dkam/clinch
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dkam:5137a25626cb2d08e697a611143a397a4dc847dc
Branches Tags
dkam:main dkam:feature/enhance-jwt
dkam:0.8.6 dkam:2026.01 dkam:2025.03 dkam:0.5.0 dkam:2025.02 dkam:2025.01
...
compare: dkam:main
Branches Tags
dkam:main dkam:feature/enhance-jwt
dkam:0.8.6 dkam:2026.01 dkam:2025.03 dkam:0.5.0 dkam:2025.02 dkam:2025.01

31 Commits
5137a25626 ... main

Author SHA1 Message Date
Dan Milne
444ae6291c Add missing files, fix formatting
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-05 23:34:11 +11:00
Dan Milne
233fb723d5 More accurate language around passing the OpenID Conformance tests
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-05 23:32:34 +11:00
Dan Milne
cc6d4fcc65 Add test files, update checklist
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-05 23:28:55 +11:00
Dan Milne
5268f10eb3 Don't allow claim escalation
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-05 16:40:11 +11:00
Dan Milne
5c5662eaab Expose 'username' via forward auth headers 2026-01-05 15:12:24 +11:00
Dan Milne
27d77ebf47 Expose 'username' via forward auth headers 2026-01-05 15:12:02 +11:00
Dan Milne
ba08158c85 Bug fix for background jobs 2026-01-05 14:43:06 +11:00
Dan Milne
a6480b0860 Verion Bump
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-05 13:08:22 +11:00
Dan Milne
75cc223329 303 is the correct response 2026-01-05 13:05:24 +11:00
Dan Milne
46ae65f4d2 Move the 'remove_query_param' to the application controller 2026-01-05 13:03:03 +11:00
Dan Milne
95d0d844e9 Add a method to remove parameters from urls, so we can redirect without risk of infinite redirect. Fix a bunch of redirects to login afer being foced to log out. Add missing migrations 2026-01-05 13:01:32 +11:00
Dan Milne
524a7719c3 Merge branch 'main' into feature/claims 2026-01-05 12:11:53 +11:00
Dan Milne
8110d547dd Fix bug with session deletion when logout forced and we have a redirect to follow 2026-01-05 12:11:52 +11:00
Dan Milne
25e1043312 Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10days for example. 2026-01-05 12:03:01 +11:00
Dan Milne
074a734c0c Accidentally added skip-consent to this branch 2026-01-05 12:01:04 +11:00
Dan Milne
4a48012a82 Add claims support 2026-01-05 12:00:29 +11:00
Dan Milne
e631f606e7 Better error messages
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-03 12:29:27 +11:00
Dan Milne
f4a697ae9b More OpenID Conformance test fixes - work with POST, correct auth code character set, correct no-store cache headers 2026-01-03 12:28:43 +11:00
Dan Milne
16e34ffaf0 Updates for oidc conformance 2026-01-03 10:11:10 +11:00
Dan Milne
0bb84f08d6 OpenID conformance test: we get a warning for not having a value for every claim. But we can explictly list support claims. Nothing we can do about a warning in the complience.
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 16:35:12 +11:00
Dan Milne
182682024d OpenID Conformance: Include all required scopes when profile is requested, even if they're empty
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:47:40 +11:00
Dan Milne
b517ebe809 OpenID conformance test: Allow posting the access token in the body for userinfo endpoint
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:41:07 +11:00
Dan Milne
dd8bd15a76 CSRF issue with API endpoint
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:29:34 +11:00
Dan Milne
f67a73821c OpenID Conformance: user info endpoint should support get and post requets, not just get
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:26:39 +11:00
Dan Milne
b09ddf6db5 OpenID Conformance: We need to return to the redirect_uri in the case of errors.
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:12:55 +11:00
Dan Milne
abbb11a41d Return only scopes requested, add tests ( OpenID conformance test )
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 14:55:06 +11:00
Dan Milne
b2030df8c2 Return only scopes requested ( OpenID conformance test. Update README 2026-01-02 14:05:54 +11:00
Dan Milne
07cddf5823 Version bump
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 12:57:28 +11:00
Dan Milne
46aa983189 Don't use secret scanner for trivy - github already does it and it's hard to ignore the test key
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 12:56:03 +11:00
Dan Milne
d0d79ee1da Try ignore capybara's test tripping trivy
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 12:52:24 +11:00
Dan Milne
2f6a2c7406 Update ruby 3.4.6 -> 3.4.7. Update gems. Add trivy scanning and ignore unfixable Debian CVEs. Ignore a test fixture key for Capybara
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 12:48:40 +11:00
43 changed files with 2387 additions and 233 deletions
Expand all files Collapse all files

28
.github/workflows/ci.yml vendored
View File

@@ -41,6 +41,34 @@ jobs:
- name: Scan for security vulnerabilities in JavaScript dependencies
run: bin/importmap audit
scan_container:
runs-on: ubuntu-latest
permissions:
security-events: write # Required for uploading SARIF results
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Build Docker image
run: docker build -t clinch:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: clinch:${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
scanners: 'vuln' # Only scan vulnerabilities, not secrets (avoids false positives in vendored gems)
- name: Upload Trivy results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
lint:
runs-on: ubuntu-latest
steps:

2
.ruby-version
View File

@@ -1 +1 @@
3.4.6
3.4.8

48
.trivyignore Normal file
View File

@@ -0,0 +1,48 @@
# Trivy ignore file
# This file tells Trivy to skip specific vulnerabilities or files
# See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
# =============================================================================
# False Positives - Test Fixtures
# =============================================================================
# Capybara test fixture - not a real private key
# Ignore secrets in test fixtures
# Format: secret:<rule-id>:<exact-file-path>
secret:private-key:/usr/local/bundle/ruby/3.4.0/gems/capybara-3.40.0/spec/fixtures/key.pem
# =============================================================================
# Unfixable CVEs - No Patches Available (Status: affected/fix_deferred)
# =============================================================================
# GnuPG vulnerabilities - not used by Clinch at runtime
# Low risk: dirmngr/gpg tools not invoked during normal operation
CVE-2025-68973
# Image processing library vulnerabilities
# Low risk for Clinch: Only admins upload images (app icons), not untrusted users
# Waiting on Debian security team to release patches
# ImageMagick - Integer overflow (32-bit only)
CVE-2025-66628
# glib - Integer overflow in URI escaping
CVE-2025-13601
# HDF5 - Critical vulnerabilities in scientific data format library
CVE-2025-2153
CVE-2025-2308
CVE-2025-2309
CVE-2025-2310
# libmatio - MATLAB file format library
CVE-2025-2338
# OpenEXR - Image format vulnerabilities
CVE-2025-12495
CVE-2025-12839
CVE-2025-12840
CVE-2025-64181
# libvips - Image processing library
CVE-2025-59933

5
Dockerfile
View File

@@ -8,7 +8,7 @@
# For a containerized dev environment, see Dev Containers: https://guides.rubyonrails.org/getting_started_with_devcontainer.html
# Make sure RUBY_VERSION matches the Ruby version in .ruby-version
ARG RUBY_VERSION=3.4.6
ARG RUBY_VERSION=3.4.8
FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base
LABEL org.opencontainers.image.source=https://github.com/dkam/clinch
@@ -16,8 +16,9 @@ LABEL org.opencontainers.image.source=https://github.com/dkam/clinch
# Rails app lives here
WORKDIR /rails
# Install base packages
# Install base packages and upgrade to latest security patches
RUN apt-get update -qq && \
apt-get upgrade -y && \
apt-get install --no-install-recommends -y curl libjemalloc2 libvips sqlite3 && \
ln -s /usr/lib/$(uname -m)-linux-gnu/libjemalloc.so.2 /usr/local/lib/libjemalloc.so && \
rm -rf /var/lib/apt/lists /var/cache/apt/archives

3
Gemfile
View File

@@ -90,4 +90,7 @@ group :test do
# Code coverage analysis
gem "simplecov", require: false
# Pin minitest to < 6.0 until Rails 8.1 supports the new API
gem "minitest", "< 6.0"
end

131
Gemfile.lock
View File

@@ -1,7 +1,7 @@
GEM
remote: https://rubygems.org/
specs:
action_text-trix (2.1.15)
action_text-trix (2.1.16)
railties
actioncable (8.1.1)
actionpack (= 8.1.1)
@@ -80,14 +80,14 @@ GEM
android_key_attestation (0.3.0)
ast (2.4.3)
base64 (0.3.0)
bcrypt (3.1.20)
bcrypt_pbkdf (1.1.1)
bigdecimal (3.3.1)
bcrypt (3.1.21)
bcrypt_pbkdf (1.1.2)
bigdecimal (4.0.1)
bindata (2.5.1)
bindex (0.8.1)
bootsnap (1.19.0)
bootsnap (1.20.1)
msgpack (~> 1.2)
brakeman (7.1.1)
brakeman (7.1.2)
racc
builder (3.3.0)
bundler-audit (0.9.3)
@@ -106,37 +106,37 @@ GEM
childprocess (5.1.0)
logger (~> 1.5)
chunky_png (1.4.0)
concurrent-ruby (1.3.5)
connection_pool (2.5.5)
concurrent-ruby (1.3.6)
connection_pool (3.0.2)
cose (1.3.1)
cbor (~> 0.5.9)
openssl-signature_algorithm (~> 1.0)
crass (1.0.6)
date (3.5.0)
debug (1.11.0)
date (3.5.1)
debug (1.11.1)
irb (~> 1.10)
reline (>= 0.3.8)
docile (1.4.1)
dotenv (3.1.8)
dotenv (3.2.0)
drb (2.2.3)
ed25519 (1.4.0)
erb (6.0.0)
erb (6.0.1)
erubi (1.13.1)
et-orbi (1.4.0)
tzinfo
ffi (1.17.2-aarch64-linux-gnu)
ffi (1.17.2-aarch64-linux-musl)
ffi (1.17.2-arm-linux-gnu)
ffi (1.17.2-arm-linux-musl)
ffi (1.17.2-arm64-darwin)
ffi (1.17.2-x86_64-linux-gnu)
ffi (1.17.2-x86_64-linux-musl)
ffi (1.17.3-aarch64-linux-gnu)
ffi (1.17.3-aarch64-linux-musl)
ffi (1.17.3-arm-linux-gnu)
ffi (1.17.3-arm-linux-musl)
ffi (1.17.3-arm64-darwin)
ffi (1.17.3-x86_64-linux-gnu)
ffi (1.17.3-x86_64-linux-musl)
fugit (1.12.1)
et-orbi (~> 1.4)
raabro (~> 1.4)
globalid (1.3.0)
activesupport (>= 6.1)
i18n (1.14.7)
i18n (1.14.8)
concurrent-ruby (~> 1.0)
image_processing (1.14.0)
mini_magick (>= 4.9.5, < 6)
@@ -145,18 +145,18 @@ GEM
actionpack (>= 6.0.0)
activesupport (>= 6.0.0)
railties (>= 6.0.0)
io-console (0.8.1)
irb (1.15.3)
io-console (0.8.2)
irb (1.16.0)
pp (>= 0.6.0)
rdoc (>= 4.0.0)
reline (>= 0.4.2)
jbuilder (2.14.1)
actionview (>= 7.0.0)
activesupport (>= 7.0.0)
json (2.16.0)
json (2.18.0)
jwt (3.1.2)
base64
kamal (2.9.0)
kamal (2.10.1)
activesupport (>= 7.0)
base64 (~> 0.2)
bcrypt_pbkdf (~> 1.0)
@@ -176,7 +176,7 @@ GEM
launchy (>= 2.2, < 4)
lint_roller (1.1.0)
logger (1.7.0)
loofah (2.24.1)
loofah (2.25.0)
crass (~> 1.0.2)
nokogiri (>= 1.12.0)
mail (2.9.0)
@@ -190,9 +190,9 @@ GEM
mini_magick (5.3.1)
logger
mini_mime (1.1.5)
minitest (5.26.2)
minitest (5.27.0)
msgpack (1.8.0)
net-imap (0.5.12)
net-imap (0.6.2)
date
net-protocol
net-pop (0.1.2)
@@ -207,21 +207,21 @@ GEM
net-protocol
net-ssh (7.3.0)
nio4r (2.7.5)
nokogiri (1.18.10-aarch64-linux-gnu)
nokogiri (1.19.0-aarch64-linux-gnu)
racc (~> 1.4)
nokogiri (1.18.10-aarch64-linux-musl)
nokogiri (1.19.0-aarch64-linux-musl)
racc (~> 1.4)
nokogiri (1.18.10-arm-linux-gnu)
nokogiri (1.19.0-arm-linux-gnu)
racc (~> 1.4)
nokogiri (1.18.10-arm-linux-musl)
nokogiri (1.19.0-arm-linux-musl)
racc (~> 1.4)
nokogiri (1.18.10-arm64-darwin)
nokogiri (1.19.0-arm64-darwin)
racc (~> 1.4)
nokogiri (1.18.10-x86_64-linux-gnu)
nokogiri (1.19.0-x86_64-linux-gnu)
racc (~> 1.4)
nokogiri (1.18.10-x86_64-linux-musl)
nokogiri (1.19.0-x86_64-linux-musl)
racc (~> 1.4)
openssl (3.3.2)
openssl (4.0.0)
openssl-signature_algorithm (1.3.0)
openssl (> 2.0)
ostruct (0.6.3)
@@ -232,12 +232,12 @@ GEM
pp (0.6.3)
prettyprint
prettyprint (0.2.0)
prism (1.6.0)
prism (1.7.0)
propshaft (1.3.1)
actionpack (>= 7.0.0)
activesupport (>= 7.0.0)
rack
psych (5.2.6)
psych (5.3.1)
date
stringio
public_suffix (7.0.0)
@@ -251,7 +251,7 @@ GEM
rack (>= 3.0.0)
rack-test (2.2.0)
rack (>= 1.3)
rackup (2.2.1)
rackup (2.3.1)
rack (>= 3)
rails (8.1.1)
actioncable (= 8.1.1)
@@ -285,7 +285,7 @@ GEM
zeitwerk (~> 2.6)
rainbow (3.1.1)
rake (13.3.1)
rdoc (6.16.1)
rdoc (7.0.3)
erb
psych (>= 4.0.0)
tsort
@@ -309,22 +309,22 @@ GEM
rubocop-ast (>= 1.47.1, < 2.0)
ruby-progressbar (~> 1.7)
unicode-display_width (>= 2.4.0, < 4.0)
rubocop-ast (1.48.0)
rubocop-ast (1.49.0)
parser (>= 3.3.7.2)
prism (~> 1.4)
prism (~> 1.7)
rubocop-performance (1.26.1)
lint_roller (~> 1.1)
rubocop (>= 1.75.0, < 2.0)
rubocop-ast (>= 1.47.1, < 2.0)
ruby-progressbar (1.13.0)
ruby-vips (2.2.5)
ruby-vips (2.3.0)
ffi (~> 1.12)
logger
rubyzip (3.2.2)
safety_net_attestation (0.5.0)
jwt (>= 2.0, < 4.0)
securerandom (0.4.1)
selenium-webdriver (4.38.0)
selenium-webdriver (4.39.0)
base64 (~> 0.2)
logger (~> 1.4)
rexml (~> 3.2, >= 3.2.5)
@@ -358,14 +358,14 @@ GEM
fugit (~> 1.11)
railties (>= 7.1)
thor (>= 1.3.1)
sqlite3 (2.8.1-aarch64-linux-gnu)
sqlite3 (2.8.1-aarch64-linux-musl)
sqlite3 (2.8.1-arm-linux-gnu)
sqlite3 (2.8.1-arm-linux-musl)
sqlite3 (2.8.1-arm64-darwin)
sqlite3 (2.8.1-x86_64-linux-gnu)
sqlite3 (2.8.1-x86_64-linux-musl)
sshkit (1.24.0)
sqlite3 (2.9.0-aarch64-linux-gnu)
sqlite3 (2.9.0-aarch64-linux-musl)
sqlite3 (2.9.0-arm-linux-gnu)
sqlite3 (2.9.0-arm-linux-musl)
sqlite3 (2.9.0-arm64-darwin)
sqlite3 (2.9.0-x86_64-linux-gnu)
sqlite3 (2.9.0-x86_64-linux-musl)
sshkit (1.25.0)
base64
logger
net-scp (>= 1.1.2)
@@ -386,22 +386,22 @@ GEM
rubocop-performance (~> 1.26.0)
stimulus-rails (1.3.4)
railties (>= 6.0.0)
stringio (3.1.8)
stringio (3.2.0)
tailwindcss-rails (4.4.0)
railties (>= 7.0.0)
tailwindcss-ruby (~> 4.0)
tailwindcss-ruby (4.1.16)
tailwindcss-ruby (4.1.16-aarch64-linux-gnu)
tailwindcss-ruby (4.1.16-aarch64-linux-musl)
tailwindcss-ruby (4.1.16-arm64-darwin)
tailwindcss-ruby (4.1.16-x86_64-linux-gnu)
tailwindcss-ruby (4.1.16-x86_64-linux-musl)
tailwindcss-ruby (4.1.18)
tailwindcss-ruby (4.1.18-aarch64-linux-gnu)
tailwindcss-ruby (4.1.18-aarch64-linux-musl)
tailwindcss-ruby (4.1.18-arm64-darwin)
tailwindcss-ruby (4.1.18-x86_64-linux-gnu)
tailwindcss-ruby (4.1.18-x86_64-linux-musl)
thor (1.4.0)
thruster (0.1.16)
thruster (0.1.16-aarch64-linux)
thruster (0.1.16-arm64-darwin)
thruster (0.1.16-x86_64-linux)
timeout (0.4.4)
thruster (0.1.17)
thruster (0.1.17-aarch64-linux)
thruster (0.1.17-arm64-darwin)
thruster (0.1.17-x86_64-linux)
timeout (0.6.0)
tpm-key_attestation (0.14.1)
bindata (~> 2.4)
openssl (> 2.0)
@@ -437,7 +437,7 @@ GEM
websocket-extensions (0.1.5)
xpath (3.2.0)
nokogiri (~> 1.8)
zeitwerk (2.7.3)
zeitwerk (2.7.4)
PLATFORMS
aarch64-linux
@@ -463,6 +463,7 @@ DEPENDENCIES
jwt (~> 3.1)
kamal
letter_opener
minitest (< 6.0)
propshaft
public_suffix (~> 7.0)
puma (>= 5.0)
@@ -487,4 +488,4 @@ DEPENDENCIES
webauthn (~> 3.0)
BUNDLED WITH
2.7.2
4.0.3

