token_authority 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 957552579a7b93218cdad9471e5687ee985cda61315660e1f49f1d6de250f765
-  data.tar.gz: 188821e48e11150b811a4a79011fd8989881723012f5fa225d642f0b186ca14a
+  metadata.gz: c0e6a0810b0a8015aea5ada0e1bbb87596875c7641042281dac811fb3fc8bf0c
+  data.tar.gz: 76eda2d8230aca93850b6e025c0be79cfac68da48159bbcb7f34e9f102229649
 SHA512:
-  metadata.gz: 93d1c243a6cc29f607cf614d919b356eb94da68418fe4e5948034241b3e8b520fcf472bf7a02239be9a25738684412d4e05710174e54972c34233083532f407a
-  data.tar.gz: 915b69065cbc0eb9d7532ae063d637f4be7e99d1639103c6516e0d15939e12c6e71c20a472e92ad08b170c2f4ce68018d25e2d456fe76a92097e73a9879addaf
+  metadata.gz: '069ecd5dc4b50ca9929192ea6d22084db1e5019fa4df90ebcacbc900f4385d88452f3abc108deaa3ce29a88a7c212095dbfc4f056968409983189c0f97292130'
+  data.tar.gz: 45ae89f8b90abffacc828544b9c910c40801cf93b65ce5a362faa28b01a242a565233d771f1a56b64e82765a89452ec4a45aacab42ce7883d98b120dbc11c3aa

data/CHANGELOG.md

@@ -0,0 +1,23 @@
+## [Unreleased]
+
+## [0.2.0] - 2025-01-23
+
+- Implemented support for OAuth 2.1 authorization flows and JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068).
+- Implemented support for OAuth 2.0 Authorization Server Metadata (RFC 8414).
+- Implemented support for OAuth 2.0 Protected Resource Metadata (RFC 9728).
+- Implemented support for OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591).
+- Implemented support for OAuth Client ID Metadata Documents.
+- Implemented support for OAuth 2.0 Resource Indicators (RFC 8707).
+- Implemented configuration.
+- Implemented install generator with templates.
+- Implemented structured event logging.
+- Implemented instrumentation.
+- Added documentation.
+
+## [0.1.0] - 2026-01-19
+
+- Initial release
+
+[Unreleased]: https://github.com/dickdavis/token_authority/compare/v0.2.0...HEAD
+[0.2.0]: https://github.com/dickdavis/token_authority/compare/v0.1.0...v0.2.0
+[0.1.0]: https://github.com/dickdavis/token_authority/releases/tag/v0.1.0

data/README.md

@@ -1,28 +1,220 @@
 # TokenAuthority
-Short description and motivation.
+
+Rails engine allowing apps to act as their own OAuth 2.1 provider. The goal of this project is to make authorization dead simple for MCP server developers.
+
+This project aims to implement the OAuth standards specified in the [MCP Authorization Specification](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#standards-compliance).
+
+| Status | Standard |
+|--------|----------|
+| ✅ | [OAuth 2.1 IETF DRAFT](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13) |
+| ✅ | [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068)](https://datatracker.ietf.org/doc/html/rfc9068) |
+| ✅ | [OAuth 2.0 Authorization Server Metadata (RFC 8414)](https://datatracker.ietf.org/doc/html/rfc8414) |
+| ✅ | [OAuth 2.0 Protected Resource Metadata (RFC 9728)](https://datatracker.ietf.org/doc/html/rfc9728) |
+| ✅ | [OAuth 2.0 Resource Indicators (RFC 8707)](https://datatracker.ietf.org/doc/html/rfc8707) |
+| ✅ | [OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)](https://datatracker.ietf.org/doc/html/rfc7591) |
+| ✅ | [OAuth Client ID Metadata Documents](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00) |
 
 ## Usage
-How to use my plugin.
 
-## Installation
+TokenAuthority is simple to install and configure.
+
+### Installation
+
 Add this line to your application's Gemfile:
 
 ```ruby
 gem "token_authority"
 ```
 
-And then execute:
+Install the gem, generate the required set-up files, and run the migration:
+
 ```bash
 $ bundle
+$ bin/rails generate token_authority:install
+$ bin/rails db:migrate
 ```
 
