rodauth-oauth 1.2.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP.

# as simple as

rodauth do

enable :oauth_authorization_code_grant

# or

enable :oidc

end

Among its features, it supports:

* Authorization Code Grant

* Refresh Token Grant

* Implicit Grant

* Client Credentials Grant

* Device Code Grant

* Token Revocation

* Token Introspection

* Auth Server Metadata

* PKCE

* Resource Indicators

* JWT Access Tokens

* mTLS Client Authentication

* Assertion Framework

* SAML 2.0 Bearer Assertion Grant

* JWT Bearer Assertion Grant

* JWT Secured authorization requests

* Pushed Authorization requests

* Dynamic Client Registration

* OpenID

* OpenID Discovery

* OpenID Multiple Response types

* OpenID Connect Dynamic Client Registration

* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 1.2.0 (13/02/2023)

### Features

#### Pushed Authorization Requests (PAR)

RFC: https://datatracker.ietf.org/doc/html/rfc9126

`rodauth-oauth` supports Pushed Authorization Requests, via the `:oauth_pushed_authorization_request` feature.

More info about the feature [in the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/Pushed-Authorization-Requests).

#### mTLS Client Auth (+ certificate-bound access tokens)

RFC: https://www.rfc-editor.org/rfc/rfc8705

The `:oauth_tls_client_auth` feature adds support for the variants of mTLS Client Authentication "PKI Mutual-TLS Method" and 2Self-Signed Certificate Mutual-TLS Method". It also supports client certificate bound access tokens.

More about it [in the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/mTLS-Client-Authentication).

#### Dynamic Client Registration management

RFC: https://www.rfc-editor.org/rfc/rfc7592

Support for dynamci client registration management was added to the `:oauth_dynamic_client_registration` feature.

More info about it [in the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/Dynamic-Client-Registration#getputdelete-registerclient_id).

### Improvements

* Support for 3rd-party initiated login was added, by including support for the `initiate_login_uri` attribute in the register route from the `:oauth_dynamic_client_registration` feature.
* Support for multitenant resource ownership was added, here's a [description from the wiki](https://gitlab.com/os85/rodauth-oauth/-/wikis/How-to#scoping-grants-from-the-same-resource-owner).

### Bugfixes

* oidc: userinfo claims were not including claims with value `false`, such as `"email_verified"`. This behaviour has been fixed, and only claims of value `null` are omitted.

## 1.1.0 (10/01/2023)

## Features

### Loopback Interface Redirection URI support

https://www.rfc-editor.org/rfc/rfc8252#section-7.3

Redirect URIs based on loopback addresses ("127.0.0.1", "::1") are now supported when used in an authorization request with an ephemeral port (@avdigrimm).