rodauth-oauth 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec27cf0fcac2e93b6ba08d76a4fa3e165c55722864d87fb78e4f0fc70a15c759
-  data.tar.gz: 535f0b61b987f38179de2d7011b55d8b9b6e12bdf1293c9da7534c063277c2f3
+  metadata.gz: 22808f6f421ce935e5f69301b1f0edc37a286baedf0c4a4039d29b3ff678bf40
+  data.tar.gz: 64305ba438e3035309ca428d4820f00f7b169ca219882575262ee8242a800f50
 SHA512:
-  metadata.gz: d1179a1e5db37dbfdc9932a6ec74fb3fba37c7c863c0ec643f9b1c11fee8ef8b8bf71d0705bb9629135f517dbb3d49dd5e7609014ddc3aae28ad4bd0f45981a1
-  data.tar.gz: ebc711bc991746fbfa780f81a91c92508c55eca65e3e316a1fc4b23b6e9141f0d97a8871ce12527fdeaf71234d97ddfa0c712aca870c65f73ab89a11fe40839e
+  metadata.gz: c6302e1e592bf760b9a1a1ac4adc6e9189545f58818553ec85fda0f86299531dcea1e1b59cba65aaa62d607e2cf541fb18ee2a9c2161ce96678b5b2812326a0b
+  data.tar.gz: 689a8e88d89c8fe74b665c65138ff8372cee05d0783e473e8e124b9a9f21d9806bb397d185edf9d0c87ef21cfcd2d81bfa16ab0aaa3da64b9b28d6e5e2e24ab3

data/CHANGELOG.md

@@ -2,6 +2,43 @@
 
 ## master
 
+## 0.0.4 (13/6/2020)
+
+### Features
+
+#### Token introspection
+
+`rodauth-oauth` now ships with an introspection endpoint (`/oauth-introspect`).
+
+#### Authorization Server Metadata
+
+`rodauth-oauth` now allows to define an authorization metadata endpoint, which has to be defined at the route of the router:
+
+```ruby
+route do |r|
+  r.rodauth
+  rodauth.oauth_server_metadata
+  ...
+```
+
+#### JWKs URI
+
+the `oauth_jwt` feature now ships with an endpoint, `/oauth-jwks`, where client applications can retrieve the JWK set to verify generated tokens.
+
+#### JWT access tokens as authorization grants
+
+The `oauth_jwt` feature now allows the usage of access tokens to authorize the generation of new tokens, [as per the RFC](https://tools.ietf.org/html/rfc7523#section-4);
+
+### Improvements
+
+* using `client_secret_basic` authorization where client id/secret params were allowed (i.e. in the token and revoke endpoints, for example);
+* improved JWK usage for both supported jwt libraries;
+* marked `fetch_access_token` as auth_value_method, thereby allowing users to fetch the access token from other sources than the "Authorization" header (i.e. form body, query params, etc...)
+
+### Bugfixes
+
+* Fixed scope claim of JWT ("scopes" -> "scope");
+
 ## 0.0.3 (5/6/2020)
 
 ### Features

data/README.md

@@ -15,6 +15,8 @@ This gem implements:
   * [Access Token refresh](https://tools.ietf.org/html/rfc6749#section-1.5);
   * [Implicit grant (off by default)[https://tools.ietf.org/html/rfc6749#section-4.2];
 * [Token revocation](https://tools.ietf.org/html/rfc7009);
+* [Token introspection](https://tools.ietf.org/html/rfc7662);
+* [Authorization Server Metadata](https://tools.ietf.org/html/rfc8414);
 * [PKCE](https://tools.ietf.org/html/rfc7636);
 * Access Type (Token refresh online and offline);
 * [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
@@ -146,10 +148,9 @@ Token revocation can be done both by the idenntity owner or the application owne
 
 ```ruby
 require "httpx"
-httpx = HTTPX.plugin(:authorization)
-response = httpx.with(headers: { "X-your-auth-scheme" => ENV["SERVER_KEY"] })
+httpx = HTTPX.plugin(:basic_authorization)
+response = httpx.basic_authentication(ENV["CLIENT_ID"], ENV["CLIENT_SECRET"])
                 .post("https://auth_server/oauth-revoke",json: {
-                  client_id: ENV["OAUTH_CLIENT_ID"],
                   token_type_hint: "access_token", # can also be "refresh:tokn"
                   token: "2r89hfef4j9f90d2j2390jf390g"
                 })
@@ -164,6 +165,55 @@ puts payload #=> {"access_token" => "awr23f3h8f9d2h89...", "token_type" => "Bear
 > curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-revoke
 ```
 
+#### Token introspection
+
+Token revocation can be used to determine the state of a token (whether active, what's the scope...) . Here's an example using server-to-server:
+
+```ruby
+require "httpx"
+httpx = HTTPX.plugin(:basic_authorization)
+response = httpx.basic_authentication(ENV["CLIENT_ID"], ENV["CLIENT_SECRET"])
+                .post("https://auth_server/oauth-introspect",json: {
+                  token_type_hint: "access_token", # can also be "refresh:tokn"
+                  token: "2r89hfef4j9f90d2j2390jf390g"
+                })
+response.raise_for_status
+payload = JSON.parse(response.to_s)
+puts payload #=> {"active" => true, "scope" => "read write" ....
