rodauth-oauth 0.10.2 → 0.10.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec0cd919b0135e453bd429e8982e883897b83c9ab068add6270afaf2cd1272d1
-  data.tar.gz: fd5f30a1a2a64457a1ca44e19a4af172494a0b9ac03935e4850ad7320eadcb1b
+  metadata.gz: 8ab7ede677cd918473b708b02509526add2744f96a2cf143c71e79b8d8950f49
+  data.tar.gz: ad19fced98a7f8b62fb856ef0103d09263b1442b33a95adecc9419afe5132ff6
 SHA512:
-  metadata.gz: 13c1127f8084dc782bcd6fa58da37e3b94976809ebf71be93487bc1a87d23d8f494fa66298465219b027fb93ef648b9c73da98289e07ce0d6cc98ff48d8d9023
-  data.tar.gz: 2f065eda1c8084e31fc879badb9d6309ea0fb30a24520d8276afccc8dfcfc3480d3d3400c8c1b600a81f5b8884609688b4b4aeab19b955ea5eb45f866aba8ab7
+  metadata.gz: e62b0a2586b493c3012e1106c88ec6cdc1dabc6ce5e632526dd81dbf4ef2427a3645449e8ca5484e77e7a41470b09b9ab53df0c1ebc9598a12a62862cefe1b51
+  data.tar.gz: f3b20d4b7566466b40d09e8391b0c73f4f2a1e250ec0aa238af246eed8cc8c9d3a329d6b24369a0a265f1cd0dcd13853941003bca4ce26ce125fcfb5e6e258aa

data/doc/release_notes/0_10_3.md

@@ -0,0 +1,12 @@
+### 0.10.2 (29/08/2022)
+
+#### Features
+
+The `oauth_token_subject` rodauth function is introduced. It returns the grant subject (usually the user account id, but in some cases, such as the client credentials grant, returns the oauth application id).
+
+It still has a few rough edges, but in version 1.0, this will be the main function to use to get the associated grant owner from a given token.
+
+#### Bugfixes
+
+* oauth applications management: fixed labels usage in default rails oauth applications list template.
+* introspection requests were discarding the `authorization_server_url` url path (only taking the origin). That has been fixed now.

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb

@@ -9,9 +9,9 @@
   <table class="table">
     <thead>
       <tr>
-        <th scope="col"><%= rodauth.oauth_application_client_id_label %> (<%= apps_count %>)</th>
-        <th scope="col"><%= rodauth.oauth_application_name_label %></th>
-        <th scope="col"><%= rodauth.oauth_application_homepage_url_label %></th>
+        <th scope="col"><%= rodauth.oauth_applications_client_id_label %> (<%= apps_count %>)</th>
+        <th scope="col"><%= rodauth.oauth_applications_name_label %></th>
+        <th scope="col"><%= rodauth.oauth_applications_homepage_url_label %></th>
         <th scope="col"></th>
       </tr>
     </thead>

data/lib/rodauth/features/oauth.rb

@@ -1,4 +1,4 @@
-# frozen-string-literal: true
+# frozen_string_literal: true
 
 module Rodauth
   Feature.define(:oauth, :Oauth) do

data/lib/rodauth/features/oauth_assertion_base.rb

@@ -1,4 +1,4 @@
-# frozen-string-literal: true
+# frozen_string_literal: true
 
 require "rodauth/oauth/refinements"
 

data/lib/rodauth/features/oauth_authorization_code_grant.rb

@@ -2,81 +2,20 @@
 
 module Rodauth
   Feature.define(:oauth_authorization_code_grant, :OauthAuthorizationCodeGrant) do
-    depends :oauth_base
-
-    before "authorize"
-    after "authorize"
-
-    view "authorize", "Authorize", "authorize"
-
-    button "Authorize", "oauth_authorize"
-    button "Back to Client Application", "oauth_authorize_post"
+    depends :oauth_authorize_base
 
