rodauth-oauth 0.0.5 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a809caa12783f20af9ba7b6d4b8710f2b783d11c5c74c0be6cbb129841ebce19
-  data.tar.gz: 928fd524dd2f9ec502deccc96b17eb232119543b2150363a398d04a5008b4d22
+  metadata.gz: 73f73e4143c1c646b3a6f2a5e87fb925f38f18e157366d7522328b5cbcd2fbb7
+  data.tar.gz: bce8a4532e365328bb46197e72b05b78beca19b00587630f234cff0c8d51bc35
 SHA512:
-  metadata.gz: 15b98394108c73ba4888bd92835d264750c46194b77322b0b159b45134031f0ac9c264a2a8d0a9991fb0d36b05b85b0d127d94468d77d3f7fb45777ec5bb6002
-  data.tar.gz: 282f53b5fd4eff08fdce56a42a7c42e3ef00cf888ced3acb2a692fd416b8dbb7250c982a53fc3c4a61a83884d8eb1068981580390e3bea2ba35d741165aa2c6a
+  metadata.gz: 46053f71e35baad7b3c217bfbca0a259d07fd6909713805db23ff92c0503c0907903483e659fe988af774b26a87b274f8b72006983b1acc191bccb7d00919a86
+  data.tar.gz: 35305a71ea2b4035933d93e3fa5a3e9b388f32b2301ff05b87a86af45defa494cefc4d6d9adb823822c82acb995e57794fb710b1935aaab10430c1898d1a55b0

data/CHANGELOG.md

@@ -2,6 +2,29 @@
 
 ## master
 
+### 0.0.6
+
+#### Features
+
+The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (see https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20). This means that client applications can send the authorization parameters inside a signed JWT. The client applications keeps the private key, while the authorization server **must** store a public key for the client application. For encrypted JWTs, the client application should use one of the public encryption keys exposed in the JWKs URI, to encrypt the JWT. Remember, **tokens must be signed then encrypted** (or just signed).
+
+###### Options:
+
+* `:oauth_application_jws_jwk_column`: db column where the public key is stored; since it's stored in the JWS format, it can be stored either as a String (JSON-encoded), or as an hstore (if you're using postgresql);
+* `:oauth_jwt_jwe_key`: key used to decrypt the request JWT;
+* `:oauth_jwt_jwe_public_key`: key used to encrypt the request JWT, and which will be exposed in the JWKs URI in the JWK format;
+
+
+#### Improvements
+
+* Removing all `_param` options; these defined the URL params, however we're using protocol-defined params, so it's unlikely (and undesired) that these'll change.
+* Hitting the revoke endpoint with a JWT access token returns a 400 error;
+
+#### Chore
+
+Removed React Javascript from example applications.
+
+
 ### 0.0.5 (26/6/2020)
 
 #### Features

data/README.md

@@ -21,6 +21,7 @@ This gem implements:
 * Access Type (Token refresh online and offline);
 * [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
 * [JWT Acess Tokens](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07);
+* [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
 * OAuth application and token management dashboards;
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
@@ -89,7 +90,7 @@ You'll have to do a bit more boilerplate, so here's the instructions.
 
 ### Example (TL;DR)
 
-If you're familiar with the technology and want to skip the next paragraphs, just [check our roda example](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples/roda).
+If you're familiar with the technology and want to skip the next paragraphs, just [check our example applications](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples/).
 
 
 Generating tokens happens mostly server-to-server, so here's an example using:

data/lib/rodauth/features/oauth.rb

@@ -189,20 +189,6 @@ module Rodauth
 
     auth_value_methods(:only_json?)
 
-    redirect(:oauth_application) do |id|
-      "/#{oauth_applications_path}/#{id}"
-    end
-
-    redirect(:require_authorization) do
-      if logged_in?
-        oauth_authorize_path
-      elsif respond_to?(:login_redirect)
-        login_redirect
-      else
-        default_redirect
-      end
-    end
-
     auth_value_method :json_request_regexp, %r{\bapplication/(?:vnd\.api\+)?json\b}i
 
     SERVER_METADATA = OAuth::TtlStore.new
@@ -246,18 +232,10 @@ module Rodauth
       @scope = scope
     end
 
-    def state
-      param_or_nil("state")
-    end
-
     def scopes
       (param_or_nil("scope") || oauth_application_default_scope).split(" ")
     end
 
-    def client_id
-      param_or_nil("client_id")
-    end
-
     def redirect_uri
       param_or_nil("redirect_uri") || begin
         return unless oauth_application
@@ -267,14 +245,6 @@ module Rodauth
       end
     end
 