+```
+
+##### cURL
+
+```
+> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","token_type_hint":"access_token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-revoke
+```
+
+### Authorization Server Metadata
+
+The Authorization Server Metadata endpoint can be used by clients to obtain the information needed to interact with an
+   OAuth 2.0 authorization server, i.e. know which endpoint is used to authorize clients.
+
+Because this endpoint **must be https://AUTHSERVER/.well-known/oauth-authorization-server**, you'll have to define it at the root-level of your app:
+
+```ruby
+plugin :rodauth do
+  # enable it in the plugin
+  enable :login, :oauth
+  oauth_application_default_scope %w[profile.read]
+  oauth_application_scopes %w[profile.read profile.write]
+end
+
+# then, inside roda
+
+route do |r|
+  r.rodauth
+  # server metadata endpoint
+  rodauth.oauth_server_metadata
+
+  # now, your oauth and app code...
+
+```
+
 ### Database migrations
 
 You have to generate database tables for Oauth applications, grants and tokens. In order for you to hit the ground running, [here's a set of migrations (using `sequel`) to generate the needed tables](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/test/migrate) (omit the first 2 if you already have account tables).
@@ -427,13 +477,13 @@ Generating an access token will deliver the following fields:
 # with httpx
 require "httpx"
 response = httpx.post("https://auth_server/oauth-token",json: {
-                  client_id: ENV["OAUTH_CLIENT_ID"],
-                  client_secret: ENV["OAUTH_CLIENT_SECRET"],
+                  client_id: env["oauth_client_id"],
+                  client_secret: env["oauth_client_secret"],
                   grant_type: "authorization_code",
                   code: "oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as"
                 })
 response.raise_for_status
-payload = JSON.parse(response.to_s)
+payload = json.parse(response.to_s)
 puts payload #=> {
 # "access_token" => ....
 # "mac_key" => ....
@@ -469,7 +519,6 @@ This will, by default, use the OAuth application as HMAC signature and "HS256" a
 ```ruby
 enable :oauth_jwt
 oauth_jwt_secret "SECRET"
-# or oauth_jwt_secret_path "path/to/file"
 oauth_jwt_algorithm "HS512"
 ```
 
@@ -486,7 +535,7 @@ rsa_public = rsa_private.public_key
 plugin :rodauth do
   enable :oauth_jwt
   oauth_jwt_key rsa_private
-  oauth_jwt_decoding_secret rsa_public
+  oauth_jwt_public_key rsa_public
   oauth_jwt_algorithm "RS256" 
 end
 ```
@@ -496,10 +545,14 @@ end
 One can further encode the JWT token using JSON Web Keys. Here's how you could enable the feature:
 
 ```ruby
+rsa_private = OpenSSL::PKey::RSA.generate 2048
+rsa_public = rsa_private.public_key
+
 plugin :rodauth do
   enable :oauth_jwt
-  oauth_jwt_jwk_key 2048 # can be key size or the encoded RSA key, which is the only one supported now.
-  # oauth_jwt_jwk_key "path/to/rsa.pem" if you prefer
+  oauth_jwt_jwk_key rsa_private
+  oauth_jwt_jwk_public_key rsa_public
+  oauth_jwt_jwk_algorithm "RS256" 
 end
 ```
 
@@ -520,6 +573,26 @@ end
 
 which adds an extra layer of protection.
 
+#### JWKS URI
+
+A route is defined for getting the JWK Set in a JSON format; this is typically used by client applications, who need the JWK set to decode the JWT token. This URL is typically `https://oauth-server/oauth-jwks`.