     auth_value_method :use_oauth_access_type?, true
 
-    # OAuth Grants
-    auth_value_method :oauth_grants_table, :oauth_grants
-    auth_value_method :oauth_grants_id_column, :id
-    %i[
-      account_id oauth_application_id
-      redirect_uri code scopes access_type
-      expires_in revoked_at
-    ].each do |column|
-      auth_value_method :"oauth_grants_#{column}_column", column
-    end
-
-    translatable_method :oauth_tokens_scopes_label, "Scopes"
-    translatable_method :oauth_applications_contacts_label, "Contacts"
-    translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
-    translatable_method :oauth_applications_policy_uri_label, "Policy URL"
-
-    # /authorize
-    route(:authorize) do |r|
-      next unless is_authorization_server?
-
-      before_authorize_route
-      require_authorizable_account
-
-      validate_oauth_grant_params
-      try_approval_prompt if use_oauth_access_type? && request.get?
-
-      r.get do
-        authorize_view
-      end
-
-      r.post do
-        params, mode = transaction do
-          before_authorize
-          do_authorize
-        end
-
-        authorize_response(params, mode)
-      end
-    end
-
-    def check_csrf?
-      case request.path
-      when authorize_path
-        only_json? ? false : super
-      else
-        super
-      end
-    end
-
     private
 
-    def validate_oauth_grant_params
-      redirect_response_error("invalid_request", request.referer || default_redirect) unless oauth_application && check_valid_redirect_uri?
+    def validate_authorize_params
+      super
 
-      unless oauth_application && check_valid_redirect_uri? && check_valid_access_type? &&
-             check_valid_approval_prompt? && check_valid_response_type?
-        redirect_response_error("invalid_request")
-      end
-      redirect_response_error("invalid_scope") unless check_valid_scopes?
+      redirect_response_error("invalid_request") unless check_valid_access_type? && check_valid_approval_prompt?
 
-      return unless (response_mode = param_or_nil("response_mode")) && response_mode != "form_post"
+      redirect_response_error("invalid_request") if (response_mode = param_or_nil("response_mode")) && response_mode != "form_post"
 
-      redirect_response_error("invalid_request")
+      try_approval_prompt if use_oauth_access_type? && request.get?
     end
 
     def validate_oauth_token_params
@@ -102,25 +41,12 @@ module Rodauth
     end
 
     def create_oauth_grant(create_params = {})
-      create_params.merge!(
-        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_grants_redirect_uri_column => redirect_uri,
-        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in),
-        oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
-      )
-
       # Access Type flow
       if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
         create_params[oauth_grants_access_type_column] = access_type
       end
 
-      ds = db[oauth_grants_table]
-
-      rescue_from_uniqueness_error do
-        create_params[oauth_grants_code_column] = oauth_unique_id_generator
-        __insert_and_return__(ds, oauth_grants_id_column, create_params)
-      end
-      create_params[oauth_grants_code_column]
+      super
     end
 
     def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
@@ -134,6 +60,8 @@ module Rodauth
       when "", nil
         response_mode ||= oauth_response_mode
         response_params.replace(_do_authorize_code)
+      else
+        return super if response_params.empty?
       end
 
       response_params["state"] = param("state") if param_or_nil("state")
@@ -142,7 +70,12 @@ module Rodauth
     end
 
     def _do_authorize_code
-      { "code" => create_oauth_grant(oauth_grants_account_id_column => account_id) }
+      create_params = { oauth_grants_account_id_column => account_id }
+      # Access Type flow
+      if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
+        create_params[oauth_grants_access_type_column] = access_type
+      end
+      { "code" => create_oauth_grant(create_params) }
     end
 
     def authorize_response(params, mode)
@@ -171,6 +104,8 @@ module Rodauth
         FORM
       when "none"
         redirect(redirect_url.to_s)
+      else
+        super
       end
     end
 
@@ -195,18 +130,7 @@ module Rodauth
         oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
         oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
       }
-      create_oauth_token_from_authorization_code(oauth_grant, create_params)
-    end
-
-    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
-      # revoke oauth grant
-      db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
-                            .update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
-
-      should_generate_refresh_token = !use_oauth_access_type? ||
-                                      oauth_grant[oauth_grants_access_type_column] == "offline"
-
-      generate_oauth_token(create_params, should_generate_refresh_token)
+      create_oauth_token_from_authorization_code(oauth_grant, create_params, !use_oauth_access_type?)
     end
 
     ACCESS_TYPES = %w[offline online].freeze
@@ -230,11 +154,7 @@ module Rodauth
     def check_valid_response_type?
       response_type = param_or_nil("response_type")
 
