
rodauth-oauth 1.2.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers.

rodauth-oauth is certified <https://openid.net/certification/> for the following profiles of the OpenID Connect™ protocol: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP.

```ruby
# as simple as
rodauth do
  enable :oauth_authorization_code_grant # or enable :oidc
end
```

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests
* Pushed Authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 1.2.0 (13/02/2023)

### Features

#### Pushed Authorization Requests (PAR)

RFC: https://datatracker.ietf.org/doc/html/rfc9126

`rodauth-oauth` supports Pushed Authorization Requests, via the `:oauth_pushed_authorization_request` feature. More info about the feature [in the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/Pushed-Authorization-Requests).
#### mTLS Client Auth (+ certificate-bound access tokens)

RFC: https://www.rfc-editor.org/rfc/rfc8705

The `:oauth_tls_client_auth` feature adds support for the variants of mTLS Client Authentication "PKI Mutual-TLS Method" and "Self-Signed Certificate Mutual-TLS Method". It also supports client certificate bound access tokens. More about it [in the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/mTLS-Client-Authentication).

#### Dynamic Client Registration management

RFC: https://www.rfc-editor.org/rfc/rfc7592

Support for dynamic client registration management was added to the `:oauth_dynamic_client_registration` feature. More info about it [in the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/Dynamic-Client-Registration#ge...).

### Improvements

* Support for 3rd-party initiated login was added, by including support for the `initiate_login_uri` attribute in the register route from the `:oauth_dynamic_client_registration` feature.
* Support for multitenant resource ownership was added; here's a [description from the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/How-to#scoping-grants-from-the...).

### Bugfixes

* oidc: userinfo claims were not including claims with value `false`, such as `"email_verified"`. This behaviour has been fixed, and only claims of value `null` are omitted.

## 1.1.0 (10/01/2023)

### Features

#### Loopback Interface Redirection URI support

https://www.rfc-editor.org/rfc/rfc8252#section-7.3

Redirect URIs based on loopback addresses ("127.0.0.1", "::1") are now supported when used in an authorization request with an ephemeral port (@avdigrimm).
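The loopback rule above, as an added example that is not rodauth-oauth's own code: a redirect URI comparison in which only the port may differ from the registered value, and only for the loopback IP literals named in RFC 8252 section 7.3. The function names and the choice not to treat `localhost` as loopback are this example's assumptions.

```ruby
require "uri"

# Added example (not rodauth-oauth's own code). A native app registers
# e.g. "http://127.0.0.1/callback" and, at request time, sends whatever
# ephemeral port it managed to bind, e.g. "http://127.0.0.1:51823/callback".
# Per RFC 8252 section 7.3 the server must accept any port for loopback IP
# literals, while scheme, host, path and query must still match exactly.
# "localhost" is deliberately not on this list (assumption of this example,
# in line with the RFC's advice): it can resolve to a non-loopback address.
LOOPBACK_HOSTS = %w[127.0.0.1 ::1].freeze

def loopback_host?(hostname)
  LOOPBACK_HOSTS.include?(hostname)
end

# Returns true when +requested+ is acceptable for the registered URI.
def redirect_uri_matches?(registered, requested)
  # An exact match is always acceptable, loopback or not.
  return true if registered == requested

  reg = URI.parse(registered)
  req = URI.parse(requested)

  # The port relaxation applies only to plain http on a loopback IP literal
  # (hostname strips the brackets from "[::1]").
  return false unless reg.scheme == "http" && req.scheme == "http"
  return false unless loopback_host?(reg.hostname) && reg.hostname == req.hostname

  # Everything but the port must match; fragments are never allowed.
  reg.path == req.path && reg.query == req.query &&
    reg.fragment.nil? && req.fragment.nil?
rescue URI::InvalidURIError
  false
end
```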