+
+#### JWT Bearer as authorization grant
+
+One can emit a new access token by using the bearer access token as grant. This can be done emitting a request similar to this:
+
+```ruby
+# with httpx
+require "httpx"
+response = httpx.post("https://auth_server/oauth-token",json: {
+                  grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+                  assertion: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6IkV4YW1wbGUiLCJpYXQiOjE1OTIwMDk1MDEsImNsaWVudF9pZCI6IkNMSUVOVF9JRCIsImV4cCI6MTU5MjAxMzEwMSwiYXVkIjpudWxsLCJzY29wZSI6InVzZXIucmVhZCB1c2VyLndyaXRlIiwianRpIjoiOGM1NTVjMjdiOWRjNDdmOTcyNWRkYzBhMjk0NzA1ZTA4NzFkY2JlN2Q5ZTNlMmVkNGE1ZTBiOGZlNTZlYzcxMSJ9.AlxKRtE3ec0mtyBSDx4VseND4eC6cH5ubtv8gfYxxsc"
+                })
+response.raise_for_status
+payload = json.parse(response.to_s)
+puts payload #=> {
+# "access_token" => "ey....
+```
 
 #### DB Schema
 

data/lib/rodauth/features/oauth.rb

@@ -1,5 +1,7 @@
 # frozen-string-literal: true
 
+require "base64"
+
 module Rodauth
   Feature.define(:oauth) do
     # RUBY EXTENSIONS
@@ -38,11 +40,12 @@ module Rodauth
     after "authorize_failure"
 
     before "token"
-    after "token"
 
     before "revoke"
     after "revoke"
 
+    before "introspect"
+
     before "create_oauth_application"
     after "create_oauth_application"
 
@@ -143,7 +146,7 @@ module Rodauth
 
     auth_value_method :oauth_application_default_scope, SCOPES.first
     auth_value_method :oauth_application_scopes, SCOPES
-    auth_value_method :oauth_token_type, "Bearer"
+    auth_value_method :oauth_token_type, "bearer"
 
     auth_value_method :invalid_request, "Request is missing a required parameter"
     auth_value_method :invalid_client, "Invalid client"
@@ -164,7 +167,14 @@ module Rodauth
     auth_value_method :unsupported_transform_algorithm_error_code, "invalid_request"
     auth_value_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
 
+    # METADATA
+    auth_value_method :oauth_metadata_service_documentation, nil
+    auth_value_method :oauth_metadata_ui_locales_supported, nil
+    auth_value_method :oauth_metadata_op_policy_uri, nil
+    auth_value_method :oauth_metadata_op_tos_uri, nil
+
     auth_value_methods(
+      :fetch_access_token,
       :oauth_unique_id_generator,
       :secret_matches?,
       :secret_hash
@@ -190,7 +200,7 @@ module Rodauth
 
     def check_csrf?
       case request.path
-      when oauth_token_path
+      when oauth_token_path, oauth_introspect_path
         false
       when oauth_revoke_path
         !json_request?
@@ -221,8 +231,6 @@ module Rodauth
       end
     end
 
-    attr_reader :oauth_application
-
     def initialize(scope)
       @scope = scope
     end
@@ -267,23 +275,25 @@ module Rodauth
       end
     end
 
-    def authorization_token
-      return @authorization_token if defined?(@authorization_token)
+    def fetch_access_token
+      value = request.env["HTTP_AUTHORIZATION"]
 
-      @authorization_token = begin
-        value = request.get_header("HTTP_AUTHORIZATION").to_s
+      return unless value
 
-        scheme, token = value.split(" ", 2)
+      scheme, token = value.split(" ", 2)
 
-        return unless scheme == "Bearer"
+      return unless scheme.downcase == oauth_token_type
 
-        # check if there is a token
-        # check if token has not expired
-        # check if token has been revoked
-        oauth_token_by_token(token).where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                                   .where(oauth_tokens_revoked_at_column => nil)
-                                   .first
-      end
+      token
+    end
+
+    def authorization_token
+      return @authorization_token if defined?(@authorization_token)
+
+      # check if there is a token
+      # check if token has not expired
+      # check if token has been revoked
+      @authorization_token = oauth_token_by_token(fetch_access_token)
     end
 
     def require_oauth_authorization(*scopes)
@@ -344,8 +354,44 @@ module Rodauth
       end
     end
 
+    def oauth_server_metadata(issuer = nil)
+      request.on(".well-known") do
+        request.on("oauth-authorization-server") do
+          request.get do
