rodauth-oauth 1.3.0 → 1.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d7d5f8b68686703954bf4e335cef0ea33f9e31c94c439df84f08e8ff3270829
-  data.tar.gz: 1da57ba2082818a74dbca4d1c6bcab0c15f97da891e12c03a8bf91440a4edcfd
+  metadata.gz: bf721a3632883e34bff44e33ca84c9a5aa2248748ccecf52c180edd25086abad
+  data.tar.gz: 59966edc773dbee470be46770532ee9159dfe370d346eca936a2ebc48a8fd224
 SHA512:
-  metadata.gz: 8230b54e51d2081e25d1386d6294745d54eebbe11a6677bdb9cade14e0a418658bc2b8a67ae2e6355458f4b43d8a2df1700cd3e0496fa8a10e690318f3d03ba0
-  data.tar.gz: 31ab5721a6464b751860b6896f47999e189592582842ba419ab0a057ff38af98612d54a8b00177092e2fe5993af1e5554cecafbbfaab18a495656117f19ce4fd
+  metadata.gz: 6855059fe2d8225e4f3650dca01ad4ff3d82ad4e42623b43e5ea1d42ef3dbec317bf9488a2b1598556c135f9b9bf1d45ac41512d7347e3c5c55b7c5e8bd63305
+  data.tar.gz: 9a564b8ad6812841f4a2737ee263af188e5231c49b8b475f0c575a5b0496aa6f534709552845caaaacbb73dbe1afabb9079a17265683be5df73f62075a78896e

data/README.md

@@ -90,8 +90,8 @@ Or install it yourself as:
 
 ## Articles
 
-* [How to use rodauth-oauth with rails and rodauth](https://honeyryderchuck.gitlab.io/httpx/2021/03/15/oidc-provider-on-rails-using-rodauth-oauth.html)
-* [How to use rodauth-oauth with rails and without rodauth](https://honeyryderchuck.gitlab.io/httpx/2021/09/08/using-rodauth-oauth-in-rails-without-rodauth-based-auth.html)
+* [How to use rodauth-oauth with rails and rodauth](https://honeyryderchuck.gitlab.io/2021/03/15/oidc-provider-on-rails-using-rodauth-oauth.html)
+* [How to use rodauth-oauth with rails and without rodauth](https://honeyryderchuck.gitlab.io/2021/09/08/using-rodauth-oauth-in-rails-without-rodauth-based-auth.html)
 
 ## Usage
 

data/doc/release_notes/1_3_1.md

@@ -0,0 +1,10 @@
+### 1.3.1 (27/06/2023)
+
+#### Bugfixes
+
+* Set 401 error response when `client_id` parameter is invalid, or from an unexisting client application, instead of failing with a 500 (@igor-alexandrov).
+* update rails authorize form to use roda request params instead, as plain params was breaking JAR and PAR-based authorize forms in rails applications.
+
+#### Chore
+
+* set `:padding` to `false` in `Base64.urlsafe_encode64` calls (@felipe.zavan)

data/doc/release_notes/1_3_2.md

@@ -0,0 +1,14 @@
+### 1.3.2 (27/07/2023)
+
+#### Improvements
+
+* `require_signed_request_object` option for JAR (`oauth_jwt_secured_authorization_request` plugin) is now supported:
+  * in the oauth server metadata endpoint
+  * as a plugin config option (`oauth_require_signed_request_object`, defaults to `false`)
+  * as a oauth dynamic registration endpoint param (`require_signed_request_object`, requires corresponding columnn)
+  * enforces JAR-based authorization, andd does not allow unsigned JAR JWTs, when turned on.
+
+#### Bugfixes
+
+* JWT decoding failed in circumstances where a declared encryption algo didn't have key/method declared.
+* fix for when PAR (`oauth_pushed_authorization_request` feature) is used with JAR (`oauth_jwt_secured_authorization_request` plugin), and PAR `request_uri` param wasn't being removed when validating authorize request parameters, thereby making JAR logic evaluate it as a JAR `requuest_uri` (it is now correctly not taken into account in such a case);

