rodauth-oauth 1.3.2 → 1.5.0

data/lib/rodauth/features/oauth_jwt_jwks.rb

@@ -7,7 +7,7 @@ module Rodauth
   Feature.define(:oauth_jwt_jwks, :OauthJwtJwks) do
     depends :oauth_jwt_base
 
-    auth_value_methods(:jwks_set)
+    auth_methods(:jwks_set)
 
     auth_server_route(:jwks) do |r|
       before_jwks_route

data/lib/rodauth/features/oauth_resource_indicators.rb

@@ -116,7 +116,7 @@ module Rodauth
 
     module IndicatorIntrospection
       def json_token_introspect_payload(grant)
-        return super unless grant[oauth_grants_id_column]
+        return super unless grant && grant[oauth_grants_id_column]
 
         payload = super
 

data/lib/rodauth/features/oauth_resource_server.rb

@@ -8,7 +8,7 @@ module Rodauth
 
     auth_value_method :is_authorization_server?, false
 
-    auth_value_methods(
+    auth_methods(
       :before_introspection_request
     )
 

data/lib/rodauth/features/oauth_saml_bearer_grant.rb

@@ -7,19 +7,28 @@ module Rodauth
   Feature.define(:oauth_saml_bearer_grant, :OauthSamlBearerGrant) do
     depends :oauth_assertion_base
 
-    auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
-    auth_value_method :oauth_saml_cert, nil
-    auth_value_method :oauth_saml_cert_fingerprint_algorithm, nil
     auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-
-    auth_value_method :oauth_saml_security_authn_requests_signed, true
-    auth_value_method :oauth_saml_security_metadata_signed, true
-    auth_value_method :oauth_saml_security_digest_method, XMLSecurity::Document::SHA1
-    auth_value_method :oauth_saml_security_signature_method, XMLSecurity::Document::RSA_SHA1
+    auth_value_method :oauth_saml_idp_cert_check_expiration, true
 
     auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
 
-    auth_value_methods(
+    auth_value_method :oauth_saml_settings_table, :oauth_saml_settings
+    %i[
+      id oauth_application_id
+      idp_cert idp_cert_fingerprint idp_cert_fingerprint_algorithm
+      name_identifier_format
+      issuer
+      audience
+      idp_cert_check_expiration
+    ].each do |column|
+      auth_value_method :"oauth_saml_settings_#{column}_column", column
+    end
+
+    translatable_method :oauth_saml_assertion_not_base64_message, "SAML assertion must be in base64 format"
+    translatable_method :oauth_saml_assertion_single_issuer_message, "SAML assertion must have a single issuer"
+    translatable_method :oauth_saml_settings_not_found_message, "No SAML settings found for issuer"
+
+    auth_methods(
       :require_oauth_application_from_saml2_bearer_assertion_issuer,
       :require_oauth_application_from_saml2_bearer_assertion_subject,
       :account_from_saml2_bearer_assertion
@@ -32,72 +41,95 @@ module Rodauth
     private
 
     def require_oauth_application_from_saml2_bearer_assertion_issuer(assertion)
-      saml = saml_assertion(assertion)
+      parse_saml_assertion(assertion)
 
-      return unless saml
+      return unless @saml_settings
 
       db[oauth_applications_table].where(
-        oauth_applications_homepage_url_column => saml.issuers
+        oauth_applications_id_column => @saml_settings[oauth_saml_settings_oauth_application_id_column]
       ).first
     end
 
     def require_oauth_application_from_saml2_bearer_assertion_subject(assertion)
-      saml = saml_assertion(assertion)
+      parse_saml_assertion(assertion)
 
-      return unless saml
+      return unless @assertion
 
+      # 3.3.8 - For client authentication, the Subject MUST be the "client_id" of the OAuth client.
       db[oauth_applications_table].where(
-        oauth_applications_client_id_column => saml.nameid
+        oauth_applications_client_id_column => @assertion.nameid
       ).first
     end
 
     def account_from_saml2_bearer_assertion(assertion)
-      saml = saml_assertion(assertion)
+      parse_saml_assertion(assertion)
 
-      return unless saml
+      return unless @assertion
 
-      account_from_bearer_assertion_subject(saml.nameid)
+      account_from_bearer_assertion_subject(@assertion.nameid)
     end
 
