token_authority 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c0e6a0810b0a8015aea5ada0e1bbb87596875c7641042281dac811fb3fc8bf0c
-  data.tar.gz: 76eda2d8230aca93850b6e025c0be79cfac68da48159bbcb7f34e9f102229649
+  metadata.gz: 1b6b1981cf717ab9e179f87aaea998642ad74315333c25ea3ea1e8e267d3a293
+  data.tar.gz: 25b6bb154158120808d02ab4f8c939c1d7f731f57db9e380167fe414ecaba7e0
 SHA512:
-  metadata.gz: '069ecd5dc4b50ca9929192ea6d22084db1e5019fa4df90ebcacbc900f4385d88452f3abc108deaa3ce29a88a7c212095dbfc4f056968409983189c0f97292130'
-  data.tar.gz: 45ae89f8b90abffacc828544b9c910c40801cf93b65ce5a362faa28b01a242a565233d771f1a56b64e82765a89452ec4a45aacab42ce7883d98b120dbc11c3aa
+  metadata.gz: 9ce50536b44c5ef5063160808e7c93bc757f01b01f81f62c1ed0d3ba86da56d675c0d97e6fb3d944da4ac822925e5a7efc81dfef2c1adbc2094f9a43a4801af7
+  data.tar.gz: 476f43e644e3bf3b10aa57c3cff10e0bf2d1a73712b9cc0f2b9c89d306ec187e8663e3efd58582f5032f8f81f0ef8b5f46343daeb415b8e17a32ad047e2a38ee

data/CHANGELOG.md

@@ -1,5 +1,16 @@
 ## [Unreleased]
 
+## [0.2.1] - 2025-01-24
+
+### Fixes
+
+- Implemented support for all mandatory access token JWT claims
+- Disable turbo on consent screen to allow redirects
+
+### Documentation
+
+- Update README to include link to MCP Quickstart guide.
+
 ## [0.2.0] - 2025-01-23
 
 - Implemented support for OAuth 2.1 authorization flows and JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068).
@@ -18,6 +29,7 @@
 
 - Initial release
 
-[Unreleased]: https://github.com/dickdavis/token_authority/compare/v0.2.0...HEAD
+[Unreleased]: https://github.com/dickdavis/token_authority/compare/v0.2.1...HEAD
+[0.2.1]: https://github.com/dickdavis/token_authority/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/dickdavis/token_authority/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/dickdavis/token_authority/releases/tag/v0.1.0

data/README.md

@@ -16,7 +16,7 @@ This project aims to implement the OAuth standards specified in the [MCP Authori
 
 ## Usage
 
-TokenAuthority is simple to install and configure.
+TokenAuthority is simple to install and configure. For MCP server developers, see the [MCP Quickstart](https://github.com/dickdavis/token_authority/wiki/MCP-Quickstart) guide for a complete working example.
 
 ### Installation
 

data/app/controllers/concerns/token_authority/token_authentication.rb

@@ -84,7 +84,7 @@ module TokenAuthority
     # @return [User] the user from the configured user_class
     # @api private
     def token_user
-      @token_user ||= TokenAuthority.config.user_class.constantize.find(@decoded_token.user_id)
+      @token_user ||= TokenAuthority.config.user_class.constantize.find(@decoded_token.sub)
     end
 
     # Returns the scopes granted in the authenticated token.

data/app/models/concerns/token_authority/claim_validatable.rb

@@ -21,8 +21,8 @@ module TokenAuthority
     extend ActiveSupport::Concern
 
     # JWT claims that should trigger session revocation when invalid.
-    # These represent security violations like wrong audience or issuer.
-    REVOCABLE_CLAIMS = %i[aud iss user_id].freeze
+    # These represent security violations like wrong audience, issuer, or subject.
+    REVOCABLE_CLAIMS = %i[aud iss sub].freeze
 
     # JWT claims that should trigger session expiration when invalid.
     # Currently only includes the exp (expiration time) claim.

data/app/models/concerns/token_authority/session_creatable.rb

@@ -78,7 +78,7 @@ module TokenAuthority
 
       instrument("session.create") do
         access_token_expiration = client.access_token_duration.seconds.from_now.to_i
-        access_token = TokenAuthority::AccessToken.default(user_id:, exp: access_token_expiration, resources:, scopes:)
+        access_token = TokenAuthority::AccessToken.default(user_id:, client_id: client.public_id, exp: access_token_expiration, resources:, scopes:)
 
         refresh_token_expiration = client.refresh_token_duration.seconds.from_now.to_i
         refresh_token = TokenAuthority::RefreshToken.default(exp: refresh_token_expiration, resources:, scopes:)

data/app/models/token_authority/access_token.rb

@@ -8,8 +8,7 @@ module TokenAuthority
   # (JWT ID) is stored in the Session model for revocation lookups.
   #
   # The tokens follow RFC 9068 JWT Profile for OAuth Access Tokens, including
-  # standard claims (iss, aud, exp, iat, jti) plus custom claims like user_id
-  # and scope.
+  # standard claims (iss, sub, aud, exp, iat, jti, client_id) plus the scope claim.
   #
   # This is an ActiveModel object (not ActiveRecord) that provides validation
   # and serialization of JWT claims without database persistence.
@@ -18,6 +17,7 @@ module TokenAuthority
   #   token = TokenAuthority::AccessToken.default(
   #     exp: 5.minutes.from_now,
   #     user_id: 42,
+  #     client_id: "550e8400-e29b-41d4-a716-446655440000",
   #     resources: ["https://api.example.com"],
   #     scopes: ["read", "write"]
   #   )
@@ -31,17 +31,22 @@ module TokenAuthority
   class AccessToken
     include TokenAuthority::ClaimValidatable
 
