[ruby-talk:444129] [ANN] rodauth-oauth 1.2.0 released

rodauth-oauth 1.2.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
is certified <https://openid.net/certification/&gt; for the following profiles
of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP.

# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests
* Pushed Authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 1.2.0 (13/02/2023)

### Features

#### Pushed Authorization Requests (PAR)

RFC: RFC 9126 - OAuth 2.0 Pushed Authorization Requests

`rodauth-oauth` supports Pushed Authorization Requests, via the
`:oauth_pushed_authorization_request` feature.

More info about the feature [in the
wiki](Pushed Authorization Requests · Wiki · OS / rodauth-oauth · GitLab).

#### mTLS Client Auth (+ certificate-bound access tokens)

RFC: RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

The `:oauth_tls_client_auth` feature adds support for the variants of
mTLS Client Authentication "PKI Mutual-TLS Method" and 2Self-Signed
Certificate Mutual-TLS Method". It also supports client certificate
bound access tokens.

More about it [in the
wiki](mTLS Client Authentication · Wiki · OS / rodauth-oauth · GitLab).

#### Dynamic Client Registration management

RFC: RFC 7592: OAuth 2.0 Dynamic Client Registration Management Protocol

Support for dynamci client registration management was added to the
`:oauth_dynamic_client_registration` feature.

More info about it [in the
wiki](Dynamic Client Registration · Wiki · OS / rodauth-oauth · GitLab).

### Improvements

* Support for 3rd-party initiated login was added, by including
support for the `initiate_login_uri` attribute in the register route
from the `:oauth_dynamic_client_registration` feature.
* Support for multitenant resource ownership was added, here's a
[description from the
wiki](How to · Wiki · OS / rodauth-oauth · GitLab).

### Bugfixes

* oidc: userinfo claims were not including claims with value `false`,
such as `"email_verified"`. This behaviour has been fixed, and only
claims of value `null` are omitted.

## 1.1.0 (10/01/2023)

## Features

### Loopback Interface Redirection URI support


Redirect URIs based on loopback addresses ("", "::1") are now
supported when used in an authorization request with an ephemeral port