rodauth-oauth 0.9.3 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79fa7abfcf7ea1c0a2594f92bfd7a59e53769dec5a7221a22f740b37471e6e07
-  data.tar.gz: 9f7e8ce4370d44d985940d46d569e3192c35e53cb6e3841094517e64258b2b1a
+  metadata.gz: f9b68ff6e15b91128db72a07fa91b86afb70352f9582fa8c27e7abfe3c0dc17c
+  data.tar.gz: 1c35b67bc10619c8de31cbcef514636e7975307a0cfc02585ae10ec97de74be1
 SHA512:
-  metadata.gz: 520a85416c418f93615a471133201c7ec6dd5c16ff9d697a6ca87b609084b58c7b9799c5d3c7a8d02a4fc68ca9750c9ef41dd07dde17c1e1153f0cec8e58f3c1
-  data.tar.gz: 8e7ebc28ba158f43b5226a2de98fc76de8c81e8a8c87dbaa95a69050eed96793e487666389b60be6694437c298fdf23f183a1df098983eeec5f5549df0321c7c
+  metadata.gz: 2cf0e357529093b45834697c54bae5eaf17419885e04ccba279d18e65464aa8d8fb2e49da09dd5c96c83331e0f60915e993af5dfc7decfff4c8752b5401dfe8a
+  data.tar.gz: 784d5184526ff8dcbc3c112eb58311705baf82e1bf17b40b87cd55dc43f0b06cc6bf7c2cb71f67caf315008b14d3fe4b9fe8eea991a0475586bf4effb0d77ed3

data/README.md

@@ -21,14 +21,16 @@ This gem implements the following RFCs and features of OAuth:
   * `oauth_token_introspection` - [Token introspection](https://tools.ietf.org/html/rfc7662);
   * [Authorization Server Metadata](https://tools.ietf.org/html/rfc8414);
   * `oauth_pkce` - [PKCE](https://tools.ietf.org/html/rfc7636);
-  * Access Type (Token refresh online and offline);
   * `oauth_jwt` - [JWT Access Tokens](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07);
+    * Supports [JWT Secured Authorization Request](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
+  * `oauth_resource_indicators` - [Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707);
+  * Access Type (Token refresh online and offline);
 * `oauth_http_mac` - [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
 * `oauth_assertion_base` - [Assertion Framework](https://datatracker.ietf.org/doc/html/rfc7521);
   * `oauth_saml_bearer_grant` - [SAML 2.0 Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7522);
   * `oauth_jwt_bearer_grant` - [JWT Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7523);
-* [JWT Secured Authorization Requests](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
-* [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591);
+
+* `oauth_dynamic_client_registration` - [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591);
 * OAuth application and token management dashboards;
 
 It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:

data/doc/release_notes/0_10_0.md

@@ -0,0 +1,100 @@
+## 0.10.0 (10/06/2022)
+
+### Features
+
+#### Resource Indicators
+
+RFC: https://datatracker.ietf.org/doc/html/rfc8707
+
+`rodauth-oauth` now supports Resource Indicators, via the optional `:oauth_resource_indicators` feature.
+
+#### JWT: extra options
+
+The following extra option values were added:
+
+* `oauth_jwt_jwe_keys`
+* `oauth_jwt_public_keys`
+* `oauth_jwt_jwe_public_keys`
+
+`:oauth_jwt_jwe_keys` should be used to store all provider combos of encryption keys, indexed by an algo/method tuple:
+
+```ruby
+oauth_jwt_jwe_keys { { %w[RSA-OAEP A128CBC-HS256] => key } }
+```
+
+The first element of the hash should indicate the preferred encryption mode, when no combination is specifically requested.
+
+It should be considered the most future-proof way of declaring JWE keys, and support for `oauth_jwt_jwe_key` and friends should be soon deprecated.
+
+Both `oauth_jwt_public_keys` and `oauth_jwt_jwe_public_keys` provide a way to declare multiple keys to be exposed as the provider JWKs in the `/jwks` endpoint.
+
+### Improvements
+
+* Added translations for portuguese.
+
+#### OpenID Connect improvements
+
+* The `:oidc` feature now depends on `rodauth`'s [account_expiration](http://rodauth.jeremyevans.net/rdoc/files/doc/account_expiration_rdoc.html) feature.
+
+Although a more-involved-somewhat-breaking change, it was required in order to keep track of account login event timestamps, necessary for correct `"auth_time"` calculation (see the first bugfix mention for more details, and Breaking Changes for migration path).
+
+
+* Support for the `ui_locales` parameter was added. This feature depends on the `:i18n` feature provided by [rodauth-i18n](https://github.com/janko/rodauth-i18n).
+*  Support for the `claims_locales` parameter was added, in that the `get_oidc_param` and `get_additional_param`, when accepting a 3rd parameter, will be passed a locale code:
+
+```ruby
+# given "claims_locales=en pt"
+
+get_oidc_param { |account, param, locale| }
+# will be called twice for the same param, one with locale as "en", another as "pt"
+
+get_oidc_param { |account, param| }
+# will be called once without locale
+```
+
+* Support for `max_age` parameter was added.
+
+* Support for `acr_values` parameter was added.
+
+When "phr", and a `rodauth` 2-factor feature (like [otp](http://rodauth.jeremyevans.net/rdoc/files/doc/otp_rdoc.html)) is enabled, the user will be requested for 2-factor authentication before performing the OpenID Authorization Request.
+
+When "phrh", and `rodauth`'s [webauthn_login](http://rodauth.jeremyevans.net/rdoc/files/doc/webauthn_login_rdoc.html) feature is enabled,  the user will be requested for WebAuthn authentication before performing the OpenID Authorization Request.
+
+Any other acr values are considered provider-specific, and the `require_acr_value(acr_value)` option should be provided to deal with it (it'll be called after authentication is ensured and before the authorization request is processed).
+
+### Bugfixes
+
+* reverted the `"auth_time"` calculation "fix" introduced in 0.9.3, which broke compliance with the RFC (the implementation prior to that was also broken, hence why `"account_expiration"` plugin was introduced as a dependency).
+
+### Breaking Changes
+
+As you read already, the `"account_expiration"` feature is now required by default by `"oidc"`. In order to migrate to it, here's a suggested strategy:
+
+1. Add the relevant database tables
+
+Add a migration looking roughly like this:
+
+```ruby
+create_table(:account_activity_times) do
+  foreign_key :id, :accounts, primary_key: true, type: Integer
+  DateTime :last_activity_at, null: false
+  DateTime :last_login_at, null: false
+  DateTime :expired_at
+end
+```
+
+2. Update and deploy `rodauth-oauth` 0.10.0
+
+(Nothing required beyond `enable :oidc`.)
+
+3. Set `:last_login_at` to a value.
+
+Like now. You can , for example, run this SQL:
+
+```sql
+UPDATE account_activity_times SET last_login_at = CURRENT_TIMESTAMP;
+```
+
+---
+
+That's it, nothing fancy or accurate. Yes, the `last_login_at` is wrong, but as sessions expire, it should go back to normal.