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -37,10 +37,10 @@
         </div>
       <% end %>
     <% end %>
-    <%= hidden_field_tag :client_id, params[:client_id] %>
-    <% %i[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
-      <% if params[oauth_param] %>
-        <%= hidden_field_tag oauth_param,  params[oauth_param] %>
+    <%= hidden_field_tag :client_id, rodauth.raw_param("client_id") %>
+    <% %w[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
+      <% if rodauth.raw_param(oauth_param) %>
+        <%= hidden_field_tag oauth_param, rodauth.raw_param(oauth_param) %>
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators %>
@@ -49,39 +49,39 @@
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oauth_pkce) %>
-      <% if params[:code_challenge] %>
-        <%= hidden_field_tag :code_challenge,  params[:code_challenge] %>
+      <% if rodauth.raw_param("code_challenge") %>
+        <%= hidden_field_tag :code_challenge, rodauth.raw_param("code_challenge") %>
       <% end %>
-      <% if params[:code_challenge_method] %>
-        <%= hidden_field_tag :code_challenge_method,  params[:code_challenge_method] %>
+      <% if rodauth.raw_param("code_challenge_method") %>
+        <%= hidden_field_tag :code_challenge_method, rodauth.raw_param("code_challenge_method") %>
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oidc) %>
-      <% if params[:prompt] %>
-        <%= hidden_field_tag :prompt,  params[:prompt] %>
+      <% if rodauth.raw_param("prompt") %>
+        <%= hidden_field_tag :prompt, rodauth.raw_param("prompt") %>
       <% end %>
-      <% if params[:nonce] %>
-        <%= hidden_field_tag :nonce,  params[:nonce] %>
+      <% if rodauth.raw_param("nonce") %>
+        <%= hidden_field_tag :nonce, rodauth.raw_param("nonce") %>
       <% end %>
-      <% if params[:ui_locales] %>
-        <%= hidden_field_tag :ui_locales,  params[:ui_locales] %>
+      <% if rodauth.raw_param("ui_locales") %>
+        <%= hidden_field_tag :ui_locales, rodauth.raw_param("ui_locales") %>
       <% end %>
-      <% if params[:claims_locales] %>
-        <%= hidden_field_tag :claims_locales,  params[:claims_locales] %>
+      <% if rodauth.raw_param("claims_locales") %>
+        <%= hidden_field_tag :claims_locales, rodauth.raw_param("claims_locales") %>
       <% end %>
-      <% if params[:claims] %>
-        <%= hidden_field_tag :claims,  sanitize(params[:claims]) %>
+      <% if rodauth.raw_param("claims") %>
+        <%= hidden_field_tag :claims, sanitize(rodauth.raw_param("claims")) %>
       <% end %>
-      <% if params[:acr_values] %>
-        <%= hidden_field_tag :acr_values,  params[:acr_values] %>
+      <% if rodauth.raw_param("acr_values") %>
+        <%= hidden_field_tag :acr_values, rodauth.raw_param("acr_values") %>
       <% end %>
-      <% if params[:registration] %>
-        <%= hidden_field_tag :registration,  params[:registration] %>
+      <% if rodauth.raw_param("registration") %>
+        <%= hidden_field_tag :registration, rodauth.raw_param("registration") %>
       <% end %>
     <% end %>
   </div>
  <p class="text-center">
     <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
-    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if params[:state] }", class: "btn btn-outline-danger" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if rodauth.raw_param("state") }", class: "btn btn-outline-danger" %>
   </p>
 <% end %>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -46,6 +46,7 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :request_object_encryption_alg, null: true
       t.string :request_object_encryption_enc, null: true
       t.string :request_uris, null: true
+      t.boolean :require_signed_request_object, null: true
       t.boolean :require_pushed_authorization_requests, null: false, default: false
 
       # :oauth_tls_client_auth

data/lib/rodauth/features/oauth_base.rb

@@ -367,7 +367,7 @@ module Rodauth
     end
 
     def require_oauth_application_from_client_secret_basic(token)
-      client_id, client_secret = Base64.decode64(token).split(/:/, 2)
+      client_id, client_secret = Base64.decode64(token).split(":", 2)
       authorization_required unless client_id
       oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
       authorization_required unless supports_auth_method?(oauth_application,
@@ -389,6 +389,8 @@ module Rodauth
     end
 
     def supports_auth_method?(oauth_application, auth_method)
+      return false unless oauth_application
+
       supported_auth_methods = if oauth_application[oauth_applications_token_endpoint_auth_method_column]
                                  oauth_application[oauth_applications_token_endpoint_auth_method_column].split(/ +/)
                                else

