rodauth-oauth 1.3.1 → 1.4.0

data/lib/rodauth/features/oauth_jwt_secured_authorization_request.rb

@@ -9,13 +9,15 @@ module Rodauth
     depends :oauth_authorize_base, :oauth_jwt_base
 
     auth_value_method :oauth_require_request_uri_registration, false
+    auth_value_method :oauth_require_signed_request_object, false
     auth_value_method :oauth_request_object_signing_alg_allow_none, false
 
-    auth_value_method :oauth_applications_request_uris_column, :request_uris
-
-    auth_value_method :oauth_applications_request_object_signing_alg_column, :request_object_signing_alg
-    auth_value_method :oauth_applications_request_object_encryption_alg_column, :request_object_encryption_alg
-    auth_value_method :oauth_applications_request_object_encryption_enc_column, :request_object_encryption_enc
+    %i[
+      request_uris require_signed_request_object request_object_signing_alg
+      request_object_encryption_alg request_object_encryption_enc
+    ].each do |column|
+      auth_value_method :"oauth_applications_#{column}_column", column
+    end
 
     translatable_method :oauth_invalid_request_object_message, "request object is invalid"
 
@@ -30,7 +32,13 @@ module Rodauth
 
       request_uri = param_or_nil("request_uri")
 
-      return super unless (request_object || request_uri) && oauth_application
+      unless (request_object || request_uri) && oauth_application
+        if request.path == authorize_path && request.get? && require_signed_request_object?
+          redirect_response_error("invalid_request_object")
+        end
+
+        return super
+      end
 
       if request_uri
         request_uri = CGI.unescape(request_uri)
@@ -84,6 +92,14 @@ module Rodauth
       request_uris.nil? || request_uris.split(oauth_scope_separator).one? { |uri| request_uri.start_with?(uri) }
     end
 
+    def require_signed_request_object?
+      return @require_signed_request_object if defined?(@require_signed_request_object)
+
+      @require_signed_request_object = (oauth_application[oauth_applications_require_signed_request_object_column] if oauth_application)
+      @require_signed_request_object = oauth_require_signed_request_object if @require_signed_request_object.nil?
+      @require_signed_request_object
+    end
+
     def decode_request_object(request_object)
       request_sig_enc_opts = {
         jws_algorithm: oauth_application[oauth_applications_request_object_signing_alg_column],
@@ -94,6 +110,8 @@ module Rodauth
       request_sig_enc_opts[:jws_algorithm] ||= "none" if oauth_request_object_signing_alg_allow_none
 
       if request_sig_enc_opts[:jws_algorithm] == "none"
+        redirect_response_error("invalid_request_object") if require_signed_request_object?
+
         jwks = nil
       elsif (jwks = oauth_application_jwks(oauth_application))
         jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
@@ -118,6 +136,7 @@ module Rodauth
         data[:request_parameter_supported] = true
         data[:request_uri_parameter_supported] = true
         data[:require_request_uri_registration] = oauth_require_request_uri_registration
+        data[:require_signed_request_object] = oauth_require_signed_request_object
       end
     end
   end

data/lib/rodauth/features/oauth_pushed_authorization_request.rb

@@ -65,32 +65,37 @@ module Rodauth
       # The request_uri authorization request parameter is one exception, and it MUST NOT be provided.
       redirect_response_error("invalid_request") if param_or_nil("request_uri")
 
