Class: Himari::DynamicClientRegistration

Inherits:

Object

• Object
• Himari::DynamicClientRegistration

Defined in:

lib/himari/dynamic_client_registration.rb

Overview

A client created at runtime via RFC 7591 Dynamic Client Registration, persisted in storage. This is purely a storage/registration record: the registration endpoint interacts with it directly, while the OIDC endpoints only ever see the plain ClientRegistration produced by #to_client_registration at the provider layer.

Defined Under Namespace

Classes: ValidationError

Constant Summary

REGISTRATION_LIFETIME =

Default registration lifetime; overridable per deployment via Middlewares::DynamicClients.

180 * 86400

SUPPORTED_GRANT_TYPES =

%w(authorization_code refresh_token).freeze

SUPPORTED_RESPONSE_TYPES =

%w(code).freeze

SUPPORTED_TOKEN_ENDPOINT_AUTH_METHODS =

%w(none client_secret_basic client_secret_post).freeze

DEFAULT_TOKEN_ENDPOINT_AUTH_METHOD =

'client_secret_basic'

MAX_REDIRECT_URIS =

32

MAX_URI_LENGTH =

2000

MAX_CLIENT_NAME_LENGTH =

60

DANGEROUS_REDIRECT_URI_SCHEMES =

%w(javascript data vbscript file blob).freeze

Instance Attribute Summary

• #client_id_issued_at ⇒ Object readonly

  Returns the value of attribute client_id_issued_at.

• #client_name ⇒ Object readonly

  Returns the value of attribute client_name.

• #client_uri ⇒ Object readonly

  Returns the value of attribute client_uri.

• #expiry ⇒ Object readonly

  Returns the value of attribute expiry.

• #grant_types ⇒ Object readonly

  Returns the value of attribute grant_types.

• #id ⇒ Object readonly

  Returns the value of attribute id.

• #ignore_localhost_redirect_uri_port ⇒ Object readonly

  Returns the value of attribute ignore_localhost_redirect_uri_port.

• #preferred_key_group ⇒ Object readonly

  Returns the value of attribute preferred_key_group.

• #redirect_uris ⇒ Object readonly

  Returns the value of attribute redirect_uris.

• #registration_ip ⇒ Object readonly

  Returns the value of attribute registration_ip.

• #registration_remote_addr ⇒ Object readonly

  Returns the value of attribute registration_remote_addr.

• #registration_x_forwarded_for ⇒ Object readonly

  Returns the value of attribute registration_x_forwarded_for.

• #response_types ⇒ Object readonly

  Returns the value of attribute response_types.

• #scope ⇒ Object readonly

  Returns the value of attribute scope.

• #secret ⇒ Object readonly

  Returns the value of attribute secret.

• #secret_hash ⇒ Object readonly

  Returns the value of attribute secret_hash.

• #token_endpoint_auth_method ⇒ Object readonly

  Returns the value of attribute token_endpoint_auth_method.

Class Method Summary

• .from_json(hash) ⇒ Object
• .register(metadata:, registration_ip: nil, registration_remote_addr: nil, registration_x_forwarded_for: nil, lifetime: REGISTRATION_LIFETIME, ignore_localhost_redirect_uri_port: true, now: Time.now) ⇒ DynamicClientRegistration

  Build and validate a registration from RFC 7591 client metadata.

• .validate_client_uri(given) ⇒ Object
• .validate_redirect_uris(given) ⇒ Object

Instance Method Summary

• #active?(now = Time.now) ⇒ Boolean
• #as_json ⇒ Object
• #as_log ⇒ Object
• #confidential? ⇒ Boolean
• #initialize(id:, redirect_uris:, token_endpoint_auth_method:, grant_types:, response_types:, client_id_issued_at:, expiry:, secret: nil, secret_hash: nil, client_name: nil, client_uri: nil, scope: nil, preferred_key_group: nil, registration_ip: nil, registration_remote_addr: nil, registration_x_forwarded_for: nil, ignore_localhost_redirect_uri_port: true) ⇒ DynamicClientRegistration constructor

  A new instance of DynamicClientRegistration.

• #registration_response ⇒ Object

  RFC 7591 §3.2.1 client information response.

• #require_pkce ⇒ Object

  Public clients have no secret to bind the authorization code, so PKCE is mandatory.

• #to_client_registration(skip_consent: false, scopes: ClientRegistration::IMPLICIT_SCOPES) ⇒ Object

  The client object the OIDC authorization/token endpoints consume.

