rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers..
# as simple as
* `oauth_refresh_token_protection_policy` is a new option, which can be
used to set a protection policy around usage of refresh tokens. By default
it's `none`, for backwards-compatibility. However, when set to `rotation`,
refresh tokens will be "use-once", i.e. a token refresh request will
generate a new refresh token. Also, refresh token requests performed with
already-used refresh tokens will be interpreted as a security breach, i.e.
all tokens linked to the compromised refresh token will be revoked.
* Support for the OIDC authorize [`prompt` parameter](
https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 188.8.131.52).
It supports the `none`, `login` and `consent` out-of-the-box, while
providing support for `select-account` when paired with
[rodauth-select-account, a rodauth feature to handle multiple accounts in
the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account
* Refresh Tokens are now expirable. The refresh token expiration period is
governed by the `oauth_refresh_token_expires_in` option (default: 1 year),
and is the period for which a refresh token can be used after its
respective access token expired.
* Default Templates now being packaged, as a way to provide a default
experience to the OAuth journeys.
* fixing metadata urls when plugin loaded with a prefix path (@ianks)
* All date/time-based calculations, such as determining an expiration date,
or checking if a token has expired, are now performed using database
arithmetic operations, using sequel's `date_arithmetic` plugin. This will
eliminate subtle bugs, such as when the database timezone is different than
the application OS timezone.
* OIDC configuration endpoint is now stricter, eliminating JSON metadata
inherited from the Oauth metadata endpoint. (@ianks)
Using `rodauth.convert_timestamp` in the templates, whenever dates are
Set HTTP Cache headers for metadata responses, such as
`/.well-known/openid-configuration`, so they can be stored at the edge. The
cache will be valid for 1 day (this value isn't set by an option yet).