rodauth-oauth 1.4.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 87a675b4d44ba1003c451dc25b22c0b9fec5f346e2d03ef114d19f77ffd768da
-  data.tar.gz: 6921bd4b1bef1c88124bc323e293d9218959f94c985b9ed4c7e4b4452d474d55
+  metadata.gz: 40ff3b3b3de0595eae98f218aec2f8e876f18329061c537e91e5841ab35e67dc
+  data.tar.gz: 19692e86d66400a9e7227f655bdc6375e38554cb52b97ee3a5e22cceab582168
 SHA512:
-  metadata.gz: 4969a6eba906a0b180c325528c780c122b841ce7cc59c844d510a0dee8791de41cebb294f0f11d6bd23e09644732bf4b32b72e9b8ac918f0c53249fdcf4e6fd0
-  data.tar.gz: 4fae6adcc4b8ac567160182c52dc1c8d8f6fe34d0875f617b5284777fb64f0f5e7c4430ec9e769d78a8774e04d1c755bbabc4be6757d916b07fa5d14dc2b7eb4
+  metadata.gz: cd6efdeda012c25d83949e7f0ea2aa043238851f95bf1217b8156786f7376d39792caed37a2af68fc7777ed5a892fa2f9e5185efe1f8a3e7168df07de84b954d
+  data.tar.gz: 0e435eea239f81ff16db08b187ce7bb06ba3d25359603906e48610e38912162b35c79c3d8b7fbfa74df2c56f52bb653d61b999da76c1cc8d445f2077b876c578

data/doc/release_notes/1_4_0.md

@@ -29,6 +29,15 @@ If you're using `oidc`, the dependency on `account_expiration` has been replaced
 
 If you're migrating, it's recommended that you keep depending on `account_expiration` during the transition, add `active_sessions` tables as per [rodauth specs](https://github.com/jeremyevans/rodauth/blob/master/spec/migrate/001_tables.rb#L150), and run them alongside one another for the max period ID tokens should be valid, after which you can remove `account_expiration` and its tables.
 
+Some `auth_value_methods` were changed to `auth_methods` everywhere where it made sense. If you were overriding them, you'll have to wrap them in a block:
+
+```ruby
+# in 1.3.2
+oauth_jwt_issuer "http://myissuer.com"
+# in 1.4.0
+oauth_jwt_issuer { "http://myissuer.com" }
+```
+
 ## Improvements
 
 ### OAuth SAML Bearer Grant per oauth application settings
@@ -45,5 +54,4 @@ The `oauth_saml_bearer_grant` feature requires a new table/resource, SAML settin
 
 ## Chore
 
-* Using `auth_methods` everywhere where `auth_value_methods` was used and didn't make sense.
-* `oauth_tls_client_auth` is not dependent on the `oauth_jwt` feature, and can therefore be used with non-JWT access tokens, at least with the features which do not require it.
+* `oauth_tls_client_auth` is not dependent on the `oauth_jwt` feature, and can therefore be used with non-JWT access tokens, at least with the features which do not require it.

data/doc/release_notes/1_5_0.md

@@ -0,0 +1,20 @@
+# 1.5.0
+
+## Highlights
+
+### OAuth DPoP Support
+
+`rodauth-oauth` supports Demonstrating Proof-of-Possession at the Application Layer (also known as DPoP), via the `oauth_dpop` feature. This provides a mechanism to bind access tokens to a particular client based on public key cryptography.
+
+More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/DPoP).
+
+## Improvements
+
+All features managing cookies are now able to set configure them as "session cookies" (i.e. removed on browser shutdown) by setting the expiration interval auth method to `nil`. This ncludes:
+
+* `oauth_prompt_login_interval` (from the `oidc` feature)
+* `oauth_oidc_user_agent_state_cookie_expires_in` (from the `oidc_session_management` feature)
+
+## Bugfixes
+
+* when using the `oauth_token_instrospection` feature, the `token_type` has been fixed to show "Bearer" (instead of "access_token").

