rodauth-oauth 1.0.0.pre.beta1 → 1.0.0.pre.beta2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 299307b4879c519f6bcf7e5cfb875b75ac1d6b73b90371d3c9925baaf50dee08
-  data.tar.gz: 05a87d3e473b514f7cbb67d841a4a9185154dd1d15933d3321a3e4946c9c28ed
+  metadata.gz: 0f96bced835f21567ea5603751e8cf06b53d4eae70d9cab8bc685e2fca8c2027
+  data.tar.gz: 59badde6a055fa2638bcb41b01534f0b5b8de9eac541ac596f25e6d5cd6fb043
 SHA512:
-  metadata.gz: 2600d4236957c98ece6db0b06d280675d0e64c203a42e59e52063fea851bb42ec782063da5e8598211ae2a20faf9282616ffba14de8333f4e3a49ba04c97d154
-  data.tar.gz: 7a3b5a0b1f9979c92329848d57c6de9a68f372f2357d4ade96538aea884124235efeeb3bd28d2336d3dad92344ce59cb61958c868ffa8b12f4771d17b2e1f0f7
+  metadata.gz: 492a5c3c12bcc678c5eb6171e9d9851db745412fdb3675674c61b512dbfd1ff1aec09da02a3d4df3acb9133148990538200c49ce05de7a34dea85107aebf151b
+  data.tar.gz: 65f1223065b2a0bce609b4137b8fadd206fffa9904caac97c41dc4d429528dea474a8b450128409ed164f6407c690e95a3e7c4a83b8f9302fb41d0336e132dea

data/README.md

@@ -35,11 +35,12 @@ This gem implements the following RFCs and features of OAuth:
 
 It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:
 
-* [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
-* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
-* [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
-* [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html);
-* [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
+* `oidc`
+  * [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html);
+  * [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0-29.html);
+  * [OpenID Multiple Response Types](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html);
+* `oidc_dynamic_client_registration` - [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html);
+* `oidc_rp_initiated_logout` - [RP Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 

data/doc/release_notes/1_0_0_beta2.md

@@ -0,0 +1,34 @@
+This version passes the conformance tests for the following OpenID Connect certification profiles:
+
+* Basic certification
+* Form-post basic certification
+* Config certification
+* Dynamic Config certification (`response_type=code`)
+
+## Breaking Changes
+
+* homepage url is no longer a client application required property.
+* OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout` feature.
+
+## Features
+
+* `oauth_jwt_secured_authorization_request` now supports a `request_uri` query param as well.
+* `oidc` supports essential claims, via the `claims` authorization request query parameter.
+
+## Improvements
+
+* exposing `acr_values_supported` in the openid configuration.
+* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an accepted request object signing alg when `true` (`false` by default).
+* OIDC `offline_access` supported.
+
+## Bugfixes
+
+* JWT: "sub" is now always a string.
+* `response_type` is now an authorization request required parameter (as per the RFC).
+* `state` is now passed along when redirecting from authorization requeests with `error`;
+* access token can now be read from POST body or GET quety params (as per the RFC).
+* id token no longer shipping with claims with `null` value;
+* id token no longer encoding claims by default (only when `response_type=id_token`, as per the RFC).
+* support "JWT without kid" when doing jwt decoding for JWT tokens not generated in the provider (such as request objects).
+* Set `iss` and `aud` claims in the Userinfo JWT response.
+* Make sure errors are also delivered via form POST, when `response_mode=form_post`.

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -2,7 +2,9 @@
   <% if rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
     <%= image_tag rodauth.oauth_application[rodauth.oauth_applications_logo_uri_column] %>
   <% end %>
-  <p class="lead"><%= rodauth.authorize_page_lead(name: link_to(rodauth.oauth_application[rodauth.oauth_applications_name_column], rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column])).html_safe %></p>
+  <% application_uri = rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column] %>
+  <% application_name = application_uri ? link_to(rodauth.oauth_application[rodauth.oauth_applications_name_column], application_uri) : rodauth.oauth_application[rodauth.oauth_applications_name_column] %>
+  <p class="lead"><%= rodauth.authorize_page_lead(name: application_name).html_safe %></p>
 
   <div class="list-group">
     <% if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column] %>
@@ -26,10 +28,14 @@
     <h1 class="display-6"><%= rodauth.oauth_grants_scopes_label %></h1>
 