+            json_response_success(oauth_server_metadata_body(issuer))
+          end
+        end
+      end
+    end
+
     private
 
+    # to be used internally. Same semantics as require account, must:
+    # fetch an authorization basic header
+    # parse client id and secret
+    #
+    def require_oauth_application
+      # get client credenntials
+      client_id = client_secret = nil
+
+      # client_secret_basic
+      if (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Basic (.*)\Z/, 1]))
+        client_id, client_secret = Base64.decode64(token).split(/:/, 2)
+      else
+        client_id = param_or_nil(client_id_param)
+        client_secret = param_or_nil(client_secret_param)
+      end
+
+      authorization_required unless client_id
+
+      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
+
+      # skip if using pkce
+      return if @oauth_application && use_oauth_pkce? && param_or_nil(code_verifier_param)
+
+      authorization_required unless @oauth_application && secret_matches?(@oauth_application, client_secret)
+    end
+
     def secret_matches?(oauth_application, secret)
       BCrypt::Password.new(oauth_application[oauth_applications_client_secret_column]) == secret
     end
@@ -362,6 +408,10 @@ module Rodauth
       Base64.urlsafe_encode64(Digest::SHA256.digest(token))
     end
 
+    def token_from_application?(oauth_token, oauth_application)
+      oauth_token[oauth_tokens_oauth_application_id_column] == oauth_application[oauth_applications_id_column]
+    end
+
     unless method_defined?(:password_hash)
       # From login_requirements_base feature
       if ENV["RACK_ENV"] == "test"
@@ -426,31 +476,35 @@ module Rodauth
       end
     end
 
-    def oauth_token_by_token(token)
-      if oauth_tokens_token_hash_column
-        db[oauth_tokens_table].where(oauth_tokens_token_hash_column => generate_token_hash(token))
-      else
-        db[oauth_tokens_table].where(oauth_tokens_token_column => token)
-      end
+    def oauth_token_by_token(token, dataset = db[oauth_tokens_table])
+      ds = if oauth_tokens_token_hash_column
+             dataset.where(oauth_tokens_token_hash_column => generate_token_hash(token))
+           else
+             dataset.where(oauth_tokens_token_column => token)
+           end
+
+      ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+        .where(oauth_tokens_revoked_at_column => nil).first
     end
 
-    def oauth_token_by_refresh_token(token)
-      if oauth_tokens_refresh_token_hash_column
-        db[oauth_tokens_table].where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
-      else
-        db[oauth_tokens_table].where(oauth_tokens_refresh_token_column => token)
-      end
+    def oauth_token_by_refresh_token(token, dataset = db[oauth_tokens_table])
+      ds = if oauth_tokens_refresh_token_hash_column
+             dataset.where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
+           else
+             dataset.where(oauth_tokens_refresh_token_column => token)
+           end
+
+      ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+        .where(oauth_tokens_revoked_at_column => nil).first
     end
 
     def json_access_token_payload(oauth_token)
       payload = {
         "access_token" => oauth_token[oauth_tokens_token_column],
-        "token_type" => oauth_token_type.downcase,
+        "token_type" => oauth_token_type,
         "expires_in" => oauth_token_expires_in
       }
-      if oauth_token[oauth_tokens_refresh_token_column]
-        payload["refresh_token"] = oauth_token[oauth_tokens_refresh_token_column]
-      end
+      payload["refresh_token"] = oauth_token[oauth_tokens_refresh_token_column] if oauth_token[oauth_tokens_refresh_token_column]
       payload
     end
 
@@ -472,9 +526,7 @@ module Rodauth
         if key == oauth_application_homepage_url_param ||
            key == oauth_application_redirect_uri_param
 
-          unless URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(value)
-            set_field_error(key, invalid_url_message)
-          end
+          set_field_error(key, invalid_url_message) unless URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(value)
 