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -34,13 +34,37 @@
       </div>
     <% end %>
     <%= hidden_field_tag :client_id, params[:client_id] %>
-    <% %i[access_type response_type state nonce redirect_uri code_challenge code_challenge_method].each do |oauth_param| %>
+    <% %i[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
       <% if params[oauth_param] %>
         <%= hidden_field_tag oauth_param,  params[oauth_param] %>
       <% end %>
     <% end %>
-    <% if params[:response_mode] %>
-      <%= hidden_field_tag :response_mode, params[:response_mode] %>
+    <% if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators %>
+      <% rodauth.resource_indicators.each do |resource| %>
+        <%= hidden_field_tag "resource", resource %>
+      <% end %>
+    <% end %>
+    <% if rodauth.features.include?(:oauth_pkce) %>
+      <% if params[:code_challenge] %>
+        <%= hidden_field_tag :code_challenge,  params[:code_challenge] %>
+      <% end %>
+      <% if params[:code_challenge_method] %>
+        <%= hidden_field_tag :code_challenge_method,  params[:code_challenge_method] %>
+      <% end %>
+    <% end %>
+    <% if rodauth.features.include?(:oidc) %>
+      <% if params[:nonce] %>
+        <%= hidden_field_tag :nonce,  params[:nonce] %>
+      <% end %>
+      <% if params[:ui_locales] %>
+        <%= hidden_field_tag :ui_locales,  params[:ui_locales] %>
+      <% end %>
+      <% if params[:claims_locales] %>
+        <%= hidden_field_tag :claims_locales,  params[:claims_locales] %>
+      <% end %>
+      <% if params[:acr_values] %>
+        <%= hidden_field_tag :acr,  params[:acr_values] %>
+      <% end %>
     <% end %>
   </div>
  <p class="text-center">

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -52,6 +52,8 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       # device code grant
       # t.string :user_code, null: true, unique: true
       # t.datetime :last_polled_at, null: true
+      # when using :oauth_resource_indicators feature
+      # t.string :resource
     end
 
     create_table :oauth_tokens do |t|
@@ -78,6 +80,8 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       # uncomment to use OIDC nonce
       # t.string :nonce
       # t.datetime :auth_time
+      # when using :oauth_resource_indicators feature
+      # t.string :resource
     end
   end
 end

data/lib/rodauth/features/oauth_base.rb

@@ -425,6 +425,11 @@ module Rodauth
         oauth_tokens_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
       }.merge(params)
 
+      if create_params[oauth_tokens_scopes_column].is_a?(Array)
+        create_params[oauth_tokens_scopes_column] =
+          create_params[oauth_tokens_scopes_column].join(" ")
+      end
+
       rescue_from_uniqueness_error do
         access_token = _generate_access_token(create_params)
         refresh_token = _generate_refresh_token(create_params) if should_generate_refresh_token

data/lib/rodauth/features/oauth_jwt.rb

@@ -44,10 +44,13 @@ module Rodauth
 
     auth_value_method :oauth_jwt_keys, {}
     auth_value_method :oauth_jwt_key, nil
+    auth_value_method :oauth_jwt_public_keys, {}
     auth_value_method :oauth_jwt_public_key, nil
     auth_value_method :oauth_jwt_algorithm, "RS256"
 
