lib/rodauth/features/oauth_jwt_base.rb in rodauth-oauth-1.1.0 vs lib/rodauth/features/oauth_jwt_base.rb in rodauth-oauth-1.2.0
- old
+ new
@@ -22,11 +22,12 @@
:jwt_encode,
:jwt_decode,
:jwt_decode_no_key,
:generate_jti,
:oauth_jwt_issuer,
- :oauth_jwt_audience
+ :oauth_jwt_audience,
+ :resource_owner_params_from_jwt_claims
)
private
def oauth_jwt_issuer
@@ -68,10 +69,14 @@
return account_id.to_s if account_id
client_application[oauth_applications_client_id_column]
end
+ def resource_owner_params_from_jwt_claims(claims)
+ { oauth_grants_account_id_column => claims["sub"] }
+ end
+
def oauth_server_metadata_body(path = nil)
metadata = super
metadata.merge! \
token_endpoint_auth_signing_alg_values_supported: oauth_jwt_keys.keys.uniq
metadata
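Review bot: `resource_owner_params_from_jwt_claims` passes `claims["sub"]` through unchecked, so a token with no `sub` claim yields `{ oauth_grants_account_id_column => nil }`; if a caller uses that hash as a lookup filter, the nil would presumably turn into an `IS NULL` match rather than a rejection. Prefer `{ oauth_grants_account_id_column => claims.fetch("sub") }` so the missing claim fails loudly, or make the caller reject it explicitly. Since the method is now part of the `auth_methods` surface added in the first hunk, it also deserves a one-line comment, e.g. `# Maps the claims of an already-verified JWT to the grant columns identifying the resource owner; override to key on a claim other than "sub".` The callers of this hook are outside this hunk, so where the nil value would land is inferred.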
@@ -79,18 +84,10 @@
def _jwt_key
@_jwt_key ||= (oauth_application_jwks(oauth_application) if oauth_application)
end
- def _jwt_public_key
- @_jwt_public_key ||= if oauth_application
- oauth_application_jwks(oauth_application)
- else
- _jwt_key
- end
- end
-
# Resource Server only!
#
# returns the jwks set from the authorization server.
def auth_server_jwks_set
metadata = authorization_server_metadata
@@ -150,14 +147,32 @@
]
auth_value_method :oauth_jwt_jwe_encryption_methods_supported, %w[
A128GCM A256GCM A128CBC-HS256 A256CBC-HS512
]
- def jwk_export(key)
+ def key_to_jwk(key)
JSON::JWK.new(key)
end
+ def jwk_export(key)
+ key_to_jwk(key)
+ end
+
+ def jwk_import(jwk)
+ JSON::JWK.new(jwk)
+ end
+
+ def jwk_key(jwk)
+ jwk = jwk_import(jwk) unless jwk.is_a?(JSON::JWK)
+ jwk.to_key
+ end
+
+ def jwk_thumbprint(jwk)
+ jwk = jwk_import(jwk) if jwk.is_a?(Hash)
+ jwk.thumbprint
+ end
+
def jwt_encode(payload,
jwks: nil,
encryption_algorithm: oauth_jwt_jwe_keys.keys.dig(0, 0),
encryption_method: oauth_jwt_jwe_keys.keys.dig(0, 1),
jwe_key: oauth_jwt_jwe_keys[[encryption_algorithm,
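Review bot: The input guards of the new helpers disagree: `jwk_key` normalises anything that is not already a `JSON::JWK`, while `jwk_thumbprint` only converts a `Hash`, so any other input reaches `.thumbprint` unconverted and fails with `NoMethodError` instead of going through `jwk_import`. Aligning the guard, `jwk = jwk_import(jwk) unless jwk.is_a?(JSON::JWK)`, makes both helpers accept the same inputs; the `jwt` branch later in this diff has the same mismatch between its `jwk_key` and `jwk_thumbprint`. As `jwk_import`, `jwk_key` and `jwk_thumbprint` are new overridable hooks, a one-line comment per helper stating the accepted input (a `JSON::JWK` or a JWK `Hash`) and the return value (`jwk_key` returns whatever `to_key` builds from the JWK's parameters) would help anyone redefining them. The `jwt_encode` signature that follows continues past the end of this hunk.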
@@ -285,14 +300,32 @@
else
auth_value_method :oauth_jwt_jwe_algorithms_supported, []
auth_value_method :oauth_jwt_jwe_encryption_methods_supported, []
end
+ def key_to_jwk(key)
+ JWT::JWK.new(key)
+ end
+
def jwk_export(key)
- JWT::JWK.new(key).export
+ key_to_jwk(key).export
end
+ def jwk_import(jwk)
+ JWT::JWK.import(jwk)
+ end
+
+ def jwk_key(jwk)
+ jwk = jwk_import(jwk) unless jwk.is_a?(JWT::JWK)
+ jwk.keypair
+ end
+
+ def jwk_thumbprint(jwk)
+ jwk = jwk_import(jwk) if jwk.is_a?(Hash)
+ JWT::JWK::Thumbprint.new(jwk).generate
+ end
+
def jwt_encode(payload,
signing_algorithm: oauth_jwt_keys.keys.first, **)
headers = {}
key = oauth_jwt_keys[signing_algorithm] || _jwt_key
@@ -440,9 +473,17 @@
JWT.decode(token, nil, false)
end
else
# :nocov:
def jwk_export(_key)
+ raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+ end
+
+ def jwk_import(_jwk)
+ raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+ end
+
+ def jwk_thumbprint(_jwk)
raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
end
def jwt_encode(_token)
raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
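Review bot: The fallback branch gains stubs for `jwk_import` and `jwk_thumbprint` but not for `key_to_jwk` and `jwk_key`, both of which the `json-jwt` and `jwt` branches of this diff define; without either gem a call to `jwk_key` fails with a bare `NoMethodError` instead of the descriptive message the other stubs raise. Adding the two missing stubs keeps the fallback interface in step with the concrete branches. The repeated message string could also live in one frozen constant, though that is optional inside a `:nocov:` region. The enclosing `else` branch and the `jwt_encode` stub continue past the end of this hunk.
```ruby
def key_to_jwk(_key)
  raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
end

def jwk_key(_jwk)
  raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
end
# … unchanged: jwk_export, jwk_import, jwk_thumbprint and jwt_encode stubs …
```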