All Files ( 96.09% covered at 539.33 hits/line )
39 files in total.
3451 relevant lines,
3316 lines covered and
135 lines missed.
(
96.09%
)
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_application_management, :OauthApplicationManagement) do
-
17
depends :oauth_management_base, :oauth_token_revocation
-
-
17
before "create_oauth_application"
-
17
after "create_oauth_application"
-
-
17
error_flash "There was an error registering your oauth application", "create_oauth_application"
-
17
notice_flash "Your oauth application has been registered", "create_oauth_application"
-
-
17
view "oauth_applications", "Oauth Applications", "oauth_applications"
-
17
view "oauth_application", "Oauth Application", "oauth_application"
-
17
view "new_oauth_application", "New Oauth Application", "new_oauth_application"
-
17
view "oauth_application_oauth_grants", "Oauth Application Grants", "oauth_application_oauth_grants"
-
-
# Application
-
17
APPLICATION_REQUIRED_PARAMS = %w[name scopes homepage_url redirect_uri client_secret].freeze
-
17
auth_value_method :oauth_application_required_params, APPLICATION_REQUIRED_PARAMS
-
-
17
(APPLICATION_REQUIRED_PARAMS + %w[description client_id]).each do |param|
-
119
auth_value_method :"oauth_application_#{param}_param", param
-
end
-
-
17
translatable_method :oauth_applications_name_label, "Name"
-
17
translatable_method :oauth_applications_description_label, "Description"
-
17
translatable_method :oauth_applications_scopes_label, "Default scopes"
-
17
translatable_method :oauth_applications_contacts_label, "Contacts"
-
17
translatable_method :oauth_applications_tos_uri_label, "Terms of service"
-
17
translatable_method :oauth_applications_policy_uri_label, "Policy"
-
17
translatable_method :oauth_applications_jwks_label, "JSON Web Keys"
-
17
translatable_method :oauth_applications_jwks_uri_label, "JSON Web Keys URI"
-
17
translatable_method :oauth_applications_homepage_url_label, "Homepage URL"
-
17
translatable_method :oauth_applications_redirect_uri_label, "Redirect URI"
-
17
translatable_method :oauth_applications_client_secret_label, "Client Secret"
-
17
translatable_method :oauth_applications_client_id_label, "Client ID"
-
-
17
%w[type token refresh_token expires_in revoked_at].each do |param|
-
85
translatable_method :"oauth_grants_#{param}_label", param.gsub("_", " ").capitalize
-
end
-
-
17
button "Register", "oauth_application"
-
17
button "Revoke", "oauth_grant_revoke"
-
-
17
auth_value_method :oauth_applications_oauth_grants_path, "oauth-grants"
-
17
auth_value_method :oauth_applications_route, "oauth-applications"
-
17
auth_value_method :oauth_applications_per_page, 20
-
17
auth_value_method :oauth_applications_id_pattern, Integer
-
17
auth_value_method :oauth_grants_per_page, 20
-
-
17
translatable_method :invalid_url_message, "Invalid URL"
-
17
translatable_method :null_error_message, "is not filled"
-
-
17
translatable_method :oauth_no_applications_text, "No oauth applications yet!"
-
17
translatable_method :oauth_no_grants_text, "No oauth grants yet!"
-
-
17
auth_methods(
-
:oauth_application_path
-
)
-
-
17
def oauth_applications_path(opts = {})
-
1749
route_path(oauth_applications_route, opts)
-
end
-
-
17
def oauth_application_path(id)
-
221
"#{oauth_applications_path}/#{id}"
-
end
-
-
# /oauth-applications routes
-
17
def load_oauth_application_management_routes
-
425
request.on(oauth_applications_route) do
-
425
check_csrf if check_csrf?
-
425
require_account
-
-
425
request.get "new" do
-
68
new_oauth_application_view
-
end
-
-
357
request.on(oauth_applications_id_pattern) do |id|
-
136
oauth_application = db[oauth_applications_table]
-
.where(oauth_applications_id_column => id)
-
.where(oauth_applications_account_id_column => account_id)
-
.first
-
136
next unless oauth_application
-
-
119
scope.instance_variable_set(:@oauth_application, oauth_application)
-
-
119
request.is do
-
51
request.get do
-
51
oauth_application_view
-
end
-
end
-
-
68
request.on(oauth_applications_oauth_grants_path) do
-
68
page = Integer(param_or_nil("page") || 1)
-
68
per_page = per_page_param(oauth_grants_per_page)
-
68
oauth_grants = db[oauth_grants_table]
-
.where(oauth_grants_oauth_application_id_column => id)
-
.order(Sequel.desc(oauth_grants_id_column))
-
68
scope.instance_variable_set(:@oauth_grants, oauth_grants.paginate(page, per_page))
-
68
request.is do
-
68
request.get do
-
68
oauth_application_oauth_grants_view
-
end
-
end
-
end
-
end
-
-
221
request.is do
-
221
request.get do
-
136
page = Integer(param_or_nil("page") || 1)
-
136
per_page = per_page_param(oauth_applications_per_page)
-
136
scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table]
-
.where(oauth_applications_account_id_column => account_id)
-
.order(Sequel.desc(oauth_applications_id_column))
-
.paginate(page, per_page))
-
-
136
oauth_applications_view
-
end
-
-
85
request.post do
-
85
catch_error do
-
85
validate_oauth_application_params
-
-
51
transaction do
-
51
before_create_oauth_application
-
51
id = create_oauth_application
-
51
after_create_oauth_application
-
51
set_notice_flash create_oauth_application_notice_flash
-
51
redirect "#{request.path}/#{id}"
-
end
-
end
-
34
set_error_flash create_oauth_application_error_flash
-
34
new_oauth_application_view
-
end
-
end
-
end
-
end
-
-
17
private
-
-
17
def oauth_application_params
-
391
@oauth_application_params ||= oauth_application_required_params.each_with_object({}) do |param, params|
-
425
value = request.params[__send__(:"oauth_application_#{param}_param")]
-
425
if value && !value.empty?
-
234
params[param] = value
-
else
-
119
set_field_error(param, null_error_message)
-
end
-
end
-
end
-
-
17
def validate_oauth_application_params
-
85
oauth_application_params.each do |key, value|
-
306
if key == oauth_application_homepage_url_param
-
-
68
set_field_error(key, invalid_url_message) unless check_valid_uri?(value)
-
-
238
elsif key == oauth_application_redirect_uri_param
-
-
68
if value.respond_to?(:each)
-
17
value.each do |uri|
-
34
next if uri.empty?
-
-
34
set_field_error(key, invalid_url_message) unless check_valid_no_fragment_uri?(uri)
-
end
-
else
-
51
set_field_error(key, invalid_url_message) unless check_valid_no_fragment_uri?(value)
-
end
-
170
elsif key == oauth_application_scopes_param
-
-
51
value.each do |scope|
-
102
set_field_error(key, oauth_invalid_scope_message) unless oauth_application_scopes.include?(scope)
-
end
-
end
-
end
-
-
85
throw :rodauth_error if @field_errors && !@field_errors.empty?
-
end
-
-
17
def create_oauth_application
-
15
create_params = {
-
36
oauth_applications_account_id_column => account_id,
-
oauth_applications_name_column => oauth_application_params[oauth_application_name_param],
-
oauth_applications_description_column => oauth_application_params[oauth_application_description_param],
-
oauth_applications_scopes_column => oauth_application_params[oauth_application_scopes_param],
-
oauth_applications_homepage_url_column => oauth_application_params[oauth_application_homepage_url_param]
-
}
-
-
51
redirect_uris = oauth_application_params[oauth_application_redirect_uri_param]
-
51
redirect_uris = redirect_uris.to_a.reject(&:empty?).join(" ") if redirect_uris.respond_to?(:each)
-
51
create_params[oauth_applications_redirect_uri_column] = redirect_uris unless redirect_uris.empty?
-
-
# set client ID/secret pairs
-
51
set_client_secret(create_params, oauth_application_params[oauth_application_client_secret_param])
-
-
51
if create_params[oauth_applications_scopes_column]
-
39
create_params[oauth_applications_scopes_column] = create_params[oauth_applications_scopes_column].join(oauth_scope_separator)
-
end
-
-
51
rescue_from_uniqueness_error do
-
39
create_params[oauth_applications_client_id_column] = oauth_unique_id_generator
-
51
db[oauth_applications_table].insert(create_params)
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_assertion_base, :OauthAssertionBase) do
-
17
depends :oauth_base
-
-
17
auth_methods(
-
:assertion_grant_type?,
-
:client_assertion_type?,
-
:assertion_grant_type,
-
:client_assertion_type
-
)
-
-
17
private
-
-
17
def validate_token_params
-
136
return super unless assertion_grant_type?
-
-
68
redirect_response_error("invalid_grant") unless param_or_nil("assertion")
-
end
-
-
17
def require_oauth_application
-
272
if assertion_grant_type?
-
68
@oauth_application = __send__(:"require_oauth_application_from_#{assertion_grant_type}_assertion_issuer", param("assertion"))
-
204
elsif client_assertion_type?
-
153
@oauth_application = __send__(:"require_oauth_application_from_#{client_assertion_type}_assertion_subject",
-
param("client_assertion"))
-
-
102
if (client_id = param_or_nil("client_id")) &&
-
client_id != @oauth_application[oauth_applications_client_id_column]
-
# If present, the value of the
-
# "client_id" parameter MUST identify the same client as is
-
# identified by the client assertion.
-
34
redirect_response_error("invalid_grant")
-
end
-
else
-
51
super
-
end
-
end
-
-
17
def account_from_bearer_assertion_subject(subject)
-
68
__insert_or_do_nothing_and_return__(
-
db[accounts_table],
-
account_id_column,
-
[login_column],
-
login_column => subject
-
)
-
end
-
-
17
def create_token(grant_type)
-
85
return super unless assertion_grant_type?(grant_type) && supported_grant_type?(grant_type)
-
-
68
account = __send__(:"account_from_#{assertion_grant_type}_assertion", param("assertion"))
-
-
68
redirect_response_error("invalid_grant") unless account
-
-
68
grant_scopes = if param_or_nil("scope")
-
34
redirect_response_error("invalid_scope") unless check_valid_scopes?
-
17
scopes
-
else
-
34
@oauth_application[oauth_applications_scopes_column]
-
end
-
-
15
grant_params = {
-
36
oauth_grants_type_column => grant_type,
-
oauth_grants_account_id_column => account[account_id_column],
-
oauth_grants_oauth_application_id_column => @oauth_application[oauth_applications_id_column],
-
oauth_grants_scopes_column => grant_scopes
-
}
-
-
51
generate_token(grant_params, false)
-
end
-
-
17
def assertion_grant_type?(grant_type = param("grant_type"))
-
493
grant_type.start_with?("urn:ietf:params:oauth:grant-type:")
-
end
-
-
17
def client_assertion_type?(client_assertion_type = param("client_assertion_type"))
-
204
client_assertion_type.start_with?("urn:ietf:params:oauth:client-assertion-type:")
-
end
-
-
17
def assertion_grant_type(grant_type = param("grant_type"))
-
136
grant_type.delete_prefix("urn:ietf:params:oauth:grant-type:").tr("-", "_")
-
end
-
-
17
def client_assertion_type(assertion_type = param("client_assertion_type"))
-
153
assertion_type.delete_prefix("urn:ietf:params:oauth:client-assertion-type:").tr("-", "_")
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_authorization_code_grant, :OauthAuthorizationCodeGrant) do
-
17
depends :oauth_authorize_base
-
-
17
auth_value_method :oauth_response_mode, "form_post"
-
-
17
def oauth_grant_types_supported
-
6205
super | %w[authorization_code]
-
end
-
-
17
def oauth_response_types_supported
-
2839
super | %w[code]
-
end
-
-
17
def oauth_response_modes_supported
-
4726
super | %w[query form_post]
-
end
-
-
17
private
-
-
17
def validate_authorize_params
-
3889
super
-
-
3617
response_mode = param_or_nil("response_mode")
-
-
3617
return unless response_mode
-
-
1411
redirect_response_error("invalid_request") unless oauth_response_modes_supported.include?(response_mode)
-
-
1411
response_type = param_or_nil("response_type")
-
-
1411
return unless response_type.nil? || response_type == "code"
-
-
1173
redirect_response_error("invalid_request") unless oauth_response_modes_for_code_supported.include?(response_mode)
-
end
-
-
17
def oauth_response_modes_for_code_supported
-
1173
%w[query form_post]
-
end
-
-
17
def validate_token_params
-
2584
redirect_response_error("invalid_request") if param_or_nil("grant_type") == "authorization_code" && !param_or_nil("code")
-
2584
super
-
end
-
-
17
def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
-
1394
response_mode ||= oauth_response_mode
-
-
1394
redirect_response_error("invalid_request") unless response_mode.nil? || supported_response_mode?(response_mode)
-
-
1394
response_type = param_or_nil("response_type")
-
-
1394
redirect_response_error("invalid_request") unless response_type.nil? || supported_response_type?(response_type)
-
-
1066
case response_type
-
when "code", nil
-
935
response_params.replace(_do_authorize_code)
-
end
-
-
1377
response_params["state"] = param("state") if param_or_nil("state")
-
-
1377
[response_params, response_mode]
-
end
-
-
17
def _do_authorize_code
-
325
create_params = {
-
780
oauth_grants_type_column => "authorization_code",
-
**resource_owner_params
-
}
-
-
1105
{ "code" => create_oauth_grant(create_params) }
-
end
-
-
17
def authorize_response(params, mode)
-
833
redirect_url = URI.parse(redirect_uri)
-
637
case mode
-
when "query"
-
799
params = [URI.encode_www_form(params)]
-
799
params << redirect_url.query if redirect_url.query
-
799
redirect_url.query = params.join("&")
-
799
redirect(redirect_url.to_s)
-
when "form_post"
-
34
inline_html = form_post_response_html(redirect_uri) do
-
32
params.map do |name, value|
-
34
"<input type=\"hidden\" name=\"#{scope.h(name)}\" value=\"#{scope.h(value)}\" />"
-
2
end.join
-
end
-
34
scope.view layout: false, inline: inline_html
-
end
-
end
-
-
17
def _redirect_response_error(redirect_url, params)
-
544
response_mode = param_or_nil("response_mode") || oauth_response_mode
-
-
416
case response_mode
-
when "form_post"
-
13
response["Content-Type"] = "text/html"
-
17
error_body = form_post_error_response_html(redirect_url) do
-
16
params.map do |name, value|
-
34
"<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
-
1
end.join
-
end
-
17
response.write(error_body)
-
17
request.halt
-
else
-
527
super
-
end
-
end
-
-
17
def form_post_response_html(url)
-
39
<<-FORM
-
12
<html>
-
<head><title>Authorized</title></head>
-
<body onload="javascript:document.forms[0].submit()">
-
12
<form method="post" action="#{url}">
-
12
#{yield}
-
12
<input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
-
</form>
-
</body>
-
</html>
-
FORM
-
end
-
-
17
def form_post_error_response_html(url)
-
13
<<-FORM
-
4
<html>
-
<head><title></title></head>
-
<body onload="javascript:document.forms[0].submit()">
-
4
<form method="post" action="#{url}">
-
4
#{yield}
-
</form>
-
</body>
-
</html>
-
FORM
-
end
-
-
17
def create_token(grant_type)
-
2295
return super unless supported_grant_type?(grant_type, "authorization_code")
-
-
545
grant_params = {
-
1308
oauth_grants_code_column => param("code"),
-
oauth_grants_redirect_uri_column => param("redirect_uri"),
-
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
-
}
-
-
1853
create_token_from_authorization_code(grant_params)
-
end
-
-
17
def check_valid_response_type?
-
2478
response_type = param_or_nil("response_type")
-
-
2478
response_type == "code" || response_type == "none" || super
-
end
-
-
17
def oauth_server_metadata_body(*)
-
459
super.tap do |data|
-
351
data[:authorization_endpoint] = authorize_url
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "ipaddr"
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_authorize_base, :OauthAuthorizeBase) do
-
17
depends :oauth_base
-
-
17
before "authorize"
-
17
after "authorize"
-
-
17
view "authorize", "Authorize", "authorize"
-
17
view "authorize_error", "Authorize Error", "authorize_error"
-
-
17
button "Authorize", "oauth_authorize"
-
17
button "Back to Client Application", "oauth_authorize_post"
-
-
17
auth_value_method :use_oauth_access_type?, false
-
-
17
auth_value_method :oauth_grants_access_type_column, :access_type
-
-
17
translatable_method :authorize_page_lead, "The application %<name>s would like to access your data"
-
17
translatable_method :oauth_grants_scopes_label, "Scopes"
-
17
translatable_method :oauth_applications_contacts_label, "Contacts"
-
17
translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
-
17
translatable_method :oauth_applications_policy_uri_label, "Policy URL"
-
17
translatable_method :oauth_unsupported_response_type_message, "Unsupported response type"
-
17
translatable_method :oauth_authorize_parameter_required, "Invalid or missing '%<parameter>s'"
-
-
17
auth_methods(
-
:resource_owner_params,
-
:oauth_grants_resource_owner_columns
-
)
-
-
17
OAUTH_ACCESS_TYPES = %w[offline online].freeze
-
-
17
OAUTH_APPROVAL_PROMPTS = %w[force auto].freeze
-
-
# /authorize
-
17
auth_server_route(:authorize) do |r|
-
4293
require_authorizable_account
-
4123
before_authorize_route
-
-
4123
validate_authorize_params
-
-
3277
r.get do
-
1815
authorize_view
-
end
-
-
1462
r.post do
-
1462
params, mode = transaction do
-
1462
before_authorize
-
1462
do_authorize
-
end
-
-
1445
authorize_response(params, mode)
-
end
-
end
-
-
17
def check_csrf?
-
12639
case request.path
-
when authorize_path
-
4293
only_json? ? false : super
-
else
-
12226
super
-
end
-
end
-
-
17
def authorize_scopes
-
1815
scopes || begin
-
255
oauth_application[oauth_applications_scopes_column].split(oauth_scope_separator)
-
end
-
end
-
-
17
private
-
-
17
def validate_authorize_params
-
3838
redirect_authorize_error("client_id") unless oauth_application
-
-
3770
redirect_uris = oauth_application[oauth_applications_redirect_uri_column].split(" ")
-
-
3770
if (redirect_uri = param_or_nil("redirect_uri"))
-
799
normalized_redirect_uri = normalize_redirect_uri_for_comparison(redirect_uri)
-
799
unless redirect_uris.include?(normalized_redirect_uri) || redirect_uris.include?(redirect_uri)
-
17
redirect_authorize_error("redirect_uri")
-
end
-
2971
elsif redirect_uris.size > 1
-
17
redirect_authorize_error("redirect_uri")
-
end
-
-
3736
redirect_response_error("unsupported_response_type") unless check_valid_response_type?
-
-
3702
redirect_response_error("invalid_request") unless check_valid_access_type? && check_valid_approval_prompt?
-
-
3702
try_approval_prompt if use_oauth_access_type? && request.get?
-
-
3702
redirect_response_error("invalid_scope") if (request.post? || param_or_nil("scope")) && !check_valid_scopes?
-
-
3668
response_mode = param_or_nil("response_mode")
-
-
3668
redirect_response_error("invalid_request") unless response_mode.nil? || oauth_response_modes_supported.include?(response_mode)
-
end
-
-
17
def check_valid_scopes?(scp = scopes)
-
3345
super(scp - %w[offline_access])
-
end
-
-
17
def check_valid_response_type?
-
34
false
-
end
-
-
17
def check_valid_access_type?
-
3702
return true unless use_oauth_access_type?
-
-
51
access_type = param_or_nil("access_type")
-
51
!access_type || OAUTH_ACCESS_TYPES.include?(access_type)
-
end
-
-
17
def check_valid_approval_prompt?
-
3702
return true unless use_oauth_access_type?
-
-
51
approval_prompt = param_or_nil("approval_prompt")
-
51
!approval_prompt || OAUTH_APPROVAL_PROMPTS.include?(approval_prompt)
-
end
-
-
17
def resource_owner_params
-
2074
{ oauth_grants_account_id_column => account_id }
-
end
-
-
17
def oauth_grants_resource_owner_columns
-
[oauth_grants_account_id_column]
-
end
-
-
17
def try_approval_prompt
-
34
approval_prompt = param_or_nil("approval_prompt")
-
-
34
return unless approval_prompt && approval_prompt == "auto"
-
-
16
return if db[oauth_grants_table].where(resource_owner_params).where(
-
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-
oauth_grants_redirect_uri_column => redirect_uri,
-
oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
-
oauth_grants_access_type_column => "online"
-
1
).none?
-
-
# if there's a previous oauth grant for the params combo, it means that this user has approved before.
-
13
request.env["REQUEST_METHOD"] = "POST"
-
end
-
-
17
def redirect_authorize_error(parameter, referer = request.referer || default_redirect)
-
136
error_message = oauth_authorize_parameter_required(parameter: parameter)
-
-
136
if accepts_json?
-
status_code = oauth_invalid_response_status
-
-
throw_json_response_error(status_code, "invalid_request", error_message)
-
else
-
136
scope.instance_variable_set(:@error, error_message)
-
136
scope.instance_variable_set(:@back_url, referer)
-
-
136
return_response(authorize_error_view)
-
end
-
end
-
-
17
def authorization_required
-
578
if accepts_json?
-
561
throw_json_response_error(oauth_authorization_required_error_status, "invalid_client")
-
else
-
17
set_redirect_error_flash(require_authorization_error_flash)
-
17
redirect(authorize_path)
-
end
-
end
-
-
17
def do_authorize(*args); end
-
-
17
def authorize_response(params, mode); end
-
-
17
def create_token_from_authorization_code(grant_params, should_generate_refresh_token = !use_oauth_access_type?, oauth_grant: nil)
-
# fetch oauth grant
-
1785
oauth_grant ||= valid_locked_oauth_grant(grant_params)
-
-
1496
should_generate_refresh_token ||= oauth_grant[oauth_grants_access_type_column] == "offline"
-
-
1496
generate_token(oauth_grant, should_generate_refresh_token)
-
end
-
-
17
def create_oauth_grant(create_params = {})
-
1173
create_params[oauth_grants_oauth_application_id_column] ||= oauth_application[oauth_applications_id_column]
-
1173
create_params[oauth_grants_redirect_uri_column] ||= redirect_uri
-
1173
create_params[oauth_grants_expires_in_column] ||= Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in)
-
1173
create_params[oauth_grants_scopes_column] ||= scopes.join(oauth_scope_separator)
-
-
1173
if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
-
26
create_params[oauth_grants_access_type_column] = access_type
-
end
-
-
1173
ds = db[oauth_grants_table]
-
-
897
create_params[oauth_grants_code_column] = oauth_unique_id_generator
-
-
1173
if oauth_reuse_access_token
-
544
unique_conds = Hash[oauth_grants_unique_columns.map { |column| [column, create_params[column]] }]
-
136
valid_grant = valid_oauth_grant_ds(unique_conds).select(oauth_grants_id_column).first
-
136
if valid_grant
-
104
create_params[oauth_grants_id_column] = valid_grant[oauth_grants_id_column]
-
136
rescue_from_uniqueness_error do
-
136
__insert_or_update_and_return__(
-
ds,
-
oauth_grants_id_column,
-
[oauth_grants_id_column],
-
create_params
-
)
-
end
-
136
return create_params[oauth_grants_code_column]
-
end
-
end
-
-
1037
rescue_from_uniqueness_error do
-
1088
if __one_oauth_token_per_account
-
384
__insert_or_update_and_return__(
-
ds,
-
oauth_grants_id_column,
-
oauth_grants_unique_columns,
-
create_params,
-
nil,
-
{
-
oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in),
-
oauth_grants_revoked_at_column => nil
-
}
-
)
-
else
-
704
__insert_and_return__(ds, oauth_grants_id_column, create_params)
-
end
-
end
-
1020
create_params[oauth_grants_code_column]
-
end
-
-
17
def normalize_redirect_uri_for_comparison(redirect_uri)
-
799
uri = URI(redirect_uri)
-
-
799
return redirect_uri unless uri.scheme == "http" && uri.port
-
-
68
hostname = uri.hostname
-
-
# https://www.rfc-editor.org/rfc/rfc8252#section-7.3
-
# ignore (potentially ephemeral) port number for native clients per RFC8252
-
4
begin
-
68
ip = IPAddr.new(hostname)
-
34
uri.port = nil if ip.loopback?
-
rescue IPAddr::InvalidAddressError
-
# https://www.rfc-editor.org/rfc/rfc8252#section-8.3
-
# Although the use of localhost is NOT RECOMMENDED, it is still allowed.
-
34
uri.port = nil if hostname == "localhost"
-
end
-
-
68
uri.to_s
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "time"
-
17
require "base64"
-
17
require "securerandom"
-
17
require "cgi"
-
17
require "digest/sha2"
-
17
require "rodauth/version"
-
17
require "rodauth/oauth"
-
17
require "rodauth/oauth/database_extensions"
-
17
require "rodauth/oauth/http_extensions"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_base, :OauthBase) do
-
17
include OAuth::HTTPExtensions
-
-
17
EMPTY_HASH = {}.freeze
-
-
17
auth_value_methods(:http_request)
-
17
auth_value_methods(:http_request_cache)
-
-
17
before "token"
-
-
17
error_flash "Please authorize to continue", "require_authorization"
-
17
error_flash "You are not authorized to revoke this token", "revoke_unauthorized_account"
-
-
17
button "Cancel", "oauth_cancel"
-
-
17
auth_value_method :json_response_content_type, "application/json"
-
-
17
auth_value_method :oauth_grant_expires_in, 60 * 5 # 5 minutes
-
17
auth_value_method :oauth_access_token_expires_in, 60 * 60 # 60 minutes
-
17
auth_value_method :oauth_refresh_token_expires_in, 60 * 60 * 24 * 360 # 1 year
-
17
auth_value_method :oauth_unique_id_generation_retries, 3
-
-
17
auth_value_method :oauth_token_endpoint_auth_methods_supported, %w[client_secret_basic client_secret_post]
-
17
auth_value_method :oauth_grant_types_supported, %w[refresh_token]
-
17
auth_value_method :oauth_response_types_supported, []
-
17
auth_value_method :oauth_response_modes_supported, []
-
-
17
auth_value_method :oauth_valid_uri_schemes, %w[https]
-
17
auth_value_method :oauth_scope_separator, " "
-
-
# OAuth Grants
-
17
auth_value_method :oauth_grants_table, :oauth_grants
-
17
auth_value_method :oauth_grants_id_column, :id
-
16
%i[
-
account_id oauth_application_id type
-
redirect_uri code scopes
-
expires_in revoked_at
-
token refresh_token
-
1
].each do |column|
-
170
auth_value_method :"oauth_grants_#{column}_column", column
-
end
-
-
# Enables Token Hash
-
17
auth_value_method :oauth_grants_token_hash_column, :token
-
17
auth_value_method :oauth_grants_refresh_token_hash_column, :refresh_token
-
-
# Access Token reuse
-
17
auth_value_method :oauth_reuse_access_token, false
-
-
17
auth_value_method :oauth_applications_table, :oauth_applications
-
17
auth_value_method :oauth_applications_id_column, :id
-
-
16
%i[
-
account_id
-
name description scopes
-
client_id client_secret
-
homepage_url redirect_uri
-
token_endpoint_auth_method grant_types response_types response_modes
-
logo_uri tos_uri policy_uri jwks jwks_uri
-
contacts software_id software_version
-
1
].each do |column|
-
340
auth_value_method :"oauth_applications_#{column}_column", column
-
end
-
# Enables client secret Hash
-
17
auth_value_method :oauth_applications_client_secret_hash_column, :client_secret
-
-
17
auth_value_method :oauth_authorization_required_error_status, 401
-
17
auth_value_method :oauth_invalid_response_status, 400
-
17
auth_value_method :oauth_already_in_use_response_status, 409
-
-
# Feature options
-
17
auth_value_method :oauth_application_scopes, []
-
17
auth_value_method :oauth_token_type, "bearer"
-
17
auth_value_method :oauth_refresh_token_protection_policy, "rotation" # can be: none, sender_constrained, rotation
-
-
17
translatable_method :oauth_invalid_client_message, "Invalid client"
-
17
translatable_method :oauth_invalid_grant_type_message, "Invalid grant type"
-
17
translatable_method :oauth_invalid_grant_message, "Invalid grant"
-
17
translatable_method :oauth_invalid_scope_message, "Invalid scope"
-
17
translatable_method :oauth_unsupported_token_type_message, "Invalid token type hint"
-
-
17
translatable_method :oauth_already_in_use_message, "error generating unique token"
-
17
auth_value_method :oauth_already_in_use_error_code, "invalid_request"
-
17
auth_value_method :oauth_invalid_grant_type_error_code, "unsupported_grant_type"
-
-
17
auth_value_method :is_authorization_server?, true
-
-
17
auth_value_methods(:only_json?)
-
-
17
auth_value_method :json_request_regexp, %r{\bapplication/(?:vnd\.api\+)?json\b}i
-
-
# METADATA
-
17
auth_value_method :oauth_metadata_service_documentation, nil
-
17
auth_value_method :oauth_metadata_ui_locales_supported, nil
-
17
auth_value_method :oauth_metadata_op_policy_uri, nil
-
17
auth_value_method :oauth_metadata_op_tos_uri, nil
-
-
17
auth_value_methods(
-
:authorization_server_url,
-
:oauth_grants_unique_columns
-
)
-
-
17
auth_methods(
-
:fetch_access_token,
-
:secret_hash,
-
:generate_token_hash,
-
:secret_matches?,
-
:oauth_unique_id_generator,
-
:require_authorizable_account,
-
:oauth_account_ds,
-
:oauth_application_ds
-
)
-
-
# /token
-
17
auth_server_route(:token) do |r|
-
3451
require_oauth_application
-
3043
before_token_route
-
-
3043
r.post do
-
3043
catch_error do
-
3043
validate_token_params
-
-
2788
oauth_grant = nil
-
-
2788
transaction do
-
2788
before_token
-
2788
oauth_grant = create_token(param("grant_type"))
-
end
-
-
1836
json_response_success(json_access_token_payload(oauth_grant))
-
end
-
-
throw_json_response_error(oauth_invalid_response_status, "invalid_request")
-
end
-
end
-
-
17
def load_oauth_server_metadata_route(issuer = nil)
-
340
request.on(".well-known") do
-
340
request.get("oauth-authorization-server") do
-
340
json_response_success(oauth_server_metadata_body(issuer), true)
-
end
-
end
-
end
-
-
17
def check_csrf?
-
11963
case request.path
-
when token_path
-
3451
false
-
else
-
12184
super
-
end
-
end
-
-
17
def oauth_token_subject
-
187
return unless authorization_token
-
-
187
authorization_token[oauth_grants_account_id_column] ||
-
db[oauth_applications_table].where(
-
oauth_applications_id_column => authorization_token[oauth_grants_oauth_application_id_column]
-
).select_map(oauth_applications_client_id_column).first
-
end
-
-
17
def current_oauth_account
-
187
account_id = authorization_token[oauth_grants_account_id_column]
-
-
187
return unless account_id
-
-
153
oauth_account_ds(account_id).first
-
end
-
-
17
def current_oauth_application
-
221
oauth_application_ds(authorization_token[oauth_grants_oauth_application_id_column]).first
-
end
-
-
17
def accepts_json?
-
2856
return true if only_json?
-
-
2839
(accept = request.env["HTTP_ACCEPT"]) && accept =~ json_request_regexp
-
end
-
-
# copied from the jwt feature
-
17
def json_request?
-
340
return super if features.include?(:jsonn)
-
340
return @json_request if defined?(@json_request)
-
-
340
@json_request = request.content_type =~ json_request_regexp
-
end
-
-
17
def scopes
-
8811
scope = request.params["scope"]
-
6747
case scope
-
when Array
-
3485
scope
-
when String
-
4799
scope.split(" ")
-
end
-
end
-
-
17
def redirect_uri
-
6439
param_or_nil("redirect_uri") || begin
-
5113
return unless oauth_application
-
-
5113
redirect_uris = oauth_application[oauth_applications_redirect_uri_column].split(" ")
-
5113
redirect_uris.size == 1 ? redirect_uris.first : nil
-
end
-
end
-
-
17
def oauth_application
-
59770
return @oauth_application if defined?(@oauth_application)
-
-
4739
client_id = param_or_nil("client_id")
-
-
4739
return unless client_id
-
-
4569
@oauth_application = db[oauth_applications_table].filter(oauth_applications_client_id_column => client_id).first
-
end
-
-
17
def fetch_access_token
-
1156
if (token = request.params["access_token"])
-
34
if request.post? && !(request.content_type.start_with?("application/x-www-form-urlencoded") &&
-
request.params.size == 1)
-
return
-
end
-
else
-
1122
token = fetch_access_token_from_authorization_header
-
end
-
-
1156
return if token.nil? || token.empty?
-
-
918
token
-
end
-
-
17
def fetch_access_token_from_authorization_header(token_type = oauth_token_type)
-
1190
value = request.env["HTTP_AUTHORIZATION"]
-
-
1190
return unless value && !value.empty?
-
-
1054
scheme, token = value.split(" ", 2)
-
-
1054
return unless scheme.downcase == token_type
-
-
1020
token
-
end
-
-
17
def authorization_token
-
1547
return @authorization_token if defined?(@authorization_token)
-
-
# check if there is a token
-
493
access_token = fetch_access_token
-
-
493
return unless access_token
-
-
306
@authorization_token = oauth_grant_by_token(access_token)
-
end
-
-
17
def require_oauth_authorization(*scopes)
-
459
authorization_required unless authorization_token
-
-
238
token_scopes = authorization_token[oauth_grants_scopes_column].split(oauth_scope_separator)
-
-
510
authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
-
end
-
-
17
def use_date_arithmetic?
-
7470
true
-
end
-
-
# override
-
17
def translate(key, default, args = EMPTY_HASH)
-
41099
return i18n_translate(key, default, **args) if features.include?(:i18n)
-
# do not attempt to translate by default
-
136
return default if args.nil?
-
-
136
default % args
-
end
-
-
17
def post_configure
-
7844
super
-
-
7844
i18n_register(File.expand_path(File.join(__dir__, "..", "..", "..", "locales"))) if features.include?(:i18n)
-
-
# all of the extensions below involve DB changes. Resource server mode doesn't use
-
# database functions for OAuth though.
-
7844
return unless is_authorization_server?
-
-
7606
self.class.__send__(:include, Rodauth::OAuth::ExtendDatabase(db))
-
-
# Check whether we can reutilize db entries for the same account / application pair
-
7606
one_oauth_token_per_account = db.indexes(oauth_grants_table).values.any? do |definition|
-
40719
definition[:unique] &&
-
definition[:columns] == oauth_grants_unique_columns
-
end
-
-
10275
self.class.send(:define_method, :__one_oauth_token_per_account) { one_oauth_token_per_account }
-
end
-
-
17
private
-
-
17
def oauth_account_ds(account_id)
-
374
account_ds(account_id)
-
end
-
-
17
def oauth_application_ds(oauth_application_id)
-
221
db[oauth_applications_table].where(oauth_applications_id_column => oauth_application_id)
-
end
-
-
17
def require_authorizable_account
-
4650
require_account
-
end
-
-
17
def rescue_from_uniqueness_error(&block)
-
4029
retries = oauth_unique_id_generation_retries
-
237
begin
-
4131
transaction(savepoint: :only, &block)
-
40
rescue Sequel::UniqueConstraintViolation
-
136
redirect_response_error("already_in_use") if retries.zero?
-
78
retries -= 1
-
102
retry
-
end
-
end
-
-
# OAuth Token Unique/Reuse
-
17
def oauth_grants_unique_columns
-
13496
[
-
27942
oauth_grants_oauth_application_id_column,
-
oauth_grants_account_id_column,
-
oauth_grants_scopes_column
-
]
-
end
-
-
17
def authorization_server_url
-
2765
base_url
-
end
-
-
17
def template_path(page)
-
89249
path = File.join(File.dirname(__FILE__), "../../../templates", "#{page}.str")
-
89249
return super unless File.exist?(path)
-
-
3321
path
-
end
-
-
# to be used internally. Same semantics as require account, must:
-
# fetch an authorization basic header
-
# parse client id and secret
-
#
-
17
def require_oauth_application
-
3417
@oauth_application = if (token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Basic (.*)\Z/, 1])
-
# client_secret_basic
-
935
require_oauth_application_from_client_secret_basic(token)
-
2482
elsif (client_id = param_or_nil("client_id"))
-
2363
if (client_secret = param_or_nil("client_secret"))
-
# client_secret_post
-
1666
require_oauth_application_from_client_secret_post(client_id, client_secret)
-
else
-
# none
-
697
require_oauth_application_from_none(client_id)
-
end
-
else
-
119
authorization_required
-
end
-
end
-
-
17
def require_oauth_application_from_client_secret_basic(token)
-
935
client_id, client_secret = Base64.decode64(token).split(":", 2)
-
935
authorization_required unless client_id
-
935
oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
-
880
authorization_required unless supports_auth_method?(oauth_application,
-
55
"client_secret_basic") && secret_matches?(oauth_application, client_secret)
-
901
oauth_application
-
end
-
-
17
def require_oauth_application_from_client_secret_post(client_id, client_secret)
-
1666
oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
-
1568
authorization_required unless supports_auth_method?(oauth_application,
-
98
"client_secret_post") && secret_matches?(oauth_application, client_secret)
-
1632
oauth_application
-
end
-
-
17
def require_oauth_application_from_none(client_id)
-
697
oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
-
697
authorization_required unless supports_auth_method?(oauth_application, "none")
-
544
oauth_application
-
end
-
-
17
def supports_auth_method?(oauth_application, auth_method)
-
3638
return false unless oauth_application
-
-
3587
supported_auth_methods = if oauth_application[oauth_applications_token_endpoint_auth_method_column]
-
935
oauth_application[oauth_applications_token_endpoint_auth_method_column].split(/ +/)
-
else
-
2652
oauth_token_endpoint_auth_methods_supported
-
end
-
-
3587
supported_auth_methods.include?(auth_method)
-
end
-
-
17
def require_oauth_application_from_account
-
17
ds = db[oauth_applications_table]
-
.join(oauth_grants_table, Sequel[oauth_grants_table][oauth_grants_oauth_application_id_column] =>
-
Sequel[oauth_applications_table][oauth_applications_id_column])
-
.where(oauth_grant_by_token_ds(param("token")).opts.fetch(:where, true))
-
.where(Sequel[oauth_applications_table][oauth_applications_account_id_column] => account_id)
-
-
17
@oauth_application = ds.qualify.first
-
17
return if @oauth_application
-
-
set_redirect_error_flash revoke_unauthorized_account_error_flash
-
redirect request.referer || "/"
-
end
-
-
17
def secret_matches?(oauth_application, secret)
-
2533
if oauth_applications_client_secret_hash_column
-
2533
BCrypt::Password.new(oauth_application[oauth_applications_client_secret_hash_column]) == secret
-
else
-
oauth_application[oauth_applications_client_secret_column] == secret
-
end
-
end
-
-
17
def set_client_secret(params, secret)
-
969
if oauth_applications_client_secret_hash_column
-
741
params[oauth_applications_client_secret_hash_column] = secret_hash(secret)
-
else
-
params[oauth_applications_client_secret_column] = secret
-
end
-
end
-
-
17
def secret_hash(secret)
-
2278
password_hash(secret)
-
end
-
-
17
def oauth_unique_id_generator
-
6341
SecureRandom.urlsafe_base64(32)
-
end
-
-
17
def generate_token_hash(token)
-
425
Base64.urlsafe_encode64(Digest::SHA256.digest(token))
-
end
-
-
17
def grant_from_application?(oauth_grant, oauth_application)
-
289
oauth_grant[oauth_grants_oauth_application_id_column] == oauth_application[oauth_applications_id_column]
-
end
-
-
17
def password_hash(password)
-
2278
return super if features.include?(:login_password_requirements_base)
-
-
BCrypt::Password.create(password, cost: BCrypt::Engine::DEFAULT_COST)
-
end
-
-
17
def generate_token(grant_params = {}, should_generate_refresh_token = true)
-
1717
if grant_params[oauth_grants_id_column] && oauth_reuse_access_token &&
-
(
-
272
if oauth_grants_token_hash_column
-
136
grant_params[oauth_grants_token_hash_column]
-
else
-
136
grant_params[oauth_grants_token_column]
-
end
-
)
-
104
return grant_params
-
end
-
-
465
update_params = {
-
1116
oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_access_token_expires_in),
-
oauth_grants_code_column => nil
-
}
-
-
1581
rescue_from_uniqueness_error do
-
1581
access_token = _generate_access_token(update_params)
-
1581
refresh_token = _generate_refresh_token(update_params) if should_generate_refresh_token
-
1581
oauth_grant = store_token(grant_params, update_params)
-
-
1581
return unless oauth_grant
-
-
1209
oauth_grant[oauth_grants_token_column] = access_token
-
1581
oauth_grant[oauth_grants_refresh_token_column] = refresh_token if refresh_token
-
1581
oauth_grant
-
end
-
end
-
-
17
def _generate_access_token(params = {})
-
901
token = oauth_unique_id_generator
-
-
901
if oauth_grants_token_hash_column
-
117
params[oauth_grants_token_hash_column] = generate_token_hash(token)
-
else
-
572
params[oauth_grants_token_column] = token
-
end
-
-
901
token
-
end
-
-
17
def _generate_refresh_token(params)
-
1054
token = oauth_unique_id_generator
-
-
1054
if oauth_grants_refresh_token_hash_column
-
117
params[oauth_grants_refresh_token_hash_column] = generate_token_hash(token)
-
else
-
689
params[oauth_grants_refresh_token_column] = token
-
end
-
-
1054
token
-
end
-
-
17
def _grant_with_access_token?(oauth_grant)
-
if oauth_grants_token_hash_column
-
oauth_grant[oauth_grants_token_hash_column]
-
else
-
oauth_grant[oauth_grants_token_column]
-
end
-
end
-
-
17
def store_token(grant_params, update_params = {})
-
1581
ds = db[oauth_grants_table]
-
-
1581
if __one_oauth_token_per_account
-
-
to_update_if_null = [
-
558
oauth_grants_token_column,
-
oauth_grants_token_hash_column,
-
oauth_grants_refresh_token_column,
-
oauth_grants_refresh_token_hash_column
-
].compact.map do |attribute|
-
[
-
1224
attribute,
-
(
-
1224
if ds.respond_to?(:supports_insert_conflict?) && ds.supports_insert_conflict?
-
612
Sequel.function(:coalesce, Sequel[oauth_grants_table][attribute], Sequel[:excluded][attribute])
-
else
-
612
Sequel.function(:coalesce, Sequel[oauth_grants_table][attribute], update_params[attribute])
-
end
-
)
-
]
-
end
-
-
558
token = __insert_or_update_and_return__(
-
ds,
-
oauth_grants_id_column,
-
oauth_grants_unique_columns,
-
grant_params.merge(update_params),
-
Sequel.expr(Sequel[oauth_grants_table][oauth_grants_expires_in_column]) > Sequel::CURRENT_TIMESTAMP,
-
Hash[to_update_if_null]
-
)
-
-
# if the previous operation didn't return a row, it means that the conditions
-
# invalidated the update, and the existing token is still valid.
-
558
token || ds.where(
-
oauth_grants_account_id_column => update_params[oauth_grants_account_id_column],
-
oauth_grants_oauth_application_id_column => update_params[oauth_grants_oauth_application_id_column]
-
).first
-
else
-
-
1023
if oauth_reuse_access_token
-
352
unique_conds = Hash[oauth_grants_unique_columns.map { |column| [column, update_params[column]] }]
-
88
valid_token_ds = valid_oauth_grant_ds(unique_conds)
-
88
if oauth_grants_token_hash_column
-
44
valid_token_ds.exclude(oauth_grants_token_hash_column => nil)
-
else
-
44
valid_token_ds.exclude(oauth_grants_token_column => nil)
-
end
-
-
88
valid_token = valid_token_ds.first
-
-
88
return valid_token if valid_token
-
end
-
-
1023
if grant_params[oauth_grants_id_column]
-
880
__update_and_return__(ds.where(oauth_grants_id_column => grant_params[oauth_grants_id_column]), update_params)
-
else
-
143
__insert_and_return__(ds, oauth_grants_id_column, grant_params.merge(update_params))
-
end
-
end
-
end
-
-
17
def valid_locked_oauth_grant(grant_params = nil)
-
1853
oauth_grant = valid_oauth_grant_ds(grant_params).for_update.first
-
-
1853
redirect_response_error("invalid_grant") unless oauth_grant
-
-
1547
oauth_grant
-
end
-
-
17
def valid_oauth_grant_ds(grant_params = nil)
-
3199
ds = db[oauth_grants_table]
-
.where(Sequel[oauth_grants_table][oauth_grants_revoked_at_column] => nil)
-
.where(Sequel.expr(Sequel[oauth_grants_table][oauth_grants_expires_in_column]) >= Sequel::CURRENT_TIMESTAMP)
-
3199
ds = ds.where(grant_params) if grant_params
-
-
3199
ds
-
end
-
-
17
def oauth_grant_by_token_ds(token)
-
629
ds = valid_oauth_grant_ds
-
-
629
if oauth_grants_token_hash_column
-
68
ds.where(Sequel[oauth_grants_table][oauth_grants_token_hash_column] => generate_token_hash(token))
-
else
-
561
ds.where(Sequel[oauth_grants_table][oauth_grants_token_column] => token)
-
end
-
end
-
-
17
def oauth_grant_by_token(token)
-
527
oauth_grant_by_token_ds(token).first
-
end
-
-
17
def oauth_grant_by_refresh_token_ds(token, revoked: false)
-
561
ds = db[oauth_grants_table].where(oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column])
-
#
-
# filter expired refresh tokens out.
-
# an expired refresh token is a token whose access token expired for a period longer than the
-
# refresh token expiration period.
-
#
-
561
ds = ds.where(Sequel.date_add(oauth_grants_expires_in_column,
-
561
seconds: (oauth_refresh_token_expires_in - oauth_access_token_expires_in)) >= Sequel::CURRENT_TIMESTAMP)
-
-
561
ds = if oauth_grants_refresh_token_hash_column
-
51
ds.where(oauth_grants_refresh_token_hash_column => generate_token_hash(token))
-
else
-
510
ds.where(oauth_grants_refresh_token_column => token)
-
end
-
-
561
ds = ds.where(oauth_grants_revoked_at_column => nil) unless revoked
-
-
561
ds
-
end
-
-
17
def oauth_grant_by_refresh_token(token, **kwargs)
-
136
oauth_grant_by_refresh_token_ds(token, **kwargs).first
-
end
-
-
17
def json_access_token_payload(oauth_grant)
-
575
payload = {
-
1380
"access_token" => oauth_grant[oauth_grants_token_column],
-
"token_type" => oauth_token_type,
-
"expires_in" => oauth_access_token_expires_in
-
}
-
1955
payload["refresh_token"] = oauth_grant[oauth_grants_refresh_token_column] if oauth_grant[oauth_grants_refresh_token_column]
-
1955
payload
-
end
-
-
# Access Tokens
-
-
17
def validate_token_params
-
2805
unless (grant_type = param_or_nil("grant_type"))
-
85
redirect_response_error("invalid_request")
-
end
-
-
2720
redirect_response_error("invalid_request") if grant_type == "refresh_token" && !param_or_nil("refresh_token")
-
end
-
-
17
def create_token(grant_type)
-
612
redirect_response_error("invalid_request") unless supported_grant_type?(grant_type, "refresh_token")
-
-
425
refresh_token = param("refresh_token")
-
# fetch potentially revoked oauth token
-
425
oauth_grant = oauth_grant_by_refresh_token_ds(refresh_token, revoked: true).for_update.first
-
-
425
update_params = { oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP,
-
seconds: oauth_access_token_expires_in) }
-
-
425
if !oauth_grant || oauth_grant[oauth_grants_revoked_at_column]
-
204
redirect_response_error("invalid_grant")
-
221
elsif oauth_refresh_token_protection_policy == "rotation"
-
# https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00#section-6.1
-
#
-
# If a refresh token is compromised and subsequently used by both the attacker and the legitimate
-
# client, one of them will present an invalidated refresh token, which will inform the authorization
-
# server of the breach. The authorization server cannot determine which party submitted the invalid
-
# refresh token, but it will revoke the active refresh token. This stops the attack at the cost of
-
# forcing the legitimate client to obtain a fresh authorization grant.
-
-
102
refresh_token = _generate_refresh_token(update_params)
-
end
-
-
169
update_params[oauth_grants_oauth_application_id_column] = oauth_grant[oauth_grants_oauth_application_id_column]
-
-
221
oauth_grant = create_token_from_token(oauth_grant, update_params)
-
156
oauth_grant[oauth_grants_refresh_token_column] = refresh_token
-
204
oauth_grant
-
end
-
-
17
def create_token_from_token(oauth_grant, update_params)
-
221
redirect_response_error("invalid_grant") unless grant_from_application?(oauth_grant, oauth_application)
-
-
221
rescue_from_uniqueness_error do
-
272
oauth_grants_ds = db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
-
272
access_token = _generate_access_token(update_params)
-
272
oauth_grant = __update_and_return__(oauth_grants_ds, update_params)
-
-
156
oauth_grant[oauth_grants_token_column] = access_token
-
204
oauth_grant
-
end
-
end
-
-
17
def supported_grant_type?(grant_type, expected_grant_type = grant_type)
-
3281
return false unless grant_type == expected_grant_type
-
-
2669
grant_types_supported = if oauth_application[oauth_applications_grant_types_column]
-
68
oauth_application[oauth_applications_grant_types_column].split(/ +/)
-
else
-
2601
oauth_grant_types_supported
-
end
-
-
2669
grant_types_supported.include?(grant_type)
-
end
-
-
17
def supported_response_type?(response_type, expected_response_type = response_type)
-
1462
return false unless response_type == expected_response_type
-
-
1462
response_types_supported = if oauth_application[oauth_applications_response_types_column]
-
17
oauth_application[oauth_applications_response_types_column].split(/ +/)
-
else
-
1445
oauth_response_types_supported
-
end
-
-
1462
response_types = response_type.split(/ +/)
-
-
1462
(response_types - response_types_supported).empty?
-
end
-
-
17
def supported_response_mode?(response_mode, expected_response_mode = response_mode)
-
1445
return false unless response_mode == expected_response_mode
-
-
1445
response_modes_supported = if oauth_application[oauth_applications_response_modes_column]
-
oauth_application[oauth_applications_response_modes_column].split(/ +/)
-
else
-
1445
oauth_response_modes_supported
-
end
-
-
1445
response_modes_supported.include?(response_mode)
-
end
-
-
17
def oauth_server_metadata_body(path = nil)
-
459
issuer = base_url
-
459
issuer += "/#{path}" if path
-
-
135
{
-
324
issuer: issuer,
-
token_endpoint: token_url,
-
scopes_supported: oauth_application_scopes,
-
response_types_supported: oauth_response_types_supported,
-
response_modes_supported: oauth_response_modes_supported,
-
grant_types_supported: oauth_grant_types_supported,
-
token_endpoint_auth_methods_supported: oauth_token_endpoint_auth_methods_supported,
-
service_documentation: oauth_metadata_service_documentation,
-
ui_locales_supported: oauth_metadata_ui_locales_supported,
-
op_policy_uri: oauth_metadata_op_policy_uri,
-
op_tos_uri: oauth_metadata_op_tos_uri
-
}
-
end
-
-
17
def redirect_response_error(error_code, message = nil)
-
2074
if accepts_json?
-
1309
status_code = if respond_to?(:"oauth_#{error_code}_response_status")
-
34
send(:"oauth_#{error_code}_response_status")
-
else
-
1275
oauth_invalid_response_status
-
end
-
-
1309
throw_json_response_error(status_code, error_code, message)
-
else
-
765
redirect_url = redirect_uri || request.referer || default_redirect
-
765
redirect_url = URI.parse(redirect_url)
-
765
params = response_error_params(error_code, message)
-
765
state = param_or_nil("state")
-
765
params["state"] = state if state
-
765
_redirect_response_error(redirect_url, params)
-
end
-
end
-
-
17
def _redirect_response_error(redirect_url, params)
-
510
params = URI.encode_www_form(params)
-
510
if redirect_url.query
-
params << "&" unless params.empty?
-
params << redirect_url.query
-
end
-
510
redirect_url.query = params
-
510
redirect(redirect_url.to_s)
-
end
-
-
17
def response_error_params(error_code, message = nil)
-
4080
code = if respond_to?(:"oauth_#{error_code}_error_code")
-
119
send(:"oauth_#{error_code}_error_code")
-
else
-
3961
error_code
-
end
-
4080
payload = { "error" => code }
-
4080
error_description = message
-
4080
error_description ||= send(:"oauth_#{error_code}_message") if respond_to?(:"oauth_#{error_code}_message")
-
4080
payload["error_description"] = error_description if error_description
-
-
4080
payload
-
end
-
-
17
def json_response_success(body, cache = false)
-
2958
response.status = 200
-
2958
response["Content-Type"] ||= json_response_content_type
-
2958
if cache
-
# defaulting to 1-day for everyone, for now at least
-
510
max_age = 60 * 60 * 24
-
390
response["Cache-Control"] = "private, max-age=#{max_age}"
-
else
-
1872
response["Cache-Control"] = "no-store"
-
1872
response["Pragma"] = "no-cache"
-
end
-
2958
json_payload = _json_response_body(body)
-
2958
return_response(json_payload)
-
end
-
-
17
def throw_json_response_error(status, error_code, message = nil)
-
3315
set_response_error_status(status)
-
3315
payload = response_error_params(error_code, message)
-
3315
json_payload = _json_response_body(payload)
-
3315
response["Content-Type"] ||= json_response_content_type
-
3315
response["WWW-Authenticate"] = www_authenticate_header(payload) if status == 401
-
3315
return_response(json_payload)
-
end
-
-
17
def www_authenticate_header(*)
-
833
oauth_token_type.capitalize
-
end
-
-
17
def _json_response_body(hash)
-
7225
return super if features.include?(:json)
-
-
7225
if request.respond_to?(:convert_to_json)
-
request.send(:convert_to_json, hash)
-
else
-
7225
JSON.dump(hash)
-
end
-
end
-
-
17
if Gem::Version.new(Rodauth.version) < Gem::Version.new("2.23")
-
def return_response(body = nil)
-
response.write(body) if body
-
request.halt
-
end
-
end
-
-
17
def authorization_required
-
272
throw_json_response_error(oauth_authorization_required_error_status, "invalid_client")
-
end
-
-
17
def check_valid_scopes?(scp = scopes)
-
3396
return false unless scp
-
-
3396
(scp - oauth_application[oauth_applications_scopes_column].split(oauth_scope_separator)).empty?
-
end
-
-
17
def check_valid_uri?(uri)
-
12682
URI::DEFAULT_PARSER.make_regexp(oauth_valid_uri_schemes).match?(uri)
-
end
-
-
17
def check_valid_no_fragment_uri?(uri)
-
3910
check_valid_uri?(uri) && URI.parse(uri).fragment.nil?
-
end
-
-
# Resource server mode
-
-
17
def authorization_server_metadata
-
68
auth_url = URI(authorization_server_url).dup
-
68
auth_url.path = "/.well-known/oauth-authorization-server"
-
-
68
http_request_with_cache(auth_url)
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_client_credentials_grant, :OauthClientCredentialsGrant) do
-
17
depends :oauth_base
-
-
17
def oauth_grant_types_supported
-
136
super | %w[client_credentials]
-
end
-
-
17
private
-
-
17
def create_token(grant_type)
-
102
return super unless supported_grant_type?(grant_type, "client_credentials")
-
-
85
grant_scopes = scopes
-
-
85
grant_scopes = if grant_scopes
-
17
redirect_response_error("invalid_scope") unless check_valid_scopes?
-
17
grant_scopes.join(oauth_scope_separator)
-
else
-
68
oauth_application[oauth_applications_scopes_column]
-
end
-
-
25
grant_params = {
-
60
oauth_grants_type_column => "client_credentials",
-
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-
oauth_grants_scopes_column => grant_scopes
-
}
-
85
generate_token(grant_params, false)
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_device_code_grant, :OauthDeviceCodeGrant) do
-
17
depends :oauth_authorize_base
-
-
17
before "device_authorization"
-
17
before "device_verification"
-
-
17
notice_flash "The device is verified", "device_verification"
-
17
error_flash "No device to authorize with the given user code", "user_code_not_found"
-
-
17
view "device_verification", "Device Verification", "device_verification"
-
17
view "device_search", "Device Search", "device_search"
-
-
17
button "Verify", "oauth_device_verification"
-
17
button "Search", "oauth_device_search"
-
-
17
auth_value_method :oauth_grants_user_code_column, :user_code
-
17
auth_value_method :oauth_grants_last_polled_at_column, :last_polled_at
-
-
17
translatable_method :oauth_device_search_page_lead, "Insert the user code from the device you'd like to authorize."
-
17
translatable_method :oauth_device_verification_page_lead, "The device with user code %<user_code>s would like to access your data."
-
17
translatable_method :oauth_expired_token_message, "the device code has expired"
-
17
translatable_method :oauth_access_denied_message, "the authorization request has been denied"
-
17
translatable_method :oauth_authorization_pending_message, "the authorization request is still pending"
-
17
translatable_method :oauth_slow_down_message, "authorization request is still pending but poll interval should be increased"
-
-
17
auth_value_method :oauth_device_code_grant_polling_interval, 5 # seconds
-
17
auth_value_method :oauth_device_code_grant_user_code_size, 8 # characters
-
17
%w[user_code].each do |param|
-
17
auth_value_method :"oauth_grant_#{param}_param", param
-
end
-
17
translatable_method :oauth_grant_user_code_label, "User code"
-
-
17
auth_methods(
-
:generate_user_code
-
)
-
-
# /device-authorization
-
17
auth_server_route(:device_authorization) do |r|
-
34
require_oauth_application
-
34
before_device_authorization_route
-
-
34
r.post do
-
34
user_code = generate_user_code
-
34
device_code = transaction do
-
34
before_device_authorization
-
34
create_oauth_grant(
-
oauth_grants_type_column => "device_code",
-
oauth_grants_user_code_column => user_code
-
)
-
end
-
-
34
json_response_success \
-
"device_code" => device_code,
-
"user_code" => user_code,
-
"verification_uri" => device_url,
-
"verification_uri_complete" => device_url(user_code: user_code),
-
"expires_in" => oauth_grant_expires_in,
-
"interval" => oauth_device_code_grant_polling_interval
-
end
-
end
-
-
# /device
-
17
auth_server_route(:device) do |r|
-
357
require_authorizable_account
-
340
before_device_route
-
-
340
r.get do
-
289
if (user_code = param_or_nil("user_code"))
-
102
oauth_grant = valid_oauth_grant_ds(oauth_grants_user_code_column => user_code).first
-
-
102
unless oauth_grant
-
51
set_redirect_error_flash user_code_not_found_error_flash
-
51
redirect device_path
-
end
-
-
51
scope.instance_variable_set(:@oauth_grant, oauth_grant)
-
51
device_verification_view
-
else
-
187
device_search_view
-
end
-
end
-
-
51
r.post do
-
51
catch_error do
-
51
unless (user_code = param_or_nil("user_code")) && !user_code.empty?
-
17
set_redirect_error_flash oauth_invalid_grant_message
-
17
redirect device_path
-
end
-
-
34
transaction do
-
34
before_device_verification
-
34
create_token("device_code")
-
end
-
end
-
34
set_notice_flash device_verification_notice_flash
-
34
redirect device_path
-
end
-
end
-
-
17
def check_csrf?
-
611
case request.path
-
when device_authorization_path
-
34
false
-
else
-
765
super
-
end
-
end
-
-
17
def oauth_grant_types_supported
-
187
super | %w[urn:ietf:params:oauth:grant-type:device_code]
-
end
-
-
17
private
-
-
17
def generate_user_code
-
34
user_code_size = oauth_device_code_grant_user_code_size
-
32
SecureRandom.random_number(36**user_code_size)
-
.to_s(36) # 0 to 9, a to z
-
.upcase
-
2
.rjust(user_code_size, "0")
-
end
-
-
# TODO: think about removing this and recommend PKCE
-
17
def supports_auth_method?(oauth_application, auth_method)
-
221
return super unless auth_method == "none"
-
-
187
request.path == device_authorization_path || request.params.key?("device_code") || super
-
end
-
-
17
def create_token(grant_type)
-
204
if supported_grant_type?(grant_type, "urn:ietf:params:oauth:grant-type:device_code")
-
-
170
oauth_grant = db[oauth_grants_table].where(
-
oauth_grants_type_column => "device_code",
-
oauth_grants_code_column => param("device_code"),
-
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
-
).for_update.first
-
-
170
throw_json_response_error(oauth_invalid_response_status, "invalid_grant") unless oauth_grant
-
-
153
now = Time.now
-
-
153
if oauth_grant[oauth_grants_user_code_column].nil?
