { |k, v| "#{k}=#{v}" }
-      redirect_url.fragment = query_params.join("&")
+      params = params.map { |k, v| "#{k}=#{v}" }
+      redirect_url.fragment = params.join("&")
       redirect(redirect_url.to_s)
     end
 
@@ -62,7 +80,7 @@ module Rodauth
       return super unless mode == "fragment"
 
       redirect_url = URI.parse(redirect_uri)
-      params = params.map { |k, v| "#{k}=#{v}" }
+      params = [URI.encode_www_form(params)]
       params << redirect_url.query if redirect_url.query
       redirect_url.fragment = params.join("&")
       redirect(redirect_url.to_s)

data/lib/rodauth/features/oauth_jwt_secured_authorization_response_mode.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oauth_jwt_secured_authorization_response_mode, :OauthJwtSecuredAuthorizationResponseMode) do
+    depends :oauth_authorize_base, :oauth_jwt_base
+
+    auth_value_method :oauth_authorization_response_mode_expires_in, 60 * 5 # 5 minutes
+
+    auth_value_method :oauth_applications_authorization_signed_response_alg_column, :authorization_signed_response_alg
+    auth_value_method :oauth_applications_authorization_encrypted_response_alg_column, :authorization_encrypted_response_alg
+    auth_value_method :oauth_applications_authorization_encrypted_response_enc_column, :authorization_encrypted_response_enc
+
+    auth_value_methods(
+      :authorization_signing_alg_values_supported,
+      :authorization_encryption_alg_values_supported,
+      :authorization_encryption_enc_values_supported
+    )
+
+    def oauth_response_modes_supported
+      jwt_response_modes = %w[jwt]
+      jwt_response_modes.push("query.jwt", "form_post.jwt") if features.include?(:oauth_authorization_code_grant)
+      jwt_response_modes << "fragment.jwt" if features.include?(:oauth_implicit_grant)
+
+      super | jwt_response_modes
+    end
+
+    def authorization_signing_alg_values_supported
+      oauth_jwt_jws_algorithms_supported
+    end
+
+    def authorization_encryption_alg_values_supported
+      oauth_jwt_jwe_algorithms_supported
+    end
+
+    def authorization_encryption_enc_values_supported
+      oauth_jwt_jwe_encryption_methods_supported
+    end
+
+    private
+
+    def oauth_response_modes_for_code_supported
+      return [] unless features.include?(:oauth_authorization_code_grant)
+
+      super | %w[query.jwt form_post.jwt jwt]
+    end
+
+    def oauth_response_modes_for_token_supported
+      return [] unless features.include?(:oauth_implicit_grant)
+
+      super | %w[fragment.jwt jwt]
+    end
+
+    def authorize_response(params, mode)
+      return super unless mode.end_with?("jwt")
+
+      response_type = param_or_nil("response_type")
+
+      redirect_url = URI.parse(redirect_uri)
+
+      jwt = jwt_encode_authorization_response_mode(params)
+
+      if mode == "query.jwt" || (mode == "jwt" && response_type == "code")
+        return super unless features.include?(:oauth_authorization_code_grant)
+
+        params = ["response=#{CGI.escape(jwt)}"]
+        params << redirect_url.query if redirect_url.query
+        redirect_url.query = params.join("&")
+        redirect(redirect_url.to_s)
+      elsif mode == "form_post.jwt"
+        return super unless features.include?(:oauth_authorization_code_grant)
+
+        response["Content-Type"] = "text/html"
+        body = form_post_response_html(redirect_url) do
+          "<input type=\"hidden\" name=\"response\" value=\"#{scope.h(jwt)}\" />"
+        end
+        response.write(body)
+        request.halt
+      elsif mode == "fragment.jwt" || (mode == "jwt" && response_type == "token")
+        return super unless features.include?(:oauth_implicit_grant)
+
+        params = ["response=#{CGI.escape(jwt)}"]
+        params << redirect_url.query if redirect_url.query
+        redirect_url.fragment = params.join("&")
+        redirect(redirect_url.to_s)
+      else
+        super
+      end
+    end
+
+    def _redirect_response_error(redirect_url, params)
+      response_mode = param_or_nil("response_mode")
+      return super unless response_mode.end_with?("jwt")
+
+      authorize_response(Hash[params], response_mode)
+    end
+
+    def jwt_encode_authorization_response_mode(params)
+      now = Time.now.to_i
+      claims = {
+        iss: oauth_jwt_issuer,
+        aud: oauth_application[oauth_applications_client_id_column],
+        exp: now + oauth_authorization_response_mode_expires_in,
+        iat: now
+      }.merge(params)
+
+      encode_params = {
+        jwks: oauth_application_jwks(oauth_application),
+        signing_algorithm: oauth_application[oauth_applications_authorization_signed_response_alg_column],
+        encryption_algorithm: oauth_application[oauth_applications_authorization_encrypted_response_alg_column],
+        encryption_method: oauth_application[oauth_applications_authorization_encrypted_response_enc_column]
+      }.compact
+
+      jwt_encode(claims, **encode_params)
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:authorization_signing_alg_values_supported] = authorization_signing_alg_values_supported
+        data[:authorization_encryption_alg_values_supported] = authorization_encryption_alg_values_supported
+        data[:authorization_encryption_enc_values_supported] = authorization_encryption_enc_values_supported
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_management_base.rb

