rodauth-oauth 1.5.0 → 1.6.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/doc/release_notes/1_6_0.md +18 -0
- data/lib/rodauth/features/oauth_jwt.rb +12 -3
- data/lib/rodauth/features/oidc.rb +5 -1
- data/lib/rodauth/oauth/version.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9fc6216412a63e6ce3b6beecf2d476b50b8e3445026927ce40cdc649023c1b15
|
|
4
|
+
data.tar.gz: d5f2f5ea24ade170615894f352a28ed428fac7a0bb39db4506d8343ead0c2e07
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 984a083c4e8814244c8566106a757095ae046b049ad76c6fa2947e5a7d12b0bc63c5fba621c1a0674e3deb4246a7f09d228ee51bb0e4f16a81c25bcd1a28d04c
|
|
7
|
+
data.tar.gz: 0aafc4b37f059b134ce08940d8e38d9ed3afb577e80c790b646c45ce0792ba6d833582ac53c036f9449ee3b130f77e4f5fc9098ce1ed3614b969dd78219eecba
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
# 1.6.0
|
|
2
|
+
|
|
3
|
+
## Improvements
|
|
4
|
+
|
|
5
|
+
### "at+jwt" and "id_token+jwt" ty header in JWT tokens
|
|
6
|
+
|
|
7
|
+
In order to distinguish/identify tokens, JWT access tokens generated by the `oauth_jwt` feature will contain the "at+jwt" value in the "typ" header (which follows the [recomendation in the RFC](https://datatracker.ietf.org/doc/html/rfc9068#section-2.1)), whereas ID tokens generated by the `oidc` feature will contain the "id_token+jwt" value in the "typ" header (there is no official recommendation, but some providers are using this).
|
|
8
|
+
|
|
9
|
+
**Note**: This header will also be used to validate access tokens. This means that, once you upgrade, **access tokens generated prior to the upgrade won't be usable anymore**. In order to mitigate this and smoothen the upgrade process, disable header verification for a period greater than the access token expiration time in your application (controlled by the `oauth_access_token_expires_in` auth value method, 60 minutes by default); this will allow older access tokens to expire. You can so by overriding the `verify_access_token_headers` auth method:
|
|
10
|
+
|
|
11
|
+
```ruby
|
|
12
|
+
|
|
13
|
+
rodauth do
|
|
14
|
+
enable :oauth_jwt # or :oidc
|
|
15
|
+
oauth_access_token_expires_in 60 * 60
|
|
16
|
+
|
|
17
|
+
verify_access_token_headers { } # do nothing
|
|
18
|
+
end
|
|
@@ -9,7 +9,10 @@ module Rodauth
|
|
|
9
9
|
|
|
10
10
|
auth_value_method :oauth_jwt_access_tokens, true
|
|
11
11
|
|
|
12
|
-
auth_methods(
|
|
12
|
+
auth_methods(
|
|
13
|
+
:jwt_claims,
|
|
14
|
+
:verify_access_token_headers
|
|
15
|
+
)
|
|
13
16
|
|
|
14
17
|
def require_oauth_authorization(*scopes)
|
|
15
18
|
return super unless oauth_jwt_access_tokens
|
|
@@ -53,10 +56,14 @@ module Rodauth
|
|
|
53
56
|
@authorization_token = decode_access_token
|
|
54
57
|
end
|
|
55
58
|
|
|
59
|
+
def verify_access_token_headers(headers)
|
|
60
|
+
headers["typ"] == "at+jwt"
|
|
61
|
+
end
|
|
62
|
+
|
|
56
63
|
def decode_access_token(access_token = fetch_access_token)
|
|
57
64
|
return unless access_token
|
|
58
65
|
|
|
59
|
-
jwt_claims = jwt_decode(access_token)
|
|
66
|
+
jwt_claims = jwt_decode(access_token, verify_headers: method(:verify_access_token_headers))
|
|
60
67
|
|
|
61
68
|
return unless jwt_claims
|
|
62
69
|
|
|
@@ -94,7 +101,9 @@ module Rodauth
|
|
|
94
101
|
# token data.
|
|
95
102
|
claims[:scope] = oauth_grant[oauth_grants_scopes_column]
|
|
96
103
|
|
|
97
|
-
|
|
104
|
+
# RFC8725 section 3.11: Use Explicit Typing
|
|
105
|
+
# RFC9068 section 2.1 : The "typ" value used SHOULD be "at+jwt".
|
|
106
|
+
jwt_encode(claims, headers: { typ: "at+jwt" })
|
|
98
107
|
end
|
|
99
108
|
|
|
100
109
|
def _generate_access_token(*)
|
|
@@ -545,7 +545,11 @@ module Rodauth
|
|
|
545
545
|
jwks: oauth_application_jwks(oauth_application),
|
|
546
546
|
signing_algorithm: signing_algorithm,
|
|
547
547
|
encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
|
|
548
|
-
encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
|
|
548
|
+
encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column],
|
|
549
|
+
|
|
550
|
+
# Not officially part of the spec, but some providers follow this convention.
|
|
551
|
+
# This is useful for distinguishing between ID Tokens and JWT Access Tokens.
|
|
552
|
+
headers: { typ: "id_token+jwt" }
|
|
549
553
|
}.compact
|
|
550
554
|
|
|
551
555
|
oauth_grant[:id_token] = jwt_encode(id_claims, **params)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth-oauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tiago Cardoso
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-04-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rodauth
|
|
@@ -74,6 +74,7 @@ extra_rdoc_files:
|
|
|
74
74
|
- doc/release_notes/1_3_2.md
|
|
75
75
|
- doc/release_notes/1_4_0.md
|
|
76
76
|
- doc/release_notes/1_5_0.md
|
|
77
|
+
- doc/release_notes/1_6_0.md
|
|
77
78
|
files:
|
|
78
79
|
- CHANGELOG.md
|
|
79
80
|
- LICENSE.txt
|
|
@@ -119,6 +120,7 @@ files:
|
|
|
119
120
|
- doc/release_notes/1_3_2.md
|
|
120
121
|
- doc/release_notes/1_4_0.md
|
|
121
122
|
- doc/release_notes/1_5_0.md
|
|
123
|
+
- doc/release_notes/1_6_0.md
|
|
122
124
|
- lib/generators/rodauth/oauth/install_generator.rb
|
|
123
125
|
- lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
|
|
124
126
|
- lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
|