token_authority 0.1.0 → 0.2.0

data/config/locales/token_authority.en.yml

@@ -0,0 +1,248 @@
+en:
+  activerecord:
+    models:
+      token_authority/authorization_grant: 'Authorization grant'
+      token_authority/challenge: 'Challenge'
+      token_authority/client: 'Client'
+      token_authority/session: 'Session'
+    attributes:
+      token_authority/authorization_grant:
+        token_authority_client_id: 'TokenAuthority client ID'
+        client_id_url: 'Client ID URL'
+        redeemed: 'Redeemed'
+        user_id: 'User ID'
+      token_authority/challenge:
+        code_challenge: 'Code challenge'
+        code_challenge_method: 'Code challenge method'
+        token_authority_authorization_grant_id: 'TokenAuthority authorization grant ID'
+        redirect_uri: 'Redirect URI'
+      token_authority/client:
+        access_token_duration: 'Access token duration'
+        client_secret_id: 'Client secret ID'
+        client_type: 'Client type'
+        name: 'Name'
+        redirect_uris: 'Redirect URIs'
+        refresh_token_duration: 'Refresh token duration'
+        token_endpoint_auth_method: 'Token endpoint auth method'
+        grant_types: 'Grant types'
+        response_types: 'Response types'
+        scope: 'Scope'
+        client_uri: 'Client URI'
+        logo_uri: 'Logo URI'
+        tos_uri: 'Terms of service URI'
+        policy_uri: 'Policy URI'
+        contacts: 'Contacts'
+        jwks_uri: 'JWKS URI'
+        jwks: 'JWKS'
+        software_id: 'Software ID'
+        software_version: 'Software version'
+        software_statement: 'Software statement'
+        client_id_issued_at: 'Client ID issued at'
+        client_secret_expires_at: 'Client secret expires at'
+        dynamically_registered: 'Dynamically registered'
+      token_authority/session:
+        access_token_jti: 'Access token JTI'
+        client_id: 'Client ID'
+        expires_at: 'Expires at'
+        token_authority_authorization_grant_id: 'TokenAuthority authorization grant ID'
+        status: 'Status'
+        refresh_token_jti: 'Refresh token JTI'
+        user_id: 'User ID'
+    errors:
+      models:
+        token_authority/authorization_grant:
+          attributes:
+            token_authority_client_id:
+              blank: 'must be linked to a client'
+            user_id:
+              blank: 'must be linked to a user'
+            base:
+              must_have_client_identifier: 'must have either a registered client or a client ID URL'
+        token_authority/challenge:
+          attributes:
+            code_challenge:
+              blank: 'is required for PKCE'
+              failed_challenge: 'failed validation'
+              requires_code_verifier: 'must be validated against a code_verifier'
+            code_challenge_method:
+              blank: 'is required for PKCE'
+              invalid: 'must be a supported code challenge method'
+            token_authority_authorization_grant_id:
+              blank: 'must be linked to an authorization grant'
+            redirect_uri:
+              blank: 'must be provided if sent in the original authorization request'
+              invalid: 'must be a supported code challenge method'
+        token_authority/client:
+          attributes:
+            redirect_uris:
+              invalid_http_scheme: 'must contain valid HTTP(S) scheme in all URIs'
+              invalid_uri: 'must contain valid URIs'
+          base:
+            jwks_required_for_private_key_jwt: 'JWKS or JWKS URI is required when using private_key_jwt authentication'
+        token_authority/session:
+          access_token_jti:
+            invalid: 'must be a valid UUID'
+          client_id:
+              blank: 'must be linked to a client'
+          token_authority_authorization_grant_id:
+              blank: 'must be linked to an authorization grant'
+          refresh_token_jti:
+            invalid: 'must be a valid UUID'
+          user_id:
+              blank: 'must be linked to a user'
+  activemodel:
+    models:
+      token_authority/access_token: 'Access token'
+      token_authority/access_token_request: 'Access token request'
+      token_authority/authorization_request: 'Authorization request'
+      token_authority/refresh_token: 'Refresh token'
+    attributes:
+      token_authority/access_token:
+        aud: 'Audience (aud)'
+        exp: 'Expires at (exp)'
+        iat: 'Issued at (iat)'
+        iss: 'Issuer (iss)'
+        jti: 'JTI (jti)'
+        user_id: 'User ID'
+      token_authority/access_token_request:
+        code_verifier: 'Code verifier'
+        token_authority_authorization_grant: 'TokenAuthority authorization grant'
+        redirect_uri: 'Redirect URI'
+      token_authority/authorization_request:
+        client_id: 'Client ID'
+        code_challenge: 'Code challenge'
+        code_challenge_method: 'Code challenge method'
+        token_authority_client: 'TokenAuthority client'
+        redirect_uri: 'Redirect URI'
+        response_type: 'Response type'
+        state: 'State'
+        resources: 'Resources'
+        scope: 'Scope'
+      token_authority/access_token_request:
+        resources: 'Resources'
+        scope: 'Scope'
+      token_authority/refresh_token:
+        aud: 'Audience (aud)'
+        exp: 'Expires at (exp)'
+        iat: 'Issued at (iat)'
+        iss: 'Issuer (iss)'
+        jti: 'JTI (jti)'
+      token_authority/refresh_token_request:
+        token: 'Token'
