rodauth-oauth 1.0.0.pre.beta2 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
```ruby
# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end
```
Among its features, it supports:
* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization (JAR) requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout
It can also be used with Rails (via the "rodauth-rails" gem).
Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline
This is the second beta release of v1. Most of the accompanying resources
are still version-controlled, among them:
## Wiki
In order to access the wiki for v1, you can do the following:
```sh
git clone git@gitlab.com:honeyryderchuck/rodauth-oauth.wiki.git
cd rodauth-oauth.wiki
git checkout -b issue-28
```
and follow the remainder of the instructions here (Git Access · Wiki · OS / rodauth-oauth · GitLab).
## Example apps
Repo examples: https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/issue-28/examples
Rodauth OAuth Rails example:
https://gitlab.com/honeyryderchuck/rodauth-oauth-demo-rails/-/tree/issue-28
Rodauth OAuth Rails Devise example:
https://gitlab.com/honeyryderchuck/rodauth-oauth-devise-demo/-/tree/issue-28
## Changelog
These are the release notes since the last update:
This version passes the conformance tests for the following OpenID Connect
certification profiles:
* Basic certification
* Form-post basic certification
* Config certification
* Dynamic Config certification (`response_type=code`)
## Breaking Changes
* The homepage URL is no longer a required client application property.
* OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout`
feature.
## Features
* `oauth_jwt_secured_authorization_request` now supports a `request_uri`
query param as well.
* `oidc` supports essential claims, via the `claims` authorization request
query parameter.
## Improvements
* `acr_values_supported` is now exposed in the OpenID configuration.
* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an
accepted request object signing alg when `true` (`false` by default).
* OIDC `offline_access` supported.
## Bugfixes
* JWT: "sub" is now always a string.
* `response_type` is now a required authorization request parameter (as
per the RFC).
* `state` is now passed along when redirecting from authorization requests
with `error`.
* The access token can now be read from the POST body or GET query params (as
per the RFC).
* The ID token no longer ships with claims whose value is `null`.
* The ID token no longer encodes claims by default (only when
`response_type=id_token`, as per the RFC).
* Support "JWT without kid" when decoding JWTs not generated by the
provider (such as request objects).
* Set `iss` and `aud` claims in the Userinfo JWT response.
* Make sure errors are also delivered via form POST, when
`response_mode=form_post`.
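The bugfix above about reading the access token from the POST body or GET query params refers to the three transport methods of RFC 6750. The following is an added illustration, not code from rodauth-oauth, of how a resource server locates the token and why it must reject a request that uses more than one method (RFC 6750 §2 forbids that) instead of silently picking one; the `request` hash standing in for a Rack env and the method name are assumptions.

```ruby
require "uri"

# Constructed example (not rodauth-oauth's code): locate a bearer token the way
# RFC 6750 describes and refuse requests that send it by more than one method.
# `request` is a plain Hash standing in for a Rack env with the keys
#   :method, :authorization, :content_type, :body, :query
def extract_bearer_token(request)
  found = {}

  # RFC 6750 §2.1: Authorization header, "Bearer" scheme (scheme names are
  # case-insensitive per RFC 7235), followed by a b64token.
  auth = request[:authorization].to_s
  if (m = auth.match(/\Abearer[ \t]+([A-Za-z0-9\-._~+\/]+=*)\z/i))
    found[:header] = m[1]
  end

  # RFC 6750 §2.2: form-encoded body parameter, only for
  # application/x-www-form-urlencoded bodies and never on GET.
  if request[:method] != "GET" &&
     request[:content_type].to_s.start_with?("application/x-www-form-urlencoded")
    body = URI.decode_www_form(request[:body].to_s).to_h
    found[:body] = body["access_token"] if body["access_token"]
  end

  # RFC 6750 §2.3: URI query parameter. The RFC discourages it (tokens end up
  # in logs and Referer headers), but a conforming server still parses it.
  query = URI.decode_www_form(request[:query].to_s).to_h
  found[:query] = query["access_token"] if query["access_token"]

  case found.size
  when 0 then [:missing, nil]           # answer 401 with WWW-Authenticate: Bearer
  when 1 then [:ok, found.values.first]
  else        [:invalid_request, nil]   # two or more methods: reject the request
  end
end
```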