57
README.md
View File

@@ -1,7 +1,9 @@
# Clinch
## Position and Control for your Authentication
> [!NOTE]
> This software is experimental. If you'd like to try it out, find bugs, security flaws and improvements, please do.
> This software is experimental. If you'd like to try it out, find bugs, security flaws and improvements, please do.
We do these things not because they're easy, but because we thought they'd be easy.
**A lightweight, self-hosted identity & SSO / IpD portal**
@@ -73,6 +75,9 @@ Apps that speak OIDC use the OIDC flow.
Apps that only need "who is it?", or you want available from the internet behind authentication (MeTube, Jellyfin) use ForwardAuth.
#### OpenID Connect (OIDC)
**[OpenID Connect Conformance](https://www.certification.openid.net/plan-detail.html?plan=FbQNTJuYVzrzs&public=true)** - Clinch passes the official OpenID Connect conformance tests (valid as of [v0.8.6](https://github.com/dkam/clinch/releases/tag/0.8.6)).
Standard OAuth2/OIDC provider with endpoints:
- `/.well-known/openid-configuration` - Discovery endpoint
- `/authorize` - Authorization endpoint with PKCE support
@@ -347,27 +352,39 @@ services:
Create a `.env` file in the same directory:
```bash
# Generate with: openssl rand -hex 64
SECRET_KEY_BASE=your-secret-key-here
**Generate required secrets first:**
# Application URLs
```bash
# Generate SECRET_KEY_BASE (required)
openssl rand -hex 64
# Generate OIDC private key (optional - auto-generated if not provided)
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
cat private_key.pem # Copy the output into OIDC_PRIVATE_KEY below
```
**Then create `.env`:**
```bash
# Rails Secret (REQUIRED)
SECRET_KEY_BASE=paste-output-from-openssl-rand-hex-64-here
# Application URLs (REQUIRED)
CLINCH_HOST=https://auth.yourdomain.com
CLINCH_FROM_EMAIL=noreply@yourdomain.com
# SMTP Settings
# SMTP Settings (REQUIRED for invitations and password resets)
SMTP_ADDRESS=smtp.example.com
SMTP_PORT=587
SMTP_DOMAIN=yourdomain.com
SMTP_USERNAME=your-smtp-username
SMTP_PASSWORD=your-smtp-password
# OIDC (optional - generates temporary key if not set)
# Generate with: openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
# Then: OIDC_PRIVATE_KEY=$(cat private_key.pem)
# OIDC Private Key (OPTIONAL - generates temporary key if not provided)
# For production, generate a persistent key and paste the ENTIRE contents here
OIDC_PRIVATE_KEY=
# Optional: Force SSL redirects (if not behind a reverse proxy handling SSL)
# Optional: Force SSL redirects (only if NOT behind a reverse proxy handling SSL)
FORCE_SSL=false
```
@@ -715,12 +732,30 @@ bin/bundler-audit check --update # Dependency vulnerability scan
bin/importmap audit # JavaScript dependency scan
```
**Container Image Scanning:**
```bash
# Install Trivy
brew install trivy # macOS
# or use Docker: alias trivy='docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy'
# Build and scan image (CRITICAL and HIGH severity only, like CI)
docker build -t clinch:local .
trivy image --severity CRITICAL,HIGH --scanners vuln clinch:local
# Scan only for fixable vulnerabilities
trivy image --severity CRITICAL,HIGH --scanners vuln --ignore-unfixed clinch:local
```
**CI/CD Integration:**
All security scans run automatically on every pull request and push to main via GitHub Actions.
**Security Tools:**
- **Brakeman** - Static analysis for Rails security vulnerabilities
- **bundler-audit** - Checks gems for known CVEs
- **Trivy** - Container image vulnerability scanning (OS/system packages)
- **Dependabot** - Automated dependency updates
- **GitHub Secret Scanning** - Detects leaked credentials with push protection
- **SimpleCov** - Code coverage tracking
- **RuboCop** - Code style and quality enforcement

2
app/controllers/active_sessions_controller.rb
View File

@@ -71,7 +71,7 @@ class ActiveSessionsController < ApplicationController
Rails.logger.info "ActiveSessionsController: Logged out from #{application.name} - revoked #{revoked_access_tokens} access tokens and #{revoked_refresh_tokens} refresh tokens"
# Keep the consent intact - this is the key difference from revoke_consent
redirect_to root_path, notice: "Successfully logged out of #{application.name}."
redirect_to root_path, notice: "Revoked access tokens for #{application.name}. Re-authentication will be required on next use."
end
def revoke_all_consents

2
app/controllers/admin/applications_controller.rb
View File

@@ -104,7 +104,7 @@ module Admin
permitted = params.require(:application).permit(
:name, :slug, :app_type, :active, :redirect_uris, :description, :metadata,
:domain_pattern, :landing_url, :access_token_ttl, :refresh_token_ttl, :id_token_ttl,
:icon, :backchannel_logout_uri, :is_public_client, :require_pkce
:icon, :backchannel_logout_uri, :is_public_client, :require_pkce, :skip_consent
)
# Handle headers_config - it comes as a JSON string from the text area

2
app/controllers/api/forward_auth_controller.rb
View File

@@ -88,6 +88,8 @@ module Api
case key
when :user, :email, :name
[header_name, user.email_address]
when :username
[header_name, user.username] if user.username.present?
when :groups
user.groups.any? ? [header_name, user.groups.pluck(:name).join(",")] : nil
when :admin

29
app/controllers/application_controller.rb
View File

@@ -9,4 +9,33 @@ class ApplicationController < ActionController::Base
# CSRF protection
protect_from_forgery with: :exception
helper_method :remove_query_param
private
# Remove a query parameter from a URL using proper URI parsing
# More robust than regex - handles URL encoding, edge cases, etc.
#
# @param url [String] The URL to modify
# @param param_name [String] The query parameter name to remove
# @return [String] The URL with the parameter removed
#
# @example
# remove_query_param("https://example.com?foo=bar&baz=qux", "foo")
# # => "https://example.com?baz=qux"
def remove_query_param(url, param_name)
uri = URI.parse(url)
return url unless uri.query
# Parse query string into hash
params = CGI.parse(uri.query)
params.delete(param_name)
# Rebuild query string (empty string if no params left)
uri.query = params.any? ? URI.encode_www_form(params) : nil
uri.to_s
rescue URI::InvalidURIError
url
end
end

25
app/controllers/concerns/authentication.rb
View File

@@ -40,7 +40,6 @@ module Authentication
end
def after_authentication_url
session[:return_to_after_authenticating]
session.delete(:return_to_after_authenticating) || root_url
end
@@ -52,12 +51,24 @@ module Authentication
# Extract root domain for cross-subdomain cookies (required for forward auth)
domain = extract_root_domain(request.host)
cookie_options = {
value: session.id,
httponly: true,
same_site: :lax,
secure: Rails.env.production?
}
# Set cookie options based on environment
# Production: Use SameSite=None to allow cross-site cookies (needed for OIDC conformance testing)
# Development: Use SameSite=Lax since HTTPS might not be available
cookie_options = if Rails.env.production?
{
value: session.id,
httponly: true,
same_site: :none, # Allow cross-site cookies for OIDC testing
secure: true # Required for SameSite=None
}
else
{
value: session.id,
httponly: true,
same_site: :lax,
secure: false
}
end
# Set domain for cross-subdomain authentication if we can extract it
cookie_options[:domain] = domain if domain.present?