-    def saml_assertion(assertion)
+    def generate_saml_settings(saml_settings)
       settings = OneLogin::RubySaml::Settings.new
-      settings.idp_cert = oauth_saml_cert
-      settings.idp_cert_fingerprint = oauth_saml_cert_fingerprint
-      settings.idp_cert_fingerprint_algorithm = oauth_saml_cert_fingerprint_algorithm
-      settings.name_identifier_format = oauth_saml_name_identifier_format
-      settings.security[:authn_requests_signed] = oauth_saml_security_authn_requests_signed
-      settings.security[:metadata_signed] = oauth_saml_security_metadata_signed
-      settings.security[:digest_method] = oauth_saml_security_digest_method
-      settings.security[:signature_method] = oauth_saml_security_signature_method
 
-      response = OneLogin::RubySaml::Response.new(assertion, settings: settings, skip_recipient_check: true)
+      # issuer
+      settings.idp_entity_id = saml_settings[oauth_saml_settings_issuer_column]
 
-      # 3. he Assertion MUST have an expiry that limits the time window ...
-      # 4. The Assertion MUST have an expiry that limits the time window ...
-      # 5. The <Subject> element MUST contain at least one ...
-      # 6. The authorization server MUST reject the entire Assertion if the ...
-      # 7. If the Assertion issuer directly authenticated the subject, ...
-      redirect_response_error("invalid_grant") unless response.is_valid?
+      # audience
+      settings.sp_entity_id = saml_settings[oauth_saml_settings_audience_column] || token_url
+
+      # recipient
+      settings.assertion_consumer_service_url = token_url
+
+      settings.idp_cert = saml_settings[oauth_saml_settings_idp_cert_column]
+      settings.idp_cert_fingerprint = saml_settings[oauth_saml_settings_idp_cert_fingerprint_column]
+      settings.idp_cert_fingerprint_algorithm = saml_settings[oauth_saml_settings_idp_cert_fingerprint_algorithm_column]
+
+      if settings.idp_cert
+        check_idp_cert_expiration = saml_settings[oauth_saml_settings_idp_cert_check_expiration_column]
+        check_idp_cert_expiration = oauth_saml_idp_cert_check_expiration if check_idp_cert_expiration.nil?
+        settings.security[:check_idp_cert_expiration] = check_idp_cert_expiration
+      end
+      settings.security[:strict_audience_validation] = true
+      settings.security[:want_name_id] = true
 
-      # In order to issue an access token response as described in OAuth 2.0
-      # [RFC6749] or to rely on an Assertion for client authentication, the
-      # authorization server MUST validate the Assertion according to the
-      # criteria below.
+      settings.name_identifier_format = saml_settings[oauth_saml_settings_name_identifier_format_column] ||
+                                        oauth_saml_name_identifier_format
+      settings
+    end
+
+    # rubocop:disable Naming/MemoizedInstanceVariableName
+    def parse_saml_assertion(assertion)
+      return @assertion if defined?(@assertion)
+
+      response = OneLogin::RubySaml::Response.new(assertion)
+
+      # The SAML Assertion XML data MUST be encoded using base64url
+      redirect_response_error("invalid_grant", oauth_saml_assertion_not_base64_message) unless response.send(:base64_encoded?, assertion)
 
       # 1. The Assertion's <Issuer> element MUST contain a unique identifier
       # for the entity that issued the Assertion.
-      redirect_response_error("invalid_grant") unless response.issuers.size == 1
+      redirect_response_error("invalid_grant", oauth_saml_assertion_single_issuer_message) unless response.issuers.size == 1
+
+      @saml_settings = db[oauth_saml_settings_table].where(
+        oauth_saml_settings_issuer_column => response.issuers.first
+      ).first
+
+      redirect_response_error("invalid_grant", oauth_saml_settings_not_found_message) unless @saml_settings
 
-      # 2. in addition to the URI references
-      # discussed there, the token endpoint URL of the authorization
-      # server MAY be used as a URI that identifies the authorization
-      # server as an intended audience.  The authorization server MUST
-      # reject any Assertion that does not contain its own identity as
-      # the intended audience.
-      redirect_response_error("invalid_grant") if response.audiences && !response.audiences.include?(token_url)
+      response.settings = generate_saml_settings(@saml_settings)
+
+      # 2. The Assertion MUST contain a <Conditions> element ...
+      # 3. he Assertion MUST have an expiry that limits the time window ...
+      # 4. The Assertion MUST have an expiry that limits the time window ...
+      # 5. The <Subject> element MUST contain at least one ...
+      # 6. The authorization server MUST reject the entire Assertion if the ...
+      # 7. If the Assertion issuer directly authenticated the subject, ...
+      redirect_response_error("invalid_grant", response.errors.join("; ")) unless response.is_valid?
 
