rodauth-oauth 1.3.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP

# as simple as

rodauth do

enable :oauth_authorization_code_grant

# or

enable :oidc

end

Among its features, it supports:

* Authorization Code Grant

* Refresh Token Grant

* Implicit Grant

* Client Credentials Grant

* Device Code Grant

* Token Revocation

* Token Introspection

* Auth Server Metadata

* PKCE

* Resource Indicators

* JWT Access Tokens

* mTLS Client Authentication

* Assertion Framework

* SAML 2.0 Bearer Assertion Grant

* JWT Bearer Assertion Grant

* JWT Secured authorization requests (JAR)

* JWT Secured authorization response mode (JARM)

* Pushed Authorization requests

* Dynamic Client Registration

* OpenID

* OpenID Discovery

* OpenID Multiple Response types

* OpenID Self Issued Tokens

* OpenID Connect Dynamic Client Registration

* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 1.3.0 (02/04/2023)

## Features

### Self-Signed Issued Tokens

`rodauth-oauth` supports self-signed issued tokens, via the `oidc_self_issued` feature.

More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/Self-Issued-OpenID).

#### JARM

`rodauth-oauth` supports JWT-secured Authorization Response Mode, also known as JARM, via the `oauth_jwt_secured_authorization_response_mode`.

More info about the feature [in the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/JWT-Secured-Authorization-Response-Mode).

## Improvements

### `fill_with_account_claims` auth method

`fill_with_account_claims` is now exposed as an auth method. This allows one to override to be able to cover certain requirements, such as aggregated and distributed claims. Here's a [link to the docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/Id-Token-Authentication#claim-types) explaining how to do it.

### oidc: only generate refresh token when `offline_access` scope is used.

When the `oidc` feature is used, refresh tokens won't be generated anymore by default; in order to do so, the `offline_access` needs to be requested for in the respective authorization request, [as the spec mandates](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess).

### oidc: implicit grant loaded by default

The `oidc` feature now loads the `oauth_implicit_grant` feature by default. This hadn't been done before due to the wish to ship a secure integration by default, but since then, spec compliance became more prioritary, and this is a requirement.

## Bugfixes

* rails integration: activerecord migrations fixes:
* use `bigint` for foreign keys;
* index creation instruction with the wrong syntax;
* set precision 6 for default timestamps, to comply with AR defaults;
* add missing `code` column to the `oauth_pushed_requests` table;
* oidc: when using the `id_token` , or any composite response type including `id_token`, using any response mode other than `fragment` will result in an invalid request.