     <% rodauth.authorize_scopes.each do |scope| %>
-      <div class="form-check">
-        <%= check_box_tag "scope[]", scope, id: scope, class: "form-check-input" %>
-        <%= label_tag scope, scope, class: "form-check-label" %>
-      </div>
+      <% if rodauth.features.include?(:oidc) && scope == "offline_access" %>
+        <%= hidden_field_tag "scope[]", scope %>
+      <% else %>
+        <div class="form-check">
+          <%= check_box_tag "scope[]", scope, id: scope, class: "form-check-input" %>
+          <%= label_tag scope, scope, class: "form-check-label" %>
+        </div>
+      <% end %>
     <% end %>
     <%= hidden_field_tag :client_id, params[:client_id] %>
     <% %i[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
@@ -51,6 +57,9 @@
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oidc) %>
+      <% if params[:prompt] %>
+        <%= hidden_field_tag :prompt,  params[:prompt] %>
+      <% end %>
       <% if params[:nonce] %>
         <%= hidden_field_tag :nonce,  params[:nonce] %>
       <% end %>
@@ -60,13 +69,16 @@
       <% if params[:claims_locales] %>
         <%= hidden_field_tag :claims_locales,  params[:claims_locales] %>
       <% end %>
+      <% if params[:claims] %>
+        <%= hidden_field_tag :claims,  sanitize(params[:claims]) %>
+      <% end %>
       <% if params[:acr_values] %>
-        <%= hidden_field_tag :acr,  params[:acr_values] %>
+        <%= hidden_field_tag :acr_values,  params[:acr_values] %>
       <% end %>
     <% end %>
   </div>
  <p class="text-center">
     <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
-    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{rodauth.state}" if params[:state] }", class: "btn btn-outline-danger" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if params[:state] }", class: "btn btn-outline-danger" %>
   </p>
 <% end %>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -5,42 +5,48 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.foreign_key :accounts, column: :account_id
       t.string :name, null: false
       t.string :description, null: true
-      t.string :homepage_url, null: false
+      t.string :homepage_url, null: true
       t.string :redirect_uri, null: false
       t.string :client_id, null: false, index: { unique: true }
       t.string :client_secret, null: false, index: { unique: true }
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-      # extra params
-      # t.string :token_endpoint_auth_method, null: true
-      # t.string :grant_types, null: true
-      # t.string :response_types, null: true
-      # t.string :client_uri, null: true
-      # t.string :logo_uri, null: true
-      # t.string :tos_uri, null: true
-      # t.string :policy_uri, null: true
-      # t.string :jwks_uri, null: true
-      # t.string :jwks, null: true
-      # t.string :contacts, null: true
-      # t.string :software_id, null: true
-      # t.string :software_version, null: true
-      # oidc extra params
-      # t.string :sector_identifier_uri, null: true
-      # t.string :application_type, null: true
-      # t.string :subject_type, null: true
-      # t.string :id_token_signed_response_alg, null: true
-      # t.string :id_token_encrypted_response_alg, null: true
-      # t.string :id_token_encrypted_response_enc, null: true
-      # t.string :userinfo_signed_response_alg, null: true
-      # t.string :userinfo_encrypted_response_alg, null: true
-      # t.string :userinfo_encrypted_response_enc, null: true
-      # t.string :request_object_signing_alg, null: true
-      # t.string :request_object_encryption_alg, null: true
-      # t.string :request_object_encryption_enc, null: true
-      # JWT/OIDC per application signing verification
-      # t.text :jwt_public_key, null: true
-      # RP-initiated logout
-      # t.string :post_logout_redirect_uri, null: false
+
+      # :oauth_dynamic_client_configuration enabled, extra optional params
+      t.string :token_endpoint_auth_method, null: true
+      t.string :grant_types, null: true
+      t.string :response_types, null: true
+      t.string :client_uri, null: true
+      t.string :logo_uri, null: true
+      t.string :tos_uri, null: true
+      t.string :policy_uri, null: true
+      t.string :jwks_uri, null: true
+      t.string :jwks, null: true
+      t.string :contacts, null: true
+      t.string :software_id, null: true
+      t.string :software_version, null: true
+
+      # :oidc_dynamic_client_configuration enabled, extra optional params
+      t.string :sector_identifier_uri, null: true
+      t.string :application_type, null: true
+
+      # :oidc enabled
+      t.string :subject_type, null: true
+      t.string :id_token_signed_response_alg, null: true
+      t.string :id_token_encrypted_response_alg, null: true
+      t.string :id_token_encrypted_response_enc, null: true
+      t.string :userinfo_signed_response_alg, null: true
+      t.string :userinfo_encrypted_response_alg, null: true
+      t.string :userinfo_encrypted_response_enc, null: true
+
+      # :oauth_jwt_secured_authorization_request
+      t.string :request_object_signing_alg, null: true
+      t.string :request_object_encryption_alg, null: true
+      t.string :request_object_encryption_enc, null: true
+      t.string :request_uris, null: true
+
+      # :oidc_rp_initiated_logout enabled
+      t.string :post_logout_redirect_uris, null: false
     end
 