-      response
+      @assertion = response
     end
+    # rubocop:enable Naming/MemoizedInstanceVariableName
 
     def oauth_server_metadata_body(*)
       super.tap do |data|

data/lib/rodauth/features/oauth_tls_client_auth.rb

@@ -7,7 +7,7 @@ require "rodauth/oauth"
 
 module Rodauth
   Feature.define(:oauth_tls_client_auth, :OauthTlsClientAuth) do
-    depends :oauth_jwt_base
+    depends :oauth_base
 
     auth_value_method :oauth_tls_client_certificate_bound_access_tokens, false
 
@@ -112,9 +112,7 @@ module Rodauth
 
       return claims unless grant_or_claims && grant_or_claims[oauth_grants_certificate_thumbprint_column]
 
-      claims[:cnf] = {
-        "x5t#S256" => grant_or_claims[oauth_grants_certificate_thumbprint_column]
-      }
+      (claims[:cnf] ||= {})["x5t#S256"] = grant_or_claims[oauth_grants_certificate_thumbprint_column]
 
       claims
     end

data/lib/rodauth/features/oauth_token_introspection.rb

@@ -9,7 +9,7 @@ module Rodauth
 
     before "introspect"
 
-    auth_value_methods(
+    auth_methods(
       :resource_owner_identifier
     )
 
@@ -66,7 +66,7 @@ module Rodauth
           scope: grant_or_claims["scope"],
           client_id: grant_or_claims["client_id"],
           username: resource_owner_identifier(grant_or_claims),
-          token_type: "access_token",
+          token_type: oauth_token_type.capitalize,
           exp: grant_or_claims["exp"],
           iat: grant_or_claims["iat"],
           nbf: grant_or_claims["nbf"],
@@ -99,7 +99,7 @@ module Rodauth
     private
 
     def require_oauth_application_for_introspect
-      (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]))
+      (token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1])
 
       return require_oauth_application unless token
 

data/lib/rodauth/features/oauth_token_revocation.rb

@@ -50,7 +50,7 @@ module Rodauth
           end
         end
 
-        redirect_response_error("invalid_request", request.referer || "/")
+        redirect_response_error("invalid_request")
       end
     end
 

data/lib/rodauth/features/oidc.rb

@@ -51,6 +51,11 @@ module Rodauth
       require_request_uri_registration
       op_policy_uri
       op_tos_uri
+      check_session_iframe
+      frontchannel_logout_supported
+      frontchannel_logout_session_supported
+      backchannel_logout_supported
+      backchannel_logout_session_supported
     ].freeze
 
     REQUIRED_METADATA_KEYS = %i[
@@ -63,7 +68,7 @@ module Rodauth
       id_token_signing_alg_values_supported
     ].freeze
 
-    depends :account_expiration, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant, :oauth_implicit_grant
+    depends :active_sessions, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant, :oauth_implicit_grant
 
     auth_value_method :oauth_application_scopes, %w[openid]
 
@@ -95,7 +100,10 @@ module Rodauth
       :request_object_signing_alg_values_supported,
       :request_object_encryption_alg_values_supported,
       :request_object_encryption_enc_values_supported,
-      :oauth_acr_values_supported,
+      :oauth_acr_values_supported
+    )
+
+    auth_methods(
       :get_oidc_account_last_login_at,
       :oidc_authorize_on_prompt_none?,
       :fill_with_account_claims,
@@ -222,7 +230,7 @@ module Rodauth
     def current_oauth_account
       subject_type = current_oauth_application[oauth_applications_subject_type_column] || oauth_jwt_subject_type
 