487
app/controllers/oidc_controller.rb
View File

@@ -1,7 +1,8 @@
class OidcController < ApplicationController
# Discovery and JWKS endpoints are public
allow_unauthenticated_access only: [:discovery, :jwks, :token, :revoke, :userinfo, :logout]
skip_before_action :verify_authenticity_token, only: [:token, :revoke, :logout]
# authorize is also unauthenticated to handle prompt=none and prompt=login specially
allow_unauthenticated_access only: [:discovery, :jwks, :token, :revoke, :userinfo, :logout, :authorize]
skip_before_action :verify_authenticity_token, only: [:token, :revoke, :userinfo, :logout, :authorize, :consent]
# Rate limiting to prevent brute force and abuse
rate_limit to: 60, within: 1.minute, only: [:token, :revoke], with: -> {
@@ -30,10 +31,22 @@ class OidcController < ApplicationController
id_token_signing_alg_values_supported: ["RS256"],
scopes_supported: ["openid", "profile", "email", "groups", "offline_access"],
token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
claims_supported: ["sub", "email", "email_verified", "name", "preferred_username", "groups", "admin", "auth_time", "acr", "azp", "at_hash"],
claims_supported: [
"sub", # Always included
"email", # email scope
"email_verified", # email scope
"name", # profile scope
"preferred_username", # profile scope
"updated_at", # profile scope
"groups" # groups scope
# Note: Custom claims are also supported but not listed here
# ID-token-only claims (auth_time, acr, azp, at_hash, nonce) are not listed
],
code_challenge_methods_supported: ["plain", "S256"],
backchannel_logout_supported: true,
backchannel_logout_session_supported: true
backchannel_logout_session_supported: true,
request_parameter_supported: false,
claims_parameter_supported: true
}
render json: config
@@ -56,32 +69,14 @@ class OidcController < ApplicationController
code_challenge = params[:code_challenge]
code_challenge_method = params[:code_challenge_method] || "plain"
# Validate required parameters
unless client_id.present? && redirect_uri.present? && response_type == "code"
error_details = []
error_details << "client_id is required" unless client_id.present?
error_details << "redirect_uri is required" unless redirect_uri.present?
error_details << "response_type must be 'code'" unless response_type == "code"
render plain: "Invalid request: #{error_details.join(", ")}", status: :bad_request
# Validate client_id first (required before we can look up the application)
# OAuth2 RFC 6749 Section 4.1.2.1: If client_id is missing/invalid, show error page (don't redirect)
unless client_id.present?
render plain: "Invalid request: client_id is required", status: :bad_request
return
end
# Validate PKCE parameters if present
if code_challenge.present?
unless %w[plain S256].include?(code_challenge_method)
render plain: "Invalid code_challenge_method: must be 'plain' or 'S256'", status: :bad_request
return
end
# Validate code challenge format (base64url-encoded, 43-128 characters)
unless code_challenge.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
render plain: "Invalid code_challenge format: must be 43-128 characters of base64url encoding", status: :bad_request
return
end
end
# Find the application
# Find the application by client_id
@application = Application.find_by(client_id: client_id, app_type: "oidc")
unless @application
# Log all OIDC applications for debugging
@@ -99,7 +94,14 @@ class OidcController < ApplicationController
return
end
# Validate redirect URI first (required before we can safely redirect with errors)
# Validate redirect_uri presence and format
# OAuth2 RFC 6749 Section 4.1.2.1: If redirect_uri is missing/invalid, show error page (don't redirect)
unless redirect_uri.present?
render plain: "Invalid request: redirect_uri is required", status: :bad_request
return
end
# Validate redirect URI matches one of the registered URIs
unless @application.parsed_redirect_uris.include?(redirect_uri)
Rails.logger.error "OAuth: Invalid request - redirect URI mismatch. Expected: #{@application.parsed_redirect_uris}, Got: #{redirect_uri}"
@@ -114,6 +116,85 @@ class OidcController < ApplicationController
return
end
# ============================================================================
# At this point we have a valid client_id and redirect_uri
# All subsequent errors should redirect back to the client with error parameters
# per OAuth2 RFC 6749 Section 4.1.2.1
# ============================================================================
# Reject request objects (JWT-encoded authorization parameters)
# Per OIDC Core §3.1.2.6: If request parameter is present and not supported,
# return request_not_supported error
if params[:request].present? || params[:request_uri].present?
Rails.logger.error "OAuth: Request object not supported"
error_uri = "#{redirect_uri}?error=request_not_supported"
error_uri += "&error_description=#{CGI.escape("Request objects are not supported")}"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
# Validate response_type (now we can safely redirect with error)
unless response_type == "code"
Rails.logger.error "OAuth: Invalid response_type: #{response_type}"
error_uri = "#{redirect_uri}?error=unsupported_response_type"
error_uri += "&error_description=#{CGI.escape("Only 'code' response_type is supported")}"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
# Validate PKCE parameters if present (now we can safely redirect with error)
if code_challenge.present?
unless %w[plain S256].include?(code_challenge_method)
Rails.logger.error "OAuth: Invalid code_challenge_method: #{code_challenge_method}"
error_uri = "#{redirect_uri}?error=invalid_request"
error_uri += "&error_description=#{CGI.escape("Invalid code_challenge_method: must be 'plain' or 'S256'")}"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
# Validate code challenge format (base64url-encoded, 43-128 characters)
unless code_challenge.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
Rails.logger.error "OAuth: Invalid code_challenge format"
error_uri = "#{redirect_uri}?error=invalid_request"
error_uri += "&error_description=#{CGI.escape("Invalid code_challenge format: must be 43-128 characters of base64url encoding")}"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
end
# Parse claims parameter (JSON string) for OIDC claims request
# Per OIDC Core §5.5: The claims parameter is a JSON object that requests
# specific claims to be returned in the id_token and/or userinfo
claims_parameter = params[:claims]
parsed_claims = parse_claims_parameter(claims_parameter) if claims_parameter.present?
# Validate claims parameter format if present
if claims_parameter.present? && parsed_claims.nil?
Rails.logger.error "OAuth: Invalid claims parameter format"
error_uri = "#{redirect_uri}?error=invalid_request"
error_uri += "&error_description=#{CGI.escape("Invalid claims parameter: must be valid JSON")}"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
# Validate that requested claims are covered by granted scopes
if parsed_claims.present?
validation_result = validate_claims_against_scopes(parsed_claims, requested_scopes)
unless validation_result[:valid]
Rails.logger.error "OAuth: Claims parameter requests claims not covered by scopes: #{validation_result[:errors]}"
error_uri = "#{redirect_uri}?error=invalid_scope"
error_uri += "&error_description=#{CGI.escape("Claims parameter requests claims not covered by granted scopes")}"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
end
# Check if application is active (now we can safely redirect with error)
unless @application.active?
Rails.logger.error "OAuth: Application is not active: #{@application.name}"
@@ -125,7 +206,17 @@ class OidcController < ApplicationController
# Check if user is authenticated
unless authenticated?
# Store OAuth parameters in session and redirect to sign in
# Handle prompt=none - no UI allowed, return error immediately
# Per OIDC Core spec §3.1.2.6: If prompt=none and user not authenticated,
# return login_required error without showing any UI
if params[:prompt] == "none"
error_uri = "#{redirect_uri}?error=login_required"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
# Normal flow: store OAuth parameters and redirect to sign in
session[:oauth_params] = {
client_id: client_id,
redirect_uri: redirect_uri,
@@ -133,12 +224,62 @@ class OidcController < ApplicationController
nonce: nonce,
scope: scope,
code_challenge: code_challenge,
code_challenge_method: code_challenge_method
code_challenge_method: code_challenge_method,
claims_requests: parsed_claims&.to_json
}
# Store the current URL (with all OAuth params) for redirect after authentication
session[:return_to_after_authenticating] = request.url
redirect_to signin_path, alert: "Please sign in to continue"
return
end
# Handle prompt=login - force re-authentication
# Per OIDC Core spec §3.1.2.1: If prompt=login, the Authorization Server MUST prompt
# the End-User for reauthentication, even if the End-User is currently authenticated
if params[:prompt] == "login"
# Destroy current session to force re-authentication
# This creates a fresh authentication event with a new auth_time
Current.session&.destroy!
# Clear the session cookie so the user is truly logged out
cookies.delete(:session_id)
# Store the current URL (which contains all OAuth params) for redirect after login
# Remove prompt=login to prevent infinite re-auth loop
return_url = remove_query_param(request.url, "prompt")
session[:return_to_after_authenticating] = return_url
redirect_to signin_path, alert: "Please sign in to continue"
return
end
# Handle max_age - require re-authentication if session is too old
# Per OIDC Core spec §3.1.2.1: If max_age is provided and the auth time is older,
# the Authorization Server MUST prompt for reauthentication
if params[:max_age].present?
max_age_seconds = params[:max_age].to_i
# Calculate session age
session_age_seconds = Time.current.to_i - Current.session.created_at.to_i
if session_age_seconds >= max_age_seconds
# Session is too old - require re-authentication
# Store the return URL in Rails session, then destroy the Session record
# Store return URL before destroying anything
# Remove max_age from return URL to prevent infinite re-auth loop
return_url = remove_query_param(request.url, "max_age")
session[:return_to_after_authenticating] = return_url
# Destroy the Session record and clear its cookie
Current.session&.destroy!
cookies.delete(:session_id)
Current.session = nil
redirect_to signin_path, alert: "Please sign in to continue"
return
end
end
# Get the authenticated user
user = Current.session.user
@@ -150,9 +291,41 @@ class OidcController < ApplicationController
requested_scopes = scope.split(" ")
# Check if application is configured to skip consent
# If so, automatically create consent and proceed without showing consent screen
if @application.skip_consent?
# Create or update consent record automatically for trusted applications
consent = OidcUserConsent.find_or_initialize_by(user: user, application: @application)
consent.scopes_granted = requested_scopes.join(" ")
consent.claims_requests = parsed_claims || {}
consent.granted_at = Time.current
consent.save!
# Generate authorization code directly
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: user,
redirect_uri: redirect_uri,
scope: scope,
nonce: nonce,
code_challenge: code_challenge,
code_challenge_method: code_challenge_method,
claims_requests: parsed_claims || {},
auth_time: Current.session.created_at.to_i,
acr: Current.session.acr,
expires_at: 10.minutes.from_now
)
# Redirect back to client with authorization code (plaintext)
redirect_uri = "#{redirect_uri}?code=#{auth_code.plaintext_code}"
redirect_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to redirect_uri, allow_other_host: true
return
end
# Check if user has already granted consent for these scopes
existing_consent = user.has_oidc_consent?(@application, requested_scopes)
if existing_consent
if existing_consent && claims_match_consent?(parsed_claims, existing_consent)
# User has already consented, generate authorization code directly
auth_code = OidcAuthorizationCode.create!(
application: @application,
@@ -162,6 +335,7 @@ class OidcController < ApplicationController
nonce: nonce,
code_challenge: code_challenge,
code_challenge_method: code_challenge_method,
claims_requests: parsed_claims || {},
auth_time: Current.session.created_at.to_i,
acr: Current.session.acr,
expires_at: 10.minutes.from_now
@@ -182,7 +356,8 @@ class OidcController < ApplicationController
nonce: nonce,
scope: scope,
code_challenge: code_challenge,
code_challenge_method: code_challenge_method
code_challenge_method: code_challenge_method,
claims_requests: parsed_claims&.to_json
}
# Render consent page with dynamic CSP for OAuth redirect
@@ -247,8 +422,15 @@ class OidcController < ApplicationController
# Record user consent
requested_scopes = oauth_params["scope"].split(" ")
parsed_claims = begin
JSON.parse(oauth_params["claims_requests"])
rescue
{}
end
consent = OidcUserConsent.find_or_initialize_by(user: user, application: application)
consent.scopes_granted = requested_scopes.join(" ")
consent.claims_requests = parsed_claims
consent.granted_at = Time.current
consent.save!
@@ -261,6 +443,7 @@ class OidcController < ApplicationController
nonce: oauth_params["nonce"],
code_challenge: oauth_params["code_challenge"],
code_challenge_method: oauth_params["code_challenge_method"],
claims_requests: parsed_claims,
auth_time: Current.session.created_at.to_i,
acr: Current.session.acr,
expires_at: 10.minutes.from_now
@@ -278,6 +461,16 @@ class OidcController < ApplicationController
# POST /oauth/token
def token
# Reject claims parameter - per OIDC security, claims parameter is only valid
# in authorization requests, not at the token endpoint
if params[:claims].present?
render json: {
error: "invalid_request",
error_description: "claims parameter is not allowed at the token endpoint"
}, status: :bad_request
return
end
grant_type = params[:grant_type]
case grant_type
@@ -419,6 +612,8 @@ class OidcController < ApplicationController
# Generate ID token (JWT) with pairwise SID, at_hash, auth_time, and acr
# auth_time and acr come from the authorization code (captured at /authorize time)
# scopes determine which claims are included (per OIDC Core spec)
# claims_requests parameter filters which claims are included
id_token = OidcJwtService.generate_id_token(
user,
application,
@@ -426,9 +621,15 @@ class OidcController < ApplicationController
nonce: auth_code.nonce,
access_token: access_token_record.plaintext_token,
auth_time: auth_code.auth_time,
acr: auth_code.acr
acr: auth_code.acr,
scopes: auth_code.scope,
claims_requests: auth_code.parsed_claims_requests
)
# RFC6749-5.1: Token endpoint MUST return Cache-Control: no-store
response.headers["Cache-Control"] = "no-store"
response.headers["Pragma"] = "no-cache"
# Return tokens
render json: {
access_token: access_token_record.plaintext_token, # Opaque token
@@ -547,15 +748,23 @@ class OidcController < ApplicationController
# Generate new ID token (JWT with pairwise SID, at_hash, auth_time, acr; no nonce for refresh grants)
# auth_time and acr come from the original refresh token (carried over from initial auth)
# scopes determine which claims are included (per OIDC Core spec)
# claims_requests parameter filters which claims are included (from original consent)
id_token = OidcJwtService.generate_id_token(
user,
application,
consent: consent,
access_token: new_access_token.plaintext_token,
auth_time: refresh_token_record.auth_time,
acr: refresh_token_record.acr
acr: refresh_token_record.acr,
scopes: refresh_token_record.scope,
claims_requests: consent.parsed_claims_requests
)
# RFC6749-5.1: Token endpoint MUST return Cache-Control: no-store
response.headers["Cache-Control"] = "no-store"
response.headers["Pragma"] = "no-cache"
# Return new tokens
render json: {
access_token: new_access_token.plaintext_token, # Opaque token
@@ -569,17 +778,22 @@ class OidcController < ApplicationController
render json: {error: "invalid_grant"}, status: :bad_request
end
# GET /oauth/userinfo
# GET/POST /oauth/userinfo
# OIDC Core spec: UserInfo endpoint MUST support GET, SHOULD support POST
def userinfo
# Extract access token from Authorization header
auth_header = request.headers["Authorization"]
unless auth_header&.start_with?("Bearer ")
# Extract access token from Authorization header or POST body
# RFC 6750: Bearer token can be in Authorization header, request body, or query string
token = if request.headers["Authorization"]&.start_with?("Bearer ")
request.headers["Authorization"].sub("Bearer ", "")
elsif request.params["access_token"].present?
request.params["access_token"]
end
unless token
head :unauthorized
return
end
token = auth_header.sub("Bearer ", "")
# Find and validate access token (opaque token with BCrypt hashing)
access_token = OidcAccessToken.find_by_token(token)
unless access_token&.active?
@@ -605,18 +819,48 @@ class OidcController < ApplicationController
consent = OidcUserConsent.find_by(user: user, application: access_token.application)
subject = consent&.sid || user.id.to_s
# Return user claims
# Parse scopes from access token (space-separated string)
requested_scopes = access_token.scope.to_s.split
# Get claims_requests from consent (if available) for UserInfo context
userinfo_claims = consent&.parsed_claims_requests&.dig("userinfo") || {}
# Return user claims (filter by scope per OIDC Core spec)
# Required claims (always included - cannot be filtered by claims parameter)
claims = {
sub: subject,
email: user.email_address,
email_verified: true,
preferred_username: user.email_address,
name: user.name.presence || user.email_address
sub: subject
}
# Add groups if user has any
if user.groups.any?
claims[:groups] = user.groups.pluck(:name)
# Email claims (only if 'email' scope requested AND requested in claims parameter)
if requested_scopes.include?("email")
if should_include_claim_for_userinfo?("email", userinfo_claims)
claims[:email] = user.email_address
end
if should_include_claim_for_userinfo?("email_verified", userinfo_claims)
claims[:email_verified] = true
end
end
# Profile claims (only if 'profile' scope requested)
# Per OIDC Core spec section 5.4, include available profile claims
# Only include claims we have data for - omit unknown claims rather than returning null
if requested_scopes.include?("profile")
if should_include_claim_for_userinfo?("preferred_username", userinfo_claims)
claims[:preferred_username] = user.username.presence || user.email_address
end
if should_include_claim_for_userinfo?("name", userinfo_claims)
claims[:name] = user.name.presence || user.email_address
end
if should_include_claim_for_userinfo?("updated_at", userinfo_claims)
claims[:updated_at] = user.updated_at.to_i
end
end
# Groups claim (only if 'groups' scope requested AND requested in claims parameter)
if requested_scopes.include?("groups") && user.groups.any?
if should_include_claim_for_userinfo?("groups", userinfo_claims)
claims[:groups] = user.groups.pluck(:name)
end
end
# Merge custom claims from groups
@@ -631,6 +875,16 @@ class OidcController < ApplicationController
application = access_token.application
claims.merge!(application.custom_claims_for_user(user))
# Filter custom claims based on claims parameter
# If claims parameter is present, only include requested custom claims
if userinfo_claims.any?
claims = filter_custom_claims_for_userinfo(claims, userinfo_claims)
end
# Security: Don't cache user data responses
response.headers["Cache-Control"] = "no-store"
response.headers["Pragma"] = "no-cache"
render json: claims
end
@@ -775,12 +1029,12 @@ class OidcController < ApplicationController
}
end
# Validate code verifier format (base64url-encoded, 43-128 characters)
unless code_verifier.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
# Validate code verifier format (per RFC 7636: [A-Za-z0-9\-._~], 43-128 characters)
unless code_verifier.match?(/\A[A-Za-z0-9.\-_~]{43,128}\z/)
return {
valid: false,
error: "invalid_request",
error_description: "Invalid code_verifier format. Must be 43-128 characters of base64url encoding",
error_description: "Invalid code_verifier format. Must be 43-128 characters [A-Z/a-z/0-9/-/./_/~]",
status: :bad_request
}
end
@@ -896,4 +1150,133 @@ class OidcController < ApplicationController
# Log error but don't block logout
Rails.logger.error "OidcController: Failed to enqueue backchannel logout: #{e.class} - #{e.message}"
end
# Parse claims parameter JSON string
# Per OIDC Core §5.5: The claims parameter is a JSON object containing
# id_token and/or userinfo keys, each mapping to claim requests
def parse_claims_parameter(claims_string)
return {} if claims_string.blank?
parsed = JSON.parse(claims_string)
return nil unless parsed.is_a?(Hash)
# Validate structure: can have id_token, userinfo, or both
valid_keys = parsed.keys & ["id_token", "userinfo"]
return nil if valid_keys.empty?
# Validate each claim request has proper structure
valid_keys.each do |key|
next unless parsed[key].is_a?(Hash)
parsed[key].each do |_claim_name, claim_spec|
# Claim spec can be null (requested), true (essential), or a hash with specific keys
next if claim_spec.nil? || claim_spec == true || claim_spec == false
next if claim_spec.is_a?(Hash) && claim_spec.keys.all? { |k| ["essential", "value", "values"].include?(k) }
# Invalid claim specification
return nil
end
end
parsed
rescue JSON::ParserError
nil
end
# Validate that requested claims are covered by granted scopes
# Per OIDC Core §5.5: Claims can only be requested if the corresponding scope is granted
def validate_claims_against_scopes(parsed_claims, granted_scopes)
granted = Array(granted_scopes).map(&:to_s)
errors = []
# Standard claim-to-scope mapping
claim_scope_mapping = {
"email" => "email",
"email_verified" => "email",
"preferred_username" => "profile",
"name" => "profile",
"updated_at" => "profile",
"groups" => "groups"
}
# Check both id_token and userinfo claims
["id_token", "userinfo"].each do |context|
next unless parsed_claims[context]&.is_a?(Hash)
parsed_claims[context].each do |claim_name, _claim_spec|
# Skip custom claims (not in standard mapping)
# Custom claims are allowed since they're configured in the IdP
next unless claim_scope_mapping.key?(claim_name)
required_scope = claim_scope_mapping[claim_name]
unless granted.include?(required_scope)
errors << "#{claim_name} requires #{required_scope} scope"
end
end
end
if errors.any?
{valid: false, errors: errors}
else
{valid: true}
end
end
# Check if claims match existing consent
# For MVP: treat any claims request as requiring new consent if consent has no claims stored
def claims_match_consent?(parsed_claims, consent)
return true if parsed_claims.nil? || parsed_claims.empty?
# If consent has no claims stored, this is a new claims request
# Require fresh consent
return false if consent.parsed_claims_requests.empty?
# If both have claims, they must match exactly
consent.parsed_claims_requests == parsed_claims
end
# Check if a claim should be included in UserInfo response
# Returns true if no claims filtering or claim is explicitly requested
def should_include_claim_for_userinfo?(claim_name, userinfo_claims)
return true if userinfo_claims.empty?
userinfo_claims.key?(claim_name)
end
# Filter custom claims for UserInfo endpoint
# Removes claims not explicitly requested
# Applies value/values filtering if specified
def filter_custom_claims_for_userinfo(claims, userinfo_claims)
# Get all claim names that are NOT standard OIDC claims
standard_claims = %w[sub email email_verified name preferred_username updated_at groups]
custom_claim_names = claims.keys.map(&:to_s) - standard_claims
filtered = claims.dup
custom_claim_names.each do |claim_name|
claim_sym = claim_name.to_sym
unless userinfo_claims.key?(claim_name) || userinfo_claims.key?(claim_sym)
filtered.delete(claim_sym)
next
end
# Apply value/values filtering if specified
claim_spec = userinfo_claims[claim_name] || userinfo_claims[claim_sym]
next unless claim_spec.is_a?(Hash)
current_value = filtered[claim_sym]
# Check value constraint
if claim_spec["value"].present?
filtered.delete(claim_sym) unless current_value == claim_spec["value"]
end
# Check values constraint (array of allowed values)
if claim_spec["values"].is_a?(Array)
filtered.delete(claim_sym) unless claim_spec["values"].include?(current_value)
end
end
filtered
end
end

