rodauth-oauth 1.3.2 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bf721a3632883e34bff44e33ca84c9a5aa2248748ccecf52c180edd25086abad
-  data.tar.gz: 59966edc773dbee470be46770532ee9159dfe370d346eca936a2ebc48a8fd224
+  metadata.gz: 40ff3b3b3de0595eae98f218aec2f8e876f18329061c537e91e5841ab35e67dc
+  data.tar.gz: 19692e86d66400a9e7227f655bdc6375e38554cb52b97ee3a5e22cceab582168
 SHA512:
-  metadata.gz: 6855059fe2d8225e4f3650dca01ad4ff3d82ad4e42623b43e5ea1d42ef3dbec317bf9488a2b1598556c135f9b9bf1d45ac41512d7347e3c5c55b7c5e8bd63305
-  data.tar.gz: 9a564b8ad6812841f4a2737ee263af188e5231c49b8b475f0c575a5b0496aa6f534709552845caaaacbb73dbe1afabb9079a17265683be5df73f62075a78896e
+  metadata.gz: cd6efdeda012c25d83949e7f0ea2aa043238851f95bf1217b8156786f7376d39792caed37a2af68fc7777ed5a892fa2f9e5185efe1f8a3e7168df07de84b954d
+  data.tar.gz: 0e435eea239f81ff16db08b187ce7bb06ba3d25359603906e48610e38912162b35c79c3d8b7fbfa74df2c56f52bb653d61b999da76c1cc8d445f2077b876c578

data/README.md

@@ -18,8 +18,12 @@ This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framew
 * Dynamic OP
 * Form Post OP
 * 3rd Party-Init OP
+* Session Management OP
+* RP-Initiated Logout OP
+* Front-Channel Logout OP
+* Back-Channel Logout OP
 
-(it also passes the conformance tests for the RP-Initiated Logout OP).
+The certifications were obtained using the [example OIDC server](/examples/oidc/authentication_server.rb) deployed [here](https://rodauth-oauth-oidc.onrender.com/).
 
 ## Features
 
@@ -43,7 +47,6 @@ This gem implements the following RFCs and features of OAuth:
   * `oauth_jwt_secured_authorization_response_mode` - [JWT Secured Authorization Response_mode](https://openid.net/specs/openid-financial-api-jarm.html);
   * `oauth_resource_indicators` - [Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707);
   * Access Type (Token refresh online and offline);
-* `oauth_http_mac` - [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
 * `oauth_assertion_base` - [Assertion Framework](https://datatracker.ietf.org/doc/html/rfc7521);
   * `oauth_saml_bearer_grant` - [SAML 2.0 Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7522);
   * `oauth_jwt_bearer_grant` - [JWT Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7523);
@@ -52,13 +55,17 @@ This gem implements the following RFCs and features of OAuth:
 * OAuth application and token management dashboards;
 *  The recommendations for [Native Apps](https://www.rfc-editor.org/rfc/rfc8252);
 
-It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:
+It also implements several components of [OpenID Connect](https://openid.net/connect/) on top of the OAuth features it provides, including:
 
-* [OpenID Connect Core](https://gitlab.com/os85/rodauth-oauth/-/wikis/Id-Token-Authentication);
-* [OpenID Connect Discovery](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
-* [OpenID Multiple Response Types](https://gitlab.com/os85/rodauth-oauth/-/wikis/Hybrid-flow);
-* [OpenID Connect Dynamic Client Registration](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
-* [RP Initiated Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/RP-Initiated-Logout);
+* `oidc` - [OpenID Connect Core](https://gitlab.com/os85/rodauth-oauth/-/wikis/Id-Token-Authentication);
+  * `oidc_self_issued` - [Self-Issued OpenID Provider](https://openid.net/specs/openid-connect-core-1_0.html#SelfIssued)
+  * [OpenID Multiple Response Types](https://gitlab.com/os85/rodauth-oauth/-/wikis/Hybrid-flow);
+  * [OpenID Connect Discovery](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
+* `oidc_dynamic_client_registration` - [OpenID Connect Dynamic Client Registration](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
+* `oidc_session_management` - [Session Management](https://gitlab.com/os85/rodauth-oauth/-/wikis/Session-Management);
+* `oidc_rp_initiated_logout` - [RP Initiated Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/RP-Initiated-Logout);
+* `oidc_frontchannel_logout` - [Frontchannel Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/Frontchannel-Logout);
+* `oidc_backchannel_logout` - [Backchannel Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/Backchannel-Logout);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 
@@ -83,8 +90,8 @@ Or install it yourself as:
 ## Resources
 |               |                                                             |
 | ------------- | ----------------------------------------------------------- |
-| Website       | https://os85.gitlab.io/rodauth-oauth/            |
-| Documentation | https://os85.gitlab.io/rodauth-oauth/rdoc/       |
+| Website       | https://honeyryderchuck.gitlab.io/rodauth-oauth/            |
+| Documentation | https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/       |
 | Wiki          | https://gitlab.com/os85/rodauth-oauth/wikis/home |
 | CI            | https://gitlab.com/os85/rodauth-oauth/pipelines  |
 

