rodauth-oauth 1.4.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP

Session Management OP, RP-Initiated Logout OP, Front-Channel OP, Back-Channel OP

# as simple as

rodauth do

enable :oauth_authorization_code_grant

# or

enable :oidc

end

Among its features, it supports:

* Authorization Code Grant

* Refresh Token Grant

* Implicit Grant

* Client Credentials Grant

* Device Code Grant

* Token Revocation

* Token Introspection

* Auth Server Metadata

* PKCE

* Resource Indicators

* JWT Access Tokens

* mTLS Client Authentication

* Assertion Framework

* SAML 2.0 Bearer Assertion Grant

* JWT Bearer Assertion Grant

* JWT Secured authorization requests (JAR)

* JWT Secured authorization response mode (JARM)

* Pushed Authorization requests (PAR)

* Demonstrating Proof-of-Possession at the Application Layer (DPoP)

* Dynamic Client Registration

* OpenID

* OpenID Discovery

* OpenID Multiple Response types

* OpenID Self Issued Tokens

* OpenID Connect Dynamic Client Registration

* OpenID Session Management

* OpenID RP Initiated Logout

* OpenID Frontchannel Logout

* OpenID Backchannel Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

# 1.5.0

## Highlights

### OAuth DPoP Support

`rodauth-oauth` supports Demonstrating Proof-of-Possession at the Application Layer (also known as DPoP), via the `oauth_dpop` feature. This provides a mechanism to bind access tokens to a particular client based on public key cryptography.

More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/DPoP).

## Improvements

All features managing cookies are now able to configure them as "session cookies" (i.e. removed on browser shutdown) by setting the expiration interval auth method to `nil`. This ncludes:

* `oauth_prompt_login_interval` (from the `oidc` feature)
* `oauth_oidc_user_agent_state_cookie_expires_in` (from the `oidc_session_management` feature)

## Bugfixes

* when using the `oauth_token_instrospection` feature, the `token_type` has been fixed to show "Bearer" (instead of "access_token").