-      return super unless subject_type == "pairwise"
+      super unless subject_type == "pairwise"
     end
 
     private
@@ -294,10 +302,10 @@ module Rodauth
         # The value is a JSON object listing the requested Claims.
         claims = JSON.parse(claims)
 
-        claims.each do |_, individual_claims|
+        claims.each_value do |individual_claims|
           redirect_response_error("invalid_request") unless individual_claims.is_a?(Hash)
 
-          individual_claims.each do |_, claim|
+          individual_claims.each_value do |claim|
             redirect_response_error("invalid_request") unless claim.nil? || individual_claims.is_a?(Hash)
           end
         end
@@ -341,10 +349,17 @@ module Rodauth
     end
 
     def get_oidc_account_last_login_at(account_id)
-      get_activity_timestamp(account_id, account_activity_last_activity_column)
+      return get_activity_timestamp(account_id, account_activity_last_activity_column) if features.include?(:account_expiration)
+
+      # active sessions based
+      ds = db[active_sessions_table].where(active_sessions_account_id_column => account_id)
+
+      ds = ds.order(Sequel.desc(active_sessions_created_at_column))
+
+      convert_timestamp(ds.get(active_sessions_created_at_column))
     end
 
-    def jwt_subject(oauth_grant, client_application = oauth_application)
+    def jwt_subject(account_unique_id, client_application = oauth_application)
       subject_type = client_application[oauth_applications_subject_type_column] || oauth_jwt_subject_type
 
       case subject_type
@@ -368,8 +383,7 @@ module Rodauth
 
         identifier_uri = URI(identifier_uri).host
 
-        account_ids = oauth_grant.values_at(oauth_grants_resource_owner_columns)
-        values = [identifier_uri, *account_ids, oauth_jwt_subject_secret]
+        values = [identifier_uri, account_unique_id, oauth_jwt_subject_secret]
         Digest::SHA256.hexdigest(values.join)
       else
         raise StandardError, "unexpected subject (#{subject_type})"
@@ -405,7 +419,9 @@ module Rodauth
 
         login_cookie_opts = Hash[oauth_prompt_login_cookie_options]
         login_cookie_opts[:value] = "login"
-        login_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_prompt_login_interval) # 15 minutes
+        if oauth_prompt_login_interval
+          login_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_prompt_login_interval) # 15 minutes
+        end
         ::Rack::Utils.set_cookie_header!(response.headers, oauth_prompt_login_cookie_key, login_cookie_opts)
 
         redirect require_login_redirect
@@ -516,7 +532,12 @@ module Rodauth
         end
       end
 
-      # 5.4 - However, when no Access Token is issued (which is the case for the response_type value id_token),
+      # OpenID Connect Core 1.0's 5.4 Requesting Claims using Scope Values:
+      # If standard claims (profile, email, etc) are requested as scope values in the Authorization Request,
+      # include in the response.
+      include_claims ||= (OIDC_SCOPES_MAP.keys & oauth_scopes).any?
+
+      # However, when no Access Token is issued (which is the case for the response_type value id_token),
       # the resulting Claims are returned in the ID Token.
       fill_with_account_claims(id_claims, account, oauth_scopes, param_or_nil("claims_locales")) if include_claims
 

