rodauth-oauth 1.0.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP.

# as simple as

rodauth do

enable :oauth_authorization_code_grant

# or

enable :oidc

end

Among its features, it supports:

* Authorization Code Grant

* Refresh Token Grant

* Implicit Grant

* Client Credentials Grant

* Device Code Grant

* Token Revocation

* Token Introspection

* Auth Server Metadata

* PKCE

* Resource Indicators

* JWT Access Tokens

* Assertion Framework

* SAML 2.0 Bearer Assertion Grant

* JWT Bearer Assertion Grant

* JWT Secured authorization requests

* Dynamic Client Registration

* OpenID

* OpenID Discovery

* OpenID Multiple Response types

* OpenID Connect Dynamic Client Registration

* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 1.0.0 (15/12/2022)

## Highlights

rodauth-oauth is now [OpenID certified](https://openid.net/certification/) for the following certification profiles:

* Basic OP
* Implicit OP
* Hybrid OP
* Config OP
* Dynamic OP
* Form Post OP

and passes the conformance tests for RP-Initiated Logout OP.

The OIDC server used to run the test can be found [here](https://gitlab.com/os85/rodauth-oauth/-/blob/master/examples/oidc/authentication_server.rb) and deployed [here](https://rodauth-oauth-oidc.onrender.com).

### Breaking changes

The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the [migration guide](https://gitlab.com/os85/rodauth-oauth/-/blob/6465b8522a78cf0037a55d3d4b81f68f7811be68/MIGRATION-GUIDE-v1.md).

A short list of the main highlights:

* Ruby 2.5 or higher is required.
* `oauth_http_mac` feature removed.
* `oauth_tokens` table (and resource) were removed (only `oauth_applications` and `oauth_grants`, access and refresh tokens are now properties of the latter).
* access and refresh tokens hashed by default when stored in the database.
* default oauth response mode is `"form_post"`.
* oauth specific features require explicit enablement of respective features (no more `enable :oauth`)
* refresh token policy is "rotation" by default
* homepage url is no longer a client application required property.
* OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout` feature.

### Features

The following helpers are exposed in the `rodauth` object:

* `current_oauth_account` - returns the dataset row for the `rodauth` account associated to an oauth access token in the "authorization" header.
* `current_oauth_application` - returns the dataset row for the oauth application associated to an oauth access token in the "authorization" header.

When used in `rails` via `rodauth-rails`, both are exposed directly as controller helpers.

#### `oauth_resource_server` plugin

This plugin can be used as a convenience when configuring resource servers.

#### JAR support for request_uri query param

The `oauth_jwt_secured_authorization_request` plugin now supports a `request_uri` query param as well.

#### OIDC features

* The `oidc` plugin supports [essential claims](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter), via the `claims` authorization request query parameter.
* id token built with `"c_hash"` and `"at_hash"` claims when they should.

### Improvements

* `:oauth_introspect` plugin: OAuth introspection endpoint exposes the token's `"username"` claim.
* endpoint client authentication supports "client credentials grant" access tokens.
* `acr_values_supported` exposed in the openid configuration.
* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an accepted request object signing alg when `true` (`false` by default).
* OIDC `offline_access` supported.

### Bugfixes

* fixed `oidc` calculation of `"auth_time"` claim.
* JWT: "sub" is now always a string.
* `response_type` is now an authorization request required parameter (as per the RFC).
* `state` is now passed along when redirecting from authorization requests with `error`;
* access token can now be read from POST body or GET query params (as per the RFC).
* id token no longer shipping with claims with `null` value;
* id token no longer encoding claims by default (only when `response_type=id_token`, as per the RFC).
* support "JWT without kid" when doing jwt decoding for JWT tokens not generated in the provider (such as request objects).
* Set `iss` and `aud` claims in the Userinfo JWT response.
* Make sure errors are also delivered via form POST, when `response_mode=form_post`.
* Authorization request now shows an error page when `response_type` or `client_id` are missing, or `redirect_uri` is missing or invalid; a new `"authorize_error"` template is invoked in such cases.
* oidc: nonce present in id token when using the "id_token token" response type.
* error parameter delivered in URL fragment when failing an implicit grant autorization request.