-Or install it yourself as:
+See the [Installation Guide](https://github.com/dickdavis/token_authority/wiki/Installation-Guide) for generator options and custom configurations.
+
+### Configuration
+
+Configure TokenAuthority in the generated initializer. The following represents a minimal configuration:
+
+```ruby
+# config/initializers/token_authority.rb
+TokenAuthority.configure do |config|
+  # The secret key used for encryption/decryption
+  config.secret_key = Rails.application.credentials.secret_key_base
+  # The URI for the protected resource (to be included in tokens and metadata)
+  config.rfc_9068_audience_url = "https://example.com/api/"
+  # The URI for the authorization server (to be included in tokens and metadata)
+  config.rfc_9068_issuer_url = "https://example.com/"
+  # Define available scopes and their descriptions (shown on consent screen)
+  config.scopes = {
+    "read" => "Read your data",
+    "write" => "Create and modify your data",
+    "delete" => "Delete your data"
+  }
+end
+```
+
+See the [Configuration Reference](https://github.com/dickdavis/token_authority/wiki/Configuration-Reference) for all available options.
+
+### Mount the Engine
+
+Add the engine routes to your `config/routes.rb`:
+
+```ruby
+Rails.application.routes.draw do
+  token_authority_routes
+end
+```
+
+This exposes:
+- RFC 8414 Authorization Server Metadata at `/.well-known/oauth-authorization-server`
+- RFC 9728 Protected Resource Metadata at `/.well-known/oauth-protected-resource`
+- OAuth endpoints at `/oauth/authorize`, `/oauth/token`, etc.
+
+To mount the engine at a different path, use the `at` option:
+
+```ruby
+Rails.application.routes.draw do
+  token_authority_routes(at: "/auth")
+end
+```
+
+### User Consent
+
+Before issuing authorization codes, TokenAuthority displays a consent screen where users can approve or deny access to OAuth clients. The consent views are fully customizable and the layout is configurable—see [Customizing Views](https://github.com/dickdavis/token_authority/wiki/Customizing-Views) for details.
+
+The consent screen requires user authentication. Your `authenticatable_controller` must provide two methods:
+
+- `authenticate_user!` - Ensures the user is logged in (redirects to login if not)
+- `current_user` - Returns the authenticated user
+
+If you use [Devise](https://github.com/heartcombo/devise), these methods are already available on `ApplicationController`. For other authentication systems, see [User Authentication](https://github.com/dickdavis/token_authority/wiki/User-Authentication).
+
+### Protecting API Endpoints
+
+Use the `TokenAuthentication` concern to validate access tokens:
+
+```ruby
+class Api::V1::UsersController < ActionController::API
+  include TokenAuthority::TokenAuthentication
+
+  before_action :require_read_scope
+
+  def current
+    render json: { id: token_user.id, email: token_user.email }
+  end
+
+  private
+
+  def require_read_scope
+    return if token_scope.include?("read")
+
+    render json: { error: "insufficient_scope" }, status: :forbidden
+  end
+end
+```
+
+The concern automatically validates the access token on every request and provides:
+- `token_user` - Returns the authenticated user