-
24
return create_token_from_authorization_code(
-
{ oauth_grants_id_column => oauth_grant[oauth_grants_id_column] },
-
oauth_grant: oauth_grant
-
2
)
-
end
-
-
119
if oauth_grant[oauth_grants_revoked_at_column]
-
34
throw_json_response_error(oauth_invalid_response_status, "access_denied")
-
85
elsif oauth_grant[oauth_grants_expires_in_column] < now
-
17
throw_json_response_error(oauth_invalid_response_status, "expired_token")
-
else
-
68
last_polled_at = oauth_grant[oauth_grants_last_polled_at_column]
-
68
if last_polled_at && convert_timestamp(last_polled_at) + oauth_device_code_grant_polling_interval > now
-
17
throw_json_response_error(oauth_invalid_response_status, "slow_down")
-
else
-
51
db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
-
3
.update(oauth_grants_last_polled_at_column => Sequel::CURRENT_TIMESTAMP)
-
51
throw_json_response_error(oauth_invalid_response_status, "authorization_pending")
-
end
-
end
-
34
elsif grant_type == "device_code"
-
-
# fetch oauth grant
-
34
rs = valid_oauth_grant_ds(
-
oauth_grants_user_code_column => param("user_code")
-
).update(oauth_grants_user_code_column => nil, oauth_grants_type_column => "device_code")
-
-
34
rs if rs.positive?
-
else
-
super
-
end
-
end
-
-
17
def validate_token_params
-
187
grant_type = param_or_nil("grant_type")
-
-
187
if grant_type == "urn:ietf:params:oauth:grant-type:device_code" && !param_or_nil("device_code")
-
17
redirect_response_error("invalid_request")
-
end
-
170
super
-
end
-
-
17
def store_token(grant_params, update_params = {})
-
34
return super unless grant_params[oauth_grants_user_code_column]
-
-
# do not clean up device code just yet
-
update_params.delete(oauth_grants_code_column)
-
update_params[oauth_grants_user_code_column] = nil
-
update_params.merge!(resource_params)
-
-
super(grant_params, update_params)
-
end
-
-
17
def oauth_server_metadata_body(*)
-
17
super.tap do |data|
-
13
data[:device_authorization_endpoint] = device_authorization_url
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_dpop, :OauthDpop) do
-
17
depends :oauth_jwt, :oauth_authorize_base
-
-
17
auth_value_method :oauth_invalid_token_error_response_status, 401
-
17
auth_value_method :oauth_multiple_auth_methods_response_status, 401
-
17
auth_value_method :oauth_access_token_dpop_bound_response_status, 401
-
-
17
translatable_method :oauth_invalid_dpop_proof_message, "Invalid DPoP proof"
-
17
translatable_method :oauth_multiple_auth_methods_message, "Multiple methods used to include access token"
-
17
auth_value_method :oauth_multiple_dpop_proofs_error_code, "invalid_request"
-
17
translatable_method :oauth_multiple_dpop_proofs_message, "Multiple DPoP proofs used"
-
17
auth_value_method :oauth_invalid_dpop_jkt_error_code, "invalid_dpop_proof"
-
17
translatable_method :oauth_invalid_dpop_jkt_message, "Invalid DPoP JKT"
-
17
auth_value_method :oauth_invalid_dpop_jti_error_code, "invalid_dpop_proof"
-
17
translatable_method :oauth_invalid_dpop_jti_message, "Invalid DPoP jti"
-
17
auth_value_method :oauth_invalid_dpop_htm_error_code, "invalid_dpop_proof"
-
17
translatable_method :oauth_invalid_dpop_htm_message, "Invalid DPoP htm"
-
17
auth_value_method :oauth_invalid_dpop_htu_error_code, "invalid_dpop_proof"
-
17
translatable_method :oauth_invalid_dpop_htu_message, "Invalid DPoP htu"
-
17
translatable_method :oauth_access_token_dpop_bound_message, "DPoP bound access token requires DPoP proof"
-
-
17
translatable_method :oauth_use_dpop_nonce_message, "DPoP nonce is required"
-
-
17
auth_value_method :oauth_dpop_proof_expires_in, 60 * 5 # 5 minutes
-
17
auth_value_method :oauth_dpop_bound_access_tokens, false
-
17
auth_value_method :oauth_dpop_use_nonce, false
-
17
auth_value_method :oauth_dpop_nonce_expires_in, 5 # 5 seconds
-
17
auth_value_method :oauth_dpop_signing_alg_values_supported,
-
%w[
-
RS256
-
RS384
-
RS512
-
PS256
-
PS384
-
PS512
-
ES256
-
ES384
-
ES512
-
ES256K
-
]
-
-
17
auth_value_method :oauth_applications_dpop_bound_access_tokens_column, :dpop_bound_access_tokens
-
17
auth_value_method :oauth_grants_dpop_jkt_column, :dpop_jkt
-
17
auth_value_method :oauth_pushed_authorization_requests_dpop_jkt_column, :dpop_jkt
-
-
17
auth_value_method :oauth_dpop_proofs_table, :oauth_dpop_proofs
-
17
auth_value_method :oauth_dpop_proofs_jti_column, :jti
-
17
auth_value_method :oauth_dpop_proofs_first_use_column, :first_use
-
-
17
auth_methods(:validate_dpop_proof_usage)
-
-
17
def require_oauth_authorization(*scopes)
-
68
@dpop_access_token = fetch_access_token_from_authorization_header("dpop")
-
-
68
unless @dpop_access_token
-
51
authorization_required if oauth_dpop_bound_access_tokens
-
-
# Specifically, such a protected resource MUST reject a DPoP-bound access token received as a bearer token
-
34
redirect_response_error("access_token_dpop_bound") if authorization_token && authorization_token.dig("cnf", "jkt")
-
-
13
return super
-
end
-
-
17
dpop = fetch_dpop_token
-
-
17
dpop_claims = validate_dpop_token(dpop)
-
-
# 4.3.12
-
17
validate_ath(dpop_claims, @dpop_access_token)
-
-
17
@authorization_token = decode_access_token(@dpop_access_token)
-
-
# 4.3.12 - confirm that the public key to which the access token is bound matches the public key from the DPoP proof.
-
17
jkt = authorization_token.dig("cnf", "jkt")
-
-
17
redirect_response_error("invalid_dpop_jkt") if oauth_dpop_bound_access_tokens && !jkt
-
-
17
redirect_response_error("invalid_dpop_jkt") unless jkt == @dpop_thumbprint
-
-
17
super
-
end
-
-
17
private
-
-
17
def validate_token_params
-
340
dpop = fetch_dpop_token
-
-
340
unless dpop
-
17
authorization_required if dpop_bound_access_tokens_required?
-
-
return super
-
end
-
-
323
validate_dpop_token(dpop)
-
-
187
super
-
end
-
-
17
def validate_par_params
-
68
super
-
-
68
return unless (dpop = fetch_dpop_token)
-
-
51
validate_dpop_token(dpop)
-
-
51
if (dpop_jkt = param_or_nil("dpop_jkt"))
-
34
redirect_response_error("invalid_request") if dpop_jkt != @dpop_thumbprint
-
else
-
13
request.params["dpop_jkt"] = @dpop_thumbprint
-
end
-
end
-
-
17
def validate_dpop_token(dpop)
-
# 4.3.2
-
391
@dpop_claims = dpop_decode(dpop)
-
340
redirect_response_error("invalid_dpop_proof") unless @dpop_claims
-
-
323
validate_dpop_jwt_claims(@dpop_claims)
-
-
# 4.3.10
-
289
validate_nonce(@dpop_claims)
-
-
# 11.1
-
# To prevent multiple uses of the same DPoP proof, servers can store, in the
-
# context of the target URI, the jti value of each DPoP proof for the time window
-
# in which the respective DPoP proof JWT would be accepted.
-
272
validate_dpop_proof_usage(@dpop_claims)
-
-
255
@dpop_claims
-
end
-
-
17
def validate_dpop_proof_usage(claims)
-
272
jti = claims["jti"]
-
-
272
dpop_proof = __insert_or_do_nothing_and_return__(
-
db[oauth_dpop_proofs_table],
-
oauth_dpop_proofs_jti_column,
-
[oauth_dpop_proofs_jti_column],
-
oauth_dpop_proofs_jti_column => Digest::SHA256.hexdigest(jti),
-
oauth_dpop_proofs_first_use_column => Sequel::CURRENT_TIMESTAMP
-
)
-
-
272
return unless (Time.now - dpop_proof[oauth_dpop_proofs_first_use_column]) > oauth_dpop_proof_expires_in
-
-
17
redirect_response_error("invalid_dpop_proof")
-
end
-
-
17
def dpop_decode(dpop)
-
# decode first without verifying!
-
391
_, headers = jwt_decode_no_key(dpop)
-
-
391
redirect_response_error("invalid_dpop_proof") unless verify_dpop_jwt_headers(headers)
-
-
340
dpop_jwk = headers["jwk"]
-
-
340
jwt_decode(
-
dpop,
-
jws_key: jwk_key(dpop_jwk),
-
jws_algorithm: headers["alg"],
-
verify_iss: false,
-
verify_aud: false,
-
verify_jti: false
-
)
-
end
-
-
17
def verify_dpop_jwt_headers(headers)
-
# 4.3.4 - A field with the value dpop+jwt
-
391
return false unless headers["typ"] == "dpop+jwt"
-
-
# 4.3.5 - It MUST NOT be none or an identifier for a symmetric algorithm
-
374
alg = headers["alg"]
-
374
return false unless alg && oauth_dpop_signing_alg_values_supported.include?(alg)
-
-
357
dpop_jwk = headers["jwk"]
-
-
357
return false unless dpop_jwk
-
-
# 4.3.7 - It MUST NOT contain a private key.
-
357
return false if private_jwk?(dpop_jwk)
-
-
# store thumbprint for future assertions
-
340
@dpop_thumbprint = jwk_thumbprint(dpop_jwk)
-
-
340
true
-
end
-
-
17
def validate_dpop_jwt_claims(claims)
-
323
jti = claims["jti"]
-
-
323
unless jti && jti == Digest::SHA256.hexdigest("#{request.request_method}:#{request.url}:#{claims['iat']}")
-
redirect_response_error("invalid_dpop_jti")
-
end
-
-
323
htm = claims["htm"]
-
-
# 4.3.8 - Check if htm matches the request method
-
323
redirect_response_error("invalid_dpop_htm") unless htm && htm == request.request_method
-
-
306
htu = claims["htu"]
-
-
# 4.3.9 - Check if htu matches the request URL
-
306
redirect_response_error("invalid_dpop_htu") unless htu && htu == request.url
-
end
-
-
17
def validate_ath(claims, access_token)
-
# When the DPoP proof is used in conjunction with the presentation of an access token in protected resource access
-
# the DPoP proof MUST also contain the following claim
-
17
ath = claims["ath"]
-
-
17
redirect_response_error("invalid_token") unless ath
-
-
# The value MUST be the result of a base64url encoding of the SHA-256 hash of the ASCII encoding of
-
# the associated access token's value.
-
17
redirect_response_error("invalid_token") unless ath == Base64.urlsafe_encode64(Digest::SHA256.digest(access_token), padding: false)
-
end
-
-
17
def validate_nonce(claims)
-
289
nonce = claims["nonce"]
-
-
289
unless nonce
-
272
dpop_nonce_required(claims) if dpop_use_nonce?
-
-
195
return
-
end
-
-
17
dpop_nonce_required(claims) unless valid_dpop_nonce?(nonce)
-
end
-
-
17
def jwt_claims(oauth_grant)
-
153
claims = super
-
153
if @dpop_thumbprint
-
# the authorization server associates the issued access token with the
-
# public key from the DPoP proof
-
117
claims[:cnf] = { jkt: @dpop_thumbprint }
-
end
-
153
claims
-
end
-
-
17
def generate_token(grant_params = {}, should_generate_refresh_token = true)
-
# When an authorization server supporting DPoP issues a refresh token to a public client
-
# that presents a valid DPoP proof at the token endpoint, the refresh token MUST be bound to the respective public key.
-
153
grant_params[oauth_grants_dpop_jkt_column] = @dpop_thumbprint if @dpop_thumbprint
-
153
super
-
end
-
-
17
def valid_oauth_grant_ds(grant_params = nil)
-
187
ds = super
-
-
187
ds = ds.where(oauth_grants_dpop_jkt_column => nil)
-
187
ds = ds.or(oauth_grants_dpop_jkt_column => @dpop_thumbprint) if @dpop_thumbprint
-
187
ds
-
end
-
-
17
def oauth_grant_by_refresh_token_ds(_token, revoked: false)
-
ds = super
-
# The binding MUST be validated when the refresh token is later presented to get new access tokens.
-
ds = ds.where(oauth_grants_dpop_jkt_column => nil)
-
ds = ds.or(oauth_grants_dpop_jkt_column => @dpop_thumbprint) if @dpop_thumbprint
-
ds
-
end
-
-
17
def oauth_grant_by_token_ds(_token)
-
ds = super
-
# The binding MUST be validated when the refresh token is later presented to get new access tokens.
-
ds = ds.where(oauth_grants_dpop_jkt_column => nil)
-
ds = ds.or(oauth_grants_dpop_jkt_column => @dpop_thumbprint) if @dpop_thumbprint
-
ds
-
end
-
-
17
def create_oauth_grant(create_params = {})
-
# 10. Authorization Code Binding to DPoP Key
-
# Binding the authorization code issued to the client's proof-of-possession key can enable end-to-end
-
# binding of the entire authorization flow.
-
85
if (dpop_jkt = param_or_nil("dpop_jkt"))
-
65
create_params[oauth_grants_dpop_jkt_column] = dpop_jkt
-
end
-
-
85
super
-
end
-
-
17
def json_access_token_payload(oauth_grant)
-
153
payload = super
-
# 5. A token_type of DPoP MUST be included in the access token response to
-
# signal to the client that the access token was bound to its DPoP key
-
153
payload["token_type"] = "DPoP" if @dpop_claims
-
153
payload
-
end
-
-
17
def fetch_dpop_token
-
425
dpop = request.env["HTTP_DPOP"]
-
-
425
return if dpop.nil? || dpop.empty?
-
-
# 4.3.1 - There is not more than one DPoP HTTP request header field.
-
391
redirect_response_error("multiple_dpop_proofs") if dpop.split(";").size > 1
-
-
391
dpop
-
end
-
-
17
def dpop_bound_access_tokens_required?
-
85
oauth_dpop_bound_access_tokens || (oauth_application && oauth_application[oauth_applications_dpop_bound_access_tokens_column])
-
end
-
-
17
def dpop_use_nonce?
-
272
oauth_dpop_use_nonce || (oauth_application && oauth_application[oauth_applications_dpop_bound_access_tokens_column])
-
end
-
-
17
def valid_dpop_proof_required(error_code = "invalid_dpop_proof")
-
if @dpop_access_token
-
# protected resource access
-
throw_json_response_error(401, error_code)
-
else
-
redirect_response_error(error_code)
-
end
-
end
-
-
17
def dpop_nonce_required(dpop_claims)
-
13
response["DPoP-Nonce"] = generate_dpop_nonce(dpop_claims)
-
-
17
if @dpop_access_token
-
# protected resource access
-
throw_json_response_error(401, "use_dpop_nonce")
-
else
-
17
redirect_response_error("use_dpop_nonce")
-
end
-
end
-
-
17
def www_authenticate_header(payload)
-
68
header = if dpop_bound_access_tokens_required?
-
34
"DPoP"
-
else
-
26
"#{super}, DPoP"
-
end
-
-
68
error_code = payload["error"]
-
-
68
unless error_code == "invalid_client"
-
17
header = "#{header} error=\"#{error_code}\""
-
-
17
if (desc = payload["error_description"])
-
17
header = "#{header} error_description=\"#{desc}\""
-
end
-
end
-
-
68
algs = oauth_dpop_signing_alg_values_supported.join(" ")
-
-
52
"#{header} algs=\"#{algs}\""
-
end
-
-
# Nonce
-
-
17
def generate_dpop_nonce(dpop_claims)
-
17
issued_at = Time.now.to_i
-
-
17
aud = "#{dpop_claims['htm']}:#{dpop_claims['htu']}"
-
-
5
nonce_claims = {
-
12
iss: oauth_jwt_issuer,
-
iat: issued_at,
-
exp: issued_at + oauth_dpop_nonce_expires_in,
-
aud: aud
-
}
-
-
17
jwt_encode(nonce_claims)
-
end
-
-
17
def valid_dpop_nonce?(nonce)
-
17
nonce_claims = jwt_decode(nonce, verify_aud: false, verify_jti: false)
-
-
17
return false unless nonce_claims
-
-
17
jti = nonce_claims["jti"]
-
-
17
return false unless jti
-
-
17
return false unless jti == Digest::SHA256.hexdigest("#{request.request_method}:#{request.url}:#{nonce_claims['iat']}")
-
-
17
return false unless nonce_claims.key?("aud")
-
-
17
htm, htu = nonce_claims["aud"].split(":", 2)
-
-
17
htm == request.request_method && htu == request.url
-
end
-
-
17
def json_token_introspect_payload(grant_or_claims)
-
17
claims = super
-
-
17
return claims unless grant_or_claims
-
-
17
if (jkt = grant_or_claims.dig("cnf", "jkt"))
-
13
(claims[:cnf] ||= {})[:jkt] = jkt
-
13
claims[:token_type] = "DPoP"
-
end
-
-
17
claims
-
end
-
-
17
def oauth_server_metadata_body(*)
-
17
super.tap do |data|
-
13
data[:dpop_signing_alg_values_supported] = oauth_dpop_signing_alg_values_supported
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_dynamic_client_registration, :OauthDynamicClientRegistration) do
-
17
depends :oauth_base
-
-
17
before "register"
-
-
17
auth_value_method :oauth_client_registration_required_params, %w[redirect_uris client_name]
-
17
auth_value_method :oauth_applications_registration_access_token_column, :registration_access_token
-
17
auth_value_method :registration_client_uri_route, "register"
-
-
17
PROTECTED_APPLICATION_ATTRIBUTES = %w[account_id client_id].freeze
-
-
17
def load_registration_client_uri_routes
-
68
request.on(registration_client_uri_route) do
-
# CLIENT REGISTRATION URI
-
68
request.on(String) do |client_id|
-
68
token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]
-
-
68
next unless token
-
-
68
oauth_application = db[oauth_applications_table]
-
.where(oauth_applications_client_id_column => client_id)
-
.first
-
68
next unless oauth_application
-
-
68
authorization_required unless password_hash_match?(oauth_application[oauth_applications_registration_access_token_column], token)
-
-
68
request.is do
-
68
request.get do
-
17
json_response_oauth_application(oauth_application)
-
end
-
51
request.on method: :put do
-
32
%w[client_id registration_access_token registration_client_uri client_secret_expires_at
-
2
client_id_issued_at].each do |prohibited_param|
-
102
if request.params.key?(prohibited_param)
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(prohibited_param))
-
end
-
end
-
17
validate_client_registration_params
-
-
# if the client includes the "client_secret" field in the request, the value of this field MUST match the currently
-
# issued client secret for that client. The client MUST NOT be allowed to overwrite its existing client secret with
-
# its own chosen value.
-
17
authorization_required if request.params.key?("client_secret") && secret_matches?(oauth_application,
-
request.params["client_secret"])
-
-
17
oauth_application = transaction do
-
17
applications_ds = db[oauth_applications_table]
-
17
__update_and_return__(applications_ds, @oauth_application_params)
-
end
-
17
json_response_oauth_application(oauth_application)
-
end
-
-
17
request.on method: :delete do
-
17
applications_ds = db[oauth_applications_table]
-
17
applications_ds.where(oauth_applications_client_id_column => client_id).delete
-
17
response.status = 204
-
13
response["Cache-Control"] = "no-store"
-
13
response["Pragma"] = "no-cache"
-
17
response.finish
-
end
-
end
-
end
-
end
-
end
-
-
# /register
-
17
auth_server_route(:register) do |r|
-
1904
before_register_route
-
-
1904
r.post do
-
1904
oauth_client_registration_required_params.each do |required_param|
-
3740
unless request.params.key?(required_param)
-
68
register_throw_json_response_error("invalid_client_metadata", register_required_param_message(required_param))
-
end
-
end
-
-
1836
validate_client_registration_params
-
-
918
response_params = transaction do
-
918
before_register
-
918
do_register
-
end
-
-
918
response.status = 201
-
702
response["Content-Type"] = json_response_content_type
-
702
response["Cache-Control"] = "no-store"
-
702
response["Pragma"] = "no-cache"
-
918
response.write(_json_response_body(response_params))
-
end
-
end
-
-
17
def check_csrf?
-
1508
case request.path
-
when register_path
-
1904
false
-
else
-
68
super
-
end
-
end
-
-
17
private
-
-
17
def _before_register
-
raise %{dynamic client registration requires authentication.
-
Override ´before_register` to perform it.
-
example:
-
-
before_register do
-
account = _account_from_login(request.env["HTTP_X_USER_EMAIL"])
-
authorization_required unless account
-
@oauth_application_params[:account_id] = account[:id]
-
end
-
}
-
end
-
-
17
def validate_client_registration_params(request_params = request.params)
-
1887
@oauth_application_params = request_params.each_with_object({}) do |(key, value), params|
-
17589
case key
-
when "redirect_uris"
-
1836
if value.is_a?(Array)
-
1819
value = value.each do |uri|
-
3468
unless check_valid_no_fragment_uri?(uri)
-
34
register_throw_json_response_error("invalid_redirect_uri",
-
register_invalid_uri_message(uri))
-
end
-
end.join(" ")
-
else
-
17
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(value))
-
end
-
1785
key = oauth_applications_redirect_uri_column
-
when "token_endpoint_auth_method"
-
867
unless oauth_token_endpoint_auth_methods_supported.include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(key, value))
-
end
-
# verify if in range
-
850
key = oauth_applications_token_endpoint_auth_method_column
-
when "grant_types"
-
952
if value.is_a?(Array)
-
935
value = value.each do |grant_type|
-
1717
unless oauth_grant_types_supported.include?(grant_type)
-
34
register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(grant_type, value))
-
end
-
end.join(" ")
-
else
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(key, value))
-
end
-
901
key = oauth_applications_grant_types_column
-
when "response_types"
-
986
if value.is_a?(Array)
-
969
grant_types = request_params["grant_types"] || %w[authorization_code]
-
969
value = value.each do |response_type|
-
986
unless oauth_response_types_supported.include?(response_type)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_response_type_message(response_type))
-
end
-
-
969
validate_client_registration_response_type(response_type, grant_types)
-
end.join(" ")
-
else
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(key, value))
-
end
-
884
key = oauth_applications_response_types_column
-
# verify if in range and match grant type
-
when "client_uri", "logo_uri", "tos_uri", "policy_uri", "jwks_uri"
-
8483
register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(value)) unless check_valid_uri?(value)
-
6422
case key
-
when "client_uri"
-
1751
key = oauth_applications_homepage_url_column
-
when "jwks_uri"
-
1598
if request_params.key?("jwks")
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_jwks_param_message(key, "jwks"))
-
end
-
end
-
8381
key = __send__(:"oauth_applications_#{key}_column")
-
when "jwks"
-
34
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(Hash)
-
17
if request_params.key?("jwks_uri")
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_jwks_param_message(key, "jwks_uri"))
-
end
-
-
17
key = oauth_applications_jwks_column
-
17
value = JSON.dump(value)
-
when "scope"
-
1768
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(String)
-
1768
scopes = value.split(" ") - oauth_application_scopes
-
1768
register_throw_json_response_error("invalid_client_metadata", register_invalid_scopes_message(value)) unless scopes.empty?
-
1734
key = oauth_applications_scopes_column
-
# verify if in range
-
when "contacts"
-
1700
register_throw_json_response_error("invalid_client_metadata", register_invalid_contacts_message(value)) unless value.is_a?(Array)
-
1683
value = value.join(" ")
-
1683
key = oauth_applications_contacts_column
-
when "client_name"
-
1768
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(String)
-
1768
key = oauth_applications_name_column
-
when "dpop_bound_access_tokens"
-
51
unless respond_to?(:oauth_applications_dpop_bound_access_tokens_column)
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_param_message(key))
-
end
-
39
request_params[key] = value = convert_to_boolean(key, value)
-
-
34
key = oauth_applications_dpop_bound_access_tokens_column
-
when "require_signed_request_object"
-
51
unless respond_to?(:oauth_applications_require_signed_request_object_column)
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_param_message(key))
-
end
-
39
request_params[key] = value = convert_to_boolean(key, value)
-
-
34
key = oauth_applications_require_signed_request_object_column
-
when "require_pushed_authorization_requests"
-
51
unless respond_to?(:oauth_applications_require_pushed_authorization_requests_column)
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_param_message(key))
-
end
-
39
request_params[key] = value = convert_to_boolean(key, value)
-
-
34
key = oauth_applications_require_pushed_authorization_requests_column
-
when "tls_client_certificate_bound_access_tokens"
-
17
property = :oauth_applications_tls_client_certificate_bound_access_tokens_column
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key)) unless respond_to?(property)
-
-
13
request_params[key] = value = convert_to_boolean(key, value)
-
-
17
key = oauth_applications_tls_client_certificate_bound_access_tokens_column
-
when /\Atls_client_auth_/
-
119
unless respond_to?(:"oauth_applications_#{key}_column")
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_param_message(key))
-
end
-
-
# client using the tls_client_auth authentication method MUST use exactly one of the below metadata
-
# parameters to indicate the certificate subject value that the authorization server is to expect when
-
# authenticating the respective client.
-
1445
if params.any? { |k, _| k.to_s.start_with?("tls_client_auth_") }
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
-
end
-
-
102
key = __send__(:"oauth_applications_#{key}_column")
-
else
-
4318
if respond_to?(:"oauth_applications_#{key}_column")
-
4233
if PROTECTED_APPLICATION_ATTRIBUTES.include?(key)
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
-
end
-
4216
property = :"oauth_applications_#{key}_column"
-
4216
key = __send__(property)
-
85
elsif !db[oauth_applications_table].columns.include?(key.to_sym)
-
51
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
-
end
-
end
-
17186
params[key] = value
-
end
-
end
-
-
17
def validate_client_registration_response_type(response_type, grant_types)
-
689
case response_type
-
when "code"
-
799
unless grant_types.include?("authorization_code")
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_response_type_for_grant_type_message(response_type,
-
"authorization_code"))
-
end
-
when "token"
-
85
unless grant_types.include?("implicit")
-
34
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_response_type_for_grant_type_message(response_type, "implicit"))
-
end
-
when "none"
-
17
if grant_types.include?("implicit") || grant_types.include?("authorization_code")
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_response_type_message(response_type))
-
end
-
end
-
end
-
-
17
def do_register(return_params = request.params.dup)
-
918
applications_ds = db[oauth_applications_table]
-
918
application_columns = applications_ds.columns
-
-
# set defaults
-
918
create_params = @oauth_application_params
-
-
# If omitted, an authorization server MAY register a client with a default set of scopes
-
918
create_params[oauth_applications_scopes_column] ||= return_params["scopes"] = oauth_application_scopes.join(" ")
-
-
# https://datatracker.ietf.org/doc/html/rfc7591#section-2
-
918
if create_params[oauth_applications_grant_types_column] ||= begin
-
# If omitted, the default behavior is that the client will use only the "authorization_code" Grant Type.
-
377
return_params["grant_types"] = %w[authorization_code] # rubocop:disable Lint/AssignmentInCondition
-
493
"authorization_code"
-
end
-
918
create_params[oauth_applications_token_endpoint_auth_method_column] ||= begin
-
# If unspecified or omitted, the default is "client_secret_basic", denoting the HTTP Basic
-
# authentication scheme as specified in Section 2.3.1 of OAuth 2.0.
-
390
return_params["token_endpoint_auth_method"] =
-
"client_secret_basic"
-
510
"client_secret_basic"
-
end
-
end
-
918
create_params[oauth_applications_response_types_column] ||= begin
-
# If omitted, the default is that the client will use only the "code" response type.
-
377
return_params["response_types"] = %w[code]
-
493
"code"
-
end
-
918
rescue_from_uniqueness_error do
-
918
initialize_register_params(create_params, return_params)
-
17935
create_params.delete_if { |k, _| !application_columns.include?(k) }
-
918
applications_ds.insert(create_params)
-
end
-
-
918
return_params
-
end
-
-
17
def initialize_register_params(create_params, return_params)
-
918
client_id = oauth_unique_id_generator
-
702
create_params[oauth_applications_client_id_column] = client_id
-
702
return_params["client_id"] = client_id
-
702
return_params["client_id_issued_at"] = Time.now.utc.iso8601
-
-
918
registration_access_token = oauth_unique_id_generator
-
702
create_params[oauth_applications_registration_access_token_column] = secret_hash(registration_access_token)
-
702
return_params["registration_access_token"] = registration_access_token
-
702
return_params["registration_client_uri"] = "#{base_url}/#{registration_client_uri_route}/#{return_params['client_id']}"
-
-
918
if create_params.key?(oauth_applications_client_secret_column)
-
17
set_client_secret(create_params, create_params[oauth_applications_client_secret_column])
-
17
return_params.delete("client_secret")
-
else
-
901
client_secret = oauth_unique_id_generator
-
901
set_client_secret(create_params, client_secret)
-
689
return_params["client_secret"] = client_secret
-
689
return_params["client_secret_expires_at"] = 0
-
-
end
-
end
-
-
17
def register_throw_json_response_error(code, message)
-
1003
throw_json_response_error(oauth_invalid_response_status, code, message)
-
end
-
-
17
def register_required_param_message(key)
-
85
"The param '#{key}' is required by this server."
-
end
-
-
17
def register_invalid_param_message(key)
-
187
"The param '#{key}' is not supported by this server."
-
end
-
-
17
def register_invalid_client_metadata_message(key, value)
-
272
"The value '#{value}' is not supported by this server for param '#{key}'."
-
end
-
-
17
def register_invalid_contacts_message(contacts)
-
17
"The contacts '#{contacts}' are not allowed by this server."
-
end
-
-
17
def register_invalid_uri_message(uri)
-
306
"The '#{uri}' URL is not allowed by this server."
-
end
-
-
17
def register_invalid_jwks_param_message(key1, key2)
-
17
"The param '#{key1}' cannot be accepted together with param '#{key2}'."
-
end
-
-
17
def register_invalid_scopes_message(scopes)
-
34
"The given scopes (#{scopes}) are not allowed by this server."
-
end
-
-
17
def register_oauth_invalid_grant_type_message(grant_type)
-
"The grant type #{grant_type} is not allowed by this server."
-
end
-
-
17
def register_invalid_response_type_message(response_type)
-
34
"The response type #{response_type} is not allowed by this server."
-
end
-
-
17
def register_invalid_response_type_for_grant_type_message(response_type, grant_type)
-
51
"The grant type '#{grant_type}' must be registered for the response " \
-
12
"type '#{response_type}' to be allowed."