Constructor Details

#initialize(id:, redirect_uris:, token_endpoint_auth_method:, grant_types:, response_types:, client_id_issued_at:, expiry:, secret: nil, secret_hash: nil, client_name: nil, client_uri: nil, scope: nil, preferred_key_group: nil, registration_ip: nil, registration_remote_addr: nil, registration_x_forwarded_for: nil, ignore_localhost_redirect_uri_port: true) ⇒ DynamicClientRegistration

Returns a new instance of DynamicClientRegistration.

# File 'lib/himari/dynamic_client_registration.rb', line 138

def initialize(id:, redirect_uris:, token_endpoint_auth_method:, grant_types:, response_types:, client_id_issued_at:, expiry:, secret: nil, secret_hash: nil, client_name: nil, client_uri: nil, scope: nil, preferred_key_group: nil, registration_ip: nil, registration_remote_addr: nil, registration_x_forwarded_for: nil, ignore_localhost_redirect_uri_port: true)
  @id = id
  @redirect_uris = redirect_uris
  @token_endpoint_auth_method = token_endpoint_auth_method
  @grant_types = grant_types
  @response_types = response_types
  @client_id_issued_at = client_id_issued_at
  @expiry = expiry
  @secret = secret
  @secret_hash = secret_hash
  @client_name = client_name
  @client_uri = client_uri
  @scope = scope
  @preferred_key_group = preferred_key_group
  @registration_ip = registration_ip
  @registration_remote_addr = registration_remote_addr
  @registration_x_forwarded_for = registration_x_forwarded_for
  @ignore_localhost_redirect_uri_port = ignore_localhost_redirect_uri_port
end

Instance Attribute Details

#client_id_issued_at ⇒ Object (readonly)

Returns the value of attribute client_id_issued_at.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def client_id_issued_at
  @client_id_issued_at
end

#client_name ⇒ Object (readonly)

Returns the value of attribute client_name.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def client_name
  @client_name
end

#client_uri ⇒ Object (readonly)

Returns the value of attribute client_uri.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def client_uri
  @client_uri
end

#expiry ⇒ Object (readonly)

Returns the value of attribute expiry.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def expiry
  @expiry
end

#grant_types ⇒ Object (readonly)

Returns the value of attribute grant_types.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def grant_types
  @grant_types
end

#id ⇒ Object (readonly)

Returns the value of attribute id.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def id
  @id
end

#ignore_localhost_redirect_uri_port ⇒ Object (readonly)

Returns the value of attribute ignore_localhost_redirect_uri_port.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def ignore_localhost_redirect_uri_port
  @ignore_localhost_redirect_uri_port
end

#preferred_key_group ⇒ Object (readonly)

Returns the value of attribute preferred_key_group.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def preferred_key_group
  @preferred_key_group
end

#redirect_uris ⇒ Object (readonly)

Returns the value of attribute redirect_uris.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def redirect_uris
  @redirect_uris
end

#registration_ip ⇒ Object (readonly)

Returns the value of attribute registration_ip.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def registration_ip
  @registration_ip
end

#registration_remote_addr ⇒ Object (readonly)

Returns the value of attribute registration_remote_addr.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def registration_remote_addr
  @registration_remote_addr
end

#registration_x_forwarded_for ⇒ Object (readonly)

Returns the value of attribute registration_x_forwarded_for.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def registration_x_forwarded_for
  @registration_x_forwarded_for
end

#response_types ⇒ Object (readonly)

Returns the value of attribute response_types.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def response_types
  @response_types
end

#scope ⇒ Object (readonly)

Returns the value of attribute scope.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def scope
  @scope
end

#secret ⇒ Object (readonly)

Returns the value of attribute secret.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def secret
  @secret
end

#secret_hash ⇒ Object (readonly)

Returns the value of attribute secret_hash.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def secret_hash
  @secret_hash
end

#token_endpoint_auth_method ⇒ Object (readonly)

Returns the value of attribute token_endpoint_auth_method.

# File 'lib/himari/dynamic_client_registration.rb', line 158

def token_endpoint_auth_method
  @token_endpoint_auth_method
end

Class Method Details

.from_json(hash) ⇒ Object

# File 'lib/himari/dynamic_client_registration.rb', line 132

def self.from_json(hash)
  attrs = hash.dup
  attrs.delete(:ttl)
  new(**attrs)
end

.register(metadata:, registration_ip: nil, registration_remote_addr: nil, registration_x_forwarded_for: nil, lifetime: REGISTRATION_LIFETIME, ignore_localhost_redirect_uri_port: true, now: Time.now) ⇒ DynamicClientRegistration

Build and validate a registration from RFC 7591 client metadata.