+- `token_scope` - Returns an array of scope tokens (e.g., `["read", "write"]`), or `[]` if no scopes
+
+See [Protecting API Endpoints](https://github.com/dickdavis/token_authority/wiki/Protecting-API-Endpoints) for error handling details.
+
+### Event Logging
+
+TokenAuthority emits structured events using Rails 8.1's event reporting system for monitoring, debugging, and auditing. Events cover the full OAuth lifecycle:
+
+- Authorization requests and consent
+- Token exchanges, refreshes, and revocations
+- Client and token authentication
+- Security events (e.g., token theft detection)
+
+Event logging is enabled by default. Events are automatically logged to `Rails.logger`:
+
+```
+[TokenAuthority] token_authority.authorization.request.received client_id="..." client_type="public" ...
+[TokenAuthority] token_authority.token.exchange.completed client_id="..." user_id=42 session_id=1 ...
+[TokenAuthority] token_authority.security.token.theft_detected client_id="..." user_id=42 ...
+```
+
+See [Event Logging](https://github.com/dickdavis/token_authority/wiki/Event-Logging) for the full event reference and custom subscriber examples.
+
+### Instrumentation
+
+TokenAuthority emits `ActiveSupport::Notifications` instrumentation events for performance monitoring. These events provide timing data that APM tools (New Relic, Datadog, Skylight) automatically capture.
+
+Instrumentation is enabled by default. Events are automatically logged to `Rails.logger`:
+
+```
+[TokenAuthority::Instrumentation] token_authority.session.create (15.2ms)
+[TokenAuthority::Instrumentation] token_authority.jwt.encode (0.4ms) token_size=312
+[TokenAuthority::Instrumentation] token_authority.client.resolve (0.5ms) client_type="registered"
+```
+
+See [Instrumentation](https://github.com/dickdavis/token_authority/wiki/Instrumentation) for the full event reference and custom subscriber examples.
+
+### Learn More
+
+- [Installation Guide](https://github.com/dickdavis/token_authority/wiki/Installation-Guide) - Generator options, custom table names
+- [Configuration Reference](https://github.com/dickdavis/token_authority/wiki/Configuration-Reference) - All configuration options
+- [User Authentication](https://github.com/dickdavis/token_authority/wiki/User-Authentication) - Custom authentication setups
+- [Protecting API Endpoints](https://github.com/dickdavis/token_authority/wiki/Protecting-API-Endpoints) - Error handling, validation details
+- [Customizing Views](https://github.com/dickdavis/token_authority/wiki/Customizing-Views) - Styling consent screens
+- [Event Logging](https://github.com/dickdavis/token_authority/wiki/Event-Logging) - Structured events for monitoring
+- [Instrumentation](https://github.com/dickdavis/token_authority/wiki/Instrumentation) - Performance monitoring with ActiveSupport::Notifications
+
+## Development
+
+Clone the repository and install dependencies:
+
+```bash
+git clone https://github.com/dickdavis/token-authority.git
+cd token-authority
+bundle install
+```
+
+Set up git hooks:
+
+```bash
+bundle exec lefthook install
+```
+
+Run the test suite:
+
+```bash
+bundle exec rspec
+```
+
+Run the linter:
+
 ```bash
-$ gem install token_authority
+bundle exec standardrb
 ```
 