data/doc/release_notes/1_4_0.md

@@ -0,0 +1,57 @@
+## 1.4.0 (08/11/2023)
+
+## Highlights
+
+rodauth-oauth is now [OpenID certified](https://openid.net/certification/) for the following logout profiles:
+
+* Session Management OP
+* RP-Initiated Logout OP
+* Front-Channel Logout OP
+* Back-Channel Logout OP
+
+The OIDC server used to run the test can be found [here](https://gitlab.com/os85/rodauth-oauth/-/blob/master/examples/oidc/authentication_server.rb) and deployed [here](https://rodauth-oauth-oidc.onrender.com).
+
+## Features
+
+### OIDC logout features
+
+`rodauth-oauth` ships with the following new features:
+
+* `oidc_sesssion_management` - enables [OIDC session management](https://openid.net/specs/openid-connect-session-1_0.html)
+* `oidc_frontchannel_logout` - enables [OIDC frontchannel logout](https://openid.net/specs/openid-connect-frontchannel-1_0.html)
+* `oidc_backchannel_logout` - enables [OIDC backchannel logout](https://openid.net/specs/openid-connect-backchannel-1_0.html)
+
+which, along with the existing `oidc_rp_initiated_logout`, implemment all OIDC logout profiles.
+
+## Breaking changes
+
+If you're using `oidc`, the dependency on `account_expiration` has been replaced by the `active_sessions` rodauth feature. This change is required because it fixes bugs associated with accounts expiring in order for id token invalidation to work.
+
+If you're migrating, it's recommended that you keep depending on `account_expiration` during the transition, add `active_sessions` tables as per [rodauth specs](https://github.com/jeremyevans/rodauth/blob/master/spec/migrate/001_tables.rb#L150), and run them alongside one another for the max period ID tokens should be valid, after which you can remove `account_expiration` and its tables.
+
+Some `auth_value_methods` were changed to `auth_methods` everywhere where it made sense. If you were overriding them, you'll have to wrap them in a block:
+
+```ruby
+# in 1.3.2
+oauth_jwt_issuer "http://myissuer.com"
+# in 1.4.0
+oauth_jwt_issuer { "http://myissuer.com" }
+```
+
+## Improvements
+
+### OAuth SAML Bearer Grant per oauth application settings
+
+The `oauth_saml_bearer_grant` feature requires a new table/resource, SAML settings, which enable "per client applicatioon" SAML settings, and therefore, make this feature usable in enterprise/multi-tenancy scenarios.
+
+## Bugfixes
+
+* remove `html_safe` usage in rails views to prevent XSS in the authorize form.
+* fixed for OIDC RFC 5.4 when requesting claims using scope values
+* `oauth_rp_initiated_logout` does not crash anymore on logout requests with `id_token_hint`
+* `oauth_rp_initiated_logout` now works with response types other than `code`
+* `oauth_rp_initiated_logout` emits an ID token hint invalid message when not able to decode the `id_token_hint`
+
+## Chore
+
+* `oauth_tls_client_auth` is not dependent on the `oauth_jwt` feature, and can therefore be used with non-JWT access tokens, at least with the features which do not require it.

