rodauth-oauth 1.3.2 → 1.4.0

data/lib/rodauth/features/oidc_rp_initiated_logout.rb

@@ -4,11 +4,15 @@ require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oidc_rp_initiated_logout, :OidcRpInitiatedLogout) do
-    depends :oidc
+    depends :oidc_logout_base
+    response "oidc_logout"
 
     auth_value_method :oauth_applications_post_logout_redirect_uris_column, :post_logout_redirect_uris
+    translatable_method :oauth_invalid_id_token_hint_message, "Invalid ID token hint"
     translatable_method :oauth_invalid_post_logout_redirect_uri_message, "Invalid post logout redirect URI"
 
+    attr_reader :oidc_logout_redirect
+
     # /oidc-logout
     auth_server_route(:oidc_logout) do |r|
       require_authorizable_account
@@ -19,7 +23,7 @@ module Rodauth
         catch_error do
           validate_oidc_logout_params
 
-          oauth_application = nil
+          claims = oauth_application = nil
 
           if (id_token_hint = param_or_nil("id_token_hint"))
             #
@@ -32,7 +36,12 @@ module Rodauth
             #
             claims = jwt_decode(id_token_hint, verify_claims: false)
 
-            redirect_logout_with_error(oauth_invalid_client_message) unless claims
+            redirect_logout_with_error(oauth_invalid_id_token_hint_message) unless claims
+
+            # If the ID Token's sid claim does not correspond to the RP's current session or a
+            # recent session at the OP, the OP SHOULD treat the logout request as suspect, and
+            # MAY decline to act upon it.
+            redirect_logout_with_error(oauth_invalid_client_message) if claims["sid"] && !active_sessions?(claims["sid"])
 
             oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["aud"]).first
             oauth_grant = db[oauth_grants_table]
@@ -40,9 +49,15 @@ module Rodauth
                           .where(oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column])
                           .first
 
+            unique_account_id = if oauth_grant
+                                  oauth_grant[oauth_grants_account_id_column]
+                                else
+                                  account_id
+                                end
+
             # check whether ID token belongs to currently logged-in user
-            redirect_logout_with_error(oauth_invalid_client_message) unless oauth_grant && claims["sub"] == jwt_subject(oauth_grant,
-                                                                                                                        oauth_application)
+            redirect_logout_with_error(oauth_invalid_client_message) unless claims["sub"] == jwt_subject(unique_account_id,
+                                                                                                         oauth_application)
 
             # When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token.
             redirect_logout_with_error(oauth_invalid_client_message) unless claims && claims["iss"] == oauth_jwt_issuer
@@ -59,6 +74,8 @@ module Rodauth
 
           if (post_logout_redirect_uri = param_or_nil("post_logout_redirect_uri"))
             error_message = catch(:default_logout_redirect) do
+              throw(:default_logout_redirect, oauth_invalid_id_token_hint_message) unless claims
+
               oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
 
               throw(:default_logout_redirect, oauth_invalid_client_message) unless oauth_application
@@ -78,7 +95,9 @@ module Rodauth
                 post_logout_redirect_uri = post_logout_redirect_uri.to_s
               end
 
-              redirect(post_logout_redirect_uri)
+              @oidc_logout_redirect = post_logout_redirect_uri
+
+              require_response(:_oidc_logout_response)
             end
 
           end
@@ -90,6 +109,10 @@ module Rodauth
       end
     end
 
+    def _oidc_logout_response
+      redirect(oidc_logout_redirect)
+    end
+
     private
 