+Generate documentation:
+
+```bash
+bundle exec yard
+```
+
+For manual testing with the dummy app, see [Manual Testing](https://github.com/dickdavis/token_authority/wiki/Manual-Testing).
+
+### Releasing
+
+1. Update the version number in `lib/token_authority/version.rb`
+2. Commit the version change: `git commit -am "Bump version to X.Y.Z"`
+3. Run the release task: `rake release`
+
+This will create a git tag, push the tag to GitHub, and publish the gem to RubyGems.
+
 ## Contributing
-Contribution directions go here.
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/dickdavis/token-authority.
 
 ## License
+
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/app/controllers/concerns/token_authority/client_authentication.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  # Provides OAuth client authentication for controllers.
+  #
+  # This concern handles authentication of OAuth clients during authorization
+  # and token requests. It supports both confidential clients (using HTTP Basic
+  # authentication with client_id and client_secret) and public clients (using
+  # only client_id).
+  #
+  # The concern automatically:
+  # - Resolves client_id to either a registered Client or URL-based ClientMetadataDocument
+  # - Validates HTTP Basic credentials for confidential clients
+  # - Emits authentication events for monitoring and security auditing
+  # - Handles authentication errors with appropriate HTTP responses
+  #
+  # @example Using in a controller
+  #   class MyController < ApplicationController
+  #     include TokenAuthority::ClientAuthentication
+  #
+  #     before_action :authenticate_client
+  #
+  #     def my_action
+  #       # @token_authority_client is now available
+  #     end
+  #   end
+  #
+  # @since 0.2.0
+  module ClientAuthentication
+    extend ActiveSupport::Concern
+
+    included do
+      include ActionController::HttpAuthentication::Basic::ControllerMethods
+      include TokenAuthority::ControllerEventLogging
+
+      rescue_from TokenAuthority::ClientMismatchError do
+        notify_event("authentication.client.failed",
+          client_id: params[:client_id],
+          failure_reason: "client_mismatch",
+          auth_method_attempted: "http_basic")
+
+        render plain: "HTTP Basic: Access denied.", status: :unauthorized
+      end
+
+      rescue_from TokenAuthority::ClientNotFoundError do
+        notify_event("authentication.client.failed",
+          client_id: params[:client_id],
+          failure_reason: "client_not_found",
+          auth_method_attempted: "http_basic")
+
+        render plain: "HTTP Basic: Access denied.", status: :unauthorized
+      end
+    end
+
+    private
+
+    # Authenticates an OAuth client.
+    #
+    # Public clients are authenticated by client_id alone. Confidential clients
+    # must provide valid credentials via HTTP Basic authentication.
+    #
+    # Sets @token_authority_client instance variable on successful authentication.
+    #
+    # @param id [String, nil] the client_id (uses params[:client_id] if not provided)
+    #
+    # @return [void]
+    #
+    # @raise [TokenAuthority::ClientMismatchError] if HTTP Basic credentials don't match params
+    # @raise [TokenAuthority::ClientNotFoundError] if client cannot be found
+    #
+    # @api private
+    def authenticate_client(id: nil)
+      client_id = id || params[:client_id]
+      load_token_authority_client(id: client_id)
+
+      if @token_authority_client.present? && @token_authority_client.public_client_type?
+        notify_event("authentication.client.succeeded",
+          client_id: @token_authority_client.public_id,
+          client_type: @token_authority_client.client_type,
+          auth_method: "public_client")
+        return
+      end
+
+      if http_basic_auth_successful?
+        notify_event("authentication.client.succeeded",
+          client_id: @token_authority_client.public_id,
+          client_type: @token_authority_client.client_type,
+          auth_method: "http_basic")
+        return
+      end
+
+      notify_event("authentication.client.failed",
+        client_id: client_id,
+        failure_reason: "missing_credentials",
+        auth_method_attempted: "none")
+
+      request_http_basic_authentication
+    end
+
+    # Loads the client by ID using the ClientIdResolver.
+    #
+    # Sets @token_authority_client to nil if client is not found.
+    #
+    # @param id [String, nil] the client identifier
+    #
+    # @return [void]
+    # @api private
+    def load_token_authority_client(id: nil)
+      @token_authority_client = TokenAuthority::ClientIdResolver.resolve(id)
+    rescue TokenAuthority::ClientNotFoundError
+      @token_authority_client = nil
+    end
+
+    # Attempts to authenticate using HTTP Basic credentials.
+    #
+    # Verifies that the client_id in Basic auth matches params[:client_id] if present,
+    # and validates the client_secret.
+    #
+    # @return [Boolean] true if authentication succeeds
+    #
+    # @raise [TokenAuthority::ClientMismatchError] if IDs don't match
+    # @raise [TokenAuthority::ClientNotFoundError] if client not found
+    # @api private
+    def http_basic_auth_successful?
+      authenticate_with_http_basic do |public_id, client_secret|
+        @token_authority_client = TokenAuthority::Client.find_by(public_id:)
+        raise TokenAuthority::ClientNotFoundError if @token_authority_client.blank?
+        raise TokenAuthority::ClientMismatchError if params.key?(:client_id) && params[:client_id] != @token_authority_client.public_id
+
+        authenticated = @token_authority_client.authenticate_with_secret(client_secret)
+        unless authenticated
+          notify_event("authentication.client.failed",
+            client_id: public_id,
+            failure_reason: "invalid_secret",
+            auth_method_attempted: "http_basic")
+        end
+        authenticated
+      end
+    end
+  end
+end

