rodauth-oauth 1.5.0 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/doc/release_notes/1_6_0.md +18 -0
- data/lib/rodauth/features/oauth_jwt.rb +12 -3
- data/lib/rodauth/features/oidc.rb +5 -1
- data/lib/rodauth/oauth/version.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9fc6216412a63e6ce3b6beecf2d476b50b8e3445026927ce40cdc649023c1b15
|
|
4
|
+
data.tar.gz: d5f2f5ea24ade170615894f352a28ed428fac7a0bb39db4506d8343ead0c2e07
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 984a083c4e8814244c8566106a757095ae046b049ad76c6fa2947e5a7d12b0bc63c5fba621c1a0674e3deb4246a7f09d228ee51bb0e4f16a81c25bcd1a28d04c
|
|
7
|
+
data.tar.gz: 0aafc4b37f059b134ce08940d8e38d9ed3afb577e80c790b646c45ce0792ba6d833582ac53c036f9449ee3b130f77e4f5fc9098ce1ed3614b969dd78219eecba
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
# 1.6.0
|
|
2
|
+
|
|
3
|
+
## Improvements
|
|
4
|
+
|
|
5
|
+
### "at+jwt" and "id_token+jwt" ty header in JWT tokens
|
|
6
|
+
|
|
7
|
+
In order to distinguish/identify tokens, JWT access tokens generated by the `oauth_jwt` feature will contain the "at+jwt" value in the "typ" header (which follows the [recomendation in the RFC](https://datatracker.ietf.org/doc/html/rfc9068#section-2.1)), whereas ID tokens generated by the `oidc` feature will contain the "id_token+jwt" value in the "typ" header (there is no official recommendation, but some providers are using this).
|
|
8
|
+
|
|
9
|
+
**Note**: This header will also be used to validate access tokens. This means that, once you upgrade, **access tokens generated prior to the upgrade won't be usable anymore**. In order to mitigate this and smoothen the upgrade process, disable header verification for a period greater than the access token expiration time in your application (controlled by the `oauth_access_token_expires_in` auth value method, 60 minutes by default); this will allow older access tokens to expire. You can so by overriding the `verify_access_token_headers` auth method:
|
|
10
|
+
|
|
11
|
+
```ruby
|
|
12
|
+
|
|
13
|
+
rodauth do
|
|
14
|
+
enable :oauth_jwt # or :oidc
|
|
15
|
+
oauth_access_token_expires_in 60 * 60
|
|
16
|
+
|
|
17
|
+
verify_access_token_headers { } # do nothing
|
|
18
|
+
end
|
|
@@ -9,7 +9,10 @@ module Rodauth
|
|
|
9
9
|
|
|
10
10
|
auth_value_method :oauth_jwt_access_tokens, true
|
|
11
11
|
|
|
12
|
-
auth_methods(
|
|
12
|
+
auth_methods(
|
|
13
|
+
:jwt_claims,
|
|
14
|
+
:verify_access_token_headers
|
|
15
|
+
)
|
|
13
16
|
|
|
14
17
|
def require_oauth_authorization(*scopes)
|
|
15
18
|
return super unless oauth_jwt_access_tokens
|
|
@@ -53,10 +56,14 @@ module Rodauth
|
|
|
53
56
|
@authorization_token = decode_access_token
|
|
54
57
|
end
|
|
55
58
|
|
|
59
|
+
def verify_access_token_headers(headers)
|
|
60
|
+
headers["typ"] == "at+jwt"
|
|
61
|
+
end
|
|
62
|
+
|
|
56
63
|
def decode_access_token(access_token = fetch_access_token)
|
|
57
64
|
return unless access_token
|
|
58
65
|
|
|
59
|
-
jwt_claims = jwt_decode(access_token)
|
|
66
|
+
jwt_claims = jwt_decode(access_token, verify_headers: method(:verify_access_token_headers))
|
|
60
67
|
|
|
61
68
|
return unless jwt_claims
|
|
62
69
|
|
|
@@ -94,7 +101,9 @@ module Rodauth
|
|
|
94
101
|
# token data.
|
|
95
102
|
claims[:scope] = oauth_grant[oauth_grants_scopes_column]
|
|
96
103
|
|
|
97
|
-
|
|
104
|
+
# RFC8725 section 3.11: Use Explicit Typing
|
|
105
|
+
# RFC9068 section 2.1 : The "typ" value used SHOULD be "at+jwt".
|
|
106
|
+
jwt_encode(claims, headers: { typ: "at+jwt" })
|
|
98
107
|
end
|
|
99
108
|
|
|
100
109
|
def _generate_access_token(*)
|
|
@@ -545,7 +545,11 @@ module Rodauth
|
|
|
545
545
|
jwks: oauth_application_jwks(oauth_application),
|
|
546
546
|
signing_algorithm: signing_algorithm,
|
|
547
547
|
encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
|
|
548
|
-
encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
|
|
548
|
+
encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column],
|
|
549
|
+
|
|
550
|
+
# Not officially part of the spec, but some providers follow this convention.
|
|
551
|
+
# This is useful for distinguishing between ID Tokens and JWT Access Tokens.
|
|
552
|
+
headers: { typ: "id_token+jwt" }
|
|
549
553
|
}.compact
|
|
550
554
|
|
|
551
555
|
oauth_grant[:id_token] = jwt_encode(id_claims, **params)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth-oauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tiago Cardoso
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-04-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rodauth
|
|
@@ -74,6 +74,7 @@ extra_rdoc_files:
|
|
|
74
74
|
- doc/release_notes/1_3_2.md
|
|
75
75
|
- doc/release_notes/1_4_0.md
|
|
76
76
|
- doc/release_notes/1_5_0.md
|
|
77
|
+
- doc/release_notes/1_6_0.md
|
|
77
78
|
files:
|
|
78
79
|
- CHANGELOG.md
|
|
79
80
|
- LICENSE.txt
|
|
@@ -119,6 +120,7 @@ files:
|
|
|
119
120
|
- doc/release_notes/1_3_2.md
|
|
120
121
|
- doc/release_notes/1_4_0.md
|
|
121
122
|
- doc/release_notes/1_5_0.md
|
|
123
|
+
- doc/release_notes/1_6_0.md
|
|
122
124
|
- lib/generators/rodauth/oauth/install_generator.rb
|
|
123
125
|
- lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
|
|
124
126
|
- lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
|