rodauth-oauth 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 02d69464053b6809900da774b4c9957d642b003d0a0de7aa076e57a5eb8895bc
-  data.tar.gz: e1dd94b69aa4bdf051b1c28d684a0ec2a1435da9f99ca6bf77da9d537474f9a6
+  metadata.gz: 24f3563d467a065dc119cbe53c0f14c8f28654d6512de0b7fd09a99e3f4aabdb
+  data.tar.gz: 8abc6dc62b463885f7198cafec57fe707f99885e67754be1d7cefbbefa31a834
 SHA512:
-  metadata.gz: cfe325a2e8daa96a72b4577566ae84772dcf114411ebbd9d0115f0f33f5b104f7c138a1b1ef7813d46f0fd2226c6560db5d974e51ec92b33ce7e393726005b2d
-  data.tar.gz: df5866c1cd089c0d361a00d1ffd1db02df9b6551940dbf70e7390657fa8558ae0fb3c8eb2fcff6ec6fb9fd52406a99615574305d5a3bacdbd20f5fc22bacd63f
+  metadata.gz: 9fd172c9930f1cf88239a8f5ba7d5c93dc9c92b05a601c6f909b5ad12e4319ce0aa093831b93dad93542fdda0cdc1694b001ca78922239e80a2370472373b9a5
+  data.tar.gz: 26e8e9c619425213f2cd5f21e7710f9561c0b0395bd8928656584c88586f4197bf80a765d9a90baea604ef9fdaff5c27f4b8447adf3fa617463e26b7b0a08470

data/CHANGELOG.md

@@ -2,6 +2,35 @@
 
 ## master
 
+### 0.3.0
+
+#### Features
+
+* `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also,  refresh token requests doen with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
+
+#### Improvements
+
+
+* Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
+
+* Refresh Tokens are now expired. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective token expired.
+
+#### Bugfixes
+
+* Default Templates now being packaged, as a way to provide a default experience to the OAuth journeys.
+
+* fixing metadata urls when plugin loaded with a prefix path (@ianks)
+
+* All date/time-based calculations, such as determining an expiration date, or checking if a token has expired, are now performed using database arithmetic operations, using sequel's `date_arithmetic` plugin. This will eliminate subtle bugs, such as when the database timezone is different than the application OS timezone.
+
+* OIDC configuration endpoint is now stricter, eliminating JSON metadata inherited from the Oauth metadata endpoint. (@ianks)
+
+#### Chore
+
+Use `rodauth.convert_timestamp` in the templates, whenever dates are displayed.
+
+Set HTTP Cache headers for metadata responses, such as `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`, so they can be stored at the edge. The cache will be valid for 1 day (this value isn't set by an option yet).
+
 ### 0.2.0
 
 #### Features

data/README.md

@@ -1,7 +1,7 @@
 # Rodauth::Oauth
 
 [![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/pipelines?page=1&ref=master)
-[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
+[![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg?job=coverage)](https://honeyryderchuck.gitlab.io/rodauth-oauth/coverage/#_AllFiles)
 
 This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framework](https://tools.ietf.org/html/rfc6749) for an authorization server.
 

data/lib/rodauth/features/oauth.rb

@@ -46,6 +46,8 @@ module Rodauth
 
     SCOPES = %w[profile.read].freeze
 
+    SERVER_METADATA = OAuth::TtlStore.new
+
     before "authorize"
     after "authorize"
 
@@ -75,6 +77,7 @@ module Rodauth
 
     auth_value_method :oauth_grant_expires_in, 60 * 5 # 5 minutes
     auth_value_method :oauth_token_expires_in, 60 * 60 # 60 minutes
+    auth_value_method :oauth_refresh_token_expires_in, 60 * 60 * 24 * 360 # 1 year
     auth_value_method :use_oauth_implicit_grant_type?, false
     auth_value_method :use_oauth_pkce?, true
     auth_value_method :use_oauth_access_type?, true
@@ -149,9 +152,11 @@ module Rodauth
       auth_value_method :"oauth_applications_#{column}_column", column
     end
 
+    # Feature options
     auth_value_method :oauth_application_default_scope, SCOPES.first
     auth_value_method :oauth_application_scopes, SCOPES
     auth_value_method :oauth_token_type, "bearer"
+    auth_value_method :oauth_refresh_token_protection_policy, "none" # can be: none, sender_constrained, rotation
 
     auth_value_method :invalid_client_message, "Invalid client"
     auth_value_method :invalid_grant_type_message, "Invalid grant type"
@@ -200,7 +205,184 @@ module Rodauth
 
