rodauth-oauth 0.10.3 → 0.10.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/doc/release_notes/0_10_3.md +1 -1
- data/doc/release_notes/0_10_4.md +11 -0
- data/lib/rodauth/features/oauth_base.rb +1 -1
- data/lib/rodauth/features/oauth_jwt.rb +10 -0
- data/lib/rodauth/features/oauth_resource_indicators.rb +6 -1
- data/lib/rodauth/features/oauth_token_introspection.rb +1 -0
- data/lib/rodauth/features/oauth_token_revocation.rb +3 -1
- data/lib/rodauth/oauth/version.rb +1 -1
- metadata +4 -4
- data/lib/rodauth/features/oauth_authorization_server.rb +0 -0
- data/lib/rodauth/features/oauth_resource_server.rb +0 -21
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fa43bf0d9c1f6d8ac7a9e2c05b9f9751a68bf0720d47bcdcd92090cdc80b8ec6
|
|
4
|
+
data.tar.gz: 14101a64005ea99770b2548c3dda8589b06c10cb8d26a4bb30a9e396c301ec17
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d5ca40d77877ff713dad6bee5d6424d869a8e6d61101fe87ff18c97372e3c9d8d2acd6fc3450ea8f938582f42740ff5da1326a3501b46e43ada73d1d192592a8
|
|
7
|
+
data.tar.gz: 4cd099ee6f8e8b5195fb62d8370e46063fa88a1eb3631cad0705fff076d627c891e6cbfc147e7f0c3c4ea651463f611e87c756e93f65b9475322d523f5b101b1
|
data/doc/release_notes/0_10_3.md
CHANGED
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
### 0.10.4 (18/09/2022)
|
|
2
|
+
|
|
3
|
+
#### Bugfixes
|
|
4
|
+
|
|
5
|
+
* refresh token lookups are now scoped by application.
|
|
6
|
+
|
|
7
|
+
This bug meant that lookups of refresh token via the refresh token grant were not scoped by the application identified by the `/token` request credentials, so grant hijacking could happen in theory, if attackers knew of existing refresh tokens.
|
|
8
|
+
|
|
9
|
+
The same issue was observed (and fixed) for token revocation (this time involving the access token).
|
|
10
|
+
|
|
11
|
+
* Fix for a case which made resource indicators unusable under Rack 3.0 .
|
|
@@ -530,7 +530,7 @@ module Rodauth
|
|
|
530
530
|
end
|
|
531
531
|
|
|
532
532
|
def oauth_token_by_refresh_token(token, revoked: false)
|
|
533
|
-
ds = db[oauth_tokens_table]
|
|
533
|
+
ds = db[oauth_tokens_table].where(oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column])
|
|
534
534
|
#
|
|
535
535
|
# filter expired refresh tokens out.
|
|
536
536
|
# an expired refresh token is a token whose access token expired for a period longer than the
|
|
@@ -241,6 +241,16 @@ module Rodauth
|
|
|
241
241
|
jwt_decode(token)
|
|
242
242
|
end
|
|
243
243
|
|
|
244
|
+
def token_from_application?(grant_or_claims, oauth_application)
|
|
245
|
+
return super if grant_or_claims[oauth_tokens_id_column]
|
|
246
|
+
|
|
247
|
+
if grant_or_claims["client_id"]
|
|
248
|
+
grant_or_claims["client_id"] == oauth_application[oauth_applications_client_id_column]
|
|
249
|
+
else
|
|
250
|
+
Array(grant_or_claims["aud"]).include?(oauth_application[oauth_applications_client_id_column])
|
|
251
|
+
end
|
|
252
|
+
end
|
|
253
|
+
|
|
244
254
|
def json_token_introspect_payload(oauth_token)
|
|
245
255
|
return { active: false } unless oauth_token
|
|
246
256
|
|
|
@@ -20,7 +20,12 @@ module Rodauth
|
|
|
20
20
|
if json_request? || param_or_nil("request") # signed request
|
|
21
21
|
resources = Array(resources)
|
|
22
22
|
else
|
|
23
|
-
query = request.form_data?
|
|
23
|
+
query = if request.form_data?