-      response_type.nil? || response_type == "code"
-    end
-
-    def check_valid_redirect_uri?
-      oauth_application[oauth_applications_redirect_uri_column].split(" ").include?(redirect_uri)
+      response_type.nil? || response_type == "code" || response_type == "none" || super
     end
 
     def oauth_server_metadata_body(*)

data/lib/rodauth/features/oauth_authorize_base.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_authorize_base, :OauthAuthorizeBase) do
+    depends :oauth_base
+
+    before "authorize"
+    after "authorize"
+
+    view "authorize", "Authorize", "authorize"
+
+    button "Authorize", "oauth_authorize"
+    button "Back to Client Application", "oauth_authorize_post"
+
+    translatable_method :oauth_tokens_scopes_label, "Scopes"
+    translatable_method :oauth_applications_contacts_label, "Contacts"
+    translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
+    translatable_method :oauth_applications_policy_uri_label, "Policy URL"
+
+    # /authorize
+    route(:authorize) do |r|
+      next unless is_authorization_server?
+
+      before_authorize_route
+      require_authorizable_account
+
+      validate_authorize_params
+
+      r.get do
+        authorize_view
+      end
+
+      r.post do
+        params, mode = transaction do
+          before_authorize
+          do_authorize
+        end
+
+        authorize_response(params, mode)
+      end
+    end
+
+    def check_csrf?
+      case request.path
+      when authorize_path
+        only_json? ? false : super
+      else
+        super
+      end
+    end
+
+    private
+
+    def validate_authorize_params
+      redirect_response_error("invalid_request", request.referer || default_redirect) unless oauth_application && check_valid_redirect_uri?
+
+      redirect_response_error("invalid_request") unless check_valid_response_type?
+
+      redirect_response_error("invalid_scope") unless check_valid_scopes?
+    end
+
+    def check_valid_response_type?
+      false
+    end
+
+    def check_valid_redirect_uri?
+      oauth_application[oauth_applications_redirect_uri_column].split(" ").include?(redirect_uri)
+    end
+
+    def authorization_required
+      if accepts_json?
+        throw_json_response_error(authorization_required_error_status, "invalid_client")
+      else
+        set_redirect_error_flash(require_authorization_error_flash)
+        redirect(authorize_path)
+      end
+    end
+
+    def do_authorize(*args); end
+
+    def authorize_response(params, mode); end
+
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params, should_generate_refresh_token = false)
+      # revoke oauth grant
+      db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
+                            .update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+
+      should_generate_refresh_token ||= oauth_grant[oauth_grants_access_type_column] == "offline"
+
+      generate_oauth_token(create_params, should_generate_refresh_token)
+    end
+
+    def create_oauth_grant(create_params = {})
+      create_params.merge!(
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_grants_redirect_uri_column => redirect_uri,
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in),
+        oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
+      )
+
+      ds = db[oauth_grants_table]
+
+      rescue_from_uniqueness_error do
+        create_params[oauth_grants_code_column] = oauth_unique_id_generator
+        __insert_and_return__(ds, oauth_grants_id_column, create_params)
+      end
+      create_params[oauth_grants_code_column]
+    end
+  end
+end

data/lib/rodauth/features/oauth_base.rb

@@ -47,6 +47,17 @@ module Rodauth
       auth_value_method :"oauth_tokens_#{column}_column", column
     end
 
+    # OAuth Grants
+    auth_value_method :oauth_grants_table, :oauth_grants
+    auth_value_method :oauth_grants_id_column, :id
+    %i[
+      account_id oauth_application_id
+      redirect_uri code scopes access_type
+      expires_in revoked_at
+    ].each do |column|
+      auth_value_method :"oauth_grants_#{column}_column", column
+    end
+
     # Oauth Token Hash
     auth_value_method :oauth_tokens_token_hash_column, nil
     auth_value_method :oauth_tokens_refresh_token_hash_column, nil
@@ -160,12 +171,17 @@ module Rodauth
     end
 
     # Overrides session_value, so that a valid authorization token also authenticates a request
+    # TODO: deprecate
     def session_value
-      super || begin
-        return unless authorization_token
+      super || oauth_token_subject
+    end
 
-        authorization_token[oauth_tokens_account_id_column]
-      end
+    def oauth_token_subject
+      return unless authorization_token
+
+      # TODO: fix this once tokens know which type they were generated with
+      authorization_token[oauth_tokens_account_id_column] ||
+        authorization_token[oauth_tokens_oauth_application_id_column]
     end
 
     def accepts_json?
@@ -720,12 +736,7 @@ module Rodauth
     end
 
     def authorization_required
-      if accepts_json?
-        throw_json_response_error(authorization_required_error_status, "invalid_client")
-      else
-        set_redirect_error_flash(require_authorization_error_flash)
-        redirect(authorize_path)
-      end
+      throw_json_response_error(authorization_required_error_status, "invalid_client")
     end
 
     def check_valid_scopes?

