[ruby-talk:443111] [ANN] rodauth-oauth 1.0.0.pre.beta2 released

rodauth-oauth 1.0.0.pre.beta2 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.

# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization (JAR) requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

This is the second beta release of v1. Most of the accompanying resources
are still kept under version control on the `issue-28` branch rather than
published, among them:

## Wiki

In order to access the wiki for v1, you can do the following:

git clone git@gitlab.com:honeyryderchuck/rodauth-oauth.wiki.git
cd rodauth-oauth.wiki
git checkout -b issue-28

and follow the remainder of the instructions on the wiki's "Git Access" page.

## Example apps

Repo examples: https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/issue-28/examples
Rodauth OAuth Rails example:
https://gitlab.com/honeyryderchuck/rodauth-oauth-demo-rails/-/tree/issue-28
Rodauth OAuth Rails Devise example:
https://gitlab.com/honeyryderchuck/rodauth-oauth-devise-demo/-/tree/issue-28

## Changelog

These are the release notes since the last update:

This version passes the conformance tests for the following OpenID Connect
certification profiles:

* Basic certification
* Form-post basic certification
* Config certification
* Dynamic Config certification (`response_type=code`)

## Breaking Changes

* The homepage URL is no longer a required property of client applications.
* OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout`
feature.

## Features

* `oauth_jwt_secured_authorization_request` now supports a `request_uri`
query param as well.
* `oidc` supports essential claims, via the `claims` authorization request
query parameter.

## Improvements

* `acr_values_supported` is now exposed in the OpenID configuration.
* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an
accepted request object signing alg when `true` (`false` by default).
* OIDC `offline_access` supported.

## Bugfixes

* JWT: "sub" is now always a string.
* `response_type` is now an authorization request required parameter (as
per the RFC).
* `state` is now passed along when redirecting from authorization requests
with `error`.
* The access token can now be read from the POST body or GET query params (as
per the RFC).
* ID tokens no longer include claims with a `null` value.
* ID tokens no longer encode claims by default (only when
`response_type=id_token`, as per the RFC).
* Support "JWT without kid" when decoding JWTs not generated by the provider
(such as request objects).
* Set `iss` and `aud` claims in the Userinfo JWT response.
* Make sure errors are also delivered via form POST, when
`response_mode=form_post`.