     auth_value_method :json_request_regexp, %r{\bapplication/(?:vnd\.api\+)?json\b}i
 
-    SERVER_METADATA = OAuth::TtlStore.new
+    # /token
+    route(:token) do |r|
+      next unless is_authorization_server?
+
+      before_token_route
+      require_oauth_application
+
+      r.post do
+        catch_error do
+          validate_oauth_token_params
+
+          oauth_token = nil
+          transaction do
+            before_token
+            oauth_token = create_oauth_token
+          end
+
+          json_response_success(json_access_token_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # /introspect
+    route(:introspect) do |r|
+      next unless is_authorization_server?
+
+      before_introspect_route
+
+      r.post do
+        catch_error do
+          validate_oauth_introspect_params
+
+          before_introspect
+          oauth_token = case param("token_type_hint")
+                        when "access_token"
+                          oauth_token_by_token(param("token"))
+                        when "refresh_token"
+                          oauth_token_by_refresh_token(param("token"))
+                        else
+                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
+                        end
+
+          if oauth_application
+            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
+          elsif oauth_token
+            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
+              oauth_token[oauth_tokens_oauth_application_id_column]).first
+          end
+
+          json_response_success(json_token_introspect_payload(oauth_token))
+        end
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
+      end
+    end
+
+    # /revoke
+    route(:revoke) do |r|
+      next unless is_authorization_server?
+
+      before_revoke_route
+      require_oauth_application
+
+      r.post do
+        catch_error do
+          validate_oauth_revoke_params
+
+          oauth_token = nil
+          transaction do
+            before_revoke
+            oauth_token = revoke_oauth_token
+            after_revoke
+          end
+
+          if accepts_json?
+            json_response_success \
+              "token" => oauth_token[oauth_tokens_token_column],
+              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
+              "revoked_at" => convert_timestamp(oauth_token[oauth_tokens_revoked_at_column])
+          else
+            set_notice_flash revoke_oauth_token_notice_flash
+            redirect request.referer || "/"
+          end
+        end
+
+        redirect_response_error("invalid_request", request.referer || "/")
+      end
+    end
+
+    # /authorize
+    route(:authorize) do |r|
+      next unless is_authorization_server?
+
+      before_authorize_route
+      require_authorizable_account
+
+      validate_oauth_grant_params
+      try_approval_prompt if use_oauth_access_type? && request.get?
+
+      r.get do
+        authorize_view
+      end
+
+      r.post do
+        redirect_url = URI.parse(redirect_uri)
+
+        transaction do
+          before_authorize
+          do_authorize(redirect_url)
+        end
+        redirect(redirect_url.to_s)
+      end
+    end
+
+    def oauth_server_metadata(issuer = nil)
+      request.on(".well-known") do
+        request.on("oauth-authorization-server") do
+          request.get do
+            json_response_success(oauth_server_metadata_body(issuer), true)
+          end
+        end
+      end
+    end
+
+    # /oauth-applications routes
+    def oauth_applications
+      request.on(oauth_applications_path) do
+        require_account
+
+        request.get "new" do
+          new_oauth_application_view
+        end
+
+        request.on(oauth_applications_id_pattern) do |id|
+          oauth_application = db[oauth_applications_table].where(oauth_applications_id_column => id).first
+          next unless oauth_application
+
+          scope.instance_variable_set(:@oauth_application, oauth_application)
+
+          request.is do
+            request.get do
+              oauth_application_view
+            end
+          end
+
+          request.on(oauth_tokens_path) do
+            oauth_tokens = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => id)
+            scope.instance_variable_set(:@oauth_tokens, oauth_tokens)
+            request.get do
+              oauth_tokens_view
+            end
+          end
+        end
+
+        request.get do
+          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table])
+          oauth_applications_view
+        end
+
+        request.post do
+          catch_error do
+            validate_oauth_application_params
+
+            transaction do
+              before_create_oauth_application
+              id = create_oauth_application
+              after_create_oauth_application
+              set_notice_flash create_oauth_application_notice_flash
+              redirect "#{request.path}/#{id}"
+            end
+          end
+          set_error_flash create_oauth_application_error_flash
+          new_oauth_application_view
+        end
+      end
+    end
 
     def check_csrf?
       case request.path
@@ -324,69 +506,6 @@ module Rodauth
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
     end
 
-    # /oauth-applications routes
-    def oauth_applications
-      request.on(oauth_applications_path) do
-        require_account
-
-        request.get "new" do
-          new_oauth_application_view
-        end
-
-        request.on(oauth_applications_id_pattern) do |id|
-          oauth_application = db[oauth_applications_table].where(oauth_applications_id_column => id).first
-          next unless oauth_application
-
-          scope.instance_variable_set(:@oauth_application, oauth_application)
-
-          request.is do
-            request.get do
-              oauth_application_view
-            end
-          end
-
-          request.on(oauth_tokens_path) do
-            oauth_tokens = db[oauth_tokens_table].where(oauth_tokens_oauth_application_id_column => id)
-            scope.instance_variable_set(:@oauth_tokens, oauth_tokens)
-            request.get do
-              oauth_tokens_view
-            end
-          end
-        end
-
-        request.get do
-          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table])
-          oauth_applications_view
-        end
-
-        request.post do
-          catch_error do
-            validate_oauth_application_params
-
-            transaction do
-              before_create_oauth_application
-              id = create_oauth_application
-              after_create_oauth_application
-              set_notice_flash create_oauth_application_notice_flash
-              redirect "#{request.path}/#{id}"
-            end
-          end
-          set_error_flash create_oauth_application_error_flash
-          new_oauth_application_view
-        end
-      end
-    end
-
-    def oauth_server_metadata(issuer = nil)
-      request.on(".well-known") do
-        request.on("oauth-authorization-server") do
-          request.get do
-            json_response_success(oauth_server_metadata_body(issuer))
-          end
-        end
-      end
-    end
-
     def post_configure
       super
       self.class.__send__(:include, Rodauth::OAuth::ExtendDatabase(db))
@@ -401,6 +520,10 @@ module Rodauth
       self.class.send(:define_method, :__one_oauth_token_per_account) { one_oauth_token_per_account }
     end
 