-
end
-
-
17
def convert_to_boolean(key, value)
-
156
case value
-
when true, false then value
-
102
when "true" then true
-
51
when "false" then false
-
else
-
51
register_throw_json_response_error(
-
"invalid_client_metadata",
-
register_invalid_param_message(key)
-
)
-
end
-
end
-
-
17
def json_response_oauth_application(oauth_application)
-
14910
params = methods.map { |k| k.to_s[/\Aoauth_applications_(\w+)_column\z/, 1] }.compact
-
-
34
body = params.each_with_object({}) do |k, hash|
-
782
next if %w[id account_id client_id client_secret cliennt_secret_hash].include?(k)
-
-
646
value = oauth_application[__send__(:"oauth_applications_#{k}_column")]
-
-
646
next unless value
-
-
182
case k
-
when "redirect_uri"
-
26
hash["redirect_uris"] = value.split(" ")
-
when "token_endpoint_auth_method", "grant_types", "response_types", "request_uris", "post_logout_redirect_uris"
-
hash[k] = value.split(" ")
-
when "scopes"
-
26
hash["scope"] = value
-
when "jwks"
-
hash[k] = value.is_a?(String) ? JSON.parse(value) : value
-
when "homepage_url"
-
26
hash["client_uri"] = value
-
when "name"
-
26
hash["client_name"] = value
-
else
-
78
hash[k] = value
-
end
-
end
-
-
34
response.status = 200
-
34
response["Content-Type"] ||= json_response_content_type
-
26
response["Cache-Control"] = "no-store"
-
26
response["Pragma"] = "no-cache"
-
34
json_payload = _json_response_body(body)
-
34
return_response(json_payload)
-
end
-
-
17
def oauth_server_metadata_body(*)
-
34
super.tap do |data|
-
26
data[:registration_endpoint] = register_url
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_grant_management, :OauthTokenManagement) do
-
17
depends :oauth_management_base, :oauth_token_revocation
-
-
17
view "oauth_grants", "My Oauth Grants", "oauth_grants"
-
-
17
button "Revoke", "oauth_grant_revoke"
-
-
17
auth_value_method :oauth_grants_path, "oauth-grants"
-
-
17
%w[type token refresh_token expires_in revoked_at].each do |param|
-
85
translatable_method :"oauth_grants_#{param}_label", param.gsub("_", " ").capitalize
-
end
-
17
translatable_method :oauth_no_grants_text, "No oauth grants yet!"
-
-
17
auth_value_method :oauth_grants_route, "oauth-grants"
-
17
auth_value_method :oauth_grants_id_pattern, Integer
-
17
auth_value_method :oauth_grants_per_page, 20
-
-
17
auth_methods(
-
:oauth_grant_path
-
)
-
-
17
def oauth_grants_path(opts = {})
-
1035
route_path(oauth_grants_route, opts)
-
end
-
-
17
def oauth_grant_path(id)
-
290
"#{oauth_grants_path}/#{id}"
-
end
-
-
17
def load_oauth_grant_management_routes
-
146
request.on(oauth_grants_route) do
-
146
check_csrf if check_csrf?
-
146
require_account
-
-
146
request.post(oauth_grants_id_pattern) do |id|
-
16
db[oauth_grants_table]
-
.where(oauth_grants_id_column => id)
-
.where(oauth_grants_account_id_column => account_id)
-
1
.update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
-
-
17
set_notice_flash revoke_oauth_grant_notice_flash
-
17
redirect oauth_grants_path || "/"
-
end
-
-
129
request.is do
-
129
request.get do
-
129
page = Integer(param_or_nil("page") || 1)
-
129
per_page = per_page_param(oauth_grants_per_page)
-
-
129
scope.instance_variable_set(:@oauth_grants, db[oauth_grants_table]
-
.select(Sequel[oauth_grants_table].*, Sequel[oauth_applications_table][oauth_applications_name_column])
-
.join(oauth_applications_table, Sequel[oauth_grants_table][oauth_grants_oauth_application_id_column] =>
-
Sequel[oauth_applications_table][oauth_applications_id_column])
-
.where(Sequel[oauth_grants_table][oauth_grants_account_id_column] => account_id)
-
.where(oauth_grants_revoked_at_column => nil)
-
.order(Sequel.desc(oauth_grants_id_column))
-
.paginate(page, per_page))
-
129
oauth_grants_view
-
end
-
end
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_implicit_grant, :OauthImplicitGrant) do
-
17
depends :oauth_authorize_base
-
-
17
def oauth_grant_types_supported
-
3927
super | %w[implicit]
-
end
-
-
17
def oauth_response_types_supported
-
1989
super | %w[token]
-
end
-
-
17
def oauth_response_modes_supported
-
2210
super | %w[fragment]
-
end
-
-
17
private
-
-
17
def validate_authorize_params
-
2291
super
-
-
2155
response_mode = param_or_nil("response_mode")
-
-
2155
return unless response_mode
-
-
561
response_type = param_or_nil("response_type")
-
-
561
return unless response_type == "token"
-
-
102
redirect_response_error("invalid_request") unless oauth_response_modes_for_token_supported.include?(response_mode)
-
end
-
-
17
def oauth_response_modes_for_token_supported
-
102
%w[fragment]
-
end
-
-
17
def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
-
901
response_type = param("response_type")
-
901
return super unless response_type == "token" && supported_response_type?(response_type)
-
-
68
response_mode ||= "fragment"
-
-
68
redirect_response_error("invalid_request") unless supported_response_mode?(response_mode)
-
-
68
oauth_grant = _do_authorize_token
-
-
68
response_params.replace(json_access_token_payload(oauth_grant))
-
-
68
response_params["state"] = param("state") if param_or_nil("state")
-
-
68
[response_params, response_mode]
-
end
-
-
17
def _do_authorize_token(grant_params = {})
-
25
grant_params = {
-
60
oauth_grants_type_column => "implicit",
-
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-
oauth_grants_scopes_column => scopes,
-
**resource_owner_params
-
}.merge(grant_params)
-
-
85
generate_token(grant_params, false)
-
end
-
-
17
def _redirect_response_error(redirect_url, params)
-
340
response_types = param("response_type").split(/ +/)
-
-
340
return super if response_types.empty? || response_types == %w[code]
-
-
408
params = params.map { |k, v| "#{k}=#{v}" }
-
187
redirect_url.fragment = params.join("&")
-
187
redirect(redirect_url.to_s)
-
end
-
-
17
def authorize_response(params, mode)
-
765
return super unless mode == "fragment"
-
-
476
redirect_url = URI.parse(redirect_uri)
-
476
params = [URI.encode_www_form(params)]
-
476
params << redirect_url.query if redirect_url.query
-
476
redirect_url.fragment = params.join("&")
-
476
redirect(redirect_url.to_s)
-
end
-
-
17
def check_valid_response_type?
-
1118
return true if param_or_nil("response_type") == "token"
-
-
931
super
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
17
require "rodauth/oauth/http_extensions"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_jwt, :OauthJwt) do
-
17
depends :oauth_jwt_base, :oauth_jwt_jwks
-
-
17
auth_value_method :oauth_jwt_access_tokens, true
-
-
17
auth_methods(
-
:jwt_claims,
-
:verify_access_token_headers
-
)
-
-
17
def require_oauth_authorization(*scopes)
-
357
return super unless oauth_jwt_access_tokens
-
-
357
authorization_required unless authorization_token
-
-
323
token_scopes = authorization_token["scope"].split(" ")
-
-
646
authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
-
end
-
-
17
def oauth_token_subject
-
493
return super unless oauth_jwt_access_tokens
-
-
493
return unless authorization_token
-
-
493
authorization_token["sub"]
-
end
-
-
17
def current_oauth_account
-
238
subject = oauth_token_subject
-
-
238
return if subject == authorization_token["client_id"]
-
-
221
oauth_account_ds(subject).first
-
end
-
-
17
def current_oauth_application
-
272
db[oauth_applications_table].where(
-
oauth_applications_client_id_column => authorization_token["client_id"]
-
17
).first
-
end
-
-
17
private
-
-
17
def authorization_token
-
2465
return super unless oauth_jwt_access_tokens
-
-
2465
return @authorization_token if defined?(@authorization_token)
-
-
544
@authorization_token = decode_access_token
-
end
-
-
17
def verify_access_token_headers(headers)
-
527
headers["typ"] == "at+jwt"
-
end
-
-
17
def decode_access_token(access_token = fetch_access_token)
-
561
return unless access_token
-
-
544
jwt_claims = jwt_decode(access_token, verify_headers: method(:verify_access_token_headers))
-
-
544
return unless jwt_claims
-
-
527
return unless jwt_claims["sub"]
-
-
527
return unless jwt_claims["aud"]
-
-
527
jwt_claims
-
end
-
# /token
-
-
17
def create_token_from_token(_grant, update_params)
-
136
oauth_grant = super
-
-
136
if oauth_jwt_access_tokens
-
136
access_token = _generate_jwt_access_token(oauth_grant)
-
104
oauth_grant[oauth_grants_token_column] = access_token
-
end
-
136
oauth_grant
-
end
-
-
17
def generate_token(_grant_params = {}, should_generate_refresh_token = true)
-
833
oauth_grant = super
-
833
if oauth_jwt_access_tokens
-
816
access_token = _generate_jwt_access_token(oauth_grant)
-
624
oauth_grant[oauth_grants_token_column] = access_token
-
end
-
833
oauth_grant
-
end
-
-
17
def _generate_jwt_access_token(oauth_grant)
-
986
claims = jwt_claims(oauth_grant)
-
-
# one of the points of using jwt is avoiding database lookups, so we put here all relevant
-
# token data.
-
754
claims[:scope] = oauth_grant[oauth_grants_scopes_column]
-
-
# RFC8725 section 3.11: Use Explicit Typing
-
# RFC9068 section 2.1 : The "typ" value used SHOULD be "at+jwt".
-
986
jwt_encode(claims, headers: { typ: "at+jwt" })
-
end
-
-
17
def _generate_access_token(*)
-
969
super unless oauth_jwt_access_tokens
-
end
-
-
17
def jwt_claims(oauth_grant)
-
1802
issued_at = Time.now.to_i
-
-
530
{
-
1272
iss: oauth_jwt_issuer, # issuer
-
iat: issued_at, # issued at
-
#
-
# sub REQUIRED - as defined in section 4.1.2 of [RFC7519]. In case of
-
# access tokens obtained through grants where a resource owner is
-
# involved, such as the authorization code grant, the value of "sub"
-
# SHOULD correspond to the subject identifier of the resource owner.
-
# In case of access tokens obtained through grants where no resource
-
# owner is involved, such as the client credentials grant, the value
-
# of "sub" SHOULD correspond to an identifier the authorization
-
# server uses to indicate the client application.
-
sub: jwt_subject(oauth_grant[oauth_grants_account_id_column]),
-
client_id: oauth_application[oauth_applications_client_id_column],
-
-
exp: issued_at + oauth_access_token_expires_in,
-
aud: oauth_jwt_audience
-
}
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
17
require "rodauth/oauth/http_extensions"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_jwt_base, :OauthJwtBase) do
-
17
depends :oauth_base
-
-
17
auth_value_method :oauth_application_jwt_public_key_param, "jwt_public_key"
-
17
auth_value_method :oauth_application_jwks_param, "jwks"
-
-
17
auth_value_method :oauth_jwt_keys, {}
-
17
auth_value_method :oauth_jwt_public_keys, {}
-
-
17
auth_value_method :oauth_jwt_jwe_keys, {}
-
17
auth_value_method :oauth_jwt_jwe_public_keys, {}
-
-
17
auth_value_method :oauth_jwt_jwe_copyright, nil
-
-
17
auth_methods(
-
:jwt_encode,
-
:jwt_decode,
-
:jwt_decode_no_key,
-
:generate_jti,
-
:oauth_jwt_issuer,
-
:oauth_jwt_audience,
-
:resource_owner_params_from_jwt_claims
-
)
-
-
17
private
-
-
17
def oauth_jwt_issuer
-
# The JWT MUST contain an "iss" (issuer) claim that contains a
-
# unique identifier for the entity that issued the JWT.
-
4047
@oauth_jwt_issuer ||= authorization_server_url
-
end
-
-
17
def oauth_jwt_audience
-
# The JWT MUST contain an "aud" (audience) claim containing a
-
# value that identifies the authorization server as an intended
-
# audience. The token endpoint URL of the authorization server
-
# MAY be used as a value for an "aud" element to identify the
-
# authorization server as an intended audience of the JWT.
-
1802
@oauth_jwt_audience ||= if is_authorization_server?
-
1377
oauth_application[oauth_applications_client_id_column]
-
else
-
metadata = authorization_server_metadata
-
-
return unless metadata
-
-
metadata[:token_endpoint]
-
end
-
end
-
-
17
def grant_from_application?(grant_or_claims, oauth_application)
-
153
return super if grant_or_claims[oauth_grants_id_column]
-
-
if grant_or_claims["client_id"]
-
grant_or_claims["client_id"] == oauth_application[oauth_applications_client_id_column]
-
else
-
Array(grant_or_claims["aud"]).include?(oauth_application[oauth_applications_client_id_column])
-
end
-
end
-
-
17
def jwt_subject(account_unique_id, client_application = oauth_application)
-
1853
(account_unique_id || client_application[oauth_applications_client_id_column]).to_s
-
end
-
-
17
def resource_owner_params_from_jwt_claims(claims)
-
170
{ oauth_grants_account_id_column => claims["sub"] }
-
end
-
-
17
def oauth_server_metadata_body(path = nil)
-
272
metadata = super
-
272
metadata.merge! \
-
token_endpoint_auth_signing_alg_values_supported: oauth_jwt_keys.keys.uniq
-
272
metadata
-
end
-
-
17
def _jwt_key
-
378
@_jwt_key ||= (oauth_application_jwks(oauth_application) if oauth_application)
-
end
-
-
# Resource Server only!
-
#
-
# returns the jwks set from the authorization server.
-
17
def auth_server_jwks_set
-
68
metadata = authorization_server_metadata
-
-
68
return unless metadata && (jwks_uri = metadata[:jwks_uri])
-
-
68
jwks_uri = URI(jwks_uri)
-
-
68
http_request_with_cache(jwks_uri)
-
end
-
-
17
def generate_jti(payload)
-
# Use the key and iat to create a unique key per request to prevent replay attacks
-
765
jti_raw = [
-
1815
payload[:aud] || payload["aud"],
-
payload[:iat] || payload["iat"]
-
].join(":").to_s
-
2580
Digest::SHA256.hexdigest(jti_raw)
-
end
-
-
17
def verify_jti(jti, claims)
-
455
generate_jti(claims) == jti
-
end
-
-
17
def verify_aud(expected_aud, aud)
-
935
expected_aud == aud
-
end
-
-
17
def oauth_application_jwks(oauth_application)
-
1942
jwks = oauth_application[oauth_applications_jwks_column]
-
-
1942
if jwks
-
888
jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
-
679
return jwks
-
end
-
-
1054
jwks_uri = oauth_application[oauth_applications_jwks_uri_column]
-
-
1054
return unless jwks_uri
-
-
34
jwks_uri = URI(jwks_uri)
-
-
34
http_request_with_cache(jwks_uri)
-
end
-
-
17
if defined?(JSON::JWT)
-
# json-jwt
-
-
4
auth_value_method :oauth_jwt_jws_algorithms_supported, %w[
-
HS256 HS384 HS512
-
RS256 RS384 RS512
-
PS256 PS384 PS512
-
ES256 ES384 ES512 ES256K
-
]
-
4
auth_value_method :oauth_jwt_jwe_algorithms_supported, %w[
-
RSA1_5 RSA-OAEP dir A128KW A256KW
-
]
-
4
auth_value_method :oauth_jwt_jwe_encryption_methods_supported, %w[
-
A128GCM A256GCM A128CBC-HS256 A256CBC-HS512
-
]
-
-
4
def key_to_jwk(key)
-
20
JSON::JWK.new(key)
-
end
-
-
4
def jwk_export(key)
-
16
key_to_jwk(key)
-
end
-
-
4
def jwk_import(jwk)
-
168
JSON::JWK.new(jwk)
-
end
-
-
4
def jwk_key(jwk)
-
80
jwk = jwk_import(jwk) unless jwk.is_a?(JSON::JWK)
-
80
jwk.to_key
-
end
-
-
4
def jwk_thumbprint(jwk)
-
88
jwk = jwk_import(jwk) if jwk.is_a?(Hash)
-
88
jwk.thumbprint
-
end
-
-
4
def private_jwk?(jwk)
-
84
%w[d p q dp dq qi].any?(&jwk.method(:key?))
-
end
-
-
4
def jwt_encode(payload,
-
jwks: nil,
-
headers: {},
-
encryption_algorithm: oauth_jwt_jwe_keys.keys.dig(0, 0),
-
encryption_method: oauth_jwt_jwe_keys.keys.dig(0, 1),
-
jwe_key: oauth_jwt_jwe_keys[[encryption_algorithm,
-
encryption_method]],
-
signing_algorithm: oauth_jwt_keys.keys.first)
-
375
payload[:jti] = generate_jti(payload)
-
500
jwt = JSON::JWT.new(payload)
-
-
500
key = oauth_jwt_keys[signing_algorithm] || _jwt_key
-
500
key = key.first if key.is_a?(Array)
-
-
500
jwk = JSON::JWK.new(key || "")
-
-
# update headers
-
500
headers.each_key do |k|
-
448
if jwt.respond_to?(:"#{k}=")
-
448
jwt.send(:"#{k}=", headers[k])
-
448
headers.delete(k)
-
end
-
end
-
500
jwt.header.merge(headers) unless headers.empty?
-
-
500
jwt = jwt.sign(jwk, signing_algorithm)
-
-
500
return jwt.to_s unless encryption_algorithm && encryption_method
-
-
76
if jwks && (jwk = jwks.find { |k| k[:use] == "enc" && k[:alg] == encryption_algorithm && k[:enc] == encryption_method })
-
24
jwk = JSON::JWK.new(jwk)
-
24
jwe = jwt.encrypt(jwk, encryption_algorithm.to_sym, encryption_method.to_sym)
-
24
jwe.to_s
-
4
elsif jwe_key
-
4
jwe_key = jwe_key.first if jwe_key.is_a?(Array)
-
4
algorithm = encryption_algorithm.to_sym
-
4
meth = encryption_method.to_sym
-
4
jwt.encrypt(jwe_key, algorithm, meth)
-
else
-
jwt.to_s
-
end
-
end
-
-
4
def jwt_decode(
-
token,
-
jwks: nil,
-
jws_algorithm: oauth_jwt_public_keys.keys.first || oauth_jwt_keys.keys.first,
-
jws_key: oauth_jwt_keys[jws_algorithm] || _jwt_key,
-
jws_encryption_algorithm: oauth_jwt_jwe_keys.keys.dig(0, 0),
-
jws_encryption_method: oauth_jwt_jwe_keys.keys.dig(0, 1),
-
jwe_key: oauth_jwt_jwe_keys[[jws_encryption_algorithm, jws_encryption_method]] || oauth_jwt_jwe_keys.values.first,
-
verify_claims: true,
-
verify_jti: true,
-
verify_iss: true,
-
verify_aud: true,
-
verify_headers: nil,
-
**
-
)
-
384
jws_key = jws_key.first if jws_key.is_a?(Array)
-
-
384
if jwe_key
-
12
jwe_key = jwe_key.first if jwe_key.is_a?(Array)
-
12
token = JSON::JWT.decode(token, jwe_key).plain_text
-
end
-
-
384
claims = if is_authorization_server?
-
368
if jwks
-
96
jwks = jwks[:keys] if jwks.is_a?(Hash)
-
-
96
enc_algs = [jws_encryption_algorithm].compact
-
96
enc_meths = [jws_encryption_method].compact
-
-
200
sig_algs = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-
96
sig_algs = sig_algs.compact.map(&:to_sym)
-
-
# JWKs may be set up without a KID, when there's a single one
-
96
if jwks.size == 1 && !jwks[0][:kid]
-
4
key = jwks[0]
-
4
jwk_key = JSON::JWK.new(key)
-
4
jws = JSON::JWT.decode(token, jwk_key)
-
else
-
92
jws = JSON::JWT.decode(token, JSON::JWK::Set.new({ keys: jwks }), enc_algs + sig_algs, enc_meths)
-
84
jws = JSON::JWT.decode(jws.plain_text, JSON::JWK::Set.new({ keys: jwks }), sig_algs) if jws.is_a?(JSON::JWE)
-
end
-
88
jws
-
272
elsif jws_key
-
268
JSON::JWT.decode(token, jws_key)
-
else
-
4
JSON::JWT.decode(token, nil, jws_algorithm)
-
end
-
16
elsif (jwks = auth_server_jwks_set)
-
16
JSON::JWT.decode(token, JSON::JWK::Set.new(jwks))
-
end
-
-
368
now = Time.now
-
368
if verify_claims &&
-
258
(!claims[:exp] || Time.at(claims[:exp]) < now) &&
-
claims[:nbf] && Time.at(claims[:nbf]) < now &&
-
claims[:iat] && Time.at(claims[:iat]) < now &&
-
verify_iss && claims[:iss] != oauth_jwt_issuer &&
-
verify_aud && !verify_aud(claims[:aud], claims[:client_id]) &&
-
verify_jti && !verify_jti(claims[:jti], claims)
-
-
return
-
end
-
-
368
return if verify_headers && !verify_headers.call(claims.header)
-
-
368
claims
-
rescue JSON::JWT::Exception
-
16
nil
-
end
-
-
4
def jwt_decode_no_key(token)
-
124
jws = JSON::JWT.decode(token, :skip_verification)
-
124
[jws.to_h, jws.header]
-
end
-
13
elsif defined?(JWT)
-
# ruby-jwt
-
13
require "rodauth/oauth/jwe_extensions" if defined?(JWE)
-
-
13
auth_value_method :oauth_jwt_jws_algorithms_supported, %w[
-
HS256 HS384 HS512 HS512256
-
RS256 RS384 RS512
-
ED25519
-
ES256 ES384 ES512
-
PS256 PS384 PS512
-
]
-
-
13
if defined?(JWE)
-
13
auth_value_methods(
-
:oauth_jwt_jwe_algorithms_supported,
-
:oauth_jwt_jwe_encryption_methods_supported
-
)
-
-
13
def oauth_jwt_jwe_algorithms_supported
-
390
JWE::VALID_ALG
-
end
-
-
13
def oauth_jwt_jwe_encryption_methods_supported
-
377
JWE::VALID_ENC
-
end
-
else
-
auth_value_method :oauth_jwt_jwe_algorithms_supported, []
-
auth_value_method :oauth_jwt_jwe_encryption_methods_supported, []
-
end
-
-
13
def key_to_jwk(key)
-
65
JWT::JWK.new(key)
-
end
-
-
13
def jwk_export(key)
-
52
key_to_jwk(key).export
-
end
-
-
13
def jwk_import(jwk)
-
806
JWT::JWK.import(jwk)
-
end
-
-
13
def jwk_key(jwk)
-
260
jwk = jwk_import(jwk) unless jwk.is_a?(JWT::JWK)
-
260
jwk.keypair
-
end
-
-
13
def jwk_thumbprint(jwk)
-
286
jwk = jwk_import(jwk) if jwk.is_a?(Hash)
-
286
JWT::JWK::Thumbprint.new(jwk).generate
-
end
-
-
13
def private_jwk?(jwk)
-
273
jwk_import(jwk).private?
-
end
-
-
13
def jwt_encode(payload,
-
signing_algorithm: oauth_jwt_keys.keys.first,
-
headers: {}, **)
-
1625
key = oauth_jwt_keys[signing_algorithm] || _jwt_key
-
1625
key = key.first if key.is_a?(Array)
-
-
1250
case key
-
when OpenSSL::PKey::PKey
-
1313
jwk = JWT::JWK.new(key)
-
1010
headers[:kid] = jwk.kid
-
-
1313
key = jwk.keypair
-
end
-
-
# @see JWT reserved claims - https://tools.ietf.org/html/draft-jones-json-web-token-07#page-7
-
1250
payload[:jti] = generate_jti(payload)
-
1625
JWT.encode(payload, key, signing_algorithm, headers)
-
end
-
-
13
if defined?(JWE)
-
13
def jwt_encode_with_jwe(
-
payload,
-
jwks: nil,
-
encryption_algorithm: oauth_jwt_jwe_keys.keys.dig(0, 0),
-
encryption_method: oauth_jwt_jwe_keys.keys.dig(0, 1),
-
jwe_key: oauth_jwt_jwe_keys[[encryption_algorithm, encryption_method]],
-
**args
-
)
-
1625
token = jwt_encode_without_jwe(payload, **args)
-
-
1625
return token unless encryption_algorithm && encryption_method
-
-
221
if jwks && jwks.any? { |k| k[:use] == "enc" }
-
78
JWE.__rodauth_oauth_encrypt_from_jwks(token, jwks, alg: encryption_algorithm, enc: encryption_method)
-
13
elsif jwe_key
-
13
jwe_key = jwe_key.first if jwe_key.is_a?(Array)
-
10
params = {
-
3
zip: "DEF",
-
copyright: oauth_jwt_jwe_copyright
-
}
-
13
params[:enc] = encryption_method if encryption_method
-
13
params[:alg] = encryption_algorithm if encryption_algorithm
-
13
JWE.encrypt(token, jwe_key, **params)
-
else
-
token
-
end
-
end
-
-
13
alias_method :jwt_encode_without_jwe, :jwt_encode
-
13
alias_method :jwt_encode, :jwt_encode_with_jwe
-
end
-
-
13
def jwt_decode(
-
token,
-
jwks: nil,
-
jws_algorithm: oauth_jwt_public_keys.keys.first || oauth_jwt_keys.keys.first,
-
jws_key: oauth_jwt_keys[jws_algorithm] || _jwt_key,
-
verify_claims: true,
-
verify_jti: true,
-
verify_iss: true,
-
verify_aud: true,
-
verify_headers: nil
-
)
-
1235
jws_key = jws_key.first if jws_key.is_a?(Array)
-
-
# verifying the JWT implies verifying:
-
#
-
# issuer: check that server generated the token
-
# aud: check the audience field (client is who he says he is)
-
# iat: check that the token didn't expire
-
#
-
# subject can't be verified automatically without having access to the account id,
-
# which we don't because that's the whole point.
-
#
-
1235
verify_claims_params = if verify_claims
-
356
{
-
801
verify_iss: verify_iss,
-
iss: oauth_jwt_issuer,
-
# can't use stock aud verification, as it's dependent on the client application id
-
verify_aud: false,
-
1157
verify_jti: (verify_jti ? method(:verify_jti) : false),
-
verify_iat: true
-
}
-
else
-
78
{}
-
end
-
-
# decode jwt
-
1235
claims, headers = if is_authorization_server?
-
1183
if jwks
-
299
jwks = jwks[:keys] if jwks.is_a?(Hash)
-
-
# JWKs may be set up without a KID, when there's a single one
-
299
if jwks.size == 1 && !jwks[0][:kid]
-
13
key = jwks[0]
-
13
algo = key[:alg]
-
13
key = JWT::JWK.import(key).keypair
-
13
JWT.decode(token, key, true, algorithms: [algo], **verify_claims_params)
-
else
-
624
algorithms = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-
286
JWT.decode(token, nil, true, algorithms: algorithms, jwks: { keys: jwks }, **verify_claims_params)
-
end
-
884
elsif jws_key
-
871
JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params)
-
else
-
13
JWT.decode(token, jws_key, false, **verify_claims_params)
-
end
-
52
elsif (jwks = auth_server_jwks_set)
-
156
algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-
52
JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms, **verify_claims_params)
-
end
-
-
1196
return if verify_claims && verify_aud && !verify_aud(claims["aud"], claims["client_id"])
-
-
1196
return if verify_headers && !verify_headers.call(headers)
-
-
1196
claims
-
rescue JWT::DecodeError, JWT::JWKError
-
39
nil
-
end
-
-
13
if defined?(JWE)
-
13
def jwt_decode_with_jwe(
-
token,
-
jwks: nil,
-
jws_encryption_algorithm: oauth_jwt_jwe_keys.keys.dig(0, 0),
-
jws_encryption_method: oauth_jwt_jwe_keys.keys.dig(0, 1),
-
jwe_key: oauth_jwt_jwe_keys[[jws_encryption_algorithm, jws_encryption_method]] || oauth_jwt_jwe_keys.values.first,
-
**args
-
)
-
1625
token = if jwks && jwks.any? { |k| k[:use] == "enc" }
-
39
JWE.__rodauth_oauth_decrypt_from_jwks(token, jwks, alg: jws_encryption_algorithm, enc: jws_encryption_method)
-
1209
elsif jwe_key
-
39
jwe_key = jwe_key.first if jwe_key.is_a?(Array)
-
39
JWE.decrypt(token, jwe_key)
-
else
-
1170
token
-
end
-
-
1222
jwt_decode_without_jwe(token, jwks: jwks, **args)
-
rescue JWE::DecodeError => e
-
26
jwt_decode_without_jwe(token, jwks: jwks, **args) if e.message.include?("Not enough or too many segments")
-
end
-
-
13
alias_method :jwt_decode_without_jwe, :jwt_decode
-
13
alias_method :jwt_decode, :jwt_decode_with_jwe
-
end
-
-
13
def jwt_decode_no_key(token)
-
403
JWT.decode(token, nil, false)
-
end
-
else
-
skipped
# :nocov:
-
skipped
def jwk_export(_key)
-
skipped
raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
-
skipped
end
-
skipped
-
skipped
def jwk_import(_jwk)
-
skipped
raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
-
skipped
end
-
skipped
-
skipped
def jwk_thumbprint(_jwk)
-
skipped
raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
-
skipped
end
-
skipped
-
skipped
def jwt_encode(_token)
-
skipped
raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
-
skipped
end
-
skipped
-
skipped
def jwt_decode(_token, **)
-
skipped
raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
-
skipped
end
-
skipped
-
skipped
def private_jwk?(_jwk)
-
skipped
raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
-
skipped
end
-
skipped
# :nocov:
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_jwt_bearer_grant, :OauthJwtBearerGrant) do
-
17
depends :oauth_assertion_base, :oauth_jwt
-
-
17
auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
-
-
17
auth_methods(
-
:require_oauth_application_from_jwt_bearer_assertion_issuer,
-
:require_oauth_application_from_jwt_bearer_assertion_subject,
-
:account_from_jwt_bearer_assertion
-
)
-
-
17
def oauth_token_endpoint_auth_methods_supported
-
51
if oauth_applications_client_secret_hash_column.nil?
