[ruby-talk:444183] [ANN] rodauth-oauth 1.3.0 released

rodauth-oauth 1.3.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
is certified <https://openid.net/certification/&gt; for the following profiles
of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd
Party Init OP

# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests (JAR)
* JWT Secured authorization response mode (JARM)
* Pushed Authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Self Issued Tokens
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 1.3.0 (02/04/2023)

## Features

### Self-Signed Issued Tokens

`rodauth-oauth` supports self-signed issued tokens, via the
`oidc_self_issued` feature.

More info about the feature [in the
docs](Self Issued OpenID · Wiki · OS / rodauth-oauth · GitLab).

#### JARM

`rodauth-oauth` supports JWT-secured Authorization Response Mode, also
known as JARM, via the

More info about the feature [in the
docs](JWT Secured Authorization Response Mode · Wiki · OS / rodauth-oauth · GitLab).

## Improvements

### `fill_with_account_claims` auth method

`fill_with_account_claims` is now exposed as an auth method. This
allows one to override to be able to cover certain requirements, such
as aggregated and distributed claims. Here's a [link to the
docs](Id Token Authentication · Wiki · OS / rodauth-oauth · GitLab)
explaining how to do it.

### oidc: only generate refresh token when `offline_access` scope is used.

When the `oidc` feature is used, refresh tokens won't be generated
anymore by default; in order to do so, the `offline_access` needs to
be requested for in the respective authorization request, [as the spec
mandates](Final: OpenID Connect Core 1.0 incorporating errata set 1).

### oidc: implicit grant loaded by default

The `oidc` feature now loads the `oauth_implicit_grant` feature by
default. This hadn't been done before due to the wish to ship a secure
integration by default, but since then, spec compliance became more
prioritary, and this is a requirement.

## Bugfixes

* rails integration: activerecord migrations fixes:
  * use `bigint` for foreign keys;
  * index creation instruction with the wrong syntax;
  * set precision 6 for default timestamps, to comply with AR defaults;
  * add missing `code` column to the `oauth_pushed_requests` table;
* oidc: when using the `id_token` , or any composite response type
including `id_token`, using any response mode other than `fragment`
will result in an invalid request.