     # Logout

data/lib/rodauth/features/oidc_session_management.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oidc_session_management, :OidcSessionManagement) do
+    depends :oidc
+
+    view "check_session", "Check Session", "check_session"
+
+    auth_value_method :oauth_oidc_user_agent_state_cookie_key, "_rodauth_oauth_user_agent_state"
+    auth_value_method :oauth_oidc_user_agent_state_cookie_options, {}.freeze
+    auth_value_method :oauth_oidc_user_agent_state_cookie_expires_in, 365 * 24 * 60 * 60 # 1 year
+
+    auth_value_method :oauth_oidc_user_agent_state_js, nil
+
+    auth_value_methods(
+      :oauth_oidc_session_management_salt
+    )
+    # /authorize
+    auth_server_route(:check_session) do |r|
+      allow_cors(r)
+
+      r.get do
+        set_title(:check_session_page_title)
+        scope.view(_view_opts("check_session").merge(layout: false))
+      end
+    end
+
+    def clear_session
+      super
+
+      # update user agent state in the process
+      # TODO: dangerous if this gets overidden by the user
+
+      user_agent_state_cookie_opts = Hash[oauth_oidc_user_agent_state_cookie_options]
+      user_agent_state_cookie_opts[:value] = oauth_unique_id_generator
+      user_agent_state_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_oidc_user_agent_state_cookie_expires_in)
+      user_agent_state_cookie_opts[:secure] = true
+      ::Rack::Utils.set_cookie_header!(response.headers, oauth_oidc_user_agent_state_cookie_key, user_agent_state_cookie_opts)
+    end
+
+    private
+
+    def do_authorize(*)
+      params, mode = super
+
+      params["session_state"] = generate_session_state
+
+      [params, mode]
+    end
+
+    def response_error_params(*)
+      payload = super
+
+      return payload unless request.path == authorize_path
+
+      payload["session_state"] = generate_session_state
+      payload
+    end
+
+    def generate_session_state
+      salt = oauth_oidc_session_management_salt
+
+      uri = URI(redirect_uri)
+      origin = if uri.respond_to?(:origin)
+                 uri.origin
+               else
+                 # TODO: remove when not supporting uri < 0.11
+                 "#{uri.scheme}://#{uri.host}#{":#{uri.port}" if uri.port != uri.default_port}"
+               end
+      session_id = "#{oauth_application[oauth_applications_client_id_column]} " \
+                   "#{origin} " \
+                   "#{request.cookies[oauth_oidc_user_agent_state_cookie_key]} #{salt}"
+
+      "#{Digest::SHA256.hexdigest(session_id)}.#{salt}"
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:check_session_iframe] = check_session_url
+      end
+    end
+
+    def oauth_oidc_session_management_salt
+      oauth_unique_id_generator
+    end
+  end
+end

data/lib/rodauth/oauth/http_extensions.rb

@@ -32,7 +32,7 @@ module Rodauth
         yield request if block_given?
 
         response = http.request(request)
-        authorization_required unless response.code.to_i == 200
+        authorization_required unless (200..299).include?(response.code.to_i)
         response
       end
 

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "1.3.2"
+    VERSION = "1.4.0"
   end
 end

data/locales/en.yml

@@ -8,7 +8,9 @@ en:
     device_verification_notice_flash: "The device is verified"
     user_code_not_found_error_flash: "No device to authorize with the given user code"
     authorize_page_title: "Authorize"
+    frontchannel_logout_page_title: "Logout"
     authorize_page_lead: "The application %{name} would like to access your data."
+    oauth_frontchannel_logout_redirecting_lead: "You are being redirected..."
     authorize_error_page_title: "Authorize Error"
     oauth_cancel_button: "Cancel"
     oauth_applications_page_title: "Oauth Applications"
@@ -18,6 +20,7 @@ en:
     oauth_grants_page_title: "My Oauth Grants"
     device_verification_page_title: "Device Verification"
     device_search_page_title: "Device Search"
+    check_session_page_title: "Check Session"
     oauth_management_pagination_previous_button: "Previous"
     oauth_management_pagination_next_button: "Next"
     oauth_grants_type_label: "Grant Type"
@@ -41,6 +44,8 @@ en:
     oauth_grant_user_code_label: "User code"
     oauth_grant_user_jws_jwk_label: "JSON Web Keys"
     oauth_grant_user_jwt_public_key_label: "Public key"
+    oauth_frontchannel_logout_redirecting_label: "please click %{link} if your browser does not redirect you in a few seconds."
+    oauth_frontchannel_logout_redirecting_link_label: "here"
     oauth_application_button: "Register"
     oauth_authorize_button: "Authorize"
     oauth_grant_revoke_button: "Revoke"
@@ -68,3 +73,7 @@ en:
     oauth_invalid_scope_message: "The Access Token expired"
     oauth_authorize_parameter_required: "Invalid or missing '%{parameter}'"
     oauth_invalid_post_logout_redirect_uri_message: "Invalid post logout redirect URI"
+    oauth_saml_assertion_not_base64_message: "SAML assertion must be in base64 format"
+    oauth_saml_assertion_single_issuer_message: "SAML assertion must have a single issuer"
+    oauth_saml_settings_not_found_message: "No SAML settings found for issuer"
+    oauth_invalid_id_token_hint_message: "Invalid ID token hint"