+    def use_date_arithmetic?
+      true
+    end
+
     private
 
     def rescue_from_uniqueness_error(&block)
@@ -446,9 +569,9 @@ module Rodauth
         # time-to-live
         ttl = if response.key?("cache-control")
                 cache_control = response["cache-control"]
-                cache_control[/max-age=(\d+)/, 1]
+                cache_control[/max-age=(\d+)/, 1].to_i
               elsif response.key?("expires")
-                DateTime.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+                Time.parse(response["expires"]).to_i - Time.now.to_i
               end
 
         [JSON.parse(response.body, symbolize_names: true), ttl]
@@ -516,7 +639,7 @@ module Rodauth
     end
 
     def oauth_unique_id_generator
-      SecureRandom.hex(32)
+      SecureRandom.urlsafe_base64(32)
     end
 
     def generate_token_hash(token)
@@ -537,7 +660,7 @@ module Rodauth
 
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
-        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
       }.merge(params)
 
       rescue_from_uniqueness_error do
@@ -597,26 +720,37 @@ module Rodauth
       end
     end
 
-    def oauth_token_by_token(token, dataset = db[oauth_tokens_table])
+    def oauth_token_by_token(token)
+      ds = db[oauth_tokens_table]
+
       ds = if oauth_tokens_token_hash_column
-             dataset.where(oauth_tokens_token_hash_column => generate_token_hash(token))
+             ds.where(oauth_tokens_token_hash_column => generate_token_hash(token))
            else
-             dataset.where(oauth_tokens_token_column => token)
+             ds.where(oauth_tokens_token_column => token)
            end
 
       ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
         .where(oauth_tokens_revoked_at_column => nil).first
     end
 
-    def oauth_token_by_refresh_token(token, dataset = db[oauth_tokens_table])
+    def oauth_token_by_refresh_token(token, revoked: false)
+      ds = db[oauth_tokens_table]
+      #
+      # filter expired refresh tokens out.
+      # an expired refresh token is a token whose access token expired for a period longer than the
+      # refresh token expiration period.
+      #
+      ds = ds.where(Sequel.date_add(oauth_tokens_expires_in_column, seconds: oauth_refresh_token_expires_in) >= Sequel::CURRENT_TIMESTAMP)
+
       ds = if oauth_tokens_refresh_token_hash_column
-             dataset.where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
+             ds.where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
            else
-             dataset.where(oauth_tokens_refresh_token_column => token)
+             ds.where(oauth_tokens_refresh_token_column => token)
            end
 
-      ds.where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-        .where(oauth_tokens_revoked_at_column => nil).first
+      ds = ds.where(oauth_tokens_revoked_at_column => nil) unless revoked
+
+      ds.first
     end
 
     def json_access_token_payload(oauth_token)
@@ -731,7 +865,6 @@ module Rodauth
       ).count.zero?
 
       # if there's a previous oauth grant for the params combo, it means that this user has approved before.
-
       request.env["REQUEST_METHOD"] = "POST"
     end
 
@@ -740,7 +873,7 @@ module Rodauth
         oauth_grants_account_id_column => account_id,
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_grants_redirect_uri_column => redirect_uri,
-        oauth_grants_expires_in_column => Time.now + oauth_grant_expires_in,
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in),
         oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
       )
 
@@ -846,14 +979,30 @@ module Rodauth
         }
         create_oauth_token_from_authorization_code(oauth_grant, create_params)
       when "refresh_token"
-        # fetch oauth token
-        oauth_token = oauth_token_by_refresh_token(param("refresh_token"))
-
-        redirect_response_error("invalid_grant") unless oauth_token
+        # fetch potentially revoked oauth token
+        oauth_token = oauth_token_by_refresh_token(param("refresh_token"), revoked: true)
+
+        if !oauth_token
+          redirect_response_error("invalid_grant")
+        elsif oauth_token[oauth_tokens_revoked_at_column]
+          if oauth_refresh_token_protection_policy == "rotation"
+            # https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00#section-6.1
+            #
+            # If a refresh token is compromised and subsequently used by both the attacker and the legitimate
+            # client, one of them will present an invalidated refresh token, which will inform the authorization
+            # server of the breach.  The authorization server cannot determine which party submitted the invalid
+            # refresh token, but it will revoke the active refresh token.  This stops the attack at the cost of
+            # forcing the legitimate client to obtain a fresh authorization grant.
+
+            db[oauth_tokens_table].where(oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column])
+                                  .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+          end
+          redirect_response_error("invalid_grant")
+        end
 
         update_params = {
           oauth_tokens_oauth_application_id_column => oauth_token[oauth_grants_oauth_application_id_column],
-          oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in
+          oauth_tokens_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
         }
         create_oauth_token_from_token(oauth_token, update_params)
       end
@@ -885,6 +1034,7 @@ module Rodauth
       redirect_response_error("invalid_grant") unless token_from_application?(oauth_token, oauth_application)
 
       rescue_from_uniqueness_error do
+        oauth_tokens_ds = db[oauth_tokens_table]
         token = oauth_unique_id_generator
 
         if oauth_tokens_token_hash_column
@@ -893,9 +1043,25 @@ module Rodauth
           update_params[oauth_tokens_token_column] = token
         end
 