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -200,6 +200,14 @@ module Rodauth
         when "client_name"
           register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(String)
           key = oauth_applications_name_column
+        when "require_signed_request_object"
+          unless respond_to?(:oauth_applications_require_signed_request_object_column)
+            register_throw_json_response_error("invalid_client_metadata",
+                                               register_invalid_param_message(key))
+          end
+          request_params[key] = value = convert_to_boolean(key, value)
+
+          key = oauth_applications_require_signed_request_object_column
         when "require_pushed_authorization_requests"
           unless respond_to?(:oauth_applications_require_pushed_authorization_requests_column)
             register_throw_json_response_error("invalid_client_metadata",

data/lib/rodauth/features/oauth_jwt_base.rb

@@ -189,14 +189,16 @@ module Rodauth
         jwt = jwt.sign(jwk, signing_algorithm)
         jwt.kid = jwk.thumbprint
 
+        return jwt.to_s unless encryption_algorithm && encryption_method
+
         if jwks && (jwk = jwks.find { |k| k[:use] == "enc" && k[:alg] == encryption_algorithm && k[:enc] == encryption_method })
           jwk = JSON::JWK.new(jwk)
           jwe = jwt.encrypt(jwk, encryption_algorithm.to_sym, encryption_method.to_sym)
           jwe.to_s
         elsif jwe_key
           jwe_key = jwe_key.first if jwe_key.is_a?(Array)
-          algorithm = encryption_algorithm.to_sym if encryption_algorithm
-          meth = encryption_method.to_sym if encryption_method
+          algorithm = encryption_algorithm.to_sym
+          meth = encryption_method.to_sym
           jwt.encrypt(jwe_key, algorithm, meth)
         else
           jwt.to_s
@@ -246,6 +248,8 @@ module Rodauth
                      jws
                    elsif jws_key
                      JSON::JWT.decode(token, jws_key)
+                   else
+                     JSON::JWT.decode(token, nil, jws_algorithm)
                    end
                  elsif (jwks = auth_server_jwks_set)
                    JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
@@ -428,6 +432,8 @@ module Rodauth
                      end
                    elsif jws_key
                      JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params).first
+                   else
+                     JWT.decode(token, jws_key, false, **verify_claims_params).first
                    end
                  elsif (jwks = auth_server_jwks_set)
                    algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }

data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb

@@ -9,13 +9,15 @@ module Rodauth
     depends :oauth_authorize_base, :oauth_jwt_base
 
     auth_value_method :oauth_require_request_uri_registration, false
+    auth_value_method :oauth_require_signed_request_object, false
     auth_value_method :oauth_request_object_signing_alg_allow_none, false
 
-    auth_value_method :oauth_applications_request_uris_column, :request_uris
-
-    auth_value_method :oauth_applications_request_object_signing_alg_column, :request_object_signing_alg
-    auth_value_method :oauth_applications_request_object_encryption_alg_column, :request_object_encryption_alg
-    auth_value_method :oauth_applications_request_object_encryption_enc_column, :request_object_encryption_enc
+    %i[
+      request_uris require_signed_request_object request_object_signing_alg
+      request_object_encryption_alg request_object_encryption_enc
+    ].each do |column|
+      auth_value_method :"oauth_applications_#{column}_column", column
+    end
 
     translatable_method :oauth_invalid_request_object_message, "request object is invalid"
 
@@ -30,7 +32,13 @@ module Rodauth
 
       request_uri = param_or_nil("request_uri")
 
-      return super unless (request_object || request_uri) && oauth_application
+      unless (request_object || request_uri) && oauth_application
+        if request.path == authorize_path && request.get? && require_signed_request_object?
+          redirect_response_error("invalid_request_object")
+        end
+
+        return super
+      end
 
       if request_uri
         request_uri = CGI.unescape(request_uri)
@@ -84,6 +92,14 @@ module Rodauth
       request_uris.nil? || request_uris.split(oauth_scope_separator).one? { |uri| request_uri.start_with?(uri) }
     end
 
+    def require_signed_request_object?
+      return @require_signed_request_object if defined?(@require_signed_request_object)
+
+      @require_signed_request_object = (oauth_application[oauth_applications_require_signed_request_object_column] if oauth_application)
+      @require_signed_request_object = oauth_require_signed_request_object if @require_signed_request_object.nil?
+      @require_signed_request_object
+    end
+
     def decode_request_object(request_object)
       request_sig_enc_opts = {
         jws_algorithm: oauth_application[oauth_applications_request_object_signing_alg_column],
@@ -94,6 +110,8 @@ module Rodauth
       request_sig_enc_opts[:jws_algorithm] ||= "none" if oauth_request_object_signing_alg_allow_none
 