data/app/controllers/concerns/token_authority/controller_event_logging.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  # Provides structured event logging for controller classes.
+  #
+  # This concern extends event logging for use in controllers by automatically
+  # including the request ID in all event payloads. This enables correlation
+  # of events across the request lifecycle.
+  #
+  # Unlike the model EventLogging concern, this version automatically extracts
+  # request_id from the controller's request object, eliminating the need to
+  # manually pass it.
+  #
+  # @example Using in a controller
+  #   class AuthorizationsController < ApplicationController
+  #     include TokenAuthority::ControllerEventLogging
+  #
+  #     def authorize
+  #       notify_event("authorization.request.received",
+  #         client_id: params[:client_id],
+  #         redirect_uri: params[:redirect_uri])
+  #     end
+  #   end
+  #
+  # @since 0.2.0
+  module ControllerEventLogging
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_event_logging_enabled, default: true
+    end
+
+    private
+
+    # Emits a production-level event with automatic request ID.
+    #
+    # The request_id is automatically extracted from the current request
+    # for correlation across the request lifecycle.
+    #
+    # @param event_name [String] the event name (will be prefixed with "token_authority.")
+    # @param payload [Hash] additional event data
+    #
+    # @return [void]
+    #
+    # @example
+    #   notify_event("authorization.request.received",
+    #     client_id: params[:client_id],
+    #     has_pkce: params[:code_challenge].present?)
+    def notify_event(event_name, **payload)
+      return unless event_logging_enabled?
+
+      full_payload = build_controller_payload(payload)
+      Rails.event.notify("token_authority.#{event_name}", **full_payload)
+    end
+
+    # Emits a debug-level event with automatic request ID.
+    #
+    # Debug events are only emitted when both event_logging_enabled and
+    # event_logging_debug_events are true.
+    #
+    # @param event_name [String] the event name (will be prefixed with "token_authority.")
+    # @param payload [Hash] additional event data
+    #
+    # @return [void]
+    def debug_event(event_name, **payload)
+      return unless event_logging_enabled?
+      return unless debug_events_enabled?
+
+      full_payload = build_controller_payload(payload)
+      Rails.event.debug("token_authority.#{event_name}", **full_payload)
+    end
+
+    # Checks if event logging is enabled.
+    # @return [Boolean]
+    # @api private
+    def event_logging_enabled?
+      _event_logging_enabled && TokenAuthority.config.event_logging_enabled
+    end
+
+    # Checks if debug events are enabled.
+    # @return [Boolean]
+    # @api private
+    def debug_events_enabled?
+      TokenAuthority.config.event_logging_debug_events
+    end
+
+    # Builds the event payload with timestamp and request_id.
+    #
+    # @param payload [Hash] the base payload
+    # @return [Hash] the enriched payload
+    # @api private
+    def build_controller_payload(payload)
+      base = {timestamp: Time.current.iso8601(6)}
+      base[:request_id] = request.request_id if request.respond_to?(:request_id) && request.request_id.present?
+      base.merge(payload)
+    end
+  end
+end

data/app/controllers/concerns/token_authority/initial_access_token_authentication.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  ##
+  # Concern for authenticating initial access tokens in protected registration mode
+  module InitialAccessTokenAuthentication
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :authenticate_initial_access_token, if: :initial_access_token_required?
+    end
+
+    private
+
+    def initial_access_token_required?
+      TokenAuthority.config.rfc_7591_require_initial_access_token
+    end
+
+    def authenticate_initial_access_token
+      token = extract_bearer_token
+      raise TokenAuthority::InvalidInitialAccessTokenError if token.blank?
+
+      validator = TokenAuthority.config.rfc_7591_initial_access_token_validator
+      raise TokenAuthority::InvalidInitialAccessTokenError unless validator&.call(token)
+    end
+
+    def extract_bearer_token
+      auth_header = request.headers["Authorization"]
+      return nil if auth_header.blank?
+
+      match = auth_header.match(/\ABearer\s+(.+)\z/i)
+      match&.captures&.first
+    end
+  end
+end