-    def token_type_hint
-      param_or_nil("token_type_hint") || "access_token"
-    end
-
-    def token
-      param_or_nil("token")
-    end
-
     def oauth_application
       return @oauth_application if defined?(@oauth_application)
 
@@ -348,6 +318,8 @@ module Rodauth
 
         request.on(oauth_applications_id_pattern) do |id|
           oauth_application = db[oauth_applications_table].where(oauth_applications_id_column => id).first
+          next unless oauth_application
+
           scope.instance_variable_set(:@oauth_application, oauth_application)
 
           request.is do
@@ -359,7 +331,9 @@ module Rodauth
           request.on(oauth_tokens_path) do
             oauth_tokens = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => id)
             scope.instance_variable_set(:@oauth_tokens, oauth_tokens)
-            oauth_tokens_view
+            request.get do
+              oauth_tokens_view
+            end
           end
         end
 
@@ -377,7 +351,7 @@ module Rodauth
               id = create_oauth_application
               after_create_oauth_application
               set_notice_flash create_oauth_application_notice_flash
-              redirect oauth_application_redirect(id)
+              redirect "#{request.path}/#{id}"
             end
           end
           set_error_flash create_oauth_application_error_flash
@@ -877,8 +851,8 @@ module Rodauth
 
     def validate_oauth_introspect_params
       # check if valid token hint type
-      if token_type_hint
-        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(token_type_hint)
+      if param_or_nil("token_type_hint")
+        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(param("token_type_hint"))
       end
 
       redirect_response_error("invalid_request") unless param_or_nil("token")
@@ -906,17 +880,20 @@ module Rodauth
 
     def validate_oauth_revoke_params
       # check if valid token hint type
-      redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(token_type_hint)
+      if param_or_nil("token_type_hint")
+        redirect_response_error("unsupported_token_type") unless TOKEN_HINT_TYPES.include?(param("token_type_hint"))
+      end
 
       redirect_response_error("invalid_request") unless param_or_nil("token")
     end
 
     def revoke_oauth_token
-      oauth_token = case token_type_hint
-                    when "access_token"
-                      oauth_token_by_token(token)
-                    when "refresh_token"
+      token = param("token")
+
+      oauth_token = if param("token_type_hint") == "refresh_token"
                       oauth_token_by_refresh_token(token)
+                    else
+                      oauth_token_by_token(token)
                     end
 
       redirect_response_error("invalid_request") unless oauth_token
@@ -1018,7 +995,7 @@ module Rodauth
         throw_json_response_error(authorization_required_error_status, "invalid_client")
       else
         set_redirect_error_flash(require_authorization_error_flash)
-        redirect(require_authorization_redirect)
+        redirect(oauth_authorize_path)
       end
     end
 
@@ -1186,7 +1163,6 @@ module Rodauth
     route(:oauth_revoke) do |r|
       before_revoke
 
-      # access-token
       r.post do
         catch_error do
           validate_oauth_revoke_params
@@ -1208,7 +1184,7 @@ module Rodauth
           end
         end
 
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+        redirect_response_error("invalid_request", request.referer || "/")
       end
     end
 
@@ -1253,7 +1229,7 @@ module Rodauth
         end
 
         redirect_url = URI.parse(redirect_uri)
-        query_params << "state=#{state}" if state
+        query_params << "state=#{param('state')}" if param_or_nil("state")
         query_params << redirect_url.query if redirect_url.query
         redirect_url.query = query_params.join("&") unless query_params.empty?
         redirect_url.fragment = fragment_params.join("&") unless fragment_params.empty?

data/lib/rodauth/features/oauth_jwt.rb

@@ -8,6 +8,8 @@ module Rodauth
 
     auth_value_method :oauth_jwt_token_issuer, "Example"
 
+    auth_value_method :oauth_application_jws_jwk_column, nil
+
     auth_value_method :oauth_jwt_key, nil
     auth_value_method :oauth_jwt_public_key, nil
     auth_value_method :oauth_jwt_algorithm, "HS256"
@@ -20,6 +22,9 @@ module Rodauth
     auth_value_method :oauth_jwt_jwe_copyright, nil
     auth_value_method :oauth_jwt_audience, nil
 
+    auth_value_method :request_uri_not_supported_message, "request uri is unsupported"
+    auth_value_method :invalid_request_object_message, "request object is invalid"
+
     auth_value_methods(
       :jwt_encode,
       :jwt_decode,
@@ -60,6 +65,48 @@ module Rodauth
       end
     end
 
