
rodauth-oauth 1.4.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers.

rodauth-oauth is certified <https://openid.net/certification/> for the following profiles of the OpenID Connect™ protocol: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP, Session Management OP, RP-Initiated Logout OP, Front-Channel OP, Back-Channel OP

```ruby
# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end
```

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests (JAR)
* JWT Secured authorization response mode (JARM)
* Pushed Authorization requests (PAR)
* Demonstrating Proof-of-Possession at the Application Layer (DPoP)
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Self Issued Tokens
* OpenID Connect Dynamic Client Registration
* OpenID Session Management
* OpenID RP Initiated Logout
* OpenID Frontchannel Logout
* OpenID Backchannel Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

# 1.5.0

## Highlights

### OAuth DPoP Support

`rodauth-oauth` supports Demonstrating Proof-of-Possession at the Application Layer (also known as DPoP), via the `oauth_dpop` feature.

This provides a mechanism to bind access tokens to a particular client based on public key cryptography. More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/DPoP).

## Improvements

All features managing cookies are now able to configure them as "session cookies" (i.e. removed on browser shutdown) by setting the expiration interval auth method to `nil`. This includes:

* `oauth_prompt_login_interval` (from the `oidc` feature)
* `oauth_oidc_user_agent_state_cookie_expires_in` (from the `oidc_session_management` feature)

## Bugfixes

* when using the `oauth_token_introspection` feature, the `token_type` has been fixed to show "Bearer" (instead of "access_token").
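The DPoP binding described under "OAuth DPoP Support", as an added example that is not rodauth-oauth's own code: the client signs a proof JWT with its key, and the server verifies the signature against the embedded JWK, checks the HTTP method and URL, freshness, and replay, and compares the key thumbprint with the `jkt` the access token was bound to. The function names and the RS256 choice are assumptions for illustration; the checks themselves follow RFC 9449 (DPoP) and RFC 7638 (JWK thumbprint), not the gem's API.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "set"

# Added example, not rodauth-oauth code: a minimal DPoP (RFC 9449) proof
# builder plus the server-side checks that tie a token to the client key.
B64 = ->(bytes) { Base64.urlsafe_encode64(bytes, padding: false) }

def jwk_for(rsa_key)
  { "e" => B64.(rsa_key.e.to_s(2)), "kty" => "RSA", "n" => B64.(rsa_key.n.to_s(2)) }
end

# RFC 7638 thumbprint (the "jkt" value an access token carries in its cnf claim).
def jwk_thumbprint(jwk)
  B64.(OpenSSL::Digest::SHA256.digest(JSON.generate(jwk.slice("e", "kty", "n"))))
end

# Client side: sign a proof over the HTTP method and target URL.
def build_dpop_proof(rsa_key, htm:, htu:, iat: Time.now.to_i)
  header  = { "typ" => "dpop+jwt", "alg" => "RS256", "jwk" => jwk_for(rsa_key) }
  payload = { "jti" => SecureRandom.uuid, "htm" => htm, "htu" => htu, "iat" => iat }
  input = "#{B64.(JSON.generate(header))}.#{B64.(JSON.generate(payload))}"
  "#{input}.#{B64.(rsa_key.sign("SHA256", input))}"
end

# Server side: returns nil when the proof is valid, otherwise the failing check.
# seen_jti is a Set used to reject replayed proofs; bound_jkt is the token's cnf.jkt.
def verify_dpop_proof(proof, htm:, htu:, bound_jkt:, seen_jti:, now: Time.now.to_i, max_age: 60)
  h, p, s = proof.split(".")
  header  = JSON.parse(Base64.urlsafe_decode64(h))
  payload = JSON.parse(Base64.urlsafe_decode64(p))
  return :typ unless header["typ"] == "dpop+jwt" && header["alg"] == "RS256"
  jwk = header["jwk"] or return :jwk
  # Rebuild the public key from the embedded JWK (PKCS#1 RSAPublicKey DER).
  n = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk["n"]), 2)
  e = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk["e"]), 2)
  key = OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der)
  return :signature unless key.verify("SHA256", Base64.urlsafe_decode64(s), "#{h}.#{p}")
  return :htm unless payload["htm"] == htm
  return :htu unless payload["htu"] == htu
  return :iat unless payload["iat"].is_a?(Integer) && (now - payload["iat"]).abs <= max_age
  return :jti if payload["jti"].nil? || !seen_jti.add?(payload["jti"])
  return :binding unless jwk_thumbprint(jwk) == bound_jkt
  nil
end
```

A stolen bearer-style token is useless to a holder that lacks the private key: it fails at the `:binding` step, and a captured proof fails at `:jti` on replay.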