     create_table :oauth_grants do |t|
@@ -58,19 +64,24 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :revoked_at
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-      # for using access_types
       t.string :access_type, null: false, default: "offline"
-      # uncomment to enable PKCE
-      # t.string :code_challenge
-      # t.string :code_challenge_method
-      # device code grant
-      # t.string :user_code, null: true, unique: true
-      # t.datetime :last_polled_at, null: true
-      # when using :oauth_resource_indicators feature
-      # t.string :resource
-      # uncomment to use OIDC nonce
-      # t.string :nonce
-      # t.string :acr
+
+      # :oauth_pkce enabled
+      t.string :code_challenge
+      t.string :code_challenge_method
+
+      # :oauth_device_code_grant enabled
+      t.string :user_code, null: true, unique: true
+      t.datetime :last_polled_at, null: true
+
+      # :resource_indicators enabled
+      t.string :resource
+
+      # :oidc enabled
+      t.string :nonce
+      t.string :acr
+      t.string :claims_locales
+      t.string :claims
     end
   end
 end

data/lib/rodauth/features/oauth_application_management.rb

@@ -165,10 +165,10 @@ module Rodauth
             value.each do |uri|
               next if uri.empty?
 
-              set_field_error(key, invalid_url_message) unless check_valid_uri?(uri)
+              set_field_error(key, invalid_url_message) unless check_valid_no_fragment_uri?(uri)
             end
           else
-            set_field_error(key, invalid_url_message) unless check_valid_uri?(value)
+            set_field_error(key, invalid_url_message) unless check_valid_no_fragment_uri?(value)
           end
         elsif key == oauth_application_scopes_param
 

data/lib/rodauth/features/oauth_authorization_code_grant.rb

@@ -25,9 +25,9 @@ module Rodauth
     def validate_authorize_params
       super
 
-      return unless (response_mode = param_or_nil("response_mode")) && !oauth_response_modes_supported.include?(response_mode)
+      response_mode = param_or_nil("response_mode")
 
-      redirect_response_error("invalid_request")
+      redirect_response_error("invalid_request") if response_mode && !oauth_response_modes_supported.include?(response_mode)
     end
 
     def validate_token_params
@@ -46,7 +46,6 @@ module Rodauth
 
       case response_type
       when "code", nil
-        response_mode ||= oauth_response_mode
         response_params.replace(_do_authorize_code)
       end
 
@@ -68,7 +67,7 @@ module Rodauth
       redirect_url = URI.parse(redirect_uri)
       case mode
       when "query"
-        params = params.map { |k, v| "#{k}=#{v}" }
+        params = params.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }
         params << redirect_url.query if redirect_url.query
         redirect_url.query = params.join("&")
         redirect(redirect_url.to_s)
@@ -80,7 +79,7 @@ module Rodauth
               <form method="post" action="#{redirect_uri}">
                 #{
                   params.map do |name, value|
-                    "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+                    "<input type=\"hidden\" name=\"#{scope.h(name)}\" value=\"#{scope.h(value)}\" />"
                   end.join
                 }
                 <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
@@ -91,6 +90,32 @@ module Rodauth
       end
     end
 
+    def _redirect_response_error(redirect_url, query_params)
+      response_mode = param_or_nil("response_mode") || oauth_response_mode
+
+      case response_mode
+      when "form_post"
+        response["Content-Type"] = "text/html"
+        response.write <<-FORM
+          <html>
+            <head><title></title></head>
+            <body onload="javascript:document.forms[0].submit()">
+              <form method="post" action="#{redirect_uri}">
+                #{
+                  query_params.map do |name, value|
+                    "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+                  end.join
+                }
+              </form>
+            </body>
+          </html>
+        FORM
+        request.halt
+      else
+        super
+      end
+    end
+
     def create_token(grant_type)
       return super unless supported_grant_type?(grant_type, "authorization_code")
 