+    # /authorize
+
+    def validate_oauth_grant_params
+      # TODO: add support for requst_uri
+      redirect_response_error("request_uri_not_supported") if param_or_nil("request_uri")
+
+      request_object = param_or_nil("request")
+
+      return super unless request_object && oauth_application
+
+      jws_jwk = if oauth_application[oauth_application_jws_jwk_column]
+                  jwk = oauth_application[oauth_application_jws_jwk_column]
+
+                  if jwk
+                    jwk = JSON.parse(jwk, symbolize_names: true) if jwk.is_a?(String)
+                  end
+                else
+                  redirect_response_error("invalid_request_object")
+                end
+
+      claims = jwt_decode(request_object, jws_key: jwk_import(jws_jwk), jws_algorithm: jwk[:alg])
+
+      redirect_response_error("invalid_request_object") unless claims
+
+      # If signed, the Authorization Request
+      # Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
+      # as members, with their semantics being the same as defined in the JWT
+      # [RFC7519] specification.  The value of "aud" should be the value of
+      # the Authorization Server (AS) "issuer" as defined in RFC8414
+      # [RFC8414].
+      claims.delete(:iss)
+      audience = claims.delete(:aud)
+
+      redirect_response_error("invalid_request_object") if audience && audience != authorization_server_url
+
+      claims.each do |k, v|
+        request.params[k.to_s] = v
+      end
+
+      super
+    end
+
     # /token
 
     def before_token
@@ -234,6 +281,10 @@ module Rodauth
     if defined?(JSON::JWT)
       # :nocov:
 
+      def jwk_import(data)
+        JSON::JWK.new(data)
+      end
+
       # json-jwt
       def jwt_encode(payload)
         jwt = JSON::JWT.new(payload)
@@ -251,15 +302,11 @@ module Rodauth
         jwt.to_s
       end
 
-      def jwt_decode(token)
-        return @jwt_token if defined?(@jwt_token)
-
+      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, **)
         token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if oauth_jwt_jwe_key
 
-        jwk = oauth_jwt_public_key || _jwt_key
-
-        @jwt_token = if jwk
-                       JSON::JWT.decode(token, jwk)
+        @jwt_token = if jws_key
+                       JSON::JWT.decode(token, jws_key)
                      elsif !is_authorization_server? && auth_server_jwks_set
                        JSON::JWT.decode(token, JSON::JWK::Set.new(auth_server_jwks_set))
                      end
@@ -279,6 +326,10 @@ module Rodauth
 
       # ruby-jwt
 
+      def jwk_import(data)
+        JWT::JWK.import(data).keypair
+      end
+
       def jwt_encode(payload)
         headers = {}
 
@@ -312,17 +363,13 @@ module Rodauth
         token
       end
 
-      def jwt_decode(token)
-        return @jwt_token if defined?(@jwt_token)
-
+      def jwt_decode(token, jws_key: oauth_jwt_public_key || _jwt_key, jws_algorithm: oauth_jwt_algorithm)
         # decrypt jwe
         token = JWE.decrypt(token, oauth_jwt_jwe_key) if oauth_jwt_jwe_key
 
         # decode jwt
-        key = oauth_jwt_public_key || _jwt_key
-
-        @jwt_token = if key
-                       JWT.decode(token, key, true, algorithms: [oauth_jwt_algorithm]).first
+        @jwt_token = if jws_key
+                       JWT.decode(token, jws_key, true, algorithms: [jws_algorithm]).first
                      elsif !is_authorization_server? && auth_server_jwks_set
                        algorithms = auth_server_jwks_set[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
                        JWT.decode(token, nil, true, jwks: auth_server_jwks_set, algorithms: algorithms).first
@@ -339,11 +386,15 @@ module Rodauth
       end
     else
       # :nocov:
+      def jwk_import(_data)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
+
       def jwt_encode(_token)
         raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
       end
 
-      def jwt_decode(_token)
+      def jwt_decode(_token, **)
         raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
       end
 
@@ -353,6 +404,14 @@ module Rodauth
       # :nocov:
     end
 
+    def validate_oauth_revoke_params
+      token_hint = param_or_nil("token_type_hint")
+
+      throw(:rodauth_error) if !token_hint || token_hint == "access_token"
+
+      super
+    end
+
     route(:oauth_jwks) do |r|
       r.get do
         json_response_success({ keys: jwks_set })

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.0.5"
+    VERSION = "0.0.6"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-28 00:00:00.000000000 Z
+date: 2020-07-06 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email: