standard_id 0.2.4 → 0.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 144da6f9e7281b9b22e80c7ecdee847eb8d41f85571ab07846558f9ee565df83
-  data.tar.gz: 5e3bdb2356d73520039fa35387a49beb55fe34501a5787510ff0359a4143470e
+  metadata.gz: '088c979a8207e9ed4cf6cdeec8a679985271bea03989b3feeaa187bf28df95f4'
+  data.tar.gz: 0aee93fe07e01a10c1c5133bffac61dae72f59933999c279f1fb54ee178e27e0
 SHA512:
-  metadata.gz: 2b6daa2a3da9c30167cb2648c3adce23613913226c56a722106e5fc924631ee666c444273cfd5f1e603f16f6026d29183521704c947683c4cb011250c2af23e5
-  data.tar.gz: a70e979d184c85620203291f1a67521342b2b7bb130814ecdb96f2eef384c233d5e285e557f59c6d6ac49a4512e71b7e112a1f13b73d3ce2e9b50876d6b501b2
+  metadata.gz: 0ea65251e2b8a5599ee837d0e35ce8204ae5c98fd701fbba18fa2e53b34450af6d30fb54b89149c3539ffefbdadc60a93db9688b94469df08957a307ce62884a
+  data.tar.gz: bf4af5c23d299ff9488b44a4f5e3a30c59f892a155d4ca01491fb6c3b434946ba43d967f8e2e8c4d4ea4cdaa811d855bebfa8d4632430c7f779339475bdb6004

data/app/controllers/standard_id/api/well_known/jwks_controller.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module StandardId
+  module Api
+    module WellKnown
+      class JwksController < ActionController::API
+        def show
+          jwks = StandardId::JwtService.jwks
+
+          if jwks.nil?
+            render json: { error: "JWKS not available" }, status: :not_found
+            return
+          end
+
+          response.headers["Cache-Control"] = "public, max-age=3600"
+          render json: jwks
+        end
+      end
+    end
+  end
+end

data/config/routes/api.rb

@@ -19,5 +19,9 @@ StandardId::ApiEngine.routes.draw do
         post ":provider", to: "providers#callback", as: :provider
       end
     end
+
+    scope ".well-known", module: :well_known do
+      get "jwks.json", to: "jwks#show", as: :jwks
+    end
   end
 end

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -8,6 +8,10 @@ StandardId.configure do |c|
   # c.logger = Rails.logger
   # c.web_layout = "application"
 
+  # JWT issuer claim (iss) - typically your application's URL
+  # Used in JWT tokens and verified on decode when set
+  # c.issuer = "https://auth.example.com"
+
   # Inertia.js support (requires inertia_rails gem)
   # When enabled, StandardId web controllers will render Inertia components
   # instead of ERB views. You must create the corresponding components in your
@@ -44,8 +48,38 @@ StandardId.configure do |c|
   #   email: ->(account:) { account.email },
   #   display_name: ->(account:, client:) {
   #     "#{account.name} for #{client.client_id}"
+  #   },
+  #   profile_id: ->(account:, audience:) {
+  #     account.profiles.find_by(type: audience)&.id
   #   }
   # }
+  # c.oauth.allowed_audiences = %w[web mobile admin] # Empty = no validation
+
+  # JWT Signing Configuration (Asymmetric Algorithms)
+  # By default, JWTs are signed with HS256 using Rails.application.secret_key_base.
+  # For asymmetric signing, configure a private key and expose the public key
+  # via the JWKS endpoint at /.well-known/jwks.json
+  #
+  # Algorithm choices:
+  #   ES256 (ECDSA) - Recommended for new projects. Smaller keys, faster, modern.
+  #   RS256 (RSA)   - Wider compatibility with older systems.
+  #
+  # Generate keys:
+  #   ES256: openssl ecparam -name prime256v1 -genkey -noout -out signing_key.pem
+  #   RS256: openssl genrsa -out signing_key.pem 2048
+  #
+  # Option 1: Rails credentials (recommended)
+  # c.oauth.signing_algorithm = :es256
+  # c.oauth.signing_key = Rails.application.credentials.dig(:standard_id, :signing_key)
+  #
+  # Option 2: Environment variable (replace literal \n with newlines)
+  # Convert PEM to env-safe format: awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' signing_key.pem
+  # c.oauth.signing_algorithm = :es256
+  # c.oauth.signing_key = ENV["JWT_SIGNING_KEY"]&.gsub('\n', "\n")
+  #
+  # Option 3: File path
+  # c.oauth.signing_algorithm = :es256
+  # c.oauth.signing_key = Rails.root.join("config/signing_key.pem")
 
   # Events
   # Enable or disable logging emitted via the internal event system

data/lib/standard_id/config/schema.rb

@@ -50,6 +50,17 @@ StandardConfig.schema.draw do
     field :client_secret, type: :string, default: nil
     field :scope_claims, type: :hash, default: -> { {} }
     field :claim_resolvers, type: :hash, default: -> { {} }
+    field :allowed_audiences, type: :array, default: -> { [] } # Empty = no validation, any audience allowed
+
+    # JWT signing configuration (for asymmetric algorithms)
+    # If nil, uses HS256 with Rails.application.secret_key_base
+    field :signing_key, type: :any, default: nil
+
+    # Signing algorithm (see JwtService::SUPPORTED_ALGORITHMS for full list)
+    # Symmetric (HMAC): :hs256, :hs384, :hs512
+    # Asymmetric (RSA): :rs256, :rs384, :rs512
+    # Asymmetric (ECDSA): :es256, :es384, :es512
+    field :signing_algorithm, type: :symbol, default: :hs256
   end
 
   scope :social do

data/lib/standard_id/jwt_service.rb

@@ -1,11 +1,30 @@
 require "jwt"
 require "concurrent/delay"
+require "openssl"
+require "digest"
 
 module StandardId
   class JwtService
-    ALGORITHM = "HS256"
     RESERVED_JWT_KEYS = %i[sub client_id scope grant_type exp iat aud iss nbf jti]
-    BASE_SESSION_FIELDS = %i[account_id client_id scopes grant_type]
+    BASE_SESSION_FIELDS = %i[account_id client_id scopes grant_type aud]
+
+    # Supported signing algorithms categorized by type
+    # Symmetric: use shared secret (Rails.application.secret_key_base)
+    # Asymmetric: use key pairs (RSA or EC private key)
+    SUPPORTED_ALGORITHMS = {
+      # HMAC (symmetric)
+      "HS256" => { type: :symmetric },
+      "HS384" => { type: :symmetric },
+      "HS512" => { type: :symmetric },
+      # RSA (asymmetric)
+      "RS256" => { type: :asymmetric, key_class: OpenSSL::PKey::RSA },
+      "RS384" => { type: :asymmetric, key_class: OpenSSL::PKey::RSA },
+      "RS512" => { type: :asymmetric, key_class: OpenSSL::PKey::RSA },
+      # ECDSA (asymmetric)
+      "ES256" => { type: :asymmetric, key_class: OpenSSL::PKey::EC },
+      "ES384" => { type: :asymmetric, key_class: OpenSSL::PKey::EC },
+      "ES512" => { type: :asymmetric, key_class: OpenSSL::PKey::EC }
+    }.freeze
 
     SESSION_CLASS = Concurrent::Delay.new do
       Struct.new(*(BASE_SESSION_FIELDS + claim_resolver_keys), keyword_init: true) do
@@ -19,17 +38,73 @@ module StandardId
       SESSION_CLASS.value
     end
 
+    def self.algorithm
+      StandardId.config.oauth.signing_algorithm.to_s.upcase
+    end
+
+    def self.algorithm_config
+      SUPPORTED_ALGORITHMS[algorithm] || raise(ArgumentError, "Unsupported algorithm: #{algorithm}. Supported: #{SUPPORTED_ALGORITHMS.keys.join(', ')}")
+    end
+
+    def self.asymmetric?
+      algorithm_config[:type] == :asymmetric
+    end
+
+    def self.signing_key
+      if asymmetric?
+        @signing_key_cache ||= parse_private_key(StandardId.config.oauth.signing_key)
+      else
+        Rails.application.secret_key_base
+      end
+    end
+
+    def self.verification_key
+      if asymmetric?
+        key = signing_key
+        # For EC keys, the key itself can be used for verification
+        # For RSA keys, we extract the public key
+        key.is_a?(OpenSSL::PKey::EC) ? key : key.public_key
+      else
+        Rails.application.secret_key_base
+      end
+    end
+
+    def self.key_id
+      return nil unless asymmetric?
+
+      # Generate stable key ID from public key fingerprint
+      # Use public_to_pem which works for both RSA and EC keys
+      @key_id ||= Digest::SHA256.hexdigest(signing_key.public_to_pem)[0..7]
+    end
+
+    def self.reset_cached_key!
+      @key_id = nil
+      @signing_key_cache = nil
+      @jwks = nil
+    end
+
     def self.encode(payload, expires_in: 1.hour)
       payload[:exp] = expires_in.from_now.to_i
       payload[:iat] = Time.current.to_i
+      payload[:iss] ||= StandardId.config.issuer if StandardId.config.issuer.present?
+
+      headers = {}
+      headers[:kid] = key_id if asymmetric?
 