data/doc/release_notes/1_5_0.md

@@ -0,0 +1,20 @@
+# 1.5.0
+
+## Highlights
+
+### OAuth DPoP Support
+
+`rodauth-oauth` supports Demonstrating Proof-of-Possession at the Application Layer (also known as DPoP), via the `oauth_dpop` feature. This provides a mechanism to bind access tokens to a particular client based on public key cryptography.
+
+More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/DPoP).
+
+## Improvements
+
+All features managing cookies are now able to set configure them as "session cookies" (i.e. removed on browser shutdown) by setting the expiration interval auth method to `nil`. This ncludes:
+
+* `oauth_prompt_login_interval` (from the `oidc` feature)
+* `oauth_oidc_user_agent_state_cookie_expires_in` (from the `oidc_session_management` feature)
+
+## Bugfixes
+
+* when using the `oauth_token_instrospection` feature, the `token_type` has been fixed to show "Bearer" (instead of "access_token").

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -4,7 +4,7 @@
   <% end %>
   <% application_uri = rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column] %>
   <% application_name = application_uri ? link_to(rodauth.oauth_application[rodauth.oauth_applications_name_column], application_uri) : rodauth.oauth_application[rodauth.oauth_applications_name_column] %>
-  <p class="lead"><%= rodauth.authorize_page_lead(name: application_name).html_safe %></p>
+  <p class="lead"><%= rodauth.authorize_page_lead(name: application_name) %></p>
 
   <div class="list-group">
     <% if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column] %>
@@ -37,10 +37,10 @@
         </div>
       <% end %>
     <% end %>
-    <%= hidden_field_tag :client_id, rodauth.raw_param("client_id") %>
+    <%= hidden_field_tag :client_id, rodauth.param_or_nil("client_id") %>
     <% %w[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
-      <% if rodauth.raw_param(oauth_param) %>
-        <%= hidden_field_tag oauth_param, rodauth.raw_param(oauth_param) %>
+      <% if rodauth.param_or_nil(oauth_param) %>
+        <%= hidden_field_tag oauth_param, rodauth.param_or_nil(oauth_param) %>
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators %>
@@ -49,39 +49,44 @@
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oauth_pkce) %>
-      <% if rodauth.raw_param("code_challenge") %>
-        <%= hidden_field_tag :code_challenge, rodauth.raw_param("code_challenge") %>
+      <% if rodauth.param_or_nil("code_challenge") %>
+        <%= hidden_field_tag :code_challenge, rodauth.param_or_nil("code_challenge") %>
       <% end %>
-      <% if rodauth.raw_param("code_challenge_method") %>
-        <%= hidden_field_tag :code_challenge_method, rodauth.raw_param("code_challenge_method") %>
+      <% if rodauth.param_or_nil("code_challenge_method") %>
+        <%= hidden_field_tag :code_challenge_method, rodauth.param_or_nil("code_challenge_method") %>
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oidc) %>
-      <% if rodauth.raw_param("prompt") %>
-        <%= hidden_field_tag :prompt, rodauth.raw_param("prompt") %>
+      <% if rodauth.param_or_nil("prompt") %>
+        <%= hidden_field_tag :prompt, rodauth.param_or_nil("prompt") %>
       <% end %>
-      <% if rodauth.raw_param("nonce") %>
-        <%= hidden_field_tag :nonce, rodauth.raw_param("nonce") %>
+      <% if rodauth.param_or_nil("nonce") %>
+        <%= hidden_field_tag :nonce, rodauth.param_or_nil("nonce") %>
       <% end %>
-      <% if rodauth.raw_param("ui_locales") %>
-        <%= hidden_field_tag :ui_locales, rodauth.raw_param("ui_locales") %>
+      <% if rodauth.param_or_nil("ui_locales") %>
+        <%= hidden_field_tag :ui_locales, rodauth.param_or_nil("ui_locales") %>
       <% end %>
-      <% if rodauth.raw_param("claims_locales") %>
-        <%= hidden_field_tag :claims_locales, rodauth.raw_param("claims_locales") %>
+      <% if rodauth.param_or_nil("claims_locales") %>
+        <%= hidden_field_tag :claims_locales, rodauth.param_or_nil("claims_locales") %>
       <% end %>
-      <% if rodauth.raw_param("claims") %>
-        <%= hidden_field_tag :claims, sanitize(rodauth.raw_param("claims")) %>
+      <% if rodauth.param_or_nil("claims") %>
+        <%= hidden_field_tag :claims, sanitize(rodauth.param_or_nil("claims")) %>
       <% end %>
-      <% if rodauth.raw_param("acr_values") %>
-        <%= hidden_field_tag :acr_values, rodauth.raw_param("acr_values") %>
+      <% if rodauth.param_or_nil("acr_values") %>
+        <%= hidden_field_tag :acr_values, rodauth.param_or_nil("acr_values") %>
       <% end %>
-      <% if rodauth.raw_param("registration") %>
-        <%= hidden_field_tag :registration, rodauth.raw_param("registration") %>
+      <% if rodauth.param_or_nil("registration") %>
+        <%= hidden_field_tag :registration, rodauth.param_or_nil("registration") %>
+      <% end %>
+    <% end %>
+    <% if rodauth.features.include?(:oidc) %>
+      <% if rodauth.param_or_nil("dpop_jkt") %>
+        <%= hidden_field_tag :dpop_jkt, rodauth.param_or_nil("dpop_jkt") %>
       <% end %>
     <% end %>
   </div>
  <p class="text-center">
     <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
-    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if rodauth.raw_param("state") }", class: "btn btn-outline-danger" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if rodauth.param_or_nil("state") }", class: "btn btn-outline-danger" %>
   </p>
 <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/frontchannel_logout.html.erb