+    auth_value_method :oauth_jwt_jwe_keys, {}
     auth_value_method :oauth_jwt_jwe_key, nil
+    auth_value_method :oauth_jwt_jwe_public_keys, {}
     auth_value_method :oauth_jwt_jwe_public_key, nil
     auth_value_method :oauth_jwt_jwe_algorithm, nil
     auth_value_method :oauth_jwt_jwe_encryption_method, nil
@@ -407,10 +410,11 @@ module Rodauth
 
       def jwt_encode(payload,
                      jwks: nil,
-                     jwe_key: oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
-                     signing_algorithm: oauth_jwt_algorithm,
                      encryption_algorithm: oauth_jwt_jwe_algorithm,
-                     encryption_method: oauth_jwt_jwe_encryption_method)
+                     encryption_method: oauth_jwt_jwe_encryption_method,
+                     jwe_key: oauth_jwt_jwe_keys[[encryption_algorithm,
+                                                  encryption_method]] || oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
+                     signing_algorithm: oauth_jwt_algorithm || oauth_jwt_keys.keys.first)
         payload[:jti] = generate_jti(payload)
         jwt = JSON::JWT.new(payload)
 
@@ -427,6 +431,7 @@ module Rodauth
           jwe = jwt.encrypt(jwk, encryption_algorithm.to_sym, encryption_method.to_sym)
           jwe.to_s
         elsif jwe_key
+          jwe_key = jwe_key.first if jwe_key.is_a?(Array)
           algorithm = encryption_algorithm.to_sym if encryption_algorithm
           meth = encryption_method.to_sym if encryption_method
           jwt.encrypt(jwe_key, algorithm, meth)
@@ -438,18 +443,23 @@ module Rodauth
       def jwt_decode(
         token,
         jwks: nil,
-        jws_key: oauth_jwt_public_key || _jwt_key,
-        jws_algorithm: oauth_jwt_algorithm,
-        jwe_key: oauth_jwt_jwe_key,
+        jws_algorithm: oauth_jwt_algorithm || oauth_jwt_public_key.keys.first || oauth_jwt_keys.keys.first,
+        jws_key: oauth_jwt_public_key || oauth_jwt_keys[jws_algorithm] || _jwt_key,
         jws_encryption_algorithm: oauth_jwt_jwe_algorithm,
         jws_encryption_method: oauth_jwt_jwe_encryption_method,
+        jwe_key: oauth_jwt_jwe_keys[[jws_encryption_algorithm, jws_encryption_method]] || oauth_jwt_jwe_key,
         verify_claims: true,
         verify_jti: true,
         verify_iss: true,
         verify_aud: false,
         **
       )
-        token = JSON::JWT.decode(token, oauth_jwt_jwe_key).plain_text if jwe_key
+        jws_key = jws_key.first if jws_key.is_a?(Array)
+
+        if jwe_key
+          jwe_key = jwe_key.first if jwe_key.is_a?(Array)
+          token = JSON::JWT.decode(token, jwe_key).plain_text
+        end
 
         claims = if is_authorization_server?
                    if oauth_jwt_legacy_public_key
@@ -487,6 +497,21 @@ module Rodauth
 
       def jwks_set
         @jwks_set ||= [
+          *(
+            unless oauth_jwt_public_keys.empty?
+              oauth_jwt_public_keys.flat_map { |algo, pkeys| pkeys.map { |pkey| JSON::JWK.new(pkey).merge(use: "sig", alg: algo) } }
+            end
+          ),
+          *(
+            unless oauth_jwt_jwe_public_keys.empty?
+              oauth_jwt_jwe_public_keys.flat_map do |(algo, _enc), pkeys|
+                pkeys.map do |pkey|
+                  JSON::JWK.new(pkey).merge(use: "enc", alg: algo)
+                end
+              end
+            end
+          ),
+          # legacy
           (JSON::JWK.new(oauth_jwt_public_key).merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
           (JSON::JWK.new(oauth_jwt_legacy_public_key).merge(use: "sig", alg: oauth_jwt_legacy_algorithm) if oauth_jwt_legacy_public_key),
           (JSON::JWK.new(oauth_jwt_jwe_public_key).merge(use: "enc", alg: oauth_jwt_jwe_algorithm) if oauth_jwt_jwe_public_key)
@@ -522,7 +547,8 @@ module Rodauth
         JWT::JWK.import(data).keypair
       end
 