         elsif key == oauth_application_scopes_param
 
@@ -617,13 +669,11 @@ module Rodauth
 
     # Access Tokens
 
-    def validate_oauth_token_params
-      redirect_response_error("invalid_request") unless param_or_nil(client_id_param)
-
-      unless param_or_nil(client_secret_param)
-        redirect_response_error("invalid_request") unless param_or_nil(code_verifier_param)
-      end
+    def before_token
+      require_oauth_application
+    end
 
+    def validate_oauth_token_params
       unless (grant_type = param_or_nil(grant_type_param))
         redirect_response_error("invalid_request")
       end
@@ -640,16 +690,6 @@ module Rodauth
     end
 
     def create_oauth_token
-      oauth_application = db[oauth_applications_table].where(
-        oauth_applications_client_id_column => param(client_id_param)
-      ).first
-
-      redirect_response_error("invalid_request") unless oauth_application
-
-      if (client_secret = param_or_nil(client_secret_param))
-        redirect_response_error("invalid_request") unless secret_matches?(oauth_application, client_secret)
-      end
-
       case param(grant_type_param)
       when "authorization_code"
         create_oauth_token_from_authorization_code(oauth_application)
@@ -678,9 +718,7 @@ module Rodauth
         if oauth_grant[oauth_grants_code_challenge_column]
           code_verifier = param_or_nil(code_verifier_param)
 
-          unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
-            redirect_response_error("invalid_request")
-          end
+          redirect_response_error("invalid_request") unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
         elsif oauth_require_pkce
           redirect_response_error("code_challenge_required")
         end
@@ -705,11 +743,9 @@ module Rodauth
 
     def create_oauth_token_from_token(oauth_application)
       # fetch oauth token
-      oauth_token = oauth_token_by_refresh_token(param(refresh_token_param)).where(
-        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column]
-      ).where(oauth_grants_revoked_at_column => nil).for_update.first
+      oauth_token = oauth_token_by_refresh_token(param(refresh_token_param))
 
-      redirect_response_error("invalid_grant") unless oauth_token
+      redirect_response_error("invalid_grant") unless oauth_token && token_from_application?(oauth_token, oauth_application)
 
       token = oauth_unique_id_generator
 
@@ -741,42 +777,57 @@ module Rodauth
       oauth_token
     end
 
+    TOKEN_HINT_TYPES = %w[access_token refresh_token].freeze
+
+    # Token introspect
+
+    def validate_oauth_introspect_params
+      # check if valid token hint type
+      if token_type_hint
+        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(token_type_hint)
+      end
+
+      redirect_response_error("invalid_request") unless param_or_nil(token_param)
+    end
+
+    def json_token_introspect_payload(token)
+      return { active: false } unless token
+
+      {
+        active: true,
+        scope: token[oauth_tokens_scopes_column].gsub(",", " "),
+        client_id: oauth_application[oauth_applications_client_id_column],
+        # username
+        token_type: oauth_token_type
+      }
+    end
+
+    def before_introspect
+      require_oauth_application
+    end
+
     # Token revocation
 
     def before_revoke
-      require_account
+      require_oauth_application
     end
 
-    TOKEN_HINT_TYPES = %w[access_token refresh_token].freeze
-
     def validate_oauth_revoke_params
       # check if valid token hint type
       redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(token_type_hint)
 
-      redirect_response_error("invalid_request") unless param(token_param)
+      redirect_response_error("invalid_request") unless param_or_nil(token_param)
     end
 
     def revoke_oauth_token
-      ds = case token_type_hint
-           when "access_token"
-             oauth_token_by_token(token)
-           when "refresh_token"
-             oauth_token_by_refresh_token(token)
-           end
-      # one can only revoke tokens which haven't been revoked before, and which are
-      # either our tokens, or tokens from applications we own.
-      oauth_token = ds.where(oauth_tokens_revoked_at_column => nil)
-                      .where(
-                        Sequel.or(
-                          oauth_tokens_account_id_column => account_id,
-                          oauth_tokens_oauth_application_id_column => db[oauth_applications_table].where(
-                            oauth_applications_client_id_column => param(client_id_param),
-                            oauth_applications_account_id_column => account_id
-                          ).select(oauth_applications_id_column)
-                        )
-                      ).for_update.first
-
-      redirect_response_error("invalid_request") unless oauth_token
+      oauth_token = case token_type_hint
+                    when "access_token"
+                      oauth_token_by_token(token)
+                    when "refresh_token"
+                      oauth_token_by_refresh_token(token)
+                    end
+
+      redirect_response_error("invalid_request") unless oauth_token && token_from_application?(oauth_token, oauth_application)
 
       update_params = { oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
 
@@ -827,6 +878,14 @@ module Rodauth
       end
     end
 
+    def json_response_success(body)
+      response.status = 200
+      response["Content-Type"] ||= json_response_content_type
+      json_payload = _json_response_body(body)
+      response.write(json_payload)
+      request.halt
+    end
+
     def throw_json_response_error(status, error_code)
       set_response_error_status(status)
       code = if respond_to?(:"#{error_code}_error_code")
@@ -838,7 +897,7 @@ module Rodauth
       payload["error_description"] = send(:"#{error_code}_message") if respond_to?(:"#{error_code}_message")
       json_payload = _json_response_body(payload)
       response["Content-Type"] ||= json_response_content_type
-      response["WWW-Authenticate"] = oauth_token_type if status == 401
+      response["WWW-Authenticate"] = oauth_token_type.upcase if status == 401
       response.write(json_payload)
       request.halt
     end
@@ -930,6 +989,43 @@ module Rodauth
       end
     end
 
+    # Server metadata
+
+    def oauth_server_metadata_body(path)
+      issuer = base_url
+      issuer += "/#{path}" if issuer
+
+      responses_supported = %w[code]
+      response_modes_supported = %w[query]
+      grant_types_supported = %w[authorization_code]
+
+      if use_oauth_implicit_grant_type?
+        responses_supported << "token"
+        response_modes_supported << "fragment"
+        grant_types_supported << "implicit"
+      end
+      {
+        issuer: issuer,
+        authorization_endpoint: oauth_authorize_url,
+        token_endpoint: oauth_token_url,
+        registration_endpoint: "#{base_url}/#{oauth_applications_path}",
+        scopes_supported: oauth_application_scopes,
+        response_types_supported: responses_supported,
+        response_modes_supported: response_modes_supported,
+        grant_types_supported: grant_types_supported,
+        token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
+        service_documentation: oauth_metadata_service_documentation,
+        ui_locales_supported: oauth_metadata_ui_locales_supported,
+        op_policy_uri: oauth_metadata_op_policy_uri,
+        op_tos_uri: oauth_metadata_op_tos_uri,
+        revocation_endpoint: oauth_revoke_url,
+        revocation_endpoint_auth_methods_supported: nil, # because it's client_secret_basic
+        introspection_endpoint: oauth_introspect_url,
+        introspection_endpoint_auth_methods_supported: %w[client_secret_basic],
+        code_challenge_methods_supported: (use_oauth_pkce? ? oauth_pkce_challenge_method : nil)
+      }
+    end
+
     # /oauth-token
     route(:oauth_token) do |r|
       before_token
@@ -941,14 +1037,35 @@ module Rodauth
           oauth_token = nil
           transaction do
             oauth_token = create_oauth_token
-            after_token
           end
 
-          response.status = 200
-          response["Content-Type"] ||= json_response_content_type
-          json_payload = _json_response_body(json_access_token_payload(oauth_token))
-          response.write(json_payload)
-          request.halt
+          json_response_success(json_access_token_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # /oauth-introspect
+    route(:oauth_introspect) do |r|
+      before_introspect
+
+      r.post do
+        catch_error do
+          validate_oauth_introspect_params
+
+          oauth_token = case param(token_type_hint_param)
+                        when "access_token"
+                          oauth_token_by_token(param(token_param))
+                        when "refresh_token"
+                          oauth_token_by_refresh_token(param(token_param))
+                        else
+                          oauth_token_by_token(param(token_param)) || oauth_token_by_refresh_token(param(token_param))
+                        end
+
+          redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
+
+          json_response_success(json_token_introspect_payload(oauth_token))
         end
 
         throw_json_response_error(invalid_oauth_response_status, "invalid_request")
@@ -957,7 +1074,6 @@ module Rodauth
 
     # /oauth-revoke
     route(:oauth_revoke) do |r|
-      require_account
       before_revoke
 
       # access-token
@@ -972,16 +1088,10 @@ module Rodauth
           end
 
           if accepts_json?