19
app/controllers/sessions_controller.rb
View File

@@ -14,6 +14,20 @@ class SessionsController < ApplicationController
return
end
# Extract login_hint from the return URL for pre-filling the email field (OIDC spec)
@login_hint = nil
if session[:return_to_after_authenticating].present?
begin
uri = URI.parse(session[:return_to_after_authenticating])
if uri.query.present?
query_params = CGI.parse(uri.query)
@login_hint = query_params["login_hint"]&.first
end
rescue URI::InvalidURIError
# Ignore parsing errors
end
end
respond_to do |format|
format.html # render HTML login page
format.json { render json: {error: "Authentication required"}, status: :unauthorized }
@@ -73,7 +87,10 @@ class SessionsController < ApplicationController
# Sign in successful (password only)
start_new_session_for user, acr: "1"
redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
# Use status: :see_other to ensure browser makes a GET request
# This prevents Turbo from converting it to a TURBO_STREAM request
redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true, status: :see_other
end
def verify_totp

45
app/lib/duration_parser.rb Normal file
View File

@@ -0,0 +1,45 @@
class DurationParser
UNITS = {
"s" => 1, # seconds
"m" => 60, # minutes
"h" => 3600, # hours
"d" => 86400, # days
"w" => 604800, # weeks
"M" => 2592000, # months (30 days)
"y" => 31536000 # years (365 days)
}
# Parse a duration string into seconds
# Accepts formats: "1h", "30m", "1d", "1M" (month), "3600" (plain number)
# Returns integer seconds or nil if invalid
# Case-sensitive: 1s, 1m, 1h, 1d, 1w, 1M (month), 1y
def self.parse(input)
# Handle integers directly
return input if input.is_a?(Integer)
# Convert to string and strip whitespace
str = input.to_s.strip
# Return nil for blank input
return nil if str.blank?
# Try to parse as plain number (already in seconds)
if str.match?(/^\d+$/)
return str.to_i
end
# Try to parse with unit (e.g., "1h", "30m", "1M")
# Allow optional space between number and unit
# Case-sensitive to avoid confusion (1m = minute, 1M = month)
match = str.match(/^(\d+)\s*([smhdwMy])$/)
return nil unless match
number = match[1].to_i
unit = match[2]
multiplier = UNITS[unit]
return nil unless multiplier
number * multiplier
end
end

22
app/models/application.rb
View File

@@ -5,6 +5,23 @@ class Application < ApplicationRecord
# When true, no client_secret will be generated (public client)
attr_accessor :is_public_client
# Virtual setters for TTL fields - accept human-friendly durations
# e.g., "1h", "30m", "1d", or plain numbers "3600"
def access_token_ttl=(value)
parsed = DurationParser.parse(value)
super(parsed)
end
def refresh_token_ttl=(value)
parsed = DurationParser.parse(value)
super(parsed)
end
def id_token_ttl=(value)
parsed = DurationParser.parse(value)
super(parsed)
end
has_one_attached :icon
# Fix SVG content type after attachment
@@ -39,7 +56,7 @@ class Application < ApplicationRecord
# Token TTL validations (for OIDC apps)
validates :access_token_ttl, numericality: {greater_than_or_equal_to: 300, less_than_or_equal_to: 86400}, if: :oidc? # 5 min - 24 hours
validates :refresh_token_ttl, numericality: {greater_than_or_equal_to: 86400, less_than_or_equal_to: 7776000}, if: :oidc? # 1 day - 90 days
validates :refresh_token_ttl, numericality: {greater_than_or_equal_to: 300, less_than_or_equal_to: 7776000}, if: :oidc? # 5 min - 90 days
validates :id_token_ttl, numericality: {greater_than_or_equal_to: 300, less_than_or_equal_to: 86400}, if: :oidc? # 5 min - 24 hours
normalizes :slug, with: ->(slug) { slug.strip.downcase }
@@ -59,6 +76,7 @@ class Application < ApplicationRecord
user: "X-Remote-User",
email: "X-Remote-Email",
name: "X-Remote-Name",
username: "X-Remote-Username",
groups: "X-Remote-Groups",
admin: "X-Remote-Admin"
}.freeze
@@ -178,6 +196,8 @@ class Application < ApplicationRecord
headers[header_name] = user.email_address
when :name
headers[header_name] = user.name.presence || user.email_address
when :username
headers[header_name] = user.username if user.username.present?
when :groups
headers[header_name] = user.groups.pluck(:name).join(",") if user.groups.any?
when :admin

6
app/models/oidc_authorization_code.rb
View File

@@ -44,6 +44,12 @@ class OidcAuthorizationCode < ApplicationRecord
code_challenge.present?
end
# Parse claims_requests JSON field
def parsed_claims_requests
return {} if claims_requests.blank?
claims_requests.is_a?(Hash) ? claims_requests : {}
end
private
def generate_code

6
app/models/oidc_user_consent.rb
View File

@@ -50,6 +50,12 @@ class OidcUserConsent < ApplicationRecord
find_by(sid: sid)
end
# Parse claims_requests JSON field
def parsed_claims_requests
return {} if claims_requests.blank?
claims_requests.is_a?(Hash) ? claims_requests : {}
end
private
def set_granted_at

117
app/services/oidc_jwt_service.rb
View File

@@ -3,7 +3,7 @@ class OidcJwtService
class << self
# Generate an ID token (JWT) for the user
def generate_id_token(user, application, consent: nil, nonce: nil, access_token: nil, auth_time: nil, acr: nil)
def generate_id_token(user, application, consent: nil, nonce: nil, access_token: nil, auth_time: nil, acr: nil, scopes: "openid", claims_requests: {})
now = Time.current.to_i
# Use application's configured ID token TTL (defaults to 1 hour)
ttl = application.id_token_expiry_seconds
@@ -11,18 +11,44 @@ class OidcJwtService
# Use pairwise SID from consent if available, fallback to user ID
subject = consent&.sid || user.id.to_s
# Parse scopes (space-separated string)
requested_scopes = scopes.to_s.split
# Parse claims_requests parameter for id_token context
id_token_claims = claims_requests["id_token"] || {}
# Required claims (always included per OIDC Core spec)
payload = {
iss: issuer_url,
sub: subject,
aud: application.client_id,
exp: now + ttl,
iat: now,
email: user.email_address,
email_verified: true,
preferred_username: user.username.presence || user.email_address,
name: user.name.presence || user.email_address
iat: now
}
# Email claims (only if 'email' scope requested AND either no claims filter OR email requested)
if requested_scopes.include?("email")
if should_include_claim?("email", id_token_claims)
payload[:email] = user.email_address
end
if should_include_claim?("email_verified", id_token_claims)
payload[:email_verified] = true
end
end
# Profile claims (only if 'profile' scope requested)
if requested_scopes.include?("profile")
if should_include_claim?("preferred_username", id_token_claims)
payload[:preferred_username] = user.username.presence || user.email_address
end
if should_include_claim?("name", id_token_claims)
payload[:name] = user.name.presence || user.email_address
end
if should_include_claim?("updated_at", id_token_claims)
payload[:updated_at] = user.updated_at.to_i
end
end
# Add nonce if provided (OIDC requires this for implicit flow)
payload[:nonce] = nonce if nonce.present?
@@ -44,12 +70,15 @@ class OidcJwtService
payload[:at_hash] = at_hash
end
# Add groups if user has any
if user.groups.any?
payload[:groups] = user.groups.pluck(:name)
# Groups claims (only if 'groups' scope requested AND requested in claims parameter)
if requested_scopes.include?("groups") && user.groups.any?
if should_include_claim?("groups", id_token_claims)
payload[:groups] = user.groups.pluck(:name)
end
end
# Merge custom claims from groups (arrays are combined, not overwritten)
# Note: Custom claims from groups are always merged (not scope-dependent)
user.groups.each do |group|
payload = deep_merge_claims(payload, group.parsed_custom_claims)
end
@@ -60,6 +89,12 @@ class OidcJwtService
# Merge app-specific custom claims (highest priority, arrays are combined)
payload = deep_merge_claims(payload, application.custom_claims_for_user(user))
# Filter custom claims based on claims parameter
# If claims parameter is present, only include requested custom claims
if id_token_claims.any?
payload = filter_custom_claims(payload, id_token_claims)
end
JWT.encode(payload, private_key, "RS256", {kid: key_id, typ: "JWT"})
end
@@ -172,5 +207,69 @@ class OidcJwtService
def key_id
@key_id ||= Digest::SHA256.hexdigest(public_key.to_pem)[0..15]
end
# Check if a claim should be included based on claims parameter
# Returns true if:
# - No claims parameter specified (include all scope-based claims)
# - Claim is explicitly requested (even with null spec or essential: true)
def should_include_claim?(claim_name, id_token_claims)
# No claims parameter = include all scope-based claims
return true if id_token_claims.empty?
# Check if claim is requested
return false unless id_token_claims.key?(claim_name)
# Claim specification can be:
# - null (requested)
# - true (essential, requested)
# - false (not requested)
# - Hash with essential/value/values
claim_spec = id_token_claims[claim_name]
return true if claim_spec.nil? || claim_spec == true
return false if claim_spec == false
# If it's a hash, the claim is requested (filtering happens later)
true if claim_spec.is_a?(Hash)
end
# Filter custom claims based on claims parameter
# Removes claims not explicitly requested
# Applies value/values filtering if specified
def filter_custom_claims(payload, id_token_claims)
# Get all claim names that are NOT standard OIDC claims
standard_claims = %w[iss sub aud exp iat nbf jti nonce azp at_hash auth_time acr email email_verified name preferred_username updated_at groups]
custom_claim_names = payload.keys.map(&:to_s) - standard_claims
filtered = payload.dup
custom_claim_names.each do |claim_name|
claim_sym = claim_name.to_sym
# If claim is not requested, remove it
unless id_token_claims.key?(claim_name) || id_token_claims.key?(claim_sym)
filtered.delete(claim_sym)
next
end
# Apply value/values filtering if specified
claim_spec = id_token_claims[claim_name] || id_token_claims[claim_sym]
next unless claim_spec.is_a?(Hash)
current_value = filtered[claim_sym]
# Check value constraint
if claim_spec["value"].present?
filtered.delete(claim_sym) unless current_value == claim_spec["value"]
end
# Check values constraint (array of allowed values)
if claim_spec["values"].is_a?(Array)
filtered.delete(claim_sym) unless claim_spec["values"].include?(current_value)
end
end
filtered
end
end
end