-      if (request_object = param_or_nil("request")) && features.include?(:oauth_jwt_secured_authorization_request)
-        claims = decode_request_object(request_object)
-
-        # https://datatracker.ietf.org/doc/html/rfc9126#section-3-5.3
-        # reject the request if the authenticated client_id does not match the client_id claim in the Request Object
-        if (client_id = claims["client_id"]) && (client_id != oauth_application[oauth_applications_client_id_column])
-          redirect_response_error("invalid_request_object")
-        end
-
-        # requiring the iss claim to match the client_id is at the discretion of the authorization server
-        if oauth_require_pushed_authorization_request_iss_request_object &&
-           (iss = claims.delete("iss")) &&
-           iss != oauth_application[oauth_applications_client_id_column]
-          redirect_response_error("invalid_request_object")
-        end
-
-        if (aud = claims.delete("aud")) && !verify_aud(aud, oauth_jwt_issuer)
+      if features.include?(:oauth_jwt_secured_authorization_request)
+
+        if (request_object = param_or_nil("request"))
+          claims = decode_request_object(request_object)
+
+          # https://datatracker.ietf.org/doc/html/rfc9126#section-3-5.3
+          # reject the request if the authenticated client_id does not match the client_id claim in the Request Object
+          if (client_id = claims["client_id"]) && (client_id != oauth_application[oauth_applications_client_id_column])
+            redirect_response_error("invalid_request_object")
+          end
+
+          # requiring the iss claim to match the client_id is at the discretion of the authorization server
+          if oauth_require_pushed_authorization_request_iss_request_object &&
+             (iss = claims.delete("iss")) &&
+             iss != oauth_application[oauth_applications_client_id_column]
+            redirect_response_error("invalid_request_object")
+          end
+
+          if (aud = claims.delete("aud")) && !verify_aud(aud, oauth_jwt_issuer)
+            redirect_response_error("invalid_request_object")
+          end
+
+          claims.delete("exp")
+          request.params.delete("request")
+
+          claims.each do |k, v|
+            request.params[k.to_s] = v
+          end
+        elsif require_signed_request_object?
           redirect_response_error("invalid_request_object")
         end
-
-        claims.delete("exp")
-        request.params.delete("request")
-
-        claims.each do |k, v|
-          request.params[k.to_s] = v
-        end
       end
 
       validate_authorize_params
@@ -118,6 +123,10 @@ module Rodauth
           request.params[k.to_s] = v
         end
 
+        request.params.delete("request_uri")
+
+        # we're removing the request_uri here, so the checkup for signed reqest has to be invalidated.
+        @require_signed_request_object = false
       elsif oauth_require_pushed_authorization_requests ||
             (oauth_application && oauth_application[oauth_applications_require_pushed_authorization_requests_column])
         redirect_authorize_error("request_uri")

data/lib/rodauth/features/oauth_resource_server.rb

@@ -8,7 +8,7 @@ module Rodauth
 
     auth_value_method :is_authorization_server?, false
 
-    auth_value_methods(
+    auth_methods(
       :before_introspection_request
     )
 

data/lib/rodauth/features/oauth_saml_bearer_grant.rb

@@ -7,19 +7,28 @@ module Rodauth
   Feature.define(:oauth_saml_bearer_grant, :OauthSamlBearerGrant) do
     depends :oauth_assertion_base
 
-    auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
-    auth_value_method :oauth_saml_cert, nil
-    auth_value_method :oauth_saml_cert_fingerprint_algorithm, nil
     auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-
-    auth_value_method :oauth_saml_security_authn_requests_signed, true
-    auth_value_method :oauth_saml_security_metadata_signed, true
-    auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
-    auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
+    auth_value_method :oauth_saml_idp_cert_check_expiration, true
 
     auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
 
-    auth_value_methods(
+    auth_value_method :oauth_saml_settings_table, :oauth_saml_settings
+    %i[
+      id oauth_application_id
+      idp_cert idp_cert_fingerprint idp_cert_fingerprint_algorithm
+      name_identifier_format
+      issuer
+      audience
+      idp_cert_check_expiration
+    ].each do |column|
+      auth_value_method :"oauth_saml_settings_#{column}_column", column
+    end
+
+    translatable_method :oauth_saml_assertion_not_base64_message, "SAML assertion must be in base64 format"
+    translatable_method :oauth_saml_assertion_single_issuer_message, "SAML assertion must have a single issuer"
+    translatable_method :oauth_saml_settings_not_found_message, "No SAML settings found for issuer"
+
+    auth_methods(
       :require_oauth_application_from_saml2_bearer_assertion_issuer,
       :require_oauth_application_from_saml2_bearer_assertion_subject,
       :account_from_saml2_bearer_assertion
@@ -32,72 +41,95 @@ module Rodauth
     private
 
     def require_oauth_application_from_saml2_bearer_assertion_issuer(assertion)
-      saml = saml_assertion(assertion)
+      parse_saml_assertion(assertion)
 