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -79,6 +79,11 @@
         <%= hidden_field_tag :registration, rodauth.param_or_nil("registration") %>
       <% end %>
     <% end %>
+    <% if rodauth.features.include?(:oidc) %>
+      <% if rodauth.param_or_nil("dpop_jkt") %>
+        <%= hidden_field_tag :dpop_jkt, rodauth.param_or_nil("dpop_jkt") %>
+      <% end %>
+    <% end %>
   </div>
  <p class="text-center">
     <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -49,6 +49,9 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.boolean :require_signed_request_object, null: true
       t.boolean :require_pushed_authorization_requests, null: false, default: false
 
+      # :oauth_dpop
+      t.string :dpop_bound_access_tokens, null: true
+
       # :oauth_tls_client_auth
       t.string :tls_client_auth_subject_dn, null: true
       t.string :tls_client_auth_san_dns, null: true
@@ -86,6 +89,9 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP(6)" }
       t.string :access_type, null: false, default: "offline"
 
+      # :oauth_dpop enabled
+      t.string :dpop_jwk, null: true
+
       # :oauth_pkce enabled
       t.string :code_challenge
       t.string :code_challenge_method
@@ -105,15 +111,20 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :acr
       t.string :claims_locales
       t.string :claims
+
+      # :oauth_dpop enabled
+      t.string :dpop_jkt
     end
 
     create_table :oauth_pushed_requests do |t|
       t.bigint :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
       t.string :code, null: false, index: { unique: true }
+      t.index %i[oauth_application_id code], unique: true
       t.string :params, null: false
       t.datetime :expires_in, null: false
-      t.index %i[oauth_application_id code], unique: true
+      # :oauth_dpop
+      t.string :dpop_jkt
     end
 
     create_table :oauth_saml_settings do |t|
@@ -127,5 +138,10 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.string :audience, null: true
       t.string :issuer, null: false, unique: true
     end
+
+    create_table :oauth_dpop_proofs, primary_key: :jti do |t|
+      t.string :jti, null: false
+      t.datetime :first_use, null: false, default: -> { "CURRENT_TIMESTAMP(6)" }
+    end
   end
 end

data/lib/rodauth/features/oauth_base.rb

@@ -237,16 +237,22 @@ module Rodauth
           return
         end
       else
-        value = request.env["HTTP_AUTHORIZATION"]
+        token = fetch_access_token_from_authorization_header
+      end
 
-        return unless value && !value.empty?
+      return if token.nil? || token.empty?
 
-        scheme, token = value.split(" ", 2)
+      token
+    end
 
-        return unless scheme.downcase == oauth_token_type
-      end
+    def fetch_access_token_from_authorization_header(token_type = oauth_token_type)
+      value = request.env["HTTP_AUTHORIZATION"]
 
-      return if token.nil? || token.empty?
+      return unless value && !value.empty?
+
+      scheme, token = value.split(" ", 2)
+
+      return unless scheme.downcase == token_type
 
       token
     end
@@ -353,7 +359,7 @@ module Rodauth
     # parse client id and secret
     #
     def require_oauth_application
-      @oauth_application = if (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Basic (.*)\Z/, 1]))
+      @oauth_application = if (token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Basic (.*)\Z/, 1])
                              # client_secret_basic
                              require_oauth_application_from_client_secret_basic(token)
                            elsif (client_id = param_or_nil("client_id"))
@@ -819,10 +825,14 @@ module Rodauth
       payload = response_error_params(error_code, message)
       json_payload = _json_response_body(payload)
       response["Content-Type"] ||= json_response_content_type
-      response["WWW-Authenticate"] = oauth_token_type.upcase if status == 401
+      response["WWW-Authenticate"] = www_authenticate_header(payload) if status == 401
       return_response(json_payload)
     end
 
+    def www_authenticate_header(*)
+      oauth_token_type.capitalize
+    end
+
     def _json_response_body(hash)
       return super if features.include?(:json)
 