@@ -23,9 +23,7 @@ module Rodauth
       classes += " disabled" if current || !page
       classes += " active" if current
       if page
-        params = request.GET.merge("page" => page).map do |k, v|
-          v ? "#{CGI.escape(String(k))}=#{CGI.escape(String(v))}" : CGI.escape(String(k))
-        end.join("&")
+        params = URI.encode_www_form(request.GET.merge("page" => page))
 
         href = "#{request.path}?#{params}"
 

data/lib/rodauth/features/oauth_pkce.rb

@@ -76,8 +76,7 @@ module Rodauth
       when "plain"
         challenge == verifier
       when "S256"
-        generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier))
-        generated_challenge.delete_suffix!("=") while generated_challenge.end_with?("=")
+        generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
 
         challenge == generated_challenge
       else

data/lib/rodauth/features/oidc.rb

@@ -63,7 +63,7 @@ module Rodauth
       id_token_signing_alg_values_supported
     ].freeze
 
-    depends :account_expiration, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant
+    depends :account_expiration, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant, :oauth_implicit_grant
 
     auth_value_method :oauth_application_scopes, %w[openid]
 
@@ -89,9 +89,16 @@ module Rodauth
     auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
 
     auth_value_methods(
+      :userinfo_signing_alg_values_supported,
+      :userinfo_encryption_alg_values_supported,
+      :userinfo_encryption_enc_values_supported,
+      :request_object_signing_alg_values_supported,
+      :request_object_encryption_alg_values_supported,
+      :request_object_encryption_enc_values_supported,
       :oauth_acr_values_supported,
       :get_oidc_account_last_login_at,
       :oidc_authorize_on_prompt_none?,
+      :fill_with_account_claims,
       :get_oidc_param,
       :get_additional_param,
       :require_acr_value_phr,
@@ -233,6 +240,30 @@ module Rodauth
       end
     end
 
+    def userinfo_signing_alg_values_supported
+      oauth_jwt_jws_algorithms_supported
+    end
+
+    def userinfo_encryption_alg_values_supported
+      oauth_jwt_jwe_algorithms_supported
+    end
+
+    def userinfo_encryption_enc_values_supported
+      oauth_jwt_jwe_encryption_methods_supported
+    end
+
+    def request_object_signing_alg_values_supported
+      oauth_jwt_jws_algorithms_supported
+    end
+
+    def request_object_encryption_alg_values_supported
+      oauth_jwt_jwe_algorithms_supported
+    end
+
+    def request_object_encryption_enc_values_supported
+      oauth_jwt_jwe_encryption_methods_supported
+    end
+
     def oauth_acr_values_supported
       acr_values = []
       acr_values << "phrh" if features.include?(:webauthn_login)
@@ -274,29 +305,33 @@ module Rodauth
 
       sc = scopes
 
-      if sc && sc.include?("offline_access")
-
+      # MUST ensure that the prompt parameter contains consent
+      # MUST ignore the offline_access request unless the Client
+      # is using a response_type value that would result in an
+      # Authorization Code
+      if sc && sc.include?("offline_access") && !(param_or_nil("prompt") == "consent" && (
+                (response_type = param_or_nil("response_type")) && response_type.split(" ").include?("code")
+              ))
         sc.delete("offline_access")
 
-        # MUST ensure that the prompt parameter contains consent
-        # MUST ignore the offline_access request unless the Client
-        # is using a response_type value that would result in an
-        # Authorization Code
-        if param_or_nil("prompt") == "consent" && (
-          (response_type = param_or_nil("response_type")) && response_type.split(" ").include?("code")
-        )
-          request.params["access_type"] = "offline"
-        end
-
         request.params["scope"] = sc.join(" ")
       end
 
       super
 
-      return unless (response_type = param_or_nil("response_type"))
-      return unless response_type.include?("id_token")
+      response_type = param_or_nil("response_type")
+
+      is_id_token_response_type = response_type.include?("id_token")
+
+      redirect_response_error("invalid_request") if is_id_token_response_type && !param_or_nil("nonce")
+
+      return unless is_id_token_response_type || response_type == "code token"
+
+      response_mode = param_or_nil("response_mode")
+
+      # id_token: The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used.
 