-
17
super | %w[client_secret_jwt private_key_jwt urn:ietf:params:oauth:client-assertion-type:jwt-bearer]
-
else
-
34
super | %w[private_key_jwt]
-
end
-
end
-
-
17
def oauth_grant_types_supported
-
136
super | %w[urn:ietf:params:oauth:grant-type:jwt-bearer]
-
end
-
-
17
private
-
-
17
def require_oauth_application_from_jwt_bearer_assertion_issuer(assertion)
-
51
claims = jwt_assertion(assertion)
-
-
51
return unless claims
-
-
48
db[oauth_applications_table].where(
-
oauth_applications_client_id_column => claims["iss"]
-
3
).first
-
end
-
-
17
def require_oauth_application_from_jwt_bearer_assertion_subject(assertion)
-
136
claims, header = jwt_decode_no_key(assertion)
-
-
136
client_id = claims["sub"]
-
-
104
case header["alg"]
-
when "none"
-
# do not accept jwts with no alg set
-
17
authorization_required
-
when /\AHS/
-
51
require_oauth_application_from_client_secret_jwt(client_id, assertion, header["alg"])
-
else
-
68
require_oauth_application_from_private_key_jwt(client_id, assertion)
-
end
-
end
-
-
17
def require_oauth_application_from_client_secret_jwt(client_id, assertion, alg)
-
51
oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
-
51
authorization_required unless oauth_application && supports_auth_method?(oauth_application, "client_secret_jwt")
-
34
client_secret = oauth_application[oauth_applications_client_secret_column]
-
34
claims = jwt_assertion(assertion, jws_key: client_secret, jws_algorithm: alg)
-
34
authorization_required unless claims && claims["iss"] == client_id
-
34
oauth_application
-
end
-
-
17
def require_oauth_application_from_private_key_jwt(client_id, assertion)
-
68
oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
-
68
authorization_required unless oauth_application && supports_auth_method?(oauth_application, "private_key_jwt")
-
51
jwks = oauth_application_jwks(oauth_application)
-
51
claims = jwt_assertion(assertion, jwks: jwks)
-
51
authorization_required unless claims
-
51
oauth_application
-
end
-
-
17
def account_from_jwt_bearer_assertion(assertion)
-
51
claims = jwt_assertion(assertion)
-
-
51
return unless claims
-
-
51
account_from_bearer_assertion_subject(claims["sub"])
-
end
-
-
17
def jwt_assertion(assertion, **kwargs)
-
187
claims = jwt_decode(assertion, verify_iss: false, verify_aud: false, verify_jti: false, **kwargs)
-
-
187
return unless claims && verify_aud(request.url, claims["aud"])
-
-
187
claims
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
17
require "rodauth/oauth/http_extensions"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_jwt_jwks, :OauthJwtJwks) do
-
17
depends :oauth_jwt_base
-
-
17
auth_methods(:jwks_set)
-
-
17
auth_server_route(:jwks) do |r|
-
51
before_jwks_route
-
-
51
r.get do
-
51
json_response_success({ keys: jwks_set }, true)
-
end
-
end
-
-
17
private
-
-
17
def oauth_server_metadata_body(path = nil)
-
272
metadata = super
-
272
metadata.merge!(jwks_uri: jwks_url)
-
272
metadata
-
end
-
-
17
def jwks_set
-
51
@jwks_set ||= [
-
*(
-
51
unless oauth_jwt_public_keys.empty?
-
102
oauth_jwt_public_keys.flat_map { |algo, pkeys| Array(pkeys).map { |pkey| jwk_export(pkey).merge(use: "sig", alg: algo) } }
-
end
-
),
-
*(
-
51
unless oauth_jwt_jwe_public_keys.empty?
-
17
oauth_jwt_jwe_public_keys.flat_map do |(algo, _enc), pkeys|
-
17
Array(pkeys).map do |pkey|
-
17
jwk_export(pkey).merge(use: "enc", alg: algo)
-
end
-
end
-
end
-
)
-
].compact
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_jwt_secured_authorization_request, :OauthJwtSecuredAuthorizationRequest) do
-
17
ALLOWED_REQUEST_URI_CONTENT_TYPES = %w[application/jose application/oauth-authz-req+jwt].freeze
-
-
17
depends :oauth_authorize_base, :oauth_jwt_base
-
-
17
auth_value_method :oauth_require_request_uri_registration, false
-
17
auth_value_method :oauth_require_signed_request_object, false
-
17
auth_value_method :oauth_request_object_signing_alg_allow_none, false
-
-
16
%i[
-
request_uris require_signed_request_object request_object_signing_alg
-
request_object_encryption_alg request_object_encryption_enc
-
1
].each do |column|
-
85
auth_value_method :"oauth_applications_#{column}_column", column
-
end
-
-
17
translatable_method :oauth_invalid_request_object_message, "request object is invalid"
-
-
17
auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
-
-
17
private
-
-
# /authorize
-
-
17
def validate_authorize_params
-
765
request_object = param_or_nil("request")
-
-
765
request_uri = param_or_nil("request_uri")
-
-
765
unless (request_object || request_uri) && oauth_application
-
187
if request.path == authorize_path && request.get? && require_signed_request_object?
-
17
redirect_response_error("invalid_request_object")
-
end
-
-
130
return super
-
end
-
-
578
if request_uri
-
153
request_uri = CGI.unescape(request_uri)
-
-
153
redirect_response_error("invalid_request_uri") unless supported_request_uri?(request_uri, oauth_application)
-
-
85
response = http_request(request_uri)
-
-
85
unless response.code.to_i == 200 && ALLOWED_REQUEST_URI_CONTENT_TYPES.include?(response["content-type"])
-
17
redirect_response_error("invalid_request_uri")
-
end
-
-
68
request_object = response.body
-
end
-
-
493
claims = decode_request_object(request_object)
-
-
323
redirect_response_error("invalid_request_object") unless claims
-
-
323
if (iss = claims["iss"]) && (iss != oauth_application[oauth_applications_client_id_column])
-
17
redirect_response_error("invalid_request_object")
-
end
-
-
306
if (aud = claims["aud"]) && !verify_aud(aud, oauth_jwt_issuer)
-
17
redirect_response_error("invalid_request_object")
-
end
-
-
# If signed, the Authorization Request
-
# Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
-
# as members, with their semantics being the same as defined in the JWT
-
# [RFC7519] specification. The value of "aud" should be the value of
-
# the Authorization Server (AS) "issuer" as defined in RFC8414
-
# [RFC8414].
-
289
claims.delete("iss")
-
289
audience = claims.delete("aud")
-
-
289
redirect_response_error("invalid_request_object") if audience && audience != oauth_jwt_issuer
-
-
289
claims.each do |k, v|
-
1365
request.params[k.to_s] = v
-
end
-
-
289
super
-
end
-
-
17
def supported_request_uri?(request_uri, oauth_application)
-
153
return false unless check_valid_uri?(request_uri)
-
-
119
request_uris = oauth_application[oauth_applications_request_uris_column]
-
-
204
request_uris.nil? || request_uris.split(oauth_scope_separator).one? { |uri| request_uri.start_with?(uri) }
-
end
-
-
17
def require_signed_request_object?
-
85
return @require_signed_request_object if defined?(@require_signed_request_object)
-
-
68
@require_signed_request_object = (oauth_application[oauth_applications_require_signed_request_object_column] if oauth_application)
-
68
@require_signed_request_object = oauth_require_signed_request_object if @require_signed_request_object.nil?
-
68
@require_signed_request_object
-
end
-
-
17
def decode_request_object(request_object)
-
150
request_sig_enc_opts = {
-
360
jws_algorithm: oauth_application[oauth_applications_request_object_signing_alg_column],
-
jws_encryption_algorithm: oauth_application[oauth_applications_request_object_encryption_alg_column],
-
jws_encryption_method: oauth_application[oauth_applications_request_object_encryption_enc_column]
-
}.compact
-
-
510
request_sig_enc_opts[:jws_algorithm] ||= "none" if oauth_request_object_signing_alg_allow_none
-
-
510
if request_sig_enc_opts[:jws_algorithm] == "none"
-
51
redirect_response_error("invalid_request_object") if require_signed_request_object?
-
-
17
jwks = nil
-
459
elsif (jwks = oauth_application_jwks(oauth_application))
-
357
jwks = JSON.parse(jwks, symbolize_names: true) if jwks.is_a?(String)
-
else
-
102
redirect_response_error("invalid_request_object")
-
end
-
-
374
claims = jwt_decode(request_object,
-
jwks: jwks,
-
verify_jti: false,
-
verify_iss: false,
-
verify_aud: false,
-
**request_sig_enc_opts)
-
-
374
redirect_response_error("invalid_request_object") unless claims
-
-
340
claims
-
end
-
-
17
def oauth_server_metadata_body(*)
-
51
super.tap do |data|
-
39
data[:request_parameter_supported] = true
-
39
data[:request_uri_parameter_supported] = true
-
39
data[:require_request_uri_registration] = oauth_require_request_uri_registration
-
39
data[:require_signed_request_object] = oauth_require_signed_request_object
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_jwt_secured_authorization_response_mode, :OauthJwtSecuredAuthorizationResponseMode) do
-
17
depends :oauth_authorize_base, :oauth_jwt_base
-
-
17
auth_value_method :oauth_authorization_response_mode_expires_in, 60 * 5 # 5 minutes
-
-
17
auth_value_method :oauth_applications_authorization_signed_response_alg_column, :authorization_signed_response_alg
-
17
auth_value_method :oauth_applications_authorization_encrypted_response_alg_column, :authorization_encrypted_response_alg
-
17
auth_value_method :oauth_applications_authorization_encrypted_response_enc_column, :authorization_encrypted_response_enc
-
-
17
auth_value_methods(
-
:authorization_signing_alg_values_supported,
-
:authorization_encryption_alg_values_supported,
-
:authorization_encryption_enc_values_supported
-
)
-
-
17
def oauth_response_modes_supported
-
731
jwt_response_modes = %w[jwt]
-
731
jwt_response_modes.push("query.jwt", "form_post.jwt") if features.include?(:oauth_authorization_code_grant)
-
731
jwt_response_modes << "fragment.jwt" if features.include?(:oauth_implicit_grant)
-
-
731
super | jwt_response_modes
-
end
-
-
17
def authorization_signing_alg_values_supported
-
17
oauth_jwt_jws_algorithms_supported
-
end
-
-
17
def authorization_encryption_alg_values_supported
-
34
oauth_jwt_jwe_algorithms_supported
-
end
-
-
17
def authorization_encryption_enc_values_supported
-
34
oauth_jwt_jwe_encryption_methods_supported
-
end
-
-
17
private
-
-
17
def oauth_response_modes_for_code_supported
-
204
return [] unless features.include?(:oauth_authorization_code_grant)
-
-
204
super | %w[query.jwt form_post.jwt jwt]
-
end
-
-
17
def oauth_response_modes_for_token_supported
-
85
return [] unless features.include?(:oauth_implicit_grant)
-
-
85
super | %w[fragment.jwt jwt]
-
end
-
-
17
def authorize_response(params, mode)
-
170
return super unless mode.end_with?("jwt")
-
-
170
response_type = param_or_nil("response_type")
-
-
170
redirect_url = URI.parse(redirect_uri)
-
-
170
jwt = jwt_encode_authorization_response_mode(params)
-
-
170
if mode == "query.jwt" || (mode == "jwt" && response_type == "code")
-
85
return super unless features.include?(:oauth_authorization_code_grant)
-
-
85
params = ["response=#{CGI.escape(jwt)}"]
-
85
params << redirect_url.query if redirect_url.query
-
85
redirect_url.query = params.join("&")
-
85
redirect(redirect_url.to_s)
-
85
elsif mode == "form_post.jwt"
-
17
return super unless features.include?(:oauth_authorization_code_grant)
-
-
13
response["Content-Type"] = "text/html"
-
17
body = form_post_response_html(redirect_url) do
-
17
"<input type=\"hidden\" name=\"response\" value=\"#{scope.h(jwt)}\" />"
-
end
-
17
response.write(body)
-
17
request.halt
-
68
elsif mode == "fragment.jwt" || (mode == "jwt" && response_type == "token")
-
68
return super unless features.include?(:oauth_implicit_grant)
-
-
68
params = ["response=#{CGI.escape(jwt)}"]
-
68
params << redirect_url.query if redirect_url.query
-
68
redirect_url.fragment = params.join("&")
-
68
redirect(redirect_url.to_s)
-
else
-
super
-
end
-
end
-
-
17
def _redirect_response_error(redirect_url, params)
-
51
response_mode = param_or_nil("response_mode")
-
51
return super unless response_mode.end_with?("jwt")
-
-
51
authorize_response(Hash[params], response_mode)
-
end
-
-
17
def jwt_encode_authorization_response_mode(params)
-
170
now = Time.now.to_i
-
50
claims = {
-
120
iss: oauth_jwt_issuer,
-
aud: oauth_application[oauth_applications_client_id_column],
-
exp: now + oauth_authorization_response_mode_expires_in,
-
iat: now
-
}.merge(params)
-
-
50
encode_params = {
-
120
jwks: oauth_application_jwks(oauth_application),
-
signing_algorithm: oauth_application[oauth_applications_authorization_signed_response_alg_column],
-
encryption_algorithm: oauth_application[oauth_applications_authorization_encrypted_response_alg_column],
-
encryption_method: oauth_application[oauth_applications_authorization_encrypted_response_enc_column]
-
}.compact
-
-
170
jwt_encode(claims, **encode_params)
-
end
-
-
17
def oauth_server_metadata_body(*)
-
34
super.tap do |data|
-
26
data[:authorization_signing_alg_values_supported] = authorization_signing_alg_values_supported
-
26
data[:authorization_encryption_alg_values_supported] = authorization_encryption_alg_values_supported
-
26
data[:authorization_encryption_enc_values_supported] = authorization_encryption_enc_values_supported
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_management_base, :OauthManagementBase) do
-
17
depends :oauth_authorize_base
-
-
17
button "Previous", "oauth_management_pagination_previous"
-
17
button "Next", "oauth_management_pagination_next"
-
-
17
def oauth_management_pagination_links(paginated_ds)
-
265
html = +'<nav aria-label="Pagination"><ul class="pagination">'
-
265
html << oauth_management_pagination_link(paginated_ds.prev_page, label: oauth_management_pagination_previous_button)
-
265
html << oauth_management_pagination_link(paginated_ds.current_page - 1) unless paginated_ds.first_page?
-
265
html << oauth_management_pagination_link(paginated_ds.current_page, label: paginated_ds.current_page, current: true)
-
265
html << oauth_management_pagination_link(paginated_ds.current_page + 1) unless paginated_ds.last_page?
-
265
html << oauth_management_pagination_link(paginated_ds.next_page, label: oauth_management_pagination_next_button)
-
265
html << "</ul></nav>"
-
end
-
-
17
def oauth_management_pagination_link(page, label: page, current: false, classes: "")
-
879
classes += " disabled" if current || !page
-
879
classes += " active" if current
-
879
if page
-
433
params = URI.encode_www_form(request.GET.merge("page" => page))
-
-
433
href = "#{request.path}?#{params}"
-
-
317
<<-HTML
-
236
<li class="page-item #{classes}" #{'aria-current="page"' if current}>
-
116
<a class="page-link" href="#{href}" tabindex="-1" aria-disabled="#{current || !page}">
-
116
#{label}
-
</a>
-
</li>
-
HTML
-
else
-
334
<<-HTML
-
112
<li class="page-item #{classes}">
-
<span class="page-link">
-
112
#{label}
-
112
#{'<span class="sr-only">(current)</span>' if current}
-
</span>
-
</li>
-
HTML
-
end
-
end
-
-
17
def post_configure
-
130
super
-
-
# TODO: remove this in v1, when resource-server mode does not load all of the provider features.
-
130
return unless db
-
-
130
db.extension :pagination
-
end
-
-
17
private
-
-
17
def per_page_param(default_per_page)
-
333
per_page = param_or_nil("per_page")
-
-
333
return default_per_page unless per_page
-
-
84
per_page = per_page.to_i
-
-
84
return default_per_page if per_page <= 0
-
-
84
[per_page, default_per_page].min
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_pkce, :OauthPkce) do
-
17
depends :oauth_authorization_code_grant
-
-
17
auth_value_method :oauth_require_pkce, true
-
17
auth_value_method :oauth_pkce_challenge_method, "S256"
-
-
17
auth_value_method :oauth_grants_code_challenge_column, :code_challenge
-
17
auth_value_method :oauth_grants_code_challenge_method_column, :code_challenge_method
-
-
17
auth_value_method :oauth_code_challenge_required_error_code, "invalid_request"
-
17
translatable_method :oauth_code_challenge_required_message, "code challenge required"
-
17
auth_value_method :oauth_unsupported_transform_algorithm_error_code, "invalid_request"
-
17
translatable_method :oauth_unsupported_transform_algorithm_message, "transform algorithm not supported"
-
-
17
private
-
-
17
def supports_auth_method?(oauth_application, auth_method)
-
136
return super unless auth_method == "none"
-
-
102
request.params.key?("code_verifier") || super
-
end
-
-
17
def validate_authorize_params
-
102
validate_pkce_challenge_params
-
-
85
super
-
end
-
-
17
def create_oauth_grant(create_params = {})
-
# PKCE flow
-
34
if (code_challenge = param_or_nil("code_challenge"))
-
34
code_challenge_method = param_or_nil("code_challenge_method") || oauth_pkce_challenge_method
-
-
26
create_params[oauth_grants_code_challenge_column] = code_challenge
-
26
create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
-
end
-
-
34
super
-
end
-
-
17
def create_token_from_authorization_code(grant_params, *args, oauth_grant: nil)
-
136
oauth_grant ||= valid_locked_oauth_grant(grant_params)
-
-
119
if oauth_grant[oauth_grants_code_challenge_column]
-
102
code_verifier = param_or_nil("code_verifier")
-
-
102
redirect_response_error("invalid_request") unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
-
17
elsif oauth_require_pkce
-
17
redirect_response_error("code_challenge_required")
-
end
-
-
51
super({ oauth_grants_id_column => oauth_grant[oauth_grants_id_column] }, *args, oauth_grant: oauth_grant)
-
end
-
-
17
def validate_pkce_challenge_params
-
102
if param_or_nil("code_challenge")
-
-
68
challenge_method = param_or_nil("code_challenge_method")
-
68
redirect_response_error("code_challenge_required") unless oauth_pkce_challenge_method == challenge_method
-
else
-
34
return unless oauth_require_pkce
-
-
17
redirect_response_error("code_challenge_required")
-
end
-
end
-
-
17
def check_valid_grant_challenge?(grant, verifier)
-
85
challenge = grant[oauth_grants_code_challenge_column]
-
-
65
case grant[oauth_grants_code_challenge_method_column]
-
when "plain"
-
17
challenge == verifier
-
when "S256"
-
51
generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
-
-
51
challenge == generated_challenge
-
else
-
17
redirect_response_error("unsupported_transform_algorithm")
-
end
-
end
-
-
17
def oauth_server_metadata_body(*)
-
17
super.tap do |data|
-
13
data[:code_challenge_methods_supported] = oauth_pkce_challenge_method
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_pushed_authorization_request, :OauthJwtPushedAuthorizationRequest) do
-
17
depends :oauth_authorize_base
-
-
17
auth_value_method :oauth_require_pushed_authorization_requests, false
-
17
auth_value_method :oauth_applications_require_pushed_authorization_requests_column, :require_pushed_authorization_requests
-
17
auth_value_method :oauth_pushed_authorization_request_expires_in, 90 # 90 seconds
-
17
auth_value_method :oauth_require_pushed_authorization_request_iss_request_object, true
-
-
17
auth_value_method :oauth_pushed_authorization_requests_table, :oauth_pushed_requests
-
-
16
%i[
-
oauth_application_id params code expires_in
-
1
].each do |column|
-
68
auth_value_method :"oauth_pushed_authorization_requests_#{column}_column", column
-
end
-
-
# /par
-
17
auth_server_route(:par) do |r|
-
136
require_oauth_application
-
119
before_par_route
-
-
119
r.post do
-
119
validate_par_params
-
-
85
ds = db[oauth_pushed_authorization_requests_table]
-
-
85
code = oauth_unique_id_generator
-
25
push_request_params = {
-
60
oauth_pushed_authorization_requests_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-
oauth_pushed_authorization_requests_code_column => code,
-
oauth_pushed_authorization_requests_params_column => URI.encode_www_form(request.params),
-
oauth_pushed_authorization_requests_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP,
-
seconds: oauth_pushed_authorization_request_expires_in)
-
}
-
-
85
rescue_from_uniqueness_error do
-
85
ds.insert(push_request_params)
-
end
-
-
85
json_response_success(
-
20
"request_uri" => "urn:ietf:params:oauth:request_uri:#{code}",
-
"expires_in" => oauth_pushed_authorization_request_expires_in
-
)
-
end
-
end
-
-
17
def check_csrf?
-
598
case request.path
-
when par_path
-
136
false
-
else
-
646
super
-
end
-
end
-
-
17
private
-
-
17
def validate_par_params
-
# https://datatracker.ietf.org/doc/html/rfc9126#section-2.1
-
# The request_uri authorization request parameter is one exception, and it MUST NOT be provided.
-
119
redirect_response_error("invalid_request") if param_or_nil("request_uri")
-
-
102
if features.include?(:oauth_jwt_secured_authorization_request)
-
-
17
if (request_object = param_or_nil("request"))
-
17
claims = decode_request_object(request_object)
-
-
# https://datatracker.ietf.org/doc/html/rfc9126#section-3-5.3
-
# reject the request if the authenticated client_id does not match the client_id claim in the Request Object
-
17
if (client_id = claims["client_id"]) && (client_id != oauth_application[oauth_applications_client_id_column])
-
redirect_response_error("invalid_request_object")
-
end
-
-
# requiring the iss claim to match the client_id is at the discretion of the authorization server
-
17
if oauth_require_pushed_authorization_request_iss_request_object &&
-
17
(iss = claims.delete("iss")) &&
-
iss != oauth_application[oauth_applications_client_id_column]
-
redirect_response_error("invalid_request_object")
-
end
-
-
17
if (aud = claims.delete("aud")) && !verify_aud(aud, oauth_jwt_issuer)
-
redirect_response_error("invalid_request_object")
-
end
-
-
17
claims.delete("exp")
-
17
request.params.delete("request")
-
-
17
claims.each do |k, v|
-
78
request.params[k.to_s] = v
-
end
-
elsif require_signed_request_object?
-
redirect_response_error("invalid_request_object")
-
end
-
end
-
-
102
validate_authorize_params
-
end
-
-
17
def validate_authorize_params
-
323
return super unless request.get? && request.path == authorize_path
-
-
153
if (request_uri = param_or_nil("request_uri"))
-
85
code = request_uri.delete_prefix("urn:ietf:params:oauth:request_uri:")
-
-
85
table = oauth_pushed_authorization_requests_table
-
85
ds = db[table]
-
-
85
pushed_request = ds.where(
-
oauth_pushed_authorization_requests_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-
oauth_pushed_authorization_requests_code_column => code
-
).where(
-
Sequel.expr(Sequel[table][oauth_pushed_authorization_requests_expires_in_column]) >= Sequel::CURRENT_TIMESTAMP
-
).first
-
-
85
redirect_response_error("invalid_request") unless pushed_request
-
-
68
URI.decode_www_form(pushed_request[oauth_pushed_authorization_requests_params_column]).each do |k, v|
-
221
request.params[k.to_s] = v
-
end
-
-
68
request.params.delete("request_uri")
-
-
# we're removing the request_uri here, so the checkup for signed reqest has to be invalidated.
-
68
@require_signed_request_object = false
-
68
elsif oauth_require_pushed_authorization_requests ||
-
36
(oauth_application && oauth_application[oauth_applications_require_pushed_authorization_requests_column])
-
34
redirect_authorize_error("request_uri")
-
end
-
102
super
-
end
-
-
17
def oauth_server_metadata_body(*)
-
17
super.tap do |data|
-
13
data[:require_pushed_authorization_requests] = oauth_require_pushed_authorization_requests
-
13
data[:pushed_authorization_request_endpoint] = par_url
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_resource_indicators, :OauthResourceIndicators) do
-
17
depends :oauth_authorize_base
-
-
17
auth_value_method :oauth_grants_resource_column, :resource
-
-
17
def resource_indicators
-
680
return @resource_indicators if defined?(@resource_indicators)
-
-
170
resources = param_or_nil("resource")
-
-
170
return unless resources
-
-
170
if json_request? || param_or_nil("request") # signed request
-
34
resources = Array(resources)
-
else
-
136
query = if request.form_data?
-
85
request.body.rewind
-
85
request.body.read
-
else
-
51
request.query_string
-
end
-
# resource query param does not conform to rack parsing rules
-
136
resources = URI.decode_www_form(query).each_with_object([]) do |(k, v), memo|
-
714
memo << v if k == "resource"
-
end
-
end
-
-
170
@resource_indicators = resources
-
end
-
-
17
def require_oauth_authorization(*)
-
119
super
-
-
# done so to support token-in-grant-db, jwt, and resource-server mode
-
102
token_indicators = authorization_token[oauth_grants_resource_column] || authorization_token["resource"]
-
-
102
return unless token_indicators
-
-
85
token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
-
-
170
authorization_required unless token_indicators.any? { |resource| base_url.start_with?(resource) }
-
end
-
-
17
private
-
-
17
def validate_token_params
-
68
super
-
-
68
return unless resource_indicators
-
-
68
resource_indicators.each do |resource|
-
68
redirect_response_error("invalid_target") unless check_valid_no_fragment_uri?(resource)
-
end
-
end
-
-
17
def create_token_from_token(oauth_grant, update_params)
-
return super unless resource_indicators
-
-
grant_indicators = oauth_grant[oauth_grants_resource_column]
-
-
grant_indicators = grant_indicators.split(" ") if grant_indicators.is_a?(String)
-
-
redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
-
-
super(oauth_grant, update_params.merge(oauth_grants_resource_column => resource_indicators))
-
end
-
-
17
module IndicatorAuthorizationCodeGrant
-
17
private
-
-
17
def validate_authorize_params
-
102
super
-
-
102
return unless resource_indicators
-
-
102
resource_indicators.each do |resource|
-
102
redirect_response_error("invalid_target") unless check_valid_no_fragment_uri?(resource)
-
end
-
end
-
-
17
def create_token_from_authorization_code(grant_params, *args, oauth_grant: nil)
-
68
return super unless resource_indicators
-
-
68
oauth_grant ||= valid_locked_oauth_grant(grant_params)
-
-
68
redirect_response_error("invalid_target") unless oauth_grant[oauth_grants_resource_column]
-
-
68
grant_indicators = oauth_grant[oauth_grants_resource_column]
-
-
68
grant_indicators = grant_indicators.split(" ") if grant_indicators.is_a?(String)
-
-
68
redirect_response_error("invalid_target") unless (grant_indicators - resource_indicators) != grant_indicators
-
-
# update ownership
-
51
if grant_indicators != resource_indicators
-
17
oauth_grant = __update_and_return__(
-
db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column]),
-
oauth_grants_resource_column => resource_indicators
-
)
-
end
-
-
51
super({ oauth_grants_id_column => oauth_grant[oauth_grants_id_column] }, *args, oauth_grant: oauth_grant)
-
end
-
-
17
def create_oauth_grant(create_params = {})
-
17
create_params[oauth_grants_resource_column] = resource_indicators.join(" ") if resource_indicators
-
-
17
super
-
end
-
end
-
-
17
module IndicatorIntrospection
-
17
def json_token_introspect_payload(grant)
-
17
return super unless grant && grant[oauth_grants_id_column]
-
-
17
payload = super
-
-
17
token_indicators = grant[oauth_grants_resource_column]
-
-
17
token_indicators = token_indicators.split(" ") if token_indicators.is_a?(String)
-
-
13
payload[:aud] = token_indicators
-
-
17
payload
-
end
-
-
17
def introspection_request(*)
-
51
payload = super
-
-
51
payload[oauth_grants_resource_column] = payload["aud"] if payload["aud"]
-
-
51
payload
-
end
-
end
-
-
17
module IndicatorJwt
-
17
def jwt_claims(*)
-
17
return super unless resource_indicators
-
-
17
super.merge(aud: resource_indicators)
-
end
-
-
17
def jwt_decode(token, verify_aud: true, **args)
-
51
claims = super(token, verify_aud: false, **args)
-
-
51
return claims unless verify_aud
-
-
34
return unless claims["aud"] && claims["aud"].one? { |aud| request.url.starts_with?(aud) }
-
-
17
claims
-
end
-
end
-
-
17
def self.included(rodauth)
-
255
super
-
255
rodauth.send(:include, IndicatorAuthorizationCodeGrant) if rodauth.features.include?(:oauth_authorization_code_grant)
-
255
rodauth.send(:include, IndicatorIntrospection) if rodauth.features.include?(:oauth_token_introspection)
-
255
rodauth.send(:include, IndicatorJwt) if rodauth.features.include?(:oauth_jwt)
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_resource_server, :OauthResourceServer) do
-
17
depends :oauth_token_introspection
-
-
17
auth_value_method :is_authorization_server?, false
-
-
17
auth_methods(
-
:before_introspection_request
-
)
-
-
17
def authorization_token
-
306
return @authorization_token if defined?(@authorization_token)
-
-
# check if there is a token
-
153
access_token = fetch_access_token
-
-
153
return unless access_token
-
-
# where in resource server, NOT the authorization server.
-
119
payload = introspection_request("access_token", access_token)
-
-
119
return unless payload["active"]
-
-
102
@authorization_token = payload
-
end
-
-
17
def require_oauth_authorization(*scopes)
-
153
authorization_required unless authorization_token
-
-
102
aux_scopes = authorization_token["scope"]
-
-
102
token_scopes = if aux_scopes
-
102
aux_scopes.split(oauth_scope_separator)
-
else
-
[]
-
end
-
-
204
authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
-
end
-
-
17
private
-
-
17
def introspection_request(token_type_hint, token)
-
119
introspect_url = URI("#{authorization_server_url}#{introspect_path}")
-
-
119
response = http_request(introspect_url, { "token_type_hint" => token_type_hint, "token" => token }) do |request|
-
119
before_introspection_request(request)
-
end
-
-
119
JSON.parse(response.body)
-
end
-
-
17
def before_introspection_request(request); end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "onelogin/ruby-saml"
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_saml_bearer_grant, :OauthSamlBearerGrant) do
-
17
depends :oauth_assertion_base
-
-
17
auth_value_method :oauth_saml_name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-
17
auth_value_method :oauth_saml_idp_cert_check_expiration, true
-
-
17
auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
-
-
17
auth_value_method :oauth_saml_settings_table, :oauth_saml_settings
-
16
%i[
-
id oauth_application_id
-
idp_cert idp_cert_fingerprint idp_cert_fingerprint_algorithm
-
name_identifier_format
-
issuer
-
audience
-
idp_cert_check_expiration
-
1
].each do |column|
-
153
auth_value_method :"oauth_saml_settings_#{column}_column", column
-
end
-
-
17
translatable_method :oauth_saml_assertion_not_base64_message, "SAML assertion must be in base64 format"
-
17
translatable_method :oauth_saml_assertion_single_issuer_message, "SAML assertion must have a single issuer"
-
17
translatable_method :oauth_saml_settings_not_found_message, "No SAML settings found for issuer"
-
-
17
auth_methods(
-
:require_oauth_application_from_saml2_bearer_assertion_issuer,
-
:require_oauth_application_from_saml2_bearer_assertion_subject,
-
:account_from_saml2_bearer_assertion
-
)
-
-
17
def oauth_grant_types_supported
-
34
super | %w[urn:ietf:params:oauth:grant-type:saml2-bearer]
-
end
-
-
17
private
-
-
17
def require_oauth_application_from_saml2_bearer_assertion_issuer(assertion)
-
17
parse_saml_assertion(assertion)
-
-
17
return unless @saml_settings
-
-
16
db[oauth_applications_table].where(
-
oauth_applications_id_column => @saml_settings[oauth_saml_settings_oauth_application_id_column]
-
1
).first
-
end
-
-
17
def require_oauth_application_from_saml2_bearer_assertion_subject(assertion)
-
17
parse_saml_assertion(assertion)
-
-
17
return unless @assertion
-
-
# 3.3.8 - For client authentication, the Subject MUST be the "client_id" of the OAuth client.
-
16
db[oauth_applications_table].where(
-
oauth_applications_client_id_column => @assertion.nameid
-
1
).first
-
end
-
-
17
def account_from_saml2_bearer_assertion(assertion)
-
17
parse_saml_assertion(assertion)
-
-
17
return unless @assertion
-
-
17
account_from_bearer_assertion_subject(@assertion.nameid)
-
end
-
-
17
def generate_saml_settings(saml_settings)
-
34
settings = OneLogin::RubySaml::Settings.new
-
-
# issuer
-
34
settings.idp_entity_id = saml_settings[oauth_saml_settings_issuer_column]
-
-
# audience
-
34
settings.sp_entity_id = saml_settings[oauth_saml_settings_audience_column] || token_url
-
-
# recipient
-
34
settings.assertion_consumer_service_url = token_url
-
-
34
settings.idp_cert = saml_settings[oauth_saml_settings_idp_cert_column]
-
34
settings.idp_cert_fingerprint = saml_settings[oauth_saml_settings_idp_cert_fingerprint_column]
-
34
settings.idp_cert_fingerprint_algorithm = saml_settings[oauth_saml_settings_idp_cert_fingerprint_algorithm_column]
-
-
34
if settings.idp_cert
-
34
check_idp_cert_expiration = saml_settings[oauth_saml_settings_idp_cert_check_expiration_column]
-
34
check_idp_cert_expiration = oauth_saml_idp_cert_check_expiration if check_idp_cert_expiration.nil?