+        resources: 'Resources'
+        client_id: 'Client ID'
+        scope: 'Scope'
+    errors:
+      models:
+        token_authority/access_token:
+          attributes:
+            aud:
+              blank: 'claim not present in token'
+              invalid: 'claim does not match server configuration'
+            exp:
+              blank: 'claim not present in token'
+              expired: 'is in the past'
+            iss:
+              blank: 'claim not present in token'
+              invalid: 'claim does not match server configuration'
+            jti:
+              blank: 'claim not present in token'
+            user_id:
+              blank: 'claim not present in token'
+        token_authority/access_token_request:
+          attributes:
+            code_verifier:
+              blank: 'must be provided as a param in the access token request'
+              does_not_validate_code_challenge: 'does not vaidate code_challenge from the authorize request'
+              present_in_authorize: 'must be provided if sent in the original authorization request'
+            token_authority_authorization_grant:
+              invalid: 'must be initialized with an authorization grant'
+            redirect_uri:
+              blank: 'must be provided as a param in the access token request'
+              mismatched: 'does not match the redirect_uri from the authorize request'
+              present_in_authorize: 'must be provided if sent in the original authorization request'
+            resources:
+              invalid_uri: 'must contain valid absolute URIs with http/https scheme and no fragments'
+              not_allowed: 'must only contain allowed resource URIs'
+              not_subset: 'must be a subset of the originally granted resources'
+            scope:
+              invalid: 'contains invalid scope tokens'
+              not_allowed: 'must only contain allowed scopes'
+              not_subset: 'must be a subset of the originally granted scopes'
+        token_authority/authorization_request:
+          attributes:
+            client_id:
+              blank: 'must be provided as a param in the request to authorize when client is public'
+              mismatched: 'does not match the client ID URL'
+              unregistered_client: 'does not map to a registered client'
+            code_challenge:
+              required_if_other_pkce_params_present: 'must be provided as a param in the request to authorize if other PKCE params were sent'
+              required_for_public_clients: 'must be provided as a param in the request to authorize when client is public'
+            code_challenge_method:
+              invalid: 'must be a supported code challenge method'
+              required_if_other_pkce_params_present: 'must be provided as a param in the request to authorize if other PKCE params were sent'
+              required_for_public_clients: 'must be provided as a param in the request to authorize when client is public'
+            token_authority_client:
+              invalid: 'must be initiated by a client'
+            redirect_uri:
+              blank: 'must be provided as a param in the request to authorize when client is public'
+              invalid: 'must match redirect_uri configured for client'
+            response_type:
+              blank: 'must be provided as a param in the request to authorize'
+              invalid: 'must be a supported response type'
+            state:
+            resources:
+              required: 'must be provided when resource indicators are required'
+              invalid_uri: 'must contain valid absolute URIs with http/https scheme and no fragments'
+              not_allowed: 'must only contain allowed resource URIs'
+              not_subset: 'must be a subset of the originally granted resources'
+            scope:
+              required: 'must be provided when scopes are required'
+              invalid: 'contains invalid scope tokens'
+              not_allowed: 'must only contain allowed scopes'
+        token_authority/refresh_token:
+          attributes:
+            aud:
+              blank: 'claim not present in token'
+              invalid: 'claim does not match server configuration'
+            exp:
+              blank: 'claim not present in token'
+              expired: 'is in the past'
+            iss:
+              blank: 'claim not present in token'
+              invalid: 'claim does not match server configuration'
+            jti:
+              blank: 'claim not present in token'
+        token_authority/refresh_token_request:
+          attributes:
+            token:
+              blank: 'must be provided as a param in the refresh token request'
+              session_not_found: 'does not map to a valid session'
+            resources:
+              invalid_uri: 'must contain valid absolute URIs with http/https scheme and no fragments'
+              not_allowed: 'must only contain allowed resource URIs'
+              not_subset: 'must be a subset of the originally granted resources'
+            scope:
+              invalid: 'contains invalid scope tokens'
+              not_allowed: 'must only contain allowed scopes'
+              not_subset: 'must be a subset of the originally granted scopes'
+  token_authority:
+    authorization_grants:
+      new:
+        title: 'Authorize this Client'
+        lede: 'Confirm that you wish to grant access to this client.'