-      redirect_response_error("invalid_request") unless param_or_nil("nonce")
+      redirect_response_error("invalid_request") unless response_mode.nil? || response_mode == "fragment"
     end
 
     def require_authorizable_account
@@ -463,24 +498,7 @@ module Rodauth
       signing_algorithm = oauth_application[oauth_applications_id_token_signed_response_alg_column] ||
                           oauth_jwt_keys.keys.first
 
-      id_token_claims = jwt_claims(oauth_grant)
-
-      id_token_claims[:nonce] = oauth_grant[oauth_grants_nonce_column] if oauth_grant[oauth_grants_nonce_column]
-
-      id_token_claims[:acr] = oauth_grant[oauth_grants_acr_column] if oauth_grant[oauth_grants_acr_column]
-
-      # Time when the End-User authentication occurred.
-      id_token_claims[:auth_time] = get_oidc_account_last_login_at(oauth_grant[oauth_grants_account_id_column]).to_i
-
-      # Access Token hash value.
-      if (access_token = oauth_grant[oauth_grants_token_column])
-        id_token_claims[:at_hash] = id_token_hash(access_token, signing_algorithm)
-      end
-
-      # code hash value.
-      if (code = oauth_grant[oauth_grants_code_column])
-        id_token_claims[:c_hash] = id_token_hash(code, signing_algorithm)
-      end
+      id_claims = id_token_claims(oauth_grant, signing_algorithm)
 
       account = db[accounts_table].where(account_id_column => oauth_grant[oauth_grants_account_id_column]).first
 
@@ -500,7 +518,7 @@ module Rodauth
 
       # 5.4 - However, when no Access Token is issued (which is the case for the response_type value id_token),
       # the resulting Claims are returned in the ID Token.
-      fill_with_account_claims(id_token_claims, account, oauth_scopes, param_or_nil("claims_locales")) if include_claims
+      fill_with_account_claims(id_claims, account, oauth_scopes, param_or_nil("claims_locales")) if include_claims
 
       params = {
         jwks: oauth_application_jwks(oauth_application),
@@ -509,7 +527,30 @@ module Rodauth
         encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
       }.compact
 
-      oauth_grant[:id_token] = jwt_encode(id_token_claims, **params)
+      oauth_grant[:id_token] = jwt_encode(id_claims, **params)
+    end
+
+    def id_token_claims(oauth_grant, signing_algorithm)
+      claims = jwt_claims(oauth_grant)
+
+      claims[:nonce] = oauth_grant[oauth_grants_nonce_column] if oauth_grant[oauth_grants_nonce_column]
+
+      claims[:acr] = oauth_grant[oauth_grants_acr_column] if oauth_grant[oauth_grants_acr_column]
+
+      # Time when the End-User authentication occurred.
+      claims[:auth_time] = get_oidc_account_last_login_at(oauth_grant[oauth_grants_account_id_column]).to_i
+
+      # Access Token hash value.
+      if (access_token = oauth_grant[oauth_grants_token_column])
+        claims[:at_hash] = id_token_hash(access_token, signing_algorithm)
+      end
+
+      # code hash value.
+      if (code = oauth_grant[oauth_grants_code_column])
+        claims[:c_hash] = id_token_hash(code, signing_algorithm)
+      end
+
+      claims
     end
 
     # aka fill_with_standard_claims
@@ -627,10 +668,9 @@ module Rodauth
 
     def check_valid_response_type?
       case param_or_nil("response_type")
-      when "none", "id_token", "code id_token" # multiple
+      when "none", "id_token", "code id_token", # multiple
+           "code token", "id_token token", "code id_token token"
         true
-      when "code token", "id_token token", "code id_token token"
-        supports_token_response_type?
       else
         super
       end
@@ -642,10 +682,6 @@ module Rodauth
       param("response_type") == "none"
     end
 
