token_authority 0.2.1 → 0.3.0

data/app/models/token_authority/refresh_token_request.rb

@@ -58,7 +58,7 @@ module TokenAuthority
       return if resources.empty?
 
       # If resources are provided but feature is disabled, reject them
-      unless TokenAuthority.config.rfc_8707_enabled?
+      unless TokenAuthority.config.resources_enabled?
         errors.add(:resources, :not_allowed)
         return
       end

data/lib/generators/token_authority/install/templates/token_authority.rb

@@ -10,25 +10,19 @@ TokenAuthority.configure do |config|
   # secret_key_base from credentials or configuration.
   config.secret_key = Rails.application.credentials.secret_key_base || Rails.application.secret_key_base
 
-  # ==========================================================================
-  # JWT Access Tokens (RFC 9068)
-  # ==========================================================================
-
-  # The audience URL for JWT tokens. This is typically your API's base URL.
-  # Used as the "aud" (audience) claim in issued tokens.
-  config.rfc_9068_audience_url = ENV.fetch("TOKEN_AUTHORITY_AUDIENCE_URL", "http://localhost:3000/api/")
-
-  # The issuer URL for JWT tokens. This is typically your application's base URL.
-  # Used as the "iss" (issuer) claim in issued tokens.
-  config.rfc_9068_issuer_url = ENV.fetch("TOKEN_AUTHORITY_ISSUER_URL", "http://localhost:3000/")
+  # Enable event logging (default: true).
+  # When enabled, events are emitted and logged to Rails.logger.
+  # Events include: authorization requests, consent actions, token exchanges,
+  # token refreshes, revocations, client authentication, and security events.
+  # config.event_logging_enabled = true
 
-  # Default duration for access tokens in seconds (5 minutes).
-  # This value is used when creating new clients without explicit durations.
-  # config.rfc_9068_default_access_token_duration = 300
+  # Enable debug events (default: false).
+  # Debug events provide detailed information useful during development,
+  # such as PKCE validation steps and cache hits/misses.
+  # config.event_logging_debug_events = false
 
-  # Default duration for refresh tokens in seconds (14 days).
-  # This value is used when creating new clients without explicit durations.
-  # config.rfc_9068_default_refresh_token_duration = 1_209_600
+  # Enable ActiveSupport::Notifications instrumentation (default: true).
+  # config.instrumentation_enabled = true
 
   # ==========================================================================
   # User Authentication
@@ -62,131 +56,143 @@ TokenAuthority.configure do |config|
   config.error_page_layout = "application"
 
   # ==========================================================================
-  # Server Metadata (RFC 8414)
+  # Scopes
   # ==========================================================================
 
-  # URL to developer documentation for your OAuth server.
-  # Included in the /.well-known/oauth-authorization-server response.
-  # config.rfc_8414_service_documentation = "https://example.com/docs/oauth"
+  # Configure allowed scopes with human-friendly display names.
+  # Keys are the scope strings (used as the allowlist), values are display names
+  # shown on the consent screen.
+  #
+  # IMPORTANT: You must configure at least one scope since require_scope is true by default.
+  config.scopes = {
+    "read" => "Read access to your data",
+    "write" => "Write access to your data"
+  }
 
-  # Note: scopes_supported in the metadata response is automatically derived
-  # from the keys of config.scopes (see Scopes section below).
+  # Require the scope parameter in authorization requests (default: true).
+  # When true, clients must specify at least one scope.
+  # config.require_scope = true
 
   # ==========================================================================
-  # Protected Resource Metadata (RFC 9728)
+  # Resources (RFC 9728 / RFC 8707)
   # ==========================================================================
 