@@ -107,7 +132,7 @@ module Rodauth
     def check_valid_response_type?
       response_type = param_or_nil("response_type")
 
-      response_type.nil? || response_type == "code" || response_type == "none" || super
+      response_type == "code" || response_type == "none" || super
     end
 
     def oauth_server_metadata_body(*)

data/lib/rodauth/features/oauth_authorize_base.rb

@@ -23,6 +23,8 @@ module Rodauth
     translatable_method :oauth_applications_contacts_label, "Contacts"
     translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
     translatable_method :oauth_applications_policy_uri_label, "Policy URL"
+    translatable_method :oauth_unsupported_response_type_message, "Unsupported response type"
+    translatable_method :oauth_authorize_parameter_required, "'%<parameter>s' is a required parameter"
 
     # /authorize
     auth_server_route(:authorize) do |r|
@@ -65,7 +67,7 @@ module Rodauth
     def validate_authorize_params
       redirect_response_error("invalid_request", request.referer || default_redirect) unless oauth_application && check_valid_redirect_uri?
 
-      redirect_response_error("invalid_request") unless check_valid_response_type?
+      redirect_response_error("unsupported_response_type") unless check_valid_response_type?
 
       redirect_response_error("invalid_request") unless check_valid_access_type? && check_valid_approval_prompt?
 
@@ -79,7 +81,15 @@ module Rodauth
     end
 
     def check_valid_redirect_uri?
-      oauth_application[oauth_applications_redirect_uri_column].split(" ").include?(redirect_uri)
+      application_redirect_uris = oauth_application[oauth_applications_redirect_uri_column].split(" ")
+
+      if (redirect_uri = param_or_nil("redirect_uri"))
+        application_redirect_uris.include?(redirect_uri)
+      else
+        set_error_flash(oauth_authorize_parameter_required(parameter: "redirect_uri")) if application_redirect_uris.size > 1
+
+        true
+      end
     end
 
     ACCESS_TYPES = %w[offline online].freeze
@@ -140,10 +150,10 @@ module Rodauth
     end
 
     def create_oauth_grant(create_params = {})
-      create_params[oauth_grants_oauth_application_id_column] = oauth_application[oauth_applications_id_column]
-      create_params[oauth_grants_redirect_uri_column] = redirect_uri
-      create_params[oauth_grants_expires_in_column] = Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in)
-      create_params[oauth_grants_scopes_column] = scopes.join(oauth_scope_separator)
+      create_params[oauth_grants_oauth_application_id_column] ||= oauth_application[oauth_applications_id_column]
+      create_params[oauth_grants_redirect_uri_column] ||= redirect_uri
+      create_params[oauth_grants_expires_in_column] ||= Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in)
+      create_params[oauth_grants_scopes_column] ||= scopes.join(oauth_scope_separator)
 
       if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
         create_params[oauth_grants_access_type_column] = access_type

data/lib/rodauth/features/oauth_base.rb

@@ -3,6 +3,7 @@
 require "time"
 require "base64"
 require "securerandom"
+require "cgi"
 require "rodauth/version"
 require "rodauth/oauth"
 require "rodauth/oauth/database_extensions"
@@ -17,8 +18,6 @@ module Rodauth
     auth_value_methods(:http_request)
     auth_value_methods(:http_request_cache)
 
-    SCOPES = %w[profile.read].freeze
-
     before "token"
 
     error_flash "Please authorize to continue", "require_authorization"
@@ -82,7 +81,7 @@ module Rodauth
     auth_value_method :oauth_already_in_use_response_status, 409
 
     # Feature options
-    auth_value_method :oauth_application_scopes, SCOPES
+    auth_value_method :oauth_application_scopes, []
     auth_value_method :oauth_token_type, "bearer"
     auth_value_method :oauth_refresh_token_protection_policy, "rotation" # can be: none, sender_constrained, rotation
 
@@ -228,13 +227,20 @@ module Rodauth
     end
 
     def fetch_access_token
-      value = request.env["HTTP_AUTHORIZATION"]
+      if (token = request.params["access_token"])
+        if request.post? && !(request.content_type.start_with?("application/x-www-form-urlencoded") &&
+                        request.params.size == 1)
+          return
+        end
+      else
+        value = request.env["HTTP_AUTHORIZATION"]
 
-      return unless value && !value.empty?
+        return unless value && !value.empty?
 