-
26
settings.security[:check_idp_cert_expiration] = check_idp_cert_expiration
-
end
-
26
settings.security[:strict_audience_validation] = true
-
26
settings.security[:want_name_id] = true
-
-
34
settings.name_identifier_format = saml_settings[oauth_saml_settings_name_identifier_format_column] ||
-
oauth_saml_name_identifier_format
-
34
settings
-
end
-
-
# rubocop:disable Naming/MemoizedInstanceVariableName
-
17
def parse_saml_assertion(assertion)
-
51
return @assertion if defined?(@assertion)
-
-
34
response = OneLogin::RubySaml::Response.new(assertion)
-
-
# The SAML Assertion XML data MUST be encoded using base64url
-
34
redirect_response_error("invalid_grant", oauth_saml_assertion_not_base64_message) unless response.send(:base64_encoded?, assertion)
-
-
# 1. The Assertion's <Issuer> element MUST contain a unique identifier
-
# for the entity that issued the Assertion.
-
34
redirect_response_error("invalid_grant", oauth_saml_assertion_single_issuer_message) unless response.issuers.size == 1
-
-
34
@saml_settings = db[oauth_saml_settings_table].where(
-
oauth_saml_settings_issuer_column => response.issuers.first
-
).first
-
-
34
redirect_response_error("invalid_grant", oauth_saml_settings_not_found_message) unless @saml_settings
-
-
34
response.settings = generate_saml_settings(@saml_settings)
-
-
# 2. The Assertion MUST contain a <Conditions> element ...
-
# 3. he Assertion MUST have an expiry that limits the time window ...
-
# 4. The Assertion MUST have an expiry that limits the time window ...
-
# 5. The <Subject> element MUST contain at least one ...
-
# 6. The authorization server MUST reject the entire Assertion if the ...
-
# 7. If the Assertion issuer directly authenticated the subject, ...
-
34
redirect_response_error("invalid_grant", response.errors.join("; ")) unless response.is_valid?
-
-
34
@assertion = response
-
end
-
# rubocop:enable Naming/MemoizedInstanceVariableName
-
-
17
def oauth_server_metadata_body(*)
-
super.tap do |data|
-
data[:token_endpoint_auth_methods_supported] << "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "openssl"
-
17
require "ipaddr"
-
17
require "uri"
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_tls_client_auth, :OauthTlsClientAuth) do
-
17
depends :oauth_base
-
-
17
auth_value_method :oauth_tls_client_certificate_bound_access_tokens, false
-
-
16
%i[
-
tls_client_auth_subject_dn tls_client_auth_san_dns
-
tls_client_auth_san_uri tls_client_auth_san_ip
-
tls_client_auth_san_email tls_client_certificate_bound_access_tokens
-
1
].each do |column|
-
102
auth_value_method :"oauth_applications_#{column}_column", column
-
end
-
-
17
auth_value_method :oauth_grants_certificate_thumbprint_column, :certificate_thumbprint
-
-
17
def oauth_token_endpoint_auth_methods_supported
-
17
super | %w[tls_client_auth self_signed_tls_client_auth]
-
end
-
-
17
private
-
-
17
def validate_token_params
-
# For all requests to the authorization server utilizing mutual-TLS client authentication,
-
# the client MUST include the client_id parameter
-
340
redirect_response_error("invalid_request") if client_certificate && !param_or_nil("client_id")
-
-
340
super
-
end
-
-
17
def require_oauth_application
-
510
return super unless client_certificate
-
-
476
authorization_required unless oauth_application
-
-
476
if supports_auth_method?(oauth_application, "tls_client_auth")
-
# It relies on a validated certificate chain [RFC5280]
-
-
459
ssl_verify = request.env["SSL_CLIENT_VERIFY"] || request.env["HTTP_SSL_CLIENT_VERIFY"] || request.env["HTTP_X_SSL_CLIENT_VERIFY"]
-
-
459
authorization_required unless ssl_verify == "SUCCESS"
-
-
# and a single subject distinguished name (DN) or a single subject alternative name (SAN) to
-
# authenticate the client. Only one subject name value of any type is used for each client.
-
-
459
name_matches = if oauth_application[:tls_client_auth_subject_dn]
-
391
distinguished_name_match?(client_certificate.subject, oauth_application[:tls_client_auth_subject_dn])
-
68
elsif (dns = oauth_application[:tls_client_auth_san_dns])
-
34
client_certificate_sans.any? { |san| san.tag == 2 && OpenSSL::SSL.verify_hostname(dns, san.value) }
-
51
elsif (uri = oauth_application[:tls_client_auth_san_uri])
-
17
uri = URI(uri)
-
68
client_certificate_sans.any? { |san| san.tag == 6 && URI(san.value) == uri }
-
34
elsif (ip = oauth_application[:tls_client_auth_san_ip])
-
17
ip = IPAddr.new(ip).hton
-
51
client_certificate_sans.any? { |san| san.tag == 7 && san.value == ip }
-
17
elsif (email = oauth_application[:tls_client_auth_san_email])
-
85
client_certificate_sans.any? { |san| san.tag == 1 && san.value == email }
-
else
-
false
-
end
-
459
authorization_required unless name_matches
-
-
459
oauth_application
-
17
elsif supports_auth_method?(oauth_application, "self_signed_tls_client_auth")
-
17
jwks = oauth_application_jwks(oauth_application)
-
-
17
thumbprint = jwk_thumbprint(key_to_jwk(client_certificate.public_key))
-
-
# The client is successfully authenticated if the certificate that it presented during the handshake
-
# matches one of the certificates configured or registered for that particular client.
-
34
authorization_required unless jwks.any? { |jwk| Array(jwk[:x5c]).first == thumbprint }
-
-
17
oauth_application
-
else
-
super
-
end
-
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
-
authorization_required
-
end
-
-
17
def store_token(grant_params, update_params = {})
-
275
return super unless client_certificate && (
-
132
oauth_tls_client_certificate_bound_access_tokens ||
-
oauth_application[oauth_applications_tls_client_certificate_bound_access_tokens_column]
-
)
-
-
update_params[oauth_grants_certificate_thumbprint_column] = jwk_thumbprint(key_to_jwk(client_certificate.public_key))
-
super
-
end
-
-
17
def jwt_claims(oauth_grant)
-
claims = super
-
-
return claims unless oauth_grant[oauth_grants_certificate_thumbprint_column]
-
-
claims[:cnf] = {
-
"x5t#S256" => oauth_grant[oauth_grants_certificate_thumbprint_column]
-
}
-
-
claims
-
end
-
-
17
def json_token_introspect_payload(grant_or_claims)
-
119
claims = super
-
-
119
return claims unless grant_or_claims && grant_or_claims[oauth_grants_certificate_thumbprint_column]
-
-
65
(claims[:cnf] ||= {})["x5t#S256"] = grant_or_claims[oauth_grants_certificate_thumbprint_column]
-
-
85
claims
-
end
-
-
17
def oauth_server_metadata_body(*)
-
17
super.tap do |data|
-
13
data[:tls_client_certificate_bound_access_tokens] = oauth_tls_client_certificate_bound_access_tokens
-
end
-
end
-
-
17
def client_certificate
-
1581
return @client_certificate if defined?(@client_certificate)
-
-
1581
unless (pem_cert = request.env["SSL_CLIENT_CERT"] || request.env["HTTP_SSL_CLIENT_CERT"] || request.env["HTTP_X_SSL_CLIENT_CERT"])
-
26
return
-
end
-
-
1547
return if pem_cert.empty?
-
-
1547
@certificate = OpenSSL::X509::Certificate.new(pem_cert)
-
end
-
-
17
def client_certificate_sans
-
68
return @client_certificate_sans if defined?(@client_certificate_sans)
-
-
20
@client_certificate_sans =
-
68
if client_certificate
-
340
if (san = client_certificate.extensions.find { |ext| ext.oid == "subjectAltName" })
-
68
ostr = OpenSSL::ASN1.decode(san.to_der).value.last
-
-
68
sans = OpenSSL::ASN1.decode(ostr.value)
-
-
68
sans ? sans.value : []
-
else
-
[]
-
end
-
else
-
[]
-
end
-
end
-
-
17
def distinguished_name_match?(sub1, sub2)
-
391
sub1 = OpenSSL::X509::Name.parse(sub1) if sub1.is_a?(String)
-
391
sub2 = OpenSSL::X509::Name.parse(sub2) if sub2.is_a?(String)
-
# OpenSSL::X509::Name#cp calls X509_NAME_cmp via openssl.
-
# https://www.openssl.org/docs/manmaster/man3/X509_NAME_cmp.html
-
# This procedure adheres to the matching rules for Distinguished Names (DN) given in
-
# RFC 4517 section 4.2.15 and RFC 5280 section 7.1.
-
391
sub1.cmp(sub2).zero?
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
17
require "rodauth/oauth/http_extensions"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_token_introspection, :OauthTokenIntrospection) do
-
17
depends :oauth_base
-
-
17
before "introspect"
-
-
17
auth_methods(
-
:resource_owner_identifier
-
)
-
-
# /introspect
-
17
auth_server_route(:introspect) do |r|
-
391
require_oauth_application_for_introspect
-
391
before_introspect_route
-
-
391
r.post do
-
391
catch_error do
-
391
validate_introspect_params
-
-
323
token_type_hint = param_or_nil("token_type_hint")
-
-
323
before_introspect
-
323
oauth_grant = case token_type_hint
-
when "access_token", nil
-
289
if features.include?(:oauth_jwt) && oauth_jwt_access_tokens
-
68
jwt_decode(param("token"))
-
else
-
221
oauth_grant_by_token(param("token"))
-
end
-
when "refresh_token"
-
34
oauth_grant_by_refresh_token(param("token"))
-
end
-
-
323
oauth_grant ||= oauth_grant_by_refresh_token(param("token")) if token_type_hint.nil?
-
-
323
json_response_success(json_token_introspect_payload(oauth_grant))
-
end
-
-
throw_json_response_error(oauth_invalid_response_status, "invalid_request")
-
end
-
end
-
-
# Token introspect
-
-
17
def validate_introspect_params(token_hint_types = %w[access_token refresh_token].freeze)
-
# check if valid token hint type
-
391
if param_or_nil("token_type_hint") && !token_hint_types.include?(param("token_type_hint"))
-
34
redirect_response_error("unsupported_token_type")
-
end
-
-
357
redirect_response_error("invalid_request") unless param_or_nil("token")
-
end
-
-
17
def json_token_introspect_payload(grant_or_claims)
-
323
return { active: false } unless grant_or_claims
-
-
255
if grant_or_claims["sub"]
-
# JWT
-
52
{
-
16
active: true,
-
scope: grant_or_claims["scope"],
-
client_id: grant_or_claims["client_id"],
-
username: resource_owner_identifier(grant_or_claims),
-
token_type: oauth_token_type.capitalize,
-
exp: grant_or_claims["exp"],
-
iat: grant_or_claims["iat"],
-
nbf: grant_or_claims["nbf"],
-
sub: grant_or_claims["sub"],
-
aud: grant_or_claims["aud"],
-
iss: grant_or_claims["iss"],
-
jti: grant_or_claims["jti"]
-
}
-
else
-
143
{
-
44
active: true,
-
scope: grant_or_claims[oauth_grants_scopes_column],
-
client_id: oauth_application[oauth_applications_client_id_column],
-
username: resource_owner_identifier(grant_or_claims),
-
token_type: oauth_token_type,
-
exp: grant_or_claims[oauth_grants_expires_in_column].to_i
-
}
-
end
-
end
-
-
17
def check_csrf?
-
390
case request.path
-
when introspect_path
-
391
false
-
else
-
119
super
-
end
-
end
-
-
17
private
-
-
17
def require_oauth_application_for_introspect
-
391
token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]
-
-
391
return require_oauth_application unless token
-
-
51
oauth_application = current_oauth_application
-
-
51
authorization_required unless oauth_application
-
-
51
@oauth_application = oauth_application
-
end
-
-
17
def oauth_server_metadata_body(*)
-
34
super.tap do |data|
-
26
data[:introspection_endpoint] = introspect_url
-
26
data[:introspection_endpoint_auth_methods_supported] = %w[client_secret_basic]
-
end
-
end
-
-
17
def resource_owner_identifier(grant_or_claims)
-
255
if (account_id = grant_or_claims[oauth_grants_account_id_column])
-
153
account_ds(account_id).select(login_column).first[login_column]
-
102
elsif (app_id = grant_or_claims[oauth_grants_oauth_application_id_column])
-
32
db[oauth_applications_table].where(oauth_applications_id_column => app_id)
-
.select(oauth_applications_name_column)
-
2
.first[oauth_applications_name_column]
-
68
elsif (subject = grant_or_claims["sub"])
-
# JWT
-
68
if subject == grant_or_claims["client_id"]
-
16
db[oauth_applications_table].where(oauth_applications_client_id_column => subject)
-
.select(oauth_applications_name_column)
-
1
.first[oauth_applications_name_column]
-
else
-
51
account_ds(subject).select(login_column).first[login_column]
-
end
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oauth_token_revocation, :OauthTokenRevocation) do
-
17
depends :oauth_base
-
-
17
before "revoke"
-
17
after "revoke"
-
-
17
notice_flash "The oauth grant has been revoked", "revoke_oauth_grant"
-
-
# /revoke
-
17
auth_server_route(:revoke) do |r|
-
170
if logged_in?
-
17
require_account
-
17
require_oauth_application_from_account
-
else
-
153
require_oauth_application
-
end
-
-
170
before_revoke_route
-
-
170
r.post do
-
170
catch_error do
-
170
validate_revoke_params
-
-
119
oauth_grant = nil
-
119
transaction do
-
119
before_revoke
-
119
oauth_grant = revoke_oauth_grant
-
68
after_revoke
-
end
-
-
68
if accepts_json?
-
15
json_payload = {
-
36
"revoked_at" => convert_timestamp(oauth_grant[oauth_grants_revoked_at_column])
-
}
-
51
if param("token_type_hint") == "refresh_token"
-
26
json_payload["refresh_token"] = oauth_grant[oauth_grants_refresh_token_column]
-
else
-
13
json_payload["token"] = oauth_grant[oauth_grants_token_column]
-
end
-
-
51
json_response_success json_payload
-
else
-
17
set_notice_flash revoke_oauth_grant_notice_flash
-
17
redirect request.referer || "/"
-
end
-
end
-
-
34
redirect_response_error("invalid_request")
-
end
-
end
-
-
17
def validate_revoke_params(token_hint_types = %w[access_token refresh_token].freeze)
-
170
token_hint = param_or_nil("token_type_hint")
-
-
170
if features.include?(:oauth_jwt) && oauth_jwt_access_tokens && (!token_hint || token_hint == "access_token")
-
# JWT access tokens can't be revoked
-
34
throw(:rodauth_error)
-
end
-
-
# check if valid token hint type
-
136
redirect_response_error("unsupported_token_type") if token_hint && !token_hint_types.include?(token_hint)
-
-
119
redirect_response_error("invalid_request") unless param_or_nil("token")
-
end
-
-
17
def check_csrf?
-
1095
case request.path
-
when revoke_path
-
170
!json_request?
-
else
-
1273
super
-
end
-
end
-
-
17
private
-
-
17
def revoke_oauth_grant
-
119
token = param("token")
-
-
119
if param("token_type_hint") == "refresh_token"
-
34
oauth_grant = oauth_grant_by_refresh_token(token)
-
34
token_column = oauth_grants_refresh_token_column
-
else
-
85
oauth_grant = oauth_grant_by_token_ds(token).where(
-
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
-
).first
-
85
token_column = oauth_grants_token_column
-
end
-
-
119
redirect_response_error("invalid_request") unless oauth_grant
-
-
68
redirect_response_error("invalid_request") unless grant_from_application?(oauth_grant, oauth_application)
-
-
68
update_params = { oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
-
-
68
ds = db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
-
-
68
oauth_grant = __update_and_return__(ds, update_params)
-
-
52
oauth_grant[token_column] = token
-
68
oauth_grant
-
-
# If the particular
-
# token is a refresh token and the authorization server supports the
-
# revocation of access tokens, then the authorization server SHOULD
-
# also invalidate all access tokens based on the same authorization
-
# grant
-
#
-
# we don't need to do anything here, as we revalidate existing tokens
-
end
-
-
17
def oauth_server_metadata_body(*)
-
34
super.tap do |data|
-
26
data[:revocation_endpoint] = revoke_url
-
26
data[:revocation_endpoint_auth_methods_supported] = nil # because it's client_secret_basic
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oidc, :Oidc) do
-
# https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-
5
OIDC_SCOPES_MAP = {
-
12
"profile" => %i[name family_name given_name middle_name nickname preferred_username
-
profile picture website gender birthdate zoneinfo locale updated_at].freeze,
-
"email" => %i[email email_verified].freeze,
-
"address" => %i[formatted street_address locality region postal_code country].freeze,
-
"phone" => %i[phone_number phone_number_verified].freeze
-
}.freeze
-
-
17
VALID_METADATA_KEYS = %i[
-
issuer
-
authorization_endpoint
-
end_session_endpoint
-
backchannel_logout_session_supported
-
token_endpoint
-
userinfo_endpoint
-
jwks_uri
-
registration_endpoint
-
scopes_supported
-
response_types_supported
-
response_modes_supported
-
grant_types_supported
-
acr_values_supported
-
subject_types_supported
-
id_token_signing_alg_values_supported
-
id_token_encryption_alg_values_supported
-
id_token_encryption_enc_values_supported
-
userinfo_signing_alg_values_supported
-
userinfo_encryption_alg_values_supported
-
userinfo_encryption_enc_values_supported
-
request_object_signing_alg_values_supported
-
request_object_encryption_alg_values_supported
-
request_object_encryption_enc_values_supported
-
token_endpoint_auth_methods_supported
-
token_endpoint_auth_signing_alg_values_supported
-
display_values_supported
-
claim_types_supported
-
claims_supported
-
service_documentation
-
claims_locales_supported
-
ui_locales_supported
-
claims_parameter_supported
-
request_parameter_supported
-
request_uri_parameter_supported
-
require_request_uri_registration
-
op_policy_uri
-
op_tos_uri
-
check_session_iframe
-
frontchannel_logout_supported
-
frontchannel_logout_session_supported
-
backchannel_logout_supported
-
backchannel_logout_session_supported
-
].freeze
-
-
17
REQUIRED_METADATA_KEYS = %i[
-
issuer
-
authorization_endpoint
-
token_endpoint
-
jwks_uri
-
response_types_supported
-
subject_types_supported
-
id_token_signing_alg_values_supported
-
].freeze
-
-
17
depends :active_sessions, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant, :oauth_implicit_grant
-
-
17
auth_value_method :oauth_application_scopes, %w[openid]
-
-
16
%i[
-
subject_type application_type sector_identifier_uri initiate_login_uri
-
id_token_signed_response_alg id_token_encrypted_response_alg id_token_encrypted_response_enc
-
userinfo_signed_response_alg userinfo_encrypted_response_alg userinfo_encrypted_response_enc
-
1
].each do |column|
-
170
auth_value_method :"oauth_applications_#{column}_column", column
-
end
-
-
17
%i[nonce acr claims_locales claims].each do |column|
-
68
auth_value_method :"oauth_grants_#{column}_column", column
-
end
-
-
17
auth_value_method :oauth_jwt_subject_type, "public" # fallback subject type: public, pairwise
-
17
auth_value_method :oauth_jwt_subject_secret, nil # salt for pairwise generation
-
-
17
translatable_method :oauth_invalid_scope_message, "The Access Token expired"
-
-
17
auth_value_method :oauth_prompt_login_cookie_key, "_rodauth_oauth_prompt_login"
-
17
auth_value_method :oauth_prompt_login_cookie_options, {}.freeze
-
17
auth_value_method :oauth_prompt_login_interval, 5 * 60 * 60 # 5 minutes
-
-
17
auth_value_methods(
-
:userinfo_signing_alg_values_supported,
-
:userinfo_encryption_alg_values_supported,
-
:userinfo_encryption_enc_values_supported,
-
:request_object_signing_alg_values_supported,
-
:request_object_encryption_alg_values_supported,
-
:request_object_encryption_enc_values_supported,
-
:oauth_acr_values_supported
-
)
-
-
17
auth_methods(
-
:get_oidc_account_last_login_at,
-
:oidc_authorize_on_prompt_none?,
-
:fill_with_account_claims,
-
:get_oidc_param,
-
:get_additional_param,
-
:require_acr_value_phr,
-
:require_acr_value_phrh,
-
:require_acr_value,
-
:json_webfinger_payload
-
)
-
-
# /userinfo
-
17
auth_server_route(:userinfo) do |r|
-
170
r.on method: %i[get post] do
-
170
catch_error do
-
170
claims = authorization_token
-
-
170
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless claims
-
-
170
oauth_scopes = claims["scope"].split(" ")
-
-
170
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
-
-
170
account = account_ds(claims["sub"]).first
-
-
170
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless account
-
-
170
oauth_scopes.delete("openid")
-
-
170
oidc_claims = { "sub" => claims["sub"] }
-
-
170
@oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
-
-
170
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless @oauth_application
-
-
170
oauth_grant = valid_oauth_grant_ds(
-
oauth_grants_oauth_application_id_column => @oauth_application[oauth_applications_id_column],
-
**resource_owner_params_from_jwt_claims(claims)
-
).first
-
-
170
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless oauth_grant
-
-
153
claims_locales = oauth_grant[oauth_grants_claims_locales_column]
-
-
153
if (claims = oauth_grant[oauth_grants_claims_column])
-
17
claims = JSON.parse(claims)
-
17
if (userinfo_essential_claims = claims["userinfo"])
-
13
oauth_scopes |= userinfo_essential_claims.to_a
-
end
-
end
-
-
# 5.4 - The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint
-
153
fill_with_account_claims(oidc_claims, account, oauth_scopes, claims_locales)
-
-
153
if (algo = @oauth_application[oauth_applications_userinfo_signed_response_alg_column])
-
10
params = {
-
24
jwks: oauth_application_jwks(@oauth_application),
-
encryption_algorithm: @oauth_application[oauth_applications_userinfo_encrypted_response_alg_column],
-
encryption_method: @oauth_application[oauth_applications_userinfo_encrypted_response_enc_column]
-
}.compact
-
-
34
jwt = jwt_encode(
-
oidc_claims.merge(
-
# If signed, the UserInfo Response SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value
-
# SHOULD be the OP's Issuer Identifier URL. The aud value SHOULD be or include the RP's Client ID value.
-
iss: oauth_jwt_issuer,
-
aud: @oauth_application[oauth_applications_client_id_column]
-
),
-
signing_algorithm: algo,
-
**params
-
)
-
34
jwt_response_success(jwt)
-
else
-
119
json_response_success(oidc_claims)
-
end
-
end
-
-
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token")
-
end
-
end
-
-
17
def load_openid_configuration_route(alt_issuer = nil)
-
136
request.on(".well-known/openid-configuration") do
-
136
allow_cors(request)
-
-
119
request.is do
-
119
request.get do
-
119
json_response_success(openid_configuration_body(alt_issuer), cache: true)
-
end
-
end
-
end
-
end
-
-
17
def load_webfinger_route
-
34
request.on(".well-known/webfinger") do
-
34
request.get do
-
34
resource = param_or_nil("resource")
-
-
34
throw_json_response_error(400, "invalid_request") unless resource
-
-
17
response.status = 200
-
17
response["Content-Type"] ||= "application/jrd+json"
-
-
17
return_response(json_webfinger_payload)
-
end
-
end
-
end
-
-
17
def check_csrf?
-
5304
case request.path
-
when userinfo_path
-
170
false
-
else
-
6746
super
-
end
-
end
-
-
17
def oauth_response_types_supported
-
1700
grant_types = oauth_grant_types_supported
-
1700
oidc_response_types = %w[id_token none]
-
1700
oidc_response_types |= ["code id_token"] if grant_types.include?("authorization_code")
-
1700
oidc_response_types |= ["code token", "id_token token", "code id_token token"] if grant_types.include?("implicit")
-
1700
super | oidc_response_types
-
end
-
-
17
def current_oauth_account
-
17
subject_type = current_oauth_application[oauth_applications_subject_type_column] || oauth_jwt_subject_type
-
-
17
super unless subject_type == "pairwise"
-
end
-
-
17
private
-
-
17
if defined?(::I18n)
-
17
def before_authorize_route
-
1964
if (ui_locales = param_or_nil("ui_locales"))
-
17
ui_locales = ui_locales.split(" ").map(&:to_sym)
-
13
ui_locales &= ::I18n.available_locales
-
-
17
::I18n.locale = ui_locales.first unless ui_locales.empty?
-
end
-
-
1964
super
-
end
-
end
-
-
17
def userinfo_signing_alg_values_supported
-
oauth_jwt_jws_algorithms_supported
-
end
-
-
17
def userinfo_encryption_alg_values_supported
-
oauth_jwt_jwe_algorithms_supported
-
end
-
-
17
def userinfo_encryption_enc_values_supported
-
oauth_jwt_jwe_encryption_methods_supported
-
end
-
-
17
def request_object_signing_alg_values_supported
-
oauth_jwt_jws_algorithms_supported
-
end
-
-
17
def request_object_encryption_alg_values_supported
-
oauth_jwt_jwe_algorithms_supported
-
end
-
-
17
def request_object_encryption_enc_values_supported
-
oauth_jwt_jwe_encryption_methods_supported
-
end
-
-
17
def oauth_acr_values_supported
-
204
acr_values = []
-
204
acr_values << "phrh" if features.include?(:webauthn_login)
-
204
acr_values << "phr" if respond_to?(:require_two_factor_authenticated)
-
204
acr_values
-
end
-
-
17
def oidc_authorize_on_prompt_none?(_account)
-
17
false
-
end
-
-
17
def validate_authorize_params
-
1964
if (max_age = param_or_nil("max_age"))
-
-
26
max_age = Integer(max_age)
-
-
26
redirect_response_error("invalid_request") unless max_age.positive?
-
-
26
if Time.now - get_oidc_account_last_login_at(session_value) > max_age
-
# force user to re-login
-
13
clear_session
-
13
set_session_value(login_redirect_session_key, request.fullpath)
-
13
redirect require_login_redirect
-
end
-
end
-
-
1951
if (claims = param_or_nil("claims"))
-
# The value is a JSON object listing the requested Claims.
-
34
claims = JSON.parse(claims)
-
-
34
claims.each_value do |individual_claims|
-
68
redirect_response_error("invalid_request") unless individual_claims.is_a?(Hash)
-
-
68
individual_claims.each_value do |claim|
-
102
redirect_response_error("invalid_request") unless claim.nil? || individual_claims.is_a?(Hash)
-
end
-
end
-
end
-
-
1951
sc = scopes
-
-
# MUST ensure that the prompt parameter contains consent
-
# MUST ignore the offline_access request unless the Client
-
# is using a response_type value that would result in an
-
# Authorization Code
-
1951
if sc && sc.include?("offline_access") && !(param_or_nil("prompt") == "consent" &&
-
51
(response_type = param_or_nil("response_type")) && response_type.split(" ").include?("code"))
-
34
sc.delete("offline_access")
-
-
26
request.params["scope"] = sc.join(" ")
-
end
-
-
1951
super
-
-
1849
response_type = param_or_nil("response_type")
-
-
1849
is_id_token_response_type = response_type.include?("id_token")
-
-
1849
redirect_response_error("invalid_request") if is_id_token_response_type && !param_or_nil("nonce")
-
-
1832
return unless is_id_token_response_type || response_type == "code token"
-
-
1037
response_mode = param_or_nil("response_mode")
-
-
# id_token: The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used.
-
-
1037
redirect_response_error("invalid_request") unless response_mode.nil? || response_mode == "fragment"
-
end
-
-
17
def require_authorizable_account
-
2202
try_prompt
-
2100
super
-
2066
@acr = try_acr_values
-
end
-
-
17
def get_oidc_account_last_login_at(account_id)
-
842
return get_activity_timestamp(account_id, account_activity_last_activity_column) if features.include?(:account_expiration)
-
-
# active sessions based
-
842
ds = db[active_sessions_table].where(active_sessions_account_id_column => account_id)
-
-
842
ds = ds.order(Sequel.desc(active_sessions_created_at_column))
-
-
842
convert_timestamp(ds.get(active_sessions_created_at_column))
-
end
-
-
17
def jwt_subject(account_unique_id, client_application = oauth_application)
-
1377
subject_type = client_application[oauth_applications_subject_type_column] || oauth_jwt_subject_type
-
-
1053
case subject_type
-
when "public"
-
1326
super
-
when "pairwise"
-
51
identifier_uri = client_application[oauth_applications_sector_identifier_uri_column]
-
-
51
unless identifier_uri
-
51
identifier_uri = client_application[oauth_applications_redirect_uri_column]
-
51
identifier_uri = identifier_uri.split(" ")
-
# If the Client has not provided a value for sector_identifier_uri in Dynamic Client Registration
-
# [OpenID.Registration], the Sector Identifier used for pairwise identifier calculation is the host
-
# component of the registered redirect_uri. If there are multiple hostnames in the registered redirect_uris,
-
# the Client MUST register a sector_identifier_uri.
-
51
if identifier_uri.size > 1
-
# return error message
-
end
-
51
identifier_uri = identifier_uri.first
-
end
-
-
51
identifier_uri = URI(identifier_uri).host
-
-
51
values = [identifier_uri, account_unique_id, oauth_jwt_subject_secret]
-
51
Digest::SHA256.hexdigest(values.join)
-
else
-
raise StandardError, "unexpected subject (#{subject_type})"
-
end
-
end
-
-
# this executes before checking for a logged in account
-
17
def try_prompt
-
2202
return unless (prompt = param_or_nil("prompt"))
-
-
221
case prompt
-
when "none"
-
51
return unless request.get?