@@ -0,0 +1,10 @@
+<div class="mb-3">
+  <h1><%= rodauth.oauth_frontchannel_logout_redirecting_lead %></h1>
+  <p>
+    <%= rodauth.oauth_frontchannel_logout_redirecting_label(link: link_to(rodauth.oauth_frontchannel_logout_redirecting_link_label, rodauth.logout_redirect)) %>
+  </p>
+  <% rodauth.frontchannel_logout_urls.each do |logout_url| %>
+    <iframe src="<%= logout_url %>"></iframe>
+  <% end %>
+</div>
+<meta http-equiv="refresh" content="5; URL=<%= rodauth.logout_redirect %>" />

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb

@@ -26,5 +26,5 @@
       <% end %>
     </tbody>
   </table>
-  <%= rodauth.oauth_management_pagination_links(oauth_applications_ds).html_safe %>
+  <%= rodauth.oauth_management_pagination_links(oauth_applications_ds) %>
 <% end %>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -49,6 +49,9 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.boolean :require_signed_request_object, null: true
       t.boolean :require_pushed_authorization_requests, null: false, default: false
 
+      # :oauth_dpop
+      t.string :dpop_bound_access_tokens, null: true
+
       # :oauth_tls_client_auth
       t.string :tls_client_auth_subject_dn, null: true
       t.string :tls_client_auth_san_dns, null: true
@@ -59,6 +62,14 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
 
       # :oidc_rp_initiated_logout enabled
       t.string :post_logout_redirect_uris, null: false
+
+      # frontchannel logout
+      t.string :frontchannel_logout_uri
+      t.boolean :frontchannel_logout_session_required, default: false
+
+      # backchannel logout
+      t.string :backchannel_logout_uri
+      t.boolean :backchannel_logout_session_required, default: false
     end
 
     create_table :oauth_grants do |t|
@@ -78,6 +89,9 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP(6)" }
       t.string :access_type, null: false, default: "offline"
 
+      # :oauth_dpop enabled
+      t.string :dpop_jwk, null: true
+
       # :oauth_pkce enabled
       t.string :code_challenge
       t.string :code_challenge_method
@@ -97,15 +111,37 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :acr
       t.string :claims_locales
       t.string :claims
+
+      # :oauth_dpop enabled
+      t.string :dpop_jkt
     end
 