data/lib/rodauth/features/oidc_backchannel_logout.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oidc_backchannel_logout, :OidBackchannelLogout) do
+    depends :logout, :oidc_logout_base
+
+    auth_value_method :oauth_logout_token_expires_in, 60 # 1 minute
+    auth_value_method :backchannel_logout_session_supported, true
+    auth_value_method :oauth_applications_backchannel_logout_uri_column, :backchannel_logout_uri
+    auth_value_method :oauth_applications_backchannel_logout_session_required_column, :backchannel_logout_session_required
+
+    auth_methods(
+      :perform_logout_requests
+    )
+
+    def logout
+      visited_sites = session[visited_sites_key]
+
+      return super unless visited_sites
+
+      oauth_applications = db[oauth_applications_table].where(oauth_applications_client_id_column => visited_sites.map(&:first))
+                                                       .as_hash(oauth_applications_id_column)
+
+      logout_params = oauth_applications.flat_map do |_id, oauth_application|
+        logout_url = oauth_application[oauth_applications_backchannel_logout_uri_column]
+
+        next unless logout_url
+
+        client_id = oauth_application[oauth_applications_client_id_column]
+
+        sids = visited_sites.select { |cid, _| cid == client_id }.map(&:last)
+
+        sids.map do |sid|
+          logout_token = generate_logout_token(oauth_application, sid)
+
+          [logout_url, logout_token]
+        end
+      end.compact
+
+      perform_logout_requests(logout_params) unless logout_params.empty?
+
+      # now we can clear the session
+      super
+    end
+
+    private
+
+    def generate_logout_token(oauth_application, sid)
+      issued_at = Time.now.to_i
+
+      logout_claims = {
+        iss: oauth_jwt_issuer, # issuer
+        iat: issued_at, # issued at
+        exp: issued_at + oauth_logout_token_expires_in,
+        aud: oauth_application[oauth_applications_client_id_column],
+        events: {
+          "http://schemas.openid.net/event/backchannel-logout": {}
+        }
+      }
+
+      logout_claims[:sid] = sid if sid
+
+      signing_algorithm = oauth_application[oauth_applications_id_token_signed_response_alg_column] ||
+                          oauth_jwt_keys.keys.first
+
+      params = {
+        jwks: oauth_application_jwks(oauth_application),
+        headers: { typ: "logout+jwt" },
+        signing_algorithm: signing_algorithm,
+        encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
+        encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
+      }.compact
+
+      jwt_encode(logout_claims, **params)
+    end
+
+    def perform_logout_requests(logout_params)
+      # performs logout requests sequentially
+      logout_params.each do |logout_url, logout_token|
+        http_request(logout_url, { "logout_token" => logout_token })
+      rescue StandardError
+        warn "failed to perform backchannel logout on #{logout_url}"
+      end
+    end
+
+    def id_token_claims(oauth_grant, signing_algorithm)
+      claims = super
+
+      return claims unless oauth_application[oauth_applications_backchannel_logout_uri_column]
+
+      session_id_in_claims(oauth_grant, claims)
+
+      claims
+    end
+
+    def should_set_oauth_application_in_visited_sites?
+      true
+    end
+
+    def should_set_sid_in_visited_sites?(oauth_application)
+      super || requires_backchannel_logout_session?(oauth_application)
+    end
+
+    def requires_backchannel_logout_session?(oauth_application)
+      (
+        oauth_application &&
+        oauth_application[oauth_applications_backchannel_logout_session_required_column]
+      ) || backchannel_logout_session_supported
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:backchannel_logout_supported] = true
+        data[:backchannel_logout_session_supported] = backchannel_logout_session_supported
+      end
+    end
+  end
+end

data/lib/rodauth/features/oidc_dynamic_client_registration.rb

@@ -145,6 +145,31 @@ module Rodauth
         end
       end
 
+      if features.include?(:oidc_frontchannel_logout)
+        if (value = @oauth_application_params[oauth_applications_frontchannel_logout_uri_column]) && !check_valid_no_fragment_uri?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_uri_message(value))
+        end
+
+        if (value = @oauth_application_params[oauth_applications_frontchannel_logout_session_required_column])
+          @oauth_application_params[oauth_applications_frontchannel_logout_session_required_column] =
+            convert_to_boolean("frontchannel_logout_session_required", value)
+        end
+      end
+
+      if features.include?(:oidc_backchannel_logout)
+        if (value = @oauth_application_params[oauth_applications_backchannel_logout_uri_column]) && !check_valid_no_fragment_uri?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_uri_message(value))
+        end
+
+        if @oauth_application_params.key?(oauth_applications_backchannel_logout_session_required_column)
+          value = @oauth_application_params[oauth_applications_backchannel_logout_session_required_column]
+          @oauth_application_params[oauth_applications_backchannel_logout_session_required_column] =
+            convert_to_boolean("backchannel_logout_session_required", value)
+        end
+      end
+
       if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column]) &&
          !oauth_jwt_jwe_algorithms_supported.include?(value)
         register_throw_json_response_error("invalid_client_metadata",