126
app/views/admin/applications/_form.html.erb
View File

@@ -153,6 +153,26 @@
</div>
<% end %>
<!-- OAuth2/OIDC Flow Information -->
<div class="bg-blue-50 border border-blue-200 rounded-lg p-4 space-y-3">
<div>
<h4 class="text-sm font-semibold text-gray-900 mb-2">OAuth2 Flow</h4>
<p class="text-sm text-gray-700">
Clinch uses the <code class="bg-white px-1.5 py-0.5 rounded text-xs font-mono">authorization_code</code> flow with <code class="bg-white px-1.5 py-0.5 rounded text-xs font-mono">response_type=code</code> (the modern, secure standard).
</p>
<p class="text-sm text-gray-600 mt-1">
Deprecated flows like Implicit (<code class="bg-white px-1 rounded text-xs font-mono">id_token</code>, <code class="bg-white px-1 rounded text-xs font-mono">token</code>) are not supported for security reasons.
</p>
</div>
<div class="border-t border-blue-200 pt-3">
<h4 class="text-sm font-semibold text-gray-900 mb-2">Client Authentication</h4>
<p class="text-sm text-gray-700">
Clinch supports both <code class="bg-white px-1.5 py-0.5 rounded text-xs font-mono">client_secret_basic</code> (HTTP Basic Auth) and <code class="bg-white px-1.5 py-0.5 rounded text-xs font-mono">client_secret_post</code> (POST parameters) authentication methods.
</p>
</div>
</div>
<!-- PKCE Requirement (only for confidential clients) -->
<div id="pkce-options" data-application-form-target="pkceOptions" class="<%= 'hidden' if application.persisted? && application.public_client? %>">
<div class="flex items-center">
@@ -165,6 +185,16 @@
</p>
</div>
<!-- Skip Consent -->
<div class="flex items-center">
<%= form.check_box :skip_consent, class: "h-4 w-4 rounded border-gray-300 text-blue-600 focus:ring-blue-500" %>
<%= form.label :skip_consent, "Skip Consent Screen", class: "ml-2 block text-sm font-medium text-gray-900" %>
</div>
<p class="ml-6 text-sm text-gray-500">
Automatically grant consent for all users. Useful for first-party or trusted applications.
<br><span class="text-xs text-amber-600">Only enable for applications you fully trust. Consent is still recorded in the database.</span>
</p>
<div>
<%= form.label :redirect_uris, "Redirect URIs", class: "block text-sm font-medium text-gray-700" %>
<%= form.text_area :redirect_uris, rows: 4, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono", placeholder: "https://example.com/callback\nhttps://app.example.com/auth/callback" %>
@@ -187,43 +217,90 @@
<div class="grid grid-cols-1 md:grid-cols-3 gap-4">
<div>
<%= form.label :access_token_ttl, "Access Token TTL (seconds)", class: "block text-sm font-medium text-gray-700" %>
<%= form.number_field :access_token_ttl, value: application.access_token_ttl || 3600, min: 300, max: 86400, step: 60, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
<%= form.label :access_token_ttl, "Access Token TTL", class: "block text-sm font-medium text-gray-700" %>
<%= form.text_field :access_token_ttl,
value: application.access_token_ttl || "1h",
placeholder: "e.g., 1h, 30m, 3600",
class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono" %>
<p class="mt-1 text-xs text-gray-500">
Range: 5 min - 24 hours
<br>Default: 1 hour (3600s)
<br>Current: <span class="font-medium"><%= application.access_token_ttl_human || "1 hour" %></span>
Range: 5m - 24h
<br>Default: 1h
<% if application.access_token_ttl.present? %>
<br>Current: <span class="font-medium"><%= application.access_token_ttl_human %> (<%= application.access_token_ttl %>s)</span>
<% end %>
</p>
</div>
<div>
<%= form.label :refresh_token_ttl, "Refresh Token TTL (seconds)", class: "block text-sm font-medium text-gray-700" %>
<%= form.number_field :refresh_token_ttl, value: application.refresh_token_ttl || 2592000, min: 86400, max: 7776000, step: 86400, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
<%= form.label :refresh_token_ttl, "Refresh Token TTL", class: "block text-sm font-medium text-gray-700" %>
<%= form.text_field :refresh_token_ttl,
value: application.refresh_token_ttl || "30d",
placeholder: "e.g., 30d, 1M, 2592000",
class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono" %>
<p class="mt-1 text-xs text-gray-500">
Range: 1 day - 90 days
<br>Default: 30 days (2592000s)
<br>Current: <span class="font-medium"><%= application.refresh_token_ttl_human || "30 days" %></span>
Range: 5m - 90d
<br>Default: 30d
<% if application.refresh_token_ttl.present? %>
<br>Current: <span class="font-medium"><%= application.refresh_token_ttl_human %> (<%= application.refresh_token_ttl %>s)</span>
<% end %>
</p>
</div>
<div>
<%= form.label :id_token_ttl, "ID Token TTL (seconds)", class: "block text-sm font-medium text-gray-700" %>
<%= form.number_field :id_token_ttl, value: application.id_token_ttl || 3600, min: 300, max: 86400, step: 60, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
<%= form.label :id_token_ttl, "ID Token TTL", class: "block text-sm font-medium text-gray-700" %>
<%= form.text_field :id_token_ttl,
value: application.id_token_ttl || "1h",
placeholder: "e.g., 1h, 30m, 3600",
class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono" %>
<p class="mt-1 text-xs text-gray-500">
Range: 5 min - 24 hours
<br>Default: 1 hour (3600s)
<br>Current: <span class="font-medium"><%= application.id_token_ttl_human || "1 hour" %></span>
Range: 5m - 24h
<br>Default: 1h
<% if application.id_token_ttl.present? %>
<br>Current: <span class="font-medium"><%= application.id_token_ttl_human %> (<%= application.id_token_ttl %>s)</span>
<% end %>
</p>
</div>
</div>
<details class="mt-3">
<summary class="cursor-pointer text-sm text-blue-600 hover:text-blue-800">Understanding Token Types</summary>
<div class="mt-2 ml-4 space-y-2 text-sm text-gray-600">
<p><strong>Access Token:</strong> Used to access protected resources (APIs). Shorter lifetime = more secure. Users won't notice automatic refreshes.</p>
<p><strong>Refresh Token:</strong> Used to get new access tokens without re-authentication. Longer lifetime = better UX (less re-logins).</p>
<p><strong>ID Token:</strong> Contains user identity information (JWT). Should match access token lifetime in most cases.</p>
<p class="text-xs italic mt-2">💡 Tip: Banking apps use 5-15 min access tokens. Internal tools use 1-4 hours.</p>
<summary class="cursor-pointer text-sm text-blue-600 hover:text-blue-800">Understanding Token Types & Session Length</summary>
<div class="mt-2 ml-4 space-y-3 text-sm text-gray-600">
<div>
<p class="font-medium text-gray-900 mb-1">Token Types:</p>
<p><strong>Access Token:</strong> Used to access protected resources (APIs). Shorter lifetime = more secure. Users won't notice automatic refreshes.</p>
<p><strong>Refresh Token:</strong> Used to get new access tokens without re-authentication. Each refresh issues a new refresh token (token rotation).</p>
<p><strong>ID Token:</strong> Contains user identity information (JWT). Should match access token lifetime in most cases.</p>
</div>
<div class="border-t border-gray-200 pt-2">
<p class="font-medium text-gray-900 mb-1">How Session Length Works:</p>
<p><strong>Refresh Token TTL = Maximum Inactivity Period</strong></p>
<p class="ml-3">Because refresh tokens are automatically rotated (new token = new expiry), active users can stay logged in indefinitely. The TTL controls how long they can be <em>inactive</em> before requiring re-authentication.</p>
<p class="mt-2"><strong>Example:</strong> Refresh TTL = 30 days</p>
<ul class="ml-6 list-disc space-y-1 text-xs">
<li>User logs in on Day 0, uses app daily → stays logged in forever (tokens keep rotating)</li>
<li>User logs in on Day 0, stops using app → must re-login after 30 days of inactivity</li>
</ul>
</div>
<div class="border-t border-gray-200 pt-2">
<p class="font-medium text-gray-900 mb-1">Forcing Re-Authentication:</p>
<p class="ml-3 text-xs">Because of token rotation, there's no way to force periodic re-authentication using TTL settings alone. Active users can stay logged in indefinitely by refreshing tokens before they expire.</p>
<p class="mt-2 ml-3 text-xs"><strong>To enforce absolute session limits:</strong> Clients can include the <code class="bg-gray-100 px-1 rounded">max_age</code> parameter in their authorization requests to require re-authentication after a specific time, regardless of token rotation.</p>
<p class="mt-2 ml-3 text-xs"><strong>Example:</strong> A banking app might set <code class="bg-gray-100 px-1 rounded">max_age=900</code> (15 minutes) in the authorization request to force re-authentication every 15 minutes, even if refresh tokens are still valid.</p>
</div>
<div class="border-t border-gray-200 pt-2">
<p class="font-medium text-gray-900 mb-1">Common Configurations:</p>
<ul class="ml-3 space-y-1 text-xs">
<li><strong>Banking/High Security:</strong> Access TTL = <code class="bg-gray-100 px-1 rounded">5m</code>, Refresh TTL = <code class="bg-gray-100 px-1 rounded">5m</code> → Re-auth every 5 minutes</li>
<li><strong>Corporate Tools:</strong> Access TTL = <code class="bg-gray-100 px-1 rounded">1h</code>, Refresh TTL = <code class="bg-gray-100 px-1 rounded">8h</code> → Re-auth after 8 hours inactive</li>
<li><strong>Personal Apps:</strong> Access TTL = <code class="bg-gray-100 px-1 rounded">1h</code>, Refresh TTL = <code class="bg-gray-100 px-1 rounded">30d</code> → Re-auth after 30 days inactive</li>
</ul>
</div>
</div>
</details>
</div>
@@ -253,10 +330,10 @@
<p class="font-medium">Optional: Customize header names sent to your application.</p>
<div class="flex items-center gap-2">
<button type="button" data-action="json-validator#format" class="text-xs bg-gray-100 hover:bg-gray-200 px-2 py-1 rounded">Format JSON</button>
<button type="button" data-action="json-validator#insertSample" data-json-sample='{"user": "Remote-User", "groups": "Remote-Groups", "email": "Remote-Email", "name": "Remote-Name", "admin": "Remote-Admin"}' class="text-xs bg-blue-100 hover:bg-blue-200 text-blue-700 px-2 py-1 rounded">Insert Example</button>
<button type="button" data-action="json-validator#insertSample" data-json-sample='{"user": "Remote-User", "groups": "Remote-Groups", "email": "Remote-Email", "name": "Remote-Name", "username": "Remote-Username", "admin": "Remote-Admin"}' class="text-xs bg-blue-100 hover:bg-blue-200 text-blue-700 px-2 py-1 rounded">Insert Example</button>
</div>
</div>
<p><strong>Default headers:</strong> X-Remote-User, X-Remote-Email, X-Remote-Name, X-Remote-Groups, X-Remote-Admin</p>
<p><strong>Default headers:</strong> X-Remote-User, X-Remote-Email, X-Remote-Name, X-Remote-Username, X-Remote-Groups, X-Remote-Admin</p>
<div data-json-validator-target="status" class="text-xs font-medium"></div>
<details class="mt-2">
<summary class="cursor-pointer text-blue-600 hover:text-blue-800">Show available header keys and what data they send</summary>
@@ -264,9 +341,10 @@
<p><code class="bg-gray-100 px-1 rounded">user</code> - User's email address</p>
<p><code class="bg-gray-100 px-1 rounded">email</code> - User's email address</p>
<p><code class="bg-gray-100 px-1 rounded">name</code> - User's display name (falls back to email if not set)</p>
<p><code class="bg-gray-100 px-1 rounded">username</code> - User's login username (only sent if set)</p>
<p><code class="bg-gray-100 px-1 rounded">groups</code> - Comma-separated list of group names (e.g., "admin,developers")</p>
<p><code class="bg-gray-100 px-1 rounded">admin</code> - "true" or "false" indicating admin status</p>
<p class="mt-2 italic">Example: <code class="bg-gray-100 px-1 rounded">{"user": "Remote-User", "groups": "Remote-Groups"}</code></p>
<p class="mt-2 italic">Example: <code class="bg-gray-100 px-1 rounded">{"user": "Remote-User", "groups": "Remote-Groups", "username": "Remote-Username"}</code></p>
<p class="italic">Need custom user fields? Add them to user's custom_claims for OIDC tokens</p>
</div>
</details>

2
app/views/admin/applications/show.html.erb
View File

@@ -215,7 +215,7 @@
<code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs whitespace-pre-wrap"><%= JSON.pretty_generate(@application.headers_config) %></code>
<% else %>
<div class="bg-gray-100 px-3 py-2 rounded text-xs text-gray-500">
Using default headers: X-Remote-User, X-Remote-Email, X-Remote-Name, X-Remote-Groups, X-Remote-Admin
Using default headers: X-Remote-User, X-Remote-Email, X-Remote-Name, X-Remote-Username, X-Remote-Groups, X-Remote-Admin
</div>
<% end %>
</dd>

4
app/views/dashboard/index.html.erb
View File

@@ -147,9 +147,9 @@
<% end %>
<% if app.user_has_active_session?(@user) %>
<%= button_to "Logout", logout_from_app_active_sessions_path(application_id: app.id), method: :delete,
<%= button_to "Require Re-Auth", logout_from_app_active_sessions_path(application_id: app.id), method: :delete,
class: "w-full flex justify-center items-center px-4 py-2 border border-orange-300 text-sm font-medium rounded-md text-orange-700 bg-white hover:bg-orange-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-orange-500 transition",
form: { data: { turbo_confirm: "This will log you out of #{app.name}. You can sign back in without re-authorizing. Continue?" } } %>
form: { data: { turbo_confirm: "This will revoke #{app.name}'s access tokens. The next time #{app.name} needs to authenticate, you'll sign in again (no re-authorization needed). Continue?" } } %>
<% end %>
</div>
</div>

2
app/views/sessions/new.html.erb
View File

@@ -12,7 +12,7 @@
autofocus: true,
autocomplete: "username",
placeholder: "your@email.com",
value: params[:email_address],
value: @login_hint || params[:email_address],
data: { action: "blur->webauthn#checkWebAuthnSupport change->webauthn#checkWebAuthnSupport" },
class: "block shadow-sm rounded-md border border-gray-400 focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
</div>

1
config/environments/production.rb
View File

@@ -59,6 +59,7 @@ Rails.application.configure do
# Use Solid Queue for background jobs
config.active_job.queue_adapter = :solid_queue
config.solid_queue.connects_to = {database: {writing: :queue}}
# Ignore bad email addresses and do not raise email delivery errors.
# Set this to true and configure the email server for immediate delivery to raise delivery errors.

2
config/initializers/version.rb
View File

@@ -1,5 +1,5 @@
# frozen_string_literal: true
module Clinch
VERSION = "0.8.2"
VERSION = "0.8.7"
end

4
config/routes.rb
View File

@@ -26,11 +26,11 @@ Rails.application.routes.draw do
# OIDC (OpenID Connect) routes
get "/.well-known/openid-configuration", to: "oidc#discovery"
get "/.well-known/jwks.json", to: "oidc#jwks"
get "/oauth/authorize", to: "oidc#authorize"
match "/oauth/authorize", to: "oidc#authorize", via: [:get, :post]
post "/oauth/authorize/consent", to: "oidc#consent", as: :oauth_consent
post "/oauth/token", to: "oidc#token"
post "/oauth/revoke", to: "oidc#revoke"
get "/oauth/userinfo", to: "oidc#userinfo"
match "/oauth/userinfo", to: "oidc#userinfo", via: [:get, :post]
get "/logout", to: "oidc#logout"
# ForwardAuth / Trusted Header SSO

5
db/migrate/20260104032220_add_skip_consent_to_applications.rb Normal file
View File

@@ -0,0 +1,5 @@
class AddSkipConsentToApplications < ActiveRecord::Migration[8.1]
def change
add_column :applications, :skip_consent, :boolean, default: false, null: false
end
end

5
db/migrate/20260105000745_add_claims_requests_to_oidc_user_consents.rb Normal file
View File

@@ -0,0 +1,5 @@
class AddClaimsRequestsToOidcUserConsents < ActiveRecord::Migration[8.1]
def change
add_column :oidc_user_consents, :claims_requests, :json, default: {}, null: false
end
end

5
db/migrate/20260105000809_add_claims_requests_to_oidc_authorization_codes.rb Normal file
View File

@@ -0,0 +1,5 @@
class AddClaimsRequestsToOidcAuthorizationCodes < ActiveRecord::Migration[8.1]
def change
add_column :oidc_authorization_codes, :claims_requests, :json, default: {}, null: false
end
end

5
db/schema.rb generated
View File

@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema[8.1].define(version: 2025_12_31_060112) do
ActiveRecord::Schema[8.1].define(version: 2026_01_05_000809) do
create_table "active_storage_attachments", force: :cascade do |t|
t.bigint "blob_id", null: false
t.datetime "created_at", null: false
@@ -78,6 +78,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_12_31_060112) do
t.text "redirect_uris"
t.integer "refresh_token_ttl", default: 2592000
t.boolean "require_pkce", default: true, null: false
t.boolean "skip_consent", default: false, null: false
t.string "slug", null: false
t.datetime "updated_at", null: false
t.index ["active"], name: "index_applications_on_active"
@@ -116,6 +117,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_12_31_060112) do
t.string "acr"
t.integer "application_id", null: false
t.integer "auth_time"
t.json "claims_requests", default: {}, null: false
t.string "code_challenge"
t.string "code_challenge_method"
t.string "code_hmac", null: false
@@ -160,6 +162,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_12_31_060112) do
create_table "oidc_user_consents", force: :cascade do |t|
t.integer "application_id", null: false
t.json "claims_requests", default: {}, null: false
t.datetime "created_at", null: false
t.datetime "granted_at", null: false
t.text "scopes_granted", null: false