data/lib/rodauth/features/oauth_dpop.rb

@@ -0,0 +1,410 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+require "logger"
+
+module Rodauth
+  Feature.define(:oauth_dpop, :OauthDpop) do
+    depends :oauth_jwt, :oauth_authorize_base
+
+    auth_value_method :oauth_invalid_token_error_response_status, 401
+    auth_value_method :oauth_multiple_auth_methods_response_status, 401
+    auth_value_method :oauth_access_token_dpop_bound_response_status, 401
+
+    translatable_method :oauth_invalid_dpop_proof_message, "Invalid DPoP proof"
+    translatable_method :oauth_multiple_auth_methods_message, "Multiple methods used to include access token"
+    auth_value_method :oauth_multiple_dpop_proofs_error_code, "invalid_request"
+    translatable_method :oauth_multiple_dpop_proofs_message, "Multiple DPoP proofs used"
+    auth_value_method :oauth_invalid_dpop_jkt_error_code, "invalid_dpop_proof"
+    translatable_method :oauth_invalid_dpop_jkt_message, "Invalid DPoP JKT"
+    auth_value_method :oauth_invalid_dpop_jti_error_code, "invalid_dpop_proof"
+    translatable_method :oauth_invalid_dpop_jti_message, "Invalid DPoP jti"
+    auth_value_method :oauth_invalid_dpop_htm_error_code, "invalid_dpop_proof"
+    translatable_method :oauth_invalid_dpop_htm_message, "Invalid DPoP htm"
+    auth_value_method :oauth_invalid_dpop_htu_error_code, "invalid_dpop_proof"
+    translatable_method :oauth_invalid_dpop_htu_message, "Invalid DPoP htu"
+    translatable_method :oauth_access_token_dpop_bound_message, "DPoP bound access token requires DPoP proof"
+
+    translatable_method :oauth_use_dpop_nonce_message, "DPoP nonce is required"
+
+    auth_value_method :oauth_dpop_proof_expires_in, 60 * 5 # 5 minutes
+    auth_value_method :oauth_dpop_bound_access_tokens, false
+    auth_value_method :oauth_dpop_use_nonce, false
+    auth_value_method :oauth_dpop_nonce_expires_in, 5 # 5 seconds
+    auth_value_method :oauth_dpop_signing_alg_values_supported,
+                      %w[
+                        RS256
+                        RS384
+                        RS512
+                        PS256
+                        PS384
+                        PS512
+                        ES256
+                        ES384
+                        ES512
+                        ES256K
+                      ]
+
+    auth_value_method :oauth_applications_dpop_bound_access_tokens_column, :dpop_bound_access_tokens
+    auth_value_method :oauth_grants_dpop_jkt_column, :dpop_jkt
+    auth_value_method :oauth_pushed_authorization_requests_dpop_jkt_column, :dpop_jkt
+
+    auth_value_method :oauth_dpop_proofs_table, :oauth_dpop_proofs
+    auth_value_method :oauth_dpop_proofs_jti_column, :jti
+    auth_value_method :oauth_dpop_proofs_first_use_column, :first_use
+
+    auth_methods(:validate_dpop_proof_usage)
+
+    def require_oauth_authorization(*scopes)
+      @dpop_access_token = fetch_access_token_from_authorization_header("dpop")
+
+      unless @dpop_access_token
+        authorization_required if oauth_dpop_bound_access_tokens
+
+        # Specifically, such a protected resource MUST reject a DPoP-bound access token received as a bearer token
+        redirect_response_error("access_token_dpop_bound") if authorization_token && authorization_token.dig("cnf", "jkt")
+
+        return super
+      end
+
+      dpop = fetch_dpop_token
+
+      dpop_claims = validate_dpop_token(dpop)
+
+      # 4.3.12
+      validate_ath(dpop_claims, @dpop_access_token)
+
+      @authorization_token = decode_access_token(@dpop_access_token)
+
+      # 4.3.12 - confirm that the public key to which the access token is bound matches the public key from the DPoP proof.
+      jkt = authorization_token.dig("cnf", "jkt")
+
+      redirect_response_error("invalid_dpop_jkt") if oauth_dpop_bound_access_tokens && !jkt
+
+      redirect_response_error("invalid_dpop_jkt") unless jkt == @dpop_thumbprint
+
+      super
+    end
+
+    private
+
+    def validate_token_params
+      dpop = fetch_dpop_token
+
+      unless dpop
+        authorization_required if dpop_bound_access_tokens_required?
+
+        return super
+      end
+
+      validate_dpop_token(dpop)
+
+      super
+    end
+
+    def validate_par_params
+      super
+
+      return unless (dpop = fetch_dpop_token)
+
+      validate_dpop_token(dpop)
+
+      if (dpop_jkt = param_or_nil("dpop_jkt"))
+        redirect_response_error("invalid_request") if dpop_jkt != @dpop_thumbprint
+      else
+        request.params["dpop_jkt"] = @dpop_thumbprint
+      end
+    end
+
+    def validate_dpop_token(dpop)
+      # 4.3.2
+      @dpop_claims = dpop_decode(dpop)
+      redirect_response_error("invalid_dpop_proof") unless @dpop_claims