-      def jwt_encode(payload, signing_algorithm: oauth_jwt_algorithm)
+      def jwt_encode(payload,
+                     signing_algorithm: oauth_jwt_algorithm || oauth_jwt_keys.keys.first)
         headers = {}
 
         key = oauth_jwt_keys[signing_algorithm] || _jwt_key
@@ -545,11 +571,11 @@ module Rodauth
         def jwt_encode_with_jwe(
           payload,
           jwks: nil,
-          jwe_key: oauth_jwt_jwe_public_key || oauth_jwt_jwe_key,
           encryption_algorithm: oauth_jwt_jwe_algorithm,
-          encryption_method: oauth_jwt_jwe_encryption_method, **args
+          encryption_method: oauth_jwt_jwe_encryption_method,
+          jwe_key: oauth_jwt_jwe_public_key || oauth_jwt_jwe_keys[[encryption_algorithm, encryption_method]] || oauth_jwt_jwe_key,
+          **args
         )
-
           token = jwt_encode_without_jwe(payload, **args)
 
           return token unless encryption_algorithm && encryption_method
@@ -557,6 +583,7 @@ module Rodauth
           if jwks && jwks.any? { |k| k[:use] == "enc" }
             JWE.__rodauth_oauth_encrypt_from_jwks(token, jwks, alg: encryption_algorithm, enc: encryption_method)
           elsif jwe_key
+            jwe_key = jwe_key.first if jwe_key.is_a?(Array)
             params = {
               zip: "DEF",
               copyright: oauth_jwt_jwe_copyright
@@ -576,13 +603,15 @@ module Rodauth
       def jwt_decode(
         token,
         jwks: nil,
-        jws_key: oauth_jwt_public_key || _jwt_key,
-        jws_algorithm: oauth_jwt_algorithm,
+        jws_algorithm: oauth_jwt_algorithm || oauth_jwt_public_key.keys.first || oauth_jwt_keys.keys.first,
+        jws_key: oauth_jwt_public_key || oauth_jwt_keys[jws_algorithm] || _jwt_key,
         verify_claims: true,
         verify_jti: true,
         verify_iss: true,
         verify_aud: false
       )
+        jws_key = jws_key.first if jws_key.is_a?(Array)
+
         # verifying the JWT implies verifying:
         #
         # issuer: check that server generated the token
@@ -631,15 +660,16 @@ module Rodauth
         def jwt_decode_with_jwe(
           token,
           jwks: nil,
-          jwe_key: oauth_jwt_jwe_key,
           jws_encryption_algorithm: oauth_jwt_jwe_algorithm,
           jws_encryption_method: oauth_jwt_jwe_encryption_method,
+          jwe_key: oauth_jwt_jwe_keys[[jws_encryption_algorithm, jws_encryption_method]] || oauth_jwt_jwe_key,
           **args
         )
 
           token = if jwks && jwks.any? { |k| k[:use] == "enc" }
                     JWE.__rodauth_oauth_decrypt_from_jwks(token, jwks, alg: jws_encryption_algorithm, enc: jws_encryption_method)
                   elsif jwe_key
+                    jwe_key = jwe_key.first if jwe_key.is_a?(Array)
                     JWE.decrypt(token, jwe_key)
                   else
                     token
@@ -656,6 +686,21 @@ module Rodauth
 
       def jwks_set
         @jwks_set ||= [
+          *(
+            unless oauth_jwt_public_keys.empty?
+              oauth_jwt_public_keys.flat_map { |algo, pkeys| pkeys.map { |pkey| JWT::JWK.new(pkey).export.merge(use: "sig", alg: algo) } }
+            end
+          ),
+          *(
+            unless oauth_jwt_jwe_public_keys.empty?
+              oauth_jwt_jwe_public_keys.flat_map do |(algo, _enc), pkeys|
+                pkeys.map do |pkey|
+                  JWT::JWK.new(pkey).export.merge(use: "enc", alg: algo)
+                end
+              end
+            end
+          ),
+          # legacy
           (JWT::JWK.new(oauth_jwt_public_key).export.merge(use: "sig", alg: oauth_jwt_algorithm) if oauth_jwt_public_key),
           (
              if oauth_jwt_legacy_public_key