92
docs/beta-checklist.md
View File

@@ -24,6 +24,18 @@ This checklist ensures Clinch meets security, quality, and documentation standar
- [x] **importmap audit** - JavaScript dependency scanning
- CI: Runs on every PR and push to main
- [x] **Trivy** - Container image vulnerability scanning
- Scans Docker images for OS and system package vulnerabilities
- CI: Builds and scans image on every PR and push to main
- Results uploaded to GitHub Security tab
- [x] **Dependabot** - Automated dependency updates
- Creates PRs for outdated dependencies
- Enabled for Ruby gems and GitHub Actions
- [x] **GitHub Secret Scanning** - Detects leaked credentials
- Push protection enabled to block commits with secrets
- [x] **Test Coverage** - SimpleCov integration
- Command: `COVERAGE=1 bin/rails test`
- Coverage report: `coverage/index.html`
@@ -44,7 +56,8 @@ This checklist ensures Clinch meets security, quality, and documentation standar
- [x] Authorization code flow with PKCE support
- [x] Refresh token rotation
- [x] Token family tracking (detects replay attacks)
- [x] All tokens HMAC-SHA256 hashed in database
- [x] All tokens and authorization codes HMAC-SHA256 hashed in database
- [x] TOTP secrets AES-256-GCM encrypted at rest (Rails credentials)
- [x] Configurable token expiry (access, refresh, ID)
- [x] One-time use authorization codes
- [x] Pairwise subject identifiers (privacy)
@@ -118,8 +131,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
## Code Quality
- [x] **RuboCop** - Code style and linting
- Configuration: Rails Omakase
- [x] **StandardRB** - Code style and linting
- CI: Runs on every PR and push to main
- [x] **Documentation** - Comprehensive README
@@ -146,7 +158,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
### Performance
- [ ] Review N+1 queries
- [ ] Add database indexes where needed
- [x] Add database indexes where needed
- [ ] Test with realistic data volumes
- [ ] Review token cleanup job performance
@@ -192,21 +204,32 @@ This checklist ensures Clinch meets security, quality, and documentation standar
- [ ] Document backup code security (single-use, store securely)
- [ ] Document admin password security requirements
### Future Security Enhancements
- [ ] Rate limiting on authentication endpoints
- [ ] Account lockout after N failed attempts
### Future Security Enhancements (Post-Beta)
- [x] Rate limiting on authentication endpoints (comprehensive coverage implemented)
- [ ] Account lockout after N failed attempts (rate limiting provides similar protection)
- [ ] Admin audit logging
- [ ] Security event notifications
- [ ] Brute force detection
- [ ] Suspicious login detection
- [ ] Security event notifications (email/webhook alerts for suspicious activity)
- [ ] Advanced brute force detection (pattern analysis beyond rate limiting)
- [ ] Suspicious login detection (geolocation, device fingerprinting)
- [ ] IP allowlist/blocklist
## External Security Review
## Protocol Conformance & Security Review
- [ ] Consider bug bounty or security audit
- [ ] Penetration testing for OIDC flows
- [ ] WebAuthn implementation review
- [ ] Token security review
**Protocol Conformance (Completed):**
- [x] **OpenID Connect Conformance Testing** - [48/48 tests passed](https://www.certification.openid.net/log-detail.html?log=TZ8vOG0kf35lUiD)
- OIDC authorization code flow ✅
- PKCE flow ✅
- Token security (ID tokens, access tokens, refresh tokens) ✅
- Scope-based claim filtering ✅
- Standard OIDC claims and metadata ✅
- Proper OAuth2 error handling (redirect vs. error page) ✅
**External Security Review (Optional for Post-Beta):**
- [ ] Traditional security audit or penetration test
- Note: OIDC conformance tests protocol compliance, not security vulnerabilities
- A dedicated security audit would test for injection, XSS, auth bypasses, etc.
- [ ] Bug bounty program
- [ ] WebAuthn implementation security review
## Documentation for Users
@@ -227,7 +250,8 @@ To move from "experimental" to "Beta", the following must be completed:
- [x] Basic documentation complete
- [x] Backup/restore documentation
- [x] Production deployment guide
- [ ] At least one external security review or penetration test
- [x] Protocol conformance validation
- [OpenID Connect Conformance Testing](https://www.certification.openid.net/log-detail.html?log=TZ8vOG0kf35lUiD) - **48 tests PASSED**, 0 failures, 0 warnings
**Important (Should have for Beta):**
- [x] Rate limiting on auth endpoints
@@ -238,26 +262,42 @@ To move from "experimental" to "Beta", the following must be completed:
**Nice to have (Can defer to post-Beta):**
- [ ] Bug bounty program
- [ ] Advanced monitoring/alerting
- [ ] Automated security testing in CI beyond brakeman/bundler-audit
- [x] Automated security testing in CI beyond brakeman/bundler-audit
- [x] Dependabot (automated dependency updates)
- [x] GitHub Secret Scanning (automatic with push protection enabled)
- [x] Container image scanning (Trivy scans Docker images for OS/system vulnerabilities)
- [ ] DAST/Dynamic testing (OWASP ZAP) - optional for post-Beta
## Status Summary
**Current Status:** Pre-Beta / Experimental
**Current Status:** Ready for Beta Release 🎉
**Strengths:**
- ✅ Comprehensive security tooling in place
- ✅ Strong test coverage (341 tests, 1349 assertions)
- ✅ Strong test coverage (374 tests, 1538 assertions)
- ✅ Modern security features (PKCE, token rotation, WebAuthn)
- ✅ Clean security scans (brakeman, bundler-audit)
- ✅ Clean security scans (brakeman, bundler-audit, Trivy)
- ✅ Well-documented codebase
-**OpenID Connect Conformance certified** - 48/48 tests passed
**Before Beta Release:**
- 🔶 External security review recommended
- 🔶 Admin audit logging (optional)
**All Critical Requirements Met:**
- All automated security scans passing ✅
- All tests passing (374 tests, 1542 assertions) ✅
- Core features implemented and tested ✅
- Documentation complete ✅
- Production deployment guide ✅
- Protocol conformance validation complete ✅
**Recommendation:** Consider Beta status after:
1. External security review or penetration testing
2. Real-world testing period
**Optional for Post-Beta:**
- Admin audit logging
- Traditional security audit/penetration test
- Bug bounty program
- Advanced monitoring/alerting
**Recommendation:**
Clinch meets all critical requirements for Beta release. The OIDC implementation is protocol-compliant (48/48 conformance tests passed), security scans are clean, and the codebase has strong test coverage.
For production use in security-sensitive environments, consider a traditional security audit or penetration test post-Beta to validate against common vulnerabilities (injection, XSS, auth bypasses, etc.) beyond protocol conformance.
---

2
test/controllers/api/forward_auth_controller_test.rb
View File

@@ -279,7 +279,7 @@ module Api
rd: evil_url # Ensure the rd parameter is preserved in login
}
assert_response 302
assert_response 303
# Should NOT redirect to evil URL after successful authentication
refute_match evil_url, response.location, "Should not redirect to evil URL after authentication"
# Should redirect to the legitimate URL (not the evil one)

394
test/controllers/oidc_claims_security_test.rb Normal file
View File

@@ -0,0 +1,394 @@
require "test_helper"
class OidcClaimsSecurityTest < ActionDispatch::IntegrationTest
setup do
@user = User.create!(email_address: "claims_security_test@example.com", password: "password123")
@application = Application.create!(
name: "Claims Security Test App",
slug: "claims-security-test-app",
app_type: "oidc",
redirect_uris: ["http://localhost:4000/callback"].to_json,
active: true,
require_pkce: false
)
# Store the plain text client secret for testing
@application.generate_new_client_secret!
@plain_client_secret = @application.client_secret
@application.save!
end
def teardown
# Delete in correct order to avoid foreign key constraints
OidcRefreshToken.where(application: @application).delete_all
OidcAccessToken.where(application: @application).delete_all
OidcAuthorizationCode.where(application: @application).delete_all
OidcUserConsent.where(application: @application).delete_all
@user.destroy
@application.destroy
end
# ====================
# CLAIMS PARAMETER ESCALATION ATTACKS
# ====================
test "rejects claims parameter during authorization code exchange" do
# Create consent with minimal scopes (no profile, email, or admin access)
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid",
granted_at: Time.current,
sid: "test-sid-123"
)
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
redirect_uri: "http://localhost:4000/callback",
scope: "openid",
expires_at: 10.minutes.from_now
)
# ATTEMPT: Inject claims parameter during token exchange (ATTACK!)
# The client is trying to request 'admin' claim that they never got consent for
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
claims: '{"id_token":{"admin":{"essential":true}}}' # ← ATTACK!
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
}
# SHOULD: Reject the claims parameter - it's only allowed in authorization requests
assert_response :bad_request
error = JSON.parse(response.body)
assert_equal "invalid_request", error["error"], "Should reject claims parameter at token endpoint"
assert_match(/claims.*not allowed|unsupported parameter/i, error["error_description"], "Error should mention claims parameter not allowed")
end
test "rejects claims parameter during authorization code exchange with profile escalation" do
# Create consent with ONLY openid scope (no profile scope)
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid",
granted_at: Time.current,
sid: "test-sid-123"
)
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
redirect_uri: "http://localhost:4000/callback",
scope: "openid",
expires_at: 10.minutes.from_now
)
# ATTEMPT: Try to get profile claims via claims parameter without profile scope
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
claims: '{"id_token":{"name":null,"email":{"essential":true}}}'
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
}
# SHOULD: Reject the claims parameter
assert_response :bad_request
error = JSON.parse(response.body)
assert_equal "invalid_request", error["error"]
end
test "rejects claims parameter during refresh token grant" do
access_token = OidcAccessToken.create!(
application: @application,
user: @user,
scope: "openid"
)
refresh_token = OidcRefreshToken.create!(
application: @application,
user: @user,
oidc_access_token: access_token,
scope: "openid"
)
plaintext_refresh_token = refresh_token.token
# ATTEMPT: Inject claims parameter during refresh (ATTACK!)
# Trying to escalate to admin claims during refresh
post "/oauth/token", params: {
grant_type: "refresh_token",
refresh_token: plaintext_refresh_token,
claims: '{"id_token":{"admin":true,"role":{"essential":true}}}' # ← ATTACK!
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
}
# SHOULD: Reject the claims parameter
assert_response :bad_request
error = JSON.parse(response.body)
assert_equal "invalid_request", error["error"], "Should reject claims parameter at refresh token endpoint"
assert_match(/claims.*not allowed|unsupported parameter/i, error["error_description"])
end
test "rejects claims parameter during refresh token grant with custom claims escalation" do
# Setup: User has a custom claim at user level
@user.update!(custom_claims: {"role" => "user"})
access_token = OidcAccessToken.create!(
application: @application,
user: @user,
scope: "openid"
)
refresh_token = OidcRefreshToken.create!(
application: @application,
user: @user,
oidc_access_token: access_token,
scope: "openid"
)
plaintext_refresh_token = refresh_token.token
# ATTEMPT: Try to escalate role to admin via claims parameter
post "/oauth/token", params: {
grant_type: "refresh_token",
refresh_token: plaintext_refresh_token,
claims: '{"id_token":{"role":{"value":"admin"}}}' # ← ATTACK! Trying to override role value
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
}
# SHOULD: Reject the claims parameter
assert_response :bad_request
error = JSON.parse(response.body)
assert_equal "invalid_request", error["error"]
end
test "allows token exchange without claims parameter" do
# Create consent
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
granted_at: Time.current,
sid: "test-sid-123"
)
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
)
# Normal token exchange WITHOUT claims parameter should work fine
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
}
assert_response :success
response_body = JSON.parse(response.body)
assert response_body.key?("access_token")
assert response_body.key?("id_token")
end
test "allows refresh without claims parameter" do
# Create consent for this application
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
granted_at: Time.current,
sid: "test-sid-refresh-456"
)
access_token = OidcAccessToken.create!(
application: @application,
user: @user,
scope: "openid profile"
)
refresh_token = OidcRefreshToken.create!(
application: @application,
user: @user,
oidc_access_token: access_token,
scope: "openid profile"
)
plaintext_refresh_token = refresh_token.token
# Normal refresh WITHOUT claims parameter should work fine
post "/oauth/token", params: {
grant_type: "refresh_token",
refresh_token: plaintext_refresh_token
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
}
assert_response :success
response_body = JSON.parse(response.body)
assert response_body.key?("access_token")
assert response_body.key?("id_token")
end
# ====================
# CLAIMS PARAMETER IS AUTHORIZATION-ONLY
# ====================
test "claims parameter is only valid in authorization request per OIDC spec" do
# Per OIDC Core spec section 18.2.1, claims parameter usage location is "Authorization Request"
# This test verifies that claims parameter cannot be used at token endpoint
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid",
granted_at: Time.current,
sid: "test-sid-123"
)
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
redirect_uri: "http://localhost:4000/callback",
scope: "openid",
expires_at: 10.minutes.from_now
)
# Test various attempts to inject claims parameter
malicious_claims = [
'{"id_token":{"admin":true}}',
'{"id_token":{"email":{"essential":true}}}',
'{"userinfo":{"groups":{"values":["admin"]}}}',
'{"id_token":{"custom_claim":"custom_value"}}',
"invalid-json"
]
malicious_claims.each do |claims_value|
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
claims: claims_value
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
}
# All should be rejected
assert_response :bad_request, "Claims parameter '#{claims_value}' should be rejected"
error = JSON.parse(response.body)
assert_equal "invalid_request", error["error"]
end
end
# ====================
# VERIFY CONSENT-BASED ACCESS IS ENFORCED
# ====================
test "token endpoint respects scopes granted during authorization" do
# Create consent with ONLY openid scope (no email, profile, etc.)
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid",
granted_at: Time.current,
sid: "test-sid-123"
)
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
redirect_uri: "http://localhost:4000/callback",
scope: "openid",
expires_at: 10.minutes.from_now
)
# Exchange code for tokens
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
}
assert_response :success
response_body = JSON.parse(response.body)
id_token = response_body["id_token"]
# Decode ID token to check claims
decoded = JWT.decode(id_token, nil, false).first
# Should only have required claims, not email/profile
assert_includes decoded.keys, "iss"
assert_includes decoded.keys, "sub"
assert_includes decoded.keys, "aud"
assert_includes decoded.keys, "exp"
assert_includes decoded.keys, "iat"
# Should NOT have claims that weren't consented to
refute_includes decoded.keys, "email", "Should not include email without email scope"
refute_includes decoded.keys, "email_verified", "Should not include email_verified without email scope"
refute_includes decoded.keys, "name", "Should not include name without profile scope"
refute_includes decoded.keys, "preferred_username", "Should not include preferred_username without profile scope"
end
test "refresh token preserves original scopes granted during authorization" do
# Create consent with specific scopes
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid email",
granted_at: Time.current,
sid: "test-sid-refresh-123"
)
access_token = OidcAccessToken.create!(
application: @application,
user: @user,
scope: "openid email"
)
refresh_token = OidcRefreshToken.create!(
application: @application,
user: @user,
oidc_access_token: access_token,
scope: "openid email"
)
plaintext_refresh_token = refresh_token.token
# Refresh the token
post "/oauth/token", params: {
grant_type: "refresh_token",
refresh_token: plaintext_refresh_token
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
}
assert_response :success
response_body = JSON.parse(response.body)
id_token = response_body["id_token"]
# Decode ID token to verify scopes are preserved
decoded = JWT.decode(id_token, nil, false).first
# Should have email claims (from original consent)
assert_includes decoded.keys, "email", "Should preserve email scope from original consent"
assert_includes decoded.keys, "email_verified", "Should preserve email_verified scope from original consent"
# Should NOT have profile claims (not in original consent)
refute_includes decoded.keys, "name", "Should not add profile claims that weren't consented to"
refute_includes decoded.keys, "preferred_username", "Should not add preferred_username that wasn't consented to"
end
end