+
+      validate_dpop_jwt_claims(@dpop_claims)
+
+      # 4.3.10
+      validate_nonce(@dpop_claims)
+
+      # 11.1
+      # To prevent multiple uses of the same DPoP proof, servers can store, in the
+      # context of the target URI, the jti value of each DPoP proof for the time window
+      # in which the respective DPoP proof JWT would be accepted.
+      validate_dpop_proof_usage(@dpop_claims)
+
+      @dpop_claims
+    end
+
+    def validate_dpop_proof_usage(claims)
+      jti = claims["jti"]
+
+      dpop_proof = __insert_or_do_nothing_and_return__(
+        db[oauth_dpop_proofs_table],
+        oauth_dpop_proofs_jti_column,
+        [oauth_dpop_proofs_jti_column],
+        oauth_dpop_proofs_jti_column => Digest::SHA256.hexdigest(jti),
+        oauth_dpop_proofs_first_use_column => Sequel::CURRENT_TIMESTAMP
+      )
+
+      return unless (Time.now - dpop_proof[oauth_dpop_proofs_first_use_column]) > oauth_dpop_proof_expires_in
+
+      redirect_response_error("invalid_dpop_proof")
+    end
+
+    def dpop_decode(dpop)
+      # decode first without verifying!
+      _, headers = jwt_decode_no_key(dpop)
+
+      redirect_response_error("invalid_dpop_proof") unless verify_dpop_jwt_headers(headers)
+
+      dpop_jwk = headers["jwk"]
+
+      jwt_decode(
+        dpop,
+        jws_key: jwk_key(dpop_jwk),
+        jws_algorithm: headers["alg"],
+        verify_iss: false,
+        verify_aud: false,
+        verify_jti: false
+      )
+    end
+
+    def verify_dpop_jwt_headers(headers)
+      # 4.3.4 - A field with the value dpop+jwt
+      return false unless headers["typ"] == "dpop+jwt"
+
+      # 4.3.5 - It MUST NOT be none or an identifier for a symmetric algorithm
+      alg = headers["alg"]
+      return false unless alg && oauth_dpop_signing_alg_values_supported.include?(alg)
+
+      dpop_jwk = headers["jwk"]
+
+      return false unless dpop_jwk
+
+      # 4.3.7 - It MUST NOT contain a private key.
+      return false if private_jwk?(dpop_jwk)
+
+      # store thumbprint for future assertions
+      @dpop_thumbprint = jwk_thumbprint(dpop_jwk)
+
+      true
+    end
+
+    def validate_dpop_jwt_claims(claims)
+      jti = claims["jti"]
+
+      unless jti && jti == Digest::SHA256.hexdigest("#{request.request_method}:#{request.url}:#{claims['iat']}")
+        redirect_response_error("invalid_dpop_jti")
+      end
+
+      htm = claims["htm"]
+
+      # 4.3.8 - Check if htm matches the request method
+      redirect_response_error("invalid_dpop_htm") unless htm && htm == request.request_method
+
+      htu = claims["htu"]
+
+      # 4.3.9 - Check if htu matches the request URL
+      redirect_response_error("invalid_dpop_htu") unless htu && htu == request.url
+    end
+
+    def validate_ath(claims, access_token)
+      # When the DPoP proof is used in conjunction with the presentation of an access token in protected resource access
+      # the DPoP proof MUST also contain the following claim
+      ath = claims["ath"]
+
+      redirect_response_error("invalid_token") unless ath
+
+      # The value MUST be the result of a base64url encoding of the SHA-256 hash of the ASCII encoding of
+      # the associated access token's value.
+      redirect_response_error("invalid_token") unless ath == Base64.urlsafe_encode64(Digest::SHA256.digest(access_token), padding: false)
+    end
+
+    def validate_nonce(claims)
+      nonce = claims["nonce"]
+
+      unless nonce
+        dpop_nonce_required(claims) if dpop_use_nonce?
+
+        return
+      end
+
+      dpop_nonce_required(claims) unless valid_dpop_nonce?(nonce)
+    end
+
+    def jwt_claims(oauth_grant)
+      claims = super
+      if @dpop_thumbprint
+        # the authorization server associates the issued access token with the
+        # public key from the DPoP proof
+        claims[:cnf] = { jkt: @dpop_thumbprint }
+      end
+      claims
+    end
+
+    def generate_token(grant_params = {}, should_generate_refresh_token = true)
+      # When an authorization server supporting DPoP issues a refresh token to a public client
+      # that presents a valid DPoP proof at the token endpoint, the refresh token MUST be bound to the respective public key.
+      grant_params[oauth_grants_dpop_jkt_column] = @dpop_thumbprint if @dpop_thumbprint
+      super
+    end
+
+    def valid_oauth_grant_ds(grant_params = nil)
+      ds = super
+
+      ds = ds.where(oauth_grants_dpop_jkt_column => nil)
+      ds = ds.or(oauth_grants_dpop_jkt_column => @dpop_thumbprint) if @dpop_thumbprint
+      ds
+    end
+
+    def oauth_grant_by_refresh_token_ds(_token, revoked: false)
+      ds = super
+      # The binding MUST be validated when the refresh token is later presented to get new access tokens.