-        ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+        oauth_token = if oauth_refresh_token_protection_policy == "rotation"
+                        insert_params = {
+                          **update_params,
+                          oauth_tokens_oauth_token_id_column => oauth_token[oauth_tokens_id_column],
+                          oauth_tokens_scopes_column => oauth_token[oauth_tokens_scopes_column]
+                        }
+
+                        # revoke the refresh token
+                        oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+                                       .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+
+                        insert_params[oauth_tokens_oauth_token_id_column] = oauth_token[oauth_tokens_id_column]
+                        __insert_and_return__(oauth_tokens_ds, oauth_tokens_id_column, insert_params)
+                      else
+                        # includes none
+                        ds = oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
+                        __update_and_return__(ds, update_params)
+                      end
 
-        oauth_token = __update_and_return__(ds, update_params)
         oauth_token[oauth_tokens_token_column] = token
         oauth_token
       end
@@ -1000,9 +1166,17 @@ module Rodauth
       end
     end
 
-    def json_response_success(body)
+    def json_response_success(body, cache = false)
       response.status = 200
       response["Content-Type"] ||= json_response_content_type
+      if cache
+        # defaulting to 1-day for everyone, for now at least
+        max_age = 60 * 60 * 24
+        response["Cache-Control"] = "private, max-age=#{max_age}"
+      else
+        response["Cache-Control"] = "no-store"
+        response["Pragma"] = "no-cache"
+      end
       json_payload = _json_response_body(body)
       response.write(json_payload)
       request.halt
@@ -1130,11 +1304,12 @@ module Rodauth
         response_modes_supported << "fragment"
         grant_types_supported << "implicit"
       end
+
       {
         issuer: issuer,
         authorization_endpoint: authorize_url,
         token_endpoint: token_url,
-        registration_endpoint: "#{base_url}/#{oauth_applications_path}",
+        registration_endpoint: route_url(oauth_applications_path),
         scopes_supported: oauth_application_scopes,
         response_types_supported: responses_supported,
         response_modes_supported: response_modes_supported,
@@ -1151,121 +1326,5 @@ module Rodauth
         code_challenge_methods_supported: (use_oauth_pkce? ? oauth_pkce_challenge_method : nil)
       }
     end
-
-    # /token
-    route(:token) do |r|
-      next unless is_authorization_server?
-
-      before_token_route
-      require_oauth_application
-
-      r.post do
-        catch_error do
-          validate_oauth_token_params
-
-          oauth_token = nil
-          transaction do
-            before_token
-            oauth_token = create_oauth_token
-          end
-
-          json_response_success(json_access_token_payload(oauth_token))
-        end
-
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
-      end
-    end
-
-    # /introspect
-    route(:introspect) do |r|
-      next unless is_authorization_server?
-
-      before_introspect_route
-
-      r.post do
-        catch_error do
-          validate_oauth_introspect_params
-
-          before_introspect
-          oauth_token = case param("token_type_hint")
-                        when "access_token"
-                          oauth_token_by_token(param("token"))
-                        when "refresh_token"
-                          oauth_token_by_refresh_token(param("token"))
-                        else
-                          oauth_token_by_token(param("token")) || oauth_token_by_refresh_token(param("token"))
-                        end
-
-          if oauth_application
-            redirect_response_error("invalid_request") if oauth_token && !token_from_application?(oauth_token, oauth_application)
-          elsif oauth_token
-            @oauth_application = db[oauth_applications_table].where(oauth_applications_id_column =>
-              oauth_token[oauth_tokens_oauth_application_id_column]).first
-          end
-
-          json_response_success(json_token_introspect_payload(oauth_token))
-        end
-
-        throw_json_response_error(invalid_oauth_response_status, "invalid_request")
-      end
-    end
-
-    # /revoke
-    route(:revoke) do |r|
-      next unless is_authorization_server?
-
-      before_revoke_route
-      require_oauth_application
-
-      r.post do
-        catch_error do
-          validate_oauth_revoke_params
-
-          oauth_token = nil
-          transaction do
-            before_revoke
-            oauth_token = revoke_oauth_token
-            after_revoke
-          end
-
-          if accepts_json?
-            json_response_success \
-              "token" => oauth_token[oauth_tokens_token_column],
-              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
-              "revoked_at" => oauth_token[oauth_tokens_revoked_at_column]
-          else
-            set_notice_flash revoke_oauth_token_notice_flash
-            redirect request.referer || "/"
-          end
-        end
-
-        redirect_response_error("invalid_request", request.referer || "/")
-      end
-    end
-
-    # /authorize
-    route(:authorize) do |r|
-      next unless is_authorization_server?
-
-      before_authorize_route
-      require_authorizable_account
-
-      validate_oauth_grant_params
-      try_approval_prompt if use_oauth_access_type? && request.get?
-
-      r.get do
-        authorize_view
-      end
-
-      r.post do
-        redirect_url = URI.parse(redirect_uri)
-
-        transaction do
-          before_authorize
-          do_authorize(redirect_url)
-        end
-        redirect(redirect_url.to_s)
-      end
-    end
   end
 end

data/lib/rodauth/features/oauth_jwt.rb

@@ -6,6 +6,8 @@ module Rodauth
   Feature.define(:oauth_jwt) do
     depends :oauth
 