+        resources_heading: 'This application is requesting access to:'
+        scopes_heading: 'This application is requesting the following permissions:'
+        approve_cta: 'Approve'
+        reject_cta: 'Reject'
+    client_error:
+      title: 'Client Error'
+      lede: 'The request provided by the client to this server is malformed. Please report this error through the client support channel.'
+    errors:
+      invalid_grant: 'The authorization grant is invalid'
+      mismatched_refresh_token: 'The provided refresh token JTI does not match the refresh token JTI of the target OAuthSession.'
+      oauth_session_failure: 'Failed to create OAuthSession. Errors: %{errors}'
+      revoked_session: 'Refresh token replay attack detected. Refreshed OAuthSession: %{refreshed_session_id}, Revoked OAuthSession: %{revoked_session_id}, Client ID: %{client_id}, User ID: %{user_id}'
+      missing_auth_header: 'Authorization header is missing or empty'
+      invalid_token: 'The access token is invalid or malformed'
+      unauthorized_token: 'The access token is expired or unauthorized'

data/config/routes.rb

@@ -1,2 +1,31 @@
 TokenAuthority::Engine.routes.draw do
+  get "authorize", to: "authorizations#authorize"
+  resources :authorization_grants, path: "authorization-grants", only: %i[new create]
+
+  # Dynamic Client Registration (RFC 7591)
+  constraints(TokenAuthority::Routing::DynamicRegistrationEnabledConstraint.new) do
+    post "register", to: "clients#create"
+  end
+
+  # Token endpoint with grant_type constraints
+  constraints(TokenAuthority::Routing::GrantTypeConstraint.new("refresh_token")) do
+    post "token", to: "sessions#refresh", as: :refresh_session
+  end
+
+  constraints(TokenAuthority::Routing::GrantTypeConstraint.new("authorization_code")) do
+    post "token", to: "sessions#token", as: :create_session
+  end
+
+  post "token", to: "sessions#unsupported_grant_type", as: :unsupported_grant_type
+
+  # Revoke endpoint with token_type_hint constraints
+  constraints(TokenAuthority::Routing::TokenTypeHintConstraint.new("access_token")) do
+    post "revoke", to: "sessions#revoke_access_token", as: :revoke_access_token
+  end
+
+  constraints(TokenAuthority::Routing::TokenTypeHintConstraint.new("refresh_token")) do
+    post "revoke", to: "sessions#revoke_refresh_token", as: :revoke_refresh_token
+  end
+
+  post "revoke", to: "sessions#revoke"
 end

data/lib/generators/token_authority/install/install_generator.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module TokenAuthority
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      include ActiveRecord::Generators::Migration
+
+      source_root File.expand_path("templates", __dir__)
+
+      class_option :user_table_name,
+        type: :string,
+        default: "users",
+        desc: "Name of the user table in your application"
+
+      class_option :user_foreign_key_type,
+        type: :string,
+        default: "bigint",
+        desc: "Type of the user table's primary key (bigint, uuid, integer)"
+
+      def create_migration_file
+        migration_template(
+          "create_token_authority_tables.rb.erb",
+          "db/migrate/create_token_authority_tables.rb"
+        )
+      end
+
+      def create_initializer_file
+        template "token_authority.rb", "config/initializers/token_authority.rb"
+      end
+
+      def copy_views
+        directory engine_views_path, "app/views/token_authority"
+      end
+
+      def add_routes
+        route "token_authority_routes"
+      end
+
+      private
+
+      def engine_views_path
+        File.expand_path("../../../../app/views/token_authority", __dir__)
+      end
+
+      def user_table_name
+        options[:user_table_name]
+      end
+
+      def user_foreign_key_type
+        options[:user_foreign_key_type]
+      end
+
+      def migration_version
+        "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+      end
+    end
+  end
+end

data/lib/generators/token_authority/install/templates/create_token_authority_tables.rb.erb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+class CreateTokenAuthorityTables < ActiveRecord::Migration<%= migration_version %>
+  def change
+    # OAuth Clients - registered applications that can request tokens
+    create_table :token_authority_clients do |t|
+      t.string :public_id, null: false # Public-facing identifier (UUID)
+      t.string :name, null: false
+      t.string :client_type, null: false, default: "confidential" # "confidential" or "public"
+      t.json :redirect_uris, null: false # Array of redirect URIs
+      t.bigint :access_token_duration, null: false
+      t.bigint :refresh_token_duration, null: false
+      t.string :client_secret_id # Used for HMAC-based secret generation (confidential clients only)
+