-      JWT.encode(payload, secret_key, ALGORITHM)
+      JWT.encode(payload, signing_key, algorithm, headers)
     end
 
     def self.decode(token)
-      decoded = JWT.decode(token, secret_key, true, { algorithm: ALGORITHM })
+      options = { algorithm: algorithm }
+
+      if StandardId.config.issuer.present?
+        options[:iss] = StandardId.config.issuer
+        options[:verify_iss] = true
+      end
+
+      decoded = JWT.decode(token, verification_key, true, options)
       decoded.first.with_indifferent_access
-    rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidIatError
+    rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidIatError, JWT::InvalidIssuerError
       nil
     end
 
@@ -49,13 +124,26 @@ module StandardId
         client_id: payload[:client_id],
         scopes: scopes,
         grant_type: payload[:grant_type],
+        aud: payload[:aud]
       )
     end
 
+    def self.jwks
+      return nil unless asymmetric?
+
+      @jwks ||= begin
+        jwk = JWT::JWK.new(verification_key, kid: key_id)
+        { keys: [jwk.export] }
+      end
+    end
+
     private
 
-    def self.secret_key
-      Rails.application.secret_key_base
+    def self.parse_private_key(key_source)
+      pem = key_source.is_a?(Pathname) ? File.read(key_source) : key_source
+      key_class = algorithm_config[:key_class]
+
+      key_class.new(pem)
     end
 
     def self.claim_resolver_keys

data/lib/standard_id/oauth/authorization_code_flow.rb

@@ -66,6 +66,10 @@ module StandardId
       def token_account
         @authorization_code&.account
       end
+
+      def audience
+        @authorization_code&.audience
+      end
     end
   end
 end

data/lib/standard_id/oauth/refresh_token_flow.rb

@@ -41,6 +41,11 @@ module StandardId
         true
       end
 
+      # Audience is bound to the refresh token - cannot be changed on refresh
+      def audience
+        @refresh_payload[:aud]
+      end
+
       def validate_scope_narrowing!
         return unless params[:scope].present?
 

data/lib/standard_id/oauth/token_grant_flow.rb

@@ -35,6 +35,7 @@ module StandardId
       end
 
       def generate_token_response
+        validate_audience!
         emit_token_issuing
         expires_in = token_expiry
         payload = build_jwt_payload(expires_in)
@@ -77,8 +78,9 @@ module StandardId
           sub: subject_id,
           client_id: client_id,
           scope: token_scope,
+          aud: audience,
           grant_type: "refresh_token"
-        }
+        }.compact
         StandardId::JwtService.encode(payload, expires_in: refresh_token_expiry)
       end
 
@@ -110,6 +112,20 @@ module StandardId
         params[:audience]
       end
 
+      def validate_audience!
+        allowed = StandardId.config.oauth.allowed_audiences
+        return if allowed.blank? # No restriction configured
+        return if audience.blank? # Audience not provided (optional)
+
+        # aud can be string or array per JWT spec
+        requested = Array(audience)
+        invalid = requested - allowed
+
+        if invalid.any?
+          raise StandardId::InvalidRequestError, "Invalid audience: #{invalid.join(', ')}"
+        end
+      end
+
       def claims_from_scope_mapping
         scope_claims = StandardId.config.oauth.scope_claims.with_indifferent_access
         resolvers = StandardId.config.oauth.claim_resolvers.with_indifferent_access
@@ -152,7 +168,8 @@ module StandardId
         @claim_resolvers_context ||= {
           client: token_client,
           account: token_account,
-          request: request
+          request: request,
+          audience: audience
         }
       end
 

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.2.4"
+  VERSION = "0.2.6"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.2.6
 platform: ruby
 authors:
 - Jaryl Sim
@@ -80,6 +80,7 @@ files:
 - app/controllers/standard_id/api/oidc/logout_controller.rb
 - app/controllers/standard_id/api/passwordless_controller.rb
 - app/controllers/standard_id/api/userinfo_controller.rb
+- app/controllers/standard_id/api/well_known/jwks_controller.rb
 - app/controllers/standard_id/web/account_controller.rb
 - app/controllers/standard_id/web/auth/callback/providers_controller.rb
 - app/controllers/standard_id/web/base_controller.rb