data/lib/rodauth/features/oauth_resource_indicators.rb

@@ -0,0 +1,153 @@
+# frozen-string-literal: true
+
+require "rodauth/oauth/version"
+require "rodauth/oauth/ttl_store"
+
+module Rodauth
+  Feature.define(:oauth_resource_indicators, :OauthResourceIndicators) do
+    depends :oauth_base
+
+    auth_value_method :oauth_grants_resource_column, :resource
+    auth_value_method :oauth_tokens_resource_column, :resource
+
+    def resource_indicators
+      return @resource_indicators if defined?(@resource_indicators)
+
+      resources = param_or_nil("resource")
+
+      return unless resources
+
+      if json_request? || param_or_nil("request") # signed request
+        resources = Array(resources)
+      else
+        query = request.form_data? ? request.body.read : request.query_string
+        # resource query param does not conform to rack parsing rules
+        resources = URI.decode_www_form(query).each_with_object([]) do |(k, v), memo|
+          memo << v if k == "resource"
+        end
+      end
+
+      @resource_indicators = resources
+    end
+
+    def require_oauth_authorization(*)
+      super
+
+      return unless authorization_token[oauth_tokens_resource_column]
+
+      token_indicators = authorization_token[oauth_tokens_resource_column]
+
+      token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
+
+      authorization_required unless token_indicators.any? { |resource| base_url.start_with?(resource) }
+    end
+
+    private
+
+    def validate_oauth_token_params
+      super
+
+      return unless resource_indicators
+
+      resource_indicators.each do |resource|
+        redirect_response_error("invalid_target") unless check_valid_no_fragment_uri?(resource)
+      end
+    end
+
+    def create_oauth_token_from_token(oauth_token, update_params)
+      return super unless resource_indicators
+
+      return super unless oauth_token[oauth_tokens_oauth_grant_id_column]
+
+      oauth_grant = db[oauth_grants_table].where(
+        oauth_grants_id_column => oauth_token[oauth_tokens_oauth_grant_id_column],
+        oauth_grants_revoked_at_column => nil
+      ).first
+
+      grant_indicators = oauth_grant[oauth_grants_resource_column]
+
+      grant_indicators = grant_indicators.split(" ") if grant_indicators.is_a?(String)
+
+      redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
+
+      super(oauth_token, update_params.merge(oauth_tokens_resource_column => resource_indicators))
+    end
+
+    def check_valid_no_fragment_uri?(uri)
+      check_valid_uri?(uri) && URI.parse(uri).fragment.nil?
+    end
+
+    module IndicatorAuthorizationCodeGrant
+      private
+
+      def validate_oauth_grant_params
+        super
+
+        return unless resource_indicators
+
+        resource_indicators.each do |resource|
+          redirect_response_error("invalid_target") unless check_valid_no_fragment_uri?(resource)
+        end
+      end
+
+      def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+        return super unless resource_indicators
+
+        redirect_response_error("invalid_target") unless oauth_grant[oauth_grants_resource_column]
+
+        grant_indicators = oauth_grant[oauth_grants_resource_column]
+
+        grant_indicators = grant_indicators.split(" ") if grant_indicators.is_a?(String)
+
+        redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
+
+        super(oauth_grant, create_params.merge(oauth_tokens_resource_column => resource_indicators))
+      end
+
+      def create_oauth_grant(create_params = {})
+        create_params[oauth_grants_resource_column] = resource_indicators.join(" ") if resource_indicators
+
+        super
+      end
+    end
+
+    module IndicatorIntrospection
+      def json_token_introspect_payload(token)
+        return super unless token[oauth_tokens_oauth_grant_id_column]
+
+        payload = super
+
+        token_indicators = token[oauth_tokens_resource_column]
+
+        token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
+
+        payload[:aud] = token_indicators
+
+        payload
+      end
+
+      def introspection_request(*)
+        payload = super
+
+        payload[oauth_tokens_resource_column] = payload["aud"] if payload["aud"]
+
+        payload
+      end
+    end
+
+    module IndicatorJwt
+      def jwt_claims(*)
+        return super unless resource_indicators
+
+        super.merge(aud: resource_indicators)
+      end
+    end
+
+    def self.included(rodauth)
+      super
+      rodauth.send(:include, IndicatorAuthorizationCodeGrant) if rodauth.features.include?(:oauth_authorization_code_grant)
+      rodauth.send(:include, IndicatorIntrospection) if rodauth.features.include?(:oauth_token_introspection)
+      rodauth.send(:include, IndicatorJwt) if rodauth.features.include?(:oauth_jwt)
+    end
+  end
+end

data/lib/rodauth/features/oidc.rb

@@ -60,7 +60,7 @@ module Rodauth
       id_token_signing_alg_values_supported
     ].freeze
 
-    depends :oauth_jwt
+    depends :account_expiration, :oauth_jwt
 
     auth_value_method :oauth_application_default_scope, "openid"
     auth_value_method :oauth_application_scopes, %w[openid]
@@ -73,8 +73,9 @@ module Rodauth
     auth_value_method :oauth_applications_userinfo_encrypted_response_enc_column, :userinfo_encrypted_response_enc
 
     auth_value_method :oauth_grants_nonce_column, :nonce
+    auth_value_method :oauth_grants_acr_column, :acr
     auth_value_method :oauth_tokens_nonce_column, :nonce
-    auth_value_method :oauth_tokens_auth_time_column, :auth_time
+    auth_value_method :oauth_tokens_acr_column, :acr
 
     translatable_method :invalid_scope_message, "The Access Token expired"
 
@@ -88,7 +89,13 @@ module Rodauth
     auth_value_method :oauth_applications_post_logout_redirect_uri_column, :post_logout_redirect_uri
     auth_value_method :use_rp_initiated_logout?, false
 
-    auth_value_methods(:get_oidc_param, :get_additional_param)
+    auth_value_methods(
+      :get_oidc_param,
+      :get_additional_param,
+      :require_acr_value_phr,
+      :require_acr_value_phrh,
+      :require_acr_value
+    )
 