data/lib/rodauth/features/oauth_device_grant.rb

@@ -2,7 +2,7 @@
 
 module Rodauth
   Feature.define(:oauth_device_grant, :OauthDeviceGrant) do
-    depends :oauth_base
+    depends :oauth_authorize_base
 
     auth_value_method :use_oauth_device_code_grant_type?, false
 

data/lib/rodauth/features/oauth_http_mac.rb

@@ -1,4 +1,4 @@
-# frozen-string-literal: true
+# frozen_string_literal: true
 
 require "rodauth/oauth/refinements"
 

data/lib/rodauth/features/oauth_implicit_grant.rb

@@ -2,12 +2,18 @@
 
 module Rodauth
   Feature.define(:oauth_implicit_grant, :OauthImplicitGrant) do
-    depends :oauth_base
+    depends :oauth_authorize_base
 
     auth_value_method :use_oauth_implicit_grant_type?, false
 
     private
 
+    def check_valid_response_type?
+      response_type = param_or_nil("response_type")
+
+      response_type.nil? || response_type == "token" || super
+    end
+
     def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
       return super unless param("response_type") == "token" && use_oauth_implicit_grant_type?
 

data/lib/rodauth/features/oauth_jwt.rb

@@ -1,4 +1,4 @@
-# frozen-string-literal: true
+# frozen_string_literal: true
 
 require "rodauth/oauth/version"
 require "rodauth/oauth/ttl_store"
@@ -90,13 +90,10 @@ module Rodauth
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
     end
 
-    # Overrides session_value, so that a valid authorization token also authenticates a request
-    def session_value
-      super || begin
-        return unless authorization_token
+    def oauth_token_subject
+      return unless authorization_token
 
-        authorization_token["sub"]
-      end
+      authorization_token["sub"]
     end
 
     private
@@ -127,7 +124,7 @@ module Rodauth
 
     # /authorize
 
-    def validate_oauth_grant_params
+    def validate_authorize_params
       # TODO: add support for requst_uri
       redirect_response_error("request_uri_not_supported") if param_or_nil("request_uri")
 

data/lib/rodauth/features/oauth_jwt_bearer_grant.rb

@@ -1,4 +1,4 @@
-# frozen-string-literal: true
+# frozen_string_literal: true
 
 require "rodauth/oauth/version"
 require "rodauth/oauth/ttl_store"

data/lib/rodauth/features/oauth_management_base.rb

@@ -2,7 +2,7 @@
 
 module Rodauth
   Feature.define(:oauth_management_base, :OauthManagementBase) do
-    depends :oauth_base
+    depends :oauth_authorize_base
 
     button "Previous", "oauth_management_pagination_previous"
     button "Next", "oauth_management_pagination_next"

data/lib/rodauth/features/oauth_pkce.rb

@@ -29,7 +29,7 @@ module Rodauth
       super
     end
 
-    def validate_oauth_grant_params
+    def validate_authorize_params
       validate_pkce_challenge_params if use_oauth_pkce?
 
       super
@@ -47,7 +47,7 @@ module Rodauth
       super
     end
 
-    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params, *)
       if use_oauth_pkce?
         if oauth_grant[oauth_grants_code_challenge_column]
           code_verifier = param_or_nil("code_verifier")

data/lib/rodauth/features/oauth_resource_indicators.rb

@@ -1,11 +1,11 @@
-# frozen-string-literal: true
+# frozen_string_literal: true
 
 require "rodauth/oauth/version"
 require "rodauth/oauth/ttl_store"
 
 module Rodauth
   Feature.define(:oauth_resource_indicators, :OauthResourceIndicators) do
-    depends :oauth_base
+    depends :oauth_authorize_base
 
     auth_value_method :oauth_grants_resource_column, :resource
     auth_value_method :oauth_tokens_resource_column, :resource
@@ -80,7 +80,7 @@ module Rodauth
     module IndicatorAuthorizationCodeGrant
       private
 
-      def validate_oauth_grant_params
+      def validate_authorize_params
         super
 
         return unless resource_indicators
@@ -90,7 +90,7 @@ module Rodauth
         end
       end
 