12
test/controllers/oidc_pkce_controller_test.rb
View File

@@ -91,8 +91,10 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
get "/oauth/authorize", params: auth_params
assert_response :bad_request
assert_match(/Invalid code_challenge_method/, @response.body)
# Should redirect back to client with error parameters (OAuth2 spec)
assert_response :redirect
assert_match(/error=invalid_request/, @response.location)
assert_match(/error_description=.*code_challenge_method/, @response.location)
end
test "authorization endpoint rejects invalid code_challenge format" do
@@ -108,8 +110,10 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
get "/oauth/authorize", params: auth_params
assert_response :bad_request
assert_match(/Invalid code_challenge format/, @response.body)
# Should redirect back to client with error parameters (OAuth2 spec)
assert_response :redirect
assert_match(/error=invalid_request/, @response.location)
assert_match(/error_description=.*code_challenge.*format/, @response.location)
end
test "token endpoint requires code_verifier when PKCE was used (S256)" do

236
test/controllers/oidc_prompt_login_test.rb Normal file
View File

@@ -0,0 +1,236 @@
require "test_helper"
class OidcPromptLoginTest < ActionDispatch::IntegrationTest
setup do
@user = users(:alice)
@application = applications(:kavita_app)
@client_secret = SecureRandom.urlsafe_base64(48)
@application.client_secret = @client_secret
@application.save!
# Pre-authorize the application so we skip consent screen
consent = OidcUserConsent.find_or_initialize_by(
user: @user,
application: @application
)
consent.scopes_granted ||= "openid profile email"
consent.save!
end
teardown do
# Clean up
OidcAccessToken.where(user: @user, application: @application).destroy_all
OidcAuthorizationCode.where(user: @user, application: @application).destroy_all
end
test "max_age requires re-authentication when session is too old" do
# Sign in to create a session
post "/signin", params: {
email_address: @user.email_address,
password: "password"
}
assert_response :redirect
follow_redirect!
assert_response :success
# Get first auth_time
get "/oauth/authorize", params: {
client_id: @application.client_id,
redirect_uri: @application.parsed_redirect_uris.first,
response_type: "code",
scope: "openid",
state: "first-state",
nonce: "first-nonce"
}
assert_response :redirect
first_redirect_url = response.location
first_code = CGI.parse(URI(first_redirect_url).query)["code"].first
# Exchange for tokens and extract auth_time
post "/oauth/token", params: {
grant_type: "authorization_code",
code: first_code,
redirect_uri: @application.parsed_redirect_uris.first,
client_id: @application.client_id,
client_secret: @client_secret
}
assert_response :success
first_tokens = JSON.parse(response.body)
first_id_token = OidcJwtService.decode_id_token(first_tokens["id_token"])
first_auth_time = first_id_token[0]["auth_time"]
# Wait a bit (simulate time passing - in real scenario this would be actual seconds)
# Then request with max_age=0 (means session must be brand new)
get "/oauth/authorize", params: {
client_id: @application.client_id,
redirect_uri: @application.parsed_redirect_uris.first,
response_type: "code",
scope: "openid",
state: "second-state",
nonce: "second-nonce",
max_age: "0" # Requires session to be 0 seconds old (i.e., brand new)
}
# Should redirect to sign in because session is too old
assert_response :redirect
assert_redirected_to(/signin/)
# Sign in again
post "/signin", params: {
email_address: @user.email_address,
password: "password"
}
assert_response :redirect
follow_redirect!
# Should receive authorization code
assert_response :redirect
second_redirect_url = response.location
second_code = CGI.parse(URI(second_redirect_url).query)["code"].first
assert second_code.present?, "Should receive authorization code after re-authentication"
# Exchange second authorization code for tokens
post "/oauth/token", params: {
grant_type: "authorization_code",
code: second_code,
redirect_uri: @application.parsed_redirect_uris.first,
client_id: @application.client_id,
client_secret: @client_secret
}
assert_response :success
second_tokens = JSON.parse(response.body)
second_id_token = OidcJwtService.decode_id_token(second_tokens["id_token"])
second_auth_time = second_id_token[0]["auth_time"]
# The second auth_time should be >= the first (re-authentication occurred)
# Note: May be equal if both occur in the same second (test timing edge case)
assert second_auth_time >= first_auth_time,
"max_age=0 should result in a re-authentication. " \
"First: #{first_auth_time}, Second: #{second_auth_time}"
end
test "prompt=none returns login_required error when not authenticated" do
# Don't sign in - user is not authenticated
# Request authorization with prompt=none
get "/oauth/authorize", params: {
client_id: @application.client_id,
redirect_uri: @application.parsed_redirect_uris.first,
response_type: "code",
scope: "openid",
state: "test-state",
prompt: "none"
}
# Should redirect with error=login_required (NOT to sign-in page)
assert_response :redirect
redirect_url = response.location
# Parse the redirect URL
uri = URI.parse(redirect_url)
query_params = uri.query ? CGI.parse(uri.query) : {}
assert_equal "login_required", query_params["error"]&.first,
"Should return login_required error for prompt=none when not authenticated"
assert_equal "test-state", query_params["state"]&.first,
"Should return state parameter"
end
test "prompt=login forces re-authentication with new auth_time" do
# First authentication
post "/signin", params: {
email_address: @user.email_address,
password: "password"
}
assert_response :redirect
follow_redirect!
assert_response :success
# Get first authorization code
get "/oauth/authorize", params: {
client_id: @application.client_id,
redirect_uri: @application.parsed_redirect_uris.first,
response_type: "code",
scope: "openid",
state: "first-state",
nonce: "first-nonce"
}
assert_response :redirect
first_redirect_url = response.location
first_code = CGI.parse(URI(first_redirect_url).query)["code"].first
# Exchange for tokens and extract auth_time from ID token
post "/oauth/token", params: {
grant_type: "authorization_code",
code: first_code,
redirect_uri: @application.parsed_redirect_uris.first,
client_id: @application.client_id,
client_secret: @client_secret
}
assert_response :success
first_tokens = JSON.parse(response.body)
first_id_token = OidcJwtService.decode_id_token(first_tokens["id_token"])
first_auth_time = first_id_token[0]["auth_time"]
# Now request authorization again with prompt=login
get "/oauth/authorize", params: {
client_id: @application.client_id,
redirect_uri: @application.parsed_redirect_uris.first,
response_type: "code",
scope: "openid",
state: "second-state",
nonce: "second-nonce",
prompt: "login"
}
# Should redirect to sign in
assert_response :redirect
assert_redirected_to(/signin/)
# Sign in again (simulating user re-authentication)
post "/signin", params: {
email_address: @user.email_address,
password: "password"
}
assert_response :redirect
# Follow redirect to after_authentication_url (which is /oauth/authorize without prompt=login)
follow_redirect!
# Should receive authorization code redirect
assert_response :redirect
second_redirect_url = response.location
second_code = CGI.parse(URI(second_redirect_url).query)["code"].first
assert second_code.present?, "Should receive authorization code after re-authentication"
# Exchange second authorization code for tokens
post "/oauth/token", params: {
grant_type: "authorization_code",
code: second_code,
redirect_uri: @application.parsed_redirect_uris.first,
client_id: @application.client_id,
client_secret: @client_secret
}
assert_response :success
second_tokens = JSON.parse(response.body)
second_id_token = OidcJwtService.decode_id_token(second_tokens["id_token"])
second_auth_time = second_id_token[0]["auth_time"]
# The second auth_time should be >= the first (re-authentication occurred)
# Note: May be equal if both occur in the same second (test timing edge case)
assert second_auth_time >= first_auth_time,
"prompt=login should result in a later auth_time. " \
"First: #{first_auth_time}, Second: #{second_auth_time}"
end
end

6
test/controllers/oidc_refresh_token_controller_test.rb
View File

@@ -228,7 +228,11 @@ class OidcRefreshTokenControllerTest < ActionDispatch::IntegrationTest
assert_response :success
json = JSON.parse(response.body)
assert_equal @user.id.to_s, json["sub"]
# Should return pairwise SID from consent (alice has consent for kavita_app in fixtures)
consent = OidcUserConsent.find_by(user: @user, application: @application)
expected_sub = consent&.sid || @user.id.to_s
assert_equal expected_sub, json["sub"]
assert_equal @user.email_address, json["email"]
end
end

269
test/controllers/oidc_userinfo_controller_test.rb Normal file
View File

@@ -0,0 +1,269 @@
require "test_helper"
class OidcUserinfoControllerTest < ActionDispatch::IntegrationTest
def setup
@user = users(:alice)
@application = applications(:kavita_app)
# Add user to a group for groups claim testing
@admin_group = groups(:admin_group)
@user.groups << @admin_group unless @user.groups.include?(@admin_group)
end
def teardown
# Clean up
OidcAccessToken.where(user: @user, application: @application).destroy_all
end
# ============================================================================
# HTTP Method Tests (GET and POST)
# ============================================================================
test "userinfo endpoint accepts GET requests" do
access_token = create_access_token("openid email profile")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
assert json["sub"].present?
end
test "userinfo endpoint accepts POST requests" do
access_token = create_access_token("openid email profile")
post "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
assert json["sub"].present?
end
test "userinfo endpoint accepts POST with access_token in body" do
access_token = create_access_token("openid email profile")
post "/oauth/userinfo", params: {
access_token: access_token.plaintext_token
}
assert_response :success
json = JSON.parse(response.body)
assert json["sub"].present?
end
# ============================================================================
# Scope-Based Claim Filtering Tests
# ============================================================================
test "userinfo with openid scope only returns minimal claims" do
access_token = create_access_token("openid")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# Required claims
assert json["sub"].present?, "Should include sub claim"
# Scope-dependent claims should NOT be present
assert_nil json["email"], "Should not include email without email scope"
assert_nil json["email_verified"], "Should not include email_verified without email scope"
assert_nil json["name"], "Should not include name without profile scope"
assert_nil json["preferred_username"], "Should not include preferred_username without profile scope"
assert_nil json["groups"], "Should not include groups without groups scope"
end
test "userinfo with email scope includes email claims" do
access_token = create_access_token("openid email")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# Required claims
assert json["sub"].present?
# Email claims should be present
assert_equal @user.email_address, json["email"], "Should include email with email scope"
assert_equal true, json["email_verified"], "Should include email_verified with email scope"
# Profile claims should NOT be present
assert_nil json["name"], "Should not include name without profile scope"
assert_nil json["preferred_username"], "Should not include preferred_username without profile scope"
end
test "userinfo with profile scope includes profile claims" do
access_token = create_access_token("openid profile")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# Required claims
assert json["sub"].present?
# Profile claims we support should be present
assert json["name"].present?, "Should include name with profile scope"
assert json["preferred_username"].present?, "Should include preferred_username with profile scope"
assert json["updated_at"].present?, "Should include updated_at with profile scope"
# Email claims should NOT be present
assert_nil json["email"], "Should not include email without email scope"
assert_nil json["email_verified"], "Should not include email_verified without email scope"
end
test "userinfo with groups scope includes groups claim" do
access_token = create_access_token("openid groups")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# Required claims
assert json["sub"].present?
# Groups claim should be present
assert json["groups"].present?, "Should include groups with groups scope"
assert_includes json["groups"], "Administrators", "Should include user's groups"
# Email and profile claims should NOT be present
assert_nil json["email"], "Should not include email without email scope"
assert_nil json["name"], "Should not include name without profile scope"
end
test "userinfo with multiple scopes includes all requested claims" do
access_token = create_access_token("openid email profile groups")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# All scope-based claims should be present
assert json["sub"].present?
assert json["email"].present?, "Should include email"
assert json["email_verified"].present?, "Should include email_verified"
assert json["name"].present?, "Should include name"
assert json["preferred_username"].present?, "Should include preferred_username"
assert json["groups"].present?, "Should include groups"
end
test "userinfo returns same filtered claims for GET and POST" do
access_token = create_access_token("openid email")
# GET request
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
get_json = JSON.parse(response.body)
# POST request
post "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
post_json = JSON.parse(response.body)
# Both should return the same claims
assert_equal get_json, post_json, "GET and POST should return identical claims"
end
# ============================================================================
# Authentication Tests
# ============================================================================
test "userinfo endpoint requires Bearer token" do
get "/oauth/userinfo"
assert_response :unauthorized
end
test "userinfo endpoint rejects invalid token" do
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer invalid_token_12345"
}
assert_response :unauthorized
end
test "userinfo endpoint rejects expired token" do
access_token = create_access_token("openid email profile")
# Expire the token
access_token.update!(expires_at: 1.hour.ago)
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :unauthorized
end
test "userinfo endpoint rejects revoked token" do
access_token = create_access_token("openid email profile")
# Revoke the token
access_token.revoke!
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :unauthorized
end
# ============================================================================
# Pairwise Subject Identifier Test
# ============================================================================
test "userinfo returns pairwise SID when consent exists" do
access_token = create_access_token("openid")
# Find existing consent or create new one (ensure it has a SID)
consent = OidcUserConsent.find_or_initialize_by(
user: @user,
application: @application
)
consent.scopes_granted ||= "openid"
consent.save!
# Reload to get the auto-generated SID
consent.reload
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
assert_equal consent.sid, json["sub"], "Should use pairwise SID from consent"
assert consent.sid.present?, "Consent should have a SID"
end
private
def create_access_token(scope)
OidcAccessToken.create!(
application: @application,
user: @user,
scope: scope
)
end
end

2
test/fixtures/oidc_user_consents.yml vendored
View File

@@ -5,9 +5,11 @@ alice_consent:
application: kavita_app
scopes_granted: openid profile email
granted_at: 2025-10-24 16:57:39
sid: alice-kavita-sid-12345
bob_consent:
user: bob
application: another_app
scopes_granted: openid email groups
granted_at: 2025-10-24 16:57:39
sid: bob-another-sid-67890

10
test/integration/forward_auth_advanced_test.rb
View File

@@ -31,7 +31,7 @@ class ForwardAuthAdvancedTest < ActionDispatch::IntegrationTest
# Step 3: Sign in
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
assert_response 303
redirect_uri = URI.parse(response.location)
assert_equal "https", redirect_uri.scheme
assert_equal "app.example.com", redirect_uri.host
@@ -64,7 +64,7 @@ class ForwardAuthAdvancedTest < ActionDispatch::IntegrationTest
# Sign in once
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
assert_response 303
assert_redirected_to "/"
# Test access to different applications
@@ -101,7 +101,7 @@ class ForwardAuthAdvancedTest < ActionDispatch::IntegrationTest
# Sign in
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
assert_response 303
# Should have access (in allowed group)
get "/api/verify", headers: {"X-Forwarded-Host" => "admin.example.com"}
@@ -139,7 +139,7 @@ class ForwardAuthAdvancedTest < ActionDispatch::IntegrationTest
# Sign in
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
assert_response 303
# Should have access (bypass mode)
get "/api/verify", headers: {"X-Forwarded-Host" => "public.example.com"}
@@ -255,7 +255,7 @@ class ForwardAuthAdvancedTest < ActionDispatch::IntegrationTest
# Sign in once
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
assert_response 303
# Test access to each application
apps.each do |app|

