[ruby-talk:444448] [ANN] rodauth-oauth 1.6.0 released

rodauth-oauth 1.6.0 has been released. rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified <https://openid.net/certification/> for the following profiles of the OpenID Connect™ protocol: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP, Session Management OP, RP-Initiated Logout OP, Front-Channel OP, Back-Channel OP

```ruby
# as simple as
rodauth do
  enable :oauth_authorization_code_grant # or enable :oidc
end
```

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests (JAR)
* JWT Secured authorization response mode (JARM)
* Pushed Authorization requests (PAR)
* Demonstrating Proof-of-Possession at the Application Layer (DPoP)
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Self Issued Tokens
* OpenID Connect Dynamic Client Registration
* OpenID Session Management
* OpenID RP Initiated Logout
* OpenID Frontchannel Logout
* OpenID Backchannel Logout

It can also be used with Rails (via the "rodauth-rails" gem).
Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

# 1.6.0

## Improvements

### "at+jwt" and "id_token+jwt" typ header in JWT tokens

In order to distinguish/identify tokens, JWT access tokens generated by the `oauth_jwt` feature will contain the "at+jwt" value in the "typ" header (which follows the [recommendation in the RFC](https://datatracker.ietf.org/doc/html/rfc9068#section-2.1)), whereas ID tokens generated by the `oidc` feature will contain the "id_token+jwt" value in the "typ" header (there is no official recommendation, but some providers are using this).

**Note**: This header will also be used to validate access tokens. This means that, once you upgrade, **access tokens generated prior to the upgrade won't be usable anymore**. In order to mitigate this and smooth the upgrade process, disable header verification for a period greater than the access token expiration time in your application (controlled by the `oauth_access_token_expires_in` auth value method, 60 minutes by default); this will allow older access tokens to expire. You can do so by overriding the `verify_access_token_headers` auth method:

```ruby
rodauth do
  enable :oauth_jwt # or :oidc
  oauth_access_token_expires_in 60 * 60
  verify_access_token_headers { } # do nothing
end
```
participants (1)
-
Tiago Cardoso