rodauth-oauth 1.3.0 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
rodauth-oauth
is certified <https://openid.net/certification/> for the following profiles
of the OpenID Connect™ protocol:
Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd
Party Init OP
# as simple as
rodauth do
enable :oauth_authorization_code_grant
# or
enable :oidc
end
Among its features, it supports:
* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests (JAR)
* JWT Secured authorization response mode (JARM)
* Pushed Authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Self Issued Tokens
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout
It can also be used with Rails (via the "rodauth-rails" gem).
Website:
https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation:
https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki:
https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI:
https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline
These are the release notes since the last update:
## 1.3.0 (02/04/2023)
## Features
### Self-Signed Issued Tokens
`rodauth-oauth` supports self-signed issued tokens, via the
`oidc_self_issued` feature.
More info about the feature [in the
docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/Self-Issued-OpenID).
#### JARM
`rodauth-oauth` supports JWT-secured Authorization Response Mode, also
known as JARM, via the
`oauth_jwt_secured_authorization_response_mode`.
More info about the feature [in the
docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/JWT-Secured-Authorizati….
## Improvements
### `fill_with_account_claims` auth method
`fill_with_account_claims` is now exposed as an auth method. This
allows one to override to be able to cover certain requirements, such
as aggregated and distributed claims. Here's a [link to the
docs](https://gitlab.com/os85/rodauth-oauth/-/wikis/Id-Token-Authentication…
explaining how to do it.
### oidc: only generate refresh token when `offline_access` scope is used.
When the `oidc` feature is used, refresh tokens won't be generated
anymore by default; in order to do so, the `offline_access` needs to
be requested for in the respective authorization request, [as the spec
mandates](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAcce….
### oidc: implicit grant loaded by default
The `oidc` feature now loads the `oauth_implicit_grant` feature by
default. This hadn't been done before due to the wish to ship a secure
integration by default, but since then, spec compliance became more
prioritary, and this is a requirement.
## Bugfixes
* rails integration: activerecord migrations fixes:
* use `bigint` for foreign keys;
* index creation instruction with the wrong syntax;
* set precision 6 for default timestamps, to comply with AR defaults;
* add missing `code` column to the `oauth_pushed_requests` table;
* oidc: when using the `id_token` , or any composite response type
including `id_token`, using any response mode other than `fragment`
will result in an invalid request.