rodauth-oauth 0.5.0 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
# as simple as
rodauth do
enable :oauth
end
It can also be used with Rails (via the "rodauth-rails" gem).
Website: · Rodauth OAuth
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline
### 0.5.0
#### RP-Initiated Logout
The `:oidc` plugin can now do [RP-Initiated Logout](
RP Initiated Logout · Wiki · HoneyryderChuck / rodauth-oauth · GitLab).
It's disabled by default, so read the docs to learn how to enable it.
#### Security
The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the
claims of used JWT tokens. This is a **very important security fix**, as
without it, there is no protection against replay attacks and other types
of misuse of the JWT token.
A new auth method, `generate_jti(claims)`, was [added to the list of
oauth_jwt plugin options](
JWT Access Tokens · Wiki · HoneyryderChuck / rodauth-oauth · GitLab).
By default, it'll hash the `aud` and `iat` claims together, but you can
overwrite how this is done.