+    JWKS = OAuth::TtlStore.new
+
     auth_value_method :oauth_jwt_subject_type, "public" # public, pairwise
     auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
 
@@ -39,7 +41,13 @@ module Rodauth
       :last_account_login_at
     )
 
-    JWKS = OAuth::TtlStore.new
+    route(:jwks) do |r|
+      next unless is_authorization_server?
+
+      r.get do
+        json_response_success({ keys: jwks_set }, true)
+      end
+    end
 
     def require_oauth_authorization(*scopes)
       authorization_required unless authorization_token
@@ -168,7 +176,7 @@ module Rodauth
 
     def generate_oauth_token(params = {}, should_generate_refresh_token = true)
       create_params = {
-        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_token_expires_in)
       }.merge(params)
 
       oauth_token = rescue_from_uniqueness_error do
@@ -198,7 +206,7 @@ module Rodauth
     end
 
     def jwt_claims(oauth_token)
-      issued_at = Time.now.utc.to_i
+      issued_at = Time.now.to_i
 
       claims = {
         iss: (oauth_jwt_token_issuer || authorization_server_url), # issuer
@@ -219,7 +227,7 @@ module Rodauth
         aud: (oauth_jwt_audience || oauth_application[oauth_applications_client_id_column])
       }
 
-      claims[:auth_time] = last_account_login_at.utc.to_i if last_account_login_at
+      claims[:auth_time] = last_account_login_at.to_i if last_account_login_at
 
       claims
     end
@@ -237,7 +245,7 @@ module Rodauth
       end
     end
 
-    def oauth_token_by_token(token, *)
+    def oauth_token_by_token(token)
       jwt_decode(token)
     end
 
@@ -300,9 +308,9 @@ module Rodauth
         # time-to-live
         ttl = if response.key?("cache-control")
                 cache_control = response["cache-control"]
-                cache_control[/max-age=(\d+)/, 1]
+                cache_control[/max-age=(\d+)/, 1].to_i
               elsif response.key?("expires")
-                DateTime.httpdate(response["expires"]).utc.to_i - Time.now.utc.to_i
+                Time.parse(response["expires"]).to_i - Time.now.to_i
               end
 
         [JSON.parse(response.body, symbolize_names: true), ttl]
@@ -454,13 +462,5 @@ module Rodauth
 
       super
     end
-
-    route(:jwks) do |r|
-      next unless is_authorization_server?
-
-      r.get do
-        json_response_success({ keys: jwks_set })
-      end
-    end
   end
 end

data/lib/rodauth/features/oidc.rb

@@ -10,6 +10,54 @@ module Rodauth
       "phone" => %i[phone_number phone_number_verified].freeze
     }.freeze
 
+    VALID_METADATA_KEYS = %i[
+      issuer
+      authorization_endpoint
+      token_endpoint
+      userinfo_endpoint
+      jwks_uri
+      registration_endpoint
+      scopes_supported
+      response_types_supported
+      response_modes_supported
+      grant_types_supported
+      acr_values_supported
+      subject_types_supported
+      id_token_signing_alg_values_supported
+      id_token_encryption_alg_values_supported
+      id_token_encryption_enc_values_supported
+      userinfo_signing_alg_values_supported
+      userinfo_encryption_alg_values_supported
+      userinfo_encryption_enc_values_supported
+      request_object_signing_alg_values_supported
+      request_object_encryption_alg_values_supported
+      request_object_encryption_enc_values_supported
+      token_endpoint_auth_methods_supported
+      token_endpoint_auth_signing_alg_values_supported
+      display_values_supported
+      claim_types_supported
+      claims_supported
+      service_documentation
+      claims_locales_supported
+      ui_locales_supported
+      claims_parameter_supported
+      request_parameter_supported
+      request_uri_parameter_supported
+      require_request_uri_registration
+      op_policy_uri
+      op_tos_uri
+    ].freeze
+
+    REQUIRED_METADATA_KEYS = %i[
+      issuer
+      authorization_endpoint
+      token_endpoint
+      jwks_uri
+      response_types_supported
+      subject_types_supported
+      id_token_signing_alg_values_supported
+    ].freeze
+
     depends :oauth_jwt
 
     auth_value_method :oauth_application_default_scope, "openid"
@@ -22,12 +70,47 @@ module Rodauth
 
     auth_value_method :webfinger_relation, "http://openid.net/specs/connect/1.0/issuer"
 
+    auth_value_method :oauth_prompt_login_cookie_key, "_rodauth_oauth_prompt_login"
+    auth_value_method :oauth_prompt_login_cookie_options, {}.freeze
+    auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
+
     auth_value_methods(:get_oidc_param)
 
