[ANN] rodauth-oauth 0.10.0 released

rodauth-oauth 0.10.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.

```ruby
# as simple as
rodauth do
  enable :oauth #, :oidc
end
```

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT secured authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: Rodauth OAuth
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · HoneyryderChuck / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 0.10.0 (10/06/2022)

### Features

#### Resource Indicators

RFC: RFC 8707 - Resource Indicators for OAuth 2.0

`rodauth-oauth` now supports Resource Indicators, via the optional
`:oauth_resource_indicators` feature.
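What a resource indicator check has to do is spelled out in RFC 8707: each `resource` value must be an absolute URI, may carry a path and query, must not carry a fragment, and an unacceptable value is refused with the `invalid_target` error. The following is an added example of that validation written for this page, not rodauth-oauth's own implementation; the registered-resource list, the exact-match policy, the default audience when no indicator is sent and the helper names are this example's assumptions.

```ruby
require "uri"

# Added example: validate the "resource" parameter(s) of an authorization or
# token request as RFC 8707 requires, and derive the audience the issued token
# should be restricted to.
module ResourceIndicators
  # OAuth error code RFC 8707 defines for a rejected resource indicator.
  ERROR_CODE = "invalid_target".freeze

  class InvalidTarget < StandardError
    def oauth_error
      ERROR_CODE
    end
  end

  # Constructed sample of the resource servers this provider knows about
  # (assumption: an allow-list with exact matching).
  REGISTERED = [
    "https://api.example.com/",
    "https://files.example.com/v1",
  ].freeze

  # RFC 8707 section 2: absolute URI, no fragment component.
  def self.valid_indicator?(value)
    uri = URI.parse(value)
    uri.absolute? && uri.fragment.nil?
  rescue URI::InvalidURIError
    false
  end

  # params is the request's "resource" value(s): nil, a String or an Array
  # (the parameter may be repeated). Returns the audience list for the token,
  # or raises InvalidTarget.
  def self.audience_for(params)
    values = Array(params).compact
    # Assumption: with no indicator, the token is scoped to every registered
    # resource; RFC 8707 leaves the default to the authorization server.
    return REGISTERED.dup if values.empty?

    values.each do |v|
      raise InvalidTarget, "malformed resource: #{v}" unless valid_indicator?(v)
      raise InvalidTarget, "unknown resource: #{v}" unless REGISTERED.include?(v)
    end
    values.uniq
  end
end
```

A token endpoint would map `InvalidTarget` to a `400` response with `"error": "invalid_target"`; the audience list is what ends up in the access token's `aud` claim (or introspection response), which is the whole point of the extension: a token minted for `https://api.example.com/` is not accepted by `https://files.example.com/v1`.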

#### JWT: extra options

The following extra options were added:

* `oauth_jwt_jwe_keys`
* `oauth_jwt_public_keys`
* `oauth_jwt_jwe_public_keys`

`:oauth_jwt_jwe_keys` holds all of the provider's encryption keys, indexed by an algorithm/method (`alg`/`enc`) pair:

```ruby
oauth_jwt_jwe_keys { { %w[RSA-OAEP A128CBC-HS256] => key } }
```

The first entry of the hash is the preferred combination, used when no specific combination is requested.

This should be considered the most future-proof way of declaring JWE keys; `oauth_jwt_jwe_key` and friends will soon be deprecated.

Both `oauth_jwt_public_keys` and `oauth_jwt_jwe_public_keys` declare multiple keys to be exposed as the provider's JWKs at the `/jwks` endpoint.
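To make the alg/enc tuples concrete, here is an added example (written for this page, not rodauth-oauth's code) of a provider-side key table keyed by `[alg, enc]`, the lookup that falls back to the first entry when a client has not registered a combination, and a JWE compact serialization for the one pair named above, RSA-OAEP with A128CBC-HS256 (RFC 7516 and RFC 7518), built from Ruby's OpenSSL binding only. The table contents, helper names and error handling are this example's assumptions.

```ruby
require "openssl"
require "json"
require "securerandom"

# Added example, not rodauth-oauth's code: a JWE key table in the shape of
# `oauth_jwt_jwe_keys`, and RSA-OAEP + A128CBC-HS256 compact serialization.
module JweExample
  ALG = "RSA-OAEP".freeze
  ENC = "A128CBC-HS256".freeze

  def self.b64(bin)
    [bin].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.unb64(str)
    s = str.tr("-_", "+/")
    s += "=" * ((4 - s.length % 4) % 4)
    s.unpack1("m")
  end

  # table: { [alg, enc] => key, ... } in preference order; requested: the
  # [alg, enc] pair the client registered, or nil. Returns [[alg, enc], key];
  # with no request the first (preferred) entry wins.
  def self.select_key(table, requested = nil)
    return table.first if requested.nil?
    key = table[requested] or raise ArgumentError, "unsupported JWE combination #{requested.inspect}"
    [requested, key]
  end

  # Tag = first 16 bytes of HMAC-SHA256(mac_key, AAD || IV || CT || AL), where
  # AAD is the ASCII of the base64url protected header and AL its length in
  # bits as a 64-bit big-endian integer (RFC 7518 section 5.2.2.1).
  def self.hmac_tag(mac_key, aad, iv, ct)
    al = [aad.bytesize * 8].pack("Q>")
    OpenSSL::HMAC.digest("SHA256", mac_key, aad + iv + ct + al)[0, 16]
  end

  # Constant-time comparison, so a tag check cannot leak by timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.encrypt(rsa_public, payload)
    header = b64(JSON.generate({ "alg" => ALG, "enc" => ENC }))
    cek = SecureRandom.random_bytes(32)          # A128CBC-HS256: 32-byte CEK
    mac_key, enc_key = cek[0, 16], cek[16, 16]    # first half MAC, second half AES
    iv = SecureRandom.random_bytes(16)
    cipher = OpenSSL::Cipher.new("aes-128-cbc").encrypt
    cipher.key = enc_key
    cipher.iv = iv
    ct = cipher.update(payload) + cipher.final
    tag = hmac_tag(mac_key, header, iv, ct)
    # RSA-OAEP in JWA is OAEP with SHA-1/MGF1-SHA-1, OpenSSL's default.
    ek = rsa_public.public_encrypt(cek, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    [header, b64(ek), b64(iv), b64(ct), b64(tag)].join(".")
  end

  def self.decrypt(rsa_private, jwe)
    header, ek, iv, ct, tag = jwe.split(".")
    hdr = JSON.parse(unb64(header))
    raise ArgumentError, "unexpected alg/enc" unless [hdr["alg"], hdr["enc"]] == [ALG, ENC]
    cek = rsa_private.private_decrypt(unb64(ek), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    raise ArgumentError, "bad CEK length" unless cek.bytesize == 32
    mac_key, enc_key = cek[0, 16], cek[16, 16]
    iv, ct, tag = unb64(iv), unb64(ct), unb64(tag)
    # Verify the tag before touching the ciphertext (no padding oracle).
    expected = hmac_tag(mac_key, header, iv, ct)
    raise ArgumentError, "authentication tag mismatch" unless secure_equal?(expected, tag)
    cipher = OpenSSL::Cipher.new("aes-128-cbc").decrypt
    cipher.key = enc_key
    cipher.iv = iv
    cipher.update(ct) + cipher.final
  end
end
```

The `select_key` lookup is the part that mirrors the release note: a client that registered `id_token_encrypted_response_alg`/`_enc` gets exactly that pair or an error, while a client that registered nothing gets the first entry. Hash insertion order is what makes "first" meaningful in Ruby, so the preferred combination must be written first.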

### Improvements

* Added Portuguese translations.

#### OpenID Connect improvements

* The `:oidc` feature now depends on `rodauth`'s [account_expiration](account_expiration.rdoc) feature.

Although a somewhat involved and breaking change, it was required in order to keep track of account login timestamps, which are necessary for a correct `"auth_time"` calculation (see the first bugfix below for details, and Breaking Changes for the migration path).

* Support for the `ui_locales` parameter was added. This depends on the `:i18n` feature provided by rodauth-i18n (janko/rodauth-i18n on GitHub).
* Support for the `claims_locales` parameter was added: `get_oidc_param` and `get_additional_param` blocks that accept a 3rd parameter are passed a locale code:

```ruby
# given "claims_locales=en pt"

# called twice for the same param, once with locale "en" and once with "pt"
get_oidc_param { |account, param, locale| }

# called once, without a locale
get_oidc_param { |account, param| }
```

* Support for `max_age` parameter was added.

* Support for `acr_values` parameter was added.

When `"phr"` is requested and a `rodauth` two-factor feature (such as [otp](otp.rdoc)) is enabled, the user is prompted for second-factor authentication before the OpenID authorization request is processed.

When `"phrh"` is requested and `rodauth`'s [webauthn_login](webauthn_login.rdoc) feature is enabled, the user is prompted for WebAuthn authentication before the OpenID authorization request is processed.

Any other acr values are considered provider-specific; the `require_acr_value(acr_value)` option should be provided to handle them (it is called after authentication has been ensured and before the authorization request is processed).
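Going back to the `claims_locales` behaviour described above (a 3-parameter block is called once per requested locale, a 2-parameter block once): here is how a provider can fan a claim lookup out over the requested locales and return the locale-tagged claim names that OpenID Connect Core section 5.2 prescribes (`name#pt`). This is an added example written for this page, not rodauth-oauth's code; the claim store, the untagged fallback for a claim with no localized value, and the helper names are this example's assumptions.

```ruby
# Added example, not rodauth-oauth's code: resolve requested claims against
# "claims_locales", dispatching on the arity of the resolver block.
module ClaimsLocales
  # Constructed sample of per-account claim values. A Hash value means the
  # claim is localized, keyed by language tag; a plain value is not.
  STORE = {
    42 => {
      "name"  => { "en" => "John", "pt" => "João" },
      "email" => "john@example.com",
    },
  }.freeze

  # account: account id; params: claim names to return; claims_locales: the
  # raw space-separated request parameter (or nil); resolver: a block taking
  # |account, param| or |account, param, locale|.
  def self.resolve(account, params, claims_locales, &resolver)
    locales = claims_locales.to_s.split
    params.each_with_object({}) do |param, out|
      if resolver.arity == 3 && !locales.empty?
        found = false
        locales.each do |locale|
          value = resolver.call(account, param, locale)
          next if value.nil?
          out["#{param}##{locale}"] = value   # OIDC Core 5.2: claim#lang
          found = true
        end
        # Example's own choice: a claim with no localized value is returned
        # untagged rather than dropped.
        unless found
          value = resolver.call(account, param, nil)
          out[param] = value unless value.nil?
        end
      else
        value = resolver.call(account, param)
        out[param] = value unless value.nil?
      end
    end
  end

  # A resolver matching STORE's shape: localized claims answer per locale,
  # plain claims answer only for the untagged (nil) locale.
  LOCALIZED = proc do |account, param, locale|
    value = STORE.dig(account, param)
    if value.is_a?(Hash)
      value[locale]
    else
      locale.nil? ? value : nil
    end
  end
end
```

With `claims_locales=en pt` the resolver above yields `name#en`, `name#pt` and a plain `email`; with a 2-parameter block the locales are ignored and each claim is produced once, which is the distinction the release note draws.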

### Bugfixes

* reverted the `"auth_time"` calculation "fix" introduced in 0.9.3, which broke compliance with the OpenID Connect spec (the implementation prior to it was also broken, which is why the `"account_expiration"` feature was introduced as a dependency).

### Breaking Changes

As noted above, the `"account_expiration"` feature is now required by default by `"oidc"`. To migrate to it, here's a suggested strategy:

1. Add the relevant database tables

Add a migration looking roughly like this:

```ruby
Sequel.migration do
  change do
    create_table(:account_activity_times) do
      foreign_key :id, :accounts, primary_key: true, type: Integer
      DateTime :last_activity_at, null: false
      DateTime :last_login_at, null: false
      DateTime :expired_at
    end
  end
end
```

2. Update and deploy `rodauth-oauth` 0.10.0

(Nothing required beyond `enable :oidc`.)

3. Set `last_login_at` to a value, such as the current time

For example, run this SQL:

```sql
UPDATE account_activity_times SET last_login_at = CURRENT_TIMESTAMP;
```

---

That's it; nothing fancy or accurate. Yes, the `last_login_at` value is wrong, but as existing sessions expire and users log in again it will be replaced with real timestamps.

## 0.9.3 (30/05/2022)

### Bugfixes

* `oauth_jwt`: new access tokens generated via the `"refresh_token"` grant type are now JWTs (it was falling back to non-JWT behaviour);
* `oidc`: a new `id_token` is now generated via the `"refresh_token"` grant type with the "rotation" policy (it was being omitted from the response);
* `oidc`: fixed calculation of the `"auth_time"` claim, which (as per the OpenID Connect spec) must stay the same across the first authentication and subsequent `"refresh_token"` requests;
    * this requires a new db column (default: `"auth_time"`, datetime) in the `"oauth_tokens"` table;
* when the refresh token is stored in a hash column, the `"refresh_token"` grant type response now exposes the refresh token itself rather than the hashed value (this only happened in "non-rotation" refresh token mode).

## 0.9.2 (11/05/2022)

### Bugfixes

* Fixed the remaining namespacing issues that still required `require "rodauth-oauth"`.
* Fixed a wrong database expectation in resource-server mode when the `:oauth_management_base` plugin was used.
* oidc: fixed incorrect grant creation flow when using the `nonce` param.
* oidc: fixed a JWT encoding regression when no encryption method/algorithm is set for client applications.
* templates: added the missing jwks field to the "New oauth application" form.
* Several fixes to the example OIDC applications, mostly around CSRF breakage when using the latest version of `omniauth`.

## 0.9.1 (08/05/2022)

### Improvements

Now using `return_response`, introduced in `rodauth` v2.23, which integrates better with the Rails response logging mechanism when used under `rodauth-rails`.

### Bugfixes

* Fixed a namespacing issue which required everyone to `require "rodauth-oauth"` before loading it (no longer needed).