-  # The protected resource's identifier URL.
-  # Defaults to rfc_9068_issuer_url if not set.
-  # config.rfc_9728_resource = "https://api.example.com/"
-
-  # Scopes accepted by the protected resource.
-  # Falls back to config.scopes keys if not set.
-  # config.rfc_9728_scopes_supported = ["api:read", "api:write"]
-
-  # List of authorization server issuer URLs that can issue tokens for this resource.
-  # Defaults to the local authorization server (rfc_9068_issuer_url) if not set.
-  # config.rfc_9728_authorization_servers = ["https://auth.example.com"]
-
-  # Token presentation methods supported by the resource (e.g., "header", "body", "query").
-  # config.rfc_9728_bearer_methods_supported = ["header"]
-
-  # URL to the resource's JSON Web Key Set (JWKS).
-  # config.rfc_9728_jwks_uri = "https://api.example.com/.well-known/jwks.json"
-
-  # Human-readable name for the protected resource.
-  # config.rfc_9728_resource_name = "Example API"
-
-  # URL to developer documentation for the protected resource.
-  # config.rfc_9728_resource_documentation = "https://example.com/docs/api"
-
-  # URL to the resource's privacy policy.
-  # config.rfc_9728_resource_policy_uri = "https://example.com/privacy"
-
-  # URL to the resource's terms of service.
-  # config.rfc_9728_resource_tos_uri = "https://example.com/tos"
+  # Protected resources keyed by identifier. For single-resource deployments,
+  # just configure one entry - it will be used for all requests.
+  # For multi-resource deployments, add entries for each subdomain.
+  # The first entry is used as the default when no subdomain matches.
+  #
+  # Each entry must include the :resource field (required per RFC 9728).
+  # The :resource URL is used as the audience (aud) claim in access tokens.
+  # The first :authorization_servers entry is used as the issuer (iss) claim.
+  #
+  # Resource indicators (RFC 8707) are automatically enabled when resources are
+  # configured. The allowlist of valid resource URIs is derived from the :resource
+  # key in the configuration below.
+  #
+  # IMPORTANT: You must configure at least one resource since require_resource is true by default.
+  #
+  # Available options:
+  #   resource (required)        - The protected resource URI (used as aud claim)
+  #   resource_name              - Human-readable name shown on consent screen
+  #   scopes_supported           - Array of scopes this resource accepts
+  #   authorization_servers      - Array of auth server URLs (first used as iss claim)
+  #   bearer_methods_supported   - Array of supported bearer token methods
+  #   jwks_uri                   - URI for JSON Web Key Set endpoint
+  #   resource_documentation     - URL for API documentation
+  #   resource_policy_uri        - URL for privacy policy
+  #   resource_tos_uri           - URL for terms of service
+  config.resources = {
+    api: {
+      resource: ENV.fetch("TOKEN_AUTHORITY_RESOURCE_URL", "http://localhost:3000/api"),
+      resource_name: "My API",
+      scopes_supported: %w[read write],
+      authorization_servers: [ENV.fetch("TOKEN_AUTHORITY_BASE_URL", "http://localhost:3000")],
+      bearer_methods_supported: ["header"],
+      resource_documentation: "http://localhost:3000/docs/api"
+    }
+  }
+
+  # Require the resource parameter in authorization requests (default: true).
+  # When true, clients must specify at least one resource.
+  # config.require_resource = true
 
   # ==========================================================================
-  # Scopes
+  # JWT Access Tokens (RFC 9068)
   # ==========================================================================
 
-  # Configure allowed scopes with human-friendly display names.
-  # Keys are the scope strings (used as the allowlist), values are display names
-  # shown on the consent screen.
-  #
-  # Set to nil or {} to disable scope validation entirely.
-  # When configured, only these scopes are allowed in authorization requests.
-  # config.scopes = {
-  #   "read" => "Read access to your data",
-  #   "write" => "Write access to your data"
-  # }
+  # The issuer URL for JWT tokens (default: nil).
+  # Used as the "iss" (issuer) claim in issued tokens.
+  # If nil, the issuer is derived from the first resource's :authorization_servers.
+  # You must configure either this OR :authorization_servers on at least one resource.
+  # config.token_issuer_url = nil
 
-  # Require the scope parameter in authorization requests.
-  # When true, clients must specify at least one scope.
-  # config.require_scope = false
+  # The audience URL for JWT tokens (default: nil).
+  # When set, this value is used as the "aud" claim for all tokens.
+  # When nil (recommended), the audience is the resource URL from config.resources.
+  # config.token_audience_url = nil
+
+  # Default duration for access tokens in seconds (5 minutes).
+  # This value is used when creating new clients without explicit durations.
+  # config.default_access_token_duration = 300
+
+  # Default duration for refresh tokens in seconds (14 days).
+  # This value is used when creating new clients without explicit durations.
+  # config.default_refresh_token_duration = 1_209_600
 
   # ==========================================================================
-  # Resource Indicators (RFC 8707)
+  # Server Metadata (RFC 8414)
   # ==========================================================================
 
