rodauth-oauth 1.0.0-beta1 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Connect providers.
Among its features, it supports:
* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* Resource Indicators
* JWT Access Tokens
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests
* Dynamic Client Registration
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout
It can also be used with Rails (via the "rodauth-rails" gem).
Website: Rodauth OAuth
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · HoneyryderChuck / rodauth-oauth · GitLab
This is the first beta release of v1. Most of the accompanying resources
are still version-controlled on the `issue-28` branch, among them the wiki
and the example apps.
In order to access the wiki for v1, you can do the following:

```shell
git clone git@gitlab.com:honeyryderchuck/rodauth-oauth.wiki.git
cd rodauth-oauth.wiki
git checkout issue-28
```

and follow the remainder of the instructions here:
Git Access · Wiki · HoneyryderChuck / rodauth-oauth · GitLab
## Example apps
Repo examples: examples · issue-28 · HoneyryderChuck / rodauth-oauth · GitLab
Rodauth Oauth Rails example:
Files · issue-28 · HoneyryderChuck / rodauth-oauth-demo-rails · GitLab
Rodauth OAuth Rails Devise example:
Files · issue-28 · HoneyryderChuck / rodauth-oauth-devise-demo · GitLab
These are the release notes since the last update:
## 1.0.0-beta1 (21/10/2022)
### Breaking changes
The full description of breaking changes, and suggestions on how to
make the migration smoother, can be found in the [migration
guide](MIGRATION-GUIDE-v1.md · 6465b8522a78cf0037a55d3d4b81f68f7811be68 · HoneyryderChuck / rodauth-oauth · GitLab).
A short list of the main highlights:
* Ruby 2.5 or higher is required.
* `oauth_http_mac` feature removed.
* `oauth_tokens` table (and resource) removed; only `oauth_applications`
and `oauth_grants` remain, and access and refresh tokens are now
properties of the latter.
* access and refresh tokens hashed by default when stored in the database.
* default oauth response mode is `"form_post"`.
* oauth specific features require explicit enablement of respective
features (no more `enable :oauth`)
* refresh token policy is "rotation" by default
The following helpers are exposed in the `rodauth` object:
* `current_oauth_account` - returns the dataset row for the `rodauth`
account associated to the oauth access token in the `Authorization` header
* `current_oauth_application` - returns the dataset row for the oauth
application associated to the oauth access token in the `Authorization` header
When used in `rails` via `rodauth-rails`, both are exposed directly as
#### `oauth_resource_server` plugin
This plugin can be used as a convenience when configuring resource servers.
* `:oauth_introspect` plugin: OAuth introspection endpoint exposes the
token's `"username"` claim.
* endpoint client authentication supports "client credentials grant"
* fixed `oidc` calculation of `"auth_time"` claim.
### 0.10.4 (18/09/2022)
* refresh token lookups are now scoped by application.
This bug meant that refresh token lookups performed by the refresh token
grant were not scoped to the application identified by the `/token`
request credentials, so a grant could in theory be hijacked by an
attacker who knew an existing refresh token.
The same issue was observed (and fixed) for token revocation (there
involving the access token).
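As an added example (not rodauth-oauth's own code), here is an in-memory stand-in for the `oauth_grants` table that models both the v1 defaults listed under the breaking changes above (tokens hashed at rest, refresh token rotation) and the 0.10.4 scoping fix: `refresh_unscoped` reproduces the bug, where the refresh token alone selects the grant, and `refresh`/`revoke` show the fix, where the grant must also belong to the application that authenticated at `/token`. The class, method names and grant shape are assumptions for illustration.

```ruby
require "securerandom"
require "digest"

# Added example, not rodauth-oauth's own code. An in-memory stand-in for
# the oauth_grants table: tokens are stored only as SHA-256 digests, the
# refresh token grant rotates the refresh token, and lookups are scoped to
# the application that authenticated at /token. Names are assumptions.
class GrantStore
  Grant = Struct.new(:id, :application_id, :account_id,
                     :token_hash, :refresh_token_hash, :revoked,
                     keyword_init: true)

  def initialize
    @grants = {}
    @next_id = 0
  end

  # Issues a grant; raw tokens go back to the client, only digests are kept.
  def issue(application_id:, account_id:)
    token, refresh = new_token, new_token
    grant = Grant.new(id: (@next_id += 1), application_id: application_id,
                      account_id: account_id, token_hash: digest(token),
                      refresh_token_hash: digest(refresh), revoked: false)
    @grants[grant.id] = grant
    [grant.id, token, refresh]
  end

  # The 0.10.4 bug: the refresh token alone selects the grant, so any client
  # that learns a refresh token can refresh it, whichever application the
  # grant was issued to.
  def refresh_unscoped(refresh_token:)
    grant = live_grants.find { |g| match?(g.refresh_token_hash, refresh_token) }
    rotate(grant)
  end

  # The fix: the grant must also belong to the authenticated application.
  def refresh(refresh_token:, application_id:)
    grant = live_grants.find do |g|
      g.application_id == application_id && match?(g.refresh_token_hash, refresh_token)
    end
    rotate(grant)
  end

  # Revocation gets the same scoping: a client may only revoke access
  # tokens issued to it. Returns true when a grant was revoked.
  def revoke(token:, application_id:)
    grant = live_grants.find do |g|
      g.application_id == application_id && match?(g.token_hash, token)
    end
    return false unless grant
    grant.revoked = true
    true
  end

  # What a database dump would expose: digests only, never a usable token.
  def stored_values
    @grants.values.flat_map { |g| [g.token_hash, g.refresh_token_hash] }
  end

  private

  def live_grants
    @grants.values.reject(&:revoked)
  end

  # Rotation: the presented refresh token is invalidated and a fresh token
  # pair is issued on the same grant. Returns nil when no grant matched.
  def rotate(grant)
    return nil unless grant
    token, refresh = new_token, new_token
    grant.token_hash = digest(token)
    grant.refresh_token_hash = digest(refresh)
    [token, refresh]
  end

  def new_token
    SecureRandom.urlsafe_base64(32)
  end

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison of the stored digest against the presented token.
  def match?(stored_hash, presented)
    candidate = digest(presented)
    return false unless stored_hash.bytesize == candidate.bytesize
    stored_hash.bytes.zip(candidate.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With the scoped `refresh`, a second application presenting a stolen refresh token gets nothing back, and a refresh token that has already been rotated is rejected on reuse; `refresh_unscoped` is kept only to show why the scoping matters.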
* Fix for a case which made resource indicators unusable under Rack 3.0 .
### 0.10.3 (29/08/2022)
The `oauth_token_subject` rodauth function is introduced. It returns
the grant subject (usually the user account id, but in some cases,
such as the client credentials grant, returns the oauth application
It still has a few rough edges, but in version 1.0, this will be the
main function to use to get the associated grant owner from a given
* oauth applications management: fixed labels usage in default rails
oauth applications list template.
* introspection requests were discarding the `authorization_server_url`
URL path (only taking the origin). That has been fixed now.
### 0.10.2 (11/08/2022)
* application description column null-constraint was still set to false
in most scripts and migration cookbooks, although it's not a mandatory
### 0.10.1 (20/06/2022)
* refresh token grant logic wasn't scoping the token to be
revoked/retokened, which was a bug introduced in a recent refactoring