data/locales/pt.yml

@@ -8,7 +8,9 @@ pt:
     device_verification_notice_flash: "O dispositivo foi verificado com sucesso"
     user_code_not_found_error_flash: "Não existe nenhum dispositivo a ser autorizado com o código de usuário inserido"
     authorize_page_title: "Autorizar"
+    frontchannel_logout_page_title: "Saindo"
     authorize_page_lead: "O aplicativo %{name} gostaria de aceder aos seus dados."
+    oauth_frontchannel_logout_redirecting_lead: "Redireccionando.."
     authorize_error_page_title: Erro de autorização
     oauth_cancel_button: "Cancelar"
     oauth_applications_page_title: "Aplicativos OAuth"
@@ -18,6 +20,7 @@ pt:
     oauth_grants_page_title: "As minhas concessões Oauth"
     device_verification_page_title: "Verificação de dispositivo"
     device_search_page_title: "Pesquisa de dispositivo"
+    check_session_page_title: "Verificação de Sessão"
     oauth_management_pagination_previous_button: "Anterior"
     oauth_management_pagination_next_button: "Próxima"
     oauth_grants_type_label: "Tipo de concessão"
@@ -41,6 +44,8 @@ pt:
     oauth_grant_user_code_label: "Código do usuário"
     oauth_grant_user_jws_jwk_label: "Chaves JSON Web"
     oauth_grant_user_jwt_public_key_label: "Chave pública"
+    oauth_frontchannel_logout_redirecting_label: "por favor clique %{link} se o seu navegador não lhe redireccionar em alguns segundos."
+    oauth_frontchannel_logout_redirecting_link_label: "aqui"
     oauth_application_button: "Registar"
     oauth_authorize_button: "Autorizar"
     oauth_grant_revoke_button: "Revogar"
@@ -68,3 +73,7 @@ pt:
     oauth_invalid_scope_message: "O Token de acesso expirou"
     oauth_authorize_parameter_required: "'%{parameter}' inválido ou em falta"
     oauth_invalid_post_logout_redirect_uri_message: "URI de redireccionamento pós-logout inválido"
+    oauth_saml_assertion_not_base64_message: "A asserção SAML tem que estar no formato base64"
+    oauth_saml_assertion_single_issuer_message: "A asserção SAML tem que ter um único emissor"
+    oauth_saml_settings_not_found_message: "Nenhuma configuração SAML encontrada para o emissor"
+    oauth_invalid_id_token_hint_message: "ID token hint inválido"