     # /userinfo
     route(:userinfo) do |r|
@@ -252,14 +259,43 @@ module Rodauth
 
     private
 
+    if defined?(::I18n)
+      def before_authorize_route
+        if (ui_locales = param_or_nil("ui_locales"))
+          ui_locales = ui_locales.split(" ").map(&:to_sym)
+          ui_locales &= ::I18n.available_locales
+
+          ::I18n.locale = ui_locales.first unless ui_locales.empty?
+        end
+
+        super
+      end
+    end
+
+    def validate_oauth_grant_params
+      return super unless (max_age = param_or_nil("max_age"))
+
+      max_age = Integer(max_age)
+
+      redirect_response_error("invalid_request") unless max_age.positive?
+
+      return unless Time.now - last_account_login_at > max_age
+
+      # force user to re-login
+      clear_session
+      set_session_value(login_redirect_session_key, request.fullpath)
+      redirect require_login_redirect
+    end
+
     def require_authorizable_account
-      try_prompt if param_or_nil("prompt")
+      try_prompt
       super
+      try_acr_values
     end
 
     # this executes before checking for a logged in account
     def try_prompt
-      prompt = param_or_nil("prompt")
+      return unless (prompt = param_or_nil("prompt"))
 
       case prompt
       when "none"
@@ -314,16 +350,46 @@ module Rodauth
       end
     end
 
-    def create_oauth_grant(create_params = {})
-      return super unless (nonce = param_or_nil("nonce"))
+    def try_acr_values
+      return unless (acr_values = param_or_nil("acr_values"))
+
+      acr_values.split(" ").each do |acr_value|
+        case acr_value
+        when "phr" then require_acr_value_phr
+        when "phrh" then require_acr_value_phrh
+        else
+          require_acr_value(acr_value)
+        end
+      end
+    end
 
-      super(create_params.merge(oauth_grants_nonce_column => nonce))
+    def require_acr_value_phr
+      return unless respond_to?(:require_two_factor_authenticated)
+
+      require_two_factor_authenticated
+    end
+
+    def require_acr_value_phrh
+      require_acr_value_phr && two_factor_login_type_match?("webauthn")
+    end
+
+    def require_acr_value(_acr); end
+
+    def create_oauth_grant(create_params = {})
+      if (nonce = param_or_nil("nonce"))
+        create_params[oauth_grants_nonce_column] = nonce
+      end
+      if (acr = param_or_nil("acr"))
+        create_params[oauth_grants_acr_column] = acr
+      end
+      super
     end
 
     def create_oauth_token_from_authorization_code(oauth_grant, create_params)
-      return super unless oauth_grant[oauth_grants_nonce_column]
+      create_params[oauth_tokens_nonce_column] = oauth_grant[oauth_grants_nonce_column] if oauth_grant[oauth_grants_nonce_column]
+      create_params[oauth_tokens_acr_column] = oauth_grant[oauth_grants_acr_column] if oauth_grant[oauth_grants_acr_column]
 
-      super(oauth_grant, create_params.merge(oauth_tokens_nonce_column => oauth_grant[oauth_grants_nonce_column]))
+      super
     end
 
     def create_oauth_token(*)
@@ -338,11 +404,13 @@ module Rodauth
       return unless oauth_scopes.include?("openid")
 
       id_token_claims = jwt_claims(oauth_token)
+
       id_token_claims[:nonce] = oauth_token[oauth_tokens_nonce_column] if oauth_token[oauth_tokens_nonce_column]
 
+      id_token_claims[:acr] = oauth_token[oauth_tokens_acr_column] if oauth_token[oauth_tokens_acr_column]
+
       # Time when the End-User authentication occurred.
-      #
-      id_token_claims[:auth_time] = oauth_token[oauth_tokens_auth_time_column].to_i
+      id_token_claims[:auth_time] = last_account_login_at.to_i
 
       account = db[accounts_table].where(account_id_column => oauth_token[oauth_tokens_account_id_column]).first
 
@@ -377,16 +445,23 @@ module Rodauth
 
       oidc_scopes, additional_scopes = scopes_by_claim.keys.partition { |key| OIDC_SCOPES_MAP.key?(key) }
 
+      if (claims_locales = param_or_nil("claims_locales"))
+        claims_locales = claims_locales.split(" ").map(&:to_sym)
+      end
+
       unless oidc_scopes.empty?
         if respond_to?(:get_oidc_param)
+          get_oidc_param = proxy_get_param(:get_oidc_param, claims, claims_locales)
+
           oidc_scopes.each do |scope|
             scope_claims = claims
             params = scopes_by_claim[scope]
             params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
 
             scope_claims = (claims["address"] = {}) if scope == "address"
+
             params.each do |param|
-              scope_claims[param] = __send__(:get_oidc_param, account, param)
+              get_oidc_param[account, param, scope_claims]
             end
           end
         else
@@ -397,14 +472,39 @@ module Rodauth
       return if additional_scopes.empty?
 
       if respond_to?(:get_additional_param)
+        get_additional_param = proxy_get_param(:get_additional_param, claims, claims_locales)
+
         additional_scopes.each do |scope|
-          claims[scope] = __send__(:get_additional_param, account, scope.to_sym)
+          get_additional_param[account, scope.to_sym]
         end
       else
         warn "`get_additional_param(account, claim)` must be implemented to use oidc scopes."
       end
     end
 