-      return unless saml
+      return unless @saml_settings
 
       db[oauth_applications_table].where(
-        oauth_applications_homepage_url_column => saml.issuers
+        oauth_applications_id_column => @saml_settings[oauth_saml_settings_oauth_application_id_column]
       ).first
     end
 
     def require_oauth_application_from_saml2_bearer_assertion_subject(assertion)
-      saml = saml_assertion(assertion)
+      parse_saml_assertion(assertion)
 
-      return unless saml
+      return unless @assertion
 
+      # 3.3.8 - For client authentication, the Subject MUST be the "client_id" of the OAuth client.
       db[oauth_applications_table].where(
-        oauth_applications_client_id_column => saml.nameid
+        oauth_applications_client_id_column => @assertion.nameid
       ).first
     end
 
     def account_from_saml2_bearer_assertion(assertion)
-      saml = saml_assertion(assertion)
+      parse_saml_assertion(assertion)
 
-      return unless saml
+      return unless @assertion
 
-      account_from_bearer_assertion_subject(saml.nameid)
+      account_from_bearer_assertion_subject(@assertion.nameid)
     end
 
-    def saml_assertion(assertion)
+    def generate_saml_settings(saml_settings)
       settings = OneLogin::RubySaml::Settings.new
-      settings.idp_cert = oauth_saml_cert
-      settings.idp_cert_fingerprint = oauth_saml_cert_fingerprint
-      settings.idp_cert_fingerprint_algorithm = oauth_saml_cert_fingerprint_algorithm
-      settings.name_identifier_format = oauth_saml_name_identifier_format
-      settings.security[:authn_requests_signed] = oauth_saml_security_authn_requests_signed
-      settings.security[:metadata_signed] = oauth_saml_security_metadata_signed
-      settings.security[:digest_method] = oauth_saml_security_digest_method
-      settings.security[:signature_method] = oauth_saml_security_signature_method
 
-      response = OneLogin::RubySaml::Response.new(assertion, settings: settings, skip_recipient_check: true)
+      # issuer
+      settings.idp_entity_id = saml_settings[oauth_saml_settings_issuer_column]
 
-      # 3. he Assertion MUST have an expiry that limits the time window ...
-      # 4. The Assertion MUST have an expiry that limits the time window ...
-      # 5. The <Subject> element MUST contain at least one ...
-      # 6. The authorization server MUST reject the entire Assertion if the ...
-      # 7. If the Assertion issuer directly authenticated the subject, ...
-      redirect_response_error("invalid_grant") unless response.is_valid?
+      # audience
+      settings.sp_entity_id = saml_settings[oauth_saml_settings_audience_column] || token_url
+
+      # recipient
+      settings.assertion_consumer_service_url = token_url
+
+      settings.idp_cert = saml_settings[oauth_saml_settings_idp_cert_column]
+      settings.idp_cert_fingerprint = saml_settings[oauth_saml_settings_idp_cert_fingerprint_column]
+      settings.idp_cert_fingerprint_algorithm = saml_settings[oauth_saml_settings_idp_cert_fingerprint_algorithm_column]
+
+      if settings.idp_cert
+        check_idp_cert_expiration = saml_settings[oauth_saml_settings_idp_cert_check_expiration_column]
+        check_idp_cert_expiration = oauth_saml_idp_cert_check_expiration if check_idp_cert_expiration.nil?
+        settings.security[:check_idp_cert_expiration] = check_idp_cert_expiration
+      end
+      settings.security[:strict_audience_validation] = true
+      settings.security[:want_name_id] = true
 
