rodauth-oauth 1.2.0 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
rodauth-oauth
is certified <https://openid.net/certification/> for the following profiles
of the OpenID Connect™ protocol:
Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP.
```ruby
# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end
```
Among its features, it supports:
* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests
* Pushed Authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout
It can also be used with Rails (via the "rodauth-rails" gem).
Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline
These are the release notes since the last update:
## 1.2.0 (13/02/2023)
### Features
#### Pushed Authorization Requests (PAR)
RFC: RFC 9126 - OAuth 2.0 Pushed Authorization Requests
`rodauth-oauth` supports Pushed Authorization Requests, via the
`:oauth_pushed_authorization_request` feature.
More info about the feature in the wiki page "Pushed Authorization Requests".
#### mTLS Client Auth (+ certificate-bound access tokens)
RFC: RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
The `:oauth_tls_client_auth` feature adds support for the mTLS Client
Authentication variants "PKI Mutual-TLS Method" and "Self-Signed
Certificate Mutual-TLS Method". It also supports certificate-bound
access tokens.
More about it in the wiki page "mTLS Client Authentication".
#### Dynamic Client Registration management
RFC: RFC 7592: OAuth 2.0 Dynamic Client Registration Management Protocol
Support for dynamic client registration management was added to the
`:oauth_dynamic_client_registration` feature.
More info about it in the wiki page "Dynamic Client Registration".
### Improvements
* Support for 3rd-party initiated login was added, by including
support for the `initiate_login_uri` attribute in the register route
from the `:oauth_dynamic_client_registration` feature.
* Support for multitenant resource ownership was added; a description
can be found in the wiki page "How to".
### Bugfixes
* oidc: userinfo claims with the value `false`, such as
`"email_verified"`, were being omitted from the response. This has been
fixed; only claims with the value `null` are now omitted.
## 1.1.0 (10/01/2023)
### Features
#### Loopback Interface Redirection URI support
https://www.rfc-editor.org/rfc/rfc8252#section-7.3
Redirect URIs based on loopback addresses ("127.0.0.1", "::1") are now
supported when used in an authorization request with an ephemeral port
(@avdigrimm).
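As an added illustration of the loopback rule above (example code written for this post, not rodauth-oauth's own implementation): a requested `redirect_uri` must match a registered one exactly, except that the port may differ when the registered URI's host is `127.0.0.1` or `::1`, since a native app cannot know its ephemeral port at registration time.

```ruby
require "uri"

# Loopback hosts for which RFC 8252 section 7.3 relaxes port matching.
# "localhost" is deliberately not included (it can resolve to non-loopback).
LOOPBACK_HOSTS = %w[127.0.0.1 ::1].freeze

# True when the registered URI is a loopback redirect (plain http, loopback host).
def loopback_redirect?(uri)
  uri.scheme == "http" && LOOPBACK_HOSTS.include?(uri.hostname)
end

# Compares the redirect_uri from an authorization request against one
# registered redirect URI. Scheme, host, path and query must match exactly;
# fragments are never allowed; only a loopback redirect may change its port.
def redirect_uri_allowed?(registered, requested)
  reg = URI.parse(registered)
  req = URI.parse(requested)
  return false unless reg.scheme == req.scheme
  return false unless reg.hostname == req.hostname   # hostname strips IPv6 brackets
  return false unless reg.path == req.path && reg.query == req.query
  return false if req.fragment                       # RFC 6749 section 3.1.2
  return true if loopback_redirect?(reg)             # any ephemeral port accepted
  reg.port == req.port
rescue URI::InvalidURIError
  false
end

# Checks a request against every redirect URI registered for the client.
def redirect_uri_registered?(registered_uris, requested)
  registered_uris.any? { |r| redirect_uri_allowed?(r, requested) }
end
```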