[ruby-talk:443092] [ANN] rodauth-oauth 1.0.0-beta1 released

rodauth-oauth 1.0.0-beta1 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.

# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

This is the first beta release of v1. Most of the accompanying resources
are still only available under version control, among them:

## Wiki

In order to access the wiki for v1, you can do the following:

git clone git@gitlab.com:honeyryderchuck/rodauth-oauth.wiki.git
cd rodauth-oauth.wiki
git checkout -b issue-28

and follow the remainder of the instructions [here](
Git Access · Wiki · OS / rodauth-oauth · GitLab)

## Example apps

Repo examples: https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/issue-28/examples
Rodauth OAuth Rails example:
https://gitlab.com/honeyryderchuck/rodauth-oauth-demo-rails/-/tree/issue-28
Rodauth OAuth Rails Devise example:
https://gitlab.com/honeyryderchuck/rodauth-oauth-devise-demo/-/tree/issue-28

## Changelog

These are the release notes since the last update:

### 1.0.0-beta1 (21/10/2022)

#### Breaking changes

The full description of breaking changes, and suggestions on how to
make the migration smoother, can be found in the [migration
guide](MIGRATION-GUIDE-v1.md · 6465b8522a78cf0037a55d3d4b81f68f7811be68 · OS / rodauth-oauth · GitLab).

A short list of the main highlights:

* Ruby 2.5 or higher is required.
* `oauth_http_mac` feature removed.
* `oauth_tokens` table (and resource) removed; only `oauth_applications`
and `oauth_grants` remain, and access and refresh tokens are now
properties of the latter.
* access and refresh tokens are hashed by default when stored in the database.
* default oauth response mode is `"form_post"`.
* oauth-specific features require explicit enablement of the respective
feature (there is no more `enable :oauth`).
* refresh token policy is "rotation" by default.

#### Features

The following helpers are exposed in the `rodauth` object:

* `current_oauth_account` - returns the dataset row for the `rodauth`
account associated with the oauth access token in the `Authorization`
header.
* `current_oauth_application` - returns the dataset row for the oauth
application associated with the oauth access token in the `Authorization`
header.

When used in `rails` via `rodauth-rails`, both are exposed directly as
controller helpers.

##### `oauth_resource_server` plugin

This plugin can be used as a convenience when configuring resource servers.

#### Improvements

* `:oauth_introspect` plugin: OAuth introspection endpoint exposes the
token's `"username"` claim.
* endpoint client authentication supports "client credentials grant"
access tokens.

#### Bugfixes

* fixed `oidc` calculation of `"auth_time"` claim.

### 0.10.4 (18/09/2022)

#### Bugfixes

* refresh token lookups are now scoped by application.

This bug meant that refresh token lookups in the refresh token grant
were not scoped to the application identified by the `/token` request
credentials, so in theory a grant could be hijacked if an attacker knew
an existing refresh token.

The same issue was observed (and fixed) for token revocation (this
time involving the access token).
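The scoping bug fixed in 0.10.4, next to the v1 defaults for hashed token storage and refresh token rotation, as an added self-contained Ruby illustration (not rodauth-oauth's own code; the in-memory grant rows, token values and function names are constructed for the example). `find_grant_unscoped` is the pre-fix shape of the lookup, `find_grant_scoped` the fixed one, and `refresh_token_grant` shows why rotation makes a leaked refresh token single-use:

```ruby
require "digest"
require "securerandom"

# Tokens are stored as SHA-256 digests, so a database read yields no usable
# credential; the plaintext only ever appears in the /token response.
def hash_token(token)
  Digest::SHA256.hexdigest(token)
end

# Constructed oauth_grants rows for two applications. The plaintext refresh
# tokens ("rt-app1", "rt-app2") are known only so the example can call the lookups.
def build_grants
  [
    { id: 1, oauth_application_id: 1, account_id: 42,
      token: hash_token("at-app1"), refresh_token: hash_token("rt-app1"), revoked_at: nil },
    { id: 2, oauth_application_id: 2, account_id: 99,
      token: hash_token("at-app2"), refresh_token: hash_token("rt-app2"), revoked_at: nil },
  ]
end

# Pre-0.10.4 shape: the refresh token alone selects the grant, so a client that
# presents a refresh token issued to a different application still gets a match.
def find_grant_unscoped(grants, refresh_token)
  digest = hash_token(refresh_token)
  grants.find { |g| g[:refresh_token] == digest && g[:revoked_at].nil? }
end

# Fixed shape: the grant must also belong to the application that authenticated
# at the /token endpoint.
def find_grant_scoped(grants, application_id, refresh_token)
  digest = hash_token(refresh_token)
  grants.find do |g|
    g[:oauth_application_id] == application_id &&
      g[:refresh_token] == digest &&
      g[:revoked_at].nil?
  end
end

# Refresh token grant under the "rotation" policy: the presented refresh token is
# retired by replacing the stored digests, and the grant receives a fresh access
# and refresh token. Returns the /token response body (plaintext) or nil.
def refresh_token_grant(grants, application_id, refresh_token, now: Time.now)
  grant = find_grant_scoped(grants, application_id, refresh_token)
  return nil unless grant

  new_access = SecureRandom.urlsafe_base64(32)
  new_refresh = SecureRandom.urlsafe_base64(32)
  grant[:token] = hash_token(new_access)
  grant[:refresh_token] = hash_token(new_refresh)
  grant[:expires_at] = now + 3600
  { access_token: new_access, refresh_token: new_refresh, expires_in: 3600 }
end

if __FILE__ == $PROGRAM_NAME
  grants = build_grants
  puts "app 2 with app 1's token, unscoped: #{find_grant_unscoped(grants, "rt-app1") ? "matched" : "no match"}"
  puts "app 2 with app 1's token, scoped:   #{find_grant_scoped(grants, 2, "rt-app1") ? "matched" : "no match"}"
  response = refresh_token_grant(grants, 1, "rt-app1")
  puts "old refresh token after rotation:   #{find_grant_scoped(grants, 1, "rt-app1") ? "still valid" : "retired"}"
  puts "new refresh token for app 1:        #{find_grant_scoped(grants, 1, response[:refresh_token]) ? "valid" : "invalid"}"
end
```

The application id passed to `find_grant_scoped` must come from the client credentials that authenticated the `/token` request, never from a request parameter, otherwise the scope check is only as strong as the caller's honesty.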

* Fix for a case which made resource indicators unusable under Rack 3.0.

### 0.10.3 (29/08/2022)

#### Features

The `oauth_token_subject` rodauth function is introduced. It returns
the grant subject (usually the user account id, but in some cases,
such as the client credentials grant, returns the oauth application
id).

It still has a few rough edges, but in version 1.0, this will be the
main function to use to get the associated grant owner from a given
token.
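What the `current_oauth_account` and `current_oauth_application` helpers from the 1.0.0-beta1 notes and the `oauth_token_subject` function introduced in 0.10.3 resolve from a request, as an added stand-alone Ruby illustration rather than rodauth-oauth's implementation. The in-memory account, application and grant rows, the fixed `NOW` clock and the `bearer_token` / `current_oauth_grant` helper names are constructed for this example:

```ruby
require "digest"

# Access tokens are stored hashed on the grant row (v1 schema).
def hash_token(token)
  Digest::SHA256.hexdigest(token)
end

# Fixed clock so the expiry checks below are deterministic.
NOW = Time.utc(2022, 10, 21, 12, 0, 0)

ACCOUNTS = {
  42 => { id: 42, email: "alice@example.com" },
  43 => { id: 43, email: "bob@example.com" },
}

OAUTH_APPLICATIONS = {
  1 => { id: 1, name: "Example client", client_id: "example-client" },
}

# Constructed oauth_grants rows: one valid, one expired, one revoked, and one
# client-credentials grant that has no account behind it.
OAUTH_GRANTS = [
  { id: 10, account_id: 42, oauth_application_id: 1,
    token: hash_token("valid-token"), expires_at: NOW + 3600, revoked_at: nil },
  { id: 11, account_id: 43, oauth_application_id: 1,
    token: hash_token("expired-token"), expires_at: NOW - 60, revoked_at: nil },
  { id: 12, account_id: 43, oauth_application_id: 1,
    token: hash_token("revoked-token"), expires_at: NOW + 3600, revoked_at: NOW - 10 },
  { id: 13, account_id: nil, oauth_application_id: 1,
    token: hash_token("client-token"), expires_at: NOW + 3600, revoked_at: nil },
]

# RFC 6750 bearer token taken from the Authorization header of a Rack env;
# nil for any other scheme or a malformed value.
def bearer_token(env)
  match = %r{\ABearer\s+([A-Za-z0-9\-._~+/]+=*)\z}i.match(env["HTTP_AUTHORIZATION"].to_s)
  match && match[1]
end

# The grant behind the request's access token, or nil when the header is
# missing, the token is unknown, the grant was revoked, or the token expired.
def current_oauth_grant(env, now: NOW)
  token = bearer_token(env)
  return nil unless token

  digest = hash_token(token)
  grant = OAUTH_GRANTS.find { |g| g[:token] == digest }
  return nil if grant.nil? || grant[:revoked_at] || grant[:expires_at] <= now

  grant
end

# Account row for the token's grant; nil for client-credentials grants.
def current_oauth_account(env, now: NOW)
  grant = current_oauth_grant(env, now: now)
  grant && grant[:account_id] && ACCOUNTS[grant[:account_id]]
end

# Application row for the token's grant.
def current_oauth_application(env, now: NOW)
  grant = current_oauth_grant(env, now: now)
  grant && OAUTH_APPLICATIONS[grant[:oauth_application_id]]
end

# Grant subject: the account id, or the application id when the grant has no
# account (client credentials grant).
def oauth_token_subject(env, now: NOW)
  grant = current_oauth_grant(env, now: now)
  return nil unless grant

  grant[:account_id] || grant[:oauth_application_id]
end
```

Resource server code that only needs "who is this token for" should prefer the subject over the account, since a client-credentials token legitimately has no account and `current_oauth_account` returns nil for it.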

#### Bugfixes

* oauth applications management: fixed labels usage in default rails
oauth applications list template.
* introspection requests were discarding the `authorization_server_url`
URL path (only the origin was used). That has been fixed now.

### 0.10.2 (11/08/2022)

#### Bugfixes

* the application description column was still declared NOT NULL in
most scripts and migration cookbooks, although the description is no
longer mandatory.

### 0.10.1 (20/06/2022)

#### Bugfixes

* refresh token grant logic wasn't scoping the token to be
revoked/retokened, which was a bug introduced in a recent refactoring
(commit 83e3f183f6c9941d37c8fe8cfd3fc258ab9c576a).