-      # In order to issue an access token response as described in OAuth 2.0
-      # [RFC6749] or to rely on an Assertion for client authentication, the
-      # authorization server MUST validate the Assertion according to the
-      # criteria below.
+      settings.name_identifier_format = saml_settings[oauth_saml_settings_name_identifier_format_column] ||
+                                        oauth_saml_name_identifier_format
+      settings
+    end
+
+    # rubocop:disable Naming/MemoizedInstanceVariableName
+    def parse_saml_assertion(assertion)
+      return @assertion if defined?(@assertion)
+
+      response = OneLogin::RubySaml::Response.new(assertion)
+
+      # The SAML Assertion XML data MUST be encoded using base64url
+      redirect_response_error("invalid_grant", oauth_saml_assertion_not_base64_message) unless response.send(:base64_encoded?, assertion)
 
       # 1. The Assertion's <Issuer> element MUST contain a unique identifier
       # for the entity that issued the Assertion.
-      redirect_response_error("invalid_grant") unless response.issuers.size == 1
+      redirect_response_error("invalid_grant", oauth_saml_assertion_single_issuer_message) unless response.issuers.size == 1
+
+      @saml_settings = db[oauth_saml_settings_table].where(
+        oauth_saml_settings_issuer_column => response.issuers.first
+      ).first
+
+      redirect_response_error("invalid_grant", oauth_saml_settings_not_found_message) unless @saml_settings
 
-      # 2. in addition to the URI references
-      # discussed there, the token endpoint URL of the authorization
-      # server MAY be used as a URI that identifies the authorization
-      # server as an intended audience.  The authorization server MUST
-      # reject any Assertion that does not contain its own identity as
-      # the intended audience.
-      redirect_response_error("invalid_grant") if response.audiences && !response.audiences.include?(token_url)
+      response.settings = generate_saml_settings(@saml_settings)
+
+      # 2. The Assertion MUST contain a <Conditions> element ...
+      # 3. he Assertion MUST have an expiry that limits the time window ...
+      # 4. The Assertion MUST have an expiry that limits the time window ...
+      # 5. The <Subject> element MUST contain at least one ...
+      # 6. The authorization server MUST reject the entire Assertion if the ...
+      # 7. If the Assertion issuer directly authenticated the subject, ...
+      redirect_response_error("invalid_grant", response.errors.join("; ")) unless response.is_valid?
 
-      response
+      @assertion = response
     end
+    # rubocop:enable Naming/MemoizedInstanceVariableName
 
     def oauth_server_metadata_body(*)
       super.tap do |data|

data/lib/rodauth/features/oauth_tls_client_auth.rb

@@ -7,7 +7,7 @@ require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_tls_client_auth, :OauthTlsClientAuth) do
-    depends :oauth_jwt_base
+    depends :oauth_base
 
     auth_value_method :oauth_tls_client_certificate_bound_access_tokens, false
 

data/lib/rodauth/features/oauth_token_introspection.rb

@@ -9,7 +9,7 @@ module Rodauth
 
     before "introspect"
 
-    auth_value_methods(
+    auth_methods(
       :resource_owner_identifier
     )
 

data/lib/rodauth/features/oauth_token_revocation.rb

@@ -50,7 +50,7 @@ module Rodauth
           end
         end
 
-        redirect_response_error("invalid_request", request.referer || "/")
+        redirect_response_error("invalid_request")
       end
     end
 

data/lib/rodauth/features/oidc.rb

@@ -51,6 +51,11 @@ module Rodauth
       require_request_uri_registration
       op_policy_uri
       op_tos_uri
+      check_session_iframe
+      frontchannel_logout_supported
+      frontchannel_logout_session_supported
+      backchannel_logout_supported
+      backchannel_logout_session_supported
     ].freeze
 
     REQUIRED_METADATA_KEYS = %i[
@@ -63,7 +68,7 @@ module Rodauth
       id_token_signing_alg_values_supported
     ].freeze
 
-    depends :account_expiration, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant, :oauth_implicit_grant
+    depends :active_sessions, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant, :oauth_implicit_grant
 
     auth_value_method :oauth_application_scopes, %w[openid]
 
