lib/rodauth/features/oidc.rb in rodauth-oauth-1.3.2 vs lib/rodauth/features/oidc.rb in rodauth-oauth-1.4.0
@@ -49,10 +49,15 @@
request_parameter_supported
request_uri_parameter_supported
require_request_uri_registration
op_policy_uri
op_tos_uri
+ check_session_iframe
+ frontchannel_logout_supported
+ frontchannel_logout_session_supported
+ backchannel_logout_supported
+ backchannel_logout_session_supported
].freeze
REQUIRED_METADATA_KEYS = %i[
issuer
authorization_endpoint
@@ -61,11 +66,11 @@
response_types_supported
subject_types_supported
id_token_signing_alg_values_supported
].freeze
- depends :account_expiration, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant, :oauth_implicit_grant
+ depends :active_sessions, :oauth_jwt, :oauth_jwt_jwks, :oauth_authorization_code_grant, :oauth_implicit_grant
auth_value_method :oauth_application_scopes, %w[openid]
%i[
subject_type application_type sector_identifier_uri initiate_login_uri
@@ -93,11 +98,14 @@
:userinfo_encryption_alg_values_supported,
:userinfo_encryption_enc_values_supported,
:request_object_signing_alg_values_supported,
:request_object_encryption_alg_values_supported,
:request_object_encryption_enc_values_supported,
- :oauth_acr_values_supported,
+ :oauth_acr_values_supported
+ )
+
+ auth_methods(
:get_oidc_account_last_login_at,
:oidc_authorize_on_prompt_none?,
:fill_with_account_claims,
:get_oidc_param,
:get_additional_param,
@@ -220,11 +228,11 @@
end
def current_oauth_account
subject_type = current_oauth_application[oauth_applications_subject_type_column] || oauth_jwt_subject_type
- return super unless subject_type == "pairwise"
+ super unless subject_type == "pairwise"
end
private
if defined?(::I18n)
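Review bot: The rewritten `current_oauth_account` now returns nil implicitly for pairwise subject types and nothing in the method says why; since a pairwise `sub` is a one-way SHA256 digest (see `jwt_subject` further down this diff) the account cannot be recovered from it, and a reader who does not know that will read the bare `super unless …` as a bug. A one-line comment above it would do: `# pairwise subjects are a one-way digest and cannot be mapped back to an account; nil means "unknown"`. It is also worth confirming that every caller tolerates a nil account here rather than failing later with NoMethodError; the callers are not visible in this hunk.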
@@ -339,14 +347,21 @@
super
@acr = try_acr_values
end
def get_oidc_account_last_login_at(account_id)
- get_activity_timestamp(account_id, account_activity_last_activity_column)
+ return get_activity_timestamp(account_id, account_activity_last_activity_column) if features.include?(:account_expiration)
+
+ # active sessions based
+ ds = db[active_sessions_table].where(active_sessions_account_id_column => account_id)
+
+ ds = ds.order(Sequel.desc(active_sessions_created_at_column))
+
+ convert_timestamp(ds.get(active_sessions_created_at_column))
end
- def jwt_subject(oauth_grant, client_application = oauth_application)
+ def jwt_subject(account_unique_id, client_application = oauth_application)
subject_type = client_application[oauth_applications_subject_type_column] || oauth_jwt_subject_type
case subject_type
when "public"
super
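Review bot: The active_sessions fallback in `get_oidc_account_last_login_at` selects the newest session row for the whole account (`order(Sequel.desc(active_sessions_created_at_column))` then `get`), not the session that is authenticating this request, so if this value feeds `auth_time` or `max_age` handling, a fresh login on another device makes an older browser session look recently authenticated. Scoping the query to the current session's row would match what the spec means by authentication time; I believe the active_sessions table carries a session-id column, but the exact column and how the current id is derived are not visible here and need checking. Separately, `ds.get` returns nil when the account has no active session row, and whether `convert_timestamp(nil)` tolerates that cannot be seen from this hunk, so a guard such as `ts = ds.get(active_sessions_created_at_column)` / `ts && convert_timestamp(ts)` keeps the contract explicit. Note also that the retained preferred branch reports account_expiration's last-activity timestamp, which is updated on activity rather than on login, so it overstates how recently the user actually authenticated; that is pre-existing, but worth a comment so nobody treats it as auth_time.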
@@ -366,12 +381,11 @@
identifier_uri = identifier_uri.first
end
identifier_uri = URI(identifier_uri).host
- account_ids = oauth_grant.values_at(oauth_grants_resource_owner_columns)
- values = [identifier_uri, *account_ids, oauth_jwt_subject_secret]
+ values = [identifier_uri, account_unique_id, oauth_jwt_subject_secret]
Digest::SHA256.hexdigest(values.join)
else
raise StandardError, "unexpected subject (#{subject_type})"
end
end
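Review bot: A nil `account_unique_id` on the pairwise branch is folded into the digest input as an empty string by `values.join`, so any caller that passes nil gets the same valid-looking pairwise `sub` for a given sector, shared across accounts; a guard before the digest is cheap: `raise ArgumentError, "account_unique_id is required for pairwise subjects" if account_unique_id.nil?`. The separator-less `join` also makes the digest input ambiguous at the boundaries (a host ending in digits followed by a numeric id), which the old code shared; switching to `values.join("\0")` would fix it but changes every existing pairwise `sub`, so it needs a deliberate migration decision rather than a silent change. The method starts before this hunk.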
@@ -514,10 +528,15 @@
include_claims = true
end
end
- # 5.4 - However, when no Access Token is issued (which is the case for the response_type value id_token),
+ # OpenID Connect Core 1.0's 5.4 Requesting Claims using Scope Values:
+ # If standard claims (profile, email, etc) are requested as scope values in the Authorization Request,
+ # include in the response.
+ include_claims ||= (OIDC_SCOPES_MAP.keys & oauth_scopes).any?
+
+ # However, when no Access Token is issued (which is the case for the response_type value id_token),
# the resulting Claims are returned in the ID Token.
fill_with_account_claims(id_claims, account, oauth_scopes, param_or_nil("claims_locales")) if include_claims
params = {
jwks: oauth_application_jwks(oauth_application),
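Review bot: The new `include_claims ||= (OIDC_SCOPES_MAP.keys & oauth_scopes).any?` puts scope-derived claims (profile, email, …) into the ID Token whenever those scopes are granted, but the comment kept directly below it says Core 5.4 returns them in the ID Token only when no Access Token is issued (`response_type=id_token`); otherwise they belong to the UserInfo response. The condition never looks at the response type, so, as far as this hunk shows, every code and hybrid flow ID Token now carries the user's PII, which widens exposure since ID Tokens are routinely logged and in implicit/hybrid flows travel through the browser. Either gate it on whether an access token is issued — `include_claims ||= !access_token_issued && (OIDC_SCOPES_MAP.keys & oauth_scopes).any?`, using whatever predicate this file has for that — or reword the comment to state that claims are deliberately always included so the two lines stop contradicting each other. The `&` also assumes `OIDC_SCOPES_MAP` keys and `oauth_scopes` share a type (both strings or both symbols), which cannot be confirmed from here. The enclosing method starts before this hunk.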