rodauth-oauth 0.8.0 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
```ruby
# as simple as
rodauth do
  enable :oauth
end
```
It can also be used with Rails (via the "rodauth-rails" gem).
Website: Rodauth OAuth
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · HoneyryderChuck / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline
These are the release notes since the last update:
### 0.8.0 (12/03/2022)
#### Features
* Device code grant
`rodauth-oauth` now supports the Device code grant RFC (wiki page: Device
Grant · Wiki · HoneyryderChuck / rodauth-oauth · GitLab), via the
`oauth_device_grant` feature.
* OAuth Tokens Management
An OAuth Tokens Management Dashboard is now provided (call `r.oauth_tokens`
to enable the routes). It allows the logged-in account to list and revoke
OAuth tokens which have been issued for its resources.
* Assertion Framework (+ SAML and JWT Bearer Grant)
A new plugin, `oauth_assertion_base`, was introduced to provide a baseline
for implementing custom Bearer Assertions as per the OAuth Client Assertion
Framework RFC (wiki page: Client Assertion Framework · Wiki · HoneyryderChuck
/ rodauth-oauth · GitLab). This in turn was used to refactor and reintroduce
the `oauth_saml_bearer_grant` (wiki page: SAML Bearer Assertions · Wiki ·
HoneyryderChuck / rodauth-oauth · GitLab) and `oauth_jwt_bearer_grant` (wiki
page: JWT Bearer Assertions · Wiki · HoneyryderChuck / rodauth-oauth · GitLab)
features, which implement the most recent versions of their respective
assertion RFCs.
(As a result, `oauth_saml`, which implemented a very old draft version of the
SAML Bearer spec, was removed.)
#### Improvements
The OAuth functionality was refactored from one big feature into several
features:
* `oauth_base`
* `oauth_authorization_code_grant`
* `oauth_implicit_grant`
* `oauth_device_grant`
* `oauth_token_introspection`
* `oauth_token_revocation`
* `oauth_application_management`
* `oauth_token_management`
* `oauth_pkce`
They're still loaded together via the `oauth` feature for backwards
compatibility. This will change in a future major version.
#### Bugfixes
* `oauth_jwt` integration with the `json-jwt` gem does proper claims
validation now;
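What "proper claims validation" amounts to, for the `oauth_jwt` access tokens mentioned in the bugfix above as well as for the client assertions consumed by `oauth_jwt_bearer_grant`: the registered claims of RFC 7519 are checked after the signature has been verified. The following is an added example written for this post, not rodauth-oauth's own code; the issuer and audience strings, the 30-second leeway and the helper names are assumptions for the example.

```ruby
# Added example (not rodauth-oauth's code): registered-claim checks a JWT
# consumer performs before trusting an already signature-verified payload.
# Claim names follow RFC 7519; issuer/audience values and the clock-skew
# leeway are assumptions for this example.

class ClaimError < StandardError; end

# `now` is injectable so the check is deterministic in tests.
def validate_jwt_claims(claims, issuer:, audience:, now: Time.now.to_i, leeway: 30)
  raise ClaimError, "claims must be a Hash" unless claims.is_a?(Hash)

  # exp is mandatory for bearer-style tokens: a token without expiry never dies.
  exp = claims["exp"]
  raise ClaimError, "missing exp" unless exp.is_a?(Integer)
  raise ClaimError, "token expired" if now > exp + leeway

  # nbf and iat are optional, but when present must not lie in the future.
  nbf = claims["nbf"]
  raise ClaimError, "token not yet valid" if nbf.is_a?(Integer) && now + leeway < nbf
  iat = claims["iat"]
  raise ClaimError, "iat in the future" if iat.is_a?(Integer) && now + leeway < iat

  # iss must equal the expected issuer exactly (no prefix or substring matching).
  raise ClaimError, "unexpected issuer" unless claims["iss"] == issuer

  # aud may be a string or an array; the expected audience must be among them.
  aud = Array(claims["aud"])
  raise ClaimError, "audience mismatch" unless aud.include?(audience)

  claims
end

# Boolean form of the same check, for callers that prefer not to rescue.
def jwt_claims_valid?(claims, **opts)
  validate_jwt_claims(claims, **opts)
  true
rescue ClaimError
  false
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  # Constructed sample payload
  claims = { "iss" => "https://as.example", "aud" => "api", "exp" => now + 300, "sub" => "account-1" }
  puts validate_jwt_claims(claims, issuer: "https://as.example", audience: "api", now: now)["sub"]
end
```

The checks deliberately fail closed: a missing `exp`, a non-integer timestamp, or an `aud` that does not contain this server's identifier all reject the token, so a payload that merely omits a claim cannot pass.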
### 0.7.4 (15/01/2022)
#### Bugfixes
* including missing erb templates in the package.
### 0.7.3 (14/01/2022)
#### Bugfixes
* fixed generator declarations and views generator, in order to copy
templates and rewrite paths accordingly.
* update view templates to not use "%%".
#### Chore
* `rodauth` is now declared as a dependency, with the minimum version set to `2.0`.
### 0.7.2 (14/12/2021)
#### Features
* Revoking tokens from the OAuth Application management interface
(@muellerj)
Token revocation was only possible when using the client ID and secret, to
support "logout" functionality in client applications. Although the admin
interface (available via `r.oauth_applications`) displayed a "Revoke"
button alongside tokens in the list page, this was not working. The RFC
does allow for the use case of application administrators being able to
manually revoke tokens (as a result of client support, for example), so
this functionality was enabled (only for the OAuth application owner, for
now).
#### Bugfixes
Default-scope-related bugfixes:
* Improved default scope conversion to avoid nested arrays (@muellerj);
* Authorize form shows a disabled checkbox and POSTs no scope when the
default scope is to be used (@muellerj);
* example default scope fixed for the example authorization server (should be
a string) (@muellerj);
* several param fixes in view templates (@muellerj);
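The default-scope fixes above all come down to one normalisation step: the `scope` parameter arrives as a space-separated string, the configured default may be a string or an array, and a careless conversion produces nested arrays. The following added example (written for this post, not rodauth-oauth's code) shows that normalisation and goes one step further than the bugfixes by also refusing any scope the application was not registered for; the helper names and the sample scope values are this example's own.

```ruby
# Added example, not rodauth-oauth's own code: normalise the `scope`
# parameter and the configured default scope into one flat list, and
# reject any requested scope the client application was not registered for.
# Helper names and sample values are this example's own.

# Accepts a space-separated string (the OAuth wire format), an array, or a
# nested array (what the fixed bug produced) and returns a flat,
# de-duplicated list with blanks removed.
def normalize_scopes(value)
  list = case value
         when nil then []
         when String then value.split(/\s+/)
         when Array then value.flatten.flat_map { |v| normalize_scopes(v) }
         else raise ArgumentError, "unsupported scope value: #{value.inspect}"
         end
  list.map(&:strip).reject(&:empty?).uniq
end

# Scopes granted to an authorization request. When the client sent none, the
# server's default scope applies (which is what the disabled checkbox in the
# authorize form represents). In either case every scope must be one the
# application registered; otherwise nil is returned so the caller can answer
# with an `invalid_scope` error instead of silently narrowing the grant.
def granted_scopes(requested, default_scope:, application_scopes:)
  allowed = normalize_scopes(application_scopes)
  wanted = normalize_scopes(requested)
  wanted = normalize_scopes(default_scope) if wanted.empty?
  unknown = wanted - allowed
  return nil unless unknown.empty?
  wanted
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: application registered for "profile" and "read".
  p granted_scopes(nil, default_scope: "profile", application_scopes: %w[profile read])
  p granted_scopes("read admin", default_scope: "profile", application_scopes: "profile read")
end
```

Returning `nil` for an unknown scope rather than dropping it keeps the decision explicit at the call site; a server that prefers to narrow the grant per RFC 6749 can return `wanted & allowed` instead, as long as the narrowed list is echoed back in the token response.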
OAuth Applications Management fixes:
* Access to OAuth Application page is now restricted to app owner;
* OAuth Applications page now lists **only** the applications owned by
the logged-in user;
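The 0.7.2 revocation feature and the two management fixes above share one authorization rule: listing an application, opening its page and revoking its tokens from the management UI are all limited to the account that owns the application. The following in-memory model, written as an added example for this post and not taken from rodauth-oauth, shows that rule applied consistently; the record shapes, the decision to answer a foreign application id the same way as a missing one, and the sample ids are assumptions of the example.

```ruby
# Added example, not rodauth-oauth's own code: an in-memory model of the
# ownership rule for the OAuth application management pages. Struct fields,
# sample ids and the "foreign id looks like a missing id" choice are this
# example's assumptions.

Account     = Struct.new(:id)
Application = Struct.new(:id, :owner_id, :name)
Token       = Struct.new(:id, :application_id, :account_id, :revoked_at)

class NotAuthorized < StandardError; end

class ManagementStore
  def initialize(applications, tokens)
    @applications = applications
    @tokens = tokens
  end

  # Only applications owned by the logged-in account are listed.
  def applications_for(account)
    @applications.select { |app| app.owner_id == account.id }
  end

  # Opening an application page checks ownership first. An application that
  # exists but belongs to someone else gets the same answer as a missing one,
  # so the response does not reveal which ids are in use.
  def application_for(account, app_id)
    app = @applications.find { |a| a.id == app_id && a.owner_id == account.id }
    raise NotAuthorized, "application not found" unless app
    app
  end

  # Administrative revocation from the management UI: the acting account must
  # own the application that issued the token. Revoking twice is harmless and
  # keeps the original revocation time.
  def revoke_token!(account, token_id, now: Time.now)
    token = @tokens.find { |t| t.id == token_id }
    raise NotAuthorized, "token not found" unless token
    application_for(account, token.application_id) # raises unless owner
    token.revoked_at ||= now
    token
  end

  def active?(token_id)
    token = @tokens.find { |t| t.id == token_id }
    !token.nil? && token.revoked_at.nil?
  end
end

# Constructed sample data: two applications with different owners, and one
# token issued by each to the same end-user account.
def sample_store
  apps = [Application.new(1, 10, "dashboard"), Application.new(2, 20, "mobile")]
  tokens = [Token.new("tok-a", 1, 30, nil), Token.new("tok-b", 2, 30, nil)]
  ManagementStore.new(apps, tokens)
end

if __FILE__ == $PROGRAM_NAME
  store = sample_store
  p store.applications_for(Account.new(10)).map(&:name)
  begin
    store.revoke_token!(Account.new(20), "tok-a")
  rescue NotAuthorized => e
    puts "revocation refused: #{e.message}"
  end
end
```

The point of routing every management action through `application_for` is that a forgotten check (the broken "Revoke" button was effectively one) cannot reappear in a single code path: the owner test lives in one place and the listing, the detail page and the revocation all depend on it.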
### 0.7.1 (05/12/2021)
#### Improvements
* Adapted the `rodauth-i18n` configuration to comply with the guidelines
for `v0.2.0` (which is the de facto minimal supported version).
#### Bugfixes
* `convert_timestamp` was removed from the templates, as it's private API.
* Several missing or wrong URLs in templates fixed (authorize form was
wrongly processing scopes when none was selected).