-  # Configure allowed resources with human-friendly display names.
-  # Keys are the resource URIs (used as the allowlist), values are display names
-  # shown on the consent screen.
-  #
-  # Set to nil or {} to disable resource indicators entirely.
-  # When configured, only these resources are allowed in authorization requests.
-  # config.rfc_8707_resources = {
-  #   "https://api.example.com/" => "Main API",
-  #   "https://billing.example.com/" => "Billing Service"
-  # }
+  # URL to developer documentation for your OAuth server.
+  # Included in the /.well-known/oauth-authorization-server response.
+  # config.authorization_server_documentation = "https://example.com/docs/oauth"
 
-  # Require the resource parameter in authorization requests.
-  # When true, clients must specify at least one resource.
-  # config.rfc_8707_require_resource = false
+  # Note: scopes_supported in the metadata response is automatically derived
+  # from the keys of config.scopes (see Scopes section above).
 
   # ==========================================================================
   # Dynamic Client Registration (RFC 7591)
   # ==========================================================================
 
-  # Enable dynamic client registration endpoint (/register).
+  # Enable dynamic client registration endpoint (/register) (default: true).
   # When enabled, clients can register programmatically via POST requests.
-  # Disabled by default for security - enable only if you need this feature.
-  # config.rfc_7591_enabled = false
+  # config.dcr_enabled = true
 
-  # Require an initial access token for client registration.
+  # Require an initial access token for client registration (default: false).
   # When enabled, registration requests must include a Bearer token.
-  # config.rfc_7591_require_initial_access_token = false
+  # config.dcr_require_initial_access_token = false
 
   # Validator proc for initial access tokens.
   # Must return true if the token is valid, false otherwise.
   # Example:
-  # config.rfc_7591_initial_access_token_validator = ->(token) {
+  # config.dcr_initial_access_token_validator = ->(token) {
   #   token == ENV["REGISTRATION_ACCESS_TOKEN"]
   # }
 
   # Allowed grant types for dynamically registered clients.
-  # config.rfc_7591_allowed_grant_types = %w[authorization_code refresh_token]
+  # config.dcr_allowed_grant_types = %w[authorization_code refresh_token]
 
   # Allowed response types for dynamically registered clients.
-  # config.rfc_7591_allowed_response_types = %w[code]
+  # config.dcr_allowed_response_types = %w[code]
 
   # Allowed token endpoint authentication methods.
   # Options: none, client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt
-  # config.rfc_7591_allowed_token_endpoint_auth_methods = %w[none client_secret_basic client_secret_post client_secret_jwt private_key_jwt]
+  # config.dcr_allowed_token_endpoint_auth_methods = %w[none client_secret_basic client_secret_post client_secret_jwt private_key_jwt]
 
   # Client secret expiration duration in seconds (nil = never expires).
-  # config.rfc_7591_client_secret_expiration = nil
+  # config.dcr_client_secret_expiration = nil
 
   # JWKS for verifying software statements (signed JWTs with client metadata).
   # Set to a JWKS hash to enable software statement verification.
-  # config.rfc_7591_software_statement_jwks = nil
+  # config.dcr_software_statement_jwks = nil
 
   # Require software statements for client registration.
   # When enabled, registration requests must include a valid software_statement.
-  # config.rfc_7591_software_statement_required = false
+  # config.dcr_software_statement_required = false
 
   # Cache TTL in seconds for fetched JWKS from jwks_uri (default: 1 hour).
-  # config.rfc_7591_jwks_cache_ttl = 3600
+  # config.dcr_jwks_cache_ttl = 3600
 
   # ==========================================================================
   # Client Metadata Document (draft-ietf-oauth-client-id-metadata-document)
@@ -224,24 +230,4 @@ TokenAuthority.configure do |config|
   # Connection and read timeouts in seconds (default: 5 each).
   # config.client_metadata_document_connect_timeout = 5
   # config.client_metadata_document_read_timeout = 5
-
-  # ==========================================================================
-  # Event Logging
-  # ==========================================================================
-
-  # TokenAuthority emits structured events using Rails 8.1's event reporting.
-  # Events are automatically logged to Rails.logger when enabled.
-  #
-  # Events include: authorization requests, consent actions, token exchanges,
-  # token refreshes, revocations, client authentication, and security events
-  # (e.g., token theft detection).
-
-  # Enable event logging (default: true).
-  # When enabled, events are emitted and logged to Rails.logger.
-  # config.event_logging_enabled = true
-
-  # Enable debug events (default: false).
-  # Debug events provide detailed information useful during development,
-  # such as PKCE validation steps and cache hits/misses.
-  # config.event_logging_debug_events = false
 end