+      ds = ds.where(oauth_grants_dpop_jkt_column => nil)
+      ds = ds.or(oauth_grants_dpop_jkt_column => @dpop_thumbprint) if @dpop_thumbprint
+      ds
+    end
+
+    def oauth_grant_by_token_ds(_token)
+      ds = super
+      # The binding MUST be validated when the refresh token is later presented to get new access tokens.
+      ds = ds.where(oauth_grants_dpop_jkt_column => nil)
+      ds = ds.or(oauth_grants_dpop_jkt_column => @dpop_thumbprint) if @dpop_thumbprint
+      ds
+    end
+
+    def create_oauth_grant(create_params = {})
+      # 10. Authorization Code Binding to DPoP Key
+      # Binding the authorization code issued to the client's proof-of-possession key can enable end-to-end
+      # binding of the entire authorization flow.
+      if (dpop_jkt = param_or_nil("dpop_jkt"))
+        create_params[oauth_grants_dpop_jkt_column] = dpop_jkt
+      end
+
+      super
+    end
+
+    def json_access_token_payload(oauth_grant)
+      payload = super
+      # 5. A token_type of DPoP MUST be included in the access token response to
+      # signal to the client that the access token was bound to its DPoP key
+      payload["token_type"] = "DPoP" if @dpop_claims
+      payload
+    end
+
+    def fetch_dpop_token
+      dpop = request.env["HTTP_DPOP"]
+
+      return if dpop.nil? || dpop.empty?
+
+      # 4.3.1 - There is not more than one DPoP HTTP request header field.
+      redirect_response_error("multiple_dpop_proofs") if dpop.split(";").size > 1
+
+      dpop
+    end
+
+    def dpop_bound_access_tokens_required?
+      oauth_dpop_bound_access_tokens || (oauth_application && oauth_application[oauth_applications_dpop_bound_access_tokens_column])
+    end
+
+    def dpop_use_nonce?
+      oauth_dpop_use_nonce || (oauth_application && oauth_application[oauth_applications_dpop_bound_access_tokens_column])
+    end
+
+    def valid_dpop_proof_required(error_code = "invalid_dpop_proof")
+      if @dpop_access_token
+        # protected resource access
+        throw_json_response_error(401, error_code)
+      else
+        redirect_response_error(error_code)
+      end
+    end
+
+    def dpop_nonce_required(dpop_claims)
+      response["DPoP-Nonce"] = generate_dpop_nonce(dpop_claims)
+
+      if @dpop_access_token
+        # protected resource access
+        throw_json_response_error(401, "use_dpop_nonce")
+      else
+        redirect_response_error("use_dpop_nonce")
+      end
+    end
+
+    def www_authenticate_header(payload)
+      header = if dpop_bound_access_tokens_required?
+                 "DPoP"
+               else
+                 "#{super}, DPoP"
+               end
+
+      error_code = payload["error"]
+
+      unless error_code == "invalid_client"
+        header = "#{header} error=\"#{error_code}\""
+
+        if (desc = payload["error_description"])
+          header = "#{header} error_description=\"#{desc}\""
+        end
+      end
+
+      algs = oauth_dpop_signing_alg_values_supported.join(" ")
+
+      "#{header} algs=\"#{algs}\""
+    end
+
+    # Nonce
+
+    def generate_dpop_nonce(dpop_claims)
+      issued_at = Time.now.to_i
+
+      aud = "#{dpop_claims['htm']}:#{dpop_claims['htu']}"
+
+      nonce_claims = {
+        iss: oauth_jwt_issuer,
+        iat: issued_at,
+        exp: issued_at + oauth_dpop_nonce_expires_in,
+        aud: aud
+      }
+
+      jwt_encode(nonce_claims)
+    end
+
+    def valid_dpop_nonce?(nonce)
+      nonce_claims = jwt_decode(nonce, verify_aud: false, verify_jti: false)
+
+      return false unless nonce_claims
+
+      jti = nonce_claims["jti"]
+
+      return false unless jti
+
+      return false unless jti == Digest::SHA256.hexdigest("#{request.request_method}:#{request.url}:#{nonce_claims['iat']}")
+
+      return false unless nonce_claims.key?("aud")
+
+      htm, htu = nonce_claims["aud"].split(":", 2)
+
+      htm == request.request_method && htu == request.url
+    end
+
+    def json_token_introspect_payload(grant_or_claims)
+      claims = super
+
+      return claims unless grant_or_claims
+
+      if (jkt = grant_or_claims.dig("cnf", "jkt"))
+        (claims[:cnf] ||= {})[:jkt] = jkt
+        claims[:token_type] = "DPoP"
+      end
+
+      claims
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:dpop_signing_alg_values_supported] = oauth_dpop_signing_alg_values_supported
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -18,7 +18,7 @@ module Rodauth
       request.on(registration_client_uri_route) do
         # CLIENT REGISTRATION URI
         request.on(String) do |client_id|
-          (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]))
+          (token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1])
 