     create_table :oauth_pushed_requests do |t|
       t.bigint :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
       t.string :code, null: false, index: { unique: true }
+      t.index %i[oauth_application_id code], unique: true
       t.string :params, null: false
       t.datetime :expires_in, null: false
-      t.index %i[oauth_application_id code], unique: true
+      # :oauth_dpop
+      t.string :dpop_jkt
+    end
+
+    create_table :oauth_saml_settings do |t|
+      t.bigint :oauth_application_id
+      t.foreign_key :oauth_applications, column: :oauth_application_id
+      t.text :idp_cert, null: true
+      t.text :idp_cert_fingerprint, null: true
+      t.string :idp_cert_fingerprint_algorithm, null: true
+      t.boolean :check_idp_cert_expiration, null: true
+      t.text :name_identifier_format, null: true
+      t.string :audience, null: true
+      t.string :issuer, null: false, unique: true
+    end
+
+    create_table :oauth_dpop_proofs, primary_key: :jti do |t|
+      t.string :jti, null: false
+      t.datetime :first_use, null: false, default: -> { "CURRENT_TIMESTAMP(6)" }
     end
   end
 end

data/lib/generators/rodauth/oauth/views_generator.rb

@@ -20,11 +20,11 @@ module Rodauth::OAuth
         }.freeze
 
         class_option :features, type: :array,
-                                desc: "Roda OAuth features to generate views for (oauth_applications etc.)",
+                                desc: "Rodauth OAuth features to generate views for (oauth_applications etc.)",
                                 default: DEFAULT
 
         class_option :all, aliases: "-a", type: :boolean,
-                           desc: "Generates views for all Roda OAuth features",
+                           desc: "Generates views for all Rodauth OAuth features",
                            default: false
 
         class_option :directory, aliases: "-d", type: :string,

data/lib/rodauth/features/oauth_application_management.rb

@@ -57,7 +57,7 @@ module Rodauth
     translatable_method :oauth_no_applications_text, "No oauth applications yet!"
     translatable_method :oauth_no_grants_text, "No oauth grants yet!"
 
-    auth_value_methods(
+    auth_methods(
       :oauth_application_path
     )
 

data/lib/rodauth/features/oauth_assertion_base.rb

@@ -6,7 +6,7 @@ module Rodauth
   Feature.define(:oauth_assertion_base, :OauthAssertionBase) do
     depends :oauth_base
 
-    auth_value_methods(
+    auth_methods(
       :assertion_grant_type?,
       :client_assertion_type?,
       :assertion_grant_type,

data/lib/rodauth/features/oauth_authorize_base.rb

@@ -28,7 +28,7 @@ module Rodauth
     translatable_method :oauth_unsupported_response_type_message, "Unsupported response type"
     translatable_method :oauth_authorize_parameter_required, "Invalid or missing '%<parameter>s'"
 
-    auth_value_methods(
+    auth_methods(
       :resource_owner_params,
       :oauth_grants_resource_owner_columns
     )

data/lib/rodauth/features/oauth_base.rb

@@ -109,13 +109,16 @@ module Rodauth
     auth_value_method :oauth_metadata_op_tos_uri, nil
 
     auth_value_methods(
+      :authorization_server_url,
+      :oauth_grants_unique_columns
+    )
+
+    auth_methods(
       :fetch_access_token,
       :secret_hash,
       :generate_token_hash,
       :secret_matches?,
-      :authorization_server_url,
       :oauth_unique_id_generator,
-      :oauth_grants_unique_columns,
       :require_authorizable_account,
       :oauth_account_ds,
       :oauth_application_ds
@@ -234,16 +237,22 @@ module Rodauth
           return
         end
       else
-        value = request.env["HTTP_AUTHORIZATION"]
+        token = fetch_access_token_from_authorization_header
+      end
 
-        return unless value && !value.empty?
+      return if token.nil? || token.empty?
 
-        scheme, token = value.split(" ", 2)
+      token
+    end
 
-        return unless scheme.downcase == oauth_token_type
-      end
+    def fetch_access_token_from_authorization_header(token_type = oauth_token_type)
+      value = request.env["HTTP_AUTHORIZATION"]
 
-      return if token.nil? || token.empty?
+      return unless value && !value.empty?
+
+      scheme, token = value.split(" ", 2)
+
+      return unless scheme.downcase == token_type
 
       token
     end
@@ -350,7 +359,7 @@ module Rodauth
     # parse client id and secret
     #
     def require_oauth_application
-      @oauth_application = if (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Basic (.*)\Z/, 1]))
+      @oauth_application = if (token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Basic (.*)\Z/, 1])
                              # client_secret_basic
                              require_oauth_application_from_client_secret_basic(token)
                            elsif (client_id = param_or_nil("client_id"))
@@ -753,7 +762,7 @@ module Rodauth
       }
     end
 