+    def proxy_get_param(get_param_func, claims, claims_locales)
+      meth = method(get_param_func)
+      if meth.arity == 2
+        ->(account, param, cl = claims) { cl[param] = meth[account, param] }
+      elsif claims_locales.nil?
+        ->(account, param, cl = claims) { cl[param] = meth[account, param, nil] }
+      else
+        lambda do |account, param, cl = claims|
+          claims_values = claims_locales.map do |locale|
+            meth[account, param, locale]
+          end
+
+          if claims_values.uniq.size == 1
+            cl[param] = claims_values.first
+          else
+            claims_locales.zip(claims_values).each do |locale, value|
+              cl["#{param}##{locale}"] = value
+            end
+          end
+        end
+      end
+    end
+
     def json_access_token_payload(oauth_token)
       payload = super
       payload["id_token"] = oauth_token[:id_token] if oauth_token[:id_token]
@@ -452,6 +552,12 @@ module Rodauth
         oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_tokens_scopes_column => scopes
       }
+      if (nonce = param_or_nil("nonce"))
+        create_params[oauth_grants_nonce_column] = nonce
+      end
+      if (acr = param_or_nil("acr"))
+        create_params[oauth_grants_acr_column] = acr
+      end
       oauth_token = generate_oauth_token(create_params, false)
       generate_id_token(oauth_token)
       params = json_access_token_payload(oauth_token)

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.9.3"
+    VERSION = "0.10.0"
   end
 end

data/locales/en.yml

@@ -7,7 +7,7 @@ en:
     revoke_oauth_token_notice_flash: "The oauth token has been revoked"
     device_verification_notice_flash: "The device is verified"
     user_code_not_found_error_flash: "No device to authorize with the given user code"
-    oauth_authorize_title: "Authorize"
+    authorize_page_title: "Authorize"
     oauth_applications_page_title: "Oauth Applications"
     oauth_application_page_title: "Oauth Application"
     new_oauth_application_page_title: "New Oauth Application"
@@ -17,6 +17,7 @@ en:
     device_search_page_title: "Device Search"
     oauth_management_pagination_previous_button: "Previous"
     oauth_management_pagination_next_button: "Next"
+    oauth_tokens_scopes_label: "Scopes"
     oauth_applications_name_label: "Name"
     oauth_applications_description_label: "Description"
     oauth_applications_scopes_label: "Default scopes"

data/locales/pt.yml

@@ -0,0 +1,57 @@
+pt:
+  rodauth:
+    require_authorization_error_flash: "Autorize para continuar"
+    create_oauth_application_error_flash: "Aconteceu um erro ao registar o aplicativo oauth"
+    create_oauth_application_notice_flash: "O seu aplicativo oauth foi registado com sucesso"
+    revoke_unauthorized_account_error_flash: "Não está autorizado a revogar este token"
+    revoke_oauth_token_notice_flash: "O token oauth foi revogado com sucesso"
+    device_verification_notice_flash: "O dispositivo foi verificado com sucesso"
+    user_code_not_found_error_flash: "Não existe nenhum dispositivo a ser autorizado com o código de usuário inserido"
+    authorize_page_title: "Autorizar"
+    oauth_applications_page_title: "Aplicativos OAuth"
+    oauth_application_page_title: "Aplicativo Oauth"
+    new_oauth_application_page_title: "Novo Aplicativo Oauth"
+    oauth_application_oauth_tokens_page_title: "Tokens Oauth do Aplicativo"
+    oauth_tokens_page_title: "Os meus Tokens Oauth"
+    device_verification_page_title: "Verificação de dispositivo"
+    device_search_page_title: "Pesquisa de dispositivo"
+    oauth_management_pagination_previous_button: "Anterior"
+    oauth_management_pagination_next_button: "Próxima"
+    oauth_tokens_scopes_label: "Escopos"
+    oauth_applications_name_label: "Nome"
+    oauth_applications_description_label: "Descrição"
+    oauth_applications_scopes_label: "Escopos prédefinidos"
+    oauth_applications_contacts_label: "Contactos"
+    oauth_applications_homepage_url_label: "URL da página principal"
+    oauth_applications_tos_uri_label: "URL dos termos de serviço"
+    oauth_applications_policy_uri_label: "URL das diretrizes"
+    oauth_applications_redirect_uri_label: "URL para redireccionamento"
+    oauth_applications_client_secret_label: "Segredo de cliente"
+    oauth_applications_client_id_label: "ID do cliente"
+    oauth_grant_user_code_label: "Código do usuário"
+    oauth_grant_user_jws_jwk_label: "Chaves JSON Web"
+    oauth_grant_user_jwt_public_key_label: "Chave pública"
+    oauth_application_button: "Registar"
+    oauth_authorize_button: "Autorizar"
+    oauth_token_revoke_button: "Revogar"
+    oauth_authorize_post_button: "Voltar para o aplicativo cliente"
+    oauth_device_verification_button: "Verificar"
+    oauth_device_search_button: "Pesquisar"
+    invalid_client_message: "A autenticação do cliente falhou"
+    invalid_grant_type_message: "Tipo de atribuição inválida"
+    invalid_grant_message: "Atribuição inválida"
+    invalid_scope_message: "Escopo inválido"
+    invalid_url_message: "URL inválido"
+    unsupported_token_type_message: "Sugestão de tipo de token inválida"
+    unique_error_message: "já está sendo utilizado"
+    null_error_message: "não está preenchido"
+    already_in_use_message: "erro ao gerar token único"
+    expired_token_message: "o código de dispositivo expirou"
+    access_denied_message: "o pedido de autorização foi negado"
+    authorization_pending_message: "o pedido de autorização ainda está pendente"
+    slow_down_message: "o pedido de autorização ainda está pendente mas o intervalo de actualização deve ser aumentado"
+    code_challenge_required_message: "código de negociação necessário"
+    unsupported_transform_algorithm_message: "algoritmo de transformação não suportado"
+    request_uri_not_supported_message: "request_uri não é suportado"
+    invalid_request_object_message: "request_object é inválido"
+    invalid_scope_message: "O Token de acesso expirou"

