rodauth-oauth 1.4.0 has been released. rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified <https://openid.net/certification/> for the following profiles of the OpenID Connect™ protocol: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP Session Management OP, RP-Initiated Logout OP, Front-Channel OP, Back-Channel OP # as simple as rodauth do enable :oauth_authorization_code_grant # or enable :oidc end Among its features, it supports: * Authorization Code Grant * Refresh Token Grant * Implicit Grant * Client Credentials Grant * Device Code Grant * Token Revocation * Token Introspection * Auth Server Metadata * PKCE * Resource Indicators * JWT Access Tokens * mTLS Client Authentication * Assertion Framework * SAML 2.0 Bearer Assertion Grant * JWT Bearer Assertion Grant * JWT Secured authorization requests (JAR) * JWT Secured authorization response mode (JARM) * Pushed Authorization requests * Dynamic Client Registration * OpenID * OpenID Discovery * OpenID Multiple Response types * OpenID Self Issued Tokens * OpenID Connect Dynamic Client Registration * OpenID Session Management * OpenID RP Initiated Logout * OpenID Frontchannel Logout * OpenID Backchannel Logout It can also be used with Rails (via the "rodauth-rails" gem). Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/ Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/ Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline These are the release notes since the last update: ## 1.4.0 (08/11/2023) ## Highlights rodauth-oauth is now [OpenID certified](https://openid.net/certification/) for the following logout profiles: * Session Management OP * RP-Initiated Logout OP * Front-Channel Logout OP * Back-Channel Logout OP The OIDC server used to run the test can be found [here](https://gitlab.com/os85/rodauth-oauth/-/blob/master/examples/oidc/authentica...) and deployed [here](https://rodauth-oauth-oidc.onrender.com). ## Features ### OIDC logout features `rodauth-oauth` ships with the following new features: * `oidc_sesssion_management` - enables [OIDC session management](https://openid.net/specs/openid-connect-session-1_0.html) * `oidc_frontchannel_logout` - enables [OIDC frontchannel logout](https://openid.net/specs/openid-connect-frontchannel-1_0.html) * `oidc_backchannel_logout` - enables [OIDC backchannel logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) which, along with the existing `oidc_rp_initiated_logout`, implemment all OIDC logout profiles. ## Breaking changes If you're using `oidc`, the dependency on `account_expiration` has been replaced by the `active_sessions` rodauth feature. This change is required because it fixes bugs associated with accounts expiring in order for id token invalidation to work. If you're migrating, it's recommended that you keep depending on `account_expiration` during the transition, add `active_sessions` tables as per [rodauth specs](https://github.com/jeremyevans/rodauth/blob/master/spec/migrate/001_tables.r...), and run them alongside one another for the max period ID tokens should be valid, after which you can remove `account_expiration` and its tables. ## Improvements ### OAuth SAML Bearer Grant per oauth application settings The `oauth_saml_bearer_grant` feature requires a new table/resource, SAML settings, which enable "per client applicatioon" SAML settings, and therefore, make this feature usable in enterprise/multi-tenancy scenarios. ## Bugfixes * remove `html_safe` usage in rails views to prevent XSS in the authorize form. * fixed for OIDC RFC 5.4 when requesting claims using scope values * `oauth_rp_initiated_logout` does not crash anymore on logout requests with `id_token_hint` * `oauth_rp_initiated_logout` now works with response types other than `code` * `oauth_rp_initiated_logout` emits an ID token hint invalid message when not able to decode the `id_token_hint` ## Chore * Using `auth_methods` everywhere where `auth_value_methods` was used and didn't make sense. * `oauth_tls_client_auth` is not dependent on the `oauth_jwt` feature, and can therefore be used with non-JWT access tokens, at least with the features which do not require it. ### 1.3.2 (27/07/2023) #### Improvements * `require_signed_request_object` option for JAR (`oauth_jwt_secured_authorization_request` plugin) is now supported: * in the oauth server metadata endpoint * as a plugin config option (`oauth_require_signed_request_object`, defaults to `false`) * as a oauth dynamic registration endpoint param (`require_signed_request_object`, requires corresponding columnn) * enforces JAR-based authorization, andd does not allow unsigned JAR JWTs, when turned on. #### Bugfixes * JWT decoding failed in circumstances where a declared encryption algo didn't have key/method declared. * fix for when PAR (`oauth_pushed_authorization_request` feature) is used with JAR (`oauth_jwt_secured_authorization_request` plugin), and PAR `request_uri` param wasn't being removed when validating authorize request parameters, thereby making JAR logic evaluate it as a JAR `requuest_uri` (it is now correctly not taken into account in such a case); ### 1.3.1 (27/06/2023) #### Bugfixes * Set 401 error response when `client_id` parameter is invalid, or from an unexisting client application, instead of failing with a 500 (@igor-alexandrov). * update rails authorize form to use roda request params instead, as plain params was breaking JAR and PAR-based authorize forms in rails applications. #### Chore * set `:padding` to `false` in `Base64.urlsafe_encode64` calls (@felipe.zavan)