-    def supports_token_response_type?
-      features.include?(:oauth_implicit_grant)
-    end
-
     def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       response_type = param("response_type")
       case response_type
@@ -654,8 +690,6 @@ module Rodauth
         generate_id_token(grant_params, true)
         response_params.replace("id_token" => grant_params[:id_token])
       when "code token"
-        redirect_response_error("invalid_request") unless supports_token_response_type?
-
         response_params.replace(create_oauth_grant_with_token)
       when "code id_token"
         params = _do_authorize_code
@@ -666,16 +700,12 @@ module Rodauth
           "code" => params["code"]
         )
       when "id_token token"
-        redirect_response_error("invalid_request") unless supports_token_response_type?
-
         grant_params = oidc_grant_params.merge(oauth_grants_type_column => "hybrid")
         oauth_grant = _do_authorize_token(grant_params)
         generate_id_token(oauth_grant)
 
         response_params.replace(json_access_token_payload(oauth_grant))
       when "code id_token token"
-        redirect_response_error("invalid_request") unless supports_token_response_type?
-
         params = create_oauth_grant_with_token
         oauth_grant = valid_oauth_grant_ds.where(oauth_grants_code_column => params["code"]).first
         oauth_grant[oauth_grants_token_column] = params["access_token"]
@@ -694,7 +724,8 @@ module Rodauth
       grant_params = {
         **resource_owner_params,
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
+        oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+        oauth_grants_redirect_uri_column => param_or_nil("redirect_uri")
       }
       if (nonce = param_or_nil("nonce"))
         grant_params[oauth_grants_nonce_column] = nonce
@@ -709,6 +740,12 @@ module Rodauth
       grant_params
     end
 
+    def generate_token(grant_params = {}, should_generate_refresh_token = true)
+      scopes = grant_params[oauth_grants_scopes_column].split(oauth_scope_separator)
+
+      super(grant_params, scopes.include?("offline_access") && should_generate_refresh_token)
+    end
+
     def authorize_response(params, mode)
       redirect_url = URI.parse(redirect_uri)
       redirect(redirect_url.to_s) if mode == "none"

data/lib/rodauth/features/oidc_dynamic_client_registration.rb

@@ -10,7 +10,7 @@ module Rodauth
 
     private
 
-    def validate_client_registration_params
+    def validate_client_registration_params(*)
       super
 
       if (value = @oauth_application_params[oauth_applications_application_type_column])
@@ -174,6 +174,44 @@ module Rodauth
         register_throw_json_response_error("invalid_client_metadata",
                                            register_invalid_client_metadata_message("userinfo_encrypted_response_enc", value))
       end
+
+      if features.include?(:oauth_jwt_secured_authorization_response_mode)
+        if defined?(oauth_applications_authorization_signed_response_alg_column) &&
+           (value = @oauth_application_params[oauth_applications_authorization_signed_response_alg_column]) &&
+           (!oauth_jwt_jws_algorithms_supported.include?(value) || value == "none")
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("authorization_signed_response_alg", value))
+        end
+
+        if defined?(oauth_applications_authorization_encrypted_response_alg_column) &&
+           (value = @oauth_application_params[oauth_applications_authorization_encrypted_response_alg_column]) &&
+           !oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("authorization_encrypted_response_alg", value))
+        end
+
+        if defined?(oauth_applications_authorization_encrypted_response_enc_column)
+          if (value = @oauth_application_params[oauth_applications_authorization_encrypted_response_enc_column])
+
+            unless @oauth_application_params[oauth_applications_authorization_encrypted_response_alg_column]
+              # When authorization_encrypted_response_enc is included, authorization_encrypted_response_alg MUST also be provided.
+              register_throw_json_response_error("invalid_client_metadata",
+                                                 register_invalid_client_metadata_message("authorization_encrypted_response_alg", value))
+
+            end
+
+            unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
+              register_throw_json_response_error("invalid_client_metadata",
+                                                 register_invalid_client_metadata_message("authorization_encrypted_response_enc", value))
+            end
+          elsif @oauth_application_params[oauth_applications_authorization_encrypted_response_alg_column]
+            # If authorization_encrypted_response_alg is specified, the default for this value is A128CBC-HS256.
+            @oauth_application_params[oauth_applications_authorization_encrypted_response_enc_column] = "A128CBC-HS256"
+          end
+        end
+      end
+
+      @oauth_application_params
     end
 
     def validate_client_registration_response_type(response_type, grant_types)