-            response.status = 200
-            response["Content-Type"] ||= json_response_content_type
-            json_response = {
+            json_response_success \
               "token" => oauth_token[oauth_tokens_token_column],
               "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
               "revoked_at" => oauth_token[oauth_tokens_revoked_at_column]
-            }
-            json_payload = _json_response_body(json_response)
-            response.write(json_payload)
-            request.halt
           else
             set_notice_flash revoke_oauth_token_notice_flash
             redirect request.referer || "/"

data/lib/rodauth/features/oauth_http_mac.rb

@@ -47,9 +47,6 @@ module Rodauth
         mac_attributes = parse_mac_authorization_header_props(token)
 
         oauth_token = oauth_token_by_token(mac_attributes["id"])
-                      .where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                      .where(oauth_tokens_revoked_at_column => nil)
-                      .first
 
         return unless oauth_token && mac_signature_matches?(oauth_token, mac_attributes)
 

data/lib/rodauth/features/oauth_jwt.rb

@@ -4,6 +4,9 @@ module Rodauth
   Feature.define(:oauth_jwt) do
     depends :oauth
 
+    auth_value_method :grant_type_param, "grant_type"
+    auth_value_method :assertion_param, "assertion"
+
     auth_value_method :oauth_jwt_token_issuer, "Example"
 
     auth_value_method :oauth_jwt_key, nil
@@ -23,9 +26,9 @@ module Rodauth
     auth_value_method :oauth_jwt_audience, nil
 
     auth_value_methods(
-      :generate_jti,
       :jwt_encode,
-      :jwt_decode
+      :jwt_decode,
+      :jwks_set
     )
 
     def require_oauth_authorization(*scopes)
@@ -33,7 +36,7 @@ module Rodauth
 
       scopes << oauth_application_default_scope if scopes.empty?
 
-      token_scopes = authorization_token["scopes"].split(",")
+      token_scopes = authorization_token["scope"].split(" ")
 
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
     end
@@ -43,17 +46,54 @@ module Rodauth
     def authorization_token
       return @authorization_token if defined?(@authorization_token)
 
-      @authorization_token = begin
-        value = request.get_header("HTTP_AUTHORIZATION").to_s
+      @authorization_token = jwt_decode(fetch_access_token)
+    end
+
+    # /token
 
-        scheme, token = value.split(/ +/, 2)
+    def before_token
+      # requset authentication optional for assertions
+      return if param(grant_type_param) == "urn:ietf:params:oauth:grant-type:jwt-bearer"
 
-        return unless scheme == "Bearer"
+      super
+    end
 
-        jwt_decode(token)
+    def validate_oauth_token_params
+      if param(grant_type_param) == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+        redirect_response_error("invalid_client") unless param_or_nil(assertion_param)
+      else
+        super
       end
     end
 
+    def create_oauth_token
+      if param(grant_type_param) == "urn:ietf:params:oauth:grant-type:jwt-bearer"
+        create_oauth_token_from_assertion
+      else
+        super
+      end
+    end
+
+    def create_oauth_token_from_assertion
+      claims = jwt_decode(param(assertion_param))
+
+      redirect_response_error("invalid_grant") unless claims
+
+      @oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
+
+      account = account_ds(claims["sub"]).first
+
+      redirect_response_error("invalid_client") unless oauth_application && account
+
+      create_params = {
+        oauth_tokens_account_id_column => claims["sub"],
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => claims["scope"]
+      }
+
+      generate_oauth_token(create_params, false)
+    end
+
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
         oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
@@ -86,14 +126,14 @@ module Rodauth
         # owner is involved, such as the client credentials grant, the value
         # of "sub" SHOULD correspond to an identifier the authorization
         # server uses to indicate the client application.
-        client_id: oauth_token[oauth_tokens_oauth_application_id_column],
+        client_id: oauth_application[oauth_applications_client_id_column],
 
         exp: issued_at + oauth_token_expires_in,
         aud: oauth_jwt_audience,
 