+      # RFC 7591 client metadata
+      t.string :token_endpoint_auth_method, null: false, default: "client_secret_basic"
+      t.json :grant_types                  # Array, default: ["authorization_code"]
+      t.json :response_types               # Array, default: ["code"]
+      t.string :scope                      # space-delimited scope string
+
+      # Human-readable metadata
+      t.string :client_uri
+      t.string :logo_uri
+      t.string :tos_uri
+      t.string :policy_uri
+      t.json :contacts                     # Array of email addresses
+
+      # Technical metadata (for JWT auth methods)
+      t.string :jwks_uri
+      t.json :jwks                         # JWKS object (inline)
+      t.string :software_id
+      t.string :software_version
+      t.text :software_statement           # Original software statement JWT (if provided)
+
+      # Registration metadata
+      t.datetime :client_id_issued_at
+      t.datetime :client_secret_expires_at
+      t.boolean :dynamically_registered, null: false, default: false
+
+      t.timestamps
+    end
+
+    add_index :token_authority_clients, :public_id, unique: true
+    add_index :token_authority_clients, :client_secret_id, unique: true
+    add_index :token_authority_clients, :software_id
+
+    # Authorization Grants - authorization codes issued during OAuth flow
+    create_table :token_authority_authorization_grants do |t|
+      t.string :public_id, null: false # Public-facing identifier (UUID) - this is the authorization code
+      t.datetime :expires_at, null: false
+      t.boolean :redeemed, null: false, default: false
+      t.references :token_authority_client,
+        null: true, # Nullable for URL-based clients (Client Metadata Document)
+        foreign_key: { to_table: :token_authority_clients },
+        index: { name: "index_ta_auth_grants_on_client_id" }
+      t.string :client_id_url # URL for URL-based client IDs (Client Metadata Document)
+      t.<%= user_foreign_key_type %> :user_id
+
+      # PKCE parameters
+      t.string :code_challenge
+      t.string :code_challenge_method, default: "S256"
+      t.string :redirect_uri
+      t.json :resources, null: false, default: []  # RFC 8707 resource indicators
+      t.json :scopes, null: false, default: []     # OAuth scopes (RFC 6749 Section 3.3)
+
+      t.timestamps
+    end
+
+    add_index :token_authority_authorization_grants, :public_id, unique: true
+    add_index :token_authority_authorization_grants, :user_id, name: "index_ta_auth_grants_on_user_id"
+    add_index :token_authority_authorization_grants, :expires_at, name: "index_ta_auth_grants_on_expires_at"
+    add_foreign_key :token_authority_authorization_grants, :<%= user_table_name %>, column: :user_id
+
+    # OAuth Sessions - tracks issued tokens and their status
+    create_table :token_authority_sessions do |t|
+      t.string :access_token_jti, null: false
+      t.string :refresh_token_jti, null: false
+      t.string :status, null: false, default: "created" # "created", "expired", "refreshed", "revoked"
+      t.references :token_authority_authorization_grant,
+        null: true,
+        foreign_key: { to_table: :token_authority_authorization_grants },
+        index: { name: "index_ta_sessions_on_auth_grant_id" }
+
+      t.timestamps
+    end
+
+    add_index :token_authority_sessions, :access_token_jti, unique: true
+    add_index :token_authority_sessions, :refresh_token_jti, unique: true
+
+    # JWKS Cache - stores fetched JWKS from remote URIs
+    create_table :token_authority_jwks_caches do |t|
+      t.string :uri_hash, null: false      # SHA256 hash of the URI for lookups
+      t.string :uri, null: false           # Original URI for debugging/display
+      t.json :jwks, null: false            # The cached JWKS data
+      t.datetime :expires_at, null: false  # When this cache entry expires
+
+      t.timestamps
+    end
+
+    add_index :token_authority_jwks_caches, :uri_hash, unique: true
+    add_index :token_authority_jwks_caches, :expires_at
+
+    # Client Metadata Document Cache - stores fetched metadata documents
+    create_table :token_authority_client_metadata_document_caches do |t|
+      t.string :uri_hash, null: false      # SHA256 hash of the URI for lookups
+      t.string :uri, null: false           # Original URI for debugging/display
+      t.json :metadata, null: false        # The cached metadata document
+      t.datetime :expires_at, null: false  # When this cache entry expires
+
+      t.timestamps
+    end
+
+    add_index :token_authority_client_metadata_document_caches, :uri_hash, unique: true, name: "index_ta_client_metadata_caches_on_uri_hash"
+    add_index :token_authority_client_metadata_document_caches, :expires_at, name: "index_ta_client_metadata_caches_on_expires_at"
+  end
+end