|
|
24
|
+
request.body.rewind
|
|
25
|
+
request.body.read
|
|
26
|
+
else
|
|
27
|
+
request.query_string
|
|
28
|
+
end
|
|
24
29
|
# resource query param does not conform to rack parsing rules
|
|
25
30
|
resources = URI.decode_www_form(query).each_with_object([]) do |(k, v), memo|
|
|
26
31
|
memo << v if k == "resource"
|
|
@@ -74,7 +74,9 @@ module Rodauth
|
|
|
74
74
|
oauth_token = if param("token_type_hint") == "refresh_token"
|
|
75
75
|
oauth_token_by_refresh_token(token)
|
|
76
76
|
else
|
|
77
|
-
|
|
77
|
+
oauth_token_by_token_ds(token).where(
|
|
78
|
+
oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column]
|
|
79
|
+
).first
|
|
78
80
|
end
|
|
79
81
|
|
|
80
82
|
redirect_response_error("invalid_request") unless oauth_token
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth-oauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.10.
|
|
4
|
+
version: 0.10.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tiago Cardoso
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-09-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rodauth
|
|
@@ -43,6 +43,7 @@ extra_rdoc_files:
|
|
|
43
43
|
- doc/release_notes/0_10_1.md
|
|
44
44
|
- doc/release_notes/0_10_2.md
|
|
45
45
|
- doc/release_notes/0_10_3.md
|
|
46
|
+
- doc/release_notes/0_10_4.md
|
|
46
47
|
- doc/release_notes/0_1_0.md
|
|
47
48
|
- doc/release_notes/0_2_0.md
|
|
48
49
|
- doc/release_notes/0_3_0.md
|
|
@@ -78,6 +79,7 @@ files:
|
|
|
78
79
|
- doc/release_notes/0_10_1.md
|
|
79
80
|
- doc/release_notes/0_10_2.md
|
|
80
81
|
- doc/release_notes/0_10_3.md
|
|
82
|
+
- doc/release_notes/0_10_4.md
|
|
81
83
|
- doc/release_notes/0_1_0.md
|
|
82
84
|
- doc/release_notes/0_2_0.md
|
|
83
85
|
- doc/release_notes/0_3_0.md
|
|
@@ -117,7 +119,6 @@ files:
|
|
|
117
119
|
- lib/rodauth/features/oauth_application_management.rb
|
|
118
120
|
- lib/rodauth/features/oauth_assertion_base.rb
|
|
119
121
|
- lib/rodauth/features/oauth_authorization_code_grant.rb
|
|
120
|
-
- lib/rodauth/features/oauth_authorization_server.rb
|
|
121
122
|
- lib/rodauth/features/oauth_authorize_base.rb
|
|
122
123
|
- lib/rodauth/features/oauth_base.rb
|
|
123
124
|
- lib/rodauth/features/oauth_client_credentials_grant.rb
|
|
@@ -130,7 +131,6 @@ files:
|
|
|
130
131
|
- lib/rodauth/features/oauth_management_base.rb
|
|
131
132
|
- lib/rodauth/features/oauth_pkce.rb
|
|
132
133
|
- lib/rodauth/features/oauth_resource_indicators.rb
|
|
133
|
-
- lib/rodauth/features/oauth_resource_server.rb
|
|
134
134
|
- lib/rodauth/features/oauth_saml_bearer_grant.rb
|
|
135
135
|
- lib/rodauth/features/oauth_token_introspection.rb
|
|
136
136
|
- lib/rodauth/features/oauth_token_management.rb
|
|
File without changes
|
|
@@ -1,21 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
module Rodauth
|
|
4
|
-
Feature.define(:oauth_resource_server, :OauthResourceServer) do
|
|
5
|
-
def authorization_token
|
|
6
|
-
return @authorization_token if defined?(@authorization_token)
|
|
7
|
-
|
|
8
|
-
# check if there is a token
|
|
9
|
-
bearer_token = fetch_access_token
|
|
10
|
-
|
|
11
|
-
return unless bearer_token
|
|
12
|
-
|
|
13
|
-
# where in resource server, NOT the authorization server.
|
|
14
|
-
payload = introspection_request("access_token", bearer_token)
|
|
15
|
-
|
|
16
|
-
return unless payload["active"]
|
|
17
|
-
|
|
18
|
-
@authorization_token = payload
|
|
19
|
-
end
|
|
20
|
-
end
|
|
21
|
-
end
|