+    # /userinfo
+    route(:userinfo) do |r|
+      next unless is_authorization_server?
+
+      r.on method: %i[get post] do
+        catch_error do
+          oauth_token = authorization_token
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_token
+
+          oauth_scopes = oauth_token["scope"].split(" ")
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
+
+          account = db[accounts_table].where(account_id_column => oauth_token["sub"]).first
+
+          throw_json_response_error(authorization_required_error_status, "invalid_token") unless account
+
+          oauth_scopes.delete("openid")
+
+          oidc_claims = { "sub" => oauth_token["sub"] }
+
+          fill_with_account_claims(oidc_claims, account, oauth_scopes)
+
+          json_response_success(oidc_claims)
+        end
+
+        throw_json_response_error(authorization_required_error_status, "invalid_token")
+      end
+    end
+
     def openid_configuration(issuer = nil)
       request.on(".well-known/openid-configuration") do
         request.get do
-          json_response_success(openid_configuration_body(issuer))
+          json_response_success(openid_configuration_body(issuer), cache: true)
         end
       end
     end
@@ -57,6 +140,68 @@ module Rodauth
 
     private
 
+    def require_authorizable_account
+      try_prompt if param_or_nil("prompt")
+      super
+    end
+
+    # this executes before checking for a logged in account
+    def try_prompt
+      prompt = param_or_nil("prompt")
+
+      case prompt
+      when "none"
+        redirect_response_error("login_required") unless logged_in?
+
+        require_account
+
+        if db[oauth_grants_table].where(
+          oauth_grants_account_id_column => account_id,
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_redirect_uri_column => redirect_uri,
+          oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+          oauth_grants_access_type_column => "online"
+        ).count.zero?
+          redirect_response_error("consent_required")
+        end
+
+        request.env["REQUEST_METHOD"] = "POST"
+      when "login"
+        if logged_in? && request.cookies[oauth_prompt_login_cookie_key] == "login"
+          ::Rack::Utils.delete_cookie_header!(response.headers, oauth_prompt_login_cookie_key, oauth_prompt_login_cookie_options)
+          return
+        end
+
+        # logging out
+        clear_session
+        set_session_value(login_redirect_session_key, request.fullpath)
+
+        login_cookie_opts = Hash[oauth_prompt_login_cookie_options]
+        login_cookie_opts[:value] = "login"
+        login_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_prompt_login_interval) # 15 minutes
+        ::Rack::Utils.set_cookie_header!(response.headers, oauth_prompt_login_cookie_key, login_cookie_opts)
+
+        redirect require_login_redirect
+      when "consent"
+        require_account
+
+        if db[oauth_grants_table].where(
+          oauth_grants_account_id_column => account_id,
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_redirect_uri_column => redirect_uri,
+          oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+          oauth_grants_access_type_column => "online"
+        ).count.zero?
+          redirect_response_error("consent_required")
+        end
+      when "select-account"
+        # obly works if select_account plugin is available
+        require_select_account if respond_to?(:require_select_account)
+      else
+        redirect_response_error("invalid_request")
+      end
+    end
+
     def create_oauth_grant(create_params = {})
       return super unless (nonce = param_or_nil("nonce"))
 
@@ -190,7 +335,9 @@ module Rodauth
     # Metadata
 
     def openid_configuration_body(path)
-      metadata = oauth_server_metadata_body(path)
+      metadata = oauth_server_metadata_body(path).select do |k, _|
+        VALID_METADATA_KEYS.include?(k)
+      end
 
       scope_claims = oauth_application_scopes.each_with_object([]) do |scope, claims|
         oidc, param = scope.split(".", 2)
@@ -204,63 +351,37 @@ module Rodauth
 
       scope_claims.unshift("auth_time") if last_account_login_at
 
-      metadata.merge({
-                       userinfo_endpoint: userinfo_url,
-                       response_types_supported: metadata[:response_types_supported] +
-                         ["none", "id_token", %w[code token], %w[code id_token], %w[id_token token], %w[code id_token token]],
-                       response_modes_supported: %w[query fragment],
-                       grant_types_supported: %w[authorization_code implicit],
-
-                       subject_types_supported: [oauth_jwt_subject_type],
-
-                       id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],
-                       id_token_encryption_alg_values_supported: [oauth_jwt_jwe_algorithm].compact,
-                       id_token_encryption_enc_values_supported: [oauth_jwt_jwe_encryption_method].compact,
-
-                       userinfo_signing_alg_values_supported: [],
-                       userinfo_encryption_alg_values_supported: [],
-                       userinfo_encryption_enc_values_supported: [],
-
-                       request_object_signing_alg_values_supported: [],
-                       request_object_encryption_alg_values_supported: [],
-                       request_object_encryption_enc_values_supported: [],
-
-                       # These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
-                       # Values defined by this specification are normal, aggregated, and distributed.
-                       # If omitted, the implementation supports only normal Claims.
-                       claim_types_supported: %w[normal],
-                       claims_supported: %w[sub iss iat exp aud] | scope_claims
-                     })
-    end
-
-    # /userinfo
-    route(:userinfo) do |r|
-      next unless is_authorization_server?
-
-      r.on method: %i[get post] do
-        catch_error do
-          oauth_token = authorization_token
-
-          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_token
-
-          oauth_scopes = oauth_token["scope"].split(" ")
-
-          throw_json_response_error(authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
-
-          account = db[accounts_table].where(account_id_column => oauth_token["sub"]).first
-
-          throw_json_response_error(authorization_required_error_status, "invalid_token") unless account
-
-          oauth_scopes.delete("openid")
-
-          oidc_claims = { "sub" => oauth_token["sub"] }
-
-          fill_with_account_claims(oidc_claims, account, oauth_scopes)
-
-          json_response_success(oidc_claims)
-        end
-
-        throw_json_response_error(authorization_required_error_status, "invalid_token")
+      metadata.merge(
+        userinfo_endpoint: userinfo_url,
+        response_types_supported: metadata[:response_types_supported] +
+          ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"],
+        response_modes_supported: %w[query fragment],
+        grant_types_supported: %w[authorization_code implicit],
+
+        subject_types_supported: [oauth_jwt_subject_type],
+
+        id_token_signing_alg_values_supported: metadata[:token_endpoint_auth_signing_alg_values_supported],
+        id_token_encryption_alg_values_supported: [oauth_jwt_jwe_algorithm].compact,
+        id_token_encryption_enc_values_supported: [oauth_jwt_jwe_encryption_method].compact,
+
+        userinfo_signing_alg_values_supported: [],
+        userinfo_encryption_alg_values_supported: [],
+        userinfo_encryption_enc_values_supported: [],
+
+        request_object_signing_alg_values_supported: [],
+        request_object_encryption_alg_values_supported: [],
+        request_object_encryption_enc_values_supported: [],
+
+        # These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
+        # Values defined by this specification are normal, aggregated, and distributed.
+        # If omitted, the implementation supports only normal Claims.
+        claim_types_supported: %w[normal],
+        claims_supported: %w[sub iss iat exp aud] | scope_claims
+      ).reject do |key, val|
+        # Filter null values in optional items
+        (!REQUIRED_METADATA_KEYS.include?(key.to_sym) && val.nil?) ||
+          # Claims with zero elements MUST be omitted from the response
+          (val.respond_to?(:empty?) && val.empty?)
       end
     end
   end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