-      scheme, token = value.split(" ", 2)
+        scheme, token = value.split(" ", 2)
 
-      return unless scheme.downcase == oauth_token_type
+        return unless scheme.downcase == oauth_token_type
+      end
 
       return if token.nil? || token.empty?
 
@@ -245,11 +251,11 @@ module Rodauth
       return @authorization_token if defined?(@authorization_token)
 
       # check if there is a token
-      bearer_token = fetch_access_token
+      access_token = fetch_access_token
 
-      return unless bearer_token
+      return unless access_token
 
-      @authorization_token = oauth_grant_by_token(bearer_token)
+      @authorization_token = oauth_grant_by_token(access_token)
     end
 
     def require_oauth_authorization(*scopes)
@@ -758,22 +764,31 @@ module Rodauth
         query_params = []
 
         query_params << if respond_to?(:"oauth_#{error_code}_error_code")
-                          "error=#{send(:"oauth_#{error_code}_error_code")}"
+                          ["error", send(:"oauth_#{error_code}_error_code")]
                         else
-                          "error=#{error_code}"
+                          ["error", error_code]
                         end
 
         if respond_to?(:"oauth_#{error_code}_message")
           message = send(:"oauth_#{error_code}_message")
-          query_params << ["error_description=#{CGI.escape(message)}"]
+          query_params << ["error_description", CGI.escape(message)]
         end
 
-        query_params << redirect_url.query if redirect_url.query
-        redirect_url.query = query_params.join("&")
-        redirect(redirect_url.to_s)
+        state = param_or_nil("state")
+
+        query_params << ["state", state] if state
+
+        _redirect_response_error(redirect_url, query_params)
       end
     end
 
+    def _redirect_response_error(redirect_url, query_params)
+      query_params = query_params.map { |k, v| "#{k}=#{v}" }
+      query_params << redirect_url.query if redirect_url.query
+      redirect_url.query = query_params.join("&")
+      redirect(redirect_url.to_s)
+    end
+
     def json_response_success(body, cache = false)
       response.status = 200
       response["Content-Type"] ||= json_response_content_type
@@ -835,6 +850,10 @@ module Rodauth
       URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(uri)
     end
 
+    def check_valid_no_fragment_uri?(uri)
+      check_valid_uri?(uri) && URI.parse(uri).fragment.nil?
+    end
+
     # Resource server mode
 
     def authorization_server_metadata

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -8,7 +8,7 @@ module Rodauth
 
     before "register"
 
-    auth_value_method :oauth_client_registration_required_params, %w[redirect_uris client_name client_uri]
+    auth_value_method :oauth_client_registration_required_params, %w[redirect_uris client_name]
 
     PROTECTED_APPLICATION_ATTRIBUTES = %w[account_id client_id].freeze
 
@@ -68,7 +68,10 @@ module Rodauth
         when "redirect_uris"
           if value.is_a?(Array)
             value = value.each do |uri|
-              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri)) unless check_valid_uri?(uri)
+              unless check_valid_no_fragment_uri?(uri)
+                register_throw_json_response_error("invalid_redirect_uri",
+                                                   register_invalid_uri_message(uri))
+              end
             end.join(" ")
           else
             register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(value))
@@ -76,7 +79,7 @@ module Rodauth
           key = oauth_applications_redirect_uri_column
         when "token_endpoint_auth_method"
           unless oauth_token_endpoint_auth_methods_supported.include?(value)
-            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(key, value))
           end
           # verify if in range
           key = oauth_applications_token_endpoint_auth_method_column
@@ -84,7 +87,7 @@ module Rodauth
           if value.is_a?(Array)
             value = value.each do |grant_type|
               unless oauth_grant_types_supported.include?(grant_type)
-                register_throw_json_response_error("invalid_client_metadata", register_oauth_invalid_grant_type_message(grant_type))
+                register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(grant_type, value))
               end
             end.join(" ")
           else

data/lib/rodauth/features/oauth_implicit_grant.rb

@@ -28,23 +28,24 @@ module Rodauth
 
       redirect_response_error("invalid_request") unless supported_response_mode?(response_mode)
 