data/templates/check_session.str

@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>#{@page_title}</title>
+  </head>
+  <body>
+    <script type="text/javascript">
+      window.addEventListener("message", receiveMessage, false);
+
+      function receiveMessage(e) { // e.data has client_id and session_state
+        var client_id = e.data.substr(0, e.data.lastIndexOf(' '));
+        var session_state = e.data.substr(e.data.lastIndexOf(' ') + 1);
+        var salt = session_state.split('.')[1];
+
+        if (!client_id || !session_state || !salt) {
+          postMessage('error', e.origin);
+          return;
+        }
+
+        #{rodauth.oauth_oidc_user_agent_state_js}
+
+        // get_op_user_agent_state() is an OP defined function
+        // that returns the User Agent's login status at the OP.
+        // How it is done is entirely up to the OP.
+        var opuas = getOpUserAgentState();
+
+        // Here, the session_state is calculated in this particular way,
+        // but it is entirely up to the OP how to do it under the
+        // requirements defined in this specification.
+        var msgBuffer = new TextEncoder('utf-8').encode(client_id + ' ' + e.origin + ' ' + opuas + ' ' + salt);
+        crypto.subtle.digest('SHA-256', msgBuffer).then(function(hash) {
+          var hashArray = Array.from(new Uint8Array(hash)); // convert buffer to byte array
+          var hashHex = hashArray
+            .map(function(b) { return b.toString(16).padStart(2, "0"); })
+            .join("");
+          var ss = hashHex + "." + salt;
+
+          var stat = '';
+          if (session_state === ss) {
+              stat = 'unchanged';
+          } else {
+              stat = 'changed';
+          }
+
+          e.source.postMessage(stat, e.origin);
+        });
+      };
+
+      function getOpUserAgentState() {
+        var name = "#{rodauth.oauth_oidc_user_agent_state_cookie_key}=";
+        var ca = document.cookie.split(';');
+        var value = null;
+        for (var i = 0; i < ca.length; i++) {
+            var c = ca[i].trim();
+            if ((c.indexOf(name)) == 0) {
+                value = c.substr(name.length);
+                break;
+            }
+        }
+
+        return value;
+      }
+    </script>
+  </body>
+</html>

data/templates/frontchannel_logout.str

@@ -0,0 +1,17 @@
+<div class="mb-3">
+  <h1>#{rodauth.oauth_frontchannel_logout_redirecting_lead}</h1>
+  <p>
+    #{
+      rodauth.oauth_frontchannel_logout_redirecting_label(
+        link: "<a href=\"#{rodauth.frontchannel_logout_redirect}\">" \
+              "#{rodauth.oauth_frontchannel_logout_redirecting_link_label}</a>"
+    )
+    }
+  </p>
+  #{
+    rodauth.frontchannel_logout_urls.map do |logout_url|
+      "<iframe src=\"#{logout_url}\"></iframe>"
+    end.join
+   }
+</div>
+<meta http-equiv="refresh" content="#{rodauth.frontchannel_logout_redirect_timeout}; URL=#{rodauth.frontchannel_logout_redirect}" />

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 1.3.2
+  version: 1.4.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-07-26 00:00:00.000000000 Z
+date: 2023-11-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -72,6 +72,7 @@ extra_rdoc_files:
 - doc/release_notes/1_3_0.md
 - doc/release_notes/1_3_1.md
 - doc/release_notes/1_3_2.md
+- doc/release_notes/1_4_0.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -115,6 +116,7 @@ files:
 - doc/release_notes/1_3_0.md
 - doc/release_notes/1_3_1.md
 - doc/release_notes/1_3_2.md
+- doc/release_notes/1_4_0.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -122,6 +124,7 @@ files:
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize_error.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb
+- lib/generators/rodauth/oauth/templates/app/views/rodauth/frontchannel_logout.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_grants.html.erb
@@ -155,9 +158,13 @@ files:
 - lib/rodauth/features/oauth_token_introspection.rb
 - lib/rodauth/features/oauth_token_revocation.rb
 - lib/rodauth/features/oidc.rb
+- lib/rodauth/features/oidc_backchannel_logout.rb
 - lib/rodauth/features/oidc_dynamic_client_registration.rb
+- lib/rodauth/features/oidc_frontchannel_logout.rb
+- lib/rodauth/features/oidc_logout_base.rb
 - lib/rodauth/features/oidc_rp_initiated_logout.rb
 - lib/rodauth/features/oidc_self_issued.rb
+- lib/rodauth/features/oidc_session_management.rb
 - lib/rodauth/oauth.rb
 - lib/rodauth/oauth/database_extensions.rb
 - lib/rodauth/oauth/http_extensions.rb
@@ -169,10 +176,12 @@ files:
 - locales/pt.yml
 - templates/authorize.str
 - templates/authorize_error.str
+- templates/check_session.str
 - templates/client_secret_field.str
 - templates/description_field.str
 - templates/device_search.str
 - templates/device_verification.str
+- templates/frontchannel_logout.str
 - templates/homepage_url_field.str
 - templates/jwks_field.str
 - templates/name_field.str