-    # @!attribute [rw] user_id
-    #   The ID of the user this token grants access for.
-    #   @return [Integer]
-    attr_accessor :user_id
+    # @!attribute [rw] sub
+    #   The subject identifier (resource owner) per RFC 9068.
+    #   @return [String]
+    attr_accessor :sub
+
+    # @!attribute [rw] client_id
+    #   The OAuth client identifier per RFC 9068/RFC 8693.
+    #   @return [String]
+    attr_accessor :client_id
 
     # @!attribute [rw] scope
     #   Space-separated list of OAuth scopes granted to this token.
     #   @return [String, nil]
     attr_accessor :scope
 
-    validates :user_id, presence: true, comparison: {equal_to: :user_id_from_token_authority_session}
+    validates :sub, presence: true, comparison: {equal_to: :sub_from_token_authority_session}
 
     # Creates a new access token with default claims per RFC 9068.
     #
@@ -49,7 +54,8 @@ module TokenAuthority
     # otherwise falls back to the configured default audience URL.
     #
     # @param exp [Time, Integer] token expiration time
-    # @param user_id [Integer] the user ID
+    # @param user_id [Integer] the user ID (converted to string for sub claim)
+    # @param client_id [String] the OAuth client identifier
     # @param resources [Array<String>] resource indicators (RFC 8707)
     # @param scopes [Array<String>] OAuth scopes to include
     #
@@ -59,10 +65,11 @@ module TokenAuthority
     #   token = AccessToken.default(
     #     exp: 5.minutes.from_now,
     #     user_id: 123,
+    #     client_id: "550e8400-e29b-41d4-a716-446655440000",
     #     resources: ["https://api.example.com"],
     #     scopes: ["read", "write"]
     #   )
-    def self.default(exp:, user_id:, resources: [], scopes: [])
+    def self.default(exp:, user_id:, client_id:, resources: [], scopes: [])
       # Use resources for aud claim if provided, otherwise fall back to config
       aud = if resources.any?
         (resources.size == 1) ? resources.first : resources
@@ -78,7 +85,8 @@ module TokenAuthority
         iat: Time.zone.now.to_i,
         iss: TokenAuthority.config.rfc_9068_issuer_url,
         jti: SecureRandom.uuid,
-        user_id:,
+        sub: user_id.to_s,
+        client_id:,
         scope: scope_claim
       )
     end
@@ -93,7 +101,7 @@ module TokenAuthority
     #
     # @example
     #   token = AccessToken.from_token(jwt_string)
-    #   user_id = token.user_id
+    #   subject = token.sub
     def self.from_token(token)
       new(TokenAuthority::JsonWebToken.decode(token))
     end
@@ -104,7 +112,7 @@ module TokenAuthority
     #
     # @return [Hash] the JWT claims
     def to_h
-      {aud:, exp:, iat:, iss:, jti:, user_id:, scope:}.compact
+      {aud:, exp:, iat:, iss:, jti:, sub:, client_id:, scope:}.compact
     end
 
     # Encodes the token as a signed JWT string.
@@ -116,12 +124,12 @@ module TokenAuthority
 
     private
 
-    # Returns the user_id from the associated session for validation.
+    # Returns the subject (user_id as string) from the associated session for validation.
     #
-    # @return [Integer, nil]
+    # @return [String, nil]
     # @api private
-    def user_id_from_token_authority_session
-      token_authority_session&.user_id
+    def sub_from_token_authority_session
+      token_authority_session&.user_id&.to_s
     end
   end
 end

data/app/views/token_authority/authorization_grants/new.html.erb

@@ -19,7 +19,7 @@
     </ul>
   <% end %>
   <div>
-    <%= button_to t('token_authority.authorization_grants.new.reject_cta'), authorization_grants_path, params: { approve: false } %>
-    <%= button_to t('token_authority.authorization_grants.new.approve_cta'), authorization_grants_path, params: { approve: true } %>
+    <%= button_to t('token_authority.authorization_grants.new.reject_cta'), authorization_grants_path, params: { approve: false }, data: { turbo: false } %>
+    <%= button_to t('token_authority.authorization_grants.new.approve_cta'), authorization_grants_path, params: { approve: true }, data: { turbo: false } %>
   </div>
 </div>

data/lib/token_authority/version.rb

@@ -2,5 +2,5 @@ module TokenAuthority
   # The current version of the TokenAuthority gem.
   #
   # @return [String] the version string in semantic versioning format
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: token_authority
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Dick Davis