Parameters:

• metadata (Hash) —

  parsed client metadata (symbolized keys) from the request body

Returns:

• (DynamicClientRegistration)

Raises:

• (ValidationError)

# File 'lib/himari/dynamic_client_registration.rb', line 42

def self.register(metadata:, registration_ip: nil, registration_remote_addr: nil, registration_x_forwarded_for: nil, lifetime: REGISTRATION_LIFETIME, ignore_localhost_redirect_uri_port: true, now: Time.now)
  raise ValidationError.new(:invalid_client_metadata, 'request body must be a JSON object') unless metadata.is_a?(Hash)

  auth_method = metadata.fetch(:token_endpoint_auth_method, DEFAULT_TOKEN_ENDPOINT_AUTH_METHOD).to_s
  unless SUPPORTED_TOKEN_ENDPOINT_AUTH_METHODS.include?(auth_method)
    raise ValidationError.new(:invalid_client_metadata, "unsupported token_endpoint_auth_method: #{auth_method}")
  end

  grant_types = Array(metadata[:grant_types] || %w(authorization_code)).map(&:to_s)
  unless (grant_types - SUPPORTED_GRANT_TYPES).empty?
    raise ValidationError.new(:invalid_client_metadata, "unsupported grant_types: #{(grant_types - SUPPORTED_GRANT_TYPES).join(",")}")
  end

  response_types = Array(metadata[:response_types] || %w(code)).map(&:to_s)
  unless (response_types - SUPPORTED_RESPONSE_TYPES).empty?
    raise ValidationError.new(:invalid_client_metadata, "unsupported response_types: #{(response_types - SUPPORTED_RESPONSE_TYPES).join(",")}")
  end

  if response_types.include?('code') && !grant_types.include?('authorization_code')
    raise ValidationError.new(:invalid_client_metadata, 'response_type "code" requires grant_type "authorization_code"')
  end

  redirect_uris = validate_redirect_uris(metadata[:redirect_uris])

  client_name = metadata[:client_name]&.to_s
  if client_name && client_name.length > MAX_CLIENT_NAME_LENGTH
    raise ValidationError.new(:invalid_client_metadata, "client_name must not exceed #{MAX_CLIENT_NAME_LENGTH} characters")
  end

  client_uri = validate_client_uri(metadata[:client_uri])

  issued_at = now.to_i
  secret = auth_method == 'none' ? nil : SecureRandom.urlsafe_base64(48)

  new(
    id: SecureRandom.urlsafe_base64(24),
    redirect_uris: redirect_uris,
    token_endpoint_auth_method: auth_method,
    grant_types: grant_types,
    response_types: response_types,
    client_name: client_name,
    client_uri: client_uri,
    scope: metadata[:scope]&.to_s,
    secret: secret,
    secret_hash: secret && Digest::SHA384.hexdigest(secret),
    client_id_issued_at: issued_at,
    expiry: issued_at + lifetime,
    registration_ip: registration_ip,
    registration_remote_addr: registration_remote_addr,
    registration_x_forwarded_for: registration_x_forwarded_for,
    ignore_localhost_redirect_uri_port: ignore_localhost_redirect_uri_port,
  )
end

.validate_client_uri(given) ⇒ Object

Raises:

• (ValidationError)

# File 'lib/himari/dynamic_client_registration.rb', line 116

def self.validate_client_uri(given)
  return if given.nil?

  str = given.to_s
  raise ValidationError.new(:invalid_client_metadata, "client_uri must not exceed #{MAX_URI_LENGTH} characters") if str.length > MAX_URI_LENGTH

  parsed = begin
    Addressable::URI.parse(str)
  rescue Addressable::URI::InvalidURIError
    nil
  end
  raise ValidationError.new(:invalid_client_metadata, "invalid client_uri: #{str}") unless parsed&.scheme && parsed.host

  str
end

.validate_redirect_uris(given) ⇒ Object

Raises:

• (ValidationError)

