rodauth-oauth 1.6.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP

Session Management OP, RP-Initiated Logout OP, Front-Channel OP, Back-Channel OP

# as simple as

rodauth do

enable :oauth_authorization_code_grant

# or

enable :oidc

end

Among its features, it supports:

* Authorization Code Grant

* Refresh Token Grant

* Implicit Grant

* Client Credentials Grant

* Device Code Grant

* Token Revocation

* Token Introspection

* Auth Server Metadata

* PKCE

* Resource Indicators

* JWT Access Tokens

* mTLS Client Authentication

* Assertion Framework

* SAML 2.0 Bearer Assertion Grant

* JWT Bearer Assertion Grant

* JWT Secured authorization requests (JAR)

* JWT Secured authorization response mode (JARM)

* Pushed Authorization requests (PAR)

* Demonstrating Proof-of-Possession at the Application Layer (DPoP)

* Dynamic Client Registration

* OpenID

* OpenID Discovery

* OpenID Multiple Response types

* OpenID Self Issued Tokens

* OpenID Connect Dynamic Client Registration

* OpenID Session Management

* OpenID RP Initiated Logout

* OpenID Frontchannel Logout

* OpenID Backchannel Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

# 1.6.0

## Improvements

### "at+jwt" and "id_token+jwt" ty header in JWT tokens

In order to distinguish/identify tokens, JWT access tokens generated by the `oauth_jwt` feature will contain the "at+jwt" value in the "typ" header (which follows the [recomendation in the RFC](https://datatracker.ietf.org/doc/html/rfc9068#section-2.1)), whereas ID tokens generated by the `oidc` feature will contain the "id_token+jwt" value in the "typ" header (there is no official recommendation, but some providers are using this).

**Note**: This header will also be used to validate access tokens. This means that, once you upgrade, **access tokens generated prior to the upgrade won't be usable anymore**. In order to mitigate this and smoothen the upgrade process, disable header verification for a period greater than the access token expiration time in your application (controlled by the `oauth_access_token_expires_in` auth value method, 60 minutes by default); this will allow older access tokens to expire. You can so by overriding the `verify_access_token_headers` auth method:

```ruby

rodauth do
  enable :oauth_jwt # or :oidc
  oauth_access_token_expires_in 60 * 60

  verify_access_token_headers { } # do nothing
end