@@ -95,7 +100,10 @@ module Rodauth
       :request_object_signing_alg_values_supported,
       :request_object_encryption_alg_values_supported,
       :request_object_encryption_enc_values_supported,
-      :oauth_acr_values_supported,
+      :oauth_acr_values_supported
+    )
+
+    auth_methods(
       :get_oidc_account_last_login_at,
       :oidc_authorize_on_prompt_none?,
       :fill_with_account_claims,
@@ -222,7 +230,7 @@ module Rodauth
     def current_oauth_account
       subject_type = current_oauth_application[oauth_applications_subject_type_column] || oauth_jwt_subject_type
 
-      return super unless subject_type == "pairwise"
+      super unless subject_type == "pairwise"
     end
 
     private
@@ -341,10 +349,17 @@ module Rodauth
     end
 
     def get_oidc_account_last_login_at(account_id)
-      get_activity_timestamp(account_id, account_activity_last_activity_column)
+      return get_activity_timestamp(account_id, account_activity_last_activity_column) if features.include?(:account_expiration)
+
+      # active sessions based
+      ds = db[active_sessions_table].where(active_sessions_account_id_column => account_id)
+
+      ds = ds.order(Sequel.desc(active_sessions_created_at_column))
+
+      convert_timestamp(ds.get(active_sessions_created_at_column))
     end
 
-    def jwt_subject(oauth_grant, client_application = oauth_application)
+    def jwt_subject(account_unique_id, client_application = oauth_application)
       subject_type = client_application[oauth_applications_subject_type_column] || oauth_jwt_subject_type
 
       case subject_type
@@ -368,8 +383,7 @@ module Rodauth
 
         identifier_uri = URI(identifier_uri).host
 
-        account_ids = oauth_grant.values_at(oauth_grants_resource_owner_columns)
-        values = [identifier_uri, *account_ids, oauth_jwt_subject_secret]
+        values = [identifier_uri, account_unique_id, oauth_jwt_subject_secret]
         Digest::SHA256.hexdigest(values.join)
       else
         raise StandardError, "unexpected subject (#{subject_type})"
@@ -516,7 +530,12 @@ module Rodauth
         end
       end
 
-      # 5.4 - However, when no Access Token is issued (which is the case for the response_type value id_token),
+      # OpenID Connect Core 1.0's 5.4 Requesting Claims using Scope Values:
+      # If standard claims (profile, email, etc) are requested as scope values in the Authorization Request,
+      # include in the response.
+      include_claims ||= (OIDC_SCOPES_MAP.keys & oauth_scopes).any?
+
+      # However, when no Access Token is issued (which is the case for the response_type value id_token),
       # the resulting Claims are returned in the ID Token.
       fill_with_account_claims(id_claims, account, oauth_scopes, param_or_nil("claims_locales")) if include_claims
 