data/templates/authorize.str

@@ -0,0 +1,33 @@
+<form method="post" class="form-horizontal" role="form" id="authorize-form">
+  #{csrf_tag(rodauth.authorize_path) if respond_to?(:csrf_tag)}
+  <p class="lead">The application #{rodauth.oauth_application[rodauth.oauth_applications_name_column]} would like to access your data.</p>
+
+  <div class="form-group">
+    <h1 class="display-6">#{rodauth.scopes_label}</h1>
+
+    #{
+      rodauth.scopes.map do |scope|
+        <<-HTML
+         	<div class="form-check">
+            <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{scope}" #{"checked disabled" if scope == rodauth.oauth_application_default_scope}>
+            <label class="form-check-label" for="#{scope}">#{scope}</label>
+          </div>
+        HTML
+      end.join
+    }
+
+    <input type="hidden" name="client_id" value="#{rodauth.param("client_id")}"/>
+
+    #{"<input type=\"hidden\" name=\"access_type\" value=\"#{rodauth.param("access_type")}\"/>" if rodauth.param_or_nil("access_type")}
+    #{"<input type=\"hidden\" name=\"response_type\" value=\"#{rodauth.param("response_type")}\"/>" if rodauth.param_or_nil("response_type")}
+    #{"<input type=\"hidden\" name=\"state\" value=\"#{rodauth.param("state")}\"/>" if rodauth.param_or_nil("state")}
+    #{"<input type=\"hidden\" name=\"nonce\" value=\"#{rodauth.param("nonce")}\"/>" if rodauth.param_or_nil("nonce")}
+    #{"<input type=\"hidden\" name=\"redirect_uri\" value=\"#{rodauth.redirect_uri}\"/>" if rodauth.param_or_nil("redirect_uri")}
+    #{"<input type=\"hidden\" name=\"code_challenge\" value=\"#{rodauth.param("code_challenge")}\"/>" if rodauth.param_or_nil("code_challenge")}
+    #{"<input type=\"hidden\" name=\"code_challenge_method\" value=\"#{rodauth.param("code_challenge_method")}\"/>" if rodauth.param_or_nil("code_challenge_method")}
+  </div>
+  <p class="text-center">
+    <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_authorize_button)}"/>
+    <a href="#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{ "&state=#{rodauth.param("state")}" if rodauth.param_or_nil("state")}" class="btn btn-outline-danger">Cancel</a>
+  </p>
+</form>

data/templates/client_secret_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="client_secret">#{rodauth.client_secret_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_client_secret_param, "client_secret", :type=>"text")}
+</div>

data/templates/description_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="description">#{rodauth.description_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_description_param, "description", :type=>"text", :required => false)}
+</div>

data/templates/homepage_url_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="homepage_url">#{rodauth.homepage_url_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_homepage_url_param, "homepage_url", :type=>"text")}
+</div>

data/templates/name_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="name">#{rodauth.name_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_name_param, "name", :type=>"text")}
+</div>

data/templates/new_oauth_application.str

@@ -0,0 +1,10 @@
+<form method="post" action="#{rodauth.oauth_applications_path}" class="rodauth" role="form" id="oauth-application-form">
+  #{rodauth.csrf_tag}
+  #{rodauth.render('name_field')}
+  #{rodauth.render('description_field')}
+  #{rodauth.render('homepage_url_field')}
+  #{rodauth.render('redirect_uri_field')}
+  #{rodauth.render('client_secret_field')}
+  #{rodauth.render('scope_field')}
+  #{rodauth.button(rodauth.oauth_application_button)}
+</form>

