RubyFlow The Ruby and Rails community linklog


[ANN] rodauth-oauth 1.0.0-beta1 released

rodauth-oauth 1.0.0-beta1 has been released.

rodauth-oauth is a Rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers.

It is as simple as:

    rodauth do
      enable :oauth_authorization_code_grant # or enable :oidc
    end

Among its features, it supports:

  • Authorization Code Grant
  • Refresh Token Grant
  • Implicit Grant
  • Client Credentials Grant
  • Device Code Grant
  • Token Revocation
  • Token Introspection
  • Auth Server Metadata
  • PKCE
  • Resource Indicators
  • JWT Access Tokens
  • Assertion Framework
  • SAML 2.0 Bearer Assertion Grant
  • JWT Bearer Assertion Grant
  • JWT Secured authorization requests
  • Dynamic Client Registration
  • OpenID
  • OpenID Discovery
  • OpenID Multiple Response types
  • OpenID Connect Dynamic Client Registration
  • OpenID Relying Party Initiated Logout

It can also be used with Rails (via the “rodauth-rails” gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

This is the first beta release of v1. Most of the accompanying resources are still version-controlled, among them:

Wiki

In order to access the wiki for v1, you can do the following:

    git clone git@gitlab.com:honeyryderchuck/rodauth-oauth.wiki.git
    cd rodauth-oauth.wiki
    git checkout -b issue-28

and follow the remainder of the instructions here

Example apps

Repo examples: https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/issue-28/examples
Rodauth OAuth Rails example: https://gitlab.com/honeyryderchuck/rodauth-oauth-demo-rails/-/tree/issue-28
Rodauth OAuth Rails Devise example: https://gitlab.com/honeyryderchuck/rodauth-oauth-devise-demo/-/tree/issue-28

Changelog

These are the release notes since the last update:

1.0.0-beta1 (21/10/2022)

Breaking changes

The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the migration guide.

A short list of the main highlights:

  • Ruby 2.5 or higher is required.
  • oauth_http_mac feature removed.
  • oauth_tokens table (and resource) were removed (only oauth_applications and oauth_grants remain; access and refresh tokens are now properties of the latter).
  • access and refresh tokens are hashed by default when stored in the database.
  • default oauth response mode is "form_post".
  • oauth specific features require explicit enablement of the respective features (no more enable :oauth).
  • refresh token policy is “rotation” by default.

Features

The following helpers are exposed in the rodauth object:

  • current_oauth_account - returns the dataset row for the rodauth account associated with the oauth access token in the “authorization” header.
  • current_oauth_application - returns the dataset row for the oauth application associated with the oauth access token in the “authorization” header.

When used in rails via rodauth-rails, both are exposed directly as controller helpers.

oauth_resource_server plugin

This plugin can be used as a convenience when configuring resource servers.

Improvements

  • :oauth_introspect plugin: OAuth introspection endpoint exposes the token’s "username" claim.
  • endpoint client authentication supports “client credentials grant” access tokens.
Bugfixes

  • fixed oidc calculation of "auth_time" claim.
0.10.4 (18/09/2022)

Bugfixes

  • refresh token lookups are now scoped by application.

This bug meant that lookups of a refresh token via the refresh token grant were not scoped by the application identified by the /token request credentials, so grant hijacking could happen in theory, if attackers knew of existing refresh tokens.

The same issue was observed (and fixed) for token revocation (this time involving the access token).
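The scoping fix described above, as an added example that is not part of the original post or of rodauth-oauth's own code: a constructed in-memory stand-in for the oauth_grants table (tokens stored hashed, as the 1.0 release does by default), with the unscoped lookup beside the application-scoped one that the /token handler must use.

```ruby
require "digest"

# Constructed sample data standing in for the oauth_grants table (example only).
# Refresh tokens are stored as SHA-256 digests, never in the clear.
GRANTS = [
  { id: 1, oauth_application_id: 10, account_id: 100,
    refresh_token: Digest::SHA256.hexdigest("rt-app10-alice") },
  { id: 2, oauth_application_id: 20, account_id: 200,
    refresh_token: Digest::SHA256.hexdigest("rt-app20-bob") },
].freeze

def hash_token(token)
  Digest::SHA256.hexdigest(token)
end

# Pre-0.10.4 behaviour: the grant is matched on the token alone, so any
# authenticated client can redeem a refresh token issued to another client.
def find_grant_unscoped(refresh_token)
  digest = hash_token(refresh_token)
  GRANTS.find { |g| g[:refresh_token] == digest }
end

# Fixed behaviour: the grant must also belong to the application that
# authenticated on the /token request.
def find_grant_scoped(application_id, refresh_token)
  digest = hash_token(refresh_token)
  GRANTS.find do |g|
    g[:oauth_application_id] == application_id && g[:refresh_token] == digest
  end
end

# Simulated refresh-token grant: returns the account id a new access token
# would be issued for, or nil when the request has to be rejected.
def refresh_token_grant(application_id, refresh_token, scoped: true)
  grant = scoped ? find_grant_scoped(application_id, refresh_token)
                 : find_grant_unscoped(refresh_token)
  grant && grant[:account_id]
end

if __FILE__ == $PROGRAM_NAME
  # Client 20 presents a refresh token that was issued to client 10.
  puts "unscoped: #{refresh_token_grant(20, 'rt-app10-alice', scoped: false).inspect}" # 100: wrong client served
  puts "scoped:   #{refresh_token_grant(20, 'rt-app10-alice').inspect}"                # nil: rejected
  puts "owner:    #{refresh_token_grant(10, 'rt-app10-alice').inspect}"                # 100
end
```

The same scoping applies to the revocation endpoint mentioned above: the token being revoked should be looked up together with the client that authenticated the request.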

  • Fix for a case which made resource indicators unusable under Rack 3.0.

0.10.3 (29/08/2022)

Features

The oauth_token_subject rodauth function is introduced. It returns the grant subject (usually the user account id, but in some cases, such as the client credentials grant, returns the oauth application id).

It still has a few rough edges, but in version 1.0, this will be the main function to use to get the associated grant owner from a given token.

Bugfixes

  • oauth applications management: fixed labels usage in default rails oauth applications list template.
  • introspection requests were discarding the path of the authorization_server_url (only taking the origin). That has been fixed now.

0.10.2 (11/08/2022)

Bugfixes

  • application description column null-constraint was still set to false in most scripts and migration cookbooks, although it’s not a mandatory requirement anymore.

0.10.1 (20/06/2022)

Bugfixes

  • refresh token grant logic wasn’t scoping the token to be revoked/retokened, which was a bug introduced in a recent refactoring (commit 83e3f183f6c9941d37c8fe8cfd3fc258ab9c576a).