data/lib/rodauth/features/oidc_frontchannel_logout.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+# :nocov:
+raise LoadError, "the `:oidc_frontchannel_logout` requires rodauth 2.32.0 or higher" if Rodauth::VERSION < "2.32.0"
+
+# :nocov:
+
+module Rodauth
+  Feature.define(:oidc_frontchannel_logout, :OidFrontchannelLogout) do
+    depends :logout, :oidc_logout_base
+
+    view "frontchannel_logout", "Logout", "frontchannel_logout"
+
+    translatable_method :oauth_frontchannel_logout_redirecting_lead, "You are being redirected..."
+    translatable_method :oauth_frontchannel_logout_redirecting_label, "please click %<link>s if your browser does not " \
+                                                                      "redirect you in a few seconds."
+    translatable_method :oauth_frontchannel_logout_redirecting_link_label, "here"
+    auth_value_method :frontchannel_logout_session_supported, true
+    auth_value_method :frontchannel_logout_redirect_timeout, 5
+    auth_value_method :oauth_applications_frontchannel_logout_uri_column, :frontchannel_logout_uri
+    auth_value_method :oauth_applications_frontchannel_logout_session_required_column, :frontchannel_logout_session_required
+
+    attr_reader :frontchannel_logout_urls
+
+    attr_reader :frontchannel_logout_redirect
+
+    def logout
+      @visited_sites = session[visited_sites_key]
+
+      super
+    end
+
+    def _logout_response
+      visited_sites = @visited_sites
+
+      return super unless visited_sites
+
+      logout_urls = db[oauth_applications_table]
+                    .where(oauth_applications_client_id_column => visited_sites.map(&:first))
+                    .as_hash(oauth_applications_client_id_column, oauth_applications_frontchannel_logout_uri_column)
+
+      return super if logout_urls.empty?
+
+      generate_frontchannel_logout_urls(visited_sites, logout_urls)
+
+      @frontchannel_logout_redirect = logout_redirect
+
+      set_notice_flash logout_notice_flash
+      return_response frontchannel_logout_view
+    end
+
+    # overrides rp-initiate logout response
+    def _oidc_logout_response
+      visited_sites = @visited_sites
+
+      return super unless visited_sites
+
+      logout_urls = db[oauth_applications_table]
+                    .where(oauth_applications_client_id_column => visited_sites.map(&:first))
+                    .as_hash(oauth_applications_client_id_column, oauth_applications_frontchannel_logout_uri_column)
+
+      return super if logout_urls.empty?
+
+      generate_frontchannel_logout_urls(visited_sites, logout_urls)
+
+      @frontchannel_logout_redirect = oidc_logout_redirect
+
+      set_notice_flash logout_notice_flash
+      return_response frontchannel_logout_view
+    end
+
+    private
+
+    def generate_frontchannel_logout_urls(visited_sites, logout_urls)
+      @frontchannel_logout_urls = logout_urls.flat_map do |client_id, logout_url|
+        next unless logout_url
+
+        sids = visited_sites.select { |cid, _| cid == client_id }.map(&:last)
+
+        sids.map do |sid|
+          logout_url = URI(logout_url)
+
+          if sid
+            query = logout_url.query
+            query = if query
+                      URI.decode_www_form(query)
+                    else
+                      []
+                    end
+            query << ["iss", oauth_jwt_issuer]
+            query << ["sid", sid]
+            logout_url.query = URI.encode_www_form(query)
+          end
+
+          logout_url
+        end
+      end.compact
+    end
+
+    def id_token_claims(oauth_grant, signing_algorithm)
+      claims = super
+
+      return claims unless oauth_application[oauth_applications_frontchannel_logout_uri_column]
+
+      session_id_in_claims(oauth_grant, claims)
+
+      claims
+    end
+
+    def should_set_oauth_application_in_visited_sites?
+      true
+    end
+
+    def should_set_sid_in_visited_sites?(oauth_application)
+      super || requires_frontchannel_logout_session?(oauth_application)
+    end
+
+    def requires_frontchannel_logout_session?(oauth_application)
+      (
+        oauth_application &&
+        oauth_application[oauth_applications_frontchannel_logout_session_required_column]
+      ) || frontchannel_logout_session_supported
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:frontchannel_logout_supported] = true
+        data[:frontchannel_logout_session_supported] = frontchannel_logout_session_supported
+      end
+    end
+  end
+end