           next unless token
 
@@ -200,6 +200,14 @@ module Rodauth
         when "client_name"
           register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(String)
           key = oauth_applications_name_column
+        when "dpop_bound_access_tokens"
+          unless respond_to?(:oauth_applications_dpop_bound_access_tokens_column)
+            register_throw_json_response_error("invalid_client_metadata",
+                                               register_invalid_param_message(key))
+          end
+          request_params[key] = value = convert_to_boolean(key, value)
+
+          key = oauth_applications_dpop_bound_access_tokens_column
         when "require_signed_request_object"
           unless respond_to?(:oauth_applications_require_signed_request_object_column)
             register_throw_json_response_error("invalid_client_metadata",
@@ -291,7 +299,8 @@ module Rodauth
         create_params[oauth_applications_token_endpoint_auth_method_column] ||= begin
           # If unspecified or omitted, the default is "client_secret_basic", denoting the HTTP Basic
           # authentication scheme as specified in Section 2.3.1 of OAuth 2.0.
-          return_params["token_endpoint_auth_method"] = "client_secret_basic"
+          return_params["token_endpoint_auth_method"] =
+            "client_secret_basic"
           "client_secret_basic"
         end
       end

data/lib/rodauth/features/oauth_jwt.rb

@@ -50,23 +50,22 @@ module Rodauth
 
       return @authorization_token if defined?(@authorization_token)
 
-      @authorization_token = begin
-        access_token = fetch_access_token
+      @authorization_token = decode_access_token
+    end
 
-        return unless access_token
+    def decode_access_token(access_token = fetch_access_token)
+      return unless access_token
 
-        jwt_claims = jwt_decode(access_token)
+      jwt_claims = jwt_decode(access_token)
 
-        return unless jwt_claims
+      return unless jwt_claims
 
-        return unless jwt_claims["sub"]
+      return unless jwt_claims["sub"]
 
-        return unless jwt_claims["aud"]
+      return unless jwt_claims["aud"]
 
-        jwt_claims
-      end
+      jwt_claims
     end
-
     # /token
 
     def create_token_from_token(_grant, update_params)

data/lib/rodauth/features/oauth_jwt_base.rb

@@ -167,6 +167,10 @@ module Rodauth
         jwk.thumbprint
       end
 
+      def private_jwk?(jwk)
+        %w[d p q dp dq qi].any?(&jwk.method(:key?))
+      end
+
       def jwt_encode(payload,
                      jwks: nil,
                      headers: {},
@@ -222,6 +226,7 @@ module Rodauth
         verify_jti: true,
         verify_iss: true,
         verify_aud: true,
+        verify_headers: nil,
         **
       )
         jws_key = jws_key.first if jws_key.is_a?(Array)
@@ -272,6 +277,8 @@ module Rodauth
           return
         end
 
+        return if verify_headers && !verify_headers.call(claims.header)
+
         claims
       rescue JSON::JWT::Exception
         nil
@@ -333,6 +340,10 @@ module Rodauth
         JWT::JWK::Thumbprint.new(jwk).generate
       end
 
+      def private_jwk?(jwk)
+        jwk_import(jwk).private?
+      end
+
       def jwt_encode(payload,
                      signing_algorithm: oauth_jwt_keys.keys.first,
                      headers: {}, **)
@@ -394,7 +405,8 @@ module Rodauth
         verify_claims: true,
         verify_jti: true,
         verify_iss: true,
-        verify_aud: true
+        verify_aud: true,
+        verify_headers: nil
       )
         jws_key = jws_key.first if jws_key.is_a?(Array)
 