data/templates/authorize.str

@@ -81,10 +81,20 @@
     #{"<input type=\"hidden\" name=\"response_type\" value=\"#{rodauth.param("response_type")}\"/>" if rodauth.param_or_nil("response_type")}
     #{"<input type=\"hidden\" name=\"response_mode\" value=\"#{rodauth.param("response_mode")}\"/>" if rodauth.param_or_nil("response_mode")}
     #{"<input type=\"hidden\" name=\"state\" value=\"#{rodauth.param("state")}\"/>" if rodauth.param_or_nil("state")}
-    #{"<input type=\"hidden\" name=\"nonce\" value=\"#{rodauth.param("nonce")}\"/>" if rodauth.param_or_nil("nonce")}
     #{"<input type=\"hidden\" name=\"redirect_uri\" value=\"#{rodauth.redirect_uri}\"/>" if rodauth.param_or_nil("redirect_uri")}
-    #{"<input type=\"hidden\" name=\"code_challenge\" value=\"#{rodauth.param("code_challenge")}\"/>" if rodauth.param_or_nil("code_challenge")}
-    #{"<input type=\"hidden\" name=\"code_challenge_method\" value=\"#{rodauth.param("code_challenge_method")}\"/>" if rodauth.param_or_nil("code_challenge_method")}
+    #{"<input type=\"hidden\" name=\"code_challenge\" value=\"#{rodauth.param("code_challenge")}\"/>" if rodauth.features.include?(:oauth_pkce) && rodauth.param_or_nil("code_challenge")}
+    #{"<input type=\"hidden\" name=\"code_challenge_method\" value=\"#{rodauth.param("code_challenge_method")}\"/>" if rodauth.features.include?(:oauth_pkce) && rodauth.param_or_nil("code_challenge_method")}
+    #{"<input type=\"hidden\" name=\"nonce\" value=\"#{rodauth.param("nonce")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("nonce")}
+    #{"<input type=\"hidden\" name=\"ui_locales\" value=\"#{rodauth.param("ui_locales")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("ui_locales")}
+    #{"<input type=\"hidden\" name=\"claims_locales\" value=\"#{rodauth.param("claims_locales")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("claims_locales")}
+    #{"<input type=\"hidden\" name=\"acr\" value=\"#{rodauth.param("acr_values")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("acr_values")}
+    #{
+      if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators
+        rodauth.resource_indicators.map do |resource|
+          "<input type=\"hidden\" name=\"resource\" value=\"#{resource}\"/>"
+        end.join
+      end
+      }
   </div>
   <p class="text-center">
     <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_authorize_button)}"/>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.9.3
+  version: 0.10.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-30 00:00:00.000000000 Z
+date: 2022-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -39,6 +39,7 @@ extra_rdoc_files:
 - doc/release_notes/0_0_4.md
 - doc/release_notes/0_0_5.md
 - doc/release_notes/0_0_6.md
+- doc/release_notes/0_10_0.md
 - doc/release_notes/0_1_0.md
 - doc/release_notes/0_2_0.md
 - doc/release_notes/0_3_0.md
@@ -70,6 +71,7 @@ files:
 - doc/release_notes/0_0_4.md
 - doc/release_notes/0_0_5.md
 - doc/release_notes/0_0_6.md
+- doc/release_notes/0_10_0.md
 - doc/release_notes/0_1_0.md
 - doc/release_notes/0_2_0.md
 - doc/release_notes/0_3_0.md
@@ -120,6 +122,7 @@ files:
 - lib/rodauth/features/oauth_jwt_bearer_grant.rb
 - lib/rodauth/features/oauth_management_base.rb
 - lib/rodauth/features/oauth_pkce.rb
+- lib/rodauth/features/oauth_resource_indicators.rb
 - lib/rodauth/features/oauth_resource_server.rb
 - lib/rodauth/features/oauth_saml_bearer_grant.rb
 - lib/rodauth/features/oauth_token_introspection.rb
@@ -135,6 +138,7 @@ files:
 - lib/rodauth/oauth/ttl_store.rb
 - lib/rodauth/oauth/version.rb
 - locales/en.yml
+- locales/pt.yml
 - templates/authorize.str
 - templates/client_secret_field.str
 - templates/description_field.str