lib/rodauth/features/oidc.rb in rodauth-oauth-1.1.0 vs lib/rodauth/features/oidc.rb in rodauth-oauth-1.2.0
- old
+ new
@@ -66,11 +66,11 @@
depends :account_expiration, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant
auth_value_method :oauth_application_scopes, %w[openid]
%i[
- subject_type application_type sector_identifier_uri
+ subject_type application_type sector_identifier_uri initiate_login_uri
id_token_signed_response_alg id_token_encrypted_response_alg id_token_encrypted_response_enc
userinfo_signed_response_alg userinfo_encrypted_response_alg userinfo_encrypted_response_enc
].each do |column|
auth_value_method :"oauth_applications_#{column}_column", column
end
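Review bot: The new `initiate_login_uri` entry in the column list is only wired up as an `auth_value_method` here; nothing in this hunk shows where the value is validated when a client registers it. OpenID Connect defines initiate_login_uri as an https URL the OP redirects the user agent to, so if the dynamic registration endpoint accepts this field it should reject values that are not absolute https URIs before storing them. I cannot see the registration code in this diff, so this may already be handled elsewhere.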
@@ -110,11 +110,11 @@
oauth_scopes = claims["scope"].split(" ")
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless oauth_scopes.include?("openid")
- account = db[accounts_table].where(account_id_column => claims["sub"]).first
+ account = account_ds(claims["sub"]).first
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless account
oauth_scopes.delete("openid")
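Review bot: The account lookup `account_ds(claims["sub"]).first` still derives the resource owner from the `sub` claim alone, while the grant lookup in the next hunk (`@@ -124`) now derives it through `resource_owner_params_from_jwt_claims(claims)`. If that helper can map claims to something other than the account id column, the two lookups can disagree about whose token this is; building the account filter from the same helper would keep them consistent. Neither helper is visible in this diff, so this is a consistency suggestion rather than a confirmed defect.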
@@ -124,11 +124,11 @@
throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless @oauth_application
oauth_grant = valid_oauth_grant_ds(
oauth_grants_oauth_application_id_column => @oauth_application[oauth_applications_id_column],
- oauth_grants_account_id_column => account[account_id_column]
+ **resource_owner_params_from_jwt_claims(claims)
).first
claims_locales = oauth_grant[oauth_grants_claims_locales_column] if oauth_grant
if (claims = oauth_grant[oauth_grants_claims_column])
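Review bot: `oauth_grant` is guarded on the `claims_locales` line but not on the line after it, so a token whose grant is not matched by the new `resource_owner_params_from_jwt_claims(claims)` filter raises NoMethodError on `oauth_grant[oauth_grants_claims_column]` instead of returning `invalid_token`, unless a guard sits between them that this rendering dropped. Adding `throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless oauth_grant` right after the `.first` would make that failure explicit. The same line also reassigns `claims`, shadowing the JWT claims hash used two lines earlier; a distinct name such as `requested_claims` would avoid the confusion. The enclosing method continues outside the hunk.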
@@ -331,12 +331,13 @@
identifier_uri = identifier_uri.first
end
identifier_uri = URI(identifier_uri).host
- account_id = oauth_grant[oauth_grants_account_id_column]
- Digest::SHA256.hexdigest("#{identifier_uri}#{account_id}#{oauth_jwt_subject_secret}")
+ account_ids = oauth_grant.values_at(oauth_grants_resource_owner_columns)
+ values = [identifier_uri, *account_ids, oauth_jwt_subject_secret]
+ Digest::SHA256.hexdigest(values.join)
else
raise StandardError, "unexpected subject (#{subject_type})"
end
end
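Review bot: `oauth_grant.values_at(oauth_grants_resource_owner_columns)` passes the column list as a single argument; if `oauth_grant` is a Hash and `oauth_grants_resource_owner_columns` is an Array (its plural name and the `**resource_owner_params` splats elsewhere in this diff suggest so), `Hash#values_at` looks the array itself up as one key and returns `[nil]`. The pairwise subject would then be `SHA256(identifier_uri + oauth_jwt_subject_secret)` for every account in that sector, i.e. all users of a client would share one subject identifier. The fix is to splat the list: `account_ids = oauth_grant.values_at(*oauth_grants_resource_owner_columns)`. Separately, `values.join` with no separator keeps the old code's ambiguity at the host/id boundary; changing it would rotate existing identifiers, so that should be a deliberate decision rather than a drive-by fix.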
@@ -432,12 +433,12 @@
create_params.replace(oidc_grant_params.merge(create_params))
super
end
def create_oauth_grant_with_token(create_params = {})
+ create_params.merge!(resource_owner_params)
create_params[oauth_grants_type_column] = "hybrid"
- create_params[oauth_grants_account_id_column] = account_id
create_params[oauth_grants_expires_in_column] = Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_access_token_expires_in)
authorization_code = create_oauth_grant(create_params)
access_token = if oauth_jwt_access_tokens
_generate_jwt_access_token(create_params)
else
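Review bot: `create_params.merge!(resource_owner_params)` lets the resource-owner columns override anything the caller passed in `create_params`, whereas the sibling method ending just above uses `create_params.replace(oidc_grant_params.merge(create_params))`, where caller-supplied keys win over `oidc_grant_params` (which, per the `@@ -689` hunk, also includes `**resource_owner_params`). One precedence should be chosen deliberately for both; the owner-wins order is the safer one, since it prevents a caller-supplied account column from detaching a grant from the authenticated session. That sibling method starts outside the hunk, and `create_oauth_grant_with_token` continues past the end of it.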
@@ -585,18 +586,18 @@
if meth.arity == 2
lambda do |account, param, cl = claims|
additional_info = additional_claims_info[param] || EMPTY_HASH
value = additional_info["value"] || meth[account, param]
value = nil if additional_info["values"] && additional_info["values"].include?(value)
- cl[param] = value if value
+ cl[param] = value unless value.nil?
end
elsif claims_locales.nil?
lambda do |account, param, cl = claims|
additional_info = additional_claims_info[param] || EMPTY_HASH
value = additional_info["value"] || meth[account, param, nil]
value = nil if additional_info["values"] && additional_info["values"].include?(value)
- cl[param] = value if value
+ cl[param] = value unless value.nil?
end
else
lambda do |account, param, cl = claims|
claims_values = claims_locales.map do |locale|
additional_info = additional_claims_info[param] || EMPTY_HASH
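Review bot: Switching the assignment to `unless value.nil?` lets a legitimate `false` claim (for example `email_verified`) through, but the value is still chosen one line earlier with `additional_info["value"] || meth[account, param]`, so a requested `false` in `additional_info["value"]` is dropped and the account method is consulted instead. Using the same nil semantics there, `value = additional_info["value"]` followed by `value = meth[account, param] if value.nil?`, keeps the selection consistent with the new check; the second lambda has the same pattern with `meth[account, param, nil]`. The third lambda beginning at `claims_values = claims_locales.map` runs past the end of the hunk, so I could not confirm it received the same nil-check change.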
@@ -689,10 +690,10 @@
super(response_params, response_mode)
end
def oidc_grant_params
grant_params = {
- oauth_grants_account_id_column => account_id,
+ **resource_owner_params,
oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
}
if (nonce = param_or_nil("nonce"))
grant_params[oauth_grants_nonce_column] = nonce