@@ -421,32 +433,34 @@ module Rodauth
                                end
 
         # decode jwt
-        claims = if is_authorization_server?
-                   if jwks
-                     jwks = jwks[:keys] if jwks.is_a?(Hash)
-
-                     # JWKs may be set up without a KID, when there's a single one
-                     if jwks.size == 1 && !jwks[0][:kid]
-                       key = jwks[0]
-                       algo = key[:alg]
-                       key = JWT::JWK.import(key).keypair
-                       JWT.decode(token, key, true, algorithms: [algo], **verify_claims_params).first
-                     else
-                       algorithms = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-                       JWT.decode(token, nil, true, algorithms: algorithms, jwks: { keys: jwks }, **verify_claims_params).first
-                     end
-                   elsif jws_key
-                     JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params).first
-                   else
-                     JWT.decode(token, jws_key, false, **verify_claims_params).first
-                   end
-                 elsif (jwks = auth_server_jwks_set)
-                   algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-                   JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms, **verify_claims_params).first
-                 end
+        claims, headers = if is_authorization_server?
+                            if jwks
+                              jwks = jwks[:keys] if jwks.is_a?(Hash)
+
+                              # JWKs may be set up without a KID, when there's a single one
+                              if jwks.size == 1 && !jwks[0][:kid]
+                                key = jwks[0]
+                                algo = key[:alg]
+                                key = JWT::JWK.import(key).keypair
+                                JWT.decode(token, key, true, algorithms: [algo], **verify_claims_params)
+                              else
+                                algorithms = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                                JWT.decode(token, nil, true, algorithms: algorithms, jwks: { keys: jwks }, **verify_claims_params)
+                              end
+                            elsif jws_key
+                              JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params)
+                            else
+                              JWT.decode(token, jws_key, false, **verify_claims_params)
+                            end
+                          elsif (jwks = auth_server_jwks_set)
+                            algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                            JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms, **verify_claims_params)
+                          end
 
         return if verify_claims && verify_aud && !verify_aud(claims["aud"], claims["client_id"])
 
+        return if verify_headers && !verify_headers.call(headers)
+
         claims
       rescue JWT::DecodeError, JWT::JWKError
         nil
@@ -504,6 +518,10 @@ module Rodauth
       def jwt_decode(_token, **)
         raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
       end
+
+      def private_jwk?(_jwk)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
       # :nocov:
     end
   end

data/lib/rodauth/features/oauth_resource_indicators.rb

@@ -116,7 +116,7 @@ module Rodauth
 
     module IndicatorIntrospection
       def json_token_introspect_payload(grant)
-        return super unless grant[oauth_grants_id_column]
+        return super unless grant && grant[oauth_grants_id_column]
 
         payload = super
 

data/lib/rodauth/features/oauth_tls_client_auth.rb

@@ -112,9 +112,7 @@ module Rodauth
 
       return claims unless grant_or_claims && grant_or_claims[oauth_grants_certificate_thumbprint_column]
 
-      claims[:cnf] = {
-        "x5t#S256" => grant_or_claims[oauth_grants_certificate_thumbprint_column]
-      }
+      (claims[:cnf] ||= {})["x5t#S256"] = grant_or_claims[oauth_grants_certificate_thumbprint_column]
 
       claims
     end

data/lib/rodauth/features/oauth_token_introspection.rb

@@ -66,7 +66,7 @@ module Rodauth
           scope: grant_or_claims["scope"],
           client_id: grant_or_claims["client_id"],
           username: resource_owner_identifier(grant_or_claims),
-          token_type: "access_token",
+          token_type: oauth_token_type.capitalize,
           exp: grant_or_claims["exp"],
           iat: grant_or_claims["iat"],
           nbf: grant_or_claims["nbf"],
@@ -99,7 +99,7 @@ module Rodauth
     private
 
     def require_oauth_application_for_introspect
-      (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]))
+      (token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1])
 
       return require_oauth_application unless token
 

data/lib/rodauth/features/oidc.rb

@@ -302,10 +302,10 @@ module Rodauth
         # The value is a JSON object listing the requested Claims.
         claims = JSON.parse(claims)
 
-        claims.each do |_, individual_claims|
+        claims.each_value do |individual_claims|
           redirect_response_error("invalid_request") unless individual_claims.is_a?(Hash)
 
-          individual_claims.each do |_, claim|
+          individual_claims.each_value do |claim|
             redirect_response_error("invalid_request") unless claim.nil? || individual_claims.is_a?(Hash)
           end
         end
@@ -419,7 +419,9 @@ module Rodauth
 
         login_cookie_opts = Hash[oauth_prompt_login_cookie_options]
         login_cookie_opts[:value] = "login"
-        login_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_prompt_login_interval) # 15 minutes
+        if oauth_prompt_login_interval
+          login_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_prompt_login_interval) # 15 minutes
+        end
         ::Rack::Utils.set_cookie_header!(response.headers, oauth_prompt_login_cookie_key, login_cookie_opts)
 
