rodauth-oauth 1.6.3 → 1.6.4
- checksums.yaml +4 -4
- data/README.md +2 -1
- data/doc/release_notes/1_6_4.md +9 -0
- data/lib/rodauth/features/oauth_authorize_base.rb +7 -7
- data/lib/rodauth/features/oauth_base.rb +8 -8
- data/lib/rodauth/features/oauth_dynamic_client_registration.rb +1 -1
- data/lib/rodauth/features/oauth_jwt_base.rb +8 -10
- data/lib/rodauth/features/oauth_token_introspection.rb +1 -1
- data/lib/rodauth/features/oidc.rb +7 -8
- data/lib/rodauth/features/oidc_dynamic_client_registration.rb +2 -2
- data/lib/rodauth/features/oidc_rp_initiated_logout.rb +1 -1
- data/lib/rodauth/oauth/database_extensions.rb +1 -1
- data/lib/rodauth/oauth/version.rb +1 -1
- metadata +7 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 83351fdb82b53fcc94fbafcfe1f3a2057b887b633ae39c4de24a5268136164ec
|
|
4
|
+
data.tar.gz: 6b1d1f26cfc189cb6d18269af0634f358724a156bd26edc514bb008615e55e68
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c2197aad8a6e0d0e5d46ef2b18f0730133d06463c1115c60a949b079849c8bb5ab62e1424db5fea1ede68ae5ff1084dfe805a4247164387163a16f8b5f425c40
|
|
7
|
+
data.tar.gz: 63f3c8bfff288028767e833735c8c1496595a9ec08a7c06463df98fe2b93ad987d95e42e0e68c08c24698b97a454924a326d6326c056f41181920c189f04472d
|
data/README.md
CHANGED
|
@@ -50,6 +50,7 @@ This gem implements the following RFCs and features of OAuth:
|
|
|
50
50
|
* `oauth_assertion_base` - [Assertion Framework](https://datatracker.ietf.org/doc/html/rfc7521);
|
|
51
51
|
* `oauth_saml_bearer_grant` - [SAML 2.0 Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7522);
|
|
52
52
|
* `oauth_jwt_bearer_grant` - [JWT Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7523);
|
|
53
|
+
* `oauth_dpop` - [OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/rfc9449/);
|
|
53
54
|
|
|
54
55
|
* `oauth_dynamic_client_registration` - [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591) and [Dynamic Client Registration Management](https://www.rfc-editor.org/rfc/rfc7592);
|
|
55
56
|
* OAuth application and token management dashboards;
|
|
@@ -67,7 +68,7 @@ It also implements several components of [OpenID Connect](https://openid.net/con
|
|
|
67
68
|
* `oidc_frontchannel_logout` - [Frontchannel Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/Frontchannel-Logout);
|
|
68
69
|
* `oidc_backchannel_logout` - [Backchannel Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/Backchannel-Logout);
|
|
69
70
|
|
|
70
|
-
This gem supports also rails (
|
|
71
|
+
This gem supports also rails (via [rodauth-rails]((https://github.com/janko/rodauth-rails)), which also dictates the versioning policy).
|
|
71
72
|
|
|
72
73
|
|
|
73
74
|
## Installation
|
|
@@ -33,6 +33,10 @@ module Rodauth
|
|
|
33
33
|
:oauth_grants_resource_owner_columns
|
|
34
34
|
)
|
|
35
35
|
|
|
36
|
+
OAUTH_ACCESS_TYPES = %w[offline online].freeze
|
|
37
|
+
|
|
38
|
+
OAUTH_APPROVAL_PROMPTS = %w[force auto].freeze
|
|
39
|
+
|
|
36
40
|
# /authorize
|
|
37
41
|
auth_server_route(:authorize) do |r|
|
|
38
42
|
require_authorizable_account
|
|
@@ -106,22 +110,18 @@ module Rodauth
|
|
|
106
110
|
false
|
|
107
111
|
end
|
|
108
112
|
|
|
109
|
-
ACCESS_TYPES = %w[offline online].freeze
|
|
110
|
-
|
|
111
113
|
def check_valid_access_type?
|
|
112
114
|
return true unless use_oauth_access_type?
|
|
113
115
|
|
|
114
116
|
access_type = param_or_nil("access_type")
|
|
115
|
-
!access_type ||
|
|
117
|
+
!access_type || OAUTH_ACCESS_TYPES.include?(access_type)
|
|
116
118
|
end
|
|
117
119
|
|
|
118
|
-
APPROVAL_PROMPTS = %w[force auto].freeze
|
|
119
|
-
|
|
120
120
|
def check_valid_approval_prompt?
|
|
121
121
|
return true unless use_oauth_access_type?
|
|
122
122
|
|
|
123
123
|
approval_prompt = param_or_nil("approval_prompt")
|
|
124
|
-
!approval_prompt ||
|
|
124
|
+
!approval_prompt || OAUTH_APPROVAL_PROMPTS.include?(approval_prompt)
|
|
125
125
|
end
|
|
126
126
|
|
|
127
127
|
def resource_owner_params
|
|
@@ -142,7 +142,7 @@ module Rodauth
|
|
|
142
142
|
oauth_grants_redirect_uri_column => redirect_uri,
|
|
143
143
|
oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
|
|
144
144
|
oauth_grants_access_type_column => "online"
|
|
145
|
-
).
|
|
145
|
+
).none?
|
|
146
146
|
|
|
147
147
|
# if there's a previous oauth grant for the params combo, it means that this user has approved before.
|
|
148
148
|
request.env["REQUEST_METHOD"] = "POST"
|
|
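Review bot: The `).none?` that closes the grant lookup at the end of this hunk appears to be called on a Sequel dataset (the receiver starts outside the hunk, so this is inferred from the `column => value` pairs above it); `Sequel::Dataset` gets `none?` from Enumerable, which runs the SELECT and loads every matching grant row just to test emptiness, whereas Sequel's own `Dataset#empty?` issues a `LIMIT 1` existence query. If the receiver is a dataset, `).empty?` keeps the same truth value with less work; if it is already an Array the call is fine as written. The enclosing method starts and ends outside the hunk.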
@@ -462,14 +462,14 @@ module Rodauth
|
|
|
462
462
|
end
|
|
463
463
|
|
|
464
464
|
def generate_token(grant_params = {}, should_generate_refresh_token = true)
|
|
465
|
-
if grant_params[oauth_grants_id_column] &&
|
|
466
|
-
|
|
467
|
-
|
|
468
|
-
|
|
469
|
-
|
|
470
|
-
|
|
471
|
-
|
|
472
|
-
|
|
465
|
+
if grant_params[oauth_grants_id_column] && oauth_reuse_access_token &&
|
|
466
|
+
(
|
|
467
|
+
if oauth_grants_token_hash_column
|
|
468
|
+
grant_params[oauth_grants_token_hash_column]
|
|
469
|
+
else
|
|
470
|
+
grant_params[oauth_grants_token_column]
|
|
471
|
+
end
|
|
472
|
+
)
|
|
473
473
|
return grant_params
|
|
474
474
|
end
|
|
475
475
|
|
|
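Review bot: The reuse branch of generate_token returns grant_params as soon as a token or token hash is present on the grant, and nothing visible in the hunk checks that the stored token is still valid (expiry or revocation) before handing it back; if that is guaranteed by the caller or by the query that produced grant_params, a comment on the `if` would save the next reader the trace, e.g. `# callers only pass grants that are still valid, so an existing token can be reused as-is`. Separately, when oauth_grants_token_hash_column is configured the reused grant carries only the hash, so whatever consumes this early return cannot recover the plaintext token from it — worth confirming that path is handled where the reuse result is consumed. The rest of generate_token lies outside the hunk.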
@@ -18,7 +18,7 @@ module Rodauth
|
|
|
18
18
|
request.on(registration_client_uri_route) do
|
|
19
19
|
# CLIENT REGISTRATION URI
|
|
20
20
|
request.on(String) do |client_id|
|
|
21
|
-
|
|
21
|
+
token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]
|
|
22
22
|
|
|
23
23
|
next unless token
|
|
24
24
|
|
|
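Review bot: The bearer-token extraction `v[/\A *Bearer (.*)\Z/, 1]` is duplicated verbatim in oauth_token_introspection.rb's require_oauth_application_for_introspect in this same release, so the two copies can drift; a single private helper that both call would keep one definition. Two details of the regex are also worth a look: `\Z` accepts a trailing newline that `\z` would not, and the `Bearer` scheme is matched case-sensitively although HTTP auth-scheme names are case-insensitive (RFC 7235 §2.1), so a client sending `bearer` is silently treated as unauthenticated. A variant such as `v[/\A *Bearer (\S+)\z/i, 1]` addresses both; if the stricter matching is intentional, a one-line comment saying so would stop the next reader from "fixing" it. The request.on block continues outside the hunk.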
@@ -266,14 +266,14 @@ module Rodauth
|
|
|
266
266
|
end
|
|
267
267
|
|
|
268
268
|
now = Time.now
|
|
269
|
-
if verify_claims &&
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
|
|
269
|
+
if verify_claims &&
|
|
270
|
+
(!claims[:exp] || Time.at(claims[:exp]) < now) &&
|
|
271
|
+
claims[:nbf] && Time.at(claims[:nbf]) < now &&
|
|
272
|
+
claims[:iat] && Time.at(claims[:iat]) < now &&
|
|
273
|
+
verify_iss && claims[:iss] != oauth_jwt_issuer &&
|
|
274
|
+
verify_aud && !verify_aud(claims[:aud], claims[:client_id]) &&
|
|
275
|
+
verify_jti && !verify_jti(claims[:jti], claims)
|
|
276
|
+
|
|
277
277
|
return
|
|
278
278
|
end
|
|
279
279
|
|
|
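Review bot: The claim verification block after `now = Time.now` rejects the token only when all six sub-conditions hold at the same time, because they are joined with `&&`: an expired token with the right issuer, or a token for the wrong audience that is not yet expired, both fall through to the code after the block. The nbf and iat terms also describe a valid token (claim present and in the past) rather than a failing one, so as written they can never contribute to a rejection in the intended sense. Whether the JWT library call earlier in the method already enforces exp/nbf/iat is outside the hunk; if it does, this block is dead weight and a comment saying so would help, otherwise each check should be an independent, `||`-joined reason to return, with the nbf and iat comparisons inverted, as sketched below (the missing-exp treatment is kept from the original). The enclosing method continues on both sides of the hunk.
```ruby
now = Time.now
# reject on any single failed claim check; each line is an independent reason to return nil
if verify_claims && (
  (!claims[:exp] || Time.at(claims[:exp]) < now) ||
  (claims[:nbf] && Time.at(claims[:nbf]) > now) ||
  (claims[:iat] && Time.at(claims[:iat]) > now) ||
  (verify_iss && claims[:iss] != oauth_jwt_issuer) ||
  (verify_aud && !verify_aud(claims[:aud], claims[:client_id])) ||
  (verify_jti && !verify_jti(claims[:jti], claims))
)
  return
end
# … unchanged: claims returned below …
```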
@@ -347,7 +347,6 @@ module Rodauth
|
|
|
347
347
|
def jwt_encode(payload,
|
|
348
348
|
signing_algorithm: oauth_jwt_keys.keys.first,
|
|
349
349
|
headers: {}, **)
|
|
350
|
-
|
|
351
350
|
key = oauth_jwt_keys[signing_algorithm] || _jwt_key
|
|
352
351
|
key = key.first if key.is_a?(Array)
|
|
353
352
|
|
|
@@ -475,7 +474,6 @@ module Rodauth
|
|
|
475
474
|
jwe_key: oauth_jwt_jwe_keys[[jws_encryption_algorithm, jws_encryption_method]] || oauth_jwt_jwe_keys.values.first,
|
|
476
475
|
**args
|
|
477
476
|
)
|
|
478
|
-
|
|
479
477
|
token = if jwks && jwks.any? { |k| k[:use] == "enc" }
|
|
480
478
|
JWE.__rodauth_oauth_decrypt_from_jwks(token, jwks, alg: jws_encryption_algorithm, enc: jws_encryption_method)
|
|
481
479
|
elsif jwe_key
|
|
@@ -99,7 +99,7 @@ module Rodauth
|
|
|
99
99
|
private
|
|
100
100
|
|
|
101
101
|
def require_oauth_application_for_introspect
|
|
102
|
-
|
|
102
|
+
token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]
|
|
103
103
|
|
|
104
104
|
return require_oauth_application unless token
|
|
105
105
|
|
|
@@ -144,7 +144,9 @@ module Rodauth
|
|
|
144
144
|
**resource_owner_params_from_jwt_claims(claims)
|
|
145
145
|
).first
|
|
146
146
|
|
|
147
|
-
|
|
147
|
+
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless oauth_grant
|
|
148
|
+
|
|
149
|
+
claims_locales = oauth_grant[oauth_grants_claims_locales_column]
|
|
148
150
|
|
|
149
151
|
if (claims = oauth_grant[oauth_grants_claims_column])
|
|
150
152
|
claims = JSON.parse(claims)
|
|
@@ -317,9 +319,8 @@ module Rodauth
|
|
|
317
319
|
# MUST ignore the offline_access request unless the Client
|
|
318
320
|
# is using a response_type value that would result in an
|
|
319
321
|
# Authorization Code
|
|
320
|
-
if sc && sc.include?("offline_access") && !(param_or_nil("prompt") == "consent" &&
|
|
321
|
-
(response_type = param_or_nil("response_type")) && response_type.split(" ").include?("code")
|
|
322
|
-
))
|
|
322
|
+
if sc && sc.include?("offline_access") && !(param_or_nil("prompt") == "consent" &&
|
|
323
|
+
(response_type = param_or_nil("response_type")) && response_type.split(" ").include?("code"))
|
|
323
324
|
sc.delete("offline_access")
|
|
324
325
|
|
|
325
326
|
request.params["scope"] = sc.join(" ")
|
|
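Review bot: `param_or_nil("prompt") == "consent"` in the offline_access check only matches when consent is the sole prompt value, but OpenID Connect Core §3.1.2.1 defines prompt as a space-delimited list, so a request such as `prompt=login consent` with `response_type=code` has its offline_access scope dropped even though the client asked for consent; the first rewritten line could mirror the response_type handling, `if sc && sc.include?("offline_access") && !((prompt = param_or_nil("prompt")) && prompt.split(" ").include?("consent") &&`. That is fail-closed (no refresh token is issued), so it is a conformance gap rather than a security regression. In the earlier oidc.rb hunk that adds the `invalid_token` guard, the local `claims` is reused two lines later for the grant's stored claims JSON after having meant the JWT claims in `resource_owner_params_from_jwt_claims(claims)`; a distinct name such as `grant_claims` would read more clearly. Both enclosing methods start outside their hunks.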
@@ -792,9 +793,7 @@ module Rodauth
|
|
|
792
793
|
# Metadata
|
|
793
794
|
|
|
794
795
|
def openid_configuration_body(path = nil)
|
|
795
|
-
metadata = oauth_server_metadata_body(path).
|
|
796
|
-
VALID_METADATA_KEYS.include?(k)
|
|
797
|
-
end
|
|
796
|
+
metadata = oauth_server_metadata_body(path).slice(*VALID_METADATA_KEYS)
|
|
798
797
|
|
|
799
798
|
scope_claims = oauth_application_scopes.each_with_object([]) do |scope, claims|
|
|
800
799
|
oidc, param = scope.split(".", 2)
|
|
@@ -873,7 +872,7 @@ module Rodauth
|
|
|
873
872
|
return unless digest
|
|
874
873
|
|
|
875
874
|
hash = digest.digest(hash)
|
|
876
|
-
hash = hash[0...hash.size / 2]
|
|
875
|
+
hash = hash[0...(hash.size / 2)]
|
|
877
876
|
Base64.urlsafe_encode64(hash).tr("=", "")
|
|
878
877
|
end
|
|
879
878
|
end
|
|
@@ -132,8 +132,8 @@ module Rodauth
|
|
|
132
132
|
end
|
|
133
133
|
end
|
|
134
134
|
|
|
135
|
-
if features.include?(:oidc_rp_initiated_logout) &&
|
|
136
|
-
|
|
135
|
+
if features.include?(:oidc_rp_initiated_logout) && defined?(oauth_applications_post_logout_redirect_uris_column) &&
|
|
136
|
+
(value = @oauth_application_params[oauth_applications_post_logout_redirect_uris_column])
|
|
137
137
|
if value.is_a?(Array)
|
|
138
138
|
@oauth_application_params[oauth_applications_post_logout_redirect_uris_column] = value.each do |redirect_uri|
|
|
139
139
|
unless check_valid_uri?(redirect_uri)
|
|
@@ -81,7 +81,7 @@ module Rodauth
|
|
|
81
81
|
end
|
|
82
82
|
|
|
83
83
|
def __insert_or_do_nothing_and_return__(dataset, pkey, unique_columns, params)
|
|
84
|
-
find_params = params.
|
|
84
|
+
find_params = params.slice(*unique_columns)
|
|
85
85
|
dataset.where(find_params).first || __insert_and_return__(dataset, pkey, params)
|
|
86
86
|
end
|
|
87
87
|
end
|
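Review bot: `__insert_or_do_nothing_and_return__` is a select-then-insert, so two concurrent requests carrying the same unique_columns values can both miss `dataset.where(find_params).first`, and the second `__insert_and_return__` then fails on the unique constraint instead of doing nothing as the method name promises. If this is the generic fallback for databases without an atomic ON CONFLICT form (the rest of the module is outside the hunk), a comment above the method saying so and naming the expected failure, `# fallback for DBs without an upsert form: not atomic; a concurrent duplicate insert surfaces as Sequel::UniqueConstraintViolation`, would set expectations for callers. Otherwise rescuing that error and re-running the lookup would make the method live up to its name.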
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth-oauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.
|
|
4
|
+
version: 1.6.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tiago Cardoso
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: bin
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date:
|
|
10
|
+
date: 1980-01-02 00:00:00.000000000 Z
|
|
12
11
|
dependencies:
|
|
13
12
|
- !ruby/object:Gem::Dependency
|
|
14
13
|
name: base64
|
|
@@ -44,10 +43,10 @@ email:
|
|
|
44
43
|
executables: []
|
|
45
44
|
extensions: []
|
|
46
45
|
extra_rdoc_files:
|
|
46
|
+
- CHANGELOG.md
|
|
47
47
|
- LICENSE.txt
|
|
48
|
-
- README.md
|
|
49
48
|
- MIGRATION-GUIDE-v1.md
|
|
50
|
-
-
|
|
49
|
+
- README.md
|
|
51
50
|
- doc/release_notes/0_0_1.md
|
|
52
51
|
- doc/release_notes/0_0_2.md
|
|
53
52
|
- doc/release_notes/0_0_3.md
|
|
@@ -92,6 +91,7 @@ extra_rdoc_files:
|
|
|
92
91
|
- doc/release_notes/1_6_1.md
|
|
93
92
|
- doc/release_notes/1_6_2.md
|
|
94
93
|
- doc/release_notes/1_6_3.md
|
|
94
|
+
- doc/release_notes/1_6_4.md
|
|
95
95
|
files:
|
|
96
96
|
- CHANGELOG.md
|
|
97
97
|
- LICENSE.txt
|
|
@@ -141,6 +141,7 @@ files:
|
|
|
141
141
|
- doc/release_notes/1_6_1.md
|
|
142
142
|
- doc/release_notes/1_6_2.md
|
|
143
143
|
- doc/release_notes/1_6_3.md
|
|
144
|
+
- doc/release_notes/1_6_4.md
|
|
144
145
|
- lib/generators/rodauth/oauth/install_generator.rb
|
|
145
146
|
- lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
|
|
146
147
|
- lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
|
|
@@ -227,7 +228,6 @@ metadata:
|
|
|
227
228
|
source_code_uri: https://gitlab.com/os85/rodauth-oauth
|
|
228
229
|
changelog_uri: https://gitlab.com/os85/rodauth-oauth/-/blob/master/CHANGELOG.md
|
|
229
230
|
rubygems_mfa_required: 'true'
|
|
230
|
-
post_install_message:
|
|
231
231
|
rdoc_options: []
|
|
232
232
|
require_paths:
|
|
233
233
|
- lib
|
|
@@ -242,8 +242,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
242
242
|
- !ruby/object:Gem::Version
|
|
243
243
|
version: '0'
|
|
244
244
|
requirements: []
|
|
245
|
-
rubygems_version: 3.
|
|
246
|
-
signing_key:
|
|
245
|
+
rubygems_version: 3.6.9
|
|
247
246
|
specification_version: 4
|
|
248
247
|
summary: Implementation of the OAuth 2.0 protocol on top of rodauth.
|
|
249
248
|
test_files: []
|