# File 'lib/himari/dynamic_client_registration.rb', line 96

def self.validate_redirect_uris(given)
  raise ValidationError.new(:invalid_redirect_uri, 'redirect_uris is required and must be a non-empty array') unless given.is_a?(Array) && !given.empty?
  raise ValidationError.new(:invalid_redirect_uri, "redirect_uris must not exceed #{MAX_REDIRECT_URIS} entries") if given.size > MAX_REDIRECT_URIS

  given.map do |uri|
    str = uri.to_s
    parsed = begin
      Addressable::URI.parse(str)
    rescue Addressable::URI::InvalidURIError
      nil
    end
    raise ValidationError.new(:invalid_redirect_uri, "redirect_uri must not exceed #{MAX_URI_LENGTH} characters") if str.length > MAX_URI_LENGTH
    raise ValidationError.new(:invalid_redirect_uri, "invalid redirect_uri: #{str}") unless parsed&.scheme
    raise ValidationError.new(:invalid_redirect_uri, "redirect_uri must not contain a fragment: #{str}") if parsed.fragment
    raise ValidationError.new(:invalid_redirect_uri, "redirect_uri scheme not allowed: #{str}") if DANGEROUS_REDIRECT_URI_SCHEMES.include?(parsed.scheme.downcase)

    str
  end
end

Instance Method Details

#active?(now = Time.now) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/himari/dynamic_client_registration.rb', line 172

def active?(now = Time.now)
  expiry > now.to_i
end

#as_json ⇒ Object

# File 'lib/himari/dynamic_client_registration.rb', line 210

def as_json
  {
    id: id,
    secret_hash: secret_hash,
    redirect_uris: redirect_uris,
    grant_types: grant_types,
    response_types: response_types,
    token_endpoint_auth_method: token_endpoint_auth_method,
    client_name: client_name,
    client_uri: client_uri,
    scope: scope,
    preferred_key_group: preferred_key_group,
    client_id_issued_at: client_id_issued_at,
    expiry: expiry,
    ttl: expiry,
    registration_ip: registration_ip,
    registration_remote_addr: registration_remote_addr,
    registration_x_forwarded_for: registration_x_forwarded_for,
    ignore_localhost_redirect_uri_port: ignore_localhost_redirect_uri_port,
  }
end

#as_log ⇒ Object

# File 'lib/himari/dynamic_client_registration.rb', line 194

def as_log
  {
    id: id,
    token_endpoint_auth_method: token_endpoint_auth_method,
    redirect_uris: redirect_uris,
    grant_types: grant_types,
    response_types: response_types,
    client_name: client_name,
    client_uri: client_uri,
    scope: scope,
    client_id_issued_at: client_id_issued_at,
    expiry: expiry,
    dynamic: true,
  }
end

#confidential? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/himari/dynamic_client_registration.rb', line 163

def confidential?
  token_endpoint_auth_method != 'none'
end

#registration_response ⇒ Object

RFC 7591 §3.2.1 client information response. Includes client_secret only when freshly generated (the plaintext is never persisted, so it is available only right after register).

# File 'lib/himari/dynamic_client_registration.rb', line 234

def registration_response
  response = {
    client_id: id,
    client_id_issued_at: client_id_issued_at,
    redirect_uris: redirect_uris,
    grant_types: grant_types,
    response_types: response_types,
    token_endpoint_auth_method: token_endpoint_auth_method,
    client_name: client_name,
    client_uri: client_uri,
    scope: scope,
  }.compact

  if confidential? && secret
    response[:client_secret] = secret
    response[:client_secret_expires_at] = expiry
  end

  response
end

#require_pkce ⇒ Object

Public clients have no secret to bind the authorization code, so PKCE is mandatory.

# File 'lib/himari/dynamic_client_registration.rb', line 168

def require_pkce
  !confidential?
end

#to_client_registration(skip_consent: false, scopes: ClientRegistration::IMPLICIT_SCOPES) ⇒ Object

The client object the OIDC authorization/token endpoints consume. Dynamic records carry no name (so operator rules keyed on name never match them) and pass through the secret hash only for confidential clients. skip_consent and scopes default to the conservative values and are supplied by the provider from the DynamicClients middleware options.

# File 'lib/himari/dynamic_client_registration.rb', line 180

def to_client_registration(skip_consent: false, scopes: ClientRegistration::IMPLICIT_SCOPES)
  ClientRegistration.new(
    id: id,
    redirect_uris: redirect_uris,
    secret_hash: confidential? ? secret_hash : nil,
    preferred_key_group: preferred_key_group,
    require_pkce: require_pkce,
    confidential: confidential?,
    ignore_localhost_redirect_uri_port: ignore_localhost_redirect_uri_port,
    skip_consent: skip_consent,
    scopes: scopes,
  )
end