data/lib/rodauth/features/oidc_backchannel_logout.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oidc_backchannel_logout, :OidBackchannelLogout) do
+    depends :logout, :oidc_logout_base
+
+    auth_value_method :oauth_logout_token_expires_in, 60 # 1 minute
+    auth_value_method :backchannel_logout_session_supported, true
+    auth_value_method :oauth_applications_backchannel_logout_uri_column, :backchannel_logout_uri
+    auth_value_method :oauth_applications_backchannel_logout_session_required_column, :backchannel_logout_session_required
+
+    auth_methods(
+      :perform_logout_requests
+    )
+
+    def logout
+      visited_sites = session[visited_sites_key]
+
+      return super unless visited_sites
+
+      oauth_applications = db[oauth_applications_table].where(oauth_applications_client_id_column => visited_sites.map(&:first))
+                                                       .as_hash(oauth_applications_id_column)
+
+      logout_params = oauth_applications.flat_map do |_id, oauth_application|
+        logout_url = oauth_application[oauth_applications_backchannel_logout_uri_column]
+
+        next unless logout_url
+
+        client_id = oauth_application[oauth_applications_client_id_column]
+
+        sids = visited_sites.select { |cid, _| cid == client_id }.map(&:last)
+
+        sids.map do |sid|
+          logout_token = generate_logout_token(oauth_application, sid)
+
+          [logout_url, logout_token]
+        end
+      end.compact
+
+      perform_logout_requests(logout_params) unless logout_params.empty?
+
+      # now we can clear the session
+      super
+    end
+
+    private
+
+    def generate_logout_token(oauth_application, sid)
+      issued_at = Time.now.to_i
+
+      logout_claims = {
+        iss: oauth_jwt_issuer, # issuer
+        iat: issued_at, # issued at
+        exp: issued_at + oauth_logout_token_expires_in,
+        aud: oauth_application[oauth_applications_client_id_column],
+        events: {
+          "http://schemas.openid.net/event/backchannel-logout": {}
+        }
+      }
+
+      logout_claims[:sid] = sid if sid
+
+      signing_algorithm = oauth_application[oauth_applications_id_token_signed_response_alg_column] ||
+                          oauth_jwt_keys.keys.first
+
+      params = {
+        jwks: oauth_application_jwks(oauth_application),
+        headers: { typ: "logout+jwt" },
+        signing_algorithm: signing_algorithm,
+        encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
+        encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
+      }.compact
+
+      jwt_encode(logout_claims, **params)
+    end
+
+    def perform_logout_requests(logout_params)
+      # performs logout requests sequentially
+      logout_params.each do |logout_url, logout_token|
+        http_request(logout_url, { "logout_token" => logout_token })
+      rescue StandardError
+        warn "failed to perform backchannel logout on #{logout_url}"
+      end
+    end
+
+    def id_token_claims(oauth_grant, signing_algorithm)
+      claims = super
+
+      return claims unless oauth_application[oauth_applications_backchannel_logout_uri_column]
+
+      session_id_in_claims(oauth_grant, claims)
+
+      claims
+    end
+
+    def should_set_oauth_application_in_visited_sites?
+      true
+    end
+
+    def should_set_sid_in_visited_sites?(oauth_application)
+      super || requires_backchannel_logout_session?(oauth_application)
+    end
+
+    def requires_backchannel_logout_session?(oauth_application)
+      (
+        oauth_application &&
+        oauth_application[oauth_applications_backchannel_logout_session_required_column]
+      ) || backchannel_logout_session_supported
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:backchannel_logout_supported] = true
+        data[:backchannel_logout_session_supported] = backchannel_logout_session_supported
+      end
+    end
+  end
+end

data/lib/rodauth/features/oidc_dynamic_client_registration.rb

@@ -145,6 +145,31 @@ module Rodauth
         end
       end
 
+      if features.include?(:oidc_frontchannel_logout)
+        if (value = @oauth_application_params[oauth_applications_frontchannel_logout_uri_column]) && !check_valid_no_fragment_uri?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_uri_message(value))
+        end
+
+        if (value = @oauth_application_params[oauth_applications_frontchannel_logout_session_required_column])
+          @oauth_application_params[oauth_applications_frontchannel_logout_session_required_column] =
+            convert_to_boolean("frontchannel_logout_session_required", value)
+        end
+      end
+
+      if features.include?(:oidc_backchannel_logout)
+        if (value = @oauth_application_params[oauth_applications_backchannel_logout_uri_column]) && !check_valid_no_fragment_uri?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_uri_message(value))
+        end
+
+        if @oauth_application_params.key?(oauth_applications_backchannel_logout_session_required_column)
+          value = @oauth_application_params[oauth_applications_backchannel_logout_session_required_column]
+          @oauth_application_params[oauth_applications_backchannel_logout_session_required_column] =
+            convert_to_boolean("backchannel_logout_session_required", value)
+        end
+      end
+
       if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column]) &&
          !oauth_jwt_jwe_algorithms_supported.include?(value)
         register_throw_json_response_error("invalid_client_metadata",