data/app/controllers/concerns/token_authority/token_authentication.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  # Provides JWT access token authentication for protected API endpoints.
+  #
+  # This concern enables host applications to protect their API endpoints using
+  # JWT access tokens issued by TokenAuthority. It validates tokens, checks
+  # session status, and provides helper methods to access the authenticated user
+  # and token scopes.
+  #
+  # The concern automatically:
+  # - Extracts and validates the Bearer token from the Authorization header
+  # - Verifies the token signature and claims
+  # - Checks that the session is still active (not revoked or expired)
+  # - Emits authentication events for monitoring
+  # - Handles authentication errors with JSON error responses
+  #
+  # @example Protecting an API endpoint
+  #   class Api::UsersController < ApplicationController
+  #     include TokenAuthority::TokenAuthentication
+  #
+  #     def show
+  #       # token_user is the authenticated user
+  #       # token_scope contains the granted scopes
+  #       render json: token_user
+  #     end
+  #   end
+  #
+  # @since 0.2.0
+  module TokenAuthentication
+    extend ActiveSupport::Concern
+
+    included do
+      include TokenAuthority::ControllerEventLogging
+
+      before_action :decode_token
+
+      rescue_from TokenAuthority::MissingAuthorizationHeaderError, with: :missing_auth_header_response
+      rescue_from TokenAuthority::InvalidAccessTokenError, with: :invalid_token_response
+      rescue_from TokenAuthority::UnauthorizedAccessTokenError, with: :unauthorized_token_response
+    end
+
+    private
+
+    # Extracts, decodes, and validates the JWT access token.
+    #
+    # Verifies that:
+    # - An Authorization header is present
+    # - The token can be decoded and has a valid signature
+    # - A matching session exists and is still active
+    # - The token passes all claim validations
+    #
+    # Sets @decoded_token instance variable on success.
+    #
+    # @return [void]
+    #
+    # @raise [TokenAuthority::MissingAuthorizationHeaderError] if no header present
+    # @raise [TokenAuthority::InvalidAccessTokenError] if token is malformed
+    # @raise [TokenAuthority::UnauthorizedAccessTokenError] if token is invalid or revoked
+    # @api private
+    def decode_token
+      bearer_token_header = request.headers["AUTHORIZATION"]
+      raise TokenAuthority::MissingAuthorizationHeaderError if bearer_token_header.blank?
+
+      token = bearer_token_header.split.last
+      access_token = TokenAuthority::AccessToken.from_token(token)
+
+      oauth_session = TokenAuthority::Session.find_by(access_token_jti: access_token.jti)
+      raise TokenAuthority::UnauthorizedAccessTokenError if oauth_session.blank?
+      raise TokenAuthority::UnauthorizedAccessTokenError unless oauth_session.created_status?
+      raise TokenAuthority::UnauthorizedAccessTokenError unless access_token.valid?
+
+      @decoded_token = access_token
+
+      notify_event("authentication.token.succeeded",
+        session_id: oauth_session.id,
+        scopes: access_token.scope)
+    rescue JWT::DecodeError, ActiveModel::UnknownAttributeError
+      raise TokenAuthority::InvalidAccessTokenError
+    end
+
+    # Returns the user associated with the authenticated token.
+    #
+    # @return [User] the user from the configured user_class
+    # @api private
+    def token_user
+      @token_user ||= TokenAuthority.config.user_class.constantize.find(@decoded_token.user_id)
+    end
+
+    # Returns the scopes granted in the authenticated token.
+    #
+    # @return [Array<String>] the scope tokens
+    # @api private
+    def token_scope
+      @token_scope ||= @decoded_token.scope&.split || []
+    end
+
+    # Renders error response for missing Authorization header.
+    # @return [void]
+    # @api private
+    def missing_auth_header_response
+      notify_event("authentication.token.failed",
+        failure_reason: "missing_authorization_header")
+
+      render json: {error: I18n.t("token_authority.errors.missing_auth_header")}, status: :unauthorized
+    end
+
+    # Renders error response for invalid token format.
+    # @return [void]
+    # @api private
+    def invalid_token_response
+      notify_event("authentication.token.failed",
+        failure_reason: "invalid_token_format")
+
+      render json: {error: I18n.t("token_authority.errors.invalid_token")}, status: :unauthorized
+    end
+
+    # Renders error response for unauthorized token.
+    # @return [void]
+    # @api private
+    def unauthorized_token_response
+      notify_event("authentication.token.failed",
+        failure_reason: "unauthorized_token")
+
+      render json: {error: I18n.t("token_authority.errors.unauthorized_token")}, status: :unauthorized
+    end
+  end
+end