rodauth-oauth can also be used strictly as a resource server. Given that you define the server like this:

```ruby
plugin :rodauth do
  enable :oauth_resource_server
  authorization_server_url "https://external-auth-server"
  before_introspection_request do |request|
    # how to add client_secret_basic auth params to introspection request
    request.basic_auth(CLIENT_ID, CLIENT_SECRET)
  end
end

route do |r|
  r.on "books" do
    rodauth.require_oauth_authorization("books.read")
    r.get do
      ... # handler body elided on the original page
    end
  end
end
```
In the example above, `GET /books` will require an access token with at least the `"books.read"` scope, and token verification will be done by performing a token introspection request to the authorization server (the introspection endpoint URL will be fetched from the provider's OAuth server metadata endpoint, i.e. `/.well-known/oauth-authorization-server`).

In this way, you can use rodauth-oauth both for setting up the authorization server and the resource server.
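To make the resource-server flow concrete, here is an added example (not rodauth-oauth's own code) showing the two pieces the page describes: building the introspection request with client_secret_basic credentials, as the `before_introspection_request` callback would see it, and deciding whether an RFC 7662 introspection payload authorizes a request that requires given scopes. `CLIENT_ID`, `CLIENT_SECRET`, `INTROSPECTION_URL`, the function names and the sample payload are constructed assumptions, not values from the page.

```ruby
require "net/http"
require "uri"
require "json"

# Constructed sample values (not from the page): the resource server's client
# credentials at the authorization server, and the introspection endpoint that
# would normally be read from /.well-known/oauth-authorization-server.
CLIENT_ID = "books-api"
CLIENT_SECRET = "example-secret"
INTROSPECTION_URL = URI("https://external-auth-server/introspect")

# Pull the bearer token out of an Authorization header (RFC 6750); nil if absent.
def extract_bearer_token(header)
  return nil unless header
  scheme, token = header.split(" ", 2)
  return nil unless scheme&.casecmp?("bearer") && token && !token.strip.empty?
  token.strip
end

# Build the introspection request the way the callback would receive it: a
# Net::HTTP::Post with a form-encoded body, then apply client_secret_basic.
# Nothing is sent over the network here; the request object is just built.
def build_introspection_request(token, token_type_hint: "access_token")
  request = Net::HTTP::Post.new(INTROSPECTION_URL)
  request["Content-Type"] = "application/x-www-form-urlencoded"
  request.body = URI.encode_www_form("token" => token, "token_type_hint" => token_type_hint)
  request.basic_auth(CLIENT_ID, CLIENT_SECRET) # client_secret_basic
  request
end

# Decide whether an introspection payload (RFC 7662) authorizes a request
# that requires every scope in required_scopes. Returns [allowed, reason].
# "active" must be exactly true; "scope" is a space-delimited string.
def authorize_introspection(payload, required_scopes, now: Time.now, audience: nil)
  return [false, "token inactive"] unless payload["active"] == true
  exp = payload["exp"]
  return [false, "token expired"] if exp && Time.at(exp) <= now
  if audience
    return [false, "audience mismatch"] unless Array(payload["aud"]).include?(audience)
  end
  granted = payload.fetch("scope", "").split(" ")
  missing = required_scopes - granted
  return [false, "missing scope: #{missing.join(' ')}"] unless missing.empty?
  [true, "ok"]
end

# Constructed introspection response, as the authorization server would return it.
SAMPLE_PAYLOAD = {
  "active" => true, "scope" => "books.read books.write",
  "exp" => 1_700_003_600, "aud" => "books-api", "sub" => "alice"
}

if $PROGRAM_NAME == __FILE__
  token = extract_bearer_token("Bearer tok123")
  req = build_introspection_request(token)
  puts "POST #{req.path} body=#{req.body} auth=#{req['Authorization']}"
  puts authorize_introspection(SAMPLE_PAYLOAD, ["books.read"], now: Time.at(1_700_000_000)).inspect
end
```

The `active` check compares against `true` rather than truthiness so that a string `"false"` or a missing field never passes; `exp` and `aud` are optional in RFC 7662, so they are enforced only when present or requested.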
The `before_introspection_request` callback allows one to tweak the request object (by default, net-http is used, so it'll be a `Net::HTTPRequest`) and set up client authentication parameters:

```ruby
# assuming client id and secret are stored in reachable static variables:
before_introspection_request do |request|
  # client_secret_basic example
  request.basic_auth(CLIENT_ID, CLIENT_SECRET)

  # client_form_post example (an alternative to the above; use one or the other)
  body = URI.decode_www_form(request.body).to_h
  body["client_id"] = CLIENT_ID
  body["client_secret"] = CLIENT_SECRET
  request.body = URI.encode_www_form(body)
end
```
The `rodauth.authorization_token` method, in "resource server" mode, returns the authorization server's introspection payload for the authorized bearer token.

When the `:oauth_jwt` feature is enabled, token verification instead uses the authorization server's JWKs URI to retrieve the server's JWKs, and verifies the token signatures with them. The JWKs URI should be discoverable via service discovery.