2
test/integration/forward_auth_integration_test.rb
View File

@@ -27,7 +27,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
# Step 2: Sign in
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
assert_response 303
# Signin now redirects back with fa_token parameter
assert_match(/\?fa_token=/, response.location)
assert cookies[:session_id]

136
test/lib/duration_parser_test.rb Normal file
View File

@@ -0,0 +1,136 @@
require "test_helper"
class DurationParserTest < ActiveSupport::TestCase
# Valid formats
test "parses seconds" do
assert_equal 1, DurationParser.parse("1s")
assert_equal 30, DurationParser.parse("30s")
assert_equal 3600, DurationParser.parse("3600s")
end
test "parses minutes" do
assert_equal 60, DurationParser.parse("1m")
assert_equal 300, DurationParser.parse("5m")
assert_equal 1800, DurationParser.parse("30m")
end
test "parses hours" do
assert_equal 3600, DurationParser.parse("1h")
assert_equal 7200, DurationParser.parse("2h")
assert_equal 86400, DurationParser.parse("24h")
end
test "parses days" do
assert_equal 86400, DurationParser.parse("1d")
assert_equal 172800, DurationParser.parse("2d")
assert_equal 2592000, DurationParser.parse("30d")
end
test "parses weeks" do
assert_equal 604800, DurationParser.parse("1w")
assert_equal 1209600, DurationParser.parse("2w")
end
test "parses months (30 days)" do
assert_equal 2592000, DurationParser.parse("1M")
assert_equal 5184000, DurationParser.parse("2M")
end
test "parses years (365 days)" do
assert_equal 31536000, DurationParser.parse("1y")
assert_equal 63072000, DurationParser.parse("2y")
end
# Plain numbers
test "parses plain integer as seconds" do
assert_equal 3600, DurationParser.parse(3600)
assert_equal 300, DurationParser.parse(300)
assert_equal 0, DurationParser.parse(0)
end
test "parses plain numeric string as seconds" do
assert_equal 3600, DurationParser.parse("3600")
assert_equal 300, DurationParser.parse("300")
assert_equal 0, DurationParser.parse("0")
end
# Whitespace handling
test "handles leading and trailing whitespace" do
assert_equal 3600, DurationParser.parse(" 1h ")
assert_equal 300, DurationParser.parse(" 5m ")
assert_equal 86400, DurationParser.parse("\t1d\n")
end
test "handles space between number and unit" do
assert_equal 3600, DurationParser.parse("1 h")
assert_equal 300, DurationParser.parse("5 m")
assert_equal 86400, DurationParser.parse("1 d")
end
# Case sensitivity - only lowercase units work (except M for months)
test "lowercase units work" do
assert_equal 1, DurationParser.parse("1s")
assert_equal 60, DurationParser.parse("1m") # minute (lowercase)
assert_equal 3600, DurationParser.parse("1h")
assert_equal 86400, DurationParser.parse("1d")
assert_equal 604800, DurationParser.parse("1w")
assert_equal 31536000, DurationParser.parse("1y")
end
test "uppercase M for months works" do
assert_equal 2592000, DurationParser.parse("1M") # month (uppercase)
end
test "returns nil for wrong case" do
assert_nil DurationParser.parse("1S") # Should be 1s
assert_nil DurationParser.parse("1H") # Should be 1h
assert_nil DurationParser.parse("1D") # Should be 1d
assert_nil DurationParser.parse("1W") # Should be 1w
assert_nil DurationParser.parse("1Y") # Should be 1y
end
# Edge cases
test "handles zero duration" do
assert_equal 0, DurationParser.parse("0s")
assert_equal 0, DurationParser.parse("0m")
assert_equal 0, DurationParser.parse("0h")
end
test "handles large numbers" do
assert_equal 86400000, DurationParser.parse("1000d")
assert_equal 360000, DurationParser.parse("100h")
end
# Invalid formats - should return nil (not raise)
test "returns nil for invalid format" do
assert_nil DurationParser.parse("invalid")
assert_nil DurationParser.parse("1x")
assert_nil DurationParser.parse("abc")
assert_nil DurationParser.parse("1.5h") # No decimals
assert_nil DurationParser.parse("-1h") # No negatives
assert_nil DurationParser.parse("h1") # Wrong order
end
test "returns nil for blank input" do
assert_nil DurationParser.parse("")
assert_nil DurationParser.parse(nil)
assert_nil DurationParser.parse(" ")
end
test "returns nil for multiple units" do
assert_nil DurationParser.parse("1h30m") # Keep it simple, don't support this
assert_nil DurationParser.parse("1d2h")
end
# String coercion
test "handles string input" do
assert_equal 3600, DurationParser.parse("1h")
assert_equal 3600, DurationParser.parse(:"1h") # Symbol
end
# Boundary validation (not parser's job, but good to know)
test "parses values outside typical TTL ranges without error" do
assert_equal 1, DurationParser.parse("1s") # Below min access_token_ttl
assert_equal 315360000, DurationParser.parse("10y") # Above max refresh_token_ttl
end
end

109
test/models/application_duration_parser_test.rb Normal file
View File

@@ -0,0 +1,109 @@
require "test_helper"
class ApplicationDurationParserTest < ActiveSupport::TestCase
test "access_token_ttl accepts human-friendly durations" do
app = Application.new(access_token_ttl: "1h")
assert_equal 3600, app.access_token_ttl
app.access_token_ttl = "30m"
assert_equal 1800, app.access_token_ttl
app.access_token_ttl = "5m"
assert_equal 300, app.access_token_ttl
end
test "refresh_token_ttl accepts human-friendly durations" do
app = Application.new(refresh_token_ttl: "30d")
assert_equal 2592000, app.refresh_token_ttl
app.refresh_token_ttl = "1M"
assert_equal 2592000, app.refresh_token_ttl
app.refresh_token_ttl = "7d"
assert_equal 604800, app.refresh_token_ttl
end
test "id_token_ttl accepts human-friendly durations" do
app = Application.new(id_token_ttl: "1h")
assert_equal 3600, app.id_token_ttl
app.id_token_ttl = "2h"
assert_equal 7200, app.id_token_ttl
end
test "TTL fields still accept plain numbers" do
app = Application.new(
access_token_ttl: 3600,
refresh_token_ttl: 2592000,
id_token_ttl: 3600
)
assert_equal 3600, app.access_token_ttl
assert_equal 2592000, app.refresh_token_ttl
assert_equal 3600, app.id_token_ttl
end
test "TTL fields accept plain number strings" do
app = Application.new(
access_token_ttl: "3600",
refresh_token_ttl: "2592000",
id_token_ttl: "3600"
)
assert_equal 3600, app.access_token_ttl
assert_equal 2592000, app.refresh_token_ttl
assert_equal 3600, app.id_token_ttl
end
test "invalid TTL values are set to nil" do
app = Application.new(
access_token_ttl: "invalid",
refresh_token_ttl: "bad",
id_token_ttl: "nope"
)
assert_nil app.access_token_ttl
assert_nil app.refresh_token_ttl
assert_nil app.id_token_ttl
end
test "validation still works with parsed values" do
app = Application.new(
name: "Test",
slug: "test",
app_type: "oidc",
redirect_uris: "https://example.com/callback"
)
# Too short (below 5 minutes)
app.access_token_ttl = "1m"
assert_not app.valid?
assert_includes app.errors[:access_token_ttl], "must be greater than or equal to 300"
# Too long (above 24 hours for access token)
app.access_token_ttl = "2d"
assert_not app.valid?
assert_includes app.errors[:access_token_ttl], "must be less than or equal to 86400"
# Just right
app.access_token_ttl = "1h"
app.valid? # Revalidate
assert app.errors[:access_token_ttl].blank?
end
test "can create OIDC app with human-friendly TTL values" do
app = Application.create!(
name: "Test App",
slug: "test-app",
app_type: "oidc",
redirect_uris: "https://example.com/callback",
access_token_ttl: "1h",
refresh_token_ttl: "30d",
id_token_ttl: "2h"
)
assert_equal 3600, app.access_token_ttl
assert_equal 2592000, app.refresh_token_ttl
assert_equal 7200, app.id_token_ttl
end
end

153
test/services/oidc_jwt_service_test.rb
View File

@@ -57,7 +57,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
end
test "should generate id token with required claims" do
token = @service.generate_id_token(@user, @application)
token = @service.generate_id_token(@user, @application, scopes: "openid email profile")
assert_not_nil token, "Should generate token"
assert token.length > 100, "Token should be substantial"
@@ -88,7 +88,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
admin_group = groups(:admin_group)
@user.groups << admin_group unless @user.groups.include?(admin_group)
token = @service.generate_id_token(@user, @application)
token = @service.generate_id_token(@user, @application, scopes: "openid groups")
decoded = JWT.decode(token, nil, false).first
assert_includes decoded["groups"], "Administrators", "Should include user's groups"
@@ -248,10 +248,10 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
end
test "should handle access token generation" do
token = @service.generate_id_token(@user, @application)
token = @service.generate_id_token(@user, @application, scopes: "openid email")
decoded = JWT.decode(token, nil, false).first
# ID tokens always include email_verified
# ID tokens include email_verified when email scope is requested
assert_includes decoded.keys, "email_verified"
assert_equal @user.id.to_s, decoded["sub"], "Should decode subject correctly"
assert_equal @application.client_id, decoded["aud"], "Should decode audience correctly"
@@ -278,7 +278,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
custom_claims: {app_groups: ["admin"], library_access: "all"}
)
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
assert_equal ["admin"], decoded["app_groups"]
@@ -305,7 +305,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
custom_claims: {role: "admin", app_specific: true}
)
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# App-specific claim should win
@@ -330,7 +330,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# User adds roles: ["admin"]
user.update!(custom_claims: {"roles" => ["admin"], "permissions" => ["write"]})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# Roles should be combined (not overwritten)
@@ -360,7 +360,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# User adds roles: ["admin"]
user.update!(custom_claims: {"roles" => ["admin"]})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# All roles should be combined
@@ -382,7 +382,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# User also has "user" role (duplicate)
user.update!(custom_claims: {"roles" => ["user", "admin"]})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# "user" should only appear once
@@ -404,7 +404,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# User overrides max_items and theme, adds to roles
user.update!(custom_claims: {"roles" => ["admin"], "max_items" => 100, "theme" => "dark"})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# Arrays should be combined
@@ -438,7 +438,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
}
})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# Nested hashes should be deep merged
@@ -467,7 +467,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
custom_claims: {"roles" => ["app_admin"]}
)
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# All three sources should be combined
@@ -562,4 +562,133 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
assert_includes decoded.keys, "azp", "Should include azp claim"
assert_equal @application.client_id, decoded["azp"], "azp should be the application's client_id"
end
# Scope-based claim filtering tests (OIDC Core compliance)
test "openid scope only should include minimal required claims" do
token = @service.generate_id_token(@user, @application, scopes: "openid")
decoded = JWT.decode(token, nil, false).first
# Required claims should always be present
assert_includes decoded.keys, "iss", "Should include issuer"
assert_includes decoded.keys, "sub", "Should include subject"
assert_includes decoded.keys, "aud", "Should include audience"
assert_includes decoded.keys, "exp", "Should include expiration"
assert_includes decoded.keys, "iat", "Should include issued at"
assert_includes decoded.keys, "azp", "Should include authorized party"
# Scope-dependent claims should NOT be present
refute_includes decoded.keys, "email", "Should not include email without email scope"
refute_includes decoded.keys, "email_verified", "Should not include email_verified without email scope"
refute_includes decoded.keys, "name", "Should not include name without profile scope"
refute_includes decoded.keys, "preferred_username", "Should not include preferred_username without profile scope"
refute_includes decoded.keys, "groups", "Should not include groups without groups scope"
end
test "email scope should include email claims" do
token = @service.generate_id_token(@user, @application, scopes: "openid email")
decoded = JWT.decode(token, nil, false).first
# Email claims should be present
assert_includes decoded.keys, "email", "Should include email with email scope"
assert_includes decoded.keys, "email_verified", "Should include email_verified with email scope"
assert_equal @user.email_address, decoded["email"]
assert_equal true, decoded["email_verified"]
# Profile claims should NOT be present
refute_includes decoded.keys, "name", "Should not include name without profile scope"
refute_includes decoded.keys, "preferred_username", "Should not include preferred_username without profile scope"
end
test "profile scope should include profile claims" do
token = @service.generate_id_token(@user, @application, scopes: "openid profile")
decoded = JWT.decode(token, nil, false).first
# Profile claims should be present
assert_includes decoded.keys, "name", "Should include name with profile scope"
assert_includes decoded.keys, "preferred_username", "Should include preferred_username with profile scope"
assert_equal @user.email_address, decoded["name"]
assert_equal @user.email_address, decoded["preferred_username"]
# Email claims should NOT be present
refute_includes decoded.keys, "email", "Should not include email without email scope"
refute_includes decoded.keys, "email_verified", "Should not include email_verified without email scope"
end
test "groups scope should include groups claim" do
admin_group = groups(:admin_group)
@user.groups << admin_group unless @user.groups.include?(admin_group)
token = @service.generate_id_token(@user, @application, scopes: "openid groups")
decoded = JWT.decode(token, nil, false).first
# Groups claim should be present
assert_includes decoded.keys, "groups", "Should include groups with groups scope"
assert_includes decoded["groups"], "Administrators"
# Email and profile claims should NOT be present
refute_includes decoded.keys, "email", "Should not include email without email scope"
refute_includes decoded.keys, "name", "Should not include name without profile scope"
end
test "groups scope should not include groups claim when user has no groups" do
# Ensure user has no groups
@user.groups.clear
token = @service.generate_id_token(@user, @application, scopes: "openid groups")
decoded = JWT.decode(token, nil, false).first
# Groups claim should not be present when user has no groups
refute_includes decoded.keys, "groups", "Should not include empty groups claim"
end
test "multiple scopes should include all requested claims" do
admin_group = groups(:admin_group)
@user.groups << admin_group unless @user.groups.include?(admin_group)
token = @service.generate_id_token(@user, @application, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# All scope-based claims should be present
assert_includes decoded.keys, "email", "Should include email"
assert_includes decoded.keys, "email_verified", "Should include email_verified"
assert_includes decoded.keys, "name", "Should include name"
assert_includes decoded.keys, "preferred_username", "Should include preferred_username"
assert_includes decoded.keys, "groups", "Should include groups"
end
test "scope parameter should handle space-separated string" do
token = @service.generate_id_token(@user, @application, scopes: "openid email profile")
decoded = JWT.decode(token, nil, false).first
assert_includes decoded.keys, "email", "Should parse space-separated scopes"
assert_includes decoded.keys, "name", "Should parse space-separated scopes"
end
test "custom claims should always be merged regardless of scopes" do
user = users(:bob)
app = applications(:another_app)
# Add user custom claim
user.update!(custom_claims: {"custom_field" => "custom_value"})
# Request only openid scope (no email, profile, or groups)
token = @service.generate_id_token(user, app, scopes: "openid")
decoded = JWT.decode(token, nil, false).first
# Custom claims should be present even with minimal scopes
assert_equal "custom_value", decoded["custom_field"], "Custom claims should be included regardless of scopes"
# Standard claims should be filtered
refute_includes decoded.keys, "email", "Should not include email without email scope"
refute_includes decoded.keys, "name", "Should not include name without profile scope"
end
end