         # one of the points of using jwt is avoiding database lookups, so we put here all relevant
         # token data.
-        scopes: oauth_token[oauth_tokens_scopes_column]
+        scope: oauth_token[oauth_tokens_scopes_column].gsub(",", " ")
       }
 
       token = jwt_encode(payload)
@@ -102,6 +142,45 @@ module Rodauth
       oauth_token
     end
 
+    def oauth_token_by_token(token, *)
+      jwt_decode(token)
+    end
+
+    def json_token_introspect_payload(oauth_token)
+      return { active: false } unless oauth_token
+
+      return super unless oauth_token["sub"] # naive check on whether it's a jwt token
+
+      {
+        active: true,
+        scope: oauth_token["scope"],
+        client_id: oauth_token["client_id"],
+        # username
+        token_type: "access_token",
+        exp: oauth_token["exp"],
+        iat: oauth_token["iat"],
+        nbf: oauth_token["nbf"],
+        sub: oauth_token["sub"],
+        aud: oauth_token["aud"],
+        iss: oauth_token["iss"],
+        jti: oauth_token["jti"]
+      }
+    end
+
+    def oauth_server_metadata_body(path)
+      metadata = super
+      metadata.merge! \
+        jwks_uri: oauth_jwks_url,
+        token_endpoint_auth_signing_alg_values_supported: [oauth_jwt_algorithm]
+      metadata
+    end
+
+    def token_from_application?(oauth_token, oauth_application)
+      return super unless oauth_token["sub"] # naive check on whether it's a jwt token
+
+      oauth_token["client_id"] == oauth_application[oauth_applications_client_id_column]
+    end
+
     def _jwt_key
       @_jwt_key ||= oauth_jwt_key || oauth_application[oauth_applications_client_secret_column]
     end
@@ -130,16 +209,26 @@ module Rodauth
       end
 
       def jwt_decode(token)
+        return @jwt_token if defined?(@jwt_token)
+
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
-        if oauth_jwt_jwk_key
-          jwk = JSON::JWK.new(oauth_jwt_jwk_key)
-          JSON::JWT.decode(token, jwk)
-        else
-          JSON::JWT.decode(token, oauth_jwt_public_key || _jwt_key)
-        end
+
+        @jwt_token = if oauth_jwt_jwk_key
+                       jwk = JSON::JWK.new(oauth_jwt_jwk_public_key || oauth_jwt_jwk_key)
+                       JSON::JWT.decode(token, jwk)
+                     else
+                       JSON::JWT.decode(token, oauth_jwt_public_key || _jwt_key)
+                     end
       rescue JSON::JWT::Exception
         nil
       end
+
+      def jwks_set
+        [
+          (JSON::JWK.new(oauth_jwt_jwk_public_key).merge(use: "sig", alg: oauth_jwt_jwk_algorithm) if oauth_jwt_jwk_public_key),
+          (JSON::JWK.new(oauth_jwt_jwe_public_key).merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
+        ].compact
+      end
       # :nocov:
     elsif defined?(JWT)
 
@@ -163,7 +252,7 @@ module Rodauth
 
         # Use the key and iat to create a unique key per request to prevent replay attacks
         jti_raw = [key, payload[:iat]].join(":").to_s
-        jti = Digest::MD5.hexdigest(jti_raw)
+        jti = Digest::SHA256.hexdigest(jti_raw)
 
         # @see JWT reserved claims - https://tools.ietf.org/html/draft-jones-json-web-token-07#page-7
         payload[:jti] = jti
@@ -183,6 +272,8 @@ module Rodauth
       end
 
       def jwt_decode(token)
+        return @jwt_token if defined?(@jwt_token)
+
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
 
@@ -190,7 +281,7 @@ module Rodauth
         headers = { algorithms: [oauth_jwt_algorithm] }
 
         key = if oauth_jwt_jwk_key
-                jwk_key = JWT::JWK.new(oauth_jwt_jwk_key)
+                jwk_key = JWT::JWK.new(oauth_jwt_jwk_public_key || oauth_jwt_jwk_key)
                 # JWK
                 # The jwk loader would fetch the set of JWKs from a trusted source
                 jwk_loader = lambda do |options|
@@ -207,12 +298,18 @@ module Rodauth
                 # worst case scenario, the key is the application key
                 oauth_jwt_public_key || _jwt_key
               end
-        token, = JWT.decode(token, key, true, headers)
-        token
+        @jwt_token, = JWT.decode(token, key, true, headers)
+        @jwt_token
       rescue JWT::DecodeError
         nil
       end
 
+      def jwks_set
+        [
+          (JWT::JWK.new(oauth_jwt_jwk_public_key).export.merge(use: "sig", alg: oauth_jwt_jwk_algorithm) if oauth_jwt_jwk_public_key),
+          (JWT::JWK.new(oauth_jwt_jwe_public_key).export.merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
+        ].compact
+      end
     else
       # :nocov:
       def jwt_encode(_token)
@@ -222,7 +319,17 @@ module Rodauth
       def jwt_decode(_token)
         raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
       end
+
+      def jwks_set
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
       # :nocov:
     end
+
+    route(:oauth_jwks) do |r|
+      r.get do
+        json_response_success(jwks_set)
+      end
+    end
   end
 end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.0.3"
+    VERSION = "0.0.4"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-05 00:00:00.000000000 Z
+date: 2020-06-13 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email: