
rodauth-oauth 1.0.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified <https://openid.net/certification/> for the following profiles of the OpenID Connect™ protocol: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP.

```ruby
# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end
```

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 1.0.0 (15/12/2022)

## Highlights

rodauth-oauth is now [OpenID certified](https://openid.net/certification/) for the following certification profiles:

* Basic OP
* Implicit OP
* Hybrid OP
* Config OP
* Dynamic OP
* Form Post OP

and passes the conformance tests for RP-Initiated Logout OP.

The OIDC server used to run the test can be found [here](https://gitlab.com/os85/rodauth-oauth/-/blob/master/examples/oidc/authentica...) and deployed [here](https://rodauth-oauth-oidc.onrender.com).
### Breaking changes

The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the [migration guide](https://gitlab.com/os85/rodauth-oauth/-/blob/6465b8522a78cf0037a55d3d4b81f68...). A short list of the main highlights:

* Ruby 2.5 or higher is required.
* `oauth_http_mac` feature removed.
* `oauth_tokens` table (and resource) removed; only `oauth_applications` and `oauth_grants` remain, and access and refresh tokens are now properties of the latter.
* access and refresh tokens are hashed by default when stored in the database.
* default oauth response mode is `"form_post"`.
* oauth-specific features require explicit enablement of the respective features (no more `enable :oauth`).
* refresh token policy is "rotation" by default.
* homepage URL is no longer a required client application property.
* OIDC RP-initiated logout extracted into the `oidc_rp_initiated_logout` feature.

### Features

The following helpers are exposed in the `rodauth` object:

* `current_oauth_account` - returns the dataset row for the `rodauth` account associated with the oauth access token in the "authorization" header.
* `current_oauth_application` - returns the dataset row for the oauth application associated with the oauth access token in the "authorization" header.

When used in `rails` via `rodauth-rails`, both are exposed directly as controller helpers.

#### `oauth_resource_server` plugin

This plugin can be used as a convenience when configuring resource servers.

#### JAR support for the request_uri query param

The `oauth_jwt_secured_authorization_request` plugin now supports the `request_uri` query param as well.

#### OIDC features

* The `oidc` plugin supports [essential claims](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter), via the `claims` authorization request query parameter.
* id token is now built with the `"c_hash"` and `"at_hash"` claims whenever they are required.
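The `"c_hash"` and `"at_hash"` claims mentioned above are defined by OpenID Connect Core 1.0 (sections 3.3.2.10 and 3.3.2.11). As an added illustration that is not rodauth-oauth's own code, here is how a provider derives them and how a relying party checks them; the `TokenHash` module name and the constant-time comparison are choices of this example.

```ruby
require "digest"

# Added example (not rodauth-oauth's own code): builds and checks the OIDC
# "c_hash" / "at_hash" claims as OpenID Connect Core 1.0 defines them.
# The hash function follows the ID token's signing alg (RS256 -> SHA-256,
# ES384 -> SHA-384, PS512 -> SHA-512); the claim is the base64url-encoded
# left-most half of the digest, without padding.
module TokenHash
  DIGESTS = {
    "256" => Digest::SHA256,
    "384" => Digest::SHA384,
    "512" => Digest::SHA512,
  }.freeze

  # Claim value for a code or access token, given the ID token's alg.
  def self.compute(value, alg)
    bits = alg.to_s[/\d{3}\z/] # "RS256" -> "256"; "none" -> nil
    digest_class = DIGESTS.fetch(bits) { raise ArgumentError, "unsupported alg #{alg}" }
    digest = digest_class.digest(value)
    half = digest.byteslice(0, digest.bytesize / 2)
    [half].pack("m0").tr("+/", "-_").delete("=") # base64url, no padding
  end

  # Relying-party check for the "code id_token" and "id_token token" response
  # types: the ID token must bind the code / access token returned beside it.
  # Compares in constant time so a wrong claim does not leak how far it matched.
  def self.valid?(claim, value, alg)
    expected = compute(value, alg)
    return false unless claim.is_a?(String) && claim.bytesize == expected.bytesize

    diff = 0
    claim.bytes.zip(expected.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end
```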
### Improvements

* `:oauth_introspect` plugin: the OAuth introspection endpoint exposes the token's `"username"` claim.
* endpoint client authentication supports "client credentials grant" access tokens.
* `acr_values_supported` exposed in the openid configuration.
* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an accepted request object signing alg when `true` (`false` by default).
* OIDC `offline_access` supported.

### Bugfixes

* fixed `oidc` calculation of the `"auth_time"` claim.
* JWT: `"sub"` is now always a string.
* `response_type` is now a required authorization request parameter (as per the RFC).
* `state` is now passed along when redirecting from authorization requests with `error`.
* access token can now be read from the POST body or GET query params (as per the RFC).
* id token no longer ships claims with a `null` value.
* id token no longer encodes claims by default (only when `response_type=id_token`, as per the RFC).
* support "JWT without kid" when decoding JWT tokens not generated by the provider (such as request objects).
* set `iss` and `aud` claims in the Userinfo JWT response.
* make sure errors are also delivered via form POST when `response_mode=form_post`.
* authorization request now shows an error page when `response_type` or `client_id` is missing, or `redirect_uri` is missing or invalid; a new `"authorize_error"` template is invoked in such cases.
* oidc: nonce is present in the id token when using the "id_token token" response type.
* error parameter is delivered in the URL fragment when an implicit grant authorization request fails.
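Two items in these notes, access tokens being hashed before they are stored (Breaking changes) and the access token being accepted from the POST body or GET query params (Bugfixes), are illustrated together by this added example, which is not rodauth-oauth's own code; the `ResourceServer` class and the request hash shape are constructed for the example.

```ruby
require "digest"
require "securerandom"

# Added example (not rodauth-oauth's own code): a minimal resource server that
# persists only the SHA-256 digest of each access token and accepts the bearer
# token via any one of the three RFC 6750 transports, refusing more than one.
class ResourceServer
  Grant = Struct.new(:account_id, :scopes, :expires_at)

  def initialize
    @grants_by_digest = {} # digest => Grant; the plaintext token is never stored
  end

  # Issues a random token and stores its digest only, so a leaked database
  # does not hand out usable bearer tokens. Returns the plaintext to the client.
  def issue(account_id, scopes, ttl: 3600)
    token = SecureRandom.urlsafe_base64(32)
    @grants_by_digest[digest(token)] = Grant.new(account_id, scopes, Time.now + ttl)
    token
  end

  # request is a constructed hash: { headers: {}, form: {}, query: {} }.
  # Returns [:ok, grant] or [:error, reason].
  def authenticate(request)
    candidates = []
    auth = request.fetch(:headers, {})["Authorization"].to_s
    candidates << auth.sub(/\ABearer\s+/i, "") if auth.match?(/\ABearer\s+\S/i)
    candidates << request.fetch(:form, {})["access_token"]
    candidates << request.fetch(:query, {})["access_token"]
    candidates.compact!

    return [:error, "missing token"] if candidates.empty?
    # RFC 6750, section 2: a client MUST NOT use more than one transport.
    return [:error, "more than one token transport"] if candidates.size > 1

    grant = @grants_by_digest[digest(candidates.first)]
    return [:error, "invalid token"] unless grant
    return [:error, "token expired"] if grant.expires_at < Time.now

    [:ok, grant]
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```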