       if request_sig_enc_opts[:jws_algorithm] == "none"
+        redirect_response_error("invalid_request_object") if require_signed_request_object?
+
         jwks = nil
       elsif (jwks = oauth_application_jwks(oauth_application))
         jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
@@ -118,6 +136,7 @@ module Rodauth
         data[:request_parameter_supported] = true
         data[:request_uri_parameter_supported] = true
         data[:require_request_uri_registration] = oauth_require_request_uri_registration
+        data[:require_signed_request_object] = oauth_require_signed_request_object
       end
     end
   end

data/lib/rodauth/features/oauth_pkce.rb

@@ -76,8 +76,7 @@ module Rodauth
       when "plain"
         challenge == verifier
       when "S256"
-        generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier))
-        generated_challenge.delete_suffix!("=") while generated_challenge.end_with?("=")
+        generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
 
         challenge == generated_challenge
       else

data/lib/rodauth/features/oauth_pushed_authorization_request.rb

@@ -65,32 +65,37 @@ module Rodauth
       # The request_uri authorization request parameter is one exception, and it MUST NOT be provided.
       redirect_response_error("invalid_request") if param_or_nil("request_uri")
 
-      if (request_object = param_or_nil("request")) && features.include?(:oauth_jwt_secured_authorization_request)
-        claims = decode_request_object(request_object)
-
-        # https://datatracker.ietf.org/doc/html/rfc9126#section-3-5.3
-        # reject the request if the authenticated client_id does not match the client_id claim in the Request Object
-        if (client_id = claims["client_id"]) && (client_id != oauth_application[oauth_applications_client_id_column])
-          redirect_response_error("invalid_request_object")
-        end
-
-        # requiring the iss claim to match the client_id is at the discretion of the authorization server
-        if oauth_require_pushed_authorization_request_iss_request_object &&
-           (iss = claims.delete("iss")) &&
-           iss != oauth_application[oauth_applications_client_id_column]
-          redirect_response_error("invalid_request_object")
-        end
-
-        if (aud = claims.delete("aud")) && !verify_aud(aud, oauth_jwt_issuer)
+      if features.include?(:oauth_jwt_secured_authorization_request)
+
+        if (request_object = param_or_nil("request"))
+          claims = decode_request_object(request_object)
+
+          # https://datatracker.ietf.org/doc/html/rfc9126#section-3-5.3
+          # reject the request if the authenticated client_id does not match the client_id claim in the Request Object
+          if (client_id = claims["client_id"]) && (client_id != oauth_application[oauth_applications_client_id_column])
+            redirect_response_error("invalid_request_object")
+          end
+
+          # requiring the iss claim to match the client_id is at the discretion of the authorization server
+          if oauth_require_pushed_authorization_request_iss_request_object &&
+             (iss = claims.delete("iss")) &&
+             iss != oauth_application[oauth_applications_client_id_column]
+            redirect_response_error("invalid_request_object")
+          end
+
+          if (aud = claims.delete("aud")) && !verify_aud(aud, oauth_jwt_issuer)
+            redirect_response_error("invalid_request_object")
+          end
+
+          claims.delete("exp")
+          request.params.delete("request")
+
+          claims.each do |k, v|
+            request.params[k.to_s] = v
+          end
+        elsif require_signed_request_object?
           redirect_response_error("invalid_request_object")
         end
-
-        claims.delete("exp")
-        request.params.delete("request")
-
-        claims.each do |k, v|
-          request.params[k.to_s] = v
-        end
       end
 
       validate_authorize_params
@@ -118,6 +123,10 @@ module Rodauth
           request.params[k.to_s] = v
         end
 
+        request.params.delete("request_uri")
+
+        # we're removing the request_uri here, so the checkup for signed reqest has to be invalidated.
+        @require_signed_request_object = false
       elsif oauth_require_pushed_authorization_requests ||
             (oauth_application && oauth_application[oauth_applications_require_pushed_authorization_requests_column])
         redirect_authorize_error("request_uri")

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "1.3.0"
+    VERSION = "1.3.2"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.2
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-01 00:00:00.000000000 Z
+date: 2023-07-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -70,6 +70,8 @@ extra_rdoc_files:
 - doc/release_notes/1_1_0.md
 - doc/release_notes/1_2_0.md
 - doc/release_notes/1_3_0.md
+- doc/release_notes/1_3_1.md
+- doc/release_notes/1_3_2.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -111,6 +113,8 @@ files:
 - doc/release_notes/1_1_0.md
 - doc/release_notes/1_2_0.md
 - doc/release_notes/1_3_0.md
+- doc/release_notes/1_3_1.md
+- doc/release_notes/1_3_2.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -204,7 +208,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.