rodauth-oauth 0.10.2 → 0.10.3
- checksums.yaml +4 -4
- data/doc/release_notes/0_10_3.md +12 -0
- data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb +3 -3
- data/lib/rodauth/features/oauth.rb +1 -1
- data/lib/rodauth/features/oauth_assertion_base.rb +1 -1
- data/lib/rodauth/features/oauth_authorization_code_grant.rb +19 -99
- data/lib/rodauth/features/oauth_authorize_base.rb +110 -0
- data/lib/rodauth/features/oauth_base.rb +21 -10
- data/lib/rodauth/features/oauth_device_grant.rb +1 -1
- data/lib/rodauth/features/oauth_http_mac.rb +1 -1
- data/lib/rodauth/features/oauth_implicit_grant.rb +7 -1
- data/lib/rodauth/features/oauth_jwt.rb +5 -8
- data/lib/rodauth/features/oauth_jwt_bearer_grant.rb +1 -1
- data/lib/rodauth/features/oauth_management_base.rb +1 -1
- data/lib/rodauth/features/oauth_pkce.rb +2 -2
- data/lib/rodauth/features/oauth_resource_indicators.rb +5 -5
- data/lib/rodauth/features/oauth_saml_bearer_grant.rb +1 -1
- data/lib/rodauth/features/oauth_token_introspection.rb +1 -1
- data/lib/rodauth/features/oauth_token_management.rb +3 -1
- data/lib/rodauth/features/oidc.rb +10 -8
- data/lib/rodauth/oauth/version.rb +1 -1
- metadata +5 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8ab7ede677cd918473b708b02509526add2744f96a2cf143c71e79b8d8950f49
|
4
|
+
data.tar.gz: ad19fced98a7f8b62fb856ef0103d09263b1442b33a95adecc9419afe5132ff6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e62b0a2586b493c3012e1106c88ec6cdc1dabc6ce5e632526dd81dbf4ef2427a3645449e8ca5484e77e7a41470b09b9ab53df0c1ebc9598a12a62862cefe1b51
|
7
|
+
data.tar.gz: f3b20d4b7566466b40d09e8391b0c73f4f2a1e250ec0aa238af246eed8cc8c9d3a329d6b24369a0a265f1cd0dcd13853941003bca4ce26ce125fcfb5e6e258aa
|
@@ -0,0 +1,12 @@
|
|
1
|
+
### 0.10.2 (29/08/2022)
|
2
|
+
|
3
|
+
#### Features
|
4
|
+
|
5
|
+
The `oauth_token_subject` rodauth function is introduced. It returns the grant subject (usually the user account id, but in some cases, such as the client credentials grant, returns the oauth application id).
|
6
|
+
|
7
|
+
It still has a few rough edges, but in version 1.0, this will be the main function to use to get the associated grant owner from a given token.
|
8
|
+
|
9
|
+
#### Bugfixes
|
10
|
+
|
11
|
+
* oauth applications management: fixed labels usage in default rails oauth applications list template.
|
12
|
+
* introspection requests were discarding the `authorization_server_url` url path (only taking the origin). That has been fixed now.
|
@@ -9,9 +9,9 @@
|
|
9
9
|
<table class="table">
|
10
10
|
<thead>
|
11
11
|
<tr>
|
12
|
-
<th scope="col"><%= rodauth.
|
13
|
-
<th scope="col"><%= rodauth.
|
14
|
-
<th scope="col"><%= rodauth.
|
12
|
+
<th scope="col"><%= rodauth.oauth_applications_client_id_label %> (<%= apps_count %>)</th>
|
13
|
+
<th scope="col"><%= rodauth.oauth_applications_name_label %></th>
|
14
|
+
<th scope="col"><%= rodauth.oauth_applications_homepage_url_label %></th>
|
15
15
|
<th scope="col"></th>
|
16
16
|
</tr>
|
17
17
|
</thead>
|
@@ -2,81 +2,20 @@
|
|
2
2
|
|
3
3
|
module Rodauth
|
4
4
|
Feature.define(:oauth_authorization_code_grant, :OauthAuthorizationCodeGrant) do
|
5
|
-
depends :
|
6
|
-
|
7
|
-
before "authorize"
|
8
|
-
after "authorize"
|
9
|
-
|
10
|
-
view "authorize", "Authorize", "authorize"
|
11
|
-
|
12
|
-
button "Authorize", "oauth_authorize"
|
13
|
-
button "Back to Client Application", "oauth_authorize_post"
|
5
|
+
depends :oauth_authorize_base
|
14
6
|
|
15
7
|
auth_value_method :use_oauth_access_type?, true
|
16
8
|
|
17
|
-
# OAuth Grants
|
18
|
-
auth_value_method :oauth_grants_table, :oauth_grants
|
19
|
-
auth_value_method :oauth_grants_id_column, :id
|
20
|
-
%i[
|
21
|
-
account_id oauth_application_id
|
22
|
-
redirect_uri code scopes access_type
|
23
|
-
expires_in revoked_at
|
24
|
-
].each do |column|
|
25
|
-
auth_value_method :"oauth_grants_#{column}_column", column
|
26
|
-
end
|
27
|
-
|
28
|
-
translatable_method :oauth_tokens_scopes_label, "Scopes"
|
29
|
-
translatable_method :oauth_applications_contacts_label, "Contacts"
|
30
|
-
translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
|
31
|
-
translatable_method :oauth_applications_policy_uri_label, "Policy URL"
|
32
|
-
|
33
|
-
# /authorize
|
34
|
-
route(:authorize) do |r|
|
35
|
-
next unless is_authorization_server?
|
36
|
-
|
37
|
-
before_authorize_route
|
38
|
-
require_authorizable_account
|
39
|
-
|
40
|
-
validate_oauth_grant_params
|
41
|
-
try_approval_prompt if use_oauth_access_type? && request.get?
|
42
|
-
|
43
|
-
r.get do
|
44
|
-
authorize_view
|
45
|
-
end
|
46
|
-
|
47
|
-
r.post do
|
48
|
-
params, mode = transaction do
|
49
|
-
before_authorize
|
50
|
-
do_authorize
|
51
|
-
end
|
52
|
-
|
53
|
-
authorize_response(params, mode)
|
54
|
-
end
|
55
|
-
end
|
56
|
-
|
57
|
-
def check_csrf?
|
58
|
-
case request.path
|
59
|
-
when authorize_path
|
60
|
-
only_json? ? false : super
|
61
|
-
else
|
62
|
-
super
|
63
|
-
end
|
64
|
-
end
|
65
|
-
|
66
9
|
private
|
67
10
|
|
68
|
-
def
|
69
|
-
|
11
|
+
def validate_authorize_params
|
12
|
+
super
|
70
13
|
|
71
|
-
unless
|
72
|
-
check_valid_approval_prompt? && check_valid_response_type?
|
73
|
-
redirect_response_error("invalid_request")
|
74
|
-
end
|
75
|
-
redirect_response_error("invalid_scope") unless check_valid_scopes?
|
14
|
+
redirect_response_error("invalid_request") unless check_valid_access_type? && check_valid_approval_prompt?
|
76
15
|
|
77
|
-
|
16
|
+
redirect_response_error("invalid_request") if (response_mode = param_or_nil("response_mode")) && response_mode != "form_post"
|
78
17
|
|
79
|
-
|
18
|
+
try_approval_prompt if use_oauth_access_type? && request.get?
|
80
19
|
end
|
81
20
|
|
82
21
|
def validate_oauth_token_params
|
@@ -102,25 +41,12 @@ module Rodauth
|
|
102
41
|
end
|
103
42
|
|
104
43
|
def create_oauth_grant(create_params = {})
|
105
|
-
create_params.merge!(
|
106
|
-
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
|
107
|
-
oauth_grants_redirect_uri_column => redirect_uri,
|
108
|
-
oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in),
|
109
|
-
oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
|
110
|
-
)
|
111
|
-
|
112
44
|
# Access Type flow
|
113
45
|
if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
|
114
46
|
create_params[oauth_grants_access_type_column] = access_type
|
115
47
|
end
|
116
48
|
|
117
|
-
|
118
|
-
|
119
|
-
rescue_from_uniqueness_error do
|
120
|
-
create_params[oauth_grants_code_column] = oauth_unique_id_generator
|
121
|
-
__insert_and_return__(ds, oauth_grants_id_column, create_params)
|
122
|
-
end
|
123
|
-
create_params[oauth_grants_code_column]
|
49
|
+
super
|
124
50
|
end
|
125
51
|
|
126
52
|
def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
|
@@ -134,6 +60,8 @@ module Rodauth
|
|
134
60
|
when "", nil
|
135
61
|
response_mode ||= oauth_response_mode
|
136
62
|
response_params.replace(_do_authorize_code)
|
63
|
+
else
|
64
|
+
return super if response_params.empty?
|
137
65
|
end
|
138
66
|
|
139
67
|
response_params["state"] = param("state") if param_or_nil("state")
|
@@ -142,7 +70,12 @@ module Rodauth
|
|
142
70
|
end
|
143
71
|
|
144
72
|
def _do_authorize_code
|
145
|
-
|
73
|
+
create_params = { oauth_grants_account_id_column => account_id }
|
74
|
+
# Access Type flow
|
75
|
+
if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
|
76
|
+
create_params[oauth_grants_access_type_column] = access_type
|
77
|
+
end
|
78
|
+
{ "code" => create_oauth_grant(create_params) }
|
146
79
|
end
|
147
80
|
|
148
81
|
def authorize_response(params, mode)
|
@@ -171,6 +104,8 @@ module Rodauth
|
|
171
104
|
FORM
|
172
105
|
when "none"
|
173
106
|
redirect(redirect_url.to_s)
|
107
|
+
else
|
108
|
+
super
|
174
109
|
end
|
175
110
|
end
|
176
111
|
|
@@ -195,18 +130,7 @@ module Rodauth
|
|
195
130
|
oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
|
196
131
|
oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
|
197
132
|
}
|
198
|
-
create_oauth_token_from_authorization_code(oauth_grant, create_params)
|
199
|
-
end
|
200
|
-
|
201
|
-
def create_oauth_token_from_authorization_code(oauth_grant, create_params)
|
202
|
-
# revoke oauth grant
|
203
|
-
db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
|
204
|
-
.update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
|
205
|
-
|
206
|
-
should_generate_refresh_token = !use_oauth_access_type? ||
|
207
|
-
oauth_grant[oauth_grants_access_type_column] == "offline"
|
208
|
-
|
209
|
-
generate_oauth_token(create_params, should_generate_refresh_token)
|
133
|
+
create_oauth_token_from_authorization_code(oauth_grant, create_params, !use_oauth_access_type?)
|
210
134
|
end
|
211
135
|
|
212
136
|
ACCESS_TYPES = %w[offline online].freeze
|
@@ -230,11 +154,7 @@ module Rodauth
|
|
230
154
|
def check_valid_response_type?
|
231
155
|
response_type = param_or_nil("response_type")
|
232
156
|
|
233
|
-
response_type.nil? || response_type == "code"
|
234
|
-
end
|
235
|
-
|
236
|
-
def check_valid_redirect_uri?
|
237
|
-
oauth_application[oauth_applications_redirect_uri_column].split(" ").include?(redirect_uri)
|
157
|
+
response_type.nil? || response_type == "code" || response_type == "none" || super
|
238
158
|
end
|
239
159
|
|
240
160
|
def oauth_server_metadata_body(*)
|
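Review bot: The "Access Type flow" block added to `_do_authorize_code` in the `@@ -142,7 +70,12 @@` hunk duplicates the one that `create_oauth_grant` in the `@@ -102,25 +41,12 @@` hunk still applies to the same hash before calling `super`, so `oauth_grants_access_type_column` is assigned twice from the same `access_type` parameter. The helper can hand over only the account id and leave access-type handling to `create_oauth_grant`: `{ "code" => create_oauth_grant(oauth_grants_account_id_column => account_id) }`. In the last hunk, `check_valid_response_type?` keeps accepting a missing `response_type` via `response_type.nil?`, whereas RFC 6749 §4.1.1 lists the parameter as REQUIRED; if nothing depends on the implicit default, `response_type == "code" || response_type == "none" || super` would reject such requests with the existing `invalid_request` path. `do_authorize` and `authorize_response` both continue outside their hunks.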
@@ -0,0 +1,110 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Rodauth
|
4
|
+
Feature.define(:oauth_authorize_base, :OauthAuthorizeBase) do
|
5
|
+
depends :oauth_base
|
6
|
+
|
7
|
+
before "authorize"
|
8
|
+
after "authorize"
|
9
|
+
|
10
|
+
view "authorize", "Authorize", "authorize"
|
11
|
+
|
12
|
+
button "Authorize", "oauth_authorize"
|
13
|
+
button "Back to Client Application", "oauth_authorize_post"
|
14
|
+
|
15
|
+
translatable_method :oauth_tokens_scopes_label, "Scopes"
|
16
|
+
translatable_method :oauth_applications_contacts_label, "Contacts"
|
17
|
+
translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
|
18
|
+
translatable_method :oauth_applications_policy_uri_label, "Policy URL"
|
19
|
+
|
20
|
+
# /authorize
|
21
|
+
route(:authorize) do |r|
|
22
|
+
next unless is_authorization_server?
|
23
|
+
|
24
|
+
before_authorize_route
|
25
|
+
require_authorizable_account
|
26
|
+
|
27
|
+
validate_authorize_params
|
28
|
+
|
29
|
+
r.get do
|
30
|
+
authorize_view
|
31
|
+
end
|
32
|
+
|
33
|
+
r.post do
|
34
|
+
params, mode = transaction do
|
35
|
+
before_authorize
|
36
|
+
do_authorize
|
37
|
+
end
|
38
|
+
|
39
|
+
authorize_response(params, mode)
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
def check_csrf?
|
44
|
+
case request.path
|
45
|
+
when authorize_path
|
46
|
+
only_json? ? false : super
|
47
|
+
else
|
48
|
+
super
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
52
|
+
private
|
53
|
+
|
54
|
+
def validate_authorize_params
|
55
|
+
redirect_response_error("invalid_request", request.referer || default_redirect) unless oauth_application && check_valid_redirect_uri?
|
56
|
+
|
57
|
+
redirect_response_error("invalid_request") unless check_valid_response_type?
|
58
|
+
|
59
|
+
redirect_response_error("invalid_scope") unless check_valid_scopes?
|
60
|
+
end
|
61
|
+
|
62
|
+
def check_valid_response_type?
|
63
|
+
false
|
64
|
+
end
|
65
|
+
|
66
|
+
def check_valid_redirect_uri?
|
67
|
+
oauth_application[oauth_applications_redirect_uri_column].split(" ").include?(redirect_uri)
|
68
|
+
end
|
69
|
+
|
70
|
+
def authorization_required
|
71
|
+
if accepts_json?
|
72
|
+
throw_json_response_error(authorization_required_error_status, "invalid_client")
|
73
|
+
else
|
74
|
+
set_redirect_error_flash(require_authorization_error_flash)
|
75
|
+
redirect(authorize_path)
|
76
|
+
end
|
77
|
+
end
|
78
|
+
|
79
|
+
def do_authorize(*args); end
|
80
|
+
|
81
|
+
def authorize_response(params, mode); end
|
82
|
+
|
83
|
+
def create_oauth_token_from_authorization_code(oauth_grant, create_params, should_generate_refresh_token = false)
|
84
|
+
# revoke oauth grant
|
85
|
+
db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
|
86
|
+
.update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
|
87
|
+
|
88
|
+
should_generate_refresh_token ||= oauth_grant[oauth_grants_access_type_column] == "offline"
|
89
|
+
|
90
|
+
generate_oauth_token(create_params, should_generate_refresh_token)
|
91
|
+
end
|
92
|
+
|
93
|
+
def create_oauth_grant(create_params = {})
|
94
|
+
create_params.merge!(
|
95
|
+
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
|
96
|
+
oauth_grants_redirect_uri_column => redirect_uri,
|
97
|
+
oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in),
|
98
|
+
oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
|
99
|
+
)
|
100
|
+
|
101
|
+
ds = db[oauth_grants_table]
|
102
|
+
|
103
|
+
rescue_from_uniqueness_error do
|
104
|
+
create_params[oauth_grants_code_column] = oauth_unique_id_generator
|
105
|
+
__insert_and_return__(ds, oauth_grants_id_column, create_params)
|
106
|
+
end
|
107
|
+
create_params[oauth_grants_code_column]
|
108
|
+
end
|
109
|
+
end
|
110
|
+
end
|
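Review bot: `validate_authorize_params` calls `redirect_response_error("invalid_request", request.referer || default_redirect)` when the client lookup or `check_valid_redirect_uri?` fails, and the Referer header is supplied by the user agent, so the error is presumably redirected to an unvalidated, caller-influenced location; RFC 6749 §3.1.2.4 says the server must not redirect when the redirect URI is invalid and should inform the resource owner instead. If the second argument is the redirect target (its handling is not visible here), keeping the failure on the authorization server is safer: `redirect_response_error("invalid_request", default_redirect) unless oauth_application && check_valid_redirect_uri?`, or an in-place error page. Separately, the defaults `def do_authorize(*args); end` and `def authorize_response(params, mode); end` return nil, so a `response_type` that passes `check_valid_response_type?` but is handled by no loaded feature finishes the route block without an explicit response; a `redirect_response_error("unsupported_response_type")` in the base `authorize_response` would make that path deliberate.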
@@ -47,6 +47,17 @@ module Rodauth
|
|
47
47
|
auth_value_method :"oauth_tokens_#{column}_column", column
|
48
48
|
end
|
49
49
|
|
50
|
+
# OAuth Grants
|
51
|
+
auth_value_method :oauth_grants_table, :oauth_grants
|
52
|
+
auth_value_method :oauth_grants_id_column, :id
|
53
|
+
%i[
|
54
|
+
account_id oauth_application_id
|
55
|
+
redirect_uri code scopes access_type
|
56
|
+
expires_in revoked_at
|
57
|
+
].each do |column|
|
58
|
+
auth_value_method :"oauth_grants_#{column}_column", column
|
59
|
+
end
|
60
|
+
|
50
61
|
# Oauth Token Hash
|
51
62
|
auth_value_method :oauth_tokens_token_hash_column, nil
|
52
63
|
auth_value_method :oauth_tokens_refresh_token_hash_column, nil
|
@@ -160,12 +171,17 @@ module Rodauth
|
|
160
171
|
end
|
161
172
|
|
162
173
|
# Overrides session_value, so that a valid authorization token also authenticates a request
|
174
|
+
# TODO: deprecate
|
163
175
|
def session_value
|
164
|
-
super ||
|
165
|
-
|
176
|
+
super || oauth_token_subject
|
177
|
+
end
|
166
178
|
|
167
|
-
|
168
|
-
|
179
|
+
def oauth_token_subject
|
180
|
+
return unless authorization_token
|
181
|
+
|
182
|
+
# TODO: fix this once tokens know which type they were generated with
|
183
|
+
authorization_token[oauth_tokens_account_id_column] ||
|
184
|
+
authorization_token[oauth_tokens_oauth_application_id_column]
|
169
185
|
end
|
170
186
|
|
171
187
|
def accepts_json?
|
@@ -720,12 +736,7 @@ module Rodauth
|
|
720
736
|
end
|
721
737
|
|
722
738
|
def authorization_required
|
723
|
-
|
724
|
-
throw_json_response_error(authorization_required_error_status, "invalid_client")
|
725
|
-
else
|
726
|
-
set_redirect_error_flash(require_authorization_error_flash)
|
727
|
-
redirect(authorize_path)
|
728
|
-
end
|
739
|
+
throw_json_response_error(authorization_required_error_status, "invalid_client")
|
729
740
|
end
|
730
741
|
|
731
742
|
def check_valid_scopes?
|
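Review bot: In the `@@ -160,12 +171,17 @@` hunk `session_value` now falls back to `oauth_token_subject`, which returns `oauth_tokens_oauth_application_id_column` when the token carries no account id; since the comment above says this override makes a bearer token authenticate the request, a token issued without an account (the release note names the client-credentials grant) could be treated as a login for whichever account happens to share the application's numeric id. The `# TODO: fix this once tokens know which type they were generated with` comment acknowledges the ambiguity, but the session fallback should not inherit it: `super || (authorization_token && authorization_token[oauth_tokens_account_id_column])`, leaving `oauth_token_subject` to return the application id for callers that want the grant subject. The `@@ -720,12 +736,7 @@` hunk also makes `authorization_required` answer with a JSON `invalid_client` for every content type; if this feature is loaded without `oauth_authorize_base`, HTML clients that previously got a flash and redirect now get JSON, which is worth a sentence in the release notes.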
@@ -2,12 +2,18 @@
|
|
2
2
|
|
3
3
|
module Rodauth
|
4
4
|
Feature.define(:oauth_implicit_grant, :OauthImplicitGrant) do
|
5
|
-
depends :
|
5
|
+
depends :oauth_authorize_base
|
6
6
|
|
7
7
|
auth_value_method :use_oauth_implicit_grant_type?, false
|
8
8
|
|
9
9
|
private
|
10
10
|
|
11
|
+
def check_valid_response_type?
|
12
|
+
response_type = param_or_nil("response_type")
|
13
|
+
|
14
|
+
response_type.nil? || response_type == "token" || super
|
15
|
+
end
|
16
|
+
|
11
17
|
def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
|
12
18
|
return super unless param("response_type") == "token" && use_oauth_implicit_grant_type?
|
13
19
|
|
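Review bot: `check_valid_response_type?` accepts `response_type == "token"` unconditionally, while `do_authorize` two lines below only handles it when `use_oauth_implicit_grant_type?` is true and otherwise defers to `super`. With the implicit grant disabled, a `response_type=token` request therefore passes validation and, as far as the visible code shows, falls through the `do_authorize` chain instead of producing an `unsupported_response_type` error. Gating the check on the same flag keeps validation and handling aligned: `response_type.nil? || (response_type == "token" && use_oauth_implicit_grant_type?) || super`. `do_authorize` continues past the end of the hunk.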
@@ -1,4 +1,4 @@
|
|
1
|
-
#
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require "rodauth/oauth/version"
|
4
4
|
require "rodauth/oauth/ttl_store"
|
@@ -90,13 +90,10 @@ module Rodauth
|
|
90
90
|
authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
|
91
91
|
end
|
92
92
|
|
93
|
-
|
94
|
-
|
95
|
-
super || begin
|
96
|
-
return unless authorization_token
|
93
|
+
def oauth_token_subject
|
94
|
+
return unless authorization_token
|
97
95
|
|
98
|
-
|
99
|
-
end
|
96
|
+
authorization_token["sub"]
|
100
97
|
end
|
101
98
|
|
102
99
|
private
|
@@ -127,7 +124,7 @@ module Rodauth
|
|
127
124
|
|
128
125
|
# /authorize
|
129
126
|
|
130
|
-
def
|
127
|
+
def validate_authorize_params
|
131
128
|
# TODO: add support for requst_uri
|
132
129
|
redirect_response_error("request_uri_not_supported") if param_or_nil("request_uri")
|
133
130
|
|
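Review bot: `oauth_token_subject` in the `@@ -90,13 +90,10 @@` hunk is a newly public method (the release note introduces it) that returns `authorization_token["sub"]` without documenting what `sub` holds, even though `session_value` in `oauth_base` presumably now reaches it and treats the result as the authenticated account. A comment above the method such as `# Subject of the presented bearer JWT: the "sub" claim, or nil when no authorization token was sent. May be an application id rather than an account id for grants without a user (see oauth_token_subject in oauth_base).` would state the contract for callers. The method's neighbours continue outside the hunk.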
@@ -29,7 +29,7 @@ module Rodauth
|
|
29
29
|
super
|
30
30
|
end
|
31
31
|
|
32
|
-
def
|
32
|
+
def validate_authorize_params
|
33
33
|
validate_pkce_challenge_params if use_oauth_pkce?
|
34
34
|
|
35
35
|
super
|
@@ -47,7 +47,7 @@ module Rodauth
|
|
47
47
|
super
|
48
48
|
end
|
49
49
|
|
50
|
-
def create_oauth_token_from_authorization_code(oauth_grant, create_params)
|
50
|
+
def create_oauth_token_from_authorization_code(oauth_grant, create_params, *)
|
51
51
|
if use_oauth_pkce?
|
52
52
|
if oauth_grant[oauth_grants_code_challenge_column]
|
53
53
|
code_verifier = param_or_nil("code_verifier")
|
@@ -1,11 +1,11 @@
|
|
1
|
-
#
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require "rodauth/oauth/version"
|
4
4
|
require "rodauth/oauth/ttl_store"
|
5
5
|
|
6
6
|
module Rodauth
|
7
7
|
Feature.define(:oauth_resource_indicators, :OauthResourceIndicators) do
|
8
|
-
depends :
|
8
|
+
depends :oauth_authorize_base
|
9
9
|
|
10
10
|
auth_value_method :oauth_grants_resource_column, :resource
|
11
11
|
auth_value_method :oauth_tokens_resource_column, :resource
|
@@ -80,7 +80,7 @@ module Rodauth
|
|
80
80
|
module IndicatorAuthorizationCodeGrant
|
81
81
|
private
|
82
82
|
|
83
|
-
def
|
83
|
+
def validate_authorize_params
|
84
84
|
super
|
85
85
|
|
86
86
|
return unless resource_indicators
|
@@ -90,7 +90,7 @@ module Rodauth
|
|
90
90
|
end
|
91
91
|
end
|
92
92
|
|
93
|
-
def create_oauth_token_from_authorization_code(oauth_grant, create_params)
|
93
|
+
def create_oauth_token_from_authorization_code(oauth_grant, create_params, *args)
|
94
94
|
return super unless resource_indicators
|
95
95
|
|
96
96
|
redirect_response_error("invalid_target") unless oauth_grant[oauth_grants_resource_column]
|
@@ -101,7 +101,7 @@ module Rodauth
|
|
101
101
|
|
102
102
|
redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
|
103
103
|
|
104
|
-
super(oauth_grant, create_params.merge(oauth_tokens_resource_column => resource_indicators))
|
104
|
+
super(oauth_grant, create_params.merge(oauth_tokens_resource_column => resource_indicators), *args)
|
105
105
|
end
|
106
106
|
|
107
107
|
def create_oauth_grant(create_params = {})
|
@@ -84,7 +84,7 @@ module Rodauth
|
|
84
84
|
http = Net::HTTP.new(auth_url.host, auth_url.port)
|
85
85
|
http.use_ssl = auth_url.scheme == "https"
|
86
86
|
|
87
|
-
request = Net::HTTP::Post.new(introspect_path)
|
87
|
+
request = Net::HTTP::Post.new(auth_url.path + introspect_path)
|
88
88
|
request["content-type"] = "application/x-www-form-urlencoded"
|
89
89
|
request["accept"] = json_response_content_type
|
90
90
|
request.set_form_data({ "token_type_hint" => token_type_hint, "token" => token })
|
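Review bot: `Net::HTTP::Post.new(auth_url.path + introspect_path)` restores the dropped path prefix, but plain concatenation yields a double slash when `authorization_server_url` is configured with a trailing slash (`/auth/` + `/introspect`), and some routers treat `//introspect` differently from `/introspect`. `File.join(auth_url.path, introspect_path)` collapses the duplicate separator and still returns `/introspect` when the configured URL has an empty path. The enclosing method starts and ends outside the hunk.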
@@ -1,10 +1,12 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
+
require "rodauth/oauth/refinements"
|
4
|
+
|
3
5
|
module Rodauth
|
4
6
|
Feature.define(:oauth_token_management, :OauthTokenManagement) do
|
5
7
|
using RegexpExtensions
|
6
8
|
|
7
|
-
depends :oauth_management_base
|
9
|
+
depends :oauth_management_base, :oauth_token_revocation
|
8
10
|
|
9
11
|
view "oauth_tokens", "My Oauth Tokens", "oauth_tokens"
|
10
12
|
|
@@ -1,4 +1,4 @@
|
|
1
|
-
#
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
3
|
module Rodauth
|
4
4
|
Feature.define(:oidc, :Oidc) do
|
@@ -272,19 +272,21 @@ module Rodauth
|
|
272
272
|
end
|
273
273
|
end
|
274
274
|
|
275
|
-
def
|
275
|
+
def validate_authorize_params
|
276
276
|
return super unless (max_age = param_or_nil("max_age"))
|
277
277
|
|
278
278
|
max_age = Integer(max_age)
|
279
279
|
|
280
280
|
redirect_response_error("invalid_request") unless max_age.positive?
|
281
281
|
|
282
|
-
|
282
|
+
if Time.now - last_account_login_at > max_age
|
283
|
+
# force user to re-login
|
284
|
+
clear_session
|
285
|
+
set_session_value(login_redirect_session_key, request.fullpath)
|
286
|
+
redirect require_login_redirect
|
287
|
+
end
|
283
288
|
|
284
|
-
|
285
|
-
clear_session
|
286
|
-
set_session_value(login_redirect_session_key, request.fullpath)
|
287
|
-
redirect require_login_redirect
|
289
|
+
super
|
288
290
|
end
|
289
291
|
|
290
292
|
def require_authorizable_account
|
@@ -385,7 +387,7 @@ module Rodauth
|
|
385
387
|
super
|
386
388
|
end
|
387
389
|
|
388
|
-
def create_oauth_token_from_authorization_code(oauth_grant, create_params)
|
390
|
+
def create_oauth_token_from_authorization_code(oauth_grant, create_params, *)
|
389
391
|
create_params[oauth_tokens_nonce_column] = oauth_grant[oauth_grants_nonce_column] if oauth_grant[oauth_grants_nonce_column]
|
390
392
|
create_params[oauth_tokens_acr_column] = oauth_grant[oauth_grants_acr_column] if oauth_grant[oauth_grants_acr_column]
|
391
393
|
|
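Review bot: `max_age = Integer(max_age)` in the `@@ -272,19 +272,21 @@` hunk raises `ArgumentError` on a non-numeric query value, so a client sending `max_age=abc` triggers an exception instead of the `invalid_request` error that the next line returns for non-positive values. The non-raising form folds malformed input into the same check: `max_age = Integer(max_age, exception: false)` followed by `redirect_response_error("invalid_request") unless max_age&.positive?`. The re-login branch also computes `Time.now - last_account_login_at`; if that helper can return nil for an account with no recorded login, the subtraction raises as well — worth confirming against its definition, which is not in the hunk.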
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rodauth-oauth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.10.
|
4
|
+
version: 0.10.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tiago Cardoso
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-08-
|
11
|
+
date: 2022-08-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rodauth
|
@@ -42,6 +42,7 @@ extra_rdoc_files:
|
|
42
42
|
- doc/release_notes/0_10_0.md
|
43
43
|
- doc/release_notes/0_10_1.md
|
44
44
|
- doc/release_notes/0_10_2.md
|
45
|
+
- doc/release_notes/0_10_3.md
|
45
46
|
- doc/release_notes/0_1_0.md
|
46
47
|
- doc/release_notes/0_2_0.md
|
47
48
|
- doc/release_notes/0_3_0.md
|
@@ -76,6 +77,7 @@ files:
|
|
76
77
|
- doc/release_notes/0_10_0.md
|
77
78
|
- doc/release_notes/0_10_1.md
|
78
79
|
- doc/release_notes/0_10_2.md
|
80
|
+
- doc/release_notes/0_10_3.md
|
79
81
|
- doc/release_notes/0_1_0.md
|
80
82
|
- doc/release_notes/0_2_0.md
|
81
83
|
- doc/release_notes/0_3_0.md
|
@@ -116,6 +118,7 @@ files:
|
|
116
118
|
- lib/rodauth/features/oauth_assertion_base.rb
|
117
119
|
- lib/rodauth/features/oauth_authorization_code_grant.rb
|
118
120
|
- lib/rodauth/features/oauth_authorization_server.rb
|
121
|
+
- lib/rodauth/features/oauth_authorize_base.rb
|
119
122
|
- lib/rodauth/features/oauth_base.rb
|
120
123
|
- lib/rodauth/features/oauth_client_credentials_grant.rb
|
121
124
|
- lib/rodauth/features/oauth_device_grant.rb
|