-      def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+      def create_oauth_token_from_authorization_code(oauth_grant, create_params, *args)
         return super unless resource_indicators
 
         redirect_response_error("invalid_target") unless oauth_grant[oauth_grants_resource_column]
@@ -101,7 +101,7 @@ module Rodauth
 
         redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
 
-        super(oauth_grant, create_params.merge(oauth_tokens_resource_column => resource_indicators))
+        super(oauth_grant, create_params.merge(oauth_tokens_resource_column => resource_indicators), *args)
       end
 
       def create_oauth_grant(create_params = {})

data/lib/rodauth/features/oauth_saml_bearer_grant.rb

@@ -1,4 +1,4 @@
-# frozen-string-literal: true
+# frozen_string_literal: true
 
 require "onelogin/ruby-saml"
 

data/lib/rodauth/features/oauth_token_introspection.rb

@@ -84,7 +84,7 @@ module Rodauth
       http = Net::HTTP.new(auth_url.host, auth_url.port)
       http.use_ssl = auth_url.scheme == "https"
 
-      request = Net::HTTP::Post.new(introspect_path)
+      request = Net::HTTP::Post.new(auth_url.path + introspect_path)
       request["content-type"] = "application/x-www-form-urlencoded"
       request["accept"] = json_response_content_type
       request.set_form_data({ "token_type_hint" => token_type_hint, "token" => token })

data/lib/rodauth/features/oauth_token_management.rb

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth/refinements"
+
 module Rodauth
   Feature.define(:oauth_token_management, :OauthTokenManagement) do
     using RegexpExtensions
 
-    depends :oauth_management_base
+    depends :oauth_management_base, :oauth_token_revocation
 
     view "oauth_tokens", "My Oauth Tokens", "oauth_tokens"
 

data/lib/rodauth/features/oidc.rb

@@ -1,4 +1,4 @@
-# frozen-string-literal: true
+# frozen_string_literal: true
 
 module Rodauth
   Feature.define(:oidc, :Oidc) do
@@ -272,19 +272,21 @@ module Rodauth
       end
     end
 
-    def validate_oauth_grant_params
+    def validate_authorize_params
       return super unless (max_age = param_or_nil("max_age"))
 
       max_age = Integer(max_age)
 
       redirect_response_error("invalid_request") unless max_age.positive?
 
-      return unless Time.now - last_account_login_at > max_age
+      if Time.now - last_account_login_at > max_age
+        # force user to re-login
+        clear_session
+        set_session_value(login_redirect_session_key, request.fullpath)
+        redirect require_login_redirect
+      end
 
-      # force user to re-login
-      clear_session
-      set_session_value(login_redirect_session_key, request.fullpath)
-      redirect require_login_redirect
+      super
     end
 
     def require_authorizable_account
@@ -385,7 +387,7 @@ module Rodauth
       super
     end
 
-    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params, *)
       create_params[oauth_tokens_nonce_column] = oauth_grant[oauth_grants_nonce_column] if oauth_grant[oauth_grants_nonce_column]
       create_params[oauth_tokens_acr_column] = oauth_grant[oauth_grants_acr_column] if oauth_grant[oauth_grants_acr_column]
 

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.10.2"
+    VERSION = "0.10.3"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.10.2
+  version: 0.10.3
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-11 00:00:00.000000000 Z
+date: 2022-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -42,6 +42,7 @@ extra_rdoc_files:
 - doc/release_notes/0_10_0.md
 - doc/release_notes/0_10_1.md
 - doc/release_notes/0_10_2.md
+- doc/release_notes/0_10_3.md
 - doc/release_notes/0_1_0.md
 - doc/release_notes/0_2_0.md
 - doc/release_notes/0_3_0.md
@@ -76,6 +77,7 @@ files:
 - doc/release_notes/0_10_0.md
 - doc/release_notes/0_10_1.md
 - doc/release_notes/0_10_2.md
+- doc/release_notes/0_10_3.md
 - doc/release_notes/0_1_0.md
 - doc/release_notes/0_2_0.md
 - doc/release_notes/0_3_0.md
@@ -116,6 +118,7 @@ files:
 - lib/rodauth/features/oauth_assertion_base.rb
 - lib/rodauth/features/oauth_authorization_code_grant.rb
 - lib/rodauth/features/oauth_authorization_server.rb
+- lib/rodauth/features/oauth_authorize_base.rb
 - lib/rodauth/features/oauth_base.rb
 - lib/rodauth/features/oauth_client_credentials_grant.rb
 - lib/rodauth/features/oauth_device_grant.rb