[ruby-talk:444043] [ANN] rodauth-oauth 1.0.0 released

rodauth-oauth 1.0.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
rodauth-oauth is certified <https://openid.net/certification/> for the
following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP.

```ruby
# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end
```

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 1.0.0 (15/12/2022)

### Highlights

rodauth-oauth is now [OpenID
certified](https://openid.net/certification/) for the following
certification profiles:

* Basic OP
* Implicit OP
* Hybrid OP
* Config OP
* Dynamic OP
* Form Post OP

and passes the conformance tests for RP-Initiated Logout OP.

The OIDC server used to run the conformance tests can be found
[here](examples/oidc/authentication_server.rb · master · OS / rodauth-oauth · GitLab)
and is deployed [here](https://rodauth-oauth-oidc.onrender.com).

### Breaking changes

The full description of breaking changes, and suggestions on how to
make the migration smoother, can be found in the [migration
guide](MIGRATION-GUIDE-v1.md · 6465b8522a78cf0037a55d3d4b81f68f7811be68 · OS / rodauth-oauth · GitLab).

A short list of the main highlights:

* Ruby 2.5 or higher is required.
* The `oauth_http_mac` feature was removed.
* The `oauth_tokens` table (and resource) was removed; only
`oauth_applications` and `oauth_grants` remain, and access and refresh
tokens are now properties of the latter.
* Access and refresh tokens are hashed by default when stored in the database.
* The default OAuth response mode is `"form_post"`.
* OAuth-specific features require explicit enablement of the respective
feature (no more `enable :oauth`).
* The refresh token policy is "rotation" by default.
* The homepage URL is no longer a required property of client applications.
* OIDC RP-initiated logout was extracted into the `oidc_rp_initiated_logout` feature.
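To illustrate the two storage changes above (hashed tokens and refresh token rotation), here is an added example of a minimal grant store that is not rodauth-oauth's own code; the table layout and column names are hypothetical, and the replay-revocation rule shown is one common rotation policy rather than a description of the gem's exact behaviour.

```ruby
require "securerandom"
require "digest"

# Constructed stand-in for rodauth-oauth's oauth_grants table (hypothetical
# column names): each grant keeps only SHA-256 digests of its tokens, so a
# database dump does not yield usable bearer credentials.
class GrantStore
  Grant = Struct.new(:id, :token_hash, :refresh_token_hash, :prev_refresh_hash, :revoked)
  def initialize
    @grants = []
  end
  # Digests are what get compared, so == leaks nothing about the token itself.
  def self.hash_token(token)
    Digest::SHA256.hexdigest(token)
  end
  # Issue a new grant; the plaintext tokens are returned once and never stored.
  def issue
    grant = Grant.new(@grants.size + 1, nil, nil, nil, false)
    @grants << grant
    mint(grant)
  end
  # Resource-server lookup: hash the presented bearer token, match the digest.
  def find_by_access_token(token)
    digest = self.class.hash_token(token)
    @grants.find { |g| !g.revoked && g.token_hash == digest }
  end
  # Rotation policy: each refresh mints a new pair and retires the old refresh
  # token. A retired refresh token presented again indicates replay (a leaked
  # token in use by a second party), so the whole grant is revoked.
  def refresh(refresh_token)
    digest = self.class.hash_token(refresh_token)
    if (replayed = @grants.find { |g| g.prev_refresh_hash == digest })
      replayed.revoked = true
      return nil
    end
    grant = @grants.find { |g| !g.revoked && g.refresh_token_hash == digest }
    return nil unless grant
    grant.prev_refresh_hash = grant.refresh_token_hash
    mint(grant)
  end
  # Generate an access/refresh pair and store only their digests on the grant.
  def mint(grant)
    access, refresh = SecureRandom.urlsafe_base64(32), SecureRandom.urlsafe_base64(32)
    grant.token_hash = self.class.hash_token(access)
    grant.refresh_token_hash = self.class.hash_token(refresh)
    [grant.id, access, refresh]
  end
end
```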

### Features

The following helpers are exposed in the `rodauth` object:

* `current_oauth_account` - returns the dataset row for the `rodauth`
account associated with the OAuth access token in the `Authorization`
header.
* `current_oauth_application` - returns the dataset row for the OAuth
application associated with the OAuth access token in the `Authorization`
header.

When used in `rails` via `rodauth-rails`, both are exposed directly as
controller helpers.

#### `oauth_resource_server` plugin

This plugin can be used as a convenience when configuring resource servers.

#### JAR support for request_uri query param

The `oauth_jwt_secured_authorization_request` plugin now supports a
`request_uri` query param as well.

#### OIDC features

* The `oidc` plugin supports [essential
claims](Final: OpenID Connect Core 1.0 incorporating errata set 1),
via the `claims` authorization request query parameter.
* The ID token is built with the `"c_hash"` and `"at_hash"` claims when
they are required.
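As an added example (not code from rodauth-oauth), the `at_hash`/`c_hash` computation from OpenID Connect Core 3.3.2.11, which binds the access token or authorization code to the ID token so a relying party can detect substitution; the helper names are this example's own.

```ruby
require "digest"

# Hash function implied by the ID token's JOSE "alg" (OIDC Core 3.3.2.11):
# the digest size comes from the alg name, e.g. RS256/ES256/PS256/HS256 -> SHA-256.
# Helper names here are this example's own, not rodauth-oauth's.
def oidc_hash_for(alg)
  case alg[/\d+\z/]
  when "256" then Digest::SHA256
  when "384" then Digest::SHA384
  when "512" then Digest::SHA512
  else raise ArgumentError, "unsupported alg #{alg}"
  end
end

# base64url without padding, as JOSE/OIDC require.
def base64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# at_hash / c_hash: base64url of the left-most half of the hash of the ASCII
# octets of the access token (at_hash) or authorization code (c_hash).
def oidc_half_hash(value, alg)
  digest = oidc_hash_for(alg).digest(value)
  base64url(digest[0, digest.bytesize / 2])
end

# Relying-party check. The claim is mandatory whenever the ID token is issued
# together with an access token or code (implicit/hybrid flows); a missing or
# mismatching value means the token and code/access token do not belong together.
def verify_half_hash(claim, value, alg)
  return false if claim.nil? || value.nil?
  expected = oidc_half_hash(value, alg)
  claim.bytesize == expected.bytesize &&
    claim.bytes.zip(expected.bytes).sum { |a, b| a ^ b }.zero?
end
```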

### Improvements

* `:oauth_introspect` plugin: the OAuth introspection endpoint exposes the
token's `"username"` claim.
* Endpoint client authentication supports "client credentials grant"
access tokens.
* `acr_values_supported` is exposed in the OpenID configuration.
* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an
accepted request object signing alg when `true` (`false` by default).
* OIDC `offline_access` is supported.

### Bugfixes

* Fixed the `oidc` calculation of the `"auth_time"` claim.
* JWT: `"sub"` is now always a string.
* `response_type` is now a required authorization request parameter
(as per the RFC).
* `state` is now passed along when redirecting from authorization
requests with `error`.
* The access token can now be read from the POST body or GET query params
(as per the RFC).
* The ID token no longer ships claims with a `null` value.
* The ID token no longer encodes claims by default (only when
`response_type=id_token`, as per the RFC).
* Support "JWT without kid" when decoding JWTs not generated by the
provider (such as request objects).
* Set the `iss` and `aud` claims in the UserInfo JWT response.
* Make sure errors are also delivered via form POST when
`response_mode=form_post`.
* The authorization request now shows an error page when `response_type`
or `client_id` are missing, or `redirect_uri` is missing or invalid; a
new `"authorize_error"` template is invoked in such cases.
* oidc: the nonce is present in the ID token when using the "id_token token" response type.
* The error parameter is delivered in the URL fragment when an implicit
grant authorization request fails.
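On the resource-server side, the RFC 6750 rule behind the POST-body/query-param fix above is that a bearer token may arrive by exactly one of three methods; here is an added example extractor over a Rack env hash, not the `oauth_resource_server` plugin's code, with the function name and the `[token, error]` return convention as this example's own assumptions.

```ruby
require "uri"
require "stringio"

# Pull a bearer token out of a Rack env hash following RFC 6750 section 2:
# Authorization header, form-encoded body parameter, or URI query parameter.
# Constructed example, not rodauth-oauth's code; the [token, error] return
# convention is this example's own. `error` is "invalid_request" when the
# request is malformed, and both are nil when no bearer credential was sent
# (the caller then answers 401 with a WWW-Authenticate: Bearer challenge).
def bearer_token_from(env)
  found = []
  if (hdr = env["HTTP_AUTHORIZATION"]) && hdr.match?(/\Abearer\b/i)
    # b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
    m = hdr.match(%r{\Abearer[ \t]+([A-Za-z0-9\-._~+/]+=*)\z}i)
    return [nil, "invalid_request"] unless m
    found << m[1]
  end
  # Body parameter: only for form-encoded bodies, and never on GET.
  if env["REQUEST_METHOD"] != "GET" && env["CONTENT_TYPE"].to_s.start_with?("application/x-www-form-urlencoded")
    body = env["rack.input"].read
    env["rack.input"].rewind # leave the body readable for the application
    URI.decode_www_form(body).each { |k, v| found << v if k == "access_token" }
  end
  URI.decode_www_form(env["QUERY_STRING"].to_s).each { |k, v| found << v if k == "access_token" }
  case found.size
  when 0 then [nil, nil]
  when 1 then [found.first, nil]
  else [nil, "invalid_request"] # clients MUST NOT use more than one method
  end
end
```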