data/lib/rodauth/features/oidc_self_issued.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oidc_self_issued, :OidcSelfIssued) do
+    depends :oidc, :oidc_dynamic_client_registration
+
+    auth_value_method :oauth_application_scopes, %w[openid profile email address phone]
+    auth_value_method :oauth_jwt_jws_algorithms_supported, %w[RS256]
+
+    SELF_ISSUED_DEFAULT_APPLICATION_PARAMS = {
+      "scope" => "openid profile email address phone",
+      "response_types" => ["id_token"],
+      "subject_type" => "pairwise",
+      "id_token_signed_response_alg" => "RS256",
+      "request_object_signing_alg" => "RS256",
+      "grant_types" => %w[implicit]
+    }.freeze
+
+    def oauth_application
+      return @oauth_application if defined?(@oauth_application)
+
+      return super unless (registration = param_or_nil("registration"))
+
+      # self-issued!
+      redirect_uri = param_or_nil("client_id")
+
+      registration_params = JSON.parse(registration)
+
+      registration_params = SELF_ISSUED_DEFAULT_APPLICATION_PARAMS.merge(registration_params)
+
+      client_params = validate_client_registration_params(registration_params)
+
+      request.params["redirect_uri"] = client_params[oauth_applications_client_id_column] = redirect_uri
+      client_params[oauth_applications_redirect_uri_column] ||= redirect_uri
+
+      @oauth_application = client_params
+    end
+
+    private
+
+    def oauth_response_types_supported
+      %w[id_token]
+    end
+
+    def request_object_signing_alg_values_supported
+      %w[none RS256]
+    end
+
+    def id_token_claims(oauth_grant, signing_algorithm)
+      claims = super
+
+      return claims unless claims[:client_id] == oauth_grant[oauth_grants_redirect_uri_column]
+
+      # https://openid.net/specs/openid-connect-core-1_0.html#SelfIssued - 7.4
+
+      pub_key = oauth_jwt_public_keys[signing_algorithm]
+      pub_key = pub_key.first if pub_key.is_a?(Array)
+      claims[:sub_jwk] = sub_jwk = jwk_export(pub_key)
+
+      claims[:iss] = "https://self-issued.me"
+
+      claims[:aud] = oauth_grant[oauth_grants_redirect_uri_column]
+
+      jwk_thumbprint = jwk_thumbprint(sub_jwk)
+
+      claims[:sub] = Base64.urlsafe_encode64(jwk_thumbprint, padding: false)
+
+      claims
+    end
+  end
+end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "1.2.0"
+    VERSION = "1.3.1"
   end
 end

data/templates/authorize.str

@@ -88,6 +88,7 @@
     #{"<input type=\"hidden\" name=\"claims_locales\" value=\"#{rodauth.param("claims_locales")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("claims_locales")}
     #{"<input type=\"hidden\" name=\"claims\" value=\"#{h(rodauth.param("claims"))}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("claims")}
     #{"<input type=\"hidden\" name=\"acr_values\" value=\"#{rodauth.param("acr_values")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("acr_values")}
+    #{"<input type=\"hidden\" name=\"registration\" value=\"#{h(rodauth.param("registration"))}\"/>" if rodauth.features.include?(:oidc_self_issued) && rodauth.param_or_nil("registration")}
     #{
       if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators
         rodauth.resource_indicators.map do |resource|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.1
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-13 00:00:00.000000000 Z
+date: 2023-06-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -69,6 +69,8 @@ extra_rdoc_files:
 - doc/release_notes/1_0_0.md
 - doc/release_notes/1_1_0.md
 - doc/release_notes/1_2_0.md
+- doc/release_notes/1_3_0.md
+- doc/release_notes/1_3_1.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -109,6 +111,8 @@ files:
 - doc/release_notes/1_0_0.md
 - doc/release_notes/1_1_0.md
 - doc/release_notes/1_2_0.md
+- doc/release_notes/1_3_0.md
+- doc/release_notes/1_3_1.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -138,6 +142,7 @@ files:
 - lib/rodauth/features/oauth_jwt_bearer_grant.rb
 - lib/rodauth/features/oauth_jwt_jwks.rb
 - lib/rodauth/features/oauth_jwt_secured_authorization_request.rb
+- lib/rodauth/features/oauth_jwt_secured_authorization_response_mode.rb
 - lib/rodauth/features/oauth_management_base.rb
 - lib/rodauth/features/oauth_pkce.rb
 - lib/rodauth/features/oauth_pushed_authorization_request.rb
@@ -150,6 +155,7 @@ files:
 - lib/rodauth/features/oidc.rb
 - lib/rodauth/features/oidc_dynamic_client_registration.rb
 - lib/rodauth/features/oidc_rp_initiated_logout.rb
+- lib/rodauth/features/oidc_self_issued.rb
 - lib/rodauth/oauth.rb
 - lib/rodauth/oauth/database_extensions.rb
 - lib/rodauth/oauth/http_extensions.rb
@@ -200,7 +206,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.