data/templates/oauth_application.str

@@ -0,0 +1,11 @@
+<div id="oauth-application">
+  <dl>
+    #{
+      (rodauth.oauth_application_required_params + %w[client_id] - %w[client_secret]).map do |param|
+        "<dt class=\"#{param}\">#{rodauth.send(:"#{param}_label")}</dt>" +
+        "<dd class=\"#{param}\">#{@oauth_application[rodauth.send(:"oauth_applications_#{param}_column")]}</dd>"
+      end.join
+    }
+  </dl>
+  <a href="/#{"#{rodauth.oauth_applications_path}/#{@oauth_application[:id]}/#{rodauth.oauth_tokens_path}"}" class="btn btn-outline-secondary">Oauth Tokens</a>
+</div>

data/templates/oauth_applications.str

@@ -0,0 +1,14 @@
+<div id="oauth-applications">
+  <a class="btn btn-outline-primary" href="/oauth-applications/new">Register new Oauth Application</a>
+  #{
+    if @oauth_applications.count.zero?
+      "<p>No oauth applications yet!</p>"
+    else
+      "<ul class=\"list-group\">" + 
+        @oauth_applications.map do |application|
+          "<li class=\"list-group-item\"><a href=\"/oauth-applications/#{application[:id]}\">#{application[:name]}</a></li>"
+        end.join +
+      "</ul>"
+    end
+  }
+</div>

data/templates/oauth_tokens.str

@@ -0,0 +1,49 @@
+<div id="oauth-tokens">
+  #{
+    if @oauth_tokens.count.zero?
+      "<p>No oauth tokens yet!</p>"
+    else
+      <<-HTML
+        <table class="table">
+          <thead>
+            <tr>
+              <th scope="col">Token</th>
+              <th scope="col">Refresh Token</th>
+              <th scope="col">Expires in</th>
+              <th scope="col">Revoke</th>
+              <th scope="col"><span class="badge badge-pill badge-dark">#{@oauth_tokens.count}</span>
+            </tr>
+          </thead>
+          <tbody>
+            #{
+              @oauth_tokens.map do |oauth_token|
+                <<-HTML
+                  <tr>
+                    <td>#{oauth_token[rodauth.oauth_tokens_token_column]}</td>
+                    <td>#{oauth_token[rodauth.oauth_tokens_refresh_token_column]}</td>
+                    <td>#{rodauth.convert_timestamp(oauth_token[rodauth.oauth_tokens_expires_in_column])}</td>
+                    <td>#{rodauth.convert_timestamp(oauth_token[rodauth.oauth_tokens_revoked_at_column])}</td>
+                    <td>
+                      #{
+                        if !oauth_token[rodauth.oauth_tokens_revoked_at_param] && !oauth_token[rodauth.oauth_tokens_token_hash_column]
+                          <<-HTML
+                            <form method="post" action="#{rodauth.revoke_path}" class="form-horizontal" role="form" id="revoke-form">
+                              #{csrf_tag(rodauth.oauth_revoke_path) if respond_to?(:csrf_tag)}
+                              #{rodauth.input_field_string("token_type_hint", "revoke-token-type-hint", :value => "access_token", :type=>"hidden")}
+                              #{rodauth.input_field_string("token", "revoke-token", :value => oauth_token[rodauth.oauth_tokens_token_column], :type=>"hidden")}
+                              #{rodauth.button(rodauth.oauth_token_revoke_button)}
+                            </form>
+                          HTML
+                        end
+                      }
+                    </td>
+                  </tr>
+                HTML
+              end.join
+            }
+          </tbody>
+        </table>
+      HTML
+    end
+  }
+</div>

data/templates/redirect_uri_field.str

@@ -0,0 +1,4 @@
+<div class="form-group">
+  <label for="redirect_uri">#{rodauth.redirect_uri_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.oauth_application_redirect_uri_param, "redirect_uri", :type=>"text")}
+</div>

data/templates/scope_field.str

@@ -0,0 +1,10 @@
+<fieldset class="form-group">
+  #{
+    rodauth.oauth_application_scopes.map do |scope|
+      "<div class=\"form-check checkbox\">" +
+      "<input id=\"#{scope}\" type=\"checkbox\" name=\"#{rodauth.oauth_application_scopes_param}[]\" value=\"#{scope}\">" +
+      "<label for=\"#{scope}\">#{scope}</label>" +
+      "</div>"
+    end.join
+  }
+</fieldset>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-09 00:00:00.000000000 Z
+date: 2020-10-08 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -39,12 +39,23 @@ files:
 - lib/rodauth/oauth/railtie.rb
 - lib/rodauth/oauth/ttl_store.rb
 - lib/rodauth/oauth/version.rb
-homepage: https://gitlab.com/honeyryderchuck/roda-oauth
+- templates/authorize.str
+- templates/client_secret_field.str
+- templates/description_field.str
+- templates/homepage_url_field.str
+- templates/name_field.str
+- templates/new_oauth_application.str
+- templates/oauth_application.str
+- templates/oauth_applications.str
+- templates/oauth_tokens.str
+- templates/redirect_uri_field.str
+- templates/scope_field.str
+homepage: https://gitlab.com/honeyryderchuck/rodauth-oauth
 licenses: []
 metadata:
-  homepage_uri: https://gitlab.com/honeyryderchuck/roda-oauth
-  source_code_uri: https://gitlab.com/honeyryderchuck/roda-oauth
-  changelog_uri: https://gitlab.com/honeyryderchuck/roda-oauth/-/blob/master/CHANGELOG.md
+  homepage_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth
+  source_code_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth
+  changelog_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth/-/blob/master/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths: