Dan Milne
b7fa49953c
Revoke full token chain on OIDC authorization-code replay
...
The replay handler previously used a created_at time-range filter to
target access tokens and called update_all(expires_at:), which left
revoked_at nil, skipped refresh tokens entirely, and could miss or
falsely catch tokens from concurrent flows. Add an oidc_authorization_code
FK on both token tables, carry it through refresh-token rotation, and
use the association to revoke every descendant via revoke! (which sets
revoked_at and cascades access -> refresh).
Co-Authored-By: Claude Opus 4 <noreply@anthropic.com >
2026-04-20 17:39:08 +10:00
Dan Milne
b7dd3c02e7
Extract client_id and redirect_uri validation into before_actions
...
The authorize action opened with ~55 lines of parameter validation that
ran before any business logic. Move the two RFC 6749 §4.1.2.1 checks
(client_id lookup, redirect_uri registration) into set_application and
validate_redirect_uri before_actions. The action body now starts at the
point where errors may legitimately redirect back to the client.
Co-Authored-By: Claude Opus 4 <noreply@anthropic.com >
2026-04-20 17:29:36 +10:00
Dan Milne
17a464fd15
Fix OIDC claims validation against undefined scopes variable
...
The authorize action called validate_claims_against_scopes with
requested_scopes before that local was assigned (assignment was ~100
lines later), raising NameError whenever a client passed a claims=
parameter. Move the scope normalization above the claims validation.
Co-Authored-By: Claude Opus 4 <noreply@anthropic.com >
2026-04-20 17:26:46 +10:00
Dan Milne
2235924f37
Harden OIDC, add SVG sanitization, improve form UX and security defaults
...
Remove PKCE plain method support (S256 only), enforce openid scope requirement,
filter to supported scopes, strip reserved claims from custom claims as
defense-in-depth, sanitize SVG icons with Loofah, add global input padding,
switch session cookies to SameSite=Lax, use Session.active scope, and remove
unsafe-eval from CSP.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-04-06 21:06:51 +10:00
Dan Milne
444ae6291c
Add missing files, fix formatting
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 23:34:11 +11:00
Dan Milne
5268f10eb3
Don't allow claim escalation
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 16:40:11 +11:00
Dan Milne
46ae65f4d2
Move the 'remove_query_param' to the application controller
2026-01-05 13:03:03 +11:00
Dan Milne
95d0d844e9
Add a method to remove parameters from urls, so we can redirect without risk of infinite redirect. Fix a bunch of redirects to login afer being foced to log out. Add missing migrations
2026-01-05 13:01:32 +11:00
Dan Milne
074a734c0c
Accidentally added skip-consent to this branch
2026-01-05 12:01:04 +11:00
Dan Milne
4a48012a82
Add claims support
2026-01-05 12:00:29 +11:00
Dan Milne
e631f606e7
Better error messages
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-03 12:29:27 +11:00
Dan Milne
f4a697ae9b
More OpenID Conformance test fixes - work with POST, correct auth code character set, correct no-store cache headers
2026-01-03 12:28:43 +11:00
Dan Milne
16e34ffaf0
Updates for oidc conformance
2026-01-03 10:11:10 +11:00
Dan Milne
0bb84f08d6
OpenID conformance test: we get a warning for not having a value for every claim. But we can explictly list support claims. Nothing we can do about a warning in the complience.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 16:35:12 +11:00
Dan Milne
182682024d
OpenID Conformance: Include all required scopes when profile is requested, even if they're empty
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:47:40 +11:00
Dan Milne
b517ebe809
OpenID conformance test: Allow posting the access token in the body for userinfo endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:41:07 +11:00
Dan Milne
dd8bd15a76
CSRF issue with API endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:29:34 +11:00
Dan Milne
f67a73821c
OpenID Conformance: user info endpoint should support get and post requets, not just get
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:26:39 +11:00
Dan Milne
b09ddf6db5
OpenID Conformance: We need to return to the redirect_uri in the case of errors.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:12:55 +11:00
Dan Milne
abbb11a41d
Return only scopes requested, add tests ( OpenID conformance test )
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 14:55:06 +11:00
Dan Milne
93a0edb0a2
StandardRB fixes
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 13:29:44 +11:00
Dan Milne
e36a9a781a
Add new claims to the discovery endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-31 17:27:28 +11:00
Dan Milne
d036e25fef
Add auth_time, acr and azp support for OIDC claims
2025-12-31 17:07:54 +11:00
Dan Milne
fcdd2b6de7
Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens.
2025-12-31 16:57:28 +11:00
Dan Milne
3939ea773f
We already have a login_time stored - the time stamp of the Session instance creation ( created after successful login ).
2025-12-31 16:45:45 +11:00
Dan Milne
4b4afe277e
Include auth_time in ID token. Switch from upsert -> find_and_create_by so we actually get sid values for consent on the creation of the record
2025-12-31 16:36:32 +11:00
Dan Milne
7c6ae7ab7e
Store only HMAC'd Auth codes, rather than plain text auth codes.
2025-12-31 15:00:00 +11:00
Dan Milne
ed7ceedef5
Include the hash of the access token in the JWT / ID Token under the key at_hash as per the requirements. Update the discovery endpoint to describe subject_type as 'pairwise', rather than 'public', since we do pairwise subject ids.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-31 14:45:38 +11:00
Dan Milne
40815d3576
Use SolidQueue in production. Use the find_by_token method, rather than iterating over refresh tokens, as we already fixed for tokens
2025-12-31 14:32:34 +11:00
Dan Milne
bb5aa2e6d6
Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation
2025-12-31 10:33:56 +11:00
Dan Milne
cc7beba9de
PKCE is now default enabled. You can now create public / no-secret apps OIDC apps
2025-12-31 09:22:18 +11:00
Dan Milne
acab15ce30
Fix more tests
2025-12-29 18:48:41 +11:00
Dan Milne
5b9d15584a
Add more rate limiting, and more restrictive headers
2025-12-29 13:29:14 +11:00
Dan Milne
f8543f98cc
Add a subdirectory for active storage
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-27 19:12:09 +11:00
Dan Milne
6be23c2c37
Add backchannel logout, per application logout.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-27 16:38:27 +11:00
Dan Milne
d6029556d3
Add OIDC fixes, add prefered_username, add application-user claims
2025-11-25 16:29:40 +11:00
Dan Milne
7796c38c08
Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-23 11:16:06 +11:00
Dan Milne
e882a4d6d1
More complete oidc
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-18 20:03:03 +11:00
Dan Milne
1ee3302319
Improvements derived from rodauth-oauth
2025-11-12 22:17:55 +11:00
Dan Milne
67f28faaca
Improve some front end views. More descriptive error condition reporting. Updates to CLINCH_HOST for better WEBAUTHN
2025-11-12 16:24:05 +11:00
Dan Milne
11ec753c68
Bump up the forward auth token ttl, fix leaking of error data
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-09 12:27:53 +11:00
Dan Milne
4df2eee4d9
Bug fix for domain names with empty string instead of null. Form errors and some security fixes
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-09 12:22:41 +11:00
Dan Milne
d9f11abbbf
Fixes for OIDC and HTML
2025-11-09 12:04:26 +11:00
Dan Milne
c92e69fa4a
Add PCKE
2025-11-09 11:54:45 +11:00
Dan Milne
19bfc21f11
Move sessions into their own view for easier management
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-04 15:19:39 +11:00
Dan Milne
ef15db77f9
Massive refactor. Merge forward_auth into App, remove references to unimplemented OIDC federation and SAML features. Add group and user custom claims. Groups now allocate which apps a user can use
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-04 13:21:55 +11:00
Dan Milne
e36850f8ba
Bug fix
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-24 17:07:12 +11:00
Dan Milne
0af3dbefed
Remember that we concented.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-24 17:01:03 +11:00
Dan Milne
d6c24e50df
Whoops - add oidc logout
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-24 16:47:55 +11:00
Dan Milne
8c80343b89
Add nonce to the auth codes
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-24 16:34:38 +11:00
