rodauth-oauth 0.10.0 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
```ruby
# as simple as
rodauth do
  enable :oauth #, :oidc
end
```
Among its features, it supports:
* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT secured authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout
It can also be used with Rails (via the "rodauth-rails" gem).
Website: Rodauth OAuth
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · HoneyryderChuck / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline
These are the release notes since the last update:
## 0.10.0 (10/06/2022)
### Features
#### Resource Indicators
RFC: RFC 8707 - Resource Indicators for OAuth 2.0
`rodauth-oauth` now supports Resource Indicators, via the optional
`:oauth_resource_indicators` feature.
#### JWT: extra options
The following extra option values were added:
* `oauth_jwt_jwe_keys`
* `oauth_jwt_public_keys`
* `oauth_jwt_jwe_public_keys`
`:oauth_jwt_jwe_keys` should be used to store all provider combos of
encryption keys, indexed by an algo/method tuple:

```ruby
oauth_jwt_jwe_keys { { %w[RSA-OAEP A128CBC-HS256] => key } }
```
The first element of the hash should indicate the preferred encryption
mode, when no combination is specifically requested.
It should be considered the most future-proof way of declaring JWE keys,
and support for `oauth_jwt_jwe_key` and friends should be soon deprecated.
Both `oauth_jwt_public_keys` and `oauth_jwt_jwe_public_keys` provide a way
to declare multiple keys to be exposed as the provider JWKs in the `/jwks`
endpoint.
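To show what this key table looks like in use, here is an added, stand-alone Ruby model (not rodauth-oauth's own code): it builds an `[alg, enc]`-indexed hash in the shape shown above, selects a key for a requested or default combination, and renders what a `/jwks` endpoint would serve for the public halves of signing and encryption keys. The demo keys, the `select_jwe_key` and `jwks_document` helpers and the `kid` values are all constructed for the example.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed demo keys: a real provider loads these from a secret store.
# Generating RSA keys at load time is only for this self-contained example.
DEMO_RSA_ENC_KEY  = OpenSSL::PKey::RSA.new(2048)
DEMO_RSA_SIGN_KEY = OpenSSL::PKey::RSA.new(2048)

# Key table in the shape the release notes describe for oauth_jwt_jwe_keys:
# indexed by an [alg, enc] pair; insertion order marks the preferred combination.
JWE_KEYS = {
  %w[RSA-OAEP A128CBC-HS256] => DEMO_RSA_ENC_KEY, # preferred: first entry
  %w[RSA-OAEP A256GCM]       => DEMO_RSA_ENC_KEY,
}.freeze

# Pick the key for a client-requested (alg, enc) pair, falling back to the first
# entry when no specific combination was requested. Unknown combinations return
# nil so the caller can reject the request instead of silently downgrading to a
# different cipher suite.
def select_jwe_key(keys, alg: nil, enc: nil)
  return keys.first if alg.nil? && enc.nil? # => [[alg, enc], key]

  pair = [alg, enc]
  key = keys[pair]
  key ? [pair, key] : nil
end

# Base64url without padding, as JWK (RFC 7517 / RFC 7518) requires for big integers.
def b64url(bn)
  Base64.urlsafe_encode64(bn.to_s(2), padding: false)
end

# Public JWK for an RSA key. Only the public components (n, e) are exported;
# "use" distinguishes signing keys from encryption keys in the set.
def rsa_public_jwk(key, kid:, use:)
  {
    "kty" => "RSA",
    "use" => use,
    "kid" => kid,
    "n"   => b64url(key.n),
    "e"   => b64url(key.e),
  }
end

# What a /jwks endpoint would serve for the two public-key lists mentioned above
# (oauth_jwt_public_keys for signatures, oauth_jwt_jwe_public_keys for encryption).
# The kid values are constructed for the example.
def jwks_document(sign_keys:, enc_keys:)
  keys = sign_keys.each_with_index.map { |k, i| rsa_public_jwk(k, kid: "sig-#{i}", use: "sig") } +
         enc_keys.each_with_index.map { |k, i| rsa_public_jwk(k, kid: "enc-#{i}", use: "enc") }
  { "keys" => keys }
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(jwks_document(sign_keys: [DEMO_RSA_SIGN_KEY], enc_keys: [DEMO_RSA_ENC_KEY]))
end
```

Keeping the preferred combination first means the server never has to guess a default, and returning `nil` for an unknown pair keeps a client from steering the provider onto an algorithm it never configured.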
### Improvements
* Added translations for Portuguese.
#### OpenID Connect improvements
* The `:oidc` feature now depends on `rodauth`'s [account_expiration](account_expiration.rdoc)
feature.
Although this is a more involved, somewhat breaking change, it was required in order
to keep track of account login event timestamps, necessary for correct
`"auth_time"` calculation (see the first bugfix mention for more details,
and Breaking Changes for the migration path).
* Support for the `ui_locales` parameter was added. This feature depends on
the `:i18n` feature provided by [rodauth-i18n](GitHub - janko/rodauth-i18n: I18n integration and translations for Rodauth authentication framework).
* Support for the `claims_locales` parameter was added, in that
`get_oidc_param` and `get_additional_param`, when accepting a 3rd
parameter, will be passed a locale code:

```ruby
# given "claims_locales=en pt"
get_oidc_param { |account, param, locale| }
# will be called twice for the same param, once with locale as "en", another
# time as "pt"
get_oidc_param { |account, param| }
# will be called once without locale
```
* Support for `max_age` parameter was added.
* Support for `acr_values` parameter was added.
When "phr", and a `rodauth` 2-factor feature (like [otp](otp.rdoc)) is enabled,
the user will be requested for 2-factor authentication before performing
the OpenID Authorization Request.
When "phrh", and `rodauth`'s [webauthn_login](webauthn_login.rdoc)
feature is enabled, the user will be requested for WebAuthn authentication
before performing the OpenID Authorization Request.
Any other acr values are considered provider-specific, and the
`require_acr_value(acr_value)` option should be provided to deal with it
(it'll be called after authentication is ensured and before the
authorization request is processed).
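The following is an added, stand-alone Ruby sketch (not rodauth-oauth's code) of two request-handling rules described in this list: the per-locale dispatch of a claims resolver for `claims_locales`, and the step-up decision for `max_age` and `acr_values`. `DEMO_ACCOUNT`, `resolve_claims`, `authentication_requirements` and the `provider_acr` callback standing in for `require_acr_value` are all constructed for the example; the `claim#locale` key form follows OpenID Connect Core 1.0 section 5.2.

```ruby
# Constructed account record; a real provider reads this from its accounts table.
DEMO_ACCOUNT = {
  id: 1,
  email: "john@example.test",
  name_en: "John",
  name_pt: "João",
  auth_time: Time.utc(2022, 6, 10, 12, 0, 0), # last login, as account_expiration tracks it
}.freeze

# --- claims_locales -------------------------------------------------------
# Mirrors the dispatch rule above: a 3-parameter resolver block is invoked once
# per requested locale, a 2-parameter block once without a locale. Localized
# values are keyed "claim#locale" (OpenID Connect Core 1.0, section 5.2).
def resolve_claims(account, claim_names, claims_locales, &resolver)
  locales = claims_locales.to_s.split(" ")
  claims = {}
  claim_names.each do |name|
    if resolver.arity == 3 && !locales.empty?
      locales.each do |locale|
        value = resolver.call(account, name, locale)
        claims["#{name}##{locale}"] = value unless value.nil?
      end
    else
      value = resolver.arity == 3 ? resolver.call(account, name, nil) : resolver.call(account, name)
      claims[name] = value unless value.nil?
    end
  end
  claims
end

# --- max_age / acr_values -------------------------------------------------
# Standard acr values from the notes above, mapped to the step-up to enforce
# before the authorization request is processed.
STANDARD_ACR = {
  "phr"  => :two_factor, # phishing-resistant: a rodauth 2-factor feature such as otp
  "phrh" => :webauthn,   # phishing-resistant hardware: webauthn_login
}.freeze

# Returns the ordered list of checks the provider must satisfy first:
# * :reauthenticate when the last login is older than max_age seconds
#   (max_age=0 is treated here as "always re-authenticate");
# * :two_factor / :webauthn for the standard acr values;
# * whatever provider_acr (stand-in for require_acr_value) returns for a
#   provider-specific value, or [:unsupported, value] when no handler is given.
def authentication_requirements(account, now:, max_age: nil, acr_values: nil, provider_acr: nil)
  required = []
  if max_age
    elapsed = now - account[:auth_time]
    required << :reauthenticate if max_age.zero? || elapsed > max_age
  end
  acr_values.to_s.split(" ").each do |acr|
    required << if STANDARD_ACR.key?(acr)
                  STANDARD_ACR[acr]
                elsif provider_acr
                  provider_acr.call(acr)
                else
                  [:unsupported, acr]
                end
  end
  required.uniq
end

if $PROGRAM_NAME == __FILE__
  p resolve_claims(DEMO_ACCOUNT, %w[name], "en pt") { |acct, name, locale| acct[:"#{name}_#{locale}"] }
  p authentication_requirements(DEMO_ACCOUNT, now: DEMO_ACCOUNT[:auth_time] + 600, max_age: 300, acr_values: "phrh")
end
```

The `auth_time` stored per account is what makes the `max_age` comparison possible at all, which is the reason the `account_expiration` dependency was introduced; unknown acr values are surfaced rather than ignored so a client asking for a stronger assurance level never silently receives a weaker one.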
### Bugfixes
* reverted the `"auth_time"` calculation "fix" introduced in 0.9.3, which
broke compliance with the RFC (the implementation prior to that was also
broken, hence why `"account_expiration"` plugin was introduced as a
dependency).
### Breaking Changes
As you read already, the `"account_expiration"` feature is now required by
default by `"oidc"`. In order to migrate to it, here's a suggested strategy:
1. Add the relevant database tables
Add a migration looking roughly like this:

```ruby
create_table(:account_activity_times) do
  foreign_key :id, :accounts, primary_key: true, type: Integer
  DateTime :last_activity_at, null: false
  DateTime :last_login_at, null: false
  DateTime :expired_at
end
```
2. Update and deploy `rodauth-oauth` 0.10.0
(Nothing required beyond `enable :oidc`.)
3. Set `:last_login_at` to a value.
Like now. You can, for example, run this SQL:

```sql
UPDATE account_activity_times SET last_login_at = CURRENT_TIMESTAMP;
```
That's it, nothing fancy or accurate. Yes, the `last_login_at` is wrong,
but as sessions expire, it should go back to normal.
### 0.9.3 (30/05/2022)
#### Bugfixes
* `oauth_jwt`: new access tokens generated via the `"refresh_token"` grant
type are now JWT (it was falling back to non JWT behaviour);
* `oidc`: a new `id_token` is now generated via the `"refresh_token"`
grant type with "rotation" policy (it was being omitted from the response);
* `oidc`: fixing calculation of `"auth_time"` claim, which (as per RFC)
needs to stay the same across first authentication and subsequent
`"refresh_token"` requests;
* it requires a new db column (default: `"auth_time"`, datetime) in the
`"oauth_tokens"` database;
* hash-column `"refresh_token"` will now expose the refresh token (instead
of the hash column version) in the `"refresh_token"` grant type response
payload (only happened in "non-rotation" refresh token mode).
### 0.9.2 (11/05/2022)
#### Bugfixes
* Fixed remaining namespacing fix issues requiring usage of `require "rodauth-oauth"`.
* Fixed wrong expectation of database for resource-server mode when
`:oauth_management_base` plugin was used.
* oidc: fixed incorrect grant creation flow when using `nonce` param.
* oidc: fixed jwt encoding regression when not setting encryption
method/algorithm for client applications.
* templates: added missing jwks field to the "New oauth application" form.
* Several fixes on the example OIDC applications, mostly around CSRF
breakage when using latest version of `omniauth`.
### 0.9.1 (08/05/2022)
#### Improvements
Using `return_response`, introduced in `rodauth` v2.23, which accomplishes
better integration with the Rails response logging mechanism when used under
`rodauth-rails`.
#### Bugfixes
* Fixing namespacing issue which required anyone to have to `require "rodauth-oauth"` before loading it (no need to anymore).