-
-
51
redirect_response_error("login_required") unless logged_in?
-
-
34
require_account
-
-
34
redirect_response_error("interaction_required") unless oidc_authorize_on_prompt_none?(account_from_session)
-
-
13
request.env["REQUEST_METHOD"] = "POST"
-
when "login"
-
102
return unless request.get?
-
-
68
if logged_in? && request.cookies[oauth_prompt_login_cookie_key] == "login"
-
34
::Rack::Utils.delete_cookie_header!(response.headers, oauth_prompt_login_cookie_key, oauth_prompt_login_cookie_options)
-
26
return
-
end
-
-
# logging out
-
34
clear_session
-
34
set_session_value(login_redirect_session_key, request.fullpath)
-
-
34
login_cookie_opts = Hash[oauth_prompt_login_cookie_options]
-
26
login_cookie_opts[:value] = "login"
-
34
if oauth_prompt_login_interval
-
26
login_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_prompt_login_interval) # 15 minutes
-
end
-
34
::Rack::Utils.set_cookie_header!(response.headers, oauth_prompt_login_cookie_key, login_cookie_opts)
-
-
34
redirect require_login_redirect
-
when "consent"
-
85
return unless request.post?
-
-
34
require_account
-
-
34
sc = scopes || []
-
-
34
redirect_response_error("consent_required") if sc.empty?
-
-
when "select-account"
-
51
return unless request.get?
-
-
# only works if select_account plugin is available
-
34
require_select_account if respond_to?(:require_select_account)
-
else
-
redirect_response_error("invalid_request")
-
end
-
end
-
-
17
def try_acr_values
-
2066
return unless (acr_values = param_or_nil("acr_values"))
-
-
85
acr_values.split(" ").each do |acr_value|
-
85
next unless oauth_acr_values_supported.include?(acr_value)
-
-
52
case acr_value
-
when "phr"
-
34
return acr_value if require_acr_value_phr
-
when "phrh"
-
34
return acr_value if require_acr_value_phrh
-
else
-
return acr_value if require_acr_value(acr_value)
-
end
-
end
-
-
12
nil
-
end
-
-
17
def require_acr_value_phr
-
68
return false unless respond_to?(:require_two_factor_authenticated)
-
-
68
require_two_factor_authenticated
-
68
true
-
end
-
-
17
def require_acr_value_phrh
-
34
return false unless features.include?(:webauthn_login)
-
-
34
require_acr_value_phr && two_factor_login_type_match?("webauthn")
-
end
-
-
17
def require_acr_value(_acr)
-
true
-
end
-
-
17
def create_oauth_grant(create_params = {})
-
493
create_params.replace(oidc_grant_params.merge(create_params))
-
493
super
-
end
-
-
17
def create_oauth_grant_with_token(create_params = {})
-
34
create_params.merge!(resource_owner_params)
-
26
create_params[oauth_grants_type_column] = "hybrid"
-
26
create_params[oauth_grants_expires_in_column] = Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_access_token_expires_in)
-
34
authorization_code = create_oauth_grant(create_params)
-
34
access_token = if oauth_jwt_access_tokens
-
34
_generate_jwt_access_token(create_params)
-
else
-
oauth_grant = valid_oauth_grant_ds.where(oauth_grants_code_column => authorization_code).first
-
_generate_access_token(oauth_grant)
-
end
-
-
34
json_access_token_payload(oauth_grants_token_column => access_token).merge("code" => authorization_code)
-
end
-
-
17
def create_token(*)
-
442
oauth_grant = super
-
391
generate_id_token(oauth_grant)
-
391
oauth_grant
-
end
-
-
17
def generate_id_token(oauth_grant, include_claims = false)
-
816
oauth_scopes = oauth_grant[oauth_grants_scopes_column].split(oauth_scope_separator)
-
-
816
return unless oauth_scopes.include?("openid")
-
-
816
signing_algorithm = oauth_application[oauth_applications_id_token_signed_response_alg_column] ||
-
oauth_jwt_keys.keys.first
-
-
816
id_claims = id_token_claims(oauth_grant, signing_algorithm)
-
-
816
account = db[accounts_table].where(account_id_column => oauth_grant[oauth_grants_account_id_column]).first
-
-
# this should never happen!
-
# a newly minted oauth token from a grant should have been assigned to an account
-
# who just authorized its generation.
-
816
return unless account
-
-
816
if (claims = oauth_grant[oauth_grants_claims_column])
-
34
claims = JSON.parse(claims)
-
34
if (id_token_essential_claims = claims["id_token"])
-
26
oauth_scopes |= id_token_essential_claims.to_a
-
-
34
include_claims = true
-
end
-
end
-
-
# OpenID Connect Core 1.0's 5.4 Requesting Claims using Scope Values:
-
# If standard claims (profile, email, etc) are requested as scope values in the Authorization Request,
-
# include in the response.
-
816
include_claims ||= (OIDC_SCOPES_MAP.keys & oauth_scopes).any?
-
-
# However, when no Access Token is issued (which is the case for the response_type value id_token),
-
# the resulting Claims are returned in the ID Token.
-
816
fill_with_account_claims(id_claims, account, oauth_scopes, param_or_nil("claims_locales")) if include_claims
-
-
240
params = {
-
576
jwks: oauth_application_jwks(oauth_application),
-
signing_algorithm: signing_algorithm,
-
encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
-
encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column],
-
-
# Not officially part of the spec, but some providers follow this convention.
-
# This is useful for distinguishing between ID Tokens and JWT Access Tokens.
-
headers: { typ: "id_token+jwt" }
-
}.compact
-
-
624
oauth_grant[:id_token] = jwt_encode(id_claims, **params)
-
end
-
-
17
def id_token_claims(oauth_grant, signing_algorithm)
-
816
claims = jwt_claims(oauth_grant)
-
-
816
claims[:nonce] = oauth_grant[oauth_grants_nonce_column] if oauth_grant[oauth_grants_nonce_column]
-
-
816
claims[:acr] = oauth_grant[oauth_grants_acr_column] if oauth_grant[oauth_grants_acr_column]
-
-
# Time when the End-User authentication occurred.
-
624
claims[:auth_time] = get_oidc_account_last_login_at(oauth_grant[oauth_grants_account_id_column]).to_i
-
-
# Access Token hash value.
-
816
if (access_token = oauth_grant[oauth_grants_token_column])
-
325
claims[:at_hash] = id_token_hash(access_token, signing_algorithm)
-
end
-
-
# code hash value.
-
816
if (code = oauth_grant[oauth_grants_code_column])
-
143
claims[:c_hash] = id_token_hash(code, signing_algorithm)
-
end
-
-
816
claims
-
end
-
-
# aka fill_with_standard_claims
-
17
def fill_with_account_claims(claims, account, scopes, claims_locales)
-
459
additional_claims_info = {}
-
-
459
scopes_by_claim = scopes.each_with_object({}) do |scope, by_oidc|
-
578
next if scope == "openid"
-
-
272
if scope.is_a?(Array)
-
# essential claims
-
85
param, additional_info = scope
-
-
85
param = param.to_sym
-
-
85
oidc, = OIDC_SCOPES_MAP.find do |_, oidc_scopes|
-
187
oidc_scopes.include?(param)
-
end || param.to_s
-
-
85
param = nil if oidc == param.to_s
-
-
65
additional_claims_info[param] = additional_info
-
else
-
-
187
oidc, param = scope.split(".", 2)
-
-
187
param = param.to_sym if param
-
end
-
-
272
by_oidc[oidc] ||= []
-
-
272
by_oidc[oidc] << param.to_sym if param
-
end
-
-
731
oidc_scopes, additional_scopes = scopes_by_claim.keys.partition { |key| OIDC_SCOPES_MAP.key?(key) }
-
-
459
claims_locales = claims_locales.split(" ").map(&:to_sym) if claims_locales
-
-
459
unless oidc_scopes.empty?
-
153
if respond_to?(:get_oidc_param)
-
153
get_oidc_param = proxy_get_param(:get_oidc_param, claims, claims_locales, additional_claims_info)
-
-
153
oidc_scopes.each do |scope|
-
153
scope_claims = claims
-
153
params = scopes_by_claim[scope]
-
153
params = params.empty? ? OIDC_SCOPES_MAP[scope] : (OIDC_SCOPES_MAP[scope] & params)
-
-
153
scope_claims = (claims["address"] = {}) if scope == "address"
-
-
153
params.each do |param|
-
374
get_oidc_param[account, param, scope_claims]
-
end
-
end
-
else
-
warn "`get_oidc_param(account, claim)` must be implemented to use oidc scopes."
-
end
-
end
-
-
459
return if additional_scopes.empty?
-
-
119
if respond_to?(:get_additional_param)
-
119
get_additional_param = proxy_get_param(:get_additional_param, claims, claims_locales, additional_claims_info)
-
-
119
additional_scopes.each do |scope|
-
119
get_additional_param[account, scope.to_sym]
-
end
-
else
-
warn "`get_additional_param(account, claim)` must be implemented to use oidc scopes."
-
end
-
end
-
-
17
def proxy_get_param(get_param_func, claims, claims_locales, additional_claims_info)
-
272
meth = method(get_param_func)
-
272
if meth.arity == 2
-
238
lambda do |account, param, cl = claims|
-
459
additional_info = additional_claims_info[param] || EMPTY_HASH
-
459
value = additional_info["value"] || meth[account, param]
-
459
value = nil if additional_info["values"] && additional_info["values"].include?(value)
-
459
cl[param] = value unless value.nil?
-
end
-
34
elsif claims_locales.nil?
-
lambda do |account, param, cl = claims|
-
additional_info = additional_claims_info[param] || EMPTY_HASH
-
value = additional_info["value"] || meth[account, param, nil]
-
value = nil if additional_info["values"] && additional_info["values"].include?(value)
-
cl[param] = value unless value.nil?
-
end
-
else
-
34
lambda do |account, param, cl = claims|
-
34
claims_values = claims_locales.map do |locale|
-
68
additional_info = additional_claims_info[param] || EMPTY_HASH
-
68
value = additional_info["value"] || meth[account, param, locale]
-
68
value = nil if additional_info["values"] && additional_info["values"].include?(value)
-
68
value
-
end.compact
-
-
34
if claims_values.uniq.size == 1
-
cl[param] = claims_values.first
-
else
-
34
claims_locales.zip(claims_values).each do |locale, value|
-
68
cl["#{param}##{locale}"] = value if value
-
end
-
end
-
end
-
end
-
end
-
-
17
def json_access_token_payload(oauth_grant)
-
459
payload = super
-
459
payload["id_token"] = oauth_grant[:id_token] if oauth_grant[:id_token]
-
459
payload
-
end
-
-
# Authorize
-
-
17
def check_valid_response_type?
-
1430
case param_or_nil("response_type")
-
when "none", "id_token", "code id_token", # multiple
-
"code token", "id_token token", "code id_token token"
-
1088
true
-
else
-
778
super
-
end
-
end
-
-
17
def supported_response_mode?(response_mode, *)
-
765
return super unless response_mode == "none"
-
-
17
param("response_type") == "none"
-
end
-
-
17
def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
-
765
response_type = param("response_type")
-
585
case response_type
-
when "id_token"
-
221
grant_params = oidc_grant_params
-
221
generate_id_token(grant_params, true)
-
221
response_params.replace("id_token" => grant_params[:id_token])
-
when "code token"
-
17
response_params.replace(create_oauth_grant_with_token)
-
when "code id_token"
-
170
params = _do_authorize_code
-
170
oauth_grant = valid_oauth_grant_ds.where(oauth_grants_code_column => params["code"]).first
-
170
generate_id_token(oauth_grant)
-
170
response_params.replace(
-
"id_token" => oauth_grant[:id_token],
-
"code" => params["code"]
-
)
-
when "id_token token"
-
17
grant_params = oidc_grant_params.merge(oauth_grants_type_column => "hybrid")
-
17
oauth_grant = _do_authorize_token(grant_params)
-
17
generate_id_token(oauth_grant)
-
-
17
response_params.replace(json_access_token_payload(oauth_grant))
-
when "code id_token token"
-
17
params = create_oauth_grant_with_token
-
17
oauth_grant = valid_oauth_grant_ds.where(oauth_grants_code_column => params["code"]).first
-
13
oauth_grant[oauth_grants_token_column] = params["access_token"]
-
17
generate_id_token(oauth_grant)
-
-
17
response_params.replace(params.merge("id_token" => oauth_grant[:id_token]))
-
when "none"
-
17
response_mode ||= "none"
-
end
-
765
response_mode ||= "fragment" unless response_params.empty?
-
-
765
super(response_params, response_mode)
-
end
-
-
17
def oidc_grant_params
-
731
grant_params = {
-
**resource_owner_params,
-
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-
oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
-
oauth_grants_redirect_uri_column => param_or_nil("redirect_uri")
-
}
-
731
if (nonce = param_or_nil("nonce"))
-
429
grant_params[oauth_grants_nonce_column] = nonce
-
end
-
731
grant_params[oauth_grants_acr_column] = @acr if @acr
-
731
if (claims_locales = param_or_nil("claims_locales"))
-
26
grant_params[oauth_grants_claims_locales_column] = claims_locales
-
end
-
731
if (claims = param_or_nil("claims"))
-
13
grant_params[oauth_grants_claims_column] = claims
-
end
-
731
grant_params
-
end
-
-
17
def generate_token(grant_params = {}, should_generate_refresh_token = true)
-
357
scopes = grant_params[oauth_grants_scopes_column].split(oauth_scope_separator)
-
-
357
super(grant_params, scopes.include?("offline_access") && should_generate_refresh_token)
-
end
-
-
17
def authorize_response(params, mode)
-
765
redirect_url = URI.parse(redirect_uri)
-
765
redirect(redirect_url.to_s) if mode == "none"
-
748
super
-
end
-
-
# Webfinger
-
-
17
def json_webfinger_payload
-
17
JSON.dump({
-
subject: param("resource"),
-
links: [{
-
rel: "http://openid.net/specs/connect/1.0/issuer",
-
href: authorization_server_url
-
}]
-
})
-
end
-
-
# Metadata
-
-
17
def openid_configuration_body(path = nil)
-
119
metadata = oauth_server_metadata_body(path).slice(*VALID_METADATA_KEYS)
-
-
119
scope_claims = oauth_application_scopes.each_with_object([]) do |scope, claims|
-
187
oidc, param = scope.split(".", 2)
-
187
if param
-
17
claims << param
-
else
-
170
oidc_claims = OIDC_SCOPES_MAP[oidc]
-
170
claims.concat(oidc_claims) if oidc_claims
-
end
-
end
-
-
119
scope_claims.unshift("auth_time")
-
-
112
metadata.merge(
-
userinfo_endpoint: userinfo_url,
-
subject_types_supported: %w[public pairwise],
-
acr_values_supported: oauth_acr_values_supported,
-
claims_parameter_supported: true,
-
-
id_token_signing_alg_values_supported: oauth_jwt_jws_algorithms_supported,
-
id_token_encryption_alg_values_supported: oauth_jwt_jwe_algorithms_supported,
-
id_token_encryption_enc_values_supported: oauth_jwt_jwe_encryption_methods_supported,
-
-
userinfo_signing_alg_values_supported: oauth_jwt_jws_algorithms_supported,
-
userinfo_encryption_alg_values_supported: oauth_jwt_jwe_algorithms_supported,
-
userinfo_encryption_enc_values_supported: oauth_jwt_jwe_encryption_methods_supported,
-
-
request_object_signing_alg_values_supported: oauth_jwt_jws_algorithms_supported,
-
request_object_encryption_alg_values_supported: oauth_jwt_jwe_algorithms_supported,
-
request_object_encryption_enc_values_supported: oauth_jwt_jwe_encryption_methods_supported,
-
-
# These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core].
-
# Values defined by this specification are normal, aggregated, and distributed.
-
# If omitted, the implementation supports only normal Claims.
-
claim_types_supported: %w[normal],
-
claims_supported: %w[sub iss iat exp aud] | scope_claims
-
7
).reject do |key, val|
-
# Filter null values in optional items
-
3553
(!REQUIRED_METADATA_KEYS.include?(key.to_sym) && val.nil?) ||
-
# Claims with zero elements MUST be omitted from the response
-
3077
(val.respond_to?(:empty?) && val.empty?)
-
end
-
end
-
-
17
def allow_cors(request)
-
153
return unless request.request_method == "OPTIONS"
-
-
13
response["Access-Control-Allow-Origin"] = "*"
-
13
response["Access-Control-Allow-Methods"] = "GET, OPTIONS"
-
13
response["Access-Control-Max-Age"] = "3600"
-
17
response.status = 200
-
17
return_response
-
end
-
-
17
def jwt_response_success(jwt, cache = false)
-
34
response.status = 200
-
34
response["Content-Type"] ||= "application/jwt"
-
34
if cache
-
# defaulting to 1-day for everyone, for now at least
-
max_age = 60 * 60 * 24
-
response["Cache-Control"] = "private, max-age=#{max_age}"
-
else
-
26
response["Cache-Control"] = "no-store"
-
26
response["Pragma"] = "no-cache"
-
end
-
34
return_response(jwt)
-
end
-
-
17
def id_token_hash(hash, algo)
-
612
digest = case algo
-
612
when /256/ then Digest::SHA256
-
when /384/ then Digest::SHA384
-
when /512/ then Digest::SHA512
-
end
-
-
612
return unless digest
-
-
612
hash = digest.digest(hash)
-
612
hash = hash[0...(hash.size / 2)]
-
612
Base64.urlsafe_encode64(hash).tr("=", "")
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oidc_backchannel_logout, :OidBackchannelLogout) do
-
17
depends :logout, :oidc_logout_base
-
-
17
auth_value_method :oauth_logout_token_expires_in, 60 # 1 minute
-
17
auth_value_method :backchannel_logout_session_supported, true
-
17
auth_value_method :oauth_applications_backchannel_logout_uri_column, :backchannel_logout_uri
-
17
auth_value_method :oauth_applications_backchannel_logout_session_required_column, :backchannel_logout_session_required
-
-
17
auth_methods(
-
:perform_logout_requests
-
)
-
-
17
def logout
-
102
visited_sites = session[visited_sites_key]
-
-
102
return super unless visited_sites
-
-
102
oauth_applications = db[oauth_applications_table].where(oauth_applications_client_id_column => visited_sites.map(&:first))
-
.as_hash(oauth_applications_id_column)
-
-
102
logout_params = oauth_applications.flat_map do |_id, oauth_application|
-
102
logout_url = oauth_application[oauth_applications_backchannel_logout_uri_column]
-
-
102
next unless logout_url
-
-
102
client_id = oauth_application[oauth_applications_client_id_column]
-
-
204
sids = visited_sites.select { |cid, _| cid == client_id }.map(&:last)
-
-
102
sids.map do |sid|
-
102
logout_token = generate_logout_token(oauth_application, sid)
-
-
102
[logout_url, logout_token]
-
end
-
end.compact
-
-
102
perform_logout_requests(logout_params) unless logout_params.empty?
-
-
# now we can clear the session
-
102
super
-
end
-
-
17
private
-
-
17
def generate_logout_token(oauth_application, sid)
-
102
issued_at = Time.now.to_i
-
-
30
logout_claims = {
-
72
iss: oauth_jwt_issuer, # issuer
-
iat: issued_at, # issued at
-
exp: issued_at + oauth_logout_token_expires_in,
-
aud: oauth_application[oauth_applications_client_id_column],
-
events: {
-
"http://schemas.openid.net/event/backchannel-logout": {}
-
}
-
}
-
-
102
logout_claims[:sid] = sid if sid
-
-
102
signing_algorithm = oauth_application[oauth_applications_id_token_signed_response_alg_column] ||
-
oauth_jwt_keys.keys.first
-
-
30
params = {
-
72
jwks: oauth_application_jwks(oauth_application),
-
headers: { typ: "logout+jwt" },
-
signing_algorithm: signing_algorithm,
-
encryption_algorithm: oauth_application[oauth_applications_id_token_encrypted_response_alg_column],
-
encryption_method: oauth_application[oauth_applications_id_token_encrypted_response_enc_column]
-
}.compact
-
-
102
jwt_encode(logout_claims, **params)
-
end
-
-
17
def perform_logout_requests(logout_params)
-
# performs logout requests sequentially
-
102
logout_params.each do |logout_url, logout_token|
-
102
http_request(logout_url, { "logout_token" => logout_token })
-
rescue StandardError
-
warn "failed to perform backchannel logout on #{logout_url}"
-
end
-
end
-
-
17
def id_token_claims(oauth_grant, signing_algorithm)
-
102
claims = super
-
-
102
return claims unless oauth_application[oauth_applications_backchannel_logout_uri_column]
-
-
102
session_id_in_claims(oauth_grant, claims)
-
-
102
claims
-
end
-
-
17
def should_set_oauth_application_in_visited_sites?
-
51
true
-
end
-
-
17
def should_set_sid_in_visited_sites?(oauth_application)
-
153
super || requires_backchannel_logout_session?(oauth_application)
-
end
-
-
17
def requires_backchannel_logout_session?(oauth_application)
-
36
(
-
153
oauth_application &&
-
oauth_application[oauth_applications_backchannel_logout_session_required_column]
-
9
) || backchannel_logout_session_supported
-
end
-
-
17
def oauth_server_metadata_body(*)
-
17
super.tap do |data|
-
13
data[:backchannel_logout_supported] = true
-
13
data[:backchannel_logout_session_supported] = backchannel_logout_session_supported
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oidc_dynamic_client_registration, :OidcDynamicClientRegistration) do
-
17
depends :oauth_dynamic_client_registration, :oidc
-
-
17
auth_value_method :oauth_applications_application_type_column, :application_type
-
-
17
private
-
-
17
def validate_client_registration_params(*)
-
867
super
-
-
816
if (value = @oauth_application_params[oauth_applications_application_type_column])
-
91
case value
-
when "native"
-
68
request.params["redirect_uris"].each do |uri|
-
68
uri = URI(uri)
-
# Native Clients MUST only register redirect_uris using custom URI schemes or
-
# URLs using the http: scheme with localhost as the hostname.
-
52
case uri.scheme
-
when "http"
-
34
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri)) unless uri.host == "localhost"
-
when "https"
-
17
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
-
end
-
end
-
when "web"
-
# Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris;
-
# they MUST NOT use localhost as the hostname.
-
51
if request.params["grant_types"].include?("implicit")
-
34
request.params["redirect_uris"].each do |uri|
-
34
uri = URI(uri)
-
34
unless uri.scheme == "https" && uri.host != "localhost"
-
17
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
-
end
-
end
-
end
-
else
-
register_throw_json_response_error("invalid_client_metadata", register_invalid_application_type_message(type))
-
end
-
end
-
-
765
if (value = @oauth_application_params[oauth_applications_sector_identifier_uri_column]) && !check_valid_uri?(value)
-
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(value))
-
end
-
-
765
if (value = @oauth_application_params[oauth_applications_initiate_login_uri_column])
-
34
uri = URI(value)
-
-
34
unless uri.scheme == "https" || uri.host == "localhost"
-
17
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri))
-
end
-
end
-
-
748
if features.include?(:oauth_jwt_secured_authorization_request)
-
153
if (value = @oauth_application_params[oauth_applications_request_uris_column])
-
34
if value.is_a?(Array)
-
13
@oauth_application_params[oauth_applications_request_uris_column] = value.each do |req_uri|
-
17
unless check_valid_uri?(req_uri)
-
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(req_uri))
-
end
-
end.join(" ")
-
else
-
17
register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(value))
-
end
-
119
elsif oauth_require_request_uri_registration
-
17
register_throw_json_response_error("invalid_client_metadata", register_required_param_message("request_uris"))
-
end
-
end
-
-
714
if (value = @oauth_application_params[oauth_applications_subject_type_column])
-
119
unless %w[pairwise public].include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message("subject_type", value))
-
end
-
-
102
if value == "pairwise"
-
85
sector_identifier_uri = @oauth_application_params[oauth_applications_sector_identifier_uri_column]
-
-
85
if sector_identifier_uri
-
34
response = http_request(sector_identifier_uri)
-
34
unless response.code.to_i == 200
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_param_message("sector_identifier_uri"))
-
end
-
34
uris = JSON.parse(response.body)
-
-
34
if uris != @oauth_application_params[oauth_applications_redirect_uri_column].split(" ")
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("sector_identifier_uri"))
-
end
-
-
end
-
end
-
end
-
-
680
if (value = @oauth_application_params[oauth_applications_id_token_signed_response_alg_column])
-
68
if value == "none"
-
# The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types
-
# that return no ID Token from the Authorization Endpoint
-
response_types = @oauth_application_params[oauth_applications_response_types_column]
-
if response_types && response_types.include?("id_token")
-
register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
-
end
-
68
elsif !oauth_jwt_jws_algorithms_supported.include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("id_token_signed_response_alg", value))
-
end
-
end
-
-
663
if features.include?(:oauth_jwt_secured_authorization_request)
-
119
if defined?(oauth_applications_request_object_signing_alg_column) &&
-
119
(value = @oauth_application_params[oauth_applications_request_object_signing_alg_column]) &&
-
17
!oauth_jwt_jws_algorithms_supported.include?(value) && !(value == "none" && oauth_request_object_signing_alg_allow_none)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("request_object_signing_alg", value))
-
end
-
-
102
if defined?(oauth_applications_request_object_encryption_alg_column) &&
-
102
(value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column]) &&
-
!oauth_jwt_jwe_algorithms_supported.include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("request_object_encryption_alg", value))
-
end
-
-
85
if defined?(oauth_applications_request_object_encryption_enc_column) &&
-
85
(value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column]) &&
-
!oauth_jwt_jwe_encryption_methods_supported.include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("request_object_encryption_enc", value))
-
end
-
end
-
-
612
if features.include?(:oidc_rp_initiated_logout) && defined?(oauth_applications_post_logout_redirect_uris_column) &&
-
34
(value = @oauth_application_params[oauth_applications_post_logout_redirect_uris_column])
-
34
if value.is_a?(Array)
-
13
@oauth_application_params[oauth_applications_post_logout_redirect_uris_column] = value.each do |redirect_uri|
-
17
unless check_valid_uri?(redirect_uri)
-
register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(redirect_uri))
-
end
-
end.join(" ")
-
else
-
17
register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(value))
-
end
-
end
-
-
595
if features.include?(:oidc_frontchannel_logout)
-
51
if (value = @oauth_application_params[oauth_applications_frontchannel_logout_uri_column]) && !check_valid_no_fragment_uri?(value)
-
34
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_uri_message(value))
-
end
-
-
17
if (value = @oauth_application_params[oauth_applications_frontchannel_logout_session_required_column])
-
13
@oauth_application_params[oauth_applications_frontchannel_logout_session_required_column] =
-
convert_to_boolean("frontchannel_logout_session_required", value)
-
end
-
end
-
-
561
if features.include?(:oidc_backchannel_logout)
-
51
if (value = @oauth_application_params[oauth_applications_backchannel_logout_uri_column]) && !check_valid_no_fragment_uri?(value)
-
34
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_uri_message(value))
-
end
-
-
17
if @oauth_application_params.key?(oauth_applications_backchannel_logout_session_required_column)
-
17
value = @oauth_application_params[oauth_applications_backchannel_logout_session_required_column]
-
13
@oauth_application_params[oauth_applications_backchannel_logout_session_required_column] =
-
convert_to_boolean("backchannel_logout_session_required", value)
-
end
-
end
-
-
527
if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column]) &&
-
!oauth_jwt_jwe_algorithms_supported.include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("id_token_encrypted_response_alg", value))
-
end
-
-
510
if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column]) &&
-
!oauth_jwt_jwe_encryption_methods_supported.include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("id_token_encrypted_response_enc", value))
-
end
-
-
493
if (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column]) &&
-
!oauth_jwt_jws_algorithms_supported.include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("userinfo_signed_response_alg", value))
-
end
-
-
476
if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column]) &&
-
!oauth_jwt_jwe_algorithms_supported.include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("userinfo_encrypted_response_alg", value))
-
end
-
-
459
if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column]) &&
-
!oauth_jwt_jwe_encryption_methods_supported.include?(value)
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("userinfo_encrypted_response_enc", value))
-
end
-
-
442
if features.include?(:oauth_jwt_secured_authorization_response_mode)
-
34
if defined?(oauth_applications_authorization_signed_response_alg_column) &&
-
34
(value = @oauth_application_params[oauth_applications_authorization_signed_response_alg_column]) &&
-
24
(!oauth_jwt_jws_algorithms_supported.include?(value) || value == "none")
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("authorization_signed_response_alg", value))
-
end
-
-
34
if defined?(oauth_applications_authorization_encrypted_response_alg_column) &&
-
34
(value = @oauth_application_params[oauth_applications_authorization_encrypted_response_alg_column]) &&
-
!oauth_jwt_jwe_algorithms_supported.include?(value)
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("authorization_encrypted_response_alg", value))
-
end
-
-
34
if defined?(oauth_applications_authorization_encrypted_response_enc_column)
-
34
if (value = @oauth_application_params[oauth_applications_authorization_encrypted_response_enc_column])
-
-
17
unless @oauth_application_params[oauth_applications_authorization_encrypted_response_alg_column]
-
# When authorization_encrypted_response_enc is included, authorization_encrypted_response_alg MUST also be provided.
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("authorization_encrypted_response_alg", value))
-
-
end
-
-
unless oauth_jwt_jwe_encryption_methods_supported.include?(value)
-
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_client_metadata_message("authorization_encrypted_response_enc", value))
-
end
-
17
elsif @oauth_application_params[oauth_applications_authorization_encrypted_response_alg_column]
-
# If authorization_encrypted_response_alg is specified, the default for this value is A128CBC-HS256.
-
13
@oauth_application_params[oauth_applications_authorization_encrypted_response_enc_column] = "A128CBC-HS256"
-
end
-
end
-
end
-
-
425
@oauth_application_params
-
end
-
-
17
def validate_client_registration_response_type(response_type, grant_types)
-
663
case response_type
-
when "id_token"
-
68
unless grant_types.include?("implicit")
-
17
register_throw_json_response_error("invalid_client_metadata",
-
register_invalid_response_type_for_grant_type_message(response_type, "implicit"))
-
end
-
else
-
799
super
-
end
-
end
-
-
17
def do_register(return_params = request.params.dup)
-
# set defaults
-
-
391
create_params = @oauth_application_params
-
-
391
create_params[oauth_applications_application_type_column] ||= begin
-
247
return_params["application_type"] = "web"
-
323
"web"
-
end
-
391
create_params[oauth_applications_id_token_signed_response_alg_column] ||= return_params["id_token_signed_response_alg"] =
-
oauth_jwt_keys.keys.first
-
-
391
if create_params.key?(oauth_applications_id_token_encrypted_response_alg_column)
-
17
create_params[oauth_applications_id_token_encrypted_response_enc_column] ||= return_params["id_token_encrypted_response_enc"] =
-
"A128CBC-HS256"
-
-
end
-
391
if create_params.key?(oauth_applications_userinfo_encrypted_response_alg_column)
-
17
create_params[oauth_applications_userinfo_encrypted_response_enc_column] ||= return_params["userinfo_encrypted_response_enc"] =
-
"A128CBC-HS256"
-
-
end
-
391
if defined?(oauth_applications_request_object_encryption_alg_column) &&
-
create_params.key?(oauth_applications_request_object_encryption_alg_column)
-
17
create_params[oauth_applications_request_object_encryption_enc_column] ||= return_params["request_object_encryption_enc"] =
-
"A128CBC-HS256"
-
-
end
-
-
391
super(return_params)
-
end
-
-
17
def register_invalid_application_type_message(application_type)
-
"The application type '#{application_type}' is not allowed."