-    def redirect_response_error(error_code, redirect_url = redirect_uri || request.referer || default_redirect)
+    def redirect_response_error(error_code, message = nil)
       if accepts_json?
         status_code = if respond_to?(:"oauth_#{error_code}_response_status")
                         send(:"oauth_#{error_code}_response_status")
@@ -761,37 +770,41 @@ module Rodauth
                         oauth_invalid_response_status
                       end
 
-        throw_json_response_error(status_code, error_code)
+        throw_json_response_error(status_code, error_code, message)
       else
+        redirect_url = redirect_uri || request.referer || default_redirect
         redirect_url = URI.parse(redirect_url)
-        params = []
-
-        params << if respond_to?(:"oauth_#{error_code}_error_code")
-                    ["error", send(:"oauth_#{error_code}_error_code")]
-                  else
-                    ["error", error_code]
-                  end
-
-        if respond_to?(:"oauth_#{error_code}_message")
-          message = send(:"oauth_#{error_code}_message")
-          params << ["error_description", CGI.escape(message)]
-        end
-
+        params = response_error_params(error_code, message)
         state = param_or_nil("state")
-
-        params << ["state", state] if state
-
+        params["state"] = state if state
         _redirect_response_error(redirect_url, params)
       end
     end
 
     def _redirect_response_error(redirect_url, params)
-      params = params.map { |k, v| "#{k}=#{v}" }
-      params << redirect_url.query if redirect_url.query
-      redirect_url.query = params.join("&")
+      params = URI.encode_www_form(params)
+      if redirect_url.query
+        params << "&" unless params.empty?
+        params << redirect_url.query
+      end
+      redirect_url.query = params
       redirect(redirect_url.to_s)
     end
 
+    def response_error_params(error_code, message = nil)
+      code = if respond_to?(:"oauth_#{error_code}_error_code")
+               send(:"oauth_#{error_code}_error_code")
+             else
+               error_code
+             end
+      payload = { "error" => code }
+      error_description = message
+      error_description ||= send(:"oauth_#{error_code}_message") if respond_to?(:"oauth_#{error_code}_message")
+      payload["error_description"] = error_description if error_description
+
+      payload
+    end
+
     def json_response_success(body, cache = false)
       response.status = 200
       response["Content-Type"] ||= json_response_content_type
@@ -809,19 +822,17 @@ module Rodauth
 
     def throw_json_response_error(status, error_code, message = nil)
       set_response_error_status(status)
-      code = if respond_to?(:"oauth_#{error_code}_error_code")
-               send(:"oauth_#{error_code}_error_code")
-             else
-               error_code
-             end
-      payload = { "error" => code }
-      payload["error_description"] = message || (send(:"oauth_#{error_code}_message") if respond_to?(:"oauth_#{error_code}_message"))
+      payload = response_error_params(error_code, message)
       json_payload = _json_response_body(payload)
       response["Content-Type"] ||= json_response_content_type
-      response["WWW-Authenticate"] = oauth_token_type.upcase if status == 401
+      response["WWW-Authenticate"] = www_authenticate_header(payload) if status == 401
       return_response(json_payload)
     end
 
+    def www_authenticate_header(*)
+      oauth_token_type.capitalize
+    end
+
     def _json_response_body(hash)
       return super if features.include?(:json)
 

data/lib/rodauth/features/oauth_device_code_grant.rb

@@ -35,7 +35,7 @@ module Rodauth
     end
     translatable_method :oauth_grant_user_code_label, "User code"
 
-    auth_value_methods(
+    auth_methods(
       :generate_user_code
     )
 
@@ -173,7 +173,7 @@ module Rodauth
           oauth_grants_user_code_column => param("user_code")
         ).update(oauth_grants_user_code_column => nil, oauth_grants_type_column => "device_code")
 
-        return unless rs.positive?
+        rs if rs.positive?
       else
         super
       end