         redirect require_login_redirect

data/lib/rodauth/features/oidc_session_management.rb

@@ -35,8 +35,10 @@ module Rodauth
 
       user_agent_state_cookie_opts = Hash[oauth_oidc_user_agent_state_cookie_options]
       user_agent_state_cookie_opts[:value] = oauth_unique_id_generator
-      user_agent_state_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_oidc_user_agent_state_cookie_expires_in)
       user_agent_state_cookie_opts[:secure] = true
+      if oauth_oidc_user_agent_state_cookie_expires_in
+        user_agent_state_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_oidc_user_agent_state_cookie_expires_in)
+      end
       ::Rack::Utils.set_cookie_header!(response.headers, oauth_oidc_user_agent_state_cookie_key, user_agent_state_cookie_opts)
     end
 

data/lib/rodauth/oauth/database_extensions.rb

@@ -14,6 +14,10 @@ module Rodauth
         else
           def __insert_and_return__(dataset, pkey, params)
             id = dataset.insert(params)
+            if params.key?(pkey)
+              # mysql returns 0 when the primary key is a varchar.
+              id = params[pkey]
+            end
             dataset.where(pkey => id).first
           end
         end

data/lib/rodauth/oauth/ttl_store.rb

@@ -35,7 +35,7 @@ class Rodauth::OAuth::TtlStore
       # at the same time, this ensures the first one wins.
       return @store[key][:payload] if @store[key] && @store[key][:ttl] < now
 
-      @store[key] = { payload: payload, ttl: (ttl || (now + DEFAULT_TTL)) }
+      @store[key] = { payload: payload, ttl: ttl || (now + DEFAULT_TTL) }
     end
     @store[key][:payload]
   end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "1.4.0"
+    VERSION = "1.5.0"
   end
 end

data/locales/en.yml

@@ -76,4 +76,14 @@ en:
     oauth_saml_assertion_not_base64_message: "SAML assertion must be in base64 format"
     oauth_saml_assertion_single_issuer_message: "SAML assertion must have a single issuer"
     oauth_saml_settings_not_found_message: "No SAML settings found for issuer"
-    oauth_invalid_id_token_hint_message: "Invalid ID token hint"
+    oauth_invalid_id_token_hint_message: "Invalid ID token hint"
+    translatable_method :oauth_saml_settings_not_found_message: "No SAML settings found for issuer"
+    oauth_invalid_dpop_proof_message: "Invalid DPoP proof"
+    oauth_multiple_dpop_proofs_message: "Multiple DPoP proofs used"
+    oauth_invalid_dpop_jkt_message: "Invalid DPoP JKT"
+    oauth_invalid_dpop_jti_message: "Invalid DPoP jti"
+    oauth_invalid_dpop_htm_message: "Invalid DPoP htm"
+    oauth_invalid_dpop_htu_message: "Invalid DPoP htu"
+    oauth_use_dpop_nonce_message: "DPoP nonce is required"
+    oauth_access_token_dpop_bound_message: "DPoP bound access token requires DPoP proof"
+    oauth_multiple_auth_methods_message: "Multiple methods used to include access token"

data/templates/authorize.str

@@ -96,6 +96,7 @@
         end.join
       end
       }
+    #{"<input type=\"hidden\" name=\"dpop_jkt\" value=\"#{h(rodauth.param("dpop_jkt"))}\"/>" if rodauth.features.include?(:oauth_dpop) && rodauth.param_or_nil("dpop_jkt")}
   </div>
   <p class="text-center">
     <input type="submit" class="btn btn-outline-primary" value="#{h(rodauth.oauth_authorize_button)}"/>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-08 00:00:00.000000000 Z
+date: 2024-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -73,6 +73,7 @@ extra_rdoc_files:
 - doc/release_notes/1_3_1.md
 - doc/release_notes/1_3_2.md
 - doc/release_notes/1_4_0.md
+- doc/release_notes/1_5_0.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -117,6 +118,7 @@ files:
 - doc/release_notes/1_3_1.md
 - doc/release_notes/1_3_2.md
 - doc/release_notes/1_4_0.md
+- doc/release_notes/1_5_0.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -139,6 +141,7 @@ files:
 - lib/rodauth/features/oauth_base.rb
 - lib/rodauth/features/oauth_client_credentials_grant.rb
 - lib/rodauth/features/oauth_device_code_grant.rb
+- lib/rodauth/features/oauth_dpop.rb
 - lib/rodauth/features/oauth_dynamic_client_registration.rb
 - lib/rodauth/features/oauth_grant_management.rb
 - lib/rodauth/features/oauth_implicit_grant.rb