-      response_params.replace(_do_authorize_token)
+      oauth_grant = _do_authorize_token
+
+      response_params.replace(json_access_token_payload(oauth_grant))
 
       response_params["state"] = param("state") if param_or_nil("state")
 
       [response_params, response_mode]
     end
 
-    def _do_authorize_token
+    def _do_authorize_token(grant_params = {})
       grant_params = {
         oauth_grants_type_column => "implicit",
         oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
         oauth_grants_scopes_column => scopes,
         oauth_grants_account_id_column => account_id
-      }
-      oauth_grant = generate_token(grant_params, false)
+      }.merge(grant_params)
 
-      json_access_token_payload(oauth_grant)
+      generate_token(grant_params, false)
     end
 
     def authorize_response(params, mode)

data/lib/rodauth/features/oauth_jwt.rb

@@ -49,11 +49,11 @@ module Rodauth
       return @authorization_token if defined?(@authorization_token)
 
       @authorization_token = begin
-        bearer_token = fetch_access_token
+        access_token = fetch_access_token
 
-        return unless bearer_token
+        return unless access_token
 
-        jwt_claims = jwt_decode(bearer_token)
+        jwt_claims = jwt_decode(access_token)
 
         return unless jwt_claims
 

data/lib/rodauth/features/oauth_jwt_base.rb

@@ -63,7 +63,11 @@ module Rodauth
     end
 
     def jwt_subject(oauth_grant, client_application = oauth_application)
-      oauth_grant[oauth_grants_account_id_column] || client_application[oauth_applications_client_id_column]
+      account_id = oauth_grant[oauth_grants_account_id_column]
+
+      return account_id.to_s if account_id
+
+      client_application[oauth_applications_client_id_column]
     end
 
     def oauth_server_metadata_body(path = nil)
@@ -207,14 +211,23 @@ module Rodauth
 
         claims = if is_authorization_server?
                    if jwks
+                     jwks = jwks[:keys] if jwks.is_a?(Hash)
+
                      enc_algs = [jws_encryption_algorithm].compact
                      enc_meths = [jws_encryption_method].compact
 
                      sig_algs = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
                      sig_algs = sig_algs.compact.map(&:to_sym)
 
-                     jws = JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks }), enc_algs + sig_algs, enc_meths)
-                     jws = JSON::JWT.decode(jws.plain_text, JSON::JWK::Set.new({ keys: jwks }), sig_algs) if jws.is_a?(JSON::JWE)
+                     # JWKs may be set up without a KID, when there's a single one
+                     if jwks.size == 1 && !jwks[0][:kid]
+                       key = jwks[0]
+                       jwk_key = JSON::JWK.new(key)
+                       jws = JSON::JWT.decode(token, jwk_key)
+                     else
+                       jws = JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks }), enc_algs + sig_algs, enc_meths)
+                       jws = JSON::JWT.decode(jws.plain_text, JSON::JWK::Set.new({ keys: jwks }), sig_algs) if jws.is_a?(JSON::JWE)
+                     end
                      jws
                    elsif jws_key
                      JSON::JWT.decode(token, jws_key)
@@ -279,7 +292,7 @@ module Rodauth
       end
 
       def jwt_encode(payload,
-                     signing_algorithm: oauth_jwt_keys.keys.first)
+                     signing_algorithm: oauth_jwt_keys.keys.first, **)
         headers = {}
 
         key = oauth_jwt_keys[signing_algorithm] || _jwt_key
@@ -368,8 +381,18 @@ module Rodauth
         # decode jwt
         claims = if is_authorization_server?
                    if jwks
-                     algorithms = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-                     JWT.decode(token, nil, true, algorithms: algorithms, jwks: { keys: jwks }, **verify_claims_params).first
+                     jwks = jwks[:keys] if jwks.is_a?(Hash)
+
+                     # JWKs may be set up without a KID, when there's a single one
+                     if jwks.size == 1 && !jwks[0][:kid]
+                       key = jwks[0]
+                       algo = key[:alg]
+                       key = JWT::JWK.import(key).keypair
+                       JWT.decode(token, key, true, algorithms: [algo], **verify_claims_params).first
+                     else
+                       algorithms = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                       JWT.decode(token, nil, true, algorithms: algorithms, jwks: { keys: jwks }, **verify_claims_params).first
+                     end
                    elsif jws_key
                      JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params).first
                    end