-
end
-
-
17
def initialize_register_params(create_params, return_params)
-
391
super
-
391
registration_access_token = oauth_unique_id_generator
-
299
create_params[oauth_applications_registration_access_token_column] = secret_hash(registration_access_token)
-
299
return_params["registration_access_token"] = registration_access_token
-
299
return_params["registration_client_uri"] = "#{base_url}/#{registration_client_uri_route}/#{return_params['client_id']}"
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
skipped
# :nocov:
-
skipped
raise LoadError, "the `:oidc_frontchannel_logout` requires rodauth 2.32.0 or higher" if Rodauth::VERSION < "2.32.0"
-
skipped
-
skipped
# :nocov:
-
-
17
module Rodauth
-
17
Feature.define(:oidc_frontchannel_logout, :OidFrontchannelLogout) do
-
17
depends :logout, :oidc_logout_base
-
-
17
view "frontchannel_logout", "Logout", "frontchannel_logout"
-
-
17
translatable_method :oauth_frontchannel_logout_redirecting_lead, "You are being redirected..."
-
17
translatable_method :oauth_frontchannel_logout_redirecting_label, "please click %<link>s if your browser does not " \
-
"redirect you in a few seconds."
-
17
translatable_method :oauth_frontchannel_logout_redirecting_link_label, "here"
-
17
auth_value_method :frontchannel_logout_session_supported, true
-
17
auth_value_method :frontchannel_logout_redirect_timeout, 5
-
17
auth_value_method :oauth_applications_frontchannel_logout_uri_column, :frontchannel_logout_uri
-
17
auth_value_method :oauth_applications_frontchannel_logout_session_required_column, :frontchannel_logout_session_required
-
-
17
attr_reader :frontchannel_logout_urls
-
-
17
attr_reader :frontchannel_logout_redirect
-
-
17
def logout
-
119
@visited_sites = session[visited_sites_key]
-
-
119
super
-
end
-
-
17
def _logout_response
-
102
visited_sites = @visited_sites
-
-
102
return super unless visited_sites
-
-
102
logout_urls = db[oauth_applications_table]
-
.where(oauth_applications_client_id_column => visited_sites.map(&:first))
-
.as_hash(oauth_applications_client_id_column, oauth_applications_frontchannel_logout_uri_column)
-
-
102
return super if logout_urls.empty?
-
-
102
generate_frontchannel_logout_urls(visited_sites, logout_urls)
-
-
102
@frontchannel_logout_redirect = logout_redirect
-
-
102
set_notice_flash logout_notice_flash
-
102
return_response frontchannel_logout_view
-
end
-
-
# overrides rp-initiate logout response
-
17
def _oidc_logout_response
-
17
visited_sites = @visited_sites
-
-
17
return super unless visited_sites
-
-
17
logout_urls = db[oauth_applications_table]
-
.where(oauth_applications_client_id_column => visited_sites.map(&:first))
-
.as_hash(oauth_applications_client_id_column, oauth_applications_frontchannel_logout_uri_column)
-
-
17
return super if logout_urls.empty?
-
-
17
generate_frontchannel_logout_urls(visited_sites, logout_urls)
-
-
17
@frontchannel_logout_redirect = oidc_logout_redirect
-
-
17
set_notice_flash logout_notice_flash
-
17
return_response frontchannel_logout_view
-
end
-
-
17
private
-
-
17
def generate_frontchannel_logout_urls(visited_sites, logout_urls)
-
119
@frontchannel_logout_urls = logout_urls.flat_map do |client_id, logout_url|
-
119
next unless logout_url
-
-
238
sids = visited_sites.select { |cid, _| cid == client_id }.map(&:last)
-
-
119
sids.map do |sid|
-
119
logout_url = URI(logout_url)
-
-
119
if sid
-
85
query = logout_url.query
-
85
query = if query
-
34
URI.decode_www_form(query)
-
else
-
51
[]
-
end
-
85
query << ["iss", oauth_jwt_issuer]
-
85
query << ["sid", sid]
-
85
logout_url.query = URI.encode_www_form(query)
-
end
-
-
119
logout_url
-
end
-
end.compact
-
end
-
-
17
def id_token_claims(oauth_grant, signing_algorithm)
-
119
claims = super
-
-
119
return claims unless oauth_application[oauth_applications_frontchannel_logout_uri_column]
-
-
119
session_id_in_claims(oauth_grant, claims)
-
-
119
claims
-
end
-
-
17
def should_set_oauth_application_in_visited_sites?
-
68
true
-
end
-
-
17
def should_set_sid_in_visited_sites?(oauth_application)
-
187
super || requires_frontchannel_logout_session?(oauth_application)
-
end
-
-
17
def requires_frontchannel_logout_session?(oauth_application)
-
44
(
-
187
oauth_application &&
-
oauth_application[oauth_applications_frontchannel_logout_session_required_column]
-
11
) || frontchannel_logout_session_supported
-
end
-
-
17
def oauth_server_metadata_body(*)
-
17
super.tap do |data|
-
13
data[:frontchannel_logout_supported] = true
-
13
data[:frontchannel_logout_session_supported] = frontchannel_logout_session_supported
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oidc_logout_base, :OidcLogoutBase) do
-
17
depends :oidc
-
-
17
session_key :visited_sites_key, :visited_sites
-
-
17
private
-
-
# set application/sid in visited sites when required
-
17
def create_oauth_grant(create_params = {})
-
187
sid_in_visited_sites
-
-
187
super
-
end
-
-
17
def active_sessions?(session_id)
-
17
!active_sessions_ds.where(active_sessions_session_id_column => session_id).empty?
-
end
-
-
17
def session_id_in_claims(oauth_grant, claims)
-
221
oauth_application_in_visited_sites do
-
221
if should_set_sid_in_visited_sites?(oauth_application)
-
# id_token or token response types
-
153
session_id = if (sess = session[session_id_session_key])
-
85
compute_hmac(sess)
-
else
-
# code response type
-
68
ds = db[active_sessions_table]
-
68
ds = ds.where(active_sessions_account_id_column => oauth_grant[oauth_grants_account_id_column])
-
68
ds = ds.order(Sequel.desc(active_sessions_last_use_column))
-
68
ds.get(active_sessions_session_id_column)
-
end
-
-
117
claims[:sid] = session_id
-
end
-
end
-
end
-
-
17
def oauth_application_in_visited_sites
-
340
visited_sites = session[visited_sites_key] || []
-
-
340
session_id = yield
-
-
340
visited_site = [oauth_application[oauth_applications_client_id_column], session_id]
-
-
340
return if visited_sites.include?(visited_site)
-
-
323
visited_sites << visited_site
-
323
set_session_value(visited_sites_key, visited_sites)
-
end
-
-
17
def sid_in_visited_sites
-
187
return unless should_set_oauth_application_in_visited_sites?
-
-
119
oauth_application_in_visited_sites do
-
119
if should_set_sid_in_visited_sites?(oauth_application)
-
85
ds = active_sessions_ds.order(Sequel.desc(active_sessions_last_use_column))
-
-
85
ds.get(active_sessions_session_id_column)
-
end
-
end
-
end
-
-
17
def should_set_oauth_application_in_visited_sites?
-
68
false
-
end
-
-
17
def should_set_sid_in_visited_sites?(*)
-
340
false
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oidc_rp_initiated_logout, :OidcRpInitiatedLogout) do
-
17
depends :oidc_logout_base
-
17
response "oidc_logout"
-
-
17
auth_value_method :oauth_applications_post_logout_redirect_uris_column, :post_logout_redirect_uris
-
17
translatable_method :oauth_invalid_id_token_hint_message, "Invalid ID token hint"
-
17
translatable_method :oauth_invalid_post_logout_redirect_uri_message, "Invalid post logout redirect URI"
-
-
17
attr_reader :oidc_logout_redirect
-
-
# /oidc-logout
-
17
auth_server_route(:oidc_logout) do |r|
-
102
require_authorizable_account
-
102
before_oidc_logout_route
-
-
# OpenID Providers MUST support the use of the HTTP GET and POST methods
-
102
r.on method: %i[get post] do
-
102
catch_error do
-
102
validate_oidc_logout_params
-
-
102
claims = nil
-
-
102
if (id_token_hint = param_or_nil("id_token_hint"))
-
#
-
# why this is done:
-
#
-
# we need to decode the id token in order to get the application, because, if the
-
# signing key is application-specific, we don't know how to verify the signature
-
# beforehand. Hence, we have to do it twice: decode-and-do-not-verify, initialize
-
# the @oauth_application, and then decode-and-verify.
-
#
-
102
claims = jwt_decode(id_token_hint, verify_claims: false)
-
-
102
redirect_logout_with_error(oauth_invalid_id_token_hint_message) unless claims
-
-
# If the ID Token's sid claim does not correspond to the RP's current session or a
-
# recent session at the OP, the OP SHOULD treat the logout request as suspect, and
-
# MAY decline to act upon it.
-
102
redirect_logout_with_error(oauth_invalid_client_message) if claims["sid"] && !active_sessions?(claims["sid"])
-
-
102
oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["aud"]).first
-
102
oauth_grant = db[oauth_grants_table]
-
.where(resource_owner_params)
-
.where(oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column])
-
.first
-
-
102
unique_account_id = if oauth_grant
-
85
oauth_grant[oauth_grants_account_id_column]
-
else
-
17
account_id
-
end
-
-
# check whether ID token belongs to currently logged-in user
-
102
redirect_logout_with_error(oauth_invalid_client_message) unless claims["sub"] == jwt_subject(unique_account_id,
-
oauth_application)
-
-
# When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token.
-
102
redirect_logout_with_error(oauth_invalid_client_message) unless claims && claims["iss"] == oauth_jwt_issuer
-
end
-
-
# now let's logout from IdP
-
102
transaction do
-
102
before_logout
-
102
logout
-
102
after_logout
-
end
-
-
102
error_message = logout_notice_flash
-
-
102
if (post_logout_redirect_uri = param_or_nil("post_logout_redirect_uri"))
-
85
error_message = catch(:default_logout_redirect) do
-
85
throw(:default_logout_redirect, oauth_invalid_id_token_hint_message) unless claims
-
-
85
oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
-
-
85
throw(:default_logout_redirect, oauth_invalid_client_message) unless oauth_application
-
-
85
post_logout_redirect_uris = oauth_application[oauth_applications_post_logout_redirect_uris_column].split(" ")
-
-
85
unless post_logout_redirect_uris.include?(post_logout_redirect_uri)
-
throw(:default_logout_redirect,
-
oauth_invalid_post_logout_redirect_uri_message)
-
end
-
-
85
if (state = param_or_nil("state"))
-
17
post_logout_redirect_uri = URI(post_logout_redirect_uri)
-
17
params = ["state=#{CGI.escape(state)}"]
-
17
params << post_logout_redirect_uri.query if post_logout_redirect_uri.query
-
17
post_logout_redirect_uri.query = params.join("&")
-
17
post_logout_redirect_uri = post_logout_redirect_uri.to_s
-
end
-
-
85
@oidc_logout_redirect = post_logout_redirect_uri
-
-
85
require_response(:_oidc_logout_response)
-
end
-
-
end
-
-
17
redirect_logout_with_error(error_message)
-
end
-
-
redirect_response_error("invalid_request")
-
end
-
end
-
-
17
def _oidc_logout_response
-
68
redirect(oidc_logout_redirect)
-
end
-
-
17
private
-
-
# Logout
-
-
17
def validate_oidc_logout_params
-
# check if valid token hint type
-
102
return unless (redirect_uri = param_or_nil("post_logout_redirect_uri"))
-
-
85
return if check_valid_no_fragment_uri?(redirect_uri)
-
-
redirect_logout_with_error(oauth_invalid_client_message)
-
end
-
-
17
def redirect_logout_with_error(error_message = oauth_invalid_client_message)
-
17
set_notice_flash(error_message)
-
17
redirect(logout_redirect)
-
end
-
-
17
def oauth_server_metadata_body(*)
-
17
super.tap do |data|
-
13
data[:end_session_endpoint] = oidc_logout_url
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oidc_self_issued, :OidcSelfIssued) do
-
17
depends :oidc, :oidc_dynamic_client_registration
-
-
17
auth_value_method :oauth_application_scopes, %w[openid profile email address phone]
-
17
auth_value_method :oauth_jwt_jws_algorithms_supported, %w[RS256]
-
-
13
SELF_ISSUED_DEFAULT_APPLICATION_PARAMS = {
-
4
"scope" => "openid profile email address phone",
-
"response_types" => ["id_token"],
-
"subject_type" => "pairwise",
-
"id_token_signed_response_alg" => "RS256",
-
"request_object_signing_alg" => "RS256",
-
"grant_types" => %w[implicit]
-
}.freeze
-
-
17
def oauth_application
-
391
return @oauth_application if defined?(@oauth_application)
-
-
34
return super unless (registration = param_or_nil("registration"))
-
-
# self-issued!
-
34
redirect_uri = param_or_nil("client_id")
-
-
34
registration_params = JSON.parse(registration)
-
-
34
registration_params = SELF_ISSUED_DEFAULT_APPLICATION_PARAMS.merge(registration_params)
-
-
34
client_params = validate_client_registration_params(registration_params)
-
-
26
request.params["redirect_uri"] = client_params[oauth_applications_client_id_column] = redirect_uri
-
34
client_params[oauth_applications_redirect_uri_column] ||= redirect_uri
-
-
34
@oauth_application = client_params
-
end
-
-
17
private
-
-
17
def oauth_response_types_supported
-
34
%w[id_token]
-
end
-
-
17
def request_object_signing_alg_values_supported
-
%w[none RS256]
-
end
-
-
17
def id_token_claims(oauth_grant, signing_algorithm)
-
17
claims = super
-
-
17
return claims unless claims[:client_id] == oauth_grant[oauth_grants_redirect_uri_column]
-
-
# https://openid.net/specs/openid-connect-core-1_0.html#SelfIssued - 7.4
-
-
17
pub_key = oauth_jwt_public_keys[signing_algorithm]
-
17
pub_key = pub_key.first if pub_key.is_a?(Array)
-
13
claims[:sub_jwk] = sub_jwk = jwk_export(pub_key)
-
-
13
claims[:iss] = "https://self-issued.me"
-
-
13
claims[:aud] = oauth_grant[oauth_grants_redirect_uri_column]
-
-
17
jwk_thumbprint = jwk_thumbprint(sub_jwk)
-
-
13
claims[:sub] = Base64.urlsafe_encode64(jwk_thumbprint, padding: false)
-
-
17
claims
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth/oauth"
-
-
17
module Rodauth
-
17
Feature.define(:oidc_session_management, :OidcSessionManagement) do
-
17
depends :oidc
-
-
17
view "check_session", "Check Session", "check_session"
-
-
17
auth_value_method :oauth_oidc_user_agent_state_cookie_key, "_rodauth_oauth_user_agent_state"
-
17
auth_value_method :oauth_oidc_user_agent_state_cookie_options, {}.freeze
-
17
auth_value_method :oauth_oidc_user_agent_state_cookie_expires_in, 365 * 24 * 60 * 60 # 1 year
-
-
17
auth_value_method :oauth_oidc_user_agent_state_js, nil
-
-
17
auth_value_methods(
-
:oauth_oidc_session_management_salt
-
)
-
# /authorize
-
17
auth_server_route(:check_session) do |r|
-
17
allow_cors(r)
-
-
17
r.get do
-
17
set_title(:check_session_page_title)
-
17
scope.view(_view_opts("check_session").merge(layout: false))
-
end
-
end
-
-
17
def clear_session
-
51
super
-
-
# update user agent state in the process
-
# TODO: dangerous if this gets overidden by the user
-
-
51
user_agent_state_cookie_opts = Hash[oauth_oidc_user_agent_state_cookie_options]
-
39
user_agent_state_cookie_opts[:value] = oauth_unique_id_generator
-
39
user_agent_state_cookie_opts[:secure] = true
-
51
if oauth_oidc_user_agent_state_cookie_expires_in
-
39
user_agent_state_cookie_opts[:expires] = convert_timestamp(Time.now + oauth_oidc_user_agent_state_cookie_expires_in)
-
end
-
51
::Rack::Utils.set_cookie_header!(response.headers, oauth_oidc_user_agent_state_cookie_key, user_agent_state_cookie_opts)
-
end
-
-
17
private
-
-
17
def do_authorize(*)
-
17
params, mode = super
-
-
13
params["session_state"] = generate_session_state
-
-
17
[params, mode]
-
end
-
-
17
def response_error_params(*)
-
17
payload = super
-
-
17
return payload unless request.path == authorize_path
-
-
13
payload["session_state"] = generate_session_state
-
17
payload
-
end
-
-
17
def generate_session_state
-
34
salt = oauth_oidc_session_management_salt
-
-
34
uri = URI(redirect_uri)
-
34
origin = if uri.respond_to?(:origin)
-
24
uri.origin
-
else
-
# TODO: remove when not supporting uri < 0.11
-
10
"#{uri.scheme}://#{uri.host}#{":#{uri.port}" if uri.port != uri.default_port}"
-
end
-
34
session_id = "#{oauth_application[oauth_applications_client_id_column]} " \
-
8
"#{origin} " \
-
8
"#{request.cookies[oauth_oidc_user_agent_state_cookie_key]} #{salt}"
-
-
26
"#{Digest::SHA256.hexdigest(session_id)}.#{salt}"
-
end
-
-
17
def oauth_server_metadata_body(*)
-
17
super.tap do |data|
-
13
data[:check_session_iframe] = check_session_url
-
end
-
end
-
-
17
def oauth_oidc_session_management_salt
-
oauth_unique_id_generator
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "rodauth"
-
17
require "rodauth/oauth/version"
-
-
17
module Rodauth
-
17
module OAuth
-
17
module FeatureExtensions
-
17
def auth_server_route(name, *args, &blk)
-
204
routes = route(name, *args, &blk)
-
-
204
handle_meth = routes.last
-
-
204
define_method(:"#{handle_meth}_for_auth_server") do
-
11076
next unless is_authorization_server?
-
-
11076
send(:"#{handle_meth}_not_for_auth_server")
-
end
-
-
204
alias_method :"#{handle_meth}_not_for_auth_server", handle_meth
-
204
alias_method handle_meth, :"#{handle_meth}_for_auth_server"
-
-
# make all requests usable via internal_request feature
-
204
internal_request_method name
-
end
-
-
# override
-
17
def translatable_method(meth, value)
-
44295
define_method(meth) { |*args| translate(meth, value, *args) }
-
3196
auth_value_methods(meth)
-
end
-
end
-
end
-
-
17
Feature.prepend OAuth::FeatureExtensions
-
end
-
-
17
require "rodauth/oauth/railtie" if defined?(Rails)
-
# frozen_string_literal: true
-
-
17
module Rodauth
-
17
module OAuth
-
# rubocop:disable Naming/MethodName
-
17
def self.ExtendDatabase(db)
-
7606
Module.new do
-
7606
dataset = db.dataset
-
-
7606
if dataset.supports_returning?(:insert)
-
5370
def __insert_and_return__(dataset, _pkey, params)
-
1388
dataset.returning.insert(params).first
-
end
-
else
-
2236
def __insert_and_return__(dataset, pkey, params)
-
442
id = dataset.insert(params)
-
422
if params.key?(pkey)
-
# mysql returns 0 when the primary key is a varchar.
-
60
id = params[pkey]
-
end
-
422
dataset.where(pkey => id).first
-
end
-
end
-
-
7606
if dataset.supports_returning?(:update)
-
5370
def __update_and_return__(dataset, params)
-
1040
dataset.returning.update(params).first
-
end
-
else
-
2236
def __update_and_return__(dataset, params)
-
553
dataset.update(params)
-
533
dataset.first
-
end
-
end
-
-
7606
if dataset.respond_to?(:supports_insert_conflict?) && dataset.supports_insert_conflict?
-
2235
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, to_update_extra = nil)
-
7340
to_update = Hash[(params.keys - unique_columns).map { |attribute| [attribute, Sequel[:excluded][attribute]] }]
-
-
511
to_update.merge!(to_update_extra) if to_update_extra
-
-
511
dataset = dataset.insert_conflict(
-
target: unique_columns,
-
update: to_update,
-
update_where: conds
-
)
-
-
511
__insert_and_return__(dataset, pkey, params)
-
end
-
-
2235
def __insert_or_do_nothing_and_return__(dataset, pkey, unique_columns, params)
-
100
__insert_and_return__(
-
dataset.insert_conflict(target: unique_columns),
-
pkey,
-
params
-
) || dataset.where(params).first
-
end
-
else
-
5371
def __insert_or_update_and_return__(dataset, pkey, unique_columns, params, conds = nil, to_update_extra = nil)
-
10410
find_params, update_params = params.partition { |key, _| unique_columns.include?(key) }.map { |h| Hash[h] }
-
-
567
dataset_where = dataset.where(find_params)
-
567
record = if conds
-
279
dataset_where_conds = dataset_where.where(conds)
-
-
# this means that there's still a valid entry there, so return early
-
279
return if dataset_where.count != dataset_where_conds.count
-
-
279
dataset_where_conds.first
-
else
-
288
dataset_where.first
-
end
-
-
567
if record
-
339
update_params.merge!(to_update_extra) if to_update_extra
-
-
339
__update_and_return__(dataset_where, update_params)
-
else
-
228
__insert_and_return__(dataset, pkey, params)
-
end
-
end
-
-
5371
def __insert_or_do_nothing_and_return__(dataset, pkey, unique_columns, params)
-
240
find_params = params.slice(*unique_columns)
-
240
dataset.where(find_params).first || __insert_and_return__(dataset, pkey, params)
-
end
-
end
-
end
-
end
-
# rubocop:enable Naming/MethodName
-
end
-
end
-
# frozen_string_literal: true
-
-
17
require "uri"
-
17
require "net/http"
-
17
require "rodauth/oauth/ttl_store"
-
-
17
module Rodauth
-
17
module OAuth
-
17
module HTTPExtensions
-
17
REQUEST_CACHE = OAuth::TtlStore.new
-
-
17
private
-
-
17
def http_request(uri, form_data = nil)
-
493
uri = URI(uri)
-
-
493
http = Net::HTTP.new(uri.host, uri.port)
-
493
http.use_ssl = uri.scheme == "https"
-
493
http.open_timeout = 15
-
493
http.read_timeout = 15
-
493
http.write_timeout = 15 if http.respond_to?(:write_timeout)
-
-
493
if form_data
-
221
request = Net::HTTP::Post.new(uri.request_uri)
-
169
request["content-type"] = "application/x-www-form-urlencoded"
-
221
request.set_form_data(form_data)
-
else
-
272
request = Net::HTTP::Get.new(uri.request_uri)
-
end
-
377
request["accept"] = json_response_content_type
-
-
493
yield request if block_given?
-
-
493
response = http.request(request)
-
493
authorization_required unless (200..299).include?(response.code.to_i)
-
493
response
-
end
-
-
17
def http_request_with_cache(uri, *args)
-
170
uri = URI(uri)
-
-
170
response = http_request_cache[uri]
-
-
170
return response if response
-
-
153
http_request_cache.set(uri) do
-
153
response = http_request(uri, *args)
-
153
ttl = if response.key?("cache-control")
-
102
cache_control = response["cache-control"]
-
102
if cache_control.include?("no-cache")
-
nil
-
else
-
102
max_age = cache_control[/max-age=(\d+)/, 1].to_i
-
102
max_age.zero? ? nil : max_age
-
end
-
51
elsif response.key?("expires")
-
51
expires = response["expires"]
-
3
begin
-
51
Time.parse(expires).to_i - Time.now.to_i
-
rescue ArgumentError
-
nil
-
end
-
end
-
-
153
[JSON.parse(response.body, symbolize_names: true), ttl]
-
end
-
end
-
-
17
def http_request_cache
-
51
REQUEST_CACHE
-
end
-
end
-
end
-
end
-
# frozen_string_literal: true
-
-
13
module JWE
-
#
-
# this is a monkey-patch!
-
# it's necessary, as the original jwe does not support jwks.
-
# if this works long term, it may be merged upstreamm.
-
#
-
13
def self.__rodauth_oauth_decrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM")
-
39
header, enc_key, iv, ciphertext, tag = Serialization::Compact.decode(payload)
-
26
header = JSON.parse(header)
-
-
26
key = find_key_by_kid(jwks, header["kid"], alg, enc)
-
-
13
check_params(header, key)
-
-
13
cek = Alg.decrypt_cek(header["alg"], key, enc_key)
-
13
cipher = Enc.for(header["enc"], cek, iv, tag)
-
-
13
plaintext = cipher.decrypt(ciphertext, payload.split(".").first)
-
-
13
apply_zip(header, plaintext, :decompress)
-
end
-
-
13
def self.__rodauth_oauth_encrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM", **more_headers)
-
78
header = generate_header(alg, enc, more_headers)
-
-
78
key = find_key_by_alg_enc(jwks, alg, enc)
-
-
78
check_params(header, key)
-
78
payload = apply_zip(header, payload, :compress)
-
-
78
cipher = Enc.for(enc)
-
78
cipher.cek = key if alg == "dir"
-
-
78
json_hdr = header.to_json
-
78
ciphertext = cipher.encrypt(payload, Base64.jwe_encode(json_hdr))
-
-
78
generate_serialization(json_hdr, Alg.encrypt_cek(alg, key, cipher.cek), ciphertext, cipher)
-
end
-
-
13
def self.find_key_by_kid(jwks, kid, alg, enc)
-
26
raise DecodeError, "No key id (kid) found from token headers" unless kid
-
-
91
jwk = jwks.find { |key, _| (key[:kid] || key["kid"]) == kid }
-
-
26
raise DecodeError, "Could not find public key for kid #{kid}" unless jwk
-
26
raise DecodeError, "Expected a different encryption algorithm" unless alg == (jwk[:alg] || jwk["alg"])
-
26
raise DecodeError, "Expected a different encryption method" unless enc == (jwk[:enc] || jwk["enc"])
-
-
13
::JWT::JWK.import(jwk).keypair
-
end
-
-
13
def self.find_key_by_alg_enc(jwks, alg, enc)
-
78
jwk = jwks.find do |key, _|
-
156
(key[:alg] || key["alg"]) == alg &&
-
104
(key[:enc] || key["enc"]) == enc
-
end
-
-
78
raise DecodeError, "No key found" unless jwk
-
-
78
::JWT::JWK.import(jwk).keypair
-
end
-
end
-
# frozen_string_literal: true
-
-
#
-
# The TTL store is a data structure which keeps data by a key, and with a time-to-live.
-
# It is specifically designed for data which is static, i.e. for a certain key in a
-
# sufficiently large span, the value will be the same.
-
#
-
# Because of that, synchronizations around reads do not exist, while write synchronizations
-
# will be short-circuited by a read.
-
#
-
17
class Rodauth::OAuth::TtlStore
-
17
DEFAULT_TTL = 60 * 60 * 24 # default TTL is one day
-
-
17
def initialize
-
17
@store_mutex = Mutex.new
-
17
@store = {}
-
end
-
-
17
def [](key)
-
34
lookup(key, now)
-
end
-
-
17
def set(key, &block)
-
17
@store_mutex.synchronize do
-
# short circuit
-
17
return @store[key][:payload] if @store[key] && @store[key][:ttl] < now
-
end
-
-
17
payload, ttl = block.call
-
-
17
return payload unless ttl
-
-
17
@store_mutex.synchronize do
-
# given that the block call triggers network, and two requests for the same key be processed
-
# at the same time, this ensures the first one wins.
-
17
return @store[key][:payload] if @store[key] && @store[key][:ttl] < now
-
-
13
@store[key] = { payload: payload, ttl: ttl || (now + DEFAULT_TTL) }
-
end
-
17
@store[key][:payload]
-
end
-
-
17
def uncache(key)
-
@store_mutex.synchronize do
-
@store.delete(key)
-
end
-
end
-
-
17
private
-
-
17
def now
-
34
Process.clock_gettime(Process::CLOCK_MONOTONIC)
-
end
-
-
# do not use directly!
-
17
def lookup(key, ttl)
-
34
return unless @store.key?(key)
-
-
17
value = @store[key]
-
-
17
return if value.empty?
-
-
17